Squashed 'src/yunohost/vendor/spectre-meltdown-checker/' changes from edebe4dc..d7d2e693

d7d2e693 fix: typo in bare metal detection (fixes #269)
b0083d91 Remove unneeded volumes in Dockerfile (#266)
904a83c6 Fix Arch kernel image detection (#268)
906f54cf Improved hypervisor detection (#259)
c45a06f4 Warn on missing kernel info (#265)
4a6fa070 Fix misdetection of files under Clear Linux (#264)
c705afe7 bump to v0.40
401ccd4b Correct aarch64 KPTI dmesg message
55120839 Fix a typo in check_variant3_linux()
f5106b3c update MCEDB from v83 to v84 (no actual change)
68289dae feat: add --update-builtin-mcedb to update the DB inside the script
3b2d5296 feat(l1tf): read & report ARCH_CAPABILITIES bit 3 (SKIP_VMENTRY_L1DFLUSH)
cbb18cb6 fix(l1tf): properly detect status under Red Hat/CentOS kernels
299103a3 some fixes when script is not started as root
dc5402b3 chore: speed optimization of hw check and indentation fixes
90c2ae5d feat: use the MCExtractor DB as the reference for the microcode versions
53d6a447 Fix detection of CVE-2018-3615 (L1TF_SGX) (#253)
297d890c fix ucode version check regression introduced by fbbb19f under BSD
0252e74f feat(bsd): implement CVE-2018-3620 and CVE-2018-3646 mitigation detection
fbbb19f2 Fix cases where a CPU ucode version is not found in $procfs/cpuinfo. (#246)
1571a56c feat: add L1D flush cpuid feature bit detection
3cf91416 fix: don't display summary if no CVE was tested (e.g. --hw-only)
bff38f1b BSD: add not-implemented-yet notice for Foreshadow-NG
b419fe7c feat(variant4): properly detect SSBD under BSD
f193484a chore: fix deprecated SPDX license identifier (#249) (#251)
349d77b3 Fix kernel detection when /lib/kernel exists on a distro (#252)
e589ed7f fix: don't test SGX again in check_CVE_2018_3615, already done by is_cpu_vulnerable
ae120628 fix: remove some harcoded /proc paths, use $procfs instead
b44d2b54 chore: remove 'experimental' notice of Foreshadow from README
7b72c20f feat(l1tf): explode L1TF in its 3 distinct CVEs
b48b2177 feat: Add Clear Linux Distro (#244)
8f31634d feat(batch): Add a batch short option for one line result (#243)
96798b19 chore: add SPDX GPL-3.0 license identifier (#245)
687ce1a7 fix: load cpuid module if absent even when /dev/cpu/0/cpuid is there
80e0db7c fix: don't show erroneous ucode version when latest version is unknown (fixes #238)
e8890ffa feat(config): support for genkernel kernel config file (#239)
b2f64e11 fix README after merge
42a3a61f Slightly improved Docker configuration (#230)
afb36c51 Fix typo: 'RBS filling' => 'RSB filling' (#237)
0009c0d4 fix: --batch now implies --no-color to avoid colored warnings
dd67fd94 feat: add FLUSH_CMD MSR availability detection (part of L1TF mitigation)
339ad317 fix: add missing l1tf CPU vulnerability display in hw section
794c5be1 feat: add optional git describe support to display inter-release version numbers
a7afc585 fix several incorrect ucode version numbers
fc1dffd0 feat: implement detection of latest known versions of intel microcodes
e9426161 feat: initial support for L1TF
360be7b3 fix: hide arch_capabilities_msr_not_read warning under !intel
5f592578 bump to v0.39
92d59cbd chore: adjust some comments, add 2 missing inits
4747b932 feat: add detection of RSBA feature bit and adjust logic accordingly
860023a8 fix: ARCH MSR was not read correctly, preventing proper SSB_NO and RDCL_NO detection
ab67a922 feat: read/write msr now supports msr-tools or perl as dd fallback
f4592bf3 Add Arch armv5/armv7 kernel image location (#227)
be15e476 chore: setting master to v0.38+
d3481d95 Add support for the kernel being within a btrfs subvolume (#226)
21af5611 bump to v0.38
cb740397 feat(arm32): add spectrev1 mitigation detection
84195689 change: default to --no-explain, use --explain to get detailed mitigation help
b637681f fix: debug output: msg inaccuracy for ARM checks
9316c305 fix: armv8: models < 0xd07 are not vulnerable
f9dd9d8c add guess for archlinuxarm aarch64 kernel image on raspberry pi 3 (#222)
0f0d103a fix: correctly init capabilities_ssb_no var in all cases
b262c405 fix: remove spurious character after an else statement
cc2910fb fix: read_cpuid: don't use iflag=skip_bytes for compat with old dd versions
30c4a1f6 arm64: cavium: Add CPU Implementer Cavium (#216)
cf06636a fix: prometheus output: use printf for proper \n interpretation (#204)
60077c8d fix(arm): rewrite vuln logic from latest arm statement for Cortex A8 to A76
c181978d fix(arm): Updated arm cortex status (#209)
9a6406a9 chore: add docker support (#203)
5962d20b fix(variant4): whitelist from common.c::cpu_no_spec_store_bypass (#202)
17a34885 fix(help): add missing references to variants 3a & 4 (#201)
e54e8b3e chore: remove warning in README, fix display indentation
39c778e3 fix(amd): AMD families 0x15-0x17 non-arch MSRs are a valid way to control SSB
2cde6e46 feat(ssbd): add detection of proper CPUID bits on AMD
f4d51e7e fix(variant4): add another detection way for Red Hat kernel
85d46b27 feat(variant4): add more detailed explanations
61e02abd feat(variant3a): detect up to date microcode
114756fa fix(amd): not vulnerable to variant3a
ea75969e fix(help): Update variant options in usage message (#200)
ca391cbf fix(variant2): correctly detect IBRS/IBPB in SLES kernels
68af5c5f feat(variant4): detect SSBD-aware kernel
19be8f79 doc: update README with some info about variant3 and variant4
f75cc0bb feat(variant4): add sysfs mitigation hint and some explanation about the vuln
f33d65ff feat(variant3a): add information about microcode-sufficient mitigation
725eaa8b feat(arm): adjust vulnerable ARM CPUs for variant3a and variant4
c6ee0358 feat(variant4): report SSB_NO CPUs as not vulnerable
22d0b203 fix(ssb_no): rename ssbd_no to ssb_no and fix shift
3062a841 fix(msg): add missing words
6a4318ad feat(variant3a/4): initial support for 2 new CVEs
c1998618 fix(variant2): adjust detection for SLES kernels
7e4899bc  ibrs can't be enabled on no ibrs cpu  (#195)
5cc77741 Update spectre-meltdown-checker.sh
1c0f6d95 cpuid and msr module check
4acd0f64 Suggestion to change VM to a CPU with IBRS capability
fb52dbe7 set master branch to v0.37+

git-subtree-dir: src/yunohost/vendor/spectre-meltdown-checker
git-subtree-split: d7d2e6934ba08a2de2e2c80bb42936a60b884b78
This commit is contained in:
Alexandre Aubin 2019-01-19 17:15:39 +01:00
parent 77fcb6ad12
commit 4ceb2cbe1d
4 changed files with 1804 additions and 218 deletions

7
Dockerfile Normal file
View file

@ -0,0 +1,7 @@
FROM alpine:3.7
RUN apk --update --no-cache add kmod binutils grep perl
COPY . /check
ENTRYPOINT ["/check/spectre-meltdown-checker.sh"]

View file

@ -1,7 +1,15 @@
Spectre & Meltdown Checker
==========================
A shell script to tell if your system is vulnerable against the 3 "speculative execution" CVEs that were made public early 2018.
A shell script to tell if your system is vulnerable against the several "speculative execution" CVEs that were made public in 2018.
- CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
- CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
- CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
- CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
- CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
- CVE-2018-3615 [L1 terminal fault] aka 'Foreshadow (SGX)'
- CVE-2018-3620 [L1 terminal fault] aka 'Foreshadow-NG (OS)'
- CVE-2018-3646 [L1 terminal fault] aka 'Foreshadow-NG (VMM)'
Supported operating systems:
- Linux (all versions, flavors and distros)
@ -39,6 +47,22 @@ chmod +x spectre-meltdown-checker.sh
sudo ./spectre-meltdown-checker.sh
```
### Run the script in a docker container
#### With docker-compose
```shell
docker-compose build
docker-compose run --rm spectre-meltdown-checker
```
#### Without docker-compose
```shell
docker build -t spectre-meltdown-checker .
docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker
```
## Example of script output
- Intel Haswell CPU running under Ubuntu 16.04 LTS
@ -74,7 +98,38 @@ sudo ./spectre-meltdown-checker.sh
- Mitigation: updated kernel (with PTI/KPTI patches), updating the kernel is enough
- Performance impact of the mitigation: low to medium
## Disclaimer
**CVE-2018-3640** rogue system register read (Variant 3a)
- Impact: TBC
- Mitigation: microcode update only
- Performance impact of the mitigation: negligible
**CVE-2018-3639** speculative store bypass (Variant 4)
- Impact: software using JIT (no known exploitation against kernel)
- Mitigation: microcode update + kernel update making possible for affected software to protect itself
- Performance impact of the mitigation: low to medium
**CVE-2018-3615** l1 terminal fault (Foreshadow-NG SGX)
- Impact: Kernel & all software (any physical memory address in the system)
- Mitigation: microcode update
- Performance impact of the mitigation: negligible
**CVE-2018-3620** l1 terminal fault (Foreshadow-NG SMM)
- Impact: Kernel & System management mode
- Mitigation: updated kernel (with PTE inversion)
- Performance impact of the mitigation: negligible
**CVE-2018-3646** l1 terminal fault (Foreshadow-NG VMM)
- Impact: Virtualization software and Virtual Machine Monitors
- Mitigation: disable ept (extended page tables), disable hyper-threading (SMT), or
updated kernel (with L1d flush)
- Performance impact of the mitigation: low to significant
## Understanding what this script does and doesn't
This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the collectively named "speculative execution" vulnerabilities. It doesn't attempt to run any kind of exploit, and can't guarantee that your system is secure, but rather helps you verifying whether your system has the known correct mitigations in place.
However, some mitigations could also exist in your kernel that this script doesn't know (yet) how to detect, or it might falsely detect mitigations that in the end don't work as expected (for example, on backported or modified kernels).

15
docker-compose.yml Normal file
View file

@ -0,0 +1,15 @@
version: '2'
services:
spectre-meltdown-checker:
build:
context: ./
dockerfile: ./Dockerfile
image: spectre-meltdown-checker:latest
container_name: spectre-meltdown-checker
privileged: true
network_mode: none
volumes:
- /boot:/boot:ro
- /dev/cpu:/dev/cpu:ro
- /lib/modules:/lib/modules:ro

File diff suppressed because it is too large Load diff