mirror of
https://github.com/YunoHost/yunohost.git
synced 2024-09-03 20:06:10 +02:00
3 commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
|
4ceb2cbe1d |
Squashed 'src/yunohost/vendor/spectre-meltdown-checker/' changes from edebe4dc..d7d2e693
d7d2e693 fix: typo in bare metal detection (fixes #269)
b0083d91 Remove unneeded volumes in Dockerfile (#266)
904a83c6 Fix Arch kernel image detection (#268)
906f54cf Improved hypervisor detection (#259)
c45a06f4 Warn on missing kernel info (#265)
4a6fa070 Fix misdetection of files under Clear Linux (#264)
c705afe7 bump to v0.40
401ccd4b Correct aarch64 KPTI dmesg message
55120839 Fix a typo in check_variant3_linux()
f5106b3c update MCEDB from v83 to v84 (no actual change)
68289dae feat: add --update-builtin-mcedb to update the DB inside the script
3b2d5296 feat(l1tf): read & report ARCH_CAPABILITIES bit 3 (SKIP_VMENTRY_L1DFLUSH)
cbb18cb6 fix(l1tf): properly detect status under Red Hat/CentOS kernels
299103a3 some fixes when script is not started as root
dc5402b3 chore: speed optimization of hw check and indentation fixes
90c2ae5d feat: use the MCExtractor DB as the reference for the microcode versions
53d6a447 Fix detection of CVE-2018-3615 (L1TF_SGX) (#253)
297d890c fix ucode version check regression introduced by fbbb19f under BSD
0252e74f feat(bsd): implement CVE-2018-3620 and CVE-2018-3646 mitigation detection
fbbb19f2 Fix cases where a CPU ucode version is not found in $procfs/cpuinfo. (#246)
1571a56c feat: add L1D flush cpuid feature bit detection
3cf91416 fix: don't display summary if no CVE was tested (e.g. --hw-only)
bff38f1b BSD: add not-implemented-yet notice for Foreshadow-NG
b419fe7c feat(variant4): properly detect SSBD under BSD
f193484a chore: fix deprecated SPDX license identifier (#249) (#251)
349d77b3 Fix kernel detection when /lib/kernel exists on a distro (#252)
e589ed7f fix: don't test SGX again in check_CVE_2018_3615, already done by is_cpu_vulnerable
ae120628 fix: remove some hardcoded /proc paths, use $procfs instead
b44d2b54 chore: remove 'experimental' notice of Foreshadow from README
7b72c20f feat(l1tf): explode L1TF in its 3 distinct CVEs
b48b2177 feat: Add Clear Linux Distro (#244)
8f31634d feat(batch): Add a batch short option for one line result (#243)
96798b19 chore: add SPDX GPL-3.0 license identifier (#245)
687ce1a7 fix: load cpuid module if absent even when /dev/cpu/0/cpuid is there
80e0db7c fix: don't show erroneous ucode version when latest version is unknown (fixes #238)
e8890ffa feat(config): support for genkernel kernel config file (#239)
b2f64e11 fix README after merge
42a3a61f Slightly improved Docker configuration (#230)
afb36c51 Fix typo: 'RBS filling' => 'RSB filling' (#237)
0009c0d4 fix: --batch now implies --no-color to avoid colored warnings
dd67fd94 feat: add FLUSH_CMD MSR availability detection (part of L1TF mitigation)
339ad317 fix: add missing l1tf CPU vulnerability display in hw section
794c5be1 feat: add optional git describe support to display inter-release version numbers
a7afc585 fix several incorrect ucode version numbers
fc1dffd0 feat: implement detection of latest known versions of intel microcodes
e9426161 feat: initial support for L1TF
360be7b3 fix: hide arch_capabilities_msr_not_read warning under !intel
5f592578 bump to v0.39
92d59cbd chore: adjust some comments, add 2 missing inits
4747b932 feat: add detection of RSBA feature bit and adjust logic accordingly
860023a8 fix: ARCH MSR was not read correctly, preventing proper SSB_NO and RDCL_NO detection
ab67a922 feat: read/write msr now supports msr-tools or perl as dd fallback
f4592bf3 Add Arch armv5/armv7 kernel image location (#227)
be15e476 chore: setting master to v0.38+
d3481d95 Add support for the kernel being within a btrfs subvolume (#226)
21af5611 bump to v0.38
cb740397 feat(arm32): add spectrev1 mitigation detection
84195689 change: default to --no-explain, use --explain to get detailed mitigation help
b637681f fix: debug output: msg inaccuracy for ARM checks
9316c305 fix: armv8: models < 0xd07 are not vulnerable
f9dd9d8c add guess for archlinuxarm aarch64 kernel image on raspberry pi 3 (#222)
0f0d103a fix: correctly init capabilities_ssb_no var in all cases
b262c405 fix: remove spurious character after an else statement
cc2910fb fix: read_cpuid: don't use iflag=skip_bytes for compat with old dd versions
30c4a1f6 arm64: cavium: Add CPU Implementer Cavium (#216)
cf06636a fix: prometheus output: use printf for proper \n interpretation (#204)
60077c8d fix(arm): rewrite vuln logic from latest arm statement for Cortex A8 to A76
c181978d fix(arm): Updated arm cortex status (#209)
9a6406a9 chore: add docker support (#203)
5962d20b fix(variant4): whitelist from common.c::cpu_no_spec_store_bypass (#202)
17a34885 fix(help): add missing references to variants 3a & 4 (#201)
e54e8b3e chore: remove warning in README, fix display indentation
39c778e3 fix(amd): AMD families 0x15-0x17 non-arch MSRs are a valid way to control SSB
2cde6e46 feat(ssbd): add detection of proper CPUID bits on AMD
f4d51e7e fix(variant4): add another detection way for Red Hat kernel
85d46b27 feat(variant4): add more detailed explanations
61e02abd feat(variant3a): detect up to date microcode
114756fa fix(amd): not vulnerable to variant3a
ea75969e fix(help): Update variant options in usage message (#200)
ca391cbf fix(variant2): correctly detect IBRS/IBPB in SLES kernels
68af5c5f feat(variant4): detect SSBD-aware kernel
19be8f79 doc: update README with some info about variant3 and variant4
f75cc0bb feat(variant4): add sysfs mitigation hint and some explanation about the vuln
f33d65ff feat(variant3a): add information about microcode-sufficient mitigation
725eaa8b feat(arm): adjust vulnerable ARM CPUs for variant3a and variant4
c6ee0358 feat(variant4): report SSB_NO CPUs as not vulnerable
22d0b203 fix(ssb_no): rename ssbd_no to ssb_no and fix shift
3062a841 fix(msg): add missing words
6a4318ad feat(variant3a/4): initial support for 2 new CVEs
c1998618 fix(variant2): adjust detection for SLES kernels
7e4899bc ibrs can't be enabled on no ibrs cpu (#195)
5cc77741 Update spectre-meltdown-checker.sh
1c0f6d95 cpuid and msr module check
4acd0f64 Suggestion to change VM to a CPU with IBRS capability
fb52dbe7 set master branch to v0.37+
git-subtree-dir: src/yunohost/vendor/spectre-meltdown-checker
git-subtree-split: d7d2e6934ba08a2de2e2c80bb42936a60b884b78 |
||
|
77fcb6ad12 |
Squashed 'src/yunohost/vendor/spectre-meltdown-checker/' changes from 7f92717..edebe4d
edebe4d bump to v0.37
83ea78f fix: arm: also detect variant 1 mitigation when using native objdump
602b68d fix(spectrev2): explain that retpoline is possible for Skylake+ if there is RSB filling, even if IBRS is still better
97bccaa feat: rephrase IBPB warning when only retpoline is enabled in non-paranoid mode
68e619b feat: show RSB filling capability for non-Skylake in verbose mode
a6f4475 feat: make IBRS_FW blue instead of green
223f502 feat: add --paranoid to choose whether we require IBPB
c0108b9 fix(spectre2): don't explain how to fix when NOT VULNERABLE
a301613 feat: make RSB filling support mandatory for Skylake+ CPUs
59d85b3 feat: detect RSB filling capability in the kernel
baaefb0 fix: remove shellcheck warnings
d452aca fix: invalid bash syntax when ibpb_enabled or ibrs_enabled are empty
10b8d94 feat: detect latest Red Hat kernels' RO ibpb_enabled knob
8606e60 refactor: no longer display the retpoline-aware compiler test when we can't tell for sure
6a48251 fix: regression in 51aeae25, when retpoline & ibpb are enabled
f4bf5e9 fix: typos
60eac1a feat: also do PTI performance check with (inv)pcid for BSD
b3cc06a fix regression introduced by 82c25dc
5553576 feat(amd/zen): re-introduce IBRS for AMD except ZEN family
e16ad80 feat(ibpb=2): add detection of SMT before concluding the system is not vulnerable
29c294e feat(bsd): explain how to mitigate variant2
5971401 refactor: IBRS_ALL & RDCL_NO are Intel-only
51e8261 refactor: separate hw checks for Intel & AMD
2a4bfad refactor: add is_amd and is_intel funcs
7e52cea feat(spectre2): refined how status of this vuln is decided and more precise explanations on how to fix
417d7aa Fix trailing whitespace and mixed indent styles;
67bf761 Fix some user facing typos with codespell -w -q3 .
0eabd26 refactor: decrease default verbosity for some tests
b77fb0f fix: don't override ibrs/ibpb results with later tests
89c2e0f fix(amd): show cpuinfo and ucode details
b88f32e feat: print raw cpuid, and fetch ucode version under BSD
7a4ebe8 refactor: rewrite read_cpuid to get more common code parts between BSD and Linux
0919f5c feat: add explanations of what to do when a vulnerability is not mitigated
de02dad feat: rework Spectre V2 mitigations detection w/ latest vanilla & Red Hat 7 kernels
07484d0 add dump of variables at end of script in debug mode
a8b557b fix(cpu): skip CPU checks if asked to (--no-hw) or if inspecting a kernel of another architecture
619b274 fix(sysfs): only check for sysfs for spectre2 when in live mode
94857c9 update readme
056ed00 feat(arm): detect spectre variant 1 mitigation
aef99d2 fix(pti): when PTI activation is unknown, don't say we're vulnerable
e2d7ed2 feat(arm): support for variant2 and meltdown mitigation detection
eeaeff8 set version to v0.36+ for master branch between releases
f5269a3 feat(bsd): add retpoline detection for BSD
f3883a3 fix(xen): adjust message for DomUs w/ sysfs
b6fd69a release: v0.36
7adb766 enh: change colors and use red only to report vulnerability
c7892e3 update README.md
aa74315 feat: speed up kernel version detection
0b8a09e fix: mis adjustments for BSD compat
b42d8f2 fix(write_msr): use /dev/zero instead of manually echoing zeroes
f191ec7 feat: add --hw-only to only show CPU microcode/cpuid/msr details
28da7a0 misc: message clarifications
ece25b9 feat: implement support for NetBSD/FreeBSD/DragonFlyBSD
889172d feat: add special extract_vmlinux mode for old RHEL kernels
37ce032 fix: bypass MSR/CPUID checks for non-x86 CPUs
701cf88 feat: more robust validation of extracted kernel image
6a94c3f feat(extract_vmlinux): look for ELF magic in decompressed blob and cut at found offset
2d99381 feat: add --prefix-arch for cross-arch kernel inspection
4961f83 fix(ucode): fix blacklist detection for some ucode versions
ecdc448 Check MSR in each CPU/Thread (#136)
12ea49f fix(kvm): properly detect PVHVM mode (fixes #163)
053f161 fix(doc): use https:// URLs in the script comment header
bda18d0 fix: pine64: re-add vmlinuz location and some error checks
2551295 doc: use https URLs
d5832dc feat: add ELF magic detection on kernel image blob for some arm64 systems
d2f4674 feat: enhance kernel image version detection for some old kernels
2f6a655 Produce output for consumption by prometheus-node-exporter
30842dd release: bump to v0.35
b4ac5fc feat(variant2): better explanation when kernel supports IBRS but CPU does not
fef380d feat(readme): add quick run section
55a6fd3 feat(variant1): better detection for Red Hat/Ubuntu patch
35c8a63 Remove the color in the title
5f914e5 fix(xen): declare Xen's PTI patch as a valid mitigation for variant3
66dce2c fix(ucode): update blacklisted ucodes list from latest Intel info
155cac2 Teach checker how to find kernels installed by systemd kernel-install
22cae60 fix(retpoline): remove the "retpoline enabled" test
eb75e51 fix(ucode): update list of blacklisted ucodes from 2018-02-08 Intel document
253e180 Update spectre-meltdown-checker.sh
5d6102a enh: show kernel version in offline mode
a2dfca6 feat: detect discrepancy between found kernel image and running kernel
36bd80d enh: speedup by not decompressing kernel on --sysfs-only
1834dd6 feat: add skylake era cpu detection routine
3d765bc enh: lazy loading of cpu information
07afd95 feat: better cleanup routine on exit & interrupt
b7a1012 fix: ARM CPU display name & detection
6346a0d fix: --no-color workaround for android's sed
8106f91 release: bump to v0.34
b1fdf88 enh: display ucode info even when not blacklisted
4d29607 cleanup: shellcheck pass
0267659 cleanup: remove superseded atom detection code
247b176 feat: detect known speculative-execution free CPUs
bcae882 refacto: create a dedicated func to read cpuid bits
71e7109 refacto: move cpu discovery bits to a dedicated function
aa18b51 fix(variant1): smarter lfence check
b738ac4 fix: regression introduced by previous commit
799ce3e update blacklisted ucode list from kernel source
f1e18c1 doc(disclaimer): Spectre affects all software
e05ec5c feat(variant1): detect vanilla mitigation
6e544d6 fix(cpu): Pentium Exxxx are vulnerable to Meltdown
90a6596 adjust: show how to enable IBRS/IBPB in -v only
9b53635 refacto: fix shellcheck warnings for better compat
7404929 Fix printing of microcode to use cpuinfo values
bf46fd5 update: new screenshots for README.md
0798bd4 fix: report arch_capabilities as NO when no MSR
42094c4 release: v0.33
03d2dfe feat: add blacklisted Intel ucode detection
9f00ffa fix: fallback to UNKNOWN when we get -EACCES
7f0d80b xen: detect if the host is a Xen Dom0 or PV DomU (fixes #83)
d1c1f0f fix(batch): fix regression introduced by acf12a6
acf12a6 feat(cpu) add STIBP, RDCL_NO, IBRS_ALL checks
b45e40b feat(stibp): add STIBP cpuid feature check
3c1d452 fix(cpuid): fix off-by-one SPEC_CTRL bit check
53b9eda fix: don't make IBPB mandatory when it's not there
3b0ec99 fix(cosmetic): tiny msg fixes
d55bafd fix(cpu): trust is_cpu_vulnerable even w/ debugfs
147462c fix(variant3): do our checks even if sysfs is here
ddc7197 fix(retpoline): retpoline-compiler detection
e7aa3b9 feat(retpoline): check if retpoline is enabled
ff5c92f feat(sysfs): print details even with sysfs
443d9a2 feat(ibpb): now also check for IBPB on variant 2
3e454f1 fix(offline): report unknown when too few info
c8a25c5 feat: detect invalid kconfig files
4038134 fix(dmesg): detect when dmesg is truncated
0aa5857 fix(cpu): Pentium Exxxx series are not vulnerable
b3b7f63 fix(display): use text-mode compatible colors
263ef65 bump to v0.32
a1bd233 revert to a simpler check_vmlinux()
de6590c cache is_cpu_vulnerable result for performance
56d4f82 is_cpu_vulnerable: implement check for multi-arm systems
7fa2d63 check_vmlinux: when readelf doesn't work, try harder with another way
3be5e90 be smarter to find a usable echo command
995620a add pine64 vmlinuz location
193e0d8 arm: cosmetic fix for name and handle aarch64
72ef94a ARM: display a friendly name instead of empty string
ccc0453 search in /lib/modules/$(uname -r) for vmlinuz, config, System.map
14ca49a Atom N270: implement another variation
db357b8 CoreOS: remove ephemeral install of a non-used package
42a57dd add kern.log as another backend of dmesg output
5ab95f3 fix(atom): don't use a pcre regex, only an extended one
5b6e399 fix(atom): properly detect Nxxx Atom series
556951d Add Support for Slackware.
7a88aec Implement CoreOS compatibility mode (#84)
bd18323 bump to v0.31 to reflect changes
b89d67d meltdown: detecting Xen PV, reporting as not vulnerable
704e540 is_cpu_vulnerable: add check for old Atoms
d960931 verbose: add PCID check for performance impact of PTI
dcc4488 Merge pull request #80 from speed47/cpuid_spec_ctrl
32e3fe6 bump to v0.30 to reflect changes
f488947 Merge pull request #79 from andir/add-nixos
71213c1 ibrs: check for spec_ctrl_ibrs in cpuinfo
2964c4a add support for NixOS kernel
749f432 also check for spec_ctrl flag in cpuinfo
a422b53 also check for cpuinfo flag
c483a2c check spec_ctrl support using cpuid
dead005 fix: proper detail msg in vuln status
8ed7d46 Merge pull request #77 from speed47/exitcode
e5e4851 proper return codes regardless of the batch mode
git-subtree-dir: src/yunohost/vendor/spectre-meltdown-checker
git-subtree-split: edebe4dcd47cb8457d778406ed9de7670d6d8eb5 |
||
|
80cfa3a786 |
Squashed 'src/yunohost/vendor/spectre-meltdown-checker/' content from commit 7f92717
git-subtree-dir: src/yunohost/vendor/spectre-meltdown-checker
git-subtree-split: 7f92717a2c720a55785f8814a872eed7d380fdcf |