From 8e2741dd99bc4c1941e410b6309111c782925d26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20S?= <bserie@evolix.fr>
Date: Thu, 28 Jun 2018 11:52:31 +0200
Subject: [PATCH] Squashed commit of the following:
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

commit db23167246678114668d640f88ed9e2f6397ded2
Author: Benoît S <bserie@evolix.fr>
Date:   Thu Jun 28 11:48:22 2018 +0200

    Add a check for kernel config gile

commit ae1ec7b2b9f3bd2d1c78af544562dd207ef5f330
Author: Benoît S <bserie@evolix.fr>
Date:   Wed Jun 27 18:01:07 2018 +0200

    Redo the jessie part

commit 62b61aabf169ebc9e7e741f4190507f177a9642d
Author: Benoît S <bserie@evolix.fr>
Date:   Wed Jun 27 17:49:44 2018 +0200

    Well... For Stretch use only /sys/devices/system/cpu/vulnerabilities/

commit 33b19090e6c2462228f9f650f1e83da0b5928406
Author: Benoît S <bserie@evolix.fr>
Date:   Wed Jun 27 17:45:11 2018 +0200

    Add check for spectre v2

commit 3451218a167e5b2efebed1f80234c9d2596546d3
Author: Benoît S <bserie@evolix.fr>
Date:   Wed Jun 27 17:33:24 2018 +0200

    Do not use the BOOT_IMAGE trick

commit ee60e28a5add36fb6b55231f8e39f275b5592409
Author: Benoît S <bserie@evolix.fr>
Date:   Wed Jun 27 17:30:18 2018 +0200

    We cannot rely on dmesg

commit 57bd4312cea6ce1d5b9c23e3e8307f1bc42852cb
Author: Benoît.S <benpro@benpro.fr>
Date:   Thu Jan 11 14:46:46 2018 +0100

    Breakline indentation

commit d2278292ccf4340913ac6982961e0f011e077a3a
Author: Benoît.S <benpro@benpro.fr>
Date:   Thu Jan 11 14:45:12 2018 +0100

    Diffrent test for Jessie kernel

commit 1418d4306e81152fa949821484a7d1226e1f2d5b
Author: Benoît.S <benpro@benpro.fr>
Date:   Thu Jan 11 11:52:43 2018 +0100

    Modified Meltdown check to handle kaiser and pti

commit 2c6d075e2a9749d2805fb52ec5a2c7274f73dfc7
Author: Benoît.S <benpro@benpro.fr>
Date:   Thu Jan 11 11:24:42 2018 +0100

    Add IS_MELTDOWN

    We check kaiser flags in /proc/cpuinfo and CONFIG_PAGE_TABLE_ISOLATION in
    kernel config file.
---
 evocheck.sh | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/evocheck.sh b/evocheck.sh
index c7e6d20..b347cda 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -105,6 +105,7 @@ IS_EVOLIX_USER=1
 IS_EVOACME_CRON=1
 IS_EVOACME_LIVELINKS=1
 IS_APACHE_CONFENABLED=1
+IS_MELTDOWN_SPECTRE=1
 
 #Proper to OpenBSD
 IS_SOFTDEP=1
@@ -804,6 +805,28 @@ if [ -e /etc/debian_version ]; then
         grep -q 'Include conf.d' /etc/apache2/apache2.conf && \
           echo 'IS_APACHE_CONFENABLED FAILED!'
     fi
+
+    if [ "$IS_MELTDOWN_SPECTRE" = 1 ]; then
+        # For Stretch, detection is easy as the kernel use
+        # /sys/devices/system/cpu/vulnerabilities/
+        if is_debianversion stretch; then
+            for vuln in meltdown spectre_v1 spectre_v2; do
+                test -f /sys/devices/system/cpu/vulnerabilities/$vuln || echo 'IS_MELTDOWN_SPECTRE FAILED!'
+            done
+        # For Jessie this is quite complicated to verify and we need to use kernel config file
+        elif is_debianversion jessie; then
+            if grep -q BOOT_IMAGE= /proc/cmdline; then
+                kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
+                kernelVer=${kernelPath##*/vmlinuz-}
+                kernelConfig="config-${kernelVer}"
+                # Sometimes autodetection of kernel config file fail, so we test if the file really exists.
+                if [ -f /boot/$kernelConfig ]; then
+                    grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
+                    grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
+                fi
+            fi
+        fi
+    fi
 fi