From 2c6d075e2a9749d2805fb52ec5a2c7274f73dfc7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=2ES?=
Date: Thu, 11 Jan 2018 11:24:42 +0100
Subject: [PATCH 01/10] Add IS_MELTDOWN

We check kaiser flags in /proc/cpuinfo and CONFIG_PAGE_TABLE_ISOLATION in kernel config file.
---
 evocheck.sh | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/evocheck.sh b/evocheck.sh
index 529d89f..f5dc5a1 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -97,6 +97,7 @@ IS_REDIS_BACKUP=1
 IS_ELASTIC_BACKUP=1
 IS_MONGO_BACKUP=1
 IS_MOUNT_FSTAB=1
+IS_MELTDOWN=1
 #Proper to OpenBSD
 IS_SOFTDEP=1
@@ -704,6 +705,18 @@ if [ -e /etc/debian_version ]; then
 && test -f /etc/squid/evolinux-custom.conf) || echo 'IS_SQUIDEVOLINUXCONF FAILED!'
 fi
 fi
+
+ if [ "$IS_MELTDOWN" = 1 ]; then
+ if grep -q BOOT_IMAGE= /proc/cmdline; then
+ # We check if the current running kernel has CONFIG_PAGE_TABLE_ISOLATION enabled
+ kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
+ kernelVer=${kernelPath##*/vmlinuz-}
+ kernelConfig="config-${kernelVer}"
+ grep -Eq '^(CONFIG_PAGE_TABLE_ISOLATION|CONFIG_KAISER)=y' /boot/$kernelConfig || echo 'IS_MELTDOWN FAILED!'
+ fi
+ # We check if the running kernel has kaiser loaded
+ grep -Eq '^flags\s+:\s+.+(kaiser).+' /proc/cpuinfo || echo 'IS_MELTDOWN FAILED!'
+ fi
 fi

From 1418d4306e81152fa949821484a7d1226e1f2d5b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=2ES?=
Date: Thu, 11 Jan 2018 11:52:43 +0100
Subject: [PATCH 02/10] Modified Meltdown check to handle kaiser and pti

---
 evocheck.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/evocheck.sh b/evocheck.sh
index f5dc5a1..97008ab 100755
--- a/evocheck.sh
+++ b/evocheck.sh
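Review bot: The `grep -Eq '^(CONFIG_PAGE_TABLE_ISOLATION|CONFIG_KAISER)=y' /boot/$kernelConfig` line proves only that page-table isolation was compiled into the running kernel, not that it is active, and the same config-only test returns for Jessie in [PATCH 09/10]. A kernel built with it can still be booted with isolation disabled through the `nopti` or `pti=off` command-line options, so the check should also reject those, e.g. `grep -Eqw 'nopti|pti=off' /proc/cmdline && echo 'IS_MELTDOWN FAILED!'`. The `/proc/cpuinfo` pattern `'^flags\s+:\s+.+(kaiser).+'` also requires at least one character after the flag, so a `kaiser` that ends the flags line is not matched; `grep -qw kaiser` on the flags line would be exact. When `/proc/cmdline` has no `BOOT_IMAGE=` entry the config test is skipped silently, which reads as a pass. The enclosing `if [ -e /etc/debian_version ]` block starts outside the hunk.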
@@ -715,7 +715,7 @@ if [ -e /etc/debian_version ]; then
 grep -Eq '^(CONFIG_PAGE_TABLE_ISOLATION|CONFIG_KAISER)=y' /boot/$kernelConfig || echo 'IS_MELTDOWN FAILED!'
 fi
 # We check if the running kernel has kaiser loaded
- grep -Eq '^flags\s+:\s+.+(kaiser).+' /proc/cpuinfo || echo 'IS_MELTDOWN FAILED!'
+ grep '^flags' /proc/cpuinfo | grep -qEw '(kaiser|pti)' || echo 'IS_MELTDOWN FAILED!'
 fi
 fi

From d2278292ccf4340913ac6982961e0f011e077a3a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=2ES?=
Date: Thu, 11 Jan 2018 14:45:12 +0100
Subject: [PATCH 03/10] Diffrent test for Jessie kernel

---
 evocheck.sh | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/evocheck.sh b/evocheck.sh
index 97008ab..46982cb 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -712,10 +712,16 @@ if [ -e /etc/debian_version ]; then
 kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
 kernelVer=${kernelPath##*/vmlinuz-}
 kernelConfig="config-${kernelVer}"
- grep -Eq '^(CONFIG_PAGE_TABLE_ISOLATION|CONFIG_KAISER)=y' /boot/$kernelConfig || echo 'IS_MELTDOWN FAILED!'
+ grep -Eq '^(CONFIG_PAGE_TABLE_ISOLATION|CONFIG_KAISER)=y' "/boot/${kernelConfig}" \
+ || echo 'IS_MELTDOWN FAILED!'
 fi
 # We check if the running kernel has kaiser loaded
- grep '^flags' /proc/cpuinfo | grep -qEw '(kaiser|pti)' || echo 'IS_MELTDOWN FAILED!'
+ if is_debianversion stretch; then
+ grep '^flags' /proc/cpuinfo | grep -qEw '(kaiser|pti)' || echo 'IS_MELTDOWN FAILED!'
+ elif is_debianversion jessie; then
+ dmesg | grep -Eq 'Kernel/User page tables isolation: enabled|Kernel page table isolation enabled' \
+ || echo 'IS_MELTDOWN FAILED!'
+ fi
 fi
 fi

From 57bd4312cea6ce1d5b9c23e3e8307f1bc42852cb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=2ES?=
Date: Thu, 11 Jan 2018 14:46:46 +0100
Subject: [PATCH 04/10] Breakline indentation

---
 evocheck.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/evocheck.sh b/evocheck.sh
index 46982cb..53a70a4 100755
--- a/evocheck.sh
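Review bot: The new `if is_debianversion stretch … elif is_debianversion jessie` chain in [PATCH 03/10] has no `else`, so on any other Debian release the running-kernel part of IS_MELTDOWN runs nothing and prints nothing, which reads as a pass; add a default branch such as `else echo 'IS_MELTDOWN FAILED!'`, or keep the previous unconditional cpuinfo grep as that default. The Jessie branch also depends on `dmesg` output, which is gone once the kernel ring buffer wraps on a long-running host and may be unavailable to an unprivileged caller, so a missing message yields a false failure rather than a confirmed state. The surrounding `if [ "$IS_MELTDOWN" = 1 ]` block starts outside the hunk.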
+++ b/evocheck.sh
@@ -720,7 +720,7 @@ if [ -e /etc/debian_version ]; then
 grep '^flags' /proc/cpuinfo | grep -qEw '(kaiser|pti)' || echo 'IS_MELTDOWN FAILED!'
 elif is_debianversion jessie; then
 dmesg | grep -Eq 'Kernel/User page tables isolation: enabled|Kernel page table isolation enabled' \
- || echo 'IS_MELTDOWN FAILED!'
+ || echo 'IS_MELTDOWN FAILED!'
 fi
 fi
 fi

From ee60e28a5add36fb6b55231f8e39f275b5592409 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20S?=
Date: Wed, 27 Jun 2018 17:30:18 +0200
Subject: [PATCH 05/10] We cannot rely on dmesg

---
 evocheck.sh | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/evocheck.sh b/evocheck.sh
index 53a70a4..0d23dfe 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -718,9 +718,6 @@ if [ -e /etc/debian_version ]; then
 # We check if the running kernel has kaiser loaded
 if is_debianversion stretch; then
 grep '^flags' /proc/cpuinfo | grep -qEw '(kaiser|pti)' || echo 'IS_MELTDOWN FAILED!'
- elif is_debianversion jessie; then
- dmesg | grep -Eq 'Kernel/User page tables isolation: enabled|Kernel page table isolation enabled' \
- || echo 'IS_MELTDOWN FAILED!'
 fi
 fi
 fi

From 3451218a167e5b2efebed1f80234c9d2596546d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20S?=
Date: Wed, 27 Jun 2018 17:33:24 +0200
Subject: [PATCH 06/10] Do not use the BOOT_IMAGE trick

---
 evocheck.sh | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/evocheck.sh b/evocheck.sh
index 0d23dfe..b4984bb 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -707,14 +707,6 @@ if [ -e /etc/debian_version ]; then
 fi
 if [ "$IS_MELTDOWN" = 1 ]; then
- if grep -q BOOT_IMAGE= /proc/cmdline; then
- # We check if the current running kernel has CONFIG_PAGE_TABLE_ISOLATION enabled
- kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
- kernelVer=${kernelPath##*/vmlinuz-}
- kernelConfig="config-${kernelVer}"
- grep -Eq '^(CONFIG_PAGE_TABLE_ISOLATION|CONFIG_KAISER)=y' "/boot/${kernelConfig}" \
- || echo 'IS_MELTDOWN FAILED!'
- fi
 # We check if the running kernel has kaiser loaded
 if is_debianversion stretch; then
 grep '^flags' /proc/cpuinfo | grep -qEw '(kaiser|pti)' || echo 'IS_MELTDOWN FAILED!'

From 33b19090e6c2462228f9f650f1e83da0b5928406 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20S?=
Date: Wed, 27 Jun 2018 17:45:11 +0200
Subject: [PATCH 07/10] Add check for spectre v2

---
 evocheck.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/evocheck.sh b/evocheck.sh
index b4984bb..9c11b1a 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -97,7 +97,7 @@ IS_REDIS_BACKUP=1
 IS_ELASTIC_BACKUP=1
 IS_MONGO_BACKUP=1
 IS_MOUNT_FSTAB=1
-IS_MELTDOWN=1
+IS_MELTDOWN_SPECTRE=1
 #Proper to OpenBSD
 IS_SOFTDEP=1
@@ -706,10 +706,11 @@ if [ -e /etc/debian_version ]; then
 fi
 fi
- if [ "$IS_MELTDOWN" = 1 ]; then
+ if [ "$IS_MELTDOWN_SPECTRE" = 1 ]; then
 # We check if the running kernel has kaiser loaded
 if is_debianversion stretch; then
- grep '^flags' /proc/cpuinfo | grep -qEw '(kaiser|pti)' || echo 'IS_MELTDOWN FAILED!'
+ grep '^flags' /proc/cpuinfo | grep -qEw '(kaiser|pti)' || echo 'IS_MELTDOWN_SPECTRE FAILED!'
+ test -f /sys/devices/system/cpu/vulnerabilities/spectre_v2 || echo 'IS_MELTDOWN_SPECTRE FAILED!'
 fi
 fi
 fi

From 62b61aabf169ebc9e7e741f4190507f177a9642d Mon Sep 17 00:00:00 2001
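Review bot: `test -f /sys/devices/system/cpu/vulnerabilities/spectre_v2` in [PATCH 07/10] only verifies that the kernel exposes the sysfs vulnerabilities interface, not that a mitigation is in place: the file exists on an unmitigated kernel too, where it reads `Vulnerable` instead of `Mitigation: …` or `Not affected`. The loop added in [PATCH 08/10] keeps the same existence-only test for `meltdown`, `spectre_v1` and `spectre_v2`. Read the content instead, e.g. `grep -q '^Vulnerable' /sys/devices/system/cpu/vulnerabilities/spectre_v2 && echo 'IS_MELTDOWN_SPECTRE FAILED!'`, after the `test -f` so kernels without the interface still fail. The check also still runs only under `if is_debianversion stretch`, so other releases print nothing and read as a pass. The enclosing `if [ -e /etc/debian_version ]` block starts outside the hunk.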
From: =?UTF-8?q?Beno=C3=AEt=20S?=
Date: Wed, 27 Jun 2018 17:49:44 +0200
Subject: [PATCH 08/10] Well... For Stretch use only /sys/devices/system/cpu/vulnerabilities/

---
 evocheck.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/evocheck.sh b/evocheck.sh
index 9c11b1a..e634be4 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -707,10 +707,10 @@ if [ -e /etc/debian_version ]; then
 fi
 if [ "$IS_MELTDOWN_SPECTRE" = 1 ]; then
- # We check if the running kernel has kaiser loaded
 if is_debianversion stretch; then
- grep '^flags' /proc/cpuinfo | grep -qEw '(kaiser|pti)' || echo 'IS_MELTDOWN_SPECTRE FAILED!'
- test -f /sys/devices/system/cpu/vulnerabilities/spectre_v2 || echo 'IS_MELTDOWN_SPECTRE FAILED!'
+ for vuln in meltdown spectre_v1 spectre_v2; do
+ test -f /sys/devices/system/cpu/vulnerabilities/$vuln || echo 'IS_MELTDOWN_SPECTRE FAILED!'
+ done
 fi
 fi
 fi

From ae1ec7b2b9f3bd2d1c78af544562dd207ef5f330 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20S?=
Date: Wed, 27 Jun 2018 18:01:07 +0200
Subject: [PATCH 09/10] Redo the jessie part

---
 evocheck.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/evocheck.sh b/evocheck.sh
index e634be4..f5c88a3 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -707,10 +707,21 @@ if [ -e /etc/debian_version ]; then
 fi
 if [ "$IS_MELTDOWN_SPECTRE" = 1 ]; then
+ # For Stretch, detection is easy as the kernel use
+ # /sys/devices/system/cpu/vulnerabilities/
 if is_debianversion stretch; then
 for vuln in meltdown spectre_v1 spectre_v2; do
 test -f /sys/devices/system/cpu/vulnerabilities/$vuln || echo 'IS_MELTDOWN_SPECTRE FAILED!'
 done
+ # For Jessie this is quite complicated to verify and we need to use kernel config file
+ elif is_debianversion jessie; then
+ if grep -q BOOT_IMAGE= /proc/cmdline; then
+ kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
+ kernelVer=${kernelPath##*/vmlinuz-}
+ kernelConfig="config-${kernelVer}"
+ grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
+ grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
+ fi
 fi
 fi
 fi

From db23167246678114668d640f88ed9e2f6397ded2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20S?=
Date: Thu, 28 Jun 2018 11:48:22 +0200
Subject: [PATCH 10/10] Add a check for kernel config gile

---
 evocheck.sh | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/evocheck.sh b/evocheck.sh
index f5c88a3..da39630 100755
--- a/evocheck.sh
+++ b/evocheck.sh
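Review bot: `/boot/$kernelConfig` is unquoted in both new `grep -Eq` lines of [PATCH 09/10], and in the three lines [PATCH 10/10] adds around them; the quoted `"/boot/${kernelConfig}"` form that [PATCH 03/10] introduced should be kept. When `/proc/cmdline` carries no `BOOT_IMAGE=` entry the whole Jessie branch is skipped and prints nothing, which reads as a pass; `kernelConfig="config-$(uname -r)"` identifies the running kernel without depending on that boot-loader entry and makes the `grep -q BOOT_IMAGE=` guard unnecessary. Note also that `CONFIG_PAGE_TABLE_ISOLATION=y` and `CONFIG_RETPOLINE=y` describe how the kernel was built, not what is active at runtime, so this branch is weaker than the Stretch sysfs one and the new comment should say so. The enclosing `if [ -e /etc/debian_version ]` block starts outside the hunk.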
@@ -719,8 +719,11 @@ if [ -e /etc/debian_version ]; then
 kernelPath=$(grep -Eo 'BOOT_IMAGE=[^ ]+' /proc/cmdline | cut -d= -f2)
 kernelVer=${kernelPath##*/vmlinuz-}
 kernelConfig="config-${kernelVer}"
- grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
- grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
+ # Sometimes autodetection of kernel config file fail, so we test if the file really exists.
+ if [ -f /boot/$kernelConfig ]; then
+ grep -Eq '^CONFIG_PAGE_TABLE_ISOLATION=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
+ grep -Eq '^CONFIG_RETPOLINE=y' /boot/$kernelConfig || echo 'IS_MELTDOWN_SPECTRE FAILED!'
+ fi
 fi
 fi
 fi
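Review bot: The new `if [ -f /boot/$kernelConfig ]` guard turns a missing config file into silence, so a host whose kernel could not be verified produces the same output as a mitigated one; the unverified case should be visible, e.g. `else echo 'IS_MELTDOWN_SPECTRE FAILED!'` before the closing `fi`, or at least a distinct message on stderr naming the config file that was not found. The `-E` on both `grep` calls is unnecessary for these fixed patterns; `grep -q` alone is enough. The enclosing `elif is_debianversion jessie` branch and the `if grep -q BOOT_IMAGE=` test start outside the hunk.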