speed47 / spectre-meltdown-checker

Reptar, Downfall, Zenbleed, ZombieLoad, RIDL, Fallout, Foreshadow, Spectre, Meltdown vulnerability/mitigation checker for Linux & BSD

XU4 #164

Closed Dmole closed 6 years ago

Dmole commented 6 years ago

Report for the XU4;

Spectre and Meltdown mitigation detection tool v0.35

Checking for vulnerabilities on current system
Kernel is Linux 4.14.26-119 #1 SMP PREEMPT Tue Mar 13 08:11:46 UTC 2018 armv7l
CPU is ARM v7 model 0xc07

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  UNKNOWN  (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
    * CPU indicates IBRS capability:  UNKNOWN  (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  UNKNOWN  (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
    * CPU indicates IBPB capability:  UNKNOWN  (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  UNKNOWN  (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
    * CPU indicates STIBP capability:  UNKNOWN  (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  UNKNOWN  (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  UNKNOWN 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  UNKNOWN 
  * CPU microcode is known to cause stability problems:  NO 
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  NO 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec:  UNKNOWN  (couldn't check (couldn't extract your kernel from /boot/vmlinuz-4.14.26-119))
* Kernel has the Red Hat/Ubuntu patch:  UNKNOWN  (couldn't check (couldn't extract your kernel from /boot/vmlinuz-4.14.26-119))
* Checking count of LFENCE instructions following a jump in kernel...  UNKNOWN  (couldn't check (couldn't extract your kernel from /boot/vmlinuz-4.14.26-119))
> STATUS:  UNKNOWN  (Couldn't find kernel image or tools missing to execute the checks)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO 
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO 
    * IBRS enabled for User space:  NO 
    * IBPB enabled:  NO 
* Mitigation 2
  * Kernel compiled with retpoline option:  NO 
  * Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active:  NO 
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer

The "Couldn't find kernel image or tools missing to execute the checks" note seems to be wrong...

Dmole commented 6 years ago

The man pages for /dev/cpu/0/msr and /dev/cpu/0/cpuid say they are x86 specific; probably should not be checked if not running on an x86.

speed47 commented 6 years ago

Can you run it again in very verbose mode? (-v -v) You should have more details about the image decompression; for some reason it seems the script can't read/understand your kernel image.

About msr/cpuid, indeed, I'll add a check for x86. This won't change the script result, but the output will be nicer to the eyes of non-x86 owners ;)

Dmole commented 6 years ago

Thanks;

> git rev-parse --short HEAD
053f161
> bash spectre-meltdown-checker.sh -v -v
Spectre and Meltdown mitigation detection tool v0.35

Checking for vulnerabilities on current system
Kernel is Linux 4.14.26-119 #1 SMP PREEMPT Tue Mar 13 08:11:46 UTC 2018 armv7l
CPU is ARM v7 model 0xc07
Will use vmlinux image /boot/vmlinuz-4.14.26-119
Will use kconfig /proc/config.gz (decompressed)
Will use System.map file /proc/kallsyms
(debug) try_decompress: magic for gunzip found at offset 27501:xy
(debug) try_decompress: decompression with gunzip did not work
(debug) try_decompress: magic for gunzip found at offset 5059753:xy
(debug) try_decompress: decompression with gunzip did not work
(debug) try_decompress: magic for gunzip found at offset 5149961:xy
(debug) try_decompress: decompression with gunzip did not work
(debug) try_decompress: magic for unlzma found at offset 2898:xxx
(debug) try_decompress: decompression with unlzma did not work

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available: (debug) attempted to load module msr, insmod_msr=
 UNKNOWN  (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
    * CPU indicates IBRS capability: (debug) attempted to load module cpuid, insmod_cpuid=
 UNKNOWN  (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
    * Kernel has set the spec_ctrl flag in cpuinfo:  NO 
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  UNKNOWN  (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
    * CPU indicates IBPB capability: (debug) attempted to load module cpuid, insmod_cpuid=
 UNKNOWN  (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  UNKNOWN  (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
    * CPU indicates STIBP capability: (debug) attempted to load module cpuid, insmod_cpuid=
 UNKNOWN  (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability: (debug) attempted to load module cpuid, insmod_cpuid=
 UNKNOWN  (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  UNKNOWN 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  UNKNOWN 
  * CPU microcode is known to cause stability problems:  NO 
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1: (debug) checking cpu1: <0xc07> <7>
(debug) checking cpu1: this arm non vulnerable to 1 & 2
(debug) checking cpu1: this arm non vulnerable to meltdown
(debug) is_cpu_vulnerable: for cpu1 and so far, we have <immune> <immune> <immune>
(debug) checking cpu2: <0xc07> <7>
(debug) checking cpu2: this arm non vulnerable to 1 & 2
(debug) checking cpu2: this arm non vulnerable to meltdown
(debug) is_cpu_vulnerable: for cpu2 and so far, we have <immune> <immune> <immune>
(debug) checking cpu3: <0xc07> <7>
(debug) checking cpu3: this arm non vulnerable to 1 & 2
(debug) checking cpu3: this arm non vulnerable to meltdown
(debug) is_cpu_vulnerable: for cpu3 and so far, we have <immune> <immune> <immune>
(debug) checking cpu4: <0xc07> <7>
(debug) checking cpu4: this arm non vulnerable to 1 & 2
(debug) checking cpu4: this arm non vulnerable to meltdown
(debug) is_cpu_vulnerable: for cpu4 and so far, we have <immune> <immune> <immune>
(debug) checking cpu5: <0xc0f> <7>
(debug) checking cpu5: this armv7 vulnerable to spectre 1 & 2
(debug) checking cpu5: this arm non vulnerable to meltdown
(debug) is_cpu_vulnerable: for cpu5 and so far, we have <vuln> <vuln> <immune>
(debug) checking cpu6: <0xc0f> <7>
(debug) checking cpu6: this armv7 vulnerable to spectre 1 & 2
(debug) checking cpu6: this arm non vulnerable to meltdown
(debug) is_cpu_vulnerable: for cpu6 and so far, we have <vuln> <vuln> <immune>
(debug) checking cpu7: <0xc0f> <7>
(debug) checking cpu7: this armv7 vulnerable to spectre 1 & 2
(debug) checking cpu7: this arm non vulnerable to meltdown
(debug) is_cpu_vulnerable: for cpu7 and so far, we have <vuln> <vuln> <immune>
(debug) checking cpu8: <0xc0f> <7>
(debug) checking cpu8: this armv7 vulnerable to spectre 1 & 2
(debug) checking cpu8: this arm non vulnerable to meltdown
(debug) is_cpu_vulnerable: for cpu8 and so far, we have <vuln> <vuln> <immune>
(debug) is_cpu_vulnerable: temp results are <vuln> <vuln> <immune>
(debug) is_cpu_vulnerable: final results are <0> <0> <1>
 YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  NO 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec:  UNKNOWN  (couldn't check (couldn't extract your kernel from /boot/vmlinuz-4.14.26-119))
* Kernel has the Red Hat/Ubuntu patch:  UNKNOWN  (couldn't check (couldn't extract your kernel from /boot/vmlinuz-4.14.26-119))
* Checking count of LFENCE instructions following a jump in kernel...  UNKNOWN  (couldn't check (couldn't extract your kernel from /boot/vmlinuz-4.14.26-119))
> STATUS:  UNKNOWN  (Couldn't find kernel image or tools missing to execute the checks)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support: (debug) ibrs: /sys/kernel/debug/ibrs_enabled file doesn't exist
(debug) ibrs: /sys/kernel/debug/x86/ibrs_enabled file doesn't exist
(debug) ibrs: /proc/sys/kernel/ibrs_enabled file doesn't exist
 NO 
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO 
    * IBRS enabled for User space:  NO 
    * IBPB enabled:  NO 
* Mitigation 2
  * Kernel compiled with retpoline option:  NO 
  * Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active: (debug) kpti_enabled: couldn't find any hint that PTI is enabled
 NO 
* Performance impact if PTI is enabled
  * CPU supports PCID:  NO  (no security impact but performance will be degraded with PTI)
  * CPU supports INVPCID:  NO  (no security impact but performance will be degraded with PTI)
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer

speed47 commented 6 years ago

(debug) try_decompress: magic for gunzip found at offset 27501:xy
(debug) try_decompress: decompression with gunzip did not work
(debug) try_decompress: magic for gunzip found at offset 5059753:xy
(debug) try_decompress: decompression with gunzip did not work
(debug) try_decompress: magic for gunzip found at offset 5149961:xy
(debug) try_decompress: decompression with gunzip did not work
(debug) try_decompress: magic for unlzma found at offset 2898:xxx
(debug) try_decompress: decompression with unlzma did not work

OK so clearly the script couldn't extract your kernel image properly. Do you happen to know which compression format it uses? Does file /boot/vmlinuz-4.14.26-119 indicate it? If not, would you be able to upload it somewhere so I can have a look? The script supports gzip, xz, bzip2, lzma, lzop and lz4; maybe your compression format is yet different.

Dmole commented 6 years ago
> file /boot/vmlinuz-4.14.26-119
/boot/vmlinuz-4.14.26-119: Linux kernel ARM boot executable zImage (little-endian)
> file /boot/vmlinuz-4.14.26-119 --mime
/boot/vmlinuz-4.14.26-119: application/octet-stream; charset=binary

maybe I should cut up the file first though.

speed47 commented 6 years ago

Hmm. Did you compile it yourself or is it readily available somewhere in some well-known distro I can fetch?

Dmole commented 6 years ago

I compiled my own Kernel in the past for this board, but I'm using stock ( src, bin ) for this test. Well-known distros (debian, fedora, arch) don't ship kernels for non-x86, so arm/aarch64 kernels are independent from the distro (why there are ~1,849 repos in LineageOS).

speed47 commented 6 years ago

Thanks, the kernel is compressed by an already supported algorithm (gzip in this case) but the resulting decompressed file is not the kernel image directly. The image is at a non-zero offset. I added code to support this in the offset branch. Could you try it?

Dmole commented 6 years ago
> bash spectre-meltdown-checker.sh -v -v
Spectre and Meltdown mitigation detection tool v0.35

Checking for vulnerabilities on current system
Kernel is Linux 4.14.26-119 #1 SMP PREEMPT Tue Mar 13 08:11:46 UTC 2018 armv7l
CPU is ARM v7 model 0xc07
Will use vmlinux image /boot/vmlinuz-4.14.26-119
Will use kconfig /proc/config.gz (decompressed)
Will use System.map file /proc/kallsyms
(debug) try_decompress: looking for gunzip magic in /boot/vmlinuz-4.14.26-119
(debug) try_decompress: magic for gunzip found at offset 27501:xy
(debug) try_decompress: decompression with gunzip worked but result is not a kernel, trying with an offset
(debug) try_decompress: looking for cat magic in /tmp/vmlinux-ptrtPJ
(debug) try_decompress: magic for cat found at offset 10745961:xxy
(debug) try_decompress: decompressed with cat successfully!
Kernel image version is unknown

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available: (debug) attempted to load module msr, insmod_msr=
 UNKNOWN  (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
    * CPU indicates IBRS capability: (debug) attempted to load module cpuid, insmod_cpuid=
 UNKNOWN  (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
    * Kernel has set the spec_ctrl flag in cpuinfo:  NO 
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  UNKNOWN  (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
    * CPU indicates IBPB capability: (debug) attempted to load module cpuid, insmod_cpuid=
 UNKNOWN  (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  UNKNOWN  (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
    * CPU indicates STIBP capability: (debug) attempted to load module cpuid, insmod_cpuid=
 UNKNOWN  (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability: (debug) attempted to load module cpuid, insmod_cpuid=
 UNKNOWN  (couldn't read /dev/cpu/0/cpuid, is cpuid support enabled in your kernel?)
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  UNKNOWN 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  UNKNOWN 
  * CPU microcode is known to cause stability problems:  NO 
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1: (debug) checking cpu1: <0xc07> <7>
(debug) checking cpu1: this arm non vulnerable to 1 & 2
(debug) checking cpu1: this arm non vulnerable to meltdown
(debug) is_cpu_vulnerable: for cpu1 and so far, we have <immune> <immune> <immune>
(debug) checking cpu2: <0xc07> <7>
(debug) checking cpu2: this arm non vulnerable to 1 & 2
(debug) checking cpu2: this arm non vulnerable to meltdown
(debug) is_cpu_vulnerable: for cpu2 and so far, we have <immune> <immune> <immune>
(debug) checking cpu3: <0xc07> <7>
(debug) checking cpu3: this arm non vulnerable to 1 & 2
(debug) checking cpu3: this arm non vulnerable to meltdown
(debug) is_cpu_vulnerable: for cpu3 and so far, we have <immune> <immune> <immune>
(debug) checking cpu4: <0xc07> <7>
(debug) checking cpu4: this arm non vulnerable to 1 & 2
(debug) checking cpu4: this arm non vulnerable to meltdown
(debug) is_cpu_vulnerable: for cpu4 and so far, we have <immune> <immune> <immune>
(debug) checking cpu5: <0xc0f> <7>
(debug) checking cpu5: this armv7 vulnerable to spectre 1 & 2
(debug) checking cpu5: this arm non vulnerable to meltdown
(debug) is_cpu_vulnerable: for cpu5 and so far, we have <vuln> <vuln> <immune>
(debug) checking cpu6: <0xc0f> <7>
(debug) checking cpu6: this armv7 vulnerable to spectre 1 & 2
(debug) checking cpu6: this arm non vulnerable to meltdown
(debug) is_cpu_vulnerable: for cpu6 and so far, we have <vuln> <vuln> <immune>
(debug) checking cpu7: <0xc0f> <7>
(debug) checking cpu7: this armv7 vulnerable to spectre 1 & 2
(debug) checking cpu7: this arm non vulnerable to meltdown
(debug) is_cpu_vulnerable: for cpu7 and so far, we have <vuln> <vuln> <immune>
(debug) checking cpu8: <0xc0f> <7>
(debug) checking cpu8: this armv7 vulnerable to spectre 1 & 2
(debug) checking cpu8: this arm non vulnerable to meltdown
(debug) is_cpu_vulnerable: for cpu8 and so far, we have <vuln> <vuln> <immune>
(debug) is_cpu_vulnerable: temp results are <vuln> <vuln> <immune>
(debug) is_cpu_vulnerable: final results are <0> <0> <1>
 YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  NO 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec:  NO 
* Kernel has the Red Hat/Ubuntu patch:  NO 
* Checking count of LFENCE instructions following a jump in kernel... objdump: /tmp/vmlinux-G0rEmi: File format not recognized
 NO  (only 0 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS:  VULNERABLE  (Kernel source needs to be patched to mitigate the vulnerability)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support: (debug) ibrs: /sys/kernel/debug/ibrs_enabled file doesn't exist
(debug) ibrs: /sys/kernel/debug/x86/ibrs_enabled file doesn't exist
(debug) ibrs: /proc/sys/kernel/ibrs_enabled file doesn't exist
 NO 
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO 
    * IBRS enabled for User space:  NO 
    * IBPB enabled:  NO 
* Mitigation 2
  * Kernel compiled with retpoline option:  NO 
  * Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active: (debug) kpti_enabled: couldn't find any hint that PTI is enabled
 NO 
* Performance impact if PTI is enabled
  * CPU supports PCID:  NO  (no security impact but performance will be degraded with PTI)
  * CPU supports INVPCID:  NO  (no security impact but performance will be degraded with PTI)
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer

speed47 commented 6 years ago

Interesting, there are actually 2 ELF images in the vmlinuz, and the first one is half-parsed by readelf but doesn't make it error, so the image was considered valid. I've implemented a more robust check for extracted vmlinux validity. I've also implemented cross-architecture support so that an ARM kernel can be tested from a non-ARM system (such as mine).

The branch has been updated:

$ ./spectre-meltdown-checker.sh --kernel /mnt/a/boot/vmlinuz-4.14.5-92 --arch-prefix arm-linux-gnueabihf- 
Spectre and Meltdown mitigation detection tool v0.35

Checking for vulnerabilities against specified kernel
CPU is Intel(R) Pentium(R) CPU G3420 @ 3.20GHz
We're missing some kernel info (see -v), accuracy might be reduced
Kernel image is 4.14.5-92 #1 SMP PREEMPT Mon Dec 11 15:48:15 UTC 2017 

Hardware check
[...irrelevant because I don't have your CPU...]

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec:  NO 
* Kernel has the Red Hat/Ubuntu patch:  NO 
* Checking count of LFENCE instructions following a jump in kernel...  NO  (only 0 jump-then-lfence instructions found, should be >= 30 (heuristic))
> STATUS:  VULNERABLE  (Kernel source needs to be patched to mitigate the vulnerability)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO 
  * Currently enabled features
    * IBRS enabled for Kernel space:  N/A  (not testable in offline mode)
    * IBRS enabled for User space:  N/A  (not testable in offline mode)
    * IBPB enabled:  N/A  (not testable in offline mode)
* Mitigation 2
  * Kernel compiled with retpoline option:  NO 
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active:  N/A  (can't verify if PTI is enabled in offline mode)
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
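The two extraction problems discussed in this thread, a gzip stream that starts at a non-zero offset inside the zImage and a decompressed payload that carries a decoy ELF ahead of the real vmlinux, are shown below in Python as an added illustration; this is not code from spectre-meltdown-checker, which is a shell script, and the zImage it scans is a constructed stand-in built in `build_sample_zimage`. Instead of trusting readelf's exit status, `elf_header_ok` parses the ELF32 header fields and rejects a header whose section table points past the end of the image.

```python
import gzip
import struct
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1 ID2 CM=deflate
ELF_MAGIC = b"\x7fELF"
EM_ARM = 40                     # e_machine value for 32-bit ARM

def decompress_gzip_at(blob, offset):
    """Inflate the gzip stream that starts at offset; None if it is not one."""
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip wrapper, trailing junk tolerated
    try:
        return inflater.decompress(blob[offset:]) or None
    except zlib.error:
        return None

def elf_header_ok(data, off, want_machine=None):
    """Sanity-check a 32-bit ELF header instead of trusting the magic alone."""
    if data[off:off + 4] != ELF_MAGIC or len(data) - off < 52:
        return False
    ei_class, ei_data = data[off + 4], data[off + 5]
    if ei_class != 1 or ei_data not in (1, 2):          # ELFCLASS32, LSB or MSB
        return False
    end = "<" if ei_data == 1 else ">"
    e_type, e_machine, e_version = struct.unpack_from(end + "HHI", data, off + 16)
    (e_shoff,) = struct.unpack_from(end + "I", data, off + 32)
    e_ehsize, _, _, e_shentsize, e_shnum, _ = struct.unpack_from(end + "6H", data, off + 40)
    if e_version != 1 or e_ehsize != 52 or e_type not in (1, 2, 3, 4):
        return False
    if want_machine is not None and e_machine != want_machine:
        return False
    # A section header table that points past the end of the image is bogus.
    return not e_shoff or e_shoff + e_shnum * e_shentsize <= len(data) - off

def find_kernel(blob, want_machine=None):
    """Try every gzip magic; in each inflated payload, try every ELF magic.
    Returns (gzip_offset, elf_offset, elf_image) or None."""
    gpos = blob.find(GZIP_MAGIC)
    while gpos != -1:
        payload = decompress_gzip_at(blob, gpos)
        epos = payload.find(ELF_MAGIC) if payload else -1
        while epos != -1:
            if elf_header_ok(payload, epos, want_machine):
                return gpos, epos, payload[epos:]
            epos = payload.find(ELF_MAGIC, epos + 1)
        gpos = blob.find(GZIP_MAGIC, gpos + 1)
    return None

def make_elf32(machine, body, shoff=0, shnum=0):
    """Constructed minimal ELF32 LSB executable header followed by body."""
    ident = ELF_MAGIC + bytes([1, 1, 1]) + bytes(9)     # class32, LSB, EV_CURRENT
    fields = struct.pack("<HHIIIIIHHHHHH", 2, machine, 1, 0x8000, 0, shoff, 0, 52, 0, 0, 40, shnum, 0)
    return ident + fields + body

def build_sample_zimage():
    """Constructed stand-in for the thread's zImage: decompressor stub, a false gzip
    magic, then a real gzip stream holding a decoy ELF ahead of the real ARM vmlinux."""
    decoy = make_elf32(EM_ARM, bytes(64), shoff=0x7FFF0000, shnum=4)  # table past the end
    real = make_elf32(EM_ARM, b"Linux version 4.14.26-119 (constructed)\x00")
    payload = bytes(100) + decoy + bytes(37) + real
    stub = b"\xe1\xa0\x00\x00" * 30 + GZIP_MAGIC + bytes(13)   # 136 bytes before the real stream
    return stub + gzip.compress(payload) + bytes(16)
```

`find_kernel(build_sample_zimage(), want_machine=EM_ARM)` skips the false magic at offset 120, inflates the stream at 136 and returns the ELF at payload offset 253, having rejected the decoy at offset 100.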