speed47 / spectre-meltdown-checker

Reptar, Downfall, Zenbleed, ZombieLoad, RIDL, Fallout, Foreshadow, Spectre, Meltdown vulnerability/mitigation checker for Linux & BSD

Chromebooks (Edgar) reported as vulnerable ... #66

Open festerspectre opened 6 years ago

festerspectre commented 6 years ago

Chrome is reported as patched against both Spectre and Meltdown. Results of running the checker in the developer shell are listed below. This is a vanilla machine w/ dev mode enabled specifically to run the checker's live test and see what the results were. Note the UNKNOWN result for CVE-2017-5753 and Mitigation 2 of CVE-2017-5715. chrome://flags/#enable-site-per-process is enabled on this machine.

Checking for vulnerabilities against live running kernel Linux 3.18.0-16288-g64d05cf80004 #1 SMP PREEMPT Mon Jan 8 23:16:08 PST 2018 x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  UNKNOWN 
> STATUS:  UNKNOWN  (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  UNKNOWN  (couldn't read your kernel configuration)
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active:  NO 
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

speed47 commented 6 years ago

I have no access to a Chromebook to be able to test on it, but based on the output of the script, it would seem that the script can't read the kernel configuration nor find the /boot image, so accuracy is very limited in that case. Can you run the script in more verbose mode? (./spectre-meltdown-checker.sh -v -v)

festerspectre commented 6 years ago

@speed47 results with -v -v

Checking for vulnerabilities against live running kernel Linux 3.18.0-16288-g64d05cf80004 #1 SMP PREEMPT Mon Jan 8 23:16:08 PST 2018 x86_64
Will use no vmlinux image (accuracy might be reduced)
Will use no kconfig (accuracy might be reduced)
Will use System.map file /proc/kallsyms

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  UNKNOWN 
> STATUS:  UNKNOWN  (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  UNKNOWN  (couldn't read your kernel configuration)
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active:  NO 
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

speed47 commented 6 years ago

Those are the important bits:

Will use no vmlinux image (accuracy might be reduced)
Will use no kconfig (accuracy might be reduced)

However I don't see the debug output that I would have expected with -v -v, are you using a recent version of the script? (you stripped out the version number from your excerpt so I can't tell)

festerspectre commented 6 years ago

@speed47 My bad, that was v0.27, here is the output for v0.28

Spectre and Meltdown mitigation detection tool v0.28

Checking for vulnerabilities against running kernel Linux 3.18.0-16288-g64d05cf80004 #1 SMP PREEMPT Mon Jan 8 23:16:08 PST 2018 x86_64
CPU is Intel(R) Celeron(R) CPU N3160 @ 1.60GHz
Will use no vmlinux image (accuracy might be reduced)
Will use no kconfig (accuracy might be reduced)
Will use System.map file /proc/kallsyms

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  UNKNOWN 
> STATUS:  UNKNOWN  (couldn't check (couldn't find your kernel image in /boot, if you used netboot, this is normal))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS: (debug) ibrs: file /sys/kernel/debug/ibrs_enabled doesn't exist
(debug) ibrs: file /sys/kernel/debug/x86/ibrs_enabled doesn't exist
(debug) ibrs: file /proc/sys/kernel/ibrs_enabled doesn't exist
 NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  UNKNOWN  (couldn't read your kernel configuration)
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active: (debug) kpti_enabled: couldn't find any hint that PTI is enabled
 NO 
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

speed47 commented 6 years ago

I'm not familiar with Chromebooks but I'm wondering if the developer shells can access the whole system. Could you post the output of the following commands?

ls /boot
ls /sys
cat /proc/cmdline

festerspectre commented 6 years ago

From https://www.chromium.org/chromium-os/chromiumos-design-docs/disk-format :

"Google Chrome OS devices (x86/x86_64/arm) have custom BIOSes that use yet another boot method to ensure that the user is running only the bits that are intended. Instead of a separate bootloader and kernel, there is one binary blob contained in its own GPT partition. That blob is cryptographically signed and the signature is verified before booting. Under normal conditions, the process is:

  1. The BIOS searches the first drive (only) for a GPT partition identified with our special ChromeOS Kernel Type GUID (fe3a2a5d-4f32-41a7-b725-accc3285a309). There should be two (image A and image B). Attribute bits within each partition table entry select which of the two is the most recent (or valid) one.
  2. The first 64K bytes of the kernel partition are reserved for the signature header for verified boot. Following that is the 32-bit part of the kernel, a few data structures, and our bootloader stub. BIOS verifies the signature, loads the rest of kernel stuff into memory, and invokes the bootloader stub.
  3. The bootloader stub is just an EFI application. It sets up any tables the kernel needs in order to continue booting, and jumps to the kernel's 32-bit entry point."

Requested output:

chronos@localhost ~ $ ls /boot
ls: cannot access '/boot': No such file or directory

chronos@localhost ~ $ ls /sys
block bus class dev devices firmware fs kernel module power

chronos@localhost ~ $ cat /proc/cmdline
cros_secure console= loglevel=7 init=/sbin/init cros_secure oops=panic panic=-1 root=/dev/dm-0 rootwait ro dm_verity.error_behavior=3 dm_verity.max_bios=-1 dm_verity.dev_wait=1 dm="1 vroot none ro 1,0 3584000 verity payload=PARTUUID=elided/PARTNROFF=1 hashtree=PARTUUID=elided/PARTNROFF=1 hashstart=3584000 alg=sha1 root_hexdigest=elided salt=elided" noinitrd vt.global_cursor_default=0 kern_guid=elided add_efi_memmap boot=local noresume noswap i915.modeset=1 tpm_tis.force=1 tpm_tis.interrupts=0 nmi_watchdog=panic,lapic

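The boot flow quoted above (kernel-type GUID, A/B kernel partitions, attribute bits choosing between them) is what makes the checker's "/boot" assumption fail: the kernel lives in its own GPT partition, not in a file. The Python below is an added example, not code from spectre-meltdown-checker or from Chromium OS. It builds a constructed GPT disk image with two Chrome OS kernel partitions, verifies the header and partition-table CRCs, finds the entries carrying the fe3a2a5d-4f32-41a7-b725-accc3285a309 type GUID, and picks the one the firmware would try first. The kernel GUID is the one quoted from the design doc; the attribute layout (bits 48-51 priority, 52-55 tries remaining, 56 successful flag) is cgpt's as documented on the same Chromium OS disk-format page; the selection rule, partition names, sizes and disk GUID are assumptions for the sample.

```python
"""Added example (not Chromium OS or checker code): find Chrome OS kernel
partitions in a GPT image and pick the one firmware would boot."""
import struct
import uuid
import zlib

SECTOR = 512
CROS_KERNEL_GUID = uuid.UUID("fe3a2a5d-4f32-41a7-b725-accc3285a309")  # from the design doc
HDR_FMT = "<8sIIIIQQQQ16sQIII"      # 92-byte GPT header, little-endian
ENT_FMT = "<16s16sQQQ72s"           # 128-byte partition entry


def cros_attrs(priority, tries, successful):
    """Pack the Chrome OS boot fields into the GPT attribute word (cgpt layout)."""
    return ((priority & 0xF) << 48) | ((tries & 0xF) << 52) | ((successful & 1) << 56)


def build_image(kernels):
    """Constructed sample disk: protective MBR at LBA 0, GPT header at LBA 1,
    128 entries from LBA 2. kernels = [(name, priority, tries, successful)].
    Partition sizes and GUIDs are arbitrary sample values."""
    entries = b""
    for i, (name, prio, tries, ok) in enumerate(kernels):
        first = 64 + i * 32768
        entries += struct.pack(ENT_FMT, CROS_KERNEL_GUID.bytes_le,
                               uuid.UUID(int=i + 1).bytes_le, first, first + 32767,
                               cros_attrs(prio, tries, ok), name.encode("utf-16-le"))
    entries = entries.ljust(128 * 128, b"\0")
    hdr = struct.pack(HDR_FMT, b"EFI PART", 0x00010000, 92, 0, 0,
                      1, 4095, 34, 4062, uuid.UUID(int=0xD15C).bytes_le,
                      2, 128, 128, zlib.crc32(entries))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]  # header CRC over zeroed field
    mbr = b"\0" * 510 + b"\x55\xaa"
    return mbr + hdr.ljust(SECTOR, b"\0") + entries


def find_cros_kernels(image):
    """Parse the primary GPT, verify both CRCs, and return the Chrome OS
    kernel entries with their decoded boot attributes."""
    raw = image[SECTOR:SECTOR + 92]
    (sig, _rev, hsize, hcrc, _r, _cur, _bak, _fu, _lu, _dg,
     ent_lba, n_ent, ent_size, ent_crc) = struct.unpack(HDR_FMT, raw)
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    if zlib.crc32(raw[:16] + b"\0\0\0\0" + raw[20:hsize]) != hcrc:
        raise ValueError("GPT header CRC mismatch")
    start = ent_lba * SECTOR
    table = image[start:start + n_ent * ent_size]
    if zlib.crc32(table) != ent_crc:
        raise ValueError("partition table CRC mismatch")
    kernels = []
    for i in range(n_ent):
        tguid, _ug, first, last, attrs, name = struct.unpack(
            ENT_FMT, table[i * ent_size:i * ent_size + 128])
        if uuid.UUID(bytes_le=tguid) != CROS_KERNEL_GUID:
            continue  # empty slot or a non-kernel partition (ROOT, STATE, ...)
        kernels.append({"name": name.decode("utf-16-le").rstrip("\0"),
                        "first_lba": first, "last_lba": last,
                        "priority": (attrs >> 48) & 0xF,
                        "tries": (attrs >> 52) & 0xF,
                        "successful": (attrs >> 56) & 1})
    return kernels


def pick_boot_kernel(kernels):
    """Assumed firmware rule: priority 0 is never booted, an entry must be
    marked successful or still have tries left, and the highest priority wins."""
    live = [k for k in kernels
            if k["priority"] > 0 and (k["successful"] or k["tries"] > 0)]
    return max(live, key=lambda k: k["priority"]) if live else None


if __name__ == "__main__":
    img = build_image([("KERN-A", 2, 0, 1), ("KERN-B", 1, 0, 0)])
    found = find_cros_kernels(img)
    for k in found:
        print(k)
    print("firmware would boot:", pick_boot_kernel(found)["name"])
```

Pointing find_cros_kernels at the first sectors of a real Chromebook's boot disk (for example the output of dd from the developer shell) would list KERN-A and KERN-B with their current priority/tries/successful state; the signature header that follows in the first 64K of the chosen partition is not parsed here.
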
speed47 commented 6 years ago

Wow, this seems to be a heavily modified Linux kernel, with a completely non-standard boot procedure. I'm not even sure the kernel image nor configuration is accessible from the OS once booted. As I don't have a Chromebook, and apparently no emulator exists, I can't really dig further. Adding the "help wanted" tag in case a Chromebook guru wants to jump in.

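When the checker cannot find a kernel image or kconfig, the practical fallback on newer kernels is the kernel's own report: since Linux 4.15, /sys/devices/system/cpu/vulnerabilities/ contains one file per issue (meltdown, spectre_v1, spectre_v2, ...) with a status line, which needs no access to /boot at all. That directory does not exist on the 3.18 kernel in this issue. The Python below is an added example, not code from spectre-meltdown-checker; it probes the standard locations a checker would look in for kconfig, kernel image and symbols, reads the sysfs directory when present, and stages a constructed tree (a netboot-style host with no /boot) so it runs offline. The staged status strings are sample values, not captured from a Chromebook.

```python
"""Added example (not part of spectre-meltdown-checker): find the inputs a
mitigation checker can use on a host, and read the kernel's own report."""
import os
import shutil
import tempfile

VULN_DIR = "sys/devices/system/cpu/vulnerabilities"   # present on Linux >= 4.15


def find_checker_inputs(root="/", krel=None):
    """Return the first readable kconfig, kernel image and symbol table under
    root; a root other than "/" lets you point at a staged or mounted tree."""
    krel = krel or os.uname().release
    candidates = {
        "kconfig": ["proc/config.gz", f"boot/config-{krel}",
                    f"lib/modules/{krel}/build/.config"],
        "vmlinux": [f"boot/vmlinuz-{krel}", "boot/vmlinuz", "boot/bzImage"],
        "symbols": [f"boot/System.map-{krel}", "proc/kallsyms"],
    }
    found = {}
    for kind, paths in candidates.items():
        found[kind] = next((os.path.join(root, p) for p in paths
                            if os.access(os.path.join(root, p), os.R_OK)), None)
    return found


def classify(status):
    """Map one sysfs status line to a coarse verdict."""
    if status.startswith("Not affected"):
        return "not_affected"
    if status.startswith("Mitigation:"):
        return "mitigated"
    if status.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs_vulnerabilities(root="/"):
    """Read every file in the kernel's vulnerabilities directory, if present;
    returns {} on kernels (like the 3.18 one in this issue) that predate it."""
    d = os.path.join(root, VULN_DIR)
    if not os.path.isdir(d):
        return {}
    result = {}
    for name in sorted(os.listdir(d)):
        with open(os.path.join(d, name)) as f:
            text = f.read().strip()
        result[name] = (classify(text), text)
    return result


def demo():
    """Stage a constructed tree resembling a netbooted 4.15-era host: no /boot,
    kallsyms present, sysfs reporting PTI on and an incomplete v2 mitigation."""
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "proc"))
        os.makedirs(os.path.join(root, VULN_DIR))
        open(os.path.join(root, "proc/kallsyms"), "w").close()
        sample = {"meltdown": "Mitigation: PTI",                      # constructed values
                  "spectre_v1": "Mitigation: __user pointer sanitization",
                  "spectre_v2": "Vulnerable: Minimal generic ASM retpoline"}
        for name, text in sample.items():
            with open(os.path.join(root, VULN_DIR, name), "w") as f:
                f.write(text + "\n")
        return {"inputs": find_checker_inputs(root, "4.15.0-test"),
                "sysfs": read_sysfs_vulnerabilities(root)}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for section, data in demo().items():
        print(section, data)
```

On a live system call find_checker_inputs() and read_sysfs_vulnerabilities() with the default root; an empty sysfs result together with no kconfig and no vmlinux is exactly the situation where the script can only fall back on /proc/kallsyms, as in the output above.
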
festerspectre commented 6 years ago

@speed47 Great, that's exactly what we need here. Given everything that's gone on, I think the old adage of "trust, but verify" is important, and right now wrt Chromebooks that's a little difficult.

festerspectre commented 6 years ago

Based on the code here it would appear that this model of Chromebook (Acer 14 CB3-431-C5EX) is still vulnerable to Spectre. Probably they're counting on chrome://flags#enable-site-per-process to mitigate Meltdown.

user@localhost:~/spectre-testing$ ./spectre
Putting 'The Magic Words are Squeamish Ossifrage.' in memory, address 0x64b6978fbe38
Reading 40 bytes:
Reading at malicious_x = 0xffffffffffdfedb8... Success: 0x54='T' score=2
Reading at malicious_x = 0xffffffffffdfedb9... Success: 0x68='h' score=2
Reading at malicious_x = 0xffffffffffdfedba... Success: 0x65='e' score=2
Reading at malicious_x = 0xffffffffffdfedbb... Success: 0x20=' ' score=2
Reading at malicious_x = 0xffffffffffdfedbc... Success: 0x4D='M' score=2
Reading at malicious_x = 0xffffffffffdfedbd... Success: 0x61='a' score=2
Reading at malicious_x = 0xffffffffffdfedbe... Success: 0x67='g' score=2
Reading at malicious_x = 0xffffffffffdfedbf... Success: 0x69='i' score=2
Reading at malicious_x = 0xffffffffffdfedc0... Success: 0x63='c' score=2
Reading at malicious_x = 0xffffffffffdfedc1... Success: 0x20=' ' score=2
Reading at malicious_x = 0xffffffffffdfedc2... Success: 0x57='W' score=2
Reading at malicious_x = 0xffffffffffdfedc3... Success: 0x6F='o' score=2
Reading at malicious_x = 0xffffffffffdfedc4... Success: 0x72='r' score=2
Reading at malicious_x = 0xffffffffffdfedc5... Success: 0x64='d' score=2
Reading at malicious_x = 0xffffffffffdfedc6... Success: 0x73='s' score=2
Reading at malicious_x = 0xffffffffffdfedc7... Success: 0x20=' ' score=2
Reading at malicious_x = 0xffffffffffdfedc8... Success: 0x61='a' score=2
Reading at malicious_x = 0xffffffffffdfedc9... Success: 0x72='r' score=2
Reading at malicious_x = 0xffffffffffdfedca... Success: 0x65='e' score=2
Reading at malicious_x = 0xffffffffffdfedcb... Success: 0x20=' ' score=2
Reading at malicious_x = 0xffffffffffdfedcc... Success: 0x53='S' score=2
Reading at malicious_x = 0xffffffffffdfedcd... Success: 0x71='q' score=2
Reading at malicious_x = 0xffffffffffdfedce... Success: 0x75='u' score=2
Reading at malicious_x = 0xffffffffffdfedcf... Success: 0x65='e' score=2
Reading at malicious_x = 0xffffffffffdfedd0... Success: 0x61='a' score=2
Reading at malicious_x = 0xffffffffffdfedd1... Success: 0x6D='m' score=2
Reading at malicious_x = 0xffffffffffdfedd2... Success: 0x69='i' score=2
Reading at malicious_x = 0xffffffffffdfedd3... Success: 0x73='s' score=2
Reading at malicious_x = 0xffffffffffdfedd4... Success: 0x68='h' score=2
Reading at malicious_x = 0xffffffffffdfedd5... Success: 0x20=' ' score=2
Reading at malicious_x = 0xffffffffffdfedd6... Success: 0x4F='O' score=2
Reading at malicious_x = 0xffffffffffdfedd7... Success: 0x73='s' score=2
Reading at malicious_x = 0xffffffffffdfedd8... Success: 0x73='s' score=2
Reading at malicious_x = 0xffffffffffdfedd9... Success: 0x69='i' score=2
Reading at malicious_x = 0xffffffffffdfedda... Success: 0x66='f' score=2
Reading at malicious_x = 0xffffffffffdfeddb... Success: 0x72='r' score=2
Reading at malicious_x = 0xffffffffffdfeddc... Success: 0x61='a' score=2
Reading at malicious_x = 0xffffffffffdfeddd... Success: 0x67='g' score=2
Reading at malicious_x = 0xffffffffffdfedde... Success: 0x65='e' score=2
Reading at malicious_x = 0xffffffffffdfeddf... Success: 0x2E='.' score=2