Okay, this one is a massive update. Or, is this an easter egg?
First and foremost, the least visible but probably the most important change for the continued maintainability of this project: the script has been split into a structured source tree of smaller script snippets, which are then assembled to produce the final self-contained spectre-meltdown-checker.sh.
This repo now has 5 branches:
- `test`: this is where patches land first. This branch has the structured source tree hierarchy, so there is no usable script there, only the snippets to assemble the final script.
- `test-build`: this is where the CI builds the script from the `test` branch and commits it. Basic tests are done in the CI to ensure the script is not completely broken (more on that below), but still, don't use this unless you want to test a bugfix you're interested in. This branch might functionally break at any time. It's a sandbox.
- `source`: this is where the stable source lives. This branch also has the structured source tree hierarchy and no directly usable script. This is where patches land before making it to `master`.
- `source-build`: same as `test-build`, but produced with the code from the `source` branch. Consider the script in this branch to be of beta quality. Don't use it in production.
- `master`: this is the historical branch that will stay the release branch. Merges are done from `source-build` manually, when the author believes that the build is of sufficient quality.
Now that the "source" branch trees (`test`, `source`) are organized completely differently from the "binary" branches (`test-build`, `source-build`, `master`), a lot more can be done in terms of tests and helper scripts. I never wanted to clobber the master branch with this, because it is the branch users check out in production, so this change also makes room for a real testsuite, among other things.
With all this also comes a new version numbering scheme: vXX.YY.ZZZZZZZ, automatically updated by the CI, where XX is the year, YY is the number of managed CVEs, and ZZZZZZZ is derived from the datetime of the release.
Now, here is a clearly non-exhaustive list of changes (refer to the commit log for more):
- feat: added CVE-2024-36350/CVE-2024-36357 (Transient Scheduler Attack / TSA) (fixes #509)
- feat: added CVE-2023-23583 (Reptar)
- enh: CVE-2023-20593 (Zenbleed): Mitigation detection added for BSD
- enh: improvement under BSD for a few CVEs, identifying unaffected CPUs even if mitigation is not implemented in BSD
- enh: CVE-2017-5753 (Spectre Variant 1): massive update to the detection logic, as this was the first CVE ever implemented in this script, and a lot changed since then, both in the understanding of Spectre V1 and in the kernels.
- enh: CVE-2017-5715 (Spectre Variant 2): massive update here too, including adding detection for BHI
- enh: enhanced VMM autodetection with more supported hypervisor binaries
- fix: `cap_rdcl_no`, `cap_gds_no`, `cap_tsa_*_no` were not marking the current CPU as immune to their respective vulnerabilities
- fix: CVE-2018-3620: false VULN status on kernels reporting the CPU as unaffected when `RDCL_NO` couldn't be parsed
- fix: CVE-2023-20569: logic errors from the `kernel_sro` type change; old kernels incorrectly reporting mitigated via sysfs are now detected
- fix: `--sysfs-only` path fixed for a handful of CVEs; started to document the complete sysfs string history from the kernel source code for reference
- fix: `read_msr`: fixed handling of values > `INT32_MAX` (fixes #507)
- fix: several tool uses replaced (`sort -V`, `sed -r`, `cut -w`, `stat -c`, `date -d @`) to ensure compatibility with BSD (fixes #525)
- doc: a (hopefully) nicer README, I'll have to update the screenshots though
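As an added example (not code from spectre-meltdown-checker itself), here is what the BSD-portability fix for the `sort -V` and `sed -r` cases above looks like in plain POSIX sh: `sort -V` is a GNU coreutils extension that BSD sort lacks, so version ordering is done component by component in the shell instead, and `sed -r` is replaced by `sed -E`, which both GNU and BSD sed accept. The function names `version_cmp`, `version_ge` and `kernel_base_version` are my own, and the version strings used are constructed inputs.

```shell
#!/bin/sh
# Added example, not part of spectre-meltdown-checker: a pure-shell
# replacement for comparing dotted versions with `sort -V` (GNU-only).
#
# version_cmp A B  prints -1, 0 or 1 for A<B, A=B, A>B. Only numeric
# components are compared; a missing component counts as 0, so
# "5.10" and "5.10.0" are equal, and a suffix like "-rc1" is ignored.
version_cmp() {
    _a=$1
    _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        # Leading component of each string, up to the first dot.
        _x=${_a%%.*}
        _y=${_b%%.*}
        # Drop anything non-numeric trailing the component (e.g. "0-rc1" -> "0").
        _x=${_x%%[!0-9]*}
        _y=${_y%%[!0-9]*}
        [ -z "$_x" ] && _x=0
        [ -z "$_y" ] && _y=0
        if [ "$_x" -lt "$_y" ]; then printf '%s\n' -1; return; fi
        if [ "$_x" -gt "$_y" ]; then printf '%s\n' 1; return; fi
        # Advance past the component just compared (and its dot), if any.
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    printf '%s\n' 0
}

# version_ge A B  succeeds (exit 0) when A >= B: the shape a kernel-version
# threshold check in a detection script actually needs.
version_ge() {
    [ "$(version_cmp "$1" "$2")" -ge 0 ]
}

# Extract "major.minor[.patch]" from a `uname -r` style string.
# `sed -r` is GNU-only; `-E` works on both GNU and BSD sed.
kernel_base_version() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+\.[0-9]+(\.[0-9]+)?).*$/\1/'
}

# Usage: compare the running kernel against a threshold of 5.10
# (constructed threshold, for illustration only).
if version_ge "$(kernel_base_version "$(uname -r 2>/dev/null)")" 5.10; then
    echo "running kernel is >= 5.10"
else
    echo "running kernel is < 5.10 (or its version could not be parsed)"
fi
```

The point of doing the comparison in the shell rather than piping through `sort` is that a plain string or lexical compare gets "4.4" vs "4.10" wrong, and the only external tools left are `sed -E` and the POSIX `[` built-in, both of which behave the same on Linux and the BSDs.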
... and, well, a lot more, git log is your friend if you're curious.
There's a bunch of work ongoing (inteldb update, testsuite, better --batch machine formats with way more details for monitoring), but I figured this was the time to get this one out the door.
Happy spectre-meltdown-checking!