@Szpadel
Last active January 15, 2018 15:53
Script for checking system status against Meltdown issue
#!/usr/bin/env bash
# ANSI colour sequences used to tag each status line. The values keep a
# literal backslash-e; `echo -e` turns it into ESC at print time.
CR='\e[0m'    # reset attributes
CBAD='\e[41m' # red background: mitigation missing or disabled
CWRN='\e[33m' # yellow: needs attention
COK='\e[32m'  # green: mitigation present or enabled
CINF='\e[34m' # blue: informational
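#######################################
# Tell whether the CPU advertises the "pcid" feature flag.
# Arguments: $1 - cpuinfo file to inspect (optional, default /proc/cpuinfo)
# Returns:   0 if the flag is listed, non-zero otherwise (including when
#            the file cannot be read)
#######################################
isPcidPresent() {
  local cpuinfo=${1:-/proc/cpuinfo}
  # -w: match the flag as a whole word, so that "invpcid" on its own is not
  # counted as PCID support.
  grep -qw pcid "$cpuinfo"
}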
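#######################################
# Check whether a kernel build option is set to "y" for the running kernel.
# Looks in /proc/config.gz first, then in /boot/config-<uname -r>.
# Arguments: $1 - option name, e.g. CONFIG_RETPOLINE
# Outputs:   one line on stdout naming the config source that was consulted
# Returns:   0 if "<option>=y" is present, non-zero if it is absent or no
#            config for the running kernel could be found
# Note:      a built-in option only shows the mitigation was compiled in;
#            whether it is active is a separate, runtime question.
#######################################
isConfigPresent() {
  local option=$1
  local kernel_release status
  kernel_release=$(uname -r)
  # Anchor on the whole line: an unanchored "<name>=y" would also match any
  # longer option whose name merely ends in <name>, and an empty name would
  # match every enabled option.
  local pattern="^${option}=y\$"

  if [ -e /proc/config.gz ]; then
    zgrep -q "$pattern" /proc/config.gz
    status=$?
    echo "(in /proc/config.gz) "
    return "$status"
  elif [ -e "/boot/config-${kernel_release}" ]; then
    grep -q "$pattern" "/boot/config-${kernel_release}"
    status=$?
    echo "(in /boot/config-${kernel_release}) "
    return "$status"
  else
    echo "(could not find config for current kernel) "
    return 1
  fi
}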
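#######################################
# Report whether kernel page-table isolation (KPTI) is active.
# Prefers the runtime switch in debugfs; falls back to the boot messages
# in the kernel log when that file is not visible.
# Globals:   COK, CBAD, CWRN, CR (read)
# Outputs:   "(runtime) " or "(boot) " followed by a coloured status line
# Note:      debugfs and the kernel log are often restricted to root, and
#            boot messages can rotate out of the log on a long-running host;
#            "Disabled" from the boot path then only means the line was not
#            found.
#######################################
kptiStatus() {
  local pti_file=/sys/kernel/debug/x86/pti_enabled
  local value log

  if [ -e "$pti_file" ]; then
    echo "(runtime) "
    # A failed or empty read must not pass the "!= 0" comparison and be
    # reported as Enabled; report it as unknown instead.
    if ! value=$(cat "$pti_file") || [ -z "$value" ]; then
      echo -e "${CWRN}Unknown (cannot read ${pti_file})${CR}"
    elif [ "$value" != 0 ]; then
      echo -e "${COK}Enabled${CR}"
    else
      echo -e "${CBAD}Disabled${CR}"
    fi
    return
  fi

  echo "(boot) "
  # An unreadable kernel log is not evidence that KPTI is off.
  if ! log=$(dmesg); then
    echo -e "${CWRN}Unknown (cannot read kernel log)${CR}"
    return
  fi
  case "$log" in
    *'Kernel/User page tables isolation: enabled'*)
      echo -e "${COK}Enabled${CR}"
      ;;
    *'Kernel/User page tables isolation: force enabled on command line'*)
      echo -e "${COK}Forced${CR}"
      ;;
    *)
      echo -e "${CBAD}Disabled${CR}"
      ;;
  esac
}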
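#######################################
# Report the Spectre V2 mitigation line the kernel logged at boot.
# Globals:   COK, CBAD, CWRN, CINF, CR (read)
# Outputs:   the logged mitigation text, coloured green for "Not affected" /
#            "Mitigation", red for "Vulnerable", blue for anything else;
#            "MISSING" when no such line is in the log
# Note:      MISSING only means the line was not found in the current log.
#            NOTE(review): the pattern below is the wording this script was
#            written against; other kernel versions may word the line
#            differently - verify against the running kernel, and prefer
#            /sys/devices/system/cpu/vulnerabilities/spectre_v2 where present.
#######################################
redpolineStatus() {
  local log msg colour

  # An unreadable kernel log says nothing about the mitigation state.
  if ! log=$(dmesg); then
    echo -e "${CWRN}Unknown (cannot read kernel log)${CR}"
    return
  fi

  msg=$(printf '%s\n' "$log" \
    | sed -n 's/^.*Spectre V2 mitigation: \(.*\)$/\1/p')

  case "$msg" in
    '')
      # Return here; falling through would print a second, empty line.
      echo -e "${CBAD}MISSING${CR}"
      return
      ;;
    *'Not affected'* | *Mitigation*)
      colour=$COK
      ;;
    *Vulnerable*)
      colour=$CBAD
      ;;
    *)
      colour=$CINF
      ;;
  esac
  echo -e "${colour}${msg}${CR}"
}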
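#######################################
# Tell whether the kernel has NOT flagged this CPU as affected by Meltdown.
# Arguments: $1 - cpuinfo file to inspect (optional, default /proc/cpuinfo)
# Returns:   0 if no Meltdown bug flag is listed; 1 if a flag is listed or
#            the file cannot be read
# Note:      a kernel that predates the flag lists nothing, so 0 means "the
#            kernel is not aware of the bug", not "the CPU is safe".
#######################################
cpuSecure() {
  local cpuinfo=${1:-/proc/cpuinfo}
  # The bug flag was exposed as cpu_insecure in early patches and as
  # cpu_meltdown in released kernels; accept either spelling.
  grep -qwE 'cpu_insecure|cpu_meltdown' "$cpuinfo"
  case $? in
    1) return 0 ;; # no flag listed
    *) return 1 ;; # flag listed, or grep failed: do not report "secure"
  esac
}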
#######################################
# Print the CPU model string from /proc/cpuinfo.
# Outputs: the text after "model name<TAB>: " on the first matching line;
#          a line that does not follow that layout is printed unchanged
#######################################
cpuModel() {
  # -m 1: every logical CPU repeats the line, the first one is enough.
  grep -m 1 'model name' /proc/cpuinfo \
    | sed -e 's/^model name\t: \(.*\)$/\1/'
}
#######################################
# Print the kernel's own per-vulnerability report, one line per entry in
# /sys/devices/system/cpu/vulnerabilities. Does nothing when the kernel
# does not provide that directory.
# Globals: CINF, CR (read)
# Outputs: a heading, then "Vulnerability <name> status: <text>" per entry
#######################################
printCpuVul() {
  local vuln_dir=/sys/devices/system/cpu/vulnerabilities
  local entry

  [ -e "$vuln_dir" ] || return

  echo Found cpu vulnerabilities kernel raport
  for entry in "$vuln_dir"/*; do
    # The file name is the vulnerability, its content the kernel's status text.
    echo -e "Vulnerability ${entry##*/} status: ${CINF}$(cat "$entry")${CR}"
  done
}
# Report, one line per check. The command substitutions are left unquoted on
# purpose: word splitting joins the "(source)" line a helper prints with the
# status line that follows it.
#
# Reading the results: the debugfs switch and the kernel log are commonly
# readable by root only, so run this as root. A "Present" kernel option means
# the mitigation was compiled in, not that it is active.
# NOTE(review): newer kernels are reported to have renamed these two options
# with a MITIGATION_ prefix - verify; MISSING then only means this exact name
# was not found.
echo -e CPU detected: ${CINF}$(cpuModel)${CR}

echo CPU bug detected: $(
  if cpuSecure; then
    echo -e "${CINF}Not aware${CR}"
  else
    echo -e "${CWRN}Bug present${CR}"
  fi
)

echo CPU PCID support: $(
  if isPcidPresent; then
    echo -e "${COK}Present${CR}"
  else
    echo -e "${CBAD}MISSING${CR}"
  fi
)

echo KPTI kernel option: $(
  if isConfigPresent CONFIG_PAGE_TABLE_ISOLATION; then
    echo -e "${COK}Present${CR}"
  else
    echo -e "${CWRN}MISSING${CR}"
  fi
)

echo Retpoline kernel option: $(
  if isConfigPresent CONFIG_RETPOLINE; then
    echo -e "${COK}Present${CR}"
  else
    echo -e "${CWRN}MISSING${CR}"
  fi
)

echo Retpoline boot status: $(redpolineStatus)
echo KPTI status: $(kptiStatus)

# Where the kernel provides it, this report is its own statement of each
# vulnerability's status.
printCpuVul