Pine64 board with UNKNOWN status reported as not vulnerable #82
Comments
It's an ARM board, so indeed you're not vulnerable except if it's running one of the few ARM Cortex that are vulnerable. ARM published a statement about it, and the script is able to correctly detect which ARM chips are vulnerable, and which aren't. The
line is strange, I'll need your help to fix that, but it's only for display purposes (the script doesn't rely on what's displayed in that case). I'll propose a fix on a branch that you'll be able to test soon. Regarding the fact that the first test comes out as UNKNOWN, it's strange because if you're missing the readelf or objdump tool (the 2 most usual reasons to get UNKNOWN here), the tool should tell you. So it might be another reason, could you run the script again in very verbose mode ? ( Regardless of the UNKNOWN status of the check for variant 1, the script correctly reports your system as non-vulnerable as you have a non-vulnerable CPU (so it doesn't need the result of the mitigation check for variant 1 to draw this conclusion) |
Can you try the |
UNKNOWN (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
UNKNOWN (couldn't read /dev/cpu/0/cpuidr, is cpuid support enabled in your kernel?)
|
Thanks! Now I see why you get 'unknown': the script doesn't find your kernel image. Could you provide the output of I've also pushed a new version on the arm_display branch with a minor fix (some kernels such as yours report AArch64 instead of ARMv8, this is now handled) |
@speed47 :
Hope this will help ... If not, please let me know ! Cheers, |
Thanks, it does help. Could you try the new version from the |
@speed47 :
UNKNOWN (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
UNKNOWN (couldn't read /dev/cpu/0/cpuidr, is cpuid support enabled in your kernel?)
Another kind of tests needed ? Regards, |
Uh oh, I thought that |
@speed47 :
Regards, |
Thanks, the correct kernel image seems to be |
@speed47 :
Oops ... :-) Jean |
Uh oh, it seems to be a strange kernel image! :) Would you be able to upload this file somewhere for me to have a look at it? |
@speed47 :
Which files do you need ?
Basically :
Nothing else as this board hosts my cloud only (WEB Server). Regards. |
Thanks, I could download a copy of the OS image and get access to the famous /boot/pine64/Image file! Could you run the following commands on your ARM system ? If these commands don't exist on your system, you might need to install the Thanks! |
@speed47 :
Not sure it helps so much ... What are You looking for ? Cheers, |
You can try with the latest master branch, I added an extract method that seems to be used by your system : the kernel image blob actually contains other stuff and the real kernel image can be found uncompressed in it ! |
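One way to locate an uncompressed kernel embedded in a larger boot blob, as the comment above describes. This is an added example, not the script's own extraction code. It assumes the arm64 `Image` header layout from the Linux kernel's arm64 boot documentation (magic `ARM\x64` at offset 56, `image_size` at offset 16); the function names and the sample blob are constructed for illustration.

```python
import struct

MAGIC = b"ARM\x64"      # arm64 Image magic, stored at header offset 56
MAGIC_OFF, HDR_LEN = 56, 64

def find_arm64_images(blob):
    """Return [(start, end)] for every plausible arm64 Image header in blob."""
    found = []
    pos = blob.find(MAGIC)
    while pos != -1:
        start = pos - MAGIC_OFF
        if start >= 0 and start + HDR_LEN <= len(blob):
            # Fields after code0/code1: text_offset, image_size, flags, res2..res4
            _, size, _, r2, r3, r4 = struct.unpack_from("<6Q", blob, start + 8)
            if r2 == r3 == r4 == 0:         # reserved fields must be zero
                # image_size counts BSS and is 0 on pre-3.17 kernels, so clamp it
                end = min(start + size, len(blob)) if size else len(blob)
                found.append((start, end))
        pos = blob.find(MAGIC, pos + 1)
    return found

def extract_kernel(blob):
    """Return the bytes of the first embedded image, or None if there is none."""
    hits = find_arm64_images(blob)
    return blob[hits[0][0]:hits[0][1]] if hits else None

def build_constructed_blob(image_size):
    """Constructed sample: 2048 wrapper bytes, a fake Image, then trailing junk."""
    header = struct.pack("<2I6Q", 0, 0, 0x80000, image_size, 0, 0, 0, 0) + MAGIC + b"\0" * 4
    body = b"Linux version 0.0.0-constructed".ljust(4096 - HDR_LEN, b"\0")
    return b"\xff" * 2048 + header + body + b"JUNK" * 16

if __name__ == "__main__":
    for size in (4096, 0):
        blob = build_constructed_blob(size)
        print(size, find_arm64_images(blob), len(extract_kernel(blob)))
```

The extracted bytes can then be handed to whatever inspects the kernel for mitigations, instead of the wrapper blob that hides it.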
Hi @speed47, please find below the output of the new release:
Checking for vulnerabilities on current system
Hardware check
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
A false sense of security is worse than no security at all, see --disclaimer Regards |
Thanks, as your system is not that common, you're finding me some bugs ;)
fixed
fixed
I've also re-added the specific kernel image path pine64 is using, I think it was squeezed out by some previous merge. Pushed those to the master branch. If you run it again, you shouldn't have those errors, and hopefully the script will now be able to dig into your kernel image for variant 1 mitigations (it probably won't find any, and your ARM is not vulnerable and doesn't need those anyway) |
Assuming we can close this. Feel free to reopen if needed! |
Dear Speed47,
Below is the output of the provided script executed on a Pine64 board running Linux. The CPU is not detected properly. The report shows the board as NOT VULNERABLE, but some test results are UNKNOWN : Can you please confirm if the board/CPU is vulnerable or not ?
How can I maybe help regarding the board ?
Many thanks in advance,
Best regards.