Skip to content

@speed47 speed47 released this Oct 3, 2018 · 8 commits to master since this release

  • Feature: add support for the 3 L1TF CVEs aka Foreshadow and Foreshadow-NG, under Linux and FreeBSD
  • Feature: use the excellent MCExtractor microcode versions database as reference to tell if CPU microcode is up to date, use --update-mcedb to update it (a builtin version is included)
  • Feature: add summary of vulnerabilites at the end of script
  • Feature: add a --batch short option for one line result
  • Enhancement: dynamically use git when available to better describe inter-release versions
  • Enhancement: add the --cve parameter to selectively test vulnerabilities
  • Fix: properly detect SSBD under BSD
  • Fix: --batch now implies --no-color to avoid colored warnings
  • Misc: dozens of other fixes and enhancements
Assets 2

@speed47 speed47 released this Aug 13, 2018 · 48 commits to master since this release

  • Feature: two new methods for reading MSR without a recent-enough dd binary: using perl or the msr-tools when these are present
  • Feature: add detection of RSBA feature bit (set by some hypervisors) indicating possible RSB underflow host CPU vulnerability, and require kernel support for RSB stuffing even on non-Skylake CPUs when this is the case
  • Feature: support for /boot partition on a btrfs subvolume (#226)
  • Feature: add standard location of Arch armv5/armv7 kernel image (#227)
  • Fix: the ARCH_CAPABILITIES MSR wasn't read correctly, preventing proper SSB_NO and RDCL_NO feature bits detection
Assets 2

@speed47 speed47 released this Aug 7, 2018 · 57 commits to master since this release

  • Feature: support detection for Variant 3a (CVE-2018-3640) and Variant 4 (CVE-2018-3639)
  • Feature: add Spectre v1 mitigation detection for ARM 32 bits
  • Feature: add Cavium CPU support and correct vulnerability information
  • Feature: add guess for kernel image location on Raspberry Pi 3
  • Feature: ability to run the script inside a Docker container (Dockerfile included)
  • Change: omit explanations by default to avoid cluttering the output, use --explain to get detailed mitigation help
  • Enhancement: explain mode: suggest to set VM CPU to an IBRS-capable one for hypervisors
  • Enhancement: avoid use of iflag=skip_bytes for compat with old dd versions
  • Fix: no longer unload msr or cpuid modules on exit if they were loaded before we started
  • Fix: when we can't determine if IBRS is enabled or not, report it as NO instead of UNKNOWN when we know that the CPU can't support it
  • Fix: variant2: detection now works under SLES kernels
  • Fix: ARM: update vulnerability info to latest vendor statement
  • Fix: ARM: ARMv8 models under Cortex A57 correctly marked as non-vulnerable (also fixes Raspberry Pi 3)
  • Fix: prometheus output wouldn't format \n correctly under some systems
Assets 2

@speed47 speed47 released this Apr 18, 2018 · 97 commits to master since this release

  • Feature: add a detailed explanation of "what to do" when system if found vulnerable against one of the vulnerabilities (skip with --no-explain)
  • Feature: rework output for IBRS/IBPB check and better detection for newer kernels (IBRS_FW, IBPB without IBRS, ...)
  • Feature: check for Red Hat 7/CentOS 7 specific retp_enabled knob in sysfs
  • Feature: detect arm64 Spectre Variant 1, Spectre Variant 2 and Meltdown (Variant 3) mitigations
  • Feature: add retpoline detection for BSD
  • Feature: add microcode information under BSD
  • Feature: add PTI performance check under BSD
  • Feature: add detection of AMD-specific STIBP, STIBP-always-on, IBRS, IBRS-always-on and IBRS-preferred CPUID feature flags
  • Feature: when ibpb_enabled=2 (Red Hat), warn if SMT is not disabled
  • Feature: detect whether the kernel supports RSB filling (important for Skylake+)
  • Feature: add --paranoid to make IBPB required in addition to retpoline for Variant 2
  • Refactor: don't test AMD-specific flags on Intel and Intel-specific flags on AMD for clarity
  • Fix: when PTI activation is unknown, don't say we're vulnerable
  • Fix: don't hide microcode information for AMD CPUs
  • Misc: other minor fixes and enhancements
Assets 2

@speed47 speed47 released this Mar 27, 2018 · 141 commits to master since this release

  • Feature: Support for Spectre v2 and Meltdown mitigation detection for BSD such as FreeBSD, NetBSD, DragonFlyBSD and derivatives (#135)
  • Feature: Add support to detect RHEL 5 kernels backported mitigations (#146)
  • Feature: Add --prefix-arch option for cross-architecture kernel inspection
  • Feature: Add --hw-only option to only show CPU microcode features supported for mitigation
  • Feature: Add support to properly extract some previously unsupported ARM kernels (#82 #164)
  • Feature: Check for MSR/CPUID of each CPU core, not just the first one (#136)
  • Feature: Add --batch prometheus option to produce output for consumption by prometheus-node-exporter (#154)
  • Fix: Corrected a corner case of blacklist detection for some microcode versions (#165 #167)
  • Fix: Properly detect Xen PVHVM mode (#163)
  • Fix: No longer check MSR/CPUID for non-x86 CPUs (#164)
  • Misc: Other tiny enhancements and fixes
Assets 2

@speed47 speed47 released this Feb 16, 2018 · 164 commits to master since this release

  • Feature: correctly detect specific Red Hat/Ubuntu patch for Spectre Variant 1
  • Update: new list of blacklisted microcodes (from Intel document)
  • Enhancement: detect disrepancy between found kernel image and running kernel
  • Enhancement: speed up execution by not decompressing kernel in --sysfs-only mode
  • Enhancement: find images installed by systemd kernel-install
  • Enhancement: better explanation when kernel supports IBRS but CPU doesn't
  • Misc: other minor changes and bugfixes
Assets 2

@speed47 speed47 released this Jan 31, 2018 · 183 commits to master since this release

  • Feature: detect vanilla mitigation for Variant 1 (not yet pushed to a kernel.org release)
  • Feature: detect known speculative-execution-free CPUs (that are not vulnerable to any of the 3 variants)
  • Enhancement: update list of known blacklisted microcodes from kernel source
  • Enhancement: smarter heuristic for LFENCE check, with less false positives (always only used in last resort)
  • Misc: some cleanup, refactoring, and a couple tiny bugs squashed
Assets 2

@speed47 speed47 released this Jan 31, 2018 · 201 commits to master since this release

  • Feature: add blacklisted Intel microcode detection
  • Feature: add STIBP, RDCL_NO, IBRS_ALL CPU flags detection (without relying on kernel)
  • Feature: add IBPB detection for Variant 2
  • Feature: detect Xen Dom0/DomU and report accordingly
  • Feature: detect retpoline-aware compiler and runtime retpoline activation
  • Enhancement: detect when dmesg is truncated and don't rely on log files
  • Some minor fixes
Assets 2
Jan 20, 2018
bump to v0.32
Jan 14, 2018
bump to v0.31 to reflect changes
You can’t perform that action at this time.