sh spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.37+

Checking for vulnerabilities on current system
Kernel is Linux 3.16.55-slitaz64 #2 SMP Mon May 21 20:31:03 CEST 2018 x86_64
CPU is Intel(R) Erkan_deleted_this

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available: UNKNOWN (is msr kernel module available?)
    * CPU indicates IBRS capability: NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available: UNKNOWN (is msr kernel module available?)
    * CPU indicates IBPB capability: NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available: UNKNOWN (is msr kernel module available?)
    * CPU indicates STIBP capability: NO
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability: NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability: NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
  * CPU microcode is known to cause stability problems: NO (model 23 stepping 10 ucode 0x60b cpuid 0x1067a)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to Variant 1: YES
  * Vulnerable to Variant 2: YES
  * Vulnerable to Variant 3: YES
  * Vulnerable to Variant 3a: YES
  * Vulnerable to Variant 4: YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec (x86): UNKNOWN (couldn't check (couldn't extract your kernel from /boot/vmlinuz-3.16.55-slitaz64))
* Kernel has the Red Hat/Ubuntu patch: UNKNOWN (couldn't check (couldn't extract your kernel from /boot/vmlinuz-3.16.55-slitaz64))
* Kernel has mask_nospec64 (arm): UNKNOWN (couldn't check (couldn't extract your kernel from /boot/vmlinuz-3.16.55-slitaz64))
* Checking count of LFENCE instructions following a jump in kernel... UNKNOWN (couldn't check (couldn't extract your kernel from /boot/vmlinuz-3.16.55-slitaz64))
> STATUS: UNKNOWN (Couldn't find kernel image or tools missing to execute the checks)

> How to fix: Re-run this script with root privileges, after installing the missing tools indicated above

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel is compiled with IBRS support: NO
    * IBRS enabled and active: NO
  * Kernel is compiled with IBPB support: UNKNOWN (in offline mode, we need the kernel image to be able to tell)
    * IBPB enabled and active: NO
* Mitigation 2
  * Kernel has branch predictor hardening (arm): NO
  * Kernel compiled with retpoline option: NO
> STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)

> How to fix: To mitigate this vulnerability, you need either IBRS + IBPB, both requiring hardware support from your CPU microcode in addition to kernel support, or a kernel compiled with retpoline and IBPB, with retpoline requiring a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware) and IBPB requiring hardware support from your CPU microcode. The retpoline + IBPB approach is generally preferred as the performance impact is lower. More information about how to enable the missing bits for those two possible mitigations on your system follow. You only need to take one of the two approaches.

> How to fix: The microcode of your CPU needs to be upgraded to be able to use IBPB. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). An updated CPU microcode will have IBRS/IBPB capabilities indicated in the Hardware Check section above. If you're running under an hypervisor (KVM, Xen, VirtualBox, VMware, ...), the hypervisor needs to be up to date to be able to export the new host CPU flags to the guest. You can run this script on the host to check if the host CPU is IBRS/IBPB. If it is, and it doesn't show up in the guest, upgrade the hypervisor. You may need to reconfigure your VM to use a CPU model that has IBRS capability; in Libvirt, such CPUs are listed with an IBRS suffix.

> How to fix: Your kernel doesn't have IBPB support, so you need to either upgrade your kernel (if you're using a distro) or recompiling a more recent kernel.

> How to fix: The microcode of your CPU needs to be upgraded to be able to use IBRS. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). An updated CPU microcode will have IBRS/IBPB capabilities indicated in the Hardware Check section above. If you're running under an hypervisor (KVM, Xen, VirtualBox, VMware, ...), the hypervisor needs to be up to date to be able to export the new host CPU flags to the guest. You can run this script on the host to check if the host CPU is IBRS/IBPB. If it is, and it doesn't show up in the guest, upgrade the hypervisor. You may need to reconfigure your VM to use a CPU model that has IBRS capability; in Libvirt, such CPUs are listed with an IBRS suffix.

> How to fix: Your kernel doesn't have IBRS support, so you need to either upgrade your kernel (if you're using a distro) or recompiling a more recent kernel.

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
  * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script)
  * Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant)
* Running as a Xen PV DomU: NO
> STATUS: UNKNOWN (couldn't find any clue of PTI activation due to a truncated dmesg, please reboot and relaunch this script)

CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability: UNKNOWN (an up to date microcode is sufficient to mitigate this vulnerability, detection will be implemented soon)
> STATUS: VULNERABLE (a new microcode will mitigate this vulnerability)

CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Kernel supports speculation store bypass: NO
> STATUS: VULNERABLE (Neither your CPU nor your kernel support SSBD)

> How to fix: You need to update your CPU microcode and use a more recent kernel to provide the necessary mitigation tools to the software running on your machine

A false sense of security is worse than no security at all, see --disclaimer