@rrobgill
Contributor

@rrobgill rrobgill commented Oct 28, 2018

Tests for presence of hypervisor flag in /proc/cpuinfo if available and tests for evidence of hypervisor in dmesg. (Rather than relying on output of ps).

Also fix unset $l1d_mode causing error & typos.

Update processor names of atom 6 family processors to align with those from kernel as of October 2018.

`opt_batch_format="text"` replaced by `opt_batch_format='text'`
`nrpe_vuln='""` replaced by `nrpe_vuln=''`, as used by other parse options

Redundant `! -z` replaced by `-n`, as used elsewhere

Signed-off-by: Rob Gill <rrobgill@protonmail.com>
Tests for presence of hypervisor flag in /proc/cpuinfo
Tests for evidence of hypervisor in dmesg

Signed-off-by: Rob Gill <rrobgill@protonmail.com>
Signed-off-by: Rob Gill <rrobgill@protonmail.com>
…ailable

(prevents invalid number error when evaluating [ "$l1d_mode" -ge 1 ])

Signed-off-by: Rob Gill <rrobgill@protonmail.com>
Another instance of unset l1d_mode causing error "./spectre-meltdown-checker.sh: 3867: [: Illegal number:"
@speed47
Owner

speed47 commented Nov 25, 2018

Thanks for your work, and sorry for the time it took me to check your PR!
All good and well for the fixes, readme update and atom name updates.

On the "has_vmm" code however, your version of the code (which is way less dumb than the ps indeed), changes the meaning of the check, as I understand it. You've implemented several ways of detecting whether we were run from inside a VM, but the original check actually checks if we're running on a "bare metal" host that is hosting VMs. This is because the L1D cache flushing must be done by the host kernel and the hypervisor, not from inside the VM. But if you're running a simple server (or desktop) without VMs on it, then it's not an issue and you don't even need mitigation. Am I reading your code correctly?

@rrobgill
Contributor Author

Yes, effectively reversing the detection assuming bare metal if not detected as inside the vm.

@speed47
Owner

speed47 commented Dec 10, 2018

Indeed, so we make the assumption that if we're on bare metal, we possibly are actually hosting a hypervisor that might host VMs. This is probably reasonable, and the behavior can still be overridden through the command-line, if we are on bare metal and we know we'll never run VMs on it.
Thanks.
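
The decision discussed in this thread, written out as an added example that is not part of the PR or of spectre-meltdown-checker.sh: no evidence of running inside a VM is treated as "bare metal that may host VMs", unless overridden. The function names, the third (override) argument, the `Hypervisor detected` pattern and the sample files are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration, not code from spectre-meltdown-checker.sh.
# Function names, the override argument and the sample files are assumptions.

# Returns 0 if the cpuinfo-style file $1 lists "hypervisor" on a flags line.
# A match elsewhere (e.g. in "model name") is deliberately ignored.
cpuinfo_has_hypervisor_flag() {
    [ -r "$1" ] || return 1
    grep -Eq '^flags[[:space:]]*:.*[[:space:]]hypervisor([[:space:]]|$)' "$1"
}

# Returns 0 if the saved kernel log $1 has the x86 "Hypervisor detected" line.
dmesg_reports_hypervisor() {
    [ -r "$1" ] || return 1
    grep -q 'Hypervisor detected' "$1"
}

# Prints "guest", "possible-host", or a forced value.
# $3 stands in for a command-line override: 0 = never hosts VMs, 1 = hosts VMs.
vmm_assumption() {
    case ${3:-auto} in
        0) echo "no-vmm"; return 0 ;;
        1) echo "vmm"; return 0 ;;
    esac
    if cpuinfo_has_hypervisor_flag "$1" || dmesg_reports_hypervisor "$2"; then
        echo "guest"          # L1D flushing is the host's responsibility
    else
        echo "possible-host"  # bare metal: assume it may run a hypervisor
    fi
}

# Constructed sample inputs (not captured from a real machine).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'flags\t\t: fpu vme de pse hypervisor lahf_lm\n' > "$demo_dir/cpuinfo.guest"
printf 'model name\t: Constructed CPU (no hypervisor)\nflags\t\t: fpu vme de pse lahf_lm\n' \
    > "$demo_dir/cpuinfo.metal"
printf '[    0.000000] Hypervisor detected: KVM\n' > "$demo_dir/dmesg.guest"
printf '[    0.000000] DMI: Example Board, BIOS 1.0\n' > "$demo_dir/dmesg.metal"

vmm_assumption "$demo_dir/cpuinfo.guest" "$demo_dir/dmesg.metal"
vmm_assumption "$demo_dir/cpuinfo.metal" "$demo_dir/dmesg.guest"
vmm_assumption "$demo_dir/cpuinfo.metal" "$demo_dir/dmesg.metal"
vmm_assumption "$demo_dir/cpuinfo.metal" "$demo_dir/dmesg.metal" 0
```

Either source of evidence alone is enough to conclude "guest"; a missing or unreadable file counts as no evidence, which falls through to the bare-metal assumption.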
