Arch Linux User Repository

pkgbase = spectre-meltdown-checker-pt-br

pkgdesc = Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad verificador de vulnerabilidade/mitigação

pkgrel = 1

url = https://github.com/speed47/spectre-meltdown-checker

arch = any

makedepends = patch

depends = sh

depends = sqlite

conflicts = spectre-meltdown-checker

source = translate-pt-br.patch

sha256sums = SKIP

pkgname = spectre-meltdown-checker-pt-br

_pkgname=spectre-meltdown-checker

pkgname=${_pkgname}-pt-br

pkgrel=1

pkgdesc="Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad verificador de vulnerabilidade/mitigação"

arch=('any')

makedepends=('git' 'patch')

conflicts=("${_pkgname}")

provides=("${_pkgname}=${pkgver}")

source=("git+https://github.com/speed47/spectre-meltdown-checker.git#commit=$_commit"

'translate-pt-br.patch')

sha256sums=('SKIP'

prepare() {

cd "${srcdir}/${_pkgname}"

From: tioguda <guda.flavio@gmail.com>

Subject: Tradução

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh

--- a/spectre-meltdown-checker.sh

+++ b/spectre-meltdown-checker.sh

@@ -15,7 +15,7 @@

- CVE-2018-12207) echo "No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)";;

- CVE-2020-0543) echo "Special Register Buffer Data Sampling (SRBDS)";;

- CVE-2023-20593) echo "Zenbleed, cross-process information leak";;

+ CVE-2017-5753) echo "Spectre Variante 1, desvio de verificação de limites";;

+ CVE-2017-5715) echo "Spectre Variante 2, injeção no alvo do ramo";;

+ CVE-2017-5754) echo "Variante 3, Meltdown, carregamento de cache de dados não autorizado";;

+ CVE-2018-12207) echo "Sem exceções de eXcuses, iTLB Multihit, verificação de máquina nas alterações de tamanho de página (MCEPSC)";;

+ CVE-2020-0543) echo "Amostragem de dados de buffer de registro especial (SRBDS)";;

+ CVE-2023-20593) echo "Zenbleed, vazamento de informações entre processos";;

+ *) echo "$0: erro: CVE inválido '$1' passado para cve2name()" >&2; exit 255;;

esac

}

return $ret

fi

echo DONE

# first, download the MCE.db from the excellent platomav's MCExtractor project

mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"

mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'

## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git

download_file "$intel_url" "$intel_tmp/fw.zip" || return $?

@@ -1026,23 +1026,23 @@ update_fwdb()

sqlite3 "$mcedb_tmp" "UPDATE \"Intel\" SET \"origin\"='mce'"

sqlite3 "$mcedb_tmp" "UPDATE \"AMD\" SET \"origin\"='mce'"

unset nbfound

dbversion="$mcedb_revision+i$_intel_latest_date"

fi

if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [ "$previous_dbversion" = "v$dbversion" ]; then

- _info_nol "Building local database... "

+ _info_nol "Criando banco de dados local... "

{

echo "# %%% MCEDB v$dbversion";

@@ -1124,7 +1124,7 @@ update_fwdb()

sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||\"t1\".\"cpuid\"||',0x'||MAX(\"t1\".\"version\")||','||\"t1\".\"yyyymmdd\" FROM \"Intel\" AS \"t1\" LEFT OUTER JOIN \"Intel\" AS \"t2\" ON \"t2\".\"cpuid\"=\"t1\".\"cpuid\" AND \"t2\".\"yyyymmdd\" > \"t1\".\"yyyymmdd\" WHERE \"t2\".\"yyyymmdd\" IS NULL GROUP BY \"t1\".\"cpuid\" ORDER BY \"t1\".\"cpuid\" ASC;" | grep -v '^# .,0x00000000,';

sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||\"t1\".\"cpuid\"||',0x'||MAX(\"t1\".\"version\")||','||\"t1\".\"yyyymmdd\" FROM \"AMD\" AS \"t1\" LEFT OUTER JOIN \"AMD\" AS \"t2\" ON \"t2\".\"cpuid\"=\"t1\".\"cpuid\" AND \"t2\".\"yyyymmdd\" > \"t1\".\"yyyymmdd\" WHERE \"t2\".\"yyyymmdd\" IS NULL GROUP BY \"t1\".\"cpuid\" ORDER BY \"t1\".\"cpuid\" ASC;" | grep -v '^# .,0x00000000,';

fi

fi

get_cmdline

if [ "$opt_cpu" != all ] && [ "$opt_cpu" -gt "$max_core_id" ]; then

fi

if [ "$opt_live" = 1 ]; then

- _info "Checking for vulnerabilities on current system"

- _info "Kernel is \033[35m$os $(uname -r) $(uname -v) $(uname -m)\033[0m"

- _info "CPU is \033[35m$cpu_friendly_name\033[0m"

# try to find the image of the current running kernel

if [ -n "$opt_kernel" ]; then

# first, look for the BOOT_IMAGE hint in the kernel cmdline

elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then

opt_kernel=$(echo "$kernel_cmdline" | grep -Eo 'BOOT_IMAGE=[^ ]+' | cut -d= -f2)

# if the boot partition is within a btrfs subvolume, strip the subvolume name

# if /boot is a separate subvolume, the remainder of the code in this section should handle it

if echo "$opt_kernel" | grep -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi

[ -e "/boot/$opt_kernel" ] && opt_kernel="/boot/$opt_kernel"

# special case for CoreOS if we're inside the toolbox

[ -e "/media/root/boot/$opt_kernel" ] && opt_kernel="/media/root/boot/$opt_kernel"

# else, the full path is already there (most probably /boot/something)

fi

# if we didn't find a kernel, default to guessing

opt_config="/lib/kernel/config-$(uname -r)"

fi

else

else

# vanilla kernels have with ^Linux version

# also try harder with some kernels (such as Red Hat) that don't have ^Linux version before their version string

if [ -n "$kernel_version" ]; then

# in live mode, check if the img we found is the correct one

if [ "$opt_live" = 1 ]; then

fi

fi

_mockvarname="SMC_MOCK_SYSFS_$(basename "$file")_RET"

# shellcheck disable=SC2086,SC1083

if [ -n "$(eval echo \${$_mockvarname:-})" ]; then

mocked=1

return "$(eval echo \$$_mockvarname)"

fi

if [ -n "$(eval echo \${$_mockvarname:-})" ]; then

fullmsg="$(eval echo \$$_mockvarname)"

msg=$(echo "$fullmsg" | grep -Eo "$regex")

mocked=1

else

fullmsg=$(cat "$file")

if [ "$mode" = silent ]; then

return 0

elif [ "$mode" = quiet ]; then

fi

_debug "sys_interface_check: $file=$msg (re=$regex)"

return 0

else

# compare first core with the other ones

if [ $_first_core_ret != $ret ]; then

return $WRITE_MSR_RET_ERR

fi

fi

_msr_dec=$(( $2 ))

_msr=$(printf "0x%x" "$_msr_dec")

mocked=1

[ "$(eval echo \$$_mockvarname)" = $WRITE_MSR_RET_LOCKDOWN ] && msr_locked_down=1

return "$(eval echo \$$_mockvarname)"

load_msr

fi

if [ ! -e /dev/cpu/0/msr ] && [ ! -e /dev/cpuctl0 ]; then

return $WRITE_MSR_RET_ERR

fi

# for Linux

# convert to decimal

if [ ! -w /dev/cpu/"$_core"/msr ]; then

dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?

# if it failed, inspect stderrto look for EPERM

if [ "$ret" != 0 ]; then

fi

# or if we have perl, use it, any 5.x version will work

elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then

return $WRITE_MSR_RET_ERR

fi

if [ "$ret" != 0 ]; then

# yet more recent versions of the msr module can be set to msr.allow_writes=off, in which case no dmesg message is printed,

# but the write fails

if [ "$_write_denied" = 1 ]; then

return $WRITE_MSR_RET_LOCKDOWN

fi

unset _write_denied

else

ret=$WRITE_MSR_RET_KO

fi

mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$ret")

return $ret

}

else

# compare first core with the other ones

if [ $_first_core_ret != $ret ] || [ "$_first_core_value" != "$read_msr_value" ]; then

return $READ_MSR_RET_ERR

fi

fi

_msr=$(printf "0x%x" "$_msr_dec")

read_msr_value=''

mocked=1

return $READ_MSR_RET_OK

fi

_mockvarname="SMC_MOCK_RDMSR_${_msr}_RET"

# shellcheck disable=SC2086,SC1083

if [ -n "$(eval echo \${$_mockvarname:-})" ] && [ "$(eval echo \$$_mockvarname)" -ne 0 ]; then

mocked=1

return "$(eval echo \$$_mockvarname)"

fi

load_msr

fi

if [ ! -e /dev/cpu/0/msr ] && [ ! -e /dev/cpuctl0 ]; then

return $READ_MSR_RET_ERR

fi

# for Linux

if [ ! -r /dev/cpu/"$_core"/msr ]; then

mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR")

return $READ_MSR_RET_ERR

fi

if [ -z "$read_msr_value" ]; then

read_msr_value=$(( read_msr_value ))

fi

mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_RDMSR_${_msr}='$read_msr_value'")

# from kernel src: { X86_FEATURE_SPEC_CTRL, CPUID_EDX,26, 0x00000007, 0 },

# amd: https://developer.amd.com/wp-content/resources/Architecture_Guidelines_Update_Indirect_Branch_Control.pdf

# amd: 8000_0008 EBX[14]=1

if is_intel; then

read_cpuid 0x7 0x0 $EDX 26 1 1; ret=$?

if [ $ret = $READ_CPUID_RET_OK ]; then

#hygon cpuid_ssbd_virt_spec_ctrl=1

elif [ "$cpu_family" -ge 24 ]; then

cpuid_ssbd='HYGON non-architectural MSR'

fi

if [ -n "${cpuid_ssbd:=}" ]; then

fi

amd_ssb_no=0

fi

fi

cpuid_l1df=-1

fi

fi

if is_intel; then

fi

# make shellcheck happy while we're not yet using these new cpuid values in our checks

fi

if is_intel; then

capabilities_taa_no=-1

capabilities_mds_no=-1

capabilities_rdcl_no=-1

capabilities_gds_ctrl=-1

capabilities_gds_no=-1

if [ "$cpuid_arch_capabilities" = -1 ]; then

elif [ "$cpuid_arch_capabilities" != 1 ]; then

capabilities_rdcl_no=0

capabilities_taa_no=0

capabilities_tsx_ctrl_msr=0

capabilities_gds_ctrl=0

capabilities_gds_no=0

else

# the new MSR 'ARCH_CAPABILITIES' is at offset 0x10a

read_msr 0x10a; ret=$?

if [ $ret = $READ_MSR_RET_OK ]; then

capabilities=$read_msr_value

# https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/arch/x86/include/asm/msr-index.h#n82

[ $(( capabilities >> 0 & 1 )) -eq 1 ] && capabilities_rdcl_no=1

[ $(( capabilities >> 1 & 1 )) -eq 1 ] && capabilities_ibrs_all=1

[ $(( capabilities >> 2 & 1 )) -eq 1 ] && capabilities_rsba=1

[ $(( capabilities >> 8 & 1 )) -eq 1 ] && capabilities_taa_no=1

[ $(( capabilities >> 25 & 1 )) -eq 1 ] && capabilities_gds_ctrl=1

[ $(( capabilities >> 26 & 1 )) -eq 1 ] && capabilities_gds_no=1

fi

if [ "$capabilities_tsx_ctrl_msr" = 1 ]; then

tsx_ctrl_msr_cpuid_clear=$(( tsx_ctrl_msr >> 1 & 1 ))

fi

fi

mcu_opt_ctrl_gds_mitg_dis=-1

mcu_opt_ctrl_gds_mitg_lock=$(( mcu_opt_ctrl >> 5 & 1 ))

fi

ret=$READ_CPUID_RET_KO

cpuid_rtm=0

if is_intel; then

fi

if [ $ret = $READ_CPUID_RET_OK ]; then

cpuid_rtm=1

# A processor supports SRBDS if it enumerates CPUID (EAX=7H,ECX=0):EDX[9] as 1

# That means the mitigation disabling SRBDS exists

ret=$READ_CPUID_RET_KO

read_cpuid 0x7 0x0 $EDX 9 1 1; ret=$?

fi

if [ $ret = $READ_CPUID_RET_OK ]; then

cpuid_srbds=1

read_msr 0x123; ret=$?

if [ $ret = $READ_MSR_RET_OK ]; then

srbds_on=-1

fi

elif [ $ret = $READ_CPUID_RET_KO ]; then

fi

done

}

if "${opt_arch_prefix}strings" "$kernel" | grep -qw noibrs && "${opt_arch_prefix}strings" "$kernel" | grep -qw noibpb; then

# 1) detect their specific variant2 patch. If it's present, it means

# that the variant1 patch is also present (both were merged at the same time)

redhat_canonical_spectre=2

else

redhat_canonical_spectre=0

check_has_vmm()

{

has_vmm=$opt_vmm

if [ "$has_vmm" = -1 ] && [ "$opt_paranoid" = 1 ]; then

# In paranoid mode, if --vmm was not specified on the command-line,

# is null, which is the case for kernel threads: ignore those to

# avoid false positives (such as [kvm-irqfd-clean] under at least RHEL 7.6/7.7)

if ! [ "$(readlink -m "/proc/$_pid/exe")" = "/proc/$_pid/exe" ]; then

has_vmm=1

fi

done

fi

if [ "$has_vmm" = 0 ]; then

if [ "$opt_vmm" != -1 ]; then

fi

fi

}

check_CVE_2017_5753()

{

cve='CVE-2017-5753'

sys_interface_available=0

msg=''

if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spectre_v1"; then

fi

if [ "$opt_sysfs_only" != 1 ]; then

# no /sys interface (or offline mode), fallback to our own ways

# vanilla: look for the Linus' mask aka array_index_mask_nospec()

# that is inlined at least in raw_copy_from_user (__get_user_X symbols)

#mov PER_CPU_VAR(current_task), %_ASM_DX

# http://git.arm.linux.org.uk/cgit/linux-arm.git/commit/?h=spectre&id=a78d156587931a2c3b354534aa772febf6c9e855

v1_mask_nospec=''

if [ -n "$kernel_err" ]; then

#.macro mask_nospec64, idx, limit, tmp

#sub \tmp, \idx, \limit

#bic \tmp, \tmp, \idx

#

# if we have v1_mask_nospec or redhat_canonical_spectre>0, don't bother disassembling the kernel, the answer is no.

if [ -n "$v1_mask_nospec" ] || [ "$redhat_canonical_spectre" -gt 0 ]; then

# in 4.19+ kernels, the mask_nospec64 asm64 macro is replaced by array_index_nospec, defined in nospec.h, and used in invoke_syscall()

# ffffff8008090a4c: 2a0203e2 mov w2, w2

# ffffff8008090a50: eb0200bf cmp x5, x2

#

# if we have v1_mask_nospec or redhat_canonical_spectre>0, don't bother disassembling the kernel, the answer is no.

if [ -n "$v1_mask_nospec" ] || [ "$redhat_canonical_spectre" -gt 0 ]; then

else

# here we disassemble the kernel and count the number of occurrences of the LFENCE opcode

# in non-patched kernels, this has been empirically determined as being around 40-50

# non patched kernel have between 0 and 20 matches, patched ones have at least 40-45

nb_lfence=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence | grep -Ewc 'jmp|jne|je')

if [ "$nb_lfence" -lt 30 ]; then

fi

fi

fi

else

# we have no sysfs but were asked to use it only!

fi

pvulnstatus $cve "$status" "$msg"

[ -n "${_explain:-}" ] && explain "$_explain"

{

if ! is_cpu_affected "$cve"; then

# override status & msg in case CPU is not vulnerable after all

fi

}

check_CVE_2017_5715()

{

cve='CVE-2017-5715'

sys_interface_available=0

msg=''

if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spectre_v2"; then

sys_interface_available=1

fi

if [ "$opt_sysfs_only" != 1 ]; then

ibrs_can_tell=0

ibrs_supported=''

# /sys/kernel/debug/x86/ibrs_enabled: Red Hat (see https://access.redhat.com/articles/3311301)

# /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed

specex_knob_dir=$dir

fi

done

# on some newer kernels, the spec_ctrl_ibrs flag in "$procfs/cpuinfo"

# as per the ibrs patch series v3

if [ -z "$ibrs_supported" ]; then

if grep ^flags "$procfs/cpuinfo" | grep -qw spec_ctrl_ibrs; then

# enabled=2 -> kernel & user

ibrs_enabled=2

# XXX and what about ibpb ?

if [ -n "$fullmsg" ]; then

# when IBPB is enabled on 4.15+, we can see it in sysfs

if echo "$fullmsg" | grep -q 'IBPB'; then

# 4 isn't actually a valid value of the now extinct "ibrs_enabled" flag file,

# that only went from 0 to 3, so we use 4 as "enhanced ibrs is enabled"

ibrs_enabled=4

if [ -z "$ibrs_supported" ]; then

check_redhat_canonical_spectre

if [ "$redhat_canonical_spectre" = 1 ]; then

fi

fi

if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then

ibrs_can_tell=1

ibrs_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1)

if [ -n "$ibrs_supported" ]; then

fi

fi

# recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat

ibpb_can_tell=1

ibpb_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1)

if [ -n "$ibpb_supported" ]; then

else

# 0 means disabled

# 1 is enabled only for kernel space

case "$ibrs_enabled" in

0)

if [ "$ibrs_fw_enabled" = 1 ]; then

fi

if [ "$retpoline" = 1 ]; then

if echo "$fullmsg" | grep -qwi -e retpoline -e retpolines; then

if echo "$fullmsg" | grep -qwi minimal; then

retpoline_compiler=0

fi

elif [ -n "$kernel" ]; then

# look for the symbol

# the proper way: use nm and look for the symbol

if "${opt_arch_prefix}nm" "$kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then

retpoline_compiler=1

fi

fi

fi

if [ "$opt_live" = 1 ]; then

if [ -e "$specex_knob_dir/retp_enabled" ]; then

retp_enabled=$(cat "$specex_knob_dir/retp_enabled" 2>/dev/null)

fi

fi

fi

elif [ "$sys_interface_available" = 0 ]; then

# we have no sysfs but were asked to use it only!

fi

fi

if [ "$pvulnstatus_last_cve" != "$cve" ]; then

# explain what's needed for this CPU

if is_vulnerable_to_empty_rsb; then

fi

fi

fi

# RETPOLINE (amd & intel &hygon )

if is_amd || is_intel || is_hygon; then

if [ "$retpoline" = 0 ]; then

fi

fi

# /RETPOLINE

check_CVE_2017_5715_bsd()

{

fi

}

# https://groups.google.com/forum/m/#!topic/mechanical-sympathy/L9mHTbeQLNU

pti_performance_check()

{

if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw pcid; then

cpu_pcid=1

else

fi

if [ "$cpu_invpcid" = 1 ]; then

fi

}

check_CVE_2017_5754()

{

cve='CVE-2017-5754'

sys_interface_available=0

msg=''

if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/meltdown"; then

sys_interface_available=1

fi

if [ "$opt_sysfs_only" != 1 ]; then

fi

fi

if [ -z "$kpti_support" ] && [ -n "$opt_map" ]; then

kpti_can_tell=1

kpti_support=$(grep -w -e kpti_force_enabled -e parse_kpti "$opt_map")

if [ -n "$kpti_support" ]; then

fi

fi

if [ -z "$kpti_support" ] && [ -n "$kernel" ]; then

# 'kpti=': arm

kpti_can_tell=1

if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then

- _info_nol " * PTI enabled and active: "

+ _info_nol " * PTI ativado e ativo: "

if [ "$opt_live" = 1 ]; then

if grep ^flags "$procfs/cpuinfo" | grep -qw pti; then

# vanilla PTI patch sets the 'pti' flag in cpuinfo

- _debug "kpti_enabled: found 'pti' flag in $procfs/cpuinfo"

kpti_enabled=1

elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then

# Red Hat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301

if [ -z "$kpti_enabled" ]; then

dmesg_grep "$dmesg_grep"; ret=$?

if [ $ret -eq 0 ]; then

fi

if [ "$opt_live" = 1 ]; then

# checking whether we're running under Xen PV 64 bits. If yes, we are affected by variant3

# (unless we are a Dom0)

[ -n "${_explain:-}" ] && explain "$_explain"

unset _explain

fi

# Warn the user about XSA-254 recommended mitigations

if [ "$xen_pv_domo" = 1 ]; then

_warn

fi

}

check_CVE_2018_3640()

{

cve='CVE-2018-3640'

fi

}

check_CVE_2018_3639()

{

cve='CVE-2018-3639'

sys_interface_available=0

msg=''

if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/spec_store_bypass"; then

sys_interface_available=1

fi

if [ "$opt_sysfs_only" != 1 ]; then

fi

fi

else

check_CVE_2018_3639_bsd()

{

fi

fi

fi

check_CVE_2018_3615()

{

cve='CVE-2018-3615'

if { [ "$cpu_flush_cmd" = 1 ] || { [ "$msr_locked_down" = 1 ] && [ "$cpuid_l1df" = 1 ]; }; } && [ "$cpuid_sgx" = 1 ]; then

# no easy way to detect a fixed SGX but we know that

# microcodes that have the FLUSH_CMD MSR also have the

# if the system we're running on is locked down (no way to write MSRs),

# make the assumption that if the L1D flush CPUID bit is set, probably

# that FLUSH_CMD MSR is here too

fi

}

check_CVE_2018_3620()

{

cve='CVE-2018-3620'

sys_interface_available=0

msg=''

if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/l1tf"; then

sys_interface_available=1

fi

if [ "$opt_sysfs_only" != 1 ]; then

fi

else

pvulnstatus $cve "$status" "$msg"

check_CVE_2018_3620_bsd()

{

fi

fi

}

check_CVE_2018_3646()

{

cve='CVE-2018-3646'

sys_interface_available=0

msg=''

if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/l1tf" '.*' quiet; then

if [ "$opt_sysfs_only" != 1 ]; then

check_has_vmm

if [ "$opt_live" = 1 ]; then

if [ -n "$fullmsg" ]; then

# vanilla: VMX: $l1dstatus, SMT $smtstatus

# can also just be "Not affected"

if echo "$fullmsg" | grep -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then

l1d_mode=0

else

if is_xen_dom0; then

l1d_xen_hardware=$(xl dmesg | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -1)

if [ -n "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n "$l1d_xen_pv_domU" ]; then

l1d_mode=5

fi

fi

}

check_mds()

{

cve=$1

if [ "$kernel_md_clear" = 1 ]; then

kernel_mds_state=$(sysctl -n hw.mds_disable_state 2>/dev/null)

else

fi

# https://github.com/freebsd/freebsd/blob/master/sys/x86/x86/cpu_machdep.c#L953

case "$kernel_mds_state" in

else

if [ "$cpuid_md_clear" = 1 ]; then

if [ "$kernel_md_clear" = 1 ]; then

# mitigation must also be enabled

if [ "$kernel_mds_enabled" -ge 1 ]; then

if [ "$opt_paranoid" != 1 ] || [ "$kernel_smt_allowed" = 0 ]; then

fi

fi

fi

check_mds_linux()

{

sys_interface_available=0

msg=''

if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/mds" '^[^;]+'; then

fi

if [ "$opt_sysfs_only" != 1 ]; then

fi

if [ -z "$kernel_md_clear" ]; then

if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then

elif [ -n "$kernel_err" ]; then

kernel_md_clear_can_tell=0

elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'Clear CPU buffers'; then

else

if [ "$opt_sysfs_only" != 1 ]; then

# compute mystatus and mymsg from our own logic

if [ "$mds_mitigated" = 1 ]; then

if [ "$opt_paranoid" != 1 ] || [ "$mds_smt_mitigated" = 1 ]; then

mystatus=OK

fi

fi

else

check_CVE_2019_11135()

{

cve='CVE-2019-11135'

sys_interface_available=0

msg=''

if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/tsx_async_abort"; then

sys_interface_available=1

fi

if [ "$opt_sysfs_only" != 1 ]; then

else

pvulnstatus $cve "$status" "$msg"

fi

{

if ! is_cpu_affected "$cve" ; then

# override status & msg in case CPU is not vulnerable after all

fi

}

check_CVE_2018_12207()

{

cve='CVE-2018-12207'

sys_interface_available=0

msg=''

if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/itlb_multihit"; then

if [ "$opt_sysfs_only" != 1 ]; then

check_has_vmm

fi

fi

else

check_CVE_2018_12207_bsd()

{

fi

}

check_CVE_2020_0543()

{

cve='CVE-2020-0543'

sys_interface_available=0

msg=''

if sys_interface_check "/sys/devices/system/cpu/vulnerabilities/srbds"; then

sys_interface_available=1

fi

if [ "$opt_sysfs_only" != 1 ]; then

else

if [ "$opt_sysfs_only" != 1 ]; then

if [ "$cpuid_srbds" = 1 ]; then

# if msg is empty, sysfs check didn't fill it, rely on our own test

if [ "$opt_live" = 1 ]; then

# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old

fi

fi

elif [ "$srbds_on" = 0 ]; then

if [ -z "$msg" ]; then

if [ "$opt_live" = 1 ]; then

# if we're in live mode and $msg is empty, sysfs file is not there so kernel is too old

fi

else

# sysfs only: return the status/msg we got

{

if ! is_cpu_affected "$cve"; then

# override status & msg in case CPU is not vulnerable after all

fi

}

check_CVE_2023_20593()

{

cve='CVE-2023-20593'

if [ "$opt_live" = 1 ]; then

# read the DE_CFG MSR, we want to check the 9th bit

# don't do it on non-Zen2 AMD CPUs or later, aka Family 17h,

read_msr 0xc0011029; ret=$?

if [ $ret = $READ_MSR_RET_OK ]; then

if [ $(( read_msr_value >> 9 & 1 )) -eq 1 ]; then

fi

unset zenbleed_print_vuln

else

check_CVE_2022_40982() {

cve='CVE-2022-40982'

sys_interface_available=0

msg=''

fi

if [ "$opt_sysfs_only" != 1 ]; then

fi

if [ -n "$kernel_gds" ]; then

# Check dmesg message to see whether AVX has been disabled

- pstatus green YES "$kernel_avx_disabled"

+ pstatus green SIM "$kernel_avx_disabled"

else

fi

fi

elif [ "$sys_interface_available" = 0 ]; then

# we have no sysfs but were asked to use it only!

- msg="/sys vulnerability interface use forced, but it's not available!"

+ msg="interface de vulnerabilidade /sys usa forçado, mas não está disponível!"

fi

if ! is_cpu_affected "$cve" ; then

fi

else

pvulnstatus $cve "$status" "$msg"

done

if [ -n "$final_summary" ]; then

if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then

if command -v "gzip" >/dev/null 2>&1; then

fi

_info ""

# shellcheck disable=SC2046

- _warn "To mock this CPU, set those vars: "$(echo "$mockme" | sort -u)

fi

if [ "$opt_explain" = 0 ]; then

- _info "Need more detailed information about mitigation options? Use --explain"

fi

-_info "A false sense of security is worse than no security at all, see --disclaimer"

_info ""

- _warn "One or several values have been mocked. This should only be done when debugging/testing this script."

- _warn "The results do NOT reflect the actual status of the system we're running on."

+ _warn "Os resultados NÃO refletem o status real do sistema em que estamos executando."

fi

else

echo "OK"

fi

fi

if [ "$opt_batch" = 1 ] && [ "$opt_batch_format" = "prometheus" ]; then