Szpadel/meltdown-check.sh

## meltdown-check.sh
#!/usr/bin/env bash

CR="\e[0m"
CBAD="\e[41m"
CWRN="\e[33m"
COK="\e[32m"
CINF="\e[34m"

isPcidPresent() {
  grep -q pcid /proc/cpuinfo
}

isConfigPresent() {
  KERN_VER=$(uname -r)
  RET=
  if [ -e /proc/config.gz ];then
    zgrep -q $1=y /proc/config.gz
    RET=$?
    echo "(in /proc/config.gz) "
    return $RET
  elif [ -e /boot/config-$KERN_VER ];then
    grep -q $1=y /boot/config-$KERN_VER
    RET=$?
    echo "(in /boot/config-$KERN_VER) "
    return $RET
  else
    echo "(could not find config for current kernel) "
    return 1
  fi
}

kptiStatus() {
  if [ -e /sys/kernel/debug/x86/pti_enabled ];then
    echo "(runtime) "
    [ "$(cat /sys/kernel/debug/x86/pti_enabled)" != 0 ] && echo -e "${COK}Enabled${CR}" || echo -e "${CBAD}Disabled${CR}"
    return
  fi
  echo "(boot) "
  [ -n "$(dmesg | grep 'Kernel/User page tables isolation: enabled')" ] && echo -e "${COK}Enabled${CR}" && return
  [ -n "$(dmesg | grep 'Kernel/User page tables isolation: force enabled on command line')" ] && echo -e "${COK}Forced${CR}" && return
  echo -e "${CBAD}Disabled${CR}"
}

redpolineStatus() {
  msg=$(dmesg | grep 'Spectre V2 mitigation: '|sed 's/^.*Spectre V2 mitigation: \(.*\)$/\1/')
  [ -n "$(echo $msg|grep 'Not affected')" ] && echo -e "${COK}${msg}${CR}" && return
  [ -n "$(echo $msg|grep Mitigation)" ] && echo -e "${COK}${msg}${CR}" && return
  [ -n "$(echo $msg|grep Vulnerable)" ] && echo -e "${CBAD}${msg}${CR}" && return
  [ -z "$msg" ] && echo -e "${CBAD}MISSING${CR}"
  echo -e "${CINF}${msg}${CR}"
}

cpuSecure() {
  ! grep -q cpu_insecure /proc/cpuinfo
}

cpuModel() {
  grep 'model name' /proc/cpuinfo |head -n1|sed 's/^model name\t: \(.*\)$/\1/'
}

printCpuVul() {
  [ -e /sys/devices/system/cpu/vulnerabilities ] || return
  echo Found cpu vulnerabilities kernel raport
  for vul in /sys/devices/system/cpu/vulnerabilities/*;do
    v=$(basename $vul)
    echo -e "Vulnerability $v status: ${CINF}$(cat $vul)${CR}"
  done
}

echo -e CPU detected: ${CINF}$(cpuModel)${CR}
echo CPU bug detected: $(cpuSecure && echo -e "${CINF}Not aware${CR}" || echo -e "${CWRN}Bug present${CR}")
echo CPU PCID support: $(isPcidPresent && echo -e "${COK}Present${CR}" || echo -e "${CBAD}MISSING${CR}" )
echo KPTI kernel option: $(isConfigPresent CONFIG_PAGE_TABLE_ISOLATION  && echo -e "${COK}Present${CR}" || echo -e "${CWRN}MISSING${CR}")
echo Retpoline kernel option: $(isConfigPresent CONFIG_RETPOLINE && echo -e "${COK}Present${CR}" || echo -e "${CWRN}MISSING${CR}")
echo Retpoline boot status: $(redpolineStatus)
echo KPTI status: $(kptiStatus)
printCpuVul
	#!/usr/bin/env bash

	CR="\e[0m"
	CBAD="\e[41m"
	CWRN="\e[33m"
	COK="\e[32m"
	CINF="\e[34m"

	isPcidPresent() {
	grep -q pcid /proc/cpuinfo
	}

	isConfigPresent() {
	KERN_VER=$(uname -r)
	RET=
	if [ -e /proc/config.gz ];then
	zgrep -q $1=y /proc/config.gz
	RET=$?
	echo "(in /proc/config.gz) "
	return $RET
	elif [ -e /boot/config-$KERN_VER ];then
	grep -q $1=y /boot/config-$KERN_VER
	RET=$?
	echo "(in /boot/config-$KERN_VER) "
	return $RET
	else
	echo "(could not find config for current kernel) "
	return 1
	fi
	}

	kptiStatus() {
	if [ -e /sys/kernel/debug/x86/pti_enabled ];then
	echo "(runtime) "
	[ "$(cat /sys/kernel/debug/x86/pti_enabled)" != 0 ] && echo -e "${COK}Enabled${CR}" \|\| echo -e "${CBAD}Disabled${CR}"
	return
	fi
	echo "(boot) "
	[ -n "$(dmesg \| grep 'Kernel/User page tables isolation: enabled')" ] && echo -e "${COK}Enabled${CR}" && return
	[ -n "$(dmesg \| grep 'Kernel/User page tables isolation: force enabled on command line')" ] && echo -e "${COK}Forced${CR}" && return
	echo -e "${CBAD}Disabled${CR}"
	}

	redpolineStatus() {
	msg=$(dmesg \| grep 'Spectre V2 mitigation: '\|sed 's/^.Spectre V2 mitigation: \(.\)$/\1/')
	[ -n "$(echo $msg\|grep 'Not affected')" ] && echo -e "${COK}${msg}${CR}" && return
	[ -n "$(echo $msg\|grep Mitigation)" ] && echo -e "${COK}${msg}${CR}" && return
	[ -n "$(echo $msg\|grep Vulnerable)" ] && echo -e "${CBAD}${msg}${CR}" && return
	[ -z "$msg" ] && echo -e "${CBAD}MISSING${CR}"
	echo -e "${CINF}${msg}${CR}"
	}

	cpuSecure() {
	! grep -q cpu_insecure /proc/cpuinfo
	}

	cpuModel() {
	grep 'model name' /proc/cpuinfo \|head -n1\|sed 's/^model name\t: \(.*\)$/\1/'
	}

	printCpuVul() {
	[ -e /sys/devices/system/cpu/vulnerabilities ] \|\| return
	echo Found cpu vulnerabilities kernel raport
	for vul in /sys/devices/system/cpu/vulnerabilities/*;do
	v=$(basename $vul)
	echo -e "Vulnerability $v status: ${CINF}$(cat $vul)${CR}"
	done
	}

	echo -e CPU detected: ${CINF}$(cpuModel)${CR}
	echo CPU bug detected: $(cpuSecure && echo -e "${CINF}Not aware${CR}" \|\| echo -e "${CWRN}Bug present${CR}")
	echo CPU PCID support: $(isPcidPresent && echo -e "${COK}Present${CR}" \|\| echo -e "${CBAD}MISSING${CR}" )
	echo KPTI kernel option: $(isConfigPresent CONFIG_PAGE_TABLE_ISOLATION && echo -e "${COK}Present${CR}" \|\| echo -e "${CWRN}MISSING${CR}")
	echo Retpoline kernel option: $(isConfigPresent CONFIG_RETPOLINE && echo -e "${COK}Present${CR}" \|\| echo -e "${CWRN}MISSING${CR}")
	echo Retpoline boot status: $(redpolineStatus)
	echo KPTI status: $(kptiStatus)
	printCpuVul