Spectre Meltdown Checker Versions

Reptar, Downfall, Zenbleed, ZombieLoad, RIDL, Fallout, Foreshadow, Spectre, Meltdown vulnerability/mitigation checker for Linux & BSD

v0.46

9 months ago

This release mainly focuses on the detection of the new Zenbleed (CVE-2023-20593) vulnerability, among a few other changes that were waiting in line for a release:

  • feat: detect the vulnerability and mitigation of Zenbleed (CVE-2023-20593)
  • feat: add the linux-firmware repository as another source for CPU microcode versions
  • feat: arm: add Neoverse-N2, Neoverse-V1 and Neoverse-V2
  • fix: docker: add missing utils (#433)
  • feat: add support for Guix System kernel
  • fix: rewrite SQL to be sqlite3 >= 3.41 compatible (#443)
  • fix: a /devnull file was mistakenly created on the filesystem
  • fix: fwdb: ignore MCEdb versions where an official Intel version exists (fixes #430)

Thanks to the following contributors: @ShadowCurse and @rakino

v0.45

2 years ago

An intermediary release with preparatory work needed to integrate support for the new vulns BHI and intra-mode BTI (Spectre V2-like), along with other changes that were in the pipeline over the last few months:

  • feat: add --cpu, to conduct MSR read/writes and cpuinfo checks on a given CPU/core number. By default, the first core is used (id 0). --cpu all is also supported, to query all cores and report whether there are discrepancies between cores
  • feat: hardware check: add IPRED_CTRL, RRSBA_CTRL, and BHI_CTRL feature bits checks in cpuinfo; these are needed to mitigate BHI and intra-mode BTI (https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html)
  • feat: add subleaf (ecx) != 0 support for read_cpuid, needed to query support of new bits in the IA32_SPEC_CTRL MSR
  • feat: add --allow-msr-write, and no longer write to MSRs by default, to avoid spurious messages in kernel logs, as more and more distros leave msr.allow_writes at its default (allow but log a warning) or even set it to off, which prevents writing from userspace altogether. This also fixes #385. When the cpuid bit indicating the presence of a write-only MSR is set, we'll now assume that the MSR exists, unless --allow-msr-write is specified, in which case we'll also check that by writing to it.
  • feat: bsd: for unimplemented CVEs, at least report when CPU is not affected
  • feat: bsd: implement mitigation detection for the MCEPSC vulnerability
  • feat: arm: add Cortex A77 and Neoverse-N1 (fixes #371)
  • feat: arm64: phytium: Add CPU Implementer Phytium
  • feat: arm64: variant 4: detect ssbd mitigation from kernel img, system.map or kconfig
  • feat: Android: autodetect a better suitable default TMPDIR (#415 #424)
  • fix: retpoline: detection on 5.15.28+ (#420)
  • fix: has_vmm false positive with pcp (#394)
  • fix: is_ucode_blacklisted: fix some model names
  • fix: refuse to run under MacOS and ESXi (#398)
  • fix: variant4: added case where prctl ssbd status is tagged as 'unknown'
  • fix: extract_kernel: don't overwrite kernel_err if already set
  • chore: only attempt to load msr and cpuid modules once
  • chore: read_cpuid/read_msr/write_msr: use named constants for better maintainability
  • chore: wording: model not vulnerable -> model not affected
  • chore: update Intel Family 6 models
  • chore: ensure vars are set before being de-referenced (set -u compat)
  • chore: update fwdb to v222+i20220208

v0.44

3 years ago

Quite a big release this time again:

  • feat: add support for SRBDS related vulnerabilities
  • feat: add zstd kernel decompression (#370)
  • enh: arm: add experimental support for binary arm images
  • enh: rsb filling: no longer need the 'strings' tool to check for kernel support in live mode
  • fix: fwdb: remove Intel extract tempdir on exit
  • fix: has_vmm: ignore kernel threads when looking for a hypervisor (fixes #278)
  • fix: fwdb: use the commit date as the intel fwdb version
  • fix: fwdb: update Intel's repository URL
  • fix: arm64: cve-2017-5753: kernels 4.19+ use a different nospec macro
  • fix: CPU info parsing under FreeBSD
  • chore: github: add check run on pull requests
  • chore: fwdb: update to v165.20201021+i20200616

v0.43

4 years ago

A lot of changes made it to this release:

  • feat: implement TAA detection (CVE-2019-11135)
  • feat: implement MCEPSC / iTLB Multihit detection (CVE-2018-12207)
  • feat: taa: add TSX_CTRL MSR detection in hardware info
  • feat: fwdb: use both Intel GitHub repo and MCEdb to build our firmware version database
  • feat: use --live with --kernel/--config/--map to override file detection in live mode
  • enh: rework the vuln logic of MDS with --paranoid (fixes #307)
  • enh: explain that Enhanced IBRS is better for performance than classic IBRS
  • enh: kernel: autodetect customized arch kernels from cmdline
  • enh: kernel decompression: better tolerance against missing tools
  • enh: mock: implement reading from /proc/cmdline
  • fix: variant3a: Silvermont CPUs are not vulnerable to variant 3a
  • fix: lockdown: detect Red Hat locked down kernels (impacts MSR writes)
  • fix: lockdown: detect locked down mode in vanilla 5.4+ kernels
  • fix: sgx: on locked down kernels, fallback to CPUID bit for detection
  • fix: fwdb: builtin version takes precedence if the local cached version is older
  • fix: pteinv: don't check kernel image if not available
  • fix: silence useless error from grep (fixes #322)
  • fix: msr: fix msr module detection under Ubuntu 19.10 (fixes #316)
  • fix: mocking value for read_msr
  • chore: rename mcedb cmdline parameters to fwdb, and change db version scheme
  • chore: fwdb: update to v130.20191104+i20191027
  • chore: add GitHub check workflow

v0.42

4 years ago

  • Feature: add FreeBSD MDS mitigation detection
  • Feature: add mocking functionality to help debugging, dump data to mock the behavior of your CPU with --dump-mock-data
  • Fix: AMD, ARM and CAVIUM are not vulnerable to MDS
  • Fix: RDCL_NO bit wasn't taking precedence for L1TF check on some newer Intel CPUs
  • Fix: The MDS_NO bit on newer Intel CPUs is now recognized and used
  • Fix: remove libvirtd from hypervisor detection to avoid false positives (#278)
  • Fix: under BSD, the data returned when reading MSR was incorrectly formatted
  • Misc: update builtin MCEdb from v110 to v111

v0.41

5 years ago

  • Feature: add support for the 4 MDS CVEs (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091 / Fallout, RIDL, ZombieLoad)
  • Feature: add Spectre and Meltdown mitigation detection for Hygon CPU (#271)
  • Feature: for SSBD, report whether the mitigation is active (in live mode) (#210)
  • Enhancement: better Xen and hypervisors detection (#259) (#270)
  • Enhancement: in paranoid mode, assume we're running a hypervisor (for L1TF) unless stated otherwise
  • Enhancement: better detect Arch kernel image location (#268)
  • Fix: error when no process used prctl to set SSB mitigation
  • Fix: invalid names in json batch mode (#279)
  • Fix: IBRS kernel reported active even if sysfs had "IBRS_FW" only (#275) (#276)
  • Fix: load vmm under BSD if not already loaded (#274)
  • Fix: misdetection of files under Clear Linux (#264)
  • Misc: update MCEdb to v110
  • Misc: dozens of other fixes and enhancements

v0.40

5 years ago

  • Feature: add support for the 3 L1TF CVEs aka Foreshadow and Foreshadow-NG, under Linux and FreeBSD
  • Feature: use the excellent MCExtractor microcode versions database as reference to tell if CPU microcode is up to date, use --update-mcedb to update it (a builtin version is included)
  • Feature: add summary of vulnerabilities at the end of script
  • Feature: add a --batch short option for one line result
  • Enhancement: dynamically use git when available to better describe inter-release versions
  • Enhancement: add the --cve parameter to selectively test vulnerabilities
  • Fix: properly detect SSBD under BSD
  • Fix: --batch now implies --no-color to avoid colored warnings
  • Misc: dozens of other fixes and enhancements

v0.39

5 years ago

  • Feature: two new methods for reading MSR without a recent-enough dd binary: using perl or the msr-tools when these are present
  • Feature: add detection of RSBA feature bit (set by some hypervisors) indicating possible RSB underflow host CPU vulnerability, and require kernel support for RSB stuffing even on non-Skylake CPUs when this is the case
  • Feature: support for /boot partition on a btrfs subvolume (#226)
  • Feature: add standard location of Arch armv5/armv7 kernel image (#227)
  • Fix: the ARCH_CAPABILITIES MSR wasn't read correctly, preventing proper SSB_NO and RDCL_NO feature bits detection

v0.38

5 years ago

  • Feature: support detection for Variant 3a (CVE-2018-3640) and Variant 4 (CVE-2018-3639)
  • Feature: add Spectre v1 mitigation detection for ARM 32 bits
  • Feature: add Cavium CPU support and correct vulnerability information
  • Feature: add guess for kernel image location on Raspberry Pi 3
  • Feature: ability to run the script inside a Docker container (Dockerfile included)
  • Change: omit explanations by default to avoid cluttering the output, use --explain to get detailed mitigation help
  • Enhancement: explain mode: suggest to set VM CPU to an IBRS-capable one for hypervisors
  • Enhancement: avoid use of iflag=skip_bytes for compat with old dd versions
  • Fix: no longer unload msr or cpuid modules on exit if they were loaded before we started
  • Fix: when we can't determine if IBRS is enabled or not, report it as NO instead of UNKNOWN when we know that the CPU can't support it
  • Fix: variant2: detection now works under SLES kernels
  • Fix: ARM: update vulnerability info to latest vendor statement
  • Fix: ARM: ARMv8 models under Cortex A57 correctly marked as non-vulnerable (also fixes Raspberry Pi 3)
  • Fix: prometheus output wouldn't format \n correctly under some systems

v0.37

6 years ago

  • Feature: add a detailed explanation of "what to do" when the system is found vulnerable to one of the vulnerabilities (skip with --no-explain)
  • Feature: rework output for IBRS/IBPB check and better detection for newer kernels (IBRS_FW, IBPB without IBRS, ...)
  • Feature: check for Red Hat 7/CentOS 7 specific retp_enabled knob in sysfs
  • Feature: detect arm64 Spectre Variant 1, Spectre Variant 2 and Meltdown (Variant 3) mitigations
  • Feature: add retpoline detection for BSD
  • Feature: add microcode information under BSD
  • Feature: add PTI performance check under BSD
  • Feature: add detection of AMD-specific STIBP, STIBP-always-on, IBRS, IBRS-always-on and IBRS-preferred CPUID feature flags
  • Feature: when ibpb_enabled=2 (Red Hat), warn if SMT is not disabled
  • Feature: detect whether the kernel supports RSB filling (important for Skylake+)
  • Feature: add --paranoid to make IBPB required in addition to retpoline for Variant 2
  • Refactor: don't test AMD-specific flags on Intel and Intel-specific flags on AMD for clarity
  • Fix: when PTI activation is unknown, don't say we're vulnerable
  • Fix: don't hide microcode information for AMD CPUs
  • Misc: other minor fixes and enhancements