How to check Linux for the Spectre and Meltdown vulnerabilities

Date: 2020-01-09 10:37:38  Source: igfitidea

How do I check whether my Linux server is still vulnerable to the Spectre and Meltdown CPU bugs?

Spectre & Meltdown Checker is a shell script that checks Intel, AMD, ARM and other CPUs for the following bugs:

  • CVE-2017-5753: bounds check bypass (Spectre Variant 1). You need to recompile your software and kernel with a modified compiler that inserts the LFENCE opcode at the appropriate places in the generated code. The performance impact of the mitigation is negligible.
  • CVE-2017-5715: branch target injection (Spectre Variant 2). The performance impact of the mitigation depends on your CPU.
  • CVE-2017-5754: rogue data cache load (Meltdown). You must install an updated kernel version that carries the PTI/KPTI patches; updating the kernel is sufficient. The performance impact of the mitigation is low to medium.

spectre-meltdown-checker.sh is a simple shell script that determines whether your Linux kernel (installation) is vulnerable to the three speculative-execution CVEs.
Use it to check whether you are still vulnerable to the Meltdown and Spectre CPU bugs after applying kernel patches.

Installation

The script must be run as root.
You can view the source code in the GitHub repository (URL below).
Fetch the source on your Linux machine with the wget command or the curl command:

$ cd /tmp/
$ wget https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh

or

$ git clone https://github.com/speed47/spectre-meltdown-checker.git

Sample output:

Cloning into 'spectre-meltdown-checker'...
remote: Counting objects: 155, done.
remote: Compressing objects: 100% (20/20), done.
remote: Total 155 (delta 18), reused 21 (delta 10), pack-reused 125
Receiving objects: 100% (155/155), 49.78 KiB | 145.00 KiB/s, done.
Resolving deltas: 100% (88/88), done.

How to check Linux for the Spectre and Meltdown vulnerabilities

Run the script as root using the sudo command or the su command:

$ sudo sh spectre-meltdown-checker.sh

Sample output from an Ubuntu Linux desktop:

[sudo] password for Hyman: 
Spectre and Meltdown mitigation detection tool v0.16
 
Checking vulnerabilities against Linux 4.13.0-21-generic #24-Ubuntu SMP Mon Dec 18 17:29:16 UTC 2017 x86_64
 
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places:  NO  (only 42 opcodes found, should be >= 70)
> STATUS:  VULNERABLE 
 
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
 
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active:  NO 
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)
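The verdicts in the output above are derived by the script from kernel build details and CPU features. Since Linux 4.15 the kernel also publishes its own assessment of these three CVEs under /sys/devices/system/cpu/vulnerabilities/, one file per issue, which makes a quick second opinion after patching. The POSIX shell snippet below is an added example written for this page; it is not the article's script and not part of the spectre-meltdown-checker project. It reads those files (the directory name is a parameter, and the sample tree it builds is constructed for the demo) and reports UNKNOWN where a file is missing, as would happen on the 4.13 kernel shown above.

```shell
#!/bin/sh
# Added example, not part of the article or the spectre-meltdown-checker project.
# Reads the kernel's own verdict on the three CVEs from
# /sys/devices/system/cpu/vulnerabilities/ (exposed by Linux 4.15 and later).
# The directory is a parameter so the same function can be run against a
# constructed sample tree, which is what the demo at the bottom does.

# Print one line per CVE: "<CVE> <sysfs file> <STATUS>" where STATUS is
# MITIGATED, NOT_AFFECTED, VULNERABLE or UNKNOWN (file absent or unparsable,
# e.g. on a kernel older than 4.15 such as the 4.13 one in the article).
report_cpu_vulns() {
    dir=$1
    # The three CVEs the article lists, mapped to their sysfs file names.
    for pair in CVE-2017-5753:spectre_v1 CVE-2017-5715:spectre_v2 CVE-2017-5754:meltdown; do
        cve=${pair%%:*}
        f=${pair#*:}
        if [ ! -r "$dir/$f" ]; then
            printf '%s %s UNKNOWN\n' "$cve" "$f"
            continue
        fi
        line=$(cat "$dir/$f")
        case "$line" in
            Mitigation:*)    status=MITIGATED ;;
            "Not affected"*) status=NOT_AFFECTED ;;
            Vulnerable*)     status=VULNERABLE ;;
            *)               status=UNKNOWN ;;
        esac
        printf '%s %s %s\n' "$cve" "$f" "$status"
    done
}

# Number of the three CVEs the kernel reports as VULNERABLE. UNKNOWN entries
# are not counted; those need the checker script, which inspects microcode
# and kernel build options that sysfs does not expose.
count_vulnerable() {
    report_cpu_vulns "$1" | grep -c ' VULNERABLE$' || true
}

# Build a constructed sample tree (values follow the format of real sysfs
# entries but are made up for this demo): Spectre v1 and Meltdown mitigated,
# Spectre v2 still vulnerable. Prints the directory path.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n'                               > "$d/spectre_v2"
    printf 'Mitigation: PTI\n'                          > "$d/meltdown"
    printf '%s\n' "$d"
}

# Demo: first the constructed tree, then the live sysfs directory (which will
# show UNKNOWN for all three on a kernel that does not export it).
sample=$(make_sample_tree)
echo "constructed sample:"
report_cpu_vulns "$sample"
echo "vulnerable count: $(count_vulnerable "$sample")"
rm -rf "$sample"
echo "live system:"
report_cpu_vulns /sys/devices/system/cpu/vulnerabilities
```

On a patched host, run report_cpu_vulns /sys/devices/system/cpu/vulnerabilities as an unprivileged user (the files are world-readable) and compare its lines with the STATUS lines of the checker script; the two should agree, and a disagreement usually means the kernel is too old to export the files or the checker is looking at build options the kernel does not report.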

Another output, from my CentOS 7.x server, where Meltdown and Spectre v1 have been patched in the kernel:

$ sudo sh spectre-meltdown-checker.sh

Spectre and Meltdown mitigation detection tool for Linux