1 | #!/usr/bin/perl |
2 | ############################################################################### | |
3 | # # | |
4 | # IPFire.org - A linux based firewall # | |
edc78459 | 5 | # Copyright (C) 2007-2023 IPFire Team <info@ipfire.org> # |
6 | # # |
7 | # This program is free software: you can redistribute it and/or modify # | |
8 | # it under the terms of the GNU General Public License as published by # | |
9 | # the Free Software Foundation, either version 3 of the License, or # | |
10 | # (at your option) any later version. # | |
11 | # # | |
12 | # This program is distributed in the hope that it will be useful, # | |
13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
15 | # GNU General Public License for more details. # | |
16 | # # | |
17 | # You should have received a copy of the GNU General Public License # | |
18 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
19 | # # | |
20 | ############################################################################### | |
21 | ||
22 | use strict; | |
23 | ||
# Enable the following only for debugging purposes
25 | #use warnings; |
26 | #use CGI::Carp 'fatalsToBrowser'; | |
27 | |
28 | require '/var/ipfire/general-functions.pl'; | |
29 | require "${General::swroot}/lang.pl"; | |
30 | require "${General::swroot}/header.pl"; | |
31 | ||
# Map of sysfs entry names below /sys/devices/system/cpu/vulnerabilities/ to
# the translated, human-readable label (with CVE identifiers) shown in the
# report table. Only the entries listed here are looked up and displayed;
# any additional file the running kernel exposes in that directory is left
# out of the report without notice.
my %VULNERABILITIES = (
	'gather_data_sampling' => "$Lang::tr{'downfall gather data sampling'} (CVE-2022-40982)",
	'itlb_multihit'        => "$Lang::tr{'itlb multihit'} (CVE-2018-12207)",
	'l1tf'                 => "$Lang::tr{'foreshadow'} (CVE-2018-3620)",
	'mds'                  => "$Lang::tr{'fallout zombieload ridl'} (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091)",
	'meltdown'             => "$Lang::tr{'meltdown'} (CVE-2017-5754)",
	'mmio_stale_data'      => "$Lang::tr{'mmio stale data'} (CVE-2022-21123, CVE-2022-21125, CVE-2022-21127, CVE-2022-21166)",
	'retbleed'             => "$Lang::tr{'retbleed'} (CVE-2022-29900, CVE-2022-29901)",
	'spec_rstack_overflow' => "$Lang::tr{'spec rstack overflow'} (CVE-2023-20569)",
	'spec_store_bypass'    => "$Lang::tr{'spectre variant 4'} (CVE-2018-3639)",
	'spectre_v1'           => "$Lang::tr{'spectre variant 1'} (CVE-2017-5753)",
	'spectre_v2'           => "$Lang::tr{'spectre variant 2'} (CVE-2017-5715)",
	'srbds'                => "$Lang::tr{'srbds'} (CVE-2020-0543)",
	'tsx_async_abort'      => "$Lang::tr{'taa zombieload2'} (CVE-2019-11135)",
);
47 | ||
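my $errormessage = "";
my $notice = "";

# Theme colours for the alternating table rows. %mainsettings is loaded here
# as well but is not referenced anywhere else in this script.
my %mainsettings = ();
my %color = ();
&General::readhash("${General::swroot}/main/settings", \%mainsettings);
&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);

# Persisted settings with their defaults. The stored file overrides the
# defaults and the submitted form (via getcgihash) overrides both.
my %settings = (
	"ENABLE_SMT" => "auto",
);
&General::readhash("${General::swroot}/main/security", \%settings);

&Header::showhttpheaders();

&Header::getcgihash(\%settings);

if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
	# Whitelist the only two accepted values. \z rather than $ is used so a
	# submitted value with a trailing newline cannot pass the check and be
	# written into the settings file (which is applied at the next reboot,
	# see the notice below).
	if ($settings{'ENABLE_SMT'} !~ /^(auto|on)\z/) {
		$errormessage = $Lang::tr{'invalid input'};
	}

	unless ($errormessage) {
		# NOTE(review): the whole hash is written back, including ACTION and
		# whatever other keys getcgihash stored from the request - this relies
		# on getcgihash/writehash keeping stray keys harmless; confirm.
		&General::writehash("${General::swroot}/main/security", \%settings);
		$notice = $Lang::tr{'please reboot to apply your changes'};
	}
}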
75 | ||
# Pre-compute the "checked" attribute for each ENABLE_SMT radio button so the
# form reflects the current (or just submitted) value.
my %checked = ();
$checked{'ENABLE_SMT'}{$_} = '' for ('auto', 'on');
$checked{'ENABLE_SMT'}{$settings{'ENABLE_SMT'}} = "checked";
80 | ||
&Header::openpage($Lang::tr{'processor vulnerability mitigations'}, 1, '');

&Header::openbigbox("100%", "left", "", $errormessage);

# Show an error box and/or a notice box, each only when it carries text.
for my $box ([$errormessage, $Lang::tr{'error messages'}], [$notice, $Lang::tr{'notice'}]) {
	my ($text, $title) = @{$box};
	next unless $text;

	&Header::openbox('100%', 'left', $title);
	print "<font color='red'>$text</font>";
	&Header::closebox();
}

&Header::openbox('100%', 'center', $Lang::tr{'processor vulnerability mitigations'});

# Header of the per-vulnerability report table; one row per entry follows.
print <<END;
<table class="tbl" width='100%'>
	<thead>
		<tr>
			<th align="center">
				<strong>$Lang::tr{'vulnerability'}</strong>
			</th>
			<th align="center">
				<strong>$Lang::tr{'status'}</strong>
			</th>
		</tr>
	</thead>
	<tbody>
END
113 | ||
# Known kernel verdicts -> [ translated label, text colour, cell colour ].
# Anything else is shown verbatim on yellow so an unexpected report from the
# kernel stays visible instead of being hidden.
my %presentation = (
	"Not affected" => [ $Lang::tr{'not affected'}, "white", ${Header::colourgreen} ],
	"Vulnerable"   => [ $Lang::tr{'vulnerable'},   "white", ${Header::colourred} ],
	"Mitigation"   => [ $Lang::tr{'mitigated'},    "white", ${Header::colourblue} ],
);

# One table row per known vulnerability, coloured by the kernel's verdict.
my $id = 0;
for my $vuln (sort keys %VULNERABILITIES) {
	my ($status, $message) = &check_status($vuln);

	# The running kernel has no sysfs entry for this item - skip it.
	next if (!$status);

	my ($status_message, $colour, $bgcolour) = exists $presentation{$status}
		? @{ $presentation{$status} }
		: ($status, "black", ${Header::colouryellow});

	# Alternate the row background colour.
	my $table_colour = ($id++ % 2) ? $color{'color22'} : $color{'color20'};

	# Append the kernel's detail text (e.g. the mitigation name) when present.
	my $cell = "<strong>$status_message</strong>";
	$cell .= " - $message" if ($message);

	print <<END;
<tr bgcolor="$table_colour">
	<td align="left">
		<strong>$VULNERABILITIES{$vuln}</strong>
	</td>

	<td bgcolor="$bgcolour" align="center">
		<font color="$colour">
			$cell
		</font>
	</td>
</tr>
END
}
171 | ||
print <<END;
	</tbody>
</table>
END

&Header::closebox();

# The settings form posts back to this script (SCRIPT_NAME is set by the web
# server, not by the client, and is interpolated unescaped into the action).
# NOTE(review): there is no anti-CSRF token field in this form; unless
# header.pl adds one, the save action relies on the web UI's authentication
# alone - confirm.
print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>\n";

&Header::openbox('100%', 'center', $Lang::tr{'settings'});

# Current SMT state as reported by the kernel (see smt_status below), shown
# as the heading of the settings box.
my $smt_status = &smt_status();

# Radio buttons for ENABLE_SMT: "auto" is the default, "on" forces SMT on and
# is labelled "dangerous" in the UI. The table above already reports partial
# mitigations whose kernel text still contains "vulnerable" as Vulnerable,
# which is the kind of condition forcing SMT on can leave in place.
print <<END;
<table class="tbl" width="100%">
	<tbody>
		<tr>
			<th colspan="2" align="center">
				<strong>$smt_status</strong>
			</th>
		</tr>

		<tr>
			<td width="50%" align="left">
				$Lang::tr{'enable smt'}
			</td>

			<td width="50%" align="center">
				<label>
					<input type="radio" name="ENABLE_SMT"
						value="auto" $checked{'ENABLE_SMT'}{'auto'}>
					$Lang::tr{'automatic'}
				</label> /
				<label>
					<input type="radio" name="ENABLE_SMT"
						value="on" $checked{'ENABLE_SMT'}{'on'}>
					$Lang::tr{'force enable'} ($Lang::tr{'dangerous'})
				</label>
			</td>
		</tr>

		<tr>
			<td colspan="2" align="right">
				<input type="submit" name="ACTION" value="$Lang::tr{'save'}">
			</td>
		</tr>
	</tbody>
</table>
END

&Header::closebox();

print "</form>\n";

&Header::closebigbox();

&Header::closepage();
229 | ||
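# Read the kernel's assessment of one vulnerability from sysfs and split it
# into a coarse status and an optional detail message.
#
# Parameter: the sysfs entry name (a key of %VULNERABILITIES, e.g. "spectre_v2").
# Returns a list ($status, $message):
#   - nothing (undef status) if the sysfs file does not exist or is empty, so
#     the caller skips this entry;
#   - ("Vulnerable" | "Mitigation", $detail) when the kernel reports
#     "Vulnerable: ..." or "Mitigation: ...";
#   - otherwise the whole status line as a single scalar (e.g. "Not affected",
#     or a bare "Vulnerable" without detail).
sub check_status {
	my $vuln = shift;

	# The entry name comes from the fixed %VULNERABILITIES table, but use the
	# three-argument open with a lexical handle anyway so the path can never
	# be interpreted as a mode or a pipe.
	open(my $fh, "<", "/sys/devices/system/cpu/vulnerabilities/$vuln") or return;
	my $status = <$fh>;
	close($fh);

	# An empty file would otherwise hand undef to chomp and the regexes below.
	return unless defined $status;
	chomp($status);

	return _classify_status($status);
}

# Turn a raw kernel status line into the ($status, $message) pair described
# for check_status. Pure parsing, no I/O.
sub _classify_status {
	my $status = shift;

	# A line like "Mitigation: ...; SMT vulnerable" is only a partial
	# mitigation, so report it as still vulnerable and keep the complete line
	# as the detail text.
	if ($status =~ /^(Mitigation): (.*vulnerable.*)$/) {
		return ("Vulnerable", $status);
	}

	if ($status =~ /^(Vulnerable|Mitigation): (.*)$/) {
		return ($1, $2);
	}

	return $status;
}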
250 | |
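# Report the kernel's SMT (simultaneous multithreading) control state for the
# heading of the settings box.
#
# Reads /sys/devices/system/cpu/smt/control and returns a translated message
# for the states the kernel's sysfs ABI documents ("on", "off", "forceoff",
# "notsupported", "notimplemented", or a bare thread count when SMT is enabled
# with fewer than the maximum threads per core). Any other value is returned
# verbatim so an unexpected kernel string remains visible to the admin.
sub smt_status {
	# The control file only exists on kernels built with SMT hotplug control.
	# Previously a missing file led to reading from an unopened handle and an
	# empty heading; treat it like "notsupported" instead.
	open(my $fh, "<", "/sys/devices/system/cpu/smt/control")
		or return $Lang::tr{'smt not supported'};
	my $status = <$fh>;
	close($fh);

	return $Lang::tr{'smt not supported'} unless defined $status;
	chomp($status);

	# Per the kernel ABI description, a bare number means SMT is enabled but
	# not with all threads per core - still "enabled" for our purposes.
	if (($status eq "on") || ($status =~ /^\d+$/)) {
		return $Lang::tr{'smt enabled'};
	} elsif (($status eq "off") || ($status eq "forceoff")) {
		return $Lang::tr{'smt disabled'};
	# "notimplemented" means runtime SMT control is not implemented for this
	# architecture; the existing "not supported" message is the closest
	# available translation.
	} elsif (($status eq "notsupported") || ($status eq "notimplemented")) {
		return $Lang::tr{'smt not supported'};
	}

	return $status;
}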