zenbleed-workaround.csh
#!/bin/tcsh -f
# Quadhelion Engineering
# https://www.quadhelion.engineering
# https://got.quadhelion.engineering
# License: QHELP-OME-NC-ND-NAI https://www.quadhelion.engineering/QHELP-OME-NC-ND-NAI.html
# Argument clean
# Removes all conf directives, suitable for use after a microcode update where no workaround was ever used
#
# Argument remove
# Removes the workaround including rc script and cpucontrol loading
# Model strings that are compared against "$amd_model" (derived from hw.model
# further down) to decide whether the rc.d workaround gets installed.
set ZenBleeders = ( "Ryzen 3 3100" "Ryzen 3 3300X" "Ryzen 3 4100" "Ryzen 3 4300G" "Ryzen 3 4300GE" "Ryzen 4700S" "Ryzen 5 3500" "Ryzen 5 3500X" "Ryzen 5 3600" "Ryzen 5 3600X" "Ryzen 5 3600XT" "Ryzen 5 4500" "Ryzen 5 4600G" "Ryzen 5 4600GE" "Ryzen 7 3700X" "Ryzen 7 3800X" "Ryzen 7 3800XT" "Ryzen 7 4700G" "Ryzen 7 4700GE" "Ryzen 9 3900" "Ryzen 9 3900X" "Ryzen 9 3900XT" "Ryzen 9 3950X" "Ryzen 3 4300U" "Ryzen 3 5300U" "Ryzen 3 7320U" "Ryzen 5 4500U" "Ryzen 5 4600H" "Ryzen 5 4600HS" "Ryzen 5 4600U" "Ryzen 5 4680U" "Ryzen 5 5500U" "Ryzen 5 7520U" "Ryzen 7 4700U" "Ryzen 7 4800U" "Ryzen 7 4980U" "Ryzen 7 5700U" "Ryzen 9 4900H" "Ryzen 9 4800H" "Ryzen 9 4800HS" "Ryzen 9 4900HS" "Ryzen Threadripper 3960X" "Ryzen Threadripper 3970X" "Ryzen Threadripper 3990X" "Ryzen Threadripper Pro 3945WX" "Ryzen Threadripper Pro 3955WX" "Ryzen Threadripper Pro 3975WX" "Ryzen Threadripper Pro 3995WX" )
# Flat list of pairs: a CPU ID (upper-case hex, no 0x prefix) followed by the
# microcode file name for that ID. The lookup loop further down takes the
# element that follows a matching ID.
set microcodes = ( "00830F10" "cpu00830F10_ver0830107A_2023-05-17_D7882D6C.bin" "008A0F00" "cpu008A0F00_ver08A00008_2023-06-15_FC8F1957.bin" "00A00F10" "cpu00A00F10_ver0A001079_2023-06-09_37DED030.bin" "00A00F11" "cpu00A00F11_ver0A0011D1_2023-07-10_254BC19E.bin" "00A00F12" "cpu00A00F12_ver0A001234_2023-07-10_16B9C44F.bin" "00A10F11" "cpu00A10F11_ver0A10113E_2023-06-20_4840C55C.bin" "00A10F12" "cpu00A10F12_ver0A10123E_2023-06-20_4EE5C2BB.bin" "00AA0F01" "cpu00AA0F01_ver0AA00116_2023-06-19_BCD5C29B.bin" "00AA0F02" "cpu00AA0F02_ver0AA00212_2023-06-19_6C81D673.bin" )
# First line of /boot/loader.conf that contains the text cpuctl_load; an empty
# result is treated below as "cpuctl is not configured to load".
# NOTE(review): the pattern is not anchored, so a commented-out cpuctl_load
# line also counts as a hit, while the remove mode deletes only lines that
# start with cpuctl_load.
set check_cpucontrol = `grep -m1 cpuctl_load /boot/loader.conf`
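# Mode selection from the first argument:
#   (none)  - base mode: detect the CPU and install the workaround
#   clean   - jump to the clean label (strip microcode conf directives)
#   remove  - jump to the remove label (uninstall the workaround)
# Any other argument is rejected. Without the final else branch a mistyped
# mode fell through into base mode and started changing system files.
if ( "$1" == "" ) then
    printf "\n********************\033[38;5;75m Base Mode \033[0;0m************************\n"
    printf "\033[1mAvailable modes:\033[0m \033[38;5;208mclean\033[0;0m or \033[38;5;208mremove\033[0;0m \n"
    printf "*******************************************************\n\n"
else if ( "$1" == "clean" ) then
    printf "\n*******************\033[38;5;75m Clean Mode \033[0;0m************************\n"
    printf "*******************************************************\n\n"
    goto clean
else if ( "$1" == "remove" ) then
    printf "\n*******************\033[38;5;75m Remove Mode \033[0;0m***********************\n"
    printf "*******************************************************\n\n"
    goto remove
else
    # Pass the argument as printf data, never as part of the format string.
    printf "Unknown mode: %s\n" "$1"
    printf "\033[1mAvailable modes:\033[0m \033[38;5;208mclean\033[0;0m or \033[38;5;208mremove\033[0;0m \n"
    exit 1
endif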
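# Confirm that loader.conf is set up to load cpuctl, which /usr/sbin/cpucontrol
# needs later on. When it is missing, offer to append the directive and stop,
# because a reboot is required before /dev/cpuctl0 exists.
printf "\n*******************************************************\n"
printf "Verifying \033[1mcpucontrol\033[0m utility in loader.conf\n"
printf "*******************************************************\n\n"
# Quoted so that an empty or multi-word grep result is compared as one string.
if ( "$check_cpucontrol" == "" ) then
    printf "*******************************************************\n"
    printf "cpucontrol must be loaded to continue. \033[38;5;75mAdd it now?\033[0;0m\n"
    printf "*******************************************************\n\n"
    printf "\033[38;5;75m[yes/no]:\033[0m "
    set cpuctl_answer = $<:l:l:l
    switch ( "$cpuctl_answer" )
    case 'yes':
    case 'y':
        # Both spellings share one body. The unquoted echo form is used for
        # the write because a backslash does not reliably escape a double
        # quote inside a double-quoted csh string.
        # NOTE(review): this appends to a boot-critical file without taking a
        # backup first; the clean and remove modes do keep a .zen_backup copy.
        echo cpuctl_load=\"YES\" >> /boot/loader.conf
        printf "*********************\033[38;5;76m Success \033[0;0m*************************\n"
        # Single quotes keep the inner double quotes in the message; the
        # original text also misspelled the directive as cputctl_load.
        printf 'cpuctl_load="YES" added to /boot/loader.conf\n'
        printf "*******************************************************\n\n"
        printf "\033[38;5;9mReboot required to run script again.\033[0m \n"
        exit 1
    case 'no':
    case 'n':
    default:
        # Anything that is not an explicit yes stops here; previously an
        # unrecognised answer left the switch and the script carried on
        # without cpuctl.
        printf "Exiting...\n"
        exit 1
    endsw
else
    printf "******************\033[38;5;76m CPUCONTROL Found \033[0m*******************\n"
    printf "*******************************************************\n\n"
endif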
# Gather CPU identity as reported by sysctl and print it. These values are a
# first opinion only; the cpucontrol CPUID query further down is compared
# against them.
# Second whitespace-separated field of the "hw.model: ..." line.
set amd_sysctl_check = `sysctl hw.model | awk '{ print $2 }'`
# First line of the full sysctl dump that contains "Origin": field 1 with
# everything up to and including the last "=" stripped.
set cpu_sys = `sysctl -a | grep -m1 Origin | awk '{ print $1 }' | sed -e 's#.*=\(\)#\1#'`
# Same line, field 2, with everything up to and including the last "x"
# stripped, then upper-cased.
# NOTE(review): sysctl -a is dumped twice here just to read one line.
set CPU_id = `sysctl -a | grep -m1 Origin | awk '{ print $2 }' | sed -e 's#.*x\(\)#\1#' | tr "[a-z]" "[A-Z]" `
printf "*******************\033[38;5;75m GhostBSD sysctl \033[0;0m********************\n"
# NOTE(review): the three values below are expanded inside the printf format
# string, so a percent sign or backslash in them would be interpreted by
# printf rather than printed.
printf "\033[1mCPU Manufacturer\033[0m: $amd_sysctl_check\n"
printf "\033[1mCPU Authenticity\033[0m: $cpu_sys\n"
printf "\033[1mCPU ID\033[0m: $CPU_id\n"
printf "*******************************************************\n\n"
printf "\n*******************************************************\n"
printf "Verifying CPU ID\n"
printf "*******************************************************\n\n"
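# Identify the CPU directly through cpucontrol and derive the model string
# that is matched against the ZenBleeders table.
#
# The two constants are fields 5, 6 and 7 of the cpucontrol -i 0x0 output
# glued together; read as little-endian ASCII they spell the vendor strings
# (0x756e6547 is "Genu", 0x68747541 is "Auth", and so on).
set GenuineIntel = '0x756e65470x6c65746e0x49656e69'
set AuthenticAMD = '0x687475410x444d41630x69746e65'
set cpu_manufacturer = `(/usr/sbin/cpucontrol -i 0x0 /dev/cpuctl0 | awk '{ print $5 $6 $7 }')`
# Field 4 of the level 0x1 query, 0x prefix stripped, upper-cased so it can be
# compared with the IDs in the microcodes table.
set cpu_id = `(/usr/sbin/cpucontrol -i 0x1 /dev/cpuctl0 | awk '{ print $4 }' | sed -e 's#.*x\(\)#\1#') | tr "[a-z]" "[A-Z]" `
set amd_rome_check = `sysctl -n hw.model | grep -o "Rome"`
# Always defined, so later references cannot hit an undefined variable when
# sysctl and cpucontrol disagree about the vendor.
set amd_model = ""
# Comparisons are quoted so empty or multi-word values compare as one string.
if ( "$amd_sysctl_check" == "AMD" && "$amd_rome_check" == "" ) then
    # NOTE(review): this always takes three words after "AMD", so it cannot
    # equal the four-word "Ryzen Threadripper Pro ..." table entries, and it
    # only equals the two-word "Ryzen 4700S" entry when hw.model has no
    # further words. Those CPUs would presumably be reported as unaffected;
    # confirm against real hw.model strings.
    set amd_model = `sysctl -n hw.model | awk '{ print $2, $3, $4 }'`
else if ( "$amd_sysctl_check" == "AMD" && "$amd_rome_check" == "Rome" ) then
    set amd_model = `sysctl -n hw.model | awk '{ print $2 }'`
endif
if ( "$cpu_manufacturer" == "$GenuineIntel" ) then
    set amd_check = false
    printf "*********************\033[38;5;75m CPUCONTROL \033[0;0m**********************\n"
    printf "\033[1mCPU Manufacturer\033[0m: Intel\n"
    printf "\033[1mCPU ID\033[0m: $cpu_id\n"
    printf "*******************************************************\n\n"
else if ( "$cpu_manufacturer" == "$AuthenticAMD" ) then
    set amd_check = true
    printf "*********************\033[38;5;75m CPUCONTROL \033[0;0m**********************\n"
    printf "\033[1mCPU Manufacturer\033[0m: AMD\n"
    printf "\033[1mCPU ID\033[0m: $cpu_id\n"
    printf "\033[1mModel\033[0m: $amd_model\n"
    printf "*******************************************************\n\n"
else
    # Also reached when cpucontrol produced no output at all.
    printf "Could not identify CPU\n"
    printf "Exiting...\n\n"
    exit 1
endif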
# Record the hypervisor type (second field of the kern.vm_guest line) for the
# decision chain below, then require that sysctl and cpucontrol both say AMD.
set vm_check = `sysctl -a | grep kern.vm_guest | awk '{ print $2 }'`
# Guard clause: bail out unless both sources agree on AMD.
if ( $amd_sysctl_check != "AMD" || $amd_check != true ) then
    printf "******************\033[38;5;9m AMD CPU Not Found \033[0;0m******************\n"
    printf "Exiting...\n"
    printf "*******************************************************\n\n"
    exit 1
endif
printf "********************\033[38;5;76m AMD CPU Found \033[0;0m********************\n"
printf "*******************************************************\n\n"
printf "**********\033[38;5;75m Searching Matching CPU Updates \033[0;0m*************\n"
printf "*******************************************************\n\n"
# Scan the microcodes table by index. When an element equals the CPU ID, the
# element right after it is the microcode file name for this CPU.
# microcode_update stays unset when nothing matches.
set pair_idx = 1
while ( $pair_idx <= $#microcodes )
    if ( $cpu_id == $microcodes[$pair_idx] ) then
        @ file_idx = $pair_idx + 1
        set microcode_update = $microcodes[$file_idx]
        printf "**************\033[38;5;75m Found Matching CPU Update \033[0;0m**************\n"
        printf "\033[1m$microcodes[$file_idx]\033[0m\n"
        printf "*******************************************************\n\n"
    endif
    @ pair_idx++
end
# Exact string match of the detected model against the affected-model table;
# the flag starts out false and flips on the first hit.
set zenbleeding = false
foreach model ( $ZenBleeders:q )
    if ( "$amd_model" == "$model" ) then
        set zenbleeding = true
        break
    endif
end
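# Choose the action for this CPU. Outcomes: offer a microcode update (model
# reported as EPYC-Rome), install the rc.d workaround (model listed in
# ZenBleeders), report a virtual machine, or report that nothing is affected.
# NOTE(review): every path below, including the success paths, ends with
# exit 1, so a caller cannot tell success from failure by exit status.
# NOTE(review): the VM test comes after the workaround branch, so a guest
# whose model string is in the table still gets the workaround attempt.
if ( "$amd_sysctl_check" == "AMD" && "$amd_model" == "EPYC-Rome" ) then
    # The lookup loop only sets microcode_update when the CPU ID is in the
    # table. Stop here instead of writing an empty firmware path.
    if ( ! $?microcode_update ) set microcode_update = ""
    if ( "$microcode_update" == "" ) then
        printf "**********************\033[38;5;9m Error \033[0;0m**************************\n"
        printf "No microcode file is listed for this CPU ID\n"
        printf "*******************************************************\n\n"
        exit 1
    endif
    printf "****************\033[38;5;76m CPU Update Available \033[0;0m*****************\n"
    printf "Would you like to apply the AMD CPU microcode update?\n"
    printf "*******************************************************\n\n"
    printf "\033[38;5;75m[yes/no]:\033[0m \n"
    set microcode_answer = $<:l:l:l
    switch ( "$microcode_answer" )
    case 'yes':
    case 'y':
        printf "\033[1mInstalling Update Utilities:\033[0m\n"
        printf "pkg install devcpu-data\n"
        printf "*******************************************************\n\n"
        pkg install devcpu-data
        # NOTE(review): supply-chain risk. This URL is the GitHub HTML "blob"
        # view of a third-party repository, so the saved file is likely a web
        # page rather than the .bin. Nothing here verifies the download
        # before it is copied into /boot/firmware and named in loader.conf.
        # Pin the source to a reviewed commit and compare the file against a
        # known-good digest (<EXPECTED_SHA256 placeholder>) before the cp.
        wget https://github.com/platomav/CPUMicrocodes/blob/master/AMD/$microcode_update
        set fetch_status = $status
        # Fetch first and touch the boot configuration only afterwards, so a
        # failed download cannot leave loader.conf pointing at a missing file.
        if ( $fetch_status != 0 || ! -s "$microcode_update" ) then
            printf "**********************\033[38;5;9m Failure \033[0;0m*************************\n"
            printf "Microcode download failed. No configuration was changed.\n"
            printf "*******************************************************\n\n"
            exit 1
        endif
        cp "$microcode_update" /boot/firmware
        if ( $status != 0 ) then
            printf "**********************\033[38;5;9m Failure \033[0;0m*************************\n"
            printf "Could not copy microcode to /boot/firmware. No configuration was changed.\n"
            printf "*******************************************************\n\n"
            exit 1
        endif
        echo cpu_microcode_load=\"YES\" >> /boot/loader.conf
        # echo, not printf: the directive needs its own trailing newline so a
        # later append to loader.conf does not land on the same line.
        echo cpu_microcode_name=\"/boot/firmware/$microcode_update\" >> /boot/loader.conf
        echo microcode_update_enable=\"YES\" >> /etc/rc.conf
        printf "*********************\033[38;5;76m Success \033[0;0m*************************\n"
        printf 'cpu_microcode_load="YES" added to /boot/loader.conf\n'
        printf "cpu_microcode_name added to /boot/loader.conf\n"
        printf 'microcode_update_enable="YES" added to /etc/rc.conf\n\n'
        service microcode_update start
        printf "*********************\033[38;5;76m Success \033[0;0m*************************\n"
        printf "\033[1mSecurity Notice:\033[0m\n"
        printf "After update you should remove update utilities\n"
        # NOTE(review): microcode applied by the OS is presumably lost at the
        # next reset. If the platform firmware does not carry the fixed
        # revision, running clean as advised here would bring the old
        # microcode back on reboot; confirm before following this notice.
        printf "Reboot, sudo zenbleed-workaround.csh clean, reboot\n"
        printf "*******************************************************\n\n"
        exit 1
    case 'no':
    case 'n':
    default:
        printf "Exiting...\n"
        exit 1
    endsw
else if ( "$amd_sysctl_check" == "AMD" && $zenbleeding == true ) then
    printf "********************\033[38;5;76m Zenbleed Found \033[0;0m*******************\n"
    printf "*******************************************************\n"
    printf "Executing workaround\n"
    printf "*******************************************************\n"
    printf "*******************************************************\n\n"
    # NOTE(review): zenbleed-rc.sh is taken from the current working
    # directory and then runs as root at every boot. Run this script only
    # from a directory that other users cannot write to.
    cp zenbleed-rc.sh /usr/local/etc/rc.d/
    # Make the installed script executable. The original changed the mode of
    # the rc.d directory itself and left the script mode untouched.
    chmod 755 /usr/local/etc/rc.d/zenbleed-rc.sh
    service zenbleed-rc.sh enable
    service zenbleed-rc.sh start
    echo
    set workaround_status = `service -e | grep zenbleed-rc.sh`
    if ( "$workaround_status" == /usr/local/etc/rc.d/zenbleed-rc.sh ) then
        printf "*********************\033[38;5;76m Success \033[0;0m*************************\n"
        printf "Workaround Active \033[1mUpon Reboot\033[0m\n"
        printf "*******************************************************\n\n"
    else
        printf "**********************\033[38;5;9m Failure \033[0;0m*************************\n"
        printf "Workaround Activation \033[1mFailed\033[0m\n"
        printf "Please activate manually\n"
        printf "*******************************************************\n\n"
        exit 1
    endif
    printf "*********************\033[38;5;76m Reminder \033[0;0m************************\n"
    printf "Set a reminder to remove the workaround in December?\n"
    printf "*******************************************************\n\n"
    printf "\033[38;5;75m[yes/no]:\033[0m "
    set reminder_answer = $<:l:l:l
    switch ( "$reminder_answer" )
    case 'yes':
    case 'y':
        # Writes a small script that schedules an at job and sources it.
        # NOTE(review): the date is hard-coded to 12/21/2023 and the touch
        # target is a relative path.
        printf "at 1pm 12/21/2023<<ENDMARKER\n touch REMINDER-AMD-Zenbleed-Removal\nENDMARKER\n" > $HOME/zenbleed-at-reminder.sh
        chmod 750 $HOME/zenbleed-at-reminder.sh
        source $HOME/zenbleed-at-reminder.sh
        echo
        printf "*********************\033[38;5;76m Success \033[0;0m*************************\n"
        printf "at command set to create text file reminder 12/21/2023\n"
        printf "*******************************************************\n\n"
        exit 1
    case 'no':
    case 'n':
    default:
        printf "Exiting...\n"
        exit 1
    endsw
    # The endsw above was missing in the original, which left this switch
    # unterminated in front of the next else branch.
else if ( "$vm_check" != "none" ) then
    printf "\n**********************\033[38;5;75m VM Found \033[0;0m***********************\n"
    printf "\033[1mVirtual Machine\033[0m: $vm_check\n"
    printf "VM Hypervisors will not allow the ZenBleed workaround\n"
    printf "*******************************************************\n\n"
    printf "Exiting...\n\n"
    exit 1
else
    printf "*********************\033[38;5;76m Success \033[0;0m*************************\n"
    printf "No Zenbleed affected CPU found\n"
    printf "Exiting...\n"
    printf "*******************************************************\n\n"
    exit 1
endif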
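# clean mode: delete the cpu_microcode_* directives from /boot/loader.conf and
# report whether any are left.
# NOTE(review): the microcode_update_enable line that the update path appends
# to /etc/rc.conf is not removed here.
# NOTE(review): microcode loaded by the OS is presumably not persistent; after
# these directives are gone the next boot runs whatever revision the platform
# firmware provides. Confirm the firmware carries the fix before cleaning.
clean:
    printf "****************\033[38;5;76m Cleaning System Files \033[0;0m****************\n"
    printf "*******************************************************\n\n"
    # One sed run for both patterns. Two separate in-place runs rewrote the
    # .zen_backup file on the second pass, so the backup no longer matched
    # the file as it was before cleaning.
    sed -i .zen_backup -e '/^cpu_microcode_load/d' -e '/^cpu_microcode_name/d' /boot/loader.conf
    # Verify against the file that was edited. The original looked for the
    # directive in /etc/rc.conf, which this script never writes it to, so the
    # check could not detect a failed removal.
    set cpu_microcode_left = `grep -c -e '^cpu_microcode_load' -e '^cpu_microcode_name' /boot/loader.conf`
    # grep prints nothing when the file cannot be read; that is reported as
    # an error rather than as success.
    if ( "$cpu_microcode_left" == "0" ) then
        printf "*********************\033[38;5;76m Success \033[0;0m*************************\n"
        printf "Conf directives removed\n"
        printf "*******************************************************\n\n"
    else
        printf "**********************\033[38;5;9m Error \033[0;0m**************************\n"
        printf "Unable to remove conf directives. Manually remove.\n"
        printf "*******************************************************\n\n"
    endif
    exit 1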
# remove mode: stop and disable the rc.d workaround, drop the related conf
# lines (keeping a .zen_backup copy of each edited file) and delete the
# installed rc script.
remove:
    printf "*****************\033[38;5;76m Removing Workaround \033[0;0m*****************\n"
    printf "*******************************************************\n\n"
    # Stop first, then disable; each step is followed by a blank line and a
    # one second pause.
    foreach svc_action ( onestop onedisable )
        service zenbleed-rc.sh $svc_action
        echo
        sleep 1
    end
    sed -i .zen_backup '/^cpuctl_load/d' /boot/loader.conf
    sed -i .zen_backup '/^zenbleed_enable/d' /etc/rc.conf
    echo
    rm /usr/local/etc/rc.d/zenbleed-rc.sh
    echo
    # The banner is printed whether or not the commands above succeeded.
    printf "*********************\033[38;5;76m Success \033[0;0m*************************\n"
    printf "Workaround removed and cpucontrol loading disabled\n"
    printf "*******************************************************\n\n"
    exit 1