spectre-meltdown-checker(1)

1SPECTRE(1)                       User Commands                      SPECTRE(1)
2
3
4

NAME

6       Spectre - Spectre and Meltdown mitigation detection tool
7

DESCRIPTION

9       Spectre and Meltdown mitigation detection tool v0.42
10
11              Usage:
12
13       Live mode:
14              spectre-meltdown-checker [options] [--live]
15
16              Offline mode: spectre-meltdown-checker [options] [--kernel <ker‐
17              nel_file>] [--config <kernel_config>] [--map <kernel_map_file>]
18
19              Modes:
20
21              Two modes are available.
22
23              First mode is the "live" mode (default), it  does  its  best  to
24              find  information  about  the  currently running kernel.  To run
25              under this mode, just start the script without any  option  (you
26              can also use --live explicitly)
27
28              Second  mode  is  the  "offline"  mode,  where you can inspect a
29              non-running kernel.  You'll need to specify the location of  the
30              kernel file, config and System.map files:
31
32       --kernel kernel_file
33              specify a (possibly compressed) Linux or BSD kernel file
34
35       --config kernel_config
36              specify a kernel config file (Linux only)
37
38       --map kernel_map_file
39              specify a kernel System.map file (Linux only)
40
41              Options:
42
43       --no-color
44              don't use color codes
45
46       --verbose, -v
47              increase verbosity level, possibly several times
48
49       --explain
50              produce  an  additional human-readable explanation of actions to
51              take to mitigate a vulnerability
52
53       --paranoid
54              require IBPB to deem Variant 2 as  mitigated  also  require  SMT
55              disabled  + unconditional L1D flush to deem Foreshadow-NG VMM as
56              mitigated also require SMT disabled to deem MDS  vulnerabilities
57              mitigated
58
59       --no-sysfs
60              don't use the /sys interface even if present [Linux]
61
62       --sysfs-only
63              only use the /sys interface, don't run our own checks [Linux]
64
65       --coreos
66              special  mode  for  CoreOS  (use an ephemeral toolbox to inspect
67              kernel) [Linux]
68
69       --arch-prefix PREFIX
70              specify a prefix for cross-inspecting a kernel  of  a  different
71              arch,  for  example  "aarch64-linux-gnu-", so that invoked tools
72              will be prefixed with this (i.e. aarch64-linux-gnu-objdump)
73
74       --batch text
75              produce machine readable output, this is the default if  --batch
76              is specified alone
77
78       --batch short
79              produce only one line with the vulnerabilities separated by spa‐
80              ces
81
82       --batch json
83              produce JSON output formatted for Puppet, Ansible, Chef...
84
85       --batch nrpe
86              produce machine readable output formatted for NRPE
87
88       --batch prometheus
89              produce output for consumption by prometheus-node-exporter
90
91       --variant VARIANT
92              specify which variant you'd like to check, by default all  vari‐
93              ants  are  checked  VARIANT  can be one of 1, 2, 3, 3a, 4, l1tf,
94              msbds, mfbds, mlpds, mdsum can be specified multiple times (e.g.
95              --variant 2 --variant 3)
96
97       --cve [cve1,cve2,...]
98              specify  which CVE you'd like to check, by default all supported
99              CVEs are checked
100
101       --hw-only
102              only check for CPU information, don't check for any variant
103
104       --no-hw
105              skip CPU information and checks, if you're inspecting  a  kernel
106              not to be run on this host
107
108       --vmm [auto,yes,no]
109              override  the  detection  of  the  presence of a hypervisor (for
110              CVE-2018-3646), default: auto
111
112       --update-mcedb
113              update our local copy of the CPU  microcodes  versions  database
114              (from the awesome MCExtractor project)
115
116       --update-builtin-mcedb
117              same  as  --update-mcedb but update builtin DB inside the script
118              itself
119
120       --dump-mock-data
121              used to mimick a CPU on an other system,  mainly  used  to  help
122              debugging this script
123
124              Return codes:
125
126              0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error)
127
128              IMPORTANT:  A  false sense of security is worse than no security
129              at all.   Please  use  the  --disclaimer  option  to  understand
130              exactly what this script does.
131
132
133
134Spectre and Meltdown mitigation deteMcatyio2n01t9ool v0.42                SPECTRE(1)