SPECTRE(1)                       User Commands                      SPECTRE(1)

       Spectre - Spectre and Meltdown mitigation detection tool

       Spectre and Meltdown mitigation detection tool v0.42

       Usage:

       Live mode:
              spectre-meltdown-checker [options] [--live]

       Offline mode:
              spectre-meltdown-checker [options] [--kernel <kernel_file>]
              [--config <kernel_config>] [--map <kernel_map_file>]

       Modes:

       Two modes are available.

       The first mode is the "live" mode (default). It does its best to
       find information about the currently running kernel. To run under
       this mode, just start the script without any option (you can also
       use --live explicitly).

       The second mode is the "offline" mode, where you can inspect a
       non-running kernel. You'll need to specify the location of the
       kernel file, config and System.map files:

       --kernel kernel_file
              specify a (possibly compressed) Linux or BSD kernel file

       --config kernel_config
              specify a kernel config file (Linux only)

       --map kernel_map_file
              specify a kernel System.map file (Linux only)

       Options:

       --no-color
              don't use color codes

       --verbose, -v
              increase verbosity level, possibly several times

       --explain
              produce an additional human-readable explanation of actions to
              take to mitigate a vulnerability

       --paranoid
              require IBPB to deem Variant 2 as mitigated; also require SMT
              disabled + unconditional L1D flush to deem Foreshadow-NG VMM as
              mitigated; also require SMT disabled to deem MDS
              vulnerabilities mitigated

       --no-sysfs
              don't use the /sys interface even if present [Linux]

       --sysfs-only
              only use the /sys interface, don't run our own checks [Linux]

       --coreos
              special mode for CoreOS (use an ephemeral toolbox to inspect
              kernel) [Linux]

       --arch-prefix PREFIX
              specify a prefix for cross-inspecting a kernel of a different
              arch, for example "aarch64-linux-gnu-", so that invoked tools
              will be prefixed with this (i.e. aarch64-linux-gnu-objdump)

       --batch text
              produce machine readable output, this is the default if --batch
              is specified alone

       --batch short
              produce only one line with the vulnerabilities separated by
              spaces

       --batch json
              produce JSON output formatted for Puppet, Ansible, Chef...

       --batch nrpe
              produce machine readable output formatted for NRPE

       --batch prometheus
              produce output for consumption by prometheus-node-exporter

       --variant VARIANT
              specify which variant you'd like to check; by default all
              variants are checked. VARIANT can be one of 1, 2, 3, 3a, 4,
              l1tf, msbds, mfbds, mlpds, mdsum. Can be specified multiple
              times (e.g. --variant 2 --variant 3)

       --cve [cve1,cve2,...]
              specify which CVE you'd like to check, by default all supported
              CVEs are checked

       --hw-only
              only check for CPU information, don't check for any variant

       --no-hw
              skip CPU information and checks, if you're inspecting a kernel
              not to be run on this host

       --vmm [auto,yes,no]
              override the detection of the presence of a hypervisor (for
              CVE-2018-3646), default: auto

       --update-mcedb
              update our local copy of the CPU microcodes versions database
              (from the awesome MCExtractor project)

       --update-builtin-mcedb
              same as --update-mcedb but update builtin DB inside the script
              itself

       --dump-mock-data
              used to mimic a CPU on another system, mainly used to help
              debugging this script

       Return codes:

       0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error)

       IMPORTANT: A false sense of security is worse than no security at
       all. Please use the --disclaimer option to understand exactly what
       this script does.
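
       Added example (not part of spectre-meltdown-checker or its
       documentation): a fail-closed wrapper that combines --batch short
       with the return codes above, so that 3 (unknown) and 255 (error) are
       never counted as a pass. The names CHECKER, classify and audit_host
       are hypothetical, and the wrapper assumes the --batch short line is
       empty on a host with no vulnerabilities.

```shell
#!/bin/sh
# Added example (not part of spectre-meltdown-checker): fail-closed gate.
# Assumption: CHECKER names the script on this host; override as needed.
CHECKER="${CHECKER:-spectre-meltdown-checker}"

# Map the documented return code plus the --batch short line to a verdict.
classify() {
    case "$1" in
        0)   # Assumption: a clean host prints an empty --batch short line.
             if [ -n "$2" ]; then echo INCONSISTENT; else echo OK; fi ;;
        2)   echo VULNERABLE ;;
        3)   echo UNKNOWN ;;      # cannot tell: never count this as a pass
        255) echo ERROR ;;        # the check itself failed
        *)   echo UNEXPECTED ;;   # code not listed in the man page
    esac
}

# Run the checker with any extra options (e.g. --paranoid, --variant 2),
# print "VERDICT rc=N affected=...", and succeed only on verdict OK.
audit_host() {
    rc=0
    list=$("$CHECKER" --batch short "$@" 2>/dev/null) || rc=$?
    # Collapse whitespace so the list is one clean space-separated line.
    list=$(printf '%s' "$list" | tr '\t\n' '  ' | tr -s ' ' \
           | sed 's/^ //; s/ $//')
    verdict=$(classify "$rc" "$list")
    echo "$verdict rc=$rc affected=${list:-none}"
    [ "$verdict" = OK ]
}
```

       Call it as "audit_host --paranoid" from a deployment or monitoring
       job and gate on its exit status.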

Spectre and Meltdown mitigation detection tool v0.42   May 2019   SPECTRE(1)