spectre-meltdown-checker(1)

1SPECTRE(1)                       User Commands                      SPECTRE(1)
2
3
4

NAME

6       Spectre - Spectre and Meltdown mitigation detection tool
7

DESCRIPTION

9       Spectre and Meltdown mitigation detection tool v0.43
10
11              Usage:
12
13       Live mode (auto):
14              spectre-meltdown-checker [options]
15
16              Live  mode (manual): spectre-meltdown-checker [options] <[--ker‐
17              nel <kimage>] [--config  <kconfig>]  [--map  <mapfile>]>  --live
18              Offline  mode:       spectre-meltdown-checker [options] <[--ker‐
19              nel <kimage>] [--config <kconfig>] [--map <mapfile>]>
20
21              Modes:
22
23              Two modes are available.
24
25              First mode is the "live" mode (default), it  does  its  best  to
26              find  information  about  the  currently running kernel.  To run
27              under this mode, just start the script without any  option  (you
28              can also use --live explicitly)
29
30              Second  mode  is  the  "offline"  mode,  where you can inspect a
31              non-running kernel.  This mode is automatically enabled when you
32              specify  the  location of the kernel file, config and System.map
33              files:
34
35       --kernel kernel_file
36              specify a (possibly compressed) Linux or BSD kernel file
37
38       --config kernel_config
39              specify a kernel config file (Linux only)
40
41       --map kernel_map_file
42              specify a kernel System.map file (Linux only)
43
44              If you want to use live mode while specifying  the  location  of
45              the  kernel,  config or map file yourself, you can add --live to
46              the above options, to tell  the  script  to  run  in  live  mode
47              instead of the offline mode, which is enabled by default when at
48              least one file is specified on the command line.
49
50              Options:
51
52       --no-color
53              don't use color codes
54
55       --verbose, -v
56              increase verbosity level, possibly several times
57
58       --explain
59              produce an additional human-readable explanation of  actions  to
60              take to mitigate a vulnerability
61
62       --paranoid
63              require  IBPB  to  deem  Variant 2 as mitigated also require SMT
64              disabled + unconditional L1D flush to deem Foreshadow-NG VMM  as
65              mitigated  also require SMT disabled to deem MDS vulnerabilities
66              mitigated
67
68       --no-sysfs
69              don't use the /sys interface even if present [Linux]
70
71       --sysfs-only
72              only use the /sys interface, don't run our own checks [Linux]
73
74       --coreos
75              special mode for CoreOS (use an  ephemeral  toolbox  to  inspect
76              kernel) [Linux]
77
78       --arch-prefix PREFIX
79              specify  a  prefix  for cross-inspecting a kernel of a different
80              arch, for example "aarch64-linux-gnu-", so  that  invoked  tools
81              will be prefixed with this (i.e. aarch64-linux-gnu-objdump)
82
83       --batch text
84              produce  machine readable output, this is the default if --batch
85              is specified alone
86
87       --batch short
88              produce only one line with the vulnerabilities separated by spa‐
89              ces
90
91       --batch json
92              produce JSON output formatted for Puppet, Ansible, Chef...
93
94       --batch nrpe
95              produce machine readable output formatted for NRPE
96
97       --batch prometheus
98              produce output for consumption by prometheus-node-exporter
99
100       --variant VARIANT
101              specify  which variant you'd like to check, by default all vari‐
102              ants are checked VARIANT can be one of 1, 2,  3,  3a,  4,  l1tf,
103              msbds,  mfbds, mlpds, mdsum, taa, mcepsc can be specified multi‐
104              ple times (e.g. --variant 2 --variant 3)
105
106       --cve [cve1,cve2,...]
107              specify which CVE you'd like to check, by default all  supported
108              CVEs are checked
109
110       --hw-only
111              only check for CPU information, don't check for any variant
112
113       --no-hw
114              skip  CPU  information and checks, if you're inspecting a kernel
115              not to be run on this host
116
117       --vmm [auto,yes,no]
118              override the detection of the presence of a hypervisor, default:
119              auto
120
121       --update-fwdb
122              update  our  local  copy of the CPU microcodes versions database
123              (using the awesome MCExtractor project and the  Intel  firmwares
124              GitHub repository)
125
126       --update-builtin-fwdb
127              same  as  --update-fwdb  but update builtin DB inside the script
128              itself
129
130       --dump-mock-data
131              used to mimick a CPU on an other system,  mainly  used  to  help
132              debugging this script
133
134              Return codes:
135
136              0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error)
137
138              IMPORTANT:  A  false sense of security is worse than no security
139              at all.   Please  use  the  --disclaimer  option  to  understand
140              exactly what this script does.
141
142
143
144Spectre and Meltdown mitigation deDteeccetmiboenr t2o0o1l9 v0.43                SPECTRE(1)