SPECTRE(1)                       User Commands                      SPECTRE(1)

       Spectre - Spectre and Meltdown mitigation detection tool

       Spectre and Meltdown mitigation detection tool v0.45

       Usage:

       Live mode (auto):
              spectre-meltdown-checker [options]

       Live mode (manual):
              spectre-meltdown-checker [options] <[--kernel <kimage>]
              [--config <kconfig>] [--map <mapfile>]> --live

       Offline mode:
              spectre-meltdown-checker [options] <[--kernel <kimage>]
              [--config <kconfig>] [--map <mapfile>]>

       Modes:

       Two modes are available.

       The first mode is the "live" mode (default). It does its best to find
       information about the currently running kernel. To run in this mode,
       just start the script without any option (you can also use --live
       explicitly).

       The second mode is the "offline" mode, where you can inspect a
       non-running kernel. This mode is automatically enabled when you specify
       the location of the kernel file, config and System.map files:

       --kernel kernel_file
              specify a (possibly compressed) Linux or BSD kernel file

       --config kernel_config
              specify a kernel config file (Linux only)

       --map kernel_map_file
              specify a kernel System.map file (Linux only)

       If you want to use live mode while specifying the location of the
       kernel, config or map file yourself, add --live to the above options.
       This tells the script to run in live mode instead of offline mode,
       which is otherwise enabled as soon as at least one file is specified on
       the command line.

       Options:

       --no-color
              don't use color codes

       --verbose, -v
              increase verbosity level, possibly several times

       --explain
              produce an additional human-readable explanation of actions to
              take to mitigate a vulnerability

       --paranoid
              require IBPB to deem Variant 2 as mitigated; also require SMT
              disabled + unconditional L1D flush to deem Foreshadow-NG VMM as
              mitigated; also require SMT disabled to deem MDS vulnerabilities
              mitigated

       --no-sysfs
              don't use the /sys interface even if present [Linux]

       --sysfs-only
              only use the /sys interface, don't run our own checks [Linux]

       --coreos
              special mode for CoreOS (use an ephemeral toolbox to inspect
              kernel) [Linux]

       --arch-prefix PREFIX
              specify a prefix for cross-inspecting a kernel of a different
              arch, for example "aarch64-linux-gnu-", so that invoked tools
              will be prefixed with this (e.g. aarch64-linux-gnu-objdump)

       --batch text
              produce machine readable output, this is the default if --batch
              is specified alone

       --batch short
              produce only one line with the vulnerabilities separated by
              spaces

       --batch json
              produce JSON output formatted for Puppet, Ansible, Chef...

       --batch nrpe
              produce machine readable output formatted for NRPE

       --batch prometheus
              produce output for consumption by prometheus-node-exporter

       --variant VARIANT
              specify which variant you'd like to check; by default all
              variants are checked. VARIANT can be one of 1, 2, 3, 3a, 4,
              l1tf, msbds, mfbds, mlpds, mdsum, taa, mcepsc, srbds. Can be
              specified multiple times (e.g. --variant 2 --variant 3)

       --cve [cve1,cve2,...]
              specify which CVE you'd like to check, by default all supported
              CVEs are checked

       --hw-only
              only check for CPU information, don't check for any variant

       --no-hw
              skip CPU information and checks, if you're inspecting a kernel
              not to be run on this host

       --vmm [auto,yes,no]
              override the detection of the presence of a hypervisor, default:
              auto

       --allow-msr-write
              allow probing for write-only MSRs, this might produce kernel
              logs or be blocked by your system

       --cpu [#,all]
              interact with CPUID and MSR of CPU core number #, or all
              (default: CPU core 0)

       --update-fwdb
              update our local copy of the CPU microcode versions database
              (using the awesome MCExtractor project and the Intel firmwares
              GitHub repository)

       --update-builtin-fwdb
              same as --update-fwdb but update builtin DB inside the script
              itself

       --dump-mock-data
              used to mimic a CPU on another system, mainly used to help
              debugging this script

       Return codes:

       0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error)

       IMPORTANT: A false sense of security is worse than no security at all.
       Please use the --disclaimer option to understand exactly what this
       script does.
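
Added example (not part of the original man page or of the project's code): a POSIX sh wrapper that uses offline mode to audit every installed kernel image and maps the return codes listed above so that 3 (unknown) and 255 (error) never count as a pass. The /boot layout (vmlinuz-<ver>, config-<ver>, System.map-<ver>) and the names SMC, BOOT_DIR, smc_status, audit_kernel and audit_all are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit every installed kernel image in offline mode.
# Assumptions (not from the man page): kernels sit in $BOOT_DIR as
# vmlinuz-<ver>, with optional config-<ver> and System.map-<ver> beside
# them, and the checker is invoked as $SMC.
SMC=${SMC:-spectre-meltdown-checker}
BOOT_DIR=${BOOT_DIR:-/boot}

# Map the documented return codes to a label. Any other code (for
# example 127, command not found) is treated as an error, never a pass.
smc_status() {
    case "$1" in
        0) echo "not-vulnerable" ;;
        2) echo "vulnerable" ;;
        3) echo "unknown" ;;
        *) echo "error" ;;
    esac
}

# Check one kernel image offline. Prints "<ver> <status> [findings]",
# where findings is the --batch short line, and returns the checker's code.
audit_kernel() {
    kimage=$1
    ver=${kimage##*/vmlinuz-}
    set -- --kernel "$kimage"
    [ -r "$BOOT_DIR/config-$ver" ] && set -- "$@" --config "$BOOT_DIR/config-$ver"
    [ -r "$BOOT_DIR/System.map-$ver" ] && set -- "$@" --map "$BOOT_DIR/System.map-$ver"
    rc=0
    findings=$("$SMC" --batch short "$@" 2>/dev/null) || rc=$?
    echo "$ver $(smc_status "$rc")${findings:+ $findings}"
    return "$rc"
}

# Audit every kernel in $BOOT_DIR. Returns 0 only if every image returned
# 0, so "unknown" (3) and "error" (255) fail the audit like "vulnerable".
audit_all() {
    worst=0
    for k in "$BOOT_DIR"/vmlinuz-*; do
        [ -e "$k" ] || { echo "no kernel images in $BOOT_DIR" >&2; return 255; }
        audit_kernel "$k" || worst=1
    done
    return "$worst"
}
```

Source the file and call audit_all, for instance from a pre-reboot hook; set BOOT_DIR or SMC to point at another image directory or checker path.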

Spectre and Meltdown mitigation detection tool v0.45    April 2022    SPECTRE(1)