1SPECTRE(1) User Commands SPECTRE(1)
2
3
4
6 Spectre - Spectre and Meltdown mitigation detection tool
7
9 Spectre and Meltdown mitigation detection tool v0.45
10
11 Usage:
12
13 Live mode (auto):
14 spectre-meltdown-checker [options]
15
16 Live mode (manual): spectre-meltdown-checker [options] <[--ker‐
17 nel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
18 Offline mode: spectre-meltdown-checker [options] <[--ker‐
19 nel <kimage>] [--config <kconfig>] [--map <mapfile>]>
20
21 Modes:
22
23 Two modes are available.
24
25 First mode is the "live" mode (default), it does its best to
26 find information about the currently running kernel. To run un‐
27 der this mode, just start the script without any option (you can
28 also use --live explicitly)
29
30 Second mode is the "offline" mode, where you can inspect a
31 non-running kernel. This mode is automatically enabled when you
32 specify the location of the kernel file, config and System.map
33 files:
34
35 --kernel kernel_file
36 specify a (possibly compressed) Linux or BSD kernel file
37
38 --config kernel_config
39 specify a kernel config file (Linux only)
40
41 --map kernel_map_file
42 specify a kernel System.map file (Linux only)
43
44 If you want to use live mode while specifying the location of
45 the kernel, config or map file yourself, you can add --live to
46 the above options, to tell the script to run in live mode in‐
47 stead of the offline mode, which is enabled by default when at
48 least one file is specified on the command line.
49
50 Options:
51
52 --no-color
53 don't use color codes
54
55 --verbose, -v
56 increase verbosity level, possibly several times
57
58 --explain
59 produce an additional human-readable explanation of actions to
60 take to mitigate a vulnerability
61
62 --paranoid
63 require IBPB to deem Variant 2 as mitigated also require SMT
64 disabled + unconditional L1D flush to deem Foreshadow-NG VMM as
65 mitigated also require SMT disabled to deem MDS vulnerabilities
66 mitigated
67
68 --no-sysfs
69 don't use the /sys interface even if present [Linux]
70
71 --sysfs-only
72 only use the /sys interface, don't run our own checks [Linux]
73
74 --coreos
75 special mode for CoreOS (use an ephemeral toolbox to inspect
76 kernel) [Linux]
77
78 --arch-prefix PREFIX
79 specify a prefix for cross-inspecting a kernel of a different
80 arch, for example "aarch64-linux-gnu-", so that invoked tools
81 will be prefixed with this (i.e. aarch64-linux-gnu-objdump)
82
83 --batch text
84 produce machine readable output, this is the default if --batch
85 is specified alone
86
87 --batch short
88 produce only one line with the vulnerabilities separated by spa‐
89 ces
90
91 --batch json
92 produce JSON output formatted for Puppet, Ansible, Chef...
93
94 --batch nrpe
95 produce machine readable output formatted for NRPE
96
97 --batch prometheus
98 produce output for consumption by prometheus-node-exporter
99
100 --variant VARIANT
101 specify which variant you'd like to check, by default all vari‐
102 ants are checked VARIANT can be one of 1, 2, 3, 3a, 4, l1tf, ms‐
103 bds, mfbds, mlpds, mdsum, taa, mcepsc, srbds can be specified
104 multiple times (e.g. --variant 2 --variant 3)
105
106 --cve [cve1,cve2,...]
107 specify which CVE you'd like to check, by default all supported
108 CVEs are checked
109
110 --hw-only
111 only check for CPU information, don't check for any variant
112
113 --no-hw
114 skip CPU information and checks, if you're inspecting a kernel
115 not to be run on this host
116
117 --vmm [auto,yes,no]
118 override the detection of the presence of a hypervisor, default:
119 auto
120
121 --allow-msr-write
122 allow probing for write-only MSRs, this might produce kernel
123 logs or be blocked by your system
124
125 --cpu [#,all]
126 interact with CPUID and MSR of CPU core number #, or all (de‐
127 fault: CPU core 0)
128
129 --update-fwdb
130 update our local copy of the CPU microcodes versions database
131 (using the awesome MCExtractor project and the Intel firmwares
132 GitHub repository)
133
134 --update-builtin-fwdb
135 same as --update-fwdb but update builtin DB inside the script
136 itself
137
138 --dump-mock-data
139 used to mimick a CPU on an other system, mainly used to help de‐
140 bugging this script
141
142 Return codes:
143
144 0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error)
145
146 IMPORTANT: A false sense of security is worse than no security
147 at all. Please use the --disclaimer option to understand ex‐
148 actly what this script does.
149
150
151
152Spectre and Meltdown mitigation deteJcutliyon20t2o2ol v0.45 SPECTRE(1)