SPECTRE(1) User Commands SPECTRE(1)

Spectre - Spectre and Meltdown mitigation detection tool

Spectre and Meltdown mitigation detection tool v0.46

Usage:

Live mode (auto):
    spectre-meltdown-checker [options]

Live mode (manual):
    spectre-meltdown-checker [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live

Offline mode:
    spectre-meltdown-checker [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>

Modes:

Two modes are available.

The first mode is the "live" mode (default). It does its best to
find information about the currently running kernel. To run under
this mode, just start the script without any option (you can also
use --live explicitly).

The second mode is the "offline" mode, where you can inspect a
non-running kernel. This mode is automatically enabled when you
specify the location of the kernel file, config and System.map
files:

--kernel kernel_file
    specify a (possibly compressed) Linux or BSD kernel file

--config kernel_config
    specify a kernel config file (Linux only)

--map kernel_map_file
    specify a kernel System.map file (Linux only)

If you want to use live mode while specifying the location of the
kernel, config or map file yourself, you can add --live to the
above options to tell the script to run in live mode instead of
the offline mode, which is enabled by default when at least one
file is specified on the command line.

Options:

--no-color
    don't use color codes

--verbose, -v
    increase verbosity level, possibly several times

--explain
    produce an additional human-readable explanation of actions to
    take to mitigate a vulnerability

--paranoid
    require IBPB to deem Variant 2 as mitigated;
    also require SMT disabled + unconditional L1D flush to deem
    Foreshadow-NG VMM as mitigated;
    also require SMT disabled to deem MDS vulnerabilities mitigated

--no-sysfs
    don't use the /sys interface even if present [Linux]

--sysfs-only
    only use the /sys interface, don't run our own checks [Linux]

--coreos
    special mode for CoreOS (use an ephemeral toolbox to inspect
    kernel) [Linux]

--arch-prefix PREFIX
    specify a prefix for cross-inspecting a kernel of a different
    arch, for example "aarch64-linux-gnu-", so that invoked tools
    will be prefixed with this (e.g. aarch64-linux-gnu-objdump)

--batch text
    produce machine readable output; this is the default if --batch
    is specified alone

--batch short
    produce only one line with the vulnerabilities separated by
    spaces

--batch json
    produce JSON output formatted for Puppet, Ansible, Chef...

--batch nrpe
    produce machine readable output formatted for NRPE

--batch prometheus
    produce output for consumption by prometheus-node-exporter

--variant VARIANT
    specify which variant you'd like to check; by default all
    variants are checked. Can be used multiple times (e.g.
    --variant 3a --variant l1tf). For a list of supported VARIANT
    parameters, use --variant help

--cve CVE
    specify which CVE you'd like to check; by default all supported
    CVEs are checked. Can be used multiple times (e.g. --cve
    CVE-2017-5753 --cve CVE-2020-0543)

--hw-only
    only check for CPU information, don't check for any variant

--no-hw
    skip CPU information and checks, if you're inspecting a kernel
    not to be run on this host

--vmm [auto,yes,no]
    override the detection of the presence of a hypervisor,
    default: auto

--allow-msr-write
    allow probing for write-only MSRs; this might produce kernel
    logs or be blocked by your system

--cpu [#,all]
    interact with CPUID and MSR of CPU core number #, or all
    (default: CPU core 0)

--update-fwdb
    update our local copy of the CPU microcodes versions database
    (using the awesome MCExtractor project and the Intel firmwares
    GitHub repository)

--update-builtin-fwdb
    same as --update-fwdb but update builtin DB inside the script
    itself

--dump-mock-data
    used to mimic a CPU on another system, mainly used to help
    debugging this script

Return codes:

0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error)

IMPORTANT: A false sense of security is worse than no security at
all. Please use the --disclaimer option to understand exactly what
this script does.
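
The return codes and --batch short output described above, used in a fail-closed wrapper for a scheduled audit. This is an added example, not part of spectre-meltdown-checker; CHECKER, classify_rc and audit_host are hypothetical names, and the script is assumed to be on PATH unless CHECKER is overridden.

```shell
#!/bin/sh
# Added example: fail-closed wrapper around spectre-meltdown-checker.
# CHECKER is a hypothetical override so a different path (or a stub)
# can be substituted; by default the script is looked up on PATH.
CHECKER="${CHECKER:-spectre-meltdown-checker}"

# Map the documented return codes to a verdict. Anything that is not
# 0, 2 or 3 (255, or e.g. 127 when the script is missing) is an error.
classify_rc() {
    case "$1" in
        0) echo "not-vulnerable" ;;
        2) echo "vulnerable" ;;
        3) echo "unknown" ;;
        *) echo "error" ;;
    esac
}

# Run the checker with --batch short (one line, vulnerabilities
# separated by spaces) and print a single log line. Extra arguments
# such as --paranoid or --variant l1tf are passed through unchanged.
# Returns 0 only for "not-vulnerable"; "unknown" and "error" count as
# failures so a broken or inconclusive check never reads as a pass.
audit_host() {
    rc=0
    findings=$("$CHECKER" --batch short "$@" 2>/dev/null) || rc=$?
    verdict=$(classify_rc "$rc")
    printf 'verdict=%s rc=%s findings="%s"\n' "$verdict" "$rc" "$findings"
    [ "$verdict" = "not-vulnerable" ]
}

# Run only when asked, so the functions can be sourced by other scripts.
if [ "${RUN_AUDIT:-0}" = "1" ]; then
    audit_host --paranoid
fi
```

Set RUN_AUDIT=1 to run the audit directly; the exit status of the wrapper is then non-zero for every verdict other than not-vulnerable.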

Spectre and Meltdown mitigation detection tool v0.46    August 2023    SPECTRE(1)