SPECTRE(1)                       User Commands                      SPECTRE(1)

NAME
       Spectre - Spectre and Meltdown mitigation detection tool

DESCRIPTION
       Spectre and Meltdown mitigation detection tool v0.46

              Usage:

       Live mode (auto):
              spectre-meltdown-checker [options]

       Live mode (manual):
              spectre-meltdown-checker [options] <[--kernel <kimage>]
              [--config <kconfig>] [--map <mapfile>]> --live

       Offline mode:
              spectre-meltdown-checker [options] <[--kernel <kimage>]
              [--config <kconfig>] [--map <mapfile>]>

              Modes:

              Two modes are available.

              The first mode is the "live" mode (default), which does its best
              to find information about the currently running kernel. To run
              in this mode, just start the script without any option (you can
              also use --live explicitly).

              The second mode is the "offline" mode, where you can inspect a
              non-running kernel. This mode is automatically enabled when you
              specify the location of the kernel file, config and System.map
              files:

       --kernel kernel_file
              specify a (possibly compressed) Linux or BSD kernel file

       --config kernel_config
              specify a kernel config file (Linux only)

       --map kernel_map_file
              specify a kernel System.map file (Linux only)

              If you want to use live mode while specifying the location of
              the kernel, config or map file yourself, you can add --live to
              the above options, to tell the script to run in live mode
              instead of the offline mode, which is enabled by default when at
              least one file is specified on the command line.

              Options:

       --no-color
              don't use color codes

       --verbose, -v
              increase verbosity level, possibly several times

       --explain
              produce an additional human-readable explanation of actions to
              take to mitigate a vulnerability

       --paranoid
              require IBPB to deem Variant 2 as mitigated; also require SMT
              disabled + unconditional L1D flush to deem Foreshadow-NG VMM as
              mitigated; also require SMT disabled to deem MDS vulnerabilities
              mitigated

       --no-sysfs
              don't use the /sys interface even if present [Linux]

       --sysfs-only
              only use the /sys interface, don't run our own checks [Linux]

       --coreos
              special mode for CoreOS (use an ephemeral toolbox to inspect
              kernel) [Linux]

       --arch-prefix PREFIX
              specify a prefix for cross-inspecting a kernel of a different
              arch, for example "aarch64-linux-gnu-", so that invoked tools
              will be prefixed with this (e.g. aarch64-linux-gnu-objdump)

       --batch text
              produce machine readable output; this is the default if --batch
              is specified alone

       --batch short
              produce only one line with the vulnerabilities separated by
              spaces

       --batch json
              produce JSON output formatted for Puppet, Ansible, Chef...

       --batch nrpe
              produce machine readable output formatted for NRPE

       --batch prometheus
              produce output for consumption by prometheus-node-exporter

       --variant VARIANT
              specify which variant you'd like to check; by default all
              variants are checked. Can be used multiple times (e.g.
              --variant 3a --variant l1tf). For a list of supported VARIANT
              parameters, use --variant help

       --cve CVE
              specify which CVE you'd like to check; by default all supported
              CVEs are checked. Can be used multiple times (e.g. --cve
              CVE-2017-5753 --cve CVE-2020-0543)

       --hw-only
              only check for CPU information, don't check for any variant

       --no-hw
              skip CPU information and checks, if you're inspecting a kernel
              not to be run on this host

       --vmm [auto,yes,no]
              override the detection of the presence of a hypervisor, default:
              auto

       --allow-msr-write
              allow probing for write-only MSRs; this might produce kernel
              logs or be blocked by your system

       --cpu [#,all]
              interact with CPUID and MSR of CPU core number #, or all
              (default: CPU core 0)

       --update-fwdb
              update our local copy of the CPU microcode versions database
              (using the awesome MCExtractor project and the Intel firmware
              GitHub repository)

       --update-builtin-fwdb
              same as --update-fwdb but update the builtin DB inside the
              script itself

       --dump-mock-data
              used to mimic a CPU on another system, mainly used to help
              debugging this script

              Return codes:

              0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error)

              IMPORTANT: A false sense of security is worse than no security
              at all. Please use the --disclaimer option to understand
              exactly what this script does.
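
              Added example (not part of the tool or its manual page): a POSIX
              shell wrapper that turns the return codes above into a
              fail-closed gate, so that 3 (unknown), 255 (error) and any other
              code, such as 127 when the script is missing, count as failures
              rather than as a pass. The CHECKER variable and the classify_rc
              and gate function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: fail-closed compliance gate around spectre-meltdown-checker.
# CHECKER is a hypothetical override so the command (or a "sudo ..." prefix)
# can be swapped without editing the functions below.
CHECKER="${CHECKER:-spectre-meltdown-checker}"

# Map a return code to a verdict word, using the codes documented above.
# Anything undocumented (e.g. 126/127 from the shell itself) is "unexpected".
classify_rc() {
    case "$1" in
        0)   echo "not-vulnerable" ;;
        2)   echo "vulnerable" ;;
        3)   echo "unknown" ;;
        255) echo "error" ;;
        *)   echo "unexpected" ;;
    esac
}

# Run the checker with --batch short plus any extra options, print
# "<verdict>: <one-line output>", and succeed ONLY on a clean result.
# "unknown" is deliberately treated as a failure: a check that could not
# be completed must not be reported as a pass.
gate() {
    # $CHECKER is intentionally unquoted so "sudo spectre-meltdown-checker"
    # splits into words; "&& rc=0 || rc=$?" keeps this safe under `set -e`.
    out=$($CHECKER --batch short "$@" 2>/dev/null) && rc=0 || rc=$?
    verdict=$(classify_rc "$rc")
    echo "$verdict: $out"
    [ "$verdict" = "not-vulnerable" ]
}

# Usage (as root, from a cron job or CI step):
#   gate --paranoid || exit 1
```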

Spectre and Meltdown mitigation detection tool v0.46    August 2023    SPECTRE(1)