SPECTRE(1)                       User Commands                      SPECTRE(1)

NAME
       Spectre - Spectre & Meltdown vulnerability/mitigation checker

DESCRIPTION
       Spectre and Meltdown mitigation detection tool v0.45

              Usage:

       Live mode (auto):
              spectre-meltdown-checker [options]

       Live mode (manual):
              spectre-meltdown-checker [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live

       Offline mode:
              spectre-meltdown-checker [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>

              Modes:

              Two modes are available.

              The first mode is the "live" mode (default), which does its best
              to find information about the currently running kernel. To run
              in this mode, just start the script without any option (you can
              also use --live explicitly).

              The second mode is the "offline" mode, where you can inspect a
              non-running kernel. This mode is automatically enabled when you
              specify the location of the kernel file, config and System.map
              files:

       --kernel kernel_file
              specify a (possibly compressed) Linux or BSD kernel file

       --config kernel_config
              specify a kernel config file (Linux only)

       --map kernel_map_file
              specify a kernel System.map file (Linux only)

              If you want to use live mode while specifying the location of
              the kernel, config or map file yourself, you can add --live to
              the above options, to tell the script to run in live mode
              instead of the offline mode, which is enabled by default when at
              least one file is specified on the command line.

              Options:

       --no-color
              don't use color codes

       --verbose, -v
              increase verbosity level, possibly several times

       --explain
              produce an additional human-readable explanation of  actions  to
              take to mitigate a vulnerability

       --paranoid
              require IBPB to deem Variant 2 as mitigated
              also require SMT disabled + unconditional L1D flush to deem
              Foreshadow-NG VMM as mitigated
              also require SMT disabled to deem MDS vulnerabilities mitigated

       --no-sysfs
              don't use the /sys interface even if present [Linux]

       --sysfs-only
              only use the /sys interface, don't run our own checks [Linux]

       --coreos
              special mode for CoreOS (use an  ephemeral  toolbox  to  inspect
              kernel) [Linux]

       --arch-prefix PREFIX
              specify  a  prefix  for cross-inspecting a kernel of a different
              arch, for example "aarch64-linux-gnu-", so  that  invoked  tools
              will be prefixed with this (i.e. aarch64-linux-gnu-objdump)

       --batch text
              produce  machine readable output, this is the default if --batch
              is specified alone

       --batch short
              produce only one line with the vulnerabilities separated by
              spaces

       --batch json
              produce JSON output formatted for Puppet, Ansible, Chef...

       --batch nrpe
              produce machine readable output formatted for NRPE

       --batch prometheus
              produce output for consumption by prometheus-node-exporter

       --variant VARIANT
              specify which variant you'd like to check, by default all
              variants are checked
              VARIANT can be one of 1, 2, 3, 3a, 4, l1tf, msbds, mfbds, mlpds,
              mdsum, taa, mcepsc, srbds
              can be specified multiple times (e.g. --variant 2 --variant 3)

       --cve [cve1,cve2,...]
              specify which CVE you'd like to check, by default all  supported
              CVEs are checked

       --hw-only
              only check for CPU information, don't check for any variant

       --no-hw
              skip  CPU  information and checks, if you're inspecting a kernel
              not to be run on this host

       --vmm [auto,yes,no]
              override the detection of the presence of a hypervisor, default:
              auto

       --allow-msr-write
              allow  probing  for  write-only  MSRs, this might produce kernel
              logs or be blocked by your system

       --cpu [#,all]
              interact with CPUID and MSR of CPU core number #, or all
              (default: CPU core 0)

       --update-fwdb
              update our local copy of the CPU microcode versions database
              (using the awesome MCExtractor project and the Intel firmwares
              GitHub repository)

       --update-builtin-fwdb
              same  as  --update-fwdb  but update builtin DB inside the script
              itself

       --dump-mock-data
              used to mimic a CPU on another system, mainly used to help
              debugging this script

              Return codes:

              0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error)

              IMPORTANT: A false sense of security is worse than no security
              at all. Please use the --disclaimer option to understand
              exactly what this script does.
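
Added example, not part of the original man page: a POSIX shell wrapper that runs the checker with --batch short and branches on the return codes listed above, then applies the same logic to offline kernel images using --kernel and --no-hw. The CHECKER variable and the audit_host and audit_kernels function names are assumptions of this sketch; it treats "unknown" (3) as a failure.

```shell
#!/bin/sh
# Added example (not part of the man page): act on the documented return
# codes 0/2/3/255 instead of scraping the human-readable report.
# CHECKER is an assumption of this sketch: it lets the command be overridden.
CHECKER="${CHECKER:-spectre-meltdown-checker}"

# audit_host [checker options...]
# Sets AUDIT_STATUS to ok|vulnerable|unknown|error and AUDIT_FINDINGS to the
# single line printed by --batch short. Returns 0 only when status is ok.
audit_host() {
    rc=0
    AUDIT_FINDINGS=$($CHECKER --batch short "$@" 2>/dev/null) || rc=$?
    case "$rc" in
        0) AUDIT_STATUS=ok ;;
        2) AUDIT_STATUS=vulnerable ;;
        3) AUDIT_STATUS=unknown ;;   # not proven mitigated: fail closed
        *) AUDIT_STATUS=error ;;     # 255, or the checker could not be run
    esac
    [ "$AUDIT_STATUS" = ok ]
}

# audit_kernels IMAGE...
# Offline mode: inspect each kernel image with --kernel, adding --no-hw because
# the images are not meant to run on the auditing host. Prints one
# tab-separated line per image and returns 1 if any image is not ok.
audit_kernels() {
    failed=0
    for img in "$@"; do
        audit_host --no-hw --kernel "$img" || failed=$((failed + 1))
        printf '%s\t%s\t%s\n' "$img" "$AUDIT_STATUS" "$AUDIT_FINDINGS"
    done
    [ "$failed" -eq 0 ]
}
```

Source the file and call audit_host for the running system, or audit_kernels with one or more kernel image paths; adding --paranoid to audit_host applies the stricter criteria described under that option.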

SEE ALSO
       The  full  documentation for Spectre is maintained as a Texinfo manual.
       If the info and Spectre programs are properly installed at  your  site,
       the command

              info Spectre

       should give you access to the complete manual.

Spectre and Meltdown mitigation detection tool v0.45   January 2023   SPECTRE(1)

Generated by dwww version 1.15 on Sun Jun 23 09:40:52 CEST 2024.