Provided by: spectre-meltdown-checker_0.40-3_all
Spectre - Spectre & Meltdown vulnerability/mitigation checker
Spectre and Meltdown mitigation detection tool v0.40 Usage: Live mode: spectre-meltdown-checker [options] [--live] Offline mode: spectre-meltdown-checker [options] [--kernel <kernel_file>] [--config <kernel_config>] [--map <kernel_map_file>] Modes: Two modes are available. First mode is the "live" mode (default), it does its best to find information about the currently running kernel. To run under this mode, just start the script without any option (you can also use --live explicitly) Second mode is the "offline" mode, where you can inspect a non-running kernel. You'll need to specify the location of the kernel file, config and System.map files: --kernel kernel_file specify a (possibly compressed) Linux or BSD kernel file --config kernel_config specify a kernel config file (Linux only) --map kernel_map_file specify a kernel System.map file (Linux only) Options: --no-color don't use color codes --verbose, -v increase verbosity level, possibly several times --explain produce an additional human-readable explanation of actions to take to mitigate a vulnerability --paranoid require IBPB to deem Variant 2 as mitigated also require SMT disabled + unconditional L1D flush to deem Foreshadow-NG VMM as mitigated --no-sysfs don't use the /sys interface even if present [Linux] --sysfs-only only use the /sys interface, don't run our own checks [Linux] --coreos special mode for CoreOS (use an ephemeral toolbox to inspect kernel) [Linux] --arch-prefix PREFIX specify a prefix for cross-inspecting a kernel of a different arch, for example "aarch64-linux-gnu-", so that invoked tools will be prefixed with this (i.e. aarch64-linux-gnu-objdump) --batch text produce machine readable output, this is the default if --batch is specified alone --batch short produce only one line with the vulnerabilities separated by spaces --batch json produce JSON output formatted for Puppet, Ansible, Chef... --batch nrpe produce machine readable output formatted for NRPE --batch prometheus produce output for consumption by prometheus-node-exporter --variant [1,2,3,3a,4,l1tf] specify which variant you'd like to check, by default all variants are checked --cve [cve1,cve2,...] specify which CVE you'd like to check, by default all supported CVEs are checked can be specified multiple times (e.g. --variant 2 --variant 3) --hw-only only check for CPU information, don't check for any variant --no-hw skip CPU information and checks, if you're inspecting a kernel not to be run on this host --vmm [auto,yes,no] override the detection of the presence of an hypervisor (for CVE-2018-3646), default: auto --update-mcedb update our local copy of the CPU microcodes versions database (from the awesome MCExtractor project) --update-builtin-mcedb same as --update-mcedb but update builtin DB inside the script itself Return codes: 0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error) IMPORTANT: A false sense of security is worse than no security at all. Please use the --disclaimer option to understand exactly what this script does.
The full documentation for Spectre is maintained as a Texinfo manual. If the info and Spectre programs are properly installed at your site, the command info Spectre should give you access to the complete manual. Spectre and Meltdown mitigation detection tJanuary42019 SPECTRE(1)