Provided by: spectre-meltdown-checker_0.40-3_all bug


       Spectre - Spectre & Meltdown vulnerability/mitigation checker


       Spectre and Meltdown mitigation detection tool v0.40


       Live mode:
              spectre-meltdown-checker [options] [--live]

              Offline mode: spectre-meltdown-checker [options] [--kernel <kernel_file>] [--config
              <kernel_config>] [--map <kernel_map_file>]


              Two modes are available.

              First mode is the "live" mode (default), it does its best to find information about
              the  currently  running  kernel.   To  run  under  this mode, just start the script
              without any option (you can also use --live explicitly)

              Second mode is the "offline" mode, where you  can  inspect  a  non-running  kernel.
              You'll  need  to  specify  the  location  of the kernel file, config and

       --kernel kernel_file
              specify a (possibly compressed) Linux or BSD kernel file

       --config kernel_config
              specify a kernel config file (Linux only)

       --map kernel_map_file
              specify a kernel file (Linux only)


              don't use color codes

       --verbose, -v
              increase verbosity level, possibly several times

              produce an additional human-readable explanation of actions to take to  mitigate  a

              require  IBPB  to  deem  Variant  2  as  mitigated  also  require  SMT  disabled  +
              unconditional L1D flush to deem Foreshadow-NG VMM as mitigated

              don't use the /sys interface even if present [Linux]

              only use the /sys interface, don't run our own checks [Linux]

              special mode for CoreOS (use an ephemeral toolbox to inspect kernel) [Linux]

       --arch-prefix PREFIX
              specify a prefix for cross-inspecting a kernel of a  different  arch,  for  example
              "aarch64-linux-gnu-",  so  that  invoked  tools  will  be  prefixed with this (i.e.

       --batch text
              produce machine readable output, this is the default if --batch is specified alone

       --batch short
              produce only one line with the vulnerabilities separated by spaces

       --batch json
              produce JSON output formatted for Puppet, Ansible, Chef...

       --batch nrpe
              produce machine readable output formatted for NRPE

       --batch prometheus
              produce output for consumption by prometheus-node-exporter

       --variant [1,2,3,3a,4,l1tf]
              specify which variant you'd like to check, by default all variants are checked

       --cve [cve1,cve2,...]
              specify which CVE you'd like to check, by default all supported CVEs are checked

              can be specified multiple times (e.g. --variant 2 --variant 3)

              only check for CPU information, don't check for any variant

              skip CPU information and checks, if you're inspecting a kernel not  to  be  run  on
              this host

       --vmm [auto,yes,no]
              override  the  detection  of  the  presence  of  an hypervisor (for CVE-2018-3646),
              default: auto

              update our local copy of the CPU microcodes versions  database  (from  the  awesome
              MCExtractor project)

              same as --update-mcedb but update builtin DB inside the script itself

              Return codes:

              0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error)

              IMPORTANT:  A false sense of security is worse than no security at all.  Please use
              the --disclaimer option to understand exactly what this script does.


       The full documentation for Spectre is maintained as a Texinfo manual.   If  the  info  and
       Spectre programs are properly installed at your site, the command

              info Spectre

       should give you access to the complete manual.

Spectre and Meltdown mitigation detection tJanuary42019                                SPECTRE(1)