Provided by: spectre-meltdown-checker_0.43-3_all

NAME

       Spectre - Spectre & Meltdown vulnerability/mitigation checker

DESCRIPTION

       Spectre and Meltdown mitigation detection tool v0.43

              Usage:

       Live mode (auto):
              spectre-meltdown-checker [options]

       Live mode (manual):
              spectre-meltdown-checker [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live

       Offline mode:
              spectre-meltdown-checker [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>

              Modes:

              Two modes are available.

              The first mode is the "live" mode (default); it does its best to find information about the
              currently running kernel.  To run in this mode, just start the script without any option (you
              can also use --live explicitly).

              The second mode is the "offline" mode, where you can inspect a non-running kernel.  This mode is
              automatically enabled when you specify the location of the kernel, config and System.map
              files:

       --kernel kernel_file
              specify a (possibly compressed) Linux or BSD kernel file

       --config kernel_config
              specify a kernel config file (Linux only)

       --map kernel_map_file
              specify a kernel System.map file (Linux only)

              If  you  want  to  use  live  mode while specifying the location of the kernel, config or map file
              yourself, you can add --live to the above options, to tell the script to run in live mode  instead
              of  the  offline  mode,  which  is  enabled  by default when at least one file is specified on the
              command line.

              Options:

       --no-color
              don't use color codes

       --verbose, -v
              increase verbosity level, possibly several times

       --explain
              produce an additional human-readable explanation of actions to take to mitigate a vulnerability

       --paranoid
              require IBPB to deem Variant 2 as mitigated;
              also require SMT disabled + unconditional L1D flush to deem Foreshadow-NG VMM as mitigated;
              also require SMT disabled to deem MDS vulnerabilities mitigated

       --no-sysfs
              don't use the /sys interface even if present [Linux]

       --sysfs-only
              only use the /sys interface, don't run our own checks [Linux]

       --coreos
              special mode for CoreOS (use an ephemeral toolbox to inspect kernel) [Linux]

       --arch-prefix PREFIX
              specify a prefix for cross-inspecting a kernel of a different arch, for example
              "aarch64-linux-gnu-", so that invoked tools will be prefixed with this (e.g.
              aarch64-linux-gnu-objdump)

       --batch text
              produce machine readable output, this is the default if --batch is specified alone

       --batch short
              produce only one line with the vulnerabilities separated by spaces

       --batch json
              produce JSON output formatted for Puppet, Ansible, Chef...

       --batch nrpe
              produce machine readable output formatted for NRPE

       --batch prometheus
              produce output for consumption by prometheus-node-exporter

       --variant VARIANT
              specify which variant you'd like to check; by default all variants are checked.
              VARIANT can be one of 1, 2, 3, 3a, 4, l1tf, msbds, mfbds, mlpds, mdsum, taa, mcepsc.
              Can be specified multiple times (e.g. --variant 2 --variant 3)

       --cve [cve1,cve2,...]
              specify which CVE you'd like to check, by default all supported CVEs are checked

       --hw-only
              only check for CPU information, don't check for any variant

       --no-hw
              skip CPU information and checks, if you're inspecting a kernel not to be run on this host

       --vmm [auto,yes,no]
              override the detection of the presence of a hypervisor, default: auto

       --update-fwdb
              update our local copy of the CPU microcodes  versions  database  (using  the  awesome  MCExtractor
              project and the Intel firmwares GitHub repository)

       --update-builtin-fwdb
              same as --update-fwdb but update builtin DB inside the script itself

       --dump-mock-data
              used to mimic a CPU on another system, mainly used to help debugging this script

              Return codes:

              0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error)

              IMPORTANT:  A  false  sense  of  security  is  worse  than  no  security  at  all.  Please use the
              --disclaimer option to understand exactly what this script does.
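
              Added example (not part of the original manual or of the script itself): a POSIX sh wrapper
              that audits a staged kernel in offline mode and maps the return codes above to a one-line
              verdict. The SMC variable and the vmlinuz-/config-/System.map- file naming are assumptions.

```shell
#!/bin/sh
# Added example, not from the spectre-meltdown-checker project.
# SMC is a hypothetical override for the checker command (useful for testing).
SMC="${SMC:-spectre-meltdown-checker}"

# audit_kernel BOOTDIR KVER
# Prints "<VERDICT> <kver>[: findings]" and returns the checker's exit code.
# Assumes Debian-style names: vmlinuz-KVER, config-KVER, System.map-KVER.
audit_kernel() {
    bootdir=$1; kver=$2
    # --batch short: one line listing the vulnerabilities, separated by spaces.
    # --paranoid: stricter criteria (IBPB, SMT disabled, L1D flush).
    # Hardware checks stay on: the kernel is meant to run on this host.
    set -- --batch short --paranoid
    if [ -f "$bootdir/vmlinuz-$kver" ]; then
        set -- "$@" --kernel "$bootdir/vmlinuz-$kver"
    fi
    if [ -f "$bootdir/config-$kver" ]; then
        set -- "$@" --config "$bootdir/config-$kver"
    fi
    if [ -f "$bootdir/System.map-$kver" ]; then
        set -- "$@" --map "$bootdir/System.map-$kver"
    fi
    # With none of the three files on the command line the tool would run in
    # live mode and report on the *running* kernel, so refuse instead.
    if [ "$#" -eq 3 ]; then
        echo "ERROR $kver: no kernel, config or System.map in $bootdir"
        return 255
    fi
    rc=0
    findings=$("$SMC" "$@") || rc=$?
    case $rc in
        0) echo "OK $kver" ;;
        2) echo "VULNERABLE $kver: $findings" ;;
        3) echo "UNKNOWN $kver" ;;   # treat as a failure, not as a pass
        *) echo "ERROR $kver (exit $rc)" ;;
    esac
    return "$rc"
}

# Typical use from a kernel post-install hook (constructed version string):
#   audit_kernel /boot 5.4.0-example || echo "review before rebooting"
```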

SEE ALSO

       The full documentation for Spectre is maintained as a Texinfo manual.  If the info and  Spectre  programs
       are properly installed at your site, the command

              info Spectre

       should give you access to the complete manual.

Spectre and Meltdown mitigation detection tool v0.43          March 2020                              SPECTRE(1)