Provided by: spectre-meltdown-checker_0.46-1_all bug

NAME
       Spectre - Spectre & Meltdown vulnerability/mitigation checker


DESCRIPTION
       Spectre and Meltdown mitigation detection tool v0.46

              Usage:

       Live mode (auto):
              spectre-meltdown-checker [options]

              Live   mode   (manual):  spectre-meltdown-checker  [options]  <[--kernel  <kimage>]
              [--config    <kconfig>]     [--map     <mapfile>]>     --live     Offline     mode:
              spectre-meltdown-checker [options] <[--kernel <kimage>] [--config <kconfig>] [--map
              <mapfile>]>

              Modes:

              Two modes are available.

              First mode is the "live" mode (default), it does its best to find information about
              the  currently  running  kernel.   To  run  under  this mode, just start the script
              without any option (you can also use --live explicitly)

              Second mode is the "offline" mode, where you  can  inspect  a  non-running  kernel.
              This  mode  is  automatically  enabled  when you specify the location of the kernel
              file, config and System.map files:

       --kernel kernel_file
              specify a (possibly compressed) Linux or BSD kernel file

       --config kernel_config
              specify a kernel config file (Linux only)

       --map kernel_map_file
              specify a kernel System.map file (Linux only)

              If you want to use live mode while specifying the location of the kernel, config or
              map  file  yourself, you can add --live to the above options, to tell the script to
              run in live mode instead of the offline mode, which is enabled by default  when  at
              least one file is specified on the command line.

              Options:

       --no-color
              don't use color codes

       --verbose, -v
              increase verbosity level, possibly several times

       --explain
              produce  an  additional human-readable explanation of actions to take to mitigate a
              vulnerability

       --paranoid
              require  IBPB  to  deem  Variant  2  as  mitigated  also  require  SMT  disabled  +
              unconditional  L1D  flush  to  deem Foreshadow-NG VMM as mitigated also require SMT
              disabled to deem MDS vulnerabilities mitigated

       --no-sysfs
              don't use the /sys interface even if present [Linux]

       --sysfs-only
              only use the /sys interface, don't run our own checks [Linux]

       --coreos
              special mode for CoreOS (use an ephemeral toolbox to inspect kernel) [Linux]

       --arch-prefix PREFIX
              specify a prefix for cross-inspecting a kernel of a  different  arch,  for  example
              "aarch64-linux-gnu-",  so  that  invoked  tools  will  be  prefixed with this (i.e.
              aarch64-linux-gnu-objdump)

       --batch text
              produce machine readable output, this is the default if --batch is specified alone

       --batch short
              produce only one line with the vulnerabilities separated by spaces

       --batch json
              produce JSON output formatted for Puppet, Ansible, Chef...

       --batch nrpe
              produce machine readable output formatted for NRPE

       --batch prometheus
              produce output for consumption by prometheus-node-exporter

       --variant VARIANT
              specify which variant you'd like to check, by default  all  variants  are  checked.
              can  be  used  multiple  times  (e.g.  --variant  3a  --variant l1tf) for a list of
              supported VARIANT parameters, use --variant help

       --cve CVE
              specify which CVE you'd like to check, by default all supported  CVEs  are  checked
              can be used multiple times (e.g. --cve CVE-2017-5753 --cve CVE-2020-0543)

       --hw-only
              only check for CPU information, don't check for any variant

       --no-hw
              skip  CPU  information  and  checks, if you're inspecting a kernel not to be run on
              this host

       --vmm [auto,yes,no]
              override the detection of the presence of a hypervisor, default: auto

       --allow-msr-write
              allow probing for write-only MSRs, this might produce kernel logs or be blocked  by
              your system

       --cpu [#,all]
              interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)

       --update-fwdb
              update  our  local  copy of the CPU microcodes versions database (using the awesome
              MCExtractor project and the Intel firmwares GitHub repository)

       --update-builtin-fwdb
              same as --update-fwdb but update builtin DB inside the script itself

       --dump-mock-data
              used to mimick a CPU on an other system, mainly used to help debugging this script

              Return codes:

              0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error)

              IMPORTANT: A false sense of security is worse than no security at all.  Please  use
              the --disclaimer option to understand exactly what this script does.


SEE ALSO
       The  full  documentation  for  Spectre is maintained as a Texinfo manual.  If the info and
       Spectre programs are properly installed at your site, the command

              info Spectre

       should give you access to the complete manual.

Spectre and Meltdown mitigation detection tAugust.2023                                 SPECTRE(1)