.\" DO NOT MODIFY THIS FILE!  It was generated by help2man 1.48.1.
.TH SPECTRE "1" "February 2021" "Spectre and Meltdown mitigation detection tool v0.44" "User Commands"
.SH NAME
Spectre \- Spectre & Meltdown vulnerability/mitigation checker
.SH DESCRIPTION
Spectre and Meltdown mitigation detection tool v0.44
.IP
Usage:
.TP
Live mode (auto):
spectre\-meltdown\-checker [options]
.IP
Live mode (manual): spectre\-meltdown\-checker [options] <[\-\-kernel ] [\-\-config ] [\-\-map ]> \fB\-\-live\fR
Offline mode: spectre\-meltdown\-checker [options] <[\-\-kernel ] [\-\-config ] [\-\-map ]>
.IP
Modes:
.IP
Two modes are available.
.IP
The first mode is the "live" mode (default). It does its best to find information about the currently running kernel.
To run in this mode, just start the script without any option (you can also use \fB\-\-live\fR explicitly).
.IP
The second mode is the "offline" mode, where you can inspect a non\-running kernel.
This mode is automatically enabled when you specify the location of the kernel file, config and System.map files:
.TP
\fB\-\-kernel\fR kernel_file
specify a (possibly compressed) Linux or BSD kernel file
.TP
\fB\-\-config\fR kernel_config
specify a kernel config file (Linux only)
.TP
\fB\-\-map\fR kernel_map_file
specify a kernel System.map file (Linux only)
.IP
If you want to use live mode while specifying the location of the kernel, config or map file yourself,
you can add \fB\-\-live\fR to the above options. This tells the script to run in live mode instead of the offline mode,
which is enabled by default when at least one file is specified on the command line.
.IP
Options:
.TP
\fB\-\-no\-color\fR
don't use color codes
.TP
\fB\-\-verbose\fR, \fB\-v\fR
increase verbosity level, possibly several times
.TP
\fB\-\-explain\fR
produce an additional human\-readable explanation of actions to take to mitigate a vulnerability
.TP
\fB\-\-paranoid\fR
require IBPB to deem Variant 2 as mitigated
also require SMT disabled + unconditional L1D flush to deem Foreshadow\-NG VMM as mitigated
also require SMT disabled to deem MDS vulnerabilities mitigated
.TP
\fB\-\-no\-sysfs\fR
don't use the \fI\,/sys\/\fP interface even if present [Linux]
.TP
\fB\-\-sysfs\-only\fR
only use the \fI\,/sys\/\fP interface, don't run our own checks [Linux]
.TP
\fB\-\-coreos\fR
special mode for CoreOS (use an ephemeral toolbox to inspect kernel) [Linux]
.TP
\fB\-\-arch\-prefix\fR PREFIX
specify a prefix for cross\-inspecting a kernel of a different arch, for example "aarch64\-linux\-gnu\-",
so that invoked tools will be prefixed with this (i.e. aarch64\-linux\-gnu\-objdump)
.TP
\fB\-\-batch\fR text
produce machine readable output, this is the default if \fB\-\-batch\fR is specified alone
.TP
\fB\-\-batch\fR short
produce only one line with the vulnerabilities separated by spaces
.TP
\fB\-\-batch\fR json
produce JSON output formatted for Puppet, Ansible, Chef...
.TP
\fB\-\-batch\fR nrpe
produce machine readable output formatted for NRPE
.TP
\fB\-\-batch\fR prometheus
produce output for consumption by prometheus\-node\-exporter
.TP
\fB\-\-variant\fR VARIANT
specify which variant you'd like to check, by default all variants are checked
VARIANT can be one of 1, 2, 3, 3a, 4, l1tf, msbds, mfbds, mlpds, mdsum, taa, mcepsc, srbds
can be specified multiple times (e.g. \fB\-\-variant\fR 2 \fB\-\-variant\fR 3)
.TP
\fB\-\-cve\fR [cve1,cve2,...]
specify which CVE you'd like to check, by default all supported CVEs are checked
.TP
\fB\-\-hw\-only\fR
only check for CPU information, don't check for any variant
.TP
\fB\-\-no\-hw\fR
skip CPU information and checks, if you're inspecting a kernel not to be run on this host
.TP
\fB\-\-vmm\fR [auto,yes,no]
override the detection of the presence of a hypervisor, default: auto
.TP
\fB\-\-update\-fwdb\fR
update our local copy of the CPU microcodes versions database
(using the awesome MCExtractor project and the Intel firmwares GitHub repository)
.TP
\fB\-\-update\-builtin\-fwdb\fR
same as \fB\-\-update\-fwdb\fR but update builtin DB inside the script itself
.TP
\fB\-\-dump\-mock\-data\fR
used to mimic a CPU on another system, mainly used to help debugging this script
.IP
Return codes:
.IP
0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error)
.IP
IMPORTANT:
A false sense of security is worse than no security at all.
Please use the \fB\-\-disclaimer\fR option to understand exactly what this script does.
.SH "SEE ALSO"
The full documentation for
.B Spectre
is maintained as a Texinfo manual.  If the
.B info
and
.B Spectre
programs are properly installed at your site, the command
.IP
.B info Spectre
.PP
should give you access to the complete manual.
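.SH EXAMPLES
The following script is an added example, not part of the tool or of its own documentation.
It runs the offline mode described above over every kernel image in a boot directory and returns the worst of the documented return codes.
The file naming (vmlinuz\-VERSION, config\-VERSION, System.map\-VERSION), the CHECKER variable and the ranking of return codes are assumptions of the example.
.PP
.nf
```sh
#!/bin/sh
# Added example, not part of spectre-meltdown-checker itself.
# Assumption: the checker is on PATH under this name (override CHECKER).
CHECKER=${CHECKER:-spectre-meltdown-checker}

# Rank the documented return codes so the worst result wins.
# The ordering (error > vulnerable > unknown > ok) is this example's choice.
rank() {
    case "$1" in
        0) echo 0 ;;  # not vulnerable
        3) echo 1 ;;  # unknown
        2) echo 2 ;;  # vulnerable
        *) echo 3 ;;  # 255, or anything unexpected, counts as an error
    esac
}

# audit_boot_dir DIR
# Runs an offline check for every DIR/vmlinuz-VERSION, passing the matching
# config-VERSION and System.map-VERSION when present (assumed file naming).
# Prints "VERSION RC VULNS" per kernel and returns the worst return code.
audit_boot_dir() {
    dir=$1
    worst=0
    found=0
    for k in "$dir"/vmlinuz-*; do
        [ -f "$k" ] || continue
        found=1
        ver=${k##*/vmlinuz-}
        set -- --kernel "$k"
        if [ -f "$dir/config-$ver" ]; then set -- "$@" --config "$dir/config-$ver"; fi
        if [ -f "$dir/System.map-$ver" ]; then set -- "$@" --map "$dir/System.map-$ver"; fi
        rc=0
        # --batch short prints the vulnerabilities on one line
        vulns=$("$CHECKER" --batch short "$@") || rc=$?
        echo "$ver $rc $vulns"
        if [ "$(rank "$rc")" -gt "$(rank "$worst")" ]; then worst=$rc; fi
    done
    # No kernel image found: report an error instead of a clean result.
    if [ "$found" -eq 0 ]; then return 255; fi
    return "$worst"
}
```
.fi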