Using spectre-meltdown-checker (with examples)
- Linux
- November 5, 2023
In this article, we will explore the different use cases of the spectre-meltdown-checker
command, which is a detection tool for Spectre and Meltdown vulnerabilities. We will provide code examples for each use case and explain the motivation behind using them. Additionally, we will provide an explanation for every argument used and an example output for better understanding.
Use Case 1: Check the currently running kernel for Spectre or Meltdown
sudo spectre-meltdown-checker
Motivation: Checking the currently running kernel is the most basic and common use case for this command. It allows us to quickly determine if our system is vulnerable to Spectre or Meltdown vulnerabilities.
Explanation: This command checks the currently running kernel for Spectre or Meltdown vulnerabilities. It examines the system’s CPU and provides a report on the mitigation status.
Example Output:
Spectre and Meltdown mitigation detection...
This host is running Linux Kernel 5.4.0-81-generic.
Found microcode: 0xc2 (Reboots needed for microcode update)
==> CVE-2017-5753/1 found: SPEC_LATENCYNS, RSBA
=== Mitigation 1 ===
SUSE kernel live patching detected, checking vulnerabilities in third-party modules
SUSE kernel hotpatch status: Received the sec and spectre_v* updates, but they are not yet activated.
This system could be vulnerable if activated.
## SUCCESS 4.20.10-200.fc29.x86_64 is the current kernel
Use Case 2: Check the currently running kernel and show an explanation of the actions to take to mitigate a vulnerability
sudo spectre-meltdown-checker --explain
Motivation: Sometimes, it’s not enough to know if our system is vulnerable. We need to understand the actions required to mitigate the vulnerabilities effectively. This use case provides detailed explanations for mitigation actions.
Explanation:
By using the --explain
argument, this command not only checks the currently running kernel but also provides detailed explanations of the actions that need to be taken to mitigate a vulnerability.
Example Output:
Spectre and Meltdown mitigation detection with explanations...
Spectre Variant 1 (Spectre Bounds Check Bypass)
* This is a CPU microcode update or a software update containing CPU microcode.
* Check for BIOS/UEFI update availability.
Spectre Variant 2 (Branch Target Injection)
* This is a CPU microcode update or a software update containing CPU microcode.
* Check for BIOS/UEFI update availability.
Meltdown Variant 3 ( Rogue Data Cache Load)
* This requires a kernel and microcode updates.
* Check for kernel and microcode update availability.
* If kernel update is available, reboot is necessary.
Meltdown Variant 3a ( Rogue System Register Read)
* This requires a microcode update.
* Check for BIOS/UEFI update availability.
...
Use Case 3: Check for specific variants
sudo spectre-meltdown-checker --variant 1|2|3|3a|4|l1tf|msbds|mfbds|mlpds|mdsum|taa|mcespc|srbds
Motivation: Sometimes, we only need to check for specific variants of Spectre or Meltdown vulnerabilities. This use case allows us to focus on specific vulnerabilities rather than checking for all variants.
Explanation:
By specifying the --variant
argument followed by any specific variant(s), this command will only check for the specified vulnerabilities.
Example Output:
Spectre and Meltdown mitigation detection for variant 3...
CVE-2017-5754/3 found: Rogue Data Cache Load
### Kernel information
Kernel is Linux 4.15.0-54-generic ()
### CPU microcode is known to cause stability issues. You are advised to disable swap if you encounter system freeze/crash.
### Mitigation 1 (KPTI: Kernel Page Table Isolation)
* Kernel has KPTI (Kernel Page Table Isolation) patches
* Kernel version is 4.15.xx or later
### Mitigation 2
* Update your microcode to the latest version. Warning! Old microcode leaves your system exposed
* Microcode updates are only available on the latest hardware
### Mitigation 3
* This issue hasn't been properly fixed yet and new attacks are possible
* The best mitigation is running the latest stable kernel version and always keeping it up to date
## SUCCESS 4.15.0-54-generic is the current kernel
Use Case 4: Display output using a specific format
sudo spectre-meltdown-checker --batch text|json|nrpe|prometheus|short
Motivation: The default output format might not always be suitable for the desired use case. This use case allows us to specify the output format according to our needs.
Explanation:
By using the --batch
argument followed by the desired output format (text, json, nrpe, prometheus, or short), this command will display the output in the specified format.
Example Output:
Spectre and Meltdown mitigation detection...
{
"Kernel": "4.19.0-16-amd64",
"CPU": "Intel Core Processor (Haswell, no TSX)",
"CVE-2017-5753/1": "Vulnerable",
"Mitigation 1": "CPU microcode",
"CVE-2017-5715/2": "Vulnerable: Minimal generic ASM retpoline",
"Mitigation 2": "CPU microcode",
"CVE-2017-5754/3": "Vulnerable",
"Mitigation 3": "CPU microcode"
}
Use Case 5: Don’t use the /sys
interface even if present
sudo spectre-meltdown-checker --no-sysfs
Motivation:
In some cases, the /sys
interface might be present but not fully reliable. This use case allows us to bypass the /sys
interface and rely on other methods for checking vulnerabilities.
Explanation:
By using the --no-sysfs
argument, this command will exclude the /sys
interface, even if it is present, while checking vulnerabilities.
Example Output:
Spectre and Meltdown mitigation detection...
*** Warning, check may be incomplete or inaccurate. ***
*** This check may need a rooted shell ***
*** Read access to cpu buffer files and directories will be attempted ***
*** This can generate false positives.
*** Please see README file for bypass INTERFERENCE_ISSUES.
*** If inaccurate, or multiple Aquisitions, then collected files need to be deleted ***
*** The cache can be cleared. ***
Found CPU Vulnerability unit: 1
*** V1 Bypass Enabled ***
### Kernel information
Kernel is Linux 5.11.0-25-generic ()
### System information
Distribution is Ubuntu 21.04
...
Use Case 6: Check a non-running kernel
sudo spectre-meltdown-checker --kernel path/to/kernel_file
Motivation: Sometimes, we might need to check the vulnerabilities of a non-running kernel image. This use case allows us to specify the path to a specific kernel image file and check its vulnerabilities.
Explanation:
By using the --kernel
argument followed by the path to the kernel image file, this command will check the vulnerabilities of the specified non-running kernel image.
Example Output:
Spectre and Meltdown mitigation detection...
## Kernel
Kernel build time: 2021-12-01 10:33:33 +02:00
Distribution: Debian 11 bullseye
### Kernel information
Kernel is Linux 5.14.0-1-amd64 ()
### Found Intel CPU
Model: 79, family: 6, model number: 142, stepping: 0,
CPU signature: 906E9
### Mitigation 1 (KPTI: Kernel Page Table Isolation)
* Kernel has KPTI (Kernel Page Table Isolation) patches
* Kernel version is 4.15.xx or later
...