This is a draft document that was built and uploaded automatically. It may document beta software and be incomplete or even incorrect. Use this document at your own risk.

Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
Security and Hardening Guide / Local security / Spectre/Meltdown checker
Applies to SUSE Linux Enterprise Server 15 SP6

16 Spectre/Meltdown checker

spectre-meltdown-checker is a shell script to test if your system is vulnerable to the several speculative execution vulnerabilities that are in nearly all CPUs manufactured in the past 20 years. This is a hardware flaw that potentially allows an attacker to read all data on the system. On cloud computing services, where multiple virtual machines are on a single physical host, an attacker can gain access to all virtual machines. Fixing these vulnerabilities requires redesigning and replacing CPUs. Until this happens, there are several software patches that mitigate these vulnerabilities. If you have kept your SUSE systems updated, all these patches should already be installed.

spectre-meltdown-checker generates a detailed report. It is impossible to guarantee that your system is secure, but it shows you which mitigations are in place, and potential vulnerabilities.

16.1 Using spectre-meltdown-checker

Install the script, and then run it as root without any options:

# zypper in spectre-meltdown-checker
# spectre-meltdown-checker.sh

You see colorful output like Figure 16.1, “Output from spectre-meltdown-checker”:

Partial output of spectre-meltdown-checker.sh
Figure 16.1: Output from spectre-meltdown-checker

spectre-meltdown-checker.sh --help lists all options. It is useful to pipe plain text output, with no colors, to a file:

# spectre-meltdown-checker.sh --no-color| tee filename.txt

The previous examples are on a running system, which is the default. You may also run spectre-meltdown-checker offline by specifying the paths to the kernel, config and System.map files:

# cd /boot
# spectre-meltdown-checker.sh \
--no-color \
--kernel vmlinuz-6.4.0-150600.9-default \
--config config-6.4.0-150600.9-default \
--map System.map-6.4.0-150600.9-default| tee filename.txt

Other useful options are:

--verbose, -v

Increase verbosity; repeat for more verbosity, for example -v -v -v

--explain

Print human-readable explanations

--batch [short] [json] [nrpe] [prometheus]

Format output in various machine-readable formats

Important
Important: --disclaimer option

spectre-meltdown-checker.sh --disclaimer provides important information about what the script does, and does not do.

16.2 More information

For more information, see the following references: