How to check Linux for Spectre and Meltdown vulnerability
$ git clone https://github.com/speed47/spectre-meltdown-checker.git
Cloning into 'spectre-meltdown-checker'...
remote: Counting objects: 158, done.
remote: Compressing objects: 100% (23/23), done.
remote: Total 158 (delta 20), reused 22 (delta 10), pack-reused 125
Receiving objects: 100% (158/158), 52.25 KiB | 252.00 KiB/s, done.
Resolving deltas: 100% (90/90), done.
[jacky@machina spectre-meltdown-checker]$ sudo sh spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.16
Checking vulnerabilities against Linux 4.14.11_1 #1 SMP PREEMPT Wed Jan 3 16:59:01 UTC 2018 x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
- Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 31 opcodes found, should be >= 70)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
- Mitigation 1
- Hardware (CPU microcode) support for mitigation: NO
- Kernel support for IBRS: NO
- IBRS enabled for Kernel space: NO
- IBRS enabled for User space: NO
- Mitigation 2
- Kernel compiled with retpoline option: NO
- Kernel compiled with a retpoline-aware compiler: NO
STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
- Kernel supports Page Table Isolation (PTI): YES
- PTI enabled and active: YES
STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
2 tests out of 3 didn't pass!!!
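
Added example, not part of the original page or of spectre-meltdown-checker: a shell helper that reduces a saved run of the checker to one result per CVE, so output like the above can be compared across hosts. The function names are hypothetical, the sample is constructed from the run shown above, and a CVE block with no STATUS line is reported as UNKNOWN and counted as a failure.

```shell
#!/bin/sh
# Added example (hypothetical helper names, not part of the checker itself).

# summarize_checker: read checker output on stdin, print "CVE-ID RESULT" per CVE.
# RESULT is VULNERABLE, NOT_VULNERABLE, or UNKNOWN when the CVE block carries
# no recognizable STATUS line, so a truncated log never reads as clean.
summarize_checker() {
    awk '
        function emit() { if (cve != "") print cve, (res == "" ? "UNKNOWN" : res) }
        /^CVE-[0-9]+-[0-9]+/ { emit(); cve = $1; res = ""; next }
        /STATUS:/ {
            # Test the longer phrase first: "NOT VULNERABLE" contains "VULNERABLE".
            if ($0 ~ /STATUS: *NOT VULNERABLE/) res = "NOT_VULNERABLE"
            else if ($0 ~ /STATUS: *VULNERABLE/) res = "VULNERABLE"
        }
        END { emit() }
    '
}

# count_failures: number of CVEs whose result is anything but NOT_VULNERABLE.
count_failures() {
    summarize_checker | awk '$2 != "NOT_VULNERABLE" { n++ } END { print n + 0 }'
}

# Constructed sample: the run shown above, trimmed to a few lines per CVE.
sample_output() {
    cat <<'EOF'
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
- Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 31 opcodes found, should be >= 70)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
- Kernel compiled with retpoline option: NO
STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
- PTI enabled and active: YES
STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
EOF
}

# Print the per-CVE summary for the sample.
sample_output | summarize_checker
```

To use it on a real host, save the checker's output to a file and pipe that file into `summarize_checker` or `count_failures` instead of the sample.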