The Spectre and Meltdown Checker is a script used to check if a system is potentially vulnerable to transient execution attacks such as bounds check bypass and rogue system register read. The script, developed and maintained by the open source community, supports several open source operating systems (OSes), and looks for vulnerabilities on a variety of platforms from multiple hardware vendors. Cloud service providers, software vendors, and individual developers have been using the Spectre and Meltdown Checker since early 2018 to determine which of their systems have mitigations in place, which systems may have mitigations installed but disabled, and which systems might still be vulnerable to known transient execution attacks. The script can run on-premises, in virtualized environments, and in containers. While Spectre and Meltdown Checker does not itself mitigate any transient execution issues, it is a valuable tool to help you determine your system’s risk exposure.
Because transient execution attacks target microarchitectural features, the mitigations for these issues in many processors are often found in microcode and/or software. As a diagnostic tool, Spectre and Meltdown Checker does not make any modifications to the system or the kernel. The tool inspects the kernel image, the system hardware, and the installed microcode to determine if the system as it is running is vulnerable to known transient execution attacks. This information can help you determine if further mitigations are required.
Using Spectre and Meltdown Checker
The first step is to install the script on your system. Some Linux* distros already include this tool in their repositories, so you can first check if you can install it using your distro’s appropriate method (such as by using apt
or yum
).
If the tool is not distributed by your distro or if you want the most up to date version of the script, then you can find it at https://meltdown.ovh or the GitHub repository. In the repository, it is recommended that you check and download the existing releases. You can get the most recent version of the script by running one of the following commands from your terminal:
# curl -L https://meltdown.ovh -o spectre-meltdown-checker.sh # wget https://meltdown.ovh -o spectre-meltdown-checker.sh
Next, change the permissions of the file so it can be executed:
# chmod +x spectre-meltdown-checker.sh
Note: We recommend that you check the content of the script before you run it.
The script needs to be executed with administrator privileges. For example, you can run the script with the following command:
# sudo ./spectre-meltdown-checker.sh
The script checks your system processor’s family/model number, stepping, and model specific registers (MSRs) for each enumerated vulnerability that could affect your system. Systems that are affected and do not have updated microcode are listed as vulnerable.
Interpreting the Results
The script first checks which known vulnerabilities may affect the current processor. At this point, if the script says that your system is affected by a vulnerability, it does not mean that your system is currently vulnerable. The system could already be mitigated, but initially the script does not check for those mitigations.
Next, for each vulnerability that the system is affected by, the script will check whether mitigations are installed in the system or not. Since different vulnerabilities have different mitigations, the script checks whether appropriate mitigation is in place for each vulnerability. For example, if the vulnerability requires both microcode and software updates, it will check that both updates are in place. If any mitigations are missing, the tool will report which component should be updated.
Taking Action
If the script shows that your system is vulnerable to an issue, the first thing to do is check with your OS, application, and hypervisor vendors for system updates that can mitigate the vulnerability. Intel works with industry partners to deploy microcode updates for systems affected by these issues. You can also refer to the guidance on the Intel software security site for details on the microcode update process and guidelines for loading microcode from the OS.
Some mitigation options for transient execution attacks allow you to configure the mitigations for your particular environment and workloads. System administrators can review Intel’s guidance for production systems when deciding how to mitigate and configure vulnerable systems.