How to check that KPTI is enabled on my Ubuntu?

The current Meltdown Intel processor vulnerability is currently remedied by having page table isolation enabled. There is a question about how to turn this off: How to disable Page Table Isolation to regain performance lost due to Intel CPU security hole patch?

My question is the opposite: is there a way to check on a running system whether the PTI mechanism is effective on the system and thus the system is protected? I'm specifically looking for cat /proc/something or cat /sys/something, not checking the kernel version or a config parameter or the like.


Solution 1:

  • Grepping CONFIG_PAGE_TABLE_ISOLATION in the kernel config as Raniz suggested does not help on desktop Ubuntu, but may help on cloud instances:

    grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && \
    echo "patched :)" || echo "unpatched :("
    

  • You can check with /proc/cpuinfo as JonasCz suggested:

    grep -q "cpu_insecure\|cpu_meltdown\|kaiser" /proc/cpuinfo && echo "patched :)" \
    || echo "unpatched :("
    

  • Or from dmesg (thanks to Jason Creighton):

    dmesg | grep -q "Kernel/User page tables isolation: enabled" \
    && echo "patched :)" || echo "unpatched :("
    

  • You can compile the test program from Raphael Carvalho for Meltdown detection:

    sudo apt-get install git build-essential
    cd /tmp
    git clone https://github.com/raphaelsc/Am-I-affected-by-Meltdown.git
    cd Am-I-affected-by-Meltdown
    make
    sudo sh -c "echo 0  > /proc/sys/kernel/kptr_restrict"
    ./meltdown-checker
    

On a patched system it should end with the output

...
so far so good (i.e. meltdown safe) ...

System not affected (take it with a grain of salt though as false negative
may be reported for specific environments; Please consider running it once again).

  • Check with the tool from https://github.com/speed47/spectre-meltdown-checker:

    cd /tmp
    wget https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
    sudo sh /tmp/spectre-meltdown-checker.sh
    

On a patched system it should show the following:

Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 4.4.0-109-generic #132-Ubuntu SMP Tue Jan 9 19:52:39 UTC 2018 x86_64
...
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

Do not install 4.4.0-108-generic on Xenial! It breaks boot/reboot/shutdown/suspend functionality!

Install 4.4.0-109-generic (see USN-3522-3 for details)!


As Robie Basak already wrote, there is a page about Spectre and Meltdown vulnerabilities status in Ubuntu.

Also there are:

  • Ubuntu Security bulletin for CVE-2017-5715
  • Ubuntu Security bulletin for CVE-2017-5753
  • Ubuntu Security bulletin for CVE-2017-5754

Solution 2:

Run the following command:

dmesg | grep 'page tables isolation'

If it displays enabled, then PTI is enabled. If nothing is displayed or you see 'disabled' in the terminal, then PTI is disabled. Ubuntu has not published the patch yet, so it won't display any message.

Solution 3:

You can check with cat /proc/cpuinfo. If it reports cpu_insecure under "bugs", then PTI is enabled.

If it's blank (or just does not list cpu_insecure), then most likely you are running a kernel which has not yet been patched (Ubuntu's hasn't), or you have an AMD processor (for which this will foreseeably not be enabled, since they're not vulnerable).

Currently all CPUs are treated as vulnerable in the latest 4.15 kernel.
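The three answers each read one indicator: the kernel config, the "bugs"/"flags" entries in /proc/cpuinfo, or the "Kernel/User page tables isolation" line in dmesg. The script below is an added example, not code from any of the answers or from the tools they link. It runs those checks together and adds the /sys file the question was asking for: /sys/devices/system/cpu/vulnerabilities/meltdown, which kernels 4.15 and later (and distribution kernels that backported the Meltdown work) expose with the values "Mitigation: PTI", "Vulnerable" or "Not affected". It also keeps apart two things that are easy to conflate when reading Solutions 1 and 3: a cpu_meltdown or cpu_insecure entry in the cpuinfo bugs line tells you the running kernel knows the CPU is affected (so the kernel is patched), while only the sysfs file or the boot message tell you whether PTI is actually active (a kernel booted with pti=off still lists cpu_meltdown). The output words (mitigated, aware, enabled, protected and so on) are this script's own labels.

```shell
#!/bin/sh
# Added example (not code from the answers above): one script that reads the
# indicators the answers describe plus the sysfs vulnerability file, and gives
# one verdict.  Each classifier takes its input as an argument or on stdin so
# it can be exercised with constructed text as well as with the live system.

# 1. Contents of /sys/devices/system/cpu/vulnerabilities/meltdown (argument)
#    -> mitigated | not_affected | vulnerable | unknown
classify_sysfs() {
  case "$1" in
    "Mitigation: PTI"*) echo mitigated ;;
    "Not affected"*)    echo not_affected ;;
    Vulnerable*)        echo vulnerable ;;
    *)                  echo unknown ;;
  esac
}

# 2. /proc/cpuinfo text on stdin -> aware | unaware
#    "aware" means the kernel lists the CPU as affected (cpu_meltdown, or the
#    older cpu_insecure) or carries the early "kaiser" flag.  This is what the
#    answers grep for: it shows the kernel is patched, not that PTI is active.
classify_cpuinfo() {
  if grep -Eq '^(bugs|flags)[[:space:]]*:.*(cpu_meltdown|cpu_insecure|kaiser)'; then
    echo aware
  else
    echo unaware
  fi
}

# 3. dmesg text on stdin -> enabled | disabled | absent
#    "absent" also results when the ring buffer has rotated or dmesg is
#    restricted to root, so treat it as "no information", not as "disabled".
classify_dmesg() {
  line=$(grep -i 'page tables isolation' | tail -n 1)
  case "$line" in
    *enabled*)  echo enabled ;;
    *disabled*) echo disabled ;;
    *)          echo absent ;;
  esac
}

# Combine the three: sysfs is authoritative when present, then the dmesg
# line; cpuinfo alone can only say the kernel knows about the bug.
verdict() {  # $1 = sysfs result, $2 = cpuinfo result, $3 = dmesg result
  case "$1" in
    mitigated|not_affected) echo protected ;;
    vulnerable)             echo unprotected ;;
    *)
      case "$3" in
        enabled)  echo protected ;;
        disabled) echo unprotected ;;
        *) if [ "$2" = aware ]; then echo "kernel-aware (PTI state unknown)"; else echo unknown; fi ;;
      esac ;;
  esac
}

# Read the live system.  Every read is guarded so the report never aborts on
# a kernel that lacks the sysfs file or on a host where dmesg is restricted.
report_live() {
  sysfs_file=/sys/devices/system/cpu/vulnerabilities/meltdown
  sysfs=unknown
  cpuinfo=unknown
  [ -r "$sysfs_file" ] && sysfs=$(classify_sysfs "$(cat "$sysfs_file")")
  [ -r /proc/cpuinfo ] && cpuinfo=$(classify_cpuinfo < /proc/cpuinfo)
  dm=$( (dmesg 2>/dev/null || true) | classify_dmesg)
  echo "sysfs   : $sysfs  ($sysfs_file)"
  echo "cpuinfo : $cpuinfo"
  echo "dmesg   : $dm"
  echo "verdict : $(verdict "$sysfs" "$cpuinfo" "$dm")"
}

report_live
```

Save it as kpti-check.sh and run sh kpti-check.sh; run it as root where dmesg is restricted, otherwise the dmesg line will read "absent" and the verdict falls back to the sysfs file and cpuinfo.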