65

The current Meltdown Intel processor vulnerability is currently remedied by having page table isolation enabled. There is a question on how to turn this off: How to disable Page Table Isolation to regain performance lost due to Intel CPU security hole patch?

My question is opposite: is there a way to check on a running system whether the PTI mechanism is effective on the system and thus the system is protected? I'm specifically looking for cat /proc/something or cat /sys/something, not checking for kernel version or config parameter or the like.

Braiam
  • 69,112

7 Answers

63
  • Grepping CONFIG_PAGE_TABLE_ISOLATION in the kernel config as Raniz suggested does not help on desktop Ubuntu, but may help on cloud instances:

    grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && \
    echo "patched :)" || echo "unpatched :("
    

  • You can check with /proc/cpuinfo as JonasCz suggested:

    grep -q "cpu_insecure\|cpu_meltdown\|kaiser" /proc/cpuinfo && echo "patched :)" \
    || echo "unpatched :("
    

  • Or from dmesg (thanks to Jason Creighton):

    dmesg | grep -q "Kernel/User page tables isolation: enabled" \
    && echo "patched :)" || echo "unpatched :("
    

  • You can compile the test program from Raphael Carvalho for Meltdown detection:

    sudo apt-get install git build-essential
    cd /tmp
    git clone https://github.com/raphaelsc/Am-I-affected-by-Meltdown.git
    cd Am-I-affected-by-Meltdown
    make
    sudo sh -c "echo 0  > /proc/sys/kernel/kptr_restrict"
    ./meltdown-checker
    

On a patched system it should end with the output:

...
so far so good (i.e. meltdown safe) ...

System not affected (take it with a grain of salt though as false negative
may be reported for specific environments; Please consider running it once again).

On a patched system it should show the following:

Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 4.4.0-109-generic #132-Ubuntu SMP Tue Jan 9 19:52:39 UTC 2018 x86_64
...
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

Do not install 4.4.0-108-generic on Xenial! It breaks boot/reboot/shutdown/suspend functionality!

Install 4.4.0-109-generic (see USN-3522-3 for details)!


As Robie Basak already wrote, there is a page about the Spectre and Meltdown vulnerability status in Ubuntu.

Also there are:

N0rbert
  • 103,263
18

Run the following command:

dmesg | grep 'page tables isolation'

If it displays enabled, then PTI is enabled. If nothing is displayed or you see 'disabled' in the terminal, then PTI is disabled. Ubuntu has not published the patch yet, so it won't display any message.

Aadhil
  • 394
13

You can check with cat /proc/cpuinfo, if it reports cpu_insecure under "bugs", then PTI is enabled.

If it's blank (or just does not list cpu_insecure), then most likely you are running a kernel which has not yet been patched (Ubuntu's hasn't), or you have an AMD processor (for which this will foreseeably not be enabled, since they're not vulnerable).

Currently all CPUs are treated as vulnerable in the latest 4.15 kernel.

Jonas Czech
  • 4,047
8

You can run the command below to see all available mitigations (not only for PTI but also for other vulnerabilities):

$ cat /sys/devices/system/cpu/vulnerabilities/*
Mitigation: PTE Inversion
Mitigation: Clear CPU buffers; SMT vulnerable
Mitigation: PTI
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
Mitigation: usercopy/swapgs barriers and __user pointer sanitization
Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling
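The checks from the answers above (the vulnerabilities directory under /sys, the bugs field of /proc/cpuinfo, and the kernel command line) combined into one script. This is an added example, not code from any of the answers or from the checker projects they link. Every function takes a file path, so it can be run against saved copies of the files as well as the live system, and the sample file contents used below are constructed. The point it enforces: only the sysfs file reports the mitigation state. A cpu_meltdown (or, in the early backports, cpu_insecure) flag in /proc/cpuinfo means the kernel detected a vulnerable CPU, not that PTI is active, because PTI can still be switched off with nopti or pti=off on the kernel command line. dmesg is deliberately not used: the ring buffer rotates and dmesg may be restricted to root via kernel.dmesg_restrict.

```shell
#!/bin/sh
# Added example (not from any answer above): classify Meltdown/PTI status
# from the kernel's own status files. Each function takes a PATH argument.

# Authoritative check: /sys/devices/system/cpu/vulnerabilities/meltdown
# (kernel 4.15+ and distribution kernels that backported it).
# Prints one of: active, vulnerable, not-affected, unknown (file absent).
pti_status_from_sysfs() {
    f="$1"
    [ -r "$f" ] || { echo unknown; return 0; }
    case "$(cat "$f")" in
        "Mitigation: PTI"*) echo active ;;
        "Not affected"*)    echo not-affected ;;
        "Vulnerable"*)      echo vulnerable ;;
        *)                  echo unknown ;;
    esac
}

# Weaker check: the "bugs" line of /proc/cpuinfo. cpu_meltdown (or the
# early name cpu_insecure) means the kernel *detected* a vulnerable CPU;
# it does not prove PTI is on. Prints: flagged, not-flagged, or unknown
# (no bugs line at all, i.e. the kernel predates the flag).
cpu_flagged_in_cpuinfo() {
    f="$1"
    [ -r "$f" ] || { echo unknown; return 0; }
    if ! grep -q '^bugs[[:space:]]*:' "$f"; then echo unknown; return 0; fi
    if grep '^bugs[[:space:]]*:' "$f" | grep -qwE 'cpu_meltdown|cpu_insecure'; then
        echo flagged
    else
        echo not-flagged
    fi
}

# PTI can be switched off at boot. Check /proc/cmdline for the knobs that
# do so. Prints: disabled-by-cmdline, not-disabled, or unknown.
pti_disabled_by_cmdline() {
    f="$1"
    [ -r "$f" ] || { echo unknown; return 0; }
    if tr ' ' '\n' < "$f" | grep -qxE 'nopti|pti=off'; then
        echo disabled-by-cmdline
    else
        echo not-disabled
    fi
}

# Combine: trust sysfs when it exists; otherwise fall back to cpuinfo plus
# the command line and say so, since the fallback can only say "probably".
# Arguments: SYSFS_MELTDOWN_FILE CPUINFO_FILE CMDLINE_FILE
meltdown_verdict() {
    sysfs=$(pti_status_from_sysfs "$1")
    case "$sysfs" in
        active)       echo "protected (PTI active)"; return 0 ;;
        not-affected) echo "protected (CPU not affected)"; return 0 ;;
        vulnerable)   echo "NOT protected (kernel reports Vulnerable)"; return 0 ;;
    esac
    flag=$(cpu_flagged_in_cpuinfo "$2")
    cmd=$(pti_disabled_by_cmdline "$3")
    if [ "$flag" = flagged ] && [ "$cmd" = not-disabled ]; then
        echo "probably protected (kernel knows about Meltdown, PTI not disabled on cmdline)"
    elif [ "$flag" = flagged ]; then
        echo "NOT protected (PTI disabled via kernel command line)"
    else
        echo "unknown (no sysfs entry and no cpu_meltdown flag; kernel likely unpatched)"
    fi
}

# Live check. Any of these paths may be missing on an old kernel; the
# functions handle that and the verdict degrades to "unknown".
meltdown_verdict /sys/devices/system/cpu/vulnerabilities/meltdown /proc/cpuinfo /proc/cmdline
```

The verdict is intentionally asymmetric: a sysfs answer ends the decision immediately, while the fallback never claims more than "probably", which matches the question's request for a /proc or /sys check rather than a kernel version or config comparison.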
8

I found this great sh script to test Meltdown/spectre vulnerabilities on your system:

https://github.com/speed47/spectre-meltdown-checker

The script checks your system for known Meltdown and Spectre patches and tells you whether these vulnerabilities are now mitigated by your OS.

2

You can check /proc/config.gz for CONFIG_PAGE_TABLE_ISOLATION=y which means that the kernel was compiled with KPTI.

This is on my patched Arch Linux system running 4.14.11-1:

$ zgrep CONFIG_PAGE_TABLE_ISOLATION /proc/config.gz 
CONFIG_PAGE_TABLE_ISOLATION=y
Raniz
  • 314
1

On my AWS Ubuntu 14.04.5 LTS EC2 instance, I ran

grep CONFIG_PAGE_TABLE_ISOLATION /boot/config-$(uname -r)

It should say:

CONFIG_PAGE_TABLE_ISOLATION=y

To update I did:

sudo apt-get update && sudo apt-get install linux-image-generic

I think also this is OK:

sudo apt-get update
sudo apt-get dist-upgrade

To check kernel version:

uname -r

Needs to be 3.13.0-139-generic or newer.

wjandrea
  • 14,504
drKreso
  • 111