How do I check if KPTI is enabled on linux?
The Linux kernel logs the KPTI status on boot, so running the following command prints the status on patched kernels. If it prints nothing, then KPTI is disabled.
dmesg | grep 'Kernel/User page tables isolation'   # plain dmesg, not dmesg -wH: -w waits for new messages, so the pipeline never returns
Linux kernel 4.15-rc6 enabled KPTI (kernel page-table isolation), and it has been backported to
Linux kernels 4.14.11, 4.9.74, 4.4.109, 3.16.52, and 3.2.97.
So, if you are running any of these versions, KPTI is in place. Most distros (running any Linux kernel version) will push an update to the Linux kernel within a day or two to fix Meltdown and Spectre.
Note: add the kernel parameter pti=off
in GRUB to disable KPTI. For info: https://askubuntu.com/questions/19486/how-do-i-add-a-kernel-boot-parameter
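The answer above says to add pti=off in GRUB. The script below is an added example, not code from that answer: it appends a kernel parameter to the GRUB_CMDLINE_LINUX_DEFAULT line of a Debian/Ubuntu-style /etc/default/grub only if it is not already there, and takes the file path as an argument so it can be tried on a copy first. It assumes GNU sed (for -i) and that update-grub is the tool that regenerates the boot menu afterwards; the function names are chosen here.

```shell
#!/bin/sh
# Added example (not code from the answer): idempotently add a kernel boot parameter
# such as pti=off to GRUB_CMDLINE_LINUX_DEFAULT in a /etc/default/grub-style file.
# Assumptions: GNU sed (for -i), a Debian/Ubuntu-style grub defaults file, and
# update-grub to regenerate /boot/grub/grub.cfg afterwards.

# Print the value of GRUB_CMDLINE_LINUX_DEFAULT in file $1, without the quotes.
grub_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# Append kernel parameter $2 to GRUB_CMDLINE_LINUX_DEFAULT in file $1 unless it is
# already present (so running it twice does not produce "pti=off pti=off"),
# then print the resulting command line.
add_kernel_param() {
    file=$1
    param=$2
    # Create the line if the file has none, so the edit below has something to hit.
    if ! grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file"; then
        printf 'GRUB_CMDLINE_LINUX_DEFAULT=""\n' >> "$file"
    fi
    current=$(grub_cmdline "$file")
    case " $current " in
        *" $param "*)
            ;;   # already there: leave the file untouched
        *)
            if [ -z "$current" ]; then
                new=$param
            else
                new="$current $param"
            fi
            sed -i "s|^GRUB_CMDLINE_LINUX_DEFAULT=\".*\"\$|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" "$file"
            ;;
    esac
    grub_cmdline "$file"
}

# Dry run on a constructed copy so nothing on the real system changes.
demo=$(mktemp)
printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet splash"\nGRUB_CMDLINE_LINUX=""\n' > "$demo"
add_kernel_param "$demo" pti=off     # prints: quiet splash pti=off
add_kernel_param "$demo" pti=off     # second call changes nothing, prints the same line
rm -f "$demo"

# On the real system (as root), then reboot; take pti=off out again to re-enable KPTI:
#   add_kernel_param /etc/default/grub pti=off && update-grub
```

Note that pti=off only takes effect after update-grub and a reboot, and that a kernel built without CONFIG_PAGE_TABLE_ISOLATION ignores the parameter entirely.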
Things that do indicate the state of KPTI:

- In standard kernels, the strings
  Kernel/User page tables isolation: enabled
  or
  Kernel/User page tables isolation: force enabled on command line
  in the dmesg output mean that the kernel is performing kernel page-table isolation. The latter message additionally means that the kernel thinks page-table isolation is not required for this CPU.

- In some vendor-patched kernels (mainly Red Hat and derivatives): a nonzero value in /sys/kernel/debug/x86/pti_enabled. The absence of this file does not mean anything, however: the standard kernel does not provide it.

- In kernel 4.14.18 or newer and the corresponding versions of the LTS kernels, the contents of /sys/devices/system/cpu/vulnerabilities/meltdown: a line beginning with "Mitigation:" indicates that a mitigation (KPTI, microcode, or something else) is in place, a line beginning with "Not affected" indicates that the CPU is believed to be unaffected by the issue, and a line beginning with "Vulnerable" indicates that the CPU is believed to be vulnerable, but no or an insufficient mitigation is in place.

Things that don't indicate the state of KPTI:

- Kernel version. Kernel 4.14.11 and newer, and the corresponding versions of the 4.1, 4.4, and 4.9 LTS kernels are capable of KPTI, but they can be compiled with it disabled, and it can be disabled at boot time. Additionally, versions older than these are not automatically at risk: some distros have backported the KPTI patches to older kernels.

- "bugs : cpu_insecure" in /proc/cpuinfo. The presence of this indicates that if the kernel is compiled for page-table isolation, and if page-table isolation hasn't been disabled at boot time or runtime, then page-table isolation will be used. Additionally, it does not indicate that a CPU is vulnerable to the Meltdown attack: the 4.14.11 kernel sets it for all x86 CPUs, while the 4.14.12 kernel sets it for all non-AMD CPUs, even ones like the Pentium MMX or the "Bonnell" Atom CPUs that aren't vulnerable.

- CONFIG_PAGE_TABLE_ISOLATION=y in the kernel configuration. This only indicates that the kernel is capable of kernel page-table isolation. KPTI can be disabled at boot time from the kernel command line through the nopti or pti=off options. On some systems, it can be disabled at runtime by writing 0 to /sys/kernel/debug/x86/pti_enabled.
On a supported kernel:
dmesg | grep 'Kernel/User page tables isolation'
will result in either enabled or disabled.
If there is no result, then the kernel does not have support for KPTI.
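The three answers above each look at one indicator. As an added example, not code from any of those answers, the POSIX shell script below combines them the way the second answer lays them out: the dmesg line, the Red Hat-style /sys/kernel/debug/x86/pti_enabled flag, and /sys/devices/system/cpu/vulnerabilities/meltdown. The classifier functions read from stdin so they can be run on captured text; check_kpti_system() (a name chosen here, like the other function names) reads the live system. It assumes an x86 Linux kernel. A missing dmesg line is labelled "no-message" rather than "unsupported" on purpose: the kernel prints that line only when it actually switched KPTI on or was forced to, so it is also absent when the kernel judges the CPU not affected, and dmesg may be root-only or its ring buffer may have rolled over on a long-running machine. The sysfs file, where it exists, is the kernel's own summary and is therefore preferred for the verdict.

```shell
#!/bin/sh
# Added example, not from any of the answers: combine the KPTI indicators they
# describe into one check. Assumes an x86 Linux kernel; function names are ours.

# Classify dmesg text on stdin by the last "Kernel/User page tables isolation" line.
#   enabled        KPTI is active
#   force-enabled  "force enabled on command line": pti=on on a CPU judged not affected
#   disabled       "disabled on command line" (pti=off / nopti) on an affected CPU
#   no-message     no such line: no KPTI support, or CPU judged not affected (the
#                  kernel prints nothing then), or dmesg is root-only / rolled over
kpti_from_dmesg() {
    line=$(grep 'Kernel/User page tables isolation' | tail -n 1)
    case "$line" in
        "")                  echo no-message ;;
        *"force enabled"*)   echo force-enabled ;;
        *disabled*)          echo disabled ;;
        *enabled*)           echo enabled ;;
        *)                   echo unknown ;;
    esac
}

# Classify the first line of /sys/devices/system/cpu/vulnerabilities/meltdown on stdin.
meltdown_status() {
    line=$(head -n 1)
    case "$line" in
        "Mitigation:"*)  echo mitigated ;;
        "Not affected"*) echo not-affected ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Classify the contents of /sys/kernel/debug/x86/pti_enabled (vendor kernels) on stdin.
pti_debugfs_status() {
    case "$(head -n 1)" in
        0)      echo disabled ;;
        [1-9]*) echo enabled ;;
        *)      echo unknown ;;
    esac
}

# Combine the dmesg classification ($1) with the sysfs one ($2, or "absent" when the
# file does not exist). sysfs wins when present; dmesg is only a fallback.
kpti_verdict() {
    case "$2" in
        absent)
            case "$1" in
                no-message|unknown) echo unknown ;;
                *)                  echo "$1" ;;
            esac ;;
        *) echo "$2" ;;
    esac
}

# Report every indicator on the running system and a final verdict.
check_kpti_system() {
    sysfs=/sys/devices/system/cpu/vulnerabilities/meltdown
    dbg=/sys/kernel/debug/x86/pti_enabled

    d=$(dmesg 2>/dev/null | kpti_from_dmesg)   # dmesg may need root
    echo "dmesg:   $d"
    if [ -r "$dbg" ]; then
        echo "debugfs: $(pti_debugfs_status < "$dbg")"
    fi
    if [ -r "$sysfs" ]; then
        m=$(meltdown_status < "$sysfs")
        echo "sysfs:   $m ($(head -n 1 "$sysfs"))"
    else
        m=absent
        echo "sysfs:   file absent (kernel older than 4.14.18 or the LTS equivalent)"
    fi
    echo "verdict: $(kpti_verdict "$d" "$m")"
}

check_kpti_system
```

On a current kernel the sysfs line for a machine with KPTI active reads "Mitigation: PTI"; a verdict of "unknown" means the kernel is too old to have the sysfs file and the boot log no longer says anything, in which case the second answer's other checks (the debugfs flag on vendor kernels, or rebooting and reading dmesg early) are what is left.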