[PATCH] gnu: Add spectre-meltdown-checker.

  • Done
  • quality assurance status badge
Details
4 participants
  • Leo Prikler
  • Liliana Marie Prikler
  • Christopher Baines
  • phodina
Owner
unassigned
Submitted by
phodina
Severity
normal
Merged with
P
P
phodina wrote on 5 Aug 2021 19:00
(name . guix-patches@gnu.org)(address . guix-patches@gnu.org)
Ii5fCk64CrGnMUNdnAJUdN1GI8QDpCLu3mLvw-dnS01TTlAg8pGKJgdcHLnrmKwT9QkGEGSv1ez0nFWcy6rflvzxhKhXB7RkuXzKK-8v2LQ=@protonmail.com
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.

Toggle diff (65 lines)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 4ca2a386e1..f89f6f259e 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -53,6 +53,7 @@
;;; Copyright © 2020 pukkamustard <pukkamustard@posteo.net>
;;; Copyright © 2021 B. Wilson <elaexuotee@wilsonb.com>
;;; Copyright © 2021 Ivan Gankevich <i.gankevich@spbu.ru>
+;;; Copyright © 2021 Petr Hodina <phodina@protonmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -148,6 +149,7 @@
#:use-module (guix build-system cmake)
#:use-module (guix build-system gnu)
#:use-module (guix build-system go)
+ #:use-module (guix build-system copy)
#:use-module (guix build-system meson)
#:use-module (guix build-system python)
#:use-module (guix build-system trivial)
@@ -7191,6 +7193,44 @@ interfaces in parallel environments.")
(supported-systems '("i686-linux" "x86_64-linux"))
(license (list license:bsd-2 license:gpl2)))) ;dual

+(define-public spectre-meltdown-checker
+(package
+ (name "spectre-meltdown-checker")
+ (version "v0.44")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam"))))
+ (build-system copy-build-system)
+ (inputs `(("util-linux" ,util-linux)
+ ("binutils" ,binutils)))
+ (synopsis "Spectre, Meltdown ... vulnerability/mitigation checker")
+ (description "A shell script to assess your system's resilience against
+the several transient execution CVEs that were published since early 2018,
+and give you guidance as to how to mitigate them.
+@enumerate
+@item Bounds Check Bypass
+@item Branch Target Injection
+@item Rogue Data Cache Load
+@item Rogue System Register Read
+@item Speculative Store Bypass
+@item L1 Terminal Fault (SGX, OS, VMM)
+@item Microarchitectural Store Buffer Data Sampling
+@item Microarchitectural Fill Buffer Data Sampling
+@item Microarchitectural Load Port Data Sampling
+@item Microarchitectural Data Sampling Uncacheable Memory
+@item TSX asynchronous abort
+@item Machine Mheck Exception on Page Size Changes
+@item Special Register Buffer Data Sampling
+@end enumerate")
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (license license:gpl3)))
+
(define-public snapscreenshot
(package
(name "snapscreenshot")
--
2.32.0
L
L
Leo Prikler wrote on 6 Aug 2021 15:58
a738184471e3b29dd342483da16e370472d5497c.camel@student.tugraz.at
Hi,

Am Donnerstag, den 05.08.2021, 17:00 +0000 schrieb phodina:
Toggle quote (30 lines)
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
>
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index 4ca2a386e1..f89f6f259e 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -53,6 +53,7 @@
> ;;; Copyright © 2020 pukkamustard <pukkamustard@posteo.net>
> ;;; Copyright © 2021 B. Wilson <elaexuotee@wilsonb.com>
> ;;; Copyright © 2021 Ivan Gankevich <i.gankevich@spbu.ru>
> +;;; Copyright © 2021 Petr Hodina <phodina@protonmail.com>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -148,6 +149,7 @@
> #:use-module (guix build-system cmake)
> #:use-module (guix build-system gnu)
> #:use-module (guix build-system go)
> + #:use-module (guix build-system copy)
> #:use-module (guix build-system meson)
> #:use-module (guix build-system python)
> #:use-module (guix build-system trivial)
> @@ -7191,6 +7193,44 @@ interfaces in parallel environments.")
> (supported-systems '("i686-linux" "x86_64-linux"))
> (license (list license:bsd-2 license:gpl2)))) ;dual
>
> +(define-public spectre-meltdown-checker
> +(package
> + (name "spectre-meltdown-checker")
> + (version "v0.44")
Version should be "0.44".
Toggle quote (6 lines)
> + (source (origin
> + (method git-fetch)
> + (uri (git-reference
> + (url "
> https://github.com/speed47/spectre-meltdown-checker")
> + (commit version)))
Use (string-append "v" version).
Toggle quote (6 lines)
> + (file-name (git-file-name name version))
> + (sha256
> + (base32
> + "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam"
> ))))
> + (build-system copy-build-system)
copy-build-system needs an install plan to be meaningful.
Toggle quote (8 lines)
> + (inputs `(("util-linux" ,util-linux)
> + ("binutils" ,binutils)))
> + (synopsis "Spectre, Meltdown ... vulnerability/mitigation
> checker")
> + (description "A shell script to assess your system's resilience
> against
> +the several transient execution CVEs that were published since early
> 2018,
"the several CVEs" is quite an obscure formulation if correct English.
Just "several CVEs" should mean about the same while being more
understandable.
Toggle quote (16 lines)
> +and give you guidance as to how to mitigate them.
> +@enumerate
> +@item Bounds Check Bypass
> +@item Branch Target Injection
> +@item Rogue Data Cache Load
> +@item Rogue System Register Read
> +@item Speculative Store Bypass
> +@item L1 Terminal Fault (SGX, OS, VMM)
> +@item Microarchitectural Store Buffer Data Sampling
> +@item Microarchitectural Fill Buffer Data Sampling
> +@item Microarchitectural Load Port Data Sampling
> +@item Microarchitectural Data Sampling Uncacheable Memory
> +@item TSX asynchronous abort
> +@item Machine Mheck Exception on Page Size Changes
> +@item Special Register Buffer Data Sampling
> +@end enumerate")
Not sure if we want to maintain this enumeration tbh.
Toggle quote (3 lines)
> + (license license:gpl3)))

Regards
P
P
phodina wrote on 7 Aug 2021 11:04
[PATCH v2] gnu: Add spectre-meltdown-checker.
(address . 49898@debbugs.gnu.org)(name . Leo Prikler)(address . leo.prikler@student.tugraz.at)
3xoFvRtUq0ydTy_fT8l5k0jlZhvtRTdSW107c9FiBmSCvQtXUapBOqbJkTEYJtGQrlcc9RcmOSdvqayP_lMcYc71m4squo4DReV_zFEt-00=@protonmail.com
Thanks Leo for the suggestions!
-------------------
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.

Toggle diff (53 lines)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 4ca2a386e1..3529fa02e2 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -53,6 +53,7 @@
;;; Copyright © 2020 pukkamustard <pukkamustard@posteo.net>
;;; Copyright © 2021 B. Wilson <elaexuotee@wilsonb.com>
;;; Copyright © 2021 Ivan Gankevich <i.gankevich@spbu.ru>
+;;; Copyright © 2021 Petr Hodina <phodina@protonmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -148,6 +149,7 @@
#:use-module (guix build-system cmake)
#:use-module (guix build-system gnu)
#:use-module (guix build-system go)
+ #:use-module (guix build-system copy)
#:use-module (guix build-system meson)
#:use-module (guix build-system python)
#:use-module (guix build-system trivial)
@@ -7191,6 +7193,32 @@ interfaces in parallel environments.")
(supported-systems '("i686-linux" "x86_64-linux"))
(license (list license:bsd-2 license:gpl2)))) ;dual

+(define-public spectre-meltdown-checker
+(package
+ (name "spectre-meltdown-checker")
+ (version "0.44")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam"))))
+ (build-system copy-build-system)
+ (arguments
+ `(#:install-plan '(("spectre-meltdown-checker.sh"
+ "bin/spectre-meltdown-checker.sh"))))
+ (inputs `(("util-linux" ,util-linux)
+ ("binutils" ,binutils)))
+ (synopsis "Spectre, Meltdown ... vulnerability/mitigation checker")
+ (description "A shell script to assess your system's resilience against
+the several transient execution CVEs that were published since early 2018,
+and give you guidance as to how to mitigate them.")
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (license license:gpl3)))
+
(define-public snapscreenshot
(package
(name "snapscreenshot")
--
2.32.0
L
L
Leo Prikler wrote on 7 Aug 2021 11:50
9500dbad2e885d13d06e3301f27261823d6f8698.camel@student.tugraz.at
Hi,

Am Samstag, den 07.08.2021, 09:04 +0000 schrieb phodina:
Toggle quote (49 lines)
> Thanks Leo for the suggestions!
> -------------------
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
>
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index 4ca2a386e1..3529fa02e2 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -53,6 +53,7 @@
> ;;; Copyright © 2020 pukkamustard <pukkamustard@posteo.net>
> ;;; Copyright © 2021 B. Wilson <elaexuotee@wilsonb.com>
> ;;; Copyright © 2021 Ivan Gankevich <i.gankevich@spbu.ru>
> +;;; Copyright © 2021 Petr Hodina <phodina@protonmail.com>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -148,6 +149,7 @@
> #:use-module (guix build-system cmake)
> #:use-module (guix build-system gnu)
> #:use-module (guix build-system go)
> + #:use-module (guix build-system copy)
> #:use-module (guix build-system meson)
> #:use-module (guix build-system python)
> #:use-module (guix build-system trivial)
> @@ -7191,6 +7193,32 @@ interfaces in parallel environments.")
> (supported-systems '("i686-linux" "x86_64-linux"))
> (license (list license:bsd-2 license:gpl2)))) ;dual
>
> +(define-public spectre-meltdown-checker
> +(package
> + (name "spectre-meltdown-checker")
> + (version "0.44")
> + (source (origin
> + (method git-fetch)
> + (uri (git-reference
> + (url "
> https://github.com/speed47/spectre-meltdown-checker")
> + (commit (string-append "v" version))))
> + (file-name (git-file-name name version))
> + (sha256
> + (base32
> + "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam"
> ))))
> + (build-system copy-build-system)
> + (arguments
> + `(#:install-plan '(("spectre-meltdown-checker.sh"
> + "bin/spectre-meltdown-checker.sh"))))
> + (inputs `(("util-linux" ,util-linux)
> + ("binutils" ,binutils)))
We typically sort inputs alphabetically.
Toggle quote (9 lines)
> + (synopsis "Spectre, Meltdown ... vulnerability/mitigation
> checker")
> + (description "A shell script to assess your system's resilience
> against
> +the several transient execution CVEs that were published since early
> 2018,
> +and give you guidance as to how to mitigate them.")
> + (home-page "https://github.com/speed47/spectre-meltdown-checker")
> + (license license:gpl3)))
This looks better, but after running the checker in a few
configurations (it doesn't appear to make a difference whether with or
without root, but judging from the papers some attacks would require
sudo) I've noticed that commands are insufficiently hardcoded.
For instance, the check for Spectre Variant 1 requires perl, which is
not available and the line stating so is hidden well among a large wall
of output.
Likewise, I don't think simply including binutils does anything, you'll
have to patch those in as well if you want them.

Regards,
P
P
phodina wrote on 8 Aug 2021 13:05
[PATCH v3] gnu: Add spectre-meltdown-checker.
(address . 49898@debbugs.gnu.org)(name . Leo Prikler)(address . leo.prikler@student.tugraz.at)
Qnv2d9veC0SXJimwcILw0UislAW8WkkHHDTmEn8RNRI-jmuH3nFOcMI7z0YLHifpvjyoA4CCLYLk92cQ651b-UUWMRUCgvtpXQH5dMs5eHM=@protonmail.com
Toggle quote (21 lines)
>
> This looks better, but after running the checker in a few
>
> configurations (it doesn't appear to make a difference whether with or
>
> without root, but judging from the papers some attacks would require
>
> sudo) I've noticed that commands are insufficiently hardcoded.
>
> For instance, the check for Spectre Variant 1 requires perl, which is
>
> not available and the line stating so is hidden well among a large wall
>
> of output.
>
> Likewise, I don't think simply including binutils does anything, you'll
>
> have to patch those in as well if you want them.
>
> Regards,

Yes, it's unfortunately well hidden and there seems to be a mix of tools also
available only for BSD. I wanted to run it in pure environment and with =-e=
but there are many condtitions that exit at once.

So I went throught the whole script and listed the commands.
Not sure regarding the admin priviledges. I'll create issue on the upstream
regarding the requirements. The Dockerfile gives some hints but it's not exhaustive.

Kind regards,
Petr

-----------------------------------------------------

* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.

Toggle diff (73 lines)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 4ca2a386e1..24f7d43b33 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -53,6 +53,7 @@
;;; Copyright © 2020 pukkamustard <pukkamustard@posteo.net>
;;; Copyright © 2021 B. Wilson <elaexuotee@wilsonb.com>
;;; Copyright © 2021 Ivan Gankevich <i.gankevich@spbu.ru>
+;;; Copyright © 2021 Petr Hodina <phodina@protonmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -137,6 +138,7 @@
#:use-module (gnu packages video)
#:use-module (gnu packages vulkan)
#:use-module (gnu packages web)
+ #:use-module (gnu packages wget)
#:use-module (gnu packages xiph)
#:use-module (gnu packages xml)
#:use-module (gnu packages xdisorg)
@@ -148,6 +150,7 @@
#:use-module (guix build-system cmake)
#:use-module (guix build-system gnu)
#:use-module (guix build-system go)
+ #:use-module (guix build-system copy)
#:use-module (guix build-system meson)
#:use-module (guix build-system python)
#:use-module (guix build-system trivial)
@@ -7191,6 +7194,44 @@ interfaces in parallel environments.")
(supported-systems '("i686-linux" "x86_64-linux"))
(license (list license:bsd-2 license:gpl2)))) ;dual

+(define-public spectre-meltdown-checker
+(package
+ (name "spectre-meltdown-checker")
+ (version "0.44")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam"))))
+ (build-system copy-build-system)
+ (arguments
+ `(#:install-plan '(("spectre-meltdown-checker.sh"
+ "bin/spectre-meltdown-checker.sh"))))
+ (inputs `(("binutils" ,binutils)
+ ("coreutils",coreutils)
+ ("gawk" ,gawk)
+ ("gzip" ,gzip)
+ ("lzop" ,lzop)
+ ("perl" ,perl)
+ ("procps" ,procps)
+ ("sqlite" ,sqlite)
+ ("util-linux" ,util-linux)
+ ("util-linux-with-udev" ,util-linux+udev)
+ ("wget" ,wget)
+ ("which" ,which)
+ ("xz" ,xz)
+ ("zstd" ,zstd)))
+ (synopsis "Spectre, Meltdown ... vulnerability/mitigation checker")
+ (description "A shell script to assess your system's resilience against
+the several transient execution CVEs that were published since early 2018,
+and give you guidance as to how to mitigate them.")
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (license license:gpl3)))
+
(define-public snapscreenshot
(package
(name "snapscreenshot")
--
2.32.0
L
L
Leo Prikler wrote on 8 Aug 2021 23:42
a4a2aeaa9b74f6b1f9ee41bf430cb3132777af09.camel@student.tugraz.at
Hi,

Am Sonntag, den 08.08.2021, 11:05 +0000 schrieb phodina:
Toggle quote (4 lines)
> Yes, it's unfortunately well hidden and there seems to be a mix of
> tools also available only for BSD. I wanted to run it in pure
> environment and with =-e= but there are many condtitions that exit at
> once.
I don't think the BSD ones should be too much of an issue, but if we
ever decide to ship a BSD kernel, that might become relevant.
Toggle quote (4 lines)
> So I went throught the whole script and listed the commands.
> Not sure regarding the admin priviledges. I'll create issue on the
> upstream regarding the requirements. The Dockerfile gives some hints
> but it's not exhaustive.
As far as I can see, I don't think it claims sudo on your behalf, so
that should be fine.

Toggle quote (65 lines)
> -----------------------------------------------------
>
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
>
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index 4ca2a386e1..24f7d43b33 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -53,6 +53,7 @@
> ;;; Copyright © 2020 pukkamustard <pukkamustard@posteo.net>
> ;;; Copyright © 2021 B. Wilson <elaexuotee@wilsonb.com>
> ;;; Copyright © 2021 Ivan Gankevich <i.gankevich@spbu.ru>
> +;;; Copyright © 2021 Petr Hodina <phodina@protonmail.com>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -137,6 +138,7 @@
> #:use-module (gnu packages video)
> #:use-module (gnu packages vulkan)
> #:use-module (gnu packages web)
> + #:use-module (gnu packages wget)
> #:use-module (gnu packages xiph)
> #:use-module (gnu packages xml)
> #:use-module (gnu packages xdisorg)
> @@ -148,6 +150,7 @@
> #:use-module (guix build-system cmake)
> #:use-module (guix build-system gnu)
> #:use-module (guix build-system go)
> + #:use-module (guix build-system copy)
> #:use-module (guix build-system meson)
> #:use-module (guix build-system python)
> #:use-module (guix build-system trivial)
> @@ -7191,6 +7194,44 @@ interfaces in parallel environments.")
> (supported-systems '("i686-linux" "x86_64-linux"))
> (license (list license:bsd-2 license:gpl2)))) ;dual
>
> +(define-public spectre-meltdown-checker
> +(package
> + (name "spectre-meltdown-checker")
> + (version "0.44")
> + (source (origin
> + (method git-fetch)
> + (uri (git-reference
> + (url "
> https://github.com/speed47/spectre-meltdown-checker")
> + (commit (string-append "v" version))))
> + (file-name (git-file-name name version))
> + (sha256
> + (base32
> + "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam"
> ))))
> + (build-system copy-build-system)
> + (arguments
> + `(#:install-plan '(("spectre-meltdown-checker.sh"
> + "bin/spectre-meltdown-checker.sh"))))
> + (inputs `(("binutils" ,binutils)
> + ("coreutils",coreutils)
> + ("gawk" ,gawk)
> + ("gzip" ,gzip)
> + ("lzop" ,lzop)
> + ("perl" ,perl)
> + ("procps" ,procps)
> + ("sqlite" ,sqlite)
> + ("util-linux" ,util-linux)
> + ("util-linux-with-udev" ,util-linux+udev)
Why both?
Toggle quote (4 lines)
> + ("wget" ,wget)
> + ("which" ,which)
> + ("xz" ,xz)
> + ("zstd" ,zstd)))
Are you sure that mere presence of these packages as inputs will do
anything to patch them? Because I'm not so much.

Regards
P
P
phodina wrote on 18 Sep 2021 17:25
[PATCH v4] gnu: Add spectre-meltdown-checker.
(name . Leo Prikler)(address . leo.prikler@student.tugraz.at)(address . 49898@debbugs.gnu.org)
ro6LEVb1lZX66TIhJRou2oJNVqkve4lPilQvbcIvlQSie3YYQHyNr4TGnW0etRRqv53uKAwAh2IbYG0FQFiH_exvAeqFq2I3zRBTqEYthMA=@protonmail.com
Hi Leo,

I've substituted most of the commands. The only commands at the moment are echo and printf. I haven't found regexp that would work as they are text is also used for variables.

Otherwise the rest of the commands should be covered.
Toggle snippet (127 lines)
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 46c9f817a8..905048a5be 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -53,6 +53,7 @@
;;; Copyright © 2020 pukkamustard <pukkamustard@posteo.net>
;;; Copyright © 2021 B. Wilson <elaexuotee@wilsonb.com>
;;; Copyright © 2021 Ivan Gankevich <i.gankevich@spbu.ru>
+;;; Copyright © 2021 Petr Hodina <phodina@protonmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -138,6 +139,7 @@
#:use-module (gnu packages video)
#:use-module (gnu packages vulkan)
#:use-module (gnu packages web)
+ #:use-module (gnu packages wget)
#:use-module (gnu packages xiph)
#:use-module (gnu packages xml)
#:use-module (gnu packages xdisorg)
@@ -149,6 +151,7 @@
#:use-module (guix build-system cmake)
#:use-module (guix build-system gnu)
#:use-module (guix build-system go)
+ #:use-module (guix build-system copy)
#:use-module (guix build-system meson)
#:use-module (guix build-system python)
#:use-module (guix build-system trivial)
@@ -7372,6 +7375,93 @@ interfaces in parallel environments.")
(supported-systems '("i686-linux" "x86_64-linux"))
(license (list license:bsd-2 license:gpl2)))) ;dual

+(define-public spectre-meltdown-checker
+ (package
+ (name "spectre-meltdown-checker")
+ (version "0.44")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam"))))
+ (build-system copy-build-system)
+ (arguments
+ `(#:install-plan '(("spectre-meltdown-checker.sh"
+ "bin/spectre-meltdown-checker.sh"))
+ #:phases
+ (modify-phases %standard-phases
+ (add-after 'unpack 'fix-relative-locations
+ (lambda* (#:key outputs #:allow-other-keys)
+ (let ((icoreutils (assoc-ref %build-inputs "coreutils"))
+ (igrep (assoc-ref %build-inputs "grep"))
+ (iutil-linux (assoc-ref %build-inputs "util-linux"))
+ (iutil-linux-with-udev
+ (assoc-ref %build-inputs "util-linux-with-udev"))
+ (igawk (assoc-ref %build-inputs "gawk"))
+ (igzip (assoc-ref %build-inputs "gzip"))
+ (iunzip (assoc-ref %build-inputs "unzip"))
+ (ilzop (assoc-ref %build-inputs "lzop"))
+ (iperl (assoc-ref %build-inputs "perl"))
+ (iprocps (assoc-ref %build-inputs "procps"))
+ (isqlite (assoc-ref %build-inputs "sqlite"))
+ (iwget (assoc-ref %build-inputs "wget"))
+ (iwhich (assoc-ref %build-inputs "which"))
+ (ixz (assoc-ref %build-inputs "xz"))
+ (izstd (assoc-ref %build-inputs "zstd")))
+ (substitute* "spectre-meltdown-checker.sh"
+ ; TODO: Find regexp what will work
+ ;(("echo") (string-append icoreutils "/bin/echo"))
+ ;(("printf") (string-append icoreutils "/bin/printf"))
+ (("dirname") (string-append icoreutils "/bin/dirname"))
+ (("cat") (string-append icoreutils "/bin/cat"))
+ (("grep[ ]+") (string-append igrep "/bin/grep "))
+ (("cut") (string-append icoreutils "/bin/cut"))
+ (("mktemp") (string-append icoreutils "/bin/mktemp"))
+ (("stat[ ]+") (string-append icoreutils "/bin/stat " ))
+ (("tail[ ]+") (string-append icoreutils "/bin/tail " ))
+ (("head[ ]+") (string-append icoreutils "/bin/head " ))
+ (("mount[ ]+") "/run/setuid-programs/mount ")
+ (("modprobe") (string-append iutil-linux "/bin/modprobe"))
+ (("dd") (string-append icoreutils "/bin/dd"))
+ (("dmesg[ ]+") (string-append iutil-linux-with-udev "/bin/dmesg "))
+ (("awk") (string-append igawk "/bin/awk"))
+ (("gzip") (string-append igzip "/bin/gzip"))
+ (("unzip") (string-append iunzip "/bin/unzip"))
+ (("lzop") (string-append ilzop "/bin/lzop"))
+ (("perl") (string-append iperl "/bin/perl"))
+ (("ps[ ]+") (string-append iprocps "/bin/ps "))
+ (("sqlite3") (string-append isqlite "/bin/sqlite3"))
+ (("wget") (string-append iwget "/bin/wget"))
+ (("which") (string-append iwhich "/bin/which"))
+ (("xz") (string-append ixz "/bin/xz"))
+ (("zstd") (string-append izstd "/bin/zstd")))))))))
+ (inputs `(("binutils" ,binutils)
+ ("coreutils",coreutils)
+ ("gawk" ,gawk)
+ ("grep" ,grep)
+ ("gzip" ,gzip)
+ ("unzip" ,unzip)
+ ("lzop" ,lzop)
+ ("perl" ,perl)
+ ("procps" ,procps)
+ ("sqlite" ,sqlite)
+ ("util-linux" ,util-linux)
+ ("util-linux-with-udev" ,util-linux+udev)
+ ("wget" ,wget)
+ ("which" ,which)
+ ("xz" ,xz)
+ ("zstd" ,zstd)))
+ (synopsis "Spectre, Meltdown ... vulnerability/mitigation checker")
+ (description "A shell script to assess your system's resilience against
+the several transient execution CVEs that were published since early 2018,
+and give you guidance as to how to mitigate them.")
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (license license:gpl3)))
+
(define-public snapscreenshot
(package
(name "snapscreenshot")
--
2.32.0
L
L
Liliana Marie Prikler wrote on 18 Sep 2021 19:03
(name . phodina)(address . phodina@protonmail.com)(address . 49898@debbugs.gnu.org)
0611f164235f06ffdfaa3eb4fa5a7915210df134.camel@gmail.com
Hi Petr,

Am Samstag, den 18.09.2021, 15:25 +0000 schrieb phodina:
Toggle quote (25 lines)
> [...]
>
>

> + (add-after 'unpack 'fix-relative-locations
> + (lambda* (#:key outputs #:allow-other-keys)
> + (let ((icoreutils (assoc-ref %build-inputs
> "coreutils"))
> + (igrep (assoc-ref %build-inputs "grep"))
> + (iutil-linux (assoc-ref %build-inputs "util-
> linux"))
> + (iutil-linux-with-udev
> + (assoc-ref %build-inputs "util-linux-with-
> udev"))
> + (igawk (assoc-ref %build-inputs "gawk"))
> + (igzip (assoc-ref %build-inputs "gzip"))
> + (iunzip (assoc-ref %build-inputs "unzip"))
> + (ilzop (assoc-ref %build-inputs "lzop"))
> + (iperl (assoc-ref %build-inputs "perl"))
> + (iprocps (assoc-ref %build-inputs "procps"))
> + (isqlite (assoc-ref %build-inputs "sqlite"))
> + (iwget (assoc-ref %build-inputs "wget"))
> + (iwhich (assoc-ref %build-inputs "which"))
> + (ixz (assoc-ref %build-inputs "xz"))
> + (izstd (assoc-ref %build-inputs "zstd")))
I don't think Hungarian notation is very helpful here.
Toggle quote (5 lines)
> + (substitute* "spectre-meltdown-checker.sh"
> + ; TODO: Find regexp what will work
> + ;(("echo") (string-append icoreutils "/bin/echo"))
> + ;(("printf") (string-append icoreutils
> "/bin/printf"))
There are multiple ways of handling this, but I thing the best one
would be to substitute both `command -v printf' and `which echo' with
the path to false, then match the line
[ -z "$echo_cmd" ] && echo_cmd='echo'
and instead put there
echo_cmd_type='printf'
echo_cmd=(path-to "/bin/printf")

Toggle quote (31 lines)
> + (("dirname") (string-append icoreutils
> "/bin/dirname"))
> + (("cat") (string-append icoreutils "/bin/cat"))
> + (("grep[ ]+") (string-append igrep "/bin/grep "))
> + (("cut") (string-append icoreutils "/bin/cut"))
> + (("mktemp") (string-append icoreutils
> "/bin/mktemp"))
> + (("stat[ ]+") (string-append icoreutils "/bin/stat
> " ))
> + (("tail[ ]+") (string-append icoreutils "/bin/tail
> " ))
> + (("head[ ]+") (string-append icoreutils "/bin/head
> " ))
> + (("mount[ ]+") "/run/setuid-programs/mount ")
> + (("modprobe") (string-append iutil-linux
> "/bin/modprobe"))
> + (("dd") (string-append icoreutils "/bin/dd"))
> + (("dmesg[ ]+") (string-append iutil-linux-with-udev
> "/bin/dmesg "))
> + (("awk") (string-append igawk "/bin/awk"))
> + (("gzip") (string-append igzip "/bin/gzip"))
> + (("unzip") (string-append iunzip "/bin/unzip"))
> + (("lzop") (string-append ilzop "/bin/lzop"))
> + (("perl") (string-append iperl "/bin/perl"))
> + (("ps[ ]+") (string-append iprocps "/bin/ps "))
> + (("sqlite3") (string-append isqlite
> "/bin/sqlite3"))
> + (("wget") (string-append iwget "/bin/wget"))
> + (("which") (string-append iwhich "/bin/which"))
> + (("xz") (string-append ixz "/bin/xz"))
> + (("zstd") (string-append izstd "/bin/zstd")))))))))
Group those that need spaces and those that don't together, with an
explanation as to why those two groups exist.
Toggle quote (12 lines)
> + (inputs `(("binutils" ,binutils)
> + ("coreutils",coreutils)
> + ("gawk" ,gawk)
> + ("grep" ,grep)
> + ("gzip" ,gzip)
> + ("unzip" ,unzip)
> + ("lzop" ,lzop)
> + ("perl" ,perl)
> + ("procps" ,procps)
> + ("sqlite" ,sqlite)
> + ("util-linux" ,util-linux)
> + ("util-linux-with-udev" ,util-linux+udev)
Why both?
Toggle quote (20 lines)
> + ("wget" ,wget)
> + ("which" ,which)
> + ("xz" ,xz)
> + ("zstd" ,zstd)))
> + (synopsis "Spectre, Meltdown ... vulnerability/mitigation
> checker")
> + (description "A shell script to assess your system's resilience
> against
> +the several transient execution CVEs that were published since early
> 2018,
> +and give you guidance as to how to mitigate them.")
> + (home-page "https://github.com/speed47/spectre-meltdown-checker"
> )
> + (license license:gpl3)))
> +
> (define-public snapscreenshot
> (package
> (name "snapscreenshot")
> --
> 2.32.0
P
P
phodina wrote on 7 Dec 2021 23:04
[PATCH v5] gnu: Add spectre-meltdown-checker.
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)(address . 49898@debbugs.gnu.org)
D2gPGa0WXCIsO76lbxLvD3cuk1oncyGtWwqd_v8_62noAYBvKmfbJdMv-TWoDeZak8S2pVhq1hHoG6hM6-JpwqLoIYK939aGeF7muZ0J3tw=@protonmail.com
Hi Liliana,

Toggle quote (274 lines)
> Hi Petr,
>
> Am Samstag, den 18.09.2021, 15:25 +0000 schrieb phodina:
>
> > [...]
>
> > - (add-after 'unpack 'fix-relative-locations
> >
> >
> > - (lambda* (#:key outputs #:allow-other-keys)
> >
> >
> > - (let ((icoreutils (assoc-ref %build-inputs
> >
> >
> >
> > "coreutils"))
> >
> > - (igrep (assoc-ref %build-inputs "grep"))
> >
> >
> > - (iutil-linux (assoc-ref %build-inputs "util-
> >
> >
> >
> > linux"))
> >
> > - (iutil-linux-with-udev
> >
> >
> > - (assoc-ref %build-inputs "util-linux-with-
> >
> >
> >
> > udev"))
> >
> > - (igawk (assoc-ref %build-inputs "gawk"))
> >
> >
> > - (igzip (assoc-ref %build-inputs "gzip"))
> >
> >
> > - (iunzip (assoc-ref %build-inputs "unzip"))
> >
> >
> > - (ilzop (assoc-ref %build-inputs "lzop"))
> >
> >
> > - (iperl (assoc-ref %build-inputs "perl"))
> >
> >
> > - (iprocps (assoc-ref %build-inputs "procps"))
> >
> >
> > - (isqlite (assoc-ref %build-inputs "sqlite"))
> >
> >
> > - (iwget (assoc-ref %build-inputs "wget"))
> >
> >
> > - (iwhich (assoc-ref %build-inputs "which"))
> >
> >
> > - (ixz (assoc-ref %build-inputs "xz"))
> >
> >
> > - (izstd (assoc-ref %build-inputs "zstd")))
> >
> >
>
> I don't think Hungarian notation is very helpful here.
>
> > - (substitute* "spectre-meltdown-checker.sh"
> >
> >
> > - ; TODO: Find regexp what will work
> >
> >
> > - ;(("echo") (string-append icoreutils "/bin/echo"))
> >
> >
> > - ;(("printf") (string-append icoreutils
> >
> >
> >
> > "/bin/printf"))
>
> There are multiple ways of handling this, but I thing the best one
>
> would be to substitute both `command -v printf' and` which echo' with
>
> the path to false, then match the line
>
> [ -z "$echo_cmd" ] && echo_cmd='echo'
>
> and instead put there
>
> echo_cmd_type='printf'
>
> echo_cmd=(path-to "/bin/printf")
>
> > - (("dirname") (string-append icoreutils
> >
> >
> >
> > "/bin/dirname"))
> >
> > - (("cat") (string-append icoreutils "/bin/cat"))
> >
> >
> > - (("grep[ ]+") (string-append igrep "/bin/grep "))
> >
> >
> > - (("cut") (string-append icoreutils "/bin/cut"))
> >
> >
> > - (("mktemp") (string-append icoreutils
> >
> >
> >
> > "/bin/mktemp"))
> >
> > - (("stat[ ]+") (string-append icoreutils "/bin/stat
> >
> >
> >
> > " ))
> >
> > - (("tail[ ]+") (string-append icoreutils "/bin/tail
> >
> >
> >
> > " ))
> >
> > - (("head[ ]+") (string-append icoreutils "/bin/head
> >
> >
> >
> > " ))
> >
> > - (("mount[ ]+") "/run/setuid-programs/mount ")
> >
> >
> > - (("modprobe") (string-append iutil-linux
> >
> >
> >
> > "/bin/modprobe"))
> >
> > - (("dd") (string-append icoreutils "/bin/dd"))
> >
> >
> > - (("dmesg[ ]+") (string-append iutil-linux-with-udev
> >
> >
> >
> > "/bin/dmesg "))
> >
> > - (("awk") (string-append igawk "/bin/awk"))
> >
> >
> > - (("gzip") (string-append igzip "/bin/gzip"))
> >
> >
> > - (("unzip") (string-append iunzip "/bin/unzip"))
> >
> >
> > - (("lzop") (string-append ilzop "/bin/lzop"))
> >
> >
> > - (("perl") (string-append iperl "/bin/perl"))
> >
> >
> > - (("ps[ ]+") (string-append iprocps "/bin/ps "))
> >
> >
> > - (("sqlite3") (string-append isqlite
> >
> >
> >
> > "/bin/sqlite3"))
> >
> > - (("wget") (string-append iwget "/bin/wget"))
> >
> >
> > - (("which") (string-append iwhich "/bin/which"))
> >
> >
> > - (("xz") (string-append ixz "/bin/xz"))
> >
> >
> > - (("zstd") (string-append izstd "/bin/zstd")))))))))
> >
> >
>
> Group those that need spaces and those that don't together, with an
>
> explanation as to why those two groups exist.
>
> > - (inputs `(("binutils" ,binutils)
> > - ("coreutils",coreutils)
> >
> >
> > - ("gawk" ,gawk)
> >
> >
> > - ("grep" ,grep)
> >
> >
> > - ("gzip" ,gzip)
> >
> >
> > - ("unzip" ,unzip)
> >
> >
> > - ("lzop" ,lzop)
> >
> >
> > - ("perl" ,perl)
> >
> >
> > - ("procps" ,procps)
> >
> >
> > - ("sqlite" ,sqlite)
> >
> >
> > - ("util-linux" ,util-linux)
> >
> >
> > - ("util-linux-with-udev" ,util-linux+udev)
> >
> >
>
> Why both?
>
> > - ("wget" ,wget)
> >
> >
> > - ("which" ,which)
> >
> >
> > - ("xz" ,xz)
> >
> >
> > - ("zstd" ,zstd)))
> >
> >
> > - (synopsis "Spectre, Meltdown ... vulnerability/mitigation
> >
> > checker")
> > - (description "A shell script to assess your system's resilience
> >
> > against
> >
> > +the several transient execution CVEs that were published since early
> >
> > 2018,
> >
> > +and give you guidance as to how to mitigate them.")
> > - (home-page "https://github.com/speed47/spectre-meltdown-checker"
> >
> > )
> > - (license license:gpl3)))
> >
> > (define-public snapscreenshot
> >
> > (package
> >
> > (name "snapscreenshot")
> > ----------------------------------------------------------------
> >
> > 2.32.0

I've used the wrap-program as an alternative to the your suggested solution.

Going through the program there is a function update_fwdb [1] that downloads and updates database files when the script is executed with the --update-fwdb argument.

I've added both files [2][3] in question to the lists of inputs.

However, since they are supposed to be updated at runtime (stored in $HOME) I don't know to represent this in the package definition.

Could you please suggest how to proceed?

----
Petr

L
L
Liliana Marie Prikler wrote on 26 Jun 2022 12:23
(name . phodina)(address . phodina@protonmail.com)(address . 49898@debbugs.gnu.org)
9fb60e57ba5ed684c5ad113c3b9861e7d2e922e0.camel@gmail.com
Hi Petr,

sorry for the very late reply. Are you still interested in adding
spectre-meltdown-checker? If so, there's a new version out. Also...

Am Dienstag, dem 07.12.2021 um 22:04 +0000 schrieb phodina:
Toggle quote (2 lines)
> I've used the wrap-program as an alternative to the your suggested
> solution.
That does work, but remains quite inelegant.

Toggle quote (10 lines)
> Going through the program there is a function update_fwdb [1] that
> downloads and updates database files when the script is executed with
> the --update-fwdb argument.
>
> I've added both files [2][3] in question to the lists of inputs.
>
> However, since they are supposed to be updated at runtime (stored in
> $HOME) I don't know to represent this in the package definition.
>
> Could you please suggest how to proceed?
I'd suggest removing that functionality as well as the associated
inputs (i.e. curl etc., not the databases). Even if it's treated as
"just data", users should be able to specify on their own the data to
check against. Perhaps you could suggest to upstream that adding --
fwdb /path/to/fwdb might be useful?

Since this patch is rather old, there are a few style-related changes
that should also be incorporated:


Toggle quote (2 lines)
> + (arguments
> + `(...))
Use a list of G-Expressions.

Toggle quote (10 lines)
> + (paths (map
> + (lambda (input)
> + (string-append (assoc-ref inputs input)
> "/bin"))
> + '("coreutils" "grep" "util-linux"
> "iucode-tool"
> + "util-linux-with-udev" "gawk" "gzip"
> "lzop"
> + "lzop" "perl" "procps" "sqlite" "wget"
> "which" "xz" "zstd"))))
You can use (search-input-file inputs "/bin/CMD") to search CMD from
inputs.
Toggle quote (3 lines)
> + (inputs `(("binutils" ,binutils)
> + ("coreutils",coreutils)
> + [...])
You can drop the input labels, but you'll have to find another way to
pass the firmware databases. Speaking of which, is anything even done
with those? Could we add (a) separate package(s) with those databases
instead?

Cheers
P
P
phodina wrote on 26 Jun 2022 13:07
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)(address . 49898@debbugs.gnu.org)
MDXych3ebMv3NuAgJgpGtQ68v2qK_c7YCVZnGR0rVKkymTzHzqZ6um7eS_MVxV3Y862FQ2UVc7D5cQrsCxNkq4eu7tf9iYzcvxnxPPFqNbY=@protonmail.com
Hi,

Yes I'm still interested in upstreaming this package. True, in the meantime a lot has happened and I'll prepare a patch with simplified inputs and Gexps.

Also the databases will be in separate packages and just put into the inputs and linked correctly.

And I'll also update the package version.

Unfortunately HW issues will remain with us for long and it's useful to have some way to check for them.

FIY I'm currently also in process of packaging other stuff so it might take some time.

----
Petr
P
P
phodina wrote on 1 Jul 2022 23:57
Re: [PATCH v6] gnu: Add spectre-meltdown-checker.
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)(address . 49898@debbugs.gnu.org)
1BotgVcf3T0nBoSMz6SX1q7rpoKPp5bWkKSJcPItI46rjJV4dH0mmSkw_VVmE2MSpj10jMiscrcQLejbOo7192u2AsScBrWklgnP09m_dg4=@protonmail.com
Hi!

here's updated patch set:

- The version has been updated.
- It uses gexps.
- There are now 3 packages (intelfw and mcextractor are new).

There is the issue with Intel license. Not sure if it can be included.

The intelfw and mcextractor are used in the shell function update_fwdb. It might be better to create a patch, remove the download functionality and point it to /gnu/store for the package inputs. What do you think?

----
Petr
From fbee544b00de49e7c26e125ec2f1061524cc19ab Mon Sep 17 00:00:00 2001
From: Petr Hodina <phodina@protonmail.com>
Date: Fri, 1 Jul 2022 23:18:13 +0200
Subject: [PATCH v6 1/3] gnu: Add intelfw.

* gnu/packages/linux.scm (intelfw): New variable.

Toggle diff (36 lines)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 58d33140bd..98333c5be2 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -7983,6 +7983,29 @@ (define-public psm
(supported-systems '("i686-linux" "x86_64-linux"))
(license (list license:bsd-2 license:gpl2)))) ;dual
+(define-public intelfw
+ (package
+ (name "intelfw")
+ (version "20220510")
+ (home-page "https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files")
+ (source
+ (origin
+ (method url-fetch)
+ (uri
+ (string-append home-page
+ "/archive/refs/tags/microcode-"
+ version ".tar.gz"))
+ (sha256
+ (base32
+ "0akd526rrkskz7l0kihbymmjzcmf56pv7kh0nbdviywqnmqxqk95"))))
+ (build-system copy-build-system)
+ (synopsis "Intel Processor Microcode")
+ (description "This package provides Intel Processor Microcode provides
+a mechanism to release updates for security advisories and functional issues,
+including errata.")
+ ;; TODO: Intel nonfree license
+ (license #f)))
+
(define-public snapscreenshot
(package
(name "snapscreenshot")
--
2.36.1
From cca59fd7281ce832daa46f201ad7d68058e6c2da Mon Sep 17 00:00:00 2001
From: Petr Hodina <phodina@protonmail.com>
Date: Fri, 1 Jul 2022 23:18:23 +0200
Subject: [PATCH v6 2/3] gnu: Add mcextractor.

* gnu/packages/linux.scm (mcextractor): New variable.

Toggle diff (45 lines)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 98333c5be2..5f634824bf 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -8006,6 +8006,38 @@ (define-public intelfw
;; TODO: Intel nonfree license
(license #f)))
+(define-public mcextractor
+ (package
+ (name "mcextractor")
+ (version "1.74.1")
+ (home-page "https://github.com/platomav/MCExtractor")
+ (source
+ (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url home-page)
+ (commit (string-append "v" version "-r232"))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "09pxa23kdsy8apnxay7v1wmds5879rj6hx779rrqmspllwgg79hj"))))
+ (build-system python-build-system)
+ (arguments
+ (list #:use-setuptools? #f
+ #:tests? #f
+ #:phases
+ #~(modify-phases %standard-phases
+ (delete 'build)
+ (replace 'install
+ (lambda* _
+ (install-file "MCE.py" (string-append #$output "/bin"))
+ (install-file "MCE.db" (string-append #$output
+ "/share/")))))))
+ (synopsis "Intel, AMD, VIA & Freescale Microcode Extraction Tool")
+ (description "This package provides a tool MC Extractor which parses Intel,
+AMD, VIA and Freescale processor microcode binaries")
+ (license license:bsd-2)))
+
(define-public snapscreenshot
(package
(name "snapscreenshot")
--
2.36.1
From 4ec64ebd0dbaed7de220a6d0bb6a1845060b7a51 Mon Sep 17 00:00:00 2001
From: Petr Hodina <phodina@protonmail.com>
Date: Thu, 5 Aug 2021 18:23:47 +0200
Subject: [PATCH v6 3/3] gnu: Add spectre-meltdown-checker.

* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.

Toggle diff (107 lines)
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 5f634824bf..f9c7a0c93a 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -154,6 +154,7 @@ (define-module (gnu packages linux)
#:use-module (gnu packages video)
#:use-module (gnu packages vulkan)
#:use-module (gnu packages web)
+ #:use-module (gnu packages wget)
#:use-module (gnu packages xiph)
#:use-module (gnu packages xml)
#:use-module (gnu packages xdisorg)
@@ -167,6 +168,7 @@ (define-module (gnu packages linux)
#:use-module (guix build-system copy)
#:use-module (guix build-system gnu)
#:use-module (guix build-system go)
+ #:use-module (guix build-system copy)
#:use-module (guix build-system meson)
#:use-module (guix build-system python)
#:use-module (guix build-system trivial)
@@ -8038,6 +8040,84 @@ (define-public mcextractor
AMD, VIA and Freescale processor microcode binaries")
(license license:bsd-2)))
+(define-public spectre-meltdown-checker
+ (package
+ (name "spectre-meltdown-checker")
+ (version "0.45")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+ (build-system copy-build-system)
+ (arguments
+ (list #:install-plan #~`(("spectre-meltdown-checker.sh"
+ "bin/spectre-meltdown-checker.sh"))
+ #:phases #~(modify-phases %standard-phases
+ (add-after 'unpack 'replace-paths
+ (lambda* (#:key inputs #:allow-other-keys)
+ (substitute* "spectre-meltdown-checker.sh"
+ (("mcedb_cache=") (string-append "mcedb_cache="
+ #$mcextractor "/share/MCE.db"))
+ (("intel_tmp=") (string-append "intel_tmp="
+ #$intelfw)))))
+ (add-after 'install 'patch-paths
+ (lambda* (#:key inputs #:allow-other-keys)
+ (let ((paths (map (lambda (input)
+ (string-append (assoc-ref
+ inputs input)
+ "/bin"))
+ '("coreutils" "grep"
+ "util-linux"
+ "iucode-tool"
+ "util-linux-with-udev"
+ "gawk"
+ "gzip"
+ "lzop"
+ "lzop"
+ "perl"
+ "procps"
+ "sqlite"
+ "wget"
+ "which"
+ "xz"
+ "zstd"))))
+ (wrap-program (string-append #$output
+ "/bin/spectre-meltdown-checker.sh")
+ `("PATH" prefix
+ ,paths))))))))
+ (inputs (list bash-minimal
+ binutils
+ coreutils
+ gawk
+ grep
+ gzip
+ iucode-tool
+ intelfw
+ lzop
+ mcextractor
+ perl
+ procps
+ sqlite
+ unzip
+ util-linux
+ util-linux+udev
+ wget
+ which
+ xz
+ zstd))
+ (synopsis "Spectre, Meltdown ... vulnerability/mitigation checker")
+ (description
+ "A shell script to assess your system's resilience against
+the several transient execution CVEs that were published since early 2018,
+and give you guidance as to how to mitigate them.")
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (license license:gpl3)))
+
(define-public snapscreenshot
(package
(name "snapscreenshot")
--
2.36.1
L
L
Liliana Marie Prikler wrote on 2 Jul 2022 01:02
(name . phodina)(address . phodina@protonmail.com)(address . 49898@debbugs.gnu.org)
92c5868666a6472a883568b3646668d304a01dd5.camel@gmail.com
Am Freitag, dem 01.07.2022 um 21:57 +0000 schrieb phodina:
Toggle quote (10 lines)
> Hi!
>
> here's updated patch set:
>
> - The version has been updated.
> - It uses gexps.
> - There are now 3 packages (intelfw and mcextractor are new).
>
> There is the issue with Intel license. Not sure if it can be
> included.
I don't think it can. In my humble opinion, microcode counts as very
functional data and should thus be distributed under a free license.
mcextractor OTOH looks good to me, even if its main purpose is to
handle these binary blobs.

Toggle quote (4 lines)
> The intelfw and mcextractor are used in the shell function
> update_fwdb. It might be better to create a patch, remove the
> download functionality and point it to /gnu/store for the package
> inputs. What do you think?
As already outlined, I think we should go with a "please provide your
firmware via command line option if you think that makes a difference"
approach, assuming unpatched firmware if none is passed. Since Guix
doesn't actually distribute any of Intel's or AMD's blobs, that is the
correct behaviour, both ethically and functionally.

Cheers
L
L
Liliana Marie Prikler wrote on 5 Nov 2022 17:45
Re: [PATCH] gnu: Add spectre-meltdown-checker.
(address . control@debbugs.gnu.org)
dc352bee1b1599f6ba7cd291009f69c5946facd2.camel@gmail.com
merge 59053 49898
thanks

Hi Hilton,

thanks for the renewed interest in spectre-meltdown-checker. See the
other thread for a general discussion, but I'll repeat the most
important points.

Am Samstag, dem 05.11.2022 um 23:57 +0800 schrieb Hilton Chain:
Toggle quote (4 lines)
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch: New file.
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/local.mk (dist_patch_DATA): Add it.
Note that "Add it" lost its context because the new variable is between
it and the file added.
Toggle quote (69 lines)
> ---
>  gnu/local.mk                                  |  1 +
>  gnu/packages/linux.scm                        | 41
> +++++++++++++++++++
>  ...n-checker-support-guix-system-kernel.patch | 26 ++++++++++++
>  3 files changed, 68 insertions(+)
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index eb6ac3df58..88c1fa6278 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1848,6 +1848,7 @@ dist_patch_DATA
> =                                         \
>    %D%/packages/patches/syslinux-strip-gnu-property.patch       \
>    %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch      \
>    %D%/packages/patches/snappy-add-inline-for-GCC.patch         \
> +  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
>    %D%/packages/patches/sphinxbase-fix-doxygen.patch            \
>    %D%/packages/patches/spice-vdagent-glib-2.68.patch           \
>    %D%/packages/patches/sssd-optional-systemd.patch             \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index cf11a7fc1b..db199869a7 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9512,3 +9512,44 @@ (define-public tp-smapi-module
>  @acronym{SMAPI, System Management Application Program Interface} and
> direct
>  access to the embedded controller.")
>      (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> +  (package
> +    (name "spectre-meltdown-checker")
> +    (version "0.45")
> +    (source (origin
> +              (method git-fetch)
> +              (uri (git-reference
> +                    (url
> "https://github.com/speed47/spectre-meltdown-checker")
> +                    (commit (string-append "v" version))))
> +              (file-name (git-file-name name version))
> +              (patches
> +               (search-patches
> +                ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> +                "spectre-meltdown-checker-support-guix-system-
> kernel.patch"))
> +              (sha256
> +               (base32
> +               
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> +    (build-system copy-build-system)
> +    (arguments
> +     (list #:install-plan
> +           #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> +           #:phases
> +           #~(modify-phases %standard-phases
> +               (add-after 'unpack 'fixpath
> +                 (lambda* (#:key inputs #:allow-other-keys)
> +                   (substitute* "spectre-meltdown-checker.sh"
> +                     (("\\$\\{opt_arch_prefix\\}readelf")
> +                      (search-input-file inputs "/bin/readelf"))
> +                     (("perl")
> +                      (search-input-file inputs "/bin/perl"))))))))
I'm pretty sure readelf and perl are not the only commands invoked.


Toggle quote (7 lines)
> +    (inputs (list binutils perl))
> +    (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> +    (synopsis
> +     "Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad
> vulnerability /
> +mitigation checker for Linux & BSD")
"for Linux & BSD" is gratuitous information imho.
As for the vulnerabilities listed in the synopsis surely there must be
a way of shortening that.
Toggle quote (6 lines)
> +    (description
> +     "A shell script to assess your system's resilience against the
> several
> +transient execution CVEs that were published since early 2018, and
> give you
> +guidance as to how to mitigate them.")
Not a full sentence.
Toggle quote (45 lines)
> +    (license license:gpl3)))
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-
> guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-
> checker-support-guix-system-kernel.patch
> new file mode 100644
> index 0000000000..afec52b418
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-
> system-kernel.patch
> @@ -0,0 +1,26 @@
> +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Sat, 5 Nov 2022 23:22:31 +0800
> +Subject: [PATCH] Add support for Guix System kernel.
> +
> +---
> + spectre-meltdown-checker.sh | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 248a444..855a090 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
> +               [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> +               # NixOS:
> +               [ -e "/run/booted-system/kernel" ] &&
> opt_kernel="/run/booted-system/kernel"
> ++              # Guix System:
> ++              [ -e "/run/booted-system/kernel/bzImage" ] &&
> opt_kernel="/run/booted-system/kernel/bzImage"
> +               # systemd kernel-install:
> +               [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux"
> +               # Clear Linux:
> +
> +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
> +--
> +2.38.0
>
> base-commit: 2211f50ec1ebcf5f880454b4133ac40e41abac21
This patch LGTM.

Note that as discussed in the other thread, we'd also want the checker
to not download proprietary firmware. Could you adjust the package
accordingly?

Cheers
C
C
Christopher Baines wrote on 6 Nov 2022 15:20
tag 59053 moreinfo
(address . control@debbugs.gnu.org)
87y1sow4er.fsf@cbaines.net
tags 59053 + moreinfo
quit
?
Your comment

This issue is archived.

To comment on this conversation send an email to 49898@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 49898
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch