[PATCH] gnu: Add spectre-meltdown-checker.

Status: Done
Participants: Hilton Chain, Liliana Marie Prikler, Christopher Baines
Owner: unassigned
Submitted by: Hilton Chain
Severity: normal
Hilton Chain wrote on 5 Nov 2022 16:57
(address . guix-patches@gnu.org)
y76pme1e6ms.wl-hako@ultrarare.space
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch: New file.
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/local.mk (dist_patch_DATA): Add it.
---
gnu/local.mk | 1 +
gnu/packages/linux.scm | 41 +++++++++++++++++++
...n-checker-support-guix-system-kernel.patch | 26 ++++++++++++
3 files changed, 68 insertions(+)
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index eb6ac3df58..88c1fa6278 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1848,6 +1848,7 @@ dist_patch_DATA = \
%D%/packages/patches/syslinux-strip-gnu-property.patch \
%D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \
%D%/packages/patches/snappy-add-inline-for-GCC.patch \
+ %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
%D%/packages/patches/sphinxbase-fix-doxygen.patch \
%D%/packages/patches/spice-vdagent-glib-2.68.patch \
%D%/packages/patches/sssd-optional-systemd.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index cf11a7fc1b..db199869a7 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9512,3 +9512,44 @@ (define-public tp-smapi-module
@acronym{SMAPI, System Management Application Program Interface} and direct
access to the embedded controller.")
(license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+ (package
+ (name "spectre-meltdown-checker")
+ (version "0.45")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (patches
+ (search-patches
+ ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+ "spectre-meltdown-checker-support-guix-system-kernel.patch"))
+ (sha256
+ (base32
+ "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+ (build-system copy-build-system)
+ (arguments
+ (list #:install-plan
+ #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'fixpath
+ (lambda* (#:key inputs #:allow-other-keys)
+ (substitute* "spectre-meltdown-checker.sh"
+ (("\\$\\{opt_arch_prefix\\}readelf")
+ (search-input-file inputs "/bin/readelf"))
+ (("perl")
+ (search-input-file inputs "/bin/perl"))))))))
+ (inputs (list binutils perl))
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (synopsis
+ "Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad vulnerability /
+mitigation checker for Linux & BSD")
+ (description
+ "A shell script to assess your system's resilience against the several
+transient execution CVEs that were published since early 2018, and give you
+guidance as to how to mitigate them.")
+ (license license:gpl3)))
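Review bot: the second `substitute*` clause in the `fixpath` phase, `(("perl") (search-input-file inputs "/bin/perl"))`, is an unanchored regexp, so it rewrites every occurrence of the substring `perl` in spectre-meltdown-checker.sh, including any inside comments, messages or longer words, not only the interpreter invocation. Anchor the pattern to the actual call site (the point where the script runs the `perl` command) so that only the executable name is replaced with the store path; the `readelf` clause is safer because `${opt_arch_prefix}readelf` is a distinctive token. The script also resolves other external tools through PATH at run time, so substituting only readelf and perl leaves the rest to the caller's environment; either resolve those in the same phase or list them as inputs.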
diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
new file mode 100644
index 0000000000..afec52b418
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
@@ -0,0 +1,26 @@
+From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 5 Nov 2022 23:22:31 +0800
+Subject: [PATCH] Add support for Guix System kernel.
+
+---
+ spectre-meltdown-checker.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 248a444..855a090 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
+ [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
+ # NixOS:
+ [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
++ # Guix System:
++ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ # systemd kernel-install:
+ [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
+ # Clear Linux:
+
+base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
+--
+2.38.0
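Review bot: the ordering of the new Guix System check is load-bearing and deserves a comment in the patch. On Guix System `/run/booted-system/kernel` exists too (it is the kernel package directory that contains `bzImage`), so the NixOS line directly above fires first and sets `opt_kernel` to a directory; only because the Guix line comes after it does `opt_kernel` end up as `/run/booted-system/kernel/bzImage`. Note also that `bzImage` is the x86 image name; on other architectures the image under `/run/booted-system/kernel/` is named differently, so there the check silently does nothing and the script falls back to its other heuristics. Finally, the patch file has no header comment describing its origin; Guix patches conventionally start with a note pointing at the upstream submission (here https://github.com/speed47/spectre-meltdown-checker/pull/441, currently recorded only in linux.scm) so a future updater knows when the patch can be dropped.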

base-commit: 2211f50ec1ebcf5f880454b4133ac40e41abac21
--
2.38.0
Liliana Marie Prikler wrote on 5 Nov 2022 17:45
(address . control@debbugs.gnu.org)
dc352bee1b1599f6ba7cd291009f69c5946facd2.camel@gmail.com
merge 59053 49898
thanks

Hi Hilton,

thanks for the renewed interest in spectre-meltdown-checker. See the
other thread for a general discussion, but I'll repeat the most
important points.

On Saturday, 05.11.2022 at 23:57 +0800, Hilton Chain wrote:
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch: New file.
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/local.mk (dist_patch_DATA): Add it.
Note that "Add it" lost its context because the new variable is between
it and the file added.
> ---
>  gnu/local.mk                                  |  1 +
>  gnu/packages/linux.scm                        | 41
> +++++++++++++++++++
>  ...n-checker-support-guix-system-kernel.patch | 26 ++++++++++++
>  3 files changed, 68 insertions(+)
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index eb6ac3df58..88c1fa6278 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1848,6 +1848,7 @@ dist_patch_DATA
> =                                         \
>    %D%/packages/patches/syslinux-strip-gnu-property.patch       \
>    %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch      \
>    %D%/packages/patches/snappy-add-inline-for-GCC.patch         \
> +  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
>    %D%/packages/patches/sphinxbase-fix-doxygen.patch            \
>    %D%/packages/patches/spice-vdagent-glib-2.68.patch           \
>    %D%/packages/patches/sssd-optional-systemd.patch             \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index cf11a7fc1b..db199869a7 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9512,3 +9512,44 @@ (define-public tp-smapi-module
>  @acronym{SMAPI, System Management Application Program Interface} and
> direct
>  access to the embedded controller.")
>      (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> +  (package
> +    (name "spectre-meltdown-checker")
> +    (version "0.45")
> +    (source (origin
> +              (method git-fetch)
> +              (uri (git-reference
> +                    (url
> "https://github.com/speed47/spectre-meltdown-checker")
> +                    (commit (string-append "v" version))))
> +              (file-name (git-file-name name version))
> +              (patches
> +               (search-patches
> +                ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> +                "spectre-meltdown-checker-support-guix-system-
> kernel.patch"))
> +              (sha256
> +               (base32
> +               
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> +    (build-system copy-build-system)
> +    (arguments
> +     (list #:install-plan
> +           #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> +           #:phases
> +           #~(modify-phases %standard-phases
> +               (add-after 'unpack 'fixpath
> +                 (lambda* (#:key inputs #:allow-other-keys)
> +                   (substitute* "spectre-meltdown-checker.sh"
> +                     (("\\$\\{opt_arch_prefix\\}readelf")
> +                      (search-input-file inputs "/bin/readelf"))
> +                     (("perl")
> +                      (search-input-file inputs "/bin/perl"))))))))
I'm pretty sure readelf and perl are not the only commands invoked.


> +    (inputs (list binutils perl))
> +    (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> +    (synopsis
> +     "Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad
> vulnerability /
> +mitigation checker for Linux & BSD")
"for Linux & BSD" is gratuitous information imho.
As for the vulnerabilities listed in the synopsis, surely there must be
a way of shortening that.
> +    (description
> +     "A shell script to assess your system's resilience against the
> several
> +transient execution CVEs that were published since early 2018, and
> give you
> +guidance as to how to mitigate them.")
Not a full sentence.
> +    (license license:gpl3)))
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-
> guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-
> checker-support-guix-system-kernel.patch
> new file mode 100644
> index 0000000000..afec52b418
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-
> system-kernel.patch
> @@ -0,0 +1,26 @@
> +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Sat, 5 Nov 2022 23:22:31 +0800
> +Subject: [PATCH] Add support for Guix System kernel.
> +
> +---
> + spectre-meltdown-checker.sh | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 248a444..855a090 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
> +               [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> +               # NixOS:
> +               [ -e "/run/booted-system/kernel" ] &&
> opt_kernel="/run/booted-system/kernel"
> ++              # Guix System:
> ++              [ -e "/run/booted-system/kernel/bzImage" ] &&
> opt_kernel="/run/booted-system/kernel/bzImage"
> +               # systemd kernel-install:
> +               [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux"
> +               # Clear Linux:
> +
> +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
> +--
> +2.38.0
>
> base-commit: 2211f50ec1ebcf5f880454b4133ac40e41abac21
This patch LGTM.

Note that as discussed in the other thread, we'd also want the checker
to not download proprietary firmware. Could you adjust the package
accordingly?

Cheers
Christopher Baines wrote on 6 Nov 2022 15:20
tag 59053 moreinfo
(address . control@debbugs.gnu.org)
87y1sow4er.fsf@cbaines.net
tags 59053 + moreinfo
quit
Hilton Chain wrote on 11 Nov 2022 12:10
[PATCH v2] gnu: Add spectre-meltdown-checker.
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)
y76k041d9w6.wl-hako@ultrarare.space
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
v1 -> v2:

gnu/local.mk | 3 +
gnu/packages/linux.scm | 53 +
...ker-remove-builtin-firmware-database.patch | 554 +++++
...cker-stage-commands-for-substitution.patch | 1947 +++++++++++++++++
...n-checker-support-guix-system-kernel.patch | 26 +
5 files changed, 2583 insertions(+)
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 27b31ea27f..d518cd8641 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1851,6 +1851,9 @@ dist_patch_DATA = \
%D%/packages/patches/syslinux-strip-gnu-property.patch \
%D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \
%D%/packages/patches/snappy-add-inline-for-GCC.patch \
+ %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
+ %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch \
+ %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \
%D%/packages/patches/sphinxbase-fix-doxygen.patch \
%D%/packages/patches/spice-vdagent-glib-2.68.patch \
%D%/packages/patches/sssd-optional-systemd.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 2c06269504..5a0d55833a 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9595,3 +9595,56 @@ (define-public edac-utils
error detection and correction (EDAC).")
(home-page "https://github.com/grondo/edac-utils")
(license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+ (package
+ (name "spectre-meltdown-checker")
+ (version "0.45")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (patches
+ (search-patches
+ ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+ "spectre-meltdown-checker-support-guix-system-kernel.patch"
+ ;; NOTE: Update these patches when updating.
+ "spectre-meltdown-checker-stage-commands-for-substitution.patch"
+ "spectre-meltdown-checker-remove-builtin-firmware-database.patch"))
+ (sha256
+ (base32
+ "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+ (build-system copy-build-system)
+ (arguments
+ (list #:install-plan
+ #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'fixpath
+ (lambda* (#:key inputs #:allow-other-keys)
+ (substitute* "spectre-meltdown-checker.sh"
+ (("@sysctl@") (search-input-file inputs "/sbin/sysctl"))
+ (("@([a-z0-9]*)@" _ m _)
+ (search-input-file inputs (string-append "/bin/" m)))))))))
+ (inputs
+ (list binutils
+ coreutils
+ grep
+ kmod
+ lz4
+ lzop
+ perl
+ procps
+ sharutils
+ util-linux
+ which
+ zstd))
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (synopsis "CPU vulnerability / mitigation checker")
+ (description
+ "This package provides a shell script to assess your system's resilience
+against the several transient execution CVEs that were published since early
+2018, and give you guidance as to how to mitigate them.")
+ (license license:gpl3)))
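Review bot: the generic clause `(("@([a-z0-9]*)@" _ m _) (search-input-file inputs (string-append "/bin/" m)))` maps every staged command to `/bin/<name>` of some input, so it depends on the specific `@sysctl@` clause above it to catch the one tool that lives under `/sbin`; a comment saying that the specific clause must precede the generic one would keep a later edit from breaking it. The trailing `_` in the binding list is unused (the pattern has a single group) and can be dropped. `search-input-file` aborts the build when no input provides the file, which is the right failure mode, but it means the inputs list and the staging patch must be updated together; the `NOTE: Update these patches when updating.` comment should say so explicitly rather than only that the patches need refreshing.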
diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
new file mode 100644
index 0000000000..e926551550
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
@@ -0,0 +1,554 @@
+From ac4bb2e61e4e8d195d560014816e107b315817ff Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Fri, 11 Nov 2022 18:55:25 +0800
+Subject: [PATCH 2/2] Remove builtin firmware database.
+
+---
+ spectre-meltdown-checker.sh | 477 ++----------------------------------
+ 1 file changed, 27 insertions(+), 450 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 82cf1b6..79c4bb7 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -95,7 +95,6 @@ show_usage()
+ --cpu [#,all] interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
+ --update-fwdb update our local copy of the CPU microcodes versions database (using the awesome
+ MCExtractor project and the Intel firmwares GitHub repository)
+- --update-builtin-fwdb same as --update-fwdb but update builtin DB inside the script itself
+ --dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script
+
+ Return codes:
+@@ -853,9 +852,9 @@ update_fwdb()
+ mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)"
+ mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+ _info_nol "Fetching MCE.db from the MCExtractor project... "
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
++ # if command -v wget >/dev/null 2>&1; then
++ # wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
++ if command -v curl >/dev/null 2>&1; then
+ curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+ elif command -v fetch >/dev/null 2>&1; then
+ fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+@@ -874,9 +873,9 @@ update_fwdb()
+ intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+ _info_nol "Fetching Intel firmwares... "
+ ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
++ # if command -v wget >/dev/null 2>&1; then
++ # wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
++ if command -v curl >/dev/null 2>&1; then
+ curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+ elif command -v fetch >/dev/null 2>&1; then
+ fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
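Review bot: in both `update_fwdb` hunks the `wget` branch is commented out instead of deleted, while the `curl` and `fetch` branches stay active, so `--update-fwdb` still downloads MCE.db and the Intel microcode archive at run time; if the goal of this patch is to keep the package from fetching that data, the download path (and the `--update-fwdb` entry in `show_usage`) should go as well, otherwise the patch only removes the bundled copy. Either way, delete the dead lines rather than keeping them as comments; a Guix patch that carries only the real change is easier to rebase on the next upstream release.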
+@@ -969,13 +968,13 @@ update_fwdb()
+ } > "$mcedb_cache"
+ echo DONE "(version $dbversion)"
+
+- if [ "$1" = builtin ]; then
+- newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
+- @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+- @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+- @cat@ "$newfile" > "$0"
+- @rm@ -f "$newfile"
+- fi
++ # if [ "$1" = builtin ]; then
++ # newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
++ # @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
++ # @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
++ # @cat@ "$newfile" > "$0"
++ # @rm@ -f "$newfile"
++ # fi
+ }
+
+ parse_opt_file()
+@@ -1070,9 +1069,9 @@ while [ -n "${1:-}" ]; do
+ elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then
+ update_fwdb
+ exit $?
+- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
+- update_fwdb builtin
+- exit $?
++ # elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
++ # update_fwdb builtin
++ # exit $?
+ elif [ "$1" = "--dump-mock-data" ]; then
+ opt_mock=1
+ shift
+@@ -2033,22 +2032,22 @@ is_xen_domU()
+ fi
+ }
+
+-builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
++# builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ # we have a local cache file, but it might be older than the builtin version we have
+ local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+ # sort -V sorts by version number
+- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1)
+- if [ "$older_dbversion" = "$builtin_dbversion" ]; then
++ # older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1)
++ # if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+ mcedb_source="$mcedb_cache"
+ mcedb_info="local firmwares DB $local_dbversion"
+- fi
++ # fi
+ fi
+ # if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db
+-if [ -z "${mcedb_source:-}" ]; then
+- mcedb_source="$0"
+- mcedb_info="builtin firmwares DB $builtin_dbversion"
+-fi
++# if [ -z "${mcedb_source:-}" ]; then
++# mcedb_source="$0"
++# mcedb_info="builtin firmwares DB $builtin_dbversion"
++# fi
+ read_mcedb()
+ {
+ @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
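Review bot: with the builtin database gone and the `if [ -z "${mcedb_source:-}" ]` fallback commented out, the `if [ -r "$mcedb_cache" ]` block is now the only place that sets `mcedb_source` and `mcedb_info`, so when no cache file exists both stay unset and whatever later prints `mcedb_info` shows an empty string. Add an `else` branch that sets `mcedb_info` to an explanatory message (for example that no firmware database is available and `--update-fwdb` creates one) and leaves `mcedb_source` empty, and remove the commented-out version comparison instead of keeping it.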
+@@ -2070,6 +2069,9 @@ is_latest_known_ucode()
+ else
+ return 2
+ fi
++ if [ -z "$mcedb_source" ]; then
++ return 2
++ fi
+ for tuple in $(read_mcedb | @grep@ "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
+ do
+ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
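Review bot: the new guard `if [ -z "$mcedb_source" ]; then return 2; fi` expands the variable without a default, whereas the existing code in this script tests it as `"${mcedb_source:-}"`; if the script runs with `set -u` (its consistent use of `${var:-}` suggests it does), an unset `mcedb_source` makes this line abort instead of returning 2. Use `"${mcedb_source:-}"` here for consistency and safety.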
+@@ -5833,428 +5835,3 @@ fi
+ [ "$global_critical" = 1 ] && exit 2 # critical
+ [ "$global_unknown" = 1 ] && exit 3 # unknown
+ exit 0 # ok
+-
+-# We're using MCE.db from the excellent platomav's MCExtractor project
+-# The builtin version follows, but the user can download an up-to-date copy (to be stored in his $HOME) by using --update-fwdb
+-# To update the builtin version itself (by *modifying* this very file), use --update-builtin-fwdb
+-
+-# %%% MCEDB v222+i20220208
+-# I,0x00000611,0x00000B27,19961218
+-# I,0x00000612,0x000000C6,19961210
+-# I,0x00000616,0x000000C6,19961210
+-# I,0x00000617,0x000000C6,19961210
+-# I,0x00000619,0x000000D2,19980218
+-# I,0x00000630,0x00000013,19960827
+-# I,0x00000632,0x00000020,19960903
+-# I,0x00000633,0x00000036,19980923
+-# I,0x00000634,0x00000037,19980923
+-# I,0x00000650,0x00000045,19990525
+-# I,0x00000651,0x00000042,19990525
+-# I,0x00000652,0x0000002D,19990518
+-# I,0x00000653,0x00000010,19990628
+-# I,0x00000660,0x0000000A,19990505
+-# I,0x00000665,0x00000003,19990505
+-# I,0x0000066A,0x0000000D,19990505
+-# I,0x0000066D,0x00000007,19990505
+-# I,0x00000670,0x00000007,19980602
+-# I,0x00000671,0x00000014,19980811
+-# I,0x00000672,0x00000038,19990922
+-# I,0x00000673,0x0000002E,19990910
+-# I,0x00000680,0x00000017,19990610
+-# I,0x00000681,0x00000014,19991209
+-# I,0x00000683,0x00000014,20010206
+-# I,0x00000686,0x00000008,20000505
+-# I,0x0000068A,0x00000005,20001207
+-# I,0x00000690,0x00000004,20000206
+-# I,0x00000691,0x00000001,20020527
+-# I,0x00000692,0x00000001,20020620
+-# I,0x00000694,0x00000002,20020926
+-# I,0x00000695,0x00000047,20041109
+-# I,0x00000696,0x00000001,20000707
+-# I,0x000006A0,0x00000003,20000110
+-# I,0x000006A1,0x00000001,20000306
+-# I,0x000006A4,0x00000001,20000616
+-# I,0x000006B0,0x0000001A,20010129
+-# I,0x000006B1,0x0000001D,20010220
+-# I,0x000006B4,0x00000002,20020111
+-# I,0x000006D0,0x00000006,20030522
+-# I,0x000006D1,0x00000009,20030709
+-# I,0x000006D2,0x00000010,20030814
+-# I,0x000006D6,0x00000018,20041017
+-# I,0x000006D8,0x00000021,20060831
+-# I,0x000006E0,0x00000008,20050215
+-# I,0x000006E1,0x0000000C,20050413
+-# I,0x000006E4,0x00000026,20050816
+-# I,0x000006E8,0x0000003C,20060208
+-# I,0x000006EC,0x0000005B,20070208
+-# I,0x000006F0,0x00000005,20050818
+-# I,0x000006F1,0x00000012,20051129
+-# I,0x000006F2,0x0000005D,20101002
+-# I,0x000006F4,0x00000028,20060417
+-# I,0x000006F5,0x00000039,20060727
+-# I,0x000006F6,0x000000D2,20101001
+-# I,0x000006F7,0x0000006B,20101002
+-# I,0x000006F9,0x00000084,20061012
+-# I,0x000006FA,0x00000095,20101002
+-# I,0x000006FB,0x000000C1,20111004
+-# I,0x000006FD,0x000000A4,20101002
+-# I,0x00000F00,0xFFFF0001,20000130
+-# I,0x00000F01,0xFFFF0007,20000404
+-# I,0x00000F02,0xFFFF000B,20000518
+-# I,0x00000F03,0xFFFF0001,20000518
+-# I,0x00000F04,0xFFFF0010,20000803
+-# I,0x00000F05,0x0000000C,20000824
+-# I,0x00000F06,0x00000004,20000911
+-# I,0x00000F07,0x00000012,20020716
+-# I,0x00000F08,0x00000008,20001101
+-# I,0x00000F09,0x00000008,20010104
+-# I,0x00000F0A,0x00000015,20020821
+-# I,0x00000F11,0x0000000A,20030729
+-# I,0x00000F12,0x0000002F,20030502
+-# I,0x00000F13,0x00000005,20030508
+-# I,0x00000F20,0x00000001,20010423
+-# I,0x00000F21,0x00000003,20010529
+-# I,0x00000F22,0x00000005,20030729
+-# I,0x00000F23,0x0000000D,20010817
+-# I,0x00000F24,0x00000021,20030610
+-# I,0x00000F25,0x0000002C,20040826
+-# I,0x00000F26,0x00000010,20040805
+-# I,0x00000F27,0x00000039,20030604
+-# I,0x00000F29,0x0000002F,20040811
+-# I,0x00000F30,0x00000013,20030815
+-# I,0x00000F31,0x0000000B,20031021
+-# I,0x00000F32,0x0000000A,20040511
+-# I,0x00000F33,0x0000000C,20050421
+-# I,0x00000F34,0x00000017,20050421
+-# I,0x00000F36,0x00000007,20040309
+-# I,0x00000F37,0x00000003,20031218
+-# I,0x00000F40,0x00000006,20040318
+-# I,0x00000F41,0x00000017,20050422
+-# I,0x00000F42,0x00000003,20050421
+-# I,0x00000F43,0x00000005,20050421
+-# I,0x00000F44,0x00000006,20050421
+-# I,0x00000F46,0x00000004,20050411
+-# I,0x00000F47,0x00000003,20050421
+-# I,0x00000F48,0x0000000E,20080115
+-# I,0x00000F49,0x00000003,20050421
+-# I,0x00000F4A,0x00000004,20051214
+-# I,0x00000F60,0x00000005,20050124
+-# I,0x00000F61,0x00000008,20050610
+-# I,0x00000F62,0x0000000F,20051215
+-# I,0x00000F63,0x00000005,20051010
+-# I,0x00000F64,0x00000004,20051223
+-# I,0x00000F65,0x0000000B,20070510
+-# I,0x00000F66,0x0000001B,20060310
+-# I,0x00000F68,0x00000009,20060714
+-# I,0x00001632,0x00000002,19980610
+-# I,0x00010650,0x00000002,20060513
+-# I,0x00010660,0x00000004,20060612
+-# I,0x00010661,0x00000045,20101004
+-# I,0x00010670,0x00000005,20070209
+-# I,0x00010671,0x00000106,20070329
+-# I,0x00010674,0x84050100,20070726
+-# I,0x00010676,0x00000612,20150802
+-# I,0x00010677,0x0000070D,20150802
+-# I,0x0001067A,0x00000A0E,20150729
+-# I,0x000106A0,0xFFFF001A,20071128
+-# I,0x000106A1,0xFFFF000B,20080220
+-# I,0x000106A2,0xFFFF0019,20080714
+-# I,0x000106A4,0x00000013,20150630
+-# I,0x000106A5,0x0000001D,20180511
+-# I,0x000106C0,0x00000007,20070824
+-# I,0x000106C1,0x00000109,20071203
+-# I,0x000106C2,0x00000219,20090410
+-# I,0x000106C9,0x00000007,20090213
+-# I,0x000106CA,0x00000107,20090825
+-# I,0x000106D0,0x00000005,20071204
+-# I,0x000106D1,0x0000002A,20150803
+-# I,0x000106E0,0xFFFF0022,20090116
+-# I,0x000106E1,0xFFFF000D,20090206
+-# I,0x000106E2,0xFFFF0011,20090924
+-# I,0x000106E3,0xFFFF0011,20090512
+-# I,0x000106E4,0x00000003,20130701
+-# I,0x000106E5,0x0000000A,20180508
+-# I,0x000106F0,0xFFFF0009,20090210
+-# I,0x000106F1,0xFFFF0007,20090210
+-# I,0x00020650,0xFFFF0008,20090218
+-# I,0x00020651,0xFFFF0018,20090818
+-# I,0x00020652,0x00000011,20180508
+-# I,0x00020654,0xFFFF0007,20091124
+-# I,0x00020655,0x00000007,20180423
+-# I,0x00020661,0x00000105,20110718
+-# I,0x000206A0,0x00000029,20091102
+-# I,0x000206A1,0x00000007,20091223
+-# I,0x000206A2,0x00000027,20100502
+-# I,0x000206A3,0x00000009,20100609
+-# I,0x000206A4,0x00000022,20100414
+-# I,0x000206A5,0x00000007,20100722
+-# I,0x000206A6,0x90030028,20100924
+-# I,0x000206A7,0x0000002F,20190217
+-# I,0x000206C0,0xFFFF001C,20091214
+-# I,0x000206C1,0x00000006,20091222
+-# I,0x000206C2,0x0000001F,20180508
+-# I,0x000206D0,0x80000006,20100816
+-# I,0x000206D1,0x80000106,20101201
+-# I,0x000206D2,0xAF506958,20110714
+-# I,0x000206D3,0xAF50696A,20110816
+-# I,0x000206D5,0xAF5069E5,20120118
+-# I,0x000206D6,0x00000621,20200304
+-# I,0x000206D7,0x0000071A,20200324
+-# I,0x000206E0,0xE3493401,20090108
+-# I,0x000206E1,0xE3493402,20090224
+-# I,0x000206E2,0xFFFF0004,20081001
+-# I,0x000206E3,0xE4486547,20090701
+-# I,0x000206E4,0xFFFF0008,20090619
+-# I,0x000206E5,0xFFFF0018,20091215
+-# I,0x000206E6,0x0000000D,20180515
+-# I,0x000206F0,0x00000005,20100729
+-# I,0x000206F1,0x00000008,20101013
+-# I,0x000206F2,0x0000003B,20180516
+-# I,0x00030650,0x00000009,20120118
+-# I,0x00030651,0x00000110,20131014
+-# I,0x00030660,0x00000003,20101103
+-# I,0x00030661,0x0000010F,20150721
+-# I,0x00030669,0x0000010D,20130515
+-# I,0x00030671,0x00000117,20130410
+-# I,0x00030672,0x0000022E,20140401
+-# I,0x00030673,0x83290100,20190916
+-# I,0x00030678,0x00000838,20190422
+-# I,0x00030679,0x0000090D,20190710
+-# I,0x000306A0,0x00000007,20110407
+-# I,0x000306A2,0x0000000C,20110725
+-# I,0x000306A4,0x00000007,20110908
+-# I,0x000306A5,0x00000009,20111110
+-# I,0x000306A6,0x00000004,20111114
+-# I,0x000306A8,0x00000010,20120220
+-# I,0x000306A9,0x00000021,20190213
+-# I,0x000306C0,0xFFFF0013,20111110
+-# I,0x000306C1,0xFFFF0014,20120725
+-# I,0x000306C2,0xFFFF0006,20121017
+-# I,0x000306C3,0x00000028,20191112
+-# I,0x000306D1,0xFFFF0009,20131015
+-# I,0x000306D2,0xFFFF0009,20131219
+-# I,0x000306D3,0xE3121338,20140825
+-# I,0x000306D4,0x0000002F,20191112
+-# I,0x000306E0,0xE920080F,20121113
+-# I,0x000306E2,0xE9220827,20130523
+-# I,0x000306E3,0x00000308,20130321
+-# I,0x000306E4,0x0000042E,20190314
+-# I,0x000306E6,0x00000600,20130619
+-# I,0x000306E7,0x00000715,20190314
+-# I,0x000306F0,0xFFFF0017,20130730
+-# I,0x000306F1,0xD141D629,20140416
+-# I,0x000306F2,0x00000049,20210811
+-# I,0x000306F3,0x0000000D,20160211
+-# I,0x000306F4,0x0000001A,20210524
+-# I,0x00040650,0xFFFF000B,20121206
+-# I,0x00040651,0x00000026,20191112
+-# I,0x00040660,0xFFFF0011,20121012
+-# I,0x00040661,0x0000001C,20191112
+-# I,0x00040670,0xFFFF0006,20140304
+-# I,0x00040671,0x00000022,20191112
+-# I,0x000406A0,0x80124001,20130521
+-# I,0x000406A8,0x0000081F,20140812
+-# I,0x000406A9,0x0000081F,20140812
+-# I,0x000406C1,0x0000010B,20140814
+-# I,0x000406C2,0x00000221,20150218
+-# I,0x000406C3,0x00000368,20190423
+-# I,0x000406C4,0x00000411,20190423
+-# I,0x000406D0,0x0000000E,20130612
+-# I,0x000406D8,0x0000012D,20190916
+-# I,0x000406E1,0x00000020,20141111
+-# I,0x000406E2,0x0000002C,20150521
+-# I,0x000406E3,0x000000EC,20210428
+-# I,0x000406E8,0x00000026,20160414
+-# I,0x000406F0,0x00000014,20150702
+-# I,0x000406F1,0x0B000040,20210519
+-# I,0x00050650,0x8000002B,20160208
+-# I,0x00050651,0x8000002B,20160208
+-# I,0x00050652,0x80000037,20170502
+-# I,0x00050653,0x0100015C,20210526
+-# I,0x00050654,0x02006C0A,20210616
+-# I,0x00050655,0x03000012,20190412
+-# I,0x00050656,0x0400320A,20210813
+-# I,0x00050657,0x0500320A,20210813
+-# I,0x0005065A,0x86002302,20210416
+-# I,0x0005065B,0x07002402,20210604
+-# I,0x00050661,0xF1000008,20150130
+-# I,0x00050662,0x0000001C,20190617
+-# I,0x00050663,0x0700001C,20210612
+-# I,0x00050664,0x0F00001A,20210612
+-# I,0x00050665,0x0E000014,20210918
+-# I,0x00050670,0xFFFF0030,20151113
+-# I,0x00050671,0x000001B6,20180108
+-# I,0x000506A0,0x00000038,20150112
+-# I,0x000506C2,0x00000014,20180511
+-# I,0x000506C8,0x90011010,20160323
+-# I,0x000506C9,0x00000046,20210510
+-# I,0x000506CA,0x00000022,20210622
+-# I,0x000506D1,0x00000102,20150605
+-# I,0x000506E0,0x00000018,20141119
+-# I,0x000506E1,0x0000002A,20150602
+-# I,0x000506E2,0x0000002E,20150815
+-# I,0x000506E3,0x000000F0,20211112
+-# I,0x000506E8,0x00000034,20160710
+-# I,0x000506F0,0x00000010,20160607
+-# I,0x000506F1,0x00000036,20210510
+-# I,0x00060660,0x0000000C,20160821
+-# I,0x00060661,0x0000000E,20170128
+-# I,0x00060662,0x00000022,201711
This message was truncated.
Liliana Marie Prikler wrote on 11 Nov 2022 16:13
(name . Hilton Chain)(address . hako@ultrarare.space)(address . 59053@debbugs.gnu.org)
62dbdc4784403cc138909884b50a399485a2451f.camel@gmail.com
Hi,

On Friday, 11.11.2022 at 19:10 +0800, Hilton Chain wrote:
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-
> substitution.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch:
> New file.
> * gnu/local.mk (dist_patch_DATA): Add patches.
> ---
> v1 -> v2:
>
>  gnu/local.mk                                  |    3 +
>  gnu/packages/linux.scm                        |   53 +
>  ...ker-remove-builtin-firmware-database.patch |  554 +++++
>  ...cker-stage-commands-for-substitution.patch | 1947
> +++++++++++++++++
>  ...n-checker-support-guix-system-kernel.patch |   26 +
>  5 files changed, 2583 insertions(+)
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> remove-builtin-firmware-database.patch
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> stage-commands-for-substitution.patch
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 27b31ea27f..d518cd8641 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1851,6 +1851,9 @@ dist_patch_DATA
> =                                         \
>    %D%/packages/patches/syslinux-strip-gnu-property.patch       \
>    %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch      \
>    %D%/packages/patches/snappy-add-inline-for-GCC.patch         \
> +  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
> +  %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-
> substitution.patch \
> +  %D%/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch \
>    %D%/packages/patches/sphinxbase-fix-doxygen.patch            \
>    %D%/packages/patches/spice-vdagent-glib-2.68.patch           \
>    %D%/packages/patches/sssd-optional-systemd.patch             \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index 2c06269504..5a0d55833a 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9595,3 +9595,56 @@ (define-public edac-utils
>  error detection and correction (EDAC).")
>      (home-page "https://github.com/grondo/edac-utils")
>      (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> +  (package
> +    (name "spectre-meltdown-checker")
> +    (version "0.45")
> +    (source (origin
> +              (method git-fetch)
> +              (uri (git-reference
> +                    (url
> "https://github.com/speed47/spectre-meltdown-checker")
> +                    (commit (string-append "v" version))))
> +              (file-name (git-file-name name version))
> +              (patches
> +               (search-patches
> +                ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> +                "spectre-meltdown-checker-support-guix-system-
> kernel.patch"
> +                ;; NOTE: Update these patches when updating.
> +                "spectre-meltdown-checker-stage-commands-for-
> substitution.patch"
> +                "spectre-meltdown-checker-remove-builtin-firmware-
> database.patch"))
> +              (sha256
> +               (base32
> +               
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> +    (build-system copy-build-system)
> +    (arguments
> +     (list #:install-plan
> +           #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> +           #:phases
> +           #~(modify-phases %standard-phases
> +               (add-after 'unpack 'fixpath
> +                 (lambda* (#:key inputs #:allow-other-keys)
> +                   (substitute* "spectre-meltdown-checker.sh"
> +                     (("@sysctl@") (search-input-file inputs
> "/sbin/sysctl"))
> +                     (("@([a-z0-9]*)@" _ m _)
> +                      (search-input-file inputs (string-append
> "/bin/" m)))))))))
I'd prefer "command" instead of m as a variable name here.
> +    (inputs
> +     (list binutils
> +           coreutils
> +           grep
> +           kmod
> +           lz4
> +           lzop
> +           perl
> +           procps
> +           sharutils
> +           util-linux
> +           which
> +           zstd))
> +    (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> +    (synopsis "CPU vulnerability / mitigation checker")
> +    (description
> +     "This package provides a shell script to assess your system's
> resilience
> +against the several transient execution CVEs that were published
> since early
> +2018, and give you guidance as to how to mitigate them.")
> +    (license license:gpl3)))
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-
> builtin-firmware-database.patch b/gnu/packages/patches/spectre-
> meltdown-checker-remove-builtin-firmware-database.patch
> new file mode 100644
> index 0000000000..e926551550
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch
> @@ -0,0 +1,554 @@
> +From ac4bb2e61e4e8d195d560014816e107b315817ff Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Fri, 11 Nov 2022 18:55:25 +0800
> +Subject: [PATCH 2/2] Remove builtin firmware database.
> +
> +---
> + spectre-meltdown-checker.sh | 477 ++-------------------------------
> ---
> + 1 file changed, 27 insertions(+), 450 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 82cf1b6..79c4bb7 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -95,7 +95,6 @@ show_usage()
> +               --cpu [#,all]           interact with CPUID and MSR
> of CPU core number #, or all (default: CPU core 0)
> +               --update-fwdb           update our local copy of the
> CPU microcodes versions database (using the awesome
> +                                       MCExtractor project and the
> Intel firmwares GitHub repository)
> +-              --update-builtin-fwdb   same as --update-fwdb but
> update builtin DB inside the script itself
> +               --dump-mock-data        used to mimick a CPU on an
> other system, mainly used to help debugging this script
> +
> +       Return codes:
> +@@ -853,9 +852,9 @@ update_fwdb()
> +       mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)"
> +       mcedb_url='
> https://github.com/platomav/MCExtractor/raw/master/MCE.db'
> +       _info_nol "Fetching MCE.db from the MCExtractor project... "
> +-      if command -v wget >/dev/null 2>&1; then
> +-              wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
> +-      elif command -v curl >/dev/null 2>&1; then
> ++      # if command -v wget >/dev/null 2>&1; then
> ++      #       wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
> ++      if command -v curl >/dev/null 2>&1; then
> +               curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
> +       elif command -v fetch >/dev/null 2>&1; then
> +               fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
The curl line and fetch line do the same thing as the wget line.
Prefer removal over commenting.
> +@@ -874,9 +873,9 @@ update_fwdb()
> +       intel_url="
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-
> Files/archive/main.zip"
> +       _info_nol "Fetching Intel firmwares... "
> +       ##
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
> +-      if command -v wget >/dev/null 2>&1; then
> +-              wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
> +-      elif command -v curl >/dev/null 2>&1; then
> ++      # if command -v wget >/dev/null 2>&1; then
> ++      #       wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
> ++      if command -v curl >/dev/null 2>&1; then
> +               curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
> +       elif command -v fetch >/dev/null 2>&1; then
> +               fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
Same here.
> +@@ -969,13 +968,13 @@ update_fwdb()
> +       } > "$mcedb_cache"
> +       echo DONE "(version $dbversion)"
> +
> +-      if [ "$1" = builtin ]; then
> +-              newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
> +-              @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" >
> "$newfile"
> +-              @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >>
> "$newfile"
> +-              @cat@ "$newfile" > "$0"
> +-              @rm@ -f "$newfile"
> +-      fi
> ++      # if [ "$1" = builtin ]; then
> ++      #       newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
> ++      #       @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" >
> "$newfile"
> ++      #       @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >>
> "$newfile"
> ++      #       @cat@ "$newfile" > "$0"
> ++      #       @rm@ -f "$newfile"
> ++      # fi
This time, it seems completely removed, but still prefer removal over
commenting.
> + }
> +
> + parse_opt_file()
> +@@ -1070,9 +1069,9 @@ while [ -n "${1:-}" ]; do
> +       elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb"
> ]; then
> +               update_fwdb
> +               exit $?
> +-      elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--
> update-builtin-mcedb" ]; then
> +-              update_fwdb builtin
> +-              exit $?
> ++      # elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--
> update-builtin-mcedb" ]; then
> ++      #       update_fwdb builtin
> ++      #       exit $?
> +       elif [ "$1" = "--dump-mock-data" ]; then
> +               opt_mock=1
> +               shift
> +@@ -2033,22 +2032,22 @@ is_xen_domU()
> +       fi
> + }
> +
> +-builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
> ++# builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
> + if [ -r "$mcedb_cache" ]; then
> +       # we have a local cache file, but it might be older than the
> builtin version we have
> +       local_dbversion=$(  @awk@ '/^# %%% MCEDB / { print $4 }'
> "$mcedb_cache")
> +       # sort -V sorts by version number
> +-      older_dbversion=$(printf "%b\n%b" "$local_dbversion"
> "$builtin_dbversion" | @sort@ -V | @head@ -n1)
> +-      if [ "$older_dbversion" = "$builtin_dbversion" ]; then
> ++      # older_dbversion=$(printf "%b\n%b" "$local_dbversion"
> "$builtin_dbversion" | @sort@ -V | @head@ -n1)
> ++      # if [ "$older_dbversion" = "$builtin_dbversion" ]; then
> +               mcedb_source="$mcedb_cache"
> +               mcedb_info="local firmwares DB $local_dbversion"
> +-      fi
> ++      # fi
> + fi
> + # if mcedb_source is not set, either we don't have a local cached
> db, or it is older than the builtin db
> +-if [ -z "${mcedb_source:-}" ]; then
> +-      mcedb_source="$0"
> +-      mcedb_info="builtin firmwares DB $builtin_dbversion"
> +-fi
> ++# if [ -z "${mcedb_source:-}" ]; then
> ++#     mcedb_source="$0"
> ++#     mcedb_info="builtin firmwares DB $builtin_dbversion"
> ++# fi
I'm not sure whether this is correctly patched.
> + read_mcedb()
> + {
> +       @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / {
> DELIM=1 }' "$mcedb_source"
> +@@ -2070,6 +2069,9 @@ is_latest_known_ucode()
> +       else
> +               return 2
> +       fi
> ++      if [ -z "$mcedb_source" ]; then
> ++              return 2
> ++      fi
Here neither; what does the return 2 above do?
> +       for tuple in $(read_mcedb | @grep@ "$(printf
> "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
> +       do
> +               ucode=$((  $(echo "$tuple" | @cut@ -d, -f3) ))
> +@@ -5833,428 +5835,3 @@ fi
> + [ "$global_critical" = 1 ] && exit 2  # critical
> + [ "$global_unknown"  = 1 ] && exit 3  # unknown
> + exit 0  # ok
> +-
> +-# We're using MCE.db from the excellent platomav's MCExtractor
> project
> +-# The builtin version follows, but the user can download an up-to-
> date copy (to be stored in his $HOME) by using --update-fwdb
> +-# To update the builtin version itself (by *modifying* this very
> file), use --update-builtin-fwdb
> +-
Can we remove this builtin version without a patch, i.e. a snippet?
I think that doing so would be more robust than keeping the patch up to
date.
This message was truncated.
Hilton Chain wrote on 12 Nov 2022 13:14
[PATCH v3] gnu: Add spectre-meltdown-checker.
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)(address . 59053@debbugs.gnu.org)
y76edu8cqu3.wl-hako@ultrarare.space
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
v2 -> v3:
1. Use curl as the default downloader (it seems that wget doesn't work out of the
box for TLS?).
2. Remove instead of commenting.
3. Remove builtin firmware database via a snippet.
4. Adjust the position of the "return 2" statement. As for its purpose, it's there to
stop the version-checking function, as later steps assume a valid firmware
database. As for the value itself, a return value of is_latest_known_ucode()
other than 0 or 1 is considered "unknown" in the final output.

gnu/local.mk | 3 +
gnu/packages/linux.scm | 58 +
...ker-remove-builtin-firmware-database.patch | 113 +
...cker-stage-commands-for-substitution.patch | 1947 +++++++++++++++++
...n-checker-support-guix-system-kernel.patch | 26 +
5 files changed, 2147 insertions(+)
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index e3e02314bb..46b299d0d6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1857,6 +1857,9 @@ dist_patch_DATA = \
%D%/packages/patches/syslinux-strip-gnu-property.patch \
%D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \
%D%/packages/patches/snappy-add-inline-for-GCC.patch \
+ %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \
+ %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch \
+ %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
%D%/packages/patches/sphinxbase-fix-doxygen.patch \
%D%/packages/patches/spice-vdagent-glib-2.68.patch \
%D%/packages/patches/sssd-optional-systemd.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index fea33dfa0b..b15899baf6 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9595,3 +9595,61 @@ (define-public edac-utils
error detection and correction (EDAC).")
(home-page "https://github.com/grondo/edac-utils")
(license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+ (package
+ (name "spectre-meltdown-checker")
+ (version "0.45")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (patches
+ (search-patches
+ ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+ "spectre-meltdown-checker-support-guix-system-kernel.patch"
+ ;; NOTE: Update these patches when updating.
+ "spectre-meltdown-checker-stage-commands-for-substitution.patch"
+ "spectre-meltdown-checker-remove-builtin-firmware-database.patch"))
+ ;; Remove builtin firmware database.
+ (modules '((guix build utils)))
+ (snippet '(substitute* "spectre-meltdown-checker.sh"
+ (("^# [AI],.*") "")))
+ (sha256
+ (base32
+ "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+ (build-system copy-build-system)
+ (arguments
+ (list #:install-plan
+ #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'fixpath
+ (lambda* (#:key inputs #:allow-other-keys)
+ (substitute* "spectre-meltdown-checker.sh"
+ (("@sysctl@") (search-input-file inputs "/sbin/sysctl"))
+ (("@([a-z0-9]*)@" _ command _)
+ (search-input-file
+ inputs (string-append "/bin/" command)))))))))
+ (inputs
+ (list binutils
+ coreutils
+ grep
+ kmod
+ lz4
+ lzop
+ perl
+ procps
+ sharutils
+ util-linux
+ which
+ zstd))
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (synopsis "CPU vulnerability / mitigation checker")
+ (description
+ "This package provides a shell script to assess your system's resilience
+against the several transient execution CVEs that were published since early
+2018, and give you guidance as to how to mitigate them.")
+ (license license:gpl3)))
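Review bot: the snippet `(("^# [AI],.*") "")` empties the database lines but does not delete them, because substitute* rewrites each line and writes it back with its newline, so the installed script keeps several hundred blank lines where the table was, and the `# %%% MCEDB v222+i20220208` header line is not matched and survives. If the goal is a script without any trace of the builtin table, widen the pattern to `"^# (%%% MCEDB |[AI],).*"` and accept the blank lines, or drop the whole tail in the remove-builtin patch, where complete lines can be removed. Separately, in `(("@([a-z0-9]*)@" _ command _)` the trailing `_` is unused since the regexp has a single group; `_ command` is enough.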
diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
new file mode 100644
index 0000000000..400d8d3a07
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
@@ -0,0 +1,113 @@
+From e2cc68814cf658638946e069406ef6a6032ab318 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 12 Nov 2022 19:49:36 +0800
+Subject: [PATCH 2/2] Remove references to the builtin firmware database.
+
+---
+ spectre-meltdown-checker.sh | 43 +++++++++++--------------------------
+ 1 file changed, 12 insertions(+), 31 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 82cf1b6..5104599 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -95,7 +95,6 @@ show_usage()
+ --cpu [#,all] interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
+ --update-fwdb update our local copy of the CPU microcodes versions database (using the awesome
+ MCExtractor project and the Intel firmwares GitHub repository)
+- --update-builtin-fwdb same as --update-fwdb but update builtin DB inside the script itself
+ --dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script
+
+ Return codes:
+@@ -853,10 +852,10 @@ update_fwdb()
+ mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)"
+ mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+ _info_nol "Fetching MCE.db from the MCExtractor project... "
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
++ if command -v curl >/dev/null 2>&1; then
+ curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
++ elif command -v wget >/dev/null 2>&1; then
++ wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+ elif command -v fetch >/dev/null 2>&1; then
+ fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+ else
+@@ -874,10 +873,10 @@ update_fwdb()
+ intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+ _info_nol "Fetching Intel firmwares... "
+ ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
++ if command -v curl >/dev/null 2>&1; then
+ curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
++ elif command -v wget >/dev/null 2>&1; then
++ wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+ elif command -v fetch >/dev/null 2>&1; then
+ fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+ else
+@@ -968,14 +967,6 @@ update_fwdb()
+ sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,';
+ } > "$mcedb_cache"
+ echo DONE "(version $dbversion)"
+-
+- if [ "$1" = builtin ]; then
+- newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
+- @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+- @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+- @cat@ "$newfile" > "$0"
+- @rm@ -f "$newfile"
+- fi
+ }
+
+ parse_opt_file()
+@@ -1070,9 +1061,6 @@ while [ -n "${1:-}" ]; do
+ elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then
+ update_fwdb
+ exit $?
+- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
+- update_fwdb builtin
+- exit $?
+ elif [ "$1" = "--dump-mock-data" ]; then
+ opt_mock=1
+ shift
+@@ -2033,21 +2021,11 @@ is_xen_domU()
+ fi
+ }
+
+-builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ # we have a local cache file, but it might be older than the builtin version we have
+ local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+- # sort -V sorts by version number
+- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1)
+- if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+- mcedb_source="$mcedb_cache"
+- mcedb_info="local firmwares DB $local_dbversion"
+- fi
+-fi
+-# if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db
+-if [ -z "${mcedb_source:-}" ]; then
+- mcedb_source="$0"
+- mcedb_info="builtin firmwares DB $builtin_dbversion"
++ mcedb_source="$mcedb_cache"
++ mcedb_info="local firmwares DB $local_dbversion"
+ fi
+ read_mcedb()
+ {
+@@ -2063,7 +2041,10 @@ is_latest_known_ucode()
+ return 2
+ fi
+ ucode_latest="latest microcode version for your CPU model is unknown"
+- if is_intel; then
++ if [ -z "$mcedb_source" ]; then
++ # When $mcedb_source is not set, skip version checking and report unknown.
++ return 2
++ elif is_intel; then
+ cpu_brand_prefix=I
+ elif is_amd; then
+ cpu_brand_prefix=A
+--
+2.38.1
+
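Review bot: in the `is_latest_known_ucode` hunk, the new test `[ -z "$mcedb_source" ]` drops the default that the deleted `if [ -z "${mcedb_source:-}" ]` line used; when no cache file exists the variable is never assigned, so keep the `${mcedb_source:-}` form, consistent with the script's other unset-safe tests such as `[ -n "${dumped_config:-}" ]` in exit_cleanup. In the same patch, the comment `# we have a local cache file, but it might be older than the builtin version we have` is now stale because the version comparison beneath it is removed; reword it to say the local cache is used whenever it is readable.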
diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
new file mode 100644
index 0000000000..a2f13e4195
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
@@ -0,0 +1,1947 @@
+From 4dc8ae01aec5a8a2aa2afc015603261d514620ae Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Fri, 11 Nov 2022 18:49:50 +0800
+Subject: [PATCH 1/2] Stage commands for later substitution.
+
+awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find, getent,
+grep, gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm,
+nproc, objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat,
+strings, sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, which,
+whoami, xargs.
+---
+ spectre-meltdown-checker.sh | 648 ++++++++++++++++++------------------
+ 1 file changed, 324 insertions(+), 324 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 30f760c..82cf1b6 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -19,33 +19,33 @@ trap '_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT
+ exit_cleanup()
+ {
+ # cleanup the temp decompressed config & kernel image
+- [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
+- [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp"
+- [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2"
+- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm -f "$mcedb_tmp"
+- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm -rf "$intel_tmp"
+- [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
+- [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null
+- [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
+- [ "${insmod_msr:-}" = 1 ] && rmmod msr 2>/dev/null
++ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && @rm@ -f "$dumped_config"
++ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && @rm@ -f "$kerneltmp"
++ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && @rm@ -f "$kerneltmp2"
++ [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && @rm@ -f "$mcedb_tmp"
++ [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && @rm@ -rf "$intel_tmp"
++ [ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug 2>/dev/null
++ [ "${mounted_procfs:-}" = 1 ] && @umount@ "$procfs" 2>/dev/null
++ [ "${insmod_cpuid:-}" = 1 ] && @rmmod@ cpuid 2>/dev/null
++ [ "${insmod_msr:-}" = 1 ] && @rmmod@ msr 2>/dev/null
+ [ "${kldload_cpuctl:-}" = 1 ] && kldunload cpuctl 2>/dev/null
+ [ "${kldload_vmm:-}" = 1 ] && kldunload vmm 2>/dev/null
+ }
+
+ # if we were git clone'd, adjust VERSION
+-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then
+- describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null)
+- [ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e s/^v//)
++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null 2>&1; then
++ describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty 2>/dev/null)
++ [ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e s/^v//)
+ fi
+
+ show_usage()
+ {
+ # shellcheck disable=SC2086
+- cat <<EOF
++ @cat@ <<EOF
+ Usage:
+- Live mode (auto): $(basename $0) [options]
+- Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
+- Offline mode: $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
++ Live mode (auto): $(@basename@ $0) [options]
++ Live mode (manual): $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
++ Offline mode: $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
+
+ Modes:
+ Two modes are available.
+@@ -110,7 +110,7 @@ EOF
+
+ show_disclaimer()
+ {
+- cat <<EOF
++ @cat@ <<EOF
+ Disclaimer:
+
+ This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the
+@@ -138,7 +138,7 @@ This tool has been released in the hope that it'll be useful, but don't use it t
+ EOF
+ }
+
+-os=$(uname -s)
++os=$(@uname@ -s)
+
+ # parse options
+ opt_kernel=''
+@@ -207,7 +207,7 @@ __echo()
+ _interpret_chars='-e'
+ fi
+ _ctrlchar=$($echo_cmd $_interpret_chars "\033")
+- _msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
++ _msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
+ fi
+ if [ "$echo_cmd_type" = printf ]; then
+ if [ "$opt" = "-n" ]; then
+@@ -383,7 +383,7 @@ is_cpu_affected()
+ # https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not affected
+ # https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown affected
+ # model name : Pentium(R) Dual-Core CPU E5200 @ 2.50GHz
+- if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
++ if echo "$cpu_friendly_name" | @grep@ -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
+ variant1=vuln
+ [ -z "$variant2" ] && variant2=immune
+ variant3=vuln
+@@ -486,7 +486,7 @@ is_cpu_affected()
+ i=$(( i + 1 ))
+ # do NOT quote $cpu_arch_list below
+ # shellcheck disable=SC2086
+- cpuarch=$(echo $cpu_arch_list | awk '{ print $'$i' }')
++ cpuarch=$(echo $cpu_arch_list | @awk@ '{ print $'$i' }')
+ _debug "checking cpu$i: <$cpupart> <$cpuarch>"
+ # some kernels report AArch64 instead of 8
+ [ "$cpuarch" = "AArch64" ] && cpuarch=8
+@@ -497,49 +497,49 @@ is_cpu_affected()
+ # part ? ? c08 c09 c0d c0f c0e d07 d08 d09 d0a d0b d0c d0d
+ # arch 7? 7? 7 7 7 7 7 8 8 8 8 8 8 8
+ #
+- # Whitelist identified non-affected processors, use vulnerability information from
++ # Whitelist identified non-affected processors, use vulnerability information from
+ # https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
+ # Partnumbers can be found here:
+ # https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in
+ #
+ # Maintain cumulative check of vulnerabilities -
+ # if at least one of the cpu is affected, then the system is affected
+- if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
++ if [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ [ -z "$variant3a" ] && variant3a=immune
+ [ -z "$variant4" ] && variant4=immune
+ _debug "checking cpu$i: armv7 A8/A9/A12/A17 non affected to variants 3, 3a & 4"
+- elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc0f; then
++ elif [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc0f; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ variant3a=vuln
+ [ -z "$variant4" ] && variant4=immune
+ _debug "checking cpu$i: armv7 A15 non affected to variants 3 & 4"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd07 -e 0xd08; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ variant3a=vuln
+ variant4=vuln
+ _debug "checking cpu$i: armv8 A57/A72 non affected to variants 3"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd09; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd09; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ [ -z "$variant3a" ] && variant3a=immune
+ variant4=vuln
+ _debug "checking cpu$i: armv8 A73 non affected to variants 3 & 3a"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0a; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0a; then
+ variant1=vuln
+ variant2=vuln
+ variant3=vuln
+ [ -z "$variant3a" ] && variant3a=immune
+ variant4=vuln
+ _debug "checking cpu$i: armv8 A75 non affected to variant 3a"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
+ variant1=vuln
+ [ -z "$variant2" ] && variant2=immune
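Review bot: the first -/+ pair of this hunk (the "# Whitelist identified non-affected processors" comment) is a whitespace-only change; the visible text is identical on both lines, and it has nothing to do with staging commands. Drop it so the substitution patch stays minimal and is easier to rebase when the script is updated.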
+@@ -820,7 +820,7 @@ is_cpu_ssb_free()
+ if [ "$cpu_family" = "18" ] || \
+ [ "$cpu_family" = "17" ] || \
+ [ "$cpu_family" = "16" ] || \
+- [ "$cpu_family" = "15" ]; then
++ [ "$cpu_family" = "15" ]; then
+ return 0
+ fi
+ fi
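Review bot: this hunk is whitespace-only as well ([ "$cpu_family" = "15" ]; then is unchanged apart from indentation) and should be dropped for the same reason as the previous one.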
+@@ -837,7 +837,7 @@ show_header()
+ _info
+ }
+
+-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
++[ -z "$HOME" ] && HOME="$(@getent@ passwd "$(@whoami@)" | @cut@ -d: -f6)"
+ mcedb_cache="$HOME/.mcedb"
+ update_fwdb()
+ {
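Review bot: @getent@ will be resolved by the "/bin/" + command rule in the package, which works, but getent is installed by glibc rather than coreutils, so it is only found through the build system's implicit libc input. If this block survives into the next revision, add the package that provides getent to inputs explicitly so the runtime reference is deliberate.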
+@@ -846,11 +846,11 @@ update_fwdb()
+ set -e
+
+ if [ -r "$mcedb_cache" ]; then
+- previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
++ previous_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+ fi
+
+ # first, download the MCE.db from the excellent platomav's MCExtractor project
+- mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
++ mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX
This message was truncated.
Liliana Marie Prikler wrote on 12 Nov 2022 13:28
(name . Hilton Chain)(address . hako@ultrarare.space)(address . 59053@debbugs.gnu.org)
cf3096650d54da99f849780dac120062e8dbc9c5.camel@gmail.com
On Saturday, 12 Nov 2022 at 20:14 +0800, Hilton Chain wrote:
> 1. Use curl as default downloader (It seems that wget doesn't work
> out of the box for TLS?).
Uhm, what exactly is the checker downloading that it needs wget or curl
for?
Hilton Chain wrote on 12 Nov 2022 13:50
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)(address . 59053@debbugs.gnu.org)
y76k040pca6.wl-hako@ultrarare.space
On Sat, 12 Nov 2022 20:28:58 +0800,
Liliana Marie Prikler wrote:
> Uhm, what exactly is the checker downloading that it needs wget or curl
> for?
With option "--update-fwdb", the checker fetches source files and builds the firmware database.
Liliana Marie Prikler wrote on 12 Nov 2022 14:40
(name . Hilton Chain)(address . hako@ultrarare.space)(address . 59053@debbugs.gnu.org)
60647514a548fc2589c1816ca8fef94fa20a7b94.camel@gmail.com
On Saturday, 12 Nov 2022 at 20:50 +0800, Hilton Chain wrote:
> On Sat, 12 Nov 2022 20:28:58 +0800,
> Liliana Marie Prikler wrote:
> > Uhm, what exactly is the checker downloading that it needs wget or
> > curl for?
> With option "--update-fwdb", the checker fetches source files and
> builds the firmware database.
You mean proprietary firmware?
Hilton Chain wrote on 12 Nov 2022 16:15
[PATCH v4] gnu: Add spectre-meltdown-checker.
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)(address . 59053@debbugs.gnu.org)
y76v8nkdx15.wl-hako@ultrarare.space
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
v3 -> v4:
1. Remove downloading function.
2. Add option for supplying a local database.

gnu/local.mk | 3 +
gnu/packages/linux.scm | 54 +
...ker-remove-builtin-firmware-database.patch | 243 +++
...cker-stage-commands-for-substitution.patch | 1849 +++++++++++++++++
...n-checker-support-guix-system-kernel.patch | 26 +
5 files changed, 2175 insertions(+)
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index e3e02314bb..46b299d0d6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1857,6 +1857,9 @@ dist_patch_DATA = \
%D%/packages/patches/syslinux-strip-gnu-property.patch \
%D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \
%D%/packages/patches/snappy-add-inline-for-GCC.patch \
+ %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \
+ %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch \
+ %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
%D%/packages/patches/sphinxbase-fix-doxygen.patch \
%D%/packages/patches/spice-vdagent-glib-2.68.patch \
%D%/packages/patches/sssd-optional-systemd.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index fea33dfa0b..1807fd5655 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9595,3 +9595,57 @@ (define-public edac-utils
error detection and correction (EDAC).")
(home-page "https://github.com/grondo/edac-utils")
(license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+ (package
+ (name "spectre-meltdown-checker")
+ (version "0.45")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (patches
+ (search-patches
+ ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+ "spectre-meltdown-checker-support-guix-system-kernel.patch"
+ ;; NOTE: Update these patches when updating.
+ "spectre-meltdown-checker-remove-builtin-firmware-database.patch"
+ "spectre-meltdown-checker-stage-commands-for-substitution.patch"))
+ ;; Remove builtin firmware database.
+ (modules '((guix build utils)))
+ (snippet '(substitute* "spectre-meltdown-checker.sh"
+ (("^# [AI],.*") "")))
+ (sha256
+ (base32
+ "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+ (build-system copy-build-system)
+ (arguments
+ (list #:install-plan
+ #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'fixpath
+ (lambda* (#:key inputs #:allow-other-keys)
+ (substitute* "spectre-meltdown-checker.sh"
+ (("@sysctl@") (search-input-file inputs "/sbin/sysctl"))
+ (("@([a-z0-9]*)@" _ command _)
+ (search-input-file
+ inputs (string-append "/bin/" command)))))))))
+ (inputs
+ (list kmod
+ lz4
+ lzop
+ perl
+ procps
+ sharutils
+ util-linux
+ zstd))
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (synopsis "CPU vulnerability / mitigation checker")
+ (description
+ "This package provides a shell script to assess your system's resilience
+against the several transient execution CVEs that were published since early
+2018, and give you guidance as to how to mitigate them.")
+ (license license:gpl3)))
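Review bot: the fixpath phase resolves every staged command with search-input-file on inputs, but most of the commands named in the staging patch (awk, base64, cut, dd, find, grep, gunzip, gzip, head, id, nm, nproc, objdump, od, readelf, sed, sort, stat, strings, tr, uname, unlzma, unxz, bunzip2, xargs) come from coreutils, findutils, grep, sed, gawk, binutils, gzip, bzip2 and xz, none of which are in the inputs list; they are only found because the build system adds them implicitly for a native build. List them explicitly in inputs so the runtime references are deliberate and the substitution also works when cross-compiling, where inputs holds only target-side packages and the implicit tools are native. Two smaller points: in the match clause (("@([a-z0-9]*)@" _ command _) ...) the trailing _ names a capture group that does not exist and can simply be dropped; and since search-input-file raises when a file is missing, a failed build is a good self-check for any command whose package was forgotten, so keep that rather than falling back to a bare command name.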
diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
new file mode 100644
index 0000000000..888bb0c2b1
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
@@ -0,0 +1,243 @@
+From a3a9b7ca93071393e6bfd999fedd737009718aab Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 12 Nov 2022 22:45:24 +0800
+Subject: [PATCH 1/2] Remove builtin firmware database.
+
+1. Remove downloading function.
+2. Add option for supplying a local database.
+---
+ spectre-meltdown-checker.sh | 180 +++---------------------------------
+ 1 file changed, 15 insertions(+), 165 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 30f760c..ce46970 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -22,8 +22,6 @@ exit_cleanup()
+ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
+ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp"
+ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2"
+- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm -f "$mcedb_tmp"
+- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm -rf "$intel_tmp"
+ [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
+ [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null
+ [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
+@@ -93,9 +91,7 @@ show_usage()
+ --vmm [auto,yes,no] override the detection of the presence of a hypervisor, default: auto
+ --allow-msr-write allow probing for write-only MSRs, this might produce kernel logs or be blocked by your system
+ --cpu [#,all] interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
+- --update-fwdb update our local copy of the CPU microcodes versions database (using the awesome
+- MCExtractor project and the Intel firmwares GitHub repository)
+- --update-builtin-fwdb same as --update-fwdb but update builtin DB inside the script itself
++ --with-fwdb FILE supply the CPU microcodes versions database
+ --dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script
+
+ Return codes:
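Review bot: the help text for --with-fwdb FILE does not say what FILE has to look like or where to get it. The consumer below expects the format written by upstream's --update-fwdb, i.e. a "# %%% MCEDB v<version>" header followed by "# I,0x<cpuid>,0x<version>,<yyyymmdd>" and "# A,..." rows (see the awk on "# %%% MCEDB" and the SELECT statements in the removed update_fwdb). Say so here, e.g. "supply a CPU microcode versions database in the format produced by the upstream script's --update-fwdb", and fix "microcodes versions" to "microcode versions".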
+@@ -837,147 +833,6 @@ show_header()
+ _info
+ }
+
+-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
+-mcedb_cache="$HOME/.mcedb"
+-update_fwdb()
+-{
+- show_header
+-
+- set -e
+-
+- if [ -r "$mcedb_cache" ]; then
+- previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+- fi
+-
+- # first, download the MCE.db from the excellent platomav's MCExtractor project
+- mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
+- mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+- _info_nol "Fetching MCE.db from the MCExtractor project... "
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
+- curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+- elif command -v fetch >/dev/null 2>&1; then
+- fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+- else
+- echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
+- return 1
+- fi
+- if [ "$ret" != 0 ]; then
+- echo ERROR "error $ret while downloading MCE.db"
+- return $ret
+- fi
+- echo DONE
+-
+- # second, get the Intel firmwares from GitHub
+- intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
+- intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+- _info_nol "Fetching Intel firmwares... "
+- ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
+- curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+- elif command -v fetch >/dev/null 2>&1; then
+- fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+- else
+- echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
+- return 1
+- fi
+- if [ "$ret" != 0 ]; then
+- echo ERROR "error $ret while downloading Intel firmwares"
+- return $ret
+- fi
+- echo DONE
+-
+- # now extract MCEdb contents using sqlite
+- _info_nol "Extracting MCEdb data... "
+- if ! command -v sqlite3 >/dev/null 2>&1; then
+- echo ERROR "please install the \`sqlite3\` program"
+- return 1
+- fi
+- mcedb_revision=$(sqlite3 "$mcedb_tmp" "select revision from MCE")
+- if [ -z "$mcedb_revision" ]; then
+- echo ERROR "downloaded file seems invalid"
+- return 1
+- fi
+- sqlite3 "$mcedb_tmp" "alter table Intel add column origin text"
+- sqlite3 "$mcedb_tmp" "update Intel set origin='mce'"
+-
+- echo OK "MCExtractor database revision $mcedb_revision"
+-
+- # parse Intel firmwares to get their versions
+- _info_nol "Integrating Intel firmwares data to db... "
+- if ! command -v unzip >/dev/null 2>&1; then
+- echo ERROR "please install the \`unzip\` program"
+- return 1
+- fi
+- ( cd "$intel_tmp" && unzip fw.zip >/dev/null; )
+- if ! [ -d "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" ]; then
+- echo ERROR "expected the 'intel-ucode' folder in the downloaded zip file"
+- return 1
+- fi
+-
+- if ! command -v iucode_tool >/dev/null 2>&1; then
+- if ! command -v iucode-tool >/dev/null 2>&1; then
+- echo ERROR "please install the \`iucode-tool\` program"
+- return 1
+- else
+- iucode_tool="iucode-tool"
+- fi
+- else
+- iucode_tool="iucode_tool"
+- fi
+- # 079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev 0x0217, size 5120
+- # 078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev 0x0107, size 5120
+- $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
+- do
+- _line=$( echo "$_line" | tr -d ',')
+- _cpuid=$( echo "$_line" | awk '{print $3}')
+- _cpuid=$(( _cpuid ))
+- _cpuid=$(printf "0x%08X" "$_cpuid")
+- _date=$( echo "$_line" | awk '{print $6}' | tr -d '-')
+- _version=$(echo "$_line" | awk '{print $8}')
+- _version=$(( _version ))
+- _version=$(printf "0x%08X" "$_version")
+- _sqlstm="$(printf "INSERT INTO Intel (origin,cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")"
+- sqlite3 "$mcedb_tmp" "$_sqlstm"
+- done
+- _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
+- if [ -n "$_intel_timestamp" ]; then
+- # use this date, it matches the last commit date
+- _intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp")
+- else
+- echo "Falling back to the latest microcode date"
+- _intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT yyyymmdd from Intel WHERE origin = 'intel' ORDER BY yyyymmdd DESC LIMIT 1;")
+- fi
+- echo DONE "(version $_intel_latest_date)"
+-
+- dbversion="$mcedb_revision+i$_intel_latest_date"
+-
+- if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [ "$previous_dbversion" = "v$dbversion" ]; then
+- echo "We already have this version locally, no update needed"
+- return 0
+- fi
+-
+- _info_nol "Building local database... "
+- {
+- echo "# Spectre & Meltdown Checker";
+- echo "# %%% MCEDB v$dbversion";
+- sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+- sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+- } > "$mcedb_cache"
+- echo DONE "(version $dbversion)"
+-
+- if [ "$1" = builtin ]; then
+- newfile=$(mktemp -t smc-builtin-XXXXXX)
+- awk '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+- awk '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+- cat "$newfile" > "$0"
+- rm -f "$newfile"
+- fi
+-}
+-
+ parse_opt_file()
+ {
+ # parse_opt_file option_name option_value
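Review bot: removing update_fwdb also removes the HOME fallback and the mcedb_cache="$HOME/.mcedb" default, so mcedb_cache is now undefined unless --with-fwdb is given and every later use relies on an unset variable. Either initialise mcedb_cache='' next to the other opt_* defaults or keep $HOME/.mcedb as the default so a database previously built with the upstream script is still picked up automatically.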
+@@ -1067,12 +922,15 @@ while [ -n "${1:-}" ]; do
+ # deprecated, kept for compatibility
+ opt_explain=0
+ shift
+- elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then
+- update_fwdb
+- exit $?
+- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
+- update_fwdb builtin
+- exit $?
++ elif [ "$1" = "--with-fwdb" ] || [ "$1" = "--with-mcedb" ]; then
++ opt_fwdb=$2
++ if [ -f "$opt_fwdb" ]; then
++ mcedb_cache=$2
++ else
++ echo "$0: error: --with-fwdb should be a file, got '$opt_fwdb'" >&2
++ exit 255
++ fi
++ shift 2
+ elif [ "$1" = "--dump-mock-data" ]; then
+ opt_mock=1
+ shift
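Review bot: the parse-time check uses [ -f "$opt_fwdb" ] while the code that actually loads the database tests [ -r "$mcedb_cache" ], so a file that exists but is unreadable passes here and is then silently ignored (the microcode check just reports "unknown"). Test -r here and fail loudly, and assign mcedb_cache=$opt_fwdb rather than $2 a second time so the two variables cannot drift apart.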
+@@ -2033,21 +1891,11 @@ is_xen_domU()
+ fi
+ }
+
+-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ # we have a local cache file, but it might be older than the builtin version we have
+ local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+- # sort -V sorts by version number
+- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | sort -V | head -n1)
+- if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+- mcedb_source="$mcedb_cache"
+- mcedb_info="local firmwares DB $local_dbversion"
+- fi
+-fi
+-# if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db
+-if [ -z "${mcedb_source:-}" ]; then
+- mcedb_source="$0"
+- mcedb_info="builtin firmwares DB $builtin_dbversion"
++ mcedb_source="$mcedb_cache"
++ mcedb_info="local firmwares DB $local_dbversion"
+ fi
+ read_mcedb()
+ {
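Review bot: the comment "we have a local cache file, but it might be older than the builtin version we have" is stale now that the builtin database and the sort -V comparison are gone; reword it to say that the only database is the one supplied with --with-fwdb. Also set mcedb_source='' before the if so the variable is always defined, since it is tested with [ -z "$mcedb_source" ] further down.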
+@@ -2063,7 +1911,9 @@ is_latest_known_ucode()
+ return 2
+ fi
+ ucode_latest="latest microcode version for your CPU model is unknown"
+- if is_intel; then
++ if [ -z "$mcedb_source" ]; then
++ return 2
++ elif is_intel; then
+ cpu_brand_prefix=I
+ elif is_amd; then
+ cpu_brand_prefix=A
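Review bot: [ -z "$mcedb_source" ] reads an unset variable when no database was supplied; use "${mcedb_source:-}" here, matching the style already used in exit_cleanup, so the script also behaves under set -u. It would also help Guix users if the "latest microcode version for your CPU model is unknown" text mentioned that a database can be passed with --with-fwdb, since that is the only reason the check is inconclusive in this build.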
+--
+2.38.1
+
diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
new file mode 100644
index 0000000000..a8e7531f32
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
@@ -0,0 +1,1849 @@
+From 1d79c223d5dc114f63da2c5061d2c713d8a05687 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Fri, 11 Nov 2022 18:49:50 +0800
+Subject: [PATCH 2/2] Stage commands for later substitution.
+
+awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find, grep,
+gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm, nproc,
+objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat, strings,
+sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, xargs.
+---
+ spectre-meltdown-checker.sh | 606 ++++++++++++++++++------------------
+ 1 file changed, 303 insertions(+), 303 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index ce46970..4889ebb 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -19,31 +19,31 @@ trap '_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT
+ exit_cleanup()
+ {
+ # cleanup the temp decompressed config & kernel image
+- [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
+- [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp"
+- [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2"
+- [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
+- [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null
+- [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
+- [ "${insmod_msr:-}" = 1 ] && rmmod msr 2>/dev/null
++ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && @rm@ -f "$dumped_config"
++ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && @rm@ -f "$kerneltmp"
++ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && @rm@ -f "$kerneltmp2"
++ [ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug 2>/dev/null
++ [ "${mounted_procfs:-}" = 1 ] && @umount@ "$procfs" 2>/dev/null
++ [ "${insmod_cpuid:-}" = 1 ] && @rmmod@ cpuid 2>/dev/null
++ [ "${insmod_msr:-}" = 1 ] && @rmmod@ msr 2>/dev/null
+ [ "${kldload_cpuctl:-}" = 1 ] && kldunload cpuctl 2>/dev/null
+ [ "${kldload_vmm:-}" = 1 ] && kldunload vmm 2>/dev/null
+ }
+
+ # if we were git clone'd, adjust VERSION
+-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then
+- describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null)
+- [ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e s/^v//)
++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null 2>&1; then
++ describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty 2>/dev/null)
++ [ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e s/^v//)
+ fi
+
+ show_usage()
+ {
+ # shellcheck disable=SC2086
+- cat <<EOF
++ @cat@ <<EOF
+ Usage:
+- Live mode (auto): $(basename $0) [options]
+- Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
+- Offline mode: $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
++ Live mode (auto): $(@basename@ $0) [options]
++ Live mode (manual): $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
++ Offline mode: $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
+
+ Modes:
+ Two modes are available.
+@@ -106,7 +106,7 @@ EOF
+
+ show_disclaimer()
+ {
+- cat <<EOF
++ @cat@ <<EOF
+ Disclaimer:
+
+ This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the
+@@ -134,7 +134,7 @@ This tool has been released in the hope that it'll be useful, but don't use it t
+ EOF
+ }
+
+-os=$(uname -s)
++os=$(@uname@ -s)
+
+ # parse options
+ opt_kernel=''
+@@ -203,7 +203,7 @@ __echo()
+ _interpret_chars='-e'
+ fi
+ _ctrlchar=$($echo_cmd $_interpret_chars "\033")
+- _msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
++ _msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
+ fi
+ if [ "$echo_cmd_type" = printf ]; then
+ if [ "$opt" = "-n" ]; then
+@@ -379,7 +379,7 @@ is_cpu_affected()
+ # https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not affected
+ # https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown affected
+ # model name : Pentium(R) Dual-Core CPU E5200 @ 2.50GHz
+- if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
++ if echo "$cpu_friendly_name" | @grep@ -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
+ variant1=vuln
+ [ -z "$varian
This message was truncated.
Liliana Marie Prikler wrote on 12 Nov 2022 17:58
(name . Hilton Chain)(address . hako@ultrarare.space)(address . 59053@debbugs.gnu.org)
3e3c90ad73311a445a3b06c7c8afb42dcf0af1b1.camel@gmail.com
On Saturday, 12 Nov 2022 at 23:15 +0800, Hilton Chain wrote:
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-
> substitution.patch:
> New file.
> * gnu/local.mk (dist_patch_DATA): Add patches.
> ---
> v3 -> v4:
> 1. Remove downloading function.
> 2. Add option for supplying a local database.
>
>  gnu/local.mk                                  |    3 +
>  gnu/packages/linux.scm                        |   54 +
>  ...ker-remove-builtin-firmware-database.patch |  243 +++
>  ...cker-stage-commands-for-substitution.patch | 1849
> +++++++++++++++++
>  ...n-checker-support-guix-system-kernel.patch |   26 +
>  5 files changed, 2175 insertions(+)
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> remove-builtin-firmware-database.patch
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> stage-commands-for-substitution.patch
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index e3e02314bb..46b299d0d6 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1857,6 +1857,9 @@ dist_patch_DATA
> =                                         \
>    %D%/packages/patches/syslinux-strip-gnu-property.patch       \
>    %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch      \
>    %D%/packages/patches/snappy-add-inline-for-GCC.patch         \
> +  %D%/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch \
> +  %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-
> substitution.patch \
> +  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
>    %D%/packages/patches/sphinxbase-fix-doxygen.patch            \
>    %D%/packages/patches/spice-vdagent-glib-2.68.patch           \
>    %D%/packages/patches/sssd-optional-systemd.patch             \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index fea33dfa0b..1807fd5655 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9595,3 +9595,57 @@ (define-public edac-utils
>  error detection and correction (EDAC).")
>      (home-page "https://github.com/grondo/edac-utils")
>      (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> +  (package
> +    (name "spectre-meltdown-checker")
> +    (version "0.45")
> +    (source (origin
> +              (method git-fetch)
> +              (uri (git-reference
> +                    (url
> "https://github.com/speed47/spectre-meltdown-checker")
> +                    (commit (string-append "v" version))))
> +              (file-name (git-file-name name version))
> +              (patches
> +               (search-patches
> +                ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> +                "spectre-meltdown-checker-support-guix-system-
> kernel.patch"
> +                ;; NOTE: Update these patches when updating.
> +                "spectre-meltdown-checker-remove-builtin-firmware-
> database.patch"
Is this comment still needed?
> +                "spectre-meltdown-checker-stage-commands-for-
> substitution.patch"))
> +              ;; Remove builtin firmware database.
> +              (modules '((guix build utils)))
> +              (snippet '(substitute* "spectre-meltdown-checker.sh"
> +                          (("^# [AI],.*") "")))
> +              (sha256
> +               (base32
> +               
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> +    (build-system copy-build-system)
> +    (arguments
> +     (list #:install-plan
> +           #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> +           #:phases
> +           #~(modify-phases %standard-phases
> +               (add-after 'unpack 'fixpath
> +                 (lambda* (#:key inputs #:allow-other-keys)
> +                   (substitute* "spectre-meltdown-checker.sh"
> +                     (("@sysctl@") (search-input-file inputs
> "/sbin/sysctl"))
> +                     (("@([a-z0-9]*)@" _ command _)
> +                      (search-input-file
> +                       inputs (string-append "/bin/"
> command)))))))))
> +    (inputs
> +     (list kmod
> +           lz4
> +           lzop
> +           perl
> +           procps
> +           sharutils
> +           util-linux
> +           zstd))
> +    (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> +    (synopsis "CPU vulnerability / mitigation checker")
> +    (description
> +     "This package provides a shell script to assess your system's
> resilience
> +against the several transient execution CVEs that were published
> since early
> +2018, and give you guidance as to how to mitigate them.")
> +    (license license:gpl3)))
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-
> builtin-firmware-database.patch b/gnu/packages/patches/spectre-
> meltdown-checker-remove-builtin-firmware-database.patch
> new file mode 100644
> index 0000000000..888bb0c2b1
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch
> @@ -0,0 +1,243 @@
> +From a3a9b7ca93071393e6bfd999fedd737009718aab Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Sat, 12 Nov 2022 22:45:24 +0800
> +Subject: [PATCH 1/2] Remove builtin firmware database.
> +
> +1. Remove downloading function.
> +2. Add option for supplying a local database.
> +---
> + spectre-meltdown-checker.sh | 180 +++------------------------------
> ---
> + 1 file changed, 15 insertions(+), 165 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 30f760c..ce46970 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -22,8 +22,6 @@ exit_cleanup()
> +       [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm
> -f "$dumped_config"
> +       [ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && rm
> -f "$kerneltmp"
> +       [ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] && rm
> -f "$kerneltmp2"
> +-      [ -n "${mcedb_tmp:-}"     ] && [ -f "$mcedb_tmp"     ] && rm
> -f "$mcedb_tmp"
> +-      [ -n "${intel_tmp:-}"     ] && [ -d "$intel_tmp"     ] && rm
> -rf "$intel_tmp"
> +       [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug
> 2>/dev/null
> +       [ "${mounted_procfs:-}"  = 1 ] && umount "$procfs"
> 2>/dev/null
> +       [ "${insmod_cpuid:-}"    = 1 ] && rmmod cpuid 2>/dev/null
> +@@ -93,9 +91,7 @@ show_usage()
> +               --vmm [auto,yes,no]     override the detection of the
> presence of a hypervisor, default: auto
> +               --allow-msr-write       allow probing for write-only
> MSRs, this might produce kernel logs or be blocked by your system
> +               --cpu [#,all]           interact with CPUID and MSR
> of CPU core number #, or all (default: CPU core 0)
> +-              --update-fwdb           update our local copy of the
> CPU microcodes versions database (using the awesome
> +-                                      MCExtractor project and the
> Intel firmwares GitHub repository)
> +-              --update-builtin-fwdb   same as --update-fwdb but
> update builtin DB inside the script itself
> ++              --with-fwdb FILE        supply the CPU microcodes
> versions database
> +               --dump-mock-data        used to mimick a CPU on an
> other system, mainly used to help debugging this script
> +
> +       Return codes:
> +@@ -837,147 +833,6 @@ show_header()
> +       _info
> + }
> +
> +-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
> +-mcedb_cache="$HOME/.mcedb"
> +-update_fwdb()
> +-{
> +-      show_header
> +-
> +-      set -e
> +-
> +-      if [ -r "$mcedb_cache" ]; then
> +-              previous_dbversion=$(awk '/^# %%% MCEDB / { print $4
> }' "$mcedb_cache")
> +-      fi
> +-
> +-      # first, download the MCE.db from the excellent platomav's
> MCExtractor project
> +-      mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
> +-
>       mcedb_url='https://github.com/platomav/MCExtractor/raw/master/M
> CE.db'
> +-      _info_nol "Fetching MCE.db from the MCExtractor project... "
> +-      if command -v wget >/dev/null 2>&1; then
> +-              wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
> +-      elif command -v curl >/dev/null 2>&1; then
> +-              curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
> +-      elif command -v fetch >/dev/null 2>&1; then
> +-              fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
> +-      else
> +-              echo ERROR "please install one of \`wget\`, \`curl\`
> of \`fetch\` programs"
> +-              return 1
> +-      fi
> +-      if [ "$ret" != 0 ]; then
> +-              echo ERROR "error $ret while downloading MCE.db"
> +-              return $ret
> +-      fi
> +-      echo DONE
> +-
> +-      # second, get the Intel firmwares from GitHub
> +-      intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
> +-
>       intel_url="https://github.com/intel/Intel-Linux-Processor-Micro
> code-Data-Files/archive/main.zip"
> +-      _info_nol "Fetching Intel firmwares... "
> +-      ##
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
> +-      if command -v wget >/dev/null 2>&1; then
> +-              wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
> +-      elif command -v curl >/dev/null 2>&1; then
> +-              curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
> +-      elif command -v fetch >/dev/null 2>&1; then
> +-              fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
> +-      else
> +-              echo ERROR "please install one of \`wget\`, \`curl\`
> of \`fetch\` programs"
> +-              return 1
> +-      fi
> +-      if [ "$ret" != 0 ]; then
> +-              echo ERROR "error $ret while downloading Intel
> firmwares"
> +-              return $ret
> +-      fi
> +-      echo DONE
> +-
> +-      # now extract MCEdb contents using sqlite
> +-      _info_nol "Extracting MCEdb data... "
> +-      if ! command -v sqlite3 >/dev/null 2>&1; then
> +-              echo ERROR "please install the \`sqlite3\` program"
> +-              return 1
> +-      fi
> +-      mcedb_revision=$(sqlite3 "$mcedb_tmp" "select revision from
> MCE")
> +-      if [ -z "$mcedb_revision" ]; then
> +-              echo ERROR "downloaded file seems invalid"
> +-              return 1
> +-      fi
> +-      sqlite3 "$mcedb_tmp" "alter table Intel add column origin
> text"
> +-      sqlite3 "$mcedb_tmp" "update Intel set origin='mce'"
> +-
> +-      echo OK "MCExtractor database revision $mcedb_revision"
> +-
> +-      # parse Intel firmwares to get their versions
> +-      _info_nol "Integrating Intel firmwares data to db... "
> +-      if ! command -v unzip >/dev/null 2>&1; then
> +-              echo ERROR "please install the \`unzip\` program"
> +-              return 1
> +-      fi
> +-      ( cd "$intel_tmp" && unzip fw.zip >/dev/null; )
> +-      if ! [ -d "$intel_tmp/Intel-Linux-Processor-Microcode-Data-
> Files-main/intel-ucode" ]; then
> +-              echo ERROR "expected the 'intel-ucode' folder in the
> downloaded zip file"
> +-              return 1
> +-      fi
> +-
> +-      if ! command -v iucode_tool >/dev/null 2>&1; then
> +-              if ! command -v iucode-tool >/dev/null 2>&1; then
> +-                      echo ERROR "please install the \`iucode-
> tool\` program"
> +-                      return 1
> +-              else
> +-                      iucode_tool="iucode-tool"
> +-              fi
> +-      else
> +-              iucode_tool="iucode_tool"
> +-      fi
> +-      #  079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev
> 0x0217, size 5120
> +-      #  078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev
> 0x0107, size 5120
> +-      $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-
> Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
> +-      do
> +-              _line=$(   echo "$_line" | tr -d ',')
> +-              _cpuid=$(  echo "$_line" | awk '{print $3}')
> +-              _cpuid=$(( _cpuid ))
> +-              _cpuid=$(printf "0x%08X" "$_cpuid")
> +-              _date=$(   echo "$_line" | awk '{print $6}' | tr -d
> '-')
> +-              _version=$(echo "$_line" | awk '{print $8}')
> +-              _version=$(( _version ))
> +-              _version=$(printf "0x%08X" "$_version")
> +-              _sqlstm="$(printf "INSERT INTO Intel
> (origin,cpuid,version,yyyymmdd) VALUES
> (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")"
> "$(printf "%08X" "$_version")" "$_date")"
> +-              sqlite3 "$mcedb_tmp" "$_sqlstm"
> +-      done
> +-      _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-
> Processor-Microcode-Data-Files-main/license" 2>/dev/null)
> +-      if [ -n "$_intel_timestamp" ]; then
> +-              # use this date, it matches the last commit date
> +-              _intel_latest_date=$(date +%Y%m%d -d
> @"$_intel_timestamp")
> +-      else
> +-              echo "Falling back to the latest microcode date"
> +-              _intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT
> yyyymmdd from Intel WHERE origin = 'intel' ORDER BY yyyymmdd DESC
> LIMIT 1;")
> +-      fi
> +-      echo DONE "(version $_intel_latest_date)"
> +-
> +-      dbversion="$mcedb_revision+i$_intel_latest_date"
> +-
> +-      if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [
> "$previous_dbversion" = "v$dbversion" ]; then
> +-              echo "We already have this version locally, no update
> needed"
> +-              return 0
> +-      fi
> +-
> +-      _info_nol "Building local database... "
> +-      {
> +-              echo "# Spectre & Meltdown Checker";
> +-              echo "# %%% MCEDB v$dbversion";
> +-              sqlite3 "$mcedb_tmp" "SELECT '#
> I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel
> AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND
> t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid
> ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
> +-              sqlite3 "$mcedb_tmp" "SELECT '#
> A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD  
> AS t1 LEFT OUTER JOIN AMD   AS t2 ON t2.cpuid=t1.cpuid AND
> t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid
> ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
> +-      } > "$mcedb_cache"
> +-      echo DONE "(version $dbversion)"
> +-
> +-      if [ "$1" = builtin ]; then
> +-              newfile=$(mktemp -t smc-builtin-XXXXXX)
> +-              awk '/^# %%% MCEDB / { exit }; { print }' "$0" >
> "$newfile"
> +-              awk '{ if (NR>1) { print } }' "$mcedb_cache" >>
> "$newfile"
> +-              cat "$newfile" > "$0"
> +-              rm -f "$newfile"
> +-      fi
> +-}
> +-
> + parse_opt_file()
> + {
> +       # parse_opt_file option_name option_value
> +@@ -1067,12 +922,15 @@ while [ -n "${1:-}" ]; do
> +               # deprecated, kept for compatibility
> +               opt_explain=0
> +               shift
> +-      elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb"
> ]; then
> +-              update_fwdb
> +-              exit $?
> +-      elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--
> update-builtin-mcedb" ]; then
> +-              update_fwdb builtin
> +-              exit $?
> ++      elif [ "$1" = "--with-fwdb" ] || [ "$1" = "--with-mcedb" ];
> then
> ++              opt_fwdb=$2
> ++              if [ -f "$opt_fwdb" ]; then
> ++                      mcedb_cache=$2
> ++              else
> ++                      echo "$0: error: --with-fwdb should be a
> file, got '$opt_fwdb'" >&2
> ++                      exit 255
> ++              fi
> ++              shift 2
> +       elif [ "$1" = "--dump-mock-data" ]; then
> +               opt_mock=1
> +               shift
> +@@ -2033,21 +1891,11 @@ is_xen_domU()
> +       fi
> + }
> +
> +-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
> + if [ -r "$mcedb_cache" ]; then
> +       # we have a local cache file, but it might be older than the
> builtin version we have
> +       local_dbversion=$(  awk '/^# %%% MCEDB / { print $4 }'
> "$mcedb_cache")
> +-      # sort -V sorts by version number
> +-      older_dbversion=$(printf "%b\n%b" "$local_dbversion"
> "$builtin_dbversion" | sort -V | head -n1)
> +-      if [ "$older_dbversion" = "$builtin_dbversion" ]; then
> +-              mcedb_source="$mcedb_cache"
> +-              mcedb_info="local firmwares DB $local_dbversion"
> +-      fi
> +-fi
> +-# if mcedb_source is not set, either we don't have a local cached
> db, or it is older than the builtin db
> +-if [ -z "${mcedb_source:-}" ]; then
> +-      mcedb_source="$0"
> +-      mcedb_info="builtin firmwares DB $builtin_dbversion"
> ++      mcedb_source="$mcedb_cache"
> ++      mcedb_info="local firmwares DB $local_dbversion"
> + fi
> + read_mcedb()
> + {
> +@@ -2063,7 +1911,9 @@ is_latest_known_ucode()
> +               return 2
> +       fi
> +       ucode_latest="latest microcode version for your CPU model is
> unknown"
> +-      if is_intel; then
> ++      if [ -z "$mcedb_source" ]; then
> ++              return 2
> ++      elif is_intel; then
> +               cpu_brand_prefix=I
> +       elif is_amd; then
> +               cpu_brand_prefix=A
> +--
> +2.38.1
> +
LGTM.
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage-
> commands-for-substitution.patch b/gnu/packages/patches/spectre-
> meltdown-checker-stage-commands-for-substitution.patch
> new file mode 100644
> index 0000000000..a8e7531f32
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-
> for-substitution.patch
> @@ -0,0 +1,1849 @@
> +From 1d79c223d5dc114f63da2c5061d2c713d8a05687 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Fri, 11 Nov 2022 18:49:50 +0800
> +Subject: [PATCH 2/2] Stage commands for later substitution.
> +
> +awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find,
> grep,
> +gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm,
> nproc,
> +objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat,
> strings,
> +sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, xargs.
> +---
I think it'd be better to provide a little more information in the patch
note, e.g. "The following commands are taken from the environment and
thus need to be substituted:
- awk
- base64
- basename
- ...
The following are shell built-ins and can remain as is
- command
- echo
- ..."

By the way, I feel like it'd be an improvement to crank down on the
number of context lines or translate this into an equivalent
substitute*, i.e.
(substitute* "spectre-meltdown-checker.sh"
(("\\<(awk|base64|...)\\>" all cmd)
(find-command inputs cmd))
(("\\<(gzip|gunzip|...)\\>" all cmd)
(find-command inputs cmd))
...)

where 
(define* (find-command inputs cmd #:optional (bin "bin"))
(search-input-file inputs (string-append bin "/" cmd)))
> + spectre-meltdown-checker.sh | 606 ++++++++++++++++++---------------
> ---
> + 1 file changed, 303 insertions(+), 303 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index ce46970..4889ebb 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -19,31 +19,31 @@ trap '_warn "interrupted, cleaning up...";
> exit_cleanup; exit 1' INT
> + exit_cleanup()
> + {
> +       # cleanup the temp decompressed config & kernel image
> +-      [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm
> -f "$dumped_config"
> +-      [ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && rm
> -f "$kerneltmp"
This message was truncated.
Hilton Chain wrote on 13 Nov 2022 14:09
[PATCH v5] gnu: Add spectre-meltdown-checker.
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)(address . 59053@debbugs.gnu.org)
y76a64v2e84.wl-hako@ultrarare.space
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
v4 -> v5: No longer an extra patch for substitution.

gnu/local.mk | 2 +
gnu/packages/linux.scm | 130 ++++++++++
...ker-remove-builtin-firmware-database.patch | 243 ++++++++++++++++++
...n-checker-support-guix-system-kernel.patch | 26 ++
4 files changed, 401 insertions(+)
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index e3e02314bb..1e85790983 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1857,6 +1857,8 @@ dist_patch_DATA = \
%D%/packages/patches/syslinux-strip-gnu-property.patch \
%D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \
%D%/packages/patches/snappy-add-inline-for-GCC.patch \
+ %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \
+ %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
%D%/packages/patches/sphinxbase-fix-doxygen.patch \
%D%/packages/patches/spice-vdagent-glib-2.68.patch \
%D%/packages/patches/sssd-optional-systemd.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index fea33dfa0b..03b7ce46b0 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9595,3 +9595,133 @@ (define-public edac-utils
error detection and correction (EDAC).")
(home-page "https://github.com/grondo/edac-utils")
(license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+ (package
+ (name "spectre-meltdown-checker")
+ (version "0.45")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (patches
+ (search-patches
+ "spectre-meltdown-checker-remove-builtin-firmware-database.patch"
+ ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+ "spectre-meltdown-checker-support-guix-system-kernel.patch"))
+ ;; Remove builtin firmware database.
+ (modules '((guix build utils)))
+ (snippet '(substitute* "spectre-meltdown-checker.sh"
+ (("^# [AI],.*") "")))
+ (sha256
+ (base32
+ "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+ (build-system copy-build-system)
+ (arguments
+ (list
+ #:install-plan
+ #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'fixpath
+ (lambda* (#:key inputs #:allow-other-keys)
+ (define* (find-command inputs cmd #:optional (bin "bin")
+ #:key (prefix "") (suffix ""))
+ (string-append
+ prefix (search-input-file inputs (string-append bin "/" cmd))
+ suffix))
+ (substitute* "spectre-meltdown-checker.sh"
+ ;; ${opt_arch_prefix}CMD
+ (((string-append
+ "\\$\\{opt_arch_prefix\\}"
+ "\\<(nm|objdump|readelf|strings)\\>") all cmd)
+ (find-command inputs cmd))
+
+ ;; dd
+ (("(dd)( if=)" all cmd suffix)
+ (find-command inputs cmd #:suffix suffix))
+
+ ;; Commands safe to substitute directly.
+ (((string-append "\\<(" (string-join
+ (list "awk"
+ "basename"
+ "dirname"
+ "bunzip2"
+ "gunzip"
+ "gzip"
+ "lz4"
+ "lzop"
+ "modprobe"
+ "pgrep"
+ "rmmod"
+ "umount"
+ "unlzma"
+ "unxz"
+ "unzstd"
+ "uuencode")
+ "|")
+ ")\\>") all cmd)
+ (find-command inputs cmd))
+
+ ;; Search by suffix.
+ ;; CMD -
+ ;; CMD ^
+ (((string-append "\\<(" (string-join
+ (list "base64"
+ "cut"
+ "grep"
+ "head"
+ "id"
+ "mount"
+ "mktemp"
+ "od"
+ "perl"
+ "rm"
+ "uname"
+ "xargs")
+ "|")
+ ")\\>( [-^])") all cmd suffix)
+ (find-command inputs cmd #:suffix suffix))
+ ;; CMD |
+ (("(dmesg)( \\|)" all cmd suffix)
+ (find-command inputs cmd #:suffix suffix))
+
+ ;; Then prefix
+ ;; | CMD
+ (("(\\| )\\<(grep|sed|sort|stat|tr)\\>" all prefix cmd)
+ (find-command inputs cmd #:prefix prefix))
+ ;; $(CMD
+ (("(\\$\\( *)(sysctl)" all prefix cmd)
+ (find-command inputs cmd "sbin" #:prefix prefix))
+ (("(\\$\\()\\<(cat|find|grep|mount|nproc|stat|tr)\\>" all prefix cmd)
+ (find-command inputs cmd #:prefix prefix))
+ ;; if CMD
+ (("(if )(sysctl)" all prefix cmd)
+ (find-command inputs cmd "sbin" #:prefix prefix))
+ ;; command -v CMD
+ (("(command -v) \"*\\<(base64|nproc|perl|printf)\\>\"*" all prefix cmd)
+ (find-command inputs cmd #:prefix prefix))
+
+ ;; Cats are mysterious...
+ ;; cat <<EOF
+ (("(cat)( <<EOF)" all cmd suffix)
+ (find-command inputs cmd #:suffix suffix))
+ ;; cat "$
+ (("(cat)(\"\\$)" all cmd suffix)
+ (find-command inputs cmd #:suffix suffix))
+ ;; 'cat'
+ (("(')(cat)(')" all prefix cmd suffix)
+ (find-command inputs cmd #:prefix prefix #:suffix suffix))
+ ;; "cat"
+ (("(\")(cat)(\")" all prefix cmd suffix)
+ (find-command inputs cmd #:prefix prefix #:suffix suffix))))))))
+ (inputs (list kmod lz4 lzop perl procps sharutils util-linux zstd))
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (synopsis "CPU vulnerability / mitigation checker")
+ (description
+ "This package provides a shell script to assess your system's resilience
+against the several transient execution CVEs that were published since early
+2018, and give you guidance as to how to mitigate them.")
+ (license license:gpl3)))
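Review bot: the `fixpath` phase resolves commands with `search-input-file inputs`, but most of the commands it rewrites are not in `inputs` at all: nm/objdump/readelf/strings (binutils), awk (gawk), grep, sed, find (findutils), gzip/gunzip, bunzip2 (bzip2), unlzma/unxz (xz) and the coreutils (cat, cut, head, id, mktemp, od, rm, sort, stat, tr, uname, xargs, dd, basename, dirname, nproc, base64). They resolve only because the build system's implicit native inputs happen to provide them, so the runtime closure of the installed script depends on build-system internals, and a cross build will not find them in `inputs`. Add `coreutils`, `grep`, `sed`, `gawk`, `findutils`, `binutils`, `gzip`, `bzip2` and `xz` to `inputs` explicitly. Two smaller points: the `dd` rule `("(dd)( if=)" all cmd suffix)` lacks the `\\<` word anchor every other rule uses, and the `("(cat)(\"\\$)" ...)` rule matches `cat"$` with no space between them, which is worth confirming against the script text it is meant to hit.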
diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
new file mode 100644
index 0000000000..809763cf4f
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
@@ -0,0 +1,243 @@
+From 340b08737e552c3c186863d76d123808d853a159 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 12 Nov 2022 22:45:24 +0800
+Subject: [PATCH] Remove builtin firmware database.
+
+1. Remove downloading function.
+2. Add option for supplying a local database.
+---
+ spectre-meltdown-checker.sh | 180 +++---------------------------------
+ 1 file changed, 15 insertions(+), 165 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 30f760c..ce46970 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -22,8 +22,6 @@ exit_cleanup()
+ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
+ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp"
+ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2"
+- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm -f "$mcedb_tmp"
+- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm -rf "$intel_tmp"
+ [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
+ [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null
+ [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
+@@ -93,9 +91,7 @@ show_usage()
+ --vmm [auto,yes,no] override the detection of the presence of a hypervisor, default: auto
+ --allow-msr-write allow probing for write-only MSRs, this might produce kernel logs or be blocked by your system
+ --cpu [#,all] interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
+- --update-fwdb update our local copy of the CPU microcodes versions database (using the awesome
+- MCExtractor project and the Intel firmwares GitHub repository)
+- --update-builtin-fwdb same as --update-fwdb but update builtin DB inside the script itself
++ --with-fwdb FILE supply the CPU microcodes versions database
+ --dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script
+
+ Return codes:
+@@ -837,147 +833,6 @@ show_header()
+ _info
+ }
+
+-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
+-mcedb_cache="$HOME/.mcedb"
+-update_fwdb()
+-{
+- show_header
+-
+- set -e
+-
+- if [ -r "$mcedb_cache" ]; then
+- previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+- fi
+-
+- # first, download the MCE.db from the excellent platomav's MCExtractor project
+- mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
+- mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+- _info_nol "Fetching MCE.db from the MCExtractor project... "
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
+- curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+- elif command -v fetch >/dev/null 2>&1; then
+- fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+- else
+- echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
+- return 1
+- fi
+- if [ "$ret" != 0 ]; then
+- echo ERROR "error $ret while downloading MCE.db"
+- return $ret
+- fi
+- echo DONE
+-
+- # second, get the Intel firmwares from GitHub
+- intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
+- intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+- _info_nol "Fetching Intel firmwares... "
+- ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
+- curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+- elif command -v fetch >/dev/null 2>&1; then
+- fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+- else
+- echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
+- return 1
+- fi
+- if [ "$ret" != 0 ]; then
+- echo ERROR "error $ret while downloading Intel firmwares"
+- return $ret
+- fi
+- echo DONE
+-
+- # now extract MCEdb contents using sqlite
+- _info_nol "Extracting MCEdb data... "
+- if ! command -v sqlite3 >/dev/null 2>&1; then
+- echo ERROR "please install the \`sqlite3\` program"
+- return 1
+- fi
+- mcedb_revision=$(sqlite3 "$mcedb_tmp" "select revision from MCE")
+- if [ -z "$mcedb_revision" ]; then
+- echo ERROR "downloaded file seems invalid"
+- return 1
+- fi
+- sqlite3 "$mcedb_tmp" "alter table Intel add column origin text"
+- sqlite3 "$mcedb_tmp" "update Intel set origin='mce'"
+-
+- echo OK "MCExtractor database revision $mcedb_revision"
+-
+- # parse Intel firmwares to get their versions
+- _info_nol "Integrating Intel firmwares data to db... "
+- if ! command -v unzip >/dev/null 2>&1; then
+- echo ERROR "please install the \`unzip\` program"
+- return 1
+- fi
+- ( cd "$intel_tmp" && unzip fw.zip >/dev/null; )
+- if ! [ -d "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" ]; then
+- echo ERROR "expected the 'intel-ucode' folder in the downloaded zip file"
+- return 1
+- fi
+-
+- if ! command -v iucode_tool >/dev/null 2>&1; then
+- if ! command -v iucode-tool >/dev/null 2>&1; then
+- echo ERROR "please install the \`iucode-tool\` program"
+- return 1
+- else
+- iucode_tool="iucode-tool"
+- fi
+- else
+- iucode_tool="iucode_tool"
+- fi
+- # 079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev 0x0217, size 5120
+- # 078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev 0x0107, size 5120
+- $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
+- do
+- _line=$( echo "$_line" | tr -d ',')
+- _cpuid=$( echo "$_line" | awk '{print $3}')
+- _cpuid=$(( _cpuid ))
+- _cpuid=$(printf "0x%08X" "$_cpuid")
+- _date=$( echo "$_line" | awk '{print $6}' | tr -d '-')
+- _version=$(echo "$_line" | awk '{print $8}')
+- _version=$(( _version ))
+- _version=$(printf "0x%08X" "$_version")
+- _sqlstm="$(printf "INSERT INTO Intel (origin,cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")"
+- sqlite3 "$mcedb_tmp" "$_sqlstm"
+- done
+- _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
+- if [ -n "$_intel_timestamp" ]; then
+- # use this date, it matches the last commit date
+- _intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp")
+- else
+- echo "Falling back to the latest microcode date"
+- _intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT yyyymmdd from Intel WHERE origin = 'intel' ORDER BY yyyymmdd DESC LIMIT 1;")
+- fi
+- echo DONE "(version $_intel_latest_date)"
+-
+- dbversion="$mcedb_revision+i$_intel_latest_date"
+-
+- if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [ "$previous_dbversion" = "v$dbversion" ]; then
+- echo "We already have this version locally, no update needed"
+- return 0
+- fi
+-
+- _info_nol "Building local database... "
+- {
+- echo "# Spectre & Meltdown Checker";
+- echo "# %%% MCEDB v$dbversion";
+- sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+- sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+- } > "$mcedb_cache"
+- echo DONE "(version $dbversion)"
+-
+- if [ "$1" = builtin ]; then
+- newfile=$(mktemp -t smc-builtin-XXXXXX)
+- awk '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+- awk '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+- cat "$newfile" > "$0"
+- rm -f "$newfile"
+- fi
+-}
+-
+ parse_opt_file()
+ {
+ # parse_opt_file option_name option_value
+@@ -1067,12 +922,15 @@ while [ -n "${1:-}" ]; do
+ # deprecated, kept for compatibility
+ opt_explain=0
+ shift
+- elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then
+- update_fwdb
+- exit $?
+- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
+- update_fwdb builtin
+- exit $?
++ elif [ "$1" = "--with-fwdb" ] || [ "$1" = "--with-mcedb" ]; then
++ opt_fwdb=$2
++ if [ -f "$opt_fwdb" ]; then
++ mcedb_cache=$2
++ else
++ echo "$0: error: --with-fwdb should be a file, got '$opt_fwdb'" >&2
++ exit 255
++ fi
++ shift 2
+ elif [ "$1" = "--dump-mock-data" ]; then
+ opt_mock=1
+ shift
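Review bot: the `--with-fwdb` branch accepts any existing file (`[ -f "$opt_fwdb" ]`), but the consumer later tests `[ -r "$mcedb_cache" ]`, so an unreadable file is accepted here and then silently ignored, leaving the user with "latest microcode version for your CPU model is unknown". Test `-r` here (or `-f` and `-r`) so the problem surfaces at option parsing. Also `mcedb_cache=$2` can simply be `mcedb_cache=$opt_fwdb`, and the `--with-mcedb` alias accepted here is not listed in `show_usage` in the hunk above; either document it or drop it.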
+@@ -2033,21 +1891,11 @@ is_xen_domU()
+ fi
+ }
+
+-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ # we have a local cache file, but it might be older than the builtin version we have
+ local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+- # sort -V sorts by version number
+- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | sort -V | head -n1)
+- if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+- mcedb_source="$mcedb_cache"
+- mcedb_info="local firmwares DB $local_dbversion"
+- fi
+-fi
+-# if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db
+-if [ -z "${mcedb_source:-}" ]; then
+- mcedb_source="$0"
+- mcedb_info="builtin firmwares DB $builtin_dbversion"
++ mcedb_source="$mcedb_cache"
++ mcedb_info="local firmwares DB $local_dbversion"
+ fi
+ read_mcedb()
+ {
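Review bot: the comment kept at `# we have a local cache file, but it might be older than the builtin version we have` is now stale, since the builtin comparison it describes is exactly what this hunk deletes; reword it to say the file was supplied with `--with-fwdb`. Also, because the earlier hunk removes the `mcedb_cache="$HOME/.mcedb"` default, `$mcedb_cache` is unset unless `--with-fwdb` was given; the cleanup code at the top of the script uses `${var:-}` for that case, so either initialise `mcedb_cache=` where the default used to be or test `[ -r "${mcedb_cache:-}" ]`.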
+@@ -2063,7 +1911,9 @@ is_latest_known_ucode()
+ return 2
+ fi
+ ucode_latest="latest microcode version for your CPU model is unknown"
+- if is_intel; then
++ if [ -z "$mcedb_source" ]; then
++ return 2
++ elif is_intel; then
+ cpu_brand_prefix=I
+ elif is_amd; then
+ cpu_brand_prefix=A
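Review bot: `[ -z "$mcedb_source" ]` reads a variable that the previous hunk only assigns inside the `if [ -r "$mcedb_cache" ]` branch; the `if [ -z "${mcedb_source:-}" ]` line that the previous hunk deletes used the `:-` form for that reason, so keep `"${mcedb_source:-}"` here to stay safe under `set -u` and consistent with the rest of the script.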
+--
+2.38.1
+
diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
new file mode 100644
index 0000000000..afec52b418
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
@@ -0,0 +1,26 @@
+From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 5 Nov 2022 23:22:31 +0800
+Subject: [PATCH] Add support for Guix System kernel.
+
+---
+ spectre-meltdown-checker.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 248a444..855a090 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
+ [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
+ # NixOS:
+ [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
++ # Guix System:
++ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ # systemd kernel-install:
+ [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
+ # Clear Linux:
+
+base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
+--
+2.38.0
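Review bot: the ordering of the new Guix System test after the NixOS one is load-bearing and deserves a comment: `/run/booted-system/kernel/bzImage` lies under `/run/booted-system/kernel`, so on a Guix System host the NixOS line's `[ -e "/run/booted-system/kernel" ]` also succeeds (on a directory) and only the later assignment corrects `opt_kernel`. Either state in the comment that the Guix line must stay below the NixOS one, or tighten the NixOS test to `-f` so each distribution matches only its own layout. The commit message also has no body explaining why the extra path is needed (the upstream pull request is only referenced from linux.scm); a one-line rationale in the patch header would help whoever rebases it on the next release.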

base-commit: 80d10fa413cf43439f9ab94b6f69fe68811156da
--
Liliana Marie Prikler wrote on 13 Nov 2022 23:02
(name . Hilton Chain)(address . hako@ultrarare.space)(address . 59053-done@debbugs.gnu.org)
ac1b13e0eb9516094b3fb543d91265e6fd48154f.camel@gmail.com
On Sunday, 13.11.2022 at 21:09 +0800, Hilton Chain wrote:
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch:
> New file.
> * gnu/local.mk (dist_patch_DATA): Add patches.
I renamed the patches for the ChangeLog, slightly rewrote their
explanations, ...

>  gnu/local.mk                                  |   2 +
>  gnu/packages/linux.scm                        | 130 ++++++++++
>  ...ker-remove-builtin-firmware-database.patch | 243
> ++++++++++++++++++
>  ...n-checker-support-guix-system-kernel.patch |  26 ++
>  4 files changed, 401 insertions(+)
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> remove-builtin-firmware-database.patch
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index e3e02314bb..1e85790983 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1857,6 +1857,8 @@ dist_patch_DATA
> =                                         \
>    %D%/packages/patches/syslinux-strip-gnu-property.patch       \
>    %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch      \
>    %D%/packages/patches/snappy-add-inline-for-GCC.patch         \
> +  %D%/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch \
> +  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
>    %D%/packages/patches/sphinxbase-fix-doxygen.patch            \
>    %D%/packages/patches/spice-vdagent-glib-2.68.patch           \
>    %D%/packages/patches/sssd-optional-systemd.patch             \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index fea33dfa0b..03b7ce46b0 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9595,3 +9595,133 @@ (define-public edac-utils
>  error detection and correction (EDAC).")
>      (home-page "https://github.com/grondo/edac-utils")
>      (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> +  (package
> +    (name "spectre-meltdown-checker")
> +    (version "0.45")
> +    (source (origin
> +              (method git-fetch)
> +              (uri (git-reference
> +                    (url
> "https://github.com/speed47/spectre-meltdown-checker")
> +                    (commit (string-append "v" version))))
> +              (file-name (git-file-name name version))
> +              (patches
> +               (search-patches
> +                "spectre-meltdown-checker-remove-builtin-firmware-
> database.patch"
> +                ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> +                "spectre-meltdown-checker-support-guix-system-
> kernel.patch"))
> +              ;; Remove builtin firmware database.
> +              (modules '((guix build utils)))
> +              (snippet '(substitute* "spectre-meltdown-checker.sh"
> +                          (("^# [AI],.*") "")))
> +              (sha256
> +               (base32
> +               
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> +    (build-system copy-build-system)
> +    (arguments
> +     (list
> +      #:install-plan
> +      #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> +      #:phases
> +      #~(modify-phases %standard-phases
> +          (add-after 'unpack 'fixpath
> +            (lambda* (#:key inputs #:allow-other-keys)
> +              (define* (find-command inputs cmd #:optional (bin
> "bin")
> +                                     #:key (prefix "") (suffix ""))
> +                (string-append
> +                 prefix (search-input-file inputs (string-append bin
> "/" cmd))
> +                 suffix))
> +              (substitute* "spectre-meltdown-checker.sh"
> +                ;; ${opt_arch_prefix}CMD
> +                (((string-append
> +                   "\\$\\{opt_arch_prefix\\}"
> +                   "\\<(nm|objdump|readelf|strings)\\>") all cmd)
> +                 (find-command inputs cmd))
> +
> +                ;; dd
> +                (("(dd)( if=)" all cmd suffix)
> +                 (find-command inputs cmd #:suffix suffix))
> +
> +                ;; Commands safe to substitute directly.
> +                (((string-append "\\<(" (string-join
> +                                         (list "awk"
> +                                               "basename"
> +                                               "dirname"
> +                                               "bunzip2"
> +                                               "gunzip"
> +                                               "gzip"
> +                                               "lz4"
> +                                               "lzop"
> +                                               "modprobe"
> +                                               "pgrep"
> +                                               "rmmod"
> +                                               "umount"
> +                                               "unlzma"
> +                                               "unxz"
> +                                               "unzstd"
> +                                               "uuencode")
> +                                         "|")
> +                                 ")\\>") all cmd)
replaced these "clever" tricks with dumber ones,
> +                 (find-command inputs cmd))
> +
> +                ;; Search by suffix.
> +                ;; CMD -
> +                ;; CMD ^
> +                (((string-append "\\<(" (string-join
> +                                         (list "base64"
> +                                               "cut"
> +                                               "grep"
> +                                               "head"
> +                                               "id"
> +                                               "mount"
> +                                               "mktemp"
> +                                               "od"
> +                                               "perl"
> +                                               "rm"
> +                                               "uname"
> +                                               "xargs")
> +                                         "|")
> +                                 ")\\>( [-^])") all cmd suffix)
> +                 (find-command inputs cmd #:suffix suffix))
> +                ;; CMD |
> +                (("(dmesg)( \\|)" all cmd suffix)
> +                 (find-command inputs cmd #:suffix suffix))
> +
> +                ;; Then prefix
> +                ;; | CMD
> +                (("(\\| )\\<(grep|sed|sort|stat|tr)\\>" all prefix
> cmd)
> +                 (find-command inputs cmd #:prefix prefix))
> +                ;; $(CMD
> +                (("(\\$\\( *)(sysctl)" all prefix cmd)
> +                 (find-command inputs cmd "sbin" #:prefix prefix))
> +               
> (("(\\$\\()\\<(cat|find|grep|mount|nproc|stat|tr)\\>" all prefix cmd)
> +                 (find-command inputs cmd #:prefix prefix))
> +                ;; if CMD
> +                (("(if )(sysctl)" all prefix cmd)
> +                 (find-command inputs cmd "sbin" #:prefix prefix))
> +                ;; command -v CMD
> +                (("(command -v)
> \"*\\<(base64|nproc|perl|printf)\\>\"*" all prefix cmd)
> +                 (find-command inputs cmd #:prefix prefix))
> +
> +                ;; Cats are mysterious...
> +                ;; cat <<EOF
> +                (("(cat)( <<EOF)" all cmd suffix)
> +                 (find-command inputs cmd #:suffix suffix))
> +                ;; cat "$
> +                (("(cat)(\"\\$)" all cmd suffix)
> +                 (find-command inputs cmd #:suffix suffix))
> +                ;; 'cat'
> +                (("(')(cat)(')" all prefix cmd suffix)
> +                 (find-command inputs cmd #:prefix prefix #:suffix
> suffix))
> +                ;; "cat"
> +                (("(\")(cat)(\")" all prefix cmd suffix)
> +                 (find-command inputs cmd #:prefix prefix #:suffix
> suffix))))))))
> +    (inputs (list kmod lz4 lzop perl procps sharutils util-linux
> zstd))
> +    (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> +    (synopsis "CPU vulnerability / mitigation checker")
> +    (description
> +     "This package provides a shell script to assess your system's
> resilience
> +against the several transient execution CVEs that were published
> since early
> +2018, and give you guidance as to how to mitigate them.")
> +    (license license:gpl3)))
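Review bot: the `fixpath` phase rewrites command names with a long series of position-specific regexes (`CMD -`, `| CMD`, `$(CMD`, `if CMD`, the four `cat` forms), which is fragile: short names such as `id`, `od`, `rm` and `cut` inside `\\<...\\>( [-^])` can also match inside comments, strings or another command's arguments in the script, and a command that appears in a position none of the patterns anticipates is silently left unresolved. `grep`, `mount`, `stat` and `tr` appear in several of the pattern lists, so the outcome depends on each line matching exactly one of them. A simpler and more robust alternative is to leave the script untouched and wrap it with `wrap-program`, prefixing `PATH` with the `bin` (and, for `sysctl`, `sbin`) directories of the inputs, which covers every call site uniformly. The description should also say that the built-in microcode database is stripped by the `snippet` and that a database must be supplied via `--with-fwdb` for the microcode-version check to work.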
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-
> builtin-firmware-database.patch b/gnu/packages/patches/spectre-
> meltdown-checker-remove-builtin-firmware-database.patch
> new file mode 100644
> index 0000000000..809763cf4f
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch
> @@ -0,0 +1,243 @@
> +From 340b08737e552c3c186863d76d123808d853a159 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Sat, 12 Nov 2022 22:45:24 +0800
> +Subject: [PATCH] Remove builtin firmware database.
> +
> +1. Remove downloading function.
> +2. Add option for supplying a local database.
> +---
> + spectre-meltdown-checker.sh | 180 +++------------------------------
> ---
> + 1 file changed, 15 insertions(+), 165 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 30f760c..ce46970 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -22,8 +22,6 @@ exit_cleanup()
> +       [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm
> -f "$dumped_config"
> +       [ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && rm
> -f "$kerneltmp"
> +       [ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] && rm
> -f "$kerneltmp2"
> +-      [ -n "${mcedb_tmp:-}"     ] && [ -f "$mcedb_tmp"     ] && rm
> -f "$mcedb_tmp"
> +-      [ -n "${intel_tmp:-}"     ] && [ -d "$intel_tmp"     ] && rm
> -rf "$intel_tmp"
> +       [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug
> 2>/dev/null
> +       [ "${mounted_procfs:-}"  = 1 ] && umount "$procfs"
> 2>/dev/null
> +       [ "${insmod_cpuid:-}"    = 1 ] && rmmod cpuid 2>/dev/null
> +@@ -93,9 +91,7 @@ show_usage()
> +               --vmm [auto,yes,no]     override the detection of the
> presence of a hypervisor, default: auto
> +               --allow-msr-write       allow probing for write-only
> MSRs, this might produce kernel logs or be blocked by your system
> +               --cpu [#,all]           interact with CPUID and MSR
> of CPU core number #, or all (default: CPU core 0)
> +-              --update-fwdb           update our local copy of the
> CPU microcodes versions database (using the awesome
> +-                                      MCExtractor project and the
> Intel firmwares GitHub repository)
> +-              --update-builtin-fwdb   same as --update-fwdb but
> update builtin DB inside the script itself
> ++              --with-fwdb FILE        supply the CPU microcodes
> versions database
and added a note regarding the (lack of) freedom for proprietary
microcode.

I also added your name and email to the authors of linux.scm, since
this was a very non-trivial package.

Cheers