From: Liliana Marie Prikler <liliana.prikler@gmail.com>
To: Hilton Chain <hako@ultrarare.space>
Cc: 59053@debbugs.gnu.org
Subject: [bug#59053] [PATCH v4] gnu: Add spectre-meltdown-checker.
Date: Sat, 12 Nov 2022 17:58:33 +0100 [thread overview]
Message-ID: <3e3c90ad73311a445a3b06c7c8afb42dcf0af1b1.camel@gmail.com> (raw)
In-Reply-To: <y76v8nkdx15.wl-hako@ultrarare.space>
Am Samstag, dem 12.11.2022 um 23:15 +0800 schrieb Hilton Chain:
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-
> substitution.patch:
> New file.
> * gnu/local.mk (dist_patch_DATA): Add patches.
> ---
> v3 -> v4:
> 1. Remove downloading function.
> 2. Add option for supplying a local database.
>
> gnu/local.mk | 3 +
> gnu/packages/linux.scm | 54 +
> ...ker-remove-builtin-firmware-database.patch | 243 +++
> ...cker-stage-commands-for-substitution.patch | 1849
> +++++++++++++++++
> ...n-checker-support-guix-system-kernel.patch | 26 +
> 5 files changed, 2175 insertions(+)
> create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> remove-builtin-firmware-database.patch
> create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> stage-commands-for-substitution.patch
> create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index e3e02314bb..46b299d0d6 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1857,6 +1857,9 @@ dist_patch_DATA
> = \
> %D%/packages/patches/syslinux-strip-gnu-property.patch \
> %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch \
> %D%/packages/patches/snappy-add-inline-for-GCC.patch \
> + %D%/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch \
> + %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-
> substitution.patch \
> + %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
> %D%/packages/patches/sphinxbase-fix-doxygen.patch \
> %D%/packages/patches/spice-vdagent-glib-2.68.patch \
> %D%/packages/patches/sssd-optional-systemd.patch \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index fea33dfa0b..1807fd5655 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9595,3 +9595,57 @@ (define-public edac-utils
> error detection and correction (EDAC).")
> (home-page "https://github.com/grondo/edac-utils")
> (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> + (package
> + (name "spectre-meltdown-checker")
> + (version "0.45")
> + (source (origin
> + (method git-fetch)
> + (uri (git-reference
> + (url
> "https://github.com/speed47/spectre-meltdown-checker")
> + (commit (string-append "v" version))))
> + (file-name (git-file-name name version))
> + (patches
> + (search-patches
> + ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> + "spectre-meltdown-checker-support-guix-system-
> kernel.patch"
> + ;; NOTE: Update these patches when updating.
> + "spectre-meltdown-checker-remove-builtin-firmware-
> database.patch"
Is this comment still needed?
> + "spectre-meltdown-checker-stage-commands-for-
> substitution.patch"))
> + ;; Remove builtin firmware database.
> + (modules '((guix build utils)))
> + (snippet '(substitute* "spectre-meltdown-checker.sh"
> + (("^# [AI],.*") "")))
> + (sha256
> + (base32
> +
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> + (build-system copy-build-system)
> + (arguments
> + (list #:install-plan
> + #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> + #:phases
> + #~(modify-phases %standard-phases
> + (add-after 'unpack 'fixpath
> + (lambda* (#:key inputs #:allow-other-keys)
> + (substitute* "spectre-meltdown-checker.sh"
> + (("@sysctl@") (search-input-file inputs
> "/sbin/sysctl"))
> + (("@([a-z0-9]*)@" _ command _)
> + (search-input-file
> + inputs (string-append "/bin/"
> command)))))))))
> + (inputs
> + (list kmod
> + lz4
> + lzop
> + perl
> + procps
> + sharutils
> + util-linux
> + zstd))
> + (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> + (synopsis "CPU vulnerability / mitigation checker")
> + (description
> + "This package provides a shell script to assess your system's
> resilience
> +against the several transient execution CVEs that were published
> since early
> +2018, and give you guidance as to how to mitigate them.")
> + (license license:gpl3)))
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-
> builtin-firmware-database.patch b/gnu/packages/patches/spectre-
> meltdown-checker-remove-builtin-firmware-database.patch
> new file mode 100644
> index 0000000000..888bb0c2b1
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch
> @@ -0,0 +1,243 @@
> +From a3a9b7ca93071393e6bfd999fedd737009718aab Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Sat, 12 Nov 2022 22:45:24 +0800
> +Subject: [PATCH 1/2] Remove builtin firmware database.
> +
> +1. Remove downloading function.
> +2. Add option for supplying a local database.
> +---
> + spectre-meltdown-checker.sh | 180 +++------------------------------
> ---
> + 1 file changed, 15 insertions(+), 165 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 30f760c..ce46970 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -22,8 +22,6 @@ exit_cleanup()
> + [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm
> -f "$dumped_config"
> + [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm
> -f "$kerneltmp"
> + [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm
> -f "$kerneltmp2"
> +- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm
> -f "$mcedb_tmp"
> +- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm
> -rf "$intel_tmp"
> + [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug
> 2>/dev/null
> + [ "${mounted_procfs:-}" = 1 ] && umount "$procfs"
> 2>/dev/null
> + [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
> +@@ -93,9 +91,7 @@ show_usage()
> + --vmm [auto,yes,no] override the detection of the
> presence of a hypervisor, default: auto
> + --allow-msr-write allow probing for write-only
> MSRs, this might produce kernel logs or be blocked by your system
> + --cpu [#,all] interact with CPUID and MSR
> of CPU core number #, or all (default: CPU core 0)
> +- --update-fwdb update our local copy of the
> CPU microcodes versions database (using the awesome
> +- MCExtractor project and the
> Intel firmwares GitHub repository)
> +- --update-builtin-fwdb same as --update-fwdb but
> update builtin DB inside the script itself
> ++ --with-fwdb FILE supply the CPU microcodes
> versions database
> + --dump-mock-data used to mimick a CPU on an
> other system, mainly used to help debugging this script
> +
> + Return codes:
> +@@ -837,147 +833,6 @@ show_header()
> + _info
> + }
> +
> +-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
> +-mcedb_cache="$HOME/.mcedb"
> +-update_fwdb()
> +-{
> +- show_header
> +-
> +- set -e
> +-
> +- if [ -r "$mcedb_cache" ]; then
> +- previous_dbversion=$(awk '/^# %%% MCEDB / { print $4
> }' "$mcedb_cache")
> +- fi
> +-
> +- # first, download the MCE.db from the excellent platomav's
> MCExtractor project
> +- mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
> +-
> mcedb_url='https://github.com/platomav/MCExtractor/raw/master/M
> CE.db'
> +- _info_nol "Fetching MCE.db from the MCExtractor project... "
> +- if command -v wget >/dev/null 2>&1; then
> +- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
> +- elif command -v curl >/dev/null 2>&1; then
> +- curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
> +- elif command -v fetch >/dev/null 2>&1; then
> +- fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
> +- else
> +- echo ERROR "please install one of \`wget\`, \`curl\`
> of \`fetch\` programs"
> +- return 1
> +- fi
> +- if [ "$ret" != 0 ]; then
> +- echo ERROR "error $ret while downloading MCE.db"
> +- return $ret
> +- fi
> +- echo DONE
> +-
> +- # second, get the Intel firmwares from GitHub
> +- intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
> +-
> intel_url="https://github.com/intel/Intel-Linux-Processor-Micro
> code-Data-Files/archive/main.zip"
> +- _info_nol "Fetching Intel firmwares... "
> +- ##
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
> +- if command -v wget >/dev/null 2>&1; then
> +- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
> +- elif command -v curl >/dev/null 2>&1; then
> +- curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
> +- elif command -v fetch >/dev/null 2>&1; then
> +- fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
> +- else
> +- echo ERROR "please install one of \`wget\`, \`curl\`
> of \`fetch\` programs"
> +- return 1
> +- fi
> +- if [ "$ret" != 0 ]; then
> +- echo ERROR "error $ret while downloading Intel
> firmwares"
> +- return $ret
> +- fi
> +- echo DONE
> +-
> +- # now extract MCEdb contents using sqlite
> +- _info_nol "Extracting MCEdb data... "
> +- if ! command -v sqlite3 >/dev/null 2>&1; then
> +- echo ERROR "please install the \`sqlite3\` program"
> +- return 1
> +- fi
> +- mcedb_revision=$(sqlite3 "$mcedb_tmp" "select revision from
> MCE")
> +- if [ -z "$mcedb_revision" ]; then
> +- echo ERROR "downloaded file seems invalid"
> +- return 1
> +- fi
> +- sqlite3 "$mcedb_tmp" "alter table Intel add column origin
> text"
> +- sqlite3 "$mcedb_tmp" "update Intel set origin='mce'"
> +-
> +- echo OK "MCExtractor database revision $mcedb_revision"
> +-
> +- # parse Intel firmwares to get their versions
> +- _info_nol "Integrating Intel firmwares data to db... "
> +- if ! command -v unzip >/dev/null 2>&1; then
> +- echo ERROR "please install the \`unzip\` program"
> +- return 1
> +- fi
> +- ( cd "$intel_tmp" && unzip fw.zip >/dev/null; )
> +- if ! [ -d "$intel_tmp/Intel-Linux-Processor-Microcode-Data-
> Files-main/intel-ucode" ]; then
> +- echo ERROR "expected the 'intel-ucode' folder in the
> downloaded zip file"
> +- return 1
> +- fi
> +-
> +- if ! command -v iucode_tool >/dev/null 2>&1; then
> +- if ! command -v iucode-tool >/dev/null 2>&1; then
> +- echo ERROR "please install the \`iucode-
> tool\` program"
> +- return 1
> +- else
> +- iucode_tool="iucode-tool"
> +- fi
> +- else
> +- iucode_tool="iucode_tool"
> +- fi
> +- # 079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev
> 0x0217, size 5120
> +- # 078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev
> 0x0107, size 5120
> +- $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-
> Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
> +- do
> +- _line=$( echo "$_line" | tr -d ',')
> +- _cpuid=$( echo "$_line" | awk '{print $3}')
> +- _cpuid=$(( _cpuid ))
> +- _cpuid=$(printf "0x%08X" "$_cpuid")
> +- _date=$( echo "$_line" | awk '{print $6}' | tr -d
> '-')
> +- _version=$(echo "$_line" | awk '{print $8}')
> +- _version=$(( _version ))
> +- _version=$(printf "0x%08X" "$_version")
> +- _sqlstm="$(printf "INSERT INTO Intel
> (origin,cpuid,version,yyyymmdd) VALUES
> (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")"
> "$(printf "%08X" "$_version")" "$_date")"
> +- sqlite3 "$mcedb_tmp" "$_sqlstm"
> +- done
> +- _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-
> Processor-Microcode-Data-Files-main/license" 2>/dev/null)
> +- if [ -n "$_intel_timestamp" ]; then
> +- # use this date, it matches the last commit date
> +- _intel_latest_date=$(date +%Y%m%d -d
> @"$_intel_timestamp")
> +- else
> +- echo "Falling back to the latest microcode date"
> +- _intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT
> yyyymmdd from Intel WHERE origin = 'intel' ORDER BY yyyymmdd DESC
> LIMIT 1;")
> +- fi
> +- echo DONE "(version $_intel_latest_date)"
> +-
> +- dbversion="$mcedb_revision+i$_intel_latest_date"
> +-
> +- if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [
> "$previous_dbversion" = "v$dbversion" ]; then
> +- echo "We already have this version locally, no update
> needed"
> +- return 0
> +- fi
> +-
> +- _info_nol "Building local database... "
> +- {
> +- echo "# Spectre & Meltdown Checker";
> +- echo "# %%% MCEDB v$dbversion";
> +- sqlite3 "$mcedb_tmp" "SELECT '#
> I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel
> AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND
> t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid
> ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
> +- sqlite3 "$mcedb_tmp" "SELECT '#
> A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD
> AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND
> t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid
> ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
> +- } > "$mcedb_cache"
> +- echo DONE "(version $dbversion)"
> +-
> +- if [ "$1" = builtin ]; then
> +- newfile=$(mktemp -t smc-builtin-XXXXXX)
> +- awk '/^# %%% MCEDB / { exit }; { print }' "$0" >
> "$newfile"
> +- awk '{ if (NR>1) { print } }' "$mcedb_cache" >>
> "$newfile"
> +- cat "$newfile" > "$0"
> +- rm -f "$newfile"
> +- fi
> +-}
> +-
> + parse_opt_file()
> + {
> + # parse_opt_file option_name option_value
> +@@ -1067,12 +922,15 @@ while [ -n "${1:-}" ]; do
> + # deprecated, kept for compatibility
> + opt_explain=0
> + shift
> +- elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb"
> ]; then
> +- update_fwdb
> +- exit $?
> +- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--
> update-builtin-mcedb" ]; then
> +- update_fwdb builtin
> +- exit $?
> ++ elif [ "$1" = "--with-fwdb" ] || [ "$1" = "--with-mcedb" ];
> then
> ++ opt_fwdb=$2
> ++ if [ -f "$opt_fwdb" ]; then
> ++ mcedb_cache=$2
> ++ else
> ++ echo "$0: error: --with-fwdb should be a
> file, got '$opt_fwdb'" >&2
> ++ exit 255
> ++ fi
> ++ shift 2
> + elif [ "$1" = "--dump-mock-data" ]; then
> + opt_mock=1
> + shift
> +@@ -2033,21 +1891,11 @@ is_xen_domU()
> + fi
> + }
> +
> +-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
> + if [ -r "$mcedb_cache" ]; then
> + # we have a local cache file, but it might be older than the
> builtin version we have
> + local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }'
> "$mcedb_cache")
> +- # sort -V sorts by version number
> +- older_dbversion=$(printf "%b\n%b" "$local_dbversion"
> "$builtin_dbversion" | sort -V | head -n1)
> +- if [ "$older_dbversion" = "$builtin_dbversion" ]; then
> +- mcedb_source="$mcedb_cache"
> +- mcedb_info="local firmwares DB $local_dbversion"
> +- fi
> +-fi
> +-# if mcedb_source is not set, either we don't have a local cached
> db, or it is older than the builtin db
> +-if [ -z "${mcedb_source:-}" ]; then
> +- mcedb_source="$0"
> +- mcedb_info="builtin firmwares DB $builtin_dbversion"
> ++ mcedb_source="$mcedb_cache"
> ++ mcedb_info="local firmwares DB $local_dbversion"
> + fi
> + read_mcedb()
> + {
> +@@ -2063,7 +1911,9 @@ is_latest_known_ucode()
> + return 2
> + fi
> + ucode_latest="latest microcode version for your CPU model is
> unknown"
> +- if is_intel; then
> ++ if [ -z "$mcedb_source" ]; then
> ++ return 2
> ++ elif is_intel; then
> + cpu_brand_prefix=I
> + elif is_amd; then
> + cpu_brand_prefix=A
> +--
> +2.38.1
> +
LGTM.
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage-
> commands-for-substitution.patch b/gnu/packages/patches/spectre-
> meltdown-checker-stage-commands-for-substitution.patch
> new file mode 100644
> index 0000000000..a8e7531f32
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-
> for-substitution.patch
> @@ -0,0 +1,1849 @@
> +From 1d79c223d5dc114f63da2c5061d2c713d8a05687 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Fri, 11 Nov 2022 18:49:50 +0800
> +Subject: [PATCH 2/2] Stage commands for later substitution.
> +
> +awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find,
> grep,
> +gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm,
> nproc,
> +objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat,
> strings,
> +sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, xargs.
> +---
I think it'd better to provide a little more information in the patch
note, e.g. "The following commands are taken from the environment and
thus need to be substituted:
- awk
- base64
- basename
- ...
The following are shell built-ins and can remain as is
- command
- echo
- ..."
By the way, I feel like it'd be an improvement to crank down on the
number of context lines or translate this into an equivalent
substitute*, i.e.
(substitute* "spectre-meltdown-checker.sh"
(("\\<(awk|base64|...)\\>" all cmd)
(find-command inputs cmd))
(("\\<(gzip|gunzip|...)\\>" all cmd)
(find-command inputs cmd))
...)
where
(define* (find-command inputs cmd #:optional (bin "bin"))
(search-input-file inputs (string-append bin "/" cmd)))
> + spectre-meltdown-checker.sh | 606 ++++++++++++++++++---------------
> ---
> + 1 file changed, 303 insertions(+), 303 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index ce46970..4889ebb 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -19,31 +19,31 @@ trap '_warn "interrupted, cleaning up...";
> exit_cleanup; exit 1' INT
> + exit_cleanup()
> + {
> + # cleanup the temp decompressed config & kernel image
> +- [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm
> -f "$dumped_config"
> +- [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm
> -f "$kerneltmp"
> +- [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm
> -f "$kerneltmp2"
> +- [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug
> 2>/dev/null
> +- [ "${mounted_procfs:-}" = 1 ] && umount "$procfs"
> 2>/dev/null
> +- [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
> +- [ "${insmod_msr:-}" = 1 ] && rmmod msr 2>/dev/null
> ++ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] &&
> @rm@ -f "$dumped_config"
> ++ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] &&
> @rm@ -f "$kerneltmp"
> ++ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] &&
> @rm@ -f "$kerneltmp2"
> ++ [ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug
> 2>/dev/null
> ++ [ "${mounted_procfs:-}" = 1 ] && @umount@ "$procfs"
> 2>/dev/null
> ++ [ "${insmod_cpuid:-}" = 1 ] && @rmmod@ cpuid 2>/dev/null
> ++ [ "${insmod_msr:-}" = 1 ] && @rmmod@ msr 2>/dev/null
> + [ "${kldload_cpuctl:-}" = 1 ] && kldunload cpuctl
> 2>/dev/null
> + [ "${kldload_vmm:-}" = 1 ] && kldunload vmm
> 2>/dev/null
> + }
> +
> + # if we were git clone'd, adjust VERSION
> +-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1;
> then
> +- describe=$(git -C "$(dirname "$0")" describe --tags --dirty
> 2>/dev/null)
> +- [ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e
> s/^v//)
> ++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null
> 2>&1; then
> ++ describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty
> 2>/dev/null)
> ++ [ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e
> s/^v//)
> + fi
> +
> + show_usage()
> + {
> + # shellcheck disable=SC2086
> +- cat <<EOF
> ++ @cat@ <<EOF
> + Usage:
> +- Live mode (auto): $(basename $0) [options]
> +- Live mode (manual): $(basename $0) [options] <[--
> kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
> +- Offline mode: $(basename $0) [options] <[--
> kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
> ++ Live mode (auto): $(@basename@ $0) [options]
> ++ Live mode (manual): $(@basename@ $0) [options] <[--
> kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
> ++ Offline mode: $(@basename@ $0) [options] <[--
> kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
> +
> + Modes:
> + Two modes are available.
> +@@ -106,7 +106,7 @@ EOF
> +
> + show_disclaimer()
> + {
> +- cat <<EOF
> ++ @cat@ <<EOF
> + Disclaimer:
> +
> + This tool does its best to determine whether your system is immune
> (or has proper mitigations in place) for the
> +@@ -134,7 +134,7 @@ This tool has been released in the hope that
> it'll be useful, but don't use it t
> + EOF
> + }
> +
> +-os=$(uname -s)
> ++os=$(@uname@ -s)
> +
> + # parse options
> + opt_kernel=''
> +@@ -203,7 +203,7 @@ __echo()
> + _interpret_chars='-e'
> + fi
> + _ctrlchar=$($echo_cmd $_interpret_chars "\033")
> +- _msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r
> "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
> ++ _msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r
> "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
> + fi
> + if [ "$echo_cmd_type" = printf ]; then
> + if [ "$opt" = "-n" ]; then
> +@@ -379,7 +379,7 @@ is_cpu_affected()
> + # https://github.com/crozone/SpectrePoC/issues/1 ^F
> E5200 => spectre 2 not affected
> + #
> https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 =>
> meltdown affected
> + # model name : Pentium(R) Dual-Core CPU E5200
> @ 2.50GHz
> +- if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\)
> Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
> ++ if echo "$cpu_friendly_name" | @grep@ -qE
> 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
> + variant1=vuln
> + [ -z "$variant2" ] && variant2=immune
> + variant3=vuln
> +@@ -482,7 +482,7 @@ is_cpu_affected()
> + i=$(( i + 1 ))
> + # do NOT quote $cpu_arch_list below
> + # shellcheck disable=SC2086
> +- cpuarch=$(echo $cpu_arch_list | awk '{ print
> $'$i' }')
> ++ cpuarch=$(echo $cpu_arch_list | @awk@ '{
> print $'$i' }')
> + _debug "checking cpu$i: <$cpupart>
> <$cpuarch>"
> + # some kernels report AArch64 instead of 8
> + [ "$cpuarch" = "AArch64" ] && cpuarch=8
> +@@ -493,49 +493,49 @@ is_cpu_affected()
> + # part ? ? c08 c09 c0d c0f c0e d07
> d08 d09 d0a d0b d0c d0d
> + # arch 7? 7? 7 7 7 7 7 8
> 8 8 8 8 8 8
> + #
> +- # Whitelist identified non-affected
> processors, use vulnerability information from
> ++ # Whitelist identified non-affected
> processors, use vulnerability information from
> + #
> https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
> + # Partnumbers can be found here:
> + #
> https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in
> + #
> + # Maintain cumulative check of
> vulnerabilities -
> + # if at least one of the cpu is
> affected, then the system is affected
> +- if [ "$cpuarch" = 7 ] && echo
> "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
> ++ if [ "$cpuarch" = 7 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
> + variant1=vuln
> + variant2=vuln
> + [ -z "$variant3" ] &&
> variant3=immune
> + [ -z "$variant3a" ] &&
> variant3a=immune
> + [ -z "$variant4" ] &&
> variant4=immune
> + _debug "checking cpu$i: armv7
> A8/A9/A12/A17 non affected to variants 3, 3a & 4"
> +- elif [ "$cpuarch" = 7 ] && echo
> "$cpupart" | grep -q -w -e 0xc0f; then
> ++ elif [ "$cpuarch" = 7 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xc0f; then
> + variant1=vuln
> + variant2=vuln
> + [ -z "$variant3" ] &&
> variant3=immune
> + variant3a=vuln
> + [ -z "$variant4" ] &&
> variant4=immune
> + _debug "checking cpu$i: armv7
> A15 non affected to variants 3 & 4"
> +- elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then
> ++ elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xd07 -e 0xd08; then
> + variant1=vuln
> + variant2=vuln
> + [ -z "$variant3" ] &&
> variant3=immune
> + variant3a=vuln
> + variant4=vuln
> + _debug "checking cpu$i: armv8
> A57/A72 non affected to variants 3"
> +- elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | grep -q -w -e 0xd09; then
> ++ elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xd09; then
> + variant1=vuln
> + variant2=vuln
> + [ -z "$variant3" ] &&
> variant3=immune
> + [ -z "$variant3a" ] &&
> variant3a=immune
> + variant4=vuln
> + _debug "checking cpu$i: armv8
> A73 non affected to variants 3 & 3a"
> +- elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | grep -q -w -e 0xd0a; then
> ++ elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xd0a; then
> + variant1=vuln
> + variant2=vuln
> + variant3=vuln
> + [ -z "$variant3a" ] &&
> variant3a=immune
> + variant4=vuln
> + _debug "checking cpu$i: armv8
> A75 non affected to variant 3a"
> +- elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
> ++ elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
> + variant1=vuln
> + [ -z "$variant2" ] &&
> variant2=immune
> + [ -z "$variant3" ] &&
> variant3=immune
> +@@ -816,7 +816,7 @@ is_cpu_ssb_free()
> + if [ "$cpu_family" = "18" ] || \
> + [ "$cpu_family" = "17" ] || \
> + [ "$cpu_family" = "16" ] || \
> +- [ "$cpu_family" = "15" ]; then
> ++ [ "$cpu_family" = "15" ]; then
> + return 0
> + fi
> + fi
> +@@ -910,7 +910,7 @@ while [ -n "${1:-}" ]; do
> + elif [ "$1" = "--cpu" ]; then
> + opt_cpu=$2
> + if [ "$opt_cpu" != all ]; then
> +- if echo "$opt_cpu" | grep -Eq '^[0-9]+'; then
> ++ if echo "$opt_cpu" | @grep@ -Eq '^[0-9]+';
> then
> + opt_cpu=$(( opt_cpu ))
> + else
> + echo "$0: error: --cpu should be an
> integer or 'all', got '$opt_cpu'" >&2
> +@@ -961,7 +961,7 @@ while [ -n "${1:-}" ]; do
> + echo "$0: error: option --cve expects a
> parameter, supported CVEs are: $supported_cve_list" >&2
> + exit 255
> + fi
> +- selected_cve=$(echo "$supported_cve_list" | grep -iwo
> "$2")
> ++ selected_cve=$(echo "$supported_cve_list" | @grep@ -
> iwo "$2")
> + if [ -n "$selected_cve" ]; then
> + opt_cve_list="$opt_cve_list $selected_cve"
> + opt_cve_all=0
> +@@ -1166,14 +1166,14 @@ check_kernel()
> + # a damaged ELF file and validate it, check for stderr
> warnings too
> +
> + # the warning "readelf: Warning: [16]: Link field (0) should
> index a symtab section./" can appear on valid kernels, ignore it
> +- _readelf_warnings=$("${opt_arch_prefix}readelf" -S "$_file"
> 2>&1 >/dev/null | grep -v 'should index a symtab section' | tr "\n"
> "/"); ret=$?
> +- _readelf_sections=$("${opt_arch_prefix}readelf" -S "$_file"
> 2>/dev/null | grep -c -e data -e text -e init)
> +- _kernel_size=$(stat -c %s "$_file" 2>/dev/null || stat -f %z
> "$_file" 2>/dev/null || echo 10000)
> ++ _readelf_warnings=$("@readelf@" -S "$_file" 2>&1 >/dev/null |
> @grep@ -v 'should index a symtab section' | @tr@ "\n" "/"); ret=$?
> ++ _readelf_sections=$("@readelf@" -S "$_file" 2>/dev/null |
> @grep@ -c -e data -e text -e init)
> ++ _kernel_size=$(@stat@ -c %s "$_file" 2>/dev/null || @stat@ -f
> %z "$_file" 2>/dev/null || echo 10000)
> + _debug "check_kernel: ret=$? size=$_kernel_size
> sections=$_readelf_sections warnings=$_readelf_warnings"
> + if [ "$_mode" = desperate ]; then
> +- if "${opt_arch_prefix}strings" "$_file" | grep -Eq
> '^Linux version '; then
> ++ if "@strings@" "$_file" | @grep@ -Eq '^Linux version
> '; then
> + _debug "check_kernel (desperate): ...
> matched!"
> +- if [ "$_readelf_sections" = 0 ] && grep -qF -
> e armv6 -e armv7 "$_file"; then
> ++ if [ "$_readelf_sections" = 0 ] && @grep@ -qF
> -e armv6 -e armv7 "$_file"; then
> + _debug "check_kernel (desperate): raw
> arm binary found, adjusting objdump options"
> + objdump_options="-D -b binary -marm"
> + else
> +@@ -1206,7 +1206,7 @@ try_decompress()
> +
> + # Try to find the header ($1) and decompress from here
> + _debug "try_decompress: looking for $3 magic in $6"
> +- for pos in $(tr "$1\n$2" "\n$2=" < "$6" | grep -abo
> "^$2")
> ++ for pos in $(@tr@ "$1\n$2" "\n$2=" < "$6" | @grep@ -abo
> "^$2")
> + do
> + _debug "try_decompress: magic for $3 found at offset
> $pos"
> + if ! command -v "$3" >/dev/null 2>&1; then
> +@@ -1233,11 +1233,11 @@ try_decompress()
> + kernel="$kerneltmp"
> + _debug "try_decompress: decompressed with $3
> successfully!"
> + return 0
> +- elif [ "$3" != "cat" ]; then
> ++ elif [ "$3" != "@cat@" ]; then
> + _debug "try_decompress: decompression with $3
> worked but result is not a kernel, trying with an offset"
> +- [ -z "$kerneltmp2" ] && kerneltmp2=$(mktemp -
> t smc-kernel-XXXXXX)
> +- cat "$kerneltmp" > "$kerneltmp2"
> +- try_decompress '\177ELF' xxy 'cat' '' cat
> "$kerneltmp2" && return 0
> ++ [ -z "$kerneltmp2" ] && kerneltmp2=$(@mktemp@
> -t smc-kernel-XXXXXX)
> ++ @cat@ "$kerneltmp" > "$kerneltmp2"
> ++ try_decompress '\177ELF' xxy '@cat@' '' cat
> "$kerneltmp2" && return 0
> + else
> + _debug "try_decompress: decompression with $3
> worked but result is not a kernel"
> + fi
> +@@ -1249,12 +1249,12 @@ extract_kernel()
> + {
> + [ -n "${1:-}" ] || return 1
> + # Prepare temp files:
> +- kerneltmp="$(mktemp -t smc-kernel-XXXXXX)"
> ++ kerneltmp="$(@mktemp@ -t smc-kernel-XXXXXX)"
> +
> + # Initial attempt for uncompressed images or objects:
> + if check_kernel "$1"; then
> + _debug "extract_kernel: found kernel is valid, no
> decompression needed"
> +- cat "$1" > "$kerneltmp"
> ++ @cat@ "$1" > "$kerneltmp"
> + kernel=$kerneltmp
> + return 0
> + fi
> +@@ -1263,14 +1263,14 @@ extract_kernel()
> + for pass in 1 2; do
> + for mode in normal desperate; do
> + _debug "extract_kernel: pass $pass $mode
> mode"
> +- try_decompress '\037\213\010' xy
> gunzip '' gunzip "$1" "$mode" "$pass" && return 0
> +- try_decompress '\002\041\114\030' xyy
> 'lz4' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
> +- try_decompress '\3757zXZ\000' abcde
> unxz '' xz-utils "$1" "$mode" "$pass" && return 0
> +- try_decompress 'BZh' xy
> bunzip2 '' bzip2 "$1" "$mode" "$pass" && return 0
> +- try_decompress '\135\0\0\0' xxx
> unlzma '' xz-utils "$1" "$mode" "$pass" && return 0
> +- try_decompress '\211\114\132' xy
> 'lzop' '-d' lzop "$1" "$mode" "$pass" && return 0
> +- try_decompress '\177ELF' xxy
> 'cat' '' cat "$1" "$mode" "$pass" && return 0
> +- try_decompress '(\265/\375' xxy
> unzstd '' zstd "$1" "$mode" "$pass" && return 0
> ++ try_decompress '\037\213\010' xy
> @gunzip@ '' gunzip "$1" "$mode" "$pass" && return 0
> ++ try_decompress '\002\041\114\030' xyy
> '@lz4@' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
> ++ try_decompress '\3757zXZ\000' abcde
> @unxz@ '' xz-utils "$1" "$mode" "$pass" && return 0
> ++ try_decompress 'BZh' xy
> @bunzip2@ '' bzip2 "$1" "$mode" "$pass" && return 0
> ++ try_decompress '\135\0\0\0' xxx
> @unlzma@ '' xz-utils "$1" "$mode" "$pass" && return 0
> ++ try_decompress '\211\114\132' xy
> '@lzop@' '-d' lzop "$1" "$mode" "$pass" && return 0
> ++ try_decompress '\177ELF' xxy
> '@cat@' '' cat "$1" "$mode" "$pass" && return 0
> ++ try_decompress '(\265/\375' xxy
> @unzstd@ '' zstd "$1" "$mode" "$pass" && return 0
> + done
> + done
> + # kernel_err might already have been populated by
> try_decompress() if we're missing one of the tools
> +@@ -1287,7 +1287,7 @@ mount_debugfs()
> + {
> + if [ ! -e /sys/kernel/debug/sched_features ]; then
> + # try to mount the debugfs hierarchy ourselves and
> remember it to umount afterwards
> +- mount -t debugfs debugfs /sys/kernel/debug
> 2>/dev/null && mounted_debugfs=1
> ++ @mount@ -t debugfs debugfs /sys/kernel/debug
> 2>/dev/null && mounted_debugfs=1
> + fi
> + }
> +
> +@@ -1298,12 +1298,12 @@ load_msr()
> + load_msr_once=1
> +
> + if [ "$os" = Linux ]; then
> +- if ! grep -qw msr "$procfs/modules" 2>/dev/null; then
> +- modprobe msr 2>/dev/null && insmod_msr=1
> ++ if ! @grep@ -qw msr "$procfs/modules" 2>/dev/null;
> then
> ++ @modprobe@ msr 2>/dev/null && insmod_msr=1
> + _debug "attempted to load module msr,
> insmod_msr=$insmod_msr"
> + else
> + _debug "msr module already loaded"
> +- fi
> ++ fi
> + else
> + if ! kldstat -q -m cpuctl; then
> + kldload cpuctl 2>/dev/null &&
> kldload_cpuctl=1
> +@@ -1321,12 +1321,12 @@ load_cpuid()
> + load_cpuid_once=1
> +
> + if [ "$os" = Linux ]; then
> +- if ! grep -qw cpuid "$procfs/modules" 2>/dev/null;
> then
> +- modprobe cpuid 2>/dev/null && insmod_cpuid=1
> ++ if ! @grep@ -qw cpuid "$procfs/modules" 2>/dev/null;
> then
> ++ @modprobe@ cpuid 2>/dev/null &&
> insmod_cpuid=1
> + _debug "attempted to load module cpuid,
> insmod_cpuid=$insmod_cpuid"
> + else
> + _debug "cpuid module already loaded"
> +- fi
> ++ fi
> + else
> + if ! kldstat -q -m cpuctl; then
> + kldload cpuctl 2>/dev/null &&
> kldload_cpuctl=1
> +@@ -1415,7 +1415,7 @@ read_cpuid_one_core()
> + fi
> + # on some kernel versions, /dev/cpu/0/cpuid doesn't
> imply that the cpuid module is loaded, in that case dd returns an
> error,
> + # we use that fact to load the module if dd returns
> an error
> +- if ! dd if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null
> 2>&1; then
> ++ if ! @dd@ if=/dev/cpu/0/cpuid bs=16 count=1
> >/dev/null 2>&1; then
> + load_cpuid
> + fi
> + # we need _leaf to be converted to decimal for dd
> +@@ -1426,14 +1426,14 @@ read_cpuid_one_core()
> + _ddskip=$(( _position / 16 ))
> + _odskip=$(( _position - _ddskip * 16 ))
> + # now read the value
> +- _cpuid=$(dd if="/dev/cpu/$_core/cpuid" bs=16
> skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | od -j $((_odskip *
> 16)) -A n -t u4)
> ++ _cpuid=$(@dd@ if="/dev/cpu/$_core/cpuid" bs=16
> skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | @od@ -j $((_odskip
> * 16)) -A n -t u4)
> + elif [ -e /dev/cpuctl0 ]; then
> + # BSD
> + if [ ! -r /dev/cpuctl0 ]; then
> + read_cpuid_msg="Couldn't read cpuid info from
> cpuctl"
> + return $READ_CPUID_RET_ERR
> + fi
> +- _cpuid=$(cpucontrol -i "$_leaf","$_subleaf"
> "/dev/cpuctl$_core" 2>/dev/null | cut -d: -f2-)
> ++ _cpuid=$(cpucontrol -i "$_leaf","$_subleaf"
> "/dev/cpuctl$_core" 2>/dev/null | @cut@ -d: -f2-)
> + # cpuid level 0x4, level_type 0x2: 0x1c004143
> 0x01c0003f 0x000001ff 0x00000000
> + else
> + read_cpuid_msg="Found no way to read cpuid info"
> +@@ -1456,7 +1456,7 @@ read_cpuid_one_core()
> + fi
> +
> + # get the value of the register we want
> +- _reg=$(echo "$_cpuid" | awk '{print $'"$_register"'}')
> ++ _reg=$(echo "$_cpuid" | @awk@ '{print $'"$_register"'}')
> + # Linux returns it as decimal, BSD as hex, normalize to
> decimal
> + _reg=$(( _reg ))
> + # shellcheck disable=SC2046
> +@@ -1484,11 +1484,11 @@ dmesg_grep()
> + # grep for something in dmesg, ensuring that the dmesg buffer
> + # has not been truncated
> + dmesg_grepped=''
> +- if ! dmesg | grep -qE -e '(^|\] )Linux version [0-9]' -e
> '^FreeBSD is a registered' ; then
> ++ if ! @dmesg@ | @grep@ -qE -e '(^|\] )Linux version [0-9]' -e
> '^FreeBSD is a registered' ; then
> + # dmesg truncated
> + return 2
> + fi
> +- dmesg_grepped=$(dmesg | grep -E "$1" | head -1)
> ++ dmesg_grepped=$(@dmesg@ | @grep@ -E "$1" | @head@ -1)
> + # not found:
> + [ -z "$dmesg_grepped" ] && return 1
> + # found, output is in $dmesg_grepped
> +@@ -1505,12 +1505,12 @@ parse_cpu_details()
> + {
> + [ "${parse_cpu_details_done:-}" = 1 ] && return 0
> +
> +- if command -v nproc >/dev/null; then
> +- number_of_cores=$(nproc)
> +- elif echo "$os" | grep -q BSD; then
> +- number_of_cores=$(sysctl -n hw.ncpu 2>/dev/null ||
> echo 1)
> ++ if command -v @nproc@ >/dev/null; then
> ++ number_of_cores=$(@nproc@)
> ++ elif echo "$os" | @grep@ -q BSD; then
> ++ number_of_cores=$(@sysctl@ -n hw.ncpu 2>/dev/null ||
> echo 1)
> + elif [ -e "$procfs/cpuinfo" ]; then
> +- number_of_cores=$(grep -c ^processor
> "$procfs/cpuinfo" 2>/dev/null || echo 1)
> ++ number_of_cores=$(@grep@ -c ^processor
> "$procfs/cpuinfo" 2>/dev/null || echo 1)
> + else
> + # if we don't know, default to 1 CPU
> + number_of_cores=1
> +@@ -1518,43 +1518,43 @@ parse_cpu_details()
> + max_core_id=$(( number_of_cores - 1 ))
> +
> + if [ -e "$procfs/cpuinfo" ]; then
> +- cpu_vendor=$( grep '^vendor_id' "$procfs/cpuinfo" |
> awk '{print $3}' | head -1)
> +- cpu_friendly_name=$(grep '^model name'
> "$procfs/cpuinfo" | cut -d: -f2- | head -1 | sed -e 's/^ *//')
> ++ cpu_vendor=$( @grep@ '^vendor_id' "$procfs/cpuinfo"
> | @awk@ '{print $3}' | @head@ -1)
> ++ cpu_friendly_name=$(@grep@ '^model name'
> "$procfs/cpuinfo" | @cut@ -d: -f2- | @head@ -1 | @sed@ -e 's/^ *//')
> + # special case for ARM follows
> +- if grep -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
> ++ if @grep@ -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
> + cpu_vendor='ARM'
> + # some devices (phones or other) have several
> ARMs and as such different part numbers,
> + # an example is "bigLITTLE", so we need to
> store the whole list, this is needed for is_cpu_affected
> +- cpu_part_list=$(awk '/CPU part/
> {print $4}' "$procfs/cpuinfo")
> +- cpu_arch_list=$(awk '/CPU architecture/
> {print $3}' "$procfs/cpuinfo")
> ++ cpu_part_list=$(@awk@ '/CPU part/
> {print $4}' "$procfs/cpuinfo")
> ++ cpu_arch_list=$(@awk@ '/CPU architecture/
> {print $3}' "$procfs/cpuinfo")
> + # take the first one to fill the friendly
> name, do NOT quote the vars below
> + # shellcheck disable=SC2086
> +- cpu_arch=$(echo $cpu_arch_list | awk '{ print
> $1 }')
> ++ cpu_arch=$(echo $cpu_arch_list | @awk@ '{
> print $1 }')
> + # shellcheck disable=SC2086
> +- cpu_part=$(echo $cpu_part_list | awk '{ print
> $1 }')
> ++ cpu_part=$(echo $cpu_part_list | @awk@ '{
> print $1 }')
> + [ "$cpu_arch" = "AArch64" ] && cpu_arch=8
> + cpu_friendly_name="ARM"
> + [ -n "$cpu_arch" ] &&
> cpu_friendly_name="$cpu_friendly_name v$cpu_arch"
> + [ -n "$cpu_part" ] &&
> cpu_friendly_name="$cpu_friendly_name model $cpu_part"
> +
> +- elif grep -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
> ++ elif @grep@ -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
> + cpu_vendor='CAVIUM'
> +- elif grep -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
> ++ elif @grep@ -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
> + cpu_vendor='PHYTIUM'
> + fi
> +
> +- cpu_family=$( grep '^cpu family' "$procfs/cpuinfo" |
> awk '{print $4}' | grep -E '^[0-9]+$' | head -1)
> +- cpu_model=$( grep '^model' "$procfs/cpuinfo" |
> awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
> +- cpu_stepping=$(grep '^stepping' "$procfs/cpuinfo" |
> awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
> +- cpu_ucode=$( grep '^microcode' "$procfs/cpuinfo" |
> awk '{print $3}' | head -1)
> ++ cpu_family=$( @grep@ '^cpu family' "$procfs/cpuinfo"
> | @awk@ '{print $4}' | @grep@ -E '^[0-9]+$' | @head@ -1)
> ++ cpu_model=$( @grep@ '^model' "$procfs/cpuinfo"
> | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
> ++ cpu_stepping=$(@grep@ '^stepping' "$procfs/cpuinfo"
> | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
> ++ cpu_ucode=$( @grep@ '^microcode' "$procfs/cpuinfo"
> | @awk@ '{print $3}' | @head@ -1)
> + else
> +- cpu_vendor=$( dmesg | grep -i -m1 'Origin=' | cut -f2
> -w | cut -f2 -d= | cut -f2 -d\" )
> +- cpu_family=$( dmesg | grep -i -m1 'Family=' | cut -f4
> -w | cut -f2 -d= )
> ++ cpu_vendor=$( @dmesg@ | @grep@ -i -m1 'Origin=' |
> @cut@ -f2 -w | @cut@ -f2 -d= | @cut@ -f2 -d\" )
> ++ cpu_family=$( @dmesg@ | @grep@ -i -m1 'Family=' |
> @cut@ -f4 -w | @cut@ -f2 -d= )
> + cpu_family=$(( cpu_family ))
> +- cpu_model=$( dmesg | grep -i -m1 'Model=' | cut -f5 -
> w | cut -f2 -d= )
> ++ cpu_model=$( @dmesg@ | @grep@ -i -m1 'Model=' | @cut@
> -f5 -w | @cut@ -f2 -d= )
> + cpu_model=$(( cpu_model ))
> +- cpu_stepping=$( dmesg | grep -i -m1 'Stepping=' | cut
> -f6 -w | cut -f2 -d= )
> +- cpu_friendly_name=$(sysctl -n hw.model 2>/dev/null)
> ++ cpu_stepping=$( @dmesg@ | @grep@ -i -m1 'Stepping=' |
> @cut@ -f6 -w | @cut@ -f2 -d= )
> ++ cpu_friendly_name=$(@sysctl@ -n hw.model 2>/dev/null)
> + fi
> +
> + if [ -n "${SMC_MOCK_CPU_FRIENDLY_NAME:-}" ]; then
> +@@ -1609,7 +1609,7 @@ parse_cpu_details()
> + # call CPUID
> + cpucontrol -i 1 /dev/cpuctl0 >/dev/null
> + # read MSR
> +- cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 |
> awk '{print $3}')
> ++ cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 |
> @awk@ '{print $3}')
> + # convert to decimal
> + cpu_ucode=$(( cpu_ucode ))
> + # convert back to hex
> +@@ -1628,7 +1628,7 @@ parse_cpu_details()
> + mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_CPU_UCODE='$cpu_ucode'")
> + fi
> +
> +- echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$(( cpu_ucode ))
> ++ echo "$cpu_ucode" | @grep@ -q ^0x && cpu_ucode=$(( cpu_ucode
> ))
> + ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x
> ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" "$cpu_stepping"
> "$cpu_ucode" "$cpu_cpuid")
> +
> + # also define those that we will need in other funcs
> +@@ -1725,8 +1725,8 @@ is_cpu_smt_enabled()
> + {
> + # SMT / HyperThreading is enabled if siblings != cpucores
> + if [ -e "$procfs/cpuinfo" ]; then
> +- _siblings=$(awk '/^siblings/ {print $3;exit}'
> "$procfs/cpuinfo")
> +- _cpucores=$(awk '/^cpu cores/ {print $4;exit}'
> "$procfs/cpuinfo")
> ++ _siblings=$(@awk@ '/^siblings/ {print $3;exit}'
> "$procfs/cpuinfo")
> ++ _cpucores=$(@awk@ '/^cpu cores/ {print $4;exit}'
> "$procfs/cpuinfo")
> + if [ -n "$_siblings" ] && [ -n "$_cpucores" ]; then
> + if [ "$_siblings" = "$_cpucores" ]; then
> + return 1
> +@@ -1774,10 +1774,10 @@ is_ucode_blacklisted()
> + $INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b \
> + $INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712
> + do
> +- model=$(echo "$tuple" | cut -d, -f1)
> +- stepping=$(( $(echo "$tuple" | cut -d, -f2) ))
> ++ model=$(echo "$tuple" | @cut@ -d, -f1)
> ++ stepping=$(( $(echo "$tuple" | @cut@ -d, -f2) ))
> + if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" =
> "$stepping" ]; then
> +- ucode=$(( $(echo "$tuple" | cut -d, -f3) ))
> ++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
> + if [ "$cpu_ucode" = "$ucode" ]; then
> + _debug "is_ucode_blacklisted: we have
> a match! ($cpu_model/$cpu_stepping/$cpu_ucode)"
> + return 0
> +@@ -1865,7 +1865,7 @@ is_xen_dom0()
> + return 1
> + fi
> +
> +- if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d"
> "$procfs/xen/capabilities"; then
> ++ if [ -e "$procfs/xen/capabilities" ] && @grep@ -q "control_d"
> "$procfs/xen/capabilities"; then
> + return 0
> + else
> + return 1
> +@@ -1893,13 +1893,13 @@ is_xen_domU()
> +
> + if [ -r "$mcedb_cache" ]; then
> + # we have a local cache file, but it might be older than the
> builtin version we have
> +- local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }'
> "$mcedb_cache")
> ++ local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }'
> "$mcedb_cache")
> + mcedb_source="$mcedb_cache"
> + mcedb_info="local firmwares DB $local_dbversion"
> + fi
> + read_mcedb()
> + {
> +- awk '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1
> }' "$mcedb_source"
> ++ @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / {
> DELIM=1 }' "$mcedb_source"
> + }
> +
> + is_latest_known_ucode()
> +@@ -1920,10 +1920,10 @@ is_latest_known_ucode()
> + else
> + return 2
> + fi
> +- for tuple in $(read_mcedb | grep "$(printf
> "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
> ++ for tuple in $(read_mcedb | @grep@ "$(printf
> "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
> + do
> +- ucode=$(( $(echo "$tuple" | cut -d, -f3) ))
> +- ucode_date=$(echo "$tuple" | cut -d, -f4 | sed -r
> 's=(....)(..)(..)=\1/\2/\3=')
> ++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
> ++ ucode_date=$(echo "$tuple" | @cut@ -d, -f4 | @sed@ -r
> 's=(....)(..)(..)=\1/\2/\3=')
> + _debug "is_latest_known_ucode: with cpuid $cpu_cpuid
> has ucode $cpu_ucode, last known is $ucode from $ucode_date"
> + ucode_latest=$(printf "latest version is 0x%x dated
> $ucode_date according to $mcedb_info" "$ucode")
> + if [ "$cpu_ucode" -ge "$ucode" ]; then
> +@@ -1948,7 +1948,7 @@ get_cmdline()
> + kernel_cmdline="$SMC_MOCK_CMDLINE"
> + return
> + else
> +- kernel_cmdline=$(cat "$procfs/cmdline")
> ++ kernel_cmdline=$(@cat@ "$procfs/cmdline")
> + mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_CMDLINE='$kernel_cmdline'")
> + fi
> + }
> +@@ -1956,7 +1956,7 @@ get_cmdline()
> + # ENTRYPOINT
> +
> + # we can't do anything useful under WSL
> +-if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then
> ++if @uname@ -a | @grep@ -qE -- '-Microsoft #[0-9]+-Microsoft '; then
> + _warn "This script doesn't work under Windows Subsystem for
> Linux"
> + _warn "You should use the official Microsoft tool instead."
> + _warn "It can be found under
> https://aka.ms/SpeculationControlPS"
> +@@ -2005,15 +2005,15 @@ fi
> +
> + # if we're under a BSD, try to mount linprocfs for
> "$procfs/cpuinfo"
> + procfs=/proc
> +-if echo "$os" | grep -q BSD; then
> ++if echo "$os" | @grep@ -q BSD; then
> + _debug "We're under BSD, check if we have procfs"
> +- procfs=$(mount | awk '/^linprocfs/ { print $3; exit; }')
> ++ procfs=$(@mount@ | @awk@ '/^linprocfs/ { print $3; exit; }')
> + if [ -z "$procfs" ]; then
> + _debug "we don't, try to mount it"
> + procfs=/proc
> + [ -d /compat/linux/proc ] &&
> procfs=/compat/linux/proc
> + test -d $procfs || mkdir $procfs
> +- if mount -t linprocfs linprocfs $procfs 2>/dev/null;
> then
> ++ if @mount@ -t linprocfs linprocfs $procfs
> 2>/dev/null; then
> + mounted_procfs=1
> + _debug "procfs just mounted at $procfs"
> + else
> +@@ -2045,14 +2045,14 @@ fi
> +
> + if [ "$opt_live" = 1 ]; then
> + # root check (only for live mode, for offline mode, we
> already checked if we could read the files)
> +- if [ "$(id -u)" -ne 0 ]; then
> ++ if [ "$(@id@ -u)" -ne 0 ]; then
> + _warn "Note that you should launch this script with
> root privileges to get accurate information."
> + _warn "We'll proceed but you might see permission
> denied errors."
> + _warn "To run it as root, you can try the following
> command: sudo $0"
> + _warn
> + fi
> + _info "Checking for vulnerabilities on current system"
> +- _info "Kernel is \033[35m$os $(uname -r) $(uname -v) $(uname
> -m)\033[0m"
> ++ _info "Kernel is \033[35m$os $(@uname@ -r) $(@uname@ -v)
> $(@uname@ -m)\033[0m"
> + _info "CPU is \033[35m$cpu_friendly_name\033[0m"
> +
> + # try to find the image of the current running kernel
> +@@ -2060,12 +2060,12 @@ if [ "$opt_live" = 1 ]; then
> + # specified by user on cmdline, with --live, don't
> override
> + :
> + # first, look for the BOOT_IMAGE hint in the kernel cmdline
> +- elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then
> +- opt_kernel=$(echo "$kernel_cmdline" | grep -Eo
> 'BOOT_IMAGE=[^ ]+' | cut -d= -f2)
> ++ elif echo "$kernel_cmdline" | @grep@ -q 'BOOT_IMAGE='; then
> ++ opt_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo
> 'BOOT_IMAGE=[^ ]+' | @cut@ -d= -f2)
> + _debug "found opt_kernel=$opt_kernel in
> $procfs/cmdline"
> + # if the boot partition is within a btrfs subvolume,
> strip the subvolume name
> + # if /boot is a separate subvolume, the remainder of
> the code in this section should handle it
> +- if echo "$opt_kernel" | grep -q "^/@"; then
> opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi
> ++ if echo "$opt_kernel" | @grep@ -q "^/@"; then
> opt_kernel=$(echo "$opt_kernel" | @sed@ "s:/@[^/]*::"); fi
> + # if we have a dedicated /boot partition, our
> bootloader might have just called it /
> + # so try to prepend /boot and see if we find anything
> + [ -e "/boot/$opt_kernel" ] &&
> opt_kernel="/boot/$opt_kernel"
> +@@ -2077,7 +2077,7 @@ if [ "$opt_live" = 1 ]; then
> + # if we didn't find a kernel, default to guessing
> + if [ ! -e "$opt_kernel" ]; then
> + # Fedora:
> +- [ -e "/lib/modules/$(uname -r)/vmlinuz" ] &&
> opt_kernel="/lib/modules/$(uname -r)/vmlinuz"
> ++ [ -e "/lib/modules/$(@uname@ -r)/vmlinuz" ] &&
> opt_kernel="/lib/modules/$(@uname@ -r)/vmlinuz"
> + # Slackware:
> + [ -e "/boot/vmlinuz" ] &&
> opt_kernel="/boot/vmlinuz"
> + # Arch aarch64:
> +@@ -2091,24 +2091,24 @@ if [ "$opt_live" = 1 ]; then
> + # pine64
> + [ -e "/boot/pine64/Image" ] &&
> opt_kernel="/boot/pine64/Image"
> + # generic:
> +- [ -e "/boot/vmlinuz-$(uname -r)" ] &&
> opt_kernel="/boot/vmlinuz-$(uname -r)"
> +- [ -e "/boot/kernel-$( uname -r)" ] &&
> opt_kernel="/boot/kernel-$( uname -r)"
> +- [ -e "/boot/bzImage-$(uname -r)" ] &&
> opt_kernel="/boot/bzImage-$(uname -r)"
> ++ [ -e "/boot/vmlinuz-$(@uname@ -r)" ] &&
> opt_kernel="/boot/vmlinuz-$(@uname@ -r)"
> ++ [ -e "/boot/kernel-$( @uname@ -r)" ] &&
> opt_kernel="/boot/kernel-$( @uname@ -r)"
> ++ [ -e "/boot/bzImage-$(@uname@ -r)" ] &&
> opt_kernel="/boot/bzImage-$(@uname@ -r)"
> + # Gentoo:
> +- [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ++ [ -e "/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@
> -r)" ] && opt_kernel="/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@
> -r)"
> + # NixOS:
> + [ -e "/run/booted-system/kernel" ] &&
> opt_kernel="/run/booted-system/kernel"
> + # Guix System:
> + [ -e "/run/booted-system/kernel/bzImage" ] &&
> opt_kernel="/run/booted-system/kernel/bzImage"
> + # systemd kernel-install:
> +- [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux"
> ++ [ -e "/etc/machine-id" ] && [ -e "/boot/$(@cat@
> /etc/machine-id)/$(@uname@ -r)/linux" ] && opt_kernel="/boot/$(@cat@
> /etc/machine-id)/$(@uname@ -r)/linux"
> + # Clear Linux:
> +- str_uname=$(uname -r)
> ++ str_uname=$(@uname@ -r)
> + clear_linux_kernel="/lib/kernel/org.clearlinux.${str_
> uname##*.}.${str_uname%.*}"
> + [ -e "$clear_linux_kernel" ] &&
> opt_kernel=$clear_linux_kernel
> + # Custom Arch seems to have the kernel path in its
> cmdline in the form "\directory\kernelimage",
> + # with actual \'s instead of /'s:
> +- custom_arch_kernel=$(echo "$kernel_cmdline" | grep -
> Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d
> '[:space:]')
> ++ custom_arch_kernel=$(echo "$kernel_cmdline" | @grep@
> -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | @tr@ "\\\\" "/" | @tr@ -d
> '[:space:]')
> + if [ -n "$custom_arch_kernel" ] && [ -e
> "$custom_arch_kernel" ]; then
> + opt_kernel="$custom_arch_kernel"
> + fi
> +@@ -2122,12 +2122,12 @@ if [ "$opt_live" = 1 ]; then
> + :
> + elif [ -e "$procfs/kallsyms" ] ; then
> + opt_map="$procfs/kallsyms"
> +- elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then
> +- opt_map="/lib/modules/$(uname -r)/System.map"
> +- elif [ -e "/boot/System.map-$(uname -r)" ] ; then
> +- opt_map="/boot/System.map-$(uname -r)"
> +- elif [ -e "/lib/kernel/System.map-$(uname -r)" ]; then
> +- opt_map="/lib/kernel/System.map-$(uname -r)"
> ++ elif [ -e "/lib/modules/$(@uname@ -r)/System.map" ] ; then
> ++ opt_map="/lib/modules/$(@uname@ -r)/System.map"
> ++ elif [ -e "/boot/System.map-$(@uname@ -r)" ] ; then
> ++ opt_map="/boot/System.map-$(@uname@ -r)"
> ++ elif [ -e "/lib/kernel/System.map-$(@uname@ -r)" ]; then
> ++ opt_map="/lib/kernel/System.map-$(@uname@ -r)"
> + fi
> +
> + # config
> +@@ -2135,18 +2135,18 @@ if [ "$opt_live" = 1 ]; then
> + # specified by user on cmdline, with --live, don't
> override
> + :
> + elif [ -e "$procfs/config.gz" ] ; then
> +- dumped_config="$(mktemp -t smc-config-XXXXXX)"
> +- gunzip -c "$procfs/config.gz" > "$dumped_config"
> ++ dumped_config="$(@mktemp@ -t smc-config-XXXXXX)"
> ++ @gunzip@ -c "$procfs/config.gz" > "$dumped_config"
> + # dumped_config will be deleted at the end of the
> script
> + opt_config="$dumped_config"
> +- elif [ -e "/lib/modules/$(uname -r)/config" ]; then
> +- opt_config="/lib/modules/$(uname -r)/config"
> +- elif [ -e "/boot/config-$(uname -r)" ]; then
> +- opt_config="/boot/config-$(uname -r)"
> +- elif [ -e "/etc/kernels/kernel-config-$(uname -m)-$(uname -
> r)" ]; then
> +- opt_config="/etc/kernels/kernel-config-$(uname -m)-
> $(uname -r)"
> +- elif [ -e "/lib/kernel/config-$(uname -r)" ]; then
> +- opt_config="/lib/kernel/config-$(uname -r)"
> ++ elif [ -e "/lib/modules/$(@uname@ -r)/config" ]; then
> ++ opt_config="/lib/modules/$(@uname@ -r)/config"
> ++ elif [ -e "/boot/config-$(@uname@ -r)" ]; then
> ++ opt_config="/boot/config-$(@uname@ -r)"
> ++ elif [ -e "/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@
> -r)" ]; then
> ++ opt_config="/etc/kernels/kernel-config-$(@uname@ -m)-
> $(@uname@ -r)"
> ++ elif [ -e "/lib/kernel/config-$(@uname@ -r)" ]; then
> ++ opt_config="/lib/kernel/config-$(@uname@ -r)"
> + fi
> + else
> + _info "Checking for vulnerabilities against specified kernel"
> +@@ -2161,7 +2161,7 @@ else
> + fi
> +
> + if [ "$os" = Linux ]; then
> +- if [ -n "$opt_config" ] && ! grep -q '^CONFIG_'
> "$opt_config"; then
> ++ if [ -n "$opt_config" ] && ! @grep@ -q '^CONFIG_'
> "$opt_config"; then
> + # given file is invalid!
> + _warn "The kernel config file seems invalid, was
> expecting a plain-text file, ignoring it!"
> + opt_config=''
> +@@ -2189,7 +2189,7 @@ if [ "$os" = Linux ]; then
> + fi
> +
> + if [ -e "$opt_kernel" ]; then
> +- if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1;
> then
> ++ if ! command -v "@readelf@" >/dev/null 2>&1; then
> + _debug "readelf not found"
> + kernel_err="missing '${opt_arch_prefix}readelf' tool,
> please install it, usually it's in the 'binutils' package"
> + elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ];
> then
> +@@ -2207,20 +2207,20 @@ else
> + # vanilla kernels have with ^Linux version
> + # also try harder with some kernels (such as Red Hat) that
> don't have ^Linux version before their version string
> + # and check for FreeBSD
> +- kernel_version=$("${opt_arch_prefix}strings" "$kernel"
> 2>/dev/null | grep -E \
> ++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -
> E \
> + -e '^Linux version ' \
> + -e '^[[:alnum:]][^[:space:]]+ \([^[:space:]]+\) #[0-
> 9]+ .+ (19|20)[0-9][0-9]$' \
> +- -e '^FreeBSD [0-9]' | head -1)
> ++ -e '^FreeBSD [0-9]' | @head@ -1)
> + if [ -z "$kernel_version" ]; then
> + # try even harder with some kernels (such as ARM)
> that split the release (uname -r) and version (uname -v) in 2
> adjacent strings
> +- kernel_version=$("${opt_arch_prefix}strings"
> "$kernel" 2>/dev/null | grep -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$'
> | tr "\n" " ")
> ++ kernel_version=$("@strings@" "$kernel" 2>/dev/null |
> @grep@ -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | @tr@ "\n" " ")
> + fi
> + if [ -n "$kernel_version" ]; then
> + # in live mode, check if the img we found is the
> correct one
> + if [ "$opt_live" = 1 ]; then
> + _verbose "Kernel image is
> \033[35m$kernel_version"
> +- if ! echo "$kernel_version" | grep -qF
> "$(uname -r)"; then
> +- _warn "Possible discrepancy between
> your running kernel '$(uname -r)' and the image '$kernel_version' we
> found ($opt_kernel), results might be incorrect"
> ++ if ! echo "$kernel_version" | @grep@ -qF
> "$(@uname@ -r)"; then
> ++ _warn "Possible discrepancy between
> your running kernel '$(@uname@ -r)' and the image '$kernel_version'
> we found ($opt_kernel), results might be incorrect"
> + fi
> + else
> + _info "Kernel image is
> \033[35m$kernel_version"
> +@@ -2248,11 +2248,11 @@ sys_interface_check()
> + if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r
> "$file" ]; then
> + :
> + else
> +- mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_SYSFS_$(basename "$file")_RET=1")
> ++ mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_SYSFS_$(@basename@ "$file")_RET=1")
> + return 1
> + fi
> +
> +- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")_RET"
> ++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")_RET"
> + # shellcheck disable=SC2086,SC1083
> + if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
> + _debug "sysfs: MOCKING enabled for $file func returns
> $(eval echo \$$_mockvarname)"
> +@@ -2261,17 +2261,17 @@ sys_interface_check()
> + fi
> +
> + [ -n "$regex" ] || regex='.*'
> +- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")"
> ++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")"
> + # shellcheck disable=SC2086,SC1083
> + if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
> + fullmsg="$(eval echo \$$_mockvarname)"
> +- msg=$(echo "$fullmsg" | grep -Eo "$regex")
> ++ msg=$(echo "$fullmsg" | @grep@ -Eo "$regex")
> + _debug "sysfs: MOCKING enabled for $file, will return
> $fullmsg"
> + mocked=1
> + else
> +- fullmsg=$(cat "$file")
> +- msg=$(grep -Eo "$regex" "$file")
> +- mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_SYSFS_$(basename "$file")='$fullmsg'")
> ++ fullmsg=$(@cat@ "$file")
> ++ msg=$(@grep@ -Eo "$regex" "$file")
> ++ mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_SYSFS_$(@basename@ "$file")='$fullmsg'")
> + fi
> + if [ "$mode" = silent ]; then
> + return 0
> +@@ -2280,15 +2280,15 @@ sys_interface_check()
> + return 0
> + fi
> + _info_nol "* Mitigated according to the /sys interface: "
> +- if echo "$msg" | grep -qi '^not affected'; then
> ++ if echo "$msg" | @grep@ -qi '^not affected'; then
> + # Not affected
> + status=OK
> + pstatus green YES "$fullmsg"
> +- elif echo "$msg" | grep -qEi '^(kvm: )?mitigation'; then
> ++ elif echo "$msg" | @grep@ -qEi '^(kvm: )?mitigation'; then
> + # Mitigation: PTI
> + status=OK
> + pstatus green YES "$fullmsg"
> +- elif echo "$msg" | grep -qi '^vulnerable'; then
> ++ elif echo "$msg" | @grep@ -qi '^vulnerable'; then
> + # Vulnerable
> + status=VULN
> + pstatus yellow NO "$fullmsg"
> +@@ -2376,20 +2376,20 @@ write_msr_one_core()
> + # ret=4: msr doesn't exist, ret=127:
> msr.allow_writes=off
> + [ "$ret" = 127 ] && _write_denied=1
> + # or fallback to dd if it supports seek_bytes, we
> prefer it over perl because we can tell the difference between EPERM
> and EIO
> +- elif dd if=/dev/null of=/dev/null bs=8 count=1
> seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}"
> != 1 ]; then
> ++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1
> seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}"
> != 1 ]; then
> + _debug "write_msr: using dd"
> +- dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8
> count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
> ++ @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr
> bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
> + # if it failed, inspect stderrto look for
> EPERM
> + if [ "$ret" != 0 ]; then
> +- if dd if=/dev/zero
> of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec"
> oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then
> ++ if @dd@ if=/dev/zero
> of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec"
> oflag=seek_bytes 2>&1 | @grep@ -qF 'Operation not permitted'; then
> + _write_denied=1
> + fi
> + fi
> + # or if we have perl, use it, any 5.x version will
> work
> +- elif command -v perl >/dev/null 2>&1 && [
> "${SMC_NO_PERL:-}" != 1 ]; then
> ++ elif command -v @perl@ >/dev/null 2>&1 && [
> "${SMC_NO_PERL:-}" != 1 ]; then
> + _debug "write_msr: using perl"
> + ret=1
> +- perl -e "open(M,'>','/dev/cpu/$_core/msr')
> and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -
> eq 8 ] && ret=0
> ++ @perl@ -e "open(M,'>','/dev/cpu/$_core/msr')
> and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -
> eq 8 ] && ret=0
> + else
> + _debug "write_msr: got no wrmsr, perl or
> recent enough dd!"
> + mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR")
> +@@ -2411,13 +2411,13 @@ write_msr_one_core()
> + msr_locked_down=1
> + write_msr_msg="your kernel is
> configured to deny writes to MSRs from user space"
> + return $WRITE_MSR_RET_LOCKDOWN
> +- elif dmesg | grep -qF "msr: Direct access to
> MSR"; then
> ++ elif @dmesg@ | @grep@ -qF "msr: Direct access
> to MSR"; then
> + _debug "write_msr: locked down kernel
> detected (Red Hat / Fedora)"
> + mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
> + msr_locked_down=1
> + write_msr_msg="your kernel is locked
> down (Fedora/Red Hat), please reboot without secure boot and retry"
> + return $WRITE_MSR_RET_LOCKDOWN
> +- elif dmesg | grep -qF "raw MSR access is
> restricted"; then
> ++ elif @dmesg@ | @grep@ -qF "raw MSR access is
> restricted"; then
> + _debug "write_msr: locked down kernel
> detected (vanilla)"
> + mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
> + msr_locked_down=1
> +@@ -2516,8 +2516,8 @@ read_msr_one_core()
> + return $READ_MSR_RET_KO
> + fi
> + # MSR 0x10: 0x000003e1 0xb106dded
> +- _msr_h=$(echo "$_msr" | awk '{print $3}');
> +- _msr_l=$(echo "$_msr" | awk '{print $4}');
> ++ _msr_h=$(echo "$_msr" | @awk@ '{print $3}');
> ++ _msr_l=$(echo "$_msr" | @awk@ '{print $4}');
> + read_msr_value=$(( _msr_h << 32 | _msr_l ))
> + else
> + # for Linux
> +@@ -2528,15 +2528,15 @@ read_msr_one_core()
> + # if rdmsr is available, use it
> + elif command -v rdmsr >/dev/null 2>&1 && [
> "${SMC_NO_RDMSR:-}" != 1 ]; then
> + _debug "read_msr: using rdmsr on $_msr"
> +- read_msr_value=$(rdmsr -r $_msr_dec
> 2>/dev/null | od -t u8 -A n)
> ++ read_msr_value=$(rdmsr -r $_msr_dec
> 2>/dev/null | @od@ -t u8 -A n)
> + # or if we have perl, use it, any 5.x version will
> work
> +- elif command -v perl >/dev/null 2>&1 && [
> "${SMC_NO_PERL:-}" != 1 ]; then
> ++ elif command -v @perl@ >/dev/null 2>&1 && [
> "${SMC_NO_PERL:-}" != 1 ]; then
> + _debug "read_msr: using perl on $_msr"
> +- read_msr_value=$(perl -e
> "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and
> read(M,\$_,8) and print" | od -t u8 -A n)
> ++ read_msr_value=$(@perl@ -e
> "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and
> read(M,\$_,8) and print" | @od@ -t u8 -A n)
> + # fallback to dd if it supports skip_bytes
> +- elif dd if=/dev/null of=/dev/null bs=8 count=1
> skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
> ++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1
> skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
> + _debug "read_msr: using dd on $_msr"
> +- read_msr_value=$(dd if=/dev/cpu/"$_core"/msr
> bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8
> -A n)
> ++ read_msr_value=$(@dd@
> if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec"
> iflag=skip_bytes 2>/dev/null | @od@ -t u8 -A n)
> + else
> + _debug "read_msr: got no rdmsr, perl or
> recent enough dd!"
> + mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR")
> +@@ -2560,7 +2560,7 @@ check_cpu()
> + {
> + _info "\033[1;34mHardware check\033[0m"
> +
> +- if ! uname -m | grep -qwE 'x86_64|i[3-6]86|amd64'; then
> ++ if ! @uname@ -m | @grep@ -qwE 'x86_64|i[3-6]86|amd64'; then
> + return
> + fi
> +
> +@@ -3176,19 +3176,19 @@ check_redhat_canonical_spectre()
> + # if we were already called, don't do it again
> + [ -n "${redhat_canonical_spectre:-}" ] && return
> +
> +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1;
> then
> ++ if ! command -v "@strings@" >/dev/null 2>&1; then
> + redhat_canonical_spectre=-1
> + elif [ -n "$kernel_err" ]; then
> + redhat_canonical_spectre=-2
> + else
> + # Red Hat / Ubuntu specific variant1 patch is
> difficult to detect,
> + # let's use the two same tricks than the official Red
> Hat detection script uses:
> +- if "${opt_arch_prefix}strings" "$kernel" | grep -qw
> noibrs && "${opt_arch_prefix}strings" "$kernel" | grep -qw noibpb;
> then
> ++ if "@strings@" "$kernel" | @grep@ -qw noibrs &&
> "@strings@" "$kernel" | @grep@ -qw noibpb; then
> + # 1) detect their specific variant2 patch. If
> it's present, it means
> + # that the variant1 patch is also present
> (both were merged at the same time)
> + _debug "found redhat/canonical version of the
> variant2 patch (implies variant1)"
> + redhat_canonical_spectre=1
> +- elif "${opt_arch_prefix}strings" "$kernel" | grep -q
> 'x86/pti:'; then
> ++ elif "@strings@" "$kernel" | @grep@ -q 'x86/pti:';
> then
> + # 2) detect their specific variant3 patch. If
> it's present, but the variant2
> + # is not, it means that only variant1 is
> present in addition to variant3
> + _debug "found redhat/canonical version of the
> variant3 patch (implies variant1 but not variant2)"
> +@@ -3213,13 +3213,13 @@ check_has_vmm()
> + # If we find no evidence that this is the case,
> assume we're not (to avoid scaring users),
> + # this can always be overridden with --vmm in any
> case.
> + has_vmm=0
> +- if command -v pgrep >/dev/null 2>&1; then
> ++ if command -v @pgrep@ >/dev/null 2>&1; then
> + # remove xenbus and xenwatch, also present
> inside domU
> + # remove libvirtd as it can also be used to
> manage containers and not VMs
> + # for each binary we want to grep, get the
> pids
> + for _binary in qemu kvm xenstored xenconsoled
> + do
> +- for _pid in $(pgrep -x $_binary)
> ++ for _pid in $(@pgrep@ -x $_binary)
> + do
> + # resolve the exe symlink, if
> it doesn't resolve with -m,
> + # which doesn't even need the
> dest to exist, it means the symlink
> +@@ -3235,7 +3235,7 @@ check_has_vmm()
> + else
> + # ignore SC2009 as `ps ax` is actually used
> as a fallback if `pgrep` isn't installed
> + # shellcheck disable=SC2009
> +- if command -v ps >/devnull && ps ax | grep -
> vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e
> '/xenstored' -e '/xenconsoled'; then
> ++ if command -v ps >/devnull && ps ax | @grep@
> -vw grep | @grep@ -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e
> '/xenstored' -e '/xenconsoled'; then
> + has_vmm=1
> + fi
> + fi
> +@@ -3267,7 +3267,7 @@ check_CVE_2017_5753()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2017_5753_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2017_5753_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -3319,20 +3319,20 @@ check_CVE_2017_5753_linux()
> + v1_mask_nospec=''
> + if [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN "couldn't check
> ($kernel_err)"
> +- elif ! command -v perl >/dev/null 2>&1; then
> ++ elif ! command -v @perl@ >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing 'perl'
> binary, please install it"
> + else
> +- perl -ne
> '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END {
> exit($found) }' "$kernel"; ret=$?
> ++ @perl@ -ne
> '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END {
> exit($found) }' "$kernel"; ret=$?
> + if [ $ret -gt 0 ]; then
> + pstatus green YES "$ret occurrence(s)
> found of x86 64 bits array_index_mask_nospec()"
> + v1_mask_nospec="x86 64 bits
> array_index_mask_nospec"
> + else
> +- perl -ne
> '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END {
> exit($found) }' "$kernel"; ret=$?
> ++ @perl@ -ne
> '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END {
> exit($found) }' "$kernel"; ret=$?
> + if [ $ret -gt 0 ]; then
> + pstatus green YES "$ret
> occurrence(s) found of x86 32 bits array_index_mask_nospec()"
> + v1_mask_nospec="x86 32 bits
> array_index_mask_nospec"
> + else
> +-
> ret=$("${opt_arch_prefix}objdum
> p" $objdump_options "$kernel" | grep -w -e f3af8014 -e e320f014 -B2 |
> grep -B1 -w sbc | grep -w -c cmp)
> ++ ret=$("@objdump@"
> $objdump_options "$kernel" | @grep@ -w -e f3af8014 -e e320f014 -B2 |
> @grep@ -B1 -w sbc | @grep@ -w -c cmp)
> + if [ "$ret" -gt 0 ]; then
> + pstatus green YES
> "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()"
> + v1_mask_nospec="arm
> 32 bits array_index_mask_nospec"
> +@@ -3376,12 +3376,12 @@ check_CVE_2017_5753_linux()
> + pstatus yellow NO
> + elif [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN "couldn't check
> ($kernel_err)"
> +- elif ! command -v perl >/dev/null 2>&1; then
> ++ elif ! command -v @perl@ >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing 'perl'
> binary, please install it"
> +- elif ! command -v "${opt_arch_prefix}objdump"
> >/dev/null 2>&1; then
> ++ elif ! command -v "@objdump@" >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing
> '${opt_arch_prefix}objdump' tool, please install it, usually it's in
> the binutils package"
> + else
> +- "${opt_arch_prefix}objdump" $objdump_options
> "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ &&
> $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ &&
> $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
> ++ "@objdump@" $objdump_options "$kernel" |
> @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/
> && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift
> @r if @r>3'; ret=$?
> + if [ "$ret" -eq 9 ]; then
> + pstatus green YES "mask_nospec64
> macro is present and used"
> + v1_mask_nospec="arm64 mask_nospec64"
> +@@ -3403,12 +3403,12 @@ check_CVE_2017_5753_linux()
> + pstatus yellow NO
> + elif [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN "couldn't check
> ($kernel_err)"
> +- elif ! command -v perl >/dev/null 2>&1; then
> ++ elif ! command -v @perl@ >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing 'perl'
> binary, please install it"
> +- elif ! command -v "${opt_arch_prefix}objdump"
> >/dev/null 2>&1; then
> ++ elif ! command -v "@objdump@" >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing
> '${opt_arch_prefix}objdump' tool, please install it, usually it's in
> the binutils package"
> + else
> +- "${opt_arch_prefix}objdump" -d "$kernel" |
> perl -ne 'push @r, $_; /\s(hint|csdb)\s/ &&
> $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ &&
> $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9);
> shift @r if @r>3'; ret=$?
> ++ "@objdump@" -d "$kernel" | @perl@ -ne 'push
> @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ &&
> $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9);
> shift @r if @r>3'; ret=$?
> + if [ "$ret" -eq 9 ]; then
> + pstatus green YES "array_index_nospec
> macro is present and used"
> + v1_mask_nospec="arm64
> array_index_nospec"
> +@@ -3424,7 +3424,7 @@ check_CVE_2017_5753_linux()
> + if [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN "couldn't
> check ($kernel_err)"
> + else
> +- if ! command -v
> "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
> ++ if ! command -v "@objdump@"
> >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN
> "missing '${opt_arch_prefix}objdump' tool, please install it, usually
> it's in the binutils package"
> + else
> + # here we disassemble the
> kernel and count the number of occurrences of the LFENCE opcode
> +@@ -3434,7 +3434,7 @@ check_CVE_2017_5753_linux()
> + # so let's push the threshold
> to 70.
> + # v0.33+: now only count
> lfence opcodes after a jump, way less error-prone
> + # non patched kernel have
> between 0 and 20 matches, patched ones have at least 40-45
> +-
> nb_lfence=$("${opt_arch_prefix}
> objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence
> | grep -Ewc 'jmp|jne|je')
> ++ nb_lfence=$("@objdump@"
> $objdump_options "$kernel" 2>/dev/null | @grep@ -w -B1 lfence |
> @grep@ -Ewc 'jmp|jne|je')
> + if [ "$nb_lfence" -lt 30 ];
> then
> + pstatus yellow NO
> "only $nb_lfence jump-then-lfence instructions found, should be >= 30
> (heuristic)"
> + else
> +@@ -3505,7 +3505,7 @@ check_CVE_2017_5715()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2017_5715_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2017_5715_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -3547,13 +3547,13 @@ check_CVE_2017_5715_linux()
> + #
> /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed
> + specex_knob_dir=$dir
> + ibrs_supported="$dir/ibrs_ena
> bled exists"
> +- ibrs_enabled=$(cat
> "$dir/ibrs_enabled" 2>/dev/null)
> ++ ibrs_enabled=$(@cat@
> "$dir/ibrs_enabled" 2>/dev/null)
> + _debug "ibrs: found
> $dir/ibrs_enabled=$ibrs_enabled"
> + # if ibrs_enabled is there,
> ibpb_enabled will be in the same dir
> + if [ -e "$dir/ibpb_enabled"
> ]; then
> + # if the file is
> there, we have IBPB compiled-in (see note above for IBRS)
> + ibpb_supported="$dir/
> ibpb_enabled exists"
> +- ibpb_enabled=$(cat
> "$dir/ibpb_enabled" 2>/dev/null)
> ++ ibpb_enabled=$(@cat@
> "$dir/ibpb_enabled" 2>/dev/null)
> + _debug "ibpb: found
> $dir/ibpb_enabled=$ibpb_enabled"
> + else
> + _debug "ibpb:
> $dir/ibpb_enabled file doesn't exist"
> +@@ -3568,7 +3568,7 @@ check_CVE_2017_5715_linux()
> + # which in that case means ibrs is supported
> *and* enabled for kernel & user
> + # as per the ibrs patch series v3
> + if [ -z "$ibrs_supported" ]; then
> +- if grep ^flags "$procfs/cpuinfo" |
> grep -qw spec_ctrl_ibrs; then
> ++ if @grep@ ^flags "$procfs/cpuinfo" |
> @grep@ -qw spec_ctrl_ibrs; then
> + _debug "ibrs: found
> spec_ctrl_ibrs flag in $procfs/cpuinfo"
> + ibrs_supported="spec_ctrl_ibr
> s flag in $procfs/cpuinfo"
> + # enabled=2 -> kernel & user
> +@@ -3578,13 +3578,13 @@ check_CVE_2017_5715_linux()
> + fi
> + if [ -n "$fullmsg" ]; then
> + # when IBPB is enabled on 4.15+, we
> can see it in sysfs
> +- if echo "$fullmsg" | grep -q 'IBPB';
> then
> ++ if echo "$fullmsg" | @grep@ -q
> 'IBPB'; then
> + _debug "ibpb: found enabled
> in sysfs"
> + [ -z "$ibpb_supported" ] &&
> ibpb_supported='IBPB found enabled in sysfs'
> + [ -z "$ibpb_enabled" ] &&
> ibpb_enabled=1
> + fi
> + # when IBRS_FW is enabled on 4.15+,
> we can see it in sysfs
> +- if echo "$fullmsg" | grep -q ',
> IBRS_FW'; then
> ++ if echo "$fullmsg" | @grep@ -q ',
> IBRS_FW'; then
> + _debug "ibrs: found IBRS_FW
> in sysfs"
> + [ -z "$ibrs_supported" ] &&
> ibrs_supported='found IBRS_FW in sysfs'
> + ibrs_fw_enabled=1
> +@@ -3592,13 +3592,13 @@ check_CVE_2017_5715_linux()
> + # when IBRS is enabled on 4.15+, we
> can see it in sysfs
> + # on a more recent kernel, classic
> "IBRS" is not even longer an option, because of the performance
> impact.
> + # only "Enhanced IBRS" is available
> (on CPUs with the IBRS_ALL flag)
> +- if echo "$fullmsg" | grep -q -e
> '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
> ++ if echo "$fullmsg" | @grep@ -q -e
> '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
> + _debug "ibrs: found IBRS in
> sysfs"
> + [ -z "$ibrs_supported" ] &&
> ibrs_supported='found IBRS in sysfs'
> + [ -z "$ibrs_enabled" ] &&
> ibrs_enabled=3
> + fi
> + # checking for 'Enhanced IBRS' in
> sysfs, enabled on CPUs with IBRS_ALL
> +- if echo "$fullmsg" | grep -q -e
> 'Enhanced IBRS'; then
> ++ if echo "$fullmsg" | @grep@ -q -e
> 'Enhanced IBRS'; then
> + [ -z "$ibrs_supported" ] &&
> ibrs_supported='found Enhanced IBRS in sysfs'
> + # 4 isn't actually a valid
> value of the now extinct "ibrs_enabled" flag file,
> + # that only went from 0 to 3,
> so we use 4 as "enhanced ibrs is enabled"
> +@@ -3617,11 +3617,11 @@ check_CVE_2017_5715_linux()
> + fi
> + fi
> + if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then
> +- if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++ if ! command -v "@strings@" >/dev/null 2>&1;
> then
> + :
> + else
> + ibrs_can_tell=1
> +-
> ibrs_supported=$("${opt_arch_prefix}str
> ings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1)
> ++ ibrs_supported=$("@strings@"
> "$kernel" | @grep@ -Fw -e ', IBRS_FW' | @head@ -1)
> + if [ -n "$ibrs_supported" ]; then
> + _debug "ibrs: found ibrs
> evidence in kernel image ($ibrs_supported)"
> + ibrs_supported="found
> '$ibrs_supported' in kernel image"
> +@@ -3630,7 +3630,7 @@ check_CVE_2017_5715_linux()
> + fi
> + if [ -z "$ibrs_supported" ] && [ -n "$opt_map" ];
> then
> + ibrs_can_tell=1
> +- if grep -q spec_ctrl "$opt_map"; then
> ++ if @grep@ -q spec_ctrl "$opt_map"; then
> + ibrs_supported="found spec_ctrl in
> symbols file"
> + _debug "ibrs: found '*spec_ctrl*'
> symbol in $opt_map"
> + fi
> +@@ -3638,11 +3638,11 @@ check_CVE_2017_5715_linux()
> + # recent (4.15) vanilla kernels have IBPB but not
> IBRS, and without the debugfs tunables of Red Hat
> + # we can detect it directly in the image
> + if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then
> +- if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++ if ! command -v "@strings@" >/dev/null 2>&1;
> then
> + :
> + else
> + ibpb_can_tell=1
> +-
> ibpb_supported=$("${opt_arch_prefix}str
> ings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1)
> ++ ibpb_supported=$("@strings@"
> "$kernel" | @grep@ -Fw -e 'ibpb' -e ', IBPB' | @head@ -1)
> + if [ -n "$ibpb_supported" ]; then
> + _debug "ibpb: found ibpb
> evidence in kernel image ($ibpb_supported)"
> + ibpb_supported="found
> '$ibpb_supported' in kernel image"
> +@@ -3691,9 +3691,9 @@ check_CVE_2017_5715_linux()
> + 2) if [
> "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel, user
> space, and firmware code" ; else pstatus green YES "for both kernel
> and user space"; fi;;
> + 3) if [
> "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and
> firmware code"; else pstatus green YES; fi;;
> + 4) pstatus green YES
> "Enhanced flavor, performance impact will be greatly reduced";;
> +- *) if [ "$cpuid_ibrs" !=
> 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [
> "$cpuid_spec_ctrl" != -1 ];
> +- then pstatus
> yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
> +- else
> ++ *) if [ "$cpuid_ibrs" !=
> 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [
> "$cpuid_spec_ctrl" != -1 ];
> ++ then pstatus
> yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
> ++ else
> + pstatus
> yellow UNKNOWN; fi;;
> + esac
> + fi
> +@@ -3744,7 +3744,7 @@ check_CVE_2017_5715_linux()
> + bp_harden=''
> + if [ -r "$opt_config" ]; then
> + bp_harden_can_tell=1
> +- bp_harden=$(grep -w
> 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
> ++ bp_harden=$(@grep@ -w
> 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
> + if [ -n "$bp_harden" ]; then
> + pstatus green YES
> + _debug "bp_harden: found '$bp_harden'
> in $opt_config"
> +@@ -3752,7 +3752,7 @@ check_CVE_2017_5715_linux()
> + fi
> + if [ -z "$bp_harden" ] && [ -n "$opt_map" ]; then
> + bp_harden_can_tell=1
> +- bp_harden=$(grep -w bp_hardening_data
> "$opt_map")
> ++ bp_harden=$(@grep@ -w bp_hardening_data
> "$opt_map")
> + if [ -n "$bp_harden" ]; then
> + pstatus green YES
> + _debug "bp_harden: found '$bp_harden'
> in $opt_map"
> +@@ -3770,11 +3770,11 @@ check_CVE_2017_5715_linux()
> + # We check the RETPOLINE kernel options
> + retpoline=0
> + if [ -r "$opt_config" ]; then
> +- if grep -q '^CONFIG_RETPOLINE=y'
> "$opt_config"; then
> ++ if @grep@ -q '^CONFIG_RETPOLINE=y'
> "$opt_config"; then
> + pstatus green YES
> + retpoline=1
> + # shellcheck disable=SC2046
> +- _debug 'retpoline: found '$(grep
> '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
> ++ _debug 'retpoline: found '$(@grep@
> '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
> + else
> + pstatus yellow NO
> + fi
> +@@ -3795,8 +3795,8 @@ check_CVE_2017_5715_linux()
> + # since 5.15.28, this is now "Retpolines" as
> the implementation was switched to a generic one,
> + # so we look for both "retpoline" and
> "retpolines"
> + if [ "$opt_live" = 1 ] && [ -n "$fullmsg" ];
> then
> +- if echo "$fullmsg" | grep -qwi -e
> retpoline -e retpolines; then
> +- if echo "$fullmsg" | grep -
> qwi minimal; then
> ++ if echo "$fullmsg" | @grep@ -qwi -e
> retpoline -e retpolines; then
> ++ if echo "$fullmsg" | @grep@ -
> qwi minimal; then
> + retpoline_compiler=0
> + retpoline_compiler_re
> ason="kernel reports minimal retpoline compilation"
> + else
> +@@ -3806,19 +3806,19 @@ check_CVE_2017_5715_linux()
> + fi
> + elif [ -n "$opt_map" ]; then
> + # look for the symbol
> +- if grep -qw noretpoline_setup
> "$opt_map"; then
> ++ if @grep@ -qw noretpoline_setup
> "$opt_map"; then
> + retpoline_compiler=1
> + retpoline_compiler_reason="no
> retpoline_setup symbol found in System.map"
> + fi
> + elif [ -n "$kernel" ]; then
> + # look for the symbol
> +- if command -v "${opt_arch_prefix}nm"
> >/dev/null 2>&1; then
> ++ if command -v "@nm@" >/dev/null 2>&1;
> then
> + # the proper way: use nm and
> look for the symbol
> +- if "${opt_arch_prefix}nm"
> "$kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then
> ++ if "@nm@" "$kernel"
> 2>/dev/null | @grep@ -qw 'noretpoline_setup'; then
> + retpoline_compiler=1
> + retpoline_compiler_re
> ason="noretpoline_setup found in kernel symbols"
> + fi
> +- elif grep -q noretpoline_setup
> "$kernel"; then
> ++ elif @grep@ -q noretpoline_setup
> "$kernel"; then
> + # if we don't have nm,
> nevermind, the symbol name is long enough to not have
> + # any false positive using
> good old grep directly on the binary
> + retpoline_compiler=1
> +@@ -3847,7 +3847,7 @@ check_CVE_2017_5715_linux()
> + retp_enabled=-1
> + if [ "$opt_live" = 1 ]; then
> + if [ -e "$specex_knob_dir/retp_enabled" ];
> then
> +- retp_enabled=$(cat
> "$specex_knob_dir/retp_enabled" 2>/dev/null)
> ++ retp_enabled=$(@cat@
> "$specex_knob_dir/retp_enabled" 2>/dev/null)
> + _debug "retpoline: found
> $specex_knob_dir/retp_enabled=$retp_enabled"
> + _info_nol " * Retpoline is
> enabled: "
> + if [ "$retp_enabled" = 1 ]; then
> +@@ -3877,7 +3877,7 @@ check_CVE_2017_5715_linux()
> + rsb_filling=0
> + if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs"
> != 1 ]; then
> + # if we're live and we aren't denied
> looking into /sys, let's do it
> +- if echo "$msg" | grep -qw RSB; then
> ++ if echo "$msg" | @grep@ -qw RSB; then
> + rsb_filling=1
> + pstatus green YES
> + fi
> +@@ -3886,7 +3886,7 @@ check_CVE_2017_5715_linux()
> + if [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN
> "couldn't check ($kernel_err)"
> + else
> +- if grep -qw -e 'Filling RSB
> on context switch' "$kernel"; then
> ++ if @grep@ -qw -e 'Filling RSB
> on context switch' "$kernel"; then
> + rsb_filling=1
> + pstatus green YES
> + else
> +@@ -4048,7 +4048,7 @@ check_CVE_2017_5715_bsd()
> + {
> + _info "* Mitigation 1"
> + _info_nol " * Kernel supports IBRS: "
> +- ibrs_disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null)
> ++ ibrs_disabled=$(@sysctl@ -n hw.ibrs_disable 2>/dev/null)
> + if [ -z "$ibrs_disabled" ]; then
> + pstatus yellow NO
> + else
> +@@ -4056,7 +4056,7 @@ check_CVE_2017_5715_bsd()
> + fi
> +
> + _info_nol " * IBRS enabled and active: "
> +- ibrs_active=$(sysctl -n hw.ibrs_active 2>/dev/null)
> ++ ibrs_active=$(@sysctl@ -n hw.ibrs_active 2>/dev/null)
> + if [ "$ibrs_active" = 1 ]; then
> + pstatus green YES
> + else
> +@@ -4069,10 +4069,10 @@ check_CVE_2017_5715_bsd()
> + if [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
> + else
> +- if ! command -v "${opt_arch_prefix}readelf"
> >/dev/null 2>&1; then
> ++ if ! command -v "@readelf@" >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing
> '${opt_arch_prefix}readelf' tool, please install it, usually it's in
> the binutils package"
> + else
> +- nb_thunks=$("${opt_arch_prefix}readelf" -s
> "$kernel" | grep -c -e __llvm_retpoline_ -e
> __llvm_external_retpoline_ -e __x86_indirect_thunk_)
> ++ nb_thunks=$("@readelf@" -s "$kernel" | @grep@
> -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e
> __x86_indirect_thunk_)
> + if [ "$nb_thunks" -gt 0 ]; then
> + retpoline=1
> + pstatus green YES "found $nb_thunks
> thunk(s)"
> +@@ -4113,7 +4113,7 @@ check_CVE_2017_5715_bsd()
> + pti_performance_check()
> + {
> + _info_nol " * Reduced performance impact of PTI: "
> +- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo"
> | grep -qw pcid; then
> ++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags
> "$procfs/cpuinfo" | @grep@ -qw pcid; then
> + cpu_pcid=1
> + else
> + read_cpuid 0x1 0x0 $ECX 17 1 1; ret=$?
> +@@ -4122,7 +4122,7 @@ pti_performance_check()
> + fi
> + fi
> +
> +- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo"
> | grep -qw invpcid; then
> ++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags
> "$procfs/cpuinfo" | @grep@ -qw invpcid; then
> + cpu_invpcid=1
> + else
> + read_cpuid 0x7 0x0 $EBX 10 1 1; ret=$?
> +@@ -4147,7 +4147,7 @@ check_CVE_2017_5754()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2017_5754_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2017_5754_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -4169,7 +4169,7 @@ check_CVE_2017_5754_linux()
> + kpti_can_tell=0
> + if [ -n "$opt_config" ]; then
> + kpti_can_tell=1
> +- kpti_support=$(grep -w -e
> CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e
> CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
> ++ kpti_support=$(@grep@ -w -e
> CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e
> CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
> + if [ -n "$kpti_support" ]; then
> + _debug "kpti_support: found option
> '$kpti_support' in $opt_config"
> + fi
> +@@ -4179,7 +4179,7 @@ check_CVE_2017_5754_linux()
> + # so we try to find an exported symbol that
> is part of the PTI patch in System.map
> + # parse_kpti: arm
> + kpti_can_tell=1
> +- kpti_support=$(grep -w -e kpti_force_enabled
> -e parse_kpti "$opt_map")
> ++ kpti_support=$(@grep@ -w -e
> kpti_force_enabled -e parse_kpti "$opt_map")
> + if [ -n "$kpti_support" ]; then
> + _debug "kpti_support: found
> '$kpti_support' in $opt_map"
> + fi
> +@@ -4189,10 +4189,10 @@ check_CVE_2017_5754_linux()
> + # nopti option that is part of the patch
> (kernel command line option)
> + # 'kpti=': arm
> + kpti_can_tell=1
> +- if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++ if ! command -v "@strings@" >/dev/null 2>&1;
> then
> + pstatus yellow UNKNOWN "missing
> '${opt_arch_prefix}strings' tool, please install it, usually it's in
> the binutils package"
> + else
> +-
> kpti_support=$("${opt_arch_prefix}strin
> gs" "$kernel" | grep -w -e nopti -e kpti=)
> ++ kpti_support=$("@strings@" "$kernel"
> | @grep@ -w -e nopti -e kpti=)
> + if [ -n "$kpti_support" ]; then
> + _debug "kpti_support: found
> '$kpti_support' in $kernel"
> + fi
> +@@ -4219,20 +4219,20 @@ check_CVE_2017_5754_linux()
> + dmesg_grep="$dmesg_grep|x86/pti: Unmapping
> kernel while in userspace"
> + # aarch64
> + dmesg_grep="$dmesg_grep|CPU features:
> detected( feature)?: Kernel page table isolation \(KPTI\)"
> +- if grep ^flags "$procfs/cpuinfo" | grep -qw
> pti; then
> ++ if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -
> qw pti; then
> + # vanilla PTI patch sets the 'pti'
> flag in cpuinfo
> + _debug "kpti_enabled: found 'pti'
> flag in $procfs/cpuinfo"
> + kpti_enabled=1
> +- elif grep ^flags "$procfs/cpuinfo" | grep -qw
> kaiser; then
> ++ elif @grep@ ^flags "$procfs/cpuinfo" | @grep@
> -qw kaiser; then
> + # kernel line 4.9 sets the 'kaiser'
> flag in cpuinfo
> + _debug "kpti_enabled: found 'kaiser'
> flag in $procfs/cpuinfo"
> + kpti_enabled=1
> + elif [ -e /sys/kernel/debug/x86/pti_enabled
> ]; then
> + # Red Hat Backport creates a
> dedicated file, see https://access.redhat.com/articles/3311301
> +- kpti_enabled=$(cat
> /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
> ++ kpti_enabled=$(@cat@
> /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
> + _debug "kpti_enabled: file
> /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled"
> + elif is_xen_dom0; then
> +- pti_xen_pv_domU=$(xl dmesg | grep
> 'XPTI' | grep 'DomU enabled' | head -1)
> ++ pti_xen_pv_domU=$(xl @dmesg@ | @grep@
> 'XPTI' | @grep@ 'DomU enabled' | @head@ -1)
> +
> + [ -n "$pti_xen_pv_domU" ] &&
> kpti_enabled=1
> + fi
> +@@ -4307,7 +4307,7 @@ check_CVE_2017_5754_linux()
> + if [ -n "$kpti_support" ]; then
> + if [ -e
> "/sys/kernel/debug/x86/pti_enabled" ]; then
> + explain "Your kernel
> supports PTI but it's disabled, you can enable it with \`echo 1 >
> /sys/kernel/debug/x86/pti_enabled\`"
> +- elif echo "$kernel_cmdline" |
> grep -q -w -e nopti -e pti=off; then
> ++ elif echo "$kernel_cmdline" |
> @grep@ -q -w -e nopti -e pti=off; then
> + explain "Your kernel
> supports PTI but it has been disabled on command-line, remove the
> nopti or pti=off option from your bootloader configuration"
> + else
> + explain "Your kernel
> supports PTI but it has been disabled, check \`dmesg\` right after
> boot to find clues why the system disabled it"
> +@@ -4358,7 +4358,7 @@ check_CVE_2017_5754_linux()
> + check_CVE_2017_5754_bsd()
> + {
> + _info_nol "* Kernel supports Page Table Isolation (PTI): "
> +- kpti_enabled=$(sysctl -n vm.pmap.pti 2>/dev/null)
> ++ kpti_enabled=$(@sysctl@ -n vm.pmap.pti 2>/dev/null)
> + if [ -z "$kpti_enabled" ]; then
> + pstatus yellow NO
> + else
> +@@ -4429,7 +4429,7 @@ check_CVE_2018_3639()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2018_3639_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2018_3639_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -4448,33 +4448,33 @@ check_CVE_2018_3639_linux()
> + if [ "$opt_sysfs_only" != 1 ]; then
> + _info_nol "* Kernel supports disabling speculative
> store bypass (SSB): "
> + if [ "$opt_live" = 1 ]; then
> +- if grep -Eq 'Speculation.?Store.?Bypass:'
> "$procfs/self/status" 2>/dev/null; then
> ++ if @grep@ -Eq 'Speculation.?Store.?Bypass:'
> "$procfs/self/status" 2>/dev/null; then
> + kernel_ssb="found in
> $procfs/self/status"
> + _debug "found
> Speculation.Store.Bypass: in $procfs/self/status"
> + fi
> + fi
> + # arm64 kernels can have cpu_show_spec_store_bypass
> with ARM64_SSBD, so exclude them
> +- if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! grep
> -q 'arm64_sys_' "$kernel"; then
> +- kernel_ssb=$("${opt_arch_prefix}strings"
> "$kernel" | grep spec_store_bypass | head -n1);
> ++ if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && !
> @grep@ -q 'arm64_sys_' "$kernel"; then
> ++ kernel_ssb=$("@strings@" "$kernel" | @grep@
> spec_store_bypass | @head@ -n1);
> + [ -n "$kernel_ssb" ] && kernel_ssb="found
> $kernel_ssb in kernel"
> + fi
> + # arm64 kernels can have cpu_show_spec_store_bypass
> with ARM64_SSBD, so exclude them
> +- if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && !
> grep -q 'arm64_sys_' "$opt_map"; then
> +- kernel_ssb=$(grep spec_store_bypass
> "$opt_map" | awk '{print $3}' | head -n1)
> ++ if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && !
> @grep@ -q 'arm64_sys_' "$opt_map"; then
> ++ kernel_ssb=$(@grep@ spec_store_bypass
> "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
> + [ -n "$kernel_ssb" ] && kernel_ssb="found
> $kernel_ssb in System.map"
> + fi
> + # arm64 only:
> + if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ]; then
> +- kernel_ssb=$(grep -w cpu_enable_ssbs
> "$opt_map" | awk '{print $3}' | head -n1)
> ++ kernel_ssb=$(@grep@ -w cpu_enable_ssbs
> "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
> + [ -n "$kernel_ssb" ] && kernel_ssb="found
> $kernel_ssb in System.map"
> + fi
> + if [ -z "$kernel_ssb" ] && [ -n "$opt_config" ]; then
> +- kernel_ssb=$(grep -w 'CONFIG_ARM64_SSBD=y'
> "$opt_config")
> ++ kernel_ssb=$(@grep@ -w 'CONFIG_ARM64_SSBD=y'
> "$opt_config")
> + [ -n "$kernel_ssb" ] &&
> kernel_ssb="CONFIG_ARM64_SSBD enabled in kconfig"
> + fi
> + if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then
> + # this string only appears in kernel if
> CONFIG_ARM64_SSBD is set
> +- kernel_ssb=$(grep -w "Speculative Store
> Bypassing Safe (SSBS)" "$kernel")
> ++ kernel_ssb=$(@grep@ -w "Speculative Store
> Bypassing Safe (SSBS)" "$kernel")
> + [ -n "$kernel_ssb" ] && kernel_ssb="found
> 'Speculative Store Bypassing Safe (SSBS)' in kernel"
> + fi
> + # /arm64 only
> +@@ -4489,31 +4489,31 @@ check_CVE_2018_3639_linux()
> + if [ "$opt_live" = 1 ]; then
> + #
> https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340
> + _info_nol "* SSB mitigation is enabled and
> active: "
> +- if grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status"
> 2>/dev/null; then
> ++ if @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status"
> 2>/dev/null; then
> + kernel_ssbd_enabled=1
> + pstatus green YES "per-thread through
> prctl"
> +- elif grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated'
> "$procfs/self/status" 2>/dev/null; then
> ++ elif @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated'
> "$procfs/self/status" 2>/dev/null; then
> + kernel_ssbd_enabled=2
> + pstatus green YES "global"
> +- elif grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable'
> "$procfs/self/status" 2>/dev/null; then
> ++ elif @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable'
> "$procfs/self/status" 2>/dev/null; then
> + kernel_ssbd_enabled=0
> + pstatus yellow NO
> +- elif grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable'
> "$procfs/self/status" 2>/dev/null; then
> ++ elif @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable'
> "$procfs/self/status" 2>/dev/null; then
> + kernel_ssbd_enabled=-2
> + pstatus blue NO "not vulnerable"
> +- elif grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+unknown'
> "$procfs/self/status" 2>/dev/null; then
> ++ elif @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+unknown'
> "$procfs/self/status" 2>/dev/null; then
> + kernel_ssbd_enabled=0
> + pstatus blue NO
> + else
> +- pstatus blue UNKNOWN "unknown value:
> $(grep -E 'Speculation.?Store.?Bypass:' "$procfs/self/status"
> 2>/dev/null | cut -d: -f2-)"
> ++ pstatus blue UNKNOWN "unknown value:
> $(@grep@ -E 'Speculation.?Store.?Bypass:' "$procfs/self/status"
> 2>/dev/null | @cut@ -d: -f2-)"
> + fi
> +
> + if [ "$kernel_ssbd_enabled" = 1 ]; then
> + _info_nol "* SSB mitigation currently
> active for selected processes: "
> + # silence grep's stderr here to avoid
> ENOENT errors from processes that have exited since the shell's
> expansion of the *
> +- mitigated_processes=$(find /proc -
> mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
> +- | xargs -r0 grep -El
> 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated'
> 2>/dev/null \
> +- | sed s/status/exe/ | xargs -
> r -n1 readlink -f 2>/dev/null | xargs -r -n1 basename | sort -u | tr
> "\n" " " | sed 's/ $//')
> ++ mitigated_processes=$(@find@ /proc -
> mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
> ++ | @xargs@ -r0 @grep@ -El
> 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated'
> 2>/dev/null \
> ++ | @sed@ s/status/exe/ |
> @xargs@ -r -n1 readlink -f 2>/dev/null | @xargs@ -r -n1 @basename@ |
> @sort@ -u | @tr@ "\n" " " | @sed@ 's/ $//')
> + if [ -n "$mitigated_processes" ];
> then
> + pstatus green YES
> "$mitigated_processes"
> + else
> +@@ -4565,7 +4565,7 @@ check_CVE_2018_3639_linux()
> + check_CVE_2018_3639_bsd()
> + {
> + _info_nol "* Kernel supports speculation store bypass: "
> +- if sysctl hw.spec_store_bypass_disable >/dev/null 2>&1; then
> ++ if @sysctl@ hw.spec_store_bypass_disable >/dev/null 2>&1;
> then
> + kernel_ssb=1
> + pstatus green YES
> + else
> +@@ -4574,7 +4574,7 @@ check_CVE_2018_3639_bsd()
> + fi
> +
> + _info_nol "* Speculation store bypass is administratively
> enabled: "
> +- ssb_enabled=$(sysctl -n hw.spec_store_bypass_disable
> 2>/dev/null)
> ++ ssb_enabled=$(@sysctl@ -n hw.spec_store_bypass_disable
> 2>/dev/null)
> + _debug "hw.spec_store_bypass_disable=$ssb_enabled"
> + case "$ssb_enabled" in
> + 0) pstatus yellow NO "disabled";;
> +@@ -4584,7 +4584,7 @@ check_CVE_2018_3639_bsd()
> + esac
> +
> + _info_nol "* Speculation store bypass is currently active: "
> +- ssb_active=$(sysctl -n hw.spec_store_bypass_disable_active
> 2>/dev/null)
> ++ ssb_active=$(@sysctl@ -n hw.spec_store_bypass_disable_active
> 2>/dev/null)
> + _debug "hw.spec_store_bypass_disable_active=$ssb_active"
> + case "$ssb_active" in
> + 1) pstatus green YES;;
> +@@ -4656,7 +4656,7 @@ check_CVE_2018_3620()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2018_3620_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2018_3620_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -4674,14 +4674,14 @@ check_CVE_2018_3620_linux()
> + fi
> + if [ "$opt_sysfs_only" != 1 ]; then
> + _info_nol "* Kernel supports PTE inversion: "
> +- if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++ if ! command -v "@strings@" >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing 'strings'
> tool, please install it"
> + pteinv_supported=-1
> + elif [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN "$kernel_err"
> + pteinv_supported=-1
> + else
> +- if "${opt_arch_prefix}strings" "$kernel" |
> grep -Fq 'PTE Inversion'; then
> ++ if "@strings@" "$kernel" | @grep@ -Fq 'PTE
> Inversion'; then
> + pstatus green YES "found in kernel
> image"
> + _debug "pteinv: found pte inversion
> evidence in kernel image"
> + pteinv_supported=1
> +@@ -4694,7 +4694,7 @@ check_CVE_2018_3620_linux()
> + _info_nol "* PTE inversion enabled and active: "
> + if [ "$opt_live" = 1 ]; then
> + if [ -n "$fullmsg" ]; then
> +- if echo "$fullmsg" | grep -q
> 'Mitigation: PTE Inversion'; then
> ++ if echo "$fullmsg" | @grep@ -q
> 'Mitigation: PTE Inversion'; then
> + pstatus green YES
> + pteinv_active=1
> + else
> +@@ -4742,7 +4742,7 @@ check_CVE_2018_3620_bsd()
> + else
> + _debug "vmm module already loaded"
> + fi
> +- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
> ++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
> + #
> https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
> + # this is very difficult to detect that the kernel
> reserved the 0 page, but this fix
> + # is part of the exact same patch than the other L1TF
> CVE, so we detect it
> +@@ -4772,7 +4772,7 @@ check_CVE_2018_3646()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2018_3646_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2018_3646_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -4798,7 +4798,7 @@ check_CVE_2018_3646_linux()
> + if [ "$opt_live" = 1 ]; then
> + if ! [ -r
> /sys/module/kvm_intel/parameters/ept ]; then
> + pstatus blue N/A "the kvm_intel
> module is not loaded"
> +- elif [ "$(cat
> /sys/module/kvm_intel/parameters/ept)" = N ]; then
> ++ elif [ "$(@cat@
> /sys/module/kvm_intel/parameters/ept)" = N ]; then
> + pstatus green YES
> + ept_disabled=1
> + else
> +@@ -4810,15 +4810,15 @@ check_CVE_2018_3646_linux()
> +
> + _info "* Mitigation 2"
> + _info_nol " * L1D flush is supported by kernel: "
> +- if [ "$opt_live" = 1 ] && grep -qw flush_l1d
> "$procfs/cpuinfo"; then
> ++ if [ "$opt_live" = 1 ] && @grep@ -qw flush_l1d
> "$procfs/cpuinfo"; then
> + l1d_kernel="found flush_l1d in
> $procfs/cpuinfo"
> + fi
> + if [ -z "$l1d_kernel" ]; then
> +- if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++ if ! command -v "@strings@" >/dev/null 2>&1;
> then
> + l1d_kernel_err="missing
> '${opt_arch_prefix}strings' tool, please install it, usually it's in
> the binutils package"
> + elif [ -n "$kernel_err" ]; then
> + l1d_kernel_err="$kernel_err"
> +- elif "${opt_arch_prefix}strings" "$kernel" |
> grep -qw flush_l1d; then
> ++ elif "@strings@" "$kernel" | @grep@ -qw
> flush_l1d; then
> + l1d_kernel='found flush_l1d in kernel
> image'
> + fi
> + fi
> +@@ -4839,20 +4839,20 @@ check_CVE_2018_3646_linux()
> + # $l1dstatus is one of
> (auto|vulnerable|conditional cache flushes|cache flushes|EPT
> disabled|flush not necessary)
> + # $smtstatus is one of
> (vulnerable|disabled)
> + # can also just be "Not affected"
> +- if echo "$fullmsg" | grep -Eq -e 'Not
> affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not
> necessary)'; then
> ++ if echo "$fullmsg" | @grep@ -Eq -e
> 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not
> necessary)'; then
> + l1d_mode=0
> + pstatus yellow NO
> +- elif echo "$fullmsg" | grep -Eq
> '(VMX:|L1D) conditional cache flushes'; then
> ++ elif echo "$fullmsg" | @grep@ -Eq
> '(VMX:|L1D) conditional cache flushes'; then
> + l1d_mode=1
> + pstatus green YES
> "conditional flushes"
> +- elif echo "$fullmsg" | grep -Eq
> '(VMX:|L1D) cache flushes'; then
> ++ elif echo "$fullmsg" | @grep@ -Eq
> '(VMX:|L1D) cache flushes'; then
> + l1d_mode=2
> + pstatus green YES
> "unconditional flushes"
> + else
> + if is_xen_dom0; then
> +- l1d_xen_hardware=$(xl
> dmesg | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -1)
> +-
> l1d_xen_hypervisor=$(xl
> dmesg | grep 'Xen settings:' | grep 'L1D_FLUSH' | head -1)
> +- l1d_xen_pv_domU=$(xl
> dmesg | grep 'PV L1TF shadowing:' | grep 'DomU enabled' | head -1)
> ++ l1d_xen_hardware=$(xl
> @dmesg@ | @grep@ 'Hardware features:' | @grep@ 'L1D_FLUSH' | @head@ -
> 1)
> ++ l1d_xen_hypervisor=$(
> xl @dmesg@ | @grep@ 'Xen settings:' | @grep@ 'L1D_FLUSH' | @head@ -1)
> ++ l1d_xen_pv_domU=$(xl
> @dmesg@ | @grep@ 'PV L1TF shadowing:' | @grep@ 'DomU enabled' |
> @head@ -1)
> +
> + if [ -n
> "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n
> "$l1d_xen_pv_domU" ]; then
> + l1d_mode=5
> +@@ -4883,7 +4883,7 @@ check_CVE_2018_3646_linux()
> +
> + _info_nol " * Hardware-backed L1D flush supported: "
> + if [ "$opt_live" = 1 ]; then
> +- if grep -qw flush_l1d "$procfs/cpuinfo" || [
> -n "$l1d_xen_hardware" ]; then
> ++ if @grep@ -qw flush_l1d "$procfs/cpuinfo" ||
> [ -n "$l1d_xen_hardware" ]; then
> + pstatus green YES "performance impact
> of the mitigation will be greatly reduced"
> + else
> + pstatus blue NO "flush will be done
> in software, this is slower"
> +@@ -4955,7 +4955,7 @@ check_CVE_2018_3646_linux()
> + check_CVE_2018_3646_bsd()
> + {
> + _info_nol "* Kernel supports L1D flushing: "
> +- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
> ++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
> + pstatus green YES
> + kernel_l1d_supported=1
> + else
> +@@ -4964,7 +4964,7 @@ check_CVE_2018_3646_bsd()
> + fi
> +
> + _info_nol "* L1D flushing is enabled: "
> +- kernel_l1d_enabled=$(sysctl -n hw.vmm.vmx.l1d_flush
> 2>/dev/null)
> ++ kernel_l1d_enabled=$(@sysctl@ -n hw.vmm.vmx.l1d_flush
> 2>/dev/null)
> + case "$kernel_l1d_enabled" in
> + 0) pstatus yellow NO;;
> + 1) pstatus green YES;;
> +@@ -5018,7 +5018,7 @@ check_CVE_2018_12127()
> + ###################
> + # MDSUM SECTION
> +
> +-# Microarchitectural Data Sampling Uncacheable Memory
> ++# Microarchitectural Data Sampling Uncacheable Memory
> + check_CVE_2019_11091()
> + {
> + cve='CVE-2019-11091'
> +@@ -5032,7 +5032,7 @@ check_mds()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_mds_linux "$cve"
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_mds_bsd "$cve"
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -5043,7 +5043,7 @@ check_mds_bsd()
> + {
> + _info_nol "* Kernel supports using MD_CLEAR mitigation: "
> + if [ "$opt_live" = 1 ]; then
> +- if sysctl hw.mds_disable >/dev/null 2>&1; then
> ++ if @sysctl@ hw.mds_disable >/dev/null 2>&1; then
> + pstatus green YES
> + kernel_md_clear=1
> + else
> +@@ -5051,7 +5051,7 @@ check_mds_bsd()
> + kernel_md_clear=0
> + fi
> + else
> +- if grep -Fq hw.mds_disable $opt_kernel; then
> ++ if @grep@ -Fq hw.mds_disable $opt_kernel; then
> + pstatus green YES
> + kernel_md_clear=1
> + else
> +@@ -5061,8 +5061,8 @@ check_mds_bsd()
> + fi
> +
> + _info_nol "* CPU Hyper-Threading (SMT) is disabled: "
> +- if sysctl machdep.hyperthreading_allowed >/dev/null 2>&1;
> then
> +- kernel_smt_allowed=$(sysctl -n
> machdep.hyperthreading_allowed 2>/dev/null)
> ++ if @sysctl@ machdep.hyperthreading_allowed >/dev/null 2>&1;
> then
> ++ kernel_smt_allowed=$(@sysctl@ -n
> machdep.hyperthreading_allowed 2>/dev/null)
> + if [ "$kernel_smt_allowed" = 1 ]; then
> + pstatus yellow NO
> + else
> +@@ -5074,7 +5074,7 @@ check_mds_bsd()
> +
> + _info_nol "* Kernel mitigation is enabled: "
> + if [ "$kernel_md_clear" = 1 ]; then
> +- kernel_mds_enabled=$(sysctl -n hw.mds_disable
> 2>/dev/null)
> ++ kernel_mds_enabled=$(@sysctl@ -n hw.mds_disable
> 2>/dev/null)
> + else
> + kernel_mds_enabled=0
> + fi
> +@@ -5088,7 +5088,7 @@ check_mds_bsd()
> +
> + _info_nol "* Kernel mitigation is active: "
> + if [ "$kernel_md_clear" = 1 ]; then
> +- kernel_mds_state=$(sysctl -n hw.mds_disable_state
> 2>/dev/null)
> ++ kernel_mds_state=$(@sysctl@ -n hw.mds_disable_state
> 2>/dev/null)
> + else
> + kernel_mds_state=inactive
> + fi
> +@@ -5146,16 +5146,16 @@ check_mds_linux()
> + _info_nol "* Kernel supports using MD_CLEAR
> mitigation: "
> + kernel_md_clear=''
> + kernel_md_clear_can_tell=1
> +- if [ "$opt_live" = 1 ] && grep ^flags
> "$procfs/cpuinfo" | grep -qw md_clear; then
> ++ if [ "$opt_live" = 1 ] && @grep@ ^flags
> "$procfs/cpuinfo" | @grep@ -qw md_clear; then
> + kernel_md_clear="md_clear found in
> $procfs/cpuinfo"
> + pstatus green YES "$kernel_md_clear"
> + fi
> + if [ -z "$kernel_md_clear" ]; then
> +- if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++ if ! command -v "@strings@" >/dev/null 2>&1;
> then
> + kernel_md_clear_can_tell=0
> + elif [ -n "$kernel_err" ]; then
> + kernel_md_clear_can_tell=0
> +- elif "${opt_arch_prefix}strings" "$kernel" |
> grep -q 'Clear CPU buffers'; then
> ++ elif "@strings@" "$kernel" | @grep@ -q 'Clear
> CPU buffers'; then
> + _debug "md_clear: found 'Clear CPU
> buffers' string in kernel image"
> + kernel_md_clear='found md_clear
> implementation evidence in kernel image'
> + pstatus green YES "$kernel_md_clear"
> +@@ -5171,7 +5171,7 @@ check_mds_linux()
> +
> + if [ "$opt_live" = 1 ] && [
> "$sys_interface_available" = 1 ]; then
> + _info_nol "* Kernel mitigation is enabled and
> active: "
> +- if echo "$fullmsg" | grep -qi ^mitigation;
> then
> ++ if echo "$fullmsg" | @grep@ -qi ^mitigation;
> then
> + mds_mitigated=1
> + pstatus green YES
> + else
> +@@ -5179,7 +5179,7 @@ check_mds_linux()
> + pstatus yellow NO
> + fi
> + _info_nol "* SMT is either mitigated or
> disabled: "
> +- if echo "$fullmsg" | grep -Eq 'SMT
> (disabled|mitigated)'; then
> ++ if echo "$fullmsg" | @grep@ -Eq 'SMT
> (disabled|mitigated)'; then
> + mds_smt_mitigated=1
> + pstatus green YES
> + else
> +@@ -5265,7 +5265,7 @@ check_CVE_2019_11135()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2019_11135_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2019_11135_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -5286,7 +5286,7 @@ check_CVE_2019_11135_linux()
> + kernel_taa=''
> + if [ -n "$kernel_err" ]; then
> + kernel_taa_err="$kernel_err"
> +- elif grep -q 'tsx_async_abort' "$kernel"; then
> ++ elif @grep@ -q 'tsx_async_abort' "$kernel"; then
> + kernel_taa="found tsx_async_abort in kernel
> image"
> + fi
> + if [ -n "$kernel_taa" ]; then
> +@@ -5300,7 +5300,7 @@ check_CVE_2019_11135_linux()
> + _info_nol "* TAA mitigation enabled and active: "
> + if [ "$opt_live" = 1 ]; then
> + if [ -n "$fullmsg" ]; then
> +- if echo "$fullmsg" | grep -qE
> '^Mitigation'; then
> ++ if echo "$fullmsg" | @grep@ -qE
> '^Mitigation'; then
> + pstatus green YES "$fullmsg"
> + else
> + pstatus yellow NO
> +@@ -5335,9 +5335,9 @@ check_CVE_2019_11135_linux()
> + else
> + if [ "$opt_paranoid" = 1 ]; then
> + # in paranoid mode, TSX or SMT enabled are
> not OK, even if TAA is mitigated
> +- if ! echo "$fullmsg" | grep -qF 'TSX
> disabled'; then
> ++ if ! echo "$fullmsg" | @grep@ -qF 'TSX
> disabled'; then
> + pvulnstatus $cve VULN "TSX must be
> disabled for full mitigation"
> +- elif echo "$fullmsg" | grep -qF 'SMT
> vulnerable'; then
> ++ elif echo "$fullmsg" | @grep@ -qF 'SMT
> vulnerable'; then
> + pvulnstatus $cve VULN "SMT
> (HyperThreading) must be disabled for full mitigation"
> + else
> + pvulnstatus $cve "$status" "$msg"
> +@@ -5367,7 +5367,7 @@ check_CVE_2018_12207()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2018_12207_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2018_12207_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -5391,7 +5391,7 @@ check_CVE_2018_12207_linux()
> + if [ -n "$kernel_err" ]; then
> + kernel_itlbmh_err="$kernel_err"
> + # commit 5219505fcbb640e273a0d51c19c38de0100ec5a9
> +- elif grep -q 'itlb_multihit' "$kernel"; then
> ++ elif @grep@ -q 'itlb_multihit' "$kernel"; then
> + kernel_itlbmh="found itlb_multihit in kernel
> image"
> + fi
> + if [ -n "$kernel_itlbmh" ]; then
> +@@ -5405,7 +5405,7 @@ check_CVE_2018_12207_linux()
> + _info_nol "* iTLB Multihit mitigation enabled and
> active: "
> + if [ "$opt_live" = 1 ]; then
> + if [ -n "$fullmsg" ]; then
> +- if echo "$fullmsg" | grep -qF
> 'Mitigation'; then
> ++ if echo "$fullmsg" | @grep@ -qF
> 'Mitigation'; then
> + pstatus green YES "$fullmsg"
> + else
> + pstatus yellow NO
> +@@ -5447,7 +5447,7 @@ check_CVE_2018_12207_linux()
> + check_CVE_2018_12207_bsd()
> + {
> + _info_nol "* Kernel supports disabling superpages for
> executable mappings under EPT: "
> +- kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept
> 2>/dev/null)
> ++ kernel_2m_x_ept=$(@sysctl@ -n vm.pmap.allow_2m_x_ept
> 2>/dev/null)
> + if [ -z "$kernel_2m_x_ept" ]; then
> + pstatus yellow NO
> + else
> +@@ -5484,7 +5484,7 @@ check_CVE_2020_0543()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2020_0543_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2020_0543_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -5505,7 +5505,7 @@ check_CVE_2020_0543_linux()
> + kernel_srbds=''
> + if [ -n "$kernel_err" ]; then
> + kernel_srbds_err="$kernel_err"
> +- elif grep -q 'Dependent on hypervisor' "$kernel";
> then
> ++ elif @grep@ -q 'Dependent on hypervisor' "$kernel";
> then
> + kernel_srbds="found SRBDS implementation
> evidence in kernel image. Your kernel is up to date for SRBDS
> mitigation"
> + fi
> + if [ -n "$kernel_srbds" ]; then
> +@@ -5518,7 +5518,7 @@ check_CVE_2020_0543_linux()
> + _info_nol "* SRBDS mitigation control is enabled and
> active: "
> + if [ "$opt_live" = 1 ]; then
> + if [ -n "$fullmsg" ]; then
> +- if echo "$fullmsg" | grep -qE
> '^Mitigation'; then
> ++ if echo "$fullmsg" | @grep@ -qE
> '^Mitigation'; then
> + pstatus green YES "$fullmsg"
> + else
> + pstatus yellow NO
> +@@ -5608,8 +5608,8 @@ fi
> + # now run the checks the user asked for
> + for cve in $supported_cve_list
> + do
> +- if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | grep -qw
> "$cve"; then
> +- check_"$(echo "$cve" | tr - _)"
> ++ if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | @grep@ -
> qw "$cve"; then
> ++ check_"$(echo "$cve" | @tr@ - _)"
> + _info
> + fi
> + done
> +@@ -5623,17 +5623,17 @@ if [ "$bad_accuracy" = 1 ]; then
> + _warn "We're missing some kernel info (see -v), accuracy
> might be reduced"
> + fi
> +
> +-_vars=$(set | grep -Ev '^[A-Z_[:space:]]' | grep -v -F 'mockme=' |
> sort | tr "\n" '|')
> ++_vars=$(set | @grep@ -Ev '^[A-Z_[:space:]]' | @grep@ -v -F
> 'mockme=' | @sort@ | @tr@ "\n" '|')
> + _debug "variables at end of script: $_vars"
> +
> + if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
> +- if command -v "gzip" >/dev/null 2>&1; then
> ++ if command -v "@gzip@" >/dev/null 2>&1; then
> + # not a useless use of cat: gzipping cpuinfo directly
> doesn't work well
> + # shellcheck disable=SC2002
> +- if command -v "base64" >/dev/null 2>&1; then
> +- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c |
> base64 -w0)"
> +- elif command -v "uuencode" >/dev/null 2>&1; then
> +- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c |
> uuencode -m - | grep -Fv 'begin-base64' | grep -Fxv -- '====' | tr -d
> "\n")"
> ++ if command -v "@base64@" >/dev/null 2>&1; then
> ++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@
> -c | @base64@ -w0)"
> ++ elif command -v "@uuencode@" >/dev/null 2>&1; then
> ++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@
> -c | @uuencode@ -m - | @grep@ -Fv 'begin-base64' | @grep@ -Fxv --
> '====' | @tr@ -d "\n")"
> + fi
> + fi
> + if [ -n "$mock_cpuinfo" ]; then
> +@@ -5642,7 +5642,7 @@ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ];
> then
> + fi
> + _info ""
> + # shellcheck disable=SC2046
> +- _warn "To mock this CPU, set those vars: "$(echo "$mockme" |
> sort -u)
> ++ _warn "To mock this CPU, set those vars: "$(echo "$mockme" |
> @sort@ -u)
> + fi
> +
> + if [ "$opt_explain" = 0 ]; then
> +--
> +2.38.1
> +
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-
> guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-
> checker-support-guix-system-kernel.patch
> new file mode 100644
> index 0000000000..afec52b418
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-
> system-kernel.patch
> @@ -0,0 +1,26 @@
> +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Sat, 5 Nov 2022 23:22:31 +0800
> +Subject: [PATCH] Add support for Guix System kernel.
> +
> +---
> + spectre-meltdown-checker.sh | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 248a444..855a090 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
> + [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> + # NixOS:
> + [ -e "/run/booted-system/kernel" ] &&
> opt_kernel="/run/booted-system/kernel"
> ++ # Guix System:
> ++ [ -e "/run/booted-system/kernel/bzImage" ] &&
> opt_kernel="/run/booted-system/kernel/bzImage"
> + # systemd kernel-install:
> + [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux"
> + # Clear Linux:
> +
> +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
> +--
> +2.38.0
>
> base-commit: 2757de2e2b271d87f6f72ba4161c2225fbdc9e78
> --
> 2.38.1
Cheers
next prev parent reply other threads:[~2022-11-12 16:59 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-05 15:57 [bug#59053] [PATCH] gnu: Add spectre-meltdown-checker Hilton Chain via Guix-patches via
2022-11-05 16:45 ` Liliana Marie Prikler
2022-11-11 11:10 ` [bug#59053] [PATCH v2] " Hilton Chain via Guix-patches via
2022-11-11 15:13 ` Liliana Marie Prikler
2022-11-12 12:14 ` [bug#59053] [PATCH v3] " Hilton Chain via Guix-patches via
2022-11-12 12:28 ` Liliana Marie Prikler
2022-11-12 12:50 ` Hilton Chain via Guix-patches via
2022-11-12 13:40 ` Liliana Marie Prikler
2022-11-12 15:15 ` [bug#59053] [PATCH v4] " Hilton Chain via Guix-patches via
2022-11-12 16:58 ` Liliana Marie Prikler [this message]
2022-11-13 13:09 ` [bug#59053] [PATCH v5] " Hilton Chain via Guix-patches via
2022-11-13 22:02 ` bug#59053: " Liliana Marie Prikler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3e3c90ad73311a445a3b06c7c8afb42dcf0af1b1.camel@gmail.com \
--to=liliana.prikler@gmail.com \
--cc=59053@debbugs.gnu.org \
--cc=hako@ultrarare.space \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).