From 1d79c223d5dc114f63da2c5061d2c713d8a05687 Mon Sep 17 00:00:00 2001
From: Hilton Chain <hako@ultrarare.space>
Date: Fri, 11 Nov 2022 18:49:50 +0800
Subject: [PATCH 2/2] Stage commands for later substitution.

awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find, grep,
gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm, nproc,
objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat, strings,
sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, xargs.
---
 spectre-meltdown-checker.sh | 606 ++++++++++++++++++------------------
 1 file changed, 303 insertions(+), 303 deletions(-)

diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index ce46970..4889ebb 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -19,31 +19,31 @@ trap '_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT
 exit_cleanup()
 {
 	# cleanup the temp decompressed config & kernel image
-	[ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
-	[ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && rm -f "$kerneltmp"
-	[ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] && rm -f "$kerneltmp2"
-	[ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
-	[ "${mounted_procfs:-}"  = 1 ] && umount "$procfs" 2>/dev/null
-	[ "${insmod_cpuid:-}"    = 1 ] && rmmod cpuid 2>/dev/null
-	[ "${insmod_msr:-}"      = 1 ] && rmmod msr 2>/dev/null
+	[ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && @rm@ -f "$dumped_config"
+	[ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && @rm@ -f "$kerneltmp"
+	[ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] && @rm@ -f "$kerneltmp2"
+	[ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug 2>/dev/null
+	[ "${mounted_procfs:-}"  = 1 ] && @umount@ "$procfs" 2>/dev/null
+	[ "${insmod_cpuid:-}"    = 1 ] && @rmmod@ cpuid 2>/dev/null
+	[ "${insmod_msr:-}"      = 1 ] && @rmmod@ msr 2>/dev/null
 	[ "${kldload_cpuctl:-}"  = 1 ] && kldunload cpuctl 2>/dev/null
 	[ "${kldload_vmm:-}"     = 1 ] && kldunload vmm    2>/dev/null
 }

 # if we were git clone'd, adjust VERSION
-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then
-	describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null)
-	[ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e s/^v//)
+if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null 2>&1; then
+	describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty 2>/dev/null)
+	[ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e s/^v//)
 fi

 show_usage()
 {
 	# shellcheck disable=SC2086
-	cat <<EOF
+	@cat@ <<EOF
 	Usage:
-		Live mode (auto):   $(basename $0) [options]
-		Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
-		Offline mode:       $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
+		Live mode (auto):   $(@basename@ $0) [options]
+		Live mode (manual): $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
+		Offline mode:       $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>

 	Modes:
 		Two modes are available.
@@ -106,7 +106,7 @@ EOF

 show_disclaimer()
 {
-	cat <<EOF
+	@cat@ <<EOF
 Disclaimer:

 This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the
@@ -134,7 +134,7 @@ This tool has been released in the hope that it'll be useful, but don't use it t
 EOF
 }

-os=$(uname -s)
+os=$(@uname@ -s)

 # parse options
 opt_kernel=''
@@ -203,7 +203,7 @@ __echo()
 			_interpret_chars='-e'
 		fi
 		_ctrlchar=$($echo_cmd $_interpret_chars "\033")
-		_msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
+		_msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
 	fi
 	if [ "$echo_cmd_type" = printf ]; then
 		if [ "$opt" = "-n" ]; then
@@ -379,7 +379,7 @@ is_cpu_affected()
 		# https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not affected
 		# https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown affected
 		# model name : Pentium(R) Dual-Core  CPU      E5200  @ 2.50GHz
-		if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
+		if echo "$cpu_friendly_name" | @grep@ -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
 			variant1=vuln
 			[ -z "$variant2" ] && variant2=immune
 			variant3=vuln
@@ -482,7 +482,7 @@ is_cpu_affected()
 			i=$(( i + 1 ))
 			# do NOT quote $cpu_arch_list below
 			# shellcheck disable=SC2086
-			cpuarch=$(echo $cpu_arch_list | awk '{ print $'$i' }')
+			cpuarch=$(echo $cpu_arch_list | @awk@ '{ print $'$i' }')
 			_debug "checking cpu$i: <$cpupart> <$cpuarch>"
 			# some kernels report AArch64 instead of 8
 			[ "$cpuarch" = "AArch64" ] && cpuarch=8
@@ -493,49 +493,49 @@ is_cpu_affected()
 				# part   ?  ? c08 c09 c0d c0f c0e d07 d08 d09 d0a d0b d0c         d0d
 				# arch  7? 7? 7   7   7   7   7   8   8   8   8   8   8           8
 				#
-				# Whitelist identified non-affected processors, use vulnerability information from
+				# Whitelist identified non-affected processors, use vulnerability information from
 				# https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
 				# Partnumbers can be found here:
 				# https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in
 				#
 				# Maintain cumulative check of vulnerabilities -
 				# if at least one of the cpu is affected, then the system is affected
-				if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
+				if [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
 					variant1=vuln
 					variant2=vuln
 					[ -z "$variant3" ] && variant3=immune
 					[ -z "$variant3a" ] && variant3a=immune
 					[ -z "$variant4" ] && variant4=immune
 					_debug "checking cpu$i: armv7 A8/A9/A12/A17 non affected to variants 3, 3a & 4"
-				elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc0f; then
+				elif [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc0f; then
 					variant1=vuln
 					variant2=vuln
 					[ -z "$variant3" ] && variant3=immune
 					variant3a=vuln
 					[ -z "$variant4" ] && variant4=immune
 					_debug "checking cpu$i: armv7 A15 non affected to variants 3 & 4"
-				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then
+				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd07 -e 0xd08; then
 					variant1=vuln
 					variant2=vuln
 					[ -z "$variant3" ] && variant3=immune
 					variant3a=vuln
 					variant4=vuln
 					_debug "checking cpu$i: armv8 A57/A72 non affected to variants 3"
-				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd09; then
+				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd09; then
 					variant1=vuln
 					variant2=vuln
 					[ -z "$variant3" ] && variant3=immune
 					[ -z "$variant3a" ] && variant3a=immune
 					variant4=vuln
 					_debug "checking cpu$i: armv8 A73 non affected to variants 3 & 3a"
-				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0a; then
+				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0a; then
 					variant1=vuln
 					variant2=vuln
 					variant3=vuln
 					[ -z "$variant3a" ] && variant3a=immune
 					variant4=vuln
 					_debug "checking cpu$i: armv8 A75 non affected to variant 3a"
-				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
+				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
 					variant1=vuln
 					[ -z "$variant2" ] && variant2=immune
 					[ -z "$variant3" ] && variant3=immune
@@ -816,7 +816,7 @@ is_cpu_ssb_free()
 		if [ "$cpu_family" = "18" ] || \
 			[ "$cpu_family" = "17" ] || \
 			[ "$cpu_family" = "16" ] || \
-			[ "$cpu_family" = "15" ]; then
+			[ "$cpu_family" = "15" ]; then
 			return 0
 		fi
 	fi
@@ -910,7 +910,7 @@ while [ -n "${1:-}" ]; do
 	elif [ "$1" = "--cpu" ]; then
 		opt_cpu=$2
 		if [ "$opt_cpu" != all ]; then
-			if echo "$opt_cpu" | grep -Eq '^[0-9]+'; then
+			if echo "$opt_cpu" | @grep@ -Eq '^[0-9]+'; then
 				opt_cpu=$(( opt_cpu ))
 			else
 				echo "$0: error: --cpu should be an integer or 'all', got '$opt_cpu'" >&2
@@ -961,7 +961,7 @@ while [ -n "${1:-}" ]; do
 			echo "$0: error: option --cve expects a parameter, supported CVEs are: $supported_cve_list" >&2
 			exit 255
 		fi
-		selected_cve=$(echo "$supported_cve_list" | grep -iwo "$2")
+		selected_cve=$(echo "$supported_cve_list" | @grep@ -iwo "$2")
 		if [ -n "$selected_cve" ]; then
 			opt_cve_list="$opt_cve_list $selected_cve"
 			opt_cve_all=0
@@ -1166,14 +1166,14 @@ check_kernel()
 	# a damaged ELF file and validate it, check for stderr warnings too

 	# the warning "readelf: Warning: [16]: Link field (0) should index a symtab section./" can appear on valid kernels, ignore it
-	_readelf_warnings=$("${opt_arch_prefix}readelf" -S "$_file" 2>&1 >/dev/null | grep -v 'should index a symtab section' | tr "\n" "/"); ret=$?
-	_readelf_sections=$("${opt_arch_prefix}readelf" -S "$_file" 2>/dev/null | grep -c -e data -e text -e init)
-	_kernel_size=$(stat -c %s "$_file" 2>/dev/null || stat -f %z "$_file" 2>/dev/null || echo 10000)
+	_readelf_warnings=$("@readelf@" -S "$_file" 2>&1 >/dev/null | @grep@ -v 'should index a symtab section' | @tr@ "\n" "/"); ret=$?
+	_readelf_sections=$("@readelf@" -S "$_file" 2>/dev/null | @grep@ -c -e data -e text -e init)
+	_kernel_size=$(@stat@ -c %s "$_file" 2>/dev/null || @stat@ -f %z "$_file" 2>/dev/null || echo 10000)
 	_debug "check_kernel: ret=$? size=$_kernel_size sections=$_readelf_sections warnings=$_readelf_warnings"
 	if [ "$_mode" = desperate ]; then
-		if "${opt_arch_prefix}strings" "$_file" | grep -Eq '^Linux version '; then
+		if "@strings@" "$_file" | @grep@ -Eq '^Linux version '; then
 			_debug "check_kernel (desperate): ... matched!"
-			if [ "$_readelf_sections" = 0 ] && grep -qF -e armv6 -e armv7 "$_file"; then
+			if [ "$_readelf_sections" = 0 ] && @grep@ -qF -e armv6 -e armv7 "$_file"; then
 				_debug "check_kernel (desperate): raw arm binary found, adjusting objdump options"
 				objdump_options="-D -b binary -marm"
 			else
@@ -1206,7 +1206,7 @@ try_decompress()

 	# Try to find the header ($1) and decompress from here
 	_debug "try_decompress: looking for $3 magic in $6"
-	for     pos in $(tr "$1\n$2" "\n$2=" < "$6" | grep -abo "^$2")
+	for     pos in $(@tr@ "$1\n$2" "\n$2=" < "$6" | @grep@ -abo "^$2")
 	do
 		_debug "try_decompress: magic for $3 found at offset $pos"
 		if ! command -v "$3" >/dev/null 2>&1; then
@@ -1233,11 +1233,11 @@ try_decompress()
 			kernel="$kerneltmp"
 			_debug "try_decompress: decompressed with $3 successfully!"
 			return 0
-		elif [ "$3" != "cat" ]; then
+		elif [ "$3" != "@cat@" ]; then
 			_debug "try_decompress: decompression with $3 worked but result is not a kernel, trying with an offset"
-			[ -z "$kerneltmp2" ] && kerneltmp2=$(mktemp -t smc-kernel-XXXXXX)
-			cat "$kerneltmp" > "$kerneltmp2"
-			try_decompress '\177ELF' xxy 'cat' '' cat "$kerneltmp2" && return 0
+			[ -z "$kerneltmp2" ] && kerneltmp2=$(@mktemp@ -t smc-kernel-XXXXXX)
+			@cat@ "$kerneltmp" > "$kerneltmp2"
+			try_decompress '\177ELF' xxy '@cat@' '' cat "$kerneltmp2" && return 0
 		else
 			_debug "try_decompress: decompression with $3 worked but result is not a kernel"
 		fi
@@ -1249,12 +1249,12 @@ extract_kernel()
 {
 	[ -n "${1:-}" ] || return 1
 	# Prepare temp files:
-	kerneltmp="$(mktemp -t smc-kernel-XXXXXX)"
+	kerneltmp="$(@mktemp@ -t smc-kernel-XXXXXX)"

 	# Initial attempt for uncompressed images or objects:
 	if check_kernel "$1"; then
 		_debug "extract_kernel: found kernel is valid, no decompression needed"
-		cat "$1" > "$kerneltmp"
+		@cat@ "$1" > "$kerneltmp"
 		kernel=$kerneltmp
 		return 0
 	fi
@@ -1263,14 +1263,14 @@ extract_kernel()
 	for pass in 1 2; do
 		for mode in normal desperate; do
 			_debug "extract_kernel: pass $pass $mode mode"
-			try_decompress '\037\213\010'     xy    gunzip  ''      gunzip      "$1" "$mode" "$pass" && return 0
-			try_decompress '\002\041\114\030' xyy   'lz4'   '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
-			try_decompress '\3757zXZ\000'     abcde unxz    ''      xz-utils    "$1" "$mode" "$pass" && return 0
-			try_decompress 'BZh'              xy    bunzip2 ''      bzip2       "$1" "$mode" "$pass" && return 0
-			try_decompress '\135\0\0\0'       xxx   unlzma  ''      xz-utils    "$1" "$mode" "$pass" && return 0
-			try_decompress '\211\114\132'     xy    'lzop'  '-d'    lzop        "$1" "$mode" "$pass" && return 0
-			try_decompress '\177ELF'          xxy   'cat'   ''      cat         "$1" "$mode" "$pass" && return 0
-			try_decompress '(\265/\375'       xxy   unzstd  ''      zstd        "$1" "$mode" "$pass" && return 0
+			try_decompress '\037\213\010'     xy    @gunzip@  ''      gunzip      "$1" "$mode" "$pass" && return 0
+			try_decompress '\002\041\114\030' xyy   '@lz4@'   '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
+			try_decompress '\3757zXZ\000'     abcde @unxz@    ''      xz-utils    "$1" "$mode" "$pass" && return 0
+			try_decompress 'BZh'              xy    @bunzip2@ ''      bzip2       "$1" "$mode" "$pass" && return 0
+			try_decompress '\135\0\0\0'       xxx   @unlzma@  ''      xz-utils    "$1" "$mode" "$pass" && return 0
+			try_decompress '\211\114\132'     xy    '@lzop@'  '-d'    lzop        "$1" "$mode" "$pass" && return 0
+			try_decompress '\177ELF'          xxy   '@cat@'   ''      cat         "$1" "$mode" "$pass" && return 0
+			try_decompress '(\265/\375'       xxy   @unzstd@  ''      zstd        "$1" "$mode" "$pass" && return 0
 		done
 	done
 	# kernel_err might already have been populated by try_decompress() if we're missing one of the tools
@@ -1287,7 +1287,7 @@ mount_debugfs()
 {
 	if [ ! -e /sys/kernel/debug/sched_features ]; then
 		# try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
-		mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
+		@mount@ -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
 	fi
 }

@@ -1298,12 +1298,12 @@ load_msr()
 	load_msr_once=1

 	if [ "$os" = Linux ]; then
-		if ! grep -qw msr "$procfs/modules" 2>/dev/null; then
-			modprobe msr 2>/dev/null && insmod_msr=1
+		if ! @grep@ -qw msr "$procfs/modules" 2>/dev/null; then
+			@modprobe@ msr 2>/dev/null && insmod_msr=1
 			_debug "attempted to load module msr, insmod_msr=$insmod_msr"
 		else
 			_debug "msr module already loaded"
-		fi
+		fi
 	else
 		if ! kldstat -q -m cpuctl; then
 			kldload cpuctl 2>/dev/null && kldload_cpuctl=1
@@ -1321,12 +1321,12 @@ load_cpuid()
 	load_cpuid_once=1

 	if [ "$os" = Linux ]; then
-		if ! grep -qw cpuid "$procfs/modules" 2>/dev/null; then
-			modprobe cpuid 2>/dev/null && insmod_cpuid=1
+		if ! @grep@ -qw cpuid "$procfs/modules" 2>/dev/null; then
+			@modprobe@ cpuid 2>/dev/null && insmod_cpuid=1
 			_debug "attempted to load module cpuid, insmod_cpuid=$insmod_cpuid"
 		else
 			_debug "cpuid module already loaded"
-		fi
+		fi
 	else
 		if ! kldstat -q -m cpuctl; then
 			kldload cpuctl 2>/dev/null && kldload_cpuctl=1
@@ -1415,7 +1415,7 @@ read_cpuid_one_core()
 		fi
 		# on some kernel versions, /dev/cpu/0/cpuid doesn't imply that the cpuid module is loaded, in that case dd returns an error,
 		# we use that fact to load the module if dd returns an error
-		if ! dd if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then
+		if ! @dd@ if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then
 			load_cpuid
 		fi
 		# we need _leaf to be converted to decimal for dd
@@ -1426,14 +1426,14 @@ read_cpuid_one_core()
 		_ddskip=$(( _position / 16 ))
 		_odskip=$(( _position - _ddskip * 16 ))
 		# now read the value
-		_cpuid=$(dd if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | od -j $((_odskip * 16)) -A n -t u4)
+		_cpuid=$(@dd@ if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | @od@ -j $((_odskip * 16)) -A n -t u4)
 	elif [ -e /dev/cpuctl0 ]; then
 		# BSD
 		if [ ! -r /dev/cpuctl0 ]; then
 			read_cpuid_msg="Couldn't read cpuid info from cpuctl"
 			return $READ_CPUID_RET_ERR
 		fi
-		_cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | cut -d: -f2-)
+		_cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | @cut@ -d: -f2-)
 		# cpuid level 0x4, level_type 0x2: 0x1c004143 0x01c0003f 0x000001ff 0x00000000
 	else
 		read_cpuid_msg="Found no way to read cpuid info"
@@ -1456,7 +1456,7 @@ read_cpuid_one_core()
 	fi

 	# get the value of the register we want
-	_reg=$(echo "$_cpuid" | awk '{print $'"$_register"'}')
+	_reg=$(echo "$_cpuid" | @awk@ '{print $'"$_register"'}')
 	# Linux returns it as decimal, BSD as hex, normalize to decimal
 	_reg=$(( _reg ))
 	# shellcheck disable=SC2046
@@ -1484,11 +1484,11 @@ dmesg_grep()
 	# grep for something in dmesg, ensuring that the dmesg buffer
 	# has not been truncated
 	dmesg_grepped=''
-	if ! dmesg | grep -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then
+	if ! @dmesg@ | @grep@ -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then
 		# dmesg truncated
 		return 2
 	fi
-	dmesg_grepped=$(dmesg | grep -E "$1" | head -1)
+	dmesg_grepped=$(@dmesg@ | @grep@ -E "$1" | @head@ -1)
 	# not found:
 	[ -z "$dmesg_grepped" ] && return 1
 	# found, output is in $dmesg_grepped
@@ -1505,12 +1505,12 @@ parse_cpu_details()
 {
 	[ "${parse_cpu_details_done:-}" = 1 ] && return 0

-	if command -v nproc >/dev/null; then
-		number_of_cores=$(nproc)
-	elif echo "$os" | grep -q BSD; then
-		number_of_cores=$(sysctl -n hw.ncpu 2>/dev/null || echo 1)
+	if command -v @nproc@ >/dev/null; then
+		number_of_cores=$(@nproc@)
+	elif echo "$os" | @grep@ -q BSD; then
+		number_of_cores=$(@sysctl@ -n hw.ncpu 2>/dev/null || echo 1)
 	elif [ -e "$procfs/cpuinfo" ]; then
-		number_of_cores=$(grep -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1)
+		number_of_cores=$(@grep@ -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1)
 	else
 		# if we don't know, default to 1 CPU
 		number_of_cores=1
@@ -1518,43 +1518,43 @@ parse_cpu_details()
 	max_core_id=$(( number_of_cores - 1 ))

 	if [ -e "$procfs/cpuinfo" ]; then
-		cpu_vendor=$(  grep '^vendor_id'  "$procfs/cpuinfo" | awk '{print $3}' | head -1)
-		cpu_friendly_name=$(grep '^model name' "$procfs/cpuinfo" | cut -d: -f2- | head -1 | sed -e 's/^ *//')
+		cpu_vendor=$(  @grep@ '^vendor_id'  "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1)
+		cpu_friendly_name=$(@grep@ '^model name' "$procfs/cpuinfo" | @cut@ -d: -f2- | @head@ -1 | @sed@ -e 's/^ *//')
 		# special case for ARM follows
-		if grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
+		if @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
 			cpu_vendor='ARM'
 			# some devices (phones or other) have several ARMs and as such different part numbers,
 			# an example is "bigLITTLE", so we need to store the whole list, this is needed for is_cpu_affected
-			cpu_part_list=$(awk '/CPU part/         {print $4}' "$procfs/cpuinfo")
-			cpu_arch_list=$(awk '/CPU architecture/ {print $3}' "$procfs/cpuinfo")
+			cpu_part_list=$(@awk@ '/CPU part/         {print $4}' "$procfs/cpuinfo")
+			cpu_arch_list=$(@awk@ '/CPU architecture/ {print $3}' "$procfs/cpuinfo")
 			# take the first one to fill the friendly name, do NOT quote the vars below
 			# shellcheck disable=SC2086
-			cpu_arch=$(echo $cpu_arch_list | awk '{ print $1 }')
+			cpu_arch=$(echo $cpu_arch_list | @awk@ '{ print $1 }')
 			# shellcheck disable=SC2086
-			cpu_part=$(echo $cpu_part_list | awk '{ print $1 }')
+			cpu_part=$(echo $cpu_part_list | @awk@ '{ print $1 }')
 			[ "$cpu_arch" = "AArch64" ] && cpu_arch=8
 			cpu_friendly_name="ARM"
 			[ -n "$cpu_arch" ] && cpu_friendly_name="$cpu_friendly_name v$cpu_arch"
 			[ -n "$cpu_part" ] && cpu_friendly_name="$cpu_friendly_name model $cpu_part"

-		elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
+		elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
 			cpu_vendor='CAVIUM'
-		elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
+		elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
 			cpu_vendor='PHYTIUM'
 		fi

-		cpu_family=$(  grep '^cpu family' "$procfs/cpuinfo" | awk '{print $4}' | grep -E '^[0-9]+$' | head -1)
-		cpu_model=$(   grep '^model'      "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
-		cpu_stepping=$(grep '^stepping'   "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
-		cpu_ucode=$(   grep '^microcode'  "$procfs/cpuinfo" | awk '{print $3}' | head -1)
+		cpu_family=$(  @grep@ '^cpu family' "$procfs/cpuinfo" | @awk@ '{print $4}' | @grep@ -E '^[0-9]+$' | @head@ -1)
+		cpu_model=$(   @grep@ '^model'      "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
+		cpu_stepping=$(@grep@ '^stepping'   "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
+		cpu_ucode=$(   @grep@ '^microcode'  "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1)
 	else
-		cpu_vendor=$( dmesg | grep -i -m1 'Origin=' | cut -f2 -w | cut -f2 -d= | cut -f2 -d\" )
-		cpu_family=$( dmesg | grep -i -m1 'Family=' | cut -f4 -w | cut -f2 -d= )
+		cpu_vendor=$( @dmesg@ | @grep@ -i -m1 'Origin=' | @cut@ -f2 -w | @cut@ -f2 -d= | @cut@ -f2 -d\" )
+		cpu_family=$( @dmesg@ | @grep@ -i -m1 'Family=' | @cut@ -f4 -w | @cut@ -f2 -d= )
 		cpu_family=$(( cpu_family ))
-		cpu_model=$( dmesg | grep -i -m1 'Model=' | cut -f5 -w | cut -f2 -d= )
+		cpu_model=$( @dmesg@ | @grep@ -i -m1 'Model=' | @cut@ -f5 -w | @cut@ -f2 -d= )
 		cpu_model=$(( cpu_model ))
-		cpu_stepping=$( dmesg | grep -i -m1 'Stepping=' | cut -f6 -w | cut -f2 -d= )
-		cpu_friendly_name=$(sysctl -n hw.model 2>/dev/null)
+		cpu_stepping=$( @dmesg@ | @grep@ -i -m1 'Stepping=' | @cut@ -f6 -w | @cut@ -f2 -d= )
+		cpu_friendly_name=$(@sysctl@ -n hw.model 2>/dev/null)
 	fi

 	if [ -n "${SMC_MOCK_CPU_FRIENDLY_NAME:-}" ]; then
@@ -1609,7 +1609,7 @@ parse_cpu_details()
 			# call CPUID
 			cpucontrol -i 1 /dev/cpuctl0 >/dev/null
 			# read MSR
-			cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | awk '{print $3}')
+			cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | @awk@ '{print $3}')
 			# convert to decimal
 			cpu_ucode=$(( cpu_ucode ))
 			# convert back to hex
@@ -1628,7 +1628,7 @@ parse_cpu_details()
 		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CPU_UCODE='$cpu_ucode'")
 	fi

-	echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$(( cpu_ucode ))
+	echo "$cpu_ucode" | @grep@ -q ^0x && cpu_ucode=$(( cpu_ucode ))
 	ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid")

 	# also define those that we will need in other funcs
@@ -1725,8 +1725,8 @@ is_cpu_smt_enabled()
 {
 	# SMT / HyperThreading is enabled if siblings != cpucores
 	if [ -e "$procfs/cpuinfo" ]; then
-		_siblings=$(awk '/^siblings/  {print $3;exit}' "$procfs/cpuinfo")
-		_cpucores=$(awk '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo")
+		_siblings=$(@awk@ '/^siblings/  {print $3;exit}' "$procfs/cpuinfo")
+		_cpucores=$(@awk@ '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo")
 		if [ -n "$_siblings" ] && [ -n "$_cpucores" ]; then
 			if [ "$_siblings" = "$_cpucores" ]; then
 				return 1
@@ -1774,10 +1774,10 @@ is_ucode_blacklisted()
 		$INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b   \
 		$INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712
 	do
-		model=$(echo "$tuple" | cut -d, -f1)
-		stepping=$(( $(echo "$tuple" | cut -d, -f2) ))
+		model=$(echo "$tuple" | @cut@ -d, -f1)
+		stepping=$(( $(echo "$tuple" | @cut@ -d, -f2) ))
 		if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" = "$stepping" ]; then
-			ucode=$(( $(echo "$tuple" | cut -d, -f3) ))
+			ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
 			if [ "$cpu_ucode" = "$ucode" ]; then
 				_debug "is_ucode_blacklisted: we have a match! ($cpu_model/$cpu_stepping/$cpu_ucode)"
 				return 0
@@ -1865,7 +1865,7 @@ is_xen_dom0()
 		return 1
 	fi

-	if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d" "$procfs/xen/capabilities"; then
+	if [ -e "$procfs/xen/capabilities" ] && @grep@ -q "control_d" "$procfs/xen/capabilities"; then
 		return 0
 	else
 		return 1
@@ -1893,13 +1893,13 @@ is_xen_domU()

 if [ -r "$mcedb_cache" ]; then
 	# we have a local cache file, but it might be older than the builtin version we have
-	local_dbversion=$(  awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+	local_dbversion=$(  @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
 	mcedb_source="$mcedb_cache"
 	mcedb_info="local firmwares DB $local_dbversion"
 fi
 read_mcedb()
 {
-	awk '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
+	@awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
 }

 is_latest_known_ucode()
@@ -1920,10 +1920,10 @@ is_latest_known_ucode()
 	else
 		return 2
 	fi
-	for tuple in $(read_mcedb | grep "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
+	for tuple in $(read_mcedb | @grep@ "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
 	do
-		ucode=$((  $(echo "$tuple" | cut -d, -f3) ))
-		ucode_date=$(echo "$tuple" | cut -d, -f4 | sed -r 's=(....)(..)(..)=\1/\2/\3=')
+		ucode=$((  $(echo "$tuple" | @cut@ -d, -f3) ))
+		ucode_date=$(echo "$tuple" | @cut@ -d, -f4 | @sed@ -r 's=(....)(..)(..)=\1/\2/\3=')
 		_debug "is_latest_known_ucode: with cpuid $cpu_cpuid has ucode $cpu_ucode, last known is $ucode from $ucode_date"
 		ucode_latest=$(printf "latest version is 0x%x dated $ucode_date according to $mcedb_info" "$ucode")
 		if [ "$cpu_ucode" -ge "$ucode" ]; then
@@ -1948,7 +1948,7 @@ get_cmdline()
 		kernel_cmdline="$SMC_MOCK_CMDLINE"
 		return
 	else
-		kernel_cmdline=$(cat "$procfs/cmdline")
+		kernel_cmdline=$(@cat@ "$procfs/cmdline")
 		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CMDLINE='$kernel_cmdline'")
 	fi
 }
@@ -1956,7 +1956,7 @@ get_cmdline()
 # ENTRYPOINT

 # we can't do anything useful under WSL
-if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then
+if @uname@ -a | @grep@ -qE -- '-Microsoft #[0-9]+-Microsoft '; then
 	_warn "This script doesn't work under Windows Subsystem for Linux"
 	_warn "You should use the official Microsoft tool instead."
 	_warn "It can be found under https://aka.ms/SpeculationControlPS"
@@ -2005,15 +2005,15 @@ fi

 # if we're under a BSD, try to mount linprocfs for "$procfs/cpuinfo"
 procfs=/proc
-if echo "$os" | grep -q BSD; then
+if echo "$os" | @grep@ -q BSD; then
 	_debug "We're under BSD, check if we have procfs"
-	procfs=$(mount | awk '/^linprocfs/ { print $3; exit; }')
+	procfs=$(@mount@ | @awk@ '/^linprocfs/ { print $3; exit; }')
 	if [ -z "$procfs" ]; then
 		_debug "we don't, try to mount it"
 		procfs=/proc
 		[ -d /compat/linux/proc ] && procfs=/compat/linux/proc
 		test -d $procfs || mkdir $procfs
-		if mount -t linprocfs linprocfs $procfs 2>/dev/null; then
+		if @mount@ -t linprocfs linprocfs $procfs 2>/dev/null; then
 			mounted_procfs=1
 			_debug "procfs just mounted at $procfs"
 		else
@@ -2045,14 +2045,14 @@ fi

 if [ "$opt_live" = 1 ]; then
 	# root check (only for live mode, for offline mode, we already checked if we could read the files)
-	if [ "$(id -u)" -ne 0 ]; then
+	if [ "$(@id@ -u)" -ne 0 ]; then
 		_warn "Note that you should launch this script with root privileges to get accurate information."
 		_warn "We'll proceed but you might see permission denied errors."
 		_warn "To run it as root, you can try the following command: sudo $0"
 		_warn
 	fi
 	_info "Checking for vulnerabilities on current system"
-	_info "Kernel is \033[35m$os $(uname -r) $(uname -v) $(uname -m)\033[0m"
+	_info "Kernel is \033[35m$os $(@uname@ -r) $(@uname@ -v) $(@uname@ -m)\033[0m"
 	_info "CPU is \033[35m$cpu_friendly_name\033[0m"

 	# try to find the image of the current running kernel
@@ -2060,12 +2060,12 @@ if [ "$opt_live" = 1 ]; then
 		# specified by user on cmdline, with --live, don't override
 		:
 	# first, look for the BOOT_IMAGE hint in the kernel cmdline
-	elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then
-		opt_kernel=$(echo "$kernel_cmdline" | grep -Eo 'BOOT_IMAGE=[^ ]+' | cut -d= -f2)
+	elif echo "$kernel_cmdline" | @grep@ -q 'BOOT_IMAGE='; then
+		opt_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo 'BOOT_IMAGE=[^ ]+' | @cut@ -d= -f2)
 		_debug "found opt_kernel=$opt_kernel in $procfs/cmdline"
 		# if the boot partition is within a btrfs subvolume, strip the subvolume name
 		# if /boot is a separate subvolume, the remainder of the code in this section should handle it
-		if echo "$opt_kernel" | grep -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi
+		if echo "$opt_kernel" | @grep@ -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | @sed@ "s:/@[^/]*::"); fi
 		# if we have a dedicated /boot partition, our bootloader might have just called it /
 		# so try to prepend /boot and see if we find anything
 		[ -e "/boot/$opt_kernel" ] && opt_kernel="/boot/$opt_kernel"
@@ -2077,7 +2077,7 @@ if [ "$opt_live" = 1 ]; then
 	# if we didn't find a kernel, default to guessing
 	if [ ! -e "$opt_kernel" ]; then
 		# Fedora:
-		[ -e "/lib/modules/$(uname -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(uname -r)/vmlinuz"
+		[ -e "/lib/modules/$(@uname@ -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(@uname@ -r)/vmlinuz"
 		# Slackware:
 		[ -e "/boot/vmlinuz"             ] && opt_kernel="/boot/vmlinuz"
 		# Arch aarch64:
@@ -2091,24 +2091,24 @@ if [ "$opt_live" = 1 ]; then
 		# pine64
 		[ -e "/boot/pine64/Image"        ] && opt_kernel="/boot/pine64/Image"
 		# generic:
-		[ -e "/boot/vmlinuz-$(uname -r)" ] && opt_kernel="/boot/vmlinuz-$(uname -r)"
-		[ -e "/boot/kernel-$( uname -r)" ] && opt_kernel="/boot/kernel-$( uname -r)"
-		[ -e "/boot/bzImage-$(uname -r)" ] && opt_kernel="/boot/bzImage-$(uname -r)"
+		[ -e "/boot/vmlinuz-$(@uname@ -r)" ] && opt_kernel="/boot/vmlinuz-$(@uname@ -r)"
+		[ -e "/boot/kernel-$( @uname@ -r)" ] && opt_kernel="/boot/kernel-$( @uname@ -r)"
+		[ -e "/boot/bzImage-$(@uname@ -r)" ] && opt_kernel="/boot/bzImage-$(@uname@ -r)"
 		# Gentoo:
-		[ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
+		[ -e "/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)" ] && opt_kernel="/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)"
 		# NixOS:
 		[ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
 		# Guix System:
 		[ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
 		# systemd kernel-install:
-		[ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
+		[ -e "/etc/machine-id" ] && [ -e "/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux" ] && opt_kernel="/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux"
 		# Clear Linux:
-		str_uname=$(uname -r)
+		str_uname=$(@uname@ -r)
 		clear_linux_kernel="/lib/kernel/org.clearlinux.${str_uname##*.}.${str_uname%.*}"
 		[ -e "$clear_linux_kernel" ] && opt_kernel=$clear_linux_kernel
 		# Custom Arch seems to have the kernel path in its cmdline in the form "\directory\kernelimage",
 		# with actual \'s instead of /'s:
-		custom_arch_kernel=$(echo "$kernel_cmdline" | grep -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d '[:space:]')
+		custom_arch_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | @tr@ "\\\\" "/" | @tr@ -d '[:space:]')
 		if [ -n "$custom_arch_kernel" ] && [ -e "$custom_arch_kernel" ]; then
 			opt_kernel="$custom_arch_kernel"
 		fi
@@ -2122,12 +2122,12 @@ if [ "$opt_live" = 1 ]; then
 		:
 	elif [ -e "$procfs/kallsyms" ] ; then
 		opt_map="$procfs/kallsyms"
-	elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then
-		opt_map="/lib/modules/$(uname -r)/System.map"
-	elif [ -e "/boot/System.map-$(uname -r)" ] ; then
-		opt_map="/boot/System.map-$(uname -r)"
-	elif [ -e "/lib/kernel/System.map-$(uname -r)" ]; then
-		opt_map="/lib/kernel/System.map-$(uname -r)"
+	elif [ -e "/lib/modules/$(@uname@ -r)/System.map" ] ; then
+		opt_map="/lib/modules/$(@uname@ -r)/System.map"
+	elif [ -e "/boot/System.map-$(@uname@ -r)" ] ; then
+		opt_map="/boot/System.map-$(@uname@ -r)"
+	elif [ -e "/lib/kernel/System.map-$(@uname@ -r)" ]; then
+		opt_map="/lib/kernel/System.map-$(@uname@ -r)"
 	fi

 	# config
@@ -2135,18 +2135,18 @@ if [ "$opt_live" = 1 ]; then
 		# specified by user on cmdline, with --live, don't override
 		:
 	elif [ -e "$procfs/config.gz" ] ; then
-		dumped_config="$(mktemp -t smc-config-XXXXXX)"
-		gunzip -c "$procfs/config.gz" > "$dumped_config"
+		dumped_config="$(@mktemp@ -t smc-config-XXXXXX)"
+		@gunzip@ -c "$procfs/config.gz" > "$dumped_config"
 		# dumped_config will be deleted at the end of the script
 		opt_config="$dumped_config"
-	elif [ -e "/lib/modules/$(uname -r)/config" ]; then
-		opt_config="/lib/modules/$(uname -r)/config"
-	elif [ -e "/boot/config-$(uname -r)" ]; then
-		opt_config="/boot/config-$(uname -r)"
-	elif [ -e "/etc/kernels/kernel-config-$(uname -m)-$(uname -r)" ]; then
-		opt_config="/etc/kernels/kernel-config-$(uname -m)-$(uname -r)"
-	elif [ -e "/lib/kernel/config-$(uname -r)" ]; then
-		opt_config="/lib/kernel/config-$(uname -r)"
+	elif [ -e "/lib/modules/$(@uname@ -r)/config" ]; then
+		opt_config="/lib/modules/$(@uname@ -r)/config"
+	elif [ -e "/boot/config-$(@uname@ -r)" ]; then
+		opt_config="/boot/config-$(@uname@ -r)"
+	elif [ -e "/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)" ]; then
+		opt_config="/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)"
+	elif [ -e "/lib/kernel/config-$(@uname@ -r)" ]; then
+		opt_config="/lib/kernel/config-$(@uname@ -r)"
 	fi
 else
 	_info "Checking for vulnerabilities against specified kernel"
@@ -2161,7 +2161,7 @@ else
 fi

 if [ "$os" = Linux ]; then
-	if [ -n "$opt_config" ] && ! grep -q '^CONFIG_' "$opt_config"; then
+	if [ -n "$opt_config" ] && ! @grep@ -q '^CONFIG_' "$opt_config"; then
 		# given file is invalid!
 		_warn "The kernel config file seems invalid, was expecting a plain-text file, ignoring it!"
 		opt_config=''
@@ -2189,7 +2189,7 @@ if [ "$os" = Linux ]; then
 fi

 if [ -e "$opt_kernel" ]; then
-	if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then
+	if ! command -v "@readelf@" >/dev/null 2>&1; then
 		_debug "readelf not found"
 		kernel_err="missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the 'binutils' package"
 	elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ]; then
@@ -2207,20 +2207,20 @@ else
 	# vanilla kernels have with ^Linux version
 	# also try harder with some kernels (such as Red Hat) that don't have ^Linux version before their version string
 	# and check for FreeBSD
-	kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E \
+	kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E \
 		-e '^Linux version ' \
 		-e '^[[:alnum:]][^[:space:]]+ \([^[:space:]]+\) #[0-9]+ .+ (19|20)[0-9][0-9]$' \
-		-e '^FreeBSD [0-9]' | head -1)
+		-e '^FreeBSD [0-9]' | @head@ -1)
 	if [ -z "$kernel_version" ]; then
 		# try even harder with some kernels (such as ARM) that split the release (uname -r) and version (uname -v) in 2 adjacent strings
-		kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | tr "\n" " ")
+		kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | @tr@ "\n" " ")
 	fi
 	if [ -n "$kernel_version" ]; then
 		# in live mode, check if the img we found is the correct one
 		if [ "$opt_live" = 1 ]; then
 			_verbose "Kernel image is \033[35m$kernel_version"
-			if ! echo "$kernel_version" | grep -qF "$(uname -r)"; then
-				_warn "Possible discrepancy between your running kernel '$(uname -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect"
+			if ! echo "$kernel_version" | @grep@ -qF "$(@uname@ -r)"; then
+				_warn "Possible discrepancy between your running kernel '$(@uname@ -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect"
 			fi
 		else
 			_info "Kernel image is \033[35m$kernel_version"
@@ -2248,11 +2248,11 @@ sys_interface_check()
 	if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r "$file" ]; then
 		:
 	else
-		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")_RET=1")
+		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")_RET=1")
 		return 1
 	fi

-	_mockvarname="SMC_MOCK_SYSFS_$(basename "$file")_RET"
+	_mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")_RET"
 	# shellcheck disable=SC2086,SC1083
 	if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
 		_debug "sysfs: MOCKING enabled for $file func returns $(eval echo \$$_mockvarname)"
@@ -2261,17 +2261,17 @@ sys_interface_check()
 	fi

 	[ -n "$regex" ] || regex='.*'
-	_mockvarname="SMC_MOCK_SYSFS_$(basename "$file")"
+	_mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")"
 	# shellcheck disable=SC2086,SC1083
 	if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
 		fullmsg="$(eval echo \$$_mockvarname)"
-		msg=$(echo "$fullmsg" | grep -Eo "$regex")
+		msg=$(echo "$fullmsg" | @grep@ -Eo "$regex")
 		_debug "sysfs: MOCKING enabled for $file, will return $fullmsg"
 		mocked=1
 	else
-		fullmsg=$(cat "$file")
-		msg=$(grep -Eo "$regex" "$file")
-		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")='$fullmsg'")
+		fullmsg=$(@cat@ "$file")
+		msg=$(@grep@ -Eo "$regex" "$file")
+		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")='$fullmsg'")
 	fi
 	if [ "$mode" = silent ]; then
 		return 0
@@ -2280,15 +2280,15 @@ sys_interface_check()
 		return 0
 	fi
 	_info_nol "* Mitigated according to the /sys interface: "
-	if echo "$msg" | grep -qi '^not affected'; then
+	if echo "$msg" | @grep@ -qi '^not affected'; then
 		# Not affected
 		status=OK
 		pstatus green YES "$fullmsg"
-	elif echo "$msg" | grep -qEi '^(kvm: )?mitigation'; then
+	elif echo "$msg" | @grep@ -qEi '^(kvm: )?mitigation'; then
 		# Mitigation: PTI
 		status=OK
 		pstatus green YES "$fullmsg"
-	elif echo "$msg" | grep -qi '^vulnerable'; then
+	elif echo "$msg" | @grep@ -qi '^vulnerable'; then
 		# Vulnerable
 		status=VULN
 		pstatus yellow NO "$fullmsg"
@@ -2376,20 +2376,20 @@ write_msr_one_core()
 			# ret=4: msr doesn't exist, ret=127: msr.allow_writes=off
 			[ "$ret" = 127 ] && _write_denied=1
 		# or fallback to dd if it supports seek_bytes, we prefer it over perl because we can tell the difference between EPERM and EIO
-		elif dd if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
+		elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
 			_debug "write_msr: using dd"
-			dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
+			@dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
 			# if it failed, inspect stderrto look for EPERM
 			if [ "$ret" != 0 ]; then
-				if dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then
+				if @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | @grep@ -qF 'Operation not permitted'; then
 					_write_denied=1
 				fi
 			fi
 		# or if we have perl, use it, any 5.x version will work
-		elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
+		elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
 			_debug "write_msr: using perl"
 			ret=1
-			perl -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0
+			@perl@ -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0
 		else
 			_debug "write_msr: got no wrmsr, perl or recent enough dd!"
 			mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR")
@@ -2411,13 +2411,13 @@ write_msr_one_core()
 				msr_locked_down=1
 				write_msr_msg="your kernel is configured to deny writes to MSRs from user space"
 				return $WRITE_MSR_RET_LOCKDOWN
-			elif dmesg | grep -qF "msr: Direct access to MSR"; then
+			elif @dmesg@ | @grep@ -qF "msr: Direct access to MSR"; then
 				_debug "write_msr: locked down kernel detected (Red Hat / Fedora)"
 				mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
 				msr_locked_down=1
 				write_msr_msg="your kernel is locked down (Fedora/Red Hat), please reboot without secure boot and retry"
 				return $WRITE_MSR_RET_LOCKDOWN
-			elif dmesg | grep -qF "raw MSR access is restricted"; then
+			elif @dmesg@ | @grep@ -qF "raw MSR access is restricted"; then
 				_debug "write_msr: locked down kernel detected (vanilla)"
 				mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
 				msr_locked_down=1
@@ -2516,8 +2516,8 @@ read_msr_one_core()
 			return $READ_MSR_RET_KO
 		fi
 		# MSR 0x10: 0x000003e1 0xb106dded
-		_msr_h=$(echo "$_msr" | awk '{print $3}');
-		_msr_l=$(echo "$_msr" | awk '{print $4}');
+		_msr_h=$(echo "$_msr" | @awk@ '{print $3}');
+		_msr_l=$(echo "$_msr" | @awk@ '{print $4}');
 		read_msr_value=$(( _msr_h << 32 | _msr_l ))
 	else
 		# for Linux
@@ -2528,15 +2528,15 @@ read_msr_one_core()
 		# if rdmsr is available, use it
 		elif command -v rdmsr >/dev/null 2>&1 && [ "${SMC_NO_RDMSR:-}" != 1 ]; then
 			_debug "read_msr: using rdmsr on $_msr"
-			read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | od -t u8 -A n)
+			read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | @od@ -t u8 -A n)
 		# or if we have perl, use it, any 5.x version will work
-		elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
+		elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
 			_debug "read_msr: using perl on $_msr"
-			read_msr_value=$(perl -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | od -t u8 -A n)
+			read_msr_value=$(@perl@ -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | @od@ -t u8 -A n)
 		# fallback to dd if it supports skip_bytes
-		elif dd if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
+		elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
 			_debug "read_msr: using dd on $_msr"
-			read_msr_value=$(dd if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8 -A n)
+			read_msr_value=$(@dd@ if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | @od@ -t u8 -A n)
 		else
 			_debug "read_msr: got no rdmsr, perl or recent enough dd!"
 			mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR")
@@ -2560,7 +2560,7 @@ check_cpu()
 {
 	_info "\033[1;34mHardware check\033[0m"

-	if ! uname -m | grep -qwE 'x86_64|i[3-6]86|amd64'; then
+	if ! @uname@ -m | @grep@ -qwE 'x86_64|i[3-6]86|amd64'; then
 		return
 	fi

@@ -3176,19 +3176,19 @@ check_redhat_canonical_spectre()
 	# if we were already called, don't do it again
 	[ -n "${redhat_canonical_spectre:-}" ] && return

-	if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
+	if ! command -v "@strings@" >/dev/null 2>&1; then
 		redhat_canonical_spectre=-1
 	elif [ -n "$kernel_err" ]; then
 		redhat_canonical_spectre=-2
 	else
 		# Red Hat / Ubuntu specific variant1 patch is difficult to detect,
 		# let's use the two same tricks than the official Red Hat detection script uses:
-		if "${opt_arch_prefix}strings" "$kernel" | grep -qw noibrs && "${opt_arch_prefix}strings" "$kernel" | grep -qw noibpb; then
+		if "@strings@" "$kernel" | @grep@ -qw noibrs && "@strings@" "$kernel" | @grep@ -qw noibpb; then
 			# 1) detect their specific variant2 patch. If it's present, it means
 			# that the variant1 patch is also present (both were merged at the same time)
 			_debug "found redhat/canonical version of the variant2 patch (implies variant1)"
 			redhat_canonical_spectre=1
-		elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'x86/pti:'; then
+		elif "@strings@" "$kernel" | @grep@ -q 'x86/pti:'; then
 			# 2) detect their specific variant3 patch. If it's present, but the variant2
 			# is not, it means that only variant1 is present in addition to variant3
 			_debug "found redhat/canonical version of the variant3 patch (implies variant1 but not variant2)"
@@ -3213,13 +3213,13 @@ check_has_vmm()
 		# If we find no evidence that this is the case, assume we're not (to avoid scaring users),
 		# this can always be overridden with --vmm in any case.
 		has_vmm=0
-		if command -v pgrep >/dev/null 2>&1; then
+		if command -v @pgrep@ >/dev/null 2>&1; then
 			# remove xenbus and xenwatch, also present inside domU
 			# remove libvirtd as it can also be used to manage containers and not VMs
 			# for each binary we want to grep, get the pids
 			for _binary in qemu kvm xenstored xenconsoled
 			do
-				for _pid in $(pgrep -x $_binary)
+				for _pid in $(@pgrep@ -x $_binary)
 				do
 					# resolve the exe symlink, if it doesn't resolve with -m,
 					# which doesn't even need the dest to exist, it means the symlink
@@ -3235,7 +3235,7 @@ check_has_vmm()
 		else
 			# ignore SC2009 as `ps ax` is actually used as a fallback if `pgrep` isn't installed
 			# shellcheck disable=SC2009
-			if command -v ps >/devnull && ps ax | grep -vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then
+			if command -v ps >/devnull && ps ax | @grep@ -vw grep | @grep@ -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then
 				has_vmm=1
 			fi
 		fi
@@ -3267,7 +3267,7 @@ check_CVE_2017_5753()
 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
 	if [ "$os" = Linux ]; then
 		check_CVE_2017_5753_linux
-	elif echo "$os" | grep -q BSD; then
+	elif echo "$os" | @grep@ -q BSD; then
 		check_CVE_2017_5753_bsd
 	else
 		_warn "Unsupported OS ($os)"
@@ -3319,20 +3319,20 @@ check_CVE_2017_5753_linux()
 		v1_mask_nospec=''
 		if [ -n "$kernel_err" ]; then
 			pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
-		elif ! command -v perl >/dev/null 2>&1; then
+		elif ! command -v @perl@ >/dev/null 2>&1; then
 			pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
 		else
-			perl -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
+			@perl@ -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
 			if [ $ret -gt 0 ]; then
 				pstatus green YES "$ret occurrence(s) found of x86 64 bits array_index_mask_nospec()"
 				v1_mask_nospec="x86 64 bits array_index_mask_nospec"
 			else
-				perl -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
+				@perl@ -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
 				if [ $ret -gt 0 ]; then
 					pstatus green YES "$ret occurrence(s) found of x86 32 bits array_index_mask_nospec()"
 					v1_mask_nospec="x86 32 bits array_index_mask_nospec"
 				else
-					ret=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" | grep -w -e f3af8014 -e e320f014 -B2 | grep -B1 -w sbc | grep -w -c cmp)
+					ret=$("@objdump@" $objdump_options "$kernel" | @grep@ -w -e f3af8014 -e e320f014 -B2 | @grep@ -B1 -w sbc | @grep@ -w -c cmp)
 					if [ "$ret" -gt 0 ]; then
 						pstatus green YES "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()"
 						v1_mask_nospec="arm 32 bits array_index_mask_nospec"
@@ -3376,12 +3376,12 @@ check_CVE_2017_5753_linux()
 			pstatus yellow NO
 		elif [ -n "$kernel_err" ]; then
 			pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
-		elif ! command -v perl >/dev/null 2>&1; then
+		elif ! command -v @perl@ >/dev/null 2>&1; then
 			pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
-		elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
+		elif ! command -v "@objdump@" >/dev/null 2>&1; then
 			pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
 		else
-			"${opt_arch_prefix}objdump" $objdump_options "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
+			"@objdump@" $objdump_options "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
 			if [ "$ret" -eq 9 ]; then
 				pstatus green YES "mask_nospec64 macro is present and used"
 				v1_mask_nospec="arm64 mask_nospec64"
@@ -3403,12 +3403,12 @@ check_CVE_2017_5753_linux()
 			pstatus yellow NO
 		elif [ -n "$kernel_err" ]; then
 			pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
-		elif ! command -v perl >/dev/null 2>&1; then
+		elif ! command -v @perl@ >/dev/null 2>&1; then
 			pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
-		elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
+		elif ! command -v "@objdump@" >/dev/null 2>&1; then
 			pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
 		else
-			"${opt_arch_prefix}objdump" -d "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$?
+			"@objdump@" -d "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$?
 			if [ "$ret" -eq 9 ]; then
 				pstatus green YES "array_index_nospec macro is present and used"
 				v1_mask_nospec="arm64 array_index_nospec"
@@ -3424,7 +3424,7 @@ check_CVE_2017_5753_linux()
 			if [ -n "$kernel_err" ]; then
 				pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
 			else
-				if ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
+				if ! command -v "@objdump@" >/dev/null 2>&1; then
 					pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
 				else
 					# here we disassemble the kernel and count the number of occurrences of the LFENCE opcode
@@ -3434,7 +3434,7 @@ check_CVE_2017_5753_linux()
 					# so let's push the threshold to 70.
 					# v0.33+: now only count lfence opcodes after a jump, way less error-prone
 					# non patched kernel have between 0 and 20 matches, patched ones have at least 40-45
-					nb_lfence=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence | grep -Ewc 'jmp|jne|je')
+					nb_lfence=$("@objdump@" $objdump_options "$kernel" 2>/dev/null | @grep@ -w -B1 lfence | @grep@ -Ewc 'jmp|jne|je')
 					if [ "$nb_lfence" -lt 30 ]; then
 						pstatus yellow NO "only $nb_lfence jump-then-lfence instructions found, should be >= 30 (heuristic)"
 					else
@@ -3505,7 +3505,7 @@ check_CVE_2017_5715()
 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
 	if [ "$os" = Linux ]; then
 		check_CVE_2017_5715_linux
-	elif echo "$os" | grep -q BSD; then
+	elif echo "$os" | @grep@ -q BSD; then
 		check_CVE_2017_5715_bsd
 	else
 		_warn "Unsupported OS ($os)"
@@ -3547,13 +3547,13 @@ check_CVE_2017_5715_linux()
 					# /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed
 					specex_knob_dir=$dir
 					ibrs_supported="$dir/ibrs_enabled exists"
-					ibrs_enabled=$(cat "$dir/ibrs_enabled" 2>/dev/null)
+					ibrs_enabled=$(@cat@ "$dir/ibrs_enabled" 2>/dev/null)
 					_debug "ibrs: found $dir/ibrs_enabled=$ibrs_enabled"
 					# if ibrs_enabled is there, ibpb_enabled will be in the same dir
 					if [ -e "$dir/ibpb_enabled" ]; then
 						# if the file is there, we have IBPB compiled-in (see note above for IBRS)
 						ibpb_supported="$dir/ibpb_enabled exists"
-						ibpb_enabled=$(cat "$dir/ibpb_enabled" 2>/dev/null)
+						ibpb_enabled=$(@cat@ "$dir/ibpb_enabled" 2>/dev/null)
 						_debug "ibpb: found $dir/ibpb_enabled=$ibpb_enabled"
 					else
 						_debug "ibpb: $dir/ibpb_enabled file doesn't exist"
@@ -3568,7 +3568,7 @@ check_CVE_2017_5715_linux()
 			# which in that case means ibrs is supported *and* enabled for kernel & user
 			# as per the ibrs patch series v3
 			if [ -z "$ibrs_supported" ]; then
-				if grep ^flags "$procfs/cpuinfo" | grep -qw spec_ctrl_ibrs; then
+				if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw spec_ctrl_ibrs; then
 					_debug "ibrs: found spec_ctrl_ibrs flag in $procfs/cpuinfo"
 					ibrs_supported="spec_ctrl_ibrs flag in $procfs/cpuinfo"
 					# enabled=2 -> kernel & user
@@ -3578,13 +3578,13 @@ check_CVE_2017_5715_linux()
 			fi
 			if [ -n "$fullmsg" ]; then
 				# when IBPB is enabled on 4.15+, we can see it in sysfs
-				if echo "$fullmsg" | grep -q 'IBPB'; then
+				if echo "$fullmsg" | @grep@ -q 'IBPB'; then
 					_debug "ibpb: found enabled in sysfs"
 					[ -z "$ibpb_supported" ] && ibpb_supported='IBPB found enabled in sysfs'
 					[ -z "$ibpb_enabled"   ] && ibpb_enabled=1
 				fi
 				# when IBRS_FW is enabled on 4.15+, we can see it in sysfs
-				if echo "$fullmsg" | grep -q ', IBRS_FW'; then
+				if echo "$fullmsg" | @grep@ -q ', IBRS_FW'; then
 					_debug "ibrs: found IBRS_FW in sysfs"
 					[ -z "$ibrs_supported" ] && ibrs_supported='found IBRS_FW in sysfs'
 					ibrs_fw_enabled=1
@@ -3592,13 +3592,13 @@ check_CVE_2017_5715_linux()
 				# when IBRS is enabled on 4.15+, we can see it in sysfs
 				# on a more recent kernel, classic "IBRS" is not even longer an option, because of the performance impact.
 				# only "Enhanced IBRS" is available (on CPUs with the IBRS_ALL flag)
-				if echo "$fullmsg" | grep -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
+				if echo "$fullmsg" | @grep@ -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
 					_debug "ibrs: found IBRS in sysfs"
 					[ -z "$ibrs_supported" ] && ibrs_supported='found IBRS in sysfs'
 					[ -z "$ibrs_enabled"   ] && ibrs_enabled=3
 				fi
 				# checking for 'Enhanced IBRS' in sysfs, enabled on CPUs with IBRS_ALL
-				if echo "$fullmsg" | grep -q -e 'Enhanced IBRS'; then
+				if echo "$fullmsg" | @grep@ -q -e 'Enhanced IBRS'; then
 					[ -z "$ibrs_supported" ] && ibrs_supported='found Enhanced IBRS in sysfs'
 					# 4 isn't actually a valid value of the now extinct "ibrs_enabled" flag file,
 					# that only went from 0 to 3, so we use 4 as "enhanced ibrs is enabled"
@@ -3617,11 +3617,11 @@ check_CVE_2017_5715_linux()
 			fi
 		fi
 		if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then
-			if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
+			if ! command -v "@strings@" >/dev/null 2>&1; then
 				:
 			else
 				ibrs_can_tell=1
-				ibrs_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1)
+				ibrs_supported=$("@strings@" "$kernel" | @grep@ -Fw -e ', IBRS_FW' | @head@ -1)
 				if [ -n "$ibrs_supported" ]; then
 					_debug "ibrs: found ibrs evidence in kernel image ($ibrs_supported)"
 					ibrs_supported="found '$ibrs_supported' in kernel image"
@@ -3630,7 +3630,7 @@ check_CVE_2017_5715_linux()
 		fi
 		if [ -z "$ibrs_supported" ] && [ -n "$opt_map" ]; then
 			ibrs_can_tell=1
-			if grep -q spec_ctrl "$opt_map"; then
+			if @grep@ -q spec_ctrl "$opt_map"; then
 				ibrs_supported="found spec_ctrl in symbols file"
 				_debug "ibrs: found '*spec_ctrl*' symbol in $opt_map"
 			fi
@@ -3638,11 +3638,11 @@ check_CVE_2017_5715_linux()
 		# recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat
 		# we can detect it directly in the image
 		if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then
-			if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
+			if ! command -v "@strings@" >/dev/null 2>&1; then
 				:
 			else
 				ibpb_can_tell=1
-				ibpb_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1)
+				ibpb_supported=$("@strings@" "$kernel" | @grep@ -Fw -e 'ibpb' -e ', IBPB' | @head@ -1)
 				if [ -n "$ibpb_supported" ]; then
 					_debug "ibpb: found ibpb evidence in kernel image ($ibpb_supported)"
 					ibpb_supported="found '$ibpb_supported' in kernel image"
@@ -3691,9 +3691,9 @@ check_CVE_2017_5715_linux()
 					2)	if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel, user space, and firmware code" ; else pstatus green YES "for both kernel and user space"; fi;;
 					3)	if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and firmware code"; else pstatus green YES; fi;;
 					4)	pstatus green YES "Enhanced flavor, performance impact will be greatly reduced";;
-					*)	if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ];
-							then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
-						else
+					*)	if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ];
+							then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
+						else
 							pstatus yellow UNKNOWN; fi;;
 				esac
 			fi
@@ -3744,7 +3744,7 @@ check_CVE_2017_5715_linux()
 		bp_harden=''
 		if [ -r "$opt_config" ]; then
 			bp_harden_can_tell=1
-			bp_harden=$(grep -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
+			bp_harden=$(@grep@ -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
 			if [ -n "$bp_harden" ]; then
 				pstatus green YES
 				_debug "bp_harden: found '$bp_harden' in $opt_config"
@@ -3752,7 +3752,7 @@ check_CVE_2017_5715_linux()
 		fi
 		if [ -z "$bp_harden" ] && [ -n "$opt_map" ]; then
 			bp_harden_can_tell=1
-			bp_harden=$(grep -w bp_hardening_data "$opt_map")
+			bp_harden=$(@grep@ -w bp_hardening_data "$opt_map")
 			if [ -n "$bp_harden" ]; then
 				pstatus green YES
 				_debug "bp_harden: found '$bp_harden' in $opt_map"
@@ -3770,11 +3770,11 @@ check_CVE_2017_5715_linux()
 		# We check the RETPOLINE kernel options
 		retpoline=0
 		if [ -r "$opt_config" ]; then
-			if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
+			if @grep@ -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
 				pstatus green YES
 				retpoline=1
 				# shellcheck disable=SC2046
-				_debug 'retpoline: found '$(grep '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
+				_debug 'retpoline: found '$(@grep@ '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
 			else
 				pstatus yellow NO
 			fi
@@ -3795,8 +3795,8 @@ check_CVE_2017_5715_linux()
 			# since 5.15.28, this is now "Retpolines" as the implementation was switched to a generic one,
 			# so we look for both "retpoline" and "retpolines"
 			if [ "$opt_live" = 1 ] && [ -n "$fullmsg" ]; then
-				if echo "$fullmsg" | grep -qwi -e retpoline -e retpolines; then
-					if echo "$fullmsg" | grep -qwi minimal; then
+				if echo "$fullmsg" | @grep@ -qwi -e retpoline -e retpolines; then
+					if echo "$fullmsg" | @grep@ -qwi minimal; then
 						retpoline_compiler=0
 						retpoline_compiler_reason="kernel reports minimal retpoline compilation"
 					else
@@ -3806,19 +3806,19 @@ check_CVE_2017_5715_linux()
 				fi
 			elif [ -n "$opt_map" ]; then
 				# look for the symbol
-				if grep -qw noretpoline_setup "$opt_map"; then
+				if @grep@ -qw noretpoline_setup "$opt_map"; then
 					retpoline_compiler=1
 					retpoline_compiler_reason="noretpoline_setup symbol found in System.map"
 				fi
 			elif [ -n "$kernel" ]; then
 				# look for the symbol
-				if command -v "${opt_arch_prefix}nm" >/dev/null 2>&1; then
+				if command -v "@nm@" >/dev/null 2>&1; then
 					# the proper way: use nm and look for the symbol
-					if "${opt_arch_prefix}nm" "$kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then
+					if "@nm@" "$kernel" 2>/dev/null | @grep@ -qw 'noretpoline_setup'; then
 						retpoline_compiler=1
 						retpoline_compiler_reason="noretpoline_setup found in kernel symbols"
 					fi
-				elif grep -q noretpoline_setup "$kernel"; then
+				elif @grep@ -q noretpoline_setup "$kernel"; then
 					# if we don't have nm, nevermind, the symbol name is long enough to not have
 					# any false positive using good old grep directly on the binary
 					retpoline_compiler=1
@@ -3847,7 +3847,7 @@ check_CVE_2017_5715_linux()
 		retp_enabled=-1
 		if [ "$opt_live" = 1 ]; then
 			if [ -e "$specex_knob_dir/retp_enabled" ]; then
-				retp_enabled=$(cat "$specex_knob_dir/retp_enabled" 2>/dev/null)
+				retp_enabled=$(@cat@ "$specex_knob_dir/retp_enabled" 2>/dev/null)
 				_debug "retpoline: found $specex_knob_dir/retp_enabled=$retp_enabled"
 				_info_nol "    * Retpoline is enabled: "
 				if [ "$retp_enabled" = 1 ]; then
@@ -3877,7 +3877,7 @@ check_CVE_2017_5715_linux()
 			rsb_filling=0
 			if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then
 				# if we're live and we aren't denied looking into /sys, let's do it
-				if echo "$msg" | grep -qw RSB; then
+				if echo "$msg" | @grep@ -qw RSB; then
 					rsb_filling=1
 					pstatus green YES
 				fi
@@ -3886,7 +3886,7 @@ check_CVE_2017_5715_linux()
 				if [ -n "$kernel_err" ]; then
 					pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
 				else
-					if grep -qw -e 'Filling RSB on context switch' "$kernel"; then
+					if @grep@ -qw -e 'Filling RSB on context switch' "$kernel"; then
 						rsb_filling=1
 						pstatus green YES
 					else
@@ -4048,7 +4048,7 @@ check_CVE_2017_5715_bsd()
 {
 	_info     "* Mitigation 1"
 	_info_nol "  * Kernel supports IBRS: "
-	ibrs_disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null)
+	ibrs_disabled=$(@sysctl@ -n hw.ibrs_disable 2>/dev/null)
 	if [ -z "$ibrs_disabled" ]; then
 		pstatus yellow NO
 	else
@@ -4056,7 +4056,7 @@ check_CVE_2017_5715_bsd()
 	fi

 	_info_nol "  * IBRS enabled and active: "
-	ibrs_active=$(sysctl -n hw.ibrs_active 2>/dev/null)
+	ibrs_active=$(@sysctl@ -n hw.ibrs_active 2>/dev/null)
 	if [ "$ibrs_active" = 1 ]; then
 		pstatus green YES
 	else
@@ -4069,10 +4069,10 @@ check_CVE_2017_5715_bsd()
 	if [ -n "$kernel_err" ]; then
 		pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
 	else
-		if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then
+		if ! command -v "@readelf@" >/dev/null 2>&1; then
 			pstatus yellow UNKNOWN "missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the binutils package"
 		else
-			nb_thunks=$("${opt_arch_prefix}readelf" -s "$kernel" | grep -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_)
+			nb_thunks=$("@readelf@" -s "$kernel" | @grep@ -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_)
 			if [ "$nb_thunks" -gt 0 ]; then
 				retpoline=1
 				pstatus green YES "found $nb_thunks thunk(s)"
@@ -4113,7 +4113,7 @@ check_CVE_2017_5715_bsd()
 pti_performance_check()
 {
 	_info_nol "  * Reduced performance impact of PTI: "
-	if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw pcid; then
+	if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pcid; then
 		cpu_pcid=1
 	else
 		read_cpuid 0x1 0x0 $ECX 17 1 1; ret=$?
@@ -4122,7 +4122,7 @@ pti_performance_check()
 		fi
 	fi

-	if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw invpcid; then
+	if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw invpcid; then
 		cpu_invpcid=1
 	else
 		read_cpuid 0x7 0x0 $EBX 10 1 1; ret=$?
@@ -4147,7 +4147,7 @@ check_CVE_2017_5754()
 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
 	if [ "$os" = Linux ]; then
 		check_CVE_2017_5754_linux
-	elif echo "$os" | grep -q BSD; then
+	elif echo "$os" | @grep@ -q BSD; then
 		check_CVE_2017_5754_bsd
 	else
 		_warn "Unsupported OS ($os)"
@@ -4169,7 +4169,7 @@ check_CVE_2017_5754_linux()
 		kpti_can_tell=0
 		if [ -n "$opt_config" ]; then
 			kpti_can_tell=1
-			kpti_support=$(grep -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
+			kpti_support=$(@grep@ -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
 			if [ -n "$kpti_support" ]; then
 				_debug "kpti_support: found option '$kpti_support' in $opt_config"
 			fi
@@ -4179,7 +4179,7 @@ check_CVE_2017_5754_linux()
 			# so we try to find an exported symbol that is part of the PTI patch in System.map
 			# parse_kpti: arm
 			kpti_can_tell=1
-			kpti_support=$(grep -w -e kpti_force_enabled -e parse_kpti "$opt_map")
+			kpti_support=$(@grep@ -w -e kpti_force_enabled -e parse_kpti "$opt_map")
 			if [ -n "$kpti_support" ]; then
 				_debug "kpti_support: found '$kpti_support' in $opt_map"
 			fi
@@ -4189,10 +4189,10 @@ check_CVE_2017_5754_linux()
 			# nopti option that is part of the patch (kernel command line option)
 			# 'kpti=': arm
 			kpti_can_tell=1
-			if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
+			if ! command -v "@strings@" >/dev/null 2>&1; then
 				pstatus yellow UNKNOWN "missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
 			else
-				kpti_support=$("${opt_arch_prefix}strings" "$kernel" | grep -w -e nopti -e kpti=)
+				kpti_support=$("@strings@" "$kernel" | @grep@ -w -e nopti -e kpti=)
 				if [ -n "$kpti_support" ]; then
 					_debug "kpti_support: found '$kpti_support' in $kernel"
 				fi
@@ -4219,20 +4219,20 @@ check_CVE_2017_5754_linux()
 			dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
 			# aarch64
 			dmesg_grep="$dmesg_grep|CPU features: detected( feature)?: Kernel page table isolation \(KPTI\)"
-			if grep ^flags "$procfs/cpuinfo" | grep -qw pti; then
+			if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pti; then
 				# vanilla PTI patch sets the 'pti' flag in cpuinfo
 				_debug "kpti_enabled: found 'pti' flag in $procfs/cpuinfo"
 				kpti_enabled=1
-			elif grep ^flags "$procfs/cpuinfo" | grep -qw kaiser; then
+			elif @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw kaiser; then
 				# kernel line 4.9 sets the 'kaiser' flag in cpuinfo
 				_debug "kpti_enabled: found 'kaiser' flag in $procfs/cpuinfo"
 				kpti_enabled=1
 			elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then
 				# Red Hat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
-				kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
+				kpti_enabled=$(@cat@ /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
 				_debug "kpti_enabled: file /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled"
 			elif is_xen_dom0; then
-				pti_xen_pv_domU=$(xl dmesg | grep 'XPTI' | grep 'DomU enabled' | head -1)
+				pti_xen_pv_domU=$(xl @dmesg@ | @grep@ 'XPTI' | @grep@ 'DomU enabled' | @head@ -1)

 				[ -n "$pti_xen_pv_domU" ] && kpti_enabled=1
 			fi
@@ -4307,7 +4307,7 @@ check_CVE_2017_5754_linux()
 				if [ -n "$kpti_support" ]; then
 					if [ -e "/sys/kernel/debug/x86/pti_enabled" ]; then
 						explain "Your kernel supports PTI but it's disabled, you can enable it with \`echo 1 > /sys/kernel/debug/x86/pti_enabled\`"
-					elif echo "$kernel_cmdline" | grep -q -w -e nopti -e pti=off; then
+					elif echo "$kernel_cmdline" | @grep@ -q -w -e nopti -e pti=off; then
 						explain "Your kernel supports PTI but it has been disabled on command-line, remove the nopti or pti=off option from your bootloader configuration"
 					else
 						explain "Your kernel supports PTI but it has been disabled, check \`dmesg\` right after boot to find clues why the system disabled it"
@@ -4358,7 +4358,7 @@ check_CVE_2017_5754_linux()
 check_CVE_2017_5754_bsd()
 {
 	_info_nol "* Kernel supports Page Table Isolation (PTI): "
-	kpti_enabled=$(sysctl -n vm.pmap.pti 2>/dev/null)
+	kpti_enabled=$(@sysctl@ -n vm.pmap.pti 2>/dev/null)
 	if [ -z "$kpti_enabled" ]; then
 		pstatus yellow NO
 	else
@@ -4429,7 +4429,7 @@ check_CVE_2018_3639()
 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
 	if [ "$os" = Linux ]; then
 		check_CVE_2018_3639_linux
-	elif echo "$os" | grep -q BSD; then
+	elif echo "$os" | @grep@ -q BSD; then
 		check_CVE_2018_3639_bsd
 	else
 		_warn "Unsupported OS ($os)"
@@ -4448,33 +4448,33 @@ check_CVE_2018_3639_linux()
 	if [ "$opt_sysfs_only" != 1 ]; then
 		_info_nol "* Kernel supports disabling speculative store bypass (SSB): "
 		if [ "$opt_live" = 1 ]; then
-			if grep -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then
+			if @grep@ -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then
 				kernel_ssb="found in $procfs/self/status"
 				_debug "found Speculation.Store.Bypass: in $procfs/self/status"
 			fi
 		fi
 		# arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
-		if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! grep -q 'arm64_sys_' "$kernel"; then
-			kernel_ssb=$("${opt_arch_prefix}strings" "$kernel" | grep spec_store_bypass | head -n1);
+		if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! @grep@ -q 'arm64_sys_' "$kernel"; then
+			kernel_ssb=$("@strings@" "$kernel" | @grep@ spec_store_bypass | @head@ -n1);
 			[ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in kernel"
 		fi
 		# arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
-		if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! grep -q 'arm64_sys_' "$opt_map"; then
-			kernel_ssb=$(grep spec_store_bypass "$opt_map" | awk '{print $3}' | head -n1)
+		if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! @grep@ -q 'arm64_sys_' "$opt_map"; then
+			kernel_ssb=$(@grep@ spec_store_bypass "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
 			[ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
 		fi
 		# arm64 only:
 		if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ]; then
-			kernel_ssb=$(grep -w cpu_enable_ssbs "$opt_map" | awk '{print $3}' | head -n1)
+			kernel_ssb=$(@grep@ -w cpu_enable_ssbs "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
 			[ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
 		fi
 		if [ -z "$kernel_ssb" ] && [ -n "$opt_config" ]; then
-			kernel_ssb=$(grep -w 'CONFIG_ARM64_SSBD=y' "$opt_config")
+			kernel_ssb=$(@grep@ -w 'CONFIG_ARM64_SSBD=y' "$opt_config")
 			[ -n "$kernel_ssb" ] && kernel_ssb="CONFIG_ARM64_SSBD enabled in kconfig"
 		fi
 		if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then
 			# this string only appears in kernel if CONFIG_ARM64_SSBD is set
-			kernel_ssb=$(grep -w "Speculative Store Bypassing Safe (SSBS)" "$kernel")
+			kernel_ssb=$(@grep@ -w "Speculative Store Bypassing Safe (SSBS)" "$kernel")
 			[ -n "$kernel_ssb" ] && kernel_ssb="found 'Speculative Store Bypassing Safe (SSBS)' in kernel"
 		fi
 		# /arm64 only
@@ -4489,31 +4489,31 @@ check_CVE_2018_3639_linux()
 		if [ "$opt_live" = 1 ]; then
 			# https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340
 			_info_nol "* SSB mitigation is enabled and active: "
-			if grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then
+			if @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then
 				kernel_ssbd_enabled=1
 				pstatus green YES "per-thread through prctl"
-			elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then
+			elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then
 				kernel_ssbd_enabled=2
 				pstatus green YES "global"
-			elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then
+			elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then
 				kernel_ssbd_enabled=0
 				pstatus yellow NO
-			elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then
+			elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then
 				kernel_ssbd_enabled=-2
 				pstatus blue NO "not vulnerable"
-			elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then
+			elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then
 				kernel_ssbd_enabled=0
 				pstatus blue NO
 			else
-				pstatus blue UNKNOWN "unknown value: $(grep -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | cut -d: -f2-)"
+				pstatus blue UNKNOWN "unknown value: $(@grep@ -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | @cut@ -d: -f2-)"
 			fi

 			if [ "$kernel_ssbd_enabled" = 1 ]; then
 				_info_nol "* SSB mitigation currently active for selected processes: "
 				# silence grep's stderr here to avoid ENOENT errors from processes that have exited since the shell's expansion of the *
-				mitigated_processes=$(find /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
-					| xargs -r0 grep -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \
-					| sed s/status/exe/ | xargs -r -n1 readlink -f 2>/dev/null | xargs -r -n1 basename | sort -u | tr "\n" " " | sed 's/ $//')
+				mitigated_processes=$(@find@ /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
+					| @xargs@ -r0 @grep@ -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \
+					| @sed@ s/status/exe/ | @xargs@ -r -n1 readlink -f 2>/dev/null | @xargs@ -r -n1 @basename@ | @sort@ -u | @tr@ "\n" " " | @sed@ 's/ $//')
 				if [ -n "$mitigated_processes" ]; then
 					pstatus green YES "$mitigated_processes"
 				else
@@ -4565,7 +4565,7 @@ check_CVE_2018_3639_linux()
 check_CVE_2018_3639_bsd()
 {
 	_info_nol "* Kernel supports speculation store bypass: "
-	if sysctl hw.spec_store_bypass_disable >/dev/null 2>&1; then
+	if @sysctl@ hw.spec_store_bypass_disable >/dev/null 2>&1; then
 		kernel_ssb=1
 		pstatus green YES
 	else
@@ -4574,7 +4574,7 @@ check_CVE_2018_3639_bsd()
 	fi

 	_info_nol "* Speculation store bypass is administratively enabled: "
-	ssb_enabled=$(sysctl -n hw.spec_store_bypass_disable 2>/dev/null)
+	ssb_enabled=$(@sysctl@ -n hw.spec_store_bypass_disable 2>/dev/null)
 	_debug "hw.spec_store_bypass_disable=$ssb_enabled"
 	case "$ssb_enabled" in
 		0) pstatus yellow NO "disabled";;
@@ -4584,7 +4584,7 @@ check_CVE_2018_3639_bsd()
 	esac

 	_info_nol "* Speculation store bypass is currently active: "
-	ssb_active=$(sysctl -n hw.spec_store_bypass_disable_active 2>/dev/null)
+	ssb_active=$(@sysctl@ -n hw.spec_store_bypass_disable_active 2>/dev/null)
 	_debug "hw.spec_store_bypass_disable_active=$ssb_active"
 	case "$ssb_active" in
 		1) pstatus green YES;;
@@ -4656,7 +4656,7 @@ check_CVE_2018_3620()
 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
 	if [ "$os" = Linux ]; then
 		check_CVE_2018_3620_linux
-	elif echo "$os" | grep -q BSD; then
+	elif echo "$os" | @grep@ -q BSD; then
 		check_CVE_2018_3620_bsd
 	else
 		_warn "Unsupported OS ($os)"
@@ -4674,14 +4674,14 @@ check_CVE_2018_3620_linux()
 	fi
 	if [ "$opt_sysfs_only" != 1 ]; then
 		_info_nol "* Kernel supports PTE inversion: "
-		if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
+		if ! command -v "@strings@" >/dev/null 2>&1; then
 			pstatus yellow UNKNOWN "missing 'strings' tool, please install it"
 			pteinv_supported=-1
 		elif [ -n "$kernel_err" ]; then
 			pstatus yellow UNKNOWN "$kernel_err"
 			pteinv_supported=-1
 		else
-			if "${opt_arch_prefix}strings" "$kernel" | grep -Fq 'PTE Inversion'; then
+			if "@strings@" "$kernel" | @grep@ -Fq 'PTE Inversion'; then
 				pstatus green YES "found in kernel image"
 				_debug "pteinv: found pte inversion evidence in kernel image"
 				pteinv_supported=1
@@ -4694,7 +4694,7 @@ check_CVE_2018_3620_linux()
 		_info_nol "* PTE inversion enabled and active: "
 		if [ "$opt_live" = 1 ]; then
 			if [ -n "$fullmsg" ]; then
-				if echo "$fullmsg" | grep -q 'Mitigation: PTE Inversion'; then
+				if echo "$fullmsg" | @grep@ -q 'Mitigation: PTE Inversion'; then
 					pstatus green YES
 					pteinv_active=1
 				else
@@ -4742,7 +4742,7 @@ check_CVE_2018_3620_bsd()
 	else
 		_debug "vmm module already loaded"
 	fi
-	if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
+	if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
 		# https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
 		# this is very difficult to detect that the kernel reserved the 0 page, but this fix
 		# is part of the exact same patch than the other L1TF CVE, so we detect it
@@ -4772,7 +4772,7 @@ check_CVE_2018_3646()
 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
 	if [ "$os" = Linux ]; then
 		check_CVE_2018_3646_linux
-	elif echo "$os" | grep -q BSD; then
+	elif echo "$os" | @grep@ -q BSD; then
 		check_CVE_2018_3646_bsd
 	else
 		_warn "Unsupported OS ($os)"
@@ -4798,7 +4798,7 @@ check_CVE_2018_3646_linux()
 		if [ "$opt_live" = 1 ]; then
 			if ! [ -r /sys/module/kvm_intel/parameters/ept ]; then
 				pstatus blue N/A "the kvm_intel module is not loaded"
-			elif [ "$(cat /sys/module/kvm_intel/parameters/ept)" = N ]; then
+			elif [ "$(@cat@ /sys/module/kvm_intel/parameters/ept)" = N ]; then
 				pstatus green YES
 				ept_disabled=1
 			else
@@ -4810,15 +4810,15 @@ check_CVE_2018_3646_linux()

 		_info "* Mitigation 2"
 		_info_nol "  * L1D flush is supported by kernel: "
-		if [ "$opt_live" = 1 ] && grep -qw flush_l1d "$procfs/cpuinfo"; then
+		if [ "$opt_live" = 1 ] && @grep@ -qw flush_l1d "$procfs/cpuinfo"; then
 			l1d_kernel="found flush_l1d in $procfs/cpuinfo"
 		fi
 		if [ -z "$l1d_kernel" ]; then
-			if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
+			if ! command -v "@strings@" >/dev/null 2>&1; then
 				l1d_kernel_err="missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
 			elif [ -n "$kernel_err" ]; then
 				l1d_kernel_err="$kernel_err"
-			elif "${opt_arch_prefix}strings" "$kernel" | grep -qw flush_l1d; then
+			elif "@strings@" "$kernel" | @grep@ -qw flush_l1d; then
 				l1d_kernel='found flush_l1d in kernel image'
 			fi
 		fi
@@ -4839,20 +4839,20 @@ check_CVE_2018_3646_linux()
 				# $l1dstatus is one of (auto|vulnerable|conditional cache flushes|cache flushes|EPT disabled|flush not necessary)
 				# $smtstatus is one of (vulnerable|disabled)
 				# can also just be "Not affected"
-				if echo "$fullmsg" | grep -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then
+				if echo "$fullmsg" | @grep@ -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then
 					l1d_mode=0
 					pstatus yellow NO
-				elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) conditional cache flushes'; then
+				elif echo "$fullmsg" | @grep@ -Eq '(VMX:|L1D) conditional cache flushes'; then
 					l1d_mode=1
 					pstatus green YES "conditional flushes"
-				elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) cache flushes'; then
+				elif echo "$fullmsg" | @grep@ -Eq '(VMX:|L1D) cache flushes'; then
 					l1d_mode=2
 					pstatus green YES "unconditional flushes"
 				else
 					if is_xen_dom0; then
-						l1d_xen_hardware=$(xl dmesg | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -1)
-						l1d_xen_hypervisor=$(xl dmesg | grep 'Xen settings:' | grep 'L1D_FLUSH' | head -1)
-						l1d_xen_pv_domU=$(xl dmesg | grep 'PV L1TF shadowing:' | grep 'DomU enabled' | head -1)
+						l1d_xen_hardware=$(xl @dmesg@ | @grep@ 'Hardware features:' | @grep@ 'L1D_FLUSH' | @head@ -1)
+						l1d_xen_hypervisor=$(xl @dmesg@ | @grep@ 'Xen settings:' | @grep@ 'L1D_FLUSH' | @head@ -1)
+						l1d_xen_pv_domU=$(xl @dmesg@ | @grep@ 'PV L1TF shadowing:' | @grep@ 'DomU enabled' | @head@ -1)

 						if [ -n "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n "$l1d_xen_pv_domU" ]; then
 							l1d_mode=5
@@ -4883,7 +4883,7 @@ check_CVE_2018_3646_linux()

 		_info_nol "  * Hardware-backed L1D flush supported: "
 		if [ "$opt_live" = 1 ]; then
-			if grep -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then
+			if @grep@ -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then
 				pstatus green YES "performance impact of the mitigation will be greatly reduced"
 			else
 				pstatus blue NO "flush will be done in software, this is slower"
@@ -4955,7 +4955,7 @@ check_CVE_2018_3646_linux()
 check_CVE_2018_3646_bsd()
 {
 	_info_nol "* Kernel supports L1D flushing: "
-	if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
+	if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
 		pstatus green YES
 		kernel_l1d_supported=1
 	else
@@ -4964,7 +4964,7 @@ check_CVE_2018_3646_bsd()
 	fi

 	_info_nol "* L1D flushing is enabled: "
-	kernel_l1d_enabled=$(sysctl -n hw.vmm.vmx.l1d_flush 2>/dev/null)
+	kernel_l1d_enabled=$(@sysctl@ -n hw.vmm.vmx.l1d_flush 2>/dev/null)
 	case "$kernel_l1d_enabled" in
 		0) pstatus yellow NO;;
 		1) pstatus green YES;;
@@ -5018,7 +5018,7 @@ check_CVE_2018_12127()
 ###################
 # MDSUM SECTION

-# Microarchitectural Data Sampling Uncacheable Memory
+# Microarchitectural Data Sampling Uncacheable Memory
 check_CVE_2019_11091()
 {
 	cve='CVE-2019-11091'
@@ -5032,7 +5032,7 @@ check_mds()
 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
 	if [ "$os" = Linux ]; then
 		check_mds_linux "$cve"
-	elif echo "$os" | grep -q BSD; then
+	elif echo "$os" | @grep@ -q BSD; then
 		check_mds_bsd "$cve"
 	else
 		_warn "Unsupported OS ($os)"
@@ -5043,7 +5043,7 @@ check_mds_bsd()
 {
 	_info_nol "* Kernel supports using MD_CLEAR mitigation: "
 	if [ "$opt_live" = 1 ]; then
-		if sysctl hw.mds_disable >/dev/null 2>&1; then
+		if @sysctl@ hw.mds_disable >/dev/null 2>&1; then
 			pstatus green YES
 			kernel_md_clear=1
 		else
@@ -5051,7 +5051,7 @@ check_mds_bsd()
 			kernel_md_clear=0
 		fi
 	else
-		if grep -Fq hw.mds_disable $opt_kernel; then
+		if @grep@ -Fq hw.mds_disable $opt_kernel; then
 			pstatus green YES
 			kernel_md_clear=1
 		else
@@ -5061,8 +5061,8 @@ check_mds_bsd()
 	fi

 	_info_nol "* CPU Hyper-Threading (SMT) is disabled: "
-	if sysctl machdep.hyperthreading_allowed >/dev/null 2>&1; then
-		kernel_smt_allowed=$(sysctl -n machdep.hyperthreading_allowed 2>/dev/null)
+	if @sysctl@ machdep.hyperthreading_allowed >/dev/null 2>&1; then
+		kernel_smt_allowed=$(@sysctl@ -n machdep.hyperthreading_allowed 2>/dev/null)
 		if [ "$kernel_smt_allowed" = 1 ]; then
 			pstatus yellow NO
 		else
@@ -5074,7 +5074,7 @@ check_mds_bsd()

 	_info_nol "* Kernel mitigation is enabled: "
 	if [ "$kernel_md_clear" = 1 ]; then
-		kernel_mds_enabled=$(sysctl -n hw.mds_disable 2>/dev/null)
+		kernel_mds_enabled=$(@sysctl@ -n hw.mds_disable 2>/dev/null)
 	else
 		kernel_mds_enabled=0
 	fi
@@ -5088,7 +5088,7 @@ check_mds_bsd()

 	_info_nol "* Kernel mitigation is active: "
 	if [ "$kernel_md_clear" = 1 ]; then
-		kernel_mds_state=$(sysctl -n hw.mds_disable_state 2>/dev/null)
+		kernel_mds_state=$(@sysctl@ -n hw.mds_disable_state 2>/dev/null)
 	else
 		kernel_mds_state=inactive
 	fi
@@ -5146,16 +5146,16 @@ check_mds_linux()
 		_info_nol "* Kernel supports using MD_CLEAR mitigation: "
 		kernel_md_clear=''
 		kernel_md_clear_can_tell=1
-		if [ "$opt_live" = 1 ] && grep ^flags "$procfs/cpuinfo" | grep -qw md_clear; then
+		if [ "$opt_live" = 1 ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw md_clear; then
 			kernel_md_clear="md_clear found in $procfs/cpuinfo"
 			pstatus green YES "$kernel_md_clear"
 		fi
 		if [ -z "$kernel_md_clear" ]; then
-			if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
+			if ! command -v "@strings@" >/dev/null 2>&1; then
 				kernel_md_clear_can_tell=0
 			elif [ -n "$kernel_err" ]; then
 				kernel_md_clear_can_tell=0
-			elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'Clear CPU buffers'; then
+			elif "@strings@" "$kernel" | @grep@ -q 'Clear CPU buffers'; then
 				_debug "md_clear: found 'Clear CPU buffers' string in kernel image"
 				kernel_md_clear='found md_clear implementation evidence in kernel image'
 				pstatus green YES "$kernel_md_clear"
@@ -5171,7 +5171,7 @@ check_mds_linux()

 		if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then
 			_info_nol "* Kernel mitigation is enabled and active: "
-			if echo "$fullmsg" | grep -qi ^mitigation; then
+			if echo "$fullmsg" | @grep@ -qi ^mitigation; then
 				mds_mitigated=1
 				pstatus green YES
 			else
@@ -5179,7 +5179,7 @@ check_mds_linux()
 				pstatus yellow NO
 			fi
 			_info_nol "* SMT is either mitigated or disabled: "
-			if echo "$fullmsg" | grep -Eq 'SMT (disabled|mitigated)'; then
+			if echo "$fullmsg" | @grep@ -Eq 'SMT (disabled|mitigated)'; then
 				mds_smt_mitigated=1
 				pstatus green YES
 			else
@@ -5265,7 +5265,7 @@ check_CVE_2019_11135()
 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
 	if [ "$os" = Linux ]; then
 		check_CVE_2019_11135_linux
-	elif echo "$os" | grep -q BSD; then
+	elif echo "$os" | @grep@ -q BSD; then
 		check_CVE_2019_11135_bsd
 	else
 		_warn "Unsupported OS ($os)"
@@ -5286,7 +5286,7 @@ check_CVE_2019_11135_linux()
 		kernel_taa=''
 		if [ -n "$kernel_err" ]; then
 			kernel_taa_err="$kernel_err"
-		elif grep -q 'tsx_async_abort' "$kernel"; then
+		elif @grep@ -q 'tsx_async_abort' "$kernel"; then
 			kernel_taa="found tsx_async_abort in kernel image"
 		fi
 		if [ -n "$kernel_taa" ]; then
@@ -5300,7 +5300,7 @@ check_CVE_2019_11135_linux()
 		_info_nol "* TAA mitigation enabled and active: "
 		if [ "$opt_live" = 1 ]; then
 			if [ -n "$fullmsg" ]; then
-				if echo "$fullmsg" | grep -qE '^Mitigation'; then
+				if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then
 					pstatus green YES "$fullmsg"
 				else
 					pstatus yellow NO
@@ -5335,9 +5335,9 @@ check_CVE_2019_11135_linux()
 	else
 		if [ "$opt_paranoid" = 1 ]; then
 			# in paranoid mode, TSX or SMT enabled are not OK, even if TAA is mitigated
-			if ! echo "$fullmsg" | grep -qF 'TSX disabled'; then
+			if ! echo "$fullmsg" | @grep@ -qF 'TSX disabled'; then
 				pvulnstatus $cve VULN "TSX must be disabled for full mitigation"
-			elif echo "$fullmsg" | grep -qF 'SMT vulnerable'; then
+			elif echo "$fullmsg" | @grep@ -qF 'SMT vulnerable'; then
 				pvulnstatus $cve VULN "SMT (HyperThreading) must be disabled for full mitigation"
 			else
 				pvulnstatus $cve "$status" "$msg"
@@ -5367,7 +5367,7 @@ check_CVE_2018_12207()
 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
 	if [ "$os" = Linux ]; then
 		check_CVE_2018_12207_linux
-	elif echo "$os" | grep -q BSD; then
+	elif echo "$os" | @grep@ -q BSD; then
 		check_CVE_2018_12207_bsd
 	else
 		_warn "Unsupported OS ($os)"
@@ -5391,7 +5391,7 @@ check_CVE_2018_12207_linux()
 		if [ -n "$kernel_err" ]; then
 			kernel_itlbmh_err="$kernel_err"
 		# commit 5219505fcbb640e273a0d51c19c38de0100ec5a9
-		elif grep -q 'itlb_multihit' "$kernel"; then
+		elif @grep@ -q 'itlb_multihit' "$kernel"; then
 			kernel_itlbmh="found itlb_multihit in kernel image"
 		fi
 		if [ -n "$kernel_itlbmh" ]; then
@@ -5405,7 +5405,7 @@ check_CVE_2018_12207_linux()
 		_info_nol "* iTLB Multihit mitigation enabled and active: "
 		if [ "$opt_live" = 1 ]; then
 			if [ -n "$fullmsg" ]; then
-				if echo "$fullmsg" | grep -qF 'Mitigation'; then
+				if echo "$fullmsg" | @grep@ -qF 'Mitigation'; then
 					pstatus green YES "$fullmsg"
 				else
 					pstatus yellow NO
@@ -5447,7 +5447,7 @@ check_CVE_2018_12207_linux()
 check_CVE_2018_12207_bsd()
 {
 	_info_nol "* Kernel supports disabling superpages for executable mappings under EPT: "
-	kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept 2>/dev/null)
+	kernel_2m_x_ept=$(@sysctl@ -n vm.pmap.allow_2m_x_ept 2>/dev/null)
 	if [ -z "$kernel_2m_x_ept" ]; then
 		pstatus yellow NO
 	else
@@ -5484,7 +5484,7 @@ check_CVE_2020_0543()
 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
 	if [ "$os" = Linux ]; then
 		check_CVE_2020_0543_linux
-	elif echo "$os" | grep -q BSD; then
+	elif echo "$os" | @grep@ -q BSD; then
 		check_CVE_2020_0543_bsd
 	else
 		_warn "Unsupported OS ($os)"
@@ -5505,7 +5505,7 @@ check_CVE_2020_0543_linux()
 		kernel_srbds=''
 		if [ -n "$kernel_err" ]; then
 			kernel_srbds_err="$kernel_err"
-		elif grep -q 'Dependent on hypervisor' "$kernel"; then
+		elif @grep@ -q 'Dependent on hypervisor' "$kernel"; then
 			kernel_srbds="found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation"
 		fi
 		if [ -n "$kernel_srbds" ]; then
@@ -5518,7 +5518,7 @@ check_CVE_2020_0543_linux()
 		_info_nol "* SRBDS mitigation control is enabled and active: "
 		if [ "$opt_live" = 1 ]; then
 			if [ -n "$fullmsg" ]; then
-				if echo "$fullmsg" | grep -qE '^Mitigation'; then
+				if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then
 					pstatus green YES "$fullmsg"
 				else
 					pstatus yellow NO
@@ -5608,8 +5608,8 @@ fi
 # now run the checks the user asked for
 for cve in $supported_cve_list
 do
-	if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | grep -qw "$cve"; then
-		check_"$(echo "$cve" | tr - _)"
+	if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | @grep@ -qw "$cve"; then
+		check_"$(echo "$cve" | @tr@ - _)"
 		_info
 	fi
 done
@@ -5623,17 +5623,17 @@ if [ "$bad_accuracy" = 1 ]; then
 	_warn "We're missing some kernel info (see -v), accuracy might be reduced"
 fi

-_vars=$(set | grep -Ev '^[A-Z_[:space:]]' | grep -v -F 'mockme=' | sort | tr "\n" '|')
+_vars=$(set | @grep@ -Ev '^[A-Z_[:space:]]' | @grep@ -v -F 'mockme=' | @sort@ | @tr@ "\n" '|')
 _debug "variables at end of script: $_vars"

 if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
-	if command -v "gzip" >/dev/null 2>&1; then
+	if command -v "@gzip@" >/dev/null 2>&1; then
 		# not a useless use of cat: gzipping cpuinfo directly doesn't work well
 		# shellcheck disable=SC2002
-		if command -v "base64" >/dev/null 2>&1; then
-			mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | base64 -w0)"
-		elif command -v "uuencode" >/dev/null 2>&1; then
-			mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | uuencode -m - | grep -Fv 'begin-base64' | grep -Fxv -- '====' | tr -d "\n")"
+		if command -v "@base64@" >/dev/null 2>&1; then
+			mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @base64@ -w0)"
+		elif command -v "@uuencode@" >/dev/null 2>&1; then
+			mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @uuencode@ -m - | @grep@ -Fv 'begin-base64' | @grep@ -Fxv -- '====' | @tr@ -d "\n")"
 		fi
 	fi
 	if [ -n "$mock_cpuinfo" ]; then
@@ -5642,7 +5642,7 @@ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
 	fi
 	_info ""
 	# shellcheck disable=SC2046
-	_warn "To mock this CPU, set those vars: "$(echo "$mockme" | sort -u)
+	_warn "To mock this CPU, set those vars: "$(echo "$mockme" | @sort@ -u)
 fi

 if [ "$opt_explain" = 0 ]; then
--
2.38.1