From: Liliana Marie Prikler <liliana.prikler@gmail.com>
To: Hilton Chain <hako@ultrarare.space>
Cc: 59053-done@debbugs.gnu.org
Subject: bug#59053: [PATCH v5] gnu: Add spectre-meltdown-checker.
Date: Sun, 13 Nov 2022 23:02:06 +0100
Message-ID: <ac1b13e0eb9516094b3fb543d91265e6fd48154f.camel@gmail.com>
In-Reply-To: <y76a64v2e84.wl-hako@ultrarare.space>
On Sunday, 13.11.2022 at 21:09 +0800, Hilton Chain wrote:
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch:
> New file.
> * gnu/local.mk (dist_patch_DATA): Add patches.
I renamed the patches for the ChangeLog, slightly rewrote their
explanations, ...
> gnu/local.mk | 2 +
> gnu/packages/linux.scm | 130 ++++++++++
> ...ker-remove-builtin-firmware-database.patch | 243
> ++++++++++++++++++
> ...n-checker-support-guix-system-kernel.patch | 26 ++
> 4 files changed, 401 insertions(+)
> create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> remove-builtin-firmware-database.patch
> create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index e3e02314bb..1e85790983 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1857,6 +1857,8 @@ dist_patch_DATA
> = \
> %D%/packages/patches/syslinux-strip-gnu-property.patch \
> %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch \
> %D%/packages/patches/snappy-add-inline-for-GCC.patch \
> + %D%/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch \
> + %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
> %D%/packages/patches/sphinxbase-fix-doxygen.patch \
> %D%/packages/patches/spice-vdagent-glib-2.68.patch \
> %D%/packages/patches/sssd-optional-systemd.patch \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index fea33dfa0b..03b7ce46b0 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9595,3 +9595,133 @@ (define-public edac-utils
> error detection and correction (EDAC).")
> (home-page "https://github.com/grondo/edac-utils")
> (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> + (package
> + (name "spectre-meltdown-checker")
> + (version "0.45")
> + (source (origin
> + (method git-fetch)
> + (uri (git-reference
> + (url
> "https://github.com/speed47/spectre-meltdown-checker")
> + (commit (string-append "v" version))))
> + (file-name (git-file-name name version))
> + (patches
> + (search-patches
> + "spectre-meltdown-checker-remove-builtin-firmware-
> database.patch"
> + ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> + "spectre-meltdown-checker-support-guix-system-
> kernel.patch"))
> + ;; Remove builtin firmware database.
> + (modules '((guix build utils)))
> + (snippet '(substitute* "spectre-meltdown-checker.sh"
> + (("^# [AI],.*") "")))
> + (sha256
> + (base32
> +
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> + (build-system copy-build-system)
> + (arguments
> + (list
> + #:install-plan
> + #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> + #:phases
> + #~(modify-phases %standard-phases
> + (add-after 'unpack 'fixpath
> + (lambda* (#:key inputs #:allow-other-keys)
> + (define* (find-command inputs cmd #:optional (bin
> "bin")
> + #:key (prefix "") (suffix ""))
> + (string-append
> + prefix (search-input-file inputs (string-append bin
> "/" cmd))
> + suffix))
> + (substitute* "spectre-meltdown-checker.sh"
> + ;; ${opt_arch_prefix}CMD
> + (((string-append
> + "\\$\\{opt_arch_prefix\\}"
> + "\\<(nm|objdump|readelf|strings)\\>") all cmd)
> + (find-command inputs cmd))
> +
> + ;; dd
> + (("(dd)( if=)" all cmd suffix)
> + (find-command inputs cmd #:suffix suffix))
> +
> + ;; Commands safe to substitute directly.
> + (((string-append "\\<(" (string-join
> + (list "awk"
> + "basename"
> + "dirname"
> + "bunzip2"
> + "gunzip"
> + "gzip"
> + "lz4"
> + "lzop"
> + "modprobe"
> + "pgrep"
> + "rmmod"
> + "umount"
> + "unlzma"
> + "unxz"
> + "unzstd"
> + "uuencode")
> + "|")
> + ")\\>") all cmd)
replaced these "clever" tricks with dumber ones,
> + (find-command inputs cmd))
> +
> + ;; Search by suffix.
> + ;; CMD -
> + ;; CMD ^
> + (((string-append "\\<(" (string-join
> + (list "base64"
> + "cut"
> + "grep"
> + "head"
> + "id"
> + "mount"
> + "mktemp"
> + "od"
> + "perl"
> + "rm"
> + "uname"
> + "xargs")
> + "|")
> + ")\\>( [-^])") all cmd suffix)
> + (find-command inputs cmd #:suffix suffix))
> + ;; CMD |
> + (("(dmesg)( \\|)" all cmd suffix)
> + (find-command inputs cmd #:suffix suffix))
> +
> + ;; Then prefix
> + ;; | CMD
> + (("(\\| )\\<(grep|sed|sort|stat|tr)\\>" all prefix
> cmd)
> + (find-command inputs cmd #:prefix prefix))
> + ;; $(CMD
> + (("(\\$\\( *)(sysctl)" all prefix cmd)
> + (find-command inputs cmd "sbin" #:prefix prefix))
> +
> (("(\\$\\()\\<(cat|find|grep|mount|nproc|stat|tr)\\>" all prefix cmd)
> + (find-command inputs cmd #:prefix prefix))
> + ;; if CMD
> + (("(if )(sysctl)" all prefix cmd)
> + (find-command inputs cmd "sbin" #:prefix prefix))
> + ;; command -v CMD
> + (("(command -v)
> \"*\\<(base64|nproc|perl|printf)\\>\"*" all prefix cmd)
> + (find-command inputs cmd #:prefix prefix))
> +
> + ;; Cats are mysterious...
> + ;; cat <<EOF
> + (("(cat)( <<EOF)" all cmd suffix)
> + (find-command inputs cmd #:suffix suffix))
> + ;; cat "$
> + (("(cat)(\"\\$)" all cmd suffix)
> + (find-command inputs cmd #:suffix suffix))
> + ;; 'cat'
> + (("(')(cat)(')" all prefix cmd suffix)
> + (find-command inputs cmd #:prefix prefix #:suffix
> suffix))
> + ;; "cat"
> + (("(\")(cat)(\")" all prefix cmd suffix)
> + (find-command inputs cmd #:prefix prefix #:suffix
> suffix))))))))
> + (inputs (list kmod lz4 lzop perl procps sharutils util-linux
> zstd))
> + (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> + (synopsis "CPU vulnerability / mitigation checker")
> + (description
> + "This package provides a shell script to assess your system's
> resilience
> +against the several transient execution CVEs that were published
> since early
> +2018, and give you guidance as to how to mitigate them.")
> + (license license:gpl3)))
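Review bot: the first `substitute*` clause of the `fixpath` phase (the `;; ${opt_arch_prefix}CMD` case) rewrites `${opt_arch_prefix}nm`, `objdump`, `readelf` and `strings` to a fixed store path of the build-time binutils, which drops the `opt_arch_prefix` variable entirely; the script's arch-prefix option then silently has no effect, so either keep the variable in front of the absolute path or also remove that option from `show_usage` in the Guix patch so users are not misled. Pinning every helper to an absolute store path is otherwise a good property for a script that is normally run as root (no `$PATH` lookups at runtime), but the word-boundary regexes such as `\\<(cat|find|grep|mount|nproc|stat|tr)\\>` are also free to match inside the script's own strings and comments, as the four separate `cat` cases already show; a cheap `sh -n spectre-meltdown-checker.sh` after the substitutions (in `fixpath` or a `check` phase) would catch a rewrite that breaks the script's syntax before it is installed.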
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-
> builtin-firmware-database.patch b/gnu/packages/patches/spectre-
> meltdown-checker-remove-builtin-firmware-database.patch
> new file mode 100644
> index 0000000000..809763cf4f
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch
> @@ -0,0 +1,243 @@
> +From 340b08737e552c3c186863d76d123808d853a159 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Sat, 12 Nov 2022 22:45:24 +0800
> +Subject: [PATCH] Remove builtin firmware database.
> +
> +1. Remove downloading function.
> +2. Add option for supplying a local database.
> +---
> + spectre-meltdown-checker.sh | 180 +++------------------------------
> ---
> + 1 file changed, 15 insertions(+), 165 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 30f760c..ce46970 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -22,8 +22,6 @@ exit_cleanup()
> + [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm
> -f "$dumped_config"
> + [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm
> -f "$kerneltmp"
> + [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm
> -f "$kerneltmp2"
> +- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm
> -f "$mcedb_tmp"
> +- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm
> -rf "$intel_tmp"
> + [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug
> 2>/dev/null
> + [ "${mounted_procfs:-}" = 1 ] && umount "$procfs"
> 2>/dev/null
> + [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
> +@@ -93,9 +91,7 @@ show_usage()
> + --vmm [auto,yes,no] override the detection of the
> presence of a hypervisor, default: auto
> + --allow-msr-write allow probing for write-only
> MSRs, this might produce kernel logs or be blocked by your system
> + --cpu [#,all] interact with CPUID and MSR
> of CPU core number #, or all (default: CPU core 0)
> +- --update-fwdb update our local copy of the
> CPU microcodes versions database (using the awesome
> +- MCExtractor project and the
> Intel firmwares GitHub repository)
> +- --update-builtin-fwdb same as --update-fwdb but
> update builtin DB inside the script itself
> ++ --with-fwdb FILE supply the CPU microcodes
> versions database
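Review bot: the new `--with-fwdb FILE` help line should state what format FILE is expected in (whether it is the same `# A,`/`# I,` line format that the package snippet strips from the script, or the MCExtractor output the removed `--update-fwdb` text referred to) and what the script does when the option is omitted now that the builtin copy is gone; since the script is typically run as root, the handler for this option (not shown here) should also treat FILE strictly as data read with `grep`/`awk` rather than sourcing it.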
and added a note regarding the (lack of) freedom for proprietary
microcode.
I also added your name and email to the authors of linux.scm, since
this was a very non-trivial package.
Cheers