* [bug#59053] [PATCH] gnu: Add spectre-meltdown-checker. @ 2022-11-05 15:57 Hilton Chain via Guix-patches via 2022-11-05 16:45 ` Liliana Marie Prikler 0 siblings, 1 reply; 12+ messages in thread From: Hilton Chain via Guix-patches via @ 2022-11-05 15:57 UTC (permalink / raw) To: 59053 * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch: New file. * gnu/packages/linux.scm (spectre-meltdown-checker): New variable. * gnu/local.mk (dist_patch_DATA): Add it. --- gnu/local.mk | 1 + gnu/packages/linux.scm | 41 +++++++++++++++++++ ...n-checker-support-guix-system-kernel.patch | 26 ++++++++++++ 3 files changed, 68 insertions(+) create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch diff --git a/gnu/local.mk b/gnu/local.mk index eb6ac3df58..88c1fa6278 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1848,6 +1848,7 @@ dist_patch_DATA = \ %D%/packages/patches/syslinux-strip-gnu-property.patch \ %D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \ %D%/packages/patches/snappy-add-inline-for-GCC.patch \ + %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \ %D%/packages/patches/sphinxbase-fix-doxygen.patch \ %D%/packages/patches/spice-vdagent-glib-2.68.patch \ %D%/packages/patches/sssd-optional-systemd.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index cf11a7fc1b..db199869a7 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm 
@@ -9512,3 +9512,44 @@ (define-public tp-smapi-module @acronym{SMAPI, System Management Application Program Interface} and direct access to the embedded controller.") (license license:gpl2+))) + +(define-public spectre-meltdown-checker + (package + (name "spectre-meltdown-checker") + (version "0.45") + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/speed47/spectre-meltdown-checker") + (commit (string-append "v" version)))) + (file-name (git-file-name name version)) + (patches + (search-patches + ;; https://github.com/speed47/spectre-meltdown-checker/pull/441 + "spectre-meltdown-checker-support-guix-system-kernel.patch")) + (sha256 + (base32 + "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8")))) + (build-system copy-build-system) + (arguments + (list #:install-plan + #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker")) + #:phases + #~(modify-phases %standard-phases + (add-after 'unpack 'fixpath + (lambda* (#:key inputs #:allow-other-keys) + (substitute* "spectre-meltdown-checker.sh" + (("\\$\\{opt_arch_prefix\\}readelf") + (search-input-file inputs "/bin/readelf")) + (("perl") + (search-input-file inputs "/bin/perl")))))))) + (inputs (list binutils perl)) + (home-page "https://github.com/speed47/spectre-meltdown-checker") + (synopsis + "Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad vulnerability / +mitigation checker for Linux & BSD") + (description + "A shell script to assess your system's resilience against the several +transient execution CVEs that were published since early 2018, and give you +guidance as to how to mitigate them.") + (license license:gpl3))) diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch new file mode 100644 index 0000000000..afec52b418 --- /dev/null +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch 
@@ -0,0 +1,26 @@ +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001 +From: Hilton Chain <hako@ultrarare.space> +Date: Sat, 5 Nov 2022 23:22:31 +0800 +Subject: [PATCH] Add support for Guix System kernel. + +--- + spectre-meltdown-checker.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh +index 248a444..855a090 100755 +--- a/spectre-meltdown-checker.sh ++++ b/spectre-meltdown-checker.sh +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then + [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)" + # NixOS: + [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel" ++ # Guix System: ++ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage" + # systemd kernel-install: + [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux" + # Clear Linux: + +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183 +-- +2.38.0 base-commit: 2211f50ec1ebcf5f880454b4133ac40e41abac21 -- 2.38.0 ^ permalink raw reply related [flat|nested] 12+ messages in thread
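Review bot: In the gnu/packages/linux.scm hunk, the `(("perl") (search-input-file inputs "/bin/perl"))` clause of the fixpath phase is an unanchored pattern, so it rewrites every occurrence of the four characters `perl` in spectre-meltdown-checker.sh, including any inside comments, user-facing messages or longer words, into a store path; restrict the pattern to a command position (for instance the leading whitespace or `$(` that precedes an invocation) or patch the specific call sites instead. The readelf clause likewise replaces `${opt_arch_prefix}readelf` with one fixed binutils path, so the `opt_arch_prefix` variable visible in the pattern no longer has any effect on which readelf runs; if that is intentional for the packaged script, say so in a comment next to the clause.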
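Review bot: In the spectre-meltdown-checker.sh hunk of the new patch file, the NixOS line directly above, `[ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"`, also succeeds on Guix System, because the added line tests a file inside that very path (`/run/booted-system/kernel/bzImage`), so opt_kernel is first set to the directory and only then overwritten by the Guix line. The fix therefore works only while the Guix check stays after the NixOS one; add a comment stating that the order matters, or change the NixOS test to `-f` so it no longer matches a directory. The patch file also has no header line explaining that it is the change proposed in upstream pull request 441; that pointer currently lives only in the `;;` comment in linux.scm, and the patch should carry it too.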
* [bug#59053] [PATCH] gnu: Add spectre-meltdown-checker. 2022-11-05 15:57 [bug#59053] [PATCH] gnu: Add spectre-meltdown-checker Hilton Chain via Guix-patches via @ 2022-11-05 16:45 ` Liliana Marie Prikler 2022-11-11 11:10 ` [bug#59053] [PATCH v2] " Hilton Chain via Guix-patches via 0 siblings, 1 reply; 12+ messages in thread From: Liliana Marie Prikler @ 2022-11-05 16:45 UTC (permalink / raw) To: Hilton Chain, 59053; +Cc: control merge 59053 49898 thanks Hi Hilton, thanks for the renewed interest in spectre-meltdown-checker. See the other thread for a general discussion, but I'll repeat the most important points. Am Samstag, dem 05.11.2022 um 23:57 +0800 schrieb Hilton Chain: > * gnu/packages/patches/spectre-meltdown-checker-support-guix-system- > kernel.patch: New file. > * gnu/packages/linux.scm (spectre-meltdown-checker): New variable. > * gnu/local.mk (dist_patch_DATA): Add it. Note that "Add it" lost its context because the new variable is between it and the file added. > --- > gnu/local.mk | 1 + > gnu/packages/linux.scm | 41 > +++++++++++++++++++ > ...n-checker-support-guix-system-kernel.patch | 26 ++++++++++++ > 3 files changed, 68 insertions(+) > create mode 100644 gnu/packages/patches/spectre-meltdown-checker- > support-guix-system-kernel.patch > > diff --git a/gnu/local.mk b/gnu/local.mk > index eb6ac3df58..88c1fa6278 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -1848,6 +1848,7 @@ dist_patch_DATA > = \ > %D%/packages/patches/syslinux-strip-gnu-property.patch \ > %D%/packages/patches/snappy-add-O2-flag-in- > CmakeLists.txt.patch \ > %D%/packages/patches/snappy-add-inline-for-GCC.patch \ > + %D%/packages/patches/spectre-meltdown-checker-support-guix-system- > kernel.patch \ > %D%/packages/patches/sphinxbase-fix-doxygen.patch \ > %D%/packages/patches/spice-vdagent-glib-2.68.patch \ > %D%/packages/patches/sssd-optional-systemd.patch \ > diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm > index cf11a7fc1b..db199869a7 100644 
> --- a/gnu/packages/linux.scm > +++ b/gnu/packages/linux.scm 
> @@ -9512,3 +9512,44 @@ (define-public tp-smapi-module > @acronym{SMAPI, System Management Application Program Interface} and > direct > access to the embedded controller.") > (license license:gpl2+))) > + > +(define-public spectre-meltdown-checker > + (package > + (name "spectre-meltdown-checker") > + (version "0.45") > + (source (origin > + (method git-fetch) > + (uri (git-reference > + (url > "https://github.com/speed47/spectre-meltdown-checker") > + (commit (string-append "v" version)))) > + (file-name (git-file-name name version)) > + (patches > + (search-patches > + ;; > https://github.com/speed47/spectre-meltdown-checker/pull/441 > + "spectre-meltdown-checker-support-guix-system- > kernel.patch")) > + (sha256 > + (base32 > + > "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8")))) > + (build-system copy-build-system) > + (arguments > + (list #:install-plan > + #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown- > checker")) > + #:phases > + #~(modify-phases %standard-phases > + (add-after 'unpack 'fixpath > + (lambda* (#:key inputs #:allow-other-keys) > + (substitute* "spectre-meltdown-checker.sh" > + (("\\$\\{opt_arch_prefix\\}readelf") > + (search-input-file inputs "/bin/readelf")) > + (("perl") > + (search-input-file inputs "/bin/perl")))))))) I'm pretty sure readelf and perl are not the only commands invoked. > + (inputs (list binutils perl)) > + (home-page > "https://github.com/speed47/spectre-meltdown-checker") > + (synopsis > + "Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad > vulnerability / > +mitigation checker for Linux & BSD") "for Linux & BSD" is gratuitous information imho. As for the vulnerabilities listed in the synopsis surely there must be a way of shortening that. > + (description > + "A shell script to assess your system's resilience against the > several > +transient execution CVEs that were published since early 2018, and > give you > +guidance as to how to mitigate them.") Not a full sentence. 
> + (license license:gpl3))) > diff --git a/gnu/packages/patches/spectre-meltdown-checker-support- > guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown- > checker-support-guix-system-kernel.patch > new file mode 100644 > index 0000000000..afec52b418 > --- /dev/null > +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix- > system-kernel.patch > @@ -0,0 +1,26 @@ > +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 > 2001 > +From: Hilton Chain <hako@ultrarare.space> > +Date: Sat, 5 Nov 2022 23:22:31 +0800 > +Subject: [PATCH] Add support for Guix System kernel. > + > +--- > + spectre-meltdown-checker.sh | 2 ++ > + 1 file changed, 2 insertions(+) > + > +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown- > checker.sh > +index 248a444..855a090 100755 > +--- a/spectre-meltdown-checker.sh > ++++ b/spectre-meltdown-checker.sh > +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then > + [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" > ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)" > + # NixOS: > + [ -e "/run/booted-system/kernel" ] && > opt_kernel="/run/booted-system/kernel" > ++ # Guix System: > ++ [ -e "/run/booted-system/kernel/bzImage" ] && > opt_kernel="/run/booted-system/kernel/bzImage" > + # systemd kernel-install: > + [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat > /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat > /etc/machine-id)/$(uname -r)/linux" > + # Clear Linux: > + > +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183 > +-- > +2.38.0 > > base-commit: 2211f50ec1ebcf5f880454b4133ac40e41abac21 This patch LGTM. Note that as discussed in the other thread, we'd also want the checker to not download proprietary firmware. Could you adjust the package accordingly? Cheers ^ permalink raw reply [flat|nested] 12+ messages in thread
* [bug#59053] [PATCH v2] gnu: Add spectre-meltdown-checker. 2022-11-05 16:45 ` Liliana Marie Prikler @ 2022-11-11 11:10 ` Hilton Chain via Guix-patches via 2022-11-11 15:13 ` Liliana Marie Prikler 0 siblings, 1 reply; 12+ messages in thread From: Hilton Chain via Guix-patches via @ 2022-11-11 11:10 UTC (permalink / raw) To: Liliana Marie Prikler; +Cc: control, 59053 * gnu/packages/linux.scm (spectre-meltdown-checker): New variable. * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch: New file. * gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch: New file. * gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch: New file. * gnu/local.mk (dist_patch_DATA): Add patches. --- v1 -> v2: gnu/local.mk | 3 + gnu/packages/linux.scm | 53 + ...ker-remove-builtin-firmware-database.patch | 554 +++++ ...cker-stage-commands-for-substitution.patch | 1947 +++++++++++++++++ ...n-checker-support-guix-system-kernel.patch | 26 + 5 files changed, 2583 insertions(+) create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch create mode 100644 gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch diff --git a/gnu/local.mk b/gnu/local.mk index 27b31ea27f..d518cd8641 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -1851,6 +1851,9 @@ dist_patch_DATA = \ %D%/packages/patches/syslinux-strip-gnu-property.patch \ %D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \ %D%/packages/patches/snappy-add-inline-for-GCC.patch \ + %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \ + %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch \ + %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \ %D%/packages/patches/sphinxbase-fix-doxygen.patch \ %D%/packages/patches/spice-vdagent-glib-2.68.patch \ %D%/packages/patches/sssd-optional-systemd.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 2c06269504..5a0d55833a 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm 
@@ -9595,3 +9595,56 @@ (define-public edac-utils error detection and correction (EDAC).") (home-page "https://github.com/grondo/edac-utils") (license license:gpl2+))) + +(define-public spectre-meltdown-checker + (package + (name "spectre-meltdown-checker") + (version "0.45") + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/speed47/spectre-meltdown-checker") + (commit (string-append "v" version)))) + (file-name (git-file-name name version)) + (patches + (search-patches + ;; https://github.com/speed47/spectre-meltdown-checker/pull/441 + "spectre-meltdown-checker-support-guix-system-kernel.patch" + ;; NOTE: Update these patches when updating. + "spectre-meltdown-checker-stage-commands-for-substitution.patch" + "spectre-meltdown-checker-remove-builtin-firmware-database.patch")) + (sha256 + (base32 + "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8")))) + (build-system copy-build-system) + (arguments + (list #:install-plan + #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker")) + #:phases + #~(modify-phases %standard-phases + (add-after 'unpack 'fixpath + (lambda* (#:key inputs #:allow-other-keys) + (substitute* "spectre-meltdown-checker.sh" + (("@sysctl@") (search-input-file inputs "/sbin/sysctl")) + (("@([a-z0-9]*)@" _ m _) + (search-input-file inputs (string-append "/bin/" m))))))))) + (inputs + (list binutils + coreutils + grep + kmod + lz4 + lzop + perl + procps + sharutils + util-linux + which + zstd)) + (home-page "https://github.com/speed47/spectre-meltdown-checker") + (synopsis "CPU vulnerability / mitigation checker") + (description + "This package provides a shell script to assess your system's resilience +against the several transient execution CVEs that were published since early +2018, and give you guidance as to how to mitigate them.") + (license license:gpl3))) 
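Review bot: In the fixpath phase, the generic clause `(("@([a-z0-9]*)@" _ m _) (search-input-file inputs (string-append "/bin/" m)))` only matches placeholders made of lowercase letters and digits, so any placeholder containing a hyphen, underscore or capital letter that the stage-commands patch introduces would survive the phase and ship unreplaced in bin/spectre-meltdown-checker; either widen the character class or add a check at the end of the phase that no `@...@` remains in the script. The `@sysctl@` clause must keep coming first, since the generic clause would otherwise map it to a nonexistent `/bin/sysctl`; a short comment on that ordering would help the next person who edits the phase. The `v1 -> v2:` section of the cover text is also empty; list the changes a reviewer of v1 asked for (the stage-commands and firmware-database patches, the expanded inputs, the shortened synopsis and the full-sentence description).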
diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch new file mode 100644 index 0000000000..e926551550 --- /dev/null +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch 
@@ -0,0 +1,554 @@ +From ac4bb2e61e4e8d195d560014816e107b315817ff Mon Sep 17 00:00:00 2001 +From: Hilton Chain <hako@ultrarare.space> +Date: Fri, 11 Nov 2022 18:55:25 +0800 +Subject: [PATCH 2/2] Remove builtin firmware database. + +--- + spectre-meltdown-checker.sh | 477 ++---------------------------------- + 1 file changed, 27 insertions(+), 450 deletions(-) + +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh +index 82cf1b6..79c4bb7 100755 +--- a/spectre-meltdown-checker.sh ++++ b/spectre-meltdown-checker.sh +@@ -95,7 +95,6 @@ show_usage() + --cpu [#,all] interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0) + --update-fwdb update our local copy of the CPU microcodes versions database (using the awesome + MCExtractor project and the Intel firmwares GitHub repository) +- --update-builtin-fwdb same as --update-fwdb but update builtin DB inside the script itself + --dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script + + Return codes: +@@ -853,9 +852,9 @@ update_fwdb() + mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)" + mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db' + _info_nol "Fetching MCE.db from the MCExtractor project... " +- if command -v wget >/dev/null 2>&1; then +- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$? +- elif command -v curl >/dev/null 2>&1; then ++ # if command -v wget >/dev/null 2>&1; then ++ # wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$? ++ if command -v curl >/dev/null 2>&1; then + curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$? + elif command -v fetch >/dev/null 2>&1; then + fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$? +@@ -874,9 +873,9 @@ update_fwdb() + intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip" + _info_nol "Fetching Intel firmwares... 
" + ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git +- if command -v wget >/dev/null 2>&1; then +- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$? +- elif command -v curl >/dev/null 2>&1; then ++ # if command -v wget >/dev/null 2>&1; then ++ # wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$? ++ if command -v curl >/dev/null 2>&1; then + curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$? + elif command -v fetch >/dev/null 2>&1; then + fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$? +@@ -969,13 +968,13 @@ update_fwdb() + } > "$mcedb_cache" + echo DONE "(version $dbversion)" + +- if [ "$1" = builtin ]; then +- newfile=$(@mktemp@ -t smc-builtin-XXXXXX) +- @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile" +- @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile" +- @cat@ "$newfile" > "$0" +- @rm@ -f "$newfile" +- fi ++ # if [ "$1" = builtin ]; then ++ # newfile=$(@mktemp@ -t smc-builtin-XXXXXX) ++ # @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile" ++ # @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile" ++ # @cat@ "$newfile" > "$0" ++ # @rm@ -f "$newfile" ++ # fi + } + + parse_opt_file() +@@ -1070,9 +1069,9 @@ while [ -n "${1:-}" ]; do + elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then + update_fwdb + exit $? +- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then +- update_fwdb builtin +- exit $? ++ # elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then ++ # update_fwdb builtin ++ # exit $? 
+ elif [ "$1" = "--dump-mock-data" ]; then + opt_mock=1 + shift +@@ -2033,22 +2032,22 @@ is_xen_domU() + fi + } + +-builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0") ++# builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0") + if [ -r "$mcedb_cache" ]; then + # we have a local cache file, but it might be older than the builtin version we have + local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache") + # sort -V sorts by version number +- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1) +- if [ "$older_dbversion" = "$builtin_dbversion" ]; then ++ # older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1) ++ # if [ "$older_dbversion" = "$builtin_dbversion" ]; then + mcedb_source="$mcedb_cache" + mcedb_info="local firmwares DB $local_dbversion" +- fi ++ # fi + fi + # if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db +-if [ -z "${mcedb_source:-}" ]; then +- mcedb_source="$0" +- mcedb_info="builtin firmwares DB $builtin_dbversion" +-fi ++# if [ -z "${mcedb_source:-}" ]; then ++# mcedb_source="$0" ++# mcedb_info="builtin firmwares DB $builtin_dbversion" ++# fi + read_mcedb() + { + @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source" +@@ -2070,6 +2069,9 @@ is_latest_known_ucode() + else + return 2 + fi ++ if [ -z "$mcedb_source" ]; then ++ return 2 ++ fi + for tuple in $(read_mcedb | @grep@ "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")") + do + ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) )) +@@ -5833,428 +5835,3 @@ fi + [ "$global_critical" = 1 ] && exit 2 # critical + [ "$global_unknown" = 1 ] && exit 3 # unknown + exit 0 # ok +- +-# We're using MCE.db from the excellent platomav's MCExtractor project +-# The builtin version follows, but the user can download an up-to-date copy (to be stored in his $HOME) by using --update-fwdb +-# To update the builtin 
version itself (by *modifying* this very file), use --update-builtin-fwdb +- +-# %%% MCEDB v222+i20220208 +-# I,0x00000611,0x00000B27,19961218 +-# I,0x00000612,0x000000C6,19961210 +-# I,0x00000616,0x000000C6,19961210 +-# I,0x00000617,0x000000C6,19961210 +-# I,0x00000619,0x000000D2,19980218 +-# I,0x00000630,0x00000013,19960827 +-# I,0x00000632,0x00000020,19960903 +-# I,0x00000633,0x00000036,19980923 +-# I,0x00000634,0x00000037,19980923 +-# I,0x00000650,0x00000045,19990525 +-# I,0x00000651,0x00000042,19990525 +-# I,0x00000652,0x0000002D,19990518 +-# I,0x00000653,0x00000010,19990628 +-# I,0x00000660,0x0000000A,19990505 +-# I,0x00000665,0x00000003,19990505 +-# I,0x0000066A,0x0000000D,19990505 +-# I,0x0000066D,0x00000007,19990505 +-# I,0x00000670,0x00000007,19980602 +-# I,0x00000671,0x00000014,19980811 +-# I,0x00000672,0x00000038,19990922 +-# I,0x00000673,0x0000002E,19990910 +-# I,0x00000680,0x00000017,19990610 +-# I,0x00000681,0x00000014,19991209 +-# I,0x00000683,0x00000014,20010206 +-# I,0x00000686,0x00000008,20000505 +-# I,0x0000068A,0x00000005,20001207 +-# I,0x00000690,0x00000004,20000206 +-# I,0x00000691,0x00000001,20020527 +-# I,0x00000692,0x00000001,20020620 +-# I,0x00000694,0x00000002,20020926 +-# I,0x00000695,0x00000047,20041109 +-# I,0x00000696,0x00000001,20000707 +-# I,0x000006A0,0x00000003,20000110 +-# I,0x000006A1,0x00000001,20000306 +-# I,0x000006A4,0x00000001,20000616 +-# I,0x000006B0,0x0000001A,20010129 +-# I,0x000006B1,0x0000001D,20010220 +-# I,0x000006B4,0x00000002,20020111 +-# I,0x000006D0,0x00000006,20030522 +-# I,0x000006D1,0x00000009,20030709 +-# I,0x000006D2,0x00000010,20030814 +-# I,0x000006D6,0x00000018,20041017 +-# I,0x000006D8,0x00000021,20060831 +-# I,0x000006E0,0x00000008,20050215 +-# I,0x000006E1,0x0000000C,20050413 +-# I,0x000006E4,0x00000026,20050816 +-# I,0x000006E8,0x0000003C,20060208 +-# I,0x000006EC,0x0000005B,20070208 +-# I,0x000006F0,0x00000005,20050818 +-# I,0x000006F1,0x00000012,20051129 +-# I,0x000006F2,0x0000005D,20101002 +-# 
I,0x000006F4,0x00000028,20060417 +-# I,0x000006F5,0x00000039,20060727 +-# I,0x000006F6,0x000000D2,20101001 +-# I,0x000006F7,0x0000006B,20101002 +-# I,0x000006F9,0x00000084,20061012 +-# I,0x000006FA,0x00000095,20101002 +-# I,0x000006FB,0x000000C1,20111004 +-# I,0x000006FD,0x000000A4,20101002 +-# I,0x00000F00,0xFFFF0001,20000130 +-# I,0x00000F01,0xFFFF0007,20000404 +-# I,0x00000F02,0xFFFF000B,20000518 +-# I,0x00000F03,0xFFFF0001,20000518 +-# I,0x00000F04,0xFFFF0010,20000803 +-# I,0x00000F05,0x0000000C,20000824 +-# I,0x00000F06,0x00000004,20000911 +-# I,0x00000F07,0x00000012,20020716 +-# I,0x00000F08,0x00000008,20001101 +-# I,0x00000F09,0x00000008,20010104 +-# I,0x00000F0A,0x00000015,20020821 +-# I,0x00000F11,0x0000000A,20030729 +-# I,0x00000F12,0x0000002F,20030502 +-# I,0x00000F13,0x00000005,20030508 +-# I,0x00000F20,0x00000001,20010423 +-# I,0x00000F21,0x00000003,20010529 +-# I,0x00000F22,0x00000005,20030729 +-# I,0x00000F23,0x0000000D,20010817 +-# I,0x00000F24,0x00000021,20030610 +-# I,0x00000F25,0x0000002C,20040826 +-# I,0x00000F26,0x00000010,20040805 +-# I,0x00000F27,0x00000039,20030604 +-# I,0x00000F29,0x0000002F,20040811 +-# I,0x00000F30,0x00000013,20030815 +-# I,0x00000F31,0x0000000B,20031021 +-# I,0x00000F32,0x0000000A,20040511 +-# I,0x00000F33,0x0000000C,20050421 +-# I,0x00000F34,0x00000017,20050421 +-# I,0x00000F36,0x00000007,20040309 +-# I,0x00000F37,0x00000003,20031218 +-# I,0x00000F40,0x00000006,20040318 +-# I,0x00000F41,0x00000017,20050422 +-# I,0x00000F42,0x00000003,20050421 +-# I,0x00000F43,0x00000005,20050421 +-# I,0x00000F44,0x00000006,20050421 +-# I,0x00000F46,0x00000004,20050411 +-# I,0x00000F47,0x00000003,20050421 +-# I,0x00000F48,0x0000000E,20080115 +-# I,0x00000F49,0x00000003,20050421 +-# I,0x00000F4A,0x00000004,20051214 +-# I,0x00000F60,0x00000005,20050124 +-# I,0x00000F61,0x00000008,20050610 +-# I,0x00000F62,0x0000000F,20051215 +-# I,0x00000F63,0x00000005,20051010 +-# I,0x00000F64,0x00000004,20051223 +-# I,0x00000F65,0x0000000B,20070510 +-# 
I,0x00000F66,0x0000001B,20060310 +-# I,0x00000F68,0x00000009,20060714 +-# I,0x00001632,0x00000002,19980610 +-# I,0x00010650,0x00000002,20060513 +-# I,0x00010660,0x00000004,20060612 +-# I,0x00010661,0x00000045,20101004 +-# I,0x00010670,0x00000005,20070209 +-# I,0x00010671,0x00000106,20070329 +-# I,0x00010674,0x84050100,20070726 +-# I,0x00010676,0x00000612,20150802 +-# I,0x00010677,0x0000070D,20150802 +-# I,0x0001067A,0x00000A0E,20150729 +-# I,0x000106A0,0xFFFF001A,20071128 +-# I,0x000106A1,0xFFFF000B,20080220 +-# I,0x000106A2,0xFFFF0019,20080714 +-# I,0x000106A4,0x00000013,20150630 +-# I,0x000106A5,0x0000001D,20180511 +-# I,0x000106C0,0x00000007,20070824 +-# I,0x000106C1,0x00000109,20071203 +-# I,0x000106C2,0x00000219,20090410 +-# I,0x000106C9,0x00000007,20090213 +-# I,0x000106CA,0x00000107,20090825 +-# I,0x000106D0,0x00000005,20071204 +-# I,0x000106D1,0x0000002A,20150803 +-# I,0x000106E0,0xFFFF0022,20090116 +-# I,0x000106E1,0xFFFF000D,20090206 +-# I,0x000106E2,0xFFFF0011,20090924 +-# I,0x000106E3,0xFFFF0011,20090512 +-# I,0x000106E4,0x00000003,20130701 +-# I,0x000106E5,0x0000000A,20180508 +-# I,0x000106F0,0xFFFF0009,20090210 +-# I,0x000106F1,0xFFFF0007,20090210 +-# I,0x00020650,0xFFFF0008,20090218 +-# I,0x00020651,0xFFFF0018,20090818 +-# I,0x00020652,0x00000011,20180508 +-# I,0x00020654,0xFFFF0007,20091124 +-# I,0x00020655,0x00000007,20180423 +-# I,0x00020661,0x00000105,20110718 +-# I,0x000206A0,0x00000029,20091102 +-# I,0x000206A1,0x00000007,20091223 +-# I,0x000206A2,0x00000027,20100502 +-# I,0x000206A3,0x00000009,20100609 +-# I,0x000206A4,0x00000022,20100414 +-# I,0x000206A5,0x00000007,20100722 +-# I,0x000206A6,0x90030028,20100924 +-# I,0x000206A7,0x0000002F,20190217 +-# I,0x000206C0,0xFFFF001C,20091214 +-# I,0x000206C1,0x00000006,20091222 +-# I,0x000206C2,0x0000001F,20180508 +-# I,0x000206D0,0x80000006,20100816 +-# I,0x000206D1,0x80000106,20101201 +-# I,0x000206D2,0xAF506958,20110714 +-# I,0x000206D3,0xAF50696A,20110816 +-# I,0x000206D5,0xAF5069E5,20120118 +-# 
I,0x000206D6,0x00000621,20200304 +-# I,0x000206D7,0x0000071A,20200324 +-# I,0x000206E0,0xE3493401,20090108 +-# I,0x000206E1,0xE3493402,20090224 +-# I,0x000206E2,0xFFFF0004,20081001 +-# I,0x000206E3,0xE4486547,20090701 +-# I,0x000206E4,0xFFFF0008,20090619 +-# I,0x000206E5,0xFFFF0018,20091215 +-# I,0x000206E6,0x0000000D,20180515 +-# I,0x000206F0,0x00000005,20100729 +-# I,0x000206F1,0x00000008,20101013 +-# I,0x000206F2,0x0000003B,20180516 +-# I,0x00030650,0x00000009,20120118 +-# I,0x00030651,0x00000110,20131014 +-# I,0x00030660,0x00000003,20101103 +-# I,0x00030661,0x0000010F,20150721 +-# I,0x00030669,0x0000010D,20130515 +-# I,0x00030671,0x00000117,20130410 +-# I,0x00030672,0x0000022E,20140401 +-# I,0x00030673,0x83290100,20190916 +-# I,0x00030678,0x00000838,20190422 +-# I,0x00030679,0x0000090D,20190710 +-# I,0x000306A0,0x00000007,20110407 +-# I,0x000306A2,0x0000000C,20110725 +-# I,0x000306A4,0x00000007,20110908 +-# I,0x000306A5,0x00000009,20111110 +-# I,0x000306A6,0x00000004,20111114 +-# I,0x000306A8,0x00000010,20120220 +-# I,0x000306A9,0x00000021,20190213 +-# I,0x000306C0,0xFFFF0013,20111110 +-# I,0x000306C1,0xFFFF0014,20120725 +-# I,0x000306C2,0xFFFF0006,20121017 +-# I,0x000306C3,0x00000028,20191112 +-# I,0x000306D1,0xFFFF0009,20131015 +-# I,0x000306D2,0xFFFF0009,20131219 +-# I,0x000306D3,0xE3121338,20140825 +-# I,0x000306D4,0x0000002F,20191112 +-# I,0x000306E0,0xE920080F,20121113 +-# I,0x000306E2,0xE9220827,20130523 +-# I,0x000306E3,0x00000308,20130321 +-# I,0x000306E4,0x0000042E,20190314 +-# I,0x000306E6,0x00000600,20130619 +-# I,0x000306E7,0x00000715,20190314 +-# I,0x000306F0,0xFFFF0017,20130730 +-# I,0x000306F1,0xD141D629,20140416 +-# I,0x000306F2,0x00000049,20210811 +-# I,0x000306F3,0x0000000D,20160211 +-# I,0x000306F4,0x0000001A,20210524 +-# I,0x00040650,0xFFFF000B,20121206 +-# I,0x00040651,0x00000026,20191112 +-# I,0x00040660,0xFFFF0011,20121012 +-# I,0x00040661,0x0000001C,20191112 +-# I,0x00040670,0xFFFF0006,20140304 +-# I,0x00040671,0x00000022,20191112 +-# 
I,0x000406A0,0x80124001,20130521 +-# I,0x000406A8,0x0000081F,20140812 +-# I,0x000406A9,0x0000081F,20140812 +-# I,0x000406C1,0x0000010B,20140814 +-# I,0x000406C2,0x00000221,20150218 +-# I,0x000406C3,0x00000368,20190423 +-# I,0x000406C4,0x00000411,20190423 +-# I,0x000406D0,0x0000000E,20130612 +-# I,0x000406D8,0x0000012D,20190916 +-# I,0x000406E1,0x00000020,20141111 +-# I,0x000406E2,0x0000002C,20150521 +-# I,0x000406E3,0x000000EC,20210428 +-# I,0x000406E8,0x00000026,20160414 +-# I,0x000406F0,0x00000014,20150702 +-# I,0x000406F1,0x0B000040,20210519 +-# I,0x00050650,0x8000002B,20160208 +-# I,0x00050651,0x8000002B,20160208 +-# I,0x00050652,0x80000037,20170502 +-# I,0x00050653,0x0100015C,20210526 +-# I,0x00050654,0x02006C0A,20210616 +-# I,0x00050655,0x03000012,20190412 +-# I,0x00050656,0x0400320A,20210813 +-# I,0x00050657,0x0500320A,20210813 +-# I,0x0005065A,0x86002302,20210416 +-# I,0x0005065B,0x07002402,20210604 +-# I,0x00050661,0xF1000008,20150130 +-# I,0x00050662,0x0000001C,20190617 +-# I,0x00050663,0x0700001C,20210612 +-# I,0x00050664,0x0F00001A,20210612 +-# I,0x00050665,0x0E000014,20210918 +-# I,0x00050670,0xFFFF0030,20151113 +-# I,0x00050671,0x000001B6,20180108 +-# I,0x000506A0,0x00000038,20150112 +-# I,0x000506C2,0x00000014,20180511 +-# I,0x000506C8,0x90011010,20160323 +-# I,0x000506C9,0x00000046,20210510 +-# I,0x000506CA,0x00000022,20210622 +-# I,0x000506D1,0x00000102,20150605 +-# I,0x000506E0,0x00000018,20141119 +-# I,0x000506E1,0x0000002A,20150602 +-# I,0x000506E2,0x0000002E,20150815 +-# I,0x000506E3,0x000000F0,20211112 +-# I,0x000506E8,0x00000034,20160710 +-# I,0x000506F0,0x00000010,20160607 +-# I,0x000506F1,0x00000036,20210510 +-# I,0x00060660,0x0000000C,20160821 +-# I,0x00060661,0x0000000E,20170128 +-# I,0x00060662,0x00000022,20171129 +-# I,0x00060663,0x0000002A,20180417 +-# I,0x000606A0,0x80000031,20200308 +-# I,0x000606A4,0x0B000280,20200817 +-# I,0x000606A5,0x0C0002F0,20210308 +-# I,0x000606A6,0x0D000332,20211217 +-# I,0x000606E0,0x0000000B,20161104 +-# 
I,0x000606E1,0x00000108,20190423 +-# I,0x000706A0,0x00000026,20170712 +-# I,0x000706A1,0x00000038,20210510 +-# I,0x000706A8,0x0000001C,20210510 +-# I,0x000706E0,0x0000002C,20180614 +-# I,0x000706E1,0x00000042,20190420 +-# I,0x000706E2,0x00000042,20190420 +-# I,0x000706E3,0x81000008,20181002 +-# I,0x000706E4,0x00000046,20190905 +-# I,0x000706E5,0x000000A8,20210526 +-# I,0x00080650,0x00000018,20180108 +-# I,0x00080664,0x0B00000F,20210217 +-# I,0x00080665,0x0B00000F,20210217 +-# I,0x000806A0,0x00000010,20190507 +-# I,0x000806A1,0x0000002D,20210902 +-# I,0x000806C0,0x00000068,20200402 +-# I,0x000806C1,0x0000009C,20211026 +-# I,0x000806C2,0x00000022,20210716 +-# I,0x000806D0,0x00000050,20201217 +-# I,0x000806D1,0x0000003C,20210716 +-# I,0x000806E9,0x000000EC,20210428 +-# I,0x000806EA,0x000000EC,20210428 +-# I,0x000806EB,0x000000EC,20210428 +-# I,0x000806EC,0x000000EC,20210428 +-# I,0x00090660,0x00000009,20200617 +-# I,0x00090661,0x00000015,20210921 +-# I,0x00090670,0x00000019,20201111 +-# I,0x00090671,0x0000001C,20210614 +-# I,0x00090672,0x0000001F,20220303 +-# I,0x00090674,0x00000219,20210425 +-# I,0x00090675,0x0000001F,20220303 +-# I,0x000906A0,0x0000001C,20210614 +-# I,0x000906A1,0x0000011F,20211104 +-# I,0x000906A2,0x00000315,20220102 +-# I,0x000906A3,0x0000041B,20220308 +-# I,0x000906A4,0x0000041B,20220308 +-# I,0x000906C0,0x2400001F,20210809 +-# I,0x000906E9,0x000000F0,20211112 +-# I,0x000906EA,0x000000EC,20210428 +-# I,0x000906EB,0x000000EC,20210428 +-# I,0x000906EC,0x000000EC,20210428 +-# I,0x000906ED,0x000000EC,20210428 +-# I,0x000A0650,0x000000BE,20191010 +-# I,0x000A0651,0x000000C2,20191113 +-# I,0x000A0652,0x000000EC,20210428 +-# I,0x000A0653,0x000000EC,20210428 +-# I,0x000A0654,0x000000C6,20200123 +-# I,0x000A0655,0x000000EE,20210428 +-# I,0x000A0660,0x000000EA,20210428 +-# I,0x000A0661,0x000000EC,20210429 +-# I,0x000A0670,0x0000002C,20201124 +-# I,0x000A0671,0x00000050,20210829 +-# I,0x000A0680,0x80000002,20200121 +-# I,0x000B0670,0x00000009,20211115 +-# 
I,0x000B06F2,0x0000001F,20220303 +-# I,0x000B06F5,0x0000001F,20220303 +-# A,0x00000F00,0x02000008,20070614 +-# A,0x00000F01,0x0000001C,20021031 +-# A,0x00000F10,0x00000003,20020325 +-# A,0x00000F11,0x0000001F,20030220 +-# A,0x00000F48,0x00000046,20040719 +-# A,0x00000F4A,0x00000047,20040719 +-# A,0x00000F50,0x00000024,20021212 +-# A,0x00000F51,0x00000025,20030115 +-# A,0x00010F50,0x00000041,20040225 +-# A,0x00020F10,0x0000004D,20050428 +-# A,0x00040F01,0xC0012102,20050916 +-# A,0x00040F0A,0x00000068,20060920 +-# A,0x00040F13,0x0000007A,20080508 +-# A,0x00040F14,0x00000062,20060127 +-# A,0x00040F1B,0x0000006D,20060920 +-# A,0x00040F33,0x0000007B,20080514 +-# A,0x00060F80,0x00000083,20060929 +-# A,0x000C0F1B,0x0000006E,20060921 +-# A,0x000F0F00,0x00000005,20020627 +-# A,0x000F0F01,0x00000015,20020627 +-# A,0x00100F00,0x01000020,20070326 +-# A,0x00100F20,0x010000CA,20100331 +-# A,0x00100F22,0x010000C9,20100331 +-# A,0x00100F40,0x01000085,20080501 +-# A,0x00100F41,0x010000DB,20111024 +-# A,0x00100F42,0x01000092,20081021 +-# A,0x00100F43,0x010000C8,20100311 +-# A,0x00100F62,0x010000C7,20100311 +-# A,0x00100F80,0x010000DA,20111024 +-# A,0x00100F81,0x010000D9,20111012 +-# A,0x00100FA0,0x010000DC,20111024 +-# A,0x00120F00,0x03000002,20100324 +-# A,0x00200F30,0x02000018,20070921 +-# A,0x00200F31,0x02000057,20080502 +-# A,0x00200F32,0x02000034,20080307 +-# A,0x00300F01,0x0300000E,20101004 +-# A,0x00300F10,0x03000027,20111309 +-# A,0x00500F00,0x0500000B,20100601 +-# A,0x00500F01,0x0500001A,20100908 +-# A,0x00500F10,0x05000029,20130121 +-# A,0x00500F20,0x05000119,20130118 +-# A,0x00580F00,0x0500000B,20100601 +-# A,0x00580F01,0x0500001A,20100908 +-# A,0x00580F10,0x05000028,20101124 +-# A,0x00580F20,0x05000103,20110526 +-# A,0x00600F00,0x06000017,20101029 +-# A,0x00600F01,0x0600011F,20110227 +-# A,0x00600F10,0x06000425,20110408 +-# A,0x00600F11,0x0600050D,20110627 +-# A,0x00600F12,0x0600063E,20180207 +-# A,0x00600F20,0x06000852,20180206 +-# A,0x00610F00,0x0600100E,20111102 +-# 
A,0x00610F01,0x0600111F,20180305 +-# A,0x00630F00,0x0600301C,20130817 +-# A,0x00630F01,0x06003109,20180227 +-# A,0x00660F00,0x06006012,20141014 +-# A,0x00660F01,0x0600611A,20180126 +-# A,0x00670F00,0x06006705,20180220 +-# A,0x00680F00,0x06000017,20101029 +-# A,0x00680F01,0x0600011F,20110227 +-# A,0x00680F10,0x06000410,20110314 +-# A,0x00690F00,0x06001009,20110613 +-# A,0x00700F00,0x0700002A,20121218 +-# A,0x00700F01,0x07000110,20180209 +-# A,0x00730F00,0x07030009,20131206 +-# A,0x00730F01,0x07030106,20180209 +-# A,0x00800F00,0x0800002A,20161006 +-# A,0x00800F10,0x0800100C,20170131 +-# A,0x00800F11,0x08001138,20190204 +-# A,0x00800F12,0x0800126E,20211111 +-# A,0x00800F82,0x0800820D,20190416 +-# A,0x00810F00,0x08100004,20161120 +-# A,0x00810F10,0x08101016,20190430 +-# A,0x00810F11,0x08101103,20190417 +-# A,0x00810F80,0x08108002,20180605 +-# A,0x00810F81,0x08108109,20190417 +-# A,0x00820F00,0x08200002,20180214 +-# A,0x00820F01,0x08200103,20190417 +-# A,0x00830F00,0x08300027,20190401 +-# A,0x00830F10,0x08301052,20211111 +-# A,0x00850F00,0x08500004,20180212 +-# A,0x00860F00,0x0860000E,20200127 +-# A,0x00860F01,0x08600106,20200619 +-# A,0x00860F81,0x08608103,20200702 +-# A,0x00870F00,0x08700004,20181206 +-# A,0x00870F10,0x08701021,20200125 +-# A,0x00A00F00,0x0A000033,20200413 +-# A,0x00A00F10,0x0A001053,20211217 +-# A,0x00A00F11,0x0A00115D,20211119 +-# A,0x00A00F12,0x0A001227,20211215 +-# A,0x00A00F80,0x0A008003,20211015 +-# A,0x00A00F82,0x0A008204,20211015 +-# A,0x00A20F00,0x0A200025,20200121 +-# A,0x00A20F10,0x0A201016,20210408 +-# A,0x00A20F12,0x0A201205,20210719 +-# A,0x00A50F00,0x0A50000C,20201208 +-- +2.38.1 + diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch new file mode 100644 index 0000000000..a2f13e4195 --- /dev/null +++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch 
@@ -0,0 +1,1947 @@ +From 4dc8ae01aec5a8a2aa2afc015603261d514620ae Mon Sep 17 00:00:00 2001 +From: Hilton Chain <hako@ultrarare.space> +Date: Fri, 11 Nov 2022 18:49:50 +0800 +Subject: [PATCH 1/2] Stage commands for later substitution. + +awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find, getent, +grep, gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm, +nproc, objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat, +strings, sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, which, +whoami, xargs. +--- + spectre-meltdown-checker.sh | 648 ++++++++++++++++++------------------ + 1 file changed, 324 insertions(+), 324 deletions(-) + +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh +index 30f760c..82cf1b6 100755 +--- a/spectre-meltdown-checker.sh ++++ b/spectre-meltdown-checker.sh +@@ -19,33 +19,33 @@ trap '_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT + exit_cleanup() + { + # cleanup the temp decompressed config & kernel image +- [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config" +- [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp" +- [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2" +- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm -f "$mcedb_tmp" +- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm -rf "$intel_tmp" +- [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null +- [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null +- [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null +- [ "${insmod_msr:-}" = 1 ] && rmmod msr 2>/dev/null ++ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && @rm@ -f "$dumped_config" ++ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && @rm@ -f "$kerneltmp" ++ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && @rm@ -f "$kerneltmp2" ++ [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && @rm@ -f "$mcedb_tmp" ++ [ -n "${intel_tmp:-}" ] && [ -d 
"$intel_tmp" ] && @rm@ -rf "$intel_tmp" ++ [ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug 2>/dev/null ++ [ "${mounted_procfs:-}" = 1 ] && @umount@ "$procfs" 2>/dev/null ++ [ "${insmod_cpuid:-}" = 1 ] && @rmmod@ cpuid 2>/dev/null ++ [ "${insmod_msr:-}" = 1 ] && @rmmod@ msr 2>/dev/null + [ "${kldload_cpuctl:-}" = 1 ] && kldunload cpuctl 2>/dev/null + [ "${kldload_vmm:-}" = 1 ] && kldunload vmm 2>/dev/null + } + + # if we were git clone'd, adjust VERSION +-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then +- describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null) +- [ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e s/^v//) ++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null 2>&1; then ++ describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty 2>/dev/null) ++ [ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e s/^v//) + fi + + show_usage() + { + # shellcheck disable=SC2086 +- cat <<EOF ++ @cat@ <<EOF + Usage: +- Live mode (auto): $(basename $0) [options] +- Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live +- Offline mode: $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> ++ Live mode (auto): $(@basename@ $0) [options] ++ Live mode (manual): $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live ++ Offline mode: $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> + + Modes: + Two modes are available. 
+@@ -110,7 +110,7 @@ EOF + + show_disclaimer() + { +- cat <<EOF ++ @cat@ <<EOF + Disclaimer: + + This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the +@@ -138,7 +138,7 @@ This tool has been released in the hope that it'll be useful, but don't use it t + EOF + } + +-os=$(uname -s) ++os=$(@uname@ -s) + + # parse options + opt_kernel='' +@@ -207,7 +207,7 @@ __echo() + _interpret_chars='-e' + fi + _ctrlchar=$($echo_cmd $_interpret_chars "\033") +- _msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g") ++ _msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g") + fi + if [ "$echo_cmd_type" = printf ]; then + if [ "$opt" = "-n" ]; then +@@ -383,7 +383,7 @@ is_cpu_affected() + # https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not affected + # https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown affected + # model name : Pentium(R) Dual-Core CPU E5200 @ 2.50GHz +- if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then ++ if echo "$cpu_friendly_name" | @grep@ -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then + variant1=vuln + [ -z "$variant2" ] && variant2=immune + variant3=vuln +@@ -486,7 +486,7 @@ is_cpu_affected() + i=$(( i + 1 )) + # do NOT quote $cpu_arch_list below + # shellcheck disable=SC2086 +- cpuarch=$(echo $cpu_arch_list | awk '{ print $'$i' }') ++ cpuarch=$(echo $cpu_arch_list | @awk@ '{ print $'$i' }') + _debug "checking cpu$i: <$cpupart> <$cpuarch>" + # some kernels report AArch64 instead of 8 + [ "$cpuarch" = "AArch64" ] && cpuarch=8 +@@ -497,49 +497,49 @@ is_cpu_affected() + # part ? ? c08 c09 c0d c0f c0e d07 d08 d09 d0a d0b d0c d0d + # arch 7? 7? 
7 7 7 7 7 8 8 8 8 8 8 8 + # +- # Whitelist identified non-affected processors, use vulnerability information from ++ # Whitelist identified non-affected processors, use vulnerability information from + # https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability + # Partnumbers can be found here: + # https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in + # + # Maintain cumulative check of vulnerabilities - + # if at least one of the cpu is affected, then the system is affected +- if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then ++ if [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then + variant1=vuln + variant2=vuln + [ -z "$variant3" ] && variant3=immune + [ -z "$variant3a" ] && variant3a=immune + [ -z "$variant4" ] && variant4=immune + _debug "checking cpu$i: armv7 A8/A9/A12/A17 non affected to variants 3, 3a & 4" +- elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc0f; then ++ elif [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc0f; then + variant1=vuln + variant2=vuln + [ -z "$variant3" ] && variant3=immune + variant3a=vuln + [ -z "$variant4" ] && variant4=immune + _debug "checking cpu$i: armv7 A15 non affected to variants 3 & 4" +- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then ++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd07 -e 0xd08; then + variant1=vuln + variant2=vuln + [ -z "$variant3" ] && variant3=immune + variant3a=vuln + variant4=vuln + _debug "checking cpu$i: armv8 A57/A72 non affected to variants 3" +- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd09; then ++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd09; then + variant1=vuln + variant2=vuln + [ -z "$variant3" ] && variant3=immune + [ -z "$variant3a" ] && variant3a=immune + variant4=vuln + _debug "checking cpu$i: armv8 A73 non affected to variants 
3 & 3a" +- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0a; then ++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0a; then + variant1=vuln + variant2=vuln + variant3=vuln + [ -z "$variant3a" ] && variant3a=immune + variant4=vuln + _debug "checking cpu$i: armv8 A75 non affected to variant 3a" +- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then ++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then + variant1=vuln + [ -z "$variant2" ] && variant2=immune + [ -z "$variant3" ] && variant3=immune +@@ -820,7 +820,7 @@ is_cpu_ssb_free() + if [ "$cpu_family" = "18" ] || \ + [ "$cpu_family" = "17" ] || \ + [ "$cpu_family" = "16" ] || \ +- [ "$cpu_family" = "15" ]; then ++ [ "$cpu_family" = "15" ]; then + return 0 + fi + fi +@@ -837,7 +837,7 @@ show_header() + _info + } + +-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)" ++[ -z "$HOME" ] && HOME="$(@getent@ passwd "$(@whoami@)" | @cut@ -d: -f6)" + mcedb_cache="$HOME/.mcedb" + update_fwdb() + { +@@ -846,11 +846,11 @@ update_fwdb() + set -e + + if [ -r "$mcedb_cache" ]; then +- previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache") ++ previous_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache") + fi + + # first, download the MCE.db from the excellent platomav's MCExtractor project +- mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)" ++ mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)" + mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db' + _info_nol "Fetching MCE.db from the MCExtractor project... 
" + if command -v wget >/dev/null 2>&1; then +@@ -870,7 +870,7 @@ update_fwdb() + echo DONE + + # second, get the Intel firmwares from GitHub +- intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)" ++ intel_tmp="$(@mktemp@ -d -t smc-intelfw-XXXXXX)" + intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip" + _info_nol "Fetching Intel firmwares... " + ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git +@@ -930,20 +930,20 @@ update_fwdb() + fi + # 079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev 0x0217, size 5120 + # 078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev 0x0107, size 5120 +- $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line ++ $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | @grep@ -wF sig | while read -r _line + do +- _line=$( echo "$_line" | tr -d ',') +- _cpuid=$( echo "$_line" | awk '{print $3}') ++ _line=$( echo "$_line" | @tr@ -d ',') ++ _cpuid=$( echo "$_line" | @awk@ '{print $3}') + _cpuid=$(( _cpuid )) + _cpuid=$(printf "0x%08X" "$_cpuid") +- _date=$( echo "$_line" | awk '{print $6}' | tr -d '-') +- _version=$(echo "$_line" | awk '{print $8}') ++ _date=$( echo "$_line" | @awk@ '{print $6}' | @tr@ -d '-') ++ _version=$(echo "$_line" | @awk@ '{print $8}') + _version=$(( _version )) + _version=$(printf "0x%08X" "$_version") + _sqlstm="$(printf "INSERT INTO Intel (origin,cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")" + sqlite3 "$mcedb_tmp" "$_sqlstm" + done +- _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null) ++ _intel_timestamp=$(@stat@ -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null) + if [ -n "$_intel_timestamp" ]; then + # use this date, it matches the last commit date 
+ _intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp") +@@ -964,17 +964,17 @@ update_fwdb() + { + echo "# Spectre & Meltdown Checker"; + echo "# %%% MCEDB v$dbversion"; +- sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,'; +- sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,'; ++ sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,'; ++ sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,'; + } > "$mcedb_cache" + echo DONE "(version $dbversion)" + + if [ "$1" = builtin ]; then +- newfile=$(mktemp -t smc-builtin-XXXXXX) +- awk '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile" +- awk '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile" +- cat "$newfile" > "$0" +- rm -f "$newfile" ++ newfile=$(@mktemp@ -t smc-builtin-XXXXXX) ++ @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile" ++ @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile" ++ @cat@ "$newfile" > "$0" ++ @rm@ -f "$newfile" + fi + } + +@@ -1055,7 +1055,7 @@ while [ -n "${1:-}" ]; do + elif [ "$1" = "--cpu" ]; then + opt_cpu=$2 + if [ "$opt_cpu" != all ]; then +- if echo 
"$opt_cpu" | grep -Eq '^[0-9]+'; then ++ if echo "$opt_cpu" | @grep@ -Eq '^[0-9]+'; then + opt_cpu=$(( opt_cpu )) + else + echo "$0: error: --cpu should be an integer or 'all', got '$opt_cpu'" >&2 +@@ -1103,7 +1103,7 @@ while [ -n "${1:-}" ]; do + echo "$0: error: option --cve expects a parameter, supported CVEs are: $supported_cve_list" >&2 + exit 255 + fi +- selected_cve=$(echo "$supported_cve_list" | grep -iwo "$2") ++ selected_cve=$(echo "$supported_cve_list" | @grep@ -iwo "$2") + if [ -n "$selected_cve" ]; then + opt_cve_list="$opt_cve_list $selected_cve" + opt_cve_all=0 +@@ -1308,14 +1308,14 @@ check_kernel() + # a damaged ELF file and validate it, check for stderr warnings too + + # the warning "readelf: Warning: [16]: Link field (0) should index a symtab section./" can appear on valid kernels, ignore it +- _readelf_warnings=$("${opt_arch_prefix}readelf" -S "$_file" 2>&1 >/dev/null | grep -v 'should index a symtab section' | tr "\n" "/"); ret=$? +- _readelf_sections=$("${opt_arch_prefix}readelf" -S "$_file" 2>/dev/null | grep -c -e data -e text -e init) +- _kernel_size=$(stat -c %s "$_file" 2>/dev/null || stat -f %z "$_file" 2>/dev/null || echo 10000) ++ _readelf_warnings=$("@readelf@" -S "$_file" 2>&1 >/dev/null | @grep@ -v 'should index a symtab section' | @tr@ "\n" "/"); ret=$? ++ _readelf_sections=$("@readelf@" -S "$_file" 2>/dev/null | @grep@ -c -e data -e text -e init) ++ _kernel_size=$(@stat@ -c %s "$_file" 2>/dev/null || @stat@ -f %z "$_file" 2>/dev/null || echo 10000) + _debug "check_kernel: ret=$? size=$_kernel_size sections=$_readelf_sections warnings=$_readelf_warnings" + if [ "$_mode" = desperate ]; then +- if "${opt_arch_prefix}strings" "$_file" | grep -Eq '^Linux version '; then ++ if "@strings@" "$_file" | @grep@ -Eq '^Linux version '; then + _debug "check_kernel (desperate): ... matched!" 
+- if [ "$_readelf_sections" = 0 ] && grep -qF -e armv6 -e armv7 "$_file"; then ++ if [ "$_readelf_sections" = 0 ] && @grep@ -qF -e armv6 -e armv7 "$_file"; then + _debug "check_kernel (desperate): raw arm binary found, adjusting objdump options" + objdump_options="-D -b binary -marm" + else +@@ -1348,7 +1348,7 @@ try_decompress() + + # Try to find the header ($1) and decompress from here + _debug "try_decompress: looking for $3 magic in $6" +- for pos in $(tr "$1\n$2" "\n$2=" < "$6" | grep -abo "^$2") ++ for pos in $(@tr@ "$1\n$2" "\n$2=" < "$6" | @grep@ -abo "^$2") + do + _debug "try_decompress: magic for $3 found at offset $pos" + if ! command -v "$3" >/dev/null 2>&1; then +@@ -1375,11 +1375,11 @@ try_decompress() + kernel="$kerneltmp" + _debug "try_decompress: decompressed with $3 successfully!" + return 0 +- elif [ "$3" != "cat" ]; then ++ elif [ "$3" != "@cat@" ]; then + _debug "try_decompress: decompression with $3 worked but result is not a kernel, trying with an offset" +- [ -z "$kerneltmp2" ] && kerneltmp2=$(mktemp -t smc-kernel-XXXXXX) +- cat "$kerneltmp" > "$kerneltmp2" +- try_decompress '\177ELF' xxy 'cat' '' cat "$kerneltmp2" && return 0 ++ [ -z "$kerneltmp2" ] && kerneltmp2=$(@mktemp@ -t smc-kernel-XXXXXX) ++ @cat@ "$kerneltmp" > "$kerneltmp2" ++ try_decompress '\177ELF' xxy '@cat@' '' cat "$kerneltmp2" && return 0 + else + _debug "try_decompress: decompression with $3 worked but result is not a kernel" + fi +@@ -1391,12 +1391,12 @@ extract_kernel() + { + [ -n "${1:-}" ] || return 1 + # Prepare temp files: +- kerneltmp="$(mktemp -t smc-kernel-XXXXXX)" ++ kerneltmp="$(@mktemp@ -t smc-kernel-XXXXXX)" + + # Initial attempt for uncompressed images or objects: + if check_kernel "$1"; then + _debug "extract_kernel: found kernel is valid, no decompression needed" +- cat "$1" > "$kerneltmp" ++ @cat@ "$1" > "$kerneltmp" + kernel=$kerneltmp + return 0 + fi +@@ -1405,14 +1405,14 @@ extract_kernel() + for pass in 1 2; do + for mode in normal desperate; do + 
_debug "extract_kernel: pass $pass $mode mode" +- try_decompress '\037\213\010' xy gunzip '' gunzip "$1" "$mode" "$pass" && return 0 +- try_decompress '\002\041\114\030' xyy 'lz4' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0 +- try_decompress '\3757zXZ\000' abcde unxz '' xz-utils "$1" "$mode" "$pass" && return 0 +- try_decompress 'BZh' xy bunzip2 '' bzip2 "$1" "$mode" "$pass" && return 0 +- try_decompress '\135\0\0\0' xxx unlzma '' xz-utils "$1" "$mode" "$pass" && return 0 +- try_decompress '\211\114\132' xy 'lzop' '-d' lzop "$1" "$mode" "$pass" && return 0 +- try_decompress '\177ELF' xxy 'cat' '' cat "$1" "$mode" "$pass" && return 0 +- try_decompress '(\265/\375' xxy unzstd '' zstd "$1" "$mode" "$pass" && return 0 ++ try_decompress '\037\213\010' xy @gunzip@ '' gunzip "$1" "$mode" "$pass" && return 0 ++ try_decompress '\002\041\114\030' xyy '@lz4@' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0 ++ try_decompress '\3757zXZ\000' abcde @unxz@ '' xz-utils "$1" "$mode" "$pass" && return 0 ++ try_decompress 'BZh' xy @bunzip2@ '' bzip2 "$1" "$mode" "$pass" && return 0 ++ try_decompress '\135\0\0\0' xxx @unlzma@ '' xz-utils "$1" "$mode" "$pass" && return 0 ++ try_decompress '\211\114\132' xy '@lzop@' '-d' lzop "$1" "$mode" "$pass" && return 0 ++ try_decompress '\177ELF' xxy '@cat@' '' cat "$1" "$mode" "$pass" && return 0 ++ try_decompress '(\265/\375' xxy @unzstd@ '' zstd "$1" "$mode" "$pass" && return 0 + done + done + # kernel_err might already have been populated by try_decompress() if we're missing one of the tools +@@ -1429,7 +1429,7 @@ mount_debugfs() + { + if [ ! -e /sys/kernel/debug/sched_features ]; then + # try to mount the debugfs hierarchy ourselves and remember it to umount afterwards +- mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1 ++ @mount@ -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1 + fi + } + +@@ -1440,12 +1440,12 @@ load_msr() + load_msr_once=1 + + if [ "$os" = Linux ]; then +- if ! 
grep -qw msr "$procfs/modules" 2>/dev/null; then +- modprobe msr 2>/dev/null && insmod_msr=1 ++ if ! @grep@ -qw msr "$procfs/modules" 2>/dev/null; then ++ @modprobe@ msr 2>/dev/null && insmod_msr=1 + _debug "attempted to load module msr, insmod_msr=$insmod_msr" + else + _debug "msr module already loaded" +- fi ++ fi + else + if ! kldstat -q -m cpuctl; then + kldload cpuctl 2>/dev/null && kldload_cpuctl=1 +@@ -1463,12 +1463,12 @@ load_cpuid() + load_cpuid_once=1 + + if [ "$os" = Linux ]; then +- if ! grep -qw cpuid "$procfs/modules" 2>/dev/null; then +- modprobe cpuid 2>/dev/null && insmod_cpuid=1 ++ if ! @grep@ -qw cpuid "$procfs/modules" 2>/dev/null; then ++ @modprobe@ cpuid 2>/dev/null && insmod_cpuid=1 + _debug "attempted to load module cpuid, insmod_cpuid=$insmod_cpuid" + else + _debug "cpuid module already loaded" +- fi ++ fi + else + if ! kldstat -q -m cpuctl; then + kldload cpuctl 2>/dev/null && kldload_cpuctl=1 +@@ -1557,7 +1557,7 @@ read_cpuid_one_core() + fi + # on some kernel versions, /dev/cpu/0/cpuid doesn't imply that the cpuid module is loaded, in that case dd returns an error, + # we use that fact to load the module if dd returns an error +- if ! dd if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then ++ if ! @dd@ if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then + load_cpuid + fi + # we need _leaf to be converted to decimal for dd +@@ -1568,14 +1568,14 @@ read_cpuid_one_core() + _ddskip=$(( _position / 16 )) + _odskip=$(( _position - _ddskip * 16 )) + # now read the value +- _cpuid=$(dd if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | od -j $((_odskip * 16)) -A n -t u4) ++ _cpuid=$(@dd@ if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | @od@ -j $((_odskip * 16)) -A n -t u4) + elif [ -e /dev/cpuctl0 ]; then + # BSD + if [ ! 
-r /dev/cpuctl0 ]; then + read_cpuid_msg="Couldn't read cpuid info from cpuctl" + return $READ_CPUID_RET_ERR + fi +- _cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | cut -d: -f2-) ++ _cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | @cut@ -d: -f2-) + # cpuid level 0x4, level_type 0x2: 0x1c004143 0x01c0003f 0x000001ff 0x00000000 + else + read_cpuid_msg="Found no way to read cpuid info" +@@ -1598,7 +1598,7 @@ read_cpuid_one_core() + fi + + # get the value of the register we want +- _reg=$(echo "$_cpuid" | awk '{print $'"$_register"'}') ++ _reg=$(echo "$_cpuid" | @awk@ '{print $'"$_register"'}') + # Linux returns it as decimal, BSD as hex, normalize to decimal + _reg=$(( _reg )) + # shellcheck disable=SC2046 +@@ -1626,11 +1626,11 @@ dmesg_grep() + # grep for something in dmesg, ensuring that the dmesg buffer + # has not been truncated + dmesg_grepped='' +- if ! dmesg | grep -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then ++ if ! 
@dmesg@ | @grep@ -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then + # dmesg truncated + return 2 + fi +- dmesg_grepped=$(dmesg | grep -E "$1" | head -1) ++ dmesg_grepped=$(@dmesg@ | @grep@ -E "$1" | @head@ -1) + # not found: + [ -z "$dmesg_grepped" ] && return 1 + # found, output is in $dmesg_grepped +@@ -1647,12 +1647,12 @@ parse_cpu_details() + { + [ "${parse_cpu_details_done:-}" = 1 ] && return 0 + +- if command -v nproc >/dev/null; then +- number_of_cores=$(nproc) +- elif echo "$os" | grep -q BSD; then +- number_of_cores=$(sysctl -n hw.ncpu 2>/dev/null || echo 1) ++ if command -v @nproc@ >/dev/null; then ++ number_of_cores=$(@nproc@) ++ elif echo "$os" | @grep@ -q BSD; then ++ number_of_cores=$(@sysctl@ -n hw.ncpu 2>/dev/null || echo 1) + elif [ -e "$procfs/cpuinfo" ]; then +- number_of_cores=$(grep -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1) ++ number_of_cores=$(@grep@ -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1) + else + # if we don't know, default to 1 CPU + number_of_cores=1 +@@ -1660,43 +1660,43 @@ parse_cpu_details() + max_core_id=$(( number_of_cores - 1 )) + + if [ -e "$procfs/cpuinfo" ]; then +- cpu_vendor=$( grep '^vendor_id' "$procfs/cpuinfo" | awk '{print $3}' | head -1) +- cpu_friendly_name=$(grep '^model name' "$procfs/cpuinfo" | cut -d: -f2- | head -1 | sed -e 's/^ *//') ++ cpu_vendor=$( @grep@ '^vendor_id' "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1) ++ cpu_friendly_name=$(@grep@ '^model name' "$procfs/cpuinfo" | @cut@ -d: -f2- | @head@ -1 | @sed@ -e 's/^ *//') + # special case for ARM follows +- if grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then ++ if @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then + cpu_vendor='ARM' + # some devices (phones or other) have several ARMs and as such different part numbers, + # an example is "bigLITTLE", so we need to store the whole list, this is needed for is_cpu_affected +- cpu_part_list=$(awk 
'/CPU part/ {print $4}' "$procfs/cpuinfo") +- cpu_arch_list=$(awk '/CPU architecture/ {print $3}' "$procfs/cpuinfo") ++ cpu_part_list=$(@awk@ '/CPU part/ {print $4}' "$procfs/cpuinfo") ++ cpu_arch_list=$(@awk@ '/CPU architecture/ {print $3}' "$procfs/cpuinfo") + # take the first one to fill the friendly name, do NOT quote the vars below + # shellcheck disable=SC2086 +- cpu_arch=$(echo $cpu_arch_list | awk '{ print $1 }') ++ cpu_arch=$(echo $cpu_arch_list | @awk@ '{ print $1 }') + # shellcheck disable=SC2086 +- cpu_part=$(echo $cpu_part_list | awk '{ print $1 }') ++ cpu_part=$(echo $cpu_part_list | @awk@ '{ print $1 }') + [ "$cpu_arch" = "AArch64" ] && cpu_arch=8 + cpu_friendly_name="ARM" + [ -n "$cpu_arch" ] && cpu_friendly_name="$cpu_friendly_name v$cpu_arch" + [ -n "$cpu_part" ] && cpu_friendly_name="$cpu_friendly_name model $cpu_part" + +- elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then ++ elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then + cpu_vendor='CAVIUM' +- elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then ++ elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then + cpu_vendor='PHYTIUM' + fi + +- cpu_family=$( grep '^cpu family' "$procfs/cpuinfo" | awk '{print $4}' | grep -E '^[0-9]+$' | head -1) +- cpu_model=$( grep '^model' "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1) +- cpu_stepping=$(grep '^stepping' "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1) +- cpu_ucode=$( grep '^microcode' "$procfs/cpuinfo" | awk '{print $3}' | head -1) ++ cpu_family=$( @grep@ '^cpu family' "$procfs/cpuinfo" | @awk@ '{print $4}' | @grep@ -E '^[0-9]+$' | @head@ -1) ++ cpu_model=$( @grep@ '^model' "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1) ++ cpu_stepping=$(@grep@ '^stepping' "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1) ++ cpu_ucode=$( 
@grep@ '^microcode' "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1) + else +- cpu_vendor=$( dmesg | grep -i -m1 'Origin=' | cut -f2 -w | cut -f2 -d= | cut -f2 -d\" ) +- cpu_family=$( dmesg | grep -i -m1 'Family=' | cut -f4 -w | cut -f2 -d= ) ++ cpu_vendor=$( @dmesg@ | @grep@ -i -m1 'Origin=' | @cut@ -f2 -w | @cut@ -f2 -d= | @cut@ -f2 -d\" ) ++ cpu_family=$( @dmesg@ | @grep@ -i -m1 'Family=' | @cut@ -f4 -w | @cut@ -f2 -d= ) + cpu_family=$(( cpu_family )) +- cpu_model=$( dmesg | grep -i -m1 'Model=' | cut -f5 -w | cut -f2 -d= ) ++ cpu_model=$( @dmesg@ | @grep@ -i -m1 'Model=' | @cut@ -f5 -w | @cut@ -f2 -d= ) + cpu_model=$(( cpu_model )) +- cpu_stepping=$( dmesg | grep -i -m1 'Stepping=' | cut -f6 -w | cut -f2 -d= ) +- cpu_friendly_name=$(sysctl -n hw.model 2>/dev/null) ++ cpu_stepping=$( @dmesg@ | @grep@ -i -m1 'Stepping=' | @cut@ -f6 -w | @cut@ -f2 -d= ) ++ cpu_friendly_name=$(@sysctl@ -n hw.model 2>/dev/null) + fi + + if [ -n "${SMC_MOCK_CPU_FRIENDLY_NAME:-}" ]; then +@@ -1751,7 +1751,7 @@ parse_cpu_details() + # call CPUID + cpucontrol -i 1 /dev/cpuctl0 >/dev/null + # read MSR +- cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | awk '{print $3}') ++ cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | @awk@ '{print $3}') + # convert to decimal + cpu_ucode=$(( cpu_ucode )) + # convert back to hex +@@ -1770,7 +1770,7 @@ parse_cpu_details() + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CPU_UCODE='$cpu_ucode'") + fi + +- echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$(( cpu_ucode )) ++ echo "$cpu_ucode" | @grep@ -q ^0x && cpu_ucode=$(( cpu_ucode )) + ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid") + + # also define those that we will need in other funcs +@@ -1867,8 +1867,8 @@ is_cpu_smt_enabled() + { + # SMT / HyperThreading is enabled if siblings != cpucores + if [ -e "$procfs/cpuinfo" ]; then +- _siblings=$(awk '/^siblings/ {print $3;exit}' "$procfs/cpuinfo") +- 
_cpucores=$(awk '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo") ++ _siblings=$(@awk@ '/^siblings/ {print $3;exit}' "$procfs/cpuinfo") ++ _cpucores=$(@awk@ '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo") + if [ -n "$_siblings" ] && [ -n "$_cpucores" ]; then + if [ "$_siblings" = "$_cpucores" ]; then + return 1 +@@ -1916,10 +1916,10 @@ is_ucode_blacklisted() + $INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b \ + $INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712 + do +- model=$(echo "$tuple" | cut -d, -f1) +- stepping=$(( $(echo "$tuple" | cut -d, -f2) )) ++ model=$(echo "$tuple" | @cut@ -d, -f1) ++ stepping=$(( $(echo "$tuple" | @cut@ -d, -f2) )) + if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" = "$stepping" ]; then +- ucode=$(( $(echo "$tuple" | cut -d, -f3) )) ++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) )) + if [ "$cpu_ucode" = "$ucode" ]; then + _debug "is_ucode_blacklisted: we have a match! ($cpu_model/$cpu_stepping/$cpu_ucode)" + return 0 +@@ -2007,7 +2007,7 @@ is_xen_dom0() + return 1 + fi + +- if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d" "$procfs/xen/capabilities"; then ++ if [ -e "$procfs/xen/capabilities" ] && @grep@ -q "control_d" "$procfs/xen/capabilities"; then + return 0 + else + return 1 +@@ -2033,12 +2033,12 @@ is_xen_domU() + fi + } + +-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0") ++builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0") + if [ -r "$mcedb_cache" ]; then + # we have a local cache file, but it might be older than the builtin version we have +- local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache") ++ local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache") + # sort -V sorts by version number +- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | sort -V | head -n1) ++ older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1) + if [ "$older_dbversion" = "$builtin_dbversion" ]; then + mcedb_source="$mcedb_cache" + 
mcedb_info="local firmwares DB $local_dbversion" +@@ -2051,7 +2051,7 @@ if [ -z "${mcedb_source:-}" ]; then + fi + read_mcedb() + { +- awk '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source" ++ @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source" + } + + is_latest_known_ucode() +@@ -2070,10 +2070,10 @@ is_latest_known_ucode() + else + return 2 + fi +- for tuple in $(read_mcedb | grep "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")") ++ for tuple in $(read_mcedb | @grep@ "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")") + do +- ucode=$(( $(echo "$tuple" | cut -d, -f3) )) +- ucode_date=$(echo "$tuple" | cut -d, -f4 | sed -r 's=(....)(..)(..)=\1/\2/\3=') ++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) )) ++ ucode_date=$(echo "$tuple" | @cut@ -d, -f4 | @sed@ -r 's=(....)(..)(..)=\1/\2/\3=') + _debug "is_latest_known_ucode: with cpuid $cpu_cpuid has ucode $cpu_ucode, last known is $ucode from $ucode_date" + ucode_latest=$(printf "latest version is 0x%x dated $ucode_date according to $mcedb_info" "$ucode") + if [ "$cpu_ucode" -ge "$ucode" ]; then +@@ -2098,7 +2098,7 @@ get_cmdline() + kernel_cmdline="$SMC_MOCK_CMDLINE" + return + else +- kernel_cmdline=$(cat "$procfs/cmdline") ++ kernel_cmdline=$(@cat@ "$procfs/cmdline") + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CMDLINE='$kernel_cmdline'") + fi + } +@@ -2106,7 +2106,7 @@ get_cmdline() + # ENTRYPOINT + + # we can't do anything useful under WSL +-if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then ++if @uname@ -a | @grep@ -qE -- '-Microsoft #[0-9]+-Microsoft '; then + _warn "This script doesn't work under Windows Subsystem for Linux" + _warn "You should use the official Microsoft tool instead." 
+ _warn "It can be found under https://aka.ms/SpeculationControlPS" +@@ -2155,15 +2155,15 @@ fi + + # if we're under a BSD, try to mount linprocfs for "$procfs/cpuinfo" + procfs=/proc +-if echo "$os" | grep -q BSD; then ++if echo "$os" | @grep@ -q BSD; then + _debug "We're under BSD, check if we have procfs" +- procfs=$(mount | awk '/^linprocfs/ { print $3; exit; }') ++ procfs=$(@mount@ | @awk@ '/^linprocfs/ { print $3; exit; }') + if [ -z "$procfs" ]; then + _debug "we don't, try to mount it" + procfs=/proc + [ -d /compat/linux/proc ] && procfs=/compat/linux/proc + test -d $procfs || mkdir $procfs +- if mount -t linprocfs linprocfs $procfs 2>/dev/null; then ++ if @mount@ -t linprocfs linprocfs $procfs 2>/dev/null; then + mounted_procfs=1 + _debug "procfs just mounted at $procfs" + else +@@ -2195,14 +2195,14 @@ fi + + if [ "$opt_live" = 1 ]; then + # root check (only for live mode, for offline mode, we already checked if we could read the files) +- if [ "$(id -u)" -ne 0 ]; then ++ if [ "$(@id@ -u)" -ne 0 ]; then + _warn "Note that you should launch this script with root privileges to get accurate information." + _warn "We'll proceed but you might see permission denied errors." 
+ _warn "To run it as root, you can try the following command: sudo $0" + _warn + fi + _info "Checking for vulnerabilities on current system" +- _info "Kernel is \033[35m$os $(uname -r) $(uname -v) $(uname -m)\033[0m" ++ _info "Kernel is \033[35m$os $(@uname@ -r) $(@uname@ -v) $(@uname@ -m)\033[0m" + _info "CPU is \033[35m$cpu_friendly_name\033[0m" + + # try to find the image of the current running kernel +@@ -2210,12 +2210,12 @@ if [ "$opt_live" = 1 ]; then + # specified by user on cmdline, with --live, don't override + : + # first, look for the BOOT_IMAGE hint in the kernel cmdline +- elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then +- opt_kernel=$(echo "$kernel_cmdline" | grep -Eo 'BOOT_IMAGE=[^ ]+' | cut -d= -f2) ++ elif echo "$kernel_cmdline" | @grep@ -q 'BOOT_IMAGE='; then ++ opt_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo 'BOOT_IMAGE=[^ ]+' | @cut@ -d= -f2) + _debug "found opt_kernel=$opt_kernel in $procfs/cmdline" + # if the boot partition is within a btrfs subvolume, strip the subvolume name + # if /boot is a separate subvolume, the remainder of the code in this section should handle it +- if echo "$opt_kernel" | grep -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi ++ if echo "$opt_kernel" | @grep@ -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | @sed@ "s:/@[^/]*::"); fi + # if we have a dedicated /boot partition, our bootloader might have just called it / + # so try to prepend /boot and see if we find anything + [ -e "/boot/$opt_kernel" ] && opt_kernel="/boot/$opt_kernel" +@@ -2227,7 +2227,7 @@ if [ "$opt_live" = 1 ]; then + # if we didn't find a kernel, default to guessing + if [ ! 
-e "$opt_kernel" ]; then + # Fedora: +- [ -e "/lib/modules/$(uname -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(uname -r)/vmlinuz" ++ [ -e "/lib/modules/$(@uname@ -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(@uname@ -r)/vmlinuz" + # Slackware: + [ -e "/boot/vmlinuz" ] && opt_kernel="/boot/vmlinuz" + # Arch aarch64: +@@ -2241,24 +2241,24 @@ if [ "$opt_live" = 1 ]; then + # pine64 + [ -e "/boot/pine64/Image" ] && opt_kernel="/boot/pine64/Image" + # generic: +- [ -e "/boot/vmlinuz-$(uname -r)" ] && opt_kernel="/boot/vmlinuz-$(uname -r)" +- [ -e "/boot/kernel-$( uname -r)" ] && opt_kernel="/boot/kernel-$( uname -r)" +- [ -e "/boot/bzImage-$(uname -r)" ] && opt_kernel="/boot/bzImage-$(uname -r)" ++ [ -e "/boot/vmlinuz-$(@uname@ -r)" ] && opt_kernel="/boot/vmlinuz-$(@uname@ -r)" ++ [ -e "/boot/kernel-$( @uname@ -r)" ] && opt_kernel="/boot/kernel-$( @uname@ -r)" ++ [ -e "/boot/bzImage-$(@uname@ -r)" ] && opt_kernel="/boot/bzImage-$(@uname@ -r)" + # Gentoo: +- [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ++ [ -e "/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)" ] && opt_kernel="/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)" + # NixOS: + [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel" + # Guix System: + [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage" + # systemd kernel-install: +- [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ++ [ -e "/etc/machine-id" ] && [ -e "/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux" ] && opt_kernel="/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux" + # Clear Linux: +- str_uname=$(uname -r) ++ str_uname=$(@uname@ -r) + clear_linux_kernel="/lib/kernel/org.clearlinux.${str_uname##*.}.${str_uname%.*}" + [ -e "$clear_linux_kernel" ] && opt_kernel=$clear_linux_kernel + # Custom Arch seems to 
have the kernel path in its cmdline in the form "\directory\kernelimage", + # with actual \'s instead of /'s: +- custom_arch_kernel=$(echo "$kernel_cmdline" | grep -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d '[:space:]') ++ custom_arch_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | @tr@ "\\\\" "/" | @tr@ -d '[:space:]') + if [ -n "$custom_arch_kernel" ] && [ -e "$custom_arch_kernel" ]; then + opt_kernel="$custom_arch_kernel" + fi +@@ -2272,12 +2272,12 @@ if [ "$opt_live" = 1 ]; then + : + elif [ -e "$procfs/kallsyms" ] ; then + opt_map="$procfs/kallsyms" +- elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then +- opt_map="/lib/modules/$(uname -r)/System.map" +- elif [ -e "/boot/System.map-$(uname -r)" ] ; then +- opt_map="/boot/System.map-$(uname -r)" +- elif [ -e "/lib/kernel/System.map-$(uname -r)" ]; then +- opt_map="/lib/kernel/System.map-$(uname -r)" ++ elif [ -e "/lib/modules/$(@uname@ -r)/System.map" ] ; then ++ opt_map="/lib/modules/$(@uname@ -r)/System.map" ++ elif [ -e "/boot/System.map-$(@uname@ -r)" ] ; then ++ opt_map="/boot/System.map-$(@uname@ -r)" ++ elif [ -e "/lib/kernel/System.map-$(@uname@ -r)" ]; then ++ opt_map="/lib/kernel/System.map-$(@uname@ -r)" + fi + + # config +@@ -2285,18 +2285,18 @@ if [ "$opt_live" = 1 ]; then + # specified by user on cmdline, with --live, don't override + : + elif [ -e "$procfs/config.gz" ] ; then +- dumped_config="$(mktemp -t smc-config-XXXXXX)" +- gunzip -c "$procfs/config.gz" > "$dumped_config" ++ dumped_config="$(@mktemp@ -t smc-config-XXXXXX)" ++ @gunzip@ -c "$procfs/config.gz" > "$dumped_config" + # dumped_config will be deleted at the end of the script + opt_config="$dumped_config" +- elif [ -e "/lib/modules/$(uname -r)/config" ]; then +- opt_config="/lib/modules/$(uname -r)/config" +- elif [ -e "/boot/config-$(uname -r)" ]; then +- opt_config="/boot/config-$(uname -r)" +- elif [ -e "/etc/kernels/kernel-config-$(uname -m)-$(uname -r)" ]; then +- 
opt_config="/etc/kernels/kernel-config-$(uname -m)-$(uname -r)" +- elif [ -e "/lib/kernel/config-$(uname -r)" ]; then +- opt_config="/lib/kernel/config-$(uname -r)" ++ elif [ -e "/lib/modules/$(@uname@ -r)/config" ]; then ++ opt_config="/lib/modules/$(@uname@ -r)/config" ++ elif [ -e "/boot/config-$(@uname@ -r)" ]; then ++ opt_config="/boot/config-$(@uname@ -r)" ++ elif [ -e "/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)" ]; then ++ opt_config="/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)" ++ elif [ -e "/lib/kernel/config-$(@uname@ -r)" ]; then ++ opt_config="/lib/kernel/config-$(@uname@ -r)" + fi + else + _info "Checking for vulnerabilities against specified kernel" +@@ -2311,7 +2311,7 @@ else + fi + + if [ "$os" = Linux ]; then +- if [ -n "$opt_config" ] && ! grep -q '^CONFIG_' "$opt_config"; then ++ if [ -n "$opt_config" ] && ! @grep@ -q '^CONFIG_' "$opt_config"; then + # given file is invalid! + _warn "The kernel config file seems invalid, was expecting a plain-text file, ignoring it!" + opt_config='' +@@ -2339,7 +2339,7 @@ if [ "$os" = Linux ]; then + fi + + if [ -e "$opt_kernel" ]; then +- if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then ++ if ! 
command -v "@readelf@" >/dev/null 2>&1; then + _debug "readelf not found" + kernel_err="missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the 'binutils' package" + elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ]; then +@@ -2357,20 +2357,20 @@ else + # vanilla kernels have with ^Linux version + # also try harder with some kernels (such as Red Hat) that don't have ^Linux version before their version string + # and check for FreeBSD +- kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E \ ++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E \ + -e '^Linux version ' \ + -e '^[[:alnum:]][^[:space:]]+ \([^[:space:]]+\) #[0-9]+ .+ (19|20)[0-9][0-9]$' \ +- -e '^FreeBSD [0-9]' | head -1) ++ -e '^FreeBSD [0-9]' | @head@ -1) + if [ -z "$kernel_version" ]; then + # try even harder with some kernels (such as ARM) that split the release (uname -r) and version (uname -v) in 2 adjacent strings +- kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | tr "\n" " ") ++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | @tr@ "\n" " ") + fi + if [ -n "$kernel_version" ]; then + # in live mode, check if the img we found is the correct one + if [ "$opt_live" = 1 ]; then + _verbose "Kernel image is \033[35m$kernel_version" +- if ! echo "$kernel_version" | grep -qF "$(uname -r)"; then +- _warn "Possible discrepancy between your running kernel '$(uname -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect" ++ if ! 
echo "$kernel_version" | @grep@ -qF "$(@uname@ -r)"; then ++ _warn "Possible discrepancy between your running kernel '$(@uname@ -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect" + fi + else + _info "Kernel image is \033[35m$kernel_version" +@@ -2398,11 +2398,11 @@ sys_interface_check() + if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r "$file" ]; then + : + else +- mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")_RET=1") ++ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")_RET=1") + return 1 + fi + +- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")_RET" ++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")_RET" + # shellcheck disable=SC2086,SC1083 + if [ -n "$(eval echo \${$_mockvarname:-})" ]; then + _debug "sysfs: MOCKING enabled for $file func returns $(eval echo \$$_mockvarname)" +@@ -2411,17 +2411,17 @@ sys_interface_check() + fi + + [ -n "$regex" ] || regex='.*' +- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")" ++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")" + # shellcheck disable=SC2086,SC1083 + if [ -n "$(eval echo \${$_mockvarname:-})" ]; then + fullmsg="$(eval echo \$$_mockvarname)" +- msg=$(echo "$fullmsg" | grep -Eo "$regex") ++ msg=$(echo "$fullmsg" | @grep@ -Eo "$regex") + _debug "sysfs: MOCKING enabled for $file, will return $fullmsg" + mocked=1 + else +- fullmsg=$(cat "$file") +- msg=$(grep -Eo "$regex" "$file") +- mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")='$fullmsg'") ++ fullmsg=$(@cat@ "$file") ++ msg=$(@grep@ -Eo "$regex" "$file") ++ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")='$fullmsg'") + fi + if [ "$mode" = silent ]; then + return 0 +@@ -2430,15 +2430,15 @@ sys_interface_check() + return 0 + fi + _info_nol "* Mitigated according to the /sys interface: " +- if echo "$msg" | grep -qi '^not affected'; then ++ if echo "$msg" | @grep@ -qi '^not affected'; then + # Not affected + status=OK 
+ pstatus green YES "$fullmsg" +- elif echo "$msg" | grep -qEi '^(kvm: )?mitigation'; then ++ elif echo "$msg" | @grep@ -qEi '^(kvm: )?mitigation'; then + # Mitigation: PTI + status=OK + pstatus green YES "$fullmsg" +- elif echo "$msg" | grep -qi '^vulnerable'; then ++ elif echo "$msg" | @grep@ -qi '^vulnerable'; then + # Vulnerable + status=VULN + pstatus yellow NO "$fullmsg" +@@ -2526,20 +2526,20 @@ write_msr_one_core() + # ret=4: msr doesn't exist, ret=127: msr.allow_writes=off + [ "$ret" = 127 ] && _write_denied=1 + # or fallback to dd if it supports seek_bytes, we prefer it over perl because we can tell the difference between EPERM and EIO +- elif dd if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then ++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then + _debug "write_msr: using dd" +- dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$? ++ @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$? + # if it failed, inspect stderrto look for EPERM + if [ "$ret" != 0 ]; then +- if dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then ++ if @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | @grep@ -qF 'Operation not permitted'; then + _write_denied=1 + fi + fi + # or if we have perl, use it, any 5.x version will work +- elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then ++ elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then + _debug "write_msr: using perl" + ret=1 +- perl -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? 
-eq 8 ] && ret=0 ++ @perl@ -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0 + else + _debug "write_msr: got no wrmsr, perl or recent enough dd!" + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR") +@@ -2561,13 +2561,13 @@ write_msr_one_core() + msr_locked_down=1 + write_msr_msg="your kernel is configured to deny writes to MSRs from user space" + return $WRITE_MSR_RET_LOCKDOWN +- elif dmesg | grep -qF "msr: Direct access to MSR"; then ++ elif @dmesg@ | @grep@ -qF "msr: Direct access to MSR"; then + _debug "write_msr: locked down kernel detected (Red Hat / Fedora)" + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN") + msr_locked_down=1 + write_msr_msg="your kernel is locked down (Fedora/Red Hat), please reboot without secure boot and retry" + return $WRITE_MSR_RET_LOCKDOWN +- elif dmesg | grep -qF "raw MSR access is restricted"; then ++ elif @dmesg@ | @grep@ -qF "raw MSR access is restricted"; then + _debug "write_msr: locked down kernel detected (vanilla)" + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN") + msr_locked_down=1 +@@ -2666,8 +2666,8 @@ read_msr_one_core() + return $READ_MSR_RET_KO + fi + # MSR 0x10: 0x000003e1 0xb106dded +- _msr_h=$(echo "$_msr" | awk '{print $3}'); +- _msr_l=$(echo "$_msr" | awk '{print $4}'); ++ _msr_h=$(echo "$_msr" | @awk@ '{print $3}'); ++ _msr_l=$(echo "$_msr" | @awk@ '{print $4}'); + read_msr_value=$(( _msr_h << 32 | _msr_l )) + else + # for Linux +@@ -2678,15 +2678,15 @@ read_msr_one_core() + # if rdmsr is available, use it + elif command -v rdmsr >/dev/null 2>&1 && [ "${SMC_NO_RDMSR:-}" != 1 ]; then + _debug "read_msr: using rdmsr on $_msr" +- read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | od -t u8 -A n) ++ read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | @od@ -t u8 -A n) + # or if we have perl, use it, any 5.x version will work +- elif 
command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then ++ elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then + _debug "read_msr: using perl on $_msr" +- read_msr_value=$(perl -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | od -t u8 -A n) ++ read_msr_value=$(@perl@ -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | @od@ -t u8 -A n) + # fallback to dd if it supports skip_bytes +- elif dd if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then ++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then + _debug "read_msr: using dd on $_msr" +- read_msr_value=$(dd if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8 -A n) ++ read_msr_value=$(@dd@ if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | @od@ -t u8 -A n) + else + _debug "read_msr: got no rdmsr, perl or recent enough dd!" + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR") +@@ -2710,7 +2710,7 @@ check_cpu() + { + _info "\033[1;34mHardware check\033[0m" + +- if ! uname -m | grep -qwE 'x86_64|i[3-6]86|amd64'; then ++ if ! @uname@ -m | @grep@ -qwE 'x86_64|i[3-6]86|amd64'; then + return + fi + +@@ -3326,19 +3326,19 @@ check_redhat_canonical_spectre() + # if we were already called, don't do it again + [ -n "${redhat_canonical_spectre:-}" ] && return + +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! 
command -v "@strings@" >/dev/null 2>&1; then + redhat_canonical_spectre=-1 + elif [ -n "$kernel_err" ]; then + redhat_canonical_spectre=-2 + else + # Red Hat / Ubuntu specific variant1 patch is difficult to detect, + # let's use the two same tricks than the official Red Hat detection script uses: +- if "${opt_arch_prefix}strings" "$kernel" | grep -qw noibrs && "${opt_arch_prefix}strings" "$kernel" | grep -qw noibpb; then ++ if "@strings@" "$kernel" | @grep@ -qw noibrs && "@strings@" "$kernel" | @grep@ -qw noibpb; then + # 1) detect their specific variant2 patch. If it's present, it means + # that the variant1 patch is also present (both were merged at the same time) + _debug "found redhat/canonical version of the variant2 patch (implies variant1)" + redhat_canonical_spectre=1 +- elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'x86/pti:'; then ++ elif "@strings@" "$kernel" | @grep@ -q 'x86/pti:'; then + # 2) detect their specific variant3 patch. If it's present, but the variant2 + # is not, it means that only variant1 is present in addition to variant3 + _debug "found redhat/canonical version of the variant3 patch (implies variant1 but not variant2)" +@@ -3363,13 +3363,13 @@ check_has_vmm() + # If we find no evidence that this is the case, assume we're not (to avoid scaring users), + # this can always be overridden with --vmm in any case. 
+ has_vmm=0 +- if command -v pgrep >/dev/null 2>&1; then ++ if command -v @pgrep@ >/dev/null 2>&1; then + # remove xenbus and xenwatch, also present inside domU + # remove libvirtd as it can also be used to manage containers and not VMs + # for each binary we want to grep, get the pids + for _binary in qemu kvm xenstored xenconsoled + do +- for _pid in $(pgrep -x $_binary) ++ for _pid in $(@pgrep@ -x $_binary) + do + # resolve the exe symlink, if it doesn't resolve with -m, + # which doesn't even need the dest to exist, it means the symlink +@@ -3385,7 +3385,7 @@ check_has_vmm() + else + # ignore SC2009 as `ps ax` is actually used as a fallback if `pgrep` isn't installed + # shellcheck disable=SC2009 +- if command -v ps >/devnull && ps ax | grep -vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then ++ if command -v ps >/devnull && ps ax | @grep@ -vw grep | @grep@ -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then + has_vmm=1 + fi + fi +@@ -3417,7 +3417,7 @@ check_CVE_2017_5753() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2017_5753_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2017_5753_bsd + else + _warn "Unsupported OS ($os)" +@@ -3469,20 +3469,20 @@ check_CVE_2017_5753_linux() + v1_mask_nospec='' + if [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "couldn't check ($kernel_err)" +- elif ! command -v perl >/dev/null 2>&1; then ++ elif ! command -v @perl@ >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing 'perl' binary, please install it" + else +- perl -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$? ++ @perl@ -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$? 
+ if [ $ret -gt 0 ]; then + pstatus green YES "$ret occurrence(s) found of x86 64 bits array_index_mask_nospec()" + v1_mask_nospec="x86 64 bits array_index_mask_nospec" + else +- perl -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$? ++ @perl@ -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$? + if [ $ret -gt 0 ]; then + pstatus green YES "$ret occurrence(s) found of x86 32 bits array_index_mask_nospec()" + v1_mask_nospec="x86 32 bits array_index_mask_nospec" + else +- ret=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" | grep -w -e f3af8014 -e e320f014 -B2 | grep -B1 -w sbc | grep -w -c cmp) ++ ret=$("@objdump@" $objdump_options "$kernel" | @grep@ -w -e f3af8014 -e e320f014 -B2 | @grep@ -B1 -w sbc | @grep@ -w -c cmp) + if [ "$ret" -gt 0 ]; then + pstatus green YES "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()" + v1_mask_nospec="arm 32 bits array_index_mask_nospec" +@@ -3526,12 +3526,12 @@ check_CVE_2017_5753_linux() + pstatus yellow NO + elif [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "couldn't check ($kernel_err)" +- elif ! command -v perl >/dev/null 2>&1; then ++ elif ! command -v @perl@ >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing 'perl' binary, please install it" +- elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then ++ elif ! command -v "@objdump@" >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package" + else +- "${opt_arch_prefix}objdump" $objdump_options "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$? 
++ "@objdump@" $objdump_options "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$? + if [ "$ret" -eq 9 ]; then + pstatus green YES "mask_nospec64 macro is present and used" + v1_mask_nospec="arm64 mask_nospec64" +@@ -3553,12 +3553,12 @@ check_CVE_2017_5753_linux() + pstatus yellow NO + elif [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "couldn't check ($kernel_err)" +- elif ! command -v perl >/dev/null 2>&1; then ++ elif ! command -v @perl@ >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing 'perl' binary, please install it" +- elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then ++ elif ! command -v "@objdump@" >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package" + else +- "${opt_arch_prefix}objdump" -d "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$? ++ "@objdump@" -d "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$? + if [ "$ret" -eq 9 ]; then + pstatus green YES "array_index_nospec macro is present and used" + v1_mask_nospec="arm64 array_index_nospec" +@@ -3574,7 +3574,7 @@ check_CVE_2017_5753_linux() + if [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "couldn't check ($kernel_err)" + else +- if ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then ++ if ! 
command -v "@objdump@" >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package" + else + # here we disassemble the kernel and count the number of occurrences of the LFENCE opcode +@@ -3584,7 +3584,7 @@ check_CVE_2017_5753_linux() + # so let's push the threshold to 70. + # v0.33+: now only count lfence opcodes after a jump, way less error-prone + # non patched kernel have between 0 and 20 matches, patched ones have at least 40-45 +- nb_lfence=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence | grep -Ewc 'jmp|jne|je') ++ nb_lfence=$("@objdump@" $objdump_options "$kernel" 2>/dev/null | @grep@ -w -B1 lfence | @grep@ -Ewc 'jmp|jne|je') + if [ "$nb_lfence" -lt 30 ]; then + pstatus yellow NO "only $nb_lfence jump-then-lfence instructions found, should be >= 30 (heuristic)" + else +@@ -3655,7 +3655,7 @@ check_CVE_2017_5715() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2017_5715_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2017_5715_bsd + else + _warn "Unsupported OS ($os)" +@@ -3697,13 +3697,13 @@ check_CVE_2017_5715_linux() + # /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed + specex_knob_dir=$dir + ibrs_supported="$dir/ibrs_enabled exists" +- ibrs_enabled=$(cat "$dir/ibrs_enabled" 2>/dev/null) ++ ibrs_enabled=$(@cat@ "$dir/ibrs_enabled" 2>/dev/null) + _debug "ibrs: found $dir/ibrs_enabled=$ibrs_enabled" + # if ibrs_enabled is there, ibpb_enabled will be in the same dir + if [ -e "$dir/ibpb_enabled" ]; then + # if the file is there, we have IBPB compiled-in (see note above for IBRS) + ibpb_supported="$dir/ibpb_enabled exists" +- ibpb_enabled=$(cat "$dir/ibpb_enabled" 2>/dev/null) ++ ibpb_enabled=$(@cat@ "$dir/ibpb_enabled" 2>/dev/null) + _debug "ibpb: found $dir/ibpb_enabled=$ibpb_enabled" + else + _debug "ibpb: $dir/ibpb_enabled file 
doesn't exist" +@@ -3718,7 +3718,7 @@ check_CVE_2017_5715_linux() + # which in that case means ibrs is supported *and* enabled for kernel & user + # as per the ibrs patch series v3 + if [ -z "$ibrs_supported" ]; then +- if grep ^flags "$procfs/cpuinfo" | grep -qw spec_ctrl_ibrs; then ++ if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw spec_ctrl_ibrs; then + _debug "ibrs: found spec_ctrl_ibrs flag in $procfs/cpuinfo" + ibrs_supported="spec_ctrl_ibrs flag in $procfs/cpuinfo" + # enabled=2 -> kernel & user +@@ -3728,13 +3728,13 @@ check_CVE_2017_5715_linux() + fi + if [ -n "$fullmsg" ]; then + # when IBPB is enabled on 4.15+, we can see it in sysfs +- if echo "$fullmsg" | grep -q 'IBPB'; then ++ if echo "$fullmsg" | @grep@ -q 'IBPB'; then + _debug "ibpb: found enabled in sysfs" + [ -z "$ibpb_supported" ] && ibpb_supported='IBPB found enabled in sysfs' + [ -z "$ibpb_enabled" ] && ibpb_enabled=1 + fi + # when IBRS_FW is enabled on 4.15+, we can see it in sysfs +- if echo "$fullmsg" | grep -q ', IBRS_FW'; then ++ if echo "$fullmsg" | @grep@ -q ', IBRS_FW'; then + _debug "ibrs: found IBRS_FW in sysfs" + [ -z "$ibrs_supported" ] && ibrs_supported='found IBRS_FW in sysfs' + ibrs_fw_enabled=1 +@@ -3742,13 +3742,13 @@ check_CVE_2017_5715_linux() + # when IBRS is enabled on 4.15+, we can see it in sysfs + # on a more recent kernel, classic "IBRS" is not even longer an option, because of the performance impact. 
+ # only "Enhanced IBRS" is available (on CPUs with the IBRS_ALL flag) +- if echo "$fullmsg" | grep -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then ++ if echo "$fullmsg" | @grep@ -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then + _debug "ibrs: found IBRS in sysfs" + [ -z "$ibrs_supported" ] && ibrs_supported='found IBRS in sysfs' + [ -z "$ibrs_enabled" ] && ibrs_enabled=3 + fi + # checking for 'Enhanced IBRS' in sysfs, enabled on CPUs with IBRS_ALL +- if echo "$fullmsg" | grep -q -e 'Enhanced IBRS'; then ++ if echo "$fullmsg" | @grep@ -q -e 'Enhanced IBRS'; then + [ -z "$ibrs_supported" ] && ibrs_supported='found Enhanced IBRS in sysfs' + # 4 isn't actually a valid value of the now extinct "ibrs_enabled" flag file, + # that only went from 0 to 3, so we use 4 as "enhanced ibrs is enabled" +@@ -3767,11 +3767,11 @@ check_CVE_2017_5715_linux() + fi + fi + if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! 
command -v "@strings@" >/dev/null 2>&1; then + : + else + ibrs_can_tell=1 +- ibrs_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1) ++ ibrs_supported=$("@strings@" "$kernel" | @grep@ -Fw -e ', IBRS_FW' | @head@ -1) + if [ -n "$ibrs_supported" ]; then + _debug "ibrs: found ibrs evidence in kernel image ($ibrs_supported)" + ibrs_supported="found '$ibrs_supported' in kernel image" +@@ -3780,7 +3780,7 @@ check_CVE_2017_5715_linux() + fi + if [ -z "$ibrs_supported" ] && [ -n "$opt_map" ]; then + ibrs_can_tell=1 +- if grep -q spec_ctrl "$opt_map"; then ++ if @grep@ -q spec_ctrl "$opt_map"; then + ibrs_supported="found spec_ctrl in symbols file" + _debug "ibrs: found '*spec_ctrl*' symbol in $opt_map" + fi +@@ -3788,11 +3788,11 @@ check_CVE_2017_5715_linux() + # recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat + # we can detect it directly in the image + if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! 
command -v "@strings@" >/dev/null 2>&1; then + : + else + ibpb_can_tell=1 +- ibpb_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1) ++ ibpb_supported=$("@strings@" "$kernel" | @grep@ -Fw -e 'ibpb' -e ', IBPB' | @head@ -1) + if [ -n "$ibpb_supported" ]; then + _debug "ibpb: found ibpb evidence in kernel image ($ibpb_supported)" + ibpb_supported="found '$ibpb_supported' in kernel image" +@@ -3841,9 +3841,9 @@ check_CVE_2017_5715_linux() + 2) if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel, user space, and firmware code" ; else pstatus green YES "for both kernel and user space"; fi;; + 3) if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and firmware code"; else pstatus green YES; fi;; + 4) pstatus green YES "Enhanced flavor, performance impact will be greatly reduced";; +- *) if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ]; +- then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS"; +- else ++ *) if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ]; ++ then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS"; ++ else + pstatus yellow UNKNOWN; fi;; + esac + fi +@@ -3894,7 +3894,7 @@ check_CVE_2017_5715_linux() + bp_harden='' + if [ -r "$opt_config" ]; then + bp_harden_can_tell=1 +- bp_harden=$(grep -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config") ++ bp_harden=$(@grep@ -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config") + if [ -n "$bp_harden" ]; then + pstatus green YES + _debug "bp_harden: found '$bp_harden' in $opt_config" +@@ -3902,7 +3902,7 @@ check_CVE_2017_5715_linux() + fi + if [ -z "$bp_harden" ] && [ -n "$opt_map" ]; then + bp_harden_can_tell=1 +- bp_harden=$(grep -w bp_hardening_data "$opt_map") ++ bp_harden=$(@grep@ -w bp_hardening_data "$opt_map") + if [ -n "$bp_harden" ]; then + pstatus green YES + _debug 
"bp_harden: found '$bp_harden' in $opt_map" +@@ -3920,11 +3920,11 @@ check_CVE_2017_5715_linux() + # We check the RETPOLINE kernel options + retpoline=0 + if [ -r "$opt_config" ]; then +- if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then ++ if @grep@ -q '^CONFIG_RETPOLINE=y' "$opt_config"; then + pstatus green YES + retpoline=1 + # shellcheck disable=SC2046 +- _debug 'retpoline: found '$(grep '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config" ++ _debug 'retpoline: found '$(@grep@ '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config" + else + pstatus yellow NO + fi +@@ -3945,8 +3945,8 @@ check_CVE_2017_5715_linux() + # since 5.15.28, this is now "Retpolines" as the implementation was switched to a generic one, + # so we look for both "retpoline" and "retpolines" + if [ "$opt_live" = 1 ] && [ -n "$fullmsg" ]; then +- if echo "$fullmsg" | grep -qwi -e retpoline -e retpolines; then +- if echo "$fullmsg" | grep -qwi minimal; then ++ if echo "$fullmsg" | @grep@ -qwi -e retpoline -e retpolines; then ++ if echo "$fullmsg" | @grep@ -qwi minimal; then + retpoline_compiler=0 + retpoline_compiler_reason="kernel reports minimal retpoline compilation" + else +@@ -3956,19 +3956,19 @@ check_CVE_2017_5715_linux() + fi + elif [ -n "$opt_map" ]; then + # look for the symbol +- if grep -qw noretpoline_setup "$opt_map"; then ++ if @grep@ -qw noretpoline_setup "$opt_map"; then + retpoline_compiler=1 + retpoline_compiler_reason="noretpoline_setup symbol found in System.map" + fi + elif [ -n "$kernel" ]; then + # look for the symbol +- if command -v "${opt_arch_prefix}nm" >/dev/null 2>&1; then ++ if command -v "@nm@" >/dev/null 2>&1; then + # the proper way: use nm and look for the symbol +- if "${opt_arch_prefix}nm" "$kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then ++ if "@nm@" "$kernel" 2>/dev/null | @grep@ -qw 'noretpoline_setup'; then + retpoline_compiler=1 + retpoline_compiler_reason="noretpoline_setup found in kernel symbols" + fi +- elif grep -q noretpoline_setup 
"$kernel"; then ++ elif @grep@ -q noretpoline_setup "$kernel"; then + # if we don't have nm, nevermind, the symbol name is long enough to not have + # any false positive using good old grep directly on the binary + retpoline_compiler=1 +@@ -3997,7 +3997,7 @@ check_CVE_2017_5715_linux() + retp_enabled=-1 + if [ "$opt_live" = 1 ]; then + if [ -e "$specex_knob_dir/retp_enabled" ]; then +- retp_enabled=$(cat "$specex_knob_dir/retp_enabled" 2>/dev/null) ++ retp_enabled=$(@cat@ "$specex_knob_dir/retp_enabled" 2>/dev/null) + _debug "retpoline: found $specex_knob_dir/retp_enabled=$retp_enabled" + _info_nol " * Retpoline is enabled: " + if [ "$retp_enabled" = 1 ]; then +@@ -4027,7 +4027,7 @@ check_CVE_2017_5715_linux() + rsb_filling=0 + if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then + # if we're live and we aren't denied looking into /sys, let's do it +- if echo "$msg" | grep -qw RSB; then ++ if echo "$msg" | @grep@ -qw RSB; then + rsb_filling=1 + pstatus green YES + fi +@@ -4036,7 +4036,7 @@ check_CVE_2017_5715_linux() + if [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "couldn't check ($kernel_err)" + else +- if grep -qw -e 'Filling RSB on context switch' "$kernel"; then ++ if @grep@ -qw -e 'Filling RSB on context switch' "$kernel"; then + rsb_filling=1 + pstatus green YES + else +@@ -4198,7 +4198,7 @@ check_CVE_2017_5715_bsd() + { + _info "* Mitigation 1" + _info_nol " * Kernel supports IBRS: " +- ibrs_disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null) ++ ibrs_disabled=$(@sysctl@ -n hw.ibrs_disable 2>/dev/null) + if [ -z "$ibrs_disabled" ]; then + pstatus yellow NO + else +@@ -4206,7 +4206,7 @@ check_CVE_2017_5715_bsd() + fi + + _info_nol " * IBRS enabled and active: " +- ibrs_active=$(sysctl -n hw.ibrs_active 2>/dev/null) ++ ibrs_active=$(@sysctl@ -n hw.ibrs_active 2>/dev/null) + if [ "$ibrs_active" = 1 ]; then + pstatus green YES + else +@@ -4219,10 +4219,10 @@ check_CVE_2017_5715_bsd() + if [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "couldn't 
check ($kernel_err)" + else +- if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then ++ if ! command -v "@readelf@" >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the binutils package" + else +- nb_thunks=$("${opt_arch_prefix}readelf" -s "$kernel" | grep -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_) ++ nb_thunks=$("@readelf@" -s "$kernel" | @grep@ -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_) + if [ "$nb_thunks" -gt 0 ]; then + retpoline=1 + pstatus green YES "found $nb_thunks thunk(s)" +@@ -4263,7 +4263,7 @@ check_CVE_2017_5715_bsd() + pti_performance_check() + { + _info_nol " * Reduced performance impact of PTI: " +- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw pcid; then ++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pcid; then + cpu_pcid=1 + else + read_cpuid 0x1 0x0 $ECX 17 1 1; ret=$? +@@ -4272,7 +4272,7 @@ pti_performance_check() + fi + fi + +- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw invpcid; then ++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw invpcid; then + cpu_invpcid=1 + else + read_cpuid 0x7 0x0 $EBX 10 1 1; ret=$? 
+@@ -4297,7 +4297,7 @@ check_CVE_2017_5754() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2017_5754_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2017_5754_bsd + else + _warn "Unsupported OS ($os)" +@@ -4319,7 +4319,7 @@ check_CVE_2017_5754_linux() + kpti_can_tell=0 + if [ -n "$opt_config" ]; then + kpti_can_tell=1 +- kpti_support=$(grep -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config") ++ kpti_support=$(@grep@ -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config") + if [ -n "$kpti_support" ]; then + _debug "kpti_support: found option '$kpti_support' in $opt_config" + fi +@@ -4329,7 +4329,7 @@ check_CVE_2017_5754_linux() + # so we try to find an exported symbol that is part of the PTI patch in System.map + # parse_kpti: arm + kpti_can_tell=1 +- kpti_support=$(grep -w -e kpti_force_enabled -e parse_kpti "$opt_map") ++ kpti_support=$(@grep@ -w -e kpti_force_enabled -e parse_kpti "$opt_map") + if [ -n "$kpti_support" ]; then + _debug "kpti_support: found '$kpti_support' in $opt_map" + fi +@@ -4339,10 +4339,10 @@ check_CVE_2017_5754_linux() + # nopti option that is part of the patch (kernel command line option) + # 'kpti=': arm + kpti_can_tell=1 +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! 
command -v "@strings@" >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package" + else +- kpti_support=$("${opt_arch_prefix}strings" "$kernel" | grep -w -e nopti -e kpti=) ++ kpti_support=$("@strings@" "$kernel" | @grep@ -w -e nopti -e kpti=) + if [ -n "$kpti_support" ]; then + _debug "kpti_support: found '$kpti_support' in $kernel" + fi +@@ -4369,20 +4369,20 @@ check_CVE_2017_5754_linux() + dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace" + # aarch64 + dmesg_grep="$dmesg_grep|CPU features: detected( feature)?: Kernel page table isolation \(KPTI\)" +- if grep ^flags "$procfs/cpuinfo" | grep -qw pti; then ++ if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pti; then + # vanilla PTI patch sets the 'pti' flag in cpuinfo + _debug "kpti_enabled: found 'pti' flag in $procfs/cpuinfo" + kpti_enabled=1 +- elif grep ^flags "$procfs/cpuinfo" | grep -qw kaiser; then ++ elif @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw kaiser; then + # kernel line 4.9 sets the 'kaiser' flag in cpuinfo + _debug "kpti_enabled: found 'kaiser' flag in $procfs/cpuinfo" + kpti_enabled=1 + elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then + # Red Hat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301 +- kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null) ++ kpti_enabled=$(@cat@ /sys/kernel/debug/x86/pti_enabled 2>/dev/null) + _debug "kpti_enabled: file /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled" + elif is_xen_dom0; then +- pti_xen_pv_domU=$(xl dmesg | grep 'XPTI' | grep 'DomU enabled' | head -1) ++ pti_xen_pv_domU=$(xl @dmesg@ | @grep@ 'XPTI' | @grep@ 'DomU enabled' | @head@ -1) + + [ -n "$pti_xen_pv_domU" ] && kpti_enabled=1 + fi +@@ -4457,7 +4457,7 @@ check_CVE_2017_5754_linux() + if [ -n "$kpti_support" ]; then + if [ -e "/sys/kernel/debug/x86/pti_enabled" ]; then + explain "Your kernel supports PTI but it's disabled, you 
can enable it with \`echo 1 > /sys/kernel/debug/x86/pti_enabled\`" +- elif echo "$kernel_cmdline" | grep -q -w -e nopti -e pti=off; then ++ elif echo "$kernel_cmdline" | @grep@ -q -w -e nopti -e pti=off; then + explain "Your kernel supports PTI but it has been disabled on command-line, remove the nopti or pti=off option from your bootloader configuration" + else + explain "Your kernel supports PTI but it has been disabled, check \`dmesg\` right after boot to find clues why the system disabled it" +@@ -4508,7 +4508,7 @@ check_CVE_2017_5754_linux() + check_CVE_2017_5754_bsd() + { + _info_nol "* Kernel supports Page Table Isolation (PTI): " +- kpti_enabled=$(sysctl -n vm.pmap.pti 2>/dev/null) ++ kpti_enabled=$(@sysctl@ -n vm.pmap.pti 2>/dev/null) + if [ -z "$kpti_enabled" ]; then + pstatus yellow NO + else +@@ -4579,7 +4579,7 @@ check_CVE_2018_3639() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2018_3639_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2018_3639_bsd + else + _warn "Unsupported OS ($os)" +@@ -4598,33 +4598,33 @@ check_CVE_2018_3639_linux() + if [ "$opt_sysfs_only" != 1 ]; then + _info_nol "* Kernel supports disabling speculative store bypass (SSB): " + if [ "$opt_live" = 1 ]; then +- if grep -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then ++ if @grep@ -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then + kernel_ssb="found in $procfs/self/status" + _debug "found Speculation.Store.Bypass: in $procfs/self/status" + fi + fi + # arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them +- if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! grep -q 'arm64_sys_' "$kernel"; then +- kernel_ssb=$("${opt_arch_prefix}strings" "$kernel" | grep spec_store_bypass | head -n1); ++ if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! 
@grep@ -q 'arm64_sys_' "$kernel"; then ++ kernel_ssb=$("@strings@" "$kernel" | @grep@ spec_store_bypass | @head@ -n1); + [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in kernel" + fi + # arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them +- if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! grep -q 'arm64_sys_' "$opt_map"; then +- kernel_ssb=$(grep spec_store_bypass "$opt_map" | awk '{print $3}' | head -n1) ++ if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! @grep@ -q 'arm64_sys_' "$opt_map"; then ++ kernel_ssb=$(@grep@ spec_store_bypass "$opt_map" | @awk@ '{print $3}' | @head@ -n1) + [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map" + fi + # arm64 only: + if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ]; then +- kernel_ssb=$(grep -w cpu_enable_ssbs "$opt_map" | awk '{print $3}' | head -n1) ++ kernel_ssb=$(@grep@ -w cpu_enable_ssbs "$opt_map" | @awk@ '{print $3}' | @head@ -n1) + [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map" + fi + if [ -z "$kernel_ssb" ] && [ -n "$opt_config" ]; then +- kernel_ssb=$(grep -w 'CONFIG_ARM64_SSBD=y' "$opt_config") ++ kernel_ssb=$(@grep@ -w 'CONFIG_ARM64_SSBD=y' "$opt_config") + [ -n "$kernel_ssb" ] && kernel_ssb="CONFIG_ARM64_SSBD enabled in kconfig" + fi + if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then + # this string only appears in kernel if CONFIG_ARM64_SSBD is set +- kernel_ssb=$(grep -w "Speculative Store Bypassing Safe (SSBS)" "$kernel") ++ kernel_ssb=$(@grep@ -w "Speculative Store Bypassing Safe (SSBS)" "$kernel") + [ -n "$kernel_ssb" ] && kernel_ssb="found 'Speculative Store Bypassing Safe (SSBS)' in kernel" + fi + # /arm64 only +@@ -4639,31 +4639,31 @@ check_CVE_2018_3639_linux() + if [ "$opt_live" = 1 ]; then + # https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340 + _info_nol "* SSB mitigation is enabled and active: " +- if grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then ++ if @grep@ 
-Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then + kernel_ssbd_enabled=1 + pstatus green YES "per-thread through prctl" +- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then ++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then + kernel_ssbd_enabled=2 + pstatus green YES "global" +- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then ++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then + kernel_ssbd_enabled=0 + pstatus yellow NO +- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then ++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then + kernel_ssbd_enabled=-2 + pstatus blue NO "not vulnerable" +- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then ++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then + kernel_ssbd_enabled=0 + pstatus blue NO + else +- pstatus blue UNKNOWN "unknown value: $(grep -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | cut -d: -f2-)" ++ pstatus blue UNKNOWN "unknown value: $(@grep@ -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | @cut@ -d: -f2-)" + fi + + if [ "$kernel_ssbd_enabled" = 1 ]; then + _info_nol "* SSB mitigation currently active for selected processes: " + # silence grep's stderr here to avoid ENOENT errors from processes that have exited since the shell's expansion of the * +- mitigated_processes=$(find /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \ +- | xargs -r0 grep -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \ +- | sed 
s/status/exe/ | xargs -r -n1 readlink -f 2>/dev/null | xargs -r -n1 basename | sort -u | tr "\n" " " | sed 's/ $//') ++ mitigated_processes=$(@find@ /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \ ++ | @xargs@ -r0 @grep@ -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \ ++ | @sed@ s/status/exe/ | @xargs@ -r -n1 readlink -f 2>/dev/null | @xargs@ -r -n1 @basename@ | @sort@ -u | @tr@ "\n" " " | @sed@ 's/ $//') + if [ -n "$mitigated_processes" ]; then + pstatus green YES "$mitigated_processes" + else +@@ -4715,7 +4715,7 @@ check_CVE_2018_3639_linux() + check_CVE_2018_3639_bsd() + { + _info_nol "* Kernel supports speculation store bypass: " +- if sysctl hw.spec_store_bypass_disable >/dev/null 2>&1; then ++ if @sysctl@ hw.spec_store_bypass_disable >/dev/null 2>&1; then + kernel_ssb=1 + pstatus green YES + else +@@ -4724,7 +4724,7 @@ check_CVE_2018_3639_bsd() + fi + + _info_nol "* Speculation store bypass is administratively enabled: " +- ssb_enabled=$(sysctl -n hw.spec_store_bypass_disable 2>/dev/null) ++ ssb_enabled=$(@sysctl@ -n hw.spec_store_bypass_disable 2>/dev/null) + _debug "hw.spec_store_bypass_disable=$ssb_enabled" + case "$ssb_enabled" in + 0) pstatus yellow NO "disabled";; +@@ -4734,7 +4734,7 @@ check_CVE_2018_3639_bsd() + esac + + _info_nol "* Speculation store bypass is currently active: " +- ssb_active=$(sysctl -n hw.spec_store_bypass_disable_active 2>/dev/null) ++ ssb_active=$(@sysctl@ -n hw.spec_store_bypass_disable_active 2>/dev/null) + _debug "hw.spec_store_bypass_disable_active=$ssb_active" + case "$ssb_active" in + 1) pstatus green YES;; +@@ -4806,7 +4806,7 @@ check_CVE_2018_3620() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2018_3620_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2018_3620_bsd + else + _warn "Unsupported OS ($os)" +@@ -4824,14 +4824,14 @@ check_CVE_2018_3620_linux() + fi 
+ if [ "$opt_sysfs_only" != 1 ]; then + _info_nol "* Kernel supports PTE inversion: " +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! command -v "@strings@" >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing 'strings' tool, please install it" + pteinv_supported=-1 + elif [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "$kernel_err" + pteinv_supported=-1 + else +- if "${opt_arch_prefix}strings" "$kernel" | grep -Fq 'PTE Inversion'; then ++ if "@strings@" "$kernel" | @grep@ -Fq 'PTE Inversion'; then + pstatus green YES "found in kernel image" + _debug "pteinv: found pte inversion evidence in kernel image" + pteinv_supported=1 +@@ -4844,7 +4844,7 @@ check_CVE_2018_3620_linux() + _info_nol "* PTE inversion enabled and active: " + if [ "$opt_live" = 1 ]; then + if [ -n "$fullmsg" ]; then +- if echo "$fullmsg" | grep -q 'Mitigation: PTE Inversion'; then ++ if echo "$fullmsg" | @grep@ -q 'Mitigation: PTE Inversion'; then + pstatus green YES + pteinv_active=1 + else +@@ -4892,7 +4892,7 @@ check_CVE_2018_3620_bsd() + else + _debug "vmm module already loaded" + fi +- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then ++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then + # https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch + # this is very difficult to detect that the kernel reserved the 0 page, but this fix + # is part of the exact same patch than the other L1TF CVE, so we detect it +@@ -4922,7 +4922,7 @@ check_CVE_2018_3646() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2018_3646_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2018_3646_bsd + else + _warn "Unsupported OS ($os)" +@@ -4948,7 +4948,7 @@ check_CVE_2018_3646_linux() + if [ "$opt_live" = 1 ]; then + if ! 
[ -r /sys/module/kvm_intel/parameters/ept ]; then + pstatus blue N/A "the kvm_intel module is not loaded" +- elif [ "$(cat /sys/module/kvm_intel/parameters/ept)" = N ]; then ++ elif [ "$(@cat@ /sys/module/kvm_intel/parameters/ept)" = N ]; then + pstatus green YES + ept_disabled=1 + else +@@ -4960,15 +4960,15 @@ check_CVE_2018_3646_linux() + + _info "* Mitigation 2" + _info_nol " * L1D flush is supported by kernel: " +- if [ "$opt_live" = 1 ] && grep -qw flush_l1d "$procfs/cpuinfo"; then ++ if [ "$opt_live" = 1 ] && @grep@ -qw flush_l1d "$procfs/cpuinfo"; then + l1d_kernel="found flush_l1d in $procfs/cpuinfo" + fi + if [ -z "$l1d_kernel" ]; then +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! command -v "@strings@" >/dev/null 2>&1; then + l1d_kernel_err="missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package" + elif [ -n "$kernel_err" ]; then + l1d_kernel_err="$kernel_err" +- elif "${opt_arch_prefix}strings" "$kernel" | grep -qw flush_l1d; then ++ elif "@strings@" "$kernel" | @grep@ -qw flush_l1d; then + l1d_kernel='found flush_l1d in kernel image' + fi + fi +@@ -4989,20 +4989,20 @@ check_CVE_2018_3646_linux() + # $l1dstatus is one of (auto|vulnerable|conditional cache flushes|cache flushes|EPT disabled|flush not necessary) + # $smtstatus is one of (vulnerable|disabled) + # can also just be "Not affected" +- if echo "$fullmsg" | grep -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then ++ if echo "$fullmsg" | @grep@ -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then + l1d_mode=0 + pstatus yellow NO +- elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) conditional cache flushes'; then ++ elif echo "$fullmsg" | @grep@ -Eq '(VMX:|L1D) conditional cache flushes'; then + l1d_mode=1 + pstatus green YES "conditional flushes" +- elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) cache flushes'; then ++ elif echo "$fullmsg" | @grep@ -Eq 
'(VMX:|L1D) cache flushes'; then + l1d_mode=2 + pstatus green YES "unconditional flushes" + else + if is_xen_dom0; then +- l1d_xen_hardware=$(xl dmesg | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -1) +- l1d_xen_hypervisor=$(xl dmesg | grep 'Xen settings:' | grep 'L1D_FLUSH' | head -1) +- l1d_xen_pv_domU=$(xl dmesg | grep 'PV L1TF shadowing:' | grep 'DomU enabled' | head -1) ++ l1d_xen_hardware=$(xl @dmesg@ | @grep@ 'Hardware features:' | @grep@ 'L1D_FLUSH' | @head@ -1) ++ l1d_xen_hypervisor=$(xl @dmesg@ | @grep@ 'Xen settings:' | @grep@ 'L1D_FLUSH' | @head@ -1) ++ l1d_xen_pv_domU=$(xl @dmesg@ | @grep@ 'PV L1TF shadowing:' | @grep@ 'DomU enabled' | @head@ -1) + + if [ -n "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n "$l1d_xen_pv_domU" ]; then + l1d_mode=5 +@@ -5033,7 +5033,7 @@ check_CVE_2018_3646_linux() + + _info_nol " * Hardware-backed L1D flush supported: " + if [ "$opt_live" = 1 ]; then +- if grep -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then ++ if @grep@ -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then + pstatus green YES "performance impact of the mitigation will be greatly reduced" + else + pstatus blue NO "flush will be done in software, this is slower" +@@ -5105,7 +5105,7 @@ check_CVE_2018_3646_linux() + check_CVE_2018_3646_bsd() + { + _info_nol "* Kernel supports L1D flushing: " +- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then ++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then + pstatus green YES + kernel_l1d_supported=1 + else +@@ -5114,7 +5114,7 @@ check_CVE_2018_3646_bsd() + fi + + _info_nol "* L1D flushing is enabled: " +- kernel_l1d_enabled=$(sysctl -n hw.vmm.vmx.l1d_flush 2>/dev/null) ++ kernel_l1d_enabled=$(@sysctl@ -n hw.vmm.vmx.l1d_flush 2>/dev/null) + case "$kernel_l1d_enabled" in + 0) pstatus yellow NO;; + 1) pstatus green YES;; +@@ -5168,7 +5168,7 @@ check_CVE_2018_12127() + ################### + # MDSUM SECTION + +-# Microarchitectural Data Sampling Uncacheable 
Memory ++# Microarchitectural Data Sampling Uncacheable Memory + check_CVE_2019_11091() + { + cve='CVE-2019-11091' +@@ -5182,7 +5182,7 @@ check_mds() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_mds_linux "$cve" +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_mds_bsd "$cve" + else + _warn "Unsupported OS ($os)" +@@ -5193,7 +5193,7 @@ check_mds_bsd() + { + _info_nol "* Kernel supports using MD_CLEAR mitigation: " + if [ "$opt_live" = 1 ]; then +- if sysctl hw.mds_disable >/dev/null 2>&1; then ++ if @sysctl@ hw.mds_disable >/dev/null 2>&1; then + pstatus green YES + kernel_md_clear=1 + else +@@ -5201,7 +5201,7 @@ check_mds_bsd() + kernel_md_clear=0 + fi + else +- if grep -Fq hw.mds_disable $opt_kernel; then ++ if @grep@ -Fq hw.mds_disable $opt_kernel; then + pstatus green YES + kernel_md_clear=1 + else +@@ -5211,8 +5211,8 @@ check_mds_bsd() + fi + + _info_nol "* CPU Hyper-Threading (SMT) is disabled: " +- if sysctl machdep.hyperthreading_allowed >/dev/null 2>&1; then +- kernel_smt_allowed=$(sysctl -n machdep.hyperthreading_allowed 2>/dev/null) ++ if @sysctl@ machdep.hyperthreading_allowed >/dev/null 2>&1; then ++ kernel_smt_allowed=$(@sysctl@ -n machdep.hyperthreading_allowed 2>/dev/null) + if [ "$kernel_smt_allowed" = 1 ]; then + pstatus yellow NO + else +@@ -5224,7 +5224,7 @@ check_mds_bsd() + + _info_nol "* Kernel mitigation is enabled: " + if [ "$kernel_md_clear" = 1 ]; then +- kernel_mds_enabled=$(sysctl -n hw.mds_disable 2>/dev/null) ++ kernel_mds_enabled=$(@sysctl@ -n hw.mds_disable 2>/dev/null) + else + kernel_mds_enabled=0 + fi +@@ -5238,7 +5238,7 @@ check_mds_bsd() + + _info_nol "* Kernel mitigation is active: " + if [ "$kernel_md_clear" = 1 ]; then +- kernel_mds_state=$(sysctl -n hw.mds_disable_state 2>/dev/null) ++ kernel_mds_state=$(@sysctl@ -n hw.mds_disable_state 2>/dev/null) + else + kernel_mds_state=inactive + fi +@@ -5296,16 +5296,16 @@ check_mds_linux() + 
_info_nol "* Kernel supports using MD_CLEAR mitigation: " + kernel_md_clear='' + kernel_md_clear_can_tell=1 +- if [ "$opt_live" = 1 ] && grep ^flags "$procfs/cpuinfo" | grep -qw md_clear; then ++ if [ "$opt_live" = 1 ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw md_clear; then + kernel_md_clear="md_clear found in $procfs/cpuinfo" + pstatus green YES "$kernel_md_clear" + fi + if [ -z "$kernel_md_clear" ]; then +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! command -v "@strings@" >/dev/null 2>&1; then + kernel_md_clear_can_tell=0 + elif [ -n "$kernel_err" ]; then + kernel_md_clear_can_tell=0 +- elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'Clear CPU buffers'; then ++ elif "@strings@" "$kernel" | @grep@ -q 'Clear CPU buffers'; then + _debug "md_clear: found 'Clear CPU buffers' string in kernel image" + kernel_md_clear='found md_clear implementation evidence in kernel image' + pstatus green YES "$kernel_md_clear" +@@ -5321,7 +5321,7 @@ check_mds_linux() + + if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then + _info_nol "* Kernel mitigation is enabled and active: " +- if echo "$fullmsg" | grep -qi ^mitigation; then ++ if echo "$fullmsg" | @grep@ -qi ^mitigation; then + mds_mitigated=1 + pstatus green YES + else +@@ -5329,7 +5329,7 @@ check_mds_linux() + pstatus yellow NO + fi + _info_nol "* SMT is either mitigated or disabled: " +- if echo "$fullmsg" | grep -Eq 'SMT (disabled|mitigated)'; then ++ if echo "$fullmsg" | @grep@ -Eq 'SMT (disabled|mitigated)'; then + mds_smt_mitigated=1 + pstatus green YES + else +@@ -5415,7 +5415,7 @@ check_CVE_2019_11135() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2019_11135_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2019_11135_bsd + else + _warn "Unsupported OS ($os)" +@@ -5436,7 +5436,7 @@ check_CVE_2019_11135_linux() + kernel_taa='' + if [ -n "$kernel_err" ]; then + 
kernel_taa_err="$kernel_err" +- elif grep -q 'tsx_async_abort' "$kernel"; then ++ elif @grep@ -q 'tsx_async_abort' "$kernel"; then + kernel_taa="found tsx_async_abort in kernel image" + fi + if [ -n "$kernel_taa" ]; then +@@ -5450,7 +5450,7 @@ check_CVE_2019_11135_linux() + _info_nol "* TAA mitigation enabled and active: " + if [ "$opt_live" = 1 ]; then + if [ -n "$fullmsg" ]; then +- if echo "$fullmsg" | grep -qE '^Mitigation'; then ++ if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then + pstatus green YES "$fullmsg" + else + pstatus yellow NO +@@ -5485,9 +5485,9 @@ check_CVE_2019_11135_linux() + else + if [ "$opt_paranoid" = 1 ]; then + # in paranoid mode, TSX or SMT enabled are not OK, even if TAA is mitigated +- if ! echo "$fullmsg" | grep -qF 'TSX disabled'; then ++ if ! echo "$fullmsg" | @grep@ -qF 'TSX disabled'; then + pvulnstatus $cve VULN "TSX must be disabled for full mitigation" +- elif echo "$fullmsg" | grep -qF 'SMT vulnerable'; then ++ elif echo "$fullmsg" | @grep@ -qF 'SMT vulnerable'; then + pvulnstatus $cve VULN "SMT (HyperThreading) must be disabled for full mitigation" + else + pvulnstatus $cve "$status" "$msg" +@@ -5517,7 +5517,7 @@ check_CVE_2018_12207() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2018_12207_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2018_12207_bsd + else + _warn "Unsupported OS ($os)" +@@ -5541,7 +5541,7 @@ check_CVE_2018_12207_linux() + if [ -n "$kernel_err" ]; then + kernel_itlbmh_err="$kernel_err" + # commit 5219505fcbb640e273a0d51c19c38de0100ec5a9 +- elif grep -q 'itlb_multihit' "$kernel"; then ++ elif @grep@ -q 'itlb_multihit' "$kernel"; then + kernel_itlbmh="found itlb_multihit in kernel image" + fi + if [ -n "$kernel_itlbmh" ]; then +@@ -5555,7 +5555,7 @@ check_CVE_2018_12207_linux() + _info_nol "* iTLB Multihit mitigation enabled and active: " + if [ "$opt_live" = 1 ]; then + if [ -n "$fullmsg" ]; then +- if 
echo "$fullmsg" | grep -qF 'Mitigation'; then ++ if echo "$fullmsg" | @grep@ -qF 'Mitigation'; then + pstatus green YES "$fullmsg" + else + pstatus yellow NO +@@ -5597,7 +5597,7 @@ check_CVE_2018_12207_linux() + check_CVE_2018_12207_bsd() + { + _info_nol "* Kernel supports disabling superpages for executable mappings under EPT: " +- kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept 2>/dev/null) ++ kernel_2m_x_ept=$(@sysctl@ -n vm.pmap.allow_2m_x_ept 2>/dev/null) + if [ -z "$kernel_2m_x_ept" ]; then + pstatus yellow NO + else +@@ -5634,7 +5634,7 @@ check_CVE_2020_0543() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2020_0543_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2020_0543_bsd + else + _warn "Unsupported OS ($os)" +@@ -5655,7 +5655,7 @@ check_CVE_2020_0543_linux() + kernel_srbds='' + if [ -n "$kernel_err" ]; then + kernel_srbds_err="$kernel_err" +- elif grep -q 'Dependent on hypervisor' "$kernel"; then ++ elif @grep@ -q 'Dependent on hypervisor' "$kernel"; then + kernel_srbds="found SRBDS implementation evidence in kernel image. 
Your kernel is up to date for SRBDS mitigation" + fi + if [ -n "$kernel_srbds" ]; then +@@ -5668,7 +5668,7 @@ check_CVE_2020_0543_linux() + _info_nol "* SRBDS mitigation control is enabled and active: " + if [ "$opt_live" = 1 ]; then + if [ -n "$fullmsg" ]; then +- if echo "$fullmsg" | grep -qE '^Mitigation'; then ++ if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then + pstatus green YES "$fullmsg" + else + pstatus yellow NO +@@ -5758,8 +5758,8 @@ fi + # now run the checks the user asked for + for cve in $supported_cve_list + do +- if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | grep -qw "$cve"; then +- check_"$(echo "$cve" | tr - _)" ++ if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | @grep@ -qw "$cve"; then ++ check_"$(echo "$cve" | @tr@ - _)" + _info + fi + done +@@ -5773,17 +5773,17 @@ if [ "$bad_accuracy" = 1 ]; then + _warn "We're missing some kernel info (see -v), accuracy might be reduced" + fi + +-_vars=$(set | grep -Ev '^[A-Z_[:space:]]' | grep -v -F 'mockme=' | sort | tr "\n" '|') ++_vars=$(set | @grep@ -Ev '^[A-Z_[:space:]]' | @grep@ -v -F 'mockme=' | @sort@ | @tr@ "\n" '|') + _debug "variables at end of script: $_vars" + + if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then +- if command -v "gzip" >/dev/null 2>&1; then ++ if command -v "@gzip@" >/dev/null 2>&1; then + # not a useless use of cat: gzipping cpuinfo directly doesn't work well + # shellcheck disable=SC2002 +- if command -v "base64" >/dev/null 2>&1; then +- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | base64 -w0)" +- elif command -v "uuencode" >/dev/null 2>&1; then +- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | uuencode -m - | grep -Fv 'begin-base64' | grep -Fxv -- '====' | tr -d "\n")" ++ if command -v "@base64@" >/dev/null 2>&1; then ++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @base64@ -w0)" ++ elif command -v "@uuencode@" >/dev/null 2>&1; then ++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @uuencode@ -m - | @grep@ -Fv 'begin-base64' | @grep@ -Fxv -- '====' | @tr@ -d 
"\n")" + fi + fi + if [ -n "$mock_cpuinfo" ]; then +@@ -5792,7 +5792,7 @@ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then + fi + _info "" + # shellcheck disable=SC2046 +- _warn "To mock this CPU, set those vars: "$(echo "$mockme" | sort -u) ++ _warn "To mock this CPU, set those vars: "$(echo "$mockme" | @sort@ -u) + fi + + if [ "$opt_explain" = 0 ]; then +-- +2.38.1 + diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch new file mode 100644 index 0000000000..afec52b418 --- /dev/null +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch @@ -0,0 +1,26 @@ +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001 +From: Hilton Chain <hako@ultrarare.space> +Date: Sat, 5 Nov 2022 23:22:31 +0800 +Subject: [PATCH] Add support for Guix System kernel. + +--- + spectre-meltdown-checker.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh +index 248a444..855a090 100755 +--- a/spectre-meltdown-checker.sh ++++ b/spectre-meltdown-checker.sh +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then + [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)" + # NixOS: + [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel" ++ # Guix System: ++ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage" + # systemd kernel-install: + [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux" + # Clear Linux: + +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183 +-- +2.38.0 base-commit: 70df5c47a89f4f353a1df94467581a0f0da599a4 -- 2.38.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
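Review bot: the hunk at @@ -3841 in check_CVE_2017_5715_linux (the `*)` case arm) and the hunk at @@ -5168 (the `# Microarchitectural Data Sampling Uncacheable Memory` comment) change no command at all; the removed and added lines read identically, so they can only be indentation or trailing-whitespace edits. Drop them from a command-substitution patch (or move them to a separate cleanup) so the diff stays reviewable and reapplies cleanly on the next upstream bump.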
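Review bot: the hunks at @@ -4219 (check_CVE_2017_5715_bsd), @@ -4339 (check_CVE_2017_5754_linux) and @@ -4960 (check_CVE_2018_3646_linux) swap the command for `@readelf@` / `@strings@` but leave the accompanying diagnostic as `missing '${opt_arch_prefix}readelf' tool` and `missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package`. After substitution the message names a tool that is no longer the one `command -v` tested, and on Guix "please install it" is not how the user would fix it. Update the string to the substituted command (or at least drop the `${opt_arch_prefix}` part) so the diagnostic matches what was actually checked.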
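Review bot: replacing `"${opt_arch_prefix}strings"`, `"${opt_arch_prefix}nm"` and `"${opt_arch_prefix}readelf"` with fixed `@strings@` / `@nm@` / `@readelf@` throughout means opt_arch_prefix is no longer honoured for any binutils call, so a check of a kernel image built for another architecture will silently run the host toolchain's tools instead of the prefixed ones. Either keep the prefix in front of the substituted basename, or say in the commit message that cross-architecture use through opt_arch_prefix is intentionally unsupported in the packaged script.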
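Review bot: in the Xen branches of check_CVE_2017_5754_linux (hunk @@ -4369) and check_CVE_2018_3646_linux (hunk @@ -4989), `dmesg` is an `xl` subcommand, not the dmesg executable, so `xl @dmesg@` is wrong: once `@dmesg@` is substituted with an absolute path, xl is handed that path as its subcommand name and the Xen PTI and L1D detection will fail. Keep these four lines as `xl dmesg | @grep@ ... | @head@ -1` and stage only grep and head.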
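Review bot: in the mitigated_processes pipeline of check_CVE_2018_3639_linux (hunk @@ -4639) every command in the pipe is staged except `readlink -f`, which is still invoked bare between `@xargs@ -r -n1` and `@basename@`. If the intent is that every external command is resolved at build time, stage it as `@readlink@` as well; otherwise it is the one command in that pipeline that still depends on PATH at run time.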
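Review bot: in the Guix System hunk of spectre-meltdown-checker-support-guix-system-kernel.patch, the new line only works because it is placed after the NixOS check: on Guix System `/run/booted-system/kernel` exists as a directory, so `[ -e "/run/booted-system/kernel" ]` is also true and first sets opt_kernel to that directory, which the Guix line then overwrites. Add a comment that the ordering is deliberate, or test the NixOS path with `-f` so a directory does not match. Also, `bzImage` is the x86 image name; other architectures produce a differently named image (for example `Image` on arm64), so this detection will not find the kernel on non-x86 Guix systems unless those names are added too.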
* [bug#59053] [PATCH v2] gnu: Add spectre-meltdown-checker. 2022-11-11 11:10 ` [bug#59053] [PATCH v2] " Hilton Chain via Guix-patches via @ 2022-11-11 15:13 ` Liliana Marie Prikler 2022-11-12 12:14 ` [bug#59053] [PATCH v3] " Hilton Chain via Guix-patches via 0 siblings, 1 reply; 12+ messages in thread From: Liliana Marie Prikler @ 2022-11-11 15:13 UTC (permalink / raw) To: Hilton Chain; +Cc: 59053 Hi, On Friday, 11.11.2022 at 19:10 +0800, Hilton Chain wrote: > * gnu/packages/linux.scm (spectre-meltdown-checker): New variable. > * gnu/packages/patches/spectre-meltdown-checker-support-guix-system- > kernel.patch: > New file. > * gnu/packages/patches/spectre-meltdown-checker-stage-commands-for- > substitution.patch: > New file. > * gnu/packages/patches/spectre-meltdown-checker-remove-builtin- > firmware-database.patch: > New file. > * gnu/local.mk (dist_patch_DATA): Add patches. > --- > v1 -> v2: > > gnu/local.mk | 3 + > gnu/packages/linux.scm | 53 + > ...ker-remove-builtin-firmware-database.patch | 554 +++++ > ...cker-stage-commands-for-substitution.patch | 1947 > +++++++++++++++++ > ...n-checker-support-guix-system-kernel.patch | 26 + > 5 files changed, 2583 insertions(+) > create mode 100644 gnu/packages/patches/spectre-meltdown-checker- > remove-builtin-firmware-database.patch > create mode 100644 gnu/packages/patches/spectre-meltdown-checker- > stage-commands-for-substitution.patch > create mode 100644 gnu/packages/patches/spectre-meltdown-checker- > support-guix-system-kernel.patch > > diff --git a/gnu/local.mk b/gnu/local.mk > index 27b31ea27f..d518cd8641 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk 
> @@ -1851,6 +1851,9 @@ dist_patch_DATA > = \ > %D%/packages/patches/syslinux-strip-gnu-property.patch \ > %D%/packages/patches/snappy-add-O2-flag-in- > CmakeLists.txt.patch \ > %D%/packages/patches/snappy-add-inline-for-GCC.patch \ > + %D%/packages/patches/spectre-meltdown-checker-support-guix-system- > kernel.patch \ > + %D%/packages/patches/spectre-meltdown-checker-stage-commands-for- > substitution.patch \ > + %D%/packages/patches/spectre-meltdown-checker-remove-builtin- > firmware-database.patch \ > %D%/packages/patches/sphinxbase-fix-doxygen.patch \ > %D%/packages/patches/spice-vdagent-glib-2.68.patch \ > %D%/packages/patches/sssd-optional-systemd.patch \ > diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm > index 2c06269504..5a0d55833a 100644 > --- a/gnu/packages/linux.scm > +++ b/gnu/packages/linux.scm 
> @@ -9595,3 +9595,56 @@ (define-public edac-utils > error detection and correction (EDAC).") > (home-page "https://github.com/grondo/edac-utils") > (license license:gpl2+))) > + > +(define-public spectre-meltdown-checker > + (package > + (name "spectre-meltdown-checker") > + (version "0.45") > + (source (origin > + (method git-fetch) > + (uri (git-reference > + (url > "https://github.com/speed47/spectre-meltdown-checker") > + (commit (string-append "v" version)))) > + (file-name (git-file-name name version)) > + (patches > + (search-patches > + ;; > https://github.com/speed47/spectre-meltdown-checker/pull/441 > + "spectre-meltdown-checker-support-guix-system- > kernel.patch" > + ;; NOTE: Update these patches when updating. > + "spectre-meltdown-checker-stage-commands-for- > substitution.patch" > + "spectre-meltdown-checker-remove-builtin-firmware- > database.patch")) > + (sha256 > + (base32 > + > "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8")))) > + (build-system copy-build-system) > + (arguments > + (list #:install-plan > + #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown- > checker")) > + #:phases > + #~(modify-phases %standard-phases > + (add-after 'unpack 'fixpath > + (lambda* (#:key inputs #:allow-other-keys) > + (substitute* "spectre-meltdown-checker.sh" > + (("@sysctl@") (search-input-file inputs > "/sbin/sysctl")) > + (("@([a-z0-9]*)@" _ m _) > + (search-input-file inputs (string-append > "/bin/" m))))))))) I'd prefer "command" instead of m as a variable name here. 
> + (inputs > + (list binutils > + coreutils > + grep > + kmod > + lz4 > + lzop > + perl > + procps > + sharutils > + util-linux > + which > + zstd)) > + (home-page > "https://github.com/speed47/spectre-meltdown-checker") > + (synopsis "CPU vulnerability / mitigation checker") > + (description > + "This package provides a shell script to assess your system's > resilience > +against the several transient execution CVEs that were published > since early > +2018, and give you guidance as to how to mitigate them.") > + (license license:gpl3))) > diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove- > builtin-firmware-database.patch b/gnu/packages/patches/spectre- > meltdown-checker-remove-builtin-firmware-database.patch > new file mode 100644 > index 0000000000..e926551550 > --- /dev/null > +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin- > firmware-database.patch 
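Review bot: the `inputs` list in this hunk does not cover every command the `@([a-z0-9]*)@` substitution has to resolve. The staged command list in the accompanying patch includes `sed`, `awk`, `find`, `xargs`, `gzip`/`gunzip`, `unxz`/`unlzma`, `bunzip2` and `getent`, whose providers (sed, gawk, findutils, gzip, xz, bzip2 and glibc) are absent here; `search-input-file` aborts the build when a file is not among the inputs, so this builds only because copy-build-system's implicit inputs supply them. Listing those packages explicitly documents the runtime closure and keeps the build from breaking if the implicit set changes. Separately, `@([a-z0-9]*)@` also matches an empty `@@`, so `+` rather than `*` is the safer quantifier for the placeholder regex.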
> @@ -0,0 +1,554 @@ > +From ac4bb2e61e4e8d195d560014816e107b315817ff Mon Sep 17 00:00:00 > 2001 > +From: Hilton Chain <hako@ultrarare.space> > +Date: Fri, 11 Nov 2022 18:55:25 +0800 > +Subject: [PATCH 2/2] Remove builtin firmware database. > + > +--- > + spectre-meltdown-checker.sh | 477 ++------------------------------- > --- > + 1 file changed, 27 insertions(+), 450 deletions(-) > + > +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown- > checker.sh > +index 82cf1b6..79c4bb7 100755 > +--- a/spectre-meltdown-checker.sh > ++++ b/spectre-meltdown-checker.sh > +@@ -95,7 +95,6 @@ show_usage() > + --cpu [#,all] interact with CPUID and MSR > of CPU core number #, or all (default: CPU core 0) > + --update-fwdb update our local copy of the > CPU microcodes versions database (using the awesome > + MCExtractor project and the > Intel firmwares GitHub repository) > +- --update-builtin-fwdb same as --update-fwdb but > update builtin DB inside the script itself > + --dump-mock-data used to mimick a CPU on an > other system, mainly used to help debugging this script > + > + Return codes: > +@@ -853,9 +852,9 @@ update_fwdb() > + mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)" > + mcedb_url=' > https://github.com/platomav/MCExtractor/raw/master/MCE.db' > + _info_nol "Fetching MCE.db from the MCExtractor project... " > +- if command -v wget >/dev/null 2>&1; then > +- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$? > +- elif command -v curl >/dev/null 2>&1; then > ++ # if command -v wget >/dev/null 2>&1; then > ++ # wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$? > ++ if command -v curl >/dev/null 2>&1; then > + curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$? > + elif command -v fetch >/dev/null 2>&1; then > + fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$? The curl line and fetch line do the same thing as the wget line. Prefer removal over commenting. 
> +@@ -874,9 +873,9 @@ update_fwdb() > + intel_url=" > https://github.com/intel/Intel-Linux-Processor-Microcode-Data- > Files/archive/main.zip" > + _info_nol "Fetching Intel firmwares... " > + ## > https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git > +- if command -v wget >/dev/null 2>&1; then > +- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$? > +- elif command -v curl >/dev/null 2>&1; then > ++ # if command -v wget >/dev/null 2>&1; then > ++ # wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$? > ++ if command -v curl >/dev/null 2>&1; then > + curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$? > + elif command -v fetch >/dev/null 2>&1; then > + fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$? Same here. > +@@ -969,13 +968,13 @@ update_fwdb() > + } > "$mcedb_cache" > + echo DONE "(version $dbversion)" > + > +- if [ "$1" = builtin ]; then > +- newfile=$(@mktemp@ -t smc-builtin-XXXXXX) > +- @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > > "$newfile" > +- @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> > "$newfile" > +- @cat@ "$newfile" > "$0" > +- @rm@ -f "$newfile" > +- fi > ++ # if [ "$1" = builtin ]; then > ++ # newfile=$(@mktemp@ -t smc-builtin-XXXXXX) > ++ # @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > > "$newfile" > ++ # @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> > "$newfile" > ++ # @cat@ "$newfile" > "$0" > ++ # @rm@ -f "$newfile" > ++ # fi This time, it seems completely removed, but still prefer removal over commenting. > + } > + > + parse_opt_file() > +@@ -1070,9 +1069,9 @@ while [ -n "${1:-}" ]; do > + elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" > ]; then > + update_fwdb > + exit $? > +- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "-- > update-builtin-mcedb" ]; then > +- update_fwdb builtin > +- exit $? > ++ # elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "-- > update-builtin-mcedb" ]; then > ++ # update_fwdb builtin > ++ # exit $? 
> + elif [ "$1" = "--dump-mock-data" ]; then > + opt_mock=1 > + shift > +@@ -2033,22 +2032,22 @@ is_xen_domU() > + fi > + } > + > +-builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0") > ++# builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0") > + if [ -r "$mcedb_cache" ]; then > + # we have a local cache file, but it might be older than the > builtin version we have > + local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }' > "$mcedb_cache") > + # sort -V sorts by version number > +- older_dbversion=$(printf "%b\n%b" "$local_dbversion" > "$builtin_dbversion" | @sort@ -V | @head@ -n1) > +- if [ "$older_dbversion" = "$builtin_dbversion" ]; then > ++ # older_dbversion=$(printf "%b\n%b" "$local_dbversion" > "$builtin_dbversion" | @sort@ -V | @head@ -n1) > ++ # if [ "$older_dbversion" = "$builtin_dbversion" ]; then > + mcedb_source="$mcedb_cache" > + mcedb_info="local firmwares DB $local_dbversion" > +- fi > ++ # fi > + fi > + # if mcedb_source is not set, either we don't have a local cached > db, or it is older than the builtin db > +-if [ -z "${mcedb_source:-}" ]; then > +- mcedb_source="$0" > +- mcedb_info="builtin firmwares DB $builtin_dbversion" > +-fi > ++# if [ -z "${mcedb_source:-}" ]; then > ++# mcedb_source="$0" > ++# mcedb_info="builtin firmwares DB $builtin_dbversion" > ++# fi I'm not sure whether this is correctly patched. > + read_mcedb() > + { > + @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { > DELIM=1 }' "$mcedb_source" > +@@ -2070,6 +2069,9 @@ is_latest_known_ucode() > + else > + return 2 > + fi > ++ if [ -z "$mcedb_source" ]; then > ++ return 2 > ++ fi Here neither, what does the return 2 above do? 
> + for tuple in $(read_mcedb | @grep@ "$(printf > "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")") > + do > + ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) )) > +@@ -5833,428 +5835,3 @@ fi > + [ "$global_critical" = 1 ] && exit 2 # critical > + [ "$global_unknown" = 1 ] && exit 3 # unknown > + exit 0 # ok > +- > +-# We're using MCE.db from the excellent platomav's MCExtractor > project > +-# The builtin version follows, but the user can download an up-to- > date copy (to be stored in his $HOME) by using --update-fwdb > +-# To update the builtin version itself (by *modifying* this very > file), use --update-builtin-fwdb > +- Can we remove this builtin version without a patch, i.e. a snippet? I think that doing so would be more robust than keeping the patch up to date. > +-# %%% MCEDB v222+i20220208 > +-# I,0x00000611,0x00000B27,19961218 > +-# I,0x00000612,0x000000C6,19961210 > +-# I,0x00000616,0x000000C6,19961210 > +-# I,0x00000617,0x000000C6,19961210 > +-# I,0x00000619,0x000000D2,19980218 > +-# I,0x00000630,0x00000013,19960827 > +-# I,0x00000632,0x00000020,19960903 > +-# I,0x00000633,0x00000036,19980923 > +-# I,0x00000634,0x00000037,19980923 > +-# I,0x00000650,0x00000045,19990525 > +-# I,0x00000651,0x00000042,19990525 > +-# I,0x00000652,0x0000002D,19990518 > +-# I,0x00000653,0x00000010,19990628 > +-# I,0x00000660,0x0000000A,19990505 > +-# I,0x00000665,0x00000003,19990505 > +-# I,0x0000066A,0x0000000D,19990505 > +-# I,0x0000066D,0x00000007,19990505 > +-# I,0x00000670,0x00000007,19980602 > +-# I,0x00000671,0x00000014,19980811 > +-# I,0x00000672,0x00000038,19990922 > +-# I,0x00000673,0x0000002E,19990910 > +-# I,0x00000680,0x00000017,19990610 > +-# I,0x00000681,0x00000014,19991209 > +-# I,0x00000683,0x00000014,20010206 > +-# I,0x00000686,0x00000008,20000505 > +-# I,0x0000068A,0x00000005,20001207 > +-# I,0x00000690,0x00000004,20000206 > +-# I,0x00000691,0x00000001,20020527 > +-# I,0x00000692,0x00000001,20020620 > +-# I,0x00000694,0x00000002,20020926 > +-# 
I,0x00000695,0x00000047,20041109 > +-# I,0x00000696,0x00000001,20000707 > +-# I,0x000006A0,0x00000003,20000110 > +-# I,0x000006A1,0x00000001,20000306 > +-# I,0x000006A4,0x00000001,20000616 > +-# I,0x000006B0,0x0000001A,20010129 > +-# I,0x000006B1,0x0000001D,20010220 > +-# I,0x000006B4,0x00000002,20020111 > +-# I,0x000006D0,0x00000006,20030522 > +-# I,0x000006D1,0x00000009,20030709 > +-# I,0x000006D2,0x00000010,20030814 > +-# I,0x000006D6,0x00000018,20041017 > +-# I,0x000006D8,0x00000021,20060831 > +-# I,0x000006E0,0x00000008,20050215 > +-# I,0x000006E1,0x0000000C,20050413 > +-# I,0x000006E4,0x00000026,20050816 > +-# I,0x000006E8,0x0000003C,20060208 > +-# I,0x000006EC,0x0000005B,20070208 > +-# I,0x000006F0,0x00000005,20050818 > +-# I,0x000006F1,0x00000012,20051129 > +-# I,0x000006F2,0x0000005D,20101002 > +-# I,0x000006F4,0x00000028,20060417 > +-# I,0x000006F5,0x00000039,20060727 > +-# I,0x000006F6,0x000000D2,20101001 > +-# I,0x000006F7,0x0000006B,20101002 > +-# I,0x000006F9,0x00000084,20061012 > +-# I,0x000006FA,0x00000095,20101002 > +-# I,0x000006FB,0x000000C1,20111004 > +-# I,0x000006FD,0x000000A4,20101002 > +-# I,0x00000F00,0xFFFF0001,20000130 > +-# I,0x00000F01,0xFFFF0007,20000404 > +-# I,0x00000F02,0xFFFF000B,20000518 > +-# I,0x00000F03,0xFFFF0001,20000518 > +-# I,0x00000F04,0xFFFF0010,20000803 > +-# I,0x00000F05,0x0000000C,20000824 > +-# I,0x00000F06,0x00000004,20000911 > +-# I,0x00000F07,0x00000012,20020716 > +-# I,0x00000F08,0x00000008,20001101 > +-# I,0x00000F09,0x00000008,20010104 > +-# I,0x00000F0A,0x00000015,20020821 > +-# I,0x00000F11,0x0000000A,20030729 > +-# I,0x00000F12,0x0000002F,20030502 > +-# I,0x00000F13,0x00000005,20030508 > +-# I,0x00000F20,0x00000001,20010423 > +-# I,0x00000F21,0x00000003,20010529 > +-# I,0x00000F22,0x00000005,20030729 > +-# I,0x00000F23,0x0000000D,20010817 > +-# I,0x00000F24,0x00000021,20030610 > +-# I,0x00000F25,0x0000002C,20040826 > +-# I,0x00000F26,0x00000010,20040805 > +-# I,0x00000F27,0x00000039,20030604 > +-# 
I,0x00000F29,0x0000002F,20040811 > +-# I,0x00000F30,0x00000013,20030815 > +-# I,0x00000F31,0x0000000B,20031021 > +-# I,0x00000F32,0x0000000A,20040511 > +-# I,0x00000F33,0x0000000C,20050421 > +-# I,0x00000F34,0x00000017,20050421 > +-# I,0x00000F36,0x00000007,20040309 > +-# I,0x00000F37,0x00000003,20031218 > +-# I,0x00000F40,0x00000006,20040318 > +-# I,0x00000F41,0x00000017,20050422 > +-# I,0x00000F42,0x00000003,20050421 > +-# I,0x00000F43,0x00000005,20050421 > +-# I,0x00000F44,0x00000006,20050421 > +-# I,0x00000F46,0x00000004,20050411 > +-# I,0x00000F47,0x00000003,20050421 > +-# I,0x00000F48,0x0000000E,20080115 > +-# I,0x00000F49,0x00000003,20050421 > +-# I,0x00000F4A,0x00000004,20051214 > +-# I,0x00000F60,0x00000005,20050124 > +-# I,0x00000F61,0x00000008,20050610 > +-# I,0x00000F62,0x0000000F,20051215 > +-# I,0x00000F63,0x00000005,20051010 > +-# I,0x00000F64,0x00000004,20051223 > +-# I,0x00000F65,0x0000000B,20070510 > +-# I,0x00000F66,0x0000001B,20060310 > +-# I,0x00000F68,0x00000009,20060714 > +-# I,0x00001632,0x00000002,19980610 > +-# I,0x00010650,0x00000002,20060513 > +-# I,0x00010660,0x00000004,20060612 > +-# I,0x00010661,0x00000045,20101004 > +-# I,0x00010670,0x00000005,20070209 > +-# I,0x00010671,0x00000106,20070329 > +-# I,0x00010674,0x84050100,20070726 > +-# I,0x00010676,0x00000612,20150802 > +-# I,0x00010677,0x0000070D,20150802 > +-# I,0x0001067A,0x00000A0E,20150729 > +-# I,0x000106A0,0xFFFF001A,20071128 > +-# I,0x000106A1,0xFFFF000B,20080220 > +-# I,0x000106A2,0xFFFF0019,20080714 > +-# I,0x000106A4,0x00000013,20150630 > +-# I,0x000106A5,0x0000001D,20180511 > +-# I,0x000106C0,0x00000007,20070824 > +-# I,0x000106C1,0x00000109,20071203 > +-# I,0x000106C2,0x00000219,20090410 > +-# I,0x000106C9,0x00000007,20090213 > +-# I,0x000106CA,0x00000107,20090825 > +-# I,0x000106D0,0x00000005,20071204 > +-# I,0x000106D1,0x0000002A,20150803 > +-# I,0x000106E0,0xFFFF0022,20090116 > +-# I,0x000106E1,0xFFFF000D,20090206 > +-# I,0x000106E2,0xFFFF0011,20090924 > +-# 
I,0x000106E3,0xFFFF0011,20090512 > +-# I,0x000106E4,0x00000003,20130701 > +-# I,0x000106E5,0x0000000A,20180508 > +-# I,0x000106F0,0xFFFF0009,20090210 > +-# I,0x000106F1,0xFFFF0007,20090210 > +-# I,0x00020650,0xFFFF0008,20090218 > +-# I,0x00020651,0xFFFF0018,20090818 > +-# I,0x00020652,0x00000011,20180508 > +-# I,0x00020654,0xFFFF0007,20091124 > +-# I,0x00020655,0x00000007,20180423 > +-# I,0x00020661,0x00000105,20110718 > +-# I,0x000206A0,0x00000029,20091102 > +-# I,0x000206A1,0x00000007,20091223 > +-# I,0x000206A2,0x00000027,20100502 > +-# I,0x000206A3,0x00000009,20100609 > +-# I,0x000206A4,0x00000022,20100414 > +-# I,0x000206A5,0x00000007,20100722 > +-# I,0x000206A6,0x90030028,20100924 > +-# I,0x000206A7,0x0000002F,20190217 > +-# I,0x000206C0,0xFFFF001C,20091214 > +-# I,0x000206C1,0x00000006,20091222 > +-# I,0x000206C2,0x0000001F,20180508 > +-# I,0x000206D0,0x80000006,20100816 > +-# I,0x000206D1,0x80000106,20101201 > +-# I,0x000206D2,0xAF506958,20110714 > +-# I,0x000206D3,0xAF50696A,20110816 > +-# I,0x000206D5,0xAF5069E5,20120118 > +-# I,0x000206D6,0x00000621,20200304 > +-# I,0x000206D7,0x0000071A,20200324 > +-# I,0x000206E0,0xE3493401,20090108 > +-# I,0x000206E1,0xE3493402,20090224 > +-# I,0x000206E2,0xFFFF0004,20081001 > +-# I,0x000206E3,0xE4486547,20090701 > +-# I,0x000206E4,0xFFFF0008,20090619 > +-# I,0x000206E5,0xFFFF0018,20091215 > +-# I,0x000206E6,0x0000000D,20180515 > +-# I,0x000206F0,0x00000005,20100729 > +-# I,0x000206F1,0x00000008,20101013 > +-# I,0x000206F2,0x0000003B,20180516 > +-# I,0x00030650,0x00000009,20120118 > +-# I,0x00030651,0x00000110,20131014 > +-# I,0x00030660,0x00000003,20101103 > +-# I,0x00030661,0x0000010F,20150721 > +-# I,0x00030669,0x0000010D,20130515 > +-# I,0x00030671,0x00000117,20130410 > +-# I,0x00030672,0x0000022E,20140401 > +-# I,0x00030673,0x83290100,20190916 > +-# I,0x00030678,0x00000838,20190422 > +-# I,0x00030679,0x0000090D,20190710 > +-# I,0x000306A0,0x00000007,20110407 > +-# I,0x000306A2,0x0000000C,20110725 > +-# 
I,0x000306A4,0x00000007,20110908 > +-# I,0x000306A5,0x00000009,20111110 > +-# I,0x000306A6,0x00000004,20111114 > +-# I,0x000306A8,0x00000010,20120220 > +-# I,0x000306A9,0x00000021,20190213 > +-# I,0x000306C0,0xFFFF0013,20111110 > +-# I,0x000306C1,0xFFFF0014,20120725 > +-# I,0x000306C2,0xFFFF0006,20121017 > +-# I,0x000306C3,0x00000028,20191112 > +-# I,0x000306D1,0xFFFF0009,20131015 > +-# I,0x000306D2,0xFFFF0009,20131219 > +-# I,0x000306D3,0xE3121338,20140825 > +-# I,0x000306D4,0x0000002F,20191112 > +-# I,0x000306E0,0xE920080F,20121113 > +-# I,0x000306E2,0xE9220827,20130523 > +-# I,0x000306E3,0x00000308,20130321 > +-# I,0x000306E4,0x0000042E,20190314 > +-# I,0x000306E6,0x00000600,20130619 > +-# I,0x000306E7,0x00000715,20190314 > +-# I,0x000306F0,0xFFFF0017,20130730 > +-# I,0x000306F1,0xD141D629,20140416 > +-# I,0x000306F2,0x00000049,20210811 > +-# I,0x000306F3,0x0000000D,20160211 > +-# I,0x000306F4,0x0000001A,20210524 > +-# I,0x00040650,0xFFFF000B,20121206 > +-# I,0x00040651,0x00000026,20191112 > +-# I,0x00040660,0xFFFF0011,20121012 > +-# I,0x00040661,0x0000001C,20191112 > +-# I,0x00040670,0xFFFF0006,20140304 > +-# I,0x00040671,0x00000022,20191112 > +-# I,0x000406A0,0x80124001,20130521 > +-# I,0x000406A8,0x0000081F,20140812 > +-# I,0x000406A9,0x0000081F,20140812 > +-# I,0x000406C1,0x0000010B,20140814 > +-# I,0x000406C2,0x00000221,20150218 > +-# I,0x000406C3,0x00000368,20190423 > +-# I,0x000406C4,0x00000411,20190423 > +-# I,0x000406D0,0x0000000E,20130612 > +-# I,0x000406D8,0x0000012D,20190916 > +-# I,0x000406E1,0x00000020,20141111 > +-# I,0x000406E2,0x0000002C,20150521 > +-# I,0x000406E3,0x000000EC,20210428 > +-# I,0x000406E8,0x00000026,20160414 > +-# I,0x000406F0,0x00000014,20150702 > +-# I,0x000406F1,0x0B000040,20210519 > +-# I,0x00050650,0x8000002B,20160208 > +-# I,0x00050651,0x8000002B,20160208 > +-# I,0x00050652,0x80000037,20170502 > +-# I,0x00050653,0x0100015C,20210526 > +-# I,0x00050654,0x02006C0A,20210616 > +-# I,0x00050655,0x03000012,20190412 > +-# 
I,0x00050656,0x0400320A,20210813 > +-# I,0x00050657,0x0500320A,20210813 > +-# I,0x0005065A,0x86002302,20210416 > +-# I,0x0005065B,0x07002402,20210604 > +-# I,0x00050661,0xF1000008,20150130 > +-# I,0x00050662,0x0000001C,20190617 > +-# I,0x00050663,0x0700001C,20210612 > +-# I,0x00050664,0x0F00001A,20210612 > +-# I,0x00050665,0x0E000014,20210918 > +-# I,0x00050670,0xFFFF0030,20151113 > +-# I,0x00050671,0x000001B6,20180108 > +-# I,0x000506A0,0x00000038,20150112 > +-# I,0x000506C2,0x00000014,20180511 > +-# I,0x000506C8,0x90011010,20160323 > +-# I,0x000506C9,0x00000046,20210510 > +-# I,0x000506CA,0x00000022,20210622 > +-# I,0x000506D1,0x00000102,20150605 > +-# I,0x000506E0,0x00000018,20141119 > +-# I,0x000506E1,0x0000002A,20150602 > +-# I,0x000506E2,0x0000002E,20150815 > +-# I,0x000506E3,0x000000F0,20211112 > +-# I,0x000506E8,0x00000034,20160710 > +-# I,0x000506F0,0x00000010,20160607 > +-# I,0x000506F1,0x00000036,20210510 > +-# I,0x00060660,0x0000000C,20160821 > +-# I,0x00060661,0x0000000E,20170128 > +-# I,0x00060662,0x00000022,20171129 > +-# I,0x00060663,0x0000002A,20180417 > +-# I,0x000606A0,0x80000031,20200308 > +-# I,0x000606A4,0x0B000280,20200817 > +-# I,0x000606A5,0x0C0002F0,20210308 > +-# I,0x000606A6,0x0D000332,20211217 > +-# I,0x000606E0,0x0000000B,20161104 > +-# I,0x000606E1,0x00000108,20190423 > +-# I,0x000706A0,0x00000026,20170712 > +-# I,0x000706A1,0x00000038,20210510 > +-# I,0x000706A8,0x0000001C,20210510 > +-# I,0x000706E0,0x0000002C,20180614 > +-# I,0x000706E1,0x00000042,20190420 > +-# I,0x000706E2,0x00000042,20190420 > +-# I,0x000706E3,0x81000008,20181002 > +-# I,0x000706E4,0x00000046,20190905 > +-# I,0x000706E5,0x000000A8,20210526 > +-# I,0x00080650,0x00000018,20180108 > +-# I,0x00080664,0x0B00000F,20210217 > +-# I,0x00080665,0x0B00000F,20210217 > +-# I,0x000806A0,0x00000010,20190507 > +-# I,0x000806A1,0x0000002D,20210902 > +-# I,0x000806C0,0x00000068,20200402 > +-# I,0x000806C1,0x0000009C,20211026 > +-# I,0x000806C2,0x00000022,20210716 > +-# 
I,0x000806D0,0x00000050,20201217 > +-# I,0x000806D1,0x0000003C,20210716 > +-# I,0x000806E9,0x000000EC,20210428 > +-# I,0x000806EA,0x000000EC,20210428 > +-# I,0x000806EB,0x000000EC,20210428 > +-# I,0x000806EC,0x000000EC,20210428 > +-# I,0x00090660,0x00000009,20200617 > +-# I,0x00090661,0x00000015,20210921 > +-# I,0x00090670,0x00000019,20201111 > +-# I,0x00090671,0x0000001C,20210614 > +-# I,0x00090672,0x0000001F,20220303 > +-# I,0x00090674,0x00000219,20210425 > +-# I,0x00090675,0x0000001F,20220303 > +-# I,0x000906A0,0x0000001C,20210614 > +-# I,0x000906A1,0x0000011F,20211104 > +-# I,0x000906A2,0x00000315,20220102 > +-# I,0x000906A3,0x0000041B,20220308 > +-# I,0x000906A4,0x0000041B,20220308 > +-# I,0x000906C0,0x2400001F,20210809 > +-# I,0x000906E9,0x000000F0,20211112 > +-# I,0x000906EA,0x000000EC,20210428 > +-# I,0x000906EB,0x000000EC,20210428 > +-# I,0x000906EC,0x000000EC,20210428 > +-# I,0x000906ED,0x000000EC,20210428 > +-# I,0x000A0650,0x000000BE,20191010 > +-# I,0x000A0651,0x000000C2,20191113 > +-# I,0x000A0652,0x000000EC,20210428 > +-# I,0x000A0653,0x000000EC,20210428 > +-# I,0x000A0654,0x000000C6,20200123 > +-# I,0x000A0655,0x000000EE,20210428 > +-# I,0x000A0660,0x000000EA,20210428 > +-# I,0x000A0661,0x000000EC,20210429 > +-# I,0x000A0670,0x0000002C,20201124 > +-# I,0x000A0671,0x00000050,20210829 > +-# I,0x000A0680,0x80000002,20200121 > +-# I,0x000B0670,0x00000009,20211115 > +-# I,0x000B06F2,0x0000001F,20220303 > +-# I,0x000B06F5,0x0000001F,20220303 > +-# A,0x00000F00,0x02000008,20070614 > +-# A,0x00000F01,0x0000001C,20021031 > +-# A,0x00000F10,0x00000003,20020325 > +-# A,0x00000F11,0x0000001F,20030220 > +-# A,0x00000F48,0x00000046,20040719 > +-# A,0x00000F4A,0x00000047,20040719 > +-# A,0x00000F50,0x00000024,20021212 > +-# A,0x00000F51,0x00000025,20030115 > +-# A,0x00010F50,0x00000041,20040225 > +-# A,0x00020F10,0x0000004D,20050428 > +-# A,0x00040F01,0xC0012102,20050916 > +-# A,0x00040F0A,0x00000068,20060920 > +-# A,0x00040F13,0x0000007A,20080508 > +-# 
A,0x00040F14,0x00000062,20060127 > +-# A,0x00040F1B,0x0000006D,20060920 > +-# A,0x00040F33,0x0000007B,20080514 > +-# A,0x00060F80,0x00000083,20060929 > +-# A,0x000C0F1B,0x0000006E,20060921 > +-# A,0x000F0F00,0x00000005,20020627 > +-# A,0x000F0F01,0x00000015,20020627 > +-# A,0x00100F00,0x01000020,20070326 > +-# A,0x00100F20,0x010000CA,20100331 > +-# A,0x00100F22,0x010000C9,20100331 > +-# A,0x00100F40,0x01000085,20080501 > +-# A,0x00100F41,0x010000DB,20111024 > +-# A,0x00100F42,0x01000092,20081021 > +-# A,0x00100F43,0x010000C8,20100311 > +-# A,0x00100F62,0x010000C7,20100311 > +-# A,0x00100F80,0x010000DA,20111024 > +-# A,0x00100F81,0x010000D9,20111012 > +-# A,0x00100FA0,0x010000DC,20111024 > +-# A,0x00120F00,0x03000002,20100324 > +-# A,0x00200F30,0x02000018,20070921 > +-# A,0x00200F31,0x02000057,20080502 > +-# A,0x00200F32,0x02000034,20080307 > +-# A,0x00300F01,0x0300000E,20101004 > +-# A,0x00300F10,0x03000027,20111309 > +-# A,0x00500F00,0x0500000B,20100601 > +-# A,0x00500F01,0x0500001A,20100908 > +-# A,0x00500F10,0x05000029,20130121 > +-# A,0x00500F20,0x05000119,20130118 > +-# A,0x00580F00,0x0500000B,20100601 > +-# A,0x00580F01,0x0500001A,20100908 > +-# A,0x00580F10,0x05000028,20101124 > +-# A,0x00580F20,0x05000103,20110526 > +-# A,0x00600F00,0x06000017,20101029 > +-# A,0x00600F01,0x0600011F,20110227 > +-# A,0x00600F10,0x06000425,20110408 > +-# A,0x00600F11,0x0600050D,20110627 > +-# A,0x00600F12,0x0600063E,20180207 > +-# A,0x00600F20,0x06000852,20180206 > +-# A,0x00610F00,0x0600100E,20111102 > +-# A,0x00610F01,0x0600111F,20180305 > +-# A,0x00630F00,0x0600301C,20130817 > +-# A,0x00630F01,0x06003109,20180227 > +-# A,0x00660F00,0x06006012,20141014 > +-# A,0x00660F01,0x0600611A,20180126 > +-# A,0x00670F00,0x06006705,20180220 > +-# A,0x00680F00,0x06000017,20101029 > +-# A,0x00680F01,0x0600011F,20110227 > +-# A,0x00680F10,0x06000410,20110314 > +-# A,0x00690F00,0x06001009,20110613 > +-# A,0x00700F00,0x0700002A,20121218 > +-# A,0x00700F01,0x07000110,20180209 > +-# 
A,0x00730F00,0x07030009,20131206 > +-# A,0x00730F01,0x07030106,20180209 > +-# A,0x00800F00,0x0800002A,20161006 > +-# A,0x00800F10,0x0800100C,20170131 > +-# A,0x00800F11,0x08001138,20190204 > +-# A,0x00800F12,0x0800126E,20211111 > +-# A,0x00800F82,0x0800820D,20190416 > +-# A,0x00810F00,0x08100004,20161120 > +-# A,0x00810F10,0x08101016,20190430 > +-# A,0x00810F11,0x08101103,20190417 > +-# A,0x00810F80,0x08108002,20180605 > +-# A,0x00810F81,0x08108109,20190417 > +-# A,0x00820F00,0x08200002,20180214 > +-# A,0x00820F01,0x08200103,20190417 > +-# A,0x00830F00,0x08300027,20190401 > +-# A,0x00830F10,0x08301052,20211111 > +-# A,0x00850F00,0x08500004,20180212 > +-# A,0x00860F00,0x0860000E,20200127 > +-# A,0x00860F01,0x08600106,20200619 > +-# A,0x00860F81,0x08608103,20200702 > +-# A,0x00870F00,0x08700004,20181206 > +-# A,0x00870F10,0x08701021,20200125 > +-# A,0x00A00F00,0x0A000033,20200413 > +-# A,0x00A00F10,0x0A001053,20211217 > +-# A,0x00A00F11,0x0A00115D,20211119 > +-# A,0x00A00F12,0x0A001227,20211215 > +-# A,0x00A00F80,0x0A008003,20211015 > +-# A,0x00A00F82,0x0A008204,20211015 > +-# A,0x00A20F00,0x0A200025,20200121 > +-# A,0x00A20F10,0x0A201016,20210408 > +-# A,0x00A20F12,0x0A201205,20210719 > +-# A,0x00A50F00,0x0A50000C,20201208 > +-- > +2.38.1 > + > diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage- > commands-for-substitution.patch b/gnu/packages/patches/spectre- > meltdown-checker-stage-commands-for-substitution.patch > new file mode 100644 > index 0000000000..a2f13e4195 > --- /dev/null > +++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands- > for-substitution.patch 
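Review bot: in the `is_latest_known_ucode()` part of this hunk the new guard reads `[ -z "$mcedb_source" ]`, while the original test it stands in for (now commented out) used `[ -z "${mcedb_source:-}" ]`. Since `mcedb_source` is never assigned when `$mcedb_cache` is unreadable, the bare expansion aborts the script under `set -u` (the `${...:-}` style used throughout suggests nounset is expected) instead of returning 2; use `"${mcedb_source:-}"` here. In the same hunk, the `update_fwdb()` changes drop the `wget` branch but leave `curl` and `fetch` unstaged, and neither is among the package inputs, so `--update-fwdb` now silently depends on whatever is on the user's PATH; either stage `@curl@` and add curl to inputs, or state that requirement in the description.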
> @@ -0,0 +1,1947 @@ > +From 4dc8ae01aec5a8a2aa2afc015603261d514620ae Mon Sep 17 00:00:00 > 2001 > +From: Hilton Chain <hako@ultrarare.space> > +Date: Fri, 11 Nov 2022 18:49:50 +0800 > +Subject: [PATCH 1/2] Stage commands for later substitution. > + > +awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find, > getent, > +grep, gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, > nm, > +nproc, objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, > stat, > +strings, sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, > which, > +whoami, xargs. > +--- > + spectre-meltdown-checker.sh | 648 ++++++++++++++++++--------------- > --- > + 1 file changed, 324 insertions(+), 324 deletions(-) > + > +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown- > checker.sh > +index 30f760c..82cf1b6 100755 > +--- a/spectre-meltdown-checker.sh > ++++ b/spectre-meltdown-checker.sh > +@@ -19,33 +19,33 @@ trap '_warn "interrupted, cleaning up..."; > exit_cleanup; exit 1' INT > + exit_cleanup() > + { > + # cleanup the temp decompressed config & kernel image > +- [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm > -f "$dumped_config" > +- [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm > -f "$kerneltmp" > +- [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm > -f "$kerneltmp2" > +- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm > -f "$mcedb_tmp" > +- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm > -rf "$intel_tmp" > +- [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug > 2>/dev/null > +- [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" > 2>/dev/null > +- [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null > +- [ "${insmod_msr:-}" = 1 ] && rmmod msr 2>/dev/null > ++ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && > @rm@ -f "$dumped_config" > ++ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && > @rm@ -f "$kerneltmp" > ++ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && > @rm@ -f "$kerneltmp2" > ++ [ 
-n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && > @rm@ -f "$mcedb_tmp" > ++ [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && > @rm@ -rf "$intel_tmp" > ++ [ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug > 2>/dev/null > ++ [ "${mounted_procfs:-}" = 1 ] && @umount@ "$procfs" > 2>/dev/null > ++ [ "${insmod_cpuid:-}" = 1 ] && @rmmod@ cpuid 2>/dev/null > ++ [ "${insmod_msr:-}" = 1 ] && @rmmod@ msr 2>/dev/null > + [ "${kldload_cpuctl:-}" = 1 ] && kldunload cpuctl > 2>/dev/null > + [ "${kldload_vmm:-}" = 1 ] && kldunload vmm > 2>/dev/null > + } > + > + # if we were git clone'd, adjust VERSION > +-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; > then > +- describe=$(git -C "$(dirname "$0")" describe --tags --dirty > 2>/dev/null) > +- [ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e > s/^v//) > ++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null > 2>&1; then > ++ describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty > 2>/dev/null) > ++ [ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e > s/^v//) > + fi > + > + show_usage() > + { > + # shellcheck disable=SC2086 > +- cat <<EOF > ++ @cat@ <<EOF > + Usage: > +- Live mode (auto): $(basename $0) [options] > +- Live mode (manual): $(basename $0) [options] <[-- > kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live > +- Offline mode: $(basename $0) [options] <[-- > kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> > ++ Live mode (auto): $(@basename@ $0) [options] > ++ Live mode (manual): $(@basename@ $0) [options] <[-- > kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live > ++ Offline mode: $(@basename@ $0) [options] <[-- > kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> > + > + Modes: > + Two modes are available. 
> +@@ -110,7 +110,7 @@ EOF > + > + show_disclaimer() > + { > +- cat <<EOF > ++ @cat@ <<EOF > + Disclaimer: > + > + This tool does its best to determine whether your system is immune > (or has proper mitigations in place) for the > +@@ -138,7 +138,7 @@ This tool has been released in the hope that > it'll be useful, but don't use it t > + EOF > + } > + > +-os=$(uname -s) > ++os=$(@uname@ -s) > + > + # parse options > + opt_kernel='' > +@@ -207,7 +207,7 @@ __echo() > + _interpret_chars='-e' > + fi > + _ctrlchar=$($echo_cmd $_interpret_chars "\033") > +- _msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r > "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g") > ++ _msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r > "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g") > + fi > + if [ "$echo_cmd_type" = printf ]; then > + if [ "$opt" = "-n" ]; then > +@@ -383,7 +383,7 @@ is_cpu_affected() > + # https://github.com/crozone/SpectrePoC/issues/1 ^F > E5200 => spectre 2 not affected > + # > https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => > meltdown affected > + # model name : Pentium(R) Dual-Core CPU E5200 > @ 2.50GHz > +- if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) > Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then > ++ if echo "$cpu_friendly_name" | @grep@ -qE > 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then > + variant1=vuln > + [ -z "$variant2" ] && variant2=immune > + variant3=vuln > +@@ -486,7 +486,7 @@ is_cpu_affected() > + i=$(( i + 1 )) > + # do NOT quote $cpu_arch_list below > + # shellcheck disable=SC2086 > +- cpuarch=$(echo $cpu_arch_list | awk '{ print > $'$i' }') > ++ cpuarch=$(echo $cpu_arch_list | @awk@ '{ > print $'$i' }') > + _debug "checking cpu$i: <$cpupart> > <$cpuarch>" > + # some kernels report AArch64 instead of 8 > + [ "$cpuarch" = "AArch64" ] && cpuarch=8 > +@@ -497,49 +497,49 @@ is_cpu_affected() > + # part ? ? c08 c09 c0d c0f c0e d07 > d08 d09 d0a d0b d0c d0d > + # arch 7? 7? 
7 7 7 7 7 8 > 8 8 8 8 8 8 > + # > +- # Whitelist identified non-affected > processors, use vulnerability information from > ++ # Whitelist identified non-affected > processors, use vulnerability information from > + # > https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability > + # Partnumbers can be found here: > + # > https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in > + # > + # Maintain cumulative check of > vulnerabilities - > + # if at least one of the cpu is > affected, then the system is affected > +- if [ "$cpuarch" = 7 ] && echo > "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then > ++ if [ "$cpuarch" = 7 ] && echo > "$cpupart" | @grep@ -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then > + variant1=vuln > + variant2=vuln > + [ -z "$variant3" ] && > variant3=immune > + [ -z "$variant3a" ] && > variant3a=immune > + [ -z "$variant4" ] && > variant4=immune > + _debug "checking cpu$i: armv7 > A8/A9/A12/A17 non affected to variants 3, 3a & 4" > +- elif [ "$cpuarch" = 7 ] && echo > "$cpupart" | grep -q -w -e 0xc0f; then > ++ elif [ "$cpuarch" = 7 ] && echo > "$cpupart" | @grep@ -q -w -e 0xc0f; then > + variant1=vuln > + variant2=vuln > + [ -z "$variant3" ] && > variant3=immune > + variant3a=vuln > + [ -z "$variant4" ] && > variant4=immune > + _debug "checking cpu$i: armv7 > A15 non affected to variants 3 & 4" > +- elif [ "$cpuarch" = 8 ] && echo > "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then > ++ elif [ "$cpuarch" = 8 ] && echo > "$cpupart" | @grep@ -q -w -e 0xd07 -e 0xd08; then > + variant1=vuln > + variant2=vuln > + [ -z "$variant3" ] && > variant3=immune > + variant3a=vuln > + variant4=vuln > + _debug "checking cpu$i: armv8 > A57/A72 non affected to variants 3" > +- elif [ "$cpuarch" = 8 ] && echo > "$cpupart" | grep -q -w -e 0xd09; then > ++ elif [ "$cpuarch" = 8 ] && echo > "$cpupart" | @grep@ -q -w -e 0xd09; then > + variant1=vuln > + variant2=vuln > + [ -z "$variant3" ] && > 
variant3=immune > + [ -z "$variant3a" ] && > variant3a=immune > + variant4=vuln > + _debug "checking cpu$i: armv8 > A73 non affected to variants 3 & 3a" > +- elif [ "$cpuarch" = 8 ] && echo > "$cpupart" | grep -q -w -e 0xd0a; then > ++ elif [ "$cpuarch" = 8 ] && echo > "$cpupart" | @grep@ -q -w -e 0xd0a; then > + variant1=vuln > + variant2=vuln > + variant3=vuln > + [ -z "$variant3a" ] && > variant3a=immune > + variant4=vuln > + _debug "checking cpu$i: armv8 > A75 non affected to variant 3a" > +- elif [ "$cpuarch" = 8 ] && echo > "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then > ++ elif [ "$cpuarch" = 8 ] && echo > "$cpupart" | @grep@ -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then > + variant1=vuln > + [ -z "$variant2" ] && > variant2=immune > + [ -z "$variant3" ] && > variant3=immune > +@@ -820,7 +820,7 @@ is_cpu_ssb_free() > + if [ "$cpu_family" = "18" ] || \ > + [ "$cpu_family" = "17" ] || \ > + [ "$cpu_family" = "16" ] || \ > +- [ "$cpu_family" = "15" ]; then > ++ [ "$cpu_family" = "15" ]; then > + return 0 > + fi > + fi > +@@ -837,7 +837,7 @@ show_header() > + _info > + } > + > +-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)" > ++[ -z "$HOME" ] && HOME="$(@getent@ passwd "$(@whoami@)" | @cut@ -d: > -f6)" > + mcedb_cache="$HOME/.mcedb" > + update_fwdb() > + { > +@@ -846,11 +846,11 @@ update_fwdb() > + set -e > + > + if [ -r "$mcedb_cache" ]; then > +- previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 > }' "$mcedb_cache") > ++ previous_dbversion=$(@awk@ '/^# %%% MCEDB / { print > $4 }' "$mcedb_cache") > + fi > + > + # first, download the MCE.db from the excellent platomav's > MCExtractor project > +- mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)" > ++ mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)" > + mcedb_url=' > https://github.com/platomav/MCExtractor/raw/master/MCE.db' > + _info_nol "Fetching MCE.db from the MCExtractor project... 
" > + if command -v wget >/dev/null 2>&1; then > +@@ -870,7 +870,7 @@ update_fwdb() > + echo DONE > + > + # second, get the Intel firmwares from GitHub > +- intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)" > ++ intel_tmp="$(@mktemp@ -d -t smc-intelfw-XXXXXX)" > + intel_url=" > https://github.com/intel/Intel-Linux-Processor-Microcode-Data- > Files/archive/main.zip" > + _info_nol "Fetching Intel firmwares... " > + ## > https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git > +@@ -930,20 +930,20 @@ update_fwdb() > + fi > + # 079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev > 0x0217, size 5120 > + # 078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev > 0x0107, size 5120 > +- $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode- > Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line > ++ $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode- > Data-Files-main/intel-ucode" | @grep@ -wF sig | while read -r _line > + do > +- _line=$( echo "$_line" | tr -d ',') > +- _cpuid=$( echo "$_line" | awk '{print $3}') > ++ _line=$( echo "$_line" | @tr@ -d ',') > ++ _cpuid=$( echo "$_line" | @awk@ '{print $3}') > + _cpuid=$(( _cpuid )) > + _cpuid=$(printf "0x%08X" "$_cpuid") > +- _date=$( echo "$_line" | awk '{print $6}' | tr -d > '-') > +- _version=$(echo "$_line" | awk '{print $8}') > ++ _date=$( echo "$_line" | @awk@ '{print $6}' | @tr@ > -d '-') > ++ _version=$(echo "$_line" | @awk@ '{print $8}') > + _version=$(( _version )) > + _version=$(printf "0x%08X" "$_version") > + _sqlstm="$(printf "INSERT INTO Intel > (origin,cpuid,version,yyyymmdd) VALUES > (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" > "$(printf "%08X" "$_version")" "$_date")" > + sqlite3 "$mcedb_tmp" "$_sqlstm" > + done > +- _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux- > Processor-Microcode-Data-Files-main/license" 2>/dev/null) > ++ _intel_timestamp=$(@stat@ -c %Y "$intel_tmp/Intel-Linux- > Processor-Microcode-Data-Files-main/license" 
2>/dev/null) > + if [ -n "$_intel_timestamp" ]; then > + # use this date, it matches the last commit date > + _intel_latest_date=$(date +%Y%m%d -d > @"$_intel_timestamp") > +@@ -964,17 +964,17 @@ update_fwdb() > + { > + echo "# Spectre & Meltdown Checker"; > + echo "# %%% MCEDB v$dbversion"; > +- sqlite3 "$mcedb_tmp" "SELECT '# > I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel > AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND > t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid > ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,'; > +- sqlite3 "$mcedb_tmp" "SELECT '# > A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD > AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND > t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid > ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,'; > ++ sqlite3 "$mcedb_tmp" "SELECT '# > I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel > AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND > t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid > ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,'; > ++ sqlite3 "$mcedb_tmp" "SELECT '# > A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD > AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND > t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid > ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,'; > + } > "$mcedb_cache" > + echo DONE "(version $dbversion)" > + > + if [ "$1" = builtin ]; then > +- newfile=$(mktemp -t smc-builtin-XXXXXX) > +- awk '/^# %%% MCEDB / { exit }; { print }' "$0" > > "$newfile" > +- awk '{ if (NR>1) { print } }' "$mcedb_cache" >> > "$newfile" > +- cat "$newfile" > "$0" > +- rm -f "$newfile" > ++ newfile=$(@mktemp@ -t smc-builtin-XXXXXX) > ++ @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > > "$newfile" > ++ @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> > "$newfile" > ++ @cat@ 
"$newfile" > "$0" > ++ @rm@ -f "$newfile" > + fi > + } > + > +@@ -1055,7 +1055,7 @@ while [ -n "${1:-}" ]; do > + elif [ "$1" = "--cpu" ]; then > + opt_cpu=$2 > + if [ "$opt_cpu" != all ]; then > +- if echo "$opt_cpu" | grep -Eq '^[0-9]+'; then > ++ if echo "$opt_cpu" | @grep@ -Eq '^[0-9]+'; > then > + opt_cpu=$(( opt_cpu )) > + else > + echo "$0: error: --cpu should be an > integer or 'all', got '$opt_cpu'" >&2 > +@@ -1103,7 +1103,7 @@ while [ -n "${1:-}" ]; do > + echo "$0: error: option --cve expects a > parameter, supported CVEs are: $supported_cve_list" >&2 > + exit 255 > + fi > +- selected_cve=$(echo "$supported_cve_list" | grep -iwo > "$2") > ++ selected_cve=$(echo "$supported_cve_list" | @grep@ - > iwo "$2") > + if [ -n "$selected_cve" ]; then > + opt_cve_list="$opt_cve_list $selected_cve" > + opt_cve_all=0 > +@@ -1308,14 +1308,14 @@ check_kernel() > + # a damaged ELF file and validate it, check for stderr > warnings too > + > + # the warning "readelf: Warning: [16]: Link field (0) should > index a symtab section./" can appear on valid kernels, ignore it > +- _readelf_warnings=$("${opt_arch_prefix}readelf" -S "$_file" > 2>&1 >/dev/null | grep -v 'should index a symtab section' | tr "\n" > "/"); ret=$? > +- _readelf_sections=$("${opt_arch_prefix}readelf" -S "$_file" > 2>/dev/null | grep -c -e data -e text -e init) > +- _kernel_size=$(stat -c %s "$_file" 2>/dev/null || stat -f %z > "$_file" 2>/dev/null || echo 10000) > ++ _readelf_warnings=$("@readelf@" -S "$_file" 2>&1 >/dev/null | > @grep@ -v 'should index a symtab section' | @tr@ "\n" "/"); ret=$? > ++ _readelf_sections=$("@readelf@" -S "$_file" 2>/dev/null | > @grep@ -c -e data -e text -e init) > ++ _kernel_size=$(@stat@ -c %s "$_file" 2>/dev/null || @stat@ -f > %z "$_file" 2>/dev/null || echo 10000) > + _debug "check_kernel: ret=$? 
size=$_kernel_size > sections=$_readelf_sections warnings=$_readelf_warnings" > + if [ "$_mode" = desperate ]; then > +- if "${opt_arch_prefix}strings" "$_file" | grep -Eq > '^Linux version '; then > ++ if "@strings@" "$_file" | @grep@ -Eq '^Linux version > '; then > + _debug "check_kernel (desperate): ... > matched!" > +- if [ "$_readelf_sections" = 0 ] && grep -qF - > e armv6 -e armv7 "$_file"; then > ++ if [ "$_readelf_sections" = 0 ] && @grep@ -qF > -e armv6 -e armv7 "$_file"; then > + _debug "check_kernel (desperate): raw > arm binary found, adjusting objdump options" > + objdump_options="-D -b binary -marm" > + else > +@@ -1348,7 +1348,7 @@ try_decompress() > + > + # Try to find the header ($1) and decompress from here > + _debug "try_decompress: looking for $3 magic in $6" > +- for pos in $(tr "$1\n$2" "\n$2=" < "$6" | grep -abo > "^$2") > ++ for pos in $(@tr@ "$1\n$2" "\n$2=" < "$6" | @grep@ -abo > "^$2") > + do > + _debug "try_decompress: magic for $3 found at offset > $pos" > + if ! command -v "$3" >/dev/null 2>&1; then > +@@ -1375,11 +1375,11 @@ try_decompress() > + kernel="$kerneltmp" > + _debug "try_decompress: decompressed with $3 > successfully!" 
> + return 0 > +- elif [ "$3" != "cat" ]; then > ++ elif [ "$3" != "@cat@" ]; then > + _debug "try_decompress: decompression with $3 > worked but result is not a kernel, trying with an offset" > +- [ -z "$kerneltmp2" ] && kerneltmp2=$(mktemp - > t smc-kernel-XXXXXX) > +- cat "$kerneltmp" > "$kerneltmp2" > +- try_decompress '\177ELF' xxy 'cat' '' cat > "$kerneltmp2" && return 0 > ++ [ -z "$kerneltmp2" ] && kerneltmp2=$(@mktemp@ > -t smc-kernel-XXXXXX) > ++ @cat@ "$kerneltmp" > "$kerneltmp2" > ++ try_decompress '\177ELF' xxy '@cat@' '' cat > "$kerneltmp2" && return 0 > + else > + _debug "try_decompress: decompression with $3 > worked but result is not a kernel" > + fi > +@@ -1391,12 +1391,12 @@ extract_kernel() > + { > + [ -n "${1:-}" ] || return 1 > + # Prepare temp files: > +- kerneltmp="$(mktemp -t smc-kernel-XXXXXX)" > ++ kerneltmp="$(@mktemp@ -t smc-kernel-XXXXXX)" > + > + # Initial attempt for uncompressed images or objects: > + if check_kernel "$1"; then > + _debug "extract_kernel: found kernel is valid, no > decompression needed" > +- cat "$1" > "$kerneltmp" > ++ @cat@ "$1" > "$kerneltmp" > + kernel=$kerneltmp > + return 0 > + fi > +@@ -1405,14 +1405,14 @@ extract_kernel() > + for pass in 1 2; do > + for mode in normal desperate; do > + _debug "extract_kernel: pass $pass $mode > mode" > +- try_decompress '\037\213\010' xy > gunzip '' gunzip "$1" "$mode" "$pass" && return 0 > +- try_decompress '\002\041\114\030' xyy > 'lz4' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0 > +- try_decompress '\3757zXZ\000' abcde > unxz '' xz-utils "$1" "$mode" "$pass" && return 0 > +- try_decompress 'BZh' xy > bunzip2 '' bzip2 "$1" "$mode" "$pass" && return 0 > +- try_decompress '\135\0\0\0' xxx > unlzma '' xz-utils "$1" "$mode" "$pass" && return 0 > +- try_decompress '\211\114\132' xy > 'lzop' '-d' lzop "$1" "$mode" "$pass" && return 0 > +- try_decompress '\177ELF' xxy > 'cat' '' cat "$1" "$mode" "$pass" && return 0 > +- try_decompress '(\265/\375' xxy > unzstd '' zstd 
"$1" "$mode" "$pass" && return 0 > ++ try_decompress '\037\213\010' xy > @gunzip@ '' gunzip "$1" "$mode" "$pass" && return 0 > ++ try_decompress '\002\041\114\030' xyy > '@lz4@' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0 > ++ try_decompress '\3757zXZ\000' abcde > @unxz@ '' xz-utils "$1" "$mode" "$pass" && return 0 > ++ try_decompress 'BZh' xy > @bunzip2@ '' bzip2 "$1" "$mode" "$pass" && return 0 > ++ try_decompress '\135\0\0\0' xxx > @unlzma@ '' xz-utils "$1" "$mode" "$pass" && return 0 > ++ try_decompress '\211\114\132' xy > '@lzop@' '-d' lzop "$1" "$mode" "$pass" && return 0 > ++ try_decompress '\177ELF' xxy > '@cat@' '' cat "$1" "$mode" "$pass" && return 0 > ++ try_decompress '(\265/\375' xxy > @unzstd@ '' zstd "$1" "$mode" "$pass" && return 0 > + done > + done > + # kernel_err might already have been populated by > try_decompress() if we're missing one of the tools > +@@ -1429,7 +1429,7 @@ mount_debugfs() > + { > + if [ ! -e /sys/kernel/debug/sched_features ]; then > + # try to mount the debugfs hierarchy ourselves and > remember it to umount afterwards > +- mount -t debugfs debugfs /sys/kernel/debug > 2>/dev/null && mounted_debugfs=1 > ++ @mount@ -t debugfs debugfs /sys/kernel/debug > 2>/dev/null && mounted_debugfs=1 > + fi > + } > + > +@@ -1440,12 +1440,12 @@ load_msr() > + load_msr_once=1 > + > + if [ "$os" = Linux ]; then > +- if ! grep -qw msr "$procfs/modules" 2>/dev/null; then > +- modprobe msr 2>/dev/null && insmod_msr=1 > ++ if ! @grep@ -qw msr "$procfs/modules" 2>/dev/null; > then > ++ @modprobe@ msr 2>/dev/null && insmod_msr=1 > + _debug "attempted to load module msr, > insmod_msr=$insmod_msr" > + else > + _debug "msr module already loaded" > +- fi > ++ fi > + else > + if ! kldstat -q -m cpuctl; then > + kldload cpuctl 2>/dev/null && > kldload_cpuctl=1 > +@@ -1463,12 +1463,12 @@ load_cpuid() > + load_cpuid_once=1 > + > + if [ "$os" = Linux ]; then > +- if ! 
grep -qw cpuid "$procfs/modules" 2>/dev/null; > then > +- modprobe cpuid 2>/dev/null && insmod_cpuid=1 > ++ if ! @grep@ -qw cpuid "$procfs/modules" 2>/dev/null; > then > ++ @modprobe@ cpuid 2>/dev/null && > insmod_cpuid=1 > + _debug "attempted to load module cpuid, > insmod_cpuid=$insmod_cpuid" > + else > + _debug "cpuid module already loaded" > +- fi > ++ fi > + else > + if ! kldstat -q -m cpuctl; then > + kldload cpuctl 2>/dev/null && > kldload_cpuctl=1 > +@@ -1557,7 +1557,7 @@ read_cpuid_one_core() > + fi > + # on some kernel versions, /dev/cpu/0/cpuid doesn't > imply that the cpuid module is loaded, in that case dd returns an > error, > + # we use that fact to load the module if dd returns > an error > +- if ! dd if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null > 2>&1; then > ++ if ! @dd@ if=/dev/cpu/0/cpuid bs=16 count=1 > >/dev/null 2>&1; then > + load_cpuid > + fi > + # we need _leaf to be converted to decimal for dd > +@@ -1568,14 +1568,14 @@ read_cpuid_one_core() > + _ddskip=$(( _position / 16 )) > + _odskip=$(( _position - _ddskip * 16 )) > + # now read the value > +- _cpuid=$(dd if="/dev/cpu/$_core/cpuid" bs=16 > skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | od -j $((_odskip * > 16)) -A n -t u4) > ++ _cpuid=$(@dd@ if="/dev/cpu/$_core/cpuid" bs=16 > skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | @od@ -j $((_odskip > * 16)) -A n -t u4) > + elif [ -e /dev/cpuctl0 ]; then > + # BSD > + if [ ! -r /dev/cpuctl0 ]; then > + read_cpuid_msg="Couldn't read cpuid info from > cpuctl" > + return $READ_CPUID_RET_ERR > + fi > +- _cpuid=$(cpucontrol -i "$_leaf","$_subleaf" > "/dev/cpuctl$_core" 2>/dev/null | cut -d: -f2-) > ++ _cpuid=$(cpucontrol -i "$_leaf","$_subleaf" > "/dev/cpuctl$_core" 2>/dev/null | @cut@ -d: -f2-) You're missing cpucontrol here. 
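Review bot: in the `@@ -1568,14` hunk `cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core"` stays bare while the `@cut@` on the same line is substituted (as already pointed out above), and the `@@ -1440,12` and `@@ -1463,12` hunks show the same half-substitution, with `kldstat -q -m cpuctl` and `kldload cpuctl` left alone next to the substituted `@grep@`/`@modprobe@` of the Linux arm. If `cpucontrol` gets a placeholder, `kldstat`/`kldload`/`kldunload` need one too for consistency; the simpler option is to leave every line inside the `$os != Linux` branches (the `else` arms of `load_msr`/`load_cpuid`, the `/dev/cpuctl0` arm of `read_cpuid_one_core`) untouched, so the patch follows one rule, "substitute what runs on Linux", and does not point BSD-only code at tools Guix cannot provide. Whichever way it goes, the chosen rule should be stated in the patch header so the next reader does not have to guess why some tools are bare.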
> + # cpuid level 0x4, level_type 0x2: 0x1c004143 > 0x01c0003f 0x000001ff 0x00000000 > + else > + read_cpuid_msg="Found no way to read cpuid info" > +@@ -1598,7 +1598,7 @@ read_cpuid_one_core() > + fi > + > + # get the value of the register we want > +- _reg=$(echo "$_cpuid" | awk '{print $'"$_register"'}') > ++ _reg=$(echo "$_cpuid" | @awk@ '{print $'"$_register"'}') > + # Linux returns it as decimal, BSD as hex, normalize to > decimal > + _reg=$(( _reg )) > + # shellcheck disable=SC2046 > +@@ -1626,11 +1626,11 @@ dmesg_grep() > + # grep for something in dmesg, ensuring that the dmesg buffer > + # has not been truncated > + dmesg_grepped='' > +- if ! dmesg | grep -qE -e '(^|\] )Linux version [0-9]' -e > '^FreeBSD is a registered' ; then > ++ if ! @dmesg@ | @grep@ -qE -e '(^|\] )Linux version [0-9]' -e > '^FreeBSD is a registered' ; then > + # dmesg truncated > + return 2 > + fi > +- dmesg_grepped=$(dmesg | grep -E "$1" | head -1) > ++ dmesg_grepped=$(@dmesg@ | @grep@ -E "$1" | @head@ -1) > + # not found: > + [ -z "$dmesg_grepped" ] && return 1 > + # found, output is in $dmesg_grepped > +@@ -1647,12 +1647,12 @@ parse_cpu_details() > + { > + [ "${parse_cpu_details_done:-}" = 1 ] && return 0 > + > +- if command -v nproc >/dev/null; then > +- number_of_cores=$(nproc) > +- elif echo "$os" | grep -q BSD; then > +- number_of_cores=$(sysctl -n hw.ncpu 2>/dev/null || > echo 1) > ++ if command -v @nproc@ >/dev/null; then > ++ number_of_cores=$(@nproc@) > ++ elif echo "$os" | @grep@ -q BSD; then > ++ number_of_cores=$(@sysctl@ -n hw.ncpu 2>/dev/null || > echo 1) > + elif [ -e "$procfs/cpuinfo" ]; then > +- number_of_cores=$(grep -c ^processor > "$procfs/cpuinfo" 2>/dev/null || echo 1) > ++ number_of_cores=$(@grep@ -c ^processor > "$procfs/cpuinfo" 2>/dev/null || echo 1) > + else > + # if we don't know, default to 1 CPU > + number_of_cores=1 > +@@ -1660,43 +1660,43 @@ parse_cpu_details() > + max_core_id=$(( number_of_cores - 1 )) > + > + if [ -e "$procfs/cpuinfo" ]; then > +- 
cpu_vendor=$( grep '^vendor_id' "$procfs/cpuinfo" | > awk '{print $3}' | head -1) > +- cpu_friendly_name=$(grep '^model name' > "$procfs/cpuinfo" | cut -d: -f2- | head -1 | sed -e 's/^ *//') > ++ cpu_vendor=$( @grep@ '^vendor_id' "$procfs/cpuinfo" > | @awk@ '{print $3}' | @head@ -1) > ++ cpu_friendly_name=$(@grep@ '^model name' > "$procfs/cpuinfo" | @cut@ -d: -f2- | @head@ -1 | @sed@ -e 's/^ *//') > + # special case for ARM follows > +- if grep -qi 'CPU > implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then > ++ if @grep@ -qi 'CPU > implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then > + cpu_vendor='ARM' > + # some devices (phones or other) have several > ARMs and as such different part numbers, > + # an example is "bigLITTLE", so we need to > store the whole list, this is needed for is_cpu_affected > +- cpu_part_list=$(awk '/CPU part/ > {print $4}' "$procfs/cpuinfo") > +- cpu_arch_list=$(awk '/CPU architecture/ > {print $3}' "$procfs/cpuinfo") > ++ cpu_part_list=$(@awk@ '/CPU part/ > {print $4}' "$procfs/cpuinfo") > ++ cpu_arch_list=$(@awk@ '/CPU architecture/ > {print $3}' "$procfs/cpuinfo") > + # take the first one to fill the friendly > name, do NOT quote the vars below > + # shellcheck disable=SC2086 > +- cpu_arch=$(echo $cpu_arch_list | awk '{ print > $1 }') > ++ cpu_arch=$(echo $cpu_arch_list | @awk@ '{ > print $1 }') > + # shellcheck disable=SC2086 > +- cpu_part=$(echo $cpu_part_list | awk '{ print > $1 }') > ++ cpu_part=$(echo $cpu_part_list | @awk@ '{ > print $1 }') > + [ "$cpu_arch" = "AArch64" ] && cpu_arch=8 > + cpu_friendly_name="ARM" > + [ -n "$cpu_arch" ] && > cpu_friendly_name="$cpu_friendly_name v$cpu_arch" > + [ -n "$cpu_part" ] && > cpu_friendly_name="$cpu_friendly_name model $cpu_part" > + > +- elif grep -qi 'CPU > implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then > ++ elif @grep@ -qi 'CPU > implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then > + cpu_vendor='CAVIUM' > +- elif grep -qi 
'CPU > implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then > ++ elif @grep@ -qi 'CPU > implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then > + cpu_vendor='PHYTIUM' > + fi > + > +- cpu_family=$( grep '^cpu family' "$procfs/cpuinfo" | > awk '{print $4}' | grep -E '^[0-9]+$' | head -1) > +- cpu_model=$( grep '^model' "$procfs/cpuinfo" | > awk '{print $3}' | grep -E '^[0-9]+$' | head -1) > +- cpu_stepping=$(grep '^stepping' "$procfs/cpuinfo" | > awk '{print $3}' | grep -E '^[0-9]+$' | head -1) > +- cpu_ucode=$( grep '^microcode' "$procfs/cpuinfo" | > awk '{print $3}' | head -1) > ++ cpu_family=$( @grep@ '^cpu family' "$procfs/cpuinfo" > | @awk@ '{print $4}' | @grep@ -E '^[0-9]+$' | @head@ -1) > ++ cpu_model=$( @grep@ '^model' "$procfs/cpuinfo" > | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1) > ++ cpu_stepping=$(@grep@ '^stepping' "$procfs/cpuinfo" > | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1) > ++ cpu_ucode=$( @grep@ '^microcode' "$procfs/cpuinfo" > | @awk@ '{print $3}' | @head@ -1) > + else > +- cpu_vendor=$( dmesg | grep -i -m1 'Origin=' | cut -f2 > -w | cut -f2 -d= | cut -f2 -d\" ) > +- cpu_family=$( dmesg | grep -i -m1 'Family=' | cut -f4 > -w | cut -f2 -d= ) > ++ cpu_vendor=$( @dmesg@ | @grep@ -i -m1 'Origin=' | > @cut@ -f2 -w | @cut@ -f2 -d= | @cut@ -f2 -d\" ) > ++ cpu_family=$( @dmesg@ | @grep@ -i -m1 'Family=' | > @cut@ -f4 -w | @cut@ -f2 -d= ) > + cpu_family=$(( cpu_family )) > +- cpu_model=$( dmesg | grep -i -m1 'Model=' | cut -f5 - > w | cut -f2 -d= ) > ++ cpu_model=$( @dmesg@ | @grep@ -i -m1 'Model=' | @cut@ > -f5 -w | @cut@ -f2 -d= ) > + cpu_model=$(( cpu_model )) > +- cpu_stepping=$( dmesg | grep -i -m1 'Stepping=' | cut > -f6 -w | cut -f2 -d= ) > +- cpu_friendly_name=$(sysctl -n hw.model 2>/dev/null) > ++ cpu_stepping=$( @dmesg@ | @grep@ -i -m1 'Stepping=' | > @cut@ -f6 -w | @cut@ -f2 -d= ) > ++ cpu_friendly_name=$(@sysctl@ -n hw.model 2>/dev/null) > + fi > + > + if [ -n "${SMC_MOCK_CPU_FRIENDLY_NAME:-}" 
]; then > +@@ -1751,7 +1751,7 @@ parse_cpu_details() > + # call CPUID > + cpucontrol -i 1 /dev/cpuctl0 >/dev/null > + # read MSR > +- cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | > awk '{print $3}') > ++ cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | > @awk@ '{print $3}') > + # convert to decimal > + cpu_ucode=$(( cpu_ucode )) > + # convert back to hex > +@@ -1770,7 +1770,7 @@ parse_cpu_details() > + mockme=$(printf "%b\n%b" "$mockme" > "SMC_MOCK_CPU_UCODE='$cpu_ucode'") > + fi > + > +- echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$(( cpu_ucode )) > ++ echo "$cpu_ucode" | @grep@ -q ^0x && cpu_ucode=$(( cpu_ucode > )) > + ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x > ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" "$cpu_stepping" > "$cpu_ucode" "$cpu_cpuid") > + > + # also define those that we will need in other funcs > +@@ -1867,8 +1867,8 @@ is_cpu_smt_enabled() > + { > + # SMT / HyperThreading is enabled if siblings != cpucores > + if [ -e "$procfs/cpuinfo" ]; then > +- _siblings=$(awk '/^siblings/ {print $3;exit}' > "$procfs/cpuinfo") > +- _cpucores=$(awk '/^cpu cores/ {print $4;exit}' > "$procfs/cpuinfo") > ++ _siblings=$(@awk@ '/^siblings/ {print $3;exit}' > "$procfs/cpuinfo") > ++ _cpucores=$(@awk@ '/^cpu cores/ {print $4;exit}' > "$procfs/cpuinfo") > + if [ -n "$_siblings" ] && [ -n "$_cpucores" ]; then > + if [ "$_siblings" = "$_cpucores" ]; then > + return 1 > +@@ -1916,10 +1916,10 @@ is_ucode_blacklisted() > + $INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b \ > + $INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712 > + do > +- model=$(echo "$tuple" | cut -d, -f1) > +- stepping=$(( $(echo "$tuple" | cut -d, -f2) )) > ++ model=$(echo "$tuple" | @cut@ -d, -f1) > ++ stepping=$(( $(echo "$tuple" | @cut@ -d, -f2) )) > + if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" = > "$stepping" ]; then > +- ucode=$(( $(echo "$tuple" | cut -d, -f3) )) > ++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) )) > + if [ "$cpu_ucode" = "$ucode" ]; then > + _debug "is_ucode_blacklisted: we 
have > a match! ($cpu_model/$cpu_stepping/$cpu_ucode)" > + return 0 > +@@ -2007,7 +2007,7 @@ is_xen_dom0() > + return 1 > + fi > + > +- if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d" > "$procfs/xen/capabilities"; then > ++ if [ -e "$procfs/xen/capabilities" ] && @grep@ -q "control_d" > "$procfs/xen/capabilities"; then > + return 0 > + else > + return 1 > +@@ -2033,12 +2033,12 @@ is_xen_domU() > + fi > + } > + > +-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0") > ++builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0") > + if [ -r "$mcedb_cache" ]; then > + # we have a local cache file, but it might be older than the > builtin version we have > +- local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }' > "$mcedb_cache") > ++ local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }' > "$mcedb_cache") > + # sort -V sorts by version number > +- older_dbversion=$(printf "%b\n%b" "$local_dbversion" > "$builtin_dbversion" | sort -V | head -n1) > ++ older_dbversion=$(printf "%b\n%b" "$local_dbversion" > "$builtin_dbversion" | @sort@ -V | @head@ -n1) > + if [ "$older_dbversion" = "$builtin_dbversion" ]; then > + mcedb_source="$mcedb_cache" > + mcedb_info="local firmwares DB $local_dbversion" > +@@ -2051,7 +2051,7 @@ if [ -z "${mcedb_source:-}" ]; then > + fi > + read_mcedb() > + { > +- awk '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 > }' "$mcedb_source" > ++ @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { > DELIM=1 }' "$mcedb_source" > + } > + > + is_latest_known_ucode() > +@@ -2070,10 +2070,10 @@ is_latest_known_ucode() > + else > + return 2 > + fi > +- for tuple in $(read_mcedb | grep "$(printf > "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")") > ++ for tuple in $(read_mcedb | @grep@ "$(printf > "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")") > + do > +- ucode=$(( $(echo "$tuple" | cut -d, -f3) )) > +- ucode_date=$(echo "$tuple" | cut -d, -f4 | sed -r > 's=(....)(..)(..)=\1/\2/\3=') > ++ ucode=$(( $(echo "$tuple" | @cut@ -d, 
-f3) )) > ++ ucode_date=$(echo "$tuple" | @cut@ -d, -f4 | @sed@ -r > 's=(....)(..)(..)=\1/\2/\3=') > + _debug "is_latest_known_ucode: with cpuid $cpu_cpuid > has ucode $cpu_ucode, last known is $ucode from $ucode_date" > + ucode_latest=$(printf "latest version is 0x%x dated > $ucode_date according to $mcedb_info" "$ucode") > + if [ "$cpu_ucode" -ge "$ucode" ]; then > +@@ -2098,7 +2098,7 @@ get_cmdline() > + kernel_cmdline="$SMC_MOCK_CMDLINE" > + return > + else > +- kernel_cmdline=$(cat "$procfs/cmdline") > ++ kernel_cmdline=$(@cat@ "$procfs/cmdline") > + mockme=$(printf "%b\n%b" "$mockme" > "SMC_MOCK_CMDLINE='$kernel_cmdline'") > + fi > + } > +@@ -2106,7 +2106,7 @@ get_cmdline() > + # ENTRYPOINT > + > + # we can't do anything useful under WSL > +-if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then > ++if @uname@ -a | @grep@ -qE -- '-Microsoft #[0-9]+-Microsoft '; then > + _warn "This script doesn't work under Windows Subsystem for > Linux" > + _warn "You should use the official Microsoft tool instead." 
> + _warn "It can be found under > https://aka.ms/SpeculationControlPS" > +@@ -2155,15 +2155,15 @@ fi > + > + # if we're under a BSD, try to mount linprocfs for > "$procfs/cpuinfo" > + procfs=/proc > +-if echo "$os" | grep -q BSD; then > ++if echo "$os" | @grep@ -q BSD; then > + _debug "We're under BSD, check if we have procfs" > +- procfs=$(mount | awk '/^linprocfs/ { print $3; exit; }') > ++ procfs=$(@mount@ | @awk@ '/^linprocfs/ { print $3; exit; }') > + if [ -z "$procfs" ]; then > + _debug "we don't, try to mount it" > + procfs=/proc > + [ -d /compat/linux/proc ] && > procfs=/compat/linux/proc > + test -d $procfs || mkdir $procfs > +- if mount -t linprocfs linprocfs $procfs 2>/dev/null; > then > ++ if @mount@ -t linprocfs linprocfs $procfs > 2>/dev/null; then > + mounted_procfs=1 > + _debug "procfs just mounted at $procfs" > + else > +@@ -2195,14 +2195,14 @@ fi > + > + if [ "$opt_live" = 1 ]; then > + # root check (only for live mode, for offline mode, we > already checked if we could read the files) > +- if [ "$(id -u)" -ne 0 ]; then > ++ if [ "$(@id@ -u)" -ne 0 ]; then > + _warn "Note that you should launch this script with > root privileges to get accurate information." > + _warn "We'll proceed but you might see permission > denied errors." 
> + _warn "To run it as root, you can try the following > command: sudo $0" > + _warn > + fi > + _info "Checking for vulnerabilities on current system" > +- _info "Kernel is \033[35m$os $(uname -r) $(uname -v) $(uname > -m)\033[0m" > ++ _info "Kernel is \033[35m$os $(@uname@ -r) $(@uname@ -v) > $(@uname@ -m)\033[0m" > + _info "CPU is \033[35m$cpu_friendly_name\033[0m" > + > + # try to find the image of the current running kernel > +@@ -2210,12 +2210,12 @@ if [ "$opt_live" = 1 ]; then > + # specified by user on cmdline, with --live, don't > override > + : > + # first, look for the BOOT_IMAGE hint in the kernel cmdline > +- elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then > +- opt_kernel=$(echo "$kernel_cmdline" | grep -Eo > 'BOOT_IMAGE=[^ ]+' | cut -d= -f2) > ++ elif echo "$kernel_cmdline" | @grep@ -q 'BOOT_IMAGE='; then > ++ opt_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo > 'BOOT_IMAGE=[^ ]+' | @cut@ -d= -f2) > + _debug "found opt_kernel=$opt_kernel in > $procfs/cmdline" > + # if the boot partition is within a btrfs subvolume, > strip the subvolume name > + # if /boot is a separate subvolume, the remainder of > the code in this section should handle it > +- if echo "$opt_kernel" | grep -q "^/@"; then > opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi > ++ if echo "$opt_kernel" | @grep@ -q "^/@"; then > opt_kernel=$(echo "$opt_kernel" | @sed@ "s:/@[^/]*::"); fi > + # if we have a dedicated /boot partition, our > bootloader might have just called it / > + # so try to prepend /boot and see if we find anything > + [ -e "/boot/$opt_kernel" ] && > opt_kernel="/boot/$opt_kernel" > +@@ -2227,7 +2227,7 @@ if [ "$opt_live" = 1 ]; then > + # if we didn't find a kernel, default to guessing > + if [ ! 
-e "$opt_kernel" ]; then > + # Fedora: > +- [ -e "/lib/modules/$(uname -r)/vmlinuz" ] && > opt_kernel="/lib/modules/$(uname -r)/vmlinuz" > ++ [ -e "/lib/modules/$(@uname@ -r)/vmlinuz" ] && > opt_kernel="/lib/modules/$(@uname@ -r)/vmlinuz" > + # Slackware: > + [ -e "/boot/vmlinuz" ] && > opt_kernel="/boot/vmlinuz" > + # Arch aarch64: > +@@ -2241,24 +2241,24 @@ if [ "$opt_live" = 1 ]; then > + # pine64 > + [ -e "/boot/pine64/Image" ] && > opt_kernel="/boot/pine64/Image" > + # generic: > +- [ -e "/boot/vmlinuz-$(uname -r)" ] && > opt_kernel="/boot/vmlinuz-$(uname -r)" > +- [ -e "/boot/kernel-$( uname -r)" ] && > opt_kernel="/boot/kernel-$( uname -r)" > +- [ -e "/boot/bzImage-$(uname -r)" ] && > opt_kernel="/boot/bzImage-$(uname -r)" > ++ [ -e "/boot/vmlinuz-$(@uname@ -r)" ] && > opt_kernel="/boot/vmlinuz-$(@uname@ -r)" > ++ [ -e "/boot/kernel-$( @uname@ -r)" ] && > opt_kernel="/boot/kernel-$( @uname@ -r)" > ++ [ -e "/boot/bzImage-$(@uname@ -r)" ] && > opt_kernel="/boot/bzImage-$(@uname@ -r)" > + # Gentoo: > +- [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" > ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)" > ++ [ -e "/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ > -r)" ] && opt_kernel="/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ > -r)" > + # NixOS: > + [ -e "/run/booted-system/kernel" ] && > opt_kernel="/run/booted-system/kernel" > + # Guix System: > + [ -e "/run/booted-system/kernel/bzImage" ] && > opt_kernel="/run/booted-system/kernel/bzImage" > + # systemd kernel-install: > +- [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat > /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat > /etc/machine-id)/$(uname -r)/linux" > ++ [ -e "/etc/machine-id" ] && [ -e "/boot/$(@cat@ > /etc/machine-id)/$(@uname@ -r)/linux" ] && opt_kernel="/boot/$(@cat@ > /etc/machine-id)/$(@uname@ -r)/linux" > + # Clear Linux: > +- str_uname=$(uname -r) > ++ str_uname=$(@uname@ -r) > + clear_linux_kernel="/lib/kernel/org.clearlinux.${str_ > 
uname##*.}.${str_uname%.*}" > + [ -e "$clear_linux_kernel" ] && > opt_kernel=$clear_linux_kernel > + # Custom Arch seems to have the kernel path in its > cmdline in the form "\directory\kernelimage", > + # with actual \'s instead of /'s: > +- custom_arch_kernel=$(echo "$kernel_cmdline" | grep - > Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d > '[:space:]') > ++ custom_arch_kernel=$(echo "$kernel_cmdline" | @grep@ > -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | @tr@ "\\\\" "/" | @tr@ -d > '[:space:]') > + if [ -n "$custom_arch_kernel" ] && [ -e > "$custom_arch_kernel" ]; then > + opt_kernel="$custom_arch_kernel" > + fi > +@@ -2272,12 +2272,12 @@ if [ "$opt_live" = 1 ]; then > + : > + elif [ -e "$procfs/kallsyms" ] ; then > + opt_map="$procfs/kallsyms" > +- elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then > +- opt_map="/lib/modules/$(uname -r)/System.map" > +- elif [ -e "/boot/System.map-$(uname -r)" ] ; then > +- opt_map="/boot/System.map-$(uname -r)" > +- elif [ -e "/lib/kernel/System.map-$(uname -r)" ]; then > +- opt_map="/lib/kernel/System.map-$(uname -r)" > ++ elif [ -e "/lib/modules/$(@uname@ -r)/System.map" ] ; then > ++ opt_map="/lib/modules/$(@uname@ -r)/System.map" > ++ elif [ -e "/boot/System.map-$(@uname@ -r)" ] ; then > ++ opt_map="/boot/System.map-$(@uname@ -r)" > ++ elif [ -e "/lib/kernel/System.map-$(@uname@ -r)" ]; then > ++ opt_map="/lib/kernel/System.map-$(@uname@ -r)" > + fi > + > + # config > +@@ -2285,18 +2285,18 @@ if [ "$opt_live" = 1 ]; then > + # specified by user on cmdline, with --live, don't > override > + : > + elif [ -e "$procfs/config.gz" ] ; then > +- dumped_config="$(mktemp -t smc-config-XXXXXX)" > +- gunzip -c "$procfs/config.gz" > "$dumped_config" > ++ dumped_config="$(@mktemp@ -t smc-config-XXXXXX)" > ++ @gunzip@ -c "$procfs/config.gz" > "$dumped_config" > + # dumped_config will be deleted at the end of the > script > + opt_config="$dumped_config" > +- elif [ -e "/lib/modules/$(uname -r)/config" ]; then > +- 
opt_config="/lib/modules/$(uname -r)/config" > +- elif [ -e "/boot/config-$(uname -r)" ]; then > +- opt_config="/boot/config-$(uname -r)" > +- elif [ -e "/etc/kernels/kernel-config-$(uname -m)-$(uname - > r)" ]; then > +- opt_config="/etc/kernels/kernel-config-$(uname -m)- > $(uname -r)" > +- elif [ -e "/lib/kernel/config-$(uname -r)" ]; then > +- opt_config="/lib/kernel/config-$(uname -r)" > ++ elif [ -e "/lib/modules/$(@uname@ -r)/config" ]; then > ++ opt_config="/lib/modules/$(@uname@ -r)/config" > ++ elif [ -e "/boot/config-$(@uname@ -r)" ]; then > ++ opt_config="/boot/config-$(@uname@ -r)" > ++ elif [ -e "/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ > -r)" ]; then > ++ opt_config="/etc/kernels/kernel-config-$(@uname@ -m)- > $(@uname@ -r)" > ++ elif [ -e "/lib/kernel/config-$(@uname@ -r)" ]; then > ++ opt_config="/lib/kernel/config-$(@uname@ -r)" > + fi > + else > + _info "Checking for vulnerabilities against specified kernel" > +@@ -2311,7 +2311,7 @@ else > + fi > + > + if [ "$os" = Linux ]; then > +- if [ -n "$opt_config" ] && ! grep -q '^CONFIG_' > "$opt_config"; then > ++ if [ -n "$opt_config" ] && ! @grep@ -q '^CONFIG_' > "$opt_config"; then > + # given file is invalid! > + _warn "The kernel config file seems invalid, was > expecting a plain-text file, ignoring it!" > + opt_config='' > +@@ -2339,7 +2339,7 @@ if [ "$os" = Linux ]; then > + fi > + > + if [ -e "$opt_kernel" ]; then > +- if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; > then > ++ if ! 
command -v "@readelf@" >/dev/null 2>&1; then > + _debug "readelf not found" > + kernel_err="missing '${opt_arch_prefix}readelf' tool, > please install it, usually it's in the 'binutils' package" > + elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ]; > then > +@@ -2357,20 +2357,20 @@ else > + # vanilla kernels have with ^Linux version > + # also try harder with some kernels (such as Red Hat) that > don't have ^Linux version before their version string > + # and check for FreeBSD > +- kernel_version=$("${opt_arch_prefix}strings" "$kernel" > 2>/dev/null | grep -E \ > ++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ - > E \ > + -e '^Linux version ' \ > + -e '^[[:alnum:]][^[:space:]]+ \([^[:space:]]+\) #[0- > 9]+ .+ (19|20)[0-9][0-9]$' \ > +- -e '^FreeBSD [0-9]' | head -1) > ++ -e '^FreeBSD [0-9]' | @head@ -1) > + if [ -z "$kernel_version" ]; then > + # try even harder with some kernels (such as ARM) > that split the release (uname -r) and version (uname -v) in 2 > adjacent strings > +- kernel_version=$("${opt_arch_prefix}strings" > "$kernel" 2>/dev/null | grep -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' > | tr "\n" " ") > ++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | > @grep@ -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | @tr@ "\n" " ") > + fi > + if [ -n "$kernel_version" ]; then > + # in live mode, check if the img we found is the > correct one > + if [ "$opt_live" = 1 ]; then > + _verbose "Kernel image is > \033[35m$kernel_version" > +- if ! echo "$kernel_version" | grep -qF > "$(uname -r)"; then > +- _warn "Possible discrepancy between > your running kernel '$(uname -r)' and the image '$kernel_version' we > found ($opt_kernel), results might be incorrect" > ++ if ! 
echo "$kernel_version" | @grep@ -qF > "$(@uname@ -r)"; then > ++ _warn "Possible discrepancy between > your running kernel '$(@uname@ -r)' and the image '$kernel_version' > we found ($opt_kernel), results might be incorrect" > + fi > + else > + _info "Kernel image is > \033[35m$kernel_version" > +@@ -2398,11 +2398,11 @@ sys_interface_check() > + if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r > "$file" ]; then > + : > + else > +- mockme=$(printf "%b\n%b" "$mockme" > "SMC_MOCK_SYSFS_$(basename "$file")_RET=1") > ++ mockme=$(printf "%b\n%b" "$mockme" > "SMC_MOCK_SYSFS_$(@basename@ "$file")_RET=1") > + return 1 > + fi > + > +- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")_RET" > ++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")_RET" > + # shellcheck disable=SC2086,SC1083 > + if [ -n "$(eval echo \${$_mockvarname:-})" ]; then > + _debug "sysfs: MOCKING enabled for $file func returns > $(eval echo \$$_mockvarname)" > +@@ -2411,17 +2411,17 @@ sys_interface_check() > + fi > + > + [ -n "$regex" ] || regex='.*' > +- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")" > ++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")" > + # shellcheck disable=SC2086,SC1083 > + if [ -n "$(eval echo \${$_mockvarname:-})" ]; then > + fullmsg="$(eval echo \$$_mockvarname)" > +- msg=$(echo "$fullmsg" | grep -Eo "$regex") > ++ msg=$(echo "$fullmsg" | @grep@ -Eo "$regex") > + _debug "sysfs: MOCKING enabled for $file, will return > $fullmsg" > + mocked=1 > + else > +- fullmsg=$(cat "$file") > +- msg=$(grep -Eo "$regex" "$file") > +- mockme=$(printf "%b\n%b" "$mockme" > "SMC_MOCK_SYSFS_$(basename "$file")='$fullmsg'") > ++ fullmsg=$(@cat@ "$file") > ++ msg=$(@grep@ -Eo "$regex" "$file") > ++ mockme=$(printf "%b\n%b" "$mockme" > "SMC_MOCK_SYSFS_$(@basename@ "$file")='$fullmsg'") > + fi > + if [ "$mode" = silent ]; then > + return 0 > +@@ -2430,15 +2430,15 @@ sys_interface_check() > + return 0 > + fi > + _info_nol "* Mitigated according to the /sys interface: " > +- if echo "$msg" 
| grep -qi '^not affected'; then > ++ if echo "$msg" | @grep@ -qi '^not affected'; then > + # Not affected > + status=OK > + pstatus green YES "$fullmsg" > +- elif echo "$msg" | grep -qEi '^(kvm: )?mitigation'; then > ++ elif echo "$msg" | @grep@ -qEi '^(kvm: )?mitigation'; then > + # Mitigation: PTI > + status=OK > + pstatus green YES "$fullmsg" > +- elif echo "$msg" | grep -qi '^vulnerable'; then > ++ elif echo "$msg" | @grep@ -qi '^vulnerable'; then > + # Vulnerable > + status=VULN > + pstatus yellow NO "$fullmsg" > +@@ -2526,20 +2526,20 @@ write_msr_one_core() > + # ret=4: msr doesn't exist, ret=127: > msr.allow_writes=off > + [ "$ret" = 127 ] && _write_denied=1 > + # or fallback to dd if it supports seek_bytes, we > prefer it over perl because we can tell the difference between EPERM > and EIO > +- elif dd if=/dev/null of=/dev/null bs=8 count=1 > seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" > != 1 ]; then > ++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 > seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" > != 1 ]; then > + _debug "write_msr: using dd" > +- dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 > count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$? > ++ @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr > bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$? 
> + # if it failed, inspect stderrto look for > EPERM > + if [ "$ret" != 0 ]; then > +- if dd if=/dev/zero > of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" > oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then > ++ if @dd@ if=/dev/zero > of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" > oflag=seek_bytes 2>&1 | @grep@ -qF 'Operation not permitted'; then > + _write_denied=1 > + fi > + fi > + # or if we have perl, use it, any 5.x version will > work > +- elif command -v perl >/dev/null 2>&1 && [ > "${SMC_NO_PERL:-}" != 1 ]; then > ++ elif command -v @perl@ >/dev/null 2>&1 && [ > "${SMC_NO_PERL:-}" != 1 ]; then > + _debug "write_msr: using perl" > + ret=1 > +- perl -e "open(M,'>','/dev/cpu/$_core/msr') > and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? - > eq 8 ] && ret=0 > ++ @perl@ -e "open(M,'>','/dev/cpu/$_core/msr') > and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? - > eq 8 ] && ret=0 > + else > + _debug "write_msr: got no wrmsr, perl or > recent enough dd!" 
> + mockme=$(printf "%b\n%b" "$mockme" > "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR") > +@@ -2561,13 +2561,13 @@ write_msr_one_core() > + msr_locked_down=1 > + write_msr_msg="your kernel is > configured to deny writes to MSRs from user space" > + return $WRITE_MSR_RET_LOCKDOWN > +- elif dmesg | grep -qF "msr: Direct access to > MSR"; then > ++ elif @dmesg@ | @grep@ -qF "msr: Direct access > to MSR"; then > + _debug "write_msr: locked down kernel > detected (Red Hat / Fedora)" > + mockme=$(printf "%b\n%b" "$mockme" > "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN") > + msr_locked_down=1 > + write_msr_msg="your kernel is locked > down (Fedora/Red Hat), please reboot without secure boot and retry" > + return $WRITE_MSR_RET_LOCKDOWN > +- elif dmesg | grep -qF "raw MSR access is > restricted"; then > ++ elif @dmesg@ | @grep@ -qF "raw MSR access is > restricted"; then > + _debug "write_msr: locked down kernel > detected (vanilla)" > + mockme=$(printf "%b\n%b" "$mockme" > "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN") > + msr_locked_down=1 > +@@ -2666,8 +2666,8 @@ read_msr_one_core() > + return $READ_MSR_RET_KO > + fi > + # MSR 0x10: 0x000003e1 0xb106dded > +- _msr_h=$(echo "$_msr" | awk '{print $3}'); > +- _msr_l=$(echo "$_msr" | awk '{print $4}'); > ++ _msr_h=$(echo "$_msr" | @awk@ '{print $3}'); > ++ _msr_l=$(echo "$_msr" | @awk@ '{print $4}'); > + read_msr_value=$(( _msr_h << 32 | _msr_l )) > + else > + # for Linux > +@@ -2678,15 +2678,15 @@ read_msr_one_core() > + # if rdmsr is available, use it > + elif command -v rdmsr >/dev/null 2>&1 && [ > "${SMC_NO_RDMSR:-}" != 1 ]; then > + _debug "read_msr: using rdmsr on $_msr" > +- read_msr_value=$(rdmsr -r $_msr_dec > 2>/dev/null | od -t u8 -A n) > ++ read_msr_value=$(rdmsr -r $_msr_dec > 2>/dev/null | @od@ -t u8 -A n) > + # or if we have perl, use it, any 5.x version will > work > +- elif command -v perl >/dev/null 2>&1 && [ > "${SMC_NO_PERL:-}" != 1 ]; then > ++ elif command -v @perl@ >/dev/null 2>&1 && [ 
> "${SMC_NO_PERL:-}" != 1 ]; then > + _debug "read_msr: using perl on $_msr" > +- read_msr_value=$(perl -e > "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and > read(M,\$_,8) and print" | od -t u8 -A n) > ++ read_msr_value=$(@perl@ -e > "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and > read(M,\$_,8) and print" | @od@ -t u8 -A n) > + # fallback to dd if it supports skip_bytes > +- elif dd if=/dev/null of=/dev/null bs=8 count=1 > skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then > ++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 > skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then > + _debug "read_msr: using dd on $_msr" > +- read_msr_value=$(dd if=/dev/cpu/"$_core"/msr > bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8 > -A n) > ++ read_msr_value=$(@dd@ > if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" > iflag=skip_bytes 2>/dev/null | @od@ -t u8 -A n) > + else > + _debug "read_msr: got no rdmsr, perl or > recent enough dd!" > + mockme=$(printf "%b\n%b" "$mockme" > "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR") > +@@ -2710,7 +2710,7 @@ check_cpu() > + { > + _info "\033[1;34mHardware check\033[0m" > + > +- if ! uname -m | grep -qwE 'x86_64|i[3-6]86|amd64'; then > ++ if ! @uname@ -m | @grep@ -qwE 'x86_64|i[3-6]86|amd64'; then > + return > + fi > + > +@@ -3326,19 +3326,19 @@ check_redhat_canonical_spectre() > + # if we were already called, don't do it again > + [ -n "${redhat_canonical_spectre:-}" ] && return > + > +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; > then > ++ if ! 
command -v "@strings@" >/dev/null 2>&1; then > + redhat_canonical_spectre=-1 > + elif [ -n "$kernel_err" ]; then > + redhat_canonical_spectre=-2 > + else > + # Red Hat / Ubuntu specific variant1 patch is > difficult to detect, > + # let's use the two same tricks than the official Red > Hat detection script uses: > +- if "${opt_arch_prefix}strings" "$kernel" | grep -qw > noibrs && "${opt_arch_prefix}strings" "$kernel" | grep -qw noibpb; > then > ++ if "@strings@" "$kernel" | @grep@ -qw noibrs && > "@strings@" "$kernel" | @grep@ -qw noibpb; then > + # 1) detect their specific variant2 patch. If > it's present, it means > + # that the variant1 patch is also present > (both were merged at the same time) > + _debug "found redhat/canonical version of the > variant2 patch (implies variant1)" > + redhat_canonical_spectre=1 > +- elif "${opt_arch_prefix}strings" "$kernel" | grep -q > 'x86/pti:'; then > ++ elif "@strings@" "$kernel" | @grep@ -q 'x86/pti:'; > then > + # 2) detect their specific variant3 patch. If > it's present, but the variant2 > + # is not, it means that only variant1 is > present in addition to variant3 > + _debug "found redhat/canonical version of the > variant3 patch (implies variant1 but not variant2)" > +@@ -3363,13 +3363,13 @@ check_has_vmm() > + # If we find no evidence that this is the case, > assume we're not (to avoid scaring users), > + # this can always be overridden with --vmm in any > case. 
> + has_vmm=0 > +- if command -v pgrep >/dev/null 2>&1; then > ++ if command -v @pgrep@ >/dev/null 2>&1; then > + # remove xenbus and xenwatch, also present > inside domU > + # remove libvirtd as it can also be used to > manage containers and not VMs > + # for each binary we want to grep, get the > pids > + for _binary in qemu kvm xenstored xenconsoled > + do > +- for _pid in $(pgrep -x $_binary) > ++ for _pid in $(@pgrep@ -x $_binary) > + do > + # resolve the exe symlink, if > it doesn't resolve with -m, > + # which doesn't even need the > dest to exist, it means the symlink > +@@ -3385,7 +3385,7 @@ check_has_vmm() > + else > + # ignore SC2009 as `ps ax` is actually used > as a fallback if `pgrep` isn't installed > + # shellcheck disable=SC2009 > +- if command -v ps >/devnull && ps ax | grep - > vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e > '/xenstored' -e '/xenconsoled'; then > ++ if command -v ps >/devnull && ps ax | @grep@ > -vw grep | @grep@ -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e > '/xenstored' -e '/xenconsoled'; then > + has_vmm=1 > + fi > + fi > +@@ -3417,7 +3417,7 @@ check_CVE_2017_5753() > + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" > + if [ "$os" = Linux ]; then > + check_CVE_2017_5753_linux > +- elif echo "$os" | grep -q BSD; then > ++ elif echo "$os" | @grep@ -q BSD; then > + check_CVE_2017_5753_bsd > + else > + _warn "Unsupported OS ($os)" > +@@ -3469,20 +3469,20 @@ check_CVE_2017_5753_linux() > + v1_mask_nospec='' > + if [ -n "$kernel_err" ]; then > + pstatus yellow UNKNOWN "couldn't check > ($kernel_err)" > +- elif ! command -v perl >/dev/null 2>&1; then > ++ elif ! command -v @perl@ >/dev/null 2>&1; then > + pstatus yellow UNKNOWN "missing 'perl' > binary, please install it" > + else > +- perl -ne > '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { > exit($found) }' "$kernel"; ret=$? > ++ @perl@ -ne > '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { > exit($found) }' "$kernel"; ret=$? 
> + if [ $ret -gt 0 ]; then > + pstatus green YES "$ret occurrence(s) > found of x86 64 bits array_index_mask_nospec()" > + v1_mask_nospec="x86 64 bits > array_index_mask_nospec" > + else > +- perl -ne > '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { > exit($found) }' "$kernel"; ret=$? > ++ @perl@ -ne > '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { > exit($found) }' "$kernel"; ret=$? > + if [ $ret -gt 0 ]; then > + pstatus green YES "$ret > occurrence(s) found of x86 32 bits array_index_mask_nospec()" > + v1_mask_nospec="x86 32 bits > array_index_mask_nospec" > + else > +- > ret=$("${opt_arch_prefix}objdum > p" $objdump_options "$kernel" | grep -w -e f3af8014 -e e320f014 -B2 | > grep -B1 -w sbc | grep -w -c cmp) > ++ ret=$("@objdump@" > $objdump_options "$kernel" | @grep@ -w -e f3af8014 -e e320f014 -B2 | > @grep@ -B1 -w sbc | @grep@ -w -c cmp) > + if [ "$ret" -gt 0 ]; then > + pstatus green YES > "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()" > + v1_mask_nospec="arm > 32 bits array_index_mask_nospec" > +@@ -3526,12 +3526,12 @@ check_CVE_2017_5753_linux() > + pstatus yellow NO > + elif [ -n "$kernel_err" ]; then > + pstatus yellow UNKNOWN "couldn't check > ($kernel_err)" > +- elif ! command -v perl >/dev/null 2>&1; then > ++ elif ! command -v @perl@ >/dev/null 2>&1; then > + pstatus yellow UNKNOWN "missing 'perl' > binary, please install it" > +- elif ! command -v "${opt_arch_prefix}objdump" > >/dev/null 2>&1; then > ++ elif ! command -v "@objdump@" >/dev/null 2>&1; then > + pstatus yellow UNKNOWN "missing > '${opt_arch_prefix}objdump' tool, please install it, usually it's in > the binutils package" > + else > +- "${opt_arch_prefix}objdump" $objdump_options > "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && > $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && > $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$? 
> ++ "@objdump@" $objdump_options "$kernel" | > @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ > && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift > @r if @r>3'; ret=$? > + if [ "$ret" -eq 9 ]; then > + pstatus green YES "mask_nospec64 > macro is present and used" > + v1_mask_nospec="arm64 mask_nospec64" > +@@ -3553,12 +3553,12 @@ check_CVE_2017_5753_linux() > + pstatus yellow NO > + elif [ -n "$kernel_err" ]; then > + pstatus yellow UNKNOWN "couldn't check > ($kernel_err)" > +- elif ! command -v perl >/dev/null 2>&1; then > ++ elif ! command -v @perl@ >/dev/null 2>&1; then > + pstatus yellow UNKNOWN "missing 'perl' > binary, please install it" > +- elif ! command -v "${opt_arch_prefix}objdump" > >/dev/null 2>&1; then > ++ elif ! command -v "@objdump@" >/dev/null 2>&1; then > + pstatus yellow UNKNOWN "missing > '${opt_arch_prefix}objdump' tool, please install it, usually it's in > the binutils package" > + else > +- "${opt_arch_prefix}objdump" -d "$kernel" | > perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && > $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && > $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); > shift @r if @r>3'; ret=$? > ++ "@objdump@" -d "$kernel" | @perl@ -ne 'push > @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && > $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); > shift @r if @r>3'; ret=$? > + if [ "$ret" -eq 9 ]; then > + pstatus green YES "array_index_nospec > macro is present and used" > + v1_mask_nospec="arm64 > array_index_nospec" > +@@ -3574,7 +3574,7 @@ check_CVE_2017_5753_linux() > + if [ -n "$kernel_err" ]; then > + pstatus yellow UNKNOWN "couldn't > check ($kernel_err)" > + else > +- if ! command -v > "${opt_arch_prefix}objdump" >/dev/null 2>&1; then > ++ if ! 
command -v "@objdump@" > >/dev/null 2>&1; then > + pstatus yellow UNKNOWN > "missing '${opt_arch_prefix}objdump' tool, please install it, usually > it's in the binutils package" > + else > + # here we disassemble the > kernel and count the number of occurrences of the LFENCE opcode > +@@ -3584,7 +3584,7 @@ check_CVE_2017_5753_linux() > + # so let's push the threshold > to 70. > + # v0.33+: now only count > lfence opcodes after a jump, way less error-prone > + # non patched kernel have > between 0 and 20 matches, patched ones have at least 40-45 > +- > nb_lfence=$("${opt_arch_prefix} > objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence > | grep -Ewc 'jmp|jne|je') > ++ nb_lfence=$("@objdump@" > $objdump_options "$kernel" 2>/dev/null | @grep@ -w -B1 lfence | > @grep@ -Ewc 'jmp|jne|je') > + if [ "$nb_lfence" -lt 30 ]; > then > + pstatus yellow NO > "only $nb_lfence jump-then-lfence instructions found, should be >= 30 > (heuristic)" > + else > +@@ -3655,7 +3655,7 @@ check_CVE_2017_5715() > + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" > + if [ "$os" = Linux ]; then > + check_CVE_2017_5715_linux > +- elif echo "$os" | grep -q BSD; then > ++ elif echo "$os" | @grep@ -q BSD; then > + check_CVE_2017_5715_bsd > + else > + _warn "Unsupported OS ($os)" > +@@ -3697,13 +3697,13 @@ check_CVE_2017_5715_linux() > + # > /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed > + specex_knob_dir=$dir > + ibrs_supported="$dir/ibrs_ena > bled exists" > +- ibrs_enabled=$(cat > "$dir/ibrs_enabled" 2>/dev/null) > ++ ibrs_enabled=$(@cat@ > "$dir/ibrs_enabled" 2>/dev/null) > + _debug "ibrs: found > $dir/ibrs_enabled=$ibrs_enabled" > + # if ibrs_enabled is there, > ibpb_enabled will be in the same dir > + if [ -e "$dir/ibpb_enabled" > ]; then > + # if the file is > there, we have IBPB compiled-in (see note above for IBRS) > + ibpb_supported="$dir/ > ibpb_enabled exists" > +- ibpb_enabled=$(cat > "$dir/ibpb_enabled" 2>/dev/null) > ++ ibpb_enabled=$(@cat@ > 
"$dir/ibpb_enabled" 2>/dev/null) > + _debug "ibpb: found > $dir/ibpb_enabled=$ibpb_enabled" > + else > + _debug "ibpb: > $dir/ibpb_enabled file doesn't exist" > +@@ -3718,7 +3718,7 @@ check_CVE_2017_5715_linux() > + # which in that case means ibrs is supported > *and* enabled for kernel & user > + # as per the ibrs patch series v3 > + if [ -z "$ibrs_supported" ]; then > +- if grep ^flags "$procfs/cpuinfo" | > grep -qw spec_ctrl_ibrs; then > ++ if @grep@ ^flags "$procfs/cpuinfo" | > @grep@ -qw spec_ctrl_ibrs; then > + _debug "ibrs: found > spec_ctrl_ibrs flag in $procfs/cpuinfo" > + ibrs_supported="spec_ctrl_ibr > s flag in $procfs/cpuinfo" > + # enabled=2 -> kernel & user > +@@ -3728,13 +3728,13 @@ check_CVE_2017_5715_linux() > + fi > + if [ -n "$fullmsg" ]; then > + # when IBPB is enabled on 4.15+, we > can see it in sysfs > +- if echo "$fullmsg" | grep -q 'IBPB'; > then > ++ if echo "$fullmsg" | @grep@ -q > 'IBPB'; then > + _debug "ibpb: found enabled > in sysfs" > + [ -z "$ibpb_supported" ] && > ibpb_supported='IBPB found enabled in sysfs' > + [ -z "$ibpb_enabled" ] && > ibpb_enabled=1 > + fi > + # when IBRS_FW is enabled on 4.15+, > we can see it in sysfs > +- if echo "$fullmsg" | grep -q ', > IBRS_FW'; then > ++ if echo "$fullmsg" | @grep@ -q ', > IBRS_FW'; then > + _debug "ibrs: found IBRS_FW > in sysfs" > + [ -z "$ibrs_supported" ] && > ibrs_supported='found IBRS_FW in sysfs' > + ibrs_fw_enabled=1 > +@@ -3742,13 +3742,13 @@ check_CVE_2017_5715_linux() > + # when IBRS is enabled on 4.15+, we > can see it in sysfs > + # on a more recent kernel, classic > "IBRS" is not even longer an option, because of the performance > impact. 
> + # only "Enhanced IBRS" is available > (on CPUs with the IBRS_ALL flag) > +- if echo "$fullmsg" | grep -q -e > '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then > ++ if echo "$fullmsg" | @grep@ -q -e > '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then > + _debug "ibrs: found IBRS in > sysfs" > + [ -z "$ibrs_supported" ] && > ibrs_supported='found IBRS in sysfs' > + [ -z "$ibrs_enabled" ] && > ibrs_enabled=3 > + fi > + # checking for 'Enhanced IBRS' in > sysfs, enabled on CPUs with IBRS_ALL > +- if echo "$fullmsg" | grep -q -e > 'Enhanced IBRS'; then > ++ if echo "$fullmsg" | @grep@ -q -e > 'Enhanced IBRS'; then > + [ -z "$ibrs_supported" ] && > ibrs_supported='found Enhanced IBRS in sysfs' > + # 4 isn't actually a valid > value of the now extinct "ibrs_enabled" flag file, > + # that only went from 0 to 3, > so we use 4 as "enhanced ibrs is enabled" > +@@ -3767,11 +3767,11 @@ check_CVE_2017_5715_linux() > + fi > + fi > + if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then > +- if ! command -v "${opt_arch_prefix}strings" > >/dev/null 2>&1; then > ++ if ! 
command -v "@strings@" >/dev/null 2>&1; > then > + : > + else > + ibrs_can_tell=1 > +- > ibrs_supported=$("${opt_arch_prefix}str > ings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1) > ++ ibrs_supported=$("@strings@" > "$kernel" | @grep@ -Fw -e ', IBRS_FW' | @head@ -1) > + if [ -n "$ibrs_supported" ]; then > + _debug "ibrs: found ibrs > evidence in kernel image ($ibrs_supported)" > + ibrs_supported="found > '$ibrs_supported' in kernel image" > +@@ -3780,7 +3780,7 @@ check_CVE_2017_5715_linux() > + fi > + if [ -z "$ibrs_supported" ] && [ -n "$opt_map" ]; > then > + ibrs_can_tell=1 > +- if grep -q spec_ctrl "$opt_map"; then > ++ if @grep@ -q spec_ctrl "$opt_map"; then > + ibrs_supported="found spec_ctrl in > symbols file" > + _debug "ibrs: found '*spec_ctrl*' > symbol in $opt_map" > + fi > +@@ -3788,11 +3788,11 @@ check_CVE_2017_5715_linux() > + # recent (4.15) vanilla kernels have IBPB but not > IBRS, and without the debugfs tunables of Red Hat > + # we can detect it directly in the image > + if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then > +- if ! command -v "${opt_arch_prefix}strings" > >/dev/null 2>&1; then > ++ if ! 
command -v "@strings@" >/dev/null 2>&1; > then > + : > + else > + ibpb_can_tell=1 > +- > ibpb_supported=$("${opt_arch_prefix}str > ings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1) > ++ ibpb_supported=$("@strings@" > "$kernel" | @grep@ -Fw -e 'ibpb' -e ', IBPB' | @head@ -1) > + if [ -n "$ibpb_supported" ]; then > + _debug "ibpb: found ibpb > evidence in kernel image ($ibpb_supported)" > + ibpb_supported="found > '$ibpb_supported' in kernel image" > +@@ -3841,9 +3841,9 @@ check_CVE_2017_5715_linux() > + 2) if [ > "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel, user > space, and firmware code" ; else pstatus green YES "for both kernel > and user space"; fi;; > + 3) if [ > "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and > firmware code"; else pstatus green YES; fi;; > + 4) pstatus green YES > "Enhanced flavor, performance impact will be greatly reduced";; > +- *) if [ "$cpuid_ibrs" != > 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ > "$cpuid_spec_ctrl" != -1 ]; > +- then pstatus > yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS"; > +- else > ++ *) if [ "$cpuid_ibrs" != > 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ > "$cpuid_spec_ctrl" != -1 ]; > ++ then pstatus > yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS"; > ++ else > + pstatus > yellow UNKNOWN; fi;; > + esac > + fi > +@@ -3894,7 +3894,7 @@ check_CVE_2017_5715_linux() > + bp_harden='' > + if [ -r "$opt_config" ]; then > + bp_harden_can_tell=1 > +- bp_harden=$(grep -w > 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config") > ++ bp_harden=$(@grep@ -w > 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config") > + if [ -n "$bp_harden" ]; then > + pstatus green YES > + _debug "bp_harden: found '$bp_harden' > in $opt_config" > +@@ -3902,7 +3902,7 @@ check_CVE_2017_5715_linux() > + fi > + if [ -z "$bp_harden" ] && [ -n "$opt_map" ]; then > + bp_harden_can_tell=1 > +- bp_harden=$(grep -w bp_hardening_data > "$opt_map") > ++ 
bp_harden=$(@grep@ -w bp_hardening_data > "$opt_map") > + if [ -n "$bp_harden" ]; then > + pstatus green YES > + _debug "bp_harden: found '$bp_harden' > in $opt_map" > +@@ -3920,11 +3920,11 @@ check_CVE_2017_5715_linux() > + # We check the RETPOLINE kernel options > + retpoline=0 > + if [ -r "$opt_config" ]; then > +- if grep -q '^CONFIG_RETPOLINE=y' > "$opt_config"; then > ++ if @grep@ -q '^CONFIG_RETPOLINE=y' > "$opt_config"; then > + pstatus green YES > + retpoline=1 > + # shellcheck disable=SC2046 > +- _debug 'retpoline: found '$(grep > '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config" > ++ _debug 'retpoline: found '$(@grep@ > '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config" > + else > + pstatus yellow NO > + fi > +@@ -3945,8 +3945,8 @@ check_CVE_2017_5715_linux() > + # since 5.15.28, this is now "Retpolines" as > the implementation was switched to a generic one, > + # so we look for both "retpoline" and > "retpolines" > + if [ "$opt_live" = 1 ] && [ -n "$fullmsg" ]; > then > +- if echo "$fullmsg" | grep -qwi -e > retpoline -e retpolines; then > +- if echo "$fullmsg" | grep - > qwi minimal; then > ++ if echo "$fullmsg" | @grep@ -qwi -e > retpoline -e retpolines; then > ++ if echo "$fullmsg" | @grep@ - > qwi minimal; then > + retpoline_compiler=0 > + retpoline_compiler_re > ason="kernel reports minimal retpoline compilation" > + else > +@@ -3956,19 +3956,19 @@ check_CVE_2017_5715_linux() > + fi > + elif [ -n "$opt_map" ]; then > + # look for the symbol > +- if grep -qw noretpoline_setup > "$opt_map"; then > ++ if @grep@ -qw noretpoline_setup > "$opt_map"; then > + retpoline_compiler=1 > + retpoline_compiler_reason="no > retpoline_setup symbol found in System.map" > + fi > + elif [ -n "$kernel" ]; then > + # look for the symbol > +- if command -v "${opt_arch_prefix}nm" > >/dev/null 2>&1; then > ++ if command -v "@nm@" >/dev/null 2>&1; > then > + # the proper way: use nm and > look for the symbol > +- if "${opt_arch_prefix}nm" > "$kernel" 2>/dev/null | grep 
-qw 'noretpoline_setup'; then > ++ if "@nm@" "$kernel" > 2>/dev/null | @grep@ -qw 'noretpoline_setup'; then > + retpoline_compiler=1 > + retpoline_compiler_re > ason="noretpoline_setup found in kernel symbols" > + fi > +- elif grep -q noretpoline_setup > "$kernel"; then > ++ elif @grep@ -q noretpoline_setup > "$kernel"; then > + # if we don't have nm, > nevermind, the symbol name is long enough to not have > + # any false positive using > good old grep directly on the binary > + retpoline_compiler=1 > +@@ -3997,7 +3997,7 @@ check_CVE_2017_5715_linux() > + retp_enabled=-1 > + if [ "$opt_live" = 1 ]; then > + if [ -e "$specex_knob_dir/retp_enabled" ]; > then > +- retp_enabled=$(cat > "$specex_knob_dir/retp_enabled" 2>/dev/null) > ++ retp_enabled=$(@cat@ > "$specex_knob_dir/retp_enabled" 2>/dev/null) > + _debug "retpoline: found > $specex_knob_dir/retp_enabled=$retp_enabled" > + _info_nol " * Retpoline is > enabled: " > + if [ "$retp_enabled" = 1 ]; then > +@@ -4027,7 +4027,7 @@ check_CVE_2017_5715_linux() > + rsb_filling=0 > + if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" > != 1 ]; then > + # if we're live and we aren't denied > looking into /sys, let's do it > +- if echo "$msg" | grep -qw RSB; then > ++ if echo "$msg" | @grep@ -qw RSB; then > + rsb_filling=1 > + pstatus green YES > + fi > +@@ -4036,7 +4036,7 @@ check_CVE_2017_5715_linux() > + if [ -n "$kernel_err" ]; then > + pstatus yellow UNKNOWN > "couldn't check ($kernel_err)" > + else > +- if grep -qw -e 'Filling RSB > on context switch' "$kernel"; then > ++ if @grep@ -qw -e 'Filling RSB > on context switch' "$kernel"; then > + rsb_filling=1 > + pstatus green YES > + else > +@@ -4198,7 +4198,7 @@ check_CVE_2017_5715_bsd() > + { > + _info "* Mitigation 1" > + _info_nol " * Kernel supports IBRS: " > +- ibrs_disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null) > ++ ibrs_disabled=$(@sysctl@ -n hw.ibrs_disable 2>/dev/null) > + if [ -z "$ibrs_disabled" ]; then > + pstatus yellow NO > + else > +@@ -4206,7 +4206,7 @@ 
check_CVE_2017_5715_bsd() > + fi > + > + _info_nol " * IBRS enabled and active: " > +- ibrs_active=$(sysctl -n hw.ibrs_active 2>/dev/null) > ++ ibrs_active=$(@sysctl@ -n hw.ibrs_active 2>/dev/null) > + if [ "$ibrs_active" = 1 ]; then > + pstatus green YES > + else > +@@ -4219,10 +4219,10 @@ check_CVE_2017_5715_bsd() > + if [ -n "$kernel_err" ]; then > + pstatus yellow UNKNOWN "couldn't check ($kernel_err)" > + else > +- if ! command -v "${opt_arch_prefix}readelf" > >/dev/null 2>&1; then > ++ if ! command -v "@readelf@" >/dev/null 2>&1; then > + pstatus yellow UNKNOWN "missing > '${opt_arch_prefix}readelf' tool, please install it, usually it's in > the binutils package" > + else > +- nb_thunks=$("${opt_arch_prefix}readelf" -s > "$kernel" | grep -c -e __llvm_retpoline_ -e > __llvm_external_retpoline_ -e __x86_indirect_thunk_) > ++ nb_thunks=$("@readelf@" -s "$kernel" | @grep@ > -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e > __x86_indirect_thunk_) > + if [ "$nb_thunks" -gt 0 ]; then > + retpoline=1 > + pstatus green YES "found $nb_thunks > thunk(s)" > +@@ -4263,7 +4263,7 @@ check_CVE_2017_5715_bsd() > + pti_performance_check() > + { > + _info_nol " * Reduced performance impact of PTI: " > +- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" > | grep -qw pcid; then > ++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags > "$procfs/cpuinfo" | @grep@ -qw pcid; then > + cpu_pcid=1 > + else > + read_cpuid 0x1 0x0 $ECX 17 1 1; ret=$? > +@@ -4272,7 +4272,7 @@ pti_performance_check() > + fi > + fi > + > +- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" > | grep -qw invpcid; then > ++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags > "$procfs/cpuinfo" | @grep@ -qw invpcid; then > + cpu_invpcid=1 > + else > + read_cpuid 0x7 0x0 $EBX 10 1 1; ret=$? 
> +@@ -4297,7 +4297,7 @@ check_CVE_2017_5754() > + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" > + if [ "$os" = Linux ]; then > + check_CVE_2017_5754_linux > +- elif echo "$os" | grep -q BSD; then > ++ elif echo "$os" | @grep@ -q BSD; then > + check_CVE_2017_5754_bsd > + else > + _warn "Unsupported OS ($os)" > +@@ -4319,7 +4319,7 @@ check_CVE_2017_5754_linux() > + kpti_can_tell=0 > + if [ -n "$opt_config" ]; then > + kpti_can_tell=1 > +- kpti_support=$(grep -w -e > CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e > CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config") > ++ kpti_support=$(@grep@ -w -e > CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e > CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config") > + if [ -n "$kpti_support" ]; then > + _debug "kpti_support: found option > '$kpti_support' in $opt_config" > + fi > +@@ -4329,7 +4329,7 @@ check_CVE_2017_5754_linux() > + # so we try to find an exported symbol that > is part of the PTI patch in System.map > + # parse_kpti: arm > + kpti_can_tell=1 > +- kpti_support=$(grep -w -e kpti_force_enabled > -e parse_kpti "$opt_map") > ++ kpti_support=$(@grep@ -w -e > kpti_force_enabled -e parse_kpti "$opt_map") > + if [ -n "$kpti_support" ]; then > + _debug "kpti_support: found > '$kpti_support' in $opt_map" > + fi > +@@ -4339,10 +4339,10 @@ check_CVE_2017_5754_linux() > + # nopti option that is part of the patch > (kernel command line option) > + # 'kpti=': arm > + kpti_can_tell=1 > +- if ! command -v "${opt_arch_prefix}strings" > >/dev/null 2>&1; then > ++ if ! 
command -v "@strings@" >/dev/null 2>&1; > then > + pstatus yellow UNKNOWN "missing > '${opt_arch_prefix}strings' tool, please install it, usually it's in > the binutils package" > + else > +- > kpti_support=$("${opt_arch_prefix}strin > gs" "$kernel" | grep -w -e nopti -e kpti=) > ++ kpti_support=$("@strings@" "$kernel" > | @grep@ -w -e nopti -e kpti=) > + if [ -n "$kpti_support" ]; then > + _debug "kpti_support: found > '$kpti_support' in $kernel" > + fi > +@@ -4369,20 +4369,20 @@ check_CVE_2017_5754_linux() > + dmesg_grep="$dmesg_grep|x86/pti: Unmapping > kernel while in userspace" > + # aarch64 > + dmesg_grep="$dmesg_grep|CPU features: > detected( feature)?: Kernel page table isolation \(KPTI\)" > +- if grep ^flags "$procfs/cpuinfo" | grep -qw > pti; then > ++ if @grep@ ^flags "$procfs/cpuinfo" | @grep@ - > qw pti; then > + # vanilla PTI patch sets the 'pti' > flag in cpuinfo > + _debug "kpti_enabled: found 'pti' > flag in $procfs/cpuinfo" > + kpti_enabled=1 > +- elif grep ^flags "$procfs/cpuinfo" | grep -qw > kaiser; then > ++ elif @grep@ ^flags "$procfs/cpuinfo" | @grep@ > -qw kaiser; then > + # kernel line 4.9 sets the 'kaiser' > flag in cpuinfo > + _debug "kpti_enabled: found 'kaiser' > flag in $procfs/cpuinfo" > + kpti_enabled=1 > + elif [ -e /sys/kernel/debug/x86/pti_enabled > ]; then > + # Red Hat Backport creates a > dedicated file, see https://access.redhat.com/articles/3311301 > +- kpti_enabled=$(cat > /sys/kernel/debug/x86/pti_enabled 2>/dev/null) > ++ kpti_enabled=$(@cat@ > /sys/kernel/debug/x86/pti_enabled 2>/dev/null) > + _debug "kpti_enabled: file > /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled" > + elif is_xen_dom0; then > +- pti_xen_pv_domU=$(xl dmesg | grep > 'XPTI' | grep 'DomU enabled' | head -1) > ++ pti_xen_pv_domU=$(xl @dmesg@ | @grep@ > 'XPTI' | @grep@ 'DomU enabled' | @head@ -1) > + > + [ -n "$pti_xen_pv_domU" ] && > kpti_enabled=1 > + fi > +@@ -4457,7 +4457,7 @@ check_CVE_2017_5754_linux() > + if [ -n "$kpti_support" 
]; then > + if [ -e > "/sys/kernel/debug/x86/pti_enabled" ]; then > + explain "Your kernel > supports PTI but it's disabled, you can enable it with \`echo 1 > > /sys/kernel/debug/x86/pti_enabled\`" > +- elif echo "$kernel_cmdline" | > grep -q -w -e nopti -e pti=off; then > ++ elif echo "$kernel_cmdline" | > @grep@ -q -w -e nopti -e pti=off; then > + explain "Your kernel > supports PTI but it has been disabled on command-line, remove the > nopti or pti=off option from your bootloader configuration" > + else > + explain "Your kernel > supports PTI but it has been disabled, check \`dmesg\` right after > boot to find clues why the system disabled it" > +@@ -4508,7 +4508,7 @@ check_CVE_2017_5754_linux() > + check_CVE_2017_5754_bsd() > + { > + _info_nol "* Kernel supports Page Table Isolation (PTI): " > +- kpti_enabled=$(sysctl -n vm.pmap.pti 2>/dev/null) > ++ kpti_enabled=$(@sysctl@ -n vm.pmap.pti 2>/dev/null) > + if [ -z "$kpti_enabled" ]; then > + pstatus yellow NO > + else > +@@ -4579,7 +4579,7 @@ check_CVE_2018_3639() > + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" > + if [ "$os" = Linux ]; then > + check_CVE_2018_3639_linux > +- elif echo "$os" | grep -q BSD; then > ++ elif echo "$os" | @grep@ -q BSD; then > + check_CVE_2018_3639_bsd > + else > + _warn "Unsupported OS ($os)" > +@@ -4598,33 +4598,33 @@ check_CVE_2018_3639_linux() > + if [ "$opt_sysfs_only" != 1 ]; then > + _info_nol "* Kernel supports disabling speculative > store bypass (SSB): " > + if [ "$opt_live" = 1 ]; then > +- if grep -Eq 'Speculation.?Store.?Bypass:' > "$procfs/self/status" 2>/dev/null; then > ++ if @grep@ -Eq 'Speculation.?Store.?Bypass:' > "$procfs/self/status" 2>/dev/null; then > + kernel_ssb="found in > $procfs/self/status" > + _debug "found > Speculation.Store.Bypass: in $procfs/self/status" > + fi > + fi > + # arm64 kernels can have cpu_show_spec_store_bypass > with ARM64_SSBD, so exclude them > +- if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! 
grep > -q 'arm64_sys_' "$kernel"; then > +- kernel_ssb=$("${opt_arch_prefix}strings" > "$kernel" | grep spec_store_bypass | head -n1); > ++ if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! > @grep@ -q 'arm64_sys_' "$kernel"; then > ++ kernel_ssb=$("@strings@" "$kernel" | @grep@ > spec_store_bypass | @head@ -n1); > + [ -n "$kernel_ssb" ] && kernel_ssb="found > $kernel_ssb in kernel" > + fi > + # arm64 kernels can have cpu_show_spec_store_bypass > with ARM64_SSBD, so exclude them > +- if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! > grep -q 'arm64_sys_' "$opt_map"; then > +- kernel_ssb=$(grep spec_store_bypass > "$opt_map" | awk '{print $3}' | head -n1) > ++ if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! > @grep@ -q 'arm64_sys_' "$opt_map"; then > ++ kernel_ssb=$(@grep@ spec_store_bypass > "$opt_map" | @awk@ '{print $3}' | @head@ -n1) > + [ -n "$kernel_ssb" ] && kernel_ssb="found > $kernel_ssb in System.map" > + fi > + # arm64 only: > + if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ]; then > +- kernel_ssb=$(grep -w cpu_enable_ssbs > "$opt_map" | awk '{print $3}' | head -n1) > ++ kernel_ssb=$(@grep@ -w cpu_enable_ssbs > "$opt_map" | @awk@ '{print $3}' | @head@ -n1) > + [ -n "$kernel_ssb" ] && kernel_ssb="found > $kernel_ssb in System.map" > + fi > + if [ -z "$kernel_ssb" ] && [ -n "$opt_config" ]; then > +- kernel_ssb=$(grep -w 'CONFIG_ARM64_SSBD=y' > "$opt_config") > ++ kernel_ssb=$(@grep@ -w 'CONFIG_ARM64_SSBD=y' > "$opt_config") > + [ -n "$kernel_ssb" ] && > kernel_ssb="CONFIG_ARM64_SSBD enabled in kconfig" > + fi > + if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then > + # this string only appears in kernel if > CONFIG_ARM64_SSBD is set > +- kernel_ssb=$(grep -w "Speculative Store > Bypassing Safe (SSBS)" "$kernel") > ++ kernel_ssb=$(@grep@ -w "Speculative Store > Bypassing Safe (SSBS)" "$kernel") > + [ -n "$kernel_ssb" ] && kernel_ssb="found > 'Speculative Store Bypassing Safe (SSBS)' in kernel" > + fi > + # /arm64 only > +@@ -4639,31 +4639,31 @@ 
check_CVE_2018_3639_linux() > + if [ "$opt_live" = 1 ]; then > + # > https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340 > + _info_nol "* SSB mitigation is enabled and > active: " > +- if grep -Eq > 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" > 2>/dev/null; then > ++ if @grep@ -Eq > 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" > 2>/dev/null; then > + kernel_ssbd_enabled=1 > + pstatus green YES "per-thread through > prctl" > +- elif grep -Eq > 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' > "$procfs/self/status" 2>/dev/null; then > ++ elif @grep@ -Eq > 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' > "$procfs/self/status" 2>/dev/null; then > + kernel_ssbd_enabled=2 > + pstatus green YES "global" > +- elif grep -Eq > 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' > "$procfs/self/status" 2>/dev/null; then > ++ elif @grep@ -Eq > 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' > "$procfs/self/status" 2>/dev/null; then > + kernel_ssbd_enabled=0 > + pstatus yellow NO > +- elif grep -Eq > 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' > "$procfs/self/status" 2>/dev/null; then > ++ elif @grep@ -Eq > 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' > "$procfs/self/status" 2>/dev/null; then > + kernel_ssbd_enabled=-2 > + pstatus blue NO "not vulnerable" > +- elif grep -Eq > 'Speculation.?Store.?Bypass:[[:space:]]+unknown' > "$procfs/self/status" 2>/dev/null; then > ++ elif @grep@ -Eq > 'Speculation.?Store.?Bypass:[[:space:]]+unknown' > "$procfs/self/status" 2>/dev/null; then > + kernel_ssbd_enabled=0 > + pstatus blue NO > + else > +- pstatus blue UNKNOWN "unknown value: > $(grep -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" > 2>/dev/null | cut -d: -f2-)" > ++ pstatus blue UNKNOWN "unknown value: > $(@grep@ -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" > 2>/dev/null | @cut@ -d: -f2-)" > + fi > + > + if [ "$kernel_ssbd_enabled" = 1 ]; then > + 
_info_nol "* SSB mitigation currently > active for selected processes: " > + # silence grep's stderr here to avoid > ENOENT errors from processes that have exited since the shell's > expansion of the * > +- mitigated_processes=$(find /proc - > mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \ > +- | xargs -r0 grep -El > 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' > 2>/dev/null \ > +- | sed s/status/exe/ | xargs - > r -n1 readlink -f 2>/dev/null | xargs -r -n1 basename | sort -u | tr > "\n" " " | sed 's/ $//') > ++ mitigated_processes=$(@find@ /proc - > mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \ > ++ | @xargs@ -r0 @grep@ -El > 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' > 2>/dev/null \ > ++ | @sed@ s/status/exe/ | > @xargs@ -r -n1 readlink -f 2>/dev/null | @xargs@ -r -n1 @basename@ | > @sort@ -u | @tr@ "\n" " " | @sed@ 's/ $//') > + if [ -n "$mitigated_processes" ]; > then > + pstatus green YES > "$mitigated_processes" > + else > +@@ -4715,7 +4715,7 @@ check_CVE_2018_3639_linux() > + check_CVE_2018_3639_bsd() > + { > + _info_nol "* Kernel supports speculation store bypass: " > +- if sysctl hw.spec_store_bypass_disable >/dev/null 2>&1; then > ++ if @sysctl@ hw.spec_store_bypass_disable >/dev/null 2>&1; > then > + kernel_ssb=1 > + pstatus green YES > + else > +@@ -4724,7 +4724,7 @@ check_CVE_2018_3639_bsd() > + fi > + > + _info_nol "* Speculation store bypass is administratively > enabled: " > +- ssb_enabled=$(sysctl -n hw.spec_store_bypass_disable > 2>/dev/null) > ++ ssb_enabled=$(@sysctl@ -n hw.spec_store_bypass_disable > 2>/dev/null) > + _debug "hw.spec_store_bypass_disable=$ssb_enabled" > + case "$ssb_enabled" in > + 0) pstatus yellow NO "disabled";; > +@@ -4734,7 +4734,7 @@ check_CVE_2018_3639_bsd() > + esac > + > + _info_nol "* Speculation store bypass is currently active: " > +- ssb_active=$(sysctl -n hw.spec_store_bypass_disable_active > 2>/dev/null) > ++ ssb_active=$(@sysctl@ 
-n hw.spec_store_bypass_disable_active > 2>/dev/null) > + _debug "hw.spec_store_bypass_disable_active=$ssb_active" > + case "$ssb_active" in > + 1) pstatus green YES;; > +@@ -4806,7 +4806,7 @@ check_CVE_2018_3620() > + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" > + if [ "$os" = Linux ]; then > + check_CVE_2018_3620_linux > +- elif echo "$os" | grep -q BSD; then > ++ elif echo "$os" | @grep@ -q BSD; then > + check_CVE_2018_3620_bsd > + else > + _warn "Unsupported OS ($os)" > +@@ -4824,14 +4824,14 @@ check_CVE_2018_3620_linux() > + fi > + if [ "$opt_sysfs_only" != 1 ]; then > + _info_nol "* Kernel supports PTE inversion: " > +- if ! command -v "${opt_arch_prefix}strings" > >/dev/null 2>&1; then > ++ if ! command -v "@strings@" >/dev/null 2>&1; then > + pstatus yellow UNKNOWN "missing 'strings' > tool, please install it" > + pteinv_supported=-1 > + elif [ -n "$kernel_err" ]; then > + pstatus yellow UNKNOWN "$kernel_err" > + pteinv_supported=-1 > + else > +- if "${opt_arch_prefix}strings" "$kernel" | > grep -Fq 'PTE Inversion'; then > ++ if "@strings@" "$kernel" | @grep@ -Fq 'PTE > Inversion'; then > + pstatus green YES "found in kernel > image" > + _debug "pteinv: found pte inversion > evidence in kernel image" > + pteinv_supported=1 > +@@ -4844,7 +4844,7 @@ check_CVE_2018_3620_linux() > + _info_nol "* PTE inversion enabled and active: " > + if [ "$opt_live" = 1 ]; then > + if [ -n "$fullmsg" ]; then > +- if echo "$fullmsg" | grep -q > 'Mitigation: PTE Inversion'; then > ++ if echo "$fullmsg" | @grep@ -q > 'Mitigation: PTE Inversion'; then > + pstatus green YES > + pteinv_active=1 > + else > +@@ -4892,7 +4892,7 @@ check_CVE_2018_3620_bsd() > + else > + _debug "vmm module already loaded" > + fi > +- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then > ++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then > + # > https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch > + # this is very difficult to detect that the kernel > reserved the 0 page, 
but this fix > + # is part of the exact same patch than the other L1TF > CVE, so we detect it > +@@ -4922,7 +4922,7 @@ check_CVE_2018_3646() > + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" > + if [ "$os" = Linux ]; then > + check_CVE_2018_3646_linux > +- elif echo "$os" | grep -q BSD; then > ++ elif echo "$os" | @grep@ -q BSD; then > + check_CVE_2018_3646_bsd > + else > + _warn "Unsupported OS ($os)" > +@@ -4948,7 +4948,7 @@ check_CVE_2018_3646_linux() > + if [ "$opt_live" = 1 ]; then > + if ! [ -r > /sys/module/kvm_intel/parameters/ept ]; then > + pstatus blue N/A "the kvm_intel > module is not loaded" > +- elif [ "$(cat > /sys/module/kvm_intel/parameters/ept)" = N ]; then > ++ elif [ "$(@cat@ > /sys/module/kvm_intel/parameters/ept)" = N ]; then > + pstatus green YES > + ept_disabled=1 > + else > +@@ -4960,15 +4960,15 @@ check_CVE_2018_3646_linux() > + > + _info "* Mitigation 2" > + _info_nol " * L1D flush is supported by kernel: " > +- if [ "$opt_live" = 1 ] && grep -qw flush_l1d > "$procfs/cpuinfo"; then > ++ if [ "$opt_live" = 1 ] && @grep@ -qw flush_l1d > "$procfs/cpuinfo"; then > + l1d_kernel="found flush_l1d in > $procfs/cpuinfo" > + fi > + if [ -z "$l1d_kernel" ]; then > +- if ! command -v "${opt_arch_prefix}strings" > >/dev/null 2>&1; then > ++ if ! 
command -v "@strings@" >/dev/null 2>&1; > then > + l1d_kernel_err="missing > '${opt_arch_prefix}strings' tool, please install it, usually it's in > the binutils package" > + elif [ -n "$kernel_err" ]; then > + l1d_kernel_err="$kernel_err" > +- elif "${opt_arch_prefix}strings" "$kernel" | > grep -qw flush_l1d; then > ++ elif "@strings@" "$kernel" | @grep@ -qw > flush_l1d; then > + l1d_kernel='found flush_l1d in kernel > image' > + fi > + fi > +@@ -4989,20 +4989,20 @@ check_CVE_2018_3646_linux() > + # $l1dstatus is one of > (auto|vulnerable|conditional cache flushes|cache flushes|EPT > disabled|flush not necessary) > + # $smtstatus is one of > (vulnerable|disabled) > + # can also just be "Not affected" > +- if echo "$fullmsg" | grep -Eq -e 'Not > affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not > necessary)'; then > ++ if echo "$fullmsg" | @grep@ -Eq -e > 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not > necessary)'; then > + l1d_mode=0 > + pstatus yellow NO > +- elif echo "$fullmsg" | grep -Eq > '(VMX:|L1D) conditional cache flushes'; then > ++ elif echo "$fullmsg" | @grep@ -Eq > '(VMX:|L1D) conditional cache flushes'; then > + l1d_mode=1 > + pstatus green YES > "conditional flushes" > +- elif echo "$fullmsg" | grep -Eq > '(VMX:|L1D) cache flushes'; then > ++ elif echo "$fullmsg" | @grep@ -Eq > '(VMX:|L1D) cache flushes'; then > + l1d_mode=2 > + pstatus green YES > "unconditional flushes" > + else > + if is_xen_dom0; then > +- l1d_xen_hardware=$(xl > dmesg | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -1) > +- > l1d_xen_hypervisor=$(xl > dmesg | grep 'Xen settings:' | grep 'L1D_FLUSH' | head -1) > +- l1d_xen_pv_domU=$(xl > dmesg | grep 'PV L1TF shadowing:' | grep 'DomU enabled' | head -1) > ++ l1d_xen_hardware=$(xl > @dmesg@ | @grep@ 'Hardware features:' | @grep@ 'L1D_FLUSH' | @head@ - > 1) > ++ l1d_xen_hypervisor=$( > xl @dmesg@ | @grep@ 'Xen settings:' | @grep@ 'L1D_FLUSH' | @head@ -1) > ++ l1d_xen_pv_domU=$(xl > @dmesg@ | 
@grep@ 'PV L1TF shadowing:' | @grep@ 'DomU enabled' | > @head@ -1) > + > + if [ -n > "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n > "$l1d_xen_pv_domU" ]; then > + l1d_mode=5 > +@@ -5033,7 +5033,7 @@ check_CVE_2018_3646_linux() > + > + _info_nol " * Hardware-backed L1D flush supported: " > + if [ "$opt_live" = 1 ]; then > +- if grep -qw flush_l1d "$procfs/cpuinfo" || [ > -n "$l1d_xen_hardware" ]; then > ++ if @grep@ -qw flush_l1d "$procfs/cpuinfo" || > [ -n "$l1d_xen_hardware" ]; then > + pstatus green YES "performance impact > of the mitigation will be greatly reduced" > + else > + pstatus blue NO "flush will be done > in software, this is slower" > +@@ -5105,7 +5105,7 @@ check_CVE_2018_3646_linux() > + check_CVE_2018_3646_bsd() > + { > + _info_nol "* Kernel supports L1D flushing: " > +- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then > ++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then > + pstatus green YES > + kernel_l1d_supported=1 > + else > +@@ -5114,7 +5114,7 @@ check_CVE_2018_3646_bsd() > + fi > + > + _info_nol "* L1D flushing is enabled: " > +- kernel_l1d_enabled=$(sysctl -n hw.vmm.vmx.l1d_flush > 2>/dev/null) > ++ kernel_l1d_enabled=$(@sysctl@ -n hw.vmm.vmx.l1d_flush > 2>/dev/null) > + case "$kernel_l1d_enabled" in > + 0) pstatus yellow NO;; > + 1) pstatus green YES;; > +@@ -5168,7 +5168,7 @@ check_CVE_2018_12127() > + ################### > + # MDSUM SECTION > + > +-# Microarchitectural Data Sampling Uncacheable Memory > ++# Microarchitectural Data Sampling Uncacheable Memory > + check_CVE_2019_11091() > + { > + cve='CVE-2019-11091' > +@@ -5182,7 +5182,7 @@ check_mds() > + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" > + if [ "$os" = Linux ]; then > + check_mds_linux "$cve" > +- elif echo "$os" | grep -q BSD; then > ++ elif echo "$os" | @grep@ -q BSD; then > + check_mds_bsd "$cve" > + else > + _warn "Unsupported OS ($os)" > +@@ -5193,7 +5193,7 @@ check_mds_bsd() > + { > + _info_nol "* Kernel supports using MD_CLEAR 
mitigation: " > + if [ "$opt_live" = 1 ]; then > +- if sysctl hw.mds_disable >/dev/null 2>&1; then > ++ if @sysctl@ hw.mds_disable >/dev/null 2>&1; then > + pstatus green YES > + kernel_md_clear=1 > + else > +@@ -5201,7 +5201,7 @@ check_mds_bsd() > + kernel_md_clear=0 > + fi > + else > +- if grep -Fq hw.mds_disable $opt_kernel; then > ++ if @grep@ -Fq hw.mds_disable $opt_kernel; then > + pstatus green YES > + kernel_md_clear=1 > + else > +@@ -5211,8 +5211,8 @@ check_mds_bsd() > + fi > + > + _info_nol "* CPU Hyper-Threading (SMT) is disabled: " > +- if sysctl machdep.hyperthreading_allowed >/dev/null 2>&1; > then > +- kernel_smt_allowed=$(sysctl -n > machdep.hyperthreading_allowed 2>/dev/null) > ++ if @sysctl@ machdep.hyperthreading_allowed >/dev/null 2>&1; > then > ++ kernel_smt_allowed=$(@sysctl@ -n > machdep.hyperthreading_allowed 2>/dev/null) > + if [ "$kernel_smt_allowed" = 1 ]; then > + pstatus yellow NO > + else > +@@ -5224,7 +5224,7 @@ check_mds_bsd() > + > + _info_nol "* Kernel mitigation is enabled: " > + if [ "$kernel_md_clear" = 1 ]; then > +- kernel_mds_enabled=$(sysctl -n hw.mds_disable > 2>/dev/null) > ++ kernel_mds_enabled=$(@sysctl@ -n hw.mds_disable > 2>/dev/null) > + else > + kernel_mds_enabled=0 > + fi > +@@ -5238,7 +5238,7 @@ check_mds_bsd() > + > + _info_nol "* Kernel mitigation is active: " > + if [ "$kernel_md_clear" = 1 ]; then > +- kernel_mds_state=$(sysctl -n hw.mds_disable_state > 2>/dev/null) > ++ kernel_mds_state=$(@sysctl@ -n hw.mds_disable_state > 2>/dev/null) > + else > + kernel_mds_state=inactive > + fi > +@@ -5296,16 +5296,16 @@ check_mds_linux() > + _info_nol "* Kernel supports using MD_CLEAR > mitigation: " > + kernel_md_clear='' > + kernel_md_clear_can_tell=1 > +- if [ "$opt_live" = 1 ] && grep ^flags > "$procfs/cpuinfo" | grep -qw md_clear; then > ++ if [ "$opt_live" = 1 ] && @grep@ ^flags > "$procfs/cpuinfo" | @grep@ -qw md_clear; then > + kernel_md_clear="md_clear found in > $procfs/cpuinfo" > + pstatus green YES 
"$kernel_md_clear" > + fi > + if [ -z "$kernel_md_clear" ]; then > +- if ! command -v "${opt_arch_prefix}strings" > >/dev/null 2>&1; then > ++ if ! command -v "@strings@" >/dev/null 2>&1; > then > + kernel_md_clear_can_tell=0 > + elif [ -n "$kernel_err" ]; then > + kernel_md_clear_can_tell=0 > +- elif "${opt_arch_prefix}strings" "$kernel" | > grep -q 'Clear CPU buffers'; then > ++ elif "@strings@" "$kernel" | @grep@ -q 'Clear > CPU buffers'; then > + _debug "md_clear: found 'Clear CPU > buffers' string in kernel image" > + kernel_md_clear='found md_clear > implementation evidence in kernel image' > + pstatus green YES "$kernel_md_clear" > +@@ -5321,7 +5321,7 @@ check_mds_linux() > + > + if [ "$opt_live" = 1 ] && [ > "$sys_interface_available" = 1 ]; then > + _info_nol "* Kernel mitigation is enabled and > active: " > +- if echo "$fullmsg" | grep -qi ^mitigation; > then > ++ if echo "$fullmsg" | @grep@ -qi ^mitigation; > then > + mds_mitigated=1 > + pstatus green YES > + else > +@@ -5329,7 +5329,7 @@ check_mds_linux() > + pstatus yellow NO > + fi > + _info_nol "* SMT is either mitigated or > disabled: " > +- if echo "$fullmsg" | grep -Eq 'SMT > (disabled|mitigated)'; then > ++ if echo "$fullmsg" | @grep@ -Eq 'SMT > (disabled|mitigated)'; then > + mds_smt_mitigated=1 > + pstatus green YES > + else > +@@ -5415,7 +5415,7 @@ check_CVE_2019_11135() > + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" > + if [ "$os" = Linux ]; then > + check_CVE_2019_11135_linux > +- elif echo "$os" | grep -q BSD; then > ++ elif echo "$os" | @grep@ -q BSD; then > + check_CVE_2019_11135_bsd > + else > + _warn "Unsupported OS ($os)" > +@@ -5436,7 +5436,7 @@ check_CVE_2019_11135_linux() > + kernel_taa='' > + if [ -n "$kernel_err" ]; then > + kernel_taa_err="$kernel_err" > +- elif grep -q 'tsx_async_abort' "$kernel"; then > ++ elif @grep@ -q 'tsx_async_abort' "$kernel"; then > + kernel_taa="found tsx_async_abort in kernel > image" > + fi > + if [ -n "$kernel_taa" ]; then > +@@ -5450,7 
+5450,7 @@ check_CVE_2019_11135_linux() > + _info_nol "* TAA mitigation enabled and active: " > + if [ "$opt_live" = 1 ]; then > + if [ -n "$fullmsg" ]; then > +- if echo "$fullmsg" | grep -qE > '^Mitigation'; then > ++ if echo "$fullmsg" | @grep@ -qE > '^Mitigation'; then > + pstatus green YES "$fullmsg" > + else > + pstatus yellow NO > +@@ -5485,9 +5485,9 @@ check_CVE_2019_11135_linux() > + else > + if [ "$opt_paranoid" = 1 ]; then > + # in paranoid mode, TSX or SMT enabled are > not OK, even if TAA is mitigated > +- if ! echo "$fullmsg" | grep -qF 'TSX > disabled'; then > ++ if ! echo "$fullmsg" | @grep@ -qF 'TSX > disabled'; then > + pvulnstatus $cve VULN "TSX must be > disabled for full mitigation" > +- elif echo "$fullmsg" | grep -qF 'SMT > vulnerable'; then > ++ elif echo "$fullmsg" | @grep@ -qF 'SMT > vulnerable'; then > + pvulnstatus $cve VULN "SMT > (HyperThreading) must be disabled for full mitigation" > + else > + pvulnstatus $cve "$status" "$msg" > +@@ -5517,7 +5517,7 @@ check_CVE_2018_12207() > + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" > + if [ "$os" = Linux ]; then > + check_CVE_2018_12207_linux > +- elif echo "$os" | grep -q BSD; then > ++ elif echo "$os" | @grep@ -q BSD; then > + check_CVE_2018_12207_bsd > + else > + _warn "Unsupported OS ($os)" > +@@ -5541,7 +5541,7 @@ check_CVE_2018_12207_linux() > + if [ -n "$kernel_err" ]; then > + kernel_itlbmh_err="$kernel_err" > + # commit 5219505fcbb640e273a0d51c19c38de0100ec5a9 > +- elif grep -q 'itlb_multihit' "$kernel"; then > ++ elif @grep@ -q 'itlb_multihit' "$kernel"; then > + kernel_itlbmh="found itlb_multihit in kernel > image" > + fi > + if [ -n "$kernel_itlbmh" ]; then > +@@ -5555,7 +5555,7 @@ check_CVE_2018_12207_linux() > + _info_nol "* iTLB Multihit mitigation enabled and > active: " > + if [ "$opt_live" = 1 ]; then > + if [ -n "$fullmsg" ]; then > +- if echo "$fullmsg" | grep -qF > 'Mitigation'; then > ++ if echo "$fullmsg" | @grep@ -qF > 'Mitigation'; then > + pstatus green YES 
"$fullmsg" > + else > + pstatus yellow NO > +@@ -5597,7 +5597,7 @@ check_CVE_2018_12207_linux() > + check_CVE_2018_12207_bsd() > + { > + _info_nol "* Kernel supports disabling superpages for > executable mappings under EPT: " > +- kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept > 2>/dev/null) > ++ kernel_2m_x_ept=$(@sysctl@ -n vm.pmap.allow_2m_x_ept > 2>/dev/null) > + if [ -z "$kernel_2m_x_ept" ]; then > + pstatus yellow NO > + else > +@@ -5634,7 +5634,7 @@ check_CVE_2020_0543() > + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" > + if [ "$os" = Linux ]; then > + check_CVE_2020_0543_linux > +- elif echo "$os" | grep -q BSD; then > ++ elif echo "$os" | @grep@ -q BSD; then > + check_CVE_2020_0543_bsd > + else > + _warn "Unsupported OS ($os)" > +@@ -5655,7 +5655,7 @@ check_CVE_2020_0543_linux() > + kernel_srbds='' > + if [ -n "$kernel_err" ]; then > + kernel_srbds_err="$kernel_err" > +- elif grep -q 'Dependent on hypervisor' "$kernel"; > then > ++ elif @grep@ -q 'Dependent on hypervisor' "$kernel"; > then > + kernel_srbds="found SRBDS implementation > evidence in kernel image. 
Your kernel is up to date for SRBDS > mitigation" > + fi > + if [ -n "$kernel_srbds" ]; then > +@@ -5668,7 +5668,7 @@ check_CVE_2020_0543_linux() > + _info_nol "* SRBDS mitigation control is enabled and > active: " > + if [ "$opt_live" = 1 ]; then > + if [ -n "$fullmsg" ]; then > +- if echo "$fullmsg" | grep -qE > '^Mitigation'; then > ++ if echo "$fullmsg" | @grep@ -qE > '^Mitigation'; then > + pstatus green YES "$fullmsg" > + else > + pstatus yellow NO > +@@ -5758,8 +5758,8 @@ fi > + # now run the checks the user asked for > + for cve in $supported_cve_list > + do > +- if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | grep -qw > "$cve"; then > +- check_"$(echo "$cve" | tr - _)" > ++ if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | @grep@ - > qw "$cve"; then > ++ check_"$(echo "$cve" | @tr@ - _)" > + _info > + fi > + done > +@@ -5773,17 +5773,17 @@ if [ "$bad_accuracy" = 1 ]; then > + _warn "We're missing some kernel info (see -v), accuracy > might be reduced" > + fi > + > +-_vars=$(set | grep -Ev '^[A-Z_[:space:]]' | grep -v -F 'mockme=' | > sort | tr "\n" '|') > ++_vars=$(set | @grep@ -Ev '^[A-Z_[:space:]]' | @grep@ -v -F > 'mockme=' | @sort@ | @tr@ "\n" '|') > + _debug "variables at end of script: $_vars" > + > + if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then > +- if command -v "gzip" >/dev/null 2>&1; then > ++ if command -v "@gzip@" >/dev/null 2>&1; then > + # not a useless use of cat: gzipping cpuinfo directly > doesn't work well > + # shellcheck disable=SC2002 > +- if command -v "base64" >/dev/null 2>&1; then > +- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | > base64 -w0)" > +- elif command -v "uuencode" >/dev/null 2>&1; then > +- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | > uuencode -m - | grep -Fv 'begin-base64' | grep -Fxv -- '====' | tr -d > "\n")" > ++ if command -v "@base64@" >/dev/null 2>&1; then > ++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ > -c | @base64@ -w0)" > ++ elif command -v "@uuencode@" >/dev/null 2>&1; then > ++ 
mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ > -c | @uuencode@ -m - | @grep@ -Fv 'begin-base64' | @grep@ -Fxv -- > '====' | @tr@ -d "\n")" > + fi > + fi > + if [ -n "$mock_cpuinfo" ]; then > +@@ -5792,7 +5792,7 @@ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; > then > + fi > + _info "" > + # shellcheck disable=SC2046 > +- _warn "To mock this CPU, set those vars: "$(echo "$mockme" | > sort -u) > ++ _warn "To mock this CPU, set those vars: "$(echo "$mockme" | > @sort@ -u) > + fi > + > + if [ "$opt_explain" = 0 ]; then > +-- > +2.38.1 > + > diff --git a/gnu/packages/patches/spectre-meltdown-checker-support- > guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown- > checker-support-guix-system-kernel.patch > new file mode 100644 > index 0000000000..afec52b418 > --- /dev/null > +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix- > system-kernel.patch 
> @@ -0,0 +1,26 @@ > +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 > 2001 > +From: Hilton Chain <hako@ultrarare.space> > +Date: Sat, 5 Nov 2022 23:22:31 +0800 > +Subject: [PATCH] Add support for Guix System kernel. > + > +--- > + spectre-meltdown-checker.sh | 2 ++ > + 1 file changed, 2 insertions(+) > + > +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown- > checker.sh > +index 248a444..855a090 100755 > +--- a/spectre-meltdown-checker.sh > ++++ b/spectre-meltdown-checker.sh > +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then > + [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" > ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)" > + # NixOS: > + [ -e "/run/booted-system/kernel" ] && > opt_kernel="/run/booted-system/kernel" > ++ # Guix System: > ++ [ -e "/run/booted-system/kernel/bzImage" ] && > opt_kernel="/run/booted-system/kernel/bzImage" > + # systemd kernel-install: > + [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat > /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat > /etc/machine-id)/$(uname -r)/linux" > + # Clear Linux: > + > +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183 > +-- > +2.38.0 > > base-commit: 70df5c47a89f4f353a1df94467581a0f0da599a4 > -- > 2.38.1 Haven't looked at all the other substituted commands, but otherwise seems good to me. Cheers ^ permalink raw reply [flat|nested] 12+ messages in thread
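Review bot: in the check_CVE_2017_5754_linux and check_CVE_2018_3646_linux hunks, the `xl dmesg` invocations (`pti_xen_pv_domU=$(xl @dmesg@ | ...)`, `l1d_xen_hardware=$(xl @dmesg@ | ...)` and the two lines after it) should keep the literal `dmesg`: there it is a subcommand of the Xen `xl` tool, not the util-linux binary, so once `@dmesg@` is replaced by a store path the command becomes `xl /gnu/store/...-util-linux/bin/dmesg`, which is not an xl subcommand, and the Xen dom0 detection fails. The UNKNOWN messages in the check_CVE_2017_5715_bsd, check_CVE_2017_5754_linux and check_CVE_2018_3646_linux hunks also still say `missing '${opt_arch_prefix}readelf'` / `'${opt_arch_prefix}strings'` although the `command -v` test now looks up `@readelf@` / `@strings@`; the hint should name the tool that was actually checked. Lastly, `xargs -r -n1 readlink -f` in the `mitigated_processes` pipeline is the one coreutils command left unstaged while `@basename@`, `@sort@` and `@tr@` around it are staged.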
* [bug#59053] [PATCH v3] gnu: Add spectre-meltdown-checker. 2022-11-11 15:13 ` Liliana Marie Prikler @ 2022-11-12 12:14 ` Hilton Chain via Guix-patches via 2022-11-12 12:28 ` Liliana Marie Prikler From: Hilton Chain via Guix-patches via @ 2022-11-12 12:14 UTC To: Liliana Marie Prikler; +Cc: 59053

* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch: New file.
* gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch: New file.
* gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
v2 -> v3:
1. Use curl as default downloader (It seems that wget doesn't work out of the box for TLS?).
2. Remove instead of commenting.
3. Remove builtin firmware database via a snippet.
4. Adjust position of the "return 2" statement. For the purpose, it's there to stop the version checking function, as later steps assume a valid firmware database. For the very value, it's that a return value of is_latest_known_ucode() other than 0 or 1 is considered "unknown" in the final output.

gnu/local.mk | 3 + gnu/packages/linux.scm | 58 + ...ker-remove-builtin-firmware-database.patch | 113 + ...cker-stage-commands-for-substitution.patch | 1947 +++++++++++++++++ ...n-checker-support-guix-system-kernel.patch | 26 + 5 files changed, 2147 insertions(+) create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch create mode 100644 gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch diff --git a/gnu/local.mk b/gnu/local.mk index e3e02314bb..46b299d0d6 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -1857,6 +1857,9 @@ dist_patch_DATA = \ %D%/packages/patches/syslinux-strip-gnu-property.patch \ %D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \ %D%/packages/patches/snappy-add-inline-for-GCC.patch \ + %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \ + %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch \ + %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \ %D%/packages/patches/sphinxbase-fix-doxygen.patch \ %D%/packages/patches/spice-vdagent-glib-2.68.patch \ %D%/packages/patches/sssd-optional-systemd.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index fea33dfa0b..b15899baf6 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm 
@@ -9595,3 +9595,61 @@ (define-public edac-utils error detection and correction (EDAC).") (home-page "https://github.com/grondo/edac-utils") (license license:gpl2+))) + +(define-public spectre-meltdown-checker + (package + (name "spectre-meltdown-checker") + (version "0.45") + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/speed47/spectre-meltdown-checker") + (commit (string-append "v" version)))) + (file-name (git-file-name name version)) + (patches + (search-patches + ;; https://github.com/speed47/spectre-meltdown-checker/pull/441 + "spectre-meltdown-checker-support-guix-system-kernel.patch" + ;; NOTE: Update these patches when updating. + "spectre-meltdown-checker-stage-commands-for-substitution.patch" + "spectre-meltdown-checker-remove-builtin-firmware-database.patch")) + ;; Remove builtin firmware database. + (modules '((guix build utils))) + (snippet '(substitute* "spectre-meltdown-checker.sh" + (("^# [AI],.*") ""))) + (sha256 + (base32 + "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8")))) + (build-system copy-build-system) + (arguments + (list #:install-plan + #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker")) + #:phases + #~(modify-phases %standard-phases + (add-after 'unpack 'fixpath + (lambda* (#:key inputs #:allow-other-keys) + (substitute* "spectre-meltdown-checker.sh" + (("@sysctl@") (search-input-file inputs "/sbin/sysctl")) + (("@([a-z0-9]*)@" _ command _) + (search-input-file + inputs (string-append "/bin/" command))))))))) + (inputs + (list binutils + coreutils + grep + kmod + lz4 + lzop + perl + procps + sharutils + util-linux + which + zstd)) + (home-page "https://github.com/speed47/spectre-meltdown-checker") + (synopsis "CPU vulnerability / mitigation checker") + (description + "This package provides a shell script to assess your system's resilience +against the several transient execution CVEs that were published since early +2018, and give you guidance as to how to mitigate them.") 
+ (license license:gpl3))) diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch new file mode 100644 index 0000000000..400d8d3a07 --- /dev/null +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch 
@@ -0,0 +1,113 @@ +From e2cc68814cf658638946e069406ef6a6032ab318 Mon Sep 17 00:00:00 2001 +From: Hilton Chain <hako@ultrarare.space> +Date: Sat, 12 Nov 2022 19:49:36 +0800 +Subject: [PATCH 2/2] Remove references to the builtin firmware database. + +--- + spectre-meltdown-checker.sh | 43 +++++++++++-------------------------- + 1 file changed, 12 insertions(+), 31 deletions(-) + +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh +index 82cf1b6..5104599 100755 +--- a/spectre-meltdown-checker.sh ++++ b/spectre-meltdown-checker.sh +@@ -95,7 +95,6 @@ show_usage() + --cpu [#,all] interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0) + --update-fwdb update our local copy of the CPU microcodes versions database (using the awesome + MCExtractor project and the Intel firmwares GitHub repository) +- --update-builtin-fwdb same as --update-fwdb but update builtin DB inside the script itself + --dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script + + Return codes: +@@ -853,10 +852,10 @@ update_fwdb() + mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)" + mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db' + _info_nol "Fetching MCE.db from the MCExtractor project... " +- if command -v wget >/dev/null 2>&1; then +- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$? +- elif command -v curl >/dev/null 2>&1; then ++ if command -v curl >/dev/null 2>&1; then + curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$? ++ elif command -v wget >/dev/null 2>&1; then ++ wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$? + elif command -v fetch >/dev/null 2>&1; then + fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$? + else +@@ -874,10 +873,10 @@ update_fwdb() + intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip" + _info_nol "Fetching Intel firmwares... 
" + ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git +- if command -v wget >/dev/null 2>&1; then +- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$? +- elif command -v curl >/dev/null 2>&1; then ++ if command -v curl >/dev/null 2>&1; then + curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$? ++ elif command -v wget >/dev/null 2>&1; then ++ wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$? + elif command -v fetch >/dev/null 2>&1; then + fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$? + else +@@ -968,14 +967,6 @@ update_fwdb() + sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,'; + } > "$mcedb_cache" + echo DONE "(version $dbversion)" +- +- if [ "$1" = builtin ]; then +- newfile=$(@mktemp@ -t smc-builtin-XXXXXX) +- @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile" +- @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile" +- @cat@ "$newfile" > "$0" +- @rm@ -f "$newfile" +- fi + } + + parse_opt_file() +@@ -1070,9 +1061,6 @@ while [ -n "${1:-}" ]; do + elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then + update_fwdb + exit $? +- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then +- update_fwdb builtin +- exit $? 
+ elif [ "$1" = "--dump-mock-data" ]; then + opt_mock=1 + shift +@@ -2033,21 +2021,11 @@ is_xen_domU() + fi + } + +-builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0") + if [ -r "$mcedb_cache" ]; then + # we have a local cache file, but it might be older than the builtin version we have + local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache") +- # sort -V sorts by version number +- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1) +- if [ "$older_dbversion" = "$builtin_dbversion" ]; then +- mcedb_source="$mcedb_cache" +- mcedb_info="local firmwares DB $local_dbversion" +- fi +-fi +-# if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db +-if [ -z "${mcedb_source:-}" ]; then +- mcedb_source="$0" +- mcedb_info="builtin firmwares DB $builtin_dbversion" ++ mcedb_source="$mcedb_cache" ++ mcedb_info="local firmwares DB $local_dbversion" + fi + read_mcedb() + { +@@ -2063,7 +2041,10 @@ is_latest_known_ucode() + return 2 + fi + ucode_latest="latest microcode version for your CPU model is unknown" +- if is_intel; then ++ if [ -z "$mcedb_source" ]; then ++ # When $mcedb_source is not set, skip version checking and report unknown. ++ return 2 ++ elif is_intel; then + cpu_brand_prefix=I + elif is_amd; then + cpu_brand_prefix=A +-- +2.38.1 + diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch new file mode 100644 index 0000000000..a2f13e4195 --- /dev/null +++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch 
@@ -0,0 +1,1947 @@ +From 4dc8ae01aec5a8a2aa2afc015603261d514620ae Mon Sep 17 00:00:00 2001 +From: Hilton Chain <hako@ultrarare.space> +Date: Fri, 11 Nov 2022 18:49:50 +0800 +Subject: [PATCH 1/2] Stage commands for later substitution. + +awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find, getent, +grep, gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm, +nproc, objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat, +strings, sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, which, +whoami, xargs. +--- + spectre-meltdown-checker.sh | 648 ++++++++++++++++++------------------ + 1 file changed, 324 insertions(+), 324 deletions(-) + +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh +index 30f760c..82cf1b6 100755 +--- a/spectre-meltdown-checker.sh ++++ b/spectre-meltdown-checker.sh +@@ -19,33 +19,33 @@ trap '_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT + exit_cleanup() + { + # cleanup the temp decompressed config & kernel image +- [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config" +- [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp" +- [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2" +- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm -f "$mcedb_tmp" +- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm -rf "$intel_tmp" +- [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null +- [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null +- [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null +- [ "${insmod_msr:-}" = 1 ] && rmmod msr 2>/dev/null ++ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && @rm@ -f "$dumped_config" ++ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && @rm@ -f "$kerneltmp" ++ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && @rm@ -f "$kerneltmp2" ++ [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && @rm@ -f "$mcedb_tmp" ++ [ -n "${intel_tmp:-}" ] && [ -d 
"$intel_tmp" ] && @rm@ -rf "$intel_tmp" ++ [ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug 2>/dev/null ++ [ "${mounted_procfs:-}" = 1 ] && @umount@ "$procfs" 2>/dev/null ++ [ "${insmod_cpuid:-}" = 1 ] && @rmmod@ cpuid 2>/dev/null ++ [ "${insmod_msr:-}" = 1 ] && @rmmod@ msr 2>/dev/null + [ "${kldload_cpuctl:-}" = 1 ] && kldunload cpuctl 2>/dev/null + [ "${kldload_vmm:-}" = 1 ] && kldunload vmm 2>/dev/null + } + + # if we were git clone'd, adjust VERSION +-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then +- describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null) +- [ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e s/^v//) ++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null 2>&1; then ++ describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty 2>/dev/null) ++ [ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e s/^v//) + fi + + show_usage() + { + # shellcheck disable=SC2086 +- cat <<EOF ++ @cat@ <<EOF + Usage: +- Live mode (auto): $(basename $0) [options] +- Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live +- Offline mode: $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> ++ Live mode (auto): $(@basename@ $0) [options] ++ Live mode (manual): $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live ++ Offline mode: $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> + + Modes: + Two modes are available. 
+@@ -110,7 +110,7 @@ EOF + + show_disclaimer() + { +- cat <<EOF ++ @cat@ <<EOF + Disclaimer: + + This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the +@@ -138,7 +138,7 @@ This tool has been released in the hope that it'll be useful, but don't use it t + EOF + } + +-os=$(uname -s) ++os=$(@uname@ -s) + + # parse options + opt_kernel='' +@@ -207,7 +207,7 @@ __echo() + _interpret_chars='-e' + fi + _ctrlchar=$($echo_cmd $_interpret_chars "\033") +- _msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g") ++ _msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g") + fi + if [ "$echo_cmd_type" = printf ]; then + if [ "$opt" = "-n" ]; then +@@ -383,7 +383,7 @@ is_cpu_affected() + # https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not affected + # https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown affected + # model name : Pentium(R) Dual-Core CPU E5200 @ 2.50GHz +- if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then ++ if echo "$cpu_friendly_name" | @grep@ -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then + variant1=vuln + [ -z "$variant2" ] && variant2=immune + variant3=vuln +@@ -486,7 +486,7 @@ is_cpu_affected() + i=$(( i + 1 )) + # do NOT quote $cpu_arch_list below + # shellcheck disable=SC2086 +- cpuarch=$(echo $cpu_arch_list | awk '{ print $'$i' }') ++ cpuarch=$(echo $cpu_arch_list | @awk@ '{ print $'$i' }') + _debug "checking cpu$i: <$cpupart> <$cpuarch>" + # some kernels report AArch64 instead of 8 + [ "$cpuarch" = "AArch64" ] && cpuarch=8 +@@ -497,49 +497,49 @@ is_cpu_affected() + # part ? ? c08 c09 c0d c0f c0e d07 d08 d09 d0a d0b d0c d0d + # arch 7? 7? 
7 7 7 7 7 8 8 8 8 8 8 8 + # +- # Whitelist identified non-affected processors, use vulnerability information from ++ # Whitelist identified non-affected processors, use vulnerability information from + # https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability + # Partnumbers can be found here: + # https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in + # + # Maintain cumulative check of vulnerabilities - + # if at least one of the cpu is affected, then the system is affected +- if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then ++ if [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then + variant1=vuln + variant2=vuln + [ -z "$variant3" ] && variant3=immune + [ -z "$variant3a" ] && variant3a=immune + [ -z "$variant4" ] && variant4=immune + _debug "checking cpu$i: armv7 A8/A9/A12/A17 non affected to variants 3, 3a & 4" +- elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc0f; then ++ elif [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc0f; then + variant1=vuln + variant2=vuln + [ -z "$variant3" ] && variant3=immune + variant3a=vuln + [ -z "$variant4" ] && variant4=immune + _debug "checking cpu$i: armv7 A15 non affected to variants 3 & 4" +- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then ++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd07 -e 0xd08; then + variant1=vuln + variant2=vuln + [ -z "$variant3" ] && variant3=immune + variant3a=vuln + variant4=vuln + _debug "checking cpu$i: armv8 A57/A72 non affected to variants 3" +- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd09; then ++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd09; then + variant1=vuln + variant2=vuln + [ -z "$variant3" ] && variant3=immune + [ -z "$variant3a" ] && variant3a=immune + variant4=vuln + _debug "checking cpu$i: armv8 A73 non affected to variants 
3 & 3a" +- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0a; then ++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0a; then + variant1=vuln + variant2=vuln + variant3=vuln + [ -z "$variant3a" ] && variant3a=immune + variant4=vuln + _debug "checking cpu$i: armv8 A75 non affected to variant 3a" +- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then ++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then + variant1=vuln + [ -z "$variant2" ] && variant2=immune + [ -z "$variant3" ] && variant3=immune +@@ -820,7 +820,7 @@ is_cpu_ssb_free() + if [ "$cpu_family" = "18" ] || \ + [ "$cpu_family" = "17" ] || \ + [ "$cpu_family" = "16" ] || \ +- [ "$cpu_family" = "15" ]; then ++ [ "$cpu_family" = "15" ]; then + return 0 + fi + fi +@@ -837,7 +837,7 @@ show_header() + _info + } + +-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)" ++[ -z "$HOME" ] && HOME="$(@getent@ passwd "$(@whoami@)" | @cut@ -d: -f6)" + mcedb_cache="$HOME/.mcedb" + update_fwdb() + { +@@ -846,11 +846,11 @@ update_fwdb() + set -e + + if [ -r "$mcedb_cache" ]; then +- previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache") ++ previous_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache") + fi + + # first, download the MCE.db from the excellent platomav's MCExtractor project +- mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)" ++ mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)" + mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db' + _info_nol "Fetching MCE.db from the MCExtractor project... 
" + if command -v wget >/dev/null 2>&1; then +@@ -870,7 +870,7 @@ update_fwdb() + echo DONE + + # second, get the Intel firmwares from GitHub +- intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)" ++ intel_tmp="$(@mktemp@ -d -t smc-intelfw-XXXXXX)" + intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip" + _info_nol "Fetching Intel firmwares... " + ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git +@@ -930,20 +930,20 @@ update_fwdb() + fi + # 079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev 0x0217, size 5120 + # 078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev 0x0107, size 5120 +- $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line ++ $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | @grep@ -wF sig | while read -r _line + do +- _line=$( echo "$_line" | tr -d ',') +- _cpuid=$( echo "$_line" | awk '{print $3}') ++ _line=$( echo "$_line" | @tr@ -d ',') ++ _cpuid=$( echo "$_line" | @awk@ '{print $3}') + _cpuid=$(( _cpuid )) + _cpuid=$(printf "0x%08X" "$_cpuid") +- _date=$( echo "$_line" | awk '{print $6}' | tr -d '-') +- _version=$(echo "$_line" | awk '{print $8}') ++ _date=$( echo "$_line" | @awk@ '{print $6}' | @tr@ -d '-') ++ _version=$(echo "$_line" | @awk@ '{print $8}') + _version=$(( _version )) + _version=$(printf "0x%08X" "$_version") + _sqlstm="$(printf "INSERT INTO Intel (origin,cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")" + sqlite3 "$mcedb_tmp" "$_sqlstm" + done +- _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null) ++ _intel_timestamp=$(@stat@ -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null) + if [ -n "$_intel_timestamp" ]; then + # use this date, it matches the last commit date 
+ _intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp") +@@ -964,17 +964,17 @@ update_fwdb() + { + echo "# Spectre & Meltdown Checker"; + echo "# %%% MCEDB v$dbversion"; +- sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,'; +- sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,'; ++ sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,'; ++ sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,'; + } > "$mcedb_cache" + echo DONE "(version $dbversion)" + + if [ "$1" = builtin ]; then +- newfile=$(mktemp -t smc-builtin-XXXXXX) +- awk '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile" +- awk '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile" +- cat "$newfile" > "$0" +- rm -f "$newfile" ++ newfile=$(@mktemp@ -t smc-builtin-XXXXXX) ++ @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile" ++ @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile" ++ @cat@ "$newfile" > "$0" ++ @rm@ -f "$newfile" + fi + } + +@@ -1055,7 +1055,7 @@ while [ -n "${1:-}" ]; do + elif [ "$1" = "--cpu" ]; then + opt_cpu=$2 + if [ "$opt_cpu" != all ]; then +- if echo 
"$opt_cpu" | grep -Eq '^[0-9]+'; then ++ if echo "$opt_cpu" | @grep@ -Eq '^[0-9]+'; then + opt_cpu=$(( opt_cpu )) + else + echo "$0: error: --cpu should be an integer or 'all', got '$opt_cpu'" >&2 +@@ -1103,7 +1103,7 @@ while [ -n "${1:-}" ]; do + echo "$0: error: option --cve expects a parameter, supported CVEs are: $supported_cve_list" >&2 + exit 255 + fi +- selected_cve=$(echo "$supported_cve_list" | grep -iwo "$2") ++ selected_cve=$(echo "$supported_cve_list" | @grep@ -iwo "$2") + if [ -n "$selected_cve" ]; then + opt_cve_list="$opt_cve_list $selected_cve" + opt_cve_all=0 +@@ -1308,14 +1308,14 @@ check_kernel() + # a damaged ELF file and validate it, check for stderr warnings too + + # the warning "readelf: Warning: [16]: Link field (0) should index a symtab section./" can appear on valid kernels, ignore it +- _readelf_warnings=$("${opt_arch_prefix}readelf" -S "$_file" 2>&1 >/dev/null | grep -v 'should index a symtab section' | tr "\n" "/"); ret=$? +- _readelf_sections=$("${opt_arch_prefix}readelf" -S "$_file" 2>/dev/null | grep -c -e data -e text -e init) +- _kernel_size=$(stat -c %s "$_file" 2>/dev/null || stat -f %z "$_file" 2>/dev/null || echo 10000) ++ _readelf_warnings=$("@readelf@" -S "$_file" 2>&1 >/dev/null | @grep@ -v 'should index a symtab section' | @tr@ "\n" "/"); ret=$? ++ _readelf_sections=$("@readelf@" -S "$_file" 2>/dev/null | @grep@ -c -e data -e text -e init) ++ _kernel_size=$(@stat@ -c %s "$_file" 2>/dev/null || @stat@ -f %z "$_file" 2>/dev/null || echo 10000) + _debug "check_kernel: ret=$? size=$_kernel_size sections=$_readelf_sections warnings=$_readelf_warnings" + if [ "$_mode" = desperate ]; then +- if "${opt_arch_prefix}strings" "$_file" | grep -Eq '^Linux version '; then ++ if "@strings@" "$_file" | @grep@ -Eq '^Linux version '; then + _debug "check_kernel (desperate): ... matched!" 
+- if [ "$_readelf_sections" = 0 ] && grep -qF -e armv6 -e armv7 "$_file"; then ++ if [ "$_readelf_sections" = 0 ] && @grep@ -qF -e armv6 -e armv7 "$_file"; then + _debug "check_kernel (desperate): raw arm binary found, adjusting objdump options" + objdump_options="-D -b binary -marm" + else +@@ -1348,7 +1348,7 @@ try_decompress() + + # Try to find the header ($1) and decompress from here + _debug "try_decompress: looking for $3 magic in $6" +- for pos in $(tr "$1\n$2" "\n$2=" < "$6" | grep -abo "^$2") ++ for pos in $(@tr@ "$1\n$2" "\n$2=" < "$6" | @grep@ -abo "^$2") + do + _debug "try_decompress: magic for $3 found at offset $pos" + if ! command -v "$3" >/dev/null 2>&1; then +@@ -1375,11 +1375,11 @@ try_decompress() + kernel="$kerneltmp" + _debug "try_decompress: decompressed with $3 successfully!" + return 0 +- elif [ "$3" != "cat" ]; then ++ elif [ "$3" != "@cat@" ]; then + _debug "try_decompress: decompression with $3 worked but result is not a kernel, trying with an offset" +- [ -z "$kerneltmp2" ] && kerneltmp2=$(mktemp -t smc-kernel-XXXXXX) +- cat "$kerneltmp" > "$kerneltmp2" +- try_decompress '\177ELF' xxy 'cat' '' cat "$kerneltmp2" && return 0 ++ [ -z "$kerneltmp2" ] && kerneltmp2=$(@mktemp@ -t smc-kernel-XXXXXX) ++ @cat@ "$kerneltmp" > "$kerneltmp2" ++ try_decompress '\177ELF' xxy '@cat@' '' cat "$kerneltmp2" && return 0 + else + _debug "try_decompress: decompression with $3 worked but result is not a kernel" + fi +@@ -1391,12 +1391,12 @@ extract_kernel() + { + [ -n "${1:-}" ] || return 1 + # Prepare temp files: +- kerneltmp="$(mktemp -t smc-kernel-XXXXXX)" ++ kerneltmp="$(@mktemp@ -t smc-kernel-XXXXXX)" + + # Initial attempt for uncompressed images or objects: + if check_kernel "$1"; then + _debug "extract_kernel: found kernel is valid, no decompression needed" +- cat "$1" > "$kerneltmp" ++ @cat@ "$1" > "$kerneltmp" + kernel=$kerneltmp + return 0 + fi +@@ -1405,14 +1405,14 @@ extract_kernel() + for pass in 1 2; do + for mode in normal desperate; do + 
_debug "extract_kernel: pass $pass $mode mode" +- try_decompress '\037\213\010' xy gunzip '' gunzip "$1" "$mode" "$pass" && return 0 +- try_decompress '\002\041\114\030' xyy 'lz4' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0 +- try_decompress '\3757zXZ\000' abcde unxz '' xz-utils "$1" "$mode" "$pass" && return 0 +- try_decompress 'BZh' xy bunzip2 '' bzip2 "$1" "$mode" "$pass" && return 0 +- try_decompress '\135\0\0\0' xxx unlzma '' xz-utils "$1" "$mode" "$pass" && return 0 +- try_decompress '\211\114\132' xy 'lzop' '-d' lzop "$1" "$mode" "$pass" && return 0 +- try_decompress '\177ELF' xxy 'cat' '' cat "$1" "$mode" "$pass" && return 0 +- try_decompress '(\265/\375' xxy unzstd '' zstd "$1" "$mode" "$pass" && return 0 ++ try_decompress '\037\213\010' xy @gunzip@ '' gunzip "$1" "$mode" "$pass" && return 0 ++ try_decompress '\002\041\114\030' xyy '@lz4@' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0 ++ try_decompress '\3757zXZ\000' abcde @unxz@ '' xz-utils "$1" "$mode" "$pass" && return 0 ++ try_decompress 'BZh' xy @bunzip2@ '' bzip2 "$1" "$mode" "$pass" && return 0 ++ try_decompress '\135\0\0\0' xxx @unlzma@ '' xz-utils "$1" "$mode" "$pass" && return 0 ++ try_decompress '\211\114\132' xy '@lzop@' '-d' lzop "$1" "$mode" "$pass" && return 0 ++ try_decompress '\177ELF' xxy '@cat@' '' cat "$1" "$mode" "$pass" && return 0 ++ try_decompress '(\265/\375' xxy @unzstd@ '' zstd "$1" "$mode" "$pass" && return 0 + done + done + # kernel_err might already have been populated by try_decompress() if we're missing one of the tools +@@ -1429,7 +1429,7 @@ mount_debugfs() + { + if [ ! -e /sys/kernel/debug/sched_features ]; then + # try to mount the debugfs hierarchy ourselves and remember it to umount afterwards +- mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1 ++ @mount@ -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1 + fi + } + +@@ -1440,12 +1440,12 @@ load_msr() + load_msr_once=1 + + if [ "$os" = Linux ]; then +- if ! 
grep -qw msr "$procfs/modules" 2>/dev/null; then +- modprobe msr 2>/dev/null && insmod_msr=1 ++ if ! @grep@ -qw msr "$procfs/modules" 2>/dev/null; then ++ @modprobe@ msr 2>/dev/null && insmod_msr=1 + _debug "attempted to load module msr, insmod_msr=$insmod_msr" + else + _debug "msr module already loaded" +- fi ++ fi + else + if ! kldstat -q -m cpuctl; then + kldload cpuctl 2>/dev/null && kldload_cpuctl=1 +@@ -1463,12 +1463,12 @@ load_cpuid() + load_cpuid_once=1 + + if [ "$os" = Linux ]; then +- if ! grep -qw cpuid "$procfs/modules" 2>/dev/null; then +- modprobe cpuid 2>/dev/null && insmod_cpuid=1 ++ if ! @grep@ -qw cpuid "$procfs/modules" 2>/dev/null; then ++ @modprobe@ cpuid 2>/dev/null && insmod_cpuid=1 + _debug "attempted to load module cpuid, insmod_cpuid=$insmod_cpuid" + else + _debug "cpuid module already loaded" +- fi ++ fi + else + if ! kldstat -q -m cpuctl; then + kldload cpuctl 2>/dev/null && kldload_cpuctl=1 +@@ -1557,7 +1557,7 @@ read_cpuid_one_core() + fi + # on some kernel versions, /dev/cpu/0/cpuid doesn't imply that the cpuid module is loaded, in that case dd returns an error, + # we use that fact to load the module if dd returns an error +- if ! dd if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then ++ if ! @dd@ if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then + load_cpuid + fi + # we need _leaf to be converted to decimal for dd +@@ -1568,14 +1568,14 @@ read_cpuid_one_core() + _ddskip=$(( _position / 16 )) + _odskip=$(( _position - _ddskip * 16 )) + # now read the value +- _cpuid=$(dd if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | od -j $((_odskip * 16)) -A n -t u4) ++ _cpuid=$(@dd@ if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | @od@ -j $((_odskip * 16)) -A n -t u4) + elif [ -e /dev/cpuctl0 ]; then + # BSD + if [ ! 
-r /dev/cpuctl0 ]; then + read_cpuid_msg="Couldn't read cpuid info from cpuctl" + return $READ_CPUID_RET_ERR + fi +- _cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | cut -d: -f2-) ++ _cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | @cut@ -d: -f2-) + # cpuid level 0x4, level_type 0x2: 0x1c004143 0x01c0003f 0x000001ff 0x00000000 + else + read_cpuid_msg="Found no way to read cpuid info" +@@ -1598,7 +1598,7 @@ read_cpuid_one_core() + fi + + # get the value of the register we want +- _reg=$(echo "$_cpuid" | awk '{print $'"$_register"'}') ++ _reg=$(echo "$_cpuid" | @awk@ '{print $'"$_register"'}') + # Linux returns it as decimal, BSD as hex, normalize to decimal + _reg=$(( _reg )) + # shellcheck disable=SC2046 +@@ -1626,11 +1626,11 @@ dmesg_grep() + # grep for something in dmesg, ensuring that the dmesg buffer + # has not been truncated + dmesg_grepped='' +- if ! dmesg | grep -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then ++ if ! 
@dmesg@ | @grep@ -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then + # dmesg truncated + return 2 + fi +- dmesg_grepped=$(dmesg | grep -E "$1" | head -1) ++ dmesg_grepped=$(@dmesg@ | @grep@ -E "$1" | @head@ -1) + # not found: + [ -z "$dmesg_grepped" ] && return 1 + # found, output is in $dmesg_grepped +@@ -1647,12 +1647,12 @@ parse_cpu_details() + { + [ "${parse_cpu_details_done:-}" = 1 ] && return 0 + +- if command -v nproc >/dev/null; then +- number_of_cores=$(nproc) +- elif echo "$os" | grep -q BSD; then +- number_of_cores=$(sysctl -n hw.ncpu 2>/dev/null || echo 1) ++ if command -v @nproc@ >/dev/null; then ++ number_of_cores=$(@nproc@) ++ elif echo "$os" | @grep@ -q BSD; then ++ number_of_cores=$(@sysctl@ -n hw.ncpu 2>/dev/null || echo 1) + elif [ -e "$procfs/cpuinfo" ]; then +- number_of_cores=$(grep -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1) ++ number_of_cores=$(@grep@ -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1) + else + # if we don't know, default to 1 CPU + number_of_cores=1 +@@ -1660,43 +1660,43 @@ parse_cpu_details() + max_core_id=$(( number_of_cores - 1 )) + + if [ -e "$procfs/cpuinfo" ]; then +- cpu_vendor=$( grep '^vendor_id' "$procfs/cpuinfo" | awk '{print $3}' | head -1) +- cpu_friendly_name=$(grep '^model name' "$procfs/cpuinfo" | cut -d: -f2- | head -1 | sed -e 's/^ *//') ++ cpu_vendor=$( @grep@ '^vendor_id' "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1) ++ cpu_friendly_name=$(@grep@ '^model name' "$procfs/cpuinfo" | @cut@ -d: -f2- | @head@ -1 | @sed@ -e 's/^ *//') + # special case for ARM follows +- if grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then ++ if @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then + cpu_vendor='ARM' + # some devices (phones or other) have several ARMs and as such different part numbers, + # an example is "bigLITTLE", so we need to store the whole list, this is needed for is_cpu_affected +- cpu_part_list=$(awk 
'/CPU part/ {print $4}' "$procfs/cpuinfo") +- cpu_arch_list=$(awk '/CPU architecture/ {print $3}' "$procfs/cpuinfo") ++ cpu_part_list=$(@awk@ '/CPU part/ {print $4}' "$procfs/cpuinfo") ++ cpu_arch_list=$(@awk@ '/CPU architecture/ {print $3}' "$procfs/cpuinfo") + # take the first one to fill the friendly name, do NOT quote the vars below + # shellcheck disable=SC2086 +- cpu_arch=$(echo $cpu_arch_list | awk '{ print $1 }') ++ cpu_arch=$(echo $cpu_arch_list | @awk@ '{ print $1 }') + # shellcheck disable=SC2086 +- cpu_part=$(echo $cpu_part_list | awk '{ print $1 }') ++ cpu_part=$(echo $cpu_part_list | @awk@ '{ print $1 }') + [ "$cpu_arch" = "AArch64" ] && cpu_arch=8 + cpu_friendly_name="ARM" + [ -n "$cpu_arch" ] && cpu_friendly_name="$cpu_friendly_name v$cpu_arch" + [ -n "$cpu_part" ] && cpu_friendly_name="$cpu_friendly_name model $cpu_part" + +- elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then ++ elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then + cpu_vendor='CAVIUM' +- elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then ++ elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then + cpu_vendor='PHYTIUM' + fi + +- cpu_family=$( grep '^cpu family' "$procfs/cpuinfo" | awk '{print $4}' | grep -E '^[0-9]+$' | head -1) +- cpu_model=$( grep '^model' "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1) +- cpu_stepping=$(grep '^stepping' "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1) +- cpu_ucode=$( grep '^microcode' "$procfs/cpuinfo" | awk '{print $3}' | head -1) ++ cpu_family=$( @grep@ '^cpu family' "$procfs/cpuinfo" | @awk@ '{print $4}' | @grep@ -E '^[0-9]+$' | @head@ -1) ++ cpu_model=$( @grep@ '^model' "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1) ++ cpu_stepping=$(@grep@ '^stepping' "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1) ++ cpu_ucode=$( 
@grep@ '^microcode' "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1) + else +- cpu_vendor=$( dmesg | grep -i -m1 'Origin=' | cut -f2 -w | cut -f2 -d= | cut -f2 -d\" ) +- cpu_family=$( dmesg | grep -i -m1 'Family=' | cut -f4 -w | cut -f2 -d= ) ++ cpu_vendor=$( @dmesg@ | @grep@ -i -m1 'Origin=' | @cut@ -f2 -w | @cut@ -f2 -d= | @cut@ -f2 -d\" ) ++ cpu_family=$( @dmesg@ | @grep@ -i -m1 'Family=' | @cut@ -f4 -w | @cut@ -f2 -d= ) + cpu_family=$(( cpu_family )) +- cpu_model=$( dmesg | grep -i -m1 'Model=' | cut -f5 -w | cut -f2 -d= ) ++ cpu_model=$( @dmesg@ | @grep@ -i -m1 'Model=' | @cut@ -f5 -w | @cut@ -f2 -d= ) + cpu_model=$(( cpu_model )) +- cpu_stepping=$( dmesg | grep -i -m1 'Stepping=' | cut -f6 -w | cut -f2 -d= ) +- cpu_friendly_name=$(sysctl -n hw.model 2>/dev/null) ++ cpu_stepping=$( @dmesg@ | @grep@ -i -m1 'Stepping=' | @cut@ -f6 -w | @cut@ -f2 -d= ) ++ cpu_friendly_name=$(@sysctl@ -n hw.model 2>/dev/null) + fi + + if [ -n "${SMC_MOCK_CPU_FRIENDLY_NAME:-}" ]; then +@@ -1751,7 +1751,7 @@ parse_cpu_details() + # call CPUID + cpucontrol -i 1 /dev/cpuctl0 >/dev/null + # read MSR +- cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | awk '{print $3}') ++ cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | @awk@ '{print $3}') + # convert to decimal + cpu_ucode=$(( cpu_ucode )) + # convert back to hex +@@ -1770,7 +1770,7 @@ parse_cpu_details() + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CPU_UCODE='$cpu_ucode'") + fi + +- echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$(( cpu_ucode )) ++ echo "$cpu_ucode" | @grep@ -q ^0x && cpu_ucode=$(( cpu_ucode )) + ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid") + + # also define those that we will need in other funcs +@@ -1867,8 +1867,8 @@ is_cpu_smt_enabled() + { + # SMT / HyperThreading is enabled if siblings != cpucores + if [ -e "$procfs/cpuinfo" ]; then +- _siblings=$(awk '/^siblings/ {print $3;exit}' "$procfs/cpuinfo") +- 
_cpucores=$(awk '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo") ++ _siblings=$(@awk@ '/^siblings/ {print $3;exit}' "$procfs/cpuinfo") ++ _cpucores=$(@awk@ '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo") + if [ -n "$_siblings" ] && [ -n "$_cpucores" ]; then + if [ "$_siblings" = "$_cpucores" ]; then + return 1 +@@ -1916,10 +1916,10 @@ is_ucode_blacklisted() + $INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b \ + $INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712 + do +- model=$(echo "$tuple" | cut -d, -f1) +- stepping=$(( $(echo "$tuple" | cut -d, -f2) )) ++ model=$(echo "$tuple" | @cut@ -d, -f1) ++ stepping=$(( $(echo "$tuple" | @cut@ -d, -f2) )) + if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" = "$stepping" ]; then +- ucode=$(( $(echo "$tuple" | cut -d, -f3) )) ++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) )) + if [ "$cpu_ucode" = "$ucode" ]; then + _debug "is_ucode_blacklisted: we have a match! ($cpu_model/$cpu_stepping/$cpu_ucode)" + return 0 +@@ -2007,7 +2007,7 @@ is_xen_dom0() + return 1 + fi + +- if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d" "$procfs/xen/capabilities"; then ++ if [ -e "$procfs/xen/capabilities" ] && @grep@ -q "control_d" "$procfs/xen/capabilities"; then + return 0 + else + return 1 +@@ -2033,12 +2033,12 @@ is_xen_domU() + fi + } + +-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0") ++builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0") + if [ -r "$mcedb_cache" ]; then + # we have a local cache file, but it might be older than the builtin version we have +- local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache") ++ local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache") + # sort -V sorts by version number +- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | sort -V | head -n1) ++ older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1) + if [ "$older_dbversion" = "$builtin_dbversion" ]; then + mcedb_source="$mcedb_cache" + 
mcedb_info="local firmwares DB $local_dbversion" +@@ -2051,7 +2051,7 @@ if [ -z "${mcedb_source:-}" ]; then + fi + read_mcedb() + { +- awk '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source" ++ @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source" + } + + is_latest_known_ucode() +@@ -2070,10 +2070,10 @@ is_latest_known_ucode() + else + return 2 + fi +- for tuple in $(read_mcedb | grep "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")") ++ for tuple in $(read_mcedb | @grep@ "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")") + do +- ucode=$(( $(echo "$tuple" | cut -d, -f3) )) +- ucode_date=$(echo "$tuple" | cut -d, -f4 | sed -r 's=(....)(..)(..)=\1/\2/\3=') ++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) )) ++ ucode_date=$(echo "$tuple" | @cut@ -d, -f4 | @sed@ -r 's=(....)(..)(..)=\1/\2/\3=') + _debug "is_latest_known_ucode: with cpuid $cpu_cpuid has ucode $cpu_ucode, last known is $ucode from $ucode_date" + ucode_latest=$(printf "latest version is 0x%x dated $ucode_date according to $mcedb_info" "$ucode") + if [ "$cpu_ucode" -ge "$ucode" ]; then +@@ -2098,7 +2098,7 @@ get_cmdline() + kernel_cmdline="$SMC_MOCK_CMDLINE" + return + else +- kernel_cmdline=$(cat "$procfs/cmdline") ++ kernel_cmdline=$(@cat@ "$procfs/cmdline") + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CMDLINE='$kernel_cmdline'") + fi + } +@@ -2106,7 +2106,7 @@ get_cmdline() + # ENTRYPOINT + + # we can't do anything useful under WSL +-if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then ++if @uname@ -a | @grep@ -qE -- '-Microsoft #[0-9]+-Microsoft '; then + _warn "This script doesn't work under Windows Subsystem for Linux" + _warn "You should use the official Microsoft tool instead." 
+ _warn "It can be found under https://aka.ms/SpeculationControlPS" +@@ -2155,15 +2155,15 @@ fi + + # if we're under a BSD, try to mount linprocfs for "$procfs/cpuinfo" + procfs=/proc +-if echo "$os" | grep -q BSD; then ++if echo "$os" | @grep@ -q BSD; then + _debug "We're under BSD, check if we have procfs" +- procfs=$(mount | awk '/^linprocfs/ { print $3; exit; }') ++ procfs=$(@mount@ | @awk@ '/^linprocfs/ { print $3; exit; }') + if [ -z "$procfs" ]; then + _debug "we don't, try to mount it" + procfs=/proc + [ -d /compat/linux/proc ] && procfs=/compat/linux/proc + test -d $procfs || mkdir $procfs +- if mount -t linprocfs linprocfs $procfs 2>/dev/null; then ++ if @mount@ -t linprocfs linprocfs $procfs 2>/dev/null; then + mounted_procfs=1 + _debug "procfs just mounted at $procfs" + else +@@ -2195,14 +2195,14 @@ fi + + if [ "$opt_live" = 1 ]; then + # root check (only for live mode, for offline mode, we already checked if we could read the files) +- if [ "$(id -u)" -ne 0 ]; then ++ if [ "$(@id@ -u)" -ne 0 ]; then + _warn "Note that you should launch this script with root privileges to get accurate information." + _warn "We'll proceed but you might see permission denied errors." 
+ _warn "To run it as root, you can try the following command: sudo $0" + _warn + fi + _info "Checking for vulnerabilities on current system" +- _info "Kernel is \033[35m$os $(uname -r) $(uname -v) $(uname -m)\033[0m" ++ _info "Kernel is \033[35m$os $(@uname@ -r) $(@uname@ -v) $(@uname@ -m)\033[0m" + _info "CPU is \033[35m$cpu_friendly_name\033[0m" + + # try to find the image of the current running kernel +@@ -2210,12 +2210,12 @@ if [ "$opt_live" = 1 ]; then + # specified by user on cmdline, with --live, don't override + : + # first, look for the BOOT_IMAGE hint in the kernel cmdline +- elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then +- opt_kernel=$(echo "$kernel_cmdline" | grep -Eo 'BOOT_IMAGE=[^ ]+' | cut -d= -f2) ++ elif echo "$kernel_cmdline" | @grep@ -q 'BOOT_IMAGE='; then ++ opt_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo 'BOOT_IMAGE=[^ ]+' | @cut@ -d= -f2) + _debug "found opt_kernel=$opt_kernel in $procfs/cmdline" + # if the boot partition is within a btrfs subvolume, strip the subvolume name + # if /boot is a separate subvolume, the remainder of the code in this section should handle it +- if echo "$opt_kernel" | grep -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi ++ if echo "$opt_kernel" | @grep@ -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | @sed@ "s:/@[^/]*::"); fi + # if we have a dedicated /boot partition, our bootloader might have just called it / + # so try to prepend /boot and see if we find anything + [ -e "/boot/$opt_kernel" ] && opt_kernel="/boot/$opt_kernel" +@@ -2227,7 +2227,7 @@ if [ "$opt_live" = 1 ]; then + # if we didn't find a kernel, default to guessing + if [ ! 
-e "$opt_kernel" ]; then + # Fedora: +- [ -e "/lib/modules/$(uname -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(uname -r)/vmlinuz" ++ [ -e "/lib/modules/$(@uname@ -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(@uname@ -r)/vmlinuz" + # Slackware: + [ -e "/boot/vmlinuz" ] && opt_kernel="/boot/vmlinuz" + # Arch aarch64: +@@ -2241,24 +2241,24 @@ if [ "$opt_live" = 1 ]; then + # pine64 + [ -e "/boot/pine64/Image" ] && opt_kernel="/boot/pine64/Image" + # generic: +- [ -e "/boot/vmlinuz-$(uname -r)" ] && opt_kernel="/boot/vmlinuz-$(uname -r)" +- [ -e "/boot/kernel-$( uname -r)" ] && opt_kernel="/boot/kernel-$( uname -r)" +- [ -e "/boot/bzImage-$(uname -r)" ] && opt_kernel="/boot/bzImage-$(uname -r)" ++ [ -e "/boot/vmlinuz-$(@uname@ -r)" ] && opt_kernel="/boot/vmlinuz-$(@uname@ -r)" ++ [ -e "/boot/kernel-$( @uname@ -r)" ] && opt_kernel="/boot/kernel-$( @uname@ -r)" ++ [ -e "/boot/bzImage-$(@uname@ -r)" ] && opt_kernel="/boot/bzImage-$(@uname@ -r)" + # Gentoo: +- [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ++ [ -e "/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)" ] && opt_kernel="/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)" + # NixOS: + [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel" + # Guix System: + [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage" + # systemd kernel-install: +- [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ++ [ -e "/etc/machine-id" ] && [ -e "/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux" ] && opt_kernel="/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux" + # Clear Linux: +- str_uname=$(uname -r) ++ str_uname=$(@uname@ -r) + clear_linux_kernel="/lib/kernel/org.clearlinux.${str_uname##*.}.${str_uname%.*}" + [ -e "$clear_linux_kernel" ] && opt_kernel=$clear_linux_kernel + # Custom Arch seems to 
have the kernel path in its cmdline in the form "\directory\kernelimage", + # with actual \'s instead of /'s: +- custom_arch_kernel=$(echo "$kernel_cmdline" | grep -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d '[:space:]') ++ custom_arch_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | @tr@ "\\\\" "/" | @tr@ -d '[:space:]') + if [ -n "$custom_arch_kernel" ] && [ -e "$custom_arch_kernel" ]; then + opt_kernel="$custom_arch_kernel" + fi +@@ -2272,12 +2272,12 @@ if [ "$opt_live" = 1 ]; then + : + elif [ -e "$procfs/kallsyms" ] ; then + opt_map="$procfs/kallsyms" +- elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then +- opt_map="/lib/modules/$(uname -r)/System.map" +- elif [ -e "/boot/System.map-$(uname -r)" ] ; then +- opt_map="/boot/System.map-$(uname -r)" +- elif [ -e "/lib/kernel/System.map-$(uname -r)" ]; then +- opt_map="/lib/kernel/System.map-$(uname -r)" ++ elif [ -e "/lib/modules/$(@uname@ -r)/System.map" ] ; then ++ opt_map="/lib/modules/$(@uname@ -r)/System.map" ++ elif [ -e "/boot/System.map-$(@uname@ -r)" ] ; then ++ opt_map="/boot/System.map-$(@uname@ -r)" ++ elif [ -e "/lib/kernel/System.map-$(@uname@ -r)" ]; then ++ opt_map="/lib/kernel/System.map-$(@uname@ -r)" + fi + + # config +@@ -2285,18 +2285,18 @@ if [ "$opt_live" = 1 ]; then + # specified by user on cmdline, with --live, don't override + : + elif [ -e "$procfs/config.gz" ] ; then +- dumped_config="$(mktemp -t smc-config-XXXXXX)" +- gunzip -c "$procfs/config.gz" > "$dumped_config" ++ dumped_config="$(@mktemp@ -t smc-config-XXXXXX)" ++ @gunzip@ -c "$procfs/config.gz" > "$dumped_config" + # dumped_config will be deleted at the end of the script + opt_config="$dumped_config" +- elif [ -e "/lib/modules/$(uname -r)/config" ]; then +- opt_config="/lib/modules/$(uname -r)/config" +- elif [ -e "/boot/config-$(uname -r)" ]; then +- opt_config="/boot/config-$(uname -r)" +- elif [ -e "/etc/kernels/kernel-config-$(uname -m)-$(uname -r)" ]; then +- 
opt_config="/etc/kernels/kernel-config-$(uname -m)-$(uname -r)" +- elif [ -e "/lib/kernel/config-$(uname -r)" ]; then +- opt_config="/lib/kernel/config-$(uname -r)" ++ elif [ -e "/lib/modules/$(@uname@ -r)/config" ]; then ++ opt_config="/lib/modules/$(@uname@ -r)/config" ++ elif [ -e "/boot/config-$(@uname@ -r)" ]; then ++ opt_config="/boot/config-$(@uname@ -r)" ++ elif [ -e "/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)" ]; then ++ opt_config="/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)" ++ elif [ -e "/lib/kernel/config-$(@uname@ -r)" ]; then ++ opt_config="/lib/kernel/config-$(@uname@ -r)" + fi + else + _info "Checking for vulnerabilities against specified kernel" +@@ -2311,7 +2311,7 @@ else + fi + + if [ "$os" = Linux ]; then +- if [ -n "$opt_config" ] && ! grep -q '^CONFIG_' "$opt_config"; then ++ if [ -n "$opt_config" ] && ! @grep@ -q '^CONFIG_' "$opt_config"; then + # given file is invalid! + _warn "The kernel config file seems invalid, was expecting a plain-text file, ignoring it!" + opt_config='' +@@ -2339,7 +2339,7 @@ if [ "$os" = Linux ]; then + fi + + if [ -e "$opt_kernel" ]; then +- if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then ++ if ! 
command -v "@readelf@" >/dev/null 2>&1; then + _debug "readelf not found" + kernel_err="missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the 'binutils' package" + elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ]; then +@@ -2357,20 +2357,20 @@ else + # vanilla kernels have with ^Linux version + # also try harder with some kernels (such as Red Hat) that don't have ^Linux version before their version string + # and check for FreeBSD +- kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E \ ++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E \ + -e '^Linux version ' \ + -e '^[[:alnum:]][^[:space:]]+ \([^[:space:]]+\) #[0-9]+ .+ (19|20)[0-9][0-9]$' \ +- -e '^FreeBSD [0-9]' | head -1) ++ -e '^FreeBSD [0-9]' | @head@ -1) + if [ -z "$kernel_version" ]; then + # try even harder with some kernels (such as ARM) that split the release (uname -r) and version (uname -v) in 2 adjacent strings +- kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | tr "\n" " ") ++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | @tr@ "\n" " ") + fi + if [ -n "$kernel_version" ]; then + # in live mode, check if the img we found is the correct one + if [ "$opt_live" = 1 ]; then + _verbose "Kernel image is \033[35m$kernel_version" +- if ! echo "$kernel_version" | grep -qF "$(uname -r)"; then +- _warn "Possible discrepancy between your running kernel '$(uname -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect" ++ if ! 
echo "$kernel_version" | @grep@ -qF "$(@uname@ -r)"; then ++ _warn "Possible discrepancy between your running kernel '$(@uname@ -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect" + fi + else + _info "Kernel image is \033[35m$kernel_version" +@@ -2398,11 +2398,11 @@ sys_interface_check() + if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r "$file" ]; then + : + else +- mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")_RET=1") ++ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")_RET=1") + return 1 + fi + +- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")_RET" ++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")_RET" + # shellcheck disable=SC2086,SC1083 + if [ -n "$(eval echo \${$_mockvarname:-})" ]; then + _debug "sysfs: MOCKING enabled for $file func returns $(eval echo \$$_mockvarname)" +@@ -2411,17 +2411,17 @@ sys_interface_check() + fi + + [ -n "$regex" ] || regex='.*' +- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")" ++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")" + # shellcheck disable=SC2086,SC1083 + if [ -n "$(eval echo \${$_mockvarname:-})" ]; then + fullmsg="$(eval echo \$$_mockvarname)" +- msg=$(echo "$fullmsg" | grep -Eo "$regex") ++ msg=$(echo "$fullmsg" | @grep@ -Eo "$regex") + _debug "sysfs: MOCKING enabled for $file, will return $fullmsg" + mocked=1 + else +- fullmsg=$(cat "$file") +- msg=$(grep -Eo "$regex" "$file") +- mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")='$fullmsg'") ++ fullmsg=$(@cat@ "$file") ++ msg=$(@grep@ -Eo "$regex" "$file") ++ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")='$fullmsg'") + fi + if [ "$mode" = silent ]; then + return 0 +@@ -2430,15 +2430,15 @@ sys_interface_check() + return 0 + fi + _info_nol "* Mitigated according to the /sys interface: " +- if echo "$msg" | grep -qi '^not affected'; then ++ if echo "$msg" | @grep@ -qi '^not affected'; then + # Not affected + status=OK 
+ pstatus green YES "$fullmsg" +- elif echo "$msg" | grep -qEi '^(kvm: )?mitigation'; then ++ elif echo "$msg" | @grep@ -qEi '^(kvm: )?mitigation'; then + # Mitigation: PTI + status=OK + pstatus green YES "$fullmsg" +- elif echo "$msg" | grep -qi '^vulnerable'; then ++ elif echo "$msg" | @grep@ -qi '^vulnerable'; then + # Vulnerable + status=VULN + pstatus yellow NO "$fullmsg" +@@ -2526,20 +2526,20 @@ write_msr_one_core() + # ret=4: msr doesn't exist, ret=127: msr.allow_writes=off + [ "$ret" = 127 ] && _write_denied=1 + # or fallback to dd if it supports seek_bytes, we prefer it over perl because we can tell the difference between EPERM and EIO +- elif dd if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then ++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then + _debug "write_msr: using dd" +- dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$? ++ @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$? + # if it failed, inspect stderrto look for EPERM + if [ "$ret" != 0 ]; then +- if dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then ++ if @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | @grep@ -qF 'Operation not permitted'; then + _write_denied=1 + fi + fi + # or if we have perl, use it, any 5.x version will work +- elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then ++ elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then + _debug "write_msr: using perl" + ret=1 +- perl -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? 
-eq 8 ] && ret=0 ++ @perl@ -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0 + else + _debug "write_msr: got no wrmsr, perl or recent enough dd!" + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR") +@@ -2561,13 +2561,13 @@ write_msr_one_core() + msr_locked_down=1 + write_msr_msg="your kernel is configured to deny writes to MSRs from user space" + return $WRITE_MSR_RET_LOCKDOWN +- elif dmesg | grep -qF "msr: Direct access to MSR"; then ++ elif @dmesg@ | @grep@ -qF "msr: Direct access to MSR"; then + _debug "write_msr: locked down kernel detected (Red Hat / Fedora)" + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN") + msr_locked_down=1 + write_msr_msg="your kernel is locked down (Fedora/Red Hat), please reboot without secure boot and retry" + return $WRITE_MSR_RET_LOCKDOWN +- elif dmesg | grep -qF "raw MSR access is restricted"; then ++ elif @dmesg@ | @grep@ -qF "raw MSR access is restricted"; then + _debug "write_msr: locked down kernel detected (vanilla)" + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN") + msr_locked_down=1 +@@ -2666,8 +2666,8 @@ read_msr_one_core() + return $READ_MSR_RET_KO + fi + # MSR 0x10: 0x000003e1 0xb106dded +- _msr_h=$(echo "$_msr" | awk '{print $3}'); +- _msr_l=$(echo "$_msr" | awk '{print $4}'); ++ _msr_h=$(echo "$_msr" | @awk@ '{print $3}'); ++ _msr_l=$(echo "$_msr" | @awk@ '{print $4}'); + read_msr_value=$(( _msr_h << 32 | _msr_l )) + else + # for Linux +@@ -2678,15 +2678,15 @@ read_msr_one_core() + # if rdmsr is available, use it + elif command -v rdmsr >/dev/null 2>&1 && [ "${SMC_NO_RDMSR:-}" != 1 ]; then + _debug "read_msr: using rdmsr on $_msr" +- read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | od -t u8 -A n) ++ read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | @od@ -t u8 -A n) + # or if we have perl, use it, any 5.x version will work +- elif 
command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then ++ elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then + _debug "read_msr: using perl on $_msr" +- read_msr_value=$(perl -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | od -t u8 -A n) ++ read_msr_value=$(@perl@ -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | @od@ -t u8 -A n) + # fallback to dd if it supports skip_bytes +- elif dd if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then ++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then + _debug "read_msr: using dd on $_msr" +- read_msr_value=$(dd if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8 -A n) ++ read_msr_value=$(@dd@ if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | @od@ -t u8 -A n) + else + _debug "read_msr: got no rdmsr, perl or recent enough dd!" + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR") +@@ -2710,7 +2710,7 @@ check_cpu() + { + _info "\033[1;34mHardware check\033[0m" + +- if ! uname -m | grep -qwE 'x86_64|i[3-6]86|amd64'; then ++ if ! @uname@ -m | @grep@ -qwE 'x86_64|i[3-6]86|amd64'; then + return + fi + +@@ -3326,19 +3326,19 @@ check_redhat_canonical_spectre() + # if we were already called, don't do it again + [ -n "${redhat_canonical_spectre:-}" ] && return + +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! 
command -v "@strings@" >/dev/null 2>&1; then + redhat_canonical_spectre=-1 + elif [ -n "$kernel_err" ]; then + redhat_canonical_spectre=-2 + else + # Red Hat / Ubuntu specific variant1 patch is difficult to detect, + # let's use the two same tricks than the official Red Hat detection script uses: +- if "${opt_arch_prefix}strings" "$kernel" | grep -qw noibrs && "${opt_arch_prefix}strings" "$kernel" | grep -qw noibpb; then ++ if "@strings@" "$kernel" | @grep@ -qw noibrs && "@strings@" "$kernel" | @grep@ -qw noibpb; then + # 1) detect their specific variant2 patch. If it's present, it means + # that the variant1 patch is also present (both were merged at the same time) + _debug "found redhat/canonical version of the variant2 patch (implies variant1)" + redhat_canonical_spectre=1 +- elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'x86/pti:'; then ++ elif "@strings@" "$kernel" | @grep@ -q 'x86/pti:'; then + # 2) detect their specific variant3 patch. If it's present, but the variant2 + # is not, it means that only variant1 is present in addition to variant3 + _debug "found redhat/canonical version of the variant3 patch (implies variant1 but not variant2)" +@@ -3363,13 +3363,13 @@ check_has_vmm() + # If we find no evidence that this is the case, assume we're not (to avoid scaring users), + # this can always be overridden with --vmm in any case. 
+ has_vmm=0 +- if command -v pgrep >/dev/null 2>&1; then ++ if command -v @pgrep@ >/dev/null 2>&1; then + # remove xenbus and xenwatch, also present inside domU + # remove libvirtd as it can also be used to manage containers and not VMs + # for each binary we want to grep, get the pids + for _binary in qemu kvm xenstored xenconsoled + do +- for _pid in $(pgrep -x $_binary) ++ for _pid in $(@pgrep@ -x $_binary) + do + # resolve the exe symlink, if it doesn't resolve with -m, + # which doesn't even need the dest to exist, it means the symlink +@@ -3385,7 +3385,7 @@ check_has_vmm() + else + # ignore SC2009 as `ps ax` is actually used as a fallback if `pgrep` isn't installed + # shellcheck disable=SC2009 +- if command -v ps >/devnull && ps ax | grep -vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then ++ if command -v ps >/devnull && ps ax | @grep@ -vw grep | @grep@ -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then + has_vmm=1 + fi + fi +@@ -3417,7 +3417,7 @@ check_CVE_2017_5753() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2017_5753_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2017_5753_bsd + else + _warn "Unsupported OS ($os)" +@@ -3469,20 +3469,20 @@ check_CVE_2017_5753_linux() + v1_mask_nospec='' + if [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "couldn't check ($kernel_err)" +- elif ! command -v perl >/dev/null 2>&1; then ++ elif ! command -v @perl@ >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing 'perl' binary, please install it" + else +- perl -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$? ++ @perl@ -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$? 
+ if [ $ret -gt 0 ]; then + pstatus green YES "$ret occurrence(s) found of x86 64 bits array_index_mask_nospec()" + v1_mask_nospec="x86 64 bits array_index_mask_nospec" + else +- perl -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$? ++ @perl@ -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$? + if [ $ret -gt 0 ]; then + pstatus green YES "$ret occurrence(s) found of x86 32 bits array_index_mask_nospec()" + v1_mask_nospec="x86 32 bits array_index_mask_nospec" + else +- ret=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" | grep -w -e f3af8014 -e e320f014 -B2 | grep -B1 -w sbc | grep -w -c cmp) ++ ret=$("@objdump@" $objdump_options "$kernel" | @grep@ -w -e f3af8014 -e e320f014 -B2 | @grep@ -B1 -w sbc | @grep@ -w -c cmp) + if [ "$ret" -gt 0 ]; then + pstatus green YES "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()" + v1_mask_nospec="arm 32 bits array_index_mask_nospec" +@@ -3526,12 +3526,12 @@ check_CVE_2017_5753_linux() + pstatus yellow NO + elif [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "couldn't check ($kernel_err)" +- elif ! command -v perl >/dev/null 2>&1; then ++ elif ! command -v @perl@ >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing 'perl' binary, please install it" +- elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then ++ elif ! command -v "@objdump@" >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package" + else +- "${opt_arch_prefix}objdump" $objdump_options "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$? 
++ "@objdump@" $objdump_options "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$? + if [ "$ret" -eq 9 ]; then + pstatus green YES "mask_nospec64 macro is present and used" + v1_mask_nospec="arm64 mask_nospec64" +@@ -3553,12 +3553,12 @@ check_CVE_2017_5753_linux() + pstatus yellow NO + elif [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "couldn't check ($kernel_err)" +- elif ! command -v perl >/dev/null 2>&1; then ++ elif ! command -v @perl@ >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing 'perl' binary, please install it" +- elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then ++ elif ! command -v "@objdump@" >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package" + else +- "${opt_arch_prefix}objdump" -d "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$? ++ "@objdump@" -d "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$? + if [ "$ret" -eq 9 ]; then + pstatus green YES "array_index_nospec macro is present and used" + v1_mask_nospec="arm64 array_index_nospec" +@@ -3574,7 +3574,7 @@ check_CVE_2017_5753_linux() + if [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "couldn't check ($kernel_err)" + else +- if ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then ++ if ! 
command -v "@objdump@" >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package" + else + # here we disassemble the kernel and count the number of occurrences of the LFENCE opcode +@@ -3584,7 +3584,7 @@ check_CVE_2017_5753_linux() + # so let's push the threshold to 70. + # v0.33+: now only count lfence opcodes after a jump, way less error-prone + # non patched kernel have between 0 and 20 matches, patched ones have at least 40-45 +- nb_lfence=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence | grep -Ewc 'jmp|jne|je') ++ nb_lfence=$("@objdump@" $objdump_options "$kernel" 2>/dev/null | @grep@ -w -B1 lfence | @grep@ -Ewc 'jmp|jne|je') + if [ "$nb_lfence" -lt 30 ]; then + pstatus yellow NO "only $nb_lfence jump-then-lfence instructions found, should be >= 30 (heuristic)" + else +@@ -3655,7 +3655,7 @@ check_CVE_2017_5715() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2017_5715_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2017_5715_bsd + else + _warn "Unsupported OS ($os)" +@@ -3697,13 +3697,13 @@ check_CVE_2017_5715_linux() + # /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed + specex_knob_dir=$dir + ibrs_supported="$dir/ibrs_enabled exists" +- ibrs_enabled=$(cat "$dir/ibrs_enabled" 2>/dev/null) ++ ibrs_enabled=$(@cat@ "$dir/ibrs_enabled" 2>/dev/null) + _debug "ibrs: found $dir/ibrs_enabled=$ibrs_enabled" + # if ibrs_enabled is there, ibpb_enabled will be in the same dir + if [ -e "$dir/ibpb_enabled" ]; then + # if the file is there, we have IBPB compiled-in (see note above for IBRS) + ibpb_supported="$dir/ibpb_enabled exists" +- ibpb_enabled=$(cat "$dir/ibpb_enabled" 2>/dev/null) ++ ibpb_enabled=$(@cat@ "$dir/ibpb_enabled" 2>/dev/null) + _debug "ibpb: found $dir/ibpb_enabled=$ibpb_enabled" + else + _debug "ibpb: $dir/ibpb_enabled file 
doesn't exist" +@@ -3718,7 +3718,7 @@ check_CVE_2017_5715_linux() + # which in that case means ibrs is supported *and* enabled for kernel & user + # as per the ibrs patch series v3 + if [ -z "$ibrs_supported" ]; then +- if grep ^flags "$procfs/cpuinfo" | grep -qw spec_ctrl_ibrs; then ++ if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw spec_ctrl_ibrs; then + _debug "ibrs: found spec_ctrl_ibrs flag in $procfs/cpuinfo" + ibrs_supported="spec_ctrl_ibrs flag in $procfs/cpuinfo" + # enabled=2 -> kernel & user +@@ -3728,13 +3728,13 @@ check_CVE_2017_5715_linux() + fi + if [ -n "$fullmsg" ]; then + # when IBPB is enabled on 4.15+, we can see it in sysfs +- if echo "$fullmsg" | grep -q 'IBPB'; then ++ if echo "$fullmsg" | @grep@ -q 'IBPB'; then + _debug "ibpb: found enabled in sysfs" + [ -z "$ibpb_supported" ] && ibpb_supported='IBPB found enabled in sysfs' + [ -z "$ibpb_enabled" ] && ibpb_enabled=1 + fi + # when IBRS_FW is enabled on 4.15+, we can see it in sysfs +- if echo "$fullmsg" | grep -q ', IBRS_FW'; then ++ if echo "$fullmsg" | @grep@ -q ', IBRS_FW'; then + _debug "ibrs: found IBRS_FW in sysfs" + [ -z "$ibrs_supported" ] && ibrs_supported='found IBRS_FW in sysfs' + ibrs_fw_enabled=1 +@@ -3742,13 +3742,13 @@ check_CVE_2017_5715_linux() + # when IBRS is enabled on 4.15+, we can see it in sysfs + # on a more recent kernel, classic "IBRS" is not even longer an option, because of the performance impact. 
+ # only "Enhanced IBRS" is available (on CPUs with the IBRS_ALL flag) +- if echo "$fullmsg" | grep -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then ++ if echo "$fullmsg" | @grep@ -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then + _debug "ibrs: found IBRS in sysfs" + [ -z "$ibrs_supported" ] && ibrs_supported='found IBRS in sysfs' + [ -z "$ibrs_enabled" ] && ibrs_enabled=3 + fi + # checking for 'Enhanced IBRS' in sysfs, enabled on CPUs with IBRS_ALL +- if echo "$fullmsg" | grep -q -e 'Enhanced IBRS'; then ++ if echo "$fullmsg" | @grep@ -q -e 'Enhanced IBRS'; then + [ -z "$ibrs_supported" ] && ibrs_supported='found Enhanced IBRS in sysfs' + # 4 isn't actually a valid value of the now extinct "ibrs_enabled" flag file, + # that only went from 0 to 3, so we use 4 as "enhanced ibrs is enabled" +@@ -3767,11 +3767,11 @@ check_CVE_2017_5715_linux() + fi + fi + if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! 
command -v "@strings@" >/dev/null 2>&1; then + : + else + ibrs_can_tell=1 +- ibrs_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1) ++ ibrs_supported=$("@strings@" "$kernel" | @grep@ -Fw -e ', IBRS_FW' | @head@ -1) + if [ -n "$ibrs_supported" ]; then + _debug "ibrs: found ibrs evidence in kernel image ($ibrs_supported)" + ibrs_supported="found '$ibrs_supported' in kernel image" +@@ -3780,7 +3780,7 @@ check_CVE_2017_5715_linux() + fi + if [ -z "$ibrs_supported" ] && [ -n "$opt_map" ]; then + ibrs_can_tell=1 +- if grep -q spec_ctrl "$opt_map"; then ++ if @grep@ -q spec_ctrl "$opt_map"; then + ibrs_supported="found spec_ctrl in symbols file" + _debug "ibrs: found '*spec_ctrl*' symbol in $opt_map" + fi +@@ -3788,11 +3788,11 @@ check_CVE_2017_5715_linux() + # recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat + # we can detect it directly in the image + if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! 
command -v "@strings@" >/dev/null 2>&1; then + : + else + ibpb_can_tell=1 +- ibpb_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1) ++ ibpb_supported=$("@strings@" "$kernel" | @grep@ -Fw -e 'ibpb' -e ', IBPB' | @head@ -1) + if [ -n "$ibpb_supported" ]; then + _debug "ibpb: found ibpb evidence in kernel image ($ibpb_supported)" + ibpb_supported="found '$ibpb_supported' in kernel image" +@@ -3841,9 +3841,9 @@ check_CVE_2017_5715_linux() + 2) if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel, user space, and firmware code" ; else pstatus green YES "for both kernel and user space"; fi;; + 3) if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and firmware code"; else pstatus green YES; fi;; + 4) pstatus green YES "Enhanced flavor, performance impact will be greatly reduced";; +- *) if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ]; +- then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS"; +- else ++ *) if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ]; ++ then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS"; ++ else + pstatus yellow UNKNOWN; fi;; + esac + fi +@@ -3894,7 +3894,7 @@ check_CVE_2017_5715_linux() + bp_harden='' + if [ -r "$opt_config" ]; then + bp_harden_can_tell=1 +- bp_harden=$(grep -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config") ++ bp_harden=$(@grep@ -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config") + if [ -n "$bp_harden" ]; then + pstatus green YES + _debug "bp_harden: found '$bp_harden' in $opt_config" +@@ -3902,7 +3902,7 @@ check_CVE_2017_5715_linux() + fi + if [ -z "$bp_harden" ] && [ -n "$opt_map" ]; then + bp_harden_can_tell=1 +- bp_harden=$(grep -w bp_hardening_data "$opt_map") ++ bp_harden=$(@grep@ -w bp_hardening_data "$opt_map") + if [ -n "$bp_harden" ]; then + pstatus green YES + _debug 
"bp_harden: found '$bp_harden' in $opt_map" +@@ -3920,11 +3920,11 @@ check_CVE_2017_5715_linux() + # We check the RETPOLINE kernel options + retpoline=0 + if [ -r "$opt_config" ]; then +- if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then ++ if @grep@ -q '^CONFIG_RETPOLINE=y' "$opt_config"; then + pstatus green YES + retpoline=1 + # shellcheck disable=SC2046 +- _debug 'retpoline: found '$(grep '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config" ++ _debug 'retpoline: found '$(@grep@ '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config" + else + pstatus yellow NO + fi +@@ -3945,8 +3945,8 @@ check_CVE_2017_5715_linux() + # since 5.15.28, this is now "Retpolines" as the implementation was switched to a generic one, + # so we look for both "retpoline" and "retpolines" + if [ "$opt_live" = 1 ] && [ -n "$fullmsg" ]; then +- if echo "$fullmsg" | grep -qwi -e retpoline -e retpolines; then +- if echo "$fullmsg" | grep -qwi minimal; then ++ if echo "$fullmsg" | @grep@ -qwi -e retpoline -e retpolines; then ++ if echo "$fullmsg" | @grep@ -qwi minimal; then + retpoline_compiler=0 + retpoline_compiler_reason="kernel reports minimal retpoline compilation" + else +@@ -3956,19 +3956,19 @@ check_CVE_2017_5715_linux() + fi + elif [ -n "$opt_map" ]; then + # look for the symbol +- if grep -qw noretpoline_setup "$opt_map"; then ++ if @grep@ -qw noretpoline_setup "$opt_map"; then + retpoline_compiler=1 + retpoline_compiler_reason="noretpoline_setup symbol found in System.map" + fi + elif [ -n "$kernel" ]; then + # look for the symbol +- if command -v "${opt_arch_prefix}nm" >/dev/null 2>&1; then ++ if command -v "@nm@" >/dev/null 2>&1; then + # the proper way: use nm and look for the symbol +- if "${opt_arch_prefix}nm" "$kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then ++ if "@nm@" "$kernel" 2>/dev/null | @grep@ -qw 'noretpoline_setup'; then + retpoline_compiler=1 + retpoline_compiler_reason="noretpoline_setup found in kernel symbols" + fi +- elif grep -q noretpoline_setup 
"$kernel"; then ++ elif @grep@ -q noretpoline_setup "$kernel"; then + # if we don't have nm, nevermind, the symbol name is long enough to not have + # any false positive using good old grep directly on the binary + retpoline_compiler=1 +@@ -3997,7 +3997,7 @@ check_CVE_2017_5715_linux() + retp_enabled=-1 + if [ "$opt_live" = 1 ]; then + if [ -e "$specex_knob_dir/retp_enabled" ]; then +- retp_enabled=$(cat "$specex_knob_dir/retp_enabled" 2>/dev/null) ++ retp_enabled=$(@cat@ "$specex_knob_dir/retp_enabled" 2>/dev/null) + _debug "retpoline: found $specex_knob_dir/retp_enabled=$retp_enabled" + _info_nol " * Retpoline is enabled: " + if [ "$retp_enabled" = 1 ]; then +@@ -4027,7 +4027,7 @@ check_CVE_2017_5715_linux() + rsb_filling=0 + if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then + # if we're live and we aren't denied looking into /sys, let's do it +- if echo "$msg" | grep -qw RSB; then ++ if echo "$msg" | @grep@ -qw RSB; then + rsb_filling=1 + pstatus green YES + fi +@@ -4036,7 +4036,7 @@ check_CVE_2017_5715_linux() + if [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "couldn't check ($kernel_err)" + else +- if grep -qw -e 'Filling RSB on context switch' "$kernel"; then ++ if @grep@ -qw -e 'Filling RSB on context switch' "$kernel"; then + rsb_filling=1 + pstatus green YES + else +@@ -4198,7 +4198,7 @@ check_CVE_2017_5715_bsd() + { + _info "* Mitigation 1" + _info_nol " * Kernel supports IBRS: " +- ibrs_disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null) ++ ibrs_disabled=$(@sysctl@ -n hw.ibrs_disable 2>/dev/null) + if [ -z "$ibrs_disabled" ]; then + pstatus yellow NO + else +@@ -4206,7 +4206,7 @@ check_CVE_2017_5715_bsd() + fi + + _info_nol " * IBRS enabled and active: " +- ibrs_active=$(sysctl -n hw.ibrs_active 2>/dev/null) ++ ibrs_active=$(@sysctl@ -n hw.ibrs_active 2>/dev/null) + if [ "$ibrs_active" = 1 ]; then + pstatus green YES + else +@@ -4219,10 +4219,10 @@ check_CVE_2017_5715_bsd() + if [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "couldn't 
check ($kernel_err)" + else +- if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then ++ if ! command -v "@readelf@" >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the binutils package" + else +- nb_thunks=$("${opt_arch_prefix}readelf" -s "$kernel" | grep -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_) ++ nb_thunks=$("@readelf@" -s "$kernel" | @grep@ -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_) + if [ "$nb_thunks" -gt 0 ]; then + retpoline=1 + pstatus green YES "found $nb_thunks thunk(s)" +@@ -4263,7 +4263,7 @@ check_CVE_2017_5715_bsd() + pti_performance_check() + { + _info_nol " * Reduced performance impact of PTI: " +- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw pcid; then ++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pcid; then + cpu_pcid=1 + else + read_cpuid 0x1 0x0 $ECX 17 1 1; ret=$? +@@ -4272,7 +4272,7 @@ pti_performance_check() + fi + fi + +- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw invpcid; then ++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw invpcid; then + cpu_invpcid=1 + else + read_cpuid 0x7 0x0 $EBX 10 1 1; ret=$? 
+@@ -4297,7 +4297,7 @@ check_CVE_2017_5754() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2017_5754_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2017_5754_bsd + else + _warn "Unsupported OS ($os)" +@@ -4319,7 +4319,7 @@ check_CVE_2017_5754_linux() + kpti_can_tell=0 + if [ -n "$opt_config" ]; then + kpti_can_tell=1 +- kpti_support=$(grep -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config") ++ kpti_support=$(@grep@ -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config") + if [ -n "$kpti_support" ]; then + _debug "kpti_support: found option '$kpti_support' in $opt_config" + fi +@@ -4329,7 +4329,7 @@ check_CVE_2017_5754_linux() + # so we try to find an exported symbol that is part of the PTI patch in System.map + # parse_kpti: arm + kpti_can_tell=1 +- kpti_support=$(grep -w -e kpti_force_enabled -e parse_kpti "$opt_map") ++ kpti_support=$(@grep@ -w -e kpti_force_enabled -e parse_kpti "$opt_map") + if [ -n "$kpti_support" ]; then + _debug "kpti_support: found '$kpti_support' in $opt_map" + fi +@@ -4339,10 +4339,10 @@ check_CVE_2017_5754_linux() + # nopti option that is part of the patch (kernel command line option) + # 'kpti=': arm + kpti_can_tell=1 +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! 
command -v "@strings@" >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package" + else +- kpti_support=$("${opt_arch_prefix}strings" "$kernel" | grep -w -e nopti -e kpti=) ++ kpti_support=$("@strings@" "$kernel" | @grep@ -w -e nopti -e kpti=) + if [ -n "$kpti_support" ]; then + _debug "kpti_support: found '$kpti_support' in $kernel" + fi +@@ -4369,20 +4369,20 @@ check_CVE_2017_5754_linux() + dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace" + # aarch64 + dmesg_grep="$dmesg_grep|CPU features: detected( feature)?: Kernel page table isolation \(KPTI\)" +- if grep ^flags "$procfs/cpuinfo" | grep -qw pti; then ++ if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pti; then + # vanilla PTI patch sets the 'pti' flag in cpuinfo + _debug "kpti_enabled: found 'pti' flag in $procfs/cpuinfo" + kpti_enabled=1 +- elif grep ^flags "$procfs/cpuinfo" | grep -qw kaiser; then ++ elif @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw kaiser; then + # kernel line 4.9 sets the 'kaiser' flag in cpuinfo + _debug "kpti_enabled: found 'kaiser' flag in $procfs/cpuinfo" + kpti_enabled=1 + elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then + # Red Hat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301 +- kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null) ++ kpti_enabled=$(@cat@ /sys/kernel/debug/x86/pti_enabled 2>/dev/null) + _debug "kpti_enabled: file /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled" + elif is_xen_dom0; then +- pti_xen_pv_domU=$(xl dmesg | grep 'XPTI' | grep 'DomU enabled' | head -1) ++ pti_xen_pv_domU=$(xl @dmesg@ | @grep@ 'XPTI' | @grep@ 'DomU enabled' | @head@ -1) + + [ -n "$pti_xen_pv_domU" ] && kpti_enabled=1 + fi +@@ -4457,7 +4457,7 @@ check_CVE_2017_5754_linux() + if [ -n "$kpti_support" ]; then + if [ -e "/sys/kernel/debug/x86/pti_enabled" ]; then + explain "Your kernel supports PTI but it's disabled, you 
can enable it with \`echo 1 > /sys/kernel/debug/x86/pti_enabled\`" +- elif echo "$kernel_cmdline" | grep -q -w -e nopti -e pti=off; then ++ elif echo "$kernel_cmdline" | @grep@ -q -w -e nopti -e pti=off; then + explain "Your kernel supports PTI but it has been disabled on command-line, remove the nopti or pti=off option from your bootloader configuration" + else + explain "Your kernel supports PTI but it has been disabled, check \`dmesg\` right after boot to find clues why the system disabled it" +@@ -4508,7 +4508,7 @@ check_CVE_2017_5754_linux() + check_CVE_2017_5754_bsd() + { + _info_nol "* Kernel supports Page Table Isolation (PTI): " +- kpti_enabled=$(sysctl -n vm.pmap.pti 2>/dev/null) ++ kpti_enabled=$(@sysctl@ -n vm.pmap.pti 2>/dev/null) + if [ -z "$kpti_enabled" ]; then + pstatus yellow NO + else +@@ -4579,7 +4579,7 @@ check_CVE_2018_3639() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2018_3639_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2018_3639_bsd + else + _warn "Unsupported OS ($os)" +@@ -4598,33 +4598,33 @@ check_CVE_2018_3639_linux() + if [ "$opt_sysfs_only" != 1 ]; then + _info_nol "* Kernel supports disabling speculative store bypass (SSB): " + if [ "$opt_live" = 1 ]; then +- if grep -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then ++ if @grep@ -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then + kernel_ssb="found in $procfs/self/status" + _debug "found Speculation.Store.Bypass: in $procfs/self/status" + fi + fi + # arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them +- if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! grep -q 'arm64_sys_' "$kernel"; then +- kernel_ssb=$("${opt_arch_prefix}strings" "$kernel" | grep spec_store_bypass | head -n1); ++ if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! 
@grep@ -q 'arm64_sys_' "$kernel"; then ++ kernel_ssb=$("@strings@" "$kernel" | @grep@ spec_store_bypass | @head@ -n1); + [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in kernel" + fi + # arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them +- if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! grep -q 'arm64_sys_' "$opt_map"; then +- kernel_ssb=$(grep spec_store_bypass "$opt_map" | awk '{print $3}' | head -n1) ++ if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! @grep@ -q 'arm64_sys_' "$opt_map"; then ++ kernel_ssb=$(@grep@ spec_store_bypass "$opt_map" | @awk@ '{print $3}' | @head@ -n1) + [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map" + fi + # arm64 only: + if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ]; then +- kernel_ssb=$(grep -w cpu_enable_ssbs "$opt_map" | awk '{print $3}' | head -n1) ++ kernel_ssb=$(@grep@ -w cpu_enable_ssbs "$opt_map" | @awk@ '{print $3}' | @head@ -n1) + [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map" + fi + if [ -z "$kernel_ssb" ] && [ -n "$opt_config" ]; then +- kernel_ssb=$(grep -w 'CONFIG_ARM64_SSBD=y' "$opt_config") ++ kernel_ssb=$(@grep@ -w 'CONFIG_ARM64_SSBD=y' "$opt_config") + [ -n "$kernel_ssb" ] && kernel_ssb="CONFIG_ARM64_SSBD enabled in kconfig" + fi + if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then + # this string only appears in kernel if CONFIG_ARM64_SSBD is set +- kernel_ssb=$(grep -w "Speculative Store Bypassing Safe (SSBS)" "$kernel") ++ kernel_ssb=$(@grep@ -w "Speculative Store Bypassing Safe (SSBS)" "$kernel") + [ -n "$kernel_ssb" ] && kernel_ssb="found 'Speculative Store Bypassing Safe (SSBS)' in kernel" + fi + # /arm64 only +@@ -4639,31 +4639,31 @@ check_CVE_2018_3639_linux() + if [ "$opt_live" = 1 ]; then + # https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340 + _info_nol "* SSB mitigation is enabled and active: " +- if grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then ++ if @grep@ 
-Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then + kernel_ssbd_enabled=1 + pstatus green YES "per-thread through prctl" +- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then ++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then + kernel_ssbd_enabled=2 + pstatus green YES "global" +- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then ++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then + kernel_ssbd_enabled=0 + pstatus yellow NO +- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then ++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then + kernel_ssbd_enabled=-2 + pstatus blue NO "not vulnerable" +- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then ++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then + kernel_ssbd_enabled=0 + pstatus blue NO + else +- pstatus blue UNKNOWN "unknown value: $(grep -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | cut -d: -f2-)" ++ pstatus blue UNKNOWN "unknown value: $(@grep@ -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | @cut@ -d: -f2-)" + fi + + if [ "$kernel_ssbd_enabled" = 1 ]; then + _info_nol "* SSB mitigation currently active for selected processes: " + # silence grep's stderr here to avoid ENOENT errors from processes that have exited since the shell's expansion of the * +- mitigated_processes=$(find /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \ +- | xargs -r0 grep -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \ +- | sed 
s/status/exe/ | xargs -r -n1 readlink -f 2>/dev/null | xargs -r -n1 basename | sort -u | tr "\n" " " | sed 's/ $//') ++ mitigated_processes=$(@find@ /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \ ++ | @xargs@ -r0 @grep@ -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \ ++ | @sed@ s/status/exe/ | @xargs@ -r -n1 readlink -f 2>/dev/null | @xargs@ -r -n1 @basename@ | @sort@ -u | @tr@ "\n" " " | @sed@ 's/ $//') + if [ -n "$mitigated_processes" ]; then + pstatus green YES "$mitigated_processes" + else +@@ -4715,7 +4715,7 @@ check_CVE_2018_3639_linux() + check_CVE_2018_3639_bsd() + { + _info_nol "* Kernel supports speculation store bypass: " +- if sysctl hw.spec_store_bypass_disable >/dev/null 2>&1; then ++ if @sysctl@ hw.spec_store_bypass_disable >/dev/null 2>&1; then + kernel_ssb=1 + pstatus green YES + else +@@ -4724,7 +4724,7 @@ check_CVE_2018_3639_bsd() + fi + + _info_nol "* Speculation store bypass is administratively enabled: " +- ssb_enabled=$(sysctl -n hw.spec_store_bypass_disable 2>/dev/null) ++ ssb_enabled=$(@sysctl@ -n hw.spec_store_bypass_disable 2>/dev/null) + _debug "hw.spec_store_bypass_disable=$ssb_enabled" + case "$ssb_enabled" in + 0) pstatus yellow NO "disabled";; +@@ -4734,7 +4734,7 @@ check_CVE_2018_3639_bsd() + esac + + _info_nol "* Speculation store bypass is currently active: " +- ssb_active=$(sysctl -n hw.spec_store_bypass_disable_active 2>/dev/null) ++ ssb_active=$(@sysctl@ -n hw.spec_store_bypass_disable_active 2>/dev/null) + _debug "hw.spec_store_bypass_disable_active=$ssb_active" + case "$ssb_active" in + 1) pstatus green YES;; +@@ -4806,7 +4806,7 @@ check_CVE_2018_3620() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2018_3620_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2018_3620_bsd + else + _warn "Unsupported OS ($os)" +@@ -4824,14 +4824,14 @@ check_CVE_2018_3620_linux() + fi 
+ if [ "$opt_sysfs_only" != 1 ]; then + _info_nol "* Kernel supports PTE inversion: " +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! command -v "@strings@" >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing 'strings' tool, please install it" + pteinv_supported=-1 + elif [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "$kernel_err" + pteinv_supported=-1 + else +- if "${opt_arch_prefix}strings" "$kernel" | grep -Fq 'PTE Inversion'; then ++ if "@strings@" "$kernel" | @grep@ -Fq 'PTE Inversion'; then + pstatus green YES "found in kernel image" + _debug "pteinv: found pte inversion evidence in kernel image" + pteinv_supported=1 +@@ -4844,7 +4844,7 @@ check_CVE_2018_3620_linux() + _info_nol "* PTE inversion enabled and active: " + if [ "$opt_live" = 1 ]; then + if [ -n "$fullmsg" ]; then +- if echo "$fullmsg" | grep -q 'Mitigation: PTE Inversion'; then ++ if echo "$fullmsg" | @grep@ -q 'Mitigation: PTE Inversion'; then + pstatus green YES + pteinv_active=1 + else +@@ -4892,7 +4892,7 @@ check_CVE_2018_3620_bsd() + else + _debug "vmm module already loaded" + fi +- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then ++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then + # https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch + # this is very difficult to detect that the kernel reserved the 0 page, but this fix + # is part of the exact same patch than the other L1TF CVE, so we detect it +@@ -4922,7 +4922,7 @@ check_CVE_2018_3646() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2018_3646_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2018_3646_bsd + else + _warn "Unsupported OS ($os)" +@@ -4948,7 +4948,7 @@ check_CVE_2018_3646_linux() + if [ "$opt_live" = 1 ]; then + if ! 
[ -r /sys/module/kvm_intel/parameters/ept ]; then + pstatus blue N/A "the kvm_intel module is not loaded" +- elif [ "$(cat /sys/module/kvm_intel/parameters/ept)" = N ]; then ++ elif [ "$(@cat@ /sys/module/kvm_intel/parameters/ept)" = N ]; then + pstatus green YES + ept_disabled=1 + else +@@ -4960,15 +4960,15 @@ check_CVE_2018_3646_linux() + + _info "* Mitigation 2" + _info_nol " * L1D flush is supported by kernel: " +- if [ "$opt_live" = 1 ] && grep -qw flush_l1d "$procfs/cpuinfo"; then ++ if [ "$opt_live" = 1 ] && @grep@ -qw flush_l1d "$procfs/cpuinfo"; then + l1d_kernel="found flush_l1d in $procfs/cpuinfo" + fi + if [ -z "$l1d_kernel" ]; then +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! command -v "@strings@" >/dev/null 2>&1; then + l1d_kernel_err="missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package" + elif [ -n "$kernel_err" ]; then + l1d_kernel_err="$kernel_err" +- elif "${opt_arch_prefix}strings" "$kernel" | grep -qw flush_l1d; then ++ elif "@strings@" "$kernel" | @grep@ -qw flush_l1d; then + l1d_kernel='found flush_l1d in kernel image' + fi + fi +@@ -4989,20 +4989,20 @@ check_CVE_2018_3646_linux() + # $l1dstatus is one of (auto|vulnerable|conditional cache flushes|cache flushes|EPT disabled|flush not necessary) + # $smtstatus is one of (vulnerable|disabled) + # can also just be "Not affected" +- if echo "$fullmsg" | grep -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then ++ if echo "$fullmsg" | @grep@ -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then + l1d_mode=0 + pstatus yellow NO +- elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) conditional cache flushes'; then ++ elif echo "$fullmsg" | @grep@ -Eq '(VMX:|L1D) conditional cache flushes'; then + l1d_mode=1 + pstatus green YES "conditional flushes" +- elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) cache flushes'; then ++ elif echo "$fullmsg" | @grep@ -Eq 
'(VMX:|L1D) cache flushes'; then + l1d_mode=2 + pstatus green YES "unconditional flushes" + else + if is_xen_dom0; then +- l1d_xen_hardware=$(xl dmesg | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -1) +- l1d_xen_hypervisor=$(xl dmesg | grep 'Xen settings:' | grep 'L1D_FLUSH' | head -1) +- l1d_xen_pv_domU=$(xl dmesg | grep 'PV L1TF shadowing:' | grep 'DomU enabled' | head -1) ++ l1d_xen_hardware=$(xl @dmesg@ | @grep@ 'Hardware features:' | @grep@ 'L1D_FLUSH' | @head@ -1) ++ l1d_xen_hypervisor=$(xl @dmesg@ | @grep@ 'Xen settings:' | @grep@ 'L1D_FLUSH' | @head@ -1) ++ l1d_xen_pv_domU=$(xl @dmesg@ | @grep@ 'PV L1TF shadowing:' | @grep@ 'DomU enabled' | @head@ -1) + + if [ -n "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n "$l1d_xen_pv_domU" ]; then + l1d_mode=5 +@@ -5033,7 +5033,7 @@ check_CVE_2018_3646_linux() + + _info_nol " * Hardware-backed L1D flush supported: " + if [ "$opt_live" = 1 ]; then +- if grep -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then ++ if @grep@ -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then + pstatus green YES "performance impact of the mitigation will be greatly reduced" + else + pstatus blue NO "flush will be done in software, this is slower" +@@ -5105,7 +5105,7 @@ check_CVE_2018_3646_linux() + check_CVE_2018_3646_bsd() + { + _info_nol "* Kernel supports L1D flushing: " +- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then ++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then + pstatus green YES + kernel_l1d_supported=1 + else +@@ -5114,7 +5114,7 @@ check_CVE_2018_3646_bsd() + fi + + _info_nol "* L1D flushing is enabled: " +- kernel_l1d_enabled=$(sysctl -n hw.vmm.vmx.l1d_flush 2>/dev/null) ++ kernel_l1d_enabled=$(@sysctl@ -n hw.vmm.vmx.l1d_flush 2>/dev/null) + case "$kernel_l1d_enabled" in + 0) pstatus yellow NO;; + 1) pstatus green YES;; +@@ -5168,7 +5168,7 @@ check_CVE_2018_12127() + ################### + # MDSUM SECTION + +-# Microarchitectural Data Sampling Uncacheable 
Memory ++# Microarchitectural Data Sampling Uncacheable Memory + check_CVE_2019_11091() + { + cve='CVE-2019-11091' +@@ -5182,7 +5182,7 @@ check_mds() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_mds_linux "$cve" +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_mds_bsd "$cve" + else + _warn "Unsupported OS ($os)" +@@ -5193,7 +5193,7 @@ check_mds_bsd() + { + _info_nol "* Kernel supports using MD_CLEAR mitigation: " + if [ "$opt_live" = 1 ]; then +- if sysctl hw.mds_disable >/dev/null 2>&1; then ++ if @sysctl@ hw.mds_disable >/dev/null 2>&1; then + pstatus green YES + kernel_md_clear=1 + else +@@ -5201,7 +5201,7 @@ check_mds_bsd() + kernel_md_clear=0 + fi + else +- if grep -Fq hw.mds_disable $opt_kernel; then ++ if @grep@ -Fq hw.mds_disable $opt_kernel; then + pstatus green YES + kernel_md_clear=1 + else +@@ -5211,8 +5211,8 @@ check_mds_bsd() + fi + + _info_nol "* CPU Hyper-Threading (SMT) is disabled: " +- if sysctl machdep.hyperthreading_allowed >/dev/null 2>&1; then +- kernel_smt_allowed=$(sysctl -n machdep.hyperthreading_allowed 2>/dev/null) ++ if @sysctl@ machdep.hyperthreading_allowed >/dev/null 2>&1; then ++ kernel_smt_allowed=$(@sysctl@ -n machdep.hyperthreading_allowed 2>/dev/null) + if [ "$kernel_smt_allowed" = 1 ]; then + pstatus yellow NO + else +@@ -5224,7 +5224,7 @@ check_mds_bsd() + + _info_nol "* Kernel mitigation is enabled: " + if [ "$kernel_md_clear" = 1 ]; then +- kernel_mds_enabled=$(sysctl -n hw.mds_disable 2>/dev/null) ++ kernel_mds_enabled=$(@sysctl@ -n hw.mds_disable 2>/dev/null) + else + kernel_mds_enabled=0 + fi +@@ -5238,7 +5238,7 @@ check_mds_bsd() + + _info_nol "* Kernel mitigation is active: " + if [ "$kernel_md_clear" = 1 ]; then +- kernel_mds_state=$(sysctl -n hw.mds_disable_state 2>/dev/null) ++ kernel_mds_state=$(@sysctl@ -n hw.mds_disable_state 2>/dev/null) + else + kernel_mds_state=inactive + fi +@@ -5296,16 +5296,16 @@ check_mds_linux() + 
_info_nol "* Kernel supports using MD_CLEAR mitigation: " + kernel_md_clear='' + kernel_md_clear_can_tell=1 +- if [ "$opt_live" = 1 ] && grep ^flags "$procfs/cpuinfo" | grep -qw md_clear; then ++ if [ "$opt_live" = 1 ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw md_clear; then + kernel_md_clear="md_clear found in $procfs/cpuinfo" + pstatus green YES "$kernel_md_clear" + fi + if [ -z "$kernel_md_clear" ]; then +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! command -v "@strings@" >/dev/null 2>&1; then + kernel_md_clear_can_tell=0 + elif [ -n "$kernel_err" ]; then + kernel_md_clear_can_tell=0 +- elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'Clear CPU buffers'; then ++ elif "@strings@" "$kernel" | @grep@ -q 'Clear CPU buffers'; then + _debug "md_clear: found 'Clear CPU buffers' string in kernel image" + kernel_md_clear='found md_clear implementation evidence in kernel image' + pstatus green YES "$kernel_md_clear" +@@ -5321,7 +5321,7 @@ check_mds_linux() + + if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then + _info_nol "* Kernel mitigation is enabled and active: " +- if echo "$fullmsg" | grep -qi ^mitigation; then ++ if echo "$fullmsg" | @grep@ -qi ^mitigation; then + mds_mitigated=1 + pstatus green YES + else +@@ -5329,7 +5329,7 @@ check_mds_linux() + pstatus yellow NO + fi + _info_nol "* SMT is either mitigated or disabled: " +- if echo "$fullmsg" | grep -Eq 'SMT (disabled|mitigated)'; then ++ if echo "$fullmsg" | @grep@ -Eq 'SMT (disabled|mitigated)'; then + mds_smt_mitigated=1 + pstatus green YES + else +@@ -5415,7 +5415,7 @@ check_CVE_2019_11135() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2019_11135_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2019_11135_bsd + else + _warn "Unsupported OS ($os)" +@@ -5436,7 +5436,7 @@ check_CVE_2019_11135_linux() + kernel_taa='' + if [ -n "$kernel_err" ]; then + 
kernel_taa_err="$kernel_err" +- elif grep -q 'tsx_async_abort' "$kernel"; then ++ elif @grep@ -q 'tsx_async_abort' "$kernel"; then + kernel_taa="found tsx_async_abort in kernel image" + fi + if [ -n "$kernel_taa" ]; then +@@ -5450,7 +5450,7 @@ check_CVE_2019_11135_linux() + _info_nol "* TAA mitigation enabled and active: " + if [ "$opt_live" = 1 ]; then + if [ -n "$fullmsg" ]; then +- if echo "$fullmsg" | grep -qE '^Mitigation'; then ++ if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then + pstatus green YES "$fullmsg" + else + pstatus yellow NO +@@ -5485,9 +5485,9 @@ check_CVE_2019_11135_linux() + else + if [ "$opt_paranoid" = 1 ]; then + # in paranoid mode, TSX or SMT enabled are not OK, even if TAA is mitigated +- if ! echo "$fullmsg" | grep -qF 'TSX disabled'; then ++ if ! echo "$fullmsg" | @grep@ -qF 'TSX disabled'; then + pvulnstatus $cve VULN "TSX must be disabled for full mitigation" +- elif echo "$fullmsg" | grep -qF 'SMT vulnerable'; then ++ elif echo "$fullmsg" | @grep@ -qF 'SMT vulnerable'; then + pvulnstatus $cve VULN "SMT (HyperThreading) must be disabled for full mitigation" + else + pvulnstatus $cve "$status" "$msg" +@@ -5517,7 +5517,7 @@ check_CVE_2018_12207() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2018_12207_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2018_12207_bsd + else + _warn "Unsupported OS ($os)" +@@ -5541,7 +5541,7 @@ check_CVE_2018_12207_linux() + if [ -n "$kernel_err" ]; then + kernel_itlbmh_err="$kernel_err" + # commit 5219505fcbb640e273a0d51c19c38de0100ec5a9 +- elif grep -q 'itlb_multihit' "$kernel"; then ++ elif @grep@ -q 'itlb_multihit' "$kernel"; then + kernel_itlbmh="found itlb_multihit in kernel image" + fi + if [ -n "$kernel_itlbmh" ]; then +@@ -5555,7 +5555,7 @@ check_CVE_2018_12207_linux() + _info_nol "* iTLB Multihit mitigation enabled and active: " + if [ "$opt_live" = 1 ]; then + if [ -n "$fullmsg" ]; then +- if 
echo "$fullmsg" | grep -qF 'Mitigation'; then ++ if echo "$fullmsg" | @grep@ -qF 'Mitigation'; then + pstatus green YES "$fullmsg" + else + pstatus yellow NO +@@ -5597,7 +5597,7 @@ check_CVE_2018_12207_linux() + check_CVE_2018_12207_bsd() + { + _info_nol "* Kernel supports disabling superpages for executable mappings under EPT: " +- kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept 2>/dev/null) ++ kernel_2m_x_ept=$(@sysctl@ -n vm.pmap.allow_2m_x_ept 2>/dev/null) + if [ -z "$kernel_2m_x_ept" ]; then + pstatus yellow NO + else +@@ -5634,7 +5634,7 @@ check_CVE_2020_0543() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2020_0543_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2020_0543_bsd + else + _warn "Unsupported OS ($os)" +@@ -5655,7 +5655,7 @@ check_CVE_2020_0543_linux() + kernel_srbds='' + if [ -n "$kernel_err" ]; then + kernel_srbds_err="$kernel_err" +- elif grep -q 'Dependent on hypervisor' "$kernel"; then ++ elif @grep@ -q 'Dependent on hypervisor' "$kernel"; then + kernel_srbds="found SRBDS implementation evidence in kernel image. 
Your kernel is up to date for SRBDS mitigation" + fi + if [ -n "$kernel_srbds" ]; then +@@ -5668,7 +5668,7 @@ check_CVE_2020_0543_linux() + _info_nol "* SRBDS mitigation control is enabled and active: " + if [ "$opt_live" = 1 ]; then + if [ -n "$fullmsg" ]; then +- if echo "$fullmsg" | grep -qE '^Mitigation'; then ++ if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then + pstatus green YES "$fullmsg" + else + pstatus yellow NO +@@ -5758,8 +5758,8 @@ fi + # now run the checks the user asked for + for cve in $supported_cve_list + do +- if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | grep -qw "$cve"; then +- check_"$(echo "$cve" | tr - _)" ++ if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | @grep@ -qw "$cve"; then ++ check_"$(echo "$cve" | @tr@ - _)" + _info + fi + done +@@ -5773,17 +5773,17 @@ if [ "$bad_accuracy" = 1 ]; then + _warn "We're missing some kernel info (see -v), accuracy might be reduced" + fi + +-_vars=$(set | grep -Ev '^[A-Z_[:space:]]' | grep -v -F 'mockme=' | sort | tr "\n" '|') ++_vars=$(set | @grep@ -Ev '^[A-Z_[:space:]]' | @grep@ -v -F 'mockme=' | @sort@ | @tr@ "\n" '|') + _debug "variables at end of script: $_vars" + + if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then +- if command -v "gzip" >/dev/null 2>&1; then ++ if command -v "@gzip@" >/dev/null 2>&1; then + # not a useless use of cat: gzipping cpuinfo directly doesn't work well + # shellcheck disable=SC2002 +- if command -v "base64" >/dev/null 2>&1; then +- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | base64 -w0)" +- elif command -v "uuencode" >/dev/null 2>&1; then +- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | uuencode -m - | grep -Fv 'begin-base64' | grep -Fxv -- '====' | tr -d "\n")" ++ if command -v "@base64@" >/dev/null 2>&1; then ++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @base64@ -w0)" ++ elif command -v "@uuencode@" >/dev/null 2>&1; then ++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @uuencode@ -m - | @grep@ -Fv 'begin-base64' | @grep@ -Fxv -- '====' | @tr@ -d 
"\n")" + fi + fi + if [ -n "$mock_cpuinfo" ]; then +@@ -5792,7 +5792,7 @@ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then + fi + _info "" + # shellcheck disable=SC2046 +- _warn "To mock this CPU, set those vars: "$(echo "$mockme" | sort -u) ++ _warn "To mock this CPU, set those vars: "$(echo "$mockme" | @sort@ -u) + fi + + if [ "$opt_explain" = 0 ]; then +-- +2.38.1 + diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch new file mode 100644 index 0000000000..afec52b418 --- /dev/null +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch @@ -0,0 +1,26 @@ +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001 +From: Hilton Chain <hako@ultrarare.space> +Date: Sat, 5 Nov 2022 23:22:31 +0800 +Subject: [PATCH] Add support for Guix System kernel. + +--- + spectre-meltdown-checker.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh +index 248a444..855a090 100755 +--- a/spectre-meltdown-checker.sh ++++ b/spectre-meltdown-checker.sh +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then + [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)" + # NixOS: + [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel" ++ # Guix System: ++ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage" + # systemd kernel-install: + [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux" + # Clear Linux: + +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183 +-- +2.38.0 base-commit: 2757de2e2b271d87f6f72ba4161c2225fbdc9e78 -- 2.38.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
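Review bot: in the support-guix-system-kernel.patch hunk at `@@ -2251,6 +2251,8 @@`, the new Guix System line is correct only because it is evaluated after the NixOS line, and nothing says so. Whenever `/run/booted-system/kernel/bzImage` exists, `/run/booted-system/kernel` exists as well (as the directory containing it), so on a Guix System the NixOS test `[ -e "/run/booted-system/kernel" ]` fires first and sets `opt_kernel` to a directory, and the Guix line then overwrites it with the bzImage path. Either tighten the NixOS test to `[ -f "/run/booted-system/kernel" ]` so it no longer matches a directory, or add a comment that the Guix System check must stay below the NixOS one; otherwise a later reordering of this detection list would silently leave `opt_kernel` pointing at a directory and every kernel-image check would fail.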
* [bug#59053] [PATCH v3] gnu: Add spectre-meltdown-checker.
From: Liliana Marie Prikler @ 2022-11-12 12:28 UTC
To: Hilton Chain; +Cc: 59053

On Saturday, 12.11.2022 at 20:14 +0800, Hilton Chain wrote:
> 1. Use curl as default downloader (It seems that wget doesn't work
> out of the box for TLS?).
Uhm, what exactly is the checker downloading that it needs wget or curl for?
* [bug#59053] [PATCH v3] gnu: Add spectre-meltdown-checker.
From: Hilton Chain via Guix-patches @ 2022-11-12 12:50 UTC
To: Liliana Marie Prikler; +Cc: 59053

On Sat, 12 Nov 2022 20:28:58 +0800,
Liliana Marie Prikler wrote:
> Uhm, what exactly is the checker downloading that it needs wget or curl
> for?
With option "--update-fwdb", the checker fetches source files and builds the firmware database.
* [bug#59053] [PATCH v3] gnu: Add spectre-meltdown-checker.
From: Liliana Marie Prikler @ 2022-11-12 13:40 UTC
To: Hilton Chain; +Cc: 59053

On Saturday, 12.11.2022 at 20:50 +0800, Hilton Chain wrote:
> On Sat, 12 Nov 2022 20:28:58 +0800,
> Liliana Marie Prikler wrote:
> > Uhm, what exactly is the checker downloading that it needs wget or
> > curl for?
> With option "--update-fwdb", the checker fetches source files and
> builds the firmware database.
You mean proprietary firmware?
* [bug#59053] [PATCH v4] gnu: Add spectre-meltdown-checker.
From: Hilton Chain via Guix-patches @ 2022-11-12 15:15 UTC
To: Liliana Marie Prikler; +Cc: 59053

* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch: New file.
* gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch: New file.
* gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
v3 -> v4:
1. Remove downloading function.
2. Add option for supplying a local database.

 gnu/local.mk | 3 +
 gnu/packages/linux.scm | 54 +
 ...ker-remove-builtin-firmware-database.patch | 243 +++
 ...cker-stage-commands-for-substitution.patch | 1849 +++++++++++++++++
 ...n-checker-support-guix-system-kernel.patch | 26 +
 5 files changed, 2175 insertions(+)
 create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
 create mode 100644 gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
 create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index e3e02314bb..46b299d0d6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1857,6 +1857,9 @@ dist_patch_DATA = \ %D%/packages/patches/syslinux-strip-gnu-property.patch \ %D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \ %D%/packages/patches/snappy-add-inline-for-GCC.patch \ + %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \ + %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch \ + %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \ %D%/packages/patches/sphinxbase-fix-doxygen.patch \ %D%/packages/patches/spice-vdagent-glib-2.68.patch \ %D%/packages/patches/sssd-optional-systemd.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index fea33dfa0b..1807fd5655 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm 
@@ -9595,3 +9595,57 @@ (define-public edac-utils error detection and correction (EDAC).") (home-page "https://github.com/grondo/edac-utils") (license license:gpl2+))) + +(define-public spectre-meltdown-checker + (package + (name "spectre-meltdown-checker") + (version "0.45") + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/speed47/spectre-meltdown-checker") + (commit (string-append "v" version)))) + (file-name (git-file-name name version)) + (patches + (search-patches + ;; https://github.com/speed47/spectre-meltdown-checker/pull/441 + "spectre-meltdown-checker-support-guix-system-kernel.patch" + ;; NOTE: Update these patches when updating. + "spectre-meltdown-checker-remove-builtin-firmware-database.patch" + "spectre-meltdown-checker-stage-commands-for-substitution.patch")) + ;; Remove builtin firmware database. + (modules '((guix build utils))) + (snippet '(substitute* "spectre-meltdown-checker.sh" + (("^# [AI],.*") ""))) + (sha256 + (base32 + "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8")))) + (build-system copy-build-system) + (arguments + (list #:install-plan + #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker")) + #:phases + #~(modify-phases %standard-phases + (add-after 'unpack 'fixpath + (lambda* (#:key inputs #:allow-other-keys) + (substitute* "spectre-meltdown-checker.sh" + (("@sysctl@") (search-input-file inputs "/sbin/sysctl")) + (("@([a-z0-9]*)@" _ command _) + (search-input-file + inputs (string-append "/bin/" command))))))))) + (inputs + (list kmod + lz4 + lzop + perl + procps + sharutils + util-linux + zstd)) + (home-page "https://github.com/speed47/spectre-meltdown-checker") + (synopsis "CPU vulnerability / mitigation checker") + (description + "This package provides a shell script to assess your system's resilience +against the several transient execution CVEs that were published since early +2018, and give you guidance as to how to mitigate them.") + (license license:gpl3))) 
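Review bot: in the `fixpath` phase of the linux.scm hunk, the clause `(("@([a-z0-9]*)@" _ command _) ...)` names three match variables for a regexp that has a single group; the trailing `_` is never bound and suggests a second group that does not exist, so `(("@([a-z0-9]*)@" _ command) ...)` describes what the code actually does. The `@sysctl@` clause above it works only because it comes first: `sysctl` lives under `sbin/`, and the generic clause would hand `search-input-file` a `/bin/sysctl` path and fail the build, so a one-line comment on that ordering would keep a later editor from folding the two together. Finally, most commands the stage-commands patch lists in its subject (grep, sed, awk, tr, readelf, strings, gunzip, unxz, bunzip2 and the coreutils) are absent from `inputs` and resolve only through the implicit inputs of `copy-build-system`, which `search-input-file` also searches; that is fine, but given the `NOTE: Update these patches when updating.` comment already marks this package as maintenance-heavy, a short comment stating that the remaining staged commands are expected from the implicit inputs would make the `inputs` list auditable without reading all three patches.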
diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch new file mode 100644 index 0000000000..888bb0c2b1 --- /dev/null +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch 
@@ -0,0 +1,243 @@ +From a3a9b7ca93071393e6bfd999fedd737009718aab Mon Sep 17 00:00:00 2001 +From: Hilton Chain <hako@ultrarare.space> +Date: Sat, 12 Nov 2022 22:45:24 +0800 +Subject: [PATCH 1/2] Remove builtin firmware database. + +1. Remove downloading function. +2. Add option for supplying a local database. +--- + spectre-meltdown-checker.sh | 180 +++--------------------------------- + 1 file changed, 15 insertions(+), 165 deletions(-) + +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh +index 30f760c..ce46970 100755 +--- a/spectre-meltdown-checker.sh ++++ b/spectre-meltdown-checker.sh +@@ -22,8 +22,6 @@ exit_cleanup() + [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config" + [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp" + [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2" +- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm -f "$mcedb_tmp" +- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm -rf "$intel_tmp" + [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null + [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null + [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null +@@ -93,9 +91,7 @@ show_usage() + --vmm [auto,yes,no] override the detection of the presence of a hypervisor, default: auto + --allow-msr-write allow probing for write-only MSRs, this might produce kernel logs or be blocked by your system + --cpu [#,all] interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0) +- --update-fwdb update our local copy of the CPU microcodes versions database (using the awesome +- MCExtractor project and the Intel firmwares GitHub repository) +- --update-builtin-fwdb same as --update-fwdb but update builtin DB inside the script itself ++ --with-fwdb FILE supply the CPU microcodes versions database + --dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script + + Return codes: +@@ 
-837,147 +833,6 @@ show_header() + _info + } + +-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)" +-mcedb_cache="$HOME/.mcedb" +-update_fwdb() +-{ +- show_header +- +- set -e +- +- if [ -r "$mcedb_cache" ]; then +- previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache") +- fi +- +- # first, download the MCE.db from the excellent platomav's MCExtractor project +- mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)" +- mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db' +- _info_nol "Fetching MCE.db from the MCExtractor project... " +- if command -v wget >/dev/null 2>&1; then +- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$? +- elif command -v curl >/dev/null 2>&1; then +- curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$? +- elif command -v fetch >/dev/null 2>&1; then +- fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$? +- else +- echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs" +- return 1 +- fi +- if [ "$ret" != 0 ]; then +- echo ERROR "error $ret while downloading MCE.db" +- return $ret +- fi +- echo DONE +- +- # second, get the Intel firmwares from GitHub +- intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)" +- intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip" +- _info_nol "Fetching Intel firmwares... " +- ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git +- if command -v wget >/dev/null 2>&1; then +- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$? +- elif command -v curl >/dev/null 2>&1; then +- curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$? +- elif command -v fetch >/dev/null 2>&1; then +- fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$? 
+- else +- echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs" +- return 1 +- fi +- if [ "$ret" != 0 ]; then +- echo ERROR "error $ret while downloading Intel firmwares" +- return $ret +- fi +- echo DONE +- +- # now extract MCEdb contents using sqlite +- _info_nol "Extracting MCEdb data... " +- if ! command -v sqlite3 >/dev/null 2>&1; then +- echo ERROR "please install the \`sqlite3\` program" +- return 1 +- fi +- mcedb_revision=$(sqlite3 "$mcedb_tmp" "select revision from MCE") +- if [ -z "$mcedb_revision" ]; then +- echo ERROR "downloaded file seems invalid" +- return 1 +- fi +- sqlite3 "$mcedb_tmp" "alter table Intel add column origin text" +- sqlite3 "$mcedb_tmp" "update Intel set origin='mce'" +- +- echo OK "MCExtractor database revision $mcedb_revision" +- +- # parse Intel firmwares to get their versions +- _info_nol "Integrating Intel firmwares data to db... " +- if ! command -v unzip >/dev/null 2>&1; then +- echo ERROR "please install the \`unzip\` program" +- return 1 +- fi +- ( cd "$intel_tmp" && unzip fw.zip >/dev/null; ) +- if ! [ -d "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" ]; then +- echo ERROR "expected the 'intel-ucode' folder in the downloaded zip file" +- return 1 +- fi +- +- if ! command -v iucode_tool >/dev/null 2>&1; then +- if ! 
command -v iucode-tool >/dev/null 2>&1; then +- echo ERROR "please install the \`iucode-tool\` program" +- return 1 +- else +- iucode_tool="iucode-tool" +- fi +- else +- iucode_tool="iucode_tool" +- fi +- # 079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev 0x0217, size 5120 +- # 078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev 0x0107, size 5120 +- $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line +- do +- _line=$( echo "$_line" | tr -d ',') +- _cpuid=$( echo "$_line" | awk '{print $3}') +- _cpuid=$(( _cpuid )) +- _cpuid=$(printf "0x%08X" "$_cpuid") +- _date=$( echo "$_line" | awk '{print $6}' | tr -d '-') +- _version=$(echo "$_line" | awk '{print $8}') +- _version=$(( _version )) +- _version=$(printf "0x%08X" "$_version") +- _sqlstm="$(printf "INSERT INTO Intel (origin,cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")" +- sqlite3 "$mcedb_tmp" "$_sqlstm" +- done +- _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null) +- if [ -n "$_intel_timestamp" ]; then +- # use this date, it matches the last commit date +- _intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp") +- else +- echo "Falling back to the latest microcode date" +- _intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT yyyymmdd from Intel WHERE origin = 'intel' ORDER BY yyyymmdd DESC LIMIT 1;") +- fi +- echo DONE "(version $_intel_latest_date)" +- +- dbversion="$mcedb_revision+i$_intel_latest_date" +- +- if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [ "$previous_dbversion" = "v$dbversion" ]; then +- echo "We already have this version locally, no update needed" +- return 0 +- fi +- +- _info_nol "Building local database... 
" +- { +- echo "# Spectre & Meltdown Checker"; +- echo "# %%% MCEDB v$dbversion"; +- sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,'; +- sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,'; +- } > "$mcedb_cache" +- echo DONE "(version $dbversion)" +- +- if [ "$1" = builtin ]; then +- newfile=$(mktemp -t smc-builtin-XXXXXX) +- awk '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile" +- awk '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile" +- cat "$newfile" > "$0" +- rm -f "$newfile" +- fi +-} +- + parse_opt_file() + { + # parse_opt_file option_name option_value +@@ -1067,12 +922,15 @@ while [ -n "${1:-}" ]; do + # deprecated, kept for compatibility + opt_explain=0 + shift +- elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then +- update_fwdb +- exit $? +- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then +- update_fwdb builtin +- exit $? 
++ elif [ "$1" = "--with-fwdb" ] || [ "$1" = "--with-mcedb" ]; then ++ opt_fwdb=$2 ++ if [ -f "$opt_fwdb" ]; then ++ mcedb_cache=$2 ++ else ++ echo "$0: error: --with-fwdb should be a file, got '$opt_fwdb'" >&2 ++ exit 255 ++ fi ++ shift 2 + elif [ "$1" = "--dump-mock-data" ]; then + opt_mock=1 + shift +@@ -2033,21 +1891,11 @@ is_xen_domU() + fi + } + +-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0") + if [ -r "$mcedb_cache" ]; then + # we have a local cache file, but it might be older than the builtin version we have + local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache") +- # sort -V sorts by version number +- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | sort -V | head -n1) +- if [ "$older_dbversion" = "$builtin_dbversion" ]; then +- mcedb_source="$mcedb_cache" +- mcedb_info="local firmwares DB $local_dbversion" +- fi +-fi +-# if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db +-if [ -z "${mcedb_source:-}" ]; then +- mcedb_source="$0" +- mcedb_info="builtin firmwares DB $builtin_dbversion" ++ mcedb_source="$mcedb_cache" ++ mcedb_info="local firmwares DB $local_dbversion" + fi + read_mcedb() + { +@@ -2063,7 +1911,9 @@ is_latest_known_ucode() + return 2 + fi + ucode_latest="latest microcode version for your CPU model is unknown" +- if is_intel; then ++ if [ -z "$mcedb_source" ]; then ++ return 2 ++ elif is_intel; then + cpu_brand_prefix=I + elif is_amd; then + cpu_brand_prefix=A +-- +2.38.1 + diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch new file mode 100644 index 0000000000..a8e7531f32 --- /dev/null +++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch 
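Review bot: in the remove-builtin-firmware-database.patch hunk at `@@ -1067,12 +922,15 @@`, the new `--with-fwdb` branch reads `$2` without first checking that a value was supplied, whereas the neighbouring `--cve` branch reports `option --cve expects a parameter` and exits 255 for the same situation; with `--with-fwdb` as the last argument this branch instead fails the `[ -f "" ]` test and prints `got ''`, which tells the user the wrong thing. Mirror the `--cve` guard and message, and drop the duplicated assignment (`opt_fwdb=$2` followed by `mcedb_cache=$2`): setting `mcedb_cache` once after the file test is enough.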
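Review bot: in the remove-builtin-firmware-database.patch hunk at `@@ -2063,7 +1911,9 @@`, the new test `[ -z "$mcedb_source" ]` reads a variable that is only assigned inside the `if [ -r "$mcedb_cache" ]` block of the `@@ -2033,21 +1891,11 @@` hunk, and `mcedb_cache` itself lost its `$HOME/.mcedb` default in the `@@ -837,147 +833,6 @@` hunk, so without `--with-fwdb` both are unset when this line runs. The surrounding code spells such tests `"${mcedb_source:-}"` (the removed line `if [ -z "${mcedb_source:-}" ]` did exactly that), so keep that form here and initialise `mcedb_cache=''` next to the other `opt_*` defaults so the `[ -r ]` test does not depend on an unset variable. On the same hunk: returning 2 (the code the function already uses for "latest microcode version ... is unknown") whenever no database is supplied quietly downgrades the microcode check, so the `--with-fwdb` help text should state that the check is skipped unless a database file is given.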
@@ -0,0 +1,1849 @@ +From 1d79c223d5dc114f63da2c5061d2c713d8a05687 Mon Sep 17 00:00:00 2001 +From: Hilton Chain <hako@ultrarare.space> +Date: Fri, 11 Nov 2022 18:49:50 +0800 +Subject: [PATCH 2/2] Stage commands for later substitution. + +awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find, grep, +gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm, nproc, +objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat, strings, +sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, xargs. +--- + spectre-meltdown-checker.sh | 606 ++++++++++++++++++------------------ + 1 file changed, 303 insertions(+), 303 deletions(-) + +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh +index ce46970..4889ebb 100755 +--- a/spectre-meltdown-checker.sh ++++ b/spectre-meltdown-checker.sh +@@ -19,31 +19,31 @@ trap '_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT + exit_cleanup() + { + # cleanup the temp decompressed config & kernel image +- [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config" +- [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp" +- [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2" +- [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null +- [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null +- [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null +- [ "${insmod_msr:-}" = 1 ] && rmmod msr 2>/dev/null ++ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && @rm@ -f "$dumped_config" ++ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && @rm@ -f "$kerneltmp" ++ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && @rm@ -f "$kerneltmp2" ++ [ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug 2>/dev/null ++ [ "${mounted_procfs:-}" = 1 ] && @umount@ "$procfs" 2>/dev/null ++ [ "${insmod_cpuid:-}" = 1 ] && @rmmod@ cpuid 2>/dev/null ++ [ "${insmod_msr:-}" = 1 ] && @rmmod@ msr 2>/dev/null + [ 
"${kldload_cpuctl:-}" = 1 ] && kldunload cpuctl 2>/dev/null + [ "${kldload_vmm:-}" = 1 ] && kldunload vmm 2>/dev/null + } + + # if we were git clone'd, adjust VERSION +-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then +- describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null) +- [ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e s/^v//) ++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null 2>&1; then ++ describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty 2>/dev/null) ++ [ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e s/^v//) + fi + + show_usage() + { + # shellcheck disable=SC2086 +- cat <<EOF ++ @cat@ <<EOF + Usage: +- Live mode (auto): $(basename $0) [options] +- Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live +- Offline mode: $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> ++ Live mode (auto): $(@basename@ $0) [options] ++ Live mode (manual): $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live ++ Offline mode: $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> + + Modes: + Two modes are available. 
+@@ -106,7 +106,7 @@ EOF + + show_disclaimer() + { +- cat <<EOF ++ @cat@ <<EOF + Disclaimer: + + This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the +@@ -134,7 +134,7 @@ This tool has been released in the hope that it'll be useful, but don't use it t + EOF + } + +-os=$(uname -s) ++os=$(@uname@ -s) + + # parse options + opt_kernel='' +@@ -203,7 +203,7 @@ __echo() + _interpret_chars='-e' + fi + _ctrlchar=$($echo_cmd $_interpret_chars "\033") +- _msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g") ++ _msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g") + fi + if [ "$echo_cmd_type" = printf ]; then + if [ "$opt" = "-n" ]; then +@@ -379,7 +379,7 @@ is_cpu_affected() + # https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not affected + # https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown affected + # model name : Pentium(R) Dual-Core CPU E5200 @ 2.50GHz +- if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then ++ if echo "$cpu_friendly_name" | @grep@ -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then + variant1=vuln + [ -z "$variant2" ] && variant2=immune + variant3=vuln +@@ -482,7 +482,7 @@ is_cpu_affected() + i=$(( i + 1 )) + # do NOT quote $cpu_arch_list below + # shellcheck disable=SC2086 +- cpuarch=$(echo $cpu_arch_list | awk '{ print $'$i' }') ++ cpuarch=$(echo $cpu_arch_list | @awk@ '{ print $'$i' }') + _debug "checking cpu$i: <$cpupart> <$cpuarch>" + # some kernels report AArch64 instead of 8 + [ "$cpuarch" = "AArch64" ] && cpuarch=8 +@@ -493,49 +493,49 @@ is_cpu_affected() + # part ? ? c08 c09 c0d c0f c0e d07 d08 d09 d0a d0b d0c d0d + # arch 7? 7? 
7 7 7 7 7 8 8 8 8 8 8 8 + # +- # Whitelist identified non-affected processors, use vulnerability information from ++ # Whitelist identified non-affected processors, use vulnerability information from + # https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability + # Partnumbers can be found here: + # https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in + # + # Maintain cumulative check of vulnerabilities - + # if at least one of the cpu is affected, then the system is affected +- if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then ++ if [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then + variant1=vuln + variant2=vuln + [ -z "$variant3" ] && variant3=immune + [ -z "$variant3a" ] && variant3a=immune + [ -z "$variant4" ] && variant4=immune + _debug "checking cpu$i: armv7 A8/A9/A12/A17 non affected to variants 3, 3a & 4" +- elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc0f; then ++ elif [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc0f; then + variant1=vuln + variant2=vuln + [ -z "$variant3" ] && variant3=immune + variant3a=vuln + [ -z "$variant4" ] && variant4=immune + _debug "checking cpu$i: armv7 A15 non affected to variants 3 & 4" +- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then ++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd07 -e 0xd08; then + variant1=vuln + variant2=vuln + [ -z "$variant3" ] && variant3=immune + variant3a=vuln + variant4=vuln + _debug "checking cpu$i: armv8 A57/A72 non affected to variants 3" +- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd09; then ++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd09; then + variant1=vuln + variant2=vuln + [ -z "$variant3" ] && variant3=immune + [ -z "$variant3a" ] && variant3a=immune + variant4=vuln + _debug "checking cpu$i: armv8 A73 non affected to variants 
3 & 3a" +- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0a; then ++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0a; then + variant1=vuln + variant2=vuln + variant3=vuln + [ -z "$variant3a" ] && variant3a=immune + variant4=vuln + _debug "checking cpu$i: armv8 A75 non affected to variant 3a" +- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then ++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then + variant1=vuln + [ -z "$variant2" ] && variant2=immune + [ -z "$variant3" ] && variant3=immune +@@ -816,7 +816,7 @@ is_cpu_ssb_free() + if [ "$cpu_family" = "18" ] || \ + [ "$cpu_family" = "17" ] || \ + [ "$cpu_family" = "16" ] || \ +- [ "$cpu_family" = "15" ]; then ++ [ "$cpu_family" = "15" ]; then + return 0 + fi + fi +@@ -910,7 +910,7 @@ while [ -n "${1:-}" ]; do + elif [ "$1" = "--cpu" ]; then + opt_cpu=$2 + if [ "$opt_cpu" != all ]; then +- if echo "$opt_cpu" | grep -Eq '^[0-9]+'; then ++ if echo "$opt_cpu" | @grep@ -Eq '^[0-9]+'; then + opt_cpu=$(( opt_cpu )) + else + echo "$0: error: --cpu should be an integer or 'all', got '$opt_cpu'" >&2 +@@ -961,7 +961,7 @@ while [ -n "${1:-}" ]; do + echo "$0: error: option --cve expects a parameter, supported CVEs are: $supported_cve_list" >&2 + exit 255 + fi +- selected_cve=$(echo "$supported_cve_list" | grep -iwo "$2") ++ selected_cve=$(echo "$supported_cve_list" | @grep@ -iwo "$2") + if [ -n "$selected_cve" ]; then + opt_cve_list="$opt_cve_list $selected_cve" + opt_cve_all=0 +@@ -1166,14 +1166,14 @@ check_kernel() + # a damaged ELF file and validate it, check for stderr warnings too + + # the warning "readelf: Warning: [16]: Link field (0) should index a symtab section./" can appear on valid kernels, ignore it +- _readelf_warnings=$("${opt_arch_prefix}readelf" -S "$_file" 2>&1 >/dev/null | grep -v 'should index a symtab section' | tr "\n" "/"); ret=$? 
+- _readelf_sections=$("${opt_arch_prefix}readelf" -S "$_file" 2>/dev/null | grep -c -e data -e text -e init) +- _kernel_size=$(stat -c %s "$_file" 2>/dev/null || stat -f %z "$_file" 2>/dev/null || echo 10000) ++ _readelf_warnings=$("@readelf@" -S "$_file" 2>&1 >/dev/null | @grep@ -v 'should index a symtab section' | @tr@ "\n" "/"); ret=$? ++ _readelf_sections=$("@readelf@" -S "$_file" 2>/dev/null | @grep@ -c -e data -e text -e init) ++ _kernel_size=$(@stat@ -c %s "$_file" 2>/dev/null || @stat@ -f %z "$_file" 2>/dev/null || echo 10000) + _debug "check_kernel: ret=$? size=$_kernel_size sections=$_readelf_sections warnings=$_readelf_warnings" + if [ "$_mode" = desperate ]; then +- if "${opt_arch_prefix}strings" "$_file" | grep -Eq '^Linux version '; then ++ if "@strings@" "$_file" | @grep@ -Eq '^Linux version '; then + _debug "check_kernel (desperate): ... matched!" +- if [ "$_readelf_sections" = 0 ] && grep -qF -e armv6 -e armv7 "$_file"; then ++ if [ "$_readelf_sections" = 0 ] && @grep@ -qF -e armv6 -e armv7 "$_file"; then + _debug "check_kernel (desperate): raw arm binary found, adjusting objdump options" + objdump_options="-D -b binary -marm" + else +@@ -1206,7 +1206,7 @@ try_decompress() + + # Try to find the header ($1) and decompress from here + _debug "try_decompress: looking for $3 magic in $6" +- for pos in $(tr "$1\n$2" "\n$2=" < "$6" | grep -abo "^$2") ++ for pos in $(@tr@ "$1\n$2" "\n$2=" < "$6" | @grep@ -abo "^$2") + do + _debug "try_decompress: magic for $3 found at offset $pos" + if ! command -v "$3" >/dev/null 2>&1; then +@@ -1233,11 +1233,11 @@ try_decompress() + kernel="$kerneltmp" + _debug "try_decompress: decompressed with $3 successfully!" 
+ return 0 +- elif [ "$3" != "cat" ]; then ++ elif [ "$3" != "@cat@" ]; then + _debug "try_decompress: decompression with $3 worked but result is not a kernel, trying with an offset" +- [ -z "$kerneltmp2" ] && kerneltmp2=$(mktemp -t smc-kernel-XXXXXX) +- cat "$kerneltmp" > "$kerneltmp2" +- try_decompress '\177ELF' xxy 'cat' '' cat "$kerneltmp2" && return 0 ++ [ -z "$kerneltmp2" ] && kerneltmp2=$(@mktemp@ -t smc-kernel-XXXXXX) ++ @cat@ "$kerneltmp" > "$kerneltmp2" ++ try_decompress '\177ELF' xxy '@cat@' '' cat "$kerneltmp2" && return 0 + else + _debug "try_decompress: decompression with $3 worked but result is not a kernel" + fi +@@ -1249,12 +1249,12 @@ extract_kernel() + { + [ -n "${1:-}" ] || return 1 + # Prepare temp files: +- kerneltmp="$(mktemp -t smc-kernel-XXXXXX)" ++ kerneltmp="$(@mktemp@ -t smc-kernel-XXXXXX)" + + # Initial attempt for uncompressed images or objects: + if check_kernel "$1"; then + _debug "extract_kernel: found kernel is valid, no decompression needed" +- cat "$1" > "$kerneltmp" ++ @cat@ "$1" > "$kerneltmp" + kernel=$kerneltmp + return 0 + fi +@@ -1263,14 +1263,14 @@ extract_kernel() + for pass in 1 2; do + for mode in normal desperate; do + _debug "extract_kernel: pass $pass $mode mode" +- try_decompress '\037\213\010' xy gunzip '' gunzip "$1" "$mode" "$pass" && return 0 +- try_decompress '\002\041\114\030' xyy 'lz4' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0 +- try_decompress '\3757zXZ\000' abcde unxz '' xz-utils "$1" "$mode" "$pass" && return 0 +- try_decompress 'BZh' xy bunzip2 '' bzip2 "$1" "$mode" "$pass" && return 0 +- try_decompress '\135\0\0\0' xxx unlzma '' xz-utils "$1" "$mode" "$pass" && return 0 +- try_decompress '\211\114\132' xy 'lzop' '-d' lzop "$1" "$mode" "$pass" && return 0 +- try_decompress '\177ELF' xxy 'cat' '' cat "$1" "$mode" "$pass" && return 0 +- try_decompress '(\265/\375' xxy unzstd '' zstd "$1" "$mode" "$pass" && return 0 ++ try_decompress '\037\213\010' xy @gunzip@ '' gunzip "$1" "$mode" "$pass" && 
return 0 ++ try_decompress '\002\041\114\030' xyy '@lz4@' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0 ++ try_decompress '\3757zXZ\000' abcde @unxz@ '' xz-utils "$1" "$mode" "$pass" && return 0 ++ try_decompress 'BZh' xy @bunzip2@ '' bzip2 "$1" "$mode" "$pass" && return 0 ++ try_decompress '\135\0\0\0' xxx @unlzma@ '' xz-utils "$1" "$mode" "$pass" && return 0 ++ try_decompress '\211\114\132' xy '@lzop@' '-d' lzop "$1" "$mode" "$pass" && return 0 ++ try_decompress '\177ELF' xxy '@cat@' '' cat "$1" "$mode" "$pass" && return 0 ++ try_decompress '(\265/\375' xxy @unzstd@ '' zstd "$1" "$mode" "$pass" && return 0 + done + done + # kernel_err might already have been populated by try_decompress() if we're missing one of the tools +@@ -1287,7 +1287,7 @@ mount_debugfs() + { + if [ ! -e /sys/kernel/debug/sched_features ]; then + # try to mount the debugfs hierarchy ourselves and remember it to umount afterwards +- mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1 ++ @mount@ -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1 + fi + } + +@@ -1298,12 +1298,12 @@ load_msr() + load_msr_once=1 + + if [ "$os" = Linux ]; then +- if ! grep -qw msr "$procfs/modules" 2>/dev/null; then +- modprobe msr 2>/dev/null && insmod_msr=1 ++ if ! @grep@ -qw msr "$procfs/modules" 2>/dev/null; then ++ @modprobe@ msr 2>/dev/null && insmod_msr=1 + _debug "attempted to load module msr, insmod_msr=$insmod_msr" + else + _debug "msr module already loaded" +- fi ++ fi + else + if ! kldstat -q -m cpuctl; then + kldload cpuctl 2>/dev/null && kldload_cpuctl=1 +@@ -1321,12 +1321,12 @@ load_cpuid() + load_cpuid_once=1 + + if [ "$os" = Linux ]; then +- if ! grep -qw cpuid "$procfs/modules" 2>/dev/null; then +- modprobe cpuid 2>/dev/null && insmod_cpuid=1 ++ if ! 
@grep@ -qw cpuid "$procfs/modules" 2>/dev/null; then ++ @modprobe@ cpuid 2>/dev/null && insmod_cpuid=1 + _debug "attempted to load module cpuid, insmod_cpuid=$insmod_cpuid" + else + _debug "cpuid module already loaded" +- fi ++ fi + else + if ! kldstat -q -m cpuctl; then + kldload cpuctl 2>/dev/null && kldload_cpuctl=1 +@@ -1415,7 +1415,7 @@ read_cpuid_one_core() + fi + # on some kernel versions, /dev/cpu/0/cpuid doesn't imply that the cpuid module is loaded, in that case dd returns an error, + # we use that fact to load the module if dd returns an error +- if ! dd if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then ++ if ! @dd@ if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then + load_cpuid + fi + # we need _leaf to be converted to decimal for dd +@@ -1426,14 +1426,14 @@ read_cpuid_one_core() + _ddskip=$(( _position / 16 )) + _odskip=$(( _position - _ddskip * 16 )) + # now read the value +- _cpuid=$(dd if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | od -j $((_odskip * 16)) -A n -t u4) ++ _cpuid=$(@dd@ if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | @od@ -j $((_odskip * 16)) -A n -t u4) + elif [ -e /dev/cpuctl0 ]; then + # BSD + if [ ! 
-r /dev/cpuctl0 ]; then + read_cpuid_msg="Couldn't read cpuid info from cpuctl" + return $READ_CPUID_RET_ERR + fi +- _cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | cut -d: -f2-) ++ _cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | @cut@ -d: -f2-) + # cpuid level 0x4, level_type 0x2: 0x1c004143 0x01c0003f 0x000001ff 0x00000000 + else + read_cpuid_msg="Found no way to read cpuid info" +@@ -1456,7 +1456,7 @@ read_cpuid_one_core() + fi + + # get the value of the register we want +- _reg=$(echo "$_cpuid" | awk '{print $'"$_register"'}') ++ _reg=$(echo "$_cpuid" | @awk@ '{print $'"$_register"'}') + # Linux returns it as decimal, BSD as hex, normalize to decimal + _reg=$(( _reg )) + # shellcheck disable=SC2046 +@@ -1484,11 +1484,11 @@ dmesg_grep() + # grep for something in dmesg, ensuring that the dmesg buffer + # has not been truncated + dmesg_grepped='' +- if ! dmesg | grep -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then ++ if ! 
@dmesg@ | @grep@ -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then + # dmesg truncated + return 2 + fi +- dmesg_grepped=$(dmesg | grep -E "$1" | head -1) ++ dmesg_grepped=$(@dmesg@ | @grep@ -E "$1" | @head@ -1) + # not found: + [ -z "$dmesg_grepped" ] && return 1 + # found, output is in $dmesg_grepped +@@ -1505,12 +1505,12 @@ parse_cpu_details() + { + [ "${parse_cpu_details_done:-}" = 1 ] && return 0 + +- if command -v nproc >/dev/null; then +- number_of_cores=$(nproc) +- elif echo "$os" | grep -q BSD; then +- number_of_cores=$(sysctl -n hw.ncpu 2>/dev/null || echo 1) ++ if command -v @nproc@ >/dev/null; then ++ number_of_cores=$(@nproc@) ++ elif echo "$os" | @grep@ -q BSD; then ++ number_of_cores=$(@sysctl@ -n hw.ncpu 2>/dev/null || echo 1) + elif [ -e "$procfs/cpuinfo" ]; then +- number_of_cores=$(grep -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1) ++ number_of_cores=$(@grep@ -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1) + else + # if we don't know, default to 1 CPU + number_of_cores=1 +@@ -1518,43 +1518,43 @@ parse_cpu_details() + max_core_id=$(( number_of_cores - 1 )) + + if [ -e "$procfs/cpuinfo" ]; then +- cpu_vendor=$( grep '^vendor_id' "$procfs/cpuinfo" | awk '{print $3}' | head -1) +- cpu_friendly_name=$(grep '^model name' "$procfs/cpuinfo" | cut -d: -f2- | head -1 | sed -e 's/^ *//') ++ cpu_vendor=$( @grep@ '^vendor_id' "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1) ++ cpu_friendly_name=$(@grep@ '^model name' "$procfs/cpuinfo" | @cut@ -d: -f2- | @head@ -1 | @sed@ -e 's/^ *//') + # special case for ARM follows +- if grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then ++ if @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then + cpu_vendor='ARM' + # some devices (phones or other) have several ARMs and as such different part numbers, + # an example is "bigLITTLE", so we need to store the whole list, this is needed for is_cpu_affected +- cpu_part_list=$(awk 
'/CPU part/ {print $4}' "$procfs/cpuinfo") +- cpu_arch_list=$(awk '/CPU architecture/ {print $3}' "$procfs/cpuinfo") ++ cpu_part_list=$(@awk@ '/CPU part/ {print $4}' "$procfs/cpuinfo") ++ cpu_arch_list=$(@awk@ '/CPU architecture/ {print $3}' "$procfs/cpuinfo") + # take the first one to fill the friendly name, do NOT quote the vars below + # shellcheck disable=SC2086 +- cpu_arch=$(echo $cpu_arch_list | awk '{ print $1 }') ++ cpu_arch=$(echo $cpu_arch_list | @awk@ '{ print $1 }') + # shellcheck disable=SC2086 +- cpu_part=$(echo $cpu_part_list | awk '{ print $1 }') ++ cpu_part=$(echo $cpu_part_list | @awk@ '{ print $1 }') + [ "$cpu_arch" = "AArch64" ] && cpu_arch=8 + cpu_friendly_name="ARM" + [ -n "$cpu_arch" ] && cpu_friendly_name="$cpu_friendly_name v$cpu_arch" + [ -n "$cpu_part" ] && cpu_friendly_name="$cpu_friendly_name model $cpu_part" + +- elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then ++ elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then + cpu_vendor='CAVIUM' +- elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then ++ elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then + cpu_vendor='PHYTIUM' + fi + +- cpu_family=$( grep '^cpu family' "$procfs/cpuinfo" | awk '{print $4}' | grep -E '^[0-9]+$' | head -1) +- cpu_model=$( grep '^model' "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1) +- cpu_stepping=$(grep '^stepping' "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1) +- cpu_ucode=$( grep '^microcode' "$procfs/cpuinfo" | awk '{print $3}' | head -1) ++ cpu_family=$( @grep@ '^cpu family' "$procfs/cpuinfo" | @awk@ '{print $4}' | @grep@ -E '^[0-9]+$' | @head@ -1) ++ cpu_model=$( @grep@ '^model' "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1) ++ cpu_stepping=$(@grep@ '^stepping' "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1) ++ cpu_ucode=$( 
@grep@ '^microcode' "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1) + else +- cpu_vendor=$( dmesg | grep -i -m1 'Origin=' | cut -f2 -w | cut -f2 -d= | cut -f2 -d\" ) +- cpu_family=$( dmesg | grep -i -m1 'Family=' | cut -f4 -w | cut -f2 -d= ) ++ cpu_vendor=$( @dmesg@ | @grep@ -i -m1 'Origin=' | @cut@ -f2 -w | @cut@ -f2 -d= | @cut@ -f2 -d\" ) ++ cpu_family=$( @dmesg@ | @grep@ -i -m1 'Family=' | @cut@ -f4 -w | @cut@ -f2 -d= ) + cpu_family=$(( cpu_family )) +- cpu_model=$( dmesg | grep -i -m1 'Model=' | cut -f5 -w | cut -f2 -d= ) ++ cpu_model=$( @dmesg@ | @grep@ -i -m1 'Model=' | @cut@ -f5 -w | @cut@ -f2 -d= ) + cpu_model=$(( cpu_model )) +- cpu_stepping=$( dmesg | grep -i -m1 'Stepping=' | cut -f6 -w | cut -f2 -d= ) +- cpu_friendly_name=$(sysctl -n hw.model 2>/dev/null) ++ cpu_stepping=$( @dmesg@ | @grep@ -i -m1 'Stepping=' | @cut@ -f6 -w | @cut@ -f2 -d= ) ++ cpu_friendly_name=$(@sysctl@ -n hw.model 2>/dev/null) + fi + + if [ -n "${SMC_MOCK_CPU_FRIENDLY_NAME:-}" ]; then +@@ -1609,7 +1609,7 @@ parse_cpu_details() + # call CPUID + cpucontrol -i 1 /dev/cpuctl0 >/dev/null + # read MSR +- cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | awk '{print $3}') ++ cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | @awk@ '{print $3}') + # convert to decimal + cpu_ucode=$(( cpu_ucode )) + # convert back to hex +@@ -1628,7 +1628,7 @@ parse_cpu_details() + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CPU_UCODE='$cpu_ucode'") + fi + +- echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$(( cpu_ucode )) ++ echo "$cpu_ucode" | @grep@ -q ^0x && cpu_ucode=$(( cpu_ucode )) + ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid") + + # also define those that we will need in other funcs +@@ -1725,8 +1725,8 @@ is_cpu_smt_enabled() + { + # SMT / HyperThreading is enabled if siblings != cpucores + if [ -e "$procfs/cpuinfo" ]; then +- _siblings=$(awk '/^siblings/ {print $3;exit}' "$procfs/cpuinfo") +- 
_cpucores=$(awk '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo") ++ _siblings=$(@awk@ '/^siblings/ {print $3;exit}' "$procfs/cpuinfo") ++ _cpucores=$(@awk@ '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo") + if [ -n "$_siblings" ] && [ -n "$_cpucores" ]; then + if [ "$_siblings" = "$_cpucores" ]; then + return 1 +@@ -1774,10 +1774,10 @@ is_ucode_blacklisted() + $INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b \ + $INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712 + do +- model=$(echo "$tuple" | cut -d, -f1) +- stepping=$(( $(echo "$tuple" | cut -d, -f2) )) ++ model=$(echo "$tuple" | @cut@ -d, -f1) ++ stepping=$(( $(echo "$tuple" | @cut@ -d, -f2) )) + if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" = "$stepping" ]; then +- ucode=$(( $(echo "$tuple" | cut -d, -f3) )) ++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) )) + if [ "$cpu_ucode" = "$ucode" ]; then + _debug "is_ucode_blacklisted: we have a match! ($cpu_model/$cpu_stepping/$cpu_ucode)" + return 0 +@@ -1865,7 +1865,7 @@ is_xen_dom0() + return 1 + fi + +- if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d" "$procfs/xen/capabilities"; then ++ if [ -e "$procfs/xen/capabilities" ] && @grep@ -q "control_d" "$procfs/xen/capabilities"; then + return 0 + else + return 1 +@@ -1893,13 +1893,13 @@ is_xen_domU() + + if [ -r "$mcedb_cache" ]; then + # we have a local cache file, but it might be older than the builtin version we have +- local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache") ++ local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache") + mcedb_source="$mcedb_cache" + mcedb_info="local firmwares DB $local_dbversion" + fi + read_mcedb() + { +- awk '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source" ++ @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source" + } + + is_latest_known_ucode() +@@ -1920,10 +1920,10 @@ is_latest_known_ucode() + else + return 2 + fi +- for tuple in $(read_mcedb | grep "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")") 
++ for tuple in $(read_mcedb | @grep@ "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")") + do +- ucode=$(( $(echo "$tuple" | cut -d, -f3) )) +- ucode_date=$(echo "$tuple" | cut -d, -f4 | sed -r 's=(....)(..)(..)=\1/\2/\3=') ++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) )) ++ ucode_date=$(echo "$tuple" | @cut@ -d, -f4 | @sed@ -r 's=(....)(..)(..)=\1/\2/\3=') + _debug "is_latest_known_ucode: with cpuid $cpu_cpuid has ucode $cpu_ucode, last known is $ucode from $ucode_date" + ucode_latest=$(printf "latest version is 0x%x dated $ucode_date according to $mcedb_info" "$ucode") + if [ "$cpu_ucode" -ge "$ucode" ]; then +@@ -1948,7 +1948,7 @@ get_cmdline() + kernel_cmdline="$SMC_MOCK_CMDLINE" + return + else +- kernel_cmdline=$(cat "$procfs/cmdline") ++ kernel_cmdline=$(@cat@ "$procfs/cmdline") + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CMDLINE='$kernel_cmdline'") + fi + } +@@ -1956,7 +1956,7 @@ get_cmdline() + # ENTRYPOINT + + # we can't do anything useful under WSL +-if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then ++if @uname@ -a | @grep@ -qE -- '-Microsoft #[0-9]+-Microsoft '; then + _warn "This script doesn't work under Windows Subsystem for Linux" + _warn "You should use the official Microsoft tool instead." 
+ _warn "It can be found under https://aka.ms/SpeculationControlPS" +@@ -2005,15 +2005,15 @@ fi + + # if we're under a BSD, try to mount linprocfs for "$procfs/cpuinfo" + procfs=/proc +-if echo "$os" | grep -q BSD; then ++if echo "$os" | @grep@ -q BSD; then + _debug "We're under BSD, check if we have procfs" +- procfs=$(mount | awk '/^linprocfs/ { print $3; exit; }') ++ procfs=$(@mount@ | @awk@ '/^linprocfs/ { print $3; exit; }') + if [ -z "$procfs" ]; then + _debug "we don't, try to mount it" + procfs=/proc + [ -d /compat/linux/proc ] && procfs=/compat/linux/proc + test -d $procfs || mkdir $procfs +- if mount -t linprocfs linprocfs $procfs 2>/dev/null; then ++ if @mount@ -t linprocfs linprocfs $procfs 2>/dev/null; then + mounted_procfs=1 + _debug "procfs just mounted at $procfs" + else +@@ -2045,14 +2045,14 @@ fi + + if [ "$opt_live" = 1 ]; then + # root check (only for live mode, for offline mode, we already checked if we could read the files) +- if [ "$(id -u)" -ne 0 ]; then ++ if [ "$(@id@ -u)" -ne 0 ]; then + _warn "Note that you should launch this script with root privileges to get accurate information." + _warn "We'll proceed but you might see permission denied errors." 
+ _warn "To run it as root, you can try the following command: sudo $0" + _warn + fi + _info "Checking for vulnerabilities on current system" +- _info "Kernel is \033[35m$os $(uname -r) $(uname -v) $(uname -m)\033[0m" ++ _info "Kernel is \033[35m$os $(@uname@ -r) $(@uname@ -v) $(@uname@ -m)\033[0m" + _info "CPU is \033[35m$cpu_friendly_name\033[0m" + + # try to find the image of the current running kernel +@@ -2060,12 +2060,12 @@ if [ "$opt_live" = 1 ]; then + # specified by user on cmdline, with --live, don't override + : + # first, look for the BOOT_IMAGE hint in the kernel cmdline +- elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then +- opt_kernel=$(echo "$kernel_cmdline" | grep -Eo 'BOOT_IMAGE=[^ ]+' | cut -d= -f2) ++ elif echo "$kernel_cmdline" | @grep@ -q 'BOOT_IMAGE='; then ++ opt_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo 'BOOT_IMAGE=[^ ]+' | @cut@ -d= -f2) + _debug "found opt_kernel=$opt_kernel in $procfs/cmdline" + # if the boot partition is within a btrfs subvolume, strip the subvolume name + # if /boot is a separate subvolume, the remainder of the code in this section should handle it +- if echo "$opt_kernel" | grep -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi ++ if echo "$opt_kernel" | @grep@ -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | @sed@ "s:/@[^/]*::"); fi + # if we have a dedicated /boot partition, our bootloader might have just called it / + # so try to prepend /boot and see if we find anything + [ -e "/boot/$opt_kernel" ] && opt_kernel="/boot/$opt_kernel" +@@ -2077,7 +2077,7 @@ if [ "$opt_live" = 1 ]; then + # if we didn't find a kernel, default to guessing + if [ ! 
-e "$opt_kernel" ]; then + # Fedora: +- [ -e "/lib/modules/$(uname -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(uname -r)/vmlinuz" ++ [ -e "/lib/modules/$(@uname@ -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(@uname@ -r)/vmlinuz" + # Slackware: + [ -e "/boot/vmlinuz" ] && opt_kernel="/boot/vmlinuz" + # Arch aarch64: +@@ -2091,24 +2091,24 @@ if [ "$opt_live" = 1 ]; then + # pine64 + [ -e "/boot/pine64/Image" ] && opt_kernel="/boot/pine64/Image" + # generic: +- [ -e "/boot/vmlinuz-$(uname -r)" ] && opt_kernel="/boot/vmlinuz-$(uname -r)" +- [ -e "/boot/kernel-$( uname -r)" ] && opt_kernel="/boot/kernel-$( uname -r)" +- [ -e "/boot/bzImage-$(uname -r)" ] && opt_kernel="/boot/bzImage-$(uname -r)" ++ [ -e "/boot/vmlinuz-$(@uname@ -r)" ] && opt_kernel="/boot/vmlinuz-$(@uname@ -r)" ++ [ -e "/boot/kernel-$( @uname@ -r)" ] && opt_kernel="/boot/kernel-$( @uname@ -r)" ++ [ -e "/boot/bzImage-$(@uname@ -r)" ] && opt_kernel="/boot/bzImage-$(@uname@ -r)" + # Gentoo: +- [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ++ [ -e "/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)" ] && opt_kernel="/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)" + # NixOS: + [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel" + # Guix System: + [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage" + # systemd kernel-install: +- [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ++ [ -e "/etc/machine-id" ] && [ -e "/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux" ] && opt_kernel="/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux" + # Clear Linux: +- str_uname=$(uname -r) ++ str_uname=$(@uname@ -r) + clear_linux_kernel="/lib/kernel/org.clearlinux.${str_uname##*.}.${str_uname%.*}" + [ -e "$clear_linux_kernel" ] && opt_kernel=$clear_linux_kernel + # Custom Arch seems to 
have the kernel path in its cmdline in the form "\directory\kernelimage", + # with actual \'s instead of /'s: +- custom_arch_kernel=$(echo "$kernel_cmdline" | grep -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d '[:space:]') ++ custom_arch_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | @tr@ "\\\\" "/" | @tr@ -d '[:space:]') + if [ -n "$custom_arch_kernel" ] && [ -e "$custom_arch_kernel" ]; then + opt_kernel="$custom_arch_kernel" + fi +@@ -2122,12 +2122,12 @@ if [ "$opt_live" = 1 ]; then + : + elif [ -e "$procfs/kallsyms" ] ; then + opt_map="$procfs/kallsyms" +- elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then +- opt_map="/lib/modules/$(uname -r)/System.map" +- elif [ -e "/boot/System.map-$(uname -r)" ] ; then +- opt_map="/boot/System.map-$(uname -r)" +- elif [ -e "/lib/kernel/System.map-$(uname -r)" ]; then +- opt_map="/lib/kernel/System.map-$(uname -r)" ++ elif [ -e "/lib/modules/$(@uname@ -r)/System.map" ] ; then ++ opt_map="/lib/modules/$(@uname@ -r)/System.map" ++ elif [ -e "/boot/System.map-$(@uname@ -r)" ] ; then ++ opt_map="/boot/System.map-$(@uname@ -r)" ++ elif [ -e "/lib/kernel/System.map-$(@uname@ -r)" ]; then ++ opt_map="/lib/kernel/System.map-$(@uname@ -r)" + fi + + # config +@@ -2135,18 +2135,18 @@ if [ "$opt_live" = 1 ]; then + # specified by user on cmdline, with --live, don't override + : + elif [ -e "$procfs/config.gz" ] ; then +- dumped_config="$(mktemp -t smc-config-XXXXXX)" +- gunzip -c "$procfs/config.gz" > "$dumped_config" ++ dumped_config="$(@mktemp@ -t smc-config-XXXXXX)" ++ @gunzip@ -c "$procfs/config.gz" > "$dumped_config" + # dumped_config will be deleted at the end of the script + opt_config="$dumped_config" +- elif [ -e "/lib/modules/$(uname -r)/config" ]; then +- opt_config="/lib/modules/$(uname -r)/config" +- elif [ -e "/boot/config-$(uname -r)" ]; then +- opt_config="/boot/config-$(uname -r)" +- elif [ -e "/etc/kernels/kernel-config-$(uname -m)-$(uname -r)" ]; then +- 
opt_config="/etc/kernels/kernel-config-$(uname -m)-$(uname -r)" +- elif [ -e "/lib/kernel/config-$(uname -r)" ]; then +- opt_config="/lib/kernel/config-$(uname -r)" ++ elif [ -e "/lib/modules/$(@uname@ -r)/config" ]; then ++ opt_config="/lib/modules/$(@uname@ -r)/config" ++ elif [ -e "/boot/config-$(@uname@ -r)" ]; then ++ opt_config="/boot/config-$(@uname@ -r)" ++ elif [ -e "/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)" ]; then ++ opt_config="/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)" ++ elif [ -e "/lib/kernel/config-$(@uname@ -r)" ]; then ++ opt_config="/lib/kernel/config-$(@uname@ -r)" + fi + else + _info "Checking for vulnerabilities against specified kernel" +@@ -2161,7 +2161,7 @@ else + fi + + if [ "$os" = Linux ]; then +- if [ -n "$opt_config" ] && ! grep -q '^CONFIG_' "$opt_config"; then ++ if [ -n "$opt_config" ] && ! @grep@ -q '^CONFIG_' "$opt_config"; then + # given file is invalid! + _warn "The kernel config file seems invalid, was expecting a plain-text file, ignoring it!" + opt_config='' +@@ -2189,7 +2189,7 @@ if [ "$os" = Linux ]; then + fi + + if [ -e "$opt_kernel" ]; then +- if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then ++ if ! 
command -v "@readelf@" >/dev/null 2>&1; then + _debug "readelf not found" + kernel_err="missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the 'binutils' package" + elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ]; then +@@ -2207,20 +2207,20 @@ else + # vanilla kernels have with ^Linux version + # also try harder with some kernels (such as Red Hat) that don't have ^Linux version before their version string + # and check for FreeBSD +- kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E \ ++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E \ + -e '^Linux version ' \ + -e '^[[:alnum:]][^[:space:]]+ \([^[:space:]]+\) #[0-9]+ .+ (19|20)[0-9][0-9]$' \ +- -e '^FreeBSD [0-9]' | head -1) ++ -e '^FreeBSD [0-9]' | @head@ -1) + if [ -z "$kernel_version" ]; then + # try even harder with some kernels (such as ARM) that split the release (uname -r) and version (uname -v) in 2 adjacent strings +- kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | tr "\n" " ") ++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | @tr@ "\n" " ") + fi + if [ -n "$kernel_version" ]; then + # in live mode, check if the img we found is the correct one + if [ "$opt_live" = 1 ]; then + _verbose "Kernel image is \033[35m$kernel_version" +- if ! echo "$kernel_version" | grep -qF "$(uname -r)"; then +- _warn "Possible discrepancy between your running kernel '$(uname -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect" ++ if ! 
echo "$kernel_version" | @grep@ -qF "$(@uname@ -r)"; then ++ _warn "Possible discrepancy between your running kernel '$(@uname@ -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect" + fi + else + _info "Kernel image is \033[35m$kernel_version" +@@ -2248,11 +2248,11 @@ sys_interface_check() + if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r "$file" ]; then + : + else +- mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")_RET=1") ++ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")_RET=1") + return 1 + fi + +- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")_RET" ++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")_RET" + # shellcheck disable=SC2086,SC1083 + if [ -n "$(eval echo \${$_mockvarname:-})" ]; then + _debug "sysfs: MOCKING enabled for $file func returns $(eval echo \$$_mockvarname)" +@@ -2261,17 +2261,17 @@ sys_interface_check() + fi + + [ -n "$regex" ] || regex='.*' +- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")" ++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")" + # shellcheck disable=SC2086,SC1083 + if [ -n "$(eval echo \${$_mockvarname:-})" ]; then + fullmsg="$(eval echo \$$_mockvarname)" +- msg=$(echo "$fullmsg" | grep -Eo "$regex") ++ msg=$(echo "$fullmsg" | @grep@ -Eo "$regex") + _debug "sysfs: MOCKING enabled for $file, will return $fullmsg" + mocked=1 + else +- fullmsg=$(cat "$file") +- msg=$(grep -Eo "$regex" "$file") +- mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")='$fullmsg'") ++ fullmsg=$(@cat@ "$file") ++ msg=$(@grep@ -Eo "$regex" "$file") ++ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")='$fullmsg'") + fi + if [ "$mode" = silent ]; then + return 0 +@@ -2280,15 +2280,15 @@ sys_interface_check() + return 0 + fi + _info_nol "* Mitigated according to the /sys interface: " +- if echo "$msg" | grep -qi '^not affected'; then ++ if echo "$msg" | @grep@ -qi '^not affected'; then + # Not affected + status=OK 
+ pstatus green YES "$fullmsg" +- elif echo "$msg" | grep -qEi '^(kvm: )?mitigation'; then ++ elif echo "$msg" | @grep@ -qEi '^(kvm: )?mitigation'; then + # Mitigation: PTI + status=OK + pstatus green YES "$fullmsg" +- elif echo "$msg" | grep -qi '^vulnerable'; then ++ elif echo "$msg" | @grep@ -qi '^vulnerable'; then + # Vulnerable + status=VULN + pstatus yellow NO "$fullmsg" +@@ -2376,20 +2376,20 @@ write_msr_one_core() + # ret=4: msr doesn't exist, ret=127: msr.allow_writes=off + [ "$ret" = 127 ] && _write_denied=1 + # or fallback to dd if it supports seek_bytes, we prefer it over perl because we can tell the difference between EPERM and EIO +- elif dd if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then ++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then + _debug "write_msr: using dd" +- dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$? ++ @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$? + # if it failed, inspect stderrto look for EPERM + if [ "$ret" != 0 ]; then +- if dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then ++ if @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | @grep@ -qF 'Operation not permitted'; then + _write_denied=1 + fi + fi + # or if we have perl, use it, any 5.x version will work +- elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then ++ elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then + _debug "write_msr: using perl" + ret=1 +- perl -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? 
-eq 8 ] && ret=0 ++ @perl@ -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0 + else + _debug "write_msr: got no wrmsr, perl or recent enough dd!" + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR") +@@ -2411,13 +2411,13 @@ write_msr_one_core() + msr_locked_down=1 + write_msr_msg="your kernel is configured to deny writes to MSRs from user space" + return $WRITE_MSR_RET_LOCKDOWN +- elif dmesg | grep -qF "msr: Direct access to MSR"; then ++ elif @dmesg@ | @grep@ -qF "msr: Direct access to MSR"; then + _debug "write_msr: locked down kernel detected (Red Hat / Fedora)" + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN") + msr_locked_down=1 + write_msr_msg="your kernel is locked down (Fedora/Red Hat), please reboot without secure boot and retry" + return $WRITE_MSR_RET_LOCKDOWN +- elif dmesg | grep -qF "raw MSR access is restricted"; then ++ elif @dmesg@ | @grep@ -qF "raw MSR access is restricted"; then + _debug "write_msr: locked down kernel detected (vanilla)" + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN") + msr_locked_down=1 +@@ -2516,8 +2516,8 @@ read_msr_one_core() + return $READ_MSR_RET_KO + fi + # MSR 0x10: 0x000003e1 0xb106dded +- _msr_h=$(echo "$_msr" | awk '{print $3}'); +- _msr_l=$(echo "$_msr" | awk '{print $4}'); ++ _msr_h=$(echo "$_msr" | @awk@ '{print $3}'); ++ _msr_l=$(echo "$_msr" | @awk@ '{print $4}'); + read_msr_value=$(( _msr_h << 32 | _msr_l )) + else + # for Linux +@@ -2528,15 +2528,15 @@ read_msr_one_core() + # if rdmsr is available, use it + elif command -v rdmsr >/dev/null 2>&1 && [ "${SMC_NO_RDMSR:-}" != 1 ]; then + _debug "read_msr: using rdmsr on $_msr" +- read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | od -t u8 -A n) ++ read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | @od@ -t u8 -A n) + # or if we have perl, use it, any 5.x version will work +- elif 
command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then ++ elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then + _debug "read_msr: using perl on $_msr" +- read_msr_value=$(perl -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | od -t u8 -A n) ++ read_msr_value=$(@perl@ -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | @od@ -t u8 -A n) + # fallback to dd if it supports skip_bytes +- elif dd if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then ++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then + _debug "read_msr: using dd on $_msr" +- read_msr_value=$(dd if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8 -A n) ++ read_msr_value=$(@dd@ if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | @od@ -t u8 -A n) + else + _debug "read_msr: got no rdmsr, perl or recent enough dd!" + mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR") +@@ -2560,7 +2560,7 @@ check_cpu() + { + _info "\033[1;34mHardware check\033[0m" + +- if ! uname -m | grep -qwE 'x86_64|i[3-6]86|amd64'; then ++ if ! @uname@ -m | @grep@ -qwE 'x86_64|i[3-6]86|amd64'; then + return + fi + +@@ -3176,19 +3176,19 @@ check_redhat_canonical_spectre() + # if we were already called, don't do it again + [ -n "${redhat_canonical_spectre:-}" ] && return + +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! 
command -v "@strings@" >/dev/null 2>&1; then + redhat_canonical_spectre=-1 + elif [ -n "$kernel_err" ]; then + redhat_canonical_spectre=-2 + else + # Red Hat / Ubuntu specific variant1 patch is difficult to detect, + # let's use the two same tricks than the official Red Hat detection script uses: +- if "${opt_arch_prefix}strings" "$kernel" | grep -qw noibrs && "${opt_arch_prefix}strings" "$kernel" | grep -qw noibpb; then ++ if "@strings@" "$kernel" | @grep@ -qw noibrs && "@strings@" "$kernel" | @grep@ -qw noibpb; then + # 1) detect their specific variant2 patch. If it's present, it means + # that the variant1 patch is also present (both were merged at the same time) + _debug "found redhat/canonical version of the variant2 patch (implies variant1)" + redhat_canonical_spectre=1 +- elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'x86/pti:'; then ++ elif "@strings@" "$kernel" | @grep@ -q 'x86/pti:'; then + # 2) detect their specific variant3 patch. If it's present, but the variant2 + # is not, it means that only variant1 is present in addition to variant3 + _debug "found redhat/canonical version of the variant3 patch (implies variant1 but not variant2)" +@@ -3213,13 +3213,13 @@ check_has_vmm() + # If we find no evidence that this is the case, assume we're not (to avoid scaring users), + # this can always be overridden with --vmm in any case. 
+ has_vmm=0 +- if command -v pgrep >/dev/null 2>&1; then ++ if command -v @pgrep@ >/dev/null 2>&1; then + # remove xenbus and xenwatch, also present inside domU + # remove libvirtd as it can also be used to manage containers and not VMs + # for each binary we want to grep, get the pids + for _binary in qemu kvm xenstored xenconsoled + do +- for _pid in $(pgrep -x $_binary) ++ for _pid in $(@pgrep@ -x $_binary) + do + # resolve the exe symlink, if it doesn't resolve with -m, + # which doesn't even need the dest to exist, it means the symlink +@@ -3235,7 +3235,7 @@ check_has_vmm() + else + # ignore SC2009 as `ps ax` is actually used as a fallback if `pgrep` isn't installed + # shellcheck disable=SC2009 +- if command -v ps >/devnull && ps ax | grep -vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then ++ if command -v ps >/devnull && ps ax | @grep@ -vw grep | @grep@ -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then + has_vmm=1 + fi + fi +@@ -3267,7 +3267,7 @@ check_CVE_2017_5753() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2017_5753_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2017_5753_bsd + else + _warn "Unsupported OS ($os)" +@@ -3319,20 +3319,20 @@ check_CVE_2017_5753_linux() + v1_mask_nospec='' + if [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "couldn't check ($kernel_err)" +- elif ! command -v perl >/dev/null 2>&1; then ++ elif ! command -v @perl@ >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing 'perl' binary, please install it" + else +- perl -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$? ++ @perl@ -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$? 
+ if [ $ret -gt 0 ]; then + pstatus green YES "$ret occurrence(s) found of x86 64 bits array_index_mask_nospec()" + v1_mask_nospec="x86 64 bits array_index_mask_nospec" + else +- perl -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$? ++ @perl@ -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$? + if [ $ret -gt 0 ]; then + pstatus green YES "$ret occurrence(s) found of x86 32 bits array_index_mask_nospec()" + v1_mask_nospec="x86 32 bits array_index_mask_nospec" + else +- ret=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" | grep -w -e f3af8014 -e e320f014 -B2 | grep -B1 -w sbc | grep -w -c cmp) ++ ret=$("@objdump@" $objdump_options "$kernel" | @grep@ -w -e f3af8014 -e e320f014 -B2 | @grep@ -B1 -w sbc | @grep@ -w -c cmp) + if [ "$ret" -gt 0 ]; then + pstatus green YES "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()" + v1_mask_nospec="arm 32 bits array_index_mask_nospec" +@@ -3376,12 +3376,12 @@ check_CVE_2017_5753_linux() + pstatus yellow NO + elif [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "couldn't check ($kernel_err)" +- elif ! command -v perl >/dev/null 2>&1; then ++ elif ! command -v @perl@ >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing 'perl' binary, please install it" +- elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then ++ elif ! command -v "@objdump@" >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package" + else +- "${opt_arch_prefix}objdump" $objdump_options "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$? 
++ "@objdump@" $objdump_options "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$? + if [ "$ret" -eq 9 ]; then + pstatus green YES "mask_nospec64 macro is present and used" + v1_mask_nospec="arm64 mask_nospec64" +@@ -3403,12 +3403,12 @@ check_CVE_2017_5753_linux() + pstatus yellow NO + elif [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "couldn't check ($kernel_err)" +- elif ! command -v perl >/dev/null 2>&1; then ++ elif ! command -v @perl@ >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing 'perl' binary, please install it" +- elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then ++ elif ! command -v "@objdump@" >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package" + else +- "${opt_arch_prefix}objdump" -d "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$? ++ "@objdump@" -d "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$? + if [ "$ret" -eq 9 ]; then + pstatus green YES "array_index_nospec macro is present and used" + v1_mask_nospec="arm64 array_index_nospec" +@@ -3424,7 +3424,7 @@ check_CVE_2017_5753_linux() + if [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "couldn't check ($kernel_err)" + else +- if ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then ++ if ! 
command -v "@objdump@" >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package" + else + # here we disassemble the kernel and count the number of occurrences of the LFENCE opcode +@@ -3434,7 +3434,7 @@ check_CVE_2017_5753_linux() + # so let's push the threshold to 70. + # v0.33+: now only count lfence opcodes after a jump, way less error-prone + # non patched kernel have between 0 and 20 matches, patched ones have at least 40-45 +- nb_lfence=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence | grep -Ewc 'jmp|jne|je') ++ nb_lfence=$("@objdump@" $objdump_options "$kernel" 2>/dev/null | @grep@ -w -B1 lfence | @grep@ -Ewc 'jmp|jne|je') + if [ "$nb_lfence" -lt 30 ]; then + pstatus yellow NO "only $nb_lfence jump-then-lfence instructions found, should be >= 30 (heuristic)" + else +@@ -3505,7 +3505,7 @@ check_CVE_2017_5715() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2017_5715_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2017_5715_bsd + else + _warn "Unsupported OS ($os)" +@@ -3547,13 +3547,13 @@ check_CVE_2017_5715_linux() + # /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed + specex_knob_dir=$dir + ibrs_supported="$dir/ibrs_enabled exists" +- ibrs_enabled=$(cat "$dir/ibrs_enabled" 2>/dev/null) ++ ibrs_enabled=$(@cat@ "$dir/ibrs_enabled" 2>/dev/null) + _debug "ibrs: found $dir/ibrs_enabled=$ibrs_enabled" + # if ibrs_enabled is there, ibpb_enabled will be in the same dir + if [ -e "$dir/ibpb_enabled" ]; then + # if the file is there, we have IBPB compiled-in (see note above for IBRS) + ibpb_supported="$dir/ibpb_enabled exists" +- ibpb_enabled=$(cat "$dir/ibpb_enabled" 2>/dev/null) ++ ibpb_enabled=$(@cat@ "$dir/ibpb_enabled" 2>/dev/null) + _debug "ibpb: found $dir/ibpb_enabled=$ibpb_enabled" + else + _debug "ibpb: $dir/ibpb_enabled file 
doesn't exist" +@@ -3568,7 +3568,7 @@ check_CVE_2017_5715_linux() + # which in that case means ibrs is supported *and* enabled for kernel & user + # as per the ibrs patch series v3 + if [ -z "$ibrs_supported" ]; then +- if grep ^flags "$procfs/cpuinfo" | grep -qw spec_ctrl_ibrs; then ++ if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw spec_ctrl_ibrs; then + _debug "ibrs: found spec_ctrl_ibrs flag in $procfs/cpuinfo" + ibrs_supported="spec_ctrl_ibrs flag in $procfs/cpuinfo" + # enabled=2 -> kernel & user +@@ -3578,13 +3578,13 @@ check_CVE_2017_5715_linux() + fi + if [ -n "$fullmsg" ]; then + # when IBPB is enabled on 4.15+, we can see it in sysfs +- if echo "$fullmsg" | grep -q 'IBPB'; then ++ if echo "$fullmsg" | @grep@ -q 'IBPB'; then + _debug "ibpb: found enabled in sysfs" + [ -z "$ibpb_supported" ] && ibpb_supported='IBPB found enabled in sysfs' + [ -z "$ibpb_enabled" ] && ibpb_enabled=1 + fi + # when IBRS_FW is enabled on 4.15+, we can see it in sysfs +- if echo "$fullmsg" | grep -q ', IBRS_FW'; then ++ if echo "$fullmsg" | @grep@ -q ', IBRS_FW'; then + _debug "ibrs: found IBRS_FW in sysfs" + [ -z "$ibrs_supported" ] && ibrs_supported='found IBRS_FW in sysfs' + ibrs_fw_enabled=1 +@@ -3592,13 +3592,13 @@ check_CVE_2017_5715_linux() + # when IBRS is enabled on 4.15+, we can see it in sysfs + # on a more recent kernel, classic "IBRS" is not even longer an option, because of the performance impact. 
+ # only "Enhanced IBRS" is available (on CPUs with the IBRS_ALL flag) +- if echo "$fullmsg" | grep -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then ++ if echo "$fullmsg" | @grep@ -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then + _debug "ibrs: found IBRS in sysfs" + [ -z "$ibrs_supported" ] && ibrs_supported='found IBRS in sysfs' + [ -z "$ibrs_enabled" ] && ibrs_enabled=3 + fi + # checking for 'Enhanced IBRS' in sysfs, enabled on CPUs with IBRS_ALL +- if echo "$fullmsg" | grep -q -e 'Enhanced IBRS'; then ++ if echo "$fullmsg" | @grep@ -q -e 'Enhanced IBRS'; then + [ -z "$ibrs_supported" ] && ibrs_supported='found Enhanced IBRS in sysfs' + # 4 isn't actually a valid value of the now extinct "ibrs_enabled" flag file, + # that only went from 0 to 3, so we use 4 as "enhanced ibrs is enabled" +@@ -3617,11 +3617,11 @@ check_CVE_2017_5715_linux() + fi + fi + if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! 
command -v "@strings@" >/dev/null 2>&1; then + : + else + ibrs_can_tell=1 +- ibrs_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1) ++ ibrs_supported=$("@strings@" "$kernel" | @grep@ -Fw -e ', IBRS_FW' | @head@ -1) + if [ -n "$ibrs_supported" ]; then + _debug "ibrs: found ibrs evidence in kernel image ($ibrs_supported)" + ibrs_supported="found '$ibrs_supported' in kernel image" +@@ -3630,7 +3630,7 @@ check_CVE_2017_5715_linux() + fi + if [ -z "$ibrs_supported" ] && [ -n "$opt_map" ]; then + ibrs_can_tell=1 +- if grep -q spec_ctrl "$opt_map"; then ++ if @grep@ -q spec_ctrl "$opt_map"; then + ibrs_supported="found spec_ctrl in symbols file" + _debug "ibrs: found '*spec_ctrl*' symbol in $opt_map" + fi +@@ -3638,11 +3638,11 @@ check_CVE_2017_5715_linux() + # recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat + # we can detect it directly in the image + if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! 
command -v "@strings@" >/dev/null 2>&1; then + : + else + ibpb_can_tell=1 +- ibpb_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1) ++ ibpb_supported=$("@strings@" "$kernel" | @grep@ -Fw -e 'ibpb' -e ', IBPB' | @head@ -1) + if [ -n "$ibpb_supported" ]; then + _debug "ibpb: found ibpb evidence in kernel image ($ibpb_supported)" + ibpb_supported="found '$ibpb_supported' in kernel image" +@@ -3691,9 +3691,9 @@ check_CVE_2017_5715_linux() + 2) if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel, user space, and firmware code" ; else pstatus green YES "for both kernel and user space"; fi;; + 3) if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and firmware code"; else pstatus green YES; fi;; + 4) pstatus green YES "Enhanced flavor, performance impact will be greatly reduced";; +- *) if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ]; +- then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS"; +- else ++ *) if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ]; ++ then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS"; ++ else + pstatus yellow UNKNOWN; fi;; + esac + fi +@@ -3744,7 +3744,7 @@ check_CVE_2017_5715_linux() + bp_harden='' + if [ -r "$opt_config" ]; then + bp_harden_can_tell=1 +- bp_harden=$(grep -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config") ++ bp_harden=$(@grep@ -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config") + if [ -n "$bp_harden" ]; then + pstatus green YES + _debug "bp_harden: found '$bp_harden' in $opt_config" +@@ -3752,7 +3752,7 @@ check_CVE_2017_5715_linux() + fi + if [ -z "$bp_harden" ] && [ -n "$opt_map" ]; then + bp_harden_can_tell=1 +- bp_harden=$(grep -w bp_hardening_data "$opt_map") ++ bp_harden=$(@grep@ -w bp_hardening_data "$opt_map") + if [ -n "$bp_harden" ]; then + pstatus green YES + _debug 
"bp_harden: found '$bp_harden' in $opt_map" +@@ -3770,11 +3770,11 @@ check_CVE_2017_5715_linux() + # We check the RETPOLINE kernel options + retpoline=0 + if [ -r "$opt_config" ]; then +- if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then ++ if @grep@ -q '^CONFIG_RETPOLINE=y' "$opt_config"; then + pstatus green YES + retpoline=1 + # shellcheck disable=SC2046 +- _debug 'retpoline: found '$(grep '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config" ++ _debug 'retpoline: found '$(@grep@ '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config" + else + pstatus yellow NO + fi +@@ -3795,8 +3795,8 @@ check_CVE_2017_5715_linux() + # since 5.15.28, this is now "Retpolines" as the implementation was switched to a generic one, + # so we look for both "retpoline" and "retpolines" + if [ "$opt_live" = 1 ] && [ -n "$fullmsg" ]; then +- if echo "$fullmsg" | grep -qwi -e retpoline -e retpolines; then +- if echo "$fullmsg" | grep -qwi minimal; then ++ if echo "$fullmsg" | @grep@ -qwi -e retpoline -e retpolines; then ++ if echo "$fullmsg" | @grep@ -qwi minimal; then + retpoline_compiler=0 + retpoline_compiler_reason="kernel reports minimal retpoline compilation" + else +@@ -3806,19 +3806,19 @@ check_CVE_2017_5715_linux() + fi + elif [ -n "$opt_map" ]; then + # look for the symbol +- if grep -qw noretpoline_setup "$opt_map"; then ++ if @grep@ -qw noretpoline_setup "$opt_map"; then + retpoline_compiler=1 + retpoline_compiler_reason="noretpoline_setup symbol found in System.map" + fi + elif [ -n "$kernel" ]; then + # look for the symbol +- if command -v "${opt_arch_prefix}nm" >/dev/null 2>&1; then ++ if command -v "@nm@" >/dev/null 2>&1; then + # the proper way: use nm and look for the symbol +- if "${opt_arch_prefix}nm" "$kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then ++ if "@nm@" "$kernel" 2>/dev/null | @grep@ -qw 'noretpoline_setup'; then + retpoline_compiler=1 + retpoline_compiler_reason="noretpoline_setup found in kernel symbols" + fi +- elif grep -q noretpoline_setup 
"$kernel"; then ++ elif @grep@ -q noretpoline_setup "$kernel"; then + # if we don't have nm, nevermind, the symbol name is long enough to not have + # any false positive using good old grep directly on the binary + retpoline_compiler=1 +@@ -3847,7 +3847,7 @@ check_CVE_2017_5715_linux() + retp_enabled=-1 + if [ "$opt_live" = 1 ]; then + if [ -e "$specex_knob_dir/retp_enabled" ]; then +- retp_enabled=$(cat "$specex_knob_dir/retp_enabled" 2>/dev/null) ++ retp_enabled=$(@cat@ "$specex_knob_dir/retp_enabled" 2>/dev/null) + _debug "retpoline: found $specex_knob_dir/retp_enabled=$retp_enabled" + _info_nol " * Retpoline is enabled: " + if [ "$retp_enabled" = 1 ]; then +@@ -3877,7 +3877,7 @@ check_CVE_2017_5715_linux() + rsb_filling=0 + if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then + # if we're live and we aren't denied looking into /sys, let's do it +- if echo "$msg" | grep -qw RSB; then ++ if echo "$msg" | @grep@ -qw RSB; then + rsb_filling=1 + pstatus green YES + fi +@@ -3886,7 +3886,7 @@ check_CVE_2017_5715_linux() + if [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "couldn't check ($kernel_err)" + else +- if grep -qw -e 'Filling RSB on context switch' "$kernel"; then ++ if @grep@ -qw -e 'Filling RSB on context switch' "$kernel"; then + rsb_filling=1 + pstatus green YES + else +@@ -4048,7 +4048,7 @@ check_CVE_2017_5715_bsd() + { + _info "* Mitigation 1" + _info_nol " * Kernel supports IBRS: " +- ibrs_disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null) ++ ibrs_disabled=$(@sysctl@ -n hw.ibrs_disable 2>/dev/null) + if [ -z "$ibrs_disabled" ]; then + pstatus yellow NO + else +@@ -4056,7 +4056,7 @@ check_CVE_2017_5715_bsd() + fi + + _info_nol " * IBRS enabled and active: " +- ibrs_active=$(sysctl -n hw.ibrs_active 2>/dev/null) ++ ibrs_active=$(@sysctl@ -n hw.ibrs_active 2>/dev/null) + if [ "$ibrs_active" = 1 ]; then + pstatus green YES + else +@@ -4069,10 +4069,10 @@ check_CVE_2017_5715_bsd() + if [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "couldn't 
check ($kernel_err)" + else +- if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then ++ if ! command -v "@readelf@" >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the binutils package" + else +- nb_thunks=$("${opt_arch_prefix}readelf" -s "$kernel" | grep -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_) ++ nb_thunks=$("@readelf@" -s "$kernel" | @grep@ -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_) + if [ "$nb_thunks" -gt 0 ]; then + retpoline=1 + pstatus green YES "found $nb_thunks thunk(s)" +@@ -4113,7 +4113,7 @@ check_CVE_2017_5715_bsd() + pti_performance_check() + { + _info_nol " * Reduced performance impact of PTI: " +- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw pcid; then ++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pcid; then + cpu_pcid=1 + else + read_cpuid 0x1 0x0 $ECX 17 1 1; ret=$? +@@ -4122,7 +4122,7 @@ pti_performance_check() + fi + fi + +- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw invpcid; then ++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw invpcid; then + cpu_invpcid=1 + else + read_cpuid 0x7 0x0 $EBX 10 1 1; ret=$? 
+@@ -4147,7 +4147,7 @@ check_CVE_2017_5754() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2017_5754_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2017_5754_bsd + else + _warn "Unsupported OS ($os)" +@@ -4169,7 +4169,7 @@ check_CVE_2017_5754_linux() + kpti_can_tell=0 + if [ -n "$opt_config" ]; then + kpti_can_tell=1 +- kpti_support=$(grep -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config") ++ kpti_support=$(@grep@ -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config") + if [ -n "$kpti_support" ]; then + _debug "kpti_support: found option '$kpti_support' in $opt_config" + fi +@@ -4179,7 +4179,7 @@ check_CVE_2017_5754_linux() + # so we try to find an exported symbol that is part of the PTI patch in System.map + # parse_kpti: arm + kpti_can_tell=1 +- kpti_support=$(grep -w -e kpti_force_enabled -e parse_kpti "$opt_map") ++ kpti_support=$(@grep@ -w -e kpti_force_enabled -e parse_kpti "$opt_map") + if [ -n "$kpti_support" ]; then + _debug "kpti_support: found '$kpti_support' in $opt_map" + fi +@@ -4189,10 +4189,10 @@ check_CVE_2017_5754_linux() + # nopti option that is part of the patch (kernel command line option) + # 'kpti=': arm + kpti_can_tell=1 +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! 
command -v "@strings@" >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package" + else +- kpti_support=$("${opt_arch_prefix}strings" "$kernel" | grep -w -e nopti -e kpti=) ++ kpti_support=$("@strings@" "$kernel" | @grep@ -w -e nopti -e kpti=) + if [ -n "$kpti_support" ]; then + _debug "kpti_support: found '$kpti_support' in $kernel" + fi +@@ -4219,20 +4219,20 @@ check_CVE_2017_5754_linux() + dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace" + # aarch64 + dmesg_grep="$dmesg_grep|CPU features: detected( feature)?: Kernel page table isolation \(KPTI\)" +- if grep ^flags "$procfs/cpuinfo" | grep -qw pti; then ++ if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pti; then + # vanilla PTI patch sets the 'pti' flag in cpuinfo + _debug "kpti_enabled: found 'pti' flag in $procfs/cpuinfo" + kpti_enabled=1 +- elif grep ^flags "$procfs/cpuinfo" | grep -qw kaiser; then ++ elif @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw kaiser; then + # kernel line 4.9 sets the 'kaiser' flag in cpuinfo + _debug "kpti_enabled: found 'kaiser' flag in $procfs/cpuinfo" + kpti_enabled=1 + elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then + # Red Hat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301 +- kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null) ++ kpti_enabled=$(@cat@ /sys/kernel/debug/x86/pti_enabled 2>/dev/null) + _debug "kpti_enabled: file /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled" + elif is_xen_dom0; then +- pti_xen_pv_domU=$(xl dmesg | grep 'XPTI' | grep 'DomU enabled' | head -1) ++ pti_xen_pv_domU=$(xl @dmesg@ | @grep@ 'XPTI' | @grep@ 'DomU enabled' | @head@ -1) + + [ -n "$pti_xen_pv_domU" ] && kpti_enabled=1 + fi +@@ -4307,7 +4307,7 @@ check_CVE_2017_5754_linux() + if [ -n "$kpti_support" ]; then + if [ -e "/sys/kernel/debug/x86/pti_enabled" ]; then + explain "Your kernel supports PTI but it's disabled, you 
can enable it with \`echo 1 > /sys/kernel/debug/x86/pti_enabled\`" +- elif echo "$kernel_cmdline" | grep -q -w -e nopti -e pti=off; then ++ elif echo "$kernel_cmdline" | @grep@ -q -w -e nopti -e pti=off; then + explain "Your kernel supports PTI but it has been disabled on command-line, remove the nopti or pti=off option from your bootloader configuration" + else + explain "Your kernel supports PTI but it has been disabled, check \`dmesg\` right after boot to find clues why the system disabled it" +@@ -4358,7 +4358,7 @@ check_CVE_2017_5754_linux() + check_CVE_2017_5754_bsd() + { + _info_nol "* Kernel supports Page Table Isolation (PTI): " +- kpti_enabled=$(sysctl -n vm.pmap.pti 2>/dev/null) ++ kpti_enabled=$(@sysctl@ -n vm.pmap.pti 2>/dev/null) + if [ -z "$kpti_enabled" ]; then + pstatus yellow NO + else +@@ -4429,7 +4429,7 @@ check_CVE_2018_3639() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2018_3639_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2018_3639_bsd + else + _warn "Unsupported OS ($os)" +@@ -4448,33 +4448,33 @@ check_CVE_2018_3639_linux() + if [ "$opt_sysfs_only" != 1 ]; then + _info_nol "* Kernel supports disabling speculative store bypass (SSB): " + if [ "$opt_live" = 1 ]; then +- if grep -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then ++ if @grep@ -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then + kernel_ssb="found in $procfs/self/status" + _debug "found Speculation.Store.Bypass: in $procfs/self/status" + fi + fi + # arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them +- if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! grep -q 'arm64_sys_' "$kernel"; then +- kernel_ssb=$("${opt_arch_prefix}strings" "$kernel" | grep spec_store_bypass | head -n1); ++ if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! 
@grep@ -q 'arm64_sys_' "$kernel"; then ++ kernel_ssb=$("@strings@" "$kernel" | @grep@ spec_store_bypass | @head@ -n1); + [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in kernel" + fi + # arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them +- if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! grep -q 'arm64_sys_' "$opt_map"; then +- kernel_ssb=$(grep spec_store_bypass "$opt_map" | awk '{print $3}' | head -n1) ++ if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! @grep@ -q 'arm64_sys_' "$opt_map"; then ++ kernel_ssb=$(@grep@ spec_store_bypass "$opt_map" | @awk@ '{print $3}' | @head@ -n1) + [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map" + fi + # arm64 only: + if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ]; then +- kernel_ssb=$(grep -w cpu_enable_ssbs "$opt_map" | awk '{print $3}' | head -n1) ++ kernel_ssb=$(@grep@ -w cpu_enable_ssbs "$opt_map" | @awk@ '{print $3}' | @head@ -n1) + [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map" + fi + if [ -z "$kernel_ssb" ] && [ -n "$opt_config" ]; then +- kernel_ssb=$(grep -w 'CONFIG_ARM64_SSBD=y' "$opt_config") ++ kernel_ssb=$(@grep@ -w 'CONFIG_ARM64_SSBD=y' "$opt_config") + [ -n "$kernel_ssb" ] && kernel_ssb="CONFIG_ARM64_SSBD enabled in kconfig" + fi + if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then + # this string only appears in kernel if CONFIG_ARM64_SSBD is set +- kernel_ssb=$(grep -w "Speculative Store Bypassing Safe (SSBS)" "$kernel") ++ kernel_ssb=$(@grep@ -w "Speculative Store Bypassing Safe (SSBS)" "$kernel") + [ -n "$kernel_ssb" ] && kernel_ssb="found 'Speculative Store Bypassing Safe (SSBS)' in kernel" + fi + # /arm64 only +@@ -4489,31 +4489,31 @@ check_CVE_2018_3639_linux() + if [ "$opt_live" = 1 ]; then + # https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340 + _info_nol "* SSB mitigation is enabled and active: " +- if grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then ++ if @grep@ 
-Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then + kernel_ssbd_enabled=1 + pstatus green YES "per-thread through prctl" +- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then ++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then + kernel_ssbd_enabled=2 + pstatus green YES "global" +- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then ++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then + kernel_ssbd_enabled=0 + pstatus yellow NO +- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then ++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then + kernel_ssbd_enabled=-2 + pstatus blue NO "not vulnerable" +- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then ++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then + kernel_ssbd_enabled=0 + pstatus blue NO + else +- pstatus blue UNKNOWN "unknown value: $(grep -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | cut -d: -f2-)" ++ pstatus blue UNKNOWN "unknown value: $(@grep@ -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | @cut@ -d: -f2-)" + fi + + if [ "$kernel_ssbd_enabled" = 1 ]; then + _info_nol "* SSB mitigation currently active for selected processes: " + # silence grep's stderr here to avoid ENOENT errors from processes that have exited since the shell's expansion of the * +- mitigated_processes=$(find /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \ +- | xargs -r0 grep -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \ +- | sed 
s/status/exe/ | xargs -r -n1 readlink -f 2>/dev/null | xargs -r -n1 basename | sort -u | tr "\n" " " | sed 's/ $//') ++ mitigated_processes=$(@find@ /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \ ++ | @xargs@ -r0 @grep@ -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \ ++ | @sed@ s/status/exe/ | @xargs@ -r -n1 readlink -f 2>/dev/null | @xargs@ -r -n1 @basename@ | @sort@ -u | @tr@ "\n" " " | @sed@ 's/ $//') + if [ -n "$mitigated_processes" ]; then + pstatus green YES "$mitigated_processes" + else +@@ -4565,7 +4565,7 @@ check_CVE_2018_3639_linux() + check_CVE_2018_3639_bsd() + { + _info_nol "* Kernel supports speculation store bypass: " +- if sysctl hw.spec_store_bypass_disable >/dev/null 2>&1; then ++ if @sysctl@ hw.spec_store_bypass_disable >/dev/null 2>&1; then + kernel_ssb=1 + pstatus green YES + else +@@ -4574,7 +4574,7 @@ check_CVE_2018_3639_bsd() + fi + + _info_nol "* Speculation store bypass is administratively enabled: " +- ssb_enabled=$(sysctl -n hw.spec_store_bypass_disable 2>/dev/null) ++ ssb_enabled=$(@sysctl@ -n hw.spec_store_bypass_disable 2>/dev/null) + _debug "hw.spec_store_bypass_disable=$ssb_enabled" + case "$ssb_enabled" in + 0) pstatus yellow NO "disabled";; +@@ -4584,7 +4584,7 @@ check_CVE_2018_3639_bsd() + esac + + _info_nol "* Speculation store bypass is currently active: " +- ssb_active=$(sysctl -n hw.spec_store_bypass_disable_active 2>/dev/null) ++ ssb_active=$(@sysctl@ -n hw.spec_store_bypass_disable_active 2>/dev/null) + _debug "hw.spec_store_bypass_disable_active=$ssb_active" + case "$ssb_active" in + 1) pstatus green YES;; +@@ -4656,7 +4656,7 @@ check_CVE_2018_3620() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2018_3620_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2018_3620_bsd + else + _warn "Unsupported OS ($os)" +@@ -4674,14 +4674,14 @@ check_CVE_2018_3620_linux() + fi 
+ if [ "$opt_sysfs_only" != 1 ]; then + _info_nol "* Kernel supports PTE inversion: " +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! command -v "@strings@" >/dev/null 2>&1; then + pstatus yellow UNKNOWN "missing 'strings' tool, please install it" + pteinv_supported=-1 + elif [ -n "$kernel_err" ]; then + pstatus yellow UNKNOWN "$kernel_err" + pteinv_supported=-1 + else +- if "${opt_arch_prefix}strings" "$kernel" | grep -Fq 'PTE Inversion'; then ++ if "@strings@" "$kernel" | @grep@ -Fq 'PTE Inversion'; then + pstatus green YES "found in kernel image" + _debug "pteinv: found pte inversion evidence in kernel image" + pteinv_supported=1 +@@ -4694,7 +4694,7 @@ check_CVE_2018_3620_linux() + _info_nol "* PTE inversion enabled and active: " + if [ "$opt_live" = 1 ]; then + if [ -n "$fullmsg" ]; then +- if echo "$fullmsg" | grep -q 'Mitigation: PTE Inversion'; then ++ if echo "$fullmsg" | @grep@ -q 'Mitigation: PTE Inversion'; then + pstatus green YES + pteinv_active=1 + else +@@ -4742,7 +4742,7 @@ check_CVE_2018_3620_bsd() + else + _debug "vmm module already loaded" + fi +- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then ++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then + # https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch + # this is very difficult to detect that the kernel reserved the 0 page, but this fix + # is part of the exact same patch than the other L1TF CVE, so we detect it +@@ -4772,7 +4772,7 @@ check_CVE_2018_3646() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2018_3646_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2018_3646_bsd + else + _warn "Unsupported OS ($os)" +@@ -4798,7 +4798,7 @@ check_CVE_2018_3646_linux() + if [ "$opt_live" = 1 ]; then + if ! 
[ -r /sys/module/kvm_intel/parameters/ept ]; then + pstatus blue N/A "the kvm_intel module is not loaded" +- elif [ "$(cat /sys/module/kvm_intel/parameters/ept)" = N ]; then ++ elif [ "$(@cat@ /sys/module/kvm_intel/parameters/ept)" = N ]; then + pstatus green YES + ept_disabled=1 + else +@@ -4810,15 +4810,15 @@ check_CVE_2018_3646_linux() + + _info "* Mitigation 2" + _info_nol " * L1D flush is supported by kernel: " +- if [ "$opt_live" = 1 ] && grep -qw flush_l1d "$procfs/cpuinfo"; then ++ if [ "$opt_live" = 1 ] && @grep@ -qw flush_l1d "$procfs/cpuinfo"; then + l1d_kernel="found flush_l1d in $procfs/cpuinfo" + fi + if [ -z "$l1d_kernel" ]; then +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! command -v "@strings@" >/dev/null 2>&1; then + l1d_kernel_err="missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package" + elif [ -n "$kernel_err" ]; then + l1d_kernel_err="$kernel_err" +- elif "${opt_arch_prefix}strings" "$kernel" | grep -qw flush_l1d; then ++ elif "@strings@" "$kernel" | @grep@ -qw flush_l1d; then + l1d_kernel='found flush_l1d in kernel image' + fi + fi +@@ -4839,20 +4839,20 @@ check_CVE_2018_3646_linux() + # $l1dstatus is one of (auto|vulnerable|conditional cache flushes|cache flushes|EPT disabled|flush not necessary) + # $smtstatus is one of (vulnerable|disabled) + # can also just be "Not affected" +- if echo "$fullmsg" | grep -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then ++ if echo "$fullmsg" | @grep@ -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then + l1d_mode=0 + pstatus yellow NO +- elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) conditional cache flushes'; then ++ elif echo "$fullmsg" | @grep@ -Eq '(VMX:|L1D) conditional cache flushes'; then + l1d_mode=1 + pstatus green YES "conditional flushes" +- elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) cache flushes'; then ++ elif echo "$fullmsg" | @grep@ -Eq 
'(VMX:|L1D) cache flushes'; then + l1d_mode=2 + pstatus green YES "unconditional flushes" + else + if is_xen_dom0; then +- l1d_xen_hardware=$(xl dmesg | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -1) +- l1d_xen_hypervisor=$(xl dmesg | grep 'Xen settings:' | grep 'L1D_FLUSH' | head -1) +- l1d_xen_pv_domU=$(xl dmesg | grep 'PV L1TF shadowing:' | grep 'DomU enabled' | head -1) ++ l1d_xen_hardware=$(xl @dmesg@ | @grep@ 'Hardware features:' | @grep@ 'L1D_FLUSH' | @head@ -1) ++ l1d_xen_hypervisor=$(xl @dmesg@ | @grep@ 'Xen settings:' | @grep@ 'L1D_FLUSH' | @head@ -1) ++ l1d_xen_pv_domU=$(xl @dmesg@ | @grep@ 'PV L1TF shadowing:' | @grep@ 'DomU enabled' | @head@ -1) + + if [ -n "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n "$l1d_xen_pv_domU" ]; then + l1d_mode=5 +@@ -4883,7 +4883,7 @@ check_CVE_2018_3646_linux() + + _info_nol " * Hardware-backed L1D flush supported: " + if [ "$opt_live" = 1 ]; then +- if grep -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then ++ if @grep@ -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then + pstatus green YES "performance impact of the mitigation will be greatly reduced" + else + pstatus blue NO "flush will be done in software, this is slower" +@@ -4955,7 +4955,7 @@ check_CVE_2018_3646_linux() + check_CVE_2018_3646_bsd() + { + _info_nol "* Kernel supports L1D flushing: " +- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then ++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then + pstatus green YES + kernel_l1d_supported=1 + else +@@ -4964,7 +4964,7 @@ check_CVE_2018_3646_bsd() + fi + + _info_nol "* L1D flushing is enabled: " +- kernel_l1d_enabled=$(sysctl -n hw.vmm.vmx.l1d_flush 2>/dev/null) ++ kernel_l1d_enabled=$(@sysctl@ -n hw.vmm.vmx.l1d_flush 2>/dev/null) + case "$kernel_l1d_enabled" in + 0) pstatus yellow NO;; + 1) pstatus green YES;; +@@ -5018,7 +5018,7 @@ check_CVE_2018_12127() + ################### + # MDSUM SECTION + +-# Microarchitectural Data Sampling Uncacheable 
Memory ++# Microarchitectural Data Sampling Uncacheable Memory + check_CVE_2019_11091() + { + cve='CVE-2019-11091' +@@ -5032,7 +5032,7 @@ check_mds() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_mds_linux "$cve" +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_mds_bsd "$cve" + else + _warn "Unsupported OS ($os)" +@@ -5043,7 +5043,7 @@ check_mds_bsd() + { + _info_nol "* Kernel supports using MD_CLEAR mitigation: " + if [ "$opt_live" = 1 ]; then +- if sysctl hw.mds_disable >/dev/null 2>&1; then ++ if @sysctl@ hw.mds_disable >/dev/null 2>&1; then + pstatus green YES + kernel_md_clear=1 + else +@@ -5051,7 +5051,7 @@ check_mds_bsd() + kernel_md_clear=0 + fi + else +- if grep -Fq hw.mds_disable $opt_kernel; then ++ if @grep@ -Fq hw.mds_disable $opt_kernel; then + pstatus green YES + kernel_md_clear=1 + else +@@ -5061,8 +5061,8 @@ check_mds_bsd() + fi + + _info_nol "* CPU Hyper-Threading (SMT) is disabled: " +- if sysctl machdep.hyperthreading_allowed >/dev/null 2>&1; then +- kernel_smt_allowed=$(sysctl -n machdep.hyperthreading_allowed 2>/dev/null) ++ if @sysctl@ machdep.hyperthreading_allowed >/dev/null 2>&1; then ++ kernel_smt_allowed=$(@sysctl@ -n machdep.hyperthreading_allowed 2>/dev/null) + if [ "$kernel_smt_allowed" = 1 ]; then + pstatus yellow NO + else +@@ -5074,7 +5074,7 @@ check_mds_bsd() + + _info_nol "* Kernel mitigation is enabled: " + if [ "$kernel_md_clear" = 1 ]; then +- kernel_mds_enabled=$(sysctl -n hw.mds_disable 2>/dev/null) ++ kernel_mds_enabled=$(@sysctl@ -n hw.mds_disable 2>/dev/null) + else + kernel_mds_enabled=0 + fi +@@ -5088,7 +5088,7 @@ check_mds_bsd() + + _info_nol "* Kernel mitigation is active: " + if [ "$kernel_md_clear" = 1 ]; then +- kernel_mds_state=$(sysctl -n hw.mds_disable_state 2>/dev/null) ++ kernel_mds_state=$(@sysctl@ -n hw.mds_disable_state 2>/dev/null) + else + kernel_mds_state=inactive + fi +@@ -5146,16 +5146,16 @@ check_mds_linux() + 
_info_nol "* Kernel supports using MD_CLEAR mitigation: " + kernel_md_clear='' + kernel_md_clear_can_tell=1 +- if [ "$opt_live" = 1 ] && grep ^flags "$procfs/cpuinfo" | grep -qw md_clear; then ++ if [ "$opt_live" = 1 ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw md_clear; then + kernel_md_clear="md_clear found in $procfs/cpuinfo" + pstatus green YES "$kernel_md_clear" + fi + if [ -z "$kernel_md_clear" ]; then +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then ++ if ! command -v "@strings@" >/dev/null 2>&1; then + kernel_md_clear_can_tell=0 + elif [ -n "$kernel_err" ]; then + kernel_md_clear_can_tell=0 +- elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'Clear CPU buffers'; then ++ elif "@strings@" "$kernel" | @grep@ -q 'Clear CPU buffers'; then + _debug "md_clear: found 'Clear CPU buffers' string in kernel image" + kernel_md_clear='found md_clear implementation evidence in kernel image' + pstatus green YES "$kernel_md_clear" +@@ -5171,7 +5171,7 @@ check_mds_linux() + + if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then + _info_nol "* Kernel mitigation is enabled and active: " +- if echo "$fullmsg" | grep -qi ^mitigation; then ++ if echo "$fullmsg" | @grep@ -qi ^mitigation; then + mds_mitigated=1 + pstatus green YES + else +@@ -5179,7 +5179,7 @@ check_mds_linux() + pstatus yellow NO + fi + _info_nol "* SMT is either mitigated or disabled: " +- if echo "$fullmsg" | grep -Eq 'SMT (disabled|mitigated)'; then ++ if echo "$fullmsg" | @grep@ -Eq 'SMT (disabled|mitigated)'; then + mds_smt_mitigated=1 + pstatus green YES + else +@@ -5265,7 +5265,7 @@ check_CVE_2019_11135() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2019_11135_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2019_11135_bsd + else + _warn "Unsupported OS ($os)" +@@ -5286,7 +5286,7 @@ check_CVE_2019_11135_linux() + kernel_taa='' + if [ -n "$kernel_err" ]; then + 
kernel_taa_err="$kernel_err" +- elif grep -q 'tsx_async_abort' "$kernel"; then ++ elif @grep@ -q 'tsx_async_abort' "$kernel"; then + kernel_taa="found tsx_async_abort in kernel image" + fi + if [ -n "$kernel_taa" ]; then +@@ -5300,7 +5300,7 @@ check_CVE_2019_11135_linux() + _info_nol "* TAA mitigation enabled and active: " + if [ "$opt_live" = 1 ]; then + if [ -n "$fullmsg" ]; then +- if echo "$fullmsg" | grep -qE '^Mitigation'; then ++ if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then + pstatus green YES "$fullmsg" + else + pstatus yellow NO +@@ -5335,9 +5335,9 @@ check_CVE_2019_11135_linux() + else + if [ "$opt_paranoid" = 1 ]; then + # in paranoid mode, TSX or SMT enabled are not OK, even if TAA is mitigated +- if ! echo "$fullmsg" | grep -qF 'TSX disabled'; then ++ if ! echo "$fullmsg" | @grep@ -qF 'TSX disabled'; then + pvulnstatus $cve VULN "TSX must be disabled for full mitigation" +- elif echo "$fullmsg" | grep -qF 'SMT vulnerable'; then ++ elif echo "$fullmsg" | @grep@ -qF 'SMT vulnerable'; then + pvulnstatus $cve VULN "SMT (HyperThreading) must be disabled for full mitigation" + else + pvulnstatus $cve "$status" "$msg" +@@ -5367,7 +5367,7 @@ check_CVE_2018_12207() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2018_12207_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2018_12207_bsd + else + _warn "Unsupported OS ($os)" +@@ -5391,7 +5391,7 @@ check_CVE_2018_12207_linux() + if [ -n "$kernel_err" ]; then + kernel_itlbmh_err="$kernel_err" + # commit 5219505fcbb640e273a0d51c19c38de0100ec5a9 +- elif grep -q 'itlb_multihit' "$kernel"; then ++ elif @grep@ -q 'itlb_multihit' "$kernel"; then + kernel_itlbmh="found itlb_multihit in kernel image" + fi + if [ -n "$kernel_itlbmh" ]; then +@@ -5405,7 +5405,7 @@ check_CVE_2018_12207_linux() + _info_nol "* iTLB Multihit mitigation enabled and active: " + if [ "$opt_live" = 1 ]; then + if [ -n "$fullmsg" ]; then +- if 
echo "$fullmsg" | grep -qF 'Mitigation'; then ++ if echo "$fullmsg" | @grep@ -qF 'Mitigation'; then + pstatus green YES "$fullmsg" + else + pstatus yellow NO +@@ -5447,7 +5447,7 @@ check_CVE_2018_12207_linux() + check_CVE_2018_12207_bsd() + { + _info_nol "* Kernel supports disabling superpages for executable mappings under EPT: " +- kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept 2>/dev/null) ++ kernel_2m_x_ept=$(@sysctl@ -n vm.pmap.allow_2m_x_ept 2>/dev/null) + if [ -z "$kernel_2m_x_ept" ]; then + pstatus yellow NO + else +@@ -5484,7 +5484,7 @@ check_CVE_2020_0543() + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" + if [ "$os" = Linux ]; then + check_CVE_2020_0543_linux +- elif echo "$os" | grep -q BSD; then ++ elif echo "$os" | @grep@ -q BSD; then + check_CVE_2020_0543_bsd + else + _warn "Unsupported OS ($os)" +@@ -5505,7 +5505,7 @@ check_CVE_2020_0543_linux() + kernel_srbds='' + if [ -n "$kernel_err" ]; then + kernel_srbds_err="$kernel_err" +- elif grep -q 'Dependent on hypervisor' "$kernel"; then ++ elif @grep@ -q 'Dependent on hypervisor' "$kernel"; then + kernel_srbds="found SRBDS implementation evidence in kernel image. 
Your kernel is up to date for SRBDS mitigation" + fi + if [ -n "$kernel_srbds" ]; then +@@ -5518,7 +5518,7 @@ check_CVE_2020_0543_linux() + _info_nol "* SRBDS mitigation control is enabled and active: " + if [ "$opt_live" = 1 ]; then + if [ -n "$fullmsg" ]; then +- if echo "$fullmsg" | grep -qE '^Mitigation'; then ++ if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then + pstatus green YES "$fullmsg" + else + pstatus yellow NO +@@ -5608,8 +5608,8 @@ fi + # now run the checks the user asked for + for cve in $supported_cve_list + do +- if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | grep -qw "$cve"; then +- check_"$(echo "$cve" | tr - _)" ++ if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | @grep@ -qw "$cve"; then ++ check_"$(echo "$cve" | @tr@ - _)" + _info + fi + done +@@ -5623,17 +5623,17 @@ if [ "$bad_accuracy" = 1 ]; then + _warn "We're missing some kernel info (see -v), accuracy might be reduced" + fi + +-_vars=$(set | grep -Ev '^[A-Z_[:space:]]' | grep -v -F 'mockme=' | sort | tr "\n" '|') ++_vars=$(set | @grep@ -Ev '^[A-Z_[:space:]]' | @grep@ -v -F 'mockme=' | @sort@ | @tr@ "\n" '|') + _debug "variables at end of script: $_vars" + + if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then +- if command -v "gzip" >/dev/null 2>&1; then ++ if command -v "@gzip@" >/dev/null 2>&1; then + # not a useless use of cat: gzipping cpuinfo directly doesn't work well + # shellcheck disable=SC2002 +- if command -v "base64" >/dev/null 2>&1; then +- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | base64 -w0)" +- elif command -v "uuencode" >/dev/null 2>&1; then +- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | uuencode -m - | grep -Fv 'begin-base64' | grep -Fxv -- '====' | tr -d "\n")" ++ if command -v "@base64@" >/dev/null 2>&1; then ++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @base64@ -w0)" ++ elif command -v "@uuencode@" >/dev/null 2>&1; then ++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @uuencode@ -m - | @grep@ -Fv 'begin-base64' | @grep@ -Fxv -- '====' | @tr@ -d 
"\n")" + fi + fi + if [ -n "$mock_cpuinfo" ]; then +@@ -5642,7 +5642,7 @@ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then + fi + _info "" + # shellcheck disable=SC2046 +- _warn "To mock this CPU, set those vars: "$(echo "$mockme" | sort -u) ++ _warn "To mock this CPU, set those vars: "$(echo "$mockme" | @sort@ -u) + fi + + if [ "$opt_explain" = 0 ]; then +-- +2.38.1 + diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch new file mode 100644 index 0000000000..afec52b418 --- /dev/null +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch @@ -0,0 +1,26 @@ +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001 +From: Hilton Chain <hako@ultrarare.space> +Date: Sat, 5 Nov 2022 23:22:31 +0800 +Subject: [PATCH] Add support for Guix System kernel. + +--- + spectre-meltdown-checker.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh +index 248a444..855a090 100755 +--- a/spectre-meltdown-checker.sh ++++ b/spectre-meltdown-checker.sh +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then + [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)" + # NixOS: + [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel" ++ # Guix System: ++ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage" + # systemd kernel-install: + [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux" + # Clear Linux: + +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183 +-- +2.38.0 base-commit: 2757de2e2b271d87f6f72ba4161c2225fbdc9e78 -- 2.38.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
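Review bot: in the `mitigated_processes` pipeline of the `check_CVE_2018_3639_linux()` hunk, `readlink -f` is the one external command left unstaged while `@find@`, `@xargs@`, `@grep@`, `@sed@`, `@basename@`, `@sort@` and `@tr@` around it are all placeholders; `readlink` comes from coreutils just like `basename`, so it should read `@xargs@ -r -n1 @readlink@ -f` (and `readlink` should join the list of staged commands), otherwise that one step still depends on the caller's PATH.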
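Review bot: in the `@@ -4810,15 +4810,15 @@ check_CVE_2018_3646_linux()` hunk the probe becomes `command -v "@strings@"`, but the unchanged next line still says `missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package`; once `@strings@` is substituted it is an absolute path that either exists or the build has already failed, so the `command -v` branch is dead and the message names a tool the user cannot install into the script. Either drop the `command -v` branch for staged commands or make the message name the substituted path; the same mismatch is in the `check_CVE_2018_3620_linux()` (`@@ -4674`) and `check_mds_linux()` (`@@ -5146`) hunks.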
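Review bot: the three Xen lines in the `@@ -4839,20 +4839,20 @@ check_CVE_2018_3646_linux()` hunk rewrite `xl dmesg` as `xl @dmesg@`, but `dmesg` there is a subcommand of the `xl` toolstack, not the util-linux `dmesg` binary; after substitution the command becomes `xl` followed by an absolute path to `dmesg`, which `xl` rejects, and the L1TF Xen detection silently stops working. Keep `xl dmesg` literal and stage only the pipeline behind it, e.g. `l1d_xen_hardware=$(xl dmesg | @grep@ 'Hardware features:' | @grep@ 'L1D_FLUSH' | @head@ -1)`, and likewise for the `l1d_xen_hypervisor` and `l1d_xen_pv_domU` lines.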
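Review bot: in the `@@ -5623,17 +5623,17 @@` mock-data hunk, staging `"@gzip@"`, `"@base64@"` and `"@uuencode@"` inside `command -v` tests turns a runtime fallback (use `base64`, otherwise `uuencode`) into a build-time requirement: every placeholder has to be resolvable when the `fixpath` phase runs, so the `uuencode` branch can never be taken on a Guix-built script. Either stage only `@gzip@` and `@base64@` and leave `uuencode` out of the staged list, or make sure the package's inputs actually provide `bin/uuencode` (GNU sharutils) so the substitution does not fail on that placeholder.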
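Review bot: the added `[ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel=...` line in the `support-guix-system-kernel` patch only works because it sits after the NixOS probe: whenever `/run/booted-system/kernel/bzImage` exists, `/run/booted-system/kernel` exists as a directory too, so the preceding `[ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"` also fires and points `opt_kernel` at a directory, which the Guix line then overrides. Say so in the `# Guix System:` comment (or tighten the NixOS probe to `[ -f ... ]`) so a later reordering does not break kernel detection, and note that `bzImage` is the x86 image name; on other architectures the kernel image is named differently (`Image`/`zImage`), so either probe those as well or document the line as x86-only.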
* [bug#59053] [PATCH v4] gnu: Add spectre-meltdown-checker. 2022-11-12 15:15 ` [bug#59053] [PATCH v4] " Hilton Chain via Guix-patches via @ 2022-11-12 16:58 ` Liliana Marie Prikler 2022-11-13 13:09 ` [bug#59053] [PATCH v5] " Hilton Chain via Guix-patches via 0 siblings, 1 reply; 12+ messages in thread From: Liliana Marie Prikler @ 2022-11-12 16:58 UTC (permalink / raw) To: Hilton Chain; +Cc: 59053 On Saturday, 12.11.2022 at 23:15 +0800, Hilton Chain wrote: > * gnu/packages/linux.scm (spectre-meltdown-checker): New variable. > * gnu/packages/patches/spectre-meltdown-checker-support-guix-system- > kernel.patch: > New file. > * gnu/packages/patches/spectre-meltdown-checker-remove-builtin- > firmware-database.patch: > New file. > * gnu/packages/patches/spectre-meltdown-checker-stage-commands-for- > substitution.patch: > New file. > * gnu/local.mk (dist_patch_DATA): Add patches. > --- > v3 -> v4: > 1. Remove downloading function. > 2. Add option for supplying a local database. > > gnu/local.mk | 3 + > gnu/packages/linux.scm | 54 + > ...ker-remove-builtin-firmware-database.patch | 243 +++ > ...cker-stage-commands-for-substitution.patch | 1849 > +++++++++++++++++ > ...n-checker-support-guix-system-kernel.patch | 26 + > 5 files changed, 2175 insertions(+) > create mode 100644 gnu/packages/patches/spectre-meltdown-checker- > remove-builtin-firmware-database.patch > create mode 100644 gnu/packages/patches/spectre-meltdown-checker- > stage-commands-for-substitution.patch > create mode 100644 gnu/packages/patches/spectre-meltdown-checker- > support-guix-system-kernel.patch > > diff --git a/gnu/local.mk b/gnu/local.mk > index e3e02314bb..46b299d0d6 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk
> @@ -1857,6 +1857,9 @@ dist_patch_DATA > = \ > %D%/packages/patches/syslinux-strip-gnu-property.patch \ > %D%/packages/patches/snappy-add-O2-flag-in- > CmakeLists.txt.patch \ > %D%/packages/patches/snappy-add-inline-for-GCC.patch \ > + %D%/packages/patches/spectre-meltdown-checker-remove-builtin- > firmware-database.patch \ > + %D%/packages/patches/spectre-meltdown-checker-stage-commands-for- > substitution.patch \ > + %D%/packages/patches/spectre-meltdown-checker-support-guix-system- > kernel.patch \ > %D%/packages/patches/sphinxbase-fix-doxygen.patch \ > %D%/packages/patches/spice-vdagent-glib-2.68.patch \ > %D%/packages/patches/sssd-optional-systemd.patch \ > diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm > index fea33dfa0b..1807fd5655 100644 > --- a/gnu/packages/linux.scm > +++ b/gnu/packages/linux.scm 
> @@ -9595,3 +9595,57 @@ (define-public edac-utils > error detection and correction (EDAC).") > (home-page "https://github.com/grondo/edac-utils") > (license license:gpl2+))) > + > +(define-public spectre-meltdown-checker > + (package > + (name "spectre-meltdown-checker") > + (version "0.45") > + (source (origin > + (method git-fetch) > + (uri (git-reference > + (url > "https://github.com/speed47/spectre-meltdown-checker") > + (commit (string-append "v" version)))) > + (file-name (git-file-name name version)) > + (patches > + (search-patches > + ;; > https://github.com/speed47/spectre-meltdown-checker/pull/441 > + "spectre-meltdown-checker-support-guix-system- > kernel.patch" > + ;; NOTE: Update these patches when updating. > + "spectre-meltdown-checker-remove-builtin-firmware- > database.patch" Is this comment still needed? > + "spectre-meltdown-checker-stage-commands-for- > substitution.patch")) > + ;; Remove builtin firmware database. > + (modules '((guix build utils))) > + (snippet '(substitute* "spectre-meltdown-checker.sh" > + (("^# [AI],.*") ""))) > + (sha256 > + (base32 > + > "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8")))) > + (build-system copy-build-system) > + (arguments > + (list #:install-plan > + #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown- > checker")) > + #:phases > + #~(modify-phases %standard-phases > + (add-after 'unpack 'fixpath > + (lambda* (#:key inputs #:allow-other-keys) > + (substitute* "spectre-meltdown-checker.sh" > + (("@sysctl@") (search-input-file inputs > "/sbin/sysctl")) > + (("@([a-z0-9]*)@" _ command _) > + (search-input-file > + inputs (string-append "/bin/" > command))))))))) > + (inputs > + (list kmod > + lz4 > + lzop > + perl > + procps > + sharutils > + util-linux > + zstd)) > + (home-page > "https://github.com/speed47/spectre-meltdown-checker") > + (synopsis "CPU vulnerability / mitigation checker") > + (description > + "This package provides a shell script to assess your system's > resilience > 
+against the several transient execution CVEs that were published > since early > +2018, and give you guidance as to how to mitigate them.") > + (license license:gpl3))) > diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove- > builtin-firmware-database.patch b/gnu/packages/patches/spectre- > meltdown-checker-remove-builtin-firmware-database.patch > new file mode 100644 > index 0000000000..888bb0c2b1 > --- /dev/null > +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin- > firmware-database.patch 
> @@ -0,0 +1,243 @@ > +From a3a9b7ca93071393e6bfd999fedd737009718aab Mon Sep 17 00:00:00 > 2001 > +From: Hilton Chain <hako@ultrarare.space> > +Date: Sat, 12 Nov 2022 22:45:24 +0800 > +Subject: [PATCH 1/2] Remove builtin firmware database. > + > +1. Remove downloading function. > +2. Add option for supplying a local database. > +--- > + spectre-meltdown-checker.sh | 180 +++------------------------------ > --- > + 1 file changed, 15 insertions(+), 165 deletions(-) > + > +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown- > checker.sh > +index 30f760c..ce46970 100755 > +--- a/spectre-meltdown-checker.sh > ++++ b/spectre-meltdown-checker.sh > +@@ -22,8 +22,6 @@ exit_cleanup() > + [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm > -f "$dumped_config" > + [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm > -f "$kerneltmp" > + [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm > -f "$kerneltmp2" > +- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm > -f "$mcedb_tmp" > +- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm > -rf "$intel_tmp" > + [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug > 2>/dev/null > + [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" > 2>/dev/null > + [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null > +@@ -93,9 +91,7 @@ show_usage() > + --vmm [auto,yes,no] override the detection of the > presence of a hypervisor, default: auto > + --allow-msr-write allow probing for write-only > MSRs, this might produce kernel logs or be blocked by your system > + --cpu [#,all] interact with CPUID and MSR > of CPU core number #, or all (default: CPU core 0) > +- --update-fwdb update our local copy of the > CPU microcodes versions database (using the awesome > +- MCExtractor project and the > Intel firmwares GitHub repository) > +- --update-builtin-fwdb same as --update-fwdb but > update builtin DB inside the script itself > ++ --with-fwdb FILE supply the CPU microcodes > versions database > + --dump-mock-data 
used to mimick a CPU on an > other system, mainly used to help debugging this script > + > + Return codes: > +@@ -837,147 +833,6 @@ show_header() > + _info > + } > + > +-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)" > +-mcedb_cache="$HOME/.mcedb" > +-update_fwdb() > +-{ > +- show_header > +- > +- set -e > +- > +- if [ -r "$mcedb_cache" ]; then > +- previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 > }' "$mcedb_cache") > +- fi > +- > +- # first, download the MCE.db from the excellent platomav's > MCExtractor project > +- mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)" > +- > mcedb_url='https://github.com/platomav/MCExtractor/raw/master/M > CE.db' > +- _info_nol "Fetching MCE.db from the MCExtractor project... " > +- if command -v wget >/dev/null 2>&1; then > +- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$? > +- elif command -v curl >/dev/null 2>&1; then > +- curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$? > +- elif command -v fetch >/dev/null 2>&1; then > +- fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$? > +- else > +- echo ERROR "please install one of \`wget\`, \`curl\` > of \`fetch\` programs" > +- return 1 > +- fi > +- if [ "$ret" != 0 ]; then > +- echo ERROR "error $ret while downloading MCE.db" > +- return $ret > +- fi > +- echo DONE > +- > +- # second, get the Intel firmwares from GitHub > +- intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)" > +- > intel_url="https://github.com/intel/Intel-Linux-Processor-Micro > code-Data-Files/archive/main.zip" > +- _info_nol "Fetching Intel firmwares... " > +- ## > https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git > +- if command -v wget >/dev/null 2>&1; then > +- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$? > +- elif command -v curl >/dev/null 2>&1; then > +- curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$? > +- elif command -v fetch >/dev/null 2>&1; then > +- fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$? 
> +- else > +- echo ERROR "please install one of \`wget\`, \`curl\` > of \`fetch\` programs" > +- return 1 > +- fi > +- if [ "$ret" != 0 ]; then > +- echo ERROR "error $ret while downloading Intel > firmwares" > +- return $ret > +- fi > +- echo DONE > +- > +- # now extract MCEdb contents using sqlite > +- _info_nol "Extracting MCEdb data... " > +- if ! command -v sqlite3 >/dev/null 2>&1; then > +- echo ERROR "please install the \`sqlite3\` program" > +- return 1 > +- fi > +- mcedb_revision=$(sqlite3 "$mcedb_tmp" "select revision from > MCE") > +- if [ -z "$mcedb_revision" ]; then > +- echo ERROR "downloaded file seems invalid" > +- return 1 > +- fi > +- sqlite3 "$mcedb_tmp" "alter table Intel add column origin > text" > +- sqlite3 "$mcedb_tmp" "update Intel set origin='mce'" > +- > +- echo OK "MCExtractor database revision $mcedb_revision" > +- > +- # parse Intel firmwares to get their versions > +- _info_nol "Integrating Intel firmwares data to db... " > +- if ! command -v unzip >/dev/null 2>&1; then > +- echo ERROR "please install the \`unzip\` program" > +- return 1 > +- fi > +- ( cd "$intel_tmp" && unzip fw.zip >/dev/null; ) > +- if ! [ -d "$intel_tmp/Intel-Linux-Processor-Microcode-Data- > Files-main/intel-ucode" ]; then > +- echo ERROR "expected the 'intel-ucode' folder in the > downloaded zip file" > +- return 1 > +- fi > +- > +- if ! command -v iucode_tool >/dev/null 2>&1; then > +- if ! 
command -v iucode-tool >/dev/null 2>&1; then > +- echo ERROR "please install the \`iucode- > tool\` program" > +- return 1 > +- else > +- iucode_tool="iucode-tool" > +- fi > +- else > +- iucode_tool="iucode_tool" > +- fi > +- # 079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev > 0x0217, size 5120 > +- # 078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev > 0x0107, size 5120 > +- $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode- > Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line > +- do > +- _line=$( echo "$_line" | tr -d ',') > +- _cpuid=$( echo "$_line" | awk '{print $3}') > +- _cpuid=$(( _cpuid )) > +- _cpuid=$(printf "0x%08X" "$_cpuid") > +- _date=$( echo "$_line" | awk '{print $6}' | tr -d > '-') > +- _version=$(echo "$_line" | awk '{print $8}') > +- _version=$(( _version )) > +- _version=$(printf "0x%08X" "$_version") > +- _sqlstm="$(printf "INSERT INTO Intel > (origin,cpuid,version,yyyymmdd) VALUES > (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" > "$(printf "%08X" "$_version")" "$_date")" > +- sqlite3 "$mcedb_tmp" "$_sqlstm" > +- done > +- _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux- > Processor-Microcode-Data-Files-main/license" 2>/dev/null) > +- if [ -n "$_intel_timestamp" ]; then > +- # use this date, it matches the last commit date > +- _intel_latest_date=$(date +%Y%m%d -d > @"$_intel_timestamp") > +- else > +- echo "Falling back to the latest microcode date" > +- _intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT > yyyymmdd from Intel WHERE origin = 'intel' ORDER BY yyyymmdd DESC > LIMIT 1;") > +- fi > +- echo DONE "(version $_intel_latest_date)" > +- > +- dbversion="$mcedb_revision+i$_intel_latest_date" > +- > +- if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [ > "$previous_dbversion" = "v$dbversion" ]; then > +- echo "We already have this version locally, no update > needed" > +- return 0 > +- fi > +- > +- _info_nol "Building local database... 
" > +- { > +- echo "# Spectre & Meltdown Checker"; > +- echo "# %%% MCEDB v$dbversion"; > +- sqlite3 "$mcedb_tmp" "SELECT '# > I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel > AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND > t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid > ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,'; > +- sqlite3 "$mcedb_tmp" "SELECT '# > A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD > AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND > t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid > ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,'; > +- } > "$mcedb_cache" > +- echo DONE "(version $dbversion)" > +- > +- if [ "$1" = builtin ]; then > +- newfile=$(mktemp -t smc-builtin-XXXXXX) > +- awk '/^# %%% MCEDB / { exit }; { print }' "$0" > > "$newfile" > +- awk '{ if (NR>1) { print } }' "$mcedb_cache" >> > "$newfile" > +- cat "$newfile" > "$0" > +- rm -f "$newfile" > +- fi > +-} > +- > + parse_opt_file() > + { > + # parse_opt_file option_name option_value > +@@ -1067,12 +922,15 @@ while [ -n "${1:-}" ]; do > + # deprecated, kept for compatibility > + opt_explain=0 > + shift > +- elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" > ]; then > +- update_fwdb > +- exit $? > +- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "-- > update-builtin-mcedb" ]; then > +- update_fwdb builtin > +- exit $? 
> ++ elif [ "$1" = "--with-fwdb" ] || [ "$1" = "--with-mcedb" ]; > then > ++ opt_fwdb=$2 > ++ if [ -f "$opt_fwdb" ]; then > ++ mcedb_cache=$2 > ++ else > ++ echo "$0: error: --with-fwdb should be a > file, got '$opt_fwdb'" >&2 > ++ exit 255 > ++ fi > ++ shift 2 > + elif [ "$1" = "--dump-mock-data" ]; then > + opt_mock=1 > + shift > +@@ -2033,21 +1891,11 @@ is_xen_domU() > + fi > + } > + > +-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0") > + if [ -r "$mcedb_cache" ]; then > + # we have a local cache file, but it might be older than the > builtin version we have > + local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }' > "$mcedb_cache") > +- # sort -V sorts by version number > +- older_dbversion=$(printf "%b\n%b" "$local_dbversion" > "$builtin_dbversion" | sort -V | head -n1) > +- if [ "$older_dbversion" = "$builtin_dbversion" ]; then > +- mcedb_source="$mcedb_cache" > +- mcedb_info="local firmwares DB $local_dbversion" > +- fi > +-fi > +-# if mcedb_source is not set, either we don't have a local cached > db, or it is older than the builtin db > +-if [ -z "${mcedb_source:-}" ]; then > +- mcedb_source="$0" > +- mcedb_info="builtin firmwares DB $builtin_dbversion" > ++ mcedb_source="$mcedb_cache" > ++ mcedb_info="local firmwares DB $local_dbversion" > + fi > + read_mcedb() > + { > +@@ -2063,7 +1911,9 @@ is_latest_known_ucode() > + return 2 > + fi > + ucode_latest="latest microcode version for your CPU model is > unknown" > +- if is_intel; then > ++ if [ -z "$mcedb_source" ]; then > ++ return 2 > ++ elif is_intel; then > + cpu_brand_prefix=I > + elif is_amd; then > + cpu_brand_prefix=A > +-- > +2.38.1 > + LGTM. > diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage- > commands-for-substitution.patch b/gnu/packages/patches/spectre- > meltdown-checker-stage-commands-for-substitution.patch > new file mode 100644 > index 0000000000..a8e7531f32 > --- /dev/null 
> +++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands- > for-substitution.patch 
> @@ -0,0 +1,1849 @@ > +From 1d79c223d5dc114f63da2c5061d2c713d8a05687 Mon Sep 17 00:00:00 > 2001 > +From: Hilton Chain <hako@ultrarare.space> > +Date: Fri, 11 Nov 2022 18:49:50 +0800 > +Subject: [PATCH 2/2] Stage commands for later substitution. > + > +awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find, > grep, > +gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm, > nproc, > +objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat, > strings, > +sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, xargs. > +--- I think it'd be better to provide a little more information in the patch note, e.g. "The following commands are taken from the environment and thus need to be substituted: - awk - base64 - basename - ... The following are shell built-ins and can remain as is - command - echo - ..." By the way, I feel like it'd be an improvement to crank down on the number of context lines or translate this into an equivalent substitute*, i.e. (substitute* "spectre-meltdown-checker.sh" (("\\<(awk|base64|...)\\>" all cmd) (find-command inputs cmd)) (("\\<(gzip|gunzip|...)\\>" all cmd) (find-command inputs cmd)) ...)
where (define* (find-command inputs cmd #:optional (bin "bin")) (search-input-file inputs (string-append bin "/" cmd))) > + spectre-meltdown-checker.sh | 606 ++++++++++++++++++--------------- > --- > + 1 file changed, 303 insertions(+), 303 deletions(-) > + > +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown- > checker.sh > +index ce46970..4889ebb 100755 > +--- a/spectre-meltdown-checker.sh > ++++ b/spectre-meltdown-checker.sh > +@@ -19,31 +19,31 @@ trap '_warn "interrupted, cleaning up..."; > exit_cleanup; exit 1' INT > + exit_cleanup() > + { > + # cleanup the temp decompressed config & kernel image > +- [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm > -f "$dumped_config" > +- [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm > -f "$kerneltmp" > +- [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm > -f "$kerneltmp2" > +- [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug > 2>/dev/null > +- [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" > 2>/dev/null > +- [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null > +- [ "${insmod_msr:-}" = 1 ] && rmmod msr 2>/dev/null > ++ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && > @rm@ -f "$dumped_config" > ++ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && > @rm@ -f "$kerneltmp" > ++ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && > @rm@ -f "$kerneltmp2" > ++ [ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug > 2>/dev/null > ++ [ "${mounted_procfs:-}" = 1 ] && @umount@ "$procfs" > 2>/dev/null > ++ [ "${insmod_cpuid:-}" = 1 ] && @rmmod@ cpuid 2>/dev/null > ++ [ "${insmod_msr:-}" = 1 ] && @rmmod@ msr 2>/dev/null > + [ "${kldload_cpuctl:-}" = 1 ] && kldunload cpuctl > 2>/dev/null > + [ "${kldload_vmm:-}" = 1 ] && kldunload vmm > 2>/dev/null > + } > + > + # if we were git clone'd, adjust VERSION > +-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; > then > +- describe=$(git -C "$(dirname "$0")" describe --tags --dirty > 2>/dev/null) > +- [ -n 
"$describe" ] && VERSION=$(echo "$describe" | sed -e > s/^v//) > ++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null > 2>&1; then > ++ describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty > 2>/dev/null) > ++ [ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e > s/^v//) > + fi > + > + show_usage() > + { > + # shellcheck disable=SC2086 > +- cat <<EOF > ++ @cat@ <<EOF > + Usage: > +- Live mode (auto): $(basename $0) [options] > +- Live mode (manual): $(basename $0) [options] <[-- > kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live > +- Offline mode: $(basename $0) [options] <[-- > kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> > ++ Live mode (auto): $(@basename@ $0) [options] > ++ Live mode (manual): $(@basename@ $0) [options] <[-- > kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live > ++ Offline mode: $(@basename@ $0) [options] <[-- > kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> > + > + Modes: > + Two modes are available. 
> +@@ -106,7 +106,7 @@ EOF > + > + show_disclaimer() > + { > +- cat <<EOF > ++ @cat@ <<EOF > + Disclaimer: > + > + This tool does its best to determine whether your system is immune > (or has proper mitigations in place) for the > +@@ -134,7 +134,7 @@ This tool has been released in the hope that > it'll be useful, but don't use it t > + EOF > + } > + > +-os=$(uname -s) > ++os=$(@uname@ -s) > + > + # parse options > + opt_kernel='' > +@@ -203,7 +203,7 @@ __echo() > + _interpret_chars='-e' > + fi > + _ctrlchar=$($echo_cmd $_interpret_chars "\033") > +- _msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r > "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g") > ++ _msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r > "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g") > + fi > + if [ "$echo_cmd_type" = printf ]; then > + if [ "$opt" = "-n" ]; then > +@@ -379,7 +379,7 @@ is_cpu_affected() > + # https://github.com/crozone/SpectrePoC/issues/1 ^F > E5200 => spectre 2 not affected > + # > https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => > meltdown affected > + # model name : Pentium(R) Dual-Core CPU E5200 > @ 2.50GHz > +- if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) > Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then > ++ if echo "$cpu_friendly_name" | @grep@ -qE > 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then > + variant1=vuln > + [ -z "$variant2" ] && variant2=immune > + variant3=vuln > +@@ -482,7 +482,7 @@ is_cpu_affected() > + i=$(( i + 1 )) > + # do NOT quote $cpu_arch_list below > + # shellcheck disable=SC2086 > +- cpuarch=$(echo $cpu_arch_list | awk '{ print > $'$i' }') > ++ cpuarch=$(echo $cpu_arch_list | @awk@ '{ > print $'$i' }') > + _debug "checking cpu$i: <$cpupart> > <$cpuarch>" > + # some kernels report AArch64 instead of 8 > + [ "$cpuarch" = "AArch64" ] && cpuarch=8 > +@@ -493,49 +493,49 @@ is_cpu_affected() > + # part ? ? c08 c09 c0d c0f c0e d07 > d08 d09 d0a d0b d0c d0d > + # arch 7? 7? 
7 7 7 7 7 8 > 8 8 8 8 8 8 > + # > +- # Whitelist identified non-affected > processors, use vulnerability information from > ++ # Whitelist identified non-affected > processors, use vulnerability information from > + # > https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability > + # Partnumbers can be found here: > + # > https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in > + # > + # Maintain cumulative check of > vulnerabilities - > + # if at least one of the cpu is > affected, then the system is affected > +- if [ "$cpuarch" = 7 ] && echo > "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then > ++ if [ "$cpuarch" = 7 ] && echo > "$cpupart" | @grep@ -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then > + variant1=vuln > + variant2=vuln > + [ -z "$variant3" ] && > variant3=immune > + [ -z "$variant3a" ] && > variant3a=immune > + [ -z "$variant4" ] && > variant4=immune > + _debug "checking cpu$i: armv7 > A8/A9/A12/A17 non affected to variants 3, 3a & 4" > +- elif [ "$cpuarch" = 7 ] && echo > "$cpupart" | grep -q -w -e 0xc0f; then > ++ elif [ "$cpuarch" = 7 ] && echo > "$cpupart" | @grep@ -q -w -e 0xc0f; then > + variant1=vuln > + variant2=vuln > + [ -z "$variant3" ] && > variant3=immune > + variant3a=vuln > + [ -z "$variant4" ] && > variant4=immune > + _debug "checking cpu$i: armv7 > A15 non affected to variants 3 & 4" > +- elif [ "$cpuarch" = 8 ] && echo > "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then > ++ elif [ "$cpuarch" = 8 ] && echo > "$cpupart" | @grep@ -q -w -e 0xd07 -e 0xd08; then > + variant1=vuln > + variant2=vuln > + [ -z "$variant3" ] && > variant3=immune > + variant3a=vuln > + variant4=vuln > + _debug "checking cpu$i: armv8 > A57/A72 non affected to variants 3" > +- elif [ "$cpuarch" = 8 ] && echo > "$cpupart" | grep -q -w -e 0xd09; then > ++ elif [ "$cpuarch" = 8 ] && echo > "$cpupart" | @grep@ -q -w -e 0xd09; then > + variant1=vuln > + variant2=vuln > + [ -z "$variant3" ] && > 
variant3=immune > + [ -z "$variant3a" ] && > variant3a=immune > + variant4=vuln > + _debug "checking cpu$i: armv8 > A73 non affected to variants 3 & 3a" > +- elif [ "$cpuarch" = 8 ] && echo > "$cpupart" | grep -q -w -e 0xd0a; then > ++ elif [ "$cpuarch" = 8 ] && echo > "$cpupart" | @grep@ -q -w -e 0xd0a; then > + variant1=vuln > + variant2=vuln > + variant3=vuln > + [ -z "$variant3a" ] && > variant3a=immune > + variant4=vuln > + _debug "checking cpu$i: armv8 > A75 non affected to variant 3a" > +- elif [ "$cpuarch" = 8 ] && echo > "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then > ++ elif [ "$cpuarch" = 8 ] && echo > "$cpupart" | @grep@ -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then > + variant1=vuln > + [ -z "$variant2" ] && > variant2=immune > + [ -z "$variant3" ] && > variant3=immune > +@@ -816,7 +816,7 @@ is_cpu_ssb_free() > + if [ "$cpu_family" = "18" ] || \ > + [ "$cpu_family" = "17" ] || \ > + [ "$cpu_family" = "16" ] || \ > +- [ "$cpu_family" = "15" ]; then > ++ [ "$cpu_family" = "15" ]; then > + return 0 > + fi > + fi > +@@ -910,7 +910,7 @@ while [ -n "${1:-}" ]; do > + elif [ "$1" = "--cpu" ]; then > + opt_cpu=$2 > + if [ "$opt_cpu" != all ]; then > +- if echo "$opt_cpu" | grep -Eq '^[0-9]+'; then > ++ if echo "$opt_cpu" | @grep@ -Eq '^[0-9]+'; > then > + opt_cpu=$(( opt_cpu )) > + else > + echo "$0: error: --cpu should be an > integer or 'all', got '$opt_cpu'" >&2 > +@@ -961,7 +961,7 @@ while [ -n "${1:-}" ]; do > + echo "$0: error: option --cve expects a > parameter, supported CVEs are: $supported_cve_list" >&2 > + exit 255 > + fi > +- selected_cve=$(echo "$supported_cve_list" | grep -iwo > "$2") > ++ selected_cve=$(echo "$supported_cve_list" | @grep@ - > iwo "$2") > + if [ -n "$selected_cve" ]; then > + opt_cve_list="$opt_cve_list $selected_cve" > + opt_cve_all=0 > +@@ -1166,14 +1166,14 @@ check_kernel() > + # a damaged ELF file and validate it, check for stderr > warnings too > + > + # the warning "readelf: Warning: [16]: Link field (0) should > index 
a symtab section./" can appear on valid kernels, ignore it > +- _readelf_warnings=$("${opt_arch_prefix}readelf" -S "$_file" > 2>&1 >/dev/null | grep -v 'should index a symtab section' | tr "\n" > "/"); ret=$? > +- _readelf_sections=$("${opt_arch_prefix}readelf" -S "$_file" > 2>/dev/null | grep -c -e data -e text -e init) > +- _kernel_size=$(stat -c %s "$_file" 2>/dev/null || stat -f %z > "$_file" 2>/dev/null || echo 10000) > ++ _readelf_warnings=$("@readelf@" -S "$_file" 2>&1 >/dev/null | > @grep@ -v 'should index a symtab section' | @tr@ "\n" "/"); ret=$? > ++ _readelf_sections=$("@readelf@" -S "$_file" 2>/dev/null | > @grep@ -c -e data -e text -e init) > ++ _kernel_size=$(@stat@ -c %s "$_file" 2>/dev/null || @stat@ -f > %z "$_file" 2>/dev/null || echo 10000) > + _debug "check_kernel: ret=$? size=$_kernel_size > sections=$_readelf_sections warnings=$_readelf_warnings" > + if [ "$_mode" = desperate ]; then > +- if "${opt_arch_prefix}strings" "$_file" | grep -Eq > '^Linux version '; then > ++ if "@strings@" "$_file" | @grep@ -Eq '^Linux version > '; then > + _debug "check_kernel (desperate): ... > matched!" > +- if [ "$_readelf_sections" = 0 ] && grep -qF - > e armv6 -e armv7 "$_file"; then > ++ if [ "$_readelf_sections" = 0 ] && @grep@ -qF > -e armv6 -e armv7 "$_file"; then > + _debug "check_kernel (desperate): raw > arm binary found, adjusting objdump options" > + objdump_options="-D -b binary -marm" > + else > +@@ -1206,7 +1206,7 @@ try_decompress() > + > + # Try to find the header ($1) and decompress from here > + _debug "try_decompress: looking for $3 magic in $6" > +- for pos in $(tr "$1\n$2" "\n$2=" < "$6" | grep -abo > "^$2") > ++ for pos in $(@tr@ "$1\n$2" "\n$2=" < "$6" | @grep@ -abo > "^$2") > + do > + _debug "try_decompress: magic for $3 found at offset > $pos" > + if ! command -v "$3" >/dev/null 2>&1; then > +@@ -1233,11 +1233,11 @@ try_decompress() > + kernel="$kerneltmp" > + _debug "try_decompress: decompressed with $3 > successfully!" 
> + return 0 > +- elif [ "$3" != "cat" ]; then > ++ elif [ "$3" != "@cat@" ]; then > + _debug "try_decompress: decompression with $3 > worked but result is not a kernel, trying with an offset" > +- [ -z "$kerneltmp2" ] && kerneltmp2=$(mktemp - > t smc-kernel-XXXXXX) > +- cat "$kerneltmp" > "$kerneltmp2" > +- try_decompress '\177ELF' xxy 'cat' '' cat > "$kerneltmp2" && return 0 > ++ [ -z "$kerneltmp2" ] && kerneltmp2=$(@mktemp@ > -t smc-kernel-XXXXXX) > ++ @cat@ "$kerneltmp" > "$kerneltmp2" > ++ try_decompress '\177ELF' xxy '@cat@' '' cat > "$kerneltmp2" && return 0 > + else > + _debug "try_decompress: decompression with $3 > worked but result is not a kernel" > + fi > +@@ -1249,12 +1249,12 @@ extract_kernel() > + { > + [ -n "${1:-}" ] || return 1 > + # Prepare temp files: > +- kerneltmp="$(mktemp -t smc-kernel-XXXXXX)" > ++ kerneltmp="$(@mktemp@ -t smc-kernel-XXXXXX)" > + > + # Initial attempt for uncompressed images or objects: > + if check_kernel "$1"; then > + _debug "extract_kernel: found kernel is valid, no > decompression needed" > +- cat "$1" > "$kerneltmp" > ++ @cat@ "$1" > "$kerneltmp" > + kernel=$kerneltmp > + return 0 > + fi > +@@ -1263,14 +1263,14 @@ extract_kernel() > + for pass in 1 2; do > + for mode in normal desperate; do > + _debug "extract_kernel: pass $pass $mode > mode" > +- try_decompress '\037\213\010' xy > gunzip '' gunzip "$1" "$mode" "$pass" && return 0 > +- try_decompress '\002\041\114\030' xyy > 'lz4' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0 > +- try_decompress '\3757zXZ\000' abcde > unxz '' xz-utils "$1" "$mode" "$pass" && return 0 > +- try_decompress 'BZh' xy > bunzip2 '' bzip2 "$1" "$mode" "$pass" && return 0 > +- try_decompress '\135\0\0\0' xxx > unlzma '' xz-utils "$1" "$mode" "$pass" && return 0 > +- try_decompress '\211\114\132' xy > 'lzop' '-d' lzop "$1" "$mode" "$pass" && return 0 > +- try_decompress '\177ELF' xxy > 'cat' '' cat "$1" "$mode" "$pass" && return 0 > +- try_decompress '(\265/\375' xxy > unzstd '' zstd 
"$1" "$mode" "$pass" && return 0 > ++ try_decompress '\037\213\010' xy > @gunzip@ '' gunzip "$1" "$mode" "$pass" && return 0 > ++ try_decompress '\002\041\114\030' xyy > '@lz4@' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0 > ++ try_decompress '\3757zXZ\000' abcde > @unxz@ '' xz-utils "$1" "$mode" "$pass" && return 0 > ++ try_decompress 'BZh' xy > @bunzip2@ '' bzip2 "$1" "$mode" "$pass" && return 0 > ++ try_decompress '\135\0\0\0' xxx > @unlzma@ '' xz-utils "$1" "$mode" "$pass" && return 0 > ++ try_decompress '\211\114\132' xy > '@lzop@' '-d' lzop "$1" "$mode" "$pass" && return 0 > ++ try_decompress '\177ELF' xxy > '@cat@' '' cat "$1" "$mode" "$pass" && return 0 > ++ try_decompress '(\265/\375' xxy > @unzstd@ '' zstd "$1" "$mode" "$pass" && return 0 > + done > + done > + # kernel_err might already have been populated by > try_decompress() if we're missing one of the tools > +@@ -1287,7 +1287,7 @@ mount_debugfs() > + { > + if [ ! -e /sys/kernel/debug/sched_features ]; then > + # try to mount the debugfs hierarchy ourselves and > remember it to umount afterwards > +- mount -t debugfs debugfs /sys/kernel/debug > 2>/dev/null && mounted_debugfs=1 > ++ @mount@ -t debugfs debugfs /sys/kernel/debug > 2>/dev/null && mounted_debugfs=1 > + fi > + } > + > +@@ -1298,12 +1298,12 @@ load_msr() > + load_msr_once=1 > + > + if [ "$os" = Linux ]; then > +- if ! grep -qw msr "$procfs/modules" 2>/dev/null; then > +- modprobe msr 2>/dev/null && insmod_msr=1 > ++ if ! @grep@ -qw msr "$procfs/modules" 2>/dev/null; > then > ++ @modprobe@ msr 2>/dev/null && insmod_msr=1 > + _debug "attempted to load module msr, > insmod_msr=$insmod_msr" > + else > + _debug "msr module already loaded" > +- fi > ++ fi > + else > + if ! kldstat -q -m cpuctl; then > + kldload cpuctl 2>/dev/null && > kldload_cpuctl=1 > +@@ -1321,12 +1321,12 @@ load_cpuid() > + load_cpuid_once=1 > + > + if [ "$os" = Linux ]; then > +- if ! 
grep -qw cpuid "$procfs/modules" 2>/dev/null; > then > +- modprobe cpuid 2>/dev/null && insmod_cpuid=1 > ++ if ! @grep@ -qw cpuid "$procfs/modules" 2>/dev/null; > then > ++ @modprobe@ cpuid 2>/dev/null && > insmod_cpuid=1 > + _debug "attempted to load module cpuid, > insmod_cpuid=$insmod_cpuid" > + else > + _debug "cpuid module already loaded" > +- fi > ++ fi > + else > + if ! kldstat -q -m cpuctl; then > + kldload cpuctl 2>/dev/null && > kldload_cpuctl=1 > +@@ -1415,7 +1415,7 @@ read_cpuid_one_core() > + fi > + # on some kernel versions, /dev/cpu/0/cpuid doesn't > imply that the cpuid module is loaded, in that case dd returns an > error, > + # we use that fact to load the module if dd returns > an error > +- if ! dd if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null > 2>&1; then > ++ if ! @dd@ if=/dev/cpu/0/cpuid bs=16 count=1 > >/dev/null 2>&1; then > + load_cpuid > + fi > + # we need _leaf to be converted to decimal for dd > +@@ -1426,14 +1426,14 @@ read_cpuid_one_core() > + _ddskip=$(( _position / 16 )) > + _odskip=$(( _position - _ddskip * 16 )) > + # now read the value > +- _cpuid=$(dd if="/dev/cpu/$_core/cpuid" bs=16 > skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | od -j $((_odskip * > 16)) -A n -t u4) > ++ _cpuid=$(@dd@ if="/dev/cpu/$_core/cpuid" bs=16 > skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | @od@ -j $((_odskip > * 16)) -A n -t u4) > + elif [ -e /dev/cpuctl0 ]; then > + # BSD > + if [ ! 
-r /dev/cpuctl0 ]; then > + read_cpuid_msg="Couldn't read cpuid info from > cpuctl" > + return $READ_CPUID_RET_ERR > + fi > +- _cpuid=$(cpucontrol -i "$_leaf","$_subleaf" > "/dev/cpuctl$_core" 2>/dev/null | cut -d: -f2-) > ++ _cpuid=$(cpucontrol -i "$_leaf","$_subleaf" > "/dev/cpuctl$_core" 2>/dev/null | @cut@ -d: -f2-) > + # cpuid level 0x4, level_type 0x2: 0x1c004143 > 0x01c0003f 0x000001ff 0x00000000 > + else > + read_cpuid_msg="Found no way to read cpuid info" > +@@ -1456,7 +1456,7 @@ read_cpuid_one_core() > + fi > + > + # get the value of the register we want > +- _reg=$(echo "$_cpuid" | awk '{print $'"$_register"'}') > ++ _reg=$(echo "$_cpuid" | @awk@ '{print $'"$_register"'}') > + # Linux returns it as decimal, BSD as hex, normalize to > decimal > + _reg=$(( _reg )) > + # shellcheck disable=SC2046 > +@@ -1484,11 +1484,11 @@ dmesg_grep() > + # grep for something in dmesg, ensuring that the dmesg buffer > + # has not been truncated > + dmesg_grepped='' > +- if ! dmesg | grep -qE -e '(^|\] )Linux version [0-9]' -e > '^FreeBSD is a registered' ; then > ++ if ! 
@dmesg@ | @grep@ -qE -e '(^|\] )Linux version [0-9]' -e > '^FreeBSD is a registered' ; then > + # dmesg truncated > + return 2 > + fi > +- dmesg_grepped=$(dmesg | grep -E "$1" | head -1) > ++ dmesg_grepped=$(@dmesg@ | @grep@ -E "$1" | @head@ -1) > + # not found: > + [ -z "$dmesg_grepped" ] && return 1 > + # found, output is in $dmesg_grepped > +@@ -1505,12 +1505,12 @@ parse_cpu_details() > + { > + [ "${parse_cpu_details_done:-}" = 1 ] && return 0 > + > +- if command -v nproc >/dev/null; then > +- number_of_cores=$(nproc) > +- elif echo "$os" | grep -q BSD; then > +- number_of_cores=$(sysctl -n hw.ncpu 2>/dev/null || > echo 1) > ++ if command -v @nproc@ >/dev/null; then > ++ number_of_cores=$(@nproc@) > ++ elif echo "$os" | @grep@ -q BSD; then > ++ number_of_cores=$(@sysctl@ -n hw.ncpu 2>/dev/null || > echo 1) > + elif [ -e "$procfs/cpuinfo" ]; then > +- number_of_cores=$(grep -c ^processor > "$procfs/cpuinfo" 2>/dev/null || echo 1) > ++ number_of_cores=$(@grep@ -c ^processor > "$procfs/cpuinfo" 2>/dev/null || echo 1) > + else > + # if we don't know, default to 1 CPU > + number_of_cores=1 > +@@ -1518,43 +1518,43 @@ parse_cpu_details() > + max_core_id=$(( number_of_cores - 1 )) > + > + if [ -e "$procfs/cpuinfo" ]; then > +- cpu_vendor=$( grep '^vendor_id' "$procfs/cpuinfo" | > awk '{print $3}' | head -1) > +- cpu_friendly_name=$(grep '^model name' > "$procfs/cpuinfo" | cut -d: -f2- | head -1 | sed -e 's/^ *//') > ++ cpu_vendor=$( @grep@ '^vendor_id' "$procfs/cpuinfo" > | @awk@ '{print $3}' | @head@ -1) > ++ cpu_friendly_name=$(@grep@ '^model name' > "$procfs/cpuinfo" | @cut@ -d: -f2- | @head@ -1 | @sed@ -e 's/^ *//') > + # special case for ARM follows > +- if grep -qi 'CPU > implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then > ++ if @grep@ -qi 'CPU > implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then > + cpu_vendor='ARM' > + # some devices (phones or other) have several > ARMs and as such different part numbers, > + # an example is 
"bigLITTLE", so we need to > store the whole list, this is needed for is_cpu_affected > +- cpu_part_list=$(awk '/CPU part/ > {print $4}' "$procfs/cpuinfo") > +- cpu_arch_list=$(awk '/CPU architecture/ > {print $3}' "$procfs/cpuinfo") > ++ cpu_part_list=$(@awk@ '/CPU part/ > {print $4}' "$procfs/cpuinfo") > ++ cpu_arch_list=$(@awk@ '/CPU architecture/ > {print $3}' "$procfs/cpuinfo") > + # take the first one to fill the friendly > name, do NOT quote the vars below > + # shellcheck disable=SC2086 > +- cpu_arch=$(echo $cpu_arch_list | awk '{ print > $1 }') > ++ cpu_arch=$(echo $cpu_arch_list | @awk@ '{ > print $1 }') > + # shellcheck disable=SC2086 > +- cpu_part=$(echo $cpu_part_list | awk '{ print > $1 }') > ++ cpu_part=$(echo $cpu_part_list | @awk@ '{ > print $1 }') > + [ "$cpu_arch" = "AArch64" ] && cpu_arch=8 > + cpu_friendly_name="ARM" > + [ -n "$cpu_arch" ] && > cpu_friendly_name="$cpu_friendly_name v$cpu_arch" > + [ -n "$cpu_part" ] && > cpu_friendly_name="$cpu_friendly_name model $cpu_part" > + > +- elif grep -qi 'CPU > implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then > ++ elif @grep@ -qi 'CPU > implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then > + cpu_vendor='CAVIUM' > +- elif grep -qi 'CPU > implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then > ++ elif @grep@ -qi 'CPU > implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then > + cpu_vendor='PHYTIUM' > + fi > + > +- cpu_family=$( grep '^cpu family' "$procfs/cpuinfo" | > awk '{print $4}' | grep -E '^[0-9]+$' | head -1) > +- cpu_model=$( grep '^model' "$procfs/cpuinfo" | > awk '{print $3}' | grep -E '^[0-9]+$' | head -1) > +- cpu_stepping=$(grep '^stepping' "$procfs/cpuinfo" | > awk '{print $3}' | grep -E '^[0-9]+$' | head -1) > +- cpu_ucode=$( grep '^microcode' "$procfs/cpuinfo" | > awk '{print $3}' | head -1) > ++ cpu_family=$( @grep@ '^cpu family' "$procfs/cpuinfo" > | @awk@ '{print $4}' | @grep@ -E '^[0-9]+$' | @head@ -1) > ++ cpu_model=$( @grep@ 
'^model' "$procfs/cpuinfo" > | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1) > ++ cpu_stepping=$(@grep@ '^stepping' "$procfs/cpuinfo" > | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1) > ++ cpu_ucode=$( @grep@ '^microcode' "$procfs/cpuinfo" > | @awk@ '{print $3}' | @head@ -1) > + else > +- cpu_vendor=$( dmesg | grep -i -m1 'Origin=' | cut -f2 > -w | cut -f2 -d= | cut -f2 -d\" ) > +- cpu_family=$( dmesg | grep -i -m1 'Family=' | cut -f4 > -w | cut -f2 -d= ) > ++ cpu_vendor=$( @dmesg@ | @grep@ -i -m1 'Origin=' | > @cut@ -f2 -w | @cut@ -f2 -d= | @cut@ -f2 -d\" ) > ++ cpu_family=$( @dmesg@ | @grep@ -i -m1 'Family=' | > @cut@ -f4 -w | @cut@ -f2 -d= ) > + cpu_family=$(( cpu_family )) > +- cpu_model=$( dmesg | grep -i -m1 'Model=' | cut -f5 - > w | cut -f2 -d= ) > ++ cpu_model=$( @dmesg@ | @grep@ -i -m1 'Model=' | @cut@ > -f5 -w | @cut@ -f2 -d= ) > + cpu_model=$(( cpu_model )) > +- cpu_stepping=$( dmesg | grep -i -m1 'Stepping=' | cut > -f6 -w | cut -f2 -d= ) > +- cpu_friendly_name=$(sysctl -n hw.model 2>/dev/null) > ++ cpu_stepping=$( @dmesg@ | @grep@ -i -m1 'Stepping=' | > @cut@ -f6 -w | @cut@ -f2 -d= ) > ++ cpu_friendly_name=$(@sysctl@ -n hw.model 2>/dev/null) > + fi > + > + if [ -n "${SMC_MOCK_CPU_FRIENDLY_NAME:-}" ]; then > +@@ -1609,7 +1609,7 @@ parse_cpu_details() > + # call CPUID > + cpucontrol -i 1 /dev/cpuctl0 >/dev/null > + # read MSR > +- cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | > awk '{print $3}') > ++ cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | > @awk@ '{print $3}') > + # convert to decimal > + cpu_ucode=$(( cpu_ucode )) > + # convert back to hex > +@@ -1628,7 +1628,7 @@ parse_cpu_details() > + mockme=$(printf "%b\n%b" "$mockme" > "SMC_MOCK_CPU_UCODE='$cpu_ucode'") > + fi > + > +- echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$(( cpu_ucode )) > ++ echo "$cpu_ucode" | @grep@ -q ^0x && cpu_ucode=$(( cpu_ucode > )) > + ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x > ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" 
"$cpu_stepping" > "$cpu_ucode" "$cpu_cpuid") > + > + # also define those that we will need in other funcs > +@@ -1725,8 +1725,8 @@ is_cpu_smt_enabled() > + { > + # SMT / HyperThreading is enabled if siblings != cpucores > + if [ -e "$procfs/cpuinfo" ]; then > +- _siblings=$(awk '/^siblings/ {print $3;exit}' > "$procfs/cpuinfo") > +- _cpucores=$(awk '/^cpu cores/ {print $4;exit}' > "$procfs/cpuinfo") > ++ _siblings=$(@awk@ '/^siblings/ {print $3;exit}' > "$procfs/cpuinfo") > ++ _cpucores=$(@awk@ '/^cpu cores/ {print $4;exit}' > "$procfs/cpuinfo") > + if [ -n "$_siblings" ] && [ -n "$_cpucores" ]; then > + if [ "$_siblings" = "$_cpucores" ]; then > + return 1 > +@@ -1774,10 +1774,10 @@ is_ucode_blacklisted() > + $INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b \ > + $INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712 > + do > +- model=$(echo "$tuple" | cut -d, -f1) > +- stepping=$(( $(echo "$tuple" | cut -d, -f2) )) > ++ model=$(echo "$tuple" | @cut@ -d, -f1) > ++ stepping=$(( $(echo "$tuple" | @cut@ -d, -f2) )) > + if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" = > "$stepping" ]; then > +- ucode=$(( $(echo "$tuple" | cut -d, -f3) )) > ++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) )) > + if [ "$cpu_ucode" = "$ucode" ]; then > + _debug "is_ucode_blacklisted: we have > a match! 
($cpu_model/$cpu_stepping/$cpu_ucode)" > + return 0 > +@@ -1865,7 +1865,7 @@ is_xen_dom0() > + return 1 > + fi > + > +- if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d" > "$procfs/xen/capabilities"; then > ++ if [ -e "$procfs/xen/capabilities" ] && @grep@ -q "control_d" > "$procfs/xen/capabilities"; then > + return 0 > + else > + return 1 > +@@ -1893,13 +1893,13 @@ is_xen_domU() > + > + if [ -r "$mcedb_cache" ]; then > + # we have a local cache file, but it might be older than the > builtin version we have > +- local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }' > "$mcedb_cache") > ++ local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }' > "$mcedb_cache") > + mcedb_source="$mcedb_cache" > + mcedb_info="local firmwares DB $local_dbversion" > + fi > + read_mcedb() > + { > +- awk '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 > }' "$mcedb_source" > ++ @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { > DELIM=1 }' "$mcedb_source" > + } > + > + is_latest_known_ucode() > +@@ -1920,10 +1920,10 @@ is_latest_known_ucode() > + else > + return 2 > + fi > +- for tuple in $(read_mcedb | grep "$(printf > "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")") > ++ for tuple in $(read_mcedb | @grep@ "$(printf > "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")") > + do > +- ucode=$(( $(echo "$tuple" | cut -d, -f3) )) > +- ucode_date=$(echo "$tuple" | cut -d, -f4 | sed -r > 's=(....)(..)(..)=\1/\2/\3=') > ++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) )) > ++ ucode_date=$(echo "$tuple" | @cut@ -d, -f4 | @sed@ -r > 's=(....)(..)(..)=\1/\2/\3=') > + _debug "is_latest_known_ucode: with cpuid $cpu_cpuid > has ucode $cpu_ucode, last known is $ucode from $ucode_date" > + ucode_latest=$(printf "latest version is 0x%x dated > $ucode_date according to $mcedb_info" "$ucode") > + if [ "$cpu_ucode" -ge "$ucode" ]; then > +@@ -1948,7 +1948,7 @@ get_cmdline() > + kernel_cmdline="$SMC_MOCK_CMDLINE" > + return > + else > +- kernel_cmdline=$(cat "$procfs/cmdline") > ++ 
kernel_cmdline=$(@cat@ "$procfs/cmdline") > + mockme=$(printf "%b\n%b" "$mockme" > "SMC_MOCK_CMDLINE='$kernel_cmdline'") > + fi > + } > +@@ -1956,7 +1956,7 @@ get_cmdline() > + # ENTRYPOINT > + > + # we can't do anything useful under WSL > +-if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then > ++if @uname@ -a | @grep@ -qE -- '-Microsoft #[0-9]+-Microsoft '; then > + _warn "This script doesn't work under Windows Subsystem for > Linux" > + _warn "You should use the official Microsoft tool instead." > + _warn "It can be found under > https://aka.ms/SpeculationControlPS" > +@@ -2005,15 +2005,15 @@ fi > + > + # if we're under a BSD, try to mount linprocfs for > "$procfs/cpuinfo" > + procfs=/proc > +-if echo "$os" | grep -q BSD; then > ++if echo "$os" | @grep@ -q BSD; then > + _debug "We're under BSD, check if we have procfs" > +- procfs=$(mount | awk '/^linprocfs/ { print $3; exit; }') > ++ procfs=$(@mount@ | @awk@ '/^linprocfs/ { print $3; exit; }') > + if [ -z "$procfs" ]; then > + _debug "we don't, try to mount it" > + procfs=/proc > + [ -d /compat/linux/proc ] && > procfs=/compat/linux/proc > + test -d $procfs || mkdir $procfs > +- if mount -t linprocfs linprocfs $procfs 2>/dev/null; > then > ++ if @mount@ -t linprocfs linprocfs $procfs > 2>/dev/null; then > + mounted_procfs=1 > + _debug "procfs just mounted at $procfs" > + else > +@@ -2045,14 +2045,14 @@ fi > + > + if [ "$opt_live" = 1 ]; then > + # root check (only for live mode, for offline mode, we > already checked if we could read the files) > +- if [ "$(id -u)" -ne 0 ]; then > ++ if [ "$(@id@ -u)" -ne 0 ]; then > + _warn "Note that you should launch this script with > root privileges to get accurate information." > + _warn "We'll proceed but you might see permission > denied errors." 
> + _warn "To run it as root, you can try the following > command: sudo $0" > + _warn > + fi > + _info "Checking for vulnerabilities on current system" > +- _info "Kernel is \033[35m$os $(uname -r) $(uname -v) $(uname > -m)\033[0m" > ++ _info "Kernel is \033[35m$os $(@uname@ -r) $(@uname@ -v) > $(@uname@ -m)\033[0m" > + _info "CPU is \033[35m$cpu_friendly_name\033[0m" > + > + # try to find the image of the current running kernel > +@@ -2060,12 +2060,12 @@ if [ "$opt_live" = 1 ]; then > + # specified by user on cmdline, with --live, don't > override > + : > + # first, look for the BOOT_IMAGE hint in the kernel cmdline > +- elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then > +- opt_kernel=$(echo "$kernel_cmdline" | grep -Eo > 'BOOT_IMAGE=[^ ]+' | cut -d= -f2) > ++ elif echo "$kernel_cmdline" | @grep@ -q 'BOOT_IMAGE='; then > ++ opt_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo > 'BOOT_IMAGE=[^ ]+' | @cut@ -d= -f2) > + _debug "found opt_kernel=$opt_kernel in > $procfs/cmdline" > + # if the boot partition is within a btrfs subvolume, > strip the subvolume name > + # if /boot is a separate subvolume, the remainder of > the code in this section should handle it > +- if echo "$opt_kernel" | grep -q "^/@"; then > opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi > ++ if echo "$opt_kernel" | @grep@ -q "^/@"; then > opt_kernel=$(echo "$opt_kernel" | @sed@ "s:/@[^/]*::"); fi > + # if we have a dedicated /boot partition, our > bootloader might have just called it / > + # so try to prepend /boot and see if we find anything > + [ -e "/boot/$opt_kernel" ] && > opt_kernel="/boot/$opt_kernel" > +@@ -2077,7 +2077,7 @@ if [ "$opt_live" = 1 ]; then > + # if we didn't find a kernel, default to guessing > + if [ ! 
-e "$opt_kernel" ]; then > + # Fedora: > +- [ -e "/lib/modules/$(uname -r)/vmlinuz" ] && > opt_kernel="/lib/modules/$(uname -r)/vmlinuz" > ++ [ -e "/lib/modules/$(@uname@ -r)/vmlinuz" ] && > opt_kernel="/lib/modules/$(@uname@ -r)/vmlinuz" > + # Slackware: > + [ -e "/boot/vmlinuz" ] && > opt_kernel="/boot/vmlinuz" > + # Arch aarch64: > +@@ -2091,24 +2091,24 @@ if [ "$opt_live" = 1 ]; then > + # pine64 > + [ -e "/boot/pine64/Image" ] && > opt_kernel="/boot/pine64/Image" > + # generic: > +- [ -e "/boot/vmlinuz-$(uname -r)" ] && > opt_kernel="/boot/vmlinuz-$(uname -r)" > +- [ -e "/boot/kernel-$( uname -r)" ] && > opt_kernel="/boot/kernel-$( uname -r)" > +- [ -e "/boot/bzImage-$(uname -r)" ] && > opt_kernel="/boot/bzImage-$(uname -r)" > ++ [ -e "/boot/vmlinuz-$(@uname@ -r)" ] && > opt_kernel="/boot/vmlinuz-$(@uname@ -r)" > ++ [ -e "/boot/kernel-$( @uname@ -r)" ] && > opt_kernel="/boot/kernel-$( @uname@ -r)" > ++ [ -e "/boot/bzImage-$(@uname@ -r)" ] && > opt_kernel="/boot/bzImage-$(@uname@ -r)" > + # Gentoo: > +- [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" > ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)" > ++ [ -e "/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ > -r)" ] && opt_kernel="/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ > -r)" > + # NixOS: > + [ -e "/run/booted-system/kernel" ] && > opt_kernel="/run/booted-system/kernel" > + # Guix System: > + [ -e "/run/booted-system/kernel/bzImage" ] && > opt_kernel="/run/booted-system/kernel/bzImage" > + # systemd kernel-install: > +- [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat > /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat > /etc/machine-id)/$(uname -r)/linux" > ++ [ -e "/etc/machine-id" ] && [ -e "/boot/$(@cat@ > /etc/machine-id)/$(@uname@ -r)/linux" ] && opt_kernel="/boot/$(@cat@ > /etc/machine-id)/$(@uname@ -r)/linux" > + # Clear Linux: > +- str_uname=$(uname -r) > ++ str_uname=$(@uname@ -r) > + clear_linux_kernel="/lib/kernel/org.clearlinux.${str_ > 
uname##*.}.${str_uname%.*}" > + [ -e "$clear_linux_kernel" ] && > opt_kernel=$clear_linux_kernel > + # Custom Arch seems to have the kernel path in its > cmdline in the form "\directory\kernelimage", > + # with actual \'s instead of /'s: > +- custom_arch_kernel=$(echo "$kernel_cmdline" | grep - > Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d > '[:space:]') > ++ custom_arch_kernel=$(echo "$kernel_cmdline" | @grep@ > -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | @tr@ "\\\\" "/" | @tr@ -d > '[:space:]') > + if [ -n "$custom_arch_kernel" ] && [ -e > "$custom_arch_kernel" ]; then > + opt_kernel="$custom_arch_kernel" > + fi > +@@ -2122,12 +2122,12 @@ if [ "$opt_live" = 1 ]; then > + : > + elif [ -e "$procfs/kallsyms" ] ; then > + opt_map="$procfs/kallsyms" > +- elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then > +- opt_map="/lib/modules/$(uname -r)/System.map" > +- elif [ -e "/boot/System.map-$(uname -r)" ] ; then > +- opt_map="/boot/System.map-$(uname -r)" > +- elif [ -e "/lib/kernel/System.map-$(uname -r)" ]; then > +- opt_map="/lib/kernel/System.map-$(uname -r)" > ++ elif [ -e "/lib/modules/$(@uname@ -r)/System.map" ] ; then > ++ opt_map="/lib/modules/$(@uname@ -r)/System.map" > ++ elif [ -e "/boot/System.map-$(@uname@ -r)" ] ; then > ++ opt_map="/boot/System.map-$(@uname@ -r)" > ++ elif [ -e "/lib/kernel/System.map-$(@uname@ -r)" ]; then > ++ opt_map="/lib/kernel/System.map-$(@uname@ -r)" > + fi > + > + # config > +@@ -2135,18 +2135,18 @@ if [ "$opt_live" = 1 ]; then > + # specified by user on cmdline, with --live, don't > override > + : > + elif [ -e "$procfs/config.gz" ] ; then > +- dumped_config="$(mktemp -t smc-config-XXXXXX)" > +- gunzip -c "$procfs/config.gz" > "$dumped_config" > ++ dumped_config="$(@mktemp@ -t smc-config-XXXXXX)" > ++ @gunzip@ -c "$procfs/config.gz" > "$dumped_config" > + # dumped_config will be deleted at the end of the > script > + opt_config="$dumped_config" > +- elif [ -e "/lib/modules/$(uname -r)/config" ]; then > +- 
opt_config="/lib/modules/$(uname -r)/config" > +- elif [ -e "/boot/config-$(uname -r)" ]; then > +- opt_config="/boot/config-$(uname -r)" > +- elif [ -e "/etc/kernels/kernel-config-$(uname -m)-$(uname - > r)" ]; then > +- opt_config="/etc/kernels/kernel-config-$(uname -m)- > $(uname -r)" > +- elif [ -e "/lib/kernel/config-$(uname -r)" ]; then > +- opt_config="/lib/kernel/config-$(uname -r)" > ++ elif [ -e "/lib/modules/$(@uname@ -r)/config" ]; then > ++ opt_config="/lib/modules/$(@uname@ -r)/config" > ++ elif [ -e "/boot/config-$(@uname@ -r)" ]; then > ++ opt_config="/boot/config-$(@uname@ -r)" > ++ elif [ -e "/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ > -r)" ]; then > ++ opt_config="/etc/kernels/kernel-config-$(@uname@ -m)- > $(@uname@ -r)" > ++ elif [ -e "/lib/kernel/config-$(@uname@ -r)" ]; then > ++ opt_config="/lib/kernel/config-$(@uname@ -r)" > + fi > + else > + _info "Checking for vulnerabilities against specified kernel" > +@@ -2161,7 +2161,7 @@ else > + fi > + > + if [ "$os" = Linux ]; then > +- if [ -n "$opt_config" ] && ! grep -q '^CONFIG_' > "$opt_config"; then > ++ if [ -n "$opt_config" ] && ! @grep@ -q '^CONFIG_' > "$opt_config"; then > + # given file is invalid! > + _warn "The kernel config file seems invalid, was > expecting a plain-text file, ignoring it!" > + opt_config='' > +@@ -2189,7 +2189,7 @@ if [ "$os" = Linux ]; then > + fi > + > + if [ -e "$opt_kernel" ]; then > +- if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; > then > ++ if ! 
command -v "@readelf@" >/dev/null 2>&1; then > + _debug "readelf not found" > + kernel_err="missing '${opt_arch_prefix}readelf' tool, > please install it, usually it's in the 'binutils' package" > + elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ]; > then > +@@ -2207,20 +2207,20 @@ else > + # vanilla kernels have with ^Linux version > + # also try harder with some kernels (such as Red Hat) that > don't have ^Linux version before their version string > + # and check for FreeBSD > +- kernel_version=$("${opt_arch_prefix}strings" "$kernel" > 2>/dev/null | grep -E \ > ++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ - > E \ > + -e '^Linux version ' \ > + -e '^[[:alnum:]][^[:space:]]+ \([^[:space:]]+\) #[0- > 9]+ .+ (19|20)[0-9][0-9]$' \ > +- -e '^FreeBSD [0-9]' | head -1) > ++ -e '^FreeBSD [0-9]' | @head@ -1) > + if [ -z "$kernel_version" ]; then > + # try even harder with some kernels (such as ARM) > that split the release (uname -r) and version (uname -v) in 2 > adjacent strings > +- kernel_version=$("${opt_arch_prefix}strings" > "$kernel" 2>/dev/null | grep -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' > | tr "\n" " ") > ++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | > @grep@ -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | @tr@ "\n" " ") > + fi > + if [ -n "$kernel_version" ]; then > + # in live mode, check if the img we found is the > correct one > + if [ "$opt_live" = 1 ]; then > + _verbose "Kernel image is > \033[35m$kernel_version" > +- if ! echo "$kernel_version" | grep -qF > "$(uname -r)"; then > +- _warn "Possible discrepancy between > your running kernel '$(uname -r)' and the image '$kernel_version' we > found ($opt_kernel), results might be incorrect" > ++ if ! 
echo "$kernel_version" | @grep@ -qF > "$(@uname@ -r)"; then > ++ _warn "Possible discrepancy between > your running kernel '$(@uname@ -r)' and the image '$kernel_version' > we found ($opt_kernel), results might be incorrect" > + fi > + else > + _info "Kernel image is > \033[35m$kernel_version" > +@@ -2248,11 +2248,11 @@ sys_interface_check() > + if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r > "$file" ]; then > + : > + else > +- mockme=$(printf "%b\n%b" "$mockme" > "SMC_MOCK_SYSFS_$(basename "$file")_RET=1") > ++ mockme=$(printf "%b\n%b" "$mockme" > "SMC_MOCK_SYSFS_$(@basename@ "$file")_RET=1") > + return 1 > + fi > + > +- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")_RET" > ++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")_RET" > + # shellcheck disable=SC2086,SC1083 > + if [ -n "$(eval echo \${$_mockvarname:-})" ]; then > + _debug "sysfs: MOCKING enabled for $file func returns > $(eval echo \$$_mockvarname)" > +@@ -2261,17 +2261,17 @@ sys_interface_check() > + fi > + > + [ -n "$regex" ] || regex='.*' > +- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")" > ++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")" > + # shellcheck disable=SC2086,SC1083 > + if [ -n "$(eval echo \${$_mockvarname:-})" ]; then > + fullmsg="$(eval echo \$$_mockvarname)" > +- msg=$(echo "$fullmsg" | grep -Eo "$regex") > ++ msg=$(echo "$fullmsg" | @grep@ -Eo "$regex") > + _debug "sysfs: MOCKING enabled for $file, will return > $fullmsg" > + mocked=1 > + else > +- fullmsg=$(cat "$file") > +- msg=$(grep -Eo "$regex" "$file") > +- mockme=$(printf "%b\n%b" "$mockme" > "SMC_MOCK_SYSFS_$(basename "$file")='$fullmsg'") > ++ fullmsg=$(@cat@ "$file") > ++ msg=$(@grep@ -Eo "$regex" "$file") > ++ mockme=$(printf "%b\n%b" "$mockme" > "SMC_MOCK_SYSFS_$(@basename@ "$file")='$fullmsg'") > + fi > + if [ "$mode" = silent ]; then > + return 0 > +@@ -2280,15 +2280,15 @@ sys_interface_check() > + return 0 > + fi > + _info_nol "* Mitigated according to the /sys interface: " > +- if echo "$msg" 
| grep -qi '^not affected'; then > ++ if echo "$msg" | @grep@ -qi '^not affected'; then > + # Not affected > + status=OK > + pstatus green YES "$fullmsg" > +- elif echo "$msg" | grep -qEi '^(kvm: )?mitigation'; then > ++ elif echo "$msg" | @grep@ -qEi '^(kvm: )?mitigation'; then > + # Mitigation: PTI > + status=OK > + pstatus green YES "$fullmsg" > +- elif echo "$msg" | grep -qi '^vulnerable'; then > ++ elif echo "$msg" | @grep@ -qi '^vulnerable'; then > + # Vulnerable > + status=VULN > + pstatus yellow NO "$fullmsg" > +@@ -2376,20 +2376,20 @@ write_msr_one_core() > + # ret=4: msr doesn't exist, ret=127: > msr.allow_writes=off > + [ "$ret" = 127 ] && _write_denied=1 > + # or fallback to dd if it supports seek_bytes, we > prefer it over perl because we can tell the difference between EPERM > and EIO > +- elif dd if=/dev/null of=/dev/null bs=8 count=1 > seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" > != 1 ]; then > ++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 > seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" > != 1 ]; then > + _debug "write_msr: using dd" > +- dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 > count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$? > ++ @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr > bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$? 
> + # if it failed, inspect stderrto look for > EPERM > + if [ "$ret" != 0 ]; then > +- if dd if=/dev/zero > of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" > oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then > ++ if @dd@ if=/dev/zero > of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" > oflag=seek_bytes 2>&1 | @grep@ -qF 'Operation not permitted'; then > + _write_denied=1 > + fi > + fi > + # or if we have perl, use it, any 5.x version will > work > +- elif command -v perl >/dev/null 2>&1 && [ > "${SMC_NO_PERL:-}" != 1 ]; then > ++ elif command -v @perl@ >/dev/null 2>&1 && [ > "${SMC_NO_PERL:-}" != 1 ]; then > + _debug "write_msr: using perl" > + ret=1 > +- perl -e "open(M,'>','/dev/cpu/$_core/msr') > and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? - > eq 8 ] && ret=0 > ++ @perl@ -e "open(M,'>','/dev/cpu/$_core/msr') > and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? - > eq 8 ] && ret=0 > + else > + _debug "write_msr: got no wrmsr, perl or > recent enough dd!" 
> + mockme=$(printf "%b\n%b" "$mockme" > "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR") > +@@ -2411,13 +2411,13 @@ write_msr_one_core() > + msr_locked_down=1 > + write_msr_msg="your kernel is > configured to deny writes to MSRs from user space" > + return $WRITE_MSR_RET_LOCKDOWN > +- elif dmesg | grep -qF "msr: Direct access to > MSR"; then > ++ elif @dmesg@ | @grep@ -qF "msr: Direct access > to MSR"; then > + _debug "write_msr: locked down kernel > detected (Red Hat / Fedora)" > + mockme=$(printf "%b\n%b" "$mockme" > "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN") > + msr_locked_down=1 > + write_msr_msg="your kernel is locked > down (Fedora/Red Hat), please reboot without secure boot and retry" > + return $WRITE_MSR_RET_LOCKDOWN > +- elif dmesg | grep -qF "raw MSR access is > restricted"; then > ++ elif @dmesg@ | @grep@ -qF "raw MSR access is > restricted"; then > + _debug "write_msr: locked down kernel > detected (vanilla)" > + mockme=$(printf "%b\n%b" "$mockme" > "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN") > + msr_locked_down=1 > +@@ -2516,8 +2516,8 @@ read_msr_one_core() > + return $READ_MSR_RET_KO > + fi > + # MSR 0x10: 0x000003e1 0xb106dded > +- _msr_h=$(echo "$_msr" | awk '{print $3}'); > +- _msr_l=$(echo "$_msr" | awk '{print $4}'); > ++ _msr_h=$(echo "$_msr" | @awk@ '{print $3}'); > ++ _msr_l=$(echo "$_msr" | @awk@ '{print $4}'); > + read_msr_value=$(( _msr_h << 32 | _msr_l )) > + else > + # for Linux > +@@ -2528,15 +2528,15 @@ read_msr_one_core() > + # if rdmsr is available, use it > + elif command -v rdmsr >/dev/null 2>&1 && [ > "${SMC_NO_RDMSR:-}" != 1 ]; then > + _debug "read_msr: using rdmsr on $_msr" > +- read_msr_value=$(rdmsr -r $_msr_dec > 2>/dev/null | od -t u8 -A n) > ++ read_msr_value=$(rdmsr -r $_msr_dec > 2>/dev/null | @od@ -t u8 -A n) > + # or if we have perl, use it, any 5.x version will > work > +- elif command -v perl >/dev/null 2>&1 && [ > "${SMC_NO_PERL:-}" != 1 ]; then > ++ elif command -v @perl@ >/dev/null 2>&1 && [ 
> "${SMC_NO_PERL:-}" != 1 ]; then > + _debug "read_msr: using perl on $_msr" > +- read_msr_value=$(perl -e > "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and > read(M,\$_,8) and print" | od -t u8 -A n) > ++ read_msr_value=$(@perl@ -e > "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and > read(M,\$_,8) and print" | @od@ -t u8 -A n) > + # fallback to dd if it supports skip_bytes > +- elif dd if=/dev/null of=/dev/null bs=8 count=1 > skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then > ++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 > skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then > + _debug "read_msr: using dd on $_msr" > +- read_msr_value=$(dd if=/dev/cpu/"$_core"/msr > bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8 > -A n) > ++ read_msr_value=$(@dd@ > if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" > iflag=skip_bytes 2>/dev/null | @od@ -t u8 -A n) > + else > + _debug "read_msr: got no rdmsr, perl or > recent enough dd!" > + mockme=$(printf "%b\n%b" "$mockme" > "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR") > +@@ -2560,7 +2560,7 @@ check_cpu() > + { > + _info "\033[1;34mHardware check\033[0m" > + > +- if ! uname -m | grep -qwE 'x86_64|i[3-6]86|amd64'; then > ++ if ! @uname@ -m | @grep@ -qwE 'x86_64|i[3-6]86|amd64'; then > + return > + fi > + > +@@ -3176,19 +3176,19 @@ check_redhat_canonical_spectre() > + # if we were already called, don't do it again > + [ -n "${redhat_canonical_spectre:-}" ] && return > + > +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; > then > ++ if ! 
command -v "@strings@" >/dev/null 2>&1; then > + redhat_canonical_spectre=-1 > + elif [ -n "$kernel_err" ]; then > + redhat_canonical_spectre=-2 > + else > + # Red Hat / Ubuntu specific variant1 patch is > difficult to detect, > + # let's use the two same tricks than the official Red > Hat detection script uses: > +- if "${opt_arch_prefix}strings" "$kernel" | grep -qw > noibrs && "${opt_arch_prefix}strings" "$kernel" | grep -qw noibpb; > then > ++ if "@strings@" "$kernel" | @grep@ -qw noibrs && > "@strings@" "$kernel" | @grep@ -qw noibpb; then > + # 1) detect their specific variant2 patch. If > it's present, it means > + # that the variant1 patch is also present > (both were merged at the same time) > + _debug "found redhat/canonical version of the > variant2 patch (implies variant1)" > + redhat_canonical_spectre=1 > +- elif "${opt_arch_prefix}strings" "$kernel" | grep -q > 'x86/pti:'; then > ++ elif "@strings@" "$kernel" | @grep@ -q 'x86/pti:'; > then > + # 2) detect their specific variant3 patch. If > it's present, but the variant2 > + # is not, it means that only variant1 is > present in addition to variant3 > + _debug "found redhat/canonical version of the > variant3 patch (implies variant1 but not variant2)" > +@@ -3213,13 +3213,13 @@ check_has_vmm() > + # If we find no evidence that this is the case, > assume we're not (to avoid scaring users), > + # this can always be overridden with --vmm in any > case. 
> + has_vmm=0 > +- if command -v pgrep >/dev/null 2>&1; then > ++ if command -v @pgrep@ >/dev/null 2>&1; then > + # remove xenbus and xenwatch, also present > inside domU > + # remove libvirtd as it can also be used to > manage containers and not VMs > + # for each binary we want to grep, get the > pids > + for _binary in qemu kvm xenstored xenconsoled > + do > +- for _pid in $(pgrep -x $_binary) > ++ for _pid in $(@pgrep@ -x $_binary) > + do > + # resolve the exe symlink, if > it doesn't resolve with -m, > + # which doesn't even need the > dest to exist, it means the symlink > +@@ -3235,7 +3235,7 @@ check_has_vmm() > + else > + # ignore SC2009 as `ps ax` is actually used > as a fallback if `pgrep` isn't installed > + # shellcheck disable=SC2009 > +- if command -v ps >/devnull && ps ax | grep - > vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e > '/xenstored' -e '/xenconsoled'; then > ++ if command -v ps >/devnull && ps ax | @grep@ > -vw grep | @grep@ -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e > '/xenstored' -e '/xenconsoled'; then > + has_vmm=1 > + fi > + fi > +@@ -3267,7 +3267,7 @@ check_CVE_2017_5753() > + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" > + if [ "$os" = Linux ]; then > + check_CVE_2017_5753_linux > +- elif echo "$os" | grep -q BSD; then > ++ elif echo "$os" | @grep@ -q BSD; then > + check_CVE_2017_5753_bsd > + else > + _warn "Unsupported OS ($os)" > +@@ -3319,20 +3319,20 @@ check_CVE_2017_5753_linux() > + v1_mask_nospec='' > + if [ -n "$kernel_err" ]; then > + pstatus yellow UNKNOWN "couldn't check > ($kernel_err)" > +- elif ! command -v perl >/dev/null 2>&1; then > ++ elif ! command -v @perl@ >/dev/null 2>&1; then > + pstatus yellow UNKNOWN "missing 'perl' > binary, please install it" > + else > +- perl -ne > '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { > exit($found) }' "$kernel"; ret=$? > ++ @perl@ -ne > '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { > exit($found) }' "$kernel"; ret=$? 
> + if [ $ret -gt 0 ]; then > + pstatus green YES "$ret occurrence(s) > found of x86 64 bits array_index_mask_nospec()" > + v1_mask_nospec="x86 64 bits > array_index_mask_nospec" > + else > +- perl -ne > '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { > exit($found) }' "$kernel"; ret=$? > ++ @perl@ -ne > '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { > exit($found) }' "$kernel"; ret=$? > + if [ $ret -gt 0 ]; then > + pstatus green YES "$ret > occurrence(s) found of x86 32 bits array_index_mask_nospec()" > + v1_mask_nospec="x86 32 bits > array_index_mask_nospec" > + else > +- > ret=$("${opt_arch_prefix}objdum > p" $objdump_options "$kernel" | grep -w -e f3af8014 -e e320f014 -B2 | > grep -B1 -w sbc | grep -w -c cmp) > ++ ret=$("@objdump@" > $objdump_options "$kernel" | @grep@ -w -e f3af8014 -e e320f014 -B2 | > @grep@ -B1 -w sbc | @grep@ -w -c cmp) > + if [ "$ret" -gt 0 ]; then > + pstatus green YES > "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()" > + v1_mask_nospec="arm > 32 bits array_index_mask_nospec" > +@@ -3376,12 +3376,12 @@ check_CVE_2017_5753_linux() > + pstatus yellow NO > + elif [ -n "$kernel_err" ]; then > + pstatus yellow UNKNOWN "couldn't check > ($kernel_err)" > +- elif ! command -v perl >/dev/null 2>&1; then > ++ elif ! command -v @perl@ >/dev/null 2>&1; then > + pstatus yellow UNKNOWN "missing 'perl' > binary, please install it" > +- elif ! command -v "${opt_arch_prefix}objdump" > >/dev/null 2>&1; then > ++ elif ! command -v "@objdump@" >/dev/null 2>&1; then > + pstatus yellow UNKNOWN "missing > '${opt_arch_prefix}objdump' tool, please install it, usually it's in > the binutils package" > + else > +- "${opt_arch_prefix}objdump" $objdump_options > "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && > $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && > $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$? 
> ++ "@objdump@" $objdump_options "$kernel" | > @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ > && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift > @r if @r>3'; ret=$? > + if [ "$ret" -eq 9 ]; then > + pstatus green YES "mask_nospec64 > macro is present and used" > + v1_mask_nospec="arm64 mask_nospec64" > +@@ -3403,12 +3403,12 @@ check_CVE_2017_5753_linux() > + pstatus yellow NO > + elif [ -n "$kernel_err" ]; then > + pstatus yellow UNKNOWN "couldn't check > ($kernel_err)" > +- elif ! command -v perl >/dev/null 2>&1; then > ++ elif ! command -v @perl@ >/dev/null 2>&1; then > + pstatus yellow UNKNOWN "missing 'perl' > binary, please install it" > +- elif ! command -v "${opt_arch_prefix}objdump" > >/dev/null 2>&1; then > ++ elif ! command -v "@objdump@" >/dev/null 2>&1; then > + pstatus yellow UNKNOWN "missing > '${opt_arch_prefix}objdump' tool, please install it, usually it's in > the binutils package" > + else > +- "${opt_arch_prefix}objdump" -d "$kernel" | > perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && > $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && > $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); > shift @r if @r>3'; ret=$? > ++ "@objdump@" -d "$kernel" | @perl@ -ne 'push > @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && > $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); > shift @r if @r>3'; ret=$? > + if [ "$ret" -eq 9 ]; then > + pstatus green YES "array_index_nospec > macro is present and used" > + v1_mask_nospec="arm64 > array_index_nospec" > +@@ -3424,7 +3424,7 @@ check_CVE_2017_5753_linux() > + if [ -n "$kernel_err" ]; then > + pstatus yellow UNKNOWN "couldn't > check ($kernel_err)" > + else > +- if ! command -v > "${opt_arch_prefix}objdump" >/dev/null 2>&1; then > ++ if ! 
command -v "@objdump@" > >/dev/null 2>&1; then > + pstatus yellow UNKNOWN > "missing '${opt_arch_prefix}objdump' tool, please install it, usually > it's in the binutils package" > + else > + # here we disassemble the > kernel and count the number of occurrences of the LFENCE opcode > +@@ -3434,7 +3434,7 @@ check_CVE_2017_5753_linux() > + # so let's push the threshold > to 70. > + # v0.33+: now only count > lfence opcodes after a jump, way less error-prone > + # non patched kernel have > between 0 and 20 matches, patched ones have at least 40-45 > +- > nb_lfence=$("${opt_arch_prefix} > objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence > | grep -Ewc 'jmp|jne|je') > ++ nb_lfence=$("@objdump@" > $objdump_options "$kernel" 2>/dev/null | @grep@ -w -B1 lfence | > @grep@ -Ewc 'jmp|jne|je') > + if [ "$nb_lfence" -lt 30 ]; > then > + pstatus yellow NO > "only $nb_lfence jump-then-lfence instructions found, should be >= 30 > (heuristic)" > + else > +@@ -3505,7 +3505,7 @@ check_CVE_2017_5715() > + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" > + if [ "$os" = Linux ]; then > + check_CVE_2017_5715_linux > +- elif echo "$os" | grep -q BSD; then > ++ elif echo "$os" | @grep@ -q BSD; then > + check_CVE_2017_5715_bsd > + else > + _warn "Unsupported OS ($os)" > +@@ -3547,13 +3547,13 @@ check_CVE_2017_5715_linux() > + # > /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed > + specex_knob_dir=$dir > + ibrs_supported="$dir/ibrs_ena > bled exists" > +- ibrs_enabled=$(cat > "$dir/ibrs_enabled" 2>/dev/null) > ++ ibrs_enabled=$(@cat@ > "$dir/ibrs_enabled" 2>/dev/null) > + _debug "ibrs: found > $dir/ibrs_enabled=$ibrs_enabled" > + # if ibrs_enabled is there, > ibpb_enabled will be in the same dir > + if [ -e "$dir/ibpb_enabled" > ]; then > + # if the file is > there, we have IBPB compiled-in (see note above for IBRS) > + ibpb_supported="$dir/ > ibpb_enabled exists" > +- ibpb_enabled=$(cat > "$dir/ibpb_enabled" 2>/dev/null) > ++ ibpb_enabled=$(@cat@ > 
"$dir/ibpb_enabled" 2>/dev/null) > + _debug "ibpb: found > $dir/ibpb_enabled=$ibpb_enabled" > + else > + _debug "ibpb: > $dir/ibpb_enabled file doesn't exist" > +@@ -3568,7 +3568,7 @@ check_CVE_2017_5715_linux() > + # which in that case means ibrs is supported > *and* enabled for kernel & user > + # as per the ibrs patch series v3 > + if [ -z "$ibrs_supported" ]; then > +- if grep ^flags "$procfs/cpuinfo" | > grep -qw spec_ctrl_ibrs; then > ++ if @grep@ ^flags "$procfs/cpuinfo" | > @grep@ -qw spec_ctrl_ibrs; then > + _debug "ibrs: found > spec_ctrl_ibrs flag in $procfs/cpuinfo" > + ibrs_supported="spec_ctrl_ibr > s flag in $procfs/cpuinfo" > + # enabled=2 -> kernel & user > +@@ -3578,13 +3578,13 @@ check_CVE_2017_5715_linux() > + fi > + if [ -n "$fullmsg" ]; then > + # when IBPB is enabled on 4.15+, we > can see it in sysfs > +- if echo "$fullmsg" | grep -q 'IBPB'; > then > ++ if echo "$fullmsg" | @grep@ -q > 'IBPB'; then > + _debug "ibpb: found enabled > in sysfs" > + [ -z "$ibpb_supported" ] && > ibpb_supported='IBPB found enabled in sysfs' > + [ -z "$ibpb_enabled" ] && > ibpb_enabled=1 > + fi > + # when IBRS_FW is enabled on 4.15+, > we can see it in sysfs > +- if echo "$fullmsg" | grep -q ', > IBRS_FW'; then > ++ if echo "$fullmsg" | @grep@ -q ', > IBRS_FW'; then > + _debug "ibrs: found IBRS_FW > in sysfs" > + [ -z "$ibrs_supported" ] && > ibrs_supported='found IBRS_FW in sysfs' > + ibrs_fw_enabled=1 > +@@ -3592,13 +3592,13 @@ check_CVE_2017_5715_linux() > + # when IBRS is enabled on 4.15+, we > can see it in sysfs > + # on a more recent kernel, classic > "IBRS" is not even longer an option, because of the performance > impact. 
> + # only "Enhanced IBRS" is available > (on CPUs with the IBRS_ALL flag) > +- if echo "$fullmsg" | grep -q -e > '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then > ++ if echo "$fullmsg" | @grep@ -q -e > '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then > + _debug "ibrs: found IBRS in > sysfs" > + [ -z "$ibrs_supported" ] && > ibrs_supported='found IBRS in sysfs' > + [ -z "$ibrs_enabled" ] && > ibrs_enabled=3 > + fi > + # checking for 'Enhanced IBRS' in > sysfs, enabled on CPUs with IBRS_ALL > +- if echo "$fullmsg" | grep -q -e > 'Enhanced IBRS'; then > ++ if echo "$fullmsg" | @grep@ -q -e > 'Enhanced IBRS'; then > + [ -z "$ibrs_supported" ] && > ibrs_supported='found Enhanced IBRS in sysfs' > + # 4 isn't actually a valid > value of the now extinct "ibrs_enabled" flag file, > + # that only went from 0 to 3, > so we use 4 as "enhanced ibrs is enabled" > +@@ -3617,11 +3617,11 @@ check_CVE_2017_5715_linux() > + fi > + fi > + if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then > +- if ! command -v "${opt_arch_prefix}strings" > >/dev/null 2>&1; then > ++ if ! 
command -v "@strings@" >/dev/null 2>&1; > then > + : > + else > + ibrs_can_tell=1 > +- > ibrs_supported=$("${opt_arch_prefix}str > ings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1) > ++ ibrs_supported=$("@strings@" > "$kernel" | @grep@ -Fw -e ', IBRS_FW' | @head@ -1) > + if [ -n "$ibrs_supported" ]; then > + _debug "ibrs: found ibrs > evidence in kernel image ($ibrs_supported)" > + ibrs_supported="found > '$ibrs_supported' in kernel image" > +@@ -3630,7 +3630,7 @@ check_CVE_2017_5715_linux() > + fi > + if [ -z "$ibrs_supported" ] && [ -n "$opt_map" ]; > then > + ibrs_can_tell=1 > +- if grep -q spec_ctrl "$opt_map"; then > ++ if @grep@ -q spec_ctrl "$opt_map"; then > + ibrs_supported="found spec_ctrl in > symbols file" > + _debug "ibrs: found '*spec_ctrl*' > symbol in $opt_map" > + fi > +@@ -3638,11 +3638,11 @@ check_CVE_2017_5715_linux() > + # recent (4.15) vanilla kernels have IBPB but not > IBRS, and without the debugfs tunables of Red Hat > + # we can detect it directly in the image > + if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then > +- if ! command -v "${opt_arch_prefix}strings" > >/dev/null 2>&1; then > ++ if ! 
command -v "@strings@" >/dev/null 2>&1; > then > + : > + else > + ibpb_can_tell=1 > +- > ibpb_supported=$("${opt_arch_prefix}str > ings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1) > ++ ibpb_supported=$("@strings@" > "$kernel" | @grep@ -Fw -e 'ibpb' -e ', IBPB' | @head@ -1) > + if [ -n "$ibpb_supported" ]; then > + _debug "ibpb: found ibpb > evidence in kernel image ($ibpb_supported)" > + ibpb_supported="found > '$ibpb_supported' in kernel image" > +@@ -3691,9 +3691,9 @@ check_CVE_2017_5715_linux() > + 2) if [ > "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel, user > space, and firmware code" ; else pstatus green YES "for both kernel > and user space"; fi;; > + 3) if [ > "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and > firmware code"; else pstatus green YES; fi;; > + 4) pstatus green YES > "Enhanced flavor, performance impact will be greatly reduced";; > +- *) if [ "$cpuid_ibrs" != > 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ > "$cpuid_spec_ctrl" != -1 ]; > +- then pstatus > yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS"; > +- else > ++ *) if [ "$cpuid_ibrs" != > 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ > "$cpuid_spec_ctrl" != -1 ]; > ++ then pstatus > yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS"; > ++ else > + pstatus > yellow UNKNOWN; fi;; > + esac > + fi > +@@ -3744,7 +3744,7 @@ check_CVE_2017_5715_linux() > + bp_harden='' > + if [ -r "$opt_config" ]; then > + bp_harden_can_tell=1 > +- bp_harden=$(grep -w > 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config") > ++ bp_harden=$(@grep@ -w > 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config") > + if [ -n "$bp_harden" ]; then > + pstatus green YES > + _debug "bp_harden: found '$bp_harden' > in $opt_config" > +@@ -3752,7 +3752,7 @@ check_CVE_2017_5715_linux() > + fi > + if [ -z "$bp_harden" ] && [ -n "$opt_map" ]; then > + bp_harden_can_tell=1 > +- bp_harden=$(grep -w bp_hardening_data > "$opt_map") > ++ 
bp_harden=$(@grep@ -w bp_hardening_data > "$opt_map") > + if [ -n "$bp_harden" ]; then > + pstatus green YES > + _debug "bp_harden: found '$bp_harden' > in $opt_map" > +@@ -3770,11 +3770,11 @@ check_CVE_2017_5715_linux() > + # We check the RETPOLINE kernel options > + retpoline=0 > + if [ -r "$opt_config" ]; then > +- if grep -q '^CONFIG_RETPOLINE=y' > "$opt_config"; then > ++ if @grep@ -q '^CONFIG_RETPOLINE=y' > "$opt_config"; then > + pstatus green YES > + retpoline=1 > + # shellcheck disable=SC2046 > +- _debug 'retpoline: found '$(grep > '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config" > ++ _debug 'retpoline: found '$(@grep@ > '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config" > + else > + pstatus yellow NO > + fi > +@@ -3795,8 +3795,8 @@ check_CVE_2017_5715_linux() > + # since 5.15.28, this is now "Retpolines" as > the implementation was switched to a generic one, > + # so we look for both "retpoline" and > "retpolines" > + if [ "$opt_live" = 1 ] && [ -n "$fullmsg" ]; > then > +- if echo "$fullmsg" | grep -qwi -e > retpoline -e retpolines; then > +- if echo "$fullmsg" | grep - > qwi minimal; then > ++ if echo "$fullmsg" | @grep@ -qwi -e > retpoline -e retpolines; then > ++ if echo "$fullmsg" | @grep@ - > qwi minimal; then > + retpoline_compiler=0 > + retpoline_compiler_re > ason="kernel reports minimal retpoline compilation" > + else > +@@ -3806,19 +3806,19 @@ check_CVE_2017_5715_linux() > + fi > + elif [ -n "$opt_map" ]; then > + # look for the symbol > +- if grep -qw noretpoline_setup > "$opt_map"; then > ++ if @grep@ -qw noretpoline_setup > "$opt_map"; then > + retpoline_compiler=1 > + retpoline_compiler_reason="no > retpoline_setup symbol found in System.map" > + fi > + elif [ -n "$kernel" ]; then > + # look for the symbol > +- if command -v "${opt_arch_prefix}nm" > >/dev/null 2>&1; then > ++ if command -v "@nm@" >/dev/null 2>&1; > then > + # the proper way: use nm and > look for the symbol > +- if "${opt_arch_prefix}nm" > "$kernel" 2>/dev/null | grep 
-qw 'noretpoline_setup'; then > ++ if "@nm@" "$kernel" > 2>/dev/null | @grep@ -qw 'noretpoline_setup'; then > + retpoline_compiler=1 > + retpoline_compiler_re > ason="noretpoline_setup found in kernel symbols" > + fi > +- elif grep -q noretpoline_setup > "$kernel"; then > ++ elif @grep@ -q noretpoline_setup > "$kernel"; then > + # if we don't have nm, > nevermind, the symbol name is long enough to not have > + # any false positive using > good old grep directly on the binary > + retpoline_compiler=1 > +@@ -3847,7 +3847,7 @@ check_CVE_2017_5715_linux() > + retp_enabled=-1 > + if [ "$opt_live" = 1 ]; then > + if [ -e "$specex_knob_dir/retp_enabled" ]; > then > +- retp_enabled=$(cat > "$specex_knob_dir/retp_enabled" 2>/dev/null) > ++ retp_enabled=$(@cat@ > "$specex_knob_dir/retp_enabled" 2>/dev/null) > + _debug "retpoline: found > $specex_knob_dir/retp_enabled=$retp_enabled" > + _info_nol " * Retpoline is > enabled: " > + if [ "$retp_enabled" = 1 ]; then > +@@ -3877,7 +3877,7 @@ check_CVE_2017_5715_linux() > + rsb_filling=0 > + if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" > != 1 ]; then > + # if we're live and we aren't denied > looking into /sys, let's do it > +- if echo "$msg" | grep -qw RSB; then > ++ if echo "$msg" | @grep@ -qw RSB; then > + rsb_filling=1 > + pstatus green YES > + fi > +@@ -3886,7 +3886,7 @@ check_CVE_2017_5715_linux() > + if [ -n "$kernel_err" ]; then > + pstatus yellow UNKNOWN > "couldn't check ($kernel_err)" > + else > +- if grep -qw -e 'Filling RSB > on context switch' "$kernel"; then > ++ if @grep@ -qw -e 'Filling RSB > on context switch' "$kernel"; then > + rsb_filling=1 > + pstatus green YES > + else > +@@ -4048,7 +4048,7 @@ check_CVE_2017_5715_bsd() > + { > + _info "* Mitigation 1" > + _info_nol " * Kernel supports IBRS: " > +- ibrs_disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null) > ++ ibrs_disabled=$(@sysctl@ -n hw.ibrs_disable 2>/dev/null) > + if [ -z "$ibrs_disabled" ]; then > + pstatus yellow NO > + else > +@@ -4056,7 +4056,7 @@ 
check_CVE_2017_5715_bsd() > + fi > + > + _info_nol " * IBRS enabled and active: " > +- ibrs_active=$(sysctl -n hw.ibrs_active 2>/dev/null) > ++ ibrs_active=$(@sysctl@ -n hw.ibrs_active 2>/dev/null) > + if [ "$ibrs_active" = 1 ]; then > + pstatus green YES > + else > +@@ -4069,10 +4069,10 @@ check_CVE_2017_5715_bsd() > + if [ -n "$kernel_err" ]; then > + pstatus yellow UNKNOWN "couldn't check ($kernel_err)" > + else > +- if ! command -v "${opt_arch_prefix}readelf" > >/dev/null 2>&1; then > ++ if ! command -v "@readelf@" >/dev/null 2>&1; then > + pstatus yellow UNKNOWN "missing > '${opt_arch_prefix}readelf' tool, please install it, usually it's in > the binutils package" > + else > +- nb_thunks=$("${opt_arch_prefix}readelf" -s > "$kernel" | grep -c -e __llvm_retpoline_ -e > __llvm_external_retpoline_ -e __x86_indirect_thunk_) > ++ nb_thunks=$("@readelf@" -s "$kernel" | @grep@ > -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e > __x86_indirect_thunk_) > + if [ "$nb_thunks" -gt 0 ]; then > + retpoline=1 > + pstatus green YES "found $nb_thunks > thunk(s)" > +@@ -4113,7 +4113,7 @@ check_CVE_2017_5715_bsd() > + pti_performance_check() > + { > + _info_nol " * Reduced performance impact of PTI: " > +- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" > | grep -qw pcid; then > ++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags > "$procfs/cpuinfo" | @grep@ -qw pcid; then > + cpu_pcid=1 > + else > + read_cpuid 0x1 0x0 $ECX 17 1 1; ret=$? > +@@ -4122,7 +4122,7 @@ pti_performance_check() > + fi > + fi > + > +- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" > | grep -qw invpcid; then > ++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags > "$procfs/cpuinfo" | @grep@ -qw invpcid; then > + cpu_invpcid=1 > + else > + read_cpuid 0x7 0x0 $EBX 10 1 1; ret=$? 
> +@@ -4147,7 +4147,7 @@ check_CVE_2017_5754() > + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" > + if [ "$os" = Linux ]; then > + check_CVE_2017_5754_linux > +- elif echo "$os" | grep -q BSD; then > ++ elif echo "$os" | @grep@ -q BSD; then > + check_CVE_2017_5754_bsd > + else > + _warn "Unsupported OS ($os)" > +@@ -4169,7 +4169,7 @@ check_CVE_2017_5754_linux() > + kpti_can_tell=0 > + if [ -n "$opt_config" ]; then > + kpti_can_tell=1 > +- kpti_support=$(grep -w -e > CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e > CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config") > ++ kpti_support=$(@grep@ -w -e > CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e > CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config") > + if [ -n "$kpti_support" ]; then > + _debug "kpti_support: found option > '$kpti_support' in $opt_config" > + fi > +@@ -4179,7 +4179,7 @@ check_CVE_2017_5754_linux() > + # so we try to find an exported symbol that > is part of the PTI patch in System.map > + # parse_kpti: arm > + kpti_can_tell=1 > +- kpti_support=$(grep -w -e kpti_force_enabled > -e parse_kpti "$opt_map") > ++ kpti_support=$(@grep@ -w -e > kpti_force_enabled -e parse_kpti "$opt_map") > + if [ -n "$kpti_support" ]; then > + _debug "kpti_support: found > '$kpti_support' in $opt_map" > + fi > +@@ -4189,10 +4189,10 @@ check_CVE_2017_5754_linux() > + # nopti option that is part of the patch > (kernel command line option) > + # 'kpti=': arm > + kpti_can_tell=1 > +- if ! command -v "${opt_arch_prefix}strings" > >/dev/null 2>&1; then > ++ if ! 
command -v "@strings@" >/dev/null 2>&1; > then > + pstatus yellow UNKNOWN "missing > '${opt_arch_prefix}strings' tool, please install it, usually it's in > the binutils package" > + else > +- > kpti_support=$("${opt_arch_prefix}strin > gs" "$kernel" | grep -w -e nopti -e kpti=) > ++ kpti_support=$("@strings@" "$kernel" > | @grep@ -w -e nopti -e kpti=) > + if [ -n "$kpti_support" ]; then > + _debug "kpti_support: found > '$kpti_support' in $kernel" > + fi > +@@ -4219,20 +4219,20 @@ check_CVE_2017_5754_linux() > + dmesg_grep="$dmesg_grep|x86/pti: Unmapping > kernel while in userspace" > + # aarch64 > + dmesg_grep="$dmesg_grep|CPU features: > detected( feature)?: Kernel page table isolation \(KPTI\)" > +- if grep ^flags "$procfs/cpuinfo" | grep -qw > pti; then > ++ if @grep@ ^flags "$procfs/cpuinfo" | @grep@ - > qw pti; then > + # vanilla PTI patch sets the 'pti' > flag in cpuinfo > + _debug "kpti_enabled: found 'pti' > flag in $procfs/cpuinfo" > + kpti_enabled=1 > +- elif grep ^flags "$procfs/cpuinfo" | grep -qw > kaiser; then > ++ elif @grep@ ^flags "$procfs/cpuinfo" | @grep@ > -qw kaiser; then > + # kernel line 4.9 sets the 'kaiser' > flag in cpuinfo > + _debug "kpti_enabled: found 'kaiser' > flag in $procfs/cpuinfo" > + kpti_enabled=1 > + elif [ -e /sys/kernel/debug/x86/pti_enabled > ]; then > + # Red Hat Backport creates a > dedicated file, see https://access.redhat.com/articles/3311301 > +- kpti_enabled=$(cat > /sys/kernel/debug/x86/pti_enabled 2>/dev/null) > ++ kpti_enabled=$(@cat@ > /sys/kernel/debug/x86/pti_enabled 2>/dev/null) > + _debug "kpti_enabled: file > /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled" > + elif is_xen_dom0; then > +- pti_xen_pv_domU=$(xl dmesg | grep > 'XPTI' | grep 'DomU enabled' | head -1) > ++ pti_xen_pv_domU=$(xl @dmesg@ | @grep@ > 'XPTI' | @grep@ 'DomU enabled' | @head@ -1) > + > + [ -n "$pti_xen_pv_domU" ] && > kpti_enabled=1 > + fi > +@@ -4307,7 +4307,7 @@ check_CVE_2017_5754_linux() > + if [ -n "$kpti_support" 
]; then > + if [ -e > "/sys/kernel/debug/x86/pti_enabled" ]; then > + explain "Your kernel > supports PTI but it's disabled, you can enable it with \`echo 1 > > /sys/kernel/debug/x86/pti_enabled\`" > +- elif echo "$kernel_cmdline" | > grep -q -w -e nopti -e pti=off; then > ++ elif echo "$kernel_cmdline" | > @grep@ -q -w -e nopti -e pti=off; then > + explain "Your kernel > supports PTI but it has been disabled on command-line, remove the > nopti or pti=off option from your bootloader configuration" > + else > + explain "Your kernel > supports PTI but it has been disabled, check \`dmesg\` right after > boot to find clues why the system disabled it" > +@@ -4358,7 +4358,7 @@ check_CVE_2017_5754_linux() > + check_CVE_2017_5754_bsd() > + { > + _info_nol "* Kernel supports Page Table Isolation (PTI): " > +- kpti_enabled=$(sysctl -n vm.pmap.pti 2>/dev/null) > ++ kpti_enabled=$(@sysctl@ -n vm.pmap.pti 2>/dev/null) > + if [ -z "$kpti_enabled" ]; then > + pstatus yellow NO > + else > +@@ -4429,7 +4429,7 @@ check_CVE_2018_3639() > + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" > + if [ "$os" = Linux ]; then > + check_CVE_2018_3639_linux > +- elif echo "$os" | grep -q BSD; then > ++ elif echo "$os" | @grep@ -q BSD; then > + check_CVE_2018_3639_bsd > + else > + _warn "Unsupported OS ($os)" > +@@ -4448,33 +4448,33 @@ check_CVE_2018_3639_linux() > + if [ "$opt_sysfs_only" != 1 ]; then > + _info_nol "* Kernel supports disabling speculative > store bypass (SSB): " > + if [ "$opt_live" = 1 ]; then > +- if grep -Eq 'Speculation.?Store.?Bypass:' > "$procfs/self/status" 2>/dev/null; then > ++ if @grep@ -Eq 'Speculation.?Store.?Bypass:' > "$procfs/self/status" 2>/dev/null; then > + kernel_ssb="found in > $procfs/self/status" > + _debug "found > Speculation.Store.Bypass: in $procfs/self/status" > + fi > + fi > + # arm64 kernels can have cpu_show_spec_store_bypass > with ARM64_SSBD, so exclude them > +- if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! 
grep > -q 'arm64_sys_' "$kernel"; then > +- kernel_ssb=$("${opt_arch_prefix}strings" > "$kernel" | grep spec_store_bypass | head -n1); > ++ if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! > @grep@ -q 'arm64_sys_' "$kernel"; then > ++ kernel_ssb=$("@strings@" "$kernel" | @grep@ > spec_store_bypass | @head@ -n1); > + [ -n "$kernel_ssb" ] && kernel_ssb="found > $kernel_ssb in kernel" > + fi > + # arm64 kernels can have cpu_show_spec_store_bypass > with ARM64_SSBD, so exclude them > +- if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! > grep -q 'arm64_sys_' "$opt_map"; then > +- kernel_ssb=$(grep spec_store_bypass > "$opt_map" | awk '{print $3}' | head -n1) > ++ if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! > @grep@ -q 'arm64_sys_' "$opt_map"; then > ++ kernel_ssb=$(@grep@ spec_store_bypass > "$opt_map" | @awk@ '{print $3}' | @head@ -n1) > + [ -n "$kernel_ssb" ] && kernel_ssb="found > $kernel_ssb in System.map" > + fi > + # arm64 only: > + if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ]; then > +- kernel_ssb=$(grep -w cpu_enable_ssbs > "$opt_map" | awk '{print $3}' | head -n1) > ++ kernel_ssb=$(@grep@ -w cpu_enable_ssbs > "$opt_map" | @awk@ '{print $3}' | @head@ -n1) > + [ -n "$kernel_ssb" ] && kernel_ssb="found > $kernel_ssb in System.map" > + fi > + if [ -z "$kernel_ssb" ] && [ -n "$opt_config" ]; then > +- kernel_ssb=$(grep -w 'CONFIG_ARM64_SSBD=y' > "$opt_config") > ++ kernel_ssb=$(@grep@ -w 'CONFIG_ARM64_SSBD=y' > "$opt_config") > + [ -n "$kernel_ssb" ] && > kernel_ssb="CONFIG_ARM64_SSBD enabled in kconfig" > + fi > + if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then > + # this string only appears in kernel if > CONFIG_ARM64_SSBD is set > +- kernel_ssb=$(grep -w "Speculative Store > Bypassing Safe (SSBS)" "$kernel") > ++ kernel_ssb=$(@grep@ -w "Speculative Store > Bypassing Safe (SSBS)" "$kernel") > + [ -n "$kernel_ssb" ] && kernel_ssb="found > 'Speculative Store Bypassing Safe (SSBS)' in kernel" > + fi > + # /arm64 only > +@@ -4489,31 +4489,31 @@ 
check_CVE_2018_3639_linux() > + if [ "$opt_live" = 1 ]; then > + # > https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340 > + _info_nol "* SSB mitigation is enabled and > active: " > +- if grep -Eq > 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" > 2>/dev/null; then > ++ if @grep@ -Eq > 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" > 2>/dev/null; then > + kernel_ssbd_enabled=1 > + pstatus green YES "per-thread through > prctl" > +- elif grep -Eq > 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' > "$procfs/self/status" 2>/dev/null; then > ++ elif @grep@ -Eq > 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' > "$procfs/self/status" 2>/dev/null; then > + kernel_ssbd_enabled=2 > + pstatus green YES "global" > +- elif grep -Eq > 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' > "$procfs/self/status" 2>/dev/null; then > ++ elif @grep@ -Eq > 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' > "$procfs/self/status" 2>/dev/null; then > + kernel_ssbd_enabled=0 > + pstatus yellow NO > +- elif grep -Eq > 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' > "$procfs/self/status" 2>/dev/null; then > ++ elif @grep@ -Eq > 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' > "$procfs/self/status" 2>/dev/null; then > + kernel_ssbd_enabled=-2 > + pstatus blue NO "not vulnerable" > +- elif grep -Eq > 'Speculation.?Store.?Bypass:[[:space:]]+unknown' > "$procfs/self/status" 2>/dev/null; then > ++ elif @grep@ -Eq > 'Speculation.?Store.?Bypass:[[:space:]]+unknown' > "$procfs/self/status" 2>/dev/null; then > + kernel_ssbd_enabled=0 > + pstatus blue NO > + else > +- pstatus blue UNKNOWN "unknown value: > $(grep -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" > 2>/dev/null | cut -d: -f2-)" > ++ pstatus blue UNKNOWN "unknown value: > $(@grep@ -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" > 2>/dev/null | @cut@ -d: -f2-)" > + fi > + > + if [ "$kernel_ssbd_enabled" = 1 ]; then > + 
_info_nol "* SSB mitigation currently > active for selected processes: " > + # silence grep's stderr here to avoid > ENOENT errors from processes that have exited since the shell's > expansion of the * > +- mitigated_processes=$(find /proc - > mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \ > +- | xargs -r0 grep -El > 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' > 2>/dev/null \ > +- | sed s/status/exe/ | xargs - > r -n1 readlink -f 2>/dev/null | xargs -r -n1 basename | sort -u | tr > "\n" " " | sed 's/ $//') > ++ mitigated_processes=$(@find@ /proc - > mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \ > ++ | @xargs@ -r0 @grep@ -El > 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' > 2>/dev/null \ > ++ | @sed@ s/status/exe/ | > @xargs@ -r -n1 readlink -f 2>/dev/null | @xargs@ -r -n1 @basename@ | > @sort@ -u | @tr@ "\n" " " | @sed@ 's/ $//') > + if [ -n "$mitigated_processes" ]; > then > + pstatus green YES > "$mitigated_processes" > + else > +@@ -4565,7 +4565,7 @@ check_CVE_2018_3639_linux() > + check_CVE_2018_3639_bsd() > + { > + _info_nol "* Kernel supports speculation store bypass: " > +- if sysctl hw.spec_store_bypass_disable >/dev/null 2>&1; then > ++ if @sysctl@ hw.spec_store_bypass_disable >/dev/null 2>&1; > then > + kernel_ssb=1 > + pstatus green YES > + else > +@@ -4574,7 +4574,7 @@ check_CVE_2018_3639_bsd() > + fi > + > + _info_nol "* Speculation store bypass is administratively > enabled: " > +- ssb_enabled=$(sysctl -n hw.spec_store_bypass_disable > 2>/dev/null) > ++ ssb_enabled=$(@sysctl@ -n hw.spec_store_bypass_disable > 2>/dev/null) > + _debug "hw.spec_store_bypass_disable=$ssb_enabled" > + case "$ssb_enabled" in > + 0) pstatus yellow NO "disabled";; > +@@ -4584,7 +4584,7 @@ check_CVE_2018_3639_bsd() > + esac > + > + _info_nol "* Speculation store bypass is currently active: " > +- ssb_active=$(sysctl -n hw.spec_store_bypass_disable_active > 2>/dev/null) > ++ ssb_active=$(@sysctl@ 
-n hw.spec_store_bypass_disable_active > 2>/dev/null) > + _debug "hw.spec_store_bypass_disable_active=$ssb_active" > + case "$ssb_active" in > + 1) pstatus green YES;; > +@@ -4656,7 +4656,7 @@ check_CVE_2018_3620() > + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" > + if [ "$os" = Linux ]; then > + check_CVE_2018_3620_linux > +- elif echo "$os" | grep -q BSD; then > ++ elif echo "$os" | @grep@ -q BSD; then > + check_CVE_2018_3620_bsd > + else > + _warn "Unsupported OS ($os)" > +@@ -4674,14 +4674,14 @@ check_CVE_2018_3620_linux() > + fi > + if [ "$opt_sysfs_only" != 1 ]; then > + _info_nol "* Kernel supports PTE inversion: " > +- if ! command -v "${opt_arch_prefix}strings" > >/dev/null 2>&1; then > ++ if ! command -v "@strings@" >/dev/null 2>&1; then > + pstatus yellow UNKNOWN "missing 'strings' > tool, please install it" > + pteinv_supported=-1 > + elif [ -n "$kernel_err" ]; then > + pstatus yellow UNKNOWN "$kernel_err" > + pteinv_supported=-1 > + else > +- if "${opt_arch_prefix}strings" "$kernel" | > grep -Fq 'PTE Inversion'; then > ++ if "@strings@" "$kernel" | @grep@ -Fq 'PTE > Inversion'; then > + pstatus green YES "found in kernel > image" > + _debug "pteinv: found pte inversion > evidence in kernel image" > + pteinv_supported=1 > +@@ -4694,7 +4694,7 @@ check_CVE_2018_3620_linux() > + _info_nol "* PTE inversion enabled and active: " > + if [ "$opt_live" = 1 ]; then > + if [ -n "$fullmsg" ]; then > +- if echo "$fullmsg" | grep -q > 'Mitigation: PTE Inversion'; then > ++ if echo "$fullmsg" | @grep@ -q > 'Mitigation: PTE Inversion'; then > + pstatus green YES > + pteinv_active=1 > + else > +@@ -4742,7 +4742,7 @@ check_CVE_2018_3620_bsd() > + else > + _debug "vmm module already loaded" > + fi > +- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then > ++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then > + # > https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch > + # this is very difficult to detect that the kernel > reserved the 0 page, 
but this fix > + # is part of the exact same patch than the other L1TF > CVE, so we detect it > +@@ -4772,7 +4772,7 @@ check_CVE_2018_3646() > + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" > + if [ "$os" = Linux ]; then > + check_CVE_2018_3646_linux > +- elif echo "$os" | grep -q BSD; then > ++ elif echo "$os" | @grep@ -q BSD; then > + check_CVE_2018_3646_bsd > + else > + _warn "Unsupported OS ($os)" > +@@ -4798,7 +4798,7 @@ check_CVE_2018_3646_linux() > + if [ "$opt_live" = 1 ]; then > + if ! [ -r > /sys/module/kvm_intel/parameters/ept ]; then > + pstatus blue N/A "the kvm_intel > module is not loaded" > +- elif [ "$(cat > /sys/module/kvm_intel/parameters/ept)" = N ]; then > ++ elif [ "$(@cat@ > /sys/module/kvm_intel/parameters/ept)" = N ]; then > + pstatus green YES > + ept_disabled=1 > + else > +@@ -4810,15 +4810,15 @@ check_CVE_2018_3646_linux() > + > + _info "* Mitigation 2" > + _info_nol " * L1D flush is supported by kernel: " > +- if [ "$opt_live" = 1 ] && grep -qw flush_l1d > "$procfs/cpuinfo"; then > ++ if [ "$opt_live" = 1 ] && @grep@ -qw flush_l1d > "$procfs/cpuinfo"; then > + l1d_kernel="found flush_l1d in > $procfs/cpuinfo" > + fi > + if [ -z "$l1d_kernel" ]; then > +- if ! command -v "${opt_arch_prefix}strings" > >/dev/null 2>&1; then > ++ if ! 
command -v "@strings@" >/dev/null 2>&1; > then > + l1d_kernel_err="missing > '${opt_arch_prefix}strings' tool, please install it, usually it's in > the binutils package" > + elif [ -n "$kernel_err" ]; then > + l1d_kernel_err="$kernel_err" > +- elif "${opt_arch_prefix}strings" "$kernel" | > grep -qw flush_l1d; then > ++ elif "@strings@" "$kernel" | @grep@ -qw > flush_l1d; then > + l1d_kernel='found flush_l1d in kernel > image' > + fi > + fi > +@@ -4839,20 +4839,20 @@ check_CVE_2018_3646_linux() > + # $l1dstatus is one of > (auto|vulnerable|conditional cache flushes|cache flushes|EPT > disabled|flush not necessary) > + # $smtstatus is one of > (vulnerable|disabled) > + # can also just be "Not affected" > +- if echo "$fullmsg" | grep -Eq -e 'Not > affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not > necessary)'; then > ++ if echo "$fullmsg" | @grep@ -Eq -e > 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not > necessary)'; then > + l1d_mode=0 > + pstatus yellow NO > +- elif echo "$fullmsg" | grep -Eq > '(VMX:|L1D) conditional cache flushes'; then > ++ elif echo "$fullmsg" | @grep@ -Eq > '(VMX:|L1D) conditional cache flushes'; then > + l1d_mode=1 > + pstatus green YES > "conditional flushes" > +- elif echo "$fullmsg" | grep -Eq > '(VMX:|L1D) cache flushes'; then > ++ elif echo "$fullmsg" | @grep@ -Eq > '(VMX:|L1D) cache flushes'; then > + l1d_mode=2 > + pstatus green YES > "unconditional flushes" > + else > + if is_xen_dom0; then > +- l1d_xen_hardware=$(xl > dmesg | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -1) > +- > l1d_xen_hypervisor=$(xl > dmesg | grep 'Xen settings:' | grep 'L1D_FLUSH' | head -1) > +- l1d_xen_pv_domU=$(xl > dmesg | grep 'PV L1TF shadowing:' | grep 'DomU enabled' | head -1) > ++ l1d_xen_hardware=$(xl > @dmesg@ | @grep@ 'Hardware features:' | @grep@ 'L1D_FLUSH' | @head@ - > 1) > ++ l1d_xen_hypervisor=$( > xl @dmesg@ | @grep@ 'Xen settings:' | @grep@ 'L1D_FLUSH' | @head@ -1) > ++ l1d_xen_pv_domU=$(xl > @dmesg@ | 
@grep@ 'PV L1TF shadowing:' | @grep@ 'DomU enabled' | > @head@ -1) > + > + if [ -n > "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n > "$l1d_xen_pv_domU" ]; then > + l1d_mode=5 > +@@ -4883,7 +4883,7 @@ check_CVE_2018_3646_linux() > + > + _info_nol " * Hardware-backed L1D flush supported: " > + if [ "$opt_live" = 1 ]; then > +- if grep -qw flush_l1d "$procfs/cpuinfo" || [ > -n "$l1d_xen_hardware" ]; then > ++ if @grep@ -qw flush_l1d "$procfs/cpuinfo" || > [ -n "$l1d_xen_hardware" ]; then > + pstatus green YES "performance impact > of the mitigation will be greatly reduced" > + else > + pstatus blue NO "flush will be done > in software, this is slower" > +@@ -4955,7 +4955,7 @@ check_CVE_2018_3646_linux() > + check_CVE_2018_3646_bsd() > + { > + _info_nol "* Kernel supports L1D flushing: " > +- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then > ++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then > + pstatus green YES > + kernel_l1d_supported=1 > + else > +@@ -4964,7 +4964,7 @@ check_CVE_2018_3646_bsd() > + fi > + > + _info_nol "* L1D flushing is enabled: " > +- kernel_l1d_enabled=$(sysctl -n hw.vmm.vmx.l1d_flush > 2>/dev/null) > ++ kernel_l1d_enabled=$(@sysctl@ -n hw.vmm.vmx.l1d_flush > 2>/dev/null) > + case "$kernel_l1d_enabled" in > + 0) pstatus yellow NO;; > + 1) pstatus green YES;; > +@@ -5018,7 +5018,7 @@ check_CVE_2018_12127() > + ################### > + # MDSUM SECTION > + > +-# Microarchitectural Data Sampling Uncacheable Memory > ++# Microarchitectural Data Sampling Uncacheable Memory > + check_CVE_2019_11091() > + { > + cve='CVE-2019-11091' > +@@ -5032,7 +5032,7 @@ check_mds() > + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" > + if [ "$os" = Linux ]; then > + check_mds_linux "$cve" > +- elif echo "$os" | grep -q BSD; then > ++ elif echo "$os" | @grep@ -q BSD; then > + check_mds_bsd "$cve" > + else > + _warn "Unsupported OS ($os)" > +@@ -5043,7 +5043,7 @@ check_mds_bsd() > + { > + _info_nol "* Kernel supports using MD_CLEAR 
mitigation: " > + if [ "$opt_live" = 1 ]; then > +- if sysctl hw.mds_disable >/dev/null 2>&1; then > ++ if @sysctl@ hw.mds_disable >/dev/null 2>&1; then > + pstatus green YES > + kernel_md_clear=1 > + else > +@@ -5051,7 +5051,7 @@ check_mds_bsd() > + kernel_md_clear=0 > + fi > + else > +- if grep -Fq hw.mds_disable $opt_kernel; then > ++ if @grep@ -Fq hw.mds_disable $opt_kernel; then > + pstatus green YES > + kernel_md_clear=1 > + else > +@@ -5061,8 +5061,8 @@ check_mds_bsd() > + fi > + > + _info_nol "* CPU Hyper-Threading (SMT) is disabled: " > +- if sysctl machdep.hyperthreading_allowed >/dev/null 2>&1; > then > +- kernel_smt_allowed=$(sysctl -n > machdep.hyperthreading_allowed 2>/dev/null) > ++ if @sysctl@ machdep.hyperthreading_allowed >/dev/null 2>&1; > then > ++ kernel_smt_allowed=$(@sysctl@ -n > machdep.hyperthreading_allowed 2>/dev/null) > + if [ "$kernel_smt_allowed" = 1 ]; then > + pstatus yellow NO > + else > +@@ -5074,7 +5074,7 @@ check_mds_bsd() > + > + _info_nol "* Kernel mitigation is enabled: " > + if [ "$kernel_md_clear" = 1 ]; then > +- kernel_mds_enabled=$(sysctl -n hw.mds_disable > 2>/dev/null) > ++ kernel_mds_enabled=$(@sysctl@ -n hw.mds_disable > 2>/dev/null) > + else > + kernel_mds_enabled=0 > + fi > +@@ -5088,7 +5088,7 @@ check_mds_bsd() > + > + _info_nol "* Kernel mitigation is active: " > + if [ "$kernel_md_clear" = 1 ]; then > +- kernel_mds_state=$(sysctl -n hw.mds_disable_state > 2>/dev/null) > ++ kernel_mds_state=$(@sysctl@ -n hw.mds_disable_state > 2>/dev/null) > + else > + kernel_mds_state=inactive > + fi > +@@ -5146,16 +5146,16 @@ check_mds_linux() > + _info_nol "* Kernel supports using MD_CLEAR > mitigation: " > + kernel_md_clear='' > + kernel_md_clear_can_tell=1 > +- if [ "$opt_live" = 1 ] && grep ^flags > "$procfs/cpuinfo" | grep -qw md_clear; then > ++ if [ "$opt_live" = 1 ] && @grep@ ^flags > "$procfs/cpuinfo" | @grep@ -qw md_clear; then > + kernel_md_clear="md_clear found in > $procfs/cpuinfo" > + pstatus green YES 
"$kernel_md_clear" > + fi > + if [ -z "$kernel_md_clear" ]; then > +- if ! command -v "${opt_arch_prefix}strings" > >/dev/null 2>&1; then > ++ if ! command -v "@strings@" >/dev/null 2>&1; > then > + kernel_md_clear_can_tell=0 > + elif [ -n "$kernel_err" ]; then > + kernel_md_clear_can_tell=0 > +- elif "${opt_arch_prefix}strings" "$kernel" | > grep -q 'Clear CPU buffers'; then > ++ elif "@strings@" "$kernel" | @grep@ -q 'Clear > CPU buffers'; then > + _debug "md_clear: found 'Clear CPU > buffers' string in kernel image" > + kernel_md_clear='found md_clear > implementation evidence in kernel image' > + pstatus green YES "$kernel_md_clear" > +@@ -5171,7 +5171,7 @@ check_mds_linux() > + > + if [ "$opt_live" = 1 ] && [ > "$sys_interface_available" = 1 ]; then > + _info_nol "* Kernel mitigation is enabled and > active: " > +- if echo "$fullmsg" | grep -qi ^mitigation; > then > ++ if echo "$fullmsg" | @grep@ -qi ^mitigation; > then > + mds_mitigated=1 > + pstatus green YES > + else > +@@ -5179,7 +5179,7 @@ check_mds_linux() > + pstatus yellow NO > + fi > + _info_nol "* SMT is either mitigated or > disabled: " > +- if echo "$fullmsg" | grep -Eq 'SMT > (disabled|mitigated)'; then > ++ if echo "$fullmsg" | @grep@ -Eq 'SMT > (disabled|mitigated)'; then > + mds_smt_mitigated=1 > + pstatus green YES > + else > +@@ -5265,7 +5265,7 @@ check_CVE_2019_11135() > + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" > + if [ "$os" = Linux ]; then > + check_CVE_2019_11135_linux > +- elif echo "$os" | grep -q BSD; then > ++ elif echo "$os" | @grep@ -q BSD; then > + check_CVE_2019_11135_bsd > + else > + _warn "Unsupported OS ($os)" > +@@ -5286,7 +5286,7 @@ check_CVE_2019_11135_linux() > + kernel_taa='' > + if [ -n "$kernel_err" ]; then > + kernel_taa_err="$kernel_err" > +- elif grep -q 'tsx_async_abort' "$kernel"; then > ++ elif @grep@ -q 'tsx_async_abort' "$kernel"; then > + kernel_taa="found tsx_async_abort in kernel > image" > + fi > + if [ -n "$kernel_taa" ]; then > +@@ -5300,7 
+5300,7 @@ check_CVE_2019_11135_linux() > + _info_nol "* TAA mitigation enabled and active: " > + if [ "$opt_live" = 1 ]; then > + if [ -n "$fullmsg" ]; then > +- if echo "$fullmsg" | grep -qE > '^Mitigation'; then > ++ if echo "$fullmsg" | @grep@ -qE > '^Mitigation'; then > + pstatus green YES "$fullmsg" > + else > + pstatus yellow NO > +@@ -5335,9 +5335,9 @@ check_CVE_2019_11135_linux() > + else > + if [ "$opt_paranoid" = 1 ]; then > + # in paranoid mode, TSX or SMT enabled are > not OK, even if TAA is mitigated > +- if ! echo "$fullmsg" | grep -qF 'TSX > disabled'; then > ++ if ! echo "$fullmsg" | @grep@ -qF 'TSX > disabled'; then > + pvulnstatus $cve VULN "TSX must be > disabled for full mitigation" > +- elif echo "$fullmsg" | grep -qF 'SMT > vulnerable'; then > ++ elif echo "$fullmsg" | @grep@ -qF 'SMT > vulnerable'; then > + pvulnstatus $cve VULN "SMT > (HyperThreading) must be disabled for full mitigation" > + else > + pvulnstatus $cve "$status" "$msg" > +@@ -5367,7 +5367,7 @@ check_CVE_2018_12207() > + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" > + if [ "$os" = Linux ]; then > + check_CVE_2018_12207_linux > +- elif echo "$os" | grep -q BSD; then > ++ elif echo "$os" | @grep@ -q BSD; then > + check_CVE_2018_12207_bsd > + else > + _warn "Unsupported OS ($os)" > +@@ -5391,7 +5391,7 @@ check_CVE_2018_12207_linux() > + if [ -n "$kernel_err" ]; then > + kernel_itlbmh_err="$kernel_err" > + # commit 5219505fcbb640e273a0d51c19c38de0100ec5a9 > +- elif grep -q 'itlb_multihit' "$kernel"; then > ++ elif @grep@ -q 'itlb_multihit' "$kernel"; then > + kernel_itlbmh="found itlb_multihit in kernel > image" > + fi > + if [ -n "$kernel_itlbmh" ]; then > +@@ -5405,7 +5405,7 @@ check_CVE_2018_12207_linux() > + _info_nol "* iTLB Multihit mitigation enabled and > active: " > + if [ "$opt_live" = 1 ]; then > + if [ -n "$fullmsg" ]; then > +- if echo "$fullmsg" | grep -qF > 'Mitigation'; then > ++ if echo "$fullmsg" | @grep@ -qF > 'Mitigation'; then > + pstatus green YES 
"$fullmsg" > + else > + pstatus yellow NO > +@@ -5447,7 +5447,7 @@ check_CVE_2018_12207_linux() > + check_CVE_2018_12207_bsd() > + { > + _info_nol "* Kernel supports disabling superpages for > executable mappings under EPT: " > +- kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept > 2>/dev/null) > ++ kernel_2m_x_ept=$(@sysctl@ -n vm.pmap.allow_2m_x_ept > 2>/dev/null) > + if [ -z "$kernel_2m_x_ept" ]; then > + pstatus yellow NO > + else > +@@ -5484,7 +5484,7 @@ check_CVE_2020_0543() > + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m" > + if [ "$os" = Linux ]; then > + check_CVE_2020_0543_linux > +- elif echo "$os" | grep -q BSD; then > ++ elif echo "$os" | @grep@ -q BSD; then > + check_CVE_2020_0543_bsd > + else > + _warn "Unsupported OS ($os)" > +@@ -5505,7 +5505,7 @@ check_CVE_2020_0543_linux() > + kernel_srbds='' > + if [ -n "$kernel_err" ]; then > + kernel_srbds_err="$kernel_err" > +- elif grep -q 'Dependent on hypervisor' "$kernel"; > then > ++ elif @grep@ -q 'Dependent on hypervisor' "$kernel"; > then > + kernel_srbds="found SRBDS implementation > evidence in kernel image. 
Your kernel is up to date for SRBDS > mitigation" > + fi > + if [ -n "$kernel_srbds" ]; then > +@@ -5518,7 +5518,7 @@ check_CVE_2020_0543_linux() > + _info_nol "* SRBDS mitigation control is enabled and > active: " > + if [ "$opt_live" = 1 ]; then > + if [ -n "$fullmsg" ]; then > +- if echo "$fullmsg" | grep -qE > '^Mitigation'; then > ++ if echo "$fullmsg" | @grep@ -qE > '^Mitigation'; then > + pstatus green YES "$fullmsg" > + else > + pstatus yellow NO > +@@ -5608,8 +5608,8 @@ fi > + # now run the checks the user asked for > + for cve in $supported_cve_list > + do > +- if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | grep -qw > "$cve"; then > +- check_"$(echo "$cve" | tr - _)" > ++ if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | @grep@ - > qw "$cve"; then > ++ check_"$(echo "$cve" | @tr@ - _)" > + _info > + fi > + done > +@@ -5623,17 +5623,17 @@ if [ "$bad_accuracy" = 1 ]; then > + _warn "We're missing some kernel info (see -v), accuracy > might be reduced" > + fi > + > +-_vars=$(set | grep -Ev '^[A-Z_[:space:]]' | grep -v -F 'mockme=' | > sort | tr "\n" '|') > ++_vars=$(set | @grep@ -Ev '^[A-Z_[:space:]]' | @grep@ -v -F > 'mockme=' | @sort@ | @tr@ "\n" '|') > + _debug "variables at end of script: $_vars" > + > + if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then > +- if command -v "gzip" >/dev/null 2>&1; then > ++ if command -v "@gzip@" >/dev/null 2>&1; then > + # not a useless use of cat: gzipping cpuinfo directly > doesn't work well > + # shellcheck disable=SC2002 > +- if command -v "base64" >/dev/null 2>&1; then > +- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | > base64 -w0)" > +- elif command -v "uuencode" >/dev/null 2>&1; then > +- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | > uuencode -m - | grep -Fv 'begin-base64' | grep -Fxv -- '====' | tr -d > "\n")" > ++ if command -v "@base64@" >/dev/null 2>&1; then > ++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ > -c | @base64@ -w0)" > ++ elif command -v "@uuencode@" >/dev/null 2>&1; then > ++ 
mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ > -c | @uuencode@ -m - | @grep@ -Fv 'begin-base64' | @grep@ -Fxv -- > '====' | @tr@ -d "\n")" > + fi > + fi > + if [ -n "$mock_cpuinfo" ]; then > +@@ -5642,7 +5642,7 @@ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; > then > + fi > + _info "" > + # shellcheck disable=SC2046 > +- _warn "To mock this CPU, set those vars: "$(echo "$mockme" | > sort -u) > ++ _warn "To mock this CPU, set those vars: "$(echo "$mockme" | > @sort@ -u) > + fi > + > + if [ "$opt_explain" = 0 ]; then > +-- > +2.38.1 > + > diff --git a/gnu/packages/patches/spectre-meltdown-checker-support- > guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown- > checker-support-guix-system-kernel.patch > new file mode 100644 > index 0000000000..afec52b418 > --- /dev/null > +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix- > system-kernel.patch 
> @@ -0,0 +1,26 @@ > +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 > 2001 > +From: Hilton Chain <hako@ultrarare.space> > +Date: Sat, 5 Nov 2022 23:22:31 +0800 > +Subject: [PATCH] Add support for Guix System kernel. > + > +--- > + spectre-meltdown-checker.sh | 2 ++ > + 1 file changed, 2 insertions(+) > + > +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown- > checker.sh > +index 248a444..855a090 100755 > +--- a/spectre-meltdown-checker.sh > ++++ b/spectre-meltdown-checker.sh > +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then > + [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" > ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)" > + # NixOS: > + [ -e "/run/booted-system/kernel" ] && > opt_kernel="/run/booted-system/kernel" > ++ # Guix System: > ++ [ -e "/run/booted-system/kernel/bzImage" ] && > opt_kernel="/run/booted-system/kernel/bzImage" > + # systemd kernel-install: > + [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat > /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat > /etc/machine-id)/$(uname -r)/linux" > + # Clear Linux: > + > +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183 > +-- > +2.38.0 > > base-commit: 2757de2e2b271d87f6f72ba4161c2225fbdc9e78 > -- > 2.38.1 Cheers
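Review bot: the `xl dmesg` pipelines in the `@@ -4219,20 +4219,20 @@ check_CVE_2017_5754_linux()` and `@@ -4839,20 +4839,20 @@ check_CVE_2018_3646_linux()` hunks must not have `dmesg` replaced: there `dmesg` is a subcommand of the Xen `xl` tool, not the util-linux binary, so `xl @dmesg@` becomes `xl /gnu/store/.../dmesg`, which `xl` will reject and the Xen dom0 detection silently turns into "not found". Keep the literal `xl dmesg` in the four assignments (`pti_xen_pv_domU`, `l1d_xen_hardware`, `l1d_xen_hypervisor`, `l1d_xen_pv_domU`) and substitute only the `@grep@` and `@head@` stages of those pipelines.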
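Review bot: in the `@@ -4069,10 +4069,10 @@ check_CVE_2017_5715_bsd()`, `@@ -4189,10 +4189,10 @@ check_CVE_2017_5754_linux()` and `@@ -4810,15 +4810,15 @@ check_CVE_2018_3646_linux()` hunks, `command -v` now tests the hard-wired `@readelf@` / `@strings@` path, but the `UNKNOWN` message on the following line still tells the user that `'${opt_arch_prefix}readelf'` or `'${opt_arch_prefix}strings'` is missing. With a store path baked in, that branch is unreachable on a correct build, and replacing `${opt_arch_prefix}readelf` with a fixed path also discards the cross-toolchain prefix the script lets the user set through `opt_arch_prefix`; either keep the prefix-aware lookup for the binutils tools or drop the `${opt_arch_prefix}` wording from the messages so they match what is actually checked.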
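Review bot: the `@@ -5018,7 +5018,7 @@ check_CVE_2018_12127()` hunk removes and re-adds `# Microarchitectural Data Sampling Uncacheable Memory` with no visible change. If this is a trailing-whitespace or encoding touch-up it is unrelated to the command substitution and should be dropped so the patch stays minimal and rebases cleanly on future upstream releases.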
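Review bot: in the `@@ -4489,31 +4489,31 @@ check_CVE_2018_3639_linux()` hunk the `mitigated_processes` pipeline substitutes `@find@`, `@xargs@`, `@grep@`, `@sed@`, `@basename@`, `@sort@` and `@tr@` but leaves `readlink -f` as a bare `readlink`. If the intent is that the script runs with no reliance on `PATH`, `readlink` needs the same treatment (it is in coreutils, like `basename`); otherwise a comment saying why it is exempt would stop the next reader from "fixing" it.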
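Review bot: the Guix System line added in the `@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then` hunk only works because it comes after the NixOS line: on Guix System `/run/booted-system/kernel` also exists (it is a symlink to the kernel package directory), so the NixOS test sets `opt_kernel` to that directory first and the new `bzImage` test then overrides it. Either add a comment stating that the order matters, or test `/run/booted-system/kernel/bzImage` before the NixOS entry, so a later reordering does not leave Guix with a directory in `opt_kernel`.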
* [bug#59053] [PATCH v5] gnu: Add spectre-meltdown-checker. 2022-11-12 16:58 ` Liliana Marie Prikler @ 2022-11-13 13:09 ` Hilton Chain via Guix-patches via 2022-11-13 22:02 ` bug#59053: " Liliana Marie Prikler From: Hilton Chain via Guix-patches via @ 2022-11-13 13:09 UTC To: Liliana Marie Prikler; +Cc: 59053 * gnu/packages/linux.scm (spectre-meltdown-checker): New variable. * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch: New file. * gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch: New file. * gnu/local.mk (dist_patch_DATA): Add patches. --- v4 -> v5: No longer an extra patch for substitution. gnu/local.mk | 2 + gnu/packages/linux.scm | 130 ++++++++++ ...ker-remove-builtin-firmware-database.patch | 243 ++++++++++++++++++ ...n-checker-support-guix-system-kernel.patch | 26 ++ 4 files changed, 401 insertions(+) create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch diff --git a/gnu/local.mk b/gnu/local.mk index e3e02314bb..1e85790983 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1857,6 +1857,8 @@ dist_patch_DATA = \ %D%/packages/patches/syslinux-strip-gnu-property.patch \ %D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \ %D%/packages/patches/snappy-add-inline-for-GCC.patch \ + %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \ + %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \ %D%/packages/patches/sphinxbase-fix-doxygen.patch \ %D%/packages/patches/spice-vdagent-glib-2.68.patch \ %D%/packages/patches/sssd-optional-systemd.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index fea33dfa0b..03b7ce46b0 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm 
@@ -9595,3 +9595,133 @@ (define-public edac-utils error detection and correction (EDAC).") (home-page "https://github.com/grondo/edac-utils") (license license:gpl2+))) + +(define-public spectre-meltdown-checker + (package + (name "spectre-meltdown-checker") + (version "0.45") + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/speed47/spectre-meltdown-checker") + (commit (string-append "v" version)))) + (file-name (git-file-name name version)) + (patches + (search-patches + "spectre-meltdown-checker-remove-builtin-firmware-database.patch" + ;; https://github.com/speed47/spectre-meltdown-checker/pull/441 + "spectre-meltdown-checker-support-guix-system-kernel.patch")) + ;; Remove builtin firmware database. + (modules '((guix build utils))) + (snippet '(substitute* "spectre-meltdown-checker.sh" + (("^# [AI],.*") ""))) + (sha256 + (base32 + "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8")))) + (build-system copy-build-system) + (arguments + (list + #:install-plan + #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker")) + #:phases + #~(modify-phases %standard-phases + (add-after 'unpack 'fixpath + (lambda* (#:key inputs #:allow-other-keys) + (define* (find-command inputs cmd #:optional (bin "bin") + #:key (prefix "") (suffix "")) + (string-append + prefix (search-input-file inputs (string-append bin "/" cmd)) + suffix)) + (substitute* "spectre-meltdown-checker.sh" + ;; ${opt_arch_prefix}CMD + (((string-append + "\\$\\{opt_arch_prefix\\}" + "\\<(nm|objdump|readelf|strings)\\>") all cmd) + (find-command inputs cmd)) + + ;; dd + (("(dd)( if=)" all cmd suffix) + (find-command inputs cmd #:suffix suffix)) + + ;; Commands safe to substitute directly. 
+ (((string-append "\\<(" (string-join + (list "awk" + "basename" + "dirname" + "bunzip2" + "gunzip" + "gzip" + "lz4" + "lzop" + "modprobe" + "pgrep" + "rmmod" + "umount" + "unlzma" + "unxz" + "unzstd" + "uuencode") + "|") + ")\\>") all cmd) + (find-command inputs cmd)) + + ;; Search by suffix. + ;; CMD - + ;; CMD ^ + (((string-append "\\<(" (string-join + (list "base64" + "cut" + "grep" + "head" + "id" + "mount" + "mktemp" + "od" + "perl" + "rm" + "uname" + "xargs") + "|") + ")\\>( [-^])") all cmd suffix) + (find-command inputs cmd #:suffix suffix)) + ;; CMD | + (("(dmesg)( \\|)" all cmd suffix) + (find-command inputs cmd #:suffix suffix)) + + ;; Then prefix + ;; | CMD + (("(\\| )\\<(grep|sed|sort|stat|tr)\\>" all prefix cmd) + (find-command inputs cmd #:prefix prefix)) + ;; $(CMD + (("(\\$\\( *)(sysctl)" all prefix cmd) + (find-command inputs cmd "sbin" #:prefix prefix)) + (("(\\$\\()\\<(cat|find|grep|mount|nproc|stat|tr)\\>" all prefix cmd) + (find-command inputs cmd #:prefix prefix)) + ;; if CMD + (("(if )(sysctl)" all prefix cmd) + (find-command inputs cmd "sbin" #:prefix prefix)) + ;; command -v CMD + (("(command -v) \"*\\<(base64|nproc|perl|printf)\\>\"*" all prefix cmd) + (find-command inputs cmd #:prefix prefix)) + + ;; Cats are mysterious... 
+ ;; cat <<EOF + (("(cat)( <<EOF)" all cmd suffix) + (find-command inputs cmd #:suffix suffix)) + ;; cat "$ + (("(cat)(\"\\$)" all cmd suffix) + (find-command inputs cmd #:suffix suffix)) + ;; 'cat' + (("(')(cat)(')" all prefix cmd suffix) + (find-command inputs cmd #:prefix prefix #:suffix suffix)) + ;; "cat" + (("(\")(cat)(\")" all prefix cmd suffix) + (find-command inputs cmd #:prefix prefix #:suffix suffix)))))))) + (inputs (list kmod lz4 lzop perl procps sharutils util-linux zstd)) + (home-page "https://github.com/speed47/spectre-meltdown-checker") + (synopsis "CPU vulnerability / mitigation checker") + (description + "This package provides a shell script to assess your system's resilience +against the several transient execution CVEs that were published since early +2018, and give you guidance as to how to mitigate them.") + (license license:gpl3))) diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch new file mode 100644 index 0000000000..809763cf4f --- /dev/null +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch 
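Review bot: the `fixpath` phase in the linux.scm hunk depends on `substitute*`, which silently leaves a pattern that no longer matches untouched, so the hand-maintained command lists (`nm|objdump|readelf|strings`, the `awk` … `uuencode` list, the four `cat` spellings under "Cats are mysterious...") can drift from the script on the next version bump without any build failure. A cheap guard is a final step in the phase that fails when one of those bare command names still appears outside a store path, or at least a comment naming the spectre-meltdown-checker version the patterns were written against. Also, `grep`, `mount` and `stat` appear in more than one rule; that only works because the rules run in order and `| /gnu/store/…/bin/grep` no longer matches the later `(\\| )\\<(grep|sed|sort|stat|tr)\\>` rule, so a short comment stating that the rule order is load-bearing would help the next editor.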
@@ -0,0 +1,243 @@ +From 340b08737e552c3c186863d76d123808d853a159 Mon Sep 17 00:00:00 2001 +From: Hilton Chain <hako@ultrarare.space> +Date: Sat, 12 Nov 2022 22:45:24 +0800 +Subject: [PATCH] Remove builtin firmware database. + +1. Remove downloading function. +2. Add option for supplying a local database. +--- + spectre-meltdown-checker.sh | 180 +++--------------------------------- + 1 file changed, 15 insertions(+), 165 deletions(-) + +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh +index 30f760c..ce46970 100755 +--- a/spectre-meltdown-checker.sh ++++ b/spectre-meltdown-checker.sh +@@ -22,8 +22,6 @@ exit_cleanup() + [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config" + [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp" + [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2" +- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm -f "$mcedb_tmp" +- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm -rf "$intel_tmp" + [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null + [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null + [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null +@@ -93,9 +91,7 @@ show_usage() + --vmm [auto,yes,no] override the detection of the presence of a hypervisor, default: auto + --allow-msr-write allow probing for write-only MSRs, this might produce kernel logs or be blocked by your system + --cpu [#,all] interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0) +- --update-fwdb update our local copy of the CPU microcodes versions database (using the awesome +- MCExtractor project and the Intel firmwares GitHub repository) +- --update-builtin-fwdb same as --update-fwdb but update builtin DB inside the script itself ++ --with-fwdb FILE supply the CPU microcodes versions database + --dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script + + Return codes: +@@ 
-837,147 +833,6 @@ show_header() + _info + } + +-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)" +-mcedb_cache="$HOME/.mcedb" +-update_fwdb() +-{ +- show_header +- +- set -e +- +- if [ -r "$mcedb_cache" ]; then +- previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache") +- fi +- +- # first, download the MCE.db from the excellent platomav's MCExtractor project +- mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)" +- mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db' +- _info_nol "Fetching MCE.db from the MCExtractor project... " +- if command -v wget >/dev/null 2>&1; then +- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$? +- elif command -v curl >/dev/null 2>&1; then +- curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$? +- elif command -v fetch >/dev/null 2>&1; then +- fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$? +- else +- echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs" +- return 1 +- fi +- if [ "$ret" != 0 ]; then +- echo ERROR "error $ret while downloading MCE.db" +- return $ret +- fi +- echo DONE +- +- # second, get the Intel firmwares from GitHub +- intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)" +- intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip" +- _info_nol "Fetching Intel firmwares... " +- ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git +- if command -v wget >/dev/null 2>&1; then +- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$? +- elif command -v curl >/dev/null 2>&1; then +- curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$? +- elif command -v fetch >/dev/null 2>&1; then +- fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$? 
+- else +- echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs" +- return 1 +- fi +- if [ "$ret" != 0 ]; then +- echo ERROR "error $ret while downloading Intel firmwares" +- return $ret +- fi +- echo DONE +- +- # now extract MCEdb contents using sqlite +- _info_nol "Extracting MCEdb data... " +- if ! command -v sqlite3 >/dev/null 2>&1; then +- echo ERROR "please install the \`sqlite3\` program" +- return 1 +- fi +- mcedb_revision=$(sqlite3 "$mcedb_tmp" "select revision from MCE") +- if [ -z "$mcedb_revision" ]; then +- echo ERROR "downloaded file seems invalid" +- return 1 +- fi +- sqlite3 "$mcedb_tmp" "alter table Intel add column origin text" +- sqlite3 "$mcedb_tmp" "update Intel set origin='mce'" +- +- echo OK "MCExtractor database revision $mcedb_revision" +- +- # parse Intel firmwares to get their versions +- _info_nol "Integrating Intel firmwares data to db... " +- if ! command -v unzip >/dev/null 2>&1; then +- echo ERROR "please install the \`unzip\` program" +- return 1 +- fi +- ( cd "$intel_tmp" && unzip fw.zip >/dev/null; ) +- if ! [ -d "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" ]; then +- echo ERROR "expected the 'intel-ucode' folder in the downloaded zip file" +- return 1 +- fi +- +- if ! command -v iucode_tool >/dev/null 2>&1; then +- if ! 
command -v iucode-tool >/dev/null 2>&1; then +- echo ERROR "please install the \`iucode-tool\` program" +- return 1 +- else +- iucode_tool="iucode-tool" +- fi +- else +- iucode_tool="iucode_tool" +- fi +- # 079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev 0x0217, size 5120 +- # 078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev 0x0107, size 5120 +- $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line +- do +- _line=$( echo "$_line" | tr -d ',') +- _cpuid=$( echo "$_line" | awk '{print $3}') +- _cpuid=$(( _cpuid )) +- _cpuid=$(printf "0x%08X" "$_cpuid") +- _date=$( echo "$_line" | awk '{print $6}' | tr -d '-') +- _version=$(echo "$_line" | awk '{print $8}') +- _version=$(( _version )) +- _version=$(printf "0x%08X" "$_version") +- _sqlstm="$(printf "INSERT INTO Intel (origin,cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")" +- sqlite3 "$mcedb_tmp" "$_sqlstm" +- done +- _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null) +- if [ -n "$_intel_timestamp" ]; then +- # use this date, it matches the last commit date +- _intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp") +- else +- echo "Falling back to the latest microcode date" +- _intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT yyyymmdd from Intel WHERE origin = 'intel' ORDER BY yyyymmdd DESC LIMIT 1;") +- fi +- echo DONE "(version $_intel_latest_date)" +- +- dbversion="$mcedb_revision+i$_intel_latest_date" +- +- if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [ "$previous_dbversion" = "v$dbversion" ]; then +- echo "We already have this version locally, no update needed" +- return 0 +- fi +- +- _info_nol "Building local database... 
" +- { +- echo "# Spectre & Meltdown Checker"; +- echo "# %%% MCEDB v$dbversion"; +- sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,'; +- sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,'; +- } > "$mcedb_cache" +- echo DONE "(version $dbversion)" +- +- if [ "$1" = builtin ]; then +- newfile=$(mktemp -t smc-builtin-XXXXXX) +- awk '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile" +- awk '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile" +- cat "$newfile" > "$0" +- rm -f "$newfile" +- fi +-} +- + parse_opt_file() + { + # parse_opt_file option_name option_value +@@ -1067,12 +922,15 @@ while [ -n "${1:-}" ]; do + # deprecated, kept for compatibility + opt_explain=0 + shift +- elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then +- update_fwdb +- exit $? +- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then +- update_fwdb builtin +- exit $? 
++ elif [ "$1" = "--with-fwdb" ] || [ "$1" = "--with-mcedb" ]; then ++ opt_fwdb=$2 ++ if [ -f "$opt_fwdb" ]; then ++ mcedb_cache=$2 ++ else ++ echo "$0: error: --with-fwdb should be a file, got '$opt_fwdb'" >&2 ++ exit 255 ++ fi ++ shift 2 + elif [ "$1" = "--dump-mock-data" ]; then + opt_mock=1 + shift +@@ -2033,21 +1891,11 @@ is_xen_domU() + fi + } + +-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0") + if [ -r "$mcedb_cache" ]; then + # we have a local cache file, but it might be older than the builtin version we have + local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache") +- # sort -V sorts by version number +- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | sort -V | head -n1) +- if [ "$older_dbversion" = "$builtin_dbversion" ]; then +- mcedb_source="$mcedb_cache" +- mcedb_info="local firmwares DB $local_dbversion" +- fi +-fi +-# if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db +-if [ -z "${mcedb_source:-}" ]; then +- mcedb_source="$0" +- mcedb_info="builtin firmwares DB $builtin_dbversion" ++ mcedb_source="$mcedb_cache" ++ mcedb_info="local firmwares DB $local_dbversion" + fi + read_mcedb() + { +@@ -2063,7 +1911,9 @@ is_latest_known_ucode() + return 2 + fi + ucode_latest="latest microcode version for your CPU model is unknown" +- if is_intel; then ++ if [ -z "$mcedb_source" ]; then ++ return 2 ++ elif is_intel; then + cpu_brand_prefix=I + elif is_amd; then + cpu_brand_prefix=A +-- +2.38.1 + diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch new file mode 100644 index 0000000000..afec52b418 --- /dev/null +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch 
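Review bot: the `update_fwdb` removal hunk deletes the default `mcedb_cache="$HOME/.mcedb"`, and the `is_xen_domU` hunk deletes the `mcedb_source="$0"` fallback, so after this patch both variables are only assigned conditionally (when `--with-fwdb` is given and the file is readable). The remaining tests, `if [ -r "$mcedb_cache" ]` and the new `if [ -z "$mcedb_source" ]`, then run against possibly unset variables; initialise both to the empty string near the top of the script (`mcedb_cache=''`, `mcedb_source=''`), or write `${mcedb_source:-}` as the `exit_cleanup` lines do for optional variables, so the behaviour does not depend on whether `set -u` is in effect. A sentence in the commit message that the previous `~/.mcedb` cache is no longer consulted automatically would also help users of the old `--update-fwdb` workflow.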
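Review bot: in the option-parsing hunk, `if [ -f "$opt_fwdb" ]` accepts a file the script cannot read, while the later hunk only consults it through `if [ -r "$mcedb_cache" ]`, so an unreadable database is silently ignored and the microcode check degrades to "unknown" instead of failing with the error message the `else` branch already provides. Testing `[ -f "$opt_fwdb" ] && [ -r "$opt_fwdb" ]` here keeps that failure loud.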
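Review bot: the usage line added in the `show_usage` hunk, `--with-fwdb FILE supply the CPU microcodes versions database`, does not say what FILE must contain, and the only generator of that format (`update_fwdb`) is removed by the same patch. Since the later hunks read the version from a `# %%% MCEDB` header line and the linux.scm snippet strips `# I,` / `# A,` entries, the help text (or the commit message) should state that FILE is a database in that `# %%% MCEDB vX` / `# I,…` / `# A,…` format, and mention that `--with-mcedb` is accepted as an alias, as the option-parsing hunk does.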
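Review bot: in the `is_latest_known_ucode` hunk, the new `if [ -z "$mcedb_source" ]; then return 2` leaves `ucode_latest` at "latest microcode version for your CPU model is unknown", which tells the user nothing about why; setting it to a message that says no firmware database was supplied and that `--with-fwdb FILE` provides one, before returning, makes the report actionable.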
@@ -0,0 +1,26 @@ +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001 +From: Hilton Chain <hako@ultrarare.space> +Date: Sat, 5 Nov 2022 23:22:31 +0800 +Subject: [PATCH] Add support for Guix System kernel. + +--- + spectre-meltdown-checker.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh +index 248a444..855a090 100755 +--- a/spectre-meltdown-checker.sh ++++ b/spectre-meltdown-checker.sh +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then + [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)" + # NixOS: + [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel" ++ # Guix System: ++ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage" + # systemd kernel-install: + [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux" + # Clear Linux: + +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183 +-- +2.38.0 base-commit: 80d10fa413cf43439f9ab94b6f69fe68811156da -- 2.38.1 ^ permalink raw reply related [flat|nested] 12+ messages in thread
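Review bot: the Guix System line is placed after the NixOS one and both use `-e`; on Guix System `/run/booted-system/kernel` is a directory (the kernel package output, which is why this hunk looks for `kernel/bzImage` beneath it), so the NixOS check `[ -e "/run/booted-system/kernel" ]` matches first and sets `opt_kernel` to that directory, and the result is only correct because the Guix line runs afterwards and overwrites it. Making the NixOS check `-f`, or placing the Guix check before it, removes the order dependency; failing that, a comment that the order matters would do. It is also worth confirming that the kernel image is named `bzImage` on every architecture Guix System supports, since the check will not match any other file name.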
* bug#59053: [PATCH v5] gnu: Add spectre-meltdown-checker. 2022-11-13 13:09 ` [bug#59053] [PATCH v5] " Hilton Chain via Guix-patches via @ 2022-11-13 22:02 ` Liliana Marie Prikler 0 siblings, 0 replies; 12+ messages in thread From: Liliana Marie Prikler @ 2022-11-13 22:02 UTC (permalink / raw) To: Hilton Chain; +Cc: 59053-done On Sunday, 13.11.2022 at 21:09 +0800, Hilton Chain wrote: > * gnu/packages/linux.scm (spectre-meltdown-checker): New variable. > * gnu/packages/patches/spectre-meltdown-checker-support-guix-system- > kernel.patch: > New file. > * gnu/packages/patches/spectre-meltdown-checker-remove-builtin- > firmware-database.patch: > New file. > * gnu/local.mk (dist_patch_DATA): Add patches. I renamed the patches for the ChangeLog, slightly rewrote their explanations, ... > gnu/local.mk | 2 + > gnu/packages/linux.scm | 130 ++++++++++ > ...ker-remove-builtin-firmware-database.patch | 243 > ++++++++++++++++++ > ...n-checker-support-guix-system-kernel.patch | 26 ++ > 4 files changed, 401 insertions(+) > create mode 100644 gnu/packages/patches/spectre-meltdown-checker- > remove-builtin-firmware-database.patch > create mode 100644 gnu/packages/patches/spectre-meltdown-checker- > support-guix-system-kernel.patch > > diff --git a/gnu/local.mk b/gnu/local.mk > index e3e02314bb..1e85790983 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -1857,6 +1857,8 @@ dist_patch_DATA > = \ > %D%/packages/patches/syslinux-strip-gnu-property.patch \ > %D%/packages/patches/snappy-add-O2-flag-in- > CmakeLists.txt.patch \ > %D%/packages/patches/snappy-add-inline-for-GCC.patch \ > + %D%/packages/patches/spectre-meltdown-checker-remove-builtin- > firmware-database.patch \ > + %D%/packages/patches/spectre-meltdown-checker-support-guix-system- > kernel.patch \ > %D%/packages/patches/sphinxbase-fix-doxygen.patch \ > %D%/packages/patches/spice-vdagent-glib-2.68.patch \ > %D%/packages/patches/sssd-optional-systemd.patch \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm > index fea33dfa0b..03b7ce46b0 100644 > --- a/gnu/packages/linux.scm > +++ b/gnu/packages/linux.scm 
> @@ -9595,3 +9595,133 @@ (define-public edac-utils > error detection and correction (EDAC).") > (home-page "https://github.com/grondo/edac-utils") > (license license:gpl2+))) > + > +(define-public spectre-meltdown-checker > + (package > + (name "spectre-meltdown-checker") > + (version "0.45") > + (source (origin > + (method git-fetch) > + (uri (git-reference > + (url > "https://github.com/speed47/spectre-meltdown-checker") > + (commit (string-append "v" version)))) > + (file-name (git-file-name name version)) > + (patches > + (search-patches > + "spectre-meltdown-checker-remove-builtin-firmware- > database.patch" > + ;; > https://github.com/speed47/spectre-meltdown-checker/pull/441 > + "spectre-meltdown-checker-support-guix-system- > kernel.patch")) > + ;; Remove builtin firmware database. > + (modules '((guix build utils))) > + (snippet '(substitute* "spectre-meltdown-checker.sh" > + (("^# [AI],.*") ""))) > + (sha256 > + (base32 > + > "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8")))) > + (build-system copy-build-system) > + (arguments > + (list > + #:install-plan > + #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown- > checker")) > + #:phases > + #~(modify-phases %standard-phases > + (add-after 'unpack 'fixpath > + (lambda* (#:key inputs #:allow-other-keys) > + (define* (find-command inputs cmd #:optional (bin > "bin") > + #:key (prefix "") (suffix "")) > + (string-append > + prefix (search-input-file inputs (string-append bin > "/" cmd)) > + suffix)) > + (substitute* "spectre-meltdown-checker.sh" > + ;; ${opt_arch_prefix}CMD > + (((string-append > + "\\$\\{opt_arch_prefix\\}" > + "\\<(nm|objdump|readelf|strings)\\>") all cmd) > + (find-command inputs cmd)) > + > + ;; dd > + (("(dd)( if=)" all cmd suffix) > + (find-command inputs cmd #:suffix suffix)) > + > + ;; Commands safe to substitute directly. 
> + (((string-append "\\<(" (string-join > + (list "awk" > + "basename" > + "dirname" > + "bunzip2" > + "gunzip" > + "gzip" > + "lz4" > + "lzop" > + "modprobe" > + "pgrep" > + "rmmod" > + "umount" > + "unlzma" > + "unxz" > + "unzstd" > + "uuencode") > + "|") > + ")\\>") all cmd) replaced these "clever" tricks with dumber ones, > + (find-command inputs cmd)) > + > + ;; Search by suffix. > + ;; CMD - > + ;; CMD ^ > + (((string-append "\\<(" (string-join > + (list "base64" > + "cut" > + "grep" > + "head" > + "id" > + "mount" > + "mktemp" > + "od" > + "perl" > + "rm" > + "uname" > + "xargs") > + "|") > + ")\\>( [-^])") all cmd suffix) > + (find-command inputs cmd #:suffix suffix)) > + ;; CMD | > + (("(dmesg)( \\|)" all cmd suffix) > + (find-command inputs cmd #:suffix suffix)) > + > + ;; Then prefix > + ;; | CMD > + (("(\\| )\\<(grep|sed|sort|stat|tr)\\>" all prefix > cmd) > + (find-command inputs cmd #:prefix prefix)) > + ;; $(CMD > + (("(\\$\\( *)(sysctl)" all prefix cmd) > + (find-command inputs cmd "sbin" #:prefix prefix)) > + > (("(\\$\\()\\<(cat|find|grep|mount|nproc|stat|tr)\\>" all prefix cmd) > + (find-command inputs cmd #:prefix prefix)) > + ;; if CMD > + (("(if )(sysctl)" all prefix cmd) > + (find-command inputs cmd "sbin" #:prefix prefix)) > + ;; command -v CMD > + (("(command -v) > \"*\\<(base64|nproc|perl|printf)\\>\"*" all prefix cmd) > + (find-command inputs cmd #:prefix prefix)) > + > + ;; Cats are mysterious... 
> + ;; cat <<EOF > + (("(cat)( <<EOF)" all cmd suffix) > + (find-command inputs cmd #:suffix suffix)) > + ;; cat "$ > + (("(cat)(\"\\$)" all cmd suffix) > + (find-command inputs cmd #:suffix suffix)) > + ;; 'cat' > + (("(')(cat)(')" all prefix cmd suffix) > + (find-command inputs cmd #:prefix prefix #:suffix > suffix)) > + ;; "cat" > + (("(\")(cat)(\")" all prefix cmd suffix) > + (find-command inputs cmd #:prefix prefix #:suffix > suffix)))))))) > + (inputs (list kmod lz4 lzop perl procps sharutils util-linux > zstd)) > + (home-page > "https://github.com/speed47/spectre-meltdown-checker") > + (synopsis "CPU vulnerability / mitigation checker") > + (description > + "This package provides a shell script to assess your system's > resilience > +against the several transient execution CVEs that were published > since early > +2018, and give you guidance as to how to mitigate them.") > + (license license:gpl3))) > diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove- > builtin-firmware-database.patch b/gnu/packages/patches/spectre- > meltdown-checker-remove-builtin-firmware-database.patch > new file mode 100644 > index 0000000000..809763cf4f > --- /dev/null > +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin- > firmware-database.patch 
> @@ -0,0 +1,243 @@ > +From 340b08737e552c3c186863d76d123808d853a159 Mon Sep 17 00:00:00 > 2001 > +From: Hilton Chain <hako@ultrarare.space> > +Date: Sat, 12 Nov 2022 22:45:24 +0800 > +Subject: [PATCH] Remove builtin firmware database. > + > +1. Remove downloading function. > +2. Add option for supplying a local database. > +--- > + spectre-meltdown-checker.sh | 180 +++------------------------------ > --- > + 1 file changed, 15 insertions(+), 165 deletions(-) > + > +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown- > checker.sh > +index 30f760c..ce46970 100755 > +--- a/spectre-meltdown-checker.sh > ++++ b/spectre-meltdown-checker.sh > +@@ -22,8 +22,6 @@ exit_cleanup() > + [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm > -f "$dumped_config" > + [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm > -f "$kerneltmp" > + [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm > -f "$kerneltmp2" > +- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm > -f "$mcedb_tmp" > +- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm > -rf "$intel_tmp" > + [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug > 2>/dev/null > + [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" > 2>/dev/null > + [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null > +@@ -93,9 +91,7 @@ show_usage() > + --vmm [auto,yes,no] override the detection of the > presence of a hypervisor, default: auto > + --allow-msr-write allow probing for write-only > MSRs, this might produce kernel logs or be blocked by your system > + --cpu [#,all] interact with CPUID and MSR > of CPU core number #, or all (default: CPU core 0) > +- --update-fwdb update our local copy of the > CPU microcodes versions database (using the awesome > +- MCExtractor project and the > Intel firmwares GitHub repository) > +- --update-builtin-fwdb same as --update-fwdb but > update builtin DB inside the script itself > ++ --with-fwdb FILE supply the CPU microcodes > versions database and added a note regarding 
the (lack of) freedom for proprietary microcode. I also added your name and email to the authors of linux.scm, since this was a very non-trivial package. Cheers
end of thread, other threads: [~2022-11-13 22:03 UTC | newest]

Thread overview: 12+ messages
  2022-11-05 15:57 [bug#59053] [PATCH] gnu: Add spectre-meltdown-checker  Hilton Chain via Guix-patches via
  2022-11-05 16:45 ` Liliana Marie Prikler
  2022-11-11 11:10 ` [bug#59053] [PATCH v2] "  Hilton Chain via Guix-patches via
  2022-11-11 15:13 ` Liliana Marie Prikler
  2022-11-12 12:14 ` [bug#59053] [PATCH v3] "  Hilton Chain via Guix-patches via
  2022-11-12 12:28 ` Liliana Marie Prikler
  2022-11-12 12:50 ` Hilton Chain via Guix-patches via
  2022-11-12 13:40 ` Liliana Marie Prikler
  2022-11-12 15:15 ` [bug#59053] [PATCH v4] "  Hilton Chain via Guix-patches via
  2022-11-12 16:58 ` Liliana Marie Prikler
  2022-11-13 13:09 ` [bug#59053] [PATCH v5] "  Hilton Chain via Guix-patches via
  2022-11-13 22:02 ` bug#59053: "  Liliana Marie Prikler