all messages for Guix-related lists mirrored at yhetil.org
* [bug#49898] [PATCH] gnu: Add spectre-meltdown-checker.
@ 2021-08-05 17:00 phodina via Guix-patches via
  2021-08-06 13:58 ` Leo Prikler
                   ` (3 more replies)
  0 siblings, 4 replies; 13+ messages in thread
From: phodina via Guix-patches via @ 2021-08-05 17:00 UTC (permalink / raw)
  To: 49898

* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 4ca2a386e1..f89f6f259e 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -53,6 +53,7 @@
 ;;; Copyright © 2020 pukkamustard <pukkamustard@posteo.net>
 ;;; Copyright © 2021 B. Wilson <elaexuotee@wilsonb.com>
 ;;; Copyright © 2021 Ivan Gankevich <i.gankevich@spbu.ru>
+;;; Copyright © 2021 Petr Hodina <phodina@protonmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -148,6 +149,7 @@
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system go)
+  #:use-module (guix build-system copy)
   #:use-module (guix build-system meson)
   #:use-module (guix build-system python)
   #:use-module (guix build-system trivial)
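Review bot: `(guix build-system copy)` is inserted after `go`, which breaks the alphabetical order of the `#:use-module` list in this hunk; it belongs between `(guix build-system cmake)` and `(guix build-system gnu)`.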
@@ -7191,6 +7193,44 @@ interfaces in parallel environments.")
     (supported-systems '("i686-linux" "x86_64-linux"))
     (license (list license:bsd-2 license:gpl2)))) ;dual

+(define-public spectre-meltdown-checker
+(package
+  (name "spectre-meltdown-checker")
+  (version "v0.44")
+  (source (origin
+            (method git-fetch)
+            (uri (git-reference
+                  (url "https://github.com/speed47/spectre-meltdown-checker")
+                  (commit version)))
+            (file-name (git-file-name name version))
+            (sha256
+             (base32
+              "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam"))))
+  (build-system copy-build-system)
+  (inputs `(("util-linux" ,util-linux)
+            ("binutils" ,binutils)))
+  (synopsis "Spectre, Meltdown ... vulnerability/mitigation checker")
+  (description "A shell script to assess your system's resilience against
+the several transient execution CVEs that were published since early 2018,
+and give you guidance as to how to mitigate them.
+@enumerate
+@item Bounds Check Bypass
+@item Branch Target Injection
+@item Rogue Data Cache Load
+@item Rogue System Register Read
+@item Speculative Store Bypass
+@item L1 Terminal Fault (SGX, OS, VMM)
+@item Microarchitectural Store Buffer Data Sampling
+@item Microarchitectural Fill Buffer Data Sampling
+@item Microarchitectural Load Port Data Sampling
+@item Microarchitectural Data Sampling Uncacheable Memory
+@item TSX asynchronous abort
+@item Machine Mheck Exception on Page Size Changes
+@item Special Register Buffer Data Sampling
+@end enumerate")
+  (home-page "https://github.com/speed47/spectre-meltdown-checker")
+  (license license:gpl3)))
+
 (define-public snapscreenshot
   (package
     (name "snapscreenshot")
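Review bot: the `inputs` (util-linux, binutils) have no effect on this package: copy-build-system has no build step, nothing writes their store paths into the script, and the output does not reference them, so at run time the script resolves every command it calls through the caller's PATH exactly as if the inputs were absent. Either substitute absolute store paths into `spectre-meltdown-checker.sh` or wrap the installed script with a PATH prefix built from the inputs. Smaller points in the same hunk: without an `#:install-plan` the default plan copies the whole checkout (README, Dockerfile and so on) into the output; `(version "v0.44")` together with `(commit version)` should be `"0.44"` plus `(string-append "v" version)`, since Guix version strings carry no `v` prefix; `(package` is not indented under `define-public`; and the description has a typo, "Machine Mheck Exception" for "Machine Check Exception".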
--
2.32.0


* [bug#49898] [PATCH] gnu: Add spectre-meltdown-checker.
  2021-08-05 17:00 [bug#49898] [PATCH] gnu: Add spectre-meltdown-checker phodina via Guix-patches via
@ 2021-08-06 13:58 ` Leo Prikler
  2021-08-07  9:04 ` [bug#49898] [PATCH v2] " phodina via Guix-patches via
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 13+ messages in thread
From: Leo Prikler @ 2021-08-06 13:58 UTC (permalink / raw)
  To: phodina, 49898

Hi,

On Thursday, 05.08.2021, 17:00 +0000, phodina wrote:
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> 
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index 4ca2a386e1..f89f6f259e 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -53,6 +53,7 @@
>  ;;; Copyright © 2020 pukkamustard <pukkamustard@posteo.net>
>  ;;; Copyright © 2021 B. Wilson <elaexuotee@wilsonb.com>
>  ;;; Copyright © 2021 Ivan Gankevich <i.gankevich@spbu.ru>
> +;;; Copyright © 2021 Petr Hodina <phodina@protonmail.com>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -148,6 +149,7 @@
>    #:use-module (guix build-system cmake)
>    #:use-module (guix build-system gnu)
>    #:use-module (guix build-system go)
> +  #:use-module (guix build-system copy)
>    #:use-module (guix build-system meson)
>    #:use-module (guix build-system python)
>    #:use-module (guix build-system trivial)
> @@ -7191,6 +7193,44 @@ interfaces in parallel environments.")
>      (supported-systems '("i686-linux" "x86_64-linux"))
>      (license (list license:bsd-2 license:gpl2)))) ;dual
> 
> +(define-public spectre-meltdown-checker
> +(package
> +  (name "spectre-meltdown-checker")
> +  (version "v0.44")
Version should be "0.44".
> +  (source (origin
> +            (method git-fetch)
> +            (uri (git-reference
> +                  (url "
> https://github.com/speed47/spectre-meltdown-checker")
> +                  (commit version)))
Use (string-append "v" version).
> +            (file-name (git-file-name name version))
> +            (sha256
> +             (base32
> +              "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam"
> ))))
> +  (build-system copy-build-system)
copy-build-system needs an install plan to be meaningful.
> +  (inputs `(("util-linux" ,util-linux)
> +            ("binutils" ,binutils)))
> +  (synopsis "Spectre, Meltdown ... vulnerability/mitigation
> checker")
> +  (description "A shell script to assess your system's resilience
> against
> +the several transient execution CVEs that were published since early
> 2018,
"the several CVEs" is quite an obscure formulation if correct English. 
Just "several CVEs" should mean about the same while being more
understandable.
> +and give you guidance as to how to mitigate them.
> +@enumerate
> +@item Bounds Check Bypass
> +@item Branch Target Injection
> +@item Rogue Data Cache Load
> +@item Rogue System Register Read
> +@item Speculative Store Bypass
> +@item L1 Terminal Fault (SGX, OS, VMM)
> +@item Microarchitectural Store Buffer Data Sampling
> +@item Microarchitectural Fill Buffer Data Sampling
> +@item Microarchitectural Load Port Data Sampling
> +@item Microarchitectural Data Sampling Uncacheable Memory
> +@item TSX asynchronous abort
> +@item Machine Mheck Exception on Page Size Changes
> +@item Special Register Buffer Data Sampling
> +@end enumerate")
Not sure if we want to maintain this enumeration tbh.
> +  (home-page "https://github.com/speed47/spectre-meltdown-checker")
> +  (license license:gpl3)))

Regards


* [bug#49898] [PATCH v2] gnu: Add spectre-meltdown-checker.
  2021-08-05 17:00 [bug#49898] [PATCH] gnu: Add spectre-meltdown-checker phodina via Guix-patches via
  2021-08-06 13:58 ` Leo Prikler
@ 2021-08-07  9:04 ` phodina via Guix-patches via
  2021-08-07  9:50   ` Leo Prikler
  2021-08-08 11:05 ` [bug#49898] [PATCH v3] " phodina via Guix-patches via
  2021-09-18 15:25 ` [bug#49898] [PATCH v4] " phodina via Guix-patches via
  3 siblings, 1 reply; 13+ messages in thread
From: phodina via Guix-patches via @ 2021-08-07  9:04 UTC (permalink / raw)
  To: 49898; +Cc: Leo Prikler

Thanks Leo for the suggestions!
-------------------
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 4ca2a386e1..3529fa02e2 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -53,6 +53,7 @@
 ;;; Copyright © 2020 pukkamustard <pukkamustard@posteo.net>
 ;;; Copyright © 2021 B. Wilson <elaexuotee@wilsonb.com>
 ;;; Copyright © 2021 Ivan Gankevich <i.gankevich@spbu.ru>
+;;; Copyright © 2021 Petr Hodina <phodina@protonmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -148,6 +149,7 @@
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system go)
+  #:use-module (guix build-system copy)
   #:use-module (guix build-system meson)
   #:use-module (guix build-system python)
   #:use-module (guix build-system trivial)
@@ -7191,6 +7193,32 @@ interfaces in parallel environments.")
     (supported-systems '("i686-linux" "x86_64-linux"))
     (license (list license:bsd-2 license:gpl2)))) ;dual

+(define-public spectre-meltdown-checker
+(package
+  (name "spectre-meltdown-checker")
+  (version "0.44")
+  (source (origin
+            (method git-fetch)
+            (uri (git-reference
+                  (url "https://github.com/speed47/spectre-meltdown-checker")
+                  (commit (string-append "v" version))))
+            (file-name (git-file-name name version))
+            (sha256
+             (base32
+              "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam"))))
+  (build-system copy-build-system)
+  (arguments
+   `(#:install-plan '(("spectre-meltdown-checker.sh"
+                       "bin/spectre-meltdown-checker.sh"))))
+  (inputs `(("util-linux" ,util-linux)
+            ("binutils" ,binutils)))
+  (synopsis "Spectre, Meltdown ... vulnerability/mitigation checker")
+  (description "A shell script to assess your system's resilience against
+the several transient execution CVEs that were published since early 2018,
+and give you guidance as to how to mitigate them.")
+  (home-page "https://github.com/speed47/spectre-meltdown-checker")
+  (license license:gpl3)))
+
 (define-public snapscreenshot
   (package
     (name "snapscreenshot")
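Review bot: the `#:install-plan` fixes what gets installed, but the script is still copied verbatim, so the `inputs` remain unused: `spectre-meltdown-checker.sh` keeps looking up every tool on PATH at run time, and a check whose helper is missing fails quietly somewhere inside the script's normal output. Add a phase that `substitute*`s absolute store paths into the script (or wraps it with a PATH prefix of the inputs' `bin` directories), and keep `inputs` sorted alphabetically. Also verify that the installed `bin/spectre-meltdown-checker.sh` keeps its executable bit; copy-build-system copies file modes from the checkout rather than setting them.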
--
2.32.0


* [bug#49898] [PATCH v2] gnu: Add spectre-meltdown-checker.
  2021-08-07  9:04 ` [bug#49898] [PATCH v2] " phodina via Guix-patches via
@ 2021-08-07  9:50   ` Leo Prikler
  0 siblings, 0 replies; 13+ messages in thread
From: Leo Prikler @ 2021-08-07  9:50 UTC (permalink / raw)
  To: phodina, 49898

Hi,

On Saturday, 07.08.2021, 09:04 +0000, phodina wrote:
> Thanks Leo for the suggestions!
> -------------------
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> 
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index 4ca2a386e1..3529fa02e2 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -53,6 +53,7 @@
>  ;;; Copyright © 2020 pukkamustard <pukkamustard@posteo.net>
>  ;;; Copyright © 2021 B. Wilson <elaexuotee@wilsonb.com>
>  ;;; Copyright © 2021 Ivan Gankevich <i.gankevich@spbu.ru>
> +;;; Copyright © 2021 Petr Hodina <phodina@protonmail.com>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -148,6 +149,7 @@
>    #:use-module (guix build-system cmake)
>    #:use-module (guix build-system gnu)
>    #:use-module (guix build-system go)
> +  #:use-module (guix build-system copy)
>    #:use-module (guix build-system meson)
>    #:use-module (guix build-system python)
>    #:use-module (guix build-system trivial)
> @@ -7191,6 +7193,32 @@ interfaces in parallel environments.")
>      (supported-systems '("i686-linux" "x86_64-linux"))
>      (license (list license:bsd-2 license:gpl2)))) ;dual
> 
> +(define-public spectre-meltdown-checker
> +(package
> +  (name "spectre-meltdown-checker")
> +  (version "0.44")
> +  (source (origin
> +            (method git-fetch)
> +            (uri (git-reference
> +                  (url "
> https://github.com/speed47/spectre-meltdown-checker")
> +                  (commit (string-append "v" version))))
> +            (file-name (git-file-name name version))
> +            (sha256
> +             (base32
> +              "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam"
> ))))
> +  (build-system copy-build-system)
> +  (arguments
> +   `(#:install-plan '(("spectre-meltdown-checker.sh"
> +                       "bin/spectre-meltdown-checker.sh"))))
> +  (inputs `(("util-linux" ,util-linux)
> +            ("binutils" ,binutils)))
We typically sort inputs alphabetically.
> +  (synopsis "Spectre, Meltdown ... vulnerability/mitigation
> checker")
> +  (description "A shell script to assess your system's resilience
> against
> +the several transient execution CVEs that were published since early
> 2018,
> +and give you guidance as to how to mitigate them.")
> +  (home-page "https://github.com/speed47/spectre-meltdown-checker")
> +  (license license:gpl3)))
This looks better, but after running the checker in a few
configurations (it doesn't appear to make a difference whether with or
without root, but judging from the papers some attacks would require
sudo) I've noticed that commands are insufficiently hardcoded.  
For instance, the check for Spectre Variant 1 requires perl, which is
not available and the line stating so is hidden well among a large wall
of output.
Likewise, I don't think simply including binutils does anything, you'll
have to patch those in as well if you want them.

Regards,


* [bug#49898] [PATCH v3] gnu: Add spectre-meltdown-checker.
  2021-08-05 17:00 [bug#49898] [PATCH] gnu: Add spectre-meltdown-checker phodina via Guix-patches via
  2021-08-06 13:58 ` Leo Prikler
  2021-08-07  9:04 ` [bug#49898] [PATCH v2] " phodina via Guix-patches via
@ 2021-08-08 11:05 ` phodina via Guix-patches via
  2021-08-08 21:42   ` Leo Prikler
  2021-09-18 15:25 ` [bug#49898] [PATCH v4] " phodina via Guix-patches via
  3 siblings, 1 reply; 13+ messages in thread
From: phodina via Guix-patches via @ 2021-08-08 11:05 UTC (permalink / raw)
  To: 49898; +Cc: Leo Prikler

> This looks better, but after running the checker in a few
> configurations (it doesn't appear to make a difference whether with or
> without root, but judging from the papers some attacks would require
> sudo) I've noticed that commands are insufficiently hardcoded.
> For instance, the check for Spectre Variant 1 requires perl, which is
> not available and the line stating so is hidden well among a large wall
> of output.
> Likewise, I don't think simply including binutils does anything, you'll
> have to patch those in as well if you want them.
>
> Regards,

Yes, it's unfortunately well hidden and there seems to be a mix of tools also
available only for BSD. I wanted to run it in a pure environment and with =-e=
but there are many conditions that exit at once.

So I went through the whole script and listed the commands.
Not sure regarding the admin privileges. I'll create an issue upstream
regarding the requirements. The Dockerfile gives some hints but it's not exhaustive.

Kind regards,
Petr

-----------------------------------------------------

* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 4ca2a386e1..24f7d43b33 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -53,6 +53,7 @@
 ;;; Copyright © 2020 pukkamustard <pukkamustard@posteo.net>
 ;;; Copyright © 2021 B. Wilson <elaexuotee@wilsonb.com>
 ;;; Copyright © 2021 Ivan Gankevich <i.gankevich@spbu.ru>
+;;; Copyright © 2021 Petr Hodina <phodina@protonmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -137,6 +138,7 @@
   #:use-module (gnu packages video)
   #:use-module (gnu packages vulkan)
   #:use-module (gnu packages web)
+  #:use-module (gnu packages wget)
   #:use-module (gnu packages xiph)
   #:use-module (gnu packages xml)
   #:use-module (gnu packages xdisorg)
@@ -148,6 +150,7 @@
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system go)
+  #:use-module (guix build-system copy)
   #:use-module (guix build-system meson)
   #:use-module (guix build-system python)
   #:use-module (guix build-system trivial)
@@ -7191,6 +7194,44 @@ interfaces in parallel environments.")
     (supported-systems '("i686-linux" "x86_64-linux"))
     (license (list license:bsd-2 license:gpl2)))) ;dual

+(define-public spectre-meltdown-checker
+(package
+  (name "spectre-meltdown-checker")
+  (version "0.44")
+  (source (origin
+            (method git-fetch)
+            (uri (git-reference
+                  (url "https://github.com/speed47/spectre-meltdown-checker")
+                  (commit (string-append "v" version))))
+            (file-name (git-file-name name version))
+            (sha256
+             (base32
+              "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam"))))
+  (build-system copy-build-system)
+  (arguments
+   `(#:install-plan '(("spectre-meltdown-checker.sh"
+                       "bin/spectre-meltdown-checker.sh"))))
+   (inputs `(("binutils" ,binutils)
+             ("coreutils",coreutils)
+             ("gawk" ,gawk)
+             ("gzip" ,gzip)
+             ("lzop" ,lzop)
+             ("perl" ,perl)
+             ("procps" ,procps)
+             ("sqlite" ,sqlite)
+             ("util-linux" ,util-linux)
+             ("util-linux-with-udev" ,util-linux+udev)
+             ("wget" ,wget)
+             ("which" ,which)
+             ("xz" ,xz)
+             ("zstd" ,zstd)))
+  (synopsis "Spectre, Meltdown ... vulnerability/mitigation checker")
+  (description "A shell script to assess your system's resilience against
+the several transient execution CVEs that were published since early 2018,
+and give you guidance as to how to mitigate them.")
+  (home-page "https://github.com/speed47/spectre-meltdown-checker")
+  (license license:gpl3)))
+
 (define-public snapscreenshot
   (package
     (name "snapscreenshot")
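Review bot: the fourteen `inputs` are still inert: there is no phase that rewrites command names in the script to these store paths, so adding packages to `inputs` changes nothing about which `perl`, `wget` or `dd` the script finds at run time. The list does document what the script calls, and that list itself deserves a look: `wget` means the script can fetch something over the network, which a tool normally run as root should not do unless the user asks for it, so confirm what is downloaded and that it is opt-in; `util-linux` and `util-linux+udev` are the same package built without and with libudev support and ship the same binaries, so one of them is redundant. Style: `("coreutils",coreutils)` lacks a space after the comma, and `(inputs` is indented one column deeper than the neighbouring fields.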
--
2.32.0


* [bug#49898] [PATCH v3] gnu: Add spectre-meltdown-checker.
  2021-08-08 11:05 ` [bug#49898] [PATCH v3] " phodina via Guix-patches via
@ 2021-08-08 21:42   ` Leo Prikler
  0 siblings, 0 replies; 13+ messages in thread
From: Leo Prikler @ 2021-08-08 21:42 UTC (permalink / raw)
  To: phodina, 49898

Hi,

On Sunday, 08.08.2021, 11:05 +0000, phodina wrote:
> Yes, it's unfortunately well hidden and there seems to be a mix of
> tools also available only for BSD. I wanted to run it in pure
> environment and with =-e= but there are many condtitions that exit at
> once.
I don't think the BSD ones should be too much of an issue, but if we
ever decide to ship a BSD kernel, that might become relevant.
> So I went throught the whole script and listed the commands.
> Not sure regarding the admin priviledges. I'll create issue on the
> upstream regarding the requirements. The Dockerfile gives some hints
> but it's not exhaustive.
As far as I can see, I don't think it claims sudo on your behalf, so
that should be fine.

> -----------------------------------------------------
> 
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> 
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index 4ca2a386e1..24f7d43b33 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -53,6 +53,7 @@
>  ;;; Copyright © 2020 pukkamustard <pukkamustard@posteo.net>
>  ;;; Copyright © 2021 B. Wilson <elaexuotee@wilsonb.com>
>  ;;; Copyright © 2021 Ivan Gankevich <i.gankevich@spbu.ru>
> +;;; Copyright © 2021 Petr Hodina <phodina@protonmail.com>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -137,6 +138,7 @@
>    #:use-module (gnu packages video)
>    #:use-module (gnu packages vulkan)
>    #:use-module (gnu packages web)
> +  #:use-module (gnu packages wget)
>    #:use-module (gnu packages xiph)
>    #:use-module (gnu packages xml)
>    #:use-module (gnu packages xdisorg)
> @@ -148,6 +150,7 @@
>    #:use-module (guix build-system cmake)
>    #:use-module (guix build-system gnu)
>    #:use-module (guix build-system go)
> +  #:use-module (guix build-system copy)
>    #:use-module (guix build-system meson)
>    #:use-module (guix build-system python)
>    #:use-module (guix build-system trivial)
> @@ -7191,6 +7194,44 @@ interfaces in parallel environments.")
>      (supported-systems '("i686-linux" "x86_64-linux"))
>      (license (list license:bsd-2 license:gpl2)))) ;dual
> 
> +(define-public spectre-meltdown-checker
> +(package
> +  (name "spectre-meltdown-checker")
> +  (version "0.44")
> +  (source (origin
> +            (method git-fetch)
> +            (uri (git-reference
> +                  (url "
> https://github.com/speed47/spectre-meltdown-checker")
> +                  (commit (string-append "v" version))))
> +            (file-name (git-file-name name version))
> +            (sha256
> +             (base32
> +              "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam"
> ))))
> +  (build-system copy-build-system)
> +  (arguments
> +   `(#:install-plan '(("spectre-meltdown-checker.sh"
> +                       "bin/spectre-meltdown-checker.sh"))))
> +   (inputs `(("binutils" ,binutils)
> +             ("coreutils",coreutils)
> +             ("gawk" ,gawk)
> +             ("gzip" ,gzip)
> +             ("lzop" ,lzop)
> +             ("perl" ,perl)
> +             ("procps" ,procps)
> +             ("sqlite" ,sqlite)
> +             ("util-linux" ,util-linux)
> +             ("util-linux-with-udev" ,util-linux+udev)
Why both?
> +             ("wget" ,wget)
> +             ("which" ,which)
> +             ("xz" ,xz)
> +             ("zstd" ,zstd)))
Are you sure that mere presence of these packages as inputs will do
anything to patch them?  Because I'm not so much.

Regards


* [bug#49898] [PATCH v4] gnu: Add spectre-meltdown-checker.
  2021-08-05 17:00 [bug#49898] [PATCH] gnu: Add spectre-meltdown-checker phodina via Guix-patches via
                   ` (2 preceding siblings ...)
  2021-08-08 11:05 ` [bug#49898] [PATCH v3] " phodina via Guix-patches via
@ 2021-09-18 15:25 ` phodina via Guix-patches via
  2021-09-18 17:03   ` Liliana Marie Prikler
  3 siblings, 1 reply; 13+ messages in thread
From: phodina via Guix-patches via @ 2021-09-18 15:25 UTC (permalink / raw)
  To: Leo Prikler; +Cc: 49898

Hi Leo,

I've substituted most of the commands. The only remaining commands at the moment are echo and printf. I haven't found a regexp that would work, as the text is also used for variables.

Otherwise the rest of the commands should be covered.
--8<---------------cut here---------------start------------->8--
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 46c9f817a8..905048a5be 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -53,6 +53,7 @@
 ;;; Copyright © 2020 pukkamustard <pukkamustard@posteo.net>
 ;;; Copyright © 2021 B. Wilson <elaexuotee@wilsonb.com>
 ;;; Copyright © 2021 Ivan Gankevich <i.gankevich@spbu.ru>
+;;; Copyright © 2021 Petr Hodina <phodina@protonmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -138,6 +139,7 @@
   #:use-module (gnu packages video)
   #:use-module (gnu packages vulkan)
   #:use-module (gnu packages web)
+  #:use-module (gnu packages wget)
   #:use-module (gnu packages xiph)
   #:use-module (gnu packages xml)
   #:use-module (gnu packages xdisorg)
@@ -149,6 +151,7 @@
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system go)
+  #:use-module (guix build-system copy)
   #:use-module (guix build-system meson)
   #:use-module (guix build-system python)
   #:use-module (guix build-system trivial)
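Review bot: `(guix build-system copy)` still sits after `go` instead of between `(guix build-system cmake)` and `(guix build-system gnu)`; the `#:use-module` list in this file is kept alphabetical.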
@@ -7372,6 +7375,93 @@ interfaces in parallel environments.")
     (supported-systems '("i686-linux" "x86_64-linux"))
     (license (list license:bsd-2 license:gpl2)))) ;dual

+(define-public spectre-meltdown-checker
+  (package
+    (name "spectre-meltdown-checker")
+    (version "0.44")
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "https://github.com/speed47/spectre-meltdown-checker")
+                    (commit (string-append "v" version))))
+              (file-name (git-file-name name version))
+              (sha256
+               (base32
+                "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam"))))
+    (build-system copy-build-system)
+    (arguments
+     `(#:install-plan '(("spectre-meltdown-checker.sh"
+                         "bin/spectre-meltdown-checker.sh"))
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'fix-relative-locations
+           (lambda* (#:key outputs #:allow-other-keys)
+             (let ((icoreutils (assoc-ref %build-inputs "coreutils"))
+                   (igrep (assoc-ref %build-inputs "grep"))
+                   (iutil-linux (assoc-ref %build-inputs "util-linux"))
+                   (iutil-linux-with-udev
+                     (assoc-ref %build-inputs "util-linux-with-udev"))
+                   (igawk (assoc-ref %build-inputs "gawk"))
+                   (igzip (assoc-ref %build-inputs "gzip"))
+                   (iunzip (assoc-ref %build-inputs "unzip"))
+                   (ilzop (assoc-ref %build-inputs "lzop"))
+                   (iperl (assoc-ref %build-inputs "perl"))
+                   (iprocps (assoc-ref %build-inputs "procps"))
+                   (isqlite (assoc-ref %build-inputs "sqlite"))
+                   (iwget (assoc-ref %build-inputs "wget"))
+                   (iwhich (assoc-ref %build-inputs "which"))
+                   (ixz (assoc-ref %build-inputs "xz"))
+                   (izstd (assoc-ref %build-inputs "zstd")))
+               (substitute* "spectre-meltdown-checker.sh"
+                ; TODO: Find regexp what will work
+                ;(("echo") (string-append icoreutils "/bin/echo"))
+                ;(("printf") (string-append icoreutils "/bin/printf"))
+                 (("dirname") (string-append icoreutils "/bin/dirname"))
+                 (("cat") (string-append icoreutils "/bin/cat"))
+                 (("grep[ ]+") (string-append igrep "/bin/grep "))
+                 (("cut") (string-append icoreutils "/bin/cut"))
+                 (("mktemp") (string-append icoreutils "/bin/mktemp"))
+                 (("stat[ ]+") (string-append icoreutils "/bin/stat " ))
+                 (("tail[ ]+") (string-append icoreutils "/bin/tail " ))
+                 (("head[ ]+") (string-append icoreutils "/bin/head " ))
+                 (("mount[ ]+")  "/run/setuid-programs/mount ")
+                 (("modprobe") (string-append iutil-linux "/bin/modprobe"))
+                 (("dd") (string-append icoreutils "/bin/dd"))
+                 (("dmesg[ ]+") (string-append iutil-linux-with-udev "/bin/dmesg "))
+                 (("awk") (string-append igawk "/bin/awk"))
+                 (("gzip") (string-append igzip "/bin/gzip"))
+                 (("unzip") (string-append iunzip "/bin/unzip"))
+                 (("lzop") (string-append ilzop "/bin/lzop"))
+                 (("perl") (string-append iperl "/bin/perl"))
+                 (("ps[ ]+") (string-append iprocps "/bin/ps "))
+                 (("sqlite3") (string-append isqlite "/bin/sqlite3"))
+                 (("wget") (string-append iwget "/bin/wget"))
+                 (("which") (string-append iwhich "/bin/which"))
+                 (("xz") (string-append ixz "/bin/xz"))
+                 (("zstd") (string-append izstd "/bin/zstd")))))))))
+    (inputs `(("binutils" ,binutils)
+              ("coreutils",coreutils)
+              ("gawk" ,gawk)
+              ("grep" ,grep)
+              ("gzip" ,gzip)
+              ("unzip" ,unzip)
+              ("lzop" ,lzop)
+              ("perl" ,perl)
+              ("procps" ,procps)
+              ("sqlite" ,sqlite)
+              ("util-linux" ,util-linux)
+              ("util-linux-with-udev" ,util-linux+udev)
+              ("wget" ,wget)
+              ("which" ,which)
+              ("xz" ,xz)
+              ("zstd" ,zstd)))
+    (synopsis "Spectre, Meltdown ... vulnerability/mitigation checker")
+    (description "A shell script to assess your system's resilience against
+the several transient execution CVEs that were published since early 2018,
+and give you guidance as to how to mitigate them.")
+    (home-page "https://github.com/speed47/spectre-meltdown-checker")
+    (license license:gpl3)))
+
 (define-public snapscreenshot
   (package
     (name "snapscreenshot")
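Review bot: the `substitute*` patterns in `fix-relative-locations` are unanchored regexps, so each one rewrites every occurrence of its text, not just command invocations: `cat` matches inside `indicate` and `deprecated`, `dd` inside `hidden` and `address`, `cut` inside `execute`, `awk` inside `gawk`, `xz` inside an `.xz` suffix, `which` in any comment, and `ps[ ]+` inside `steps ` or `maps `, and every hit becomes a `/gnu/store/...` path in the middle of a word or a variable name. That is the same problem that keeps `echo` and `printf` on the TODO list, and the fix is the same for all of them: anchor on both sides and re-emit the captured context, e.g. `(("(^|[^[:alnum:]_$./-])cat([^[:alnum:]_-]|$)" _ before after) (string-append before coreutils "/bin/cat" after))`; excluding `$`, `/` and `_` on the left leaves `$cat_cmd`, `/bin/cat` and already-substituted paths untouched. Three further problems in this hunk: `modprobe` is not part of util-linux (it comes from kmod), so `(string-append iutil-linux "/bin/modprobe")` points at a file that does not exist; the lambda declares `#:key outputs` but reads `%build-inputs`, so declare `#:key inputs` and use `(assoc-ref inputs ...)`; and `/run/setuid-programs/mount` hard-codes a Guix System path that does not exist on foreign distributions. `binutils` is still listed in `inputs` with no corresponding substitution.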
--
2.32.0


* [bug#49898] [PATCH v4] gnu: Add spectre-meltdown-checker.
  2021-09-18 15:25 ` [bug#49898] [PATCH v4] " phodina via Guix-patches via
@ 2021-09-18 17:03   ` Liliana Marie Prikler
  2021-12-07 22:04     ` [bug#49898] [PATCH v5] " phodina via Guix-patches via
  0 siblings, 1 reply; 13+ messages in thread
From: Liliana Marie Prikler @ 2021-09-18 17:03 UTC (permalink / raw)
  To: phodina; +Cc: 49898

Hi Petr,

On Saturday, 18.09.2021, 15:25 +0000, phodina wrote:
> [...]
> 
> 

> +         (add-after 'unpack 'fix-relative-locations
> +           (lambda* (#:key outputs #:allow-other-keys)
> +             (let ((icoreutils (assoc-ref %build-inputs
> "coreutils"))
> +                   (igrep (assoc-ref %build-inputs "grep"))
> +                   (iutil-linux (assoc-ref %build-inputs "util-
> linux"))
> +                   (iutil-linux-with-udev
> +                     (assoc-ref %build-inputs "util-linux-with-
> udev"))
> +                   (igawk (assoc-ref %build-inputs "gawk"))
> +                   (igzip (assoc-ref %build-inputs "gzip"))
> +                   (iunzip (assoc-ref %build-inputs "unzip"))
> +                   (ilzop (assoc-ref %build-inputs "lzop"))
> +                   (iperl (assoc-ref %build-inputs "perl"))
> +                   (iprocps (assoc-ref %build-inputs "procps"))
> +                   (isqlite (assoc-ref %build-inputs "sqlite"))
> +                   (iwget (assoc-ref %build-inputs "wget"))
> +                   (iwhich (assoc-ref %build-inputs "which"))
> +                   (ixz (assoc-ref %build-inputs "xz"))
> +                   (izstd (assoc-ref %build-inputs "zstd")))
I don't think Hungarian notation is very helpful here.
> +               (substitute* "spectre-meltdown-checker.sh"
> +                ; TODO: Find regexp what will work
> +                ;(("echo") (string-append icoreutils "/bin/echo"))
> +                ;(("printf") (string-append icoreutils
> "/bin/printf"))
There are multiple ways of handling this, but I think the best one
would be to substitute both `command -v printf' and `which echo' with
the path to false, then match the line 
  [ -z "$echo_cmd" ] && echo_cmd='echo'
and instead put there
  echo_cmd_type='printf'
  echo_cmd=(path-to "/bin/printf")

> +                 (("dirname") (string-append icoreutils
> "/bin/dirname"))
> +                 (("cat") (string-append icoreutils "/bin/cat"))
> +                 (("grep[ ]+") (string-append igrep "/bin/grep "))
> +                 (("cut") (string-append icoreutils "/bin/cut"))
> +                 (("mktemp") (string-append icoreutils
> "/bin/mktemp"))
> +                 (("stat[ ]+") (string-append icoreutils "/bin/stat
> " ))
> +                 (("tail[ ]+") (string-append icoreutils "/bin/tail
> " ))
> +                 (("head[ ]+") (string-append icoreutils "/bin/head
> " ))
> +                 (("mount[ ]+")  "/run/setuid-programs/mount ")
> +                 (("modprobe") (string-append iutil-linux
> "/bin/modprobe"))
> +                 (("dd") (string-append icoreutils "/bin/dd"))
> +                 (("dmesg[ ]+") (string-append iutil-linux-with-udev 
> "/bin/dmesg "))
> +                 (("awk") (string-append igawk "/bin/awk"))
> +                 (("gzip") (string-append igzip "/bin/gzip"))
> +                 (("unzip") (string-append iunzip "/bin/unzip"))
> +                 (("lzop") (string-append ilzop "/bin/lzop"))
> +                 (("perl") (string-append iperl "/bin/perl"))
> +                 (("ps[ ]+") (string-append iprocps "/bin/ps "))
> +                 (("sqlite3") (string-append isqlite
> "/bin/sqlite3"))
> +                 (("wget") (string-append iwget "/bin/wget"))
> +                 (("which") (string-append iwhich "/bin/which"))
> +                 (("xz") (string-append ixz "/bin/xz"))
> +                 (("zstd") (string-append izstd "/bin/zstd")))))))))
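Review bot: the bare patterns in this substitute* block (`("cat")`, `("dd")`, `("xz")`, `("which")`, `("ps[ ]+")`, `("mount[ ]+")`, ...) match inside other words, not only at command position, so substitute* will also rewrite "cat" in "location", "dd" in "add" or "hidden", "ps " at the end of any word, and "mount " inside "remount ", in comments and string literals as well as in commands; anchor every pattern to a command position (start of line, `|`, `$(`, backtick or `;` followed by the name and a space) or, simpler, drop the rewrite and put the inputs' bin directories on PATH in a wrapper. `"/run/setuid-programs/mount"` is also a Guix System path that does not exist when Guix is used as a package manager on another distribution.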
Group those that need spaces and those that don't together, with an
explanation as to why those two groups exist.
> +    (inputs `(("binutils" ,binutils)
> +              ("coreutils",coreutils)
> +              ("gawk" ,gawk)
> +              ("grep" ,grep)
> +              ("gzip" ,gzip)
> +              ("unzip" ,unzip)
> +              ("lzop" ,lzop)
> +              ("perl" ,perl)
> +              ("procps" ,procps)
> +              ("sqlite" ,sqlite)
> +              ("util-linux" ,util-linux)
> +              ("util-linux-with-udev" ,util-linux+udev)
Why both?
> +              ("wget" ,wget)
> +              ("which" ,which)
> +              ("xz" ,xz)
> +              ("zstd" ,zstd)))
> +    (synopsis "Spectre, Meltdown ... vulnerability/mitigation
> checker")
> +    (description "A shell script to assess your system's resilience
> against
> +the several transient execution CVEs that were published since early
> 2018,
> +and give you guidance as to how to mitigate them.")
> +    (home-page "https://github.com/speed47/spectre-meltdown-checker"
> )
> +    (license license:gpl3)))
> +
>  (define-public snapscreenshot
>    (package
>      (name "snapscreenshot")
> --
> 2.32.0

* [bug#49898] [PATCH v5] gnu: Add spectre-meltdown-checker.
  2021-09-18 17:03   ` Liliana Marie Prikler
@ 2021-12-07 22:04     ` phodina via Guix-patches via
  2022-06-26 10:23       ` Liliana Marie Prikler
  0 siblings, 1 reply; 13+ messages in thread
From: phodina via Guix-patches via @ 2021-12-07 22:04 UTC (permalink / raw)
  To: Liliana Marie Prikler; +Cc: 49898


Hi Liliana,

> Hi Petr,
>
> Am Samstag, den 18.09.2021, 15:25 +0000 schrieb phodina:
> > [...]
> > -           (add-after 'unpack 'fix-relative-locations
> > -             (lambda* (#:key outputs #:allow-other-keys)
> > -               (let ((icoreutils (assoc-ref %build-inputs
> > "coreutils"))
> > -                     (igrep (assoc-ref %build-inputs "grep"))
> > -                     (iutil-linux (assoc-ref %build-inputs "util-
> > linux"))
> > -                     (iutil-linux-with-udev
> > -                       (assoc-ref %build-inputs "util-linux-with-
> > udev"))
> > -                     (igawk (assoc-ref %build-inputs "gawk"))
> > -                     (igzip (assoc-ref %build-inputs "gzip"))
> > -                     (iunzip (assoc-ref %build-inputs "unzip"))
> > -                     (ilzop (assoc-ref %build-inputs "lzop"))
> > -                     (iperl (assoc-ref %build-inputs "perl"))
> > -                     (iprocps (assoc-ref %build-inputs "procps"))
> > -                     (isqlite (assoc-ref %build-inputs "sqlite"))
> > -                     (iwget (assoc-ref %build-inputs "wget"))
> > -                     (iwhich (assoc-ref %build-inputs "which"))
> > -                     (ixz (assoc-ref %build-inputs "xz"))
> > -                     (izstd (assoc-ref %build-inputs "zstd")))
>
> I don't think Hungarian notation is very helpful here.
>
> > -                 (substitute* "spectre-meltdown-checker.sh"
> > -                  ; TODO: Find regexp what will work
> > -                  ;(("echo") (string-append icoreutils "/bin/echo"))
> > -                  ;(("printf") (string-append icoreutils
> > "/bin/printf"))
>
> There are multiple ways of handling this, but I think the best one
> would be to substitute both `command -v printf' and `which echo' with
> the path to false, then match the line
> [ -z "$echo_cmd" ] && echo_cmd='echo'
> and instead put there
> echo_cmd_type='printf'
> echo_cmd=(path-to "/bin/printf")
>
> > -                   (("dirname") (string-append icoreutils
> > "/bin/dirname"))
> > -                   (("cat") (string-append icoreutils "/bin/cat"))
> > -                   (("grep[ ]+") (string-append igrep "/bin/grep "))
> > -                   (("cut") (string-append icoreutils "/bin/cut"))
> > -                   (("mktemp") (string-append icoreutils
> > "/bin/mktemp"))
> > -                   (("stat[ ]+") (string-append icoreutils "/bin/stat
> > " ))
> > -                   (("tail[ ]+") (string-append icoreutils "/bin/tail
> > " ))
> > -                   (("head[ ]+") (string-append icoreutils "/bin/head
> > " ))
> > -                   (("mount[ ]+")  "/run/setuid-programs/mount ")
> > -                   (("modprobe") (string-append iutil-linux
> > "/bin/modprobe"))
> > -                   (("dd") (string-append icoreutils "/bin/dd"))
> > -                   (("dmesg[ ]+") (string-append iutil-linux-with-udev
> > "/bin/dmesg "))
> > -                   (("awk") (string-append igawk "/bin/awk"))
> > -                   (("gzip") (string-append igzip "/bin/gzip"))
> > -                   (("unzip") (string-append iunzip "/bin/unzip"))
> > -                   (("lzop") (string-append ilzop "/bin/lzop"))
> > -                   (("perl") (string-append iperl "/bin/perl"))
> > -                   (("ps[ ]+") (string-append iprocps "/bin/ps "))
> > -                   (("sqlite3") (string-append isqlite
> > "/bin/sqlite3"))
> > -                   (("wget") (string-append iwget "/bin/wget"))
> > -                   (("which") (string-append iwhich "/bin/which"))
> > -                   (("xz") (string-append ixz "/bin/xz"))
> > -                   (("zstd") (string-append izstd "/bin/zstd")))))))))
>
> Group those that need spaces and those that don't together, with an
> explanation as to why those two groups exist.
>
> > -   (inputs `(("binutils" ,binutils)
> > -                ("coreutils",coreutils)
> > -                ("gawk" ,gawk)
> > -                ("grep" ,grep)
> > -                ("gzip" ,gzip)
> > -                ("unzip" ,unzip)
> > -                ("lzop" ,lzop)
> > -                ("perl" ,perl)
> > -                ("procps" ,procps)
> > -                ("sqlite" ,sqlite)
> > -                ("util-linux" ,util-linux)
> > -                ("util-linux-with-udev" ,util-linux+udev)
>
> Why both?
>
> > -                ("wget" ,wget)
> > -                ("which" ,which)
> > -                ("xz" ,xz)
> > -                ("zstd" ,zstd)))
> > -   (synopsis "Spectre, Meltdown ... vulnerability/mitigation
> >     checker")
> > -   (description "A shell script to assess your system's resilience
> >     against
> >     +the several transient execution CVEs that were published since early
> >     2018,
> >     +and give you guidance as to how to mitigate them.")
> > -   (home-page "https://github.com/speed47/spectre-meltdown-checker"
> >     )
> > -   (license license:gpl3)))
> >
> > (define-public snapscreenshot
> >   (package
> >     (name "snapscreenshot")
> > --
> > 2.32.0
I've used the wrap-program as an alternative to your suggested solution.

Going through the program there is a function update_fwdb [1] that downloads and updates database files when the script is executed with the --update-fwdb argument.

I've added both files [2][3] in question to the lists of inputs.

However, since they are supposed to be updated at runtime (stored in $HOME) I don't know how to represent this in the package definition.

Could you please suggest how to proceed?

----
Petr

[1] https://github.com/speed47/spectre-meltdown-checker/blob/master/spectre-meltdown-checker.sh#L838
[2] https://github.com/platomav/MCExtractor/raw/master/MCE.db
[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip

[-- Attachment #2: v5-0001-gnu-Add-spectre-meltdown-checker.patch --]

From 83a93beffb9e4493c361d126fdb7564c662525c7 Mon Sep 17 00:00:00 2001
From: Petr Hodina <phodina@protonmail.com>
Date: Thu, 5 Aug 2021 18:23:47 +0200
Subject: [PATCH v5] gnu: Add spectre-meltdown-checker.

* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 03e84a0a79..19999ef8e0 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -53,6 +53,7 @@
 ;;; Copyright © 2021 B. Wilson <elaexuotee@wilsonb.com>
 ;;; Copyright © 2021 Ivan Gankevich <i.gankevich@spbu.ru>
 ;;; Copyright © 2021 Olivier Dion <olivier.dion@polymtl.ca>
+;;; Copyright © 2021 Petr Hodina <phodina@protonmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -139,6 +140,7 @@ (define-module (gnu packages linux)
   #:use-module (gnu packages video)
   #:use-module (gnu packages vulkan)
   #:use-module (gnu packages web)
+  #:use-module (gnu packages wget)
   #:use-module (gnu packages xiph)
   #:use-module (gnu packages xml)
   #:use-module (gnu packages xdisorg)
@@ -150,6 +152,7 @@ (define-module (gnu packages linux)
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system go)
+  #:use-module (guix build-system copy)
   #:use-module (guix build-system meson)
   #:use-module (guix build-system python)
   #:use-module (guix build-system trivial)
@@ -7325,6 +7328,81 @@ (define-public psm
     (supported-systems '("i686-linux" "x86_64-linux"))
     (license (list license:bsd-2 license:gpl2)))) ;dual
 
+(define-public spectre-meltdown-checker
+  (package
+    (name "spectre-meltdown-checker")
+    (version "0.44")
+    (source 
+     (origin
+       (method git-fetch)
+       (uri (git-reference
+             (url "https://github.com/speed47/spectre-meltdown-checker")
+             (commit (string-append "v" version))))
+       (file-name (git-file-name name version))
+       (sha256
+        (base32
+         "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam"))))
+    (build-system copy-build-system)
+    (arguments
+     `(#:install-plan '(("spectre-meltdown-checker.sh"
+                         "bin/spectre-meltdown-checker.sh"))
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'unzip-intelfw
+           (lambda* (#:key inputs #:allow-other-keys)
+             (invoke "unzip" (assoc-ref inputs "intelfw"))))
+         (add-after 'install 'patch-paths
+           (lambda* (#:key inputs #:allow-other-keys)
+             (let ((out (assoc-ref %outputs "out"))
+                   (paths (map
+                           (lambda (input)
+                             (string-append (assoc-ref inputs input) "/bin"))
+                           '("coreutils" "grep" "util-linux" "iucode-tool"
+                             "util-linux-with-udev" "gawk" "gzip" "lzop"
+                             "lzop" "perl" "procps" "sqlite" "wget" "which" "xz" "zstd"))))
+               (for-each
+                (lambda (program)
+                  (wrap-program
+                      (string-append out "/" program)
+                    `("PATH" prefix ,paths)))
+                '("bin/spectre-meltdown-checker.sh"))))))))
+    (inputs `(("binutils" ,binutils)
+              ("coreutils",coreutils)
+              ("gawk" ,gawk)
+              ("grep" ,grep)
+              ("gzip" ,gzip)
+              ("intelfw", (origin
+                            (method url-fetch)
+                            (uri
+                             "https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip")
+                            (sha256
+                             (base32
+                              "1zpf1h864f9lqdjf867xg5cw3xpq4l335g7dqpyl2zhb13kk0dhy"))))
+              ("iucode-tool" ,iucode-tool)
+              ("lzop" ,lzop)
+              ("mcedb", (origin
+                          (method url-fetch)
+                          (uri "https://github.com/platomav/MCExtractor/raw/master/MCE.db")
+                          (sha256
+                           (base32
+                            "1lms4q6g17jz7pqvl8fcbpbsxxz84nax18zhn9b532svldxg7gh2"))))
+              ("perl" ,perl)
+              ("procps" ,procps)
+              ("sqlite" ,sqlite)
+              ("unzip" ,unzip)
+              ("util-linux" ,util-linux)
+              ("util-linux-with-udev" ,util-linux+udev)
+              ("wget" ,wget)
+              ("which" ,which)
+              ("xz" ,xz)
+              ("zstd" ,zstd)))
+    (synopsis "Spectre, Meltdown ... vulnerability/mitigation checker")
+    (description "A shell script to assess your system's resilience against
+the several transient execution CVEs that were published since early 2018,
+and give you guidance as to how to mitigate them.")
+    (home-page "https://github.com/speed47/spectre-meltdown-checker")
+    (license license:gpl3)))
+
 (define-public snapscreenshot
   (package
     (name "snapscreenshot")
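Review bot: the `mcedb` input (the MCE.db origin) is fetched but no phase refers to it, and `unzip-intelfw` only extracts the Intel archive into the build tree without installing anything from it, so neither database reaches the output and `--update-fwdb` will still try to download into `$HOME` at runtime; either install both under `share/` and point the script's cache variables at them, or drop the two origins (and `unzip`) from `inputs`. Smaller points in the same hunk: `patch-paths` should take `outputs` from its keyword arguments instead of reading `%outputs`; the PATH list names `"lzop"` twice and omits `"binutils"` and `"unzip"` although both are inputs; and since `wrap-program` writes a shell-script wrapper, `bash-minimal` belongs in `inputs` so the wrapper's interpreter is part of the package closure (the `guix lint` wrapper check warns about this).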
-- 
2.34.0

* [bug#49898] [PATCH v5] gnu: Add spectre-meltdown-checker.
  2021-12-07 22:04     ` [bug#49898] [PATCH v5] " phodina via Guix-patches via
@ 2022-06-26 10:23       ` Liliana Marie Prikler
  2022-06-26 11:07         ` phodina via Guix-patches via
  0 siblings, 1 reply; 13+ messages in thread
From: Liliana Marie Prikler @ 2022-06-26 10:23 UTC (permalink / raw)
  To: phodina; +Cc: 49898

Hi Petr,

sorry for the very late reply.  Are you still interested in adding
spectre-meltdown-checker?  If so, there's a new version out.  Also...

Am Dienstag, dem 07.12.2021 um 22:04 +0000 schrieb phodina:
> I've used the wrap-program as an alternative to the your suggested
> solution.
That does work, but remains quite inelegant.

> Going through the program there is a function update_fwdb [1] that
> downloads and updates database files when the script is executed with
> the --update-fwdb argument.
> 
> I've added both files [2][3] in question to the lists of inputs.
> 
> However, since they are supposed to be updated at runtime (stored in
> $HOME) I don't know to represent this in the package definition.
> 
> Could you please suggest how to proceed?
I'd suggest removing that functionality as well as the associated
inputs (i.e. curl etc., not the databases).  Even if it's treated as
"just data", users should be able to specify on their own the data to
check against.  Perhaps you could suggest to upstream that adding
--fwdb /path/to/fwdb might be useful?

Since this patch is rather old, there are a few style-related changes
that should also be incorporated:


> +    (arguments
> +     `(...))
Use a list of G-Expressions.

> +                   (paths (map
> +                           (lambda (input)
> +                             (string-append (assoc-ref inputs input)
> "/bin"))
> +                           '("coreutils" "grep" "util-linux"
> "iucode-tool"
> +                             "util-linux-with-udev" "gawk" "gzip"
> "lzop"
> +                             "lzop" "perl" "procps" "sqlite" "wget"
> "which" "xz" "zstd"))))
You can use (search-input-file inputs "/bin/CMD") to search CMD from
inputs.
> +    (inputs `(("binutils" ,binutils)
> +              ("coreutils",coreutils)
> +              [...])
You can drop the input labels, but you'll have to find another way to
pass the firmware databases.  Speaking of which, is anything even done
with those?  Could we add (a) separate package(s) with those databases
instead?

Cheers 

* [bug#49898] [PATCH v5] gnu: Add spectre-meltdown-checker.
  2022-06-26 10:23       ` Liliana Marie Prikler
@ 2022-06-26 11:07         ` phodina via Guix-patches via
  2022-07-01 21:57           ` [bug#49898] [PATCH v6] " phodina via Guix-patches via
  0 siblings, 1 reply; 13+ messages in thread
From: phodina via Guix-patches via @ 2022-06-26 11:07 UTC (permalink / raw)
  To: Liliana Marie Prikler; +Cc: 49898

Hi,

Yes I'm still interested in upstreaming this package. True, in the meantime a lot has happened and I'll prepare a patch with simplified inputs and Gexps.

Also the databases will be in separate packages and just put into the inputs and linked correctly.

And I'll also update the package version.

Unfortunately HW issues will remain with us for long and it's useful to have some way to check for them.

FYI I'm currently also in process of packaging other stuff so it might take some time.

----
Petr

* [bug#49898] [PATCH v6] gnu: Add spectre-meltdown-checker.
  2022-06-26 11:07         ` phodina via Guix-patches via
@ 2022-07-01 21:57           ` phodina via Guix-patches via
  2022-07-01 23:02             ` Liliana Marie Prikler
  0 siblings, 1 reply; 13+ messages in thread
From: phodina via Guix-patches via @ 2022-07-01 21:57 UTC (permalink / raw)
  To: Liliana Marie Prikler; +Cc: 49898


Hi!

here's the updated patch set:

- The version has been updated.
- It uses gexps.
- There are now 3 packages (intelfw and mcextractor are new).

There is an issue with the Intel license. Not sure if it can be included.

The intelfw and mcextractor are used in the shell function update_fwdb. It might be better to create a patch, remove the download functionality and point it to /gnu/store for the package inputs. What do you think?

----
Petr

[-- Attachment #2: v6-0001-gnu-Add-intelfw.patch --]

From fbee544b00de49e7c26e125ec2f1061524cc19ab Mon Sep 17 00:00:00 2001
From: Petr Hodina <phodina@protonmail.com>
Date: Fri, 1 Jul 2022 23:18:13 +0200
Subject: [PATCH v6 1/3] gnu: Add intelfw.

* gnu/packages/linux.scm (intelfw): New variable.

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 58d33140bd..98333c5be2 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -7983,6 +7983,29 @@ (define-public psm
     (supported-systems '("i686-linux" "x86_64-linux"))
     (license (list license:bsd-2 license:gpl2)))) ;dual
 
+(define-public intelfw
+  (package
+    (name "intelfw")
+    (version "20220510")
+    (home-page "https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files")
+    (source 
+              (origin
+                            (method url-fetch)
+                            (uri
+                             (string-append home-page
+							 "/archive/refs/tags/microcode-"
+							 version ".tar.gz"))
+                            (sha256
+                             (base32
+                              "0akd526rrkskz7l0kihbymmjzcmf56pv7kh0nbdviywqnmqxqk95"))))
+    (build-system copy-build-system)
+    (synopsis "Intel Processor Microcode")
+    (description "This package provides Intel Processor Microcode provides
+a mechanism to release updates for security advisories and functional issues,
+including errata.")
+	;; TODO: Intel nonfree license
+    (license #f)))
+
 (define-public snapscreenshot
   (package
     (name "snapscreenshot")
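Review bot: `(license #f)` with a TODO cannot be merged; the Intel microcode license permits redistribution only without modification, which is exactly the kind of blob Guix does not distribute, so this package should not go into `gnu/packages/linux.scm` and the checker should instead accept a user-supplied database path. If the definition is kept anywhere, fix the description (`provides Intel Processor Microcode provides`), replace the tab indentation in `source` with spaces as in the rest of the file, and give `copy-build-system` an explicit `#:install-plan` naming the microcode files so the output contents are intentional rather than whatever the defaults copy.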
-- 
2.36.1


[-- Attachment #3: v6-0002-gnu-Add-mcextractor.patch --]

From cca59fd7281ce832daa46f201ad7d68058e6c2da Mon Sep 17 00:00:00 2001
From: Petr Hodina <phodina@protonmail.com>
Date: Fri, 1 Jul 2022 23:18:23 +0200
Subject: [PATCH v6 2/3] gnu: Add mcextractor.

* gnu/packages/linux.scm (mcextractor): New variable.

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 98333c5be2..5f634824bf 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -8006,6 +8006,38 @@ (define-public intelfw
 	;; TODO: Intel nonfree license
     (license #f)))
 
+(define-public mcextractor
+  (package
+    (name "mcextractor")
+    (version "1.74.1")
+    (home-page "https://github.com/platomav/MCExtractor")
+    (source 
+              (origin
+                          (method git-fetch)
+                          (uri (git-reference
+						  (url home-page)
+						  (commit (string-append "v" version "-r232"))))
+              (file-name (git-file-name name version))
+                          (sha256
+                           (base32
+                            "09pxa23kdsy8apnxay7v1wmds5879rj6hx779rrqmspllwgg79hj"))))
+    (build-system python-build-system)
+	(arguments
+	 (list #:use-setuptools? #f
+	       #:tests? #f
+	       #:phases
+           #~(modify-phases %standard-phases
+		      (delete 'build)
+			  (replace 'install
+			   (lambda* _
+			   (install-file "MCE.py" (string-append #$output "/bin"))
+			   (install-file "MCE.db" (string-append #$output
+			   "/share/")))))))
+    (synopsis "Intel, AMD, VIA & Freescale Microcode Extraction Tool")
+    (description "This package provides a tool MC Extractor which parses Intel,
+AMD, VIA and Freescale processor microcode binaries")
+    (license license:bsd-2)))
+
 (define-public snapscreenshot
   (package
     (name "snapscreenshot")
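Review bot: `#:tests? #f` needs a comment saying why (for instance that the checkout ships no test suite), and `(lambda* _ ...)` in the `install` replacement should be the plain `(lambda _ ...)`. The description is missing its final period, the `arguments` block mixes tabs and spaces, and the tag `v1.74.1-r232` suggests the `r232` revision is part of upstream's release naming and should be reflected in `version` rather than only in the commit string. Since `MCE.py` is installed as a script in `bin/`, also check whether it imports third-party modules; any it needs must be listed as inputs so the `wrap` phase puts them on `GUIX_PYTHONPATH`.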
-- 
2.36.1


[-- Attachment #4: v6-0003-gnu-Add-spectre-meltdown-checker.patch --]

From 4ec64ebd0dbaed7de220a6d0bb6a1845060b7a51 Mon Sep 17 00:00:00 2001
From: Petr Hodina <phodina@protonmail.com>
Date: Thu, 5 Aug 2021 18:23:47 +0200
Subject: [PATCH v6 3/3] gnu: Add spectre-meltdown-checker.

* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 5f634824bf..f9c7a0c93a 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -154,6 +154,7 @@ (define-module (gnu packages linux)
   #:use-module (gnu packages video)
   #:use-module (gnu packages vulkan)
   #:use-module (gnu packages web)
+  #:use-module (gnu packages wget)
   #:use-module (gnu packages xiph)
   #:use-module (gnu packages xml)
   #:use-module (gnu packages xdisorg)
@@ -167,6 +168,7 @@ (define-module (gnu packages linux)
   #:use-module (guix build-system copy)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system go)
+  #:use-module (guix build-system copy)
   #:use-module (guix build-system meson)
   #:use-module (guix build-system python)
   #:use-module (guix build-system trivial)
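Review bot: this hunk adds a second `#:use-module (guix build-system copy)`; the first context line of the hunk shows the module is already imported on current master, so drop the added line.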
@@ -8038,6 +8040,84 @@ (define-public mcextractor
 AMD, VIA and Freescale processor microcode binaries")
     (license license:bsd-2)))
 
+(define-public spectre-meltdown-checker
+  (package
+    (name "spectre-meltdown-checker")
+    (version "0.45")
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "https://github.com/speed47/spectre-meltdown-checker")
+                    (commit (string-append "v" version))))
+              (file-name (git-file-name name version))
+              (sha256
+               (base32
+                "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+    (build-system copy-build-system)
+    (arguments
+     (list #:install-plan #~`(("spectre-meltdown-checker.sh"
+                             "bin/spectre-meltdown-checker.sh"))
+           #:phases #~(modify-phases %standard-phases
+                        (add-after 'unpack 'replace-paths
+                          (lambda* (#:key inputs #:allow-other-keys)
+                            (substitute* "spectre-meltdown-checker.sh"
+							(("mcedb_cache=") (string-append "mcedb_cache="
+							#$mcextractor "/share/MCE.db"))
+							(("intel_tmp=") (string-append "intel_tmp="
+                                    #$intelfw)))))
+                        (add-after 'install 'patch-paths
+                          (lambda* (#:key inputs #:allow-other-keys)
+                            (let ((paths (map (lambda (input)
+                                                (string-append (assoc-ref
+                                                                inputs input)
+                                                               "/bin"))
+                                              '("coreutils" "grep"
+                                                "util-linux"
+                                                "iucode-tool"
+                                                "util-linux-with-udev"
+                                                "gawk"
+                                                "gzip"
+                                                "lzop"
+                                                "lzop"
+                                                "perl"
+                                                "procps"
+                                                "sqlite"
+                                                "wget"
+                                                "which"
+                                                "xz"
+                                                "zstd"))))
+                                          (wrap-program (string-append #$output
+										  "/bin/spectre-meltdown-checker.sh")
+                                                        `("PATH" prefix
+                                                          ,paths))))))))
+    (inputs (list bash-minimal
+                  binutils
+                  coreutils
+                  gawk
+                  grep
+                  gzip
+                  iucode-tool
+                  intelfw
+                  lzop
+                  mcextractor
+                  perl
+                  procps
+                  sqlite
+                  unzip
+                  util-linux
+                  util-linux+udev
+                  wget
+                  which
+                  xz
+                  zstd))
+    (synopsis "Spectre, Meltdown ... vulnerability/mitigation checker")
+    (description
+     "A shell script to assess your system's resilience against
+the several transient execution CVEs that were published since early 2018,
+and give you guidance as to how to mitigate them.")
+    (home-page "https://github.com/speed47/spectre-meltdown-checker")
+    (license license:gpl3)))
+
 (define-public snapscreenshot
   (package
     (name "snapscreenshot")
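Review bot: the substitutions in `replace-paths` match only the text `mcedb_cache=` and `intel_tmp=`, so whatever the script assigns after the `=` stays in place after the inserted store path (the line becomes `mcedb_cache=/gnu/store/...-mcextractor/share/MCE.db<original value>`); match the whole assignment to end of line, or better, follow the earlier suggestion and add a `--fwdb` option instead of pointing variables that `update_fwdb` writes to at read-only store paths. Beyond that, `intelfw` is a non-free input that cannot be merged; the PATH list still repeats `"lzop"` and keeps `assoc-ref` where `search-input-file` or `#$(this-package-input ...)` fits the gexp style; and `replace-paths` declares `#:key inputs` it never uses.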
-- 
2.36.1

* [bug#49898] [PATCH v6] gnu: Add spectre-meltdown-checker.
  2022-07-01 21:57           ` [bug#49898] [PATCH v6] " phodina via Guix-patches via
@ 2022-07-01 23:02             ` Liliana Marie Prikler
  0 siblings, 0 replies; 13+ messages in thread
From: Liliana Marie Prikler @ 2022-07-01 23:02 UTC (permalink / raw)
  To: phodina; +Cc: 49898

Am Freitag, dem 01.07.2022 um 21:57 +0000 schrieb phodina:
> Hi!
> 
> here's updated patch set:
> 
> - The version has been updated.
> - It uses gexps.
> - There are now 3 packages (intelfw and mcextractor are new).
> 
> There is the issue with Intel license. Not sure if it can be
> included.
I don't think it can.  In my humble opinion, microcode counts as very
functional data and should thus be distributed under a free license. 
mcextractor OTOH looks good to me, even if its main purpose is to
handle these binary blobs.

> The intelfw and mcextractor are used in the shell function
> update_fwdb. It might be better to create a patch, remove the
> download functionality and point it to /gnu/store for the package
> inputs. What do you think?
As already outlined, I think we should go with a "please provide your
firmware via command line option if you think that makes a difference"
approach, assuming unpatched firmware if none is passed.  Since Guix
doesn't actually distribute any of Intel's or AMD's blobs, that is the
correct behaviour, both ethically and functionally.

Cheers
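As an added example, not code from spectre-meltdown-checker or from this patch series, here is one way the `--fwdb /path/to/fwdb` handling suggested in the 2022-06-26 reply and again above could look in POSIX sh: the database is used only when the user supplies one, nothing is downloaded or written under $HOME, and with no database the microcode check reports "unknown" and treats the firmware as unpatched. The names `resolve_fwdb`, `fwdb_is_valid`, `microcode_verdict`, the `SMC_FWDB` variable and the `check:`/`unknown:`/`error:` result words are all invented for this sketch.

```shell
#!/bin/sh
# Added example, not the project's code: a sketch of "--fwdb PATH" handling.
# resolve_fwdb, fwdb_is_valid, microcode_verdict, SMC_FWDB and the
# check:/unknown:/error: result words are hypothetical names for this sketch.
#
# Policy: the microcode database is used only when the user points at one.
# Nothing is downloaded at runtime and nothing is written under $HOME; with
# no database the result is "unknown" and the firmware is assumed unpatched.

# A usable database is a readable regular file that starts with the SQLite 3
# header ("SQLite format 3" followed by a NUL), since MCE.db is a SQLite file
# that the checker queries with sqlite3.  Only the 15 printable header bytes
# are compared because a shell variable cannot hold the trailing NUL.
fwdb_is_valid() {
    [ -f "$1" ] && [ -r "$1" ] || return 1
    [ "$(head -c 15 "$1" 2>/dev/null)" = "SQLite format 3" ]
}

# Resolve the database path: --fwdb PATH or --fwdb=PATH on the command line
# wins, then the SMC_FWDB environment variable.  Prints the path and returns
# 0 on success, 1 when no database was requested, 2 when one was requested
# but is unusable (the user asked for a specific file; silently ignoring it
# would turn a configuration error into a misleading "unknown").
resolve_fwdb() {
    fwdb=""
    while [ $# -gt 0 ]; do
        case "$1" in
            --fwdb=*) fwdb="${1#--fwdb=}" ;;
            --fwdb)
                shift
                [ $# -gt 0 ] || { echo "--fwdb requires a path" >&2; return 2; }
                fwdb="$1" ;;
        esac
        shift
    done
    [ -n "$fwdb" ] || fwdb="${SMC_FWDB:-}"
    [ -n "$fwdb" ] || return 1
    if ! fwdb_is_valid "$fwdb"; then
        echo "fwdb: '$fwdb' is not a readable SQLite database" >&2
        return 2
    fi
    printf '%s\n' "$fwdb"
}

# What the microcode check should report, given the arguments it was run with.
microcode_verdict() {
    if db=$(resolve_fwdb "$@"); then
        printf 'check:%s\n' "$db"          # go on and query the database
    elif [ $? -eq 1 ]; then
        printf 'unknown:no-fwdb-given\n'   # assume unpatched, never fetch
    else
        printf 'error:bad-fwdb\n'          # refuse to run with a bad path
        return 1
    fi
}
```

Run as `sh checker.sh --fwdb /path/to/MCE.db` the verdict carries the database path on to the real lookup; run with no option it yields `unknown:no-fwdb-given`, which is the honest answer when the package does not ship Intel's data. A bad path is an error rather than a downgrade to "unknown", so a typo in the option cannot quietly produce a weaker result.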

Thread overview: 13+ messages
2021-08-05 17:00 [bug#49898] [PATCH] gnu: Add spectre-meltdown-checker phodina via Guix-patches via
2021-08-06 13:58 ` Leo Prikler
2021-08-07  9:04 ` [bug#49898] [PATCH v2] " phodina via Guix-patches via
2021-08-07  9:50   ` Leo Prikler
2021-08-08 11:05 ` [bug#49898] [PATCH v3] " phodina via Guix-patches via
2021-08-08 21:42   ` Leo Prikler
2021-09-18 15:25 ` [bug#49898] [PATCH v4] " phodina via Guix-patches via
2021-09-18 17:03   ` Liliana Marie Prikler
2021-12-07 22:04     ` [bug#49898] [PATCH v5] " phodina via Guix-patches via
2022-06-26 10:23       ` Liliana Marie Prikler
2022-06-26 11:07         ` phodina via Guix-patches via
2022-07-01 21:57           ` [bug#49898] [PATCH v6] " phodina via Guix-patches via
2022-07-01 23:02             ` Liliana Marie Prikler

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git