From: phodina via Guix-patches
To: 49898@debbugs.gnu.org
Cc: Leo Prikler
Date: Sun, 08 Aug 2021 11:05:49 +0000
Subject: [bug#49898] [PATCH v3] gnu: Add spectre-meltdown-checker.
> > This looks better, but after running the checker in a few
> > configurations (it doesn't appear to make a difference whether with or
> > without root, but judging from the papers some attacks would require
> > sudo) I've noticed that commands are insufficiently hardcoded.
> >
> > For instance, the check for Spectre Variant 1 requires perl, which is
> > not available and the line stating so is hidden well among a large wall
> > of output.
> >
> > Likewise, I don't think simply including binutils does anything, you'll
> > have to patch those in as well if you want them.
> >
> > Regards,

Yes, it's unfortunately well hidden and there seems to be a mix of tools also
available only for BSD. I wanted to run it in a pure environment and with =-e=
but there are many conditions that exit at once.

So I went through the whole script and listed the commands.

Not sure regarding the admin privileges. I'll create an issue on the upstream
regarding the requirements. The Dockerfile gives some hints but it's not
exhaustive.

Kind regards,
Petr

-----------------------------------------------------

* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 4ca2a386e1..24f7d43b33 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -53,6 +53,7 @@ ;;; Copyright =C2=A9 2020 pukkamustard ;;; Copyright =C2=A9 2021 B. Wilson ;;; Copyright =C2=A9 2021 Ivan Gankevich +;;; Copyright =C2=A9 2021 Petr Hodina ;;; ;;; This file is part of GNU Guix. ;;; @@ -137,6 +138,7 @@ #:use-module (gnu packages video) #:use-module (gnu packages vulkan) #:use-module (gnu packages web) + #:use-module (gnu packages wget) #:use-module (gnu packages xiph) #:use-module (gnu packages xml) #:use-module (gnu packages xdisorg)
@@ -148,6 +150,7 @@ #:use-module (guix build-system cmake) #:use-module (guix build-system gnu) #:use-module (guix build-system go) + #:use-module (guix build-system copy) #:use-module (guix build-system meson) #:use-module (guix build-system python) #:use-module (guix build-system trivial) @@ -7191,6 +7194,44 @@ interfaces in parallel environments.") (supported-systems '("i686-linux" "x86_64-linux")) (license (list license:bsd-2 license:gpl2)))) ;dual +(define-public spectre-meltdown-checker +(package + (name "spectre-meltdown-checker") + (version "0.44") + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/speed47/spectre-meltdown-checke= r") + (commit (string-append "v" version)))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam")))) + (build-system copy-build-system) + (arguments + `(#:install-plan '(("spectre-meltdown-checker.sh" + "bin/spectre-meltdown-checker.sh")))) + (inputs `(("binutils" ,binutils) + ("coreutils",coreutils) + ("gawk" ,gawk) + ("gzip" ,gzip) + ("lzop" ,lzop) + ("perl" ,perl) + ("procps" ,procps) + ("sqlite" ,sqlite) + ("util-linux" ,util-linux) + ("util-linux-with-udev" ,util-linux+udev) + ("wget" ,wget) + ("which" ,which) + ("xz" ,xz) + ("zstd" ,zstd))) + (synopsis "Spectre, Meltdown ... vulnerability/mitigation checker") + (description "A shell script to assess your system's resilience against +the several transient execution CVEs that were published since early 2018, +and give you guidance as to how to mitigate them.") + (home-page "https://github.com/speed47/spectre-meltdown-checker") + (license license:gpl3))) + (define-public snapscreenshot (package (name "snapscreenshot") -- 2.32.0
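Review bot: in the spectre-meltdown-checker hunk, listing binutils, perl, wget and the other tools under `inputs` does not make them available when the script runs. copy-build-system only copies spectre-meltdown-checker.sh into bin/; no store path of those inputs ends up in the installed file, so the built package keeps no reference to them (they can even be garbage-collected) and the script falls back to whatever is on the user's PATH, which is exactly the "perl, which is not available" failure quoted above. Either replace the invoked command names with absolute store paths in a `substitute*` phase, or add a phase after `install` that runs `wrap-program` on `bin/spectre-meltdown-checker.sh` with `PATH` prefixed by the `bin` directories of those inputs, so that the dependencies are both recorded and found. While at it: `util-linux` and `util-linux-with-udev` provide the same commands, so one of them is enough; `(package` should be indented under `(define-public`; `("coreutils",coreutils)` is missing a space before the comma; the synopsis should not contain "..." and should say plainly what is checked (for example "Checker for Spectre, Meltdown and related CPU vulnerabilities"); and the description should be complete sentences rather than the fragment starting "A shell script to assess".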