all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* [bug#59053] [PATCH] gnu: Add spectre-meltdown-checker.
@ 2022-11-05 15:57 Hilton Chain via Guix-patches via
  2022-11-05 16:45 ` Liliana Marie Prikler
  0 siblings, 1 reply; 12+ messages in thread
From: Hilton Chain via Guix-patches via @ 2022-11-05 15:57 UTC (permalink / raw)
  To: 59053

* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch: New file.
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/local.mk (dist_patch_DATA): Add it.
---
 gnu/local.mk                                  |  1 +
 gnu/packages/linux.scm                        | 41 +++++++++++++++++++
 ...n-checker-support-guix-system-kernel.patch | 26 ++++++++++++
 3 files changed, 68 insertions(+)
 create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index eb6ac3df58..88c1fa6278 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1848,6 +1848,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/syslinux-strip-gnu-property.patch	\
   %D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch	\
   %D%/packages/patches/snappy-add-inline-for-GCC.patch		\
+  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
   %D%/packages/patches/sphinxbase-fix-doxygen.patch		\
   %D%/packages/patches/spice-vdagent-glib-2.68.patch		\
   %D%/packages/patches/sssd-optional-systemd.patch		\
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index cf11a7fc1b..db199869a7 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9512,3 +9512,44 @@ (define-public tp-smapi-module
 @acronym{SMAPI, System Management Application Program Interface} and direct
 access to the embedded controller.")
     (license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+  (package
+    (name "spectre-meltdown-checker")
+    (version "0.45")
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "https://github.com/speed47/spectre-meltdown-checker")
+                    (commit (string-append "v" version))))
+              (file-name (git-file-name name version))
+              (patches
+               (search-patches
+                ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+                "spectre-meltdown-checker-support-guix-system-kernel.patch"))
+              (sha256
+               (base32
+                "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+    (build-system copy-build-system)
+    (arguments
+     (list #:install-plan
+           #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+           #:phases
+           #~(modify-phases %standard-phases
+               (add-after 'unpack 'fixpath
+                 (lambda* (#:key inputs #:allow-other-keys)
+                   (substitute* "spectre-meltdown-checker.sh"
+                     (("\\$\\{opt_arch_prefix\\}readelf")
+                      (search-input-file inputs "/bin/readelf"))
+                     (("perl")
+                      (search-input-file inputs "/bin/perl"))))))))
+    (inputs (list binutils perl))
+    (home-page "https://github.com/speed47/spectre-meltdown-checker")
+    (synopsis
+     "Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad vulnerability /
+mitigation checker for Linux & BSD")
+    (description
+     "A shell script to assess your system's resilience against the several
+transient execution CVEs that were published since early 2018, and give you
+guidance as to how to mitigate them.")
+    (license license:gpl3)))
diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
new file mode 100644
index 0000000000..afec52b418
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
@@ -0,0 +1,26 @@
+From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 5 Nov 2022 23:22:31 +0800
+Subject: [PATCH] Add support for Guix System kernel.
+
+---
+ spectre-meltdown-checker.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 248a444..855a090 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
+ 		[ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
+ 		# NixOS:
+ 		[ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
++		# Guix System:
++		[ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ 		# systemd kernel-install:
+ 		[ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
+ 		# Clear Linux:
+
+base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
+--
+2.38.0

base-commit: 2211f50ec1ebcf5f880454b4133ac40e41abac21
-- 
2.38.0





^ permalink raw reply related	[flat|nested] 12+ messages in thread

* [bug#59053] [PATCH] gnu: Add spectre-meltdown-checker.
  2022-11-05 15:57 [bug#59053] [PATCH] gnu: Add spectre-meltdown-checker Hilton Chain via Guix-patches via
@ 2022-11-05 16:45 ` Liliana Marie Prikler
  2022-11-11 11:10   ` [bug#59053] [PATCH v2] " Hilton Chain via Guix-patches via
  0 siblings, 1 reply; 12+ messages in thread
From: Liliana Marie Prikler @ 2022-11-05 16:45 UTC (permalink / raw)
  To: Hilton Chain, 59053; +Cc: control

merge 59053 49898
thanks

Hi Hilton,

thanks for the renewed interest in spectre-meltdown-checker.  See the
other thread for a general discussion, but I'll repeat the most
important points.

Am Samstag, dem 05.11.2022 um 23:57 +0800 schrieb Hilton Chain:
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch: New file.
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/local.mk (dist_patch_DATA): Add it.
Note that "Add it" lost its context because the new variable is between
it and the file added.
> ---
>  gnu/local.mk                                  |  1 +
>  gnu/packages/linux.scm                        | 41
> +++++++++++++++++++
>  ...n-checker-support-guix-system-kernel.patch | 26 ++++++++++++
>  3 files changed, 68 insertions(+)
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
> 
> diff --git a/gnu/local.mk b/gnu/local.mk
> index eb6ac3df58..88c1fa6278 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1848,6 +1848,7 @@ dist_patch_DATA
> =                                         \
>    %D%/packages/patches/syslinux-strip-gnu-property.patch       \
>    %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch      \
>    %D%/packages/patches/snappy-add-inline-for-GCC.patch         \
> +  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
>    %D%/packages/patches/sphinxbase-fix-doxygen.patch            \
>    %D%/packages/patches/spice-vdagent-glib-2.68.patch           \
>    %D%/packages/patches/sssd-optional-systemd.patch             \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index cf11a7fc1b..db199869a7 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9512,3 +9512,44 @@ (define-public tp-smapi-module
>  @acronym{SMAPI, System Management Application Program Interface} and
> direct
>  access to the embedded controller.")
>      (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> +  (package
> +    (name "spectre-meltdown-checker")
> +    (version "0.45")
> +    (source (origin
> +              (method git-fetch)
> +              (uri (git-reference
> +                    (url
> "https://github.com/speed47/spectre-meltdown-checker")
> +                    (commit (string-append "v" version))))
> +              (file-name (git-file-name name version))
> +              (patches
> +               (search-patches
> +                ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> +                "spectre-meltdown-checker-support-guix-system-
> kernel.patch"))
> +              (sha256
> +               (base32
> +               
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> +    (build-system copy-build-system)
> +    (arguments
> +     (list #:install-plan
> +           #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> +           #:phases
> +           #~(modify-phases %standard-phases
> +               (add-after 'unpack 'fixpath
> +                 (lambda* (#:key inputs #:allow-other-keys)
> +                   (substitute* "spectre-meltdown-checker.sh"
> +                     (("\\$\\{opt_arch_prefix\\}readelf")
> +                      (search-input-file inputs "/bin/readelf"))
> +                     (("perl")
> +                      (search-input-file inputs "/bin/perl"))))))))
I'm pretty sure readelf and perl are not the only commands invoked.


> +    (inputs (list binutils perl))
> +    (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> +    (synopsis
> +     "Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad
> vulnerability /
> +mitigation checker for Linux & BSD")
"for Linux & BSD" is gratuitous information imho.
As for the vulnerabilities listed in the synopsis surely there must be
a way of shortening that.
> +    (description
> +     "A shell script to assess your system's resilience against the
> several
> +transient execution CVEs that were published since early 2018, and
> give you
> +guidance as to how to mitigate them.")
Not a full sentence.
> +    (license license:gpl3)))
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-
> guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-
> checker-support-guix-system-kernel.patch
> new file mode 100644
> index 0000000000..afec52b418
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-
> system-kernel.patch
> @@ -0,0 +1,26 @@
> +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Sat, 5 Nov 2022 23:22:31 +0800
> +Subject: [PATCH] Add support for Guix System kernel.
> +
> +---
> + spectre-meltdown-checker.sh | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 248a444..855a090 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
> +               [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> +               # NixOS:
> +               [ -e "/run/booted-system/kernel" ] &&
> opt_kernel="/run/booted-system/kernel"
> ++              # Guix System:
> ++              [ -e "/run/booted-system/kernel/bzImage" ] &&
> opt_kernel="/run/booted-system/kernel/bzImage"
> +               # systemd kernel-install:
> +               [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux"
> +               # Clear Linux:
> +
> +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
> +--
> +2.38.0
> 
> base-commit: 2211f50ec1ebcf5f880454b4133ac40e41abac21
This patch LGTM.

Note that as discussed in the other thread, we'd also want the checker
to not download proprietary firmware.  Could you adjust the package
accordingly?

Cheers


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [bug#59053] [PATCH v2] gnu: Add spectre-meltdown-checker.
  2022-11-05 16:45 ` Liliana Marie Prikler
@ 2022-11-11 11:10   ` Hilton Chain via Guix-patches via
  2022-11-11 15:13     ` Liliana Marie Prikler
  0 siblings, 1 reply; 12+ messages in thread
From: Hilton Chain via Guix-patches via @ 2022-11-11 11:10 UTC (permalink / raw)
  To: Liliana Marie Prikler; +Cc: control, 59053

* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
v1 -> v2:

 gnu/local.mk                                  |    3 +
 gnu/packages/linux.scm                        |   53 +
 ...ker-remove-builtin-firmware-database.patch |  554 +++++
 ...cker-stage-commands-for-substitution.patch | 1947 +++++++++++++++++
 ...n-checker-support-guix-system-kernel.patch |   26 +
 5 files changed, 2583 insertions(+)
 create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
 create mode 100644 gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
 create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 27b31ea27f..d518cd8641 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1851,6 +1851,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/syslinux-strip-gnu-property.patch	\
   %D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch	\
   %D%/packages/patches/snappy-add-inline-for-GCC.patch		\
+  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
+  %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch \
+  %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \
   %D%/packages/patches/sphinxbase-fix-doxygen.patch		\
   %D%/packages/patches/spice-vdagent-glib-2.68.patch		\
   %D%/packages/patches/sssd-optional-systemd.patch		\
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 2c06269504..5a0d55833a 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9595,3 +9595,56 @@ (define-public edac-utils
 error detection and correction (EDAC).")
     (home-page "https://github.com/grondo/edac-utils")
     (license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+  (package
+    (name "spectre-meltdown-checker")
+    (version "0.45")
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "https://github.com/speed47/spectre-meltdown-checker")
+                    (commit (string-append "v" version))))
+              (file-name (git-file-name name version))
+              (patches
+               (search-patches
+                ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+                "spectre-meltdown-checker-support-guix-system-kernel.patch"
+                ;; NOTE: Update these patches when updating.
+                "spectre-meltdown-checker-stage-commands-for-substitution.patch"
+                "spectre-meltdown-checker-remove-builtin-firmware-database.patch"))
+              (sha256
+               (base32
+                "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+    (build-system copy-build-system)
+    (arguments
+     (list #:install-plan
+           #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+           #:phases
+           #~(modify-phases %standard-phases
+               (add-after 'unpack 'fixpath
+                 (lambda* (#:key inputs #:allow-other-keys)
+                   (substitute* "spectre-meltdown-checker.sh"
+                     (("@sysctl@") (search-input-file inputs "/sbin/sysctl"))
+                     (("@([a-z0-9]*)@" _ m _)
+                      (search-input-file inputs (string-append "/bin/" m)))))))))
+    (inputs
+     (list binutils
+           coreutils
+           grep
+           kmod
+           lz4
+           lzop
+           perl
+           procps
+           sharutils
+           util-linux
+           which
+           zstd))
+    (home-page "https://github.com/speed47/spectre-meltdown-checker")
+    (synopsis "CPU vulnerability / mitigation checker")
+    (description
+     "This package provides a shell script to assess your system's resilience
+against the several transient execution CVEs that were published since early
+2018, and give you guidance as to how to mitigate them.")
+    (license license:gpl3)))
diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
new file mode 100644
index 0000000000..e926551550
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
@@ -0,0 +1,554 @@
+From ac4bb2e61e4e8d195d560014816e107b315817ff Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Fri, 11 Nov 2022 18:55:25 +0800
+Subject: [PATCH 2/2] Remove builtin firmware database.
+
+---
+ spectre-meltdown-checker.sh | 477 ++----------------------------------
+ 1 file changed, 27 insertions(+), 450 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 82cf1b6..79c4bb7 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -95,7 +95,6 @@ show_usage()
+ 		--cpu [#,all]		interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
+ 		--update-fwdb		update our local copy of the CPU microcodes versions database (using the awesome
+ 					MCExtractor project and the Intel firmwares GitHub repository)
+-		--update-builtin-fwdb	same as --update-fwdb but update builtin DB inside the script itself
+ 		--dump-mock-data	used to mimick a CPU on an other system, mainly used to help debugging this script
+
+ 	Return codes:
+@@ -853,9 +852,9 @@ update_fwdb()
+ 	mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)"
+ 	mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+ 	_info_nol "Fetching MCE.db from the MCExtractor project... "
+-	if command -v wget >/dev/null 2>&1; then
+-		wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+-	elif command -v curl >/dev/null 2>&1; then
++	# if command -v wget >/dev/null 2>&1; then
++	# 	wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
++	if command -v curl >/dev/null 2>&1; then
+ 		curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+ 	elif command -v fetch >/dev/null 2>&1; then
+ 		fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+@@ -874,9 +873,9 @@ update_fwdb()
+ 	intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+ 	_info_nol "Fetching Intel firmwares... "
+ 	## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+-	if command -v wget >/dev/null 2>&1; then
+-		wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+-	elif command -v curl >/dev/null 2>&1; then
++	# if command -v wget >/dev/null 2>&1; then
++	# 	wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
++	if command -v curl >/dev/null 2>&1; then
+ 		curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+ 	elif command -v fetch >/dev/null 2>&1; then
+ 		fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+@@ -969,13 +968,13 @@ update_fwdb()
+ 	} > "$mcedb_cache"
+ 	echo DONE "(version $dbversion)"
+
+-	if [ "$1" = builtin ]; then
+-		newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
+-		@awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+-		@awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+-		@cat@ "$newfile" > "$0"
+-		@rm@ -f "$newfile"
+-	fi
++	# if [ "$1" = builtin ]; then
++	# 	newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
++	# 	@awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
++	# 	@awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
++	# 	@cat@ "$newfile" > "$0"
++	# 	@rm@ -f "$newfile"
++	# fi
+ }
+
+ parse_opt_file()
+@@ -1070,9 +1069,9 @@ while [ -n "${1:-}" ]; do
+ 	elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then
+ 		update_fwdb
+ 		exit $?
+-	elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
+-		update_fwdb builtin
+-		exit $?
++	# elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
++	# 	update_fwdb builtin
++	# 	exit $?
+ 	elif [ "$1" = "--dump-mock-data" ]; then
+ 		opt_mock=1
+ 		shift
+@@ -2033,22 +2032,22 @@ is_xen_domU()
+ 	fi
+ }
+
+-builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
++# builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ 	# we have a local cache file, but it might be older than the builtin version we have
+ 	local_dbversion=$(  @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+ 	# sort -V sorts by version number
+-	older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1)
+-	if [ "$older_dbversion" = "$builtin_dbversion" ]; then
++	# older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1)
++	# if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+ 		mcedb_source="$mcedb_cache"
+ 		mcedb_info="local firmwares DB $local_dbversion"
+-	fi
++	# fi
+ fi
+ # if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db
+-if [ -z "${mcedb_source:-}" ]; then
+-	mcedb_source="$0"
+-	mcedb_info="builtin firmwares DB $builtin_dbversion"
+-fi
++# if [ -z "${mcedb_source:-}" ]; then
++# 	mcedb_source="$0"
++# 	mcedb_info="builtin firmwares DB $builtin_dbversion"
++# fi
+ read_mcedb()
+ {
+ 	@awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
+@@ -2070,6 +2069,9 @@ is_latest_known_ucode()
+ 	else
+ 		return 2
+ 	fi
++	if [ -z "$mcedb_source" ]; then
++	        return 2
++	fi
+ 	for tuple in $(read_mcedb | @grep@ "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
+ 	do
+ 		ucode=$((  $(echo "$tuple" | @cut@ -d, -f3) ))
+@@ -5833,428 +5835,3 @@ fi
+ [ "$global_critical" = 1 ] && exit 2  # critical
+ [ "$global_unknown"  = 1 ] && exit 3  # unknown
+ exit 0  # ok
+-
+-# We're using MCE.db from the excellent platomav's MCExtractor project
+-# The builtin version follows, but the user can download an up-to-date copy (to be stored in his $HOME) by using --update-fwdb
+-# To update the builtin version itself (by *modifying* this very file), use --update-builtin-fwdb
+-
+-# %%% MCEDB v222+i20220208
+-# I,0x00000611,0x00000B27,19961218
+-# I,0x00000612,0x000000C6,19961210
+-# I,0x00000616,0x000000C6,19961210
+-# I,0x00000617,0x000000C6,19961210
+-# I,0x00000619,0x000000D2,19980218
+-# I,0x00000630,0x00000013,19960827
+-# I,0x00000632,0x00000020,19960903
+-# I,0x00000633,0x00000036,19980923
+-# I,0x00000634,0x00000037,19980923
+-# I,0x00000650,0x00000045,19990525
+-# I,0x00000651,0x00000042,19990525
+-# I,0x00000652,0x0000002D,19990518
+-# I,0x00000653,0x00000010,19990628
+-# I,0x00000660,0x0000000A,19990505
+-# I,0x00000665,0x00000003,19990505
+-# I,0x0000066A,0x0000000D,19990505
+-# I,0x0000066D,0x00000007,19990505
+-# I,0x00000670,0x00000007,19980602
+-# I,0x00000671,0x00000014,19980811
+-# I,0x00000672,0x00000038,19990922
+-# I,0x00000673,0x0000002E,19990910
+-# I,0x00000680,0x00000017,19990610
+-# I,0x00000681,0x00000014,19991209
+-# I,0x00000683,0x00000014,20010206
+-# I,0x00000686,0x00000008,20000505
+-# I,0x0000068A,0x00000005,20001207
+-# I,0x00000690,0x00000004,20000206
+-# I,0x00000691,0x00000001,20020527
+-# I,0x00000692,0x00000001,20020620
+-# I,0x00000694,0x00000002,20020926
+-# I,0x00000695,0x00000047,20041109
+-# I,0x00000696,0x00000001,20000707
+-# I,0x000006A0,0x00000003,20000110
+-# I,0x000006A1,0x00000001,20000306
+-# I,0x000006A4,0x00000001,20000616
+-# I,0x000006B0,0x0000001A,20010129
+-# I,0x000006B1,0x0000001D,20010220
+-# I,0x000006B4,0x00000002,20020111
+-# I,0x000006D0,0x00000006,20030522
+-# I,0x000006D1,0x00000009,20030709
+-# I,0x000006D2,0x00000010,20030814
+-# I,0x000006D6,0x00000018,20041017
+-# I,0x000006D8,0x00000021,20060831
+-# I,0x000006E0,0x00000008,20050215
+-# I,0x000006E1,0x0000000C,20050413
+-# I,0x000006E4,0x00000026,20050816
+-# I,0x000006E8,0x0000003C,20060208
+-# I,0x000006EC,0x0000005B,20070208
+-# I,0x000006F0,0x00000005,20050818
+-# I,0x000006F1,0x00000012,20051129
+-# I,0x000006F2,0x0000005D,20101002
+-# I,0x000006F4,0x00000028,20060417
+-# I,0x000006F5,0x00000039,20060727
+-# I,0x000006F6,0x000000D2,20101001
+-# I,0x000006F7,0x0000006B,20101002
+-# I,0x000006F9,0x00000084,20061012
+-# I,0x000006FA,0x00000095,20101002
+-# I,0x000006FB,0x000000C1,20111004
+-# I,0x000006FD,0x000000A4,20101002
+-# I,0x00000F00,0xFFFF0001,20000130
+-# I,0x00000F01,0xFFFF0007,20000404
+-# I,0x00000F02,0xFFFF000B,20000518
+-# I,0x00000F03,0xFFFF0001,20000518
+-# I,0x00000F04,0xFFFF0010,20000803
+-# I,0x00000F05,0x0000000C,20000824
+-# I,0x00000F06,0x00000004,20000911
+-# I,0x00000F07,0x00000012,20020716
+-# I,0x00000F08,0x00000008,20001101
+-# I,0x00000F09,0x00000008,20010104
+-# I,0x00000F0A,0x00000015,20020821
+-# I,0x00000F11,0x0000000A,20030729
+-# I,0x00000F12,0x0000002F,20030502
+-# I,0x00000F13,0x00000005,20030508
+-# I,0x00000F20,0x00000001,20010423
+-# I,0x00000F21,0x00000003,20010529
+-# I,0x00000F22,0x00000005,20030729
+-# I,0x00000F23,0x0000000D,20010817
+-# I,0x00000F24,0x00000021,20030610
+-# I,0x00000F25,0x0000002C,20040826
+-# I,0x00000F26,0x00000010,20040805
+-# I,0x00000F27,0x00000039,20030604
+-# I,0x00000F29,0x0000002F,20040811
+-# I,0x00000F30,0x00000013,20030815
+-# I,0x00000F31,0x0000000B,20031021
+-# I,0x00000F32,0x0000000A,20040511
+-# I,0x00000F33,0x0000000C,20050421
+-# I,0x00000F34,0x00000017,20050421
+-# I,0x00000F36,0x00000007,20040309
+-# I,0x00000F37,0x00000003,20031218
+-# I,0x00000F40,0x00000006,20040318
+-# I,0x00000F41,0x00000017,20050422
+-# I,0x00000F42,0x00000003,20050421
+-# I,0x00000F43,0x00000005,20050421
+-# I,0x00000F44,0x00000006,20050421
+-# I,0x00000F46,0x00000004,20050411
+-# I,0x00000F47,0x00000003,20050421
+-# I,0x00000F48,0x0000000E,20080115
+-# I,0x00000F49,0x00000003,20050421
+-# I,0x00000F4A,0x00000004,20051214
+-# I,0x00000F60,0x00000005,20050124
+-# I,0x00000F61,0x00000008,20050610
+-# I,0x00000F62,0x0000000F,20051215
+-# I,0x00000F63,0x00000005,20051010
+-# I,0x00000F64,0x00000004,20051223
+-# I,0x00000F65,0x0000000B,20070510
+-# I,0x00000F66,0x0000001B,20060310
+-# I,0x00000F68,0x00000009,20060714
+-# I,0x00001632,0x00000002,19980610
+-# I,0x00010650,0x00000002,20060513
+-# I,0x00010660,0x00000004,20060612
+-# I,0x00010661,0x00000045,20101004
+-# I,0x00010670,0x00000005,20070209
+-# I,0x00010671,0x00000106,20070329
+-# I,0x00010674,0x84050100,20070726
+-# I,0x00010676,0x00000612,20150802
+-# I,0x00010677,0x0000070D,20150802
+-# I,0x0001067A,0x00000A0E,20150729
+-# I,0x000106A0,0xFFFF001A,20071128
+-# I,0x000106A1,0xFFFF000B,20080220
+-# I,0x000106A2,0xFFFF0019,20080714
+-# I,0x000106A4,0x00000013,20150630
+-# I,0x000106A5,0x0000001D,20180511
+-# I,0x000106C0,0x00000007,20070824
+-# I,0x000106C1,0x00000109,20071203
+-# I,0x000106C2,0x00000219,20090410
+-# I,0x000106C9,0x00000007,20090213
+-# I,0x000106CA,0x00000107,20090825
+-# I,0x000106D0,0x00000005,20071204
+-# I,0x000106D1,0x0000002A,20150803
+-# I,0x000106E0,0xFFFF0022,20090116
+-# I,0x000106E1,0xFFFF000D,20090206
+-# I,0x000106E2,0xFFFF0011,20090924
+-# I,0x000106E3,0xFFFF0011,20090512
+-# I,0x000106E4,0x00000003,20130701
+-# I,0x000106E5,0x0000000A,20180508
+-# I,0x000106F0,0xFFFF0009,20090210
+-# I,0x000106F1,0xFFFF0007,20090210
+-# I,0x00020650,0xFFFF0008,20090218
+-# I,0x00020651,0xFFFF0018,20090818
+-# I,0x00020652,0x00000011,20180508
+-# I,0x00020654,0xFFFF0007,20091124
+-# I,0x00020655,0x00000007,20180423
+-# I,0x00020661,0x00000105,20110718
+-# I,0x000206A0,0x00000029,20091102
+-# I,0x000206A1,0x00000007,20091223
+-# I,0x000206A2,0x00000027,20100502
+-# I,0x000206A3,0x00000009,20100609
+-# I,0x000206A4,0x00000022,20100414
+-# I,0x000206A5,0x00000007,20100722
+-# I,0x000206A6,0x90030028,20100924
+-# I,0x000206A7,0x0000002F,20190217
+-# I,0x000206C0,0xFFFF001C,20091214
+-# I,0x000206C1,0x00000006,20091222
+-# I,0x000206C2,0x0000001F,20180508
+-# I,0x000206D0,0x80000006,20100816
+-# I,0x000206D1,0x80000106,20101201
+-# I,0x000206D2,0xAF506958,20110714
+-# I,0x000206D3,0xAF50696A,20110816
+-# I,0x000206D5,0xAF5069E5,20120118
+-# I,0x000206D6,0x00000621,20200304
+-# I,0x000206D7,0x0000071A,20200324
+-# I,0x000206E0,0xE3493401,20090108
+-# I,0x000206E1,0xE3493402,20090224
+-# I,0x000206E2,0xFFFF0004,20081001
+-# I,0x000206E3,0xE4486547,20090701
+-# I,0x000206E4,0xFFFF0008,20090619
+-# I,0x000206E5,0xFFFF0018,20091215
+-# I,0x000206E6,0x0000000D,20180515
+-# I,0x000206F0,0x00000005,20100729
+-# I,0x000206F1,0x00000008,20101013
+-# I,0x000206F2,0x0000003B,20180516
+-# I,0x00030650,0x00000009,20120118
+-# I,0x00030651,0x00000110,20131014
+-# I,0x00030660,0x00000003,20101103
+-# I,0x00030661,0x0000010F,20150721
+-# I,0x00030669,0x0000010D,20130515
+-# I,0x00030671,0x00000117,20130410
+-# I,0x00030672,0x0000022E,20140401
+-# I,0x00030673,0x83290100,20190916
+-# I,0x00030678,0x00000838,20190422
+-# I,0x00030679,0x0000090D,20190710
+-# I,0x000306A0,0x00000007,20110407
+-# I,0x000306A2,0x0000000C,20110725
+-# I,0x000306A4,0x00000007,20110908
+-# I,0x000306A5,0x00000009,20111110
+-# I,0x000306A6,0x00000004,20111114
+-# I,0x000306A8,0x00000010,20120220
+-# I,0x000306A9,0x00000021,20190213
+-# I,0x000306C0,0xFFFF0013,20111110
+-# I,0x000306C1,0xFFFF0014,20120725
+-# I,0x000306C2,0xFFFF0006,20121017
+-# I,0x000306C3,0x00000028,20191112
+-# I,0x000306D1,0xFFFF0009,20131015
+-# I,0x000306D2,0xFFFF0009,20131219
+-# I,0x000306D3,0xE3121338,20140825
+-# I,0x000306D4,0x0000002F,20191112
+-# I,0x000306E0,0xE920080F,20121113
+-# I,0x000306E2,0xE9220827,20130523
+-# I,0x000306E3,0x00000308,20130321
+-# I,0x000306E4,0x0000042E,20190314
+-# I,0x000306E6,0x00000600,20130619
+-# I,0x000306E7,0x00000715,20190314
+-# I,0x000306F0,0xFFFF0017,20130730
+-# I,0x000306F1,0xD141D629,20140416
+-# I,0x000306F2,0x00000049,20210811
+-# I,0x000306F3,0x0000000D,20160211
+-# I,0x000306F4,0x0000001A,20210524
+-# I,0x00040650,0xFFFF000B,20121206
+-# I,0x00040651,0x00000026,20191112
+-# I,0x00040660,0xFFFF0011,20121012
+-# I,0x00040661,0x0000001C,20191112
+-# I,0x00040670,0xFFFF0006,20140304
+-# I,0x00040671,0x00000022,20191112
+-# I,0x000406A0,0x80124001,20130521
+-# I,0x000406A8,0x0000081F,20140812
+-# I,0x000406A9,0x0000081F,20140812
+-# I,0x000406C1,0x0000010B,20140814
+-# I,0x000406C2,0x00000221,20150218
+-# I,0x000406C3,0x00000368,20190423
+-# I,0x000406C4,0x00000411,20190423
+-# I,0x000406D0,0x0000000E,20130612
+-# I,0x000406D8,0x0000012D,20190916
+-# I,0x000406E1,0x00000020,20141111
+-# I,0x000406E2,0x0000002C,20150521
+-# I,0x000406E3,0x000000EC,20210428
+-# I,0x000406E8,0x00000026,20160414
+-# I,0x000406F0,0x00000014,20150702
+-# I,0x000406F1,0x0B000040,20210519
+-# I,0x00050650,0x8000002B,20160208
+-# I,0x00050651,0x8000002B,20160208
+-# I,0x00050652,0x80000037,20170502
+-# I,0x00050653,0x0100015C,20210526
+-# I,0x00050654,0x02006C0A,20210616
+-# I,0x00050655,0x03000012,20190412
+-# I,0x00050656,0x0400320A,20210813
+-# I,0x00050657,0x0500320A,20210813
+-# I,0x0005065A,0x86002302,20210416
+-# I,0x0005065B,0x07002402,20210604
+-# I,0x00050661,0xF1000008,20150130
+-# I,0x00050662,0x0000001C,20190617
+-# I,0x00050663,0x0700001C,20210612
+-# I,0x00050664,0x0F00001A,20210612
+-# I,0x00050665,0x0E000014,20210918
+-# I,0x00050670,0xFFFF0030,20151113
+-# I,0x00050671,0x000001B6,20180108
+-# I,0x000506A0,0x00000038,20150112
+-# I,0x000506C2,0x00000014,20180511
+-# I,0x000506C8,0x90011010,20160323
+-# I,0x000506C9,0x00000046,20210510
+-# I,0x000506CA,0x00000022,20210622
+-# I,0x000506D1,0x00000102,20150605
+-# I,0x000506E0,0x00000018,20141119
+-# I,0x000506E1,0x0000002A,20150602
+-# I,0x000506E2,0x0000002E,20150815
+-# I,0x000506E3,0x000000F0,20211112
+-# I,0x000506E8,0x00000034,20160710
+-# I,0x000506F0,0x00000010,20160607
+-# I,0x000506F1,0x00000036,20210510
+-# I,0x00060660,0x0000000C,20160821
+-# I,0x00060661,0x0000000E,20170128
+-# I,0x00060662,0x00000022,20171129
+-# I,0x00060663,0x0000002A,20180417
+-# I,0x000606A0,0x80000031,20200308
+-# I,0x000606A4,0x0B000280,20200817
+-# I,0x000606A5,0x0C0002F0,20210308
+-# I,0x000606A6,0x0D000332,20211217
+-# I,0x000606E0,0x0000000B,20161104
+-# I,0x000606E1,0x00000108,20190423
+-# I,0x000706A0,0x00000026,20170712
+-# I,0x000706A1,0x00000038,20210510
+-# I,0x000706A8,0x0000001C,20210510
+-# I,0x000706E0,0x0000002C,20180614
+-# I,0x000706E1,0x00000042,20190420
+-# I,0x000706E2,0x00000042,20190420
+-# I,0x000706E3,0x81000008,20181002
+-# I,0x000706E4,0x00000046,20190905
+-# I,0x000706E5,0x000000A8,20210526
+-# I,0x00080650,0x00000018,20180108
+-# I,0x00080664,0x0B00000F,20210217
+-# I,0x00080665,0x0B00000F,20210217
+-# I,0x000806A0,0x00000010,20190507
+-# I,0x000806A1,0x0000002D,20210902
+-# I,0x000806C0,0x00000068,20200402
+-# I,0x000806C1,0x0000009C,20211026
+-# I,0x000806C2,0x00000022,20210716
+-# I,0x000806D0,0x00000050,20201217
+-# I,0x000806D1,0x0000003C,20210716
+-# I,0x000806E9,0x000000EC,20210428
+-# I,0x000806EA,0x000000EC,20210428
+-# I,0x000806EB,0x000000EC,20210428
+-# I,0x000806EC,0x000000EC,20210428
+-# I,0x00090660,0x00000009,20200617
+-# I,0x00090661,0x00000015,20210921
+-# I,0x00090670,0x00000019,20201111
+-# I,0x00090671,0x0000001C,20210614
+-# I,0x00090672,0x0000001F,20220303
+-# I,0x00090674,0x00000219,20210425
+-# I,0x00090675,0x0000001F,20220303
+-# I,0x000906A0,0x0000001C,20210614
+-# I,0x000906A1,0x0000011F,20211104
+-# I,0x000906A2,0x00000315,20220102
+-# I,0x000906A3,0x0000041B,20220308
+-# I,0x000906A4,0x0000041B,20220308
+-# I,0x000906C0,0x2400001F,20210809
+-# I,0x000906E9,0x000000F0,20211112
+-# I,0x000906EA,0x000000EC,20210428
+-# I,0x000906EB,0x000000EC,20210428
+-# I,0x000906EC,0x000000EC,20210428
+-# I,0x000906ED,0x000000EC,20210428
+-# I,0x000A0650,0x000000BE,20191010
+-# I,0x000A0651,0x000000C2,20191113
+-# I,0x000A0652,0x000000EC,20210428
+-# I,0x000A0653,0x000000EC,20210428
+-# I,0x000A0654,0x000000C6,20200123
+-# I,0x000A0655,0x000000EE,20210428
+-# I,0x000A0660,0x000000EA,20210428
+-# I,0x000A0661,0x000000EC,20210429
+-# I,0x000A0670,0x0000002C,20201124
+-# I,0x000A0671,0x00000050,20210829
+-# I,0x000A0680,0x80000002,20200121
+-# I,0x000B0670,0x00000009,20211115
+-# I,0x000B06F2,0x0000001F,20220303
+-# I,0x000B06F5,0x0000001F,20220303
+-# A,0x00000F00,0x02000008,20070614
+-# A,0x00000F01,0x0000001C,20021031
+-# A,0x00000F10,0x00000003,20020325
+-# A,0x00000F11,0x0000001F,20030220
+-# A,0x00000F48,0x00000046,20040719
+-# A,0x00000F4A,0x00000047,20040719
+-# A,0x00000F50,0x00000024,20021212
+-# A,0x00000F51,0x00000025,20030115
+-# A,0x00010F50,0x00000041,20040225
+-# A,0x00020F10,0x0000004D,20050428
+-# A,0x00040F01,0xC0012102,20050916
+-# A,0x00040F0A,0x00000068,20060920
+-# A,0x00040F13,0x0000007A,20080508
+-# A,0x00040F14,0x00000062,20060127
+-# A,0x00040F1B,0x0000006D,20060920
+-# A,0x00040F33,0x0000007B,20080514
+-# A,0x00060F80,0x00000083,20060929
+-# A,0x000C0F1B,0x0000006E,20060921
+-# A,0x000F0F00,0x00000005,20020627
+-# A,0x000F0F01,0x00000015,20020627
+-# A,0x00100F00,0x01000020,20070326
+-# A,0x00100F20,0x010000CA,20100331
+-# A,0x00100F22,0x010000C9,20100331
+-# A,0x00100F40,0x01000085,20080501
+-# A,0x00100F41,0x010000DB,20111024
+-# A,0x00100F42,0x01000092,20081021
+-# A,0x00100F43,0x010000C8,20100311
+-# A,0x00100F62,0x010000C7,20100311
+-# A,0x00100F80,0x010000DA,20111024
+-# A,0x00100F81,0x010000D9,20111012
+-# A,0x00100FA0,0x010000DC,20111024
+-# A,0x00120F00,0x03000002,20100324
+-# A,0x00200F30,0x02000018,20070921
+-# A,0x00200F31,0x02000057,20080502
+-# A,0x00200F32,0x02000034,20080307
+-# A,0x00300F01,0x0300000E,20101004
+-# A,0x00300F10,0x03000027,20111309
+-# A,0x00500F00,0x0500000B,20100601
+-# A,0x00500F01,0x0500001A,20100908
+-# A,0x00500F10,0x05000029,20130121
+-# A,0x00500F20,0x05000119,20130118
+-# A,0x00580F00,0x0500000B,20100601
+-# A,0x00580F01,0x0500001A,20100908
+-# A,0x00580F10,0x05000028,20101124
+-# A,0x00580F20,0x05000103,20110526
+-# A,0x00600F00,0x06000017,20101029
+-# A,0x00600F01,0x0600011F,20110227
+-# A,0x00600F10,0x06000425,20110408
+-# A,0x00600F11,0x0600050D,20110627
+-# A,0x00600F12,0x0600063E,20180207
+-# A,0x00600F20,0x06000852,20180206
+-# A,0x00610F00,0x0600100E,20111102
+-# A,0x00610F01,0x0600111F,20180305
+-# A,0x00630F00,0x0600301C,20130817
+-# A,0x00630F01,0x06003109,20180227
+-# A,0x00660F00,0x06006012,20141014
+-# A,0x00660F01,0x0600611A,20180126
+-# A,0x00670F00,0x06006705,20180220
+-# A,0x00680F00,0x06000017,20101029
+-# A,0x00680F01,0x0600011F,20110227
+-# A,0x00680F10,0x06000410,20110314
+-# A,0x00690F00,0x06001009,20110613
+-# A,0x00700F00,0x0700002A,20121218
+-# A,0x00700F01,0x07000110,20180209
+-# A,0x00730F00,0x07030009,20131206
+-# A,0x00730F01,0x07030106,20180209
+-# A,0x00800F00,0x0800002A,20161006
+-# A,0x00800F10,0x0800100C,20170131
+-# A,0x00800F11,0x08001138,20190204
+-# A,0x00800F12,0x0800126E,20211111
+-# A,0x00800F82,0x0800820D,20190416
+-# A,0x00810F00,0x08100004,20161120
+-# A,0x00810F10,0x08101016,20190430
+-# A,0x00810F11,0x08101103,20190417
+-# A,0x00810F80,0x08108002,20180605
+-# A,0x00810F81,0x08108109,20190417
+-# A,0x00820F00,0x08200002,20180214
+-# A,0x00820F01,0x08200103,20190417
+-# A,0x00830F00,0x08300027,20190401
+-# A,0x00830F10,0x08301052,20211111
+-# A,0x00850F00,0x08500004,20180212
+-# A,0x00860F00,0x0860000E,20200127
+-# A,0x00860F01,0x08600106,20200619
+-# A,0x00860F81,0x08608103,20200702
+-# A,0x00870F00,0x08700004,20181206
+-# A,0x00870F10,0x08701021,20200125
+-# A,0x00A00F00,0x0A000033,20200413
+-# A,0x00A00F10,0x0A001053,20211217
+-# A,0x00A00F11,0x0A00115D,20211119
+-# A,0x00A00F12,0x0A001227,20211215
+-# A,0x00A00F80,0x0A008003,20211015
+-# A,0x00A00F82,0x0A008204,20211015
+-# A,0x00A20F00,0x0A200025,20200121
+-# A,0x00A20F10,0x0A201016,20210408
+-# A,0x00A20F12,0x0A201205,20210719
+-# A,0x00A50F00,0x0A50000C,20201208
+--
+2.38.1
+
diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
new file mode 100644
index 0000000000..a2f13e4195
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
@@ -0,0 +1,1947 @@
+From 4dc8ae01aec5a8a2aa2afc015603261d514620ae Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Fri, 11 Nov 2022 18:49:50 +0800
+Subject: [PATCH 1/2] Stage commands for later substitution.
+
+awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find, getent,
+grep, gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm,
+nproc, objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat,
+strings, sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, which,
+whoami, xargs.
+---
+ spectre-meltdown-checker.sh | 648 ++++++++++++++++++------------------
+ 1 file changed, 324 insertions(+), 324 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 30f760c..82cf1b6 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -19,33 +19,33 @@ trap '_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT
+ exit_cleanup()
+ {
+ 	# cleanup the temp decompressed config & kernel image
+-	[ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
+-	[ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && rm -f "$kerneltmp"
+-	[ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] && rm -f "$kerneltmp2"
+-	[ -n "${mcedb_tmp:-}"     ] && [ -f "$mcedb_tmp"     ] && rm -f "$mcedb_tmp"
+-	[ -n "${intel_tmp:-}"     ] && [ -d "$intel_tmp"     ] && rm -rf "$intel_tmp"
+-	[ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
+-	[ "${mounted_procfs:-}"  = 1 ] && umount "$procfs" 2>/dev/null
+-	[ "${insmod_cpuid:-}"    = 1 ] && rmmod cpuid 2>/dev/null
+-	[ "${insmod_msr:-}"      = 1 ] && rmmod msr 2>/dev/null
++	[ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && @rm@ -f "$dumped_config"
++	[ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && @rm@ -f "$kerneltmp"
++	[ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] && @rm@ -f "$kerneltmp2"
++	[ -n "${mcedb_tmp:-}"     ] && [ -f "$mcedb_tmp"     ] && @rm@ -f "$mcedb_tmp"
++	[ -n "${intel_tmp:-}"     ] && [ -d "$intel_tmp"     ] && @rm@ -rf "$intel_tmp"
++	[ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug 2>/dev/null
++	[ "${mounted_procfs:-}"  = 1 ] && @umount@ "$procfs" 2>/dev/null
++	[ "${insmod_cpuid:-}"    = 1 ] && @rmmod@ cpuid 2>/dev/null
++	[ "${insmod_msr:-}"      = 1 ] && @rmmod@ msr 2>/dev/null
+ 	[ "${kldload_cpuctl:-}"  = 1 ] && kldunload cpuctl 2>/dev/null
+ 	[ "${kldload_vmm:-}"     = 1 ] && kldunload vmm    2>/dev/null
+ }
+
+ # if we were git clone'd, adjust VERSION
+-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then
+-	describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null)
+-	[ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e s/^v//)
++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null 2>&1; then
++	describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty 2>/dev/null)
++	[ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e s/^v//)
+ fi
+
+ show_usage()
+ {
+ 	# shellcheck disable=SC2086
+-	cat <<EOF
++	@cat@ <<EOF
+ 	Usage:
+-		Live mode (auto):   $(basename $0) [options]
+-		Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
+-		Offline mode:       $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
++		Live mode (auto):   $(@basename@ $0) [options]
++		Live mode (manual): $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
++		Offline mode:       $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
+
+ 	Modes:
+ 		Two modes are available.
+@@ -110,7 +110,7 @@ EOF
+
+ show_disclaimer()
+ {
+-	cat <<EOF
++	@cat@ <<EOF
+ Disclaimer:
+
+ This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the
+@@ -138,7 +138,7 @@ This tool has been released in the hope that it'll be useful, but don't use it t
+ EOF
+ }
+
+-os=$(uname -s)
++os=$(@uname@ -s)
+
+ # parse options
+ opt_kernel=''
+@@ -207,7 +207,7 @@ __echo()
+ 			_interpret_chars='-e'
+ 		fi
+ 		_ctrlchar=$($echo_cmd $_interpret_chars "\033")
+-		_msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
++		_msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
+ 	fi
+ 	if [ "$echo_cmd_type" = printf ]; then
+ 		if [ "$opt" = "-n" ]; then
+@@ -383,7 +383,7 @@ is_cpu_affected()
+ 		# https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not affected
+ 		# https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown affected
+ 		# model name : Pentium(R) Dual-Core  CPU      E5200  @ 2.50GHz
+-		if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
++		if echo "$cpu_friendly_name" | @grep@ -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
+ 			variant1=vuln
+ 			[ -z "$variant2" ] && variant2=immune
+ 			variant3=vuln
+@@ -486,7 +486,7 @@ is_cpu_affected()
+ 			i=$(( i + 1 ))
+ 			# do NOT quote $cpu_arch_list below
+ 			# shellcheck disable=SC2086
+-			cpuarch=$(echo $cpu_arch_list | awk '{ print $'$i' }')
++			cpuarch=$(echo $cpu_arch_list | @awk@ '{ print $'$i' }')
+ 			_debug "checking cpu$i: <$cpupart> <$cpuarch>"
+ 			# some kernels report AArch64 instead of 8
+ 			[ "$cpuarch" = "AArch64" ] && cpuarch=8
+@@ -497,49 +497,49 @@ is_cpu_affected()
+ 				# part   ?  ? c08 c09 c0d c0f c0e d07 d08 d09 d0a d0b d0c         d0d
+ 				# arch  7? 7? 7   7   7   7   7   8   8   8   8   8   8           8
+ 				#
+-				# Whitelist identified non-affected processors, use vulnerability information from
++				# Whitelist identified non-affected processors, use vulnerability information from
+ 				# https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
+ 				# Partnumbers can be found here:
+ 				# https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in
+ 				#
+ 				# Maintain cumulative check of vulnerabilities -
+ 				# if at least one of the cpu is affected, then the system is affected
+-				if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
++				if [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
+ 					variant1=vuln
+ 					variant2=vuln
+ 					[ -z "$variant3" ] && variant3=immune
+ 					[ -z "$variant3a" ] && variant3a=immune
+ 					[ -z "$variant4" ] && variant4=immune
+ 					_debug "checking cpu$i: armv7 A8/A9/A12/A17 non affected to variants 3, 3a & 4"
+-				elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc0f; then
++				elif [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc0f; then
+ 					variant1=vuln
+ 					variant2=vuln
+ 					[ -z "$variant3" ] && variant3=immune
+ 					variant3a=vuln
+ 					[ -z "$variant4" ] && variant4=immune
+ 					_debug "checking cpu$i: armv7 A15 non affected to variants 3 & 4"
+-				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then
++				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd07 -e 0xd08; then
+ 					variant1=vuln
+ 					variant2=vuln
+ 					[ -z "$variant3" ] && variant3=immune
+ 					variant3a=vuln
+ 					variant4=vuln
+ 					_debug "checking cpu$i: armv8 A57/A72 non affected to variants 3"
+-				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd09; then
++				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd09; then
+ 					variant1=vuln
+ 					variant2=vuln
+ 					[ -z "$variant3" ] && variant3=immune
+ 					[ -z "$variant3a" ] && variant3a=immune
+ 					variant4=vuln
+ 					_debug "checking cpu$i: armv8 A73 non affected to variants 3 & 3a"
+-				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0a; then
++				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0a; then
+ 					variant1=vuln
+ 					variant2=vuln
+ 					variant3=vuln
+ 					[ -z "$variant3a" ] && variant3a=immune
+ 					variant4=vuln
+ 					_debug "checking cpu$i: armv8 A75 non affected to variant 3a"
+-				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
++				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
+ 					variant1=vuln
+ 					[ -z "$variant2" ] && variant2=immune
+ 					[ -z "$variant3" ] && variant3=immune
+@@ -820,7 +820,7 @@ is_cpu_ssb_free()
+ 		if [ "$cpu_family" = "18" ] || \
+ 			[ "$cpu_family" = "17" ] || \
+ 			[ "$cpu_family" = "16" ] || \
+-			[ "$cpu_family" = "15" ]; then
++			[ "$cpu_family" = "15" ]; then
+ 			return 0
+ 		fi
+ 	fi
+@@ -837,7 +837,7 @@ show_header()
+ 	_info
+ }
+
+-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
++[ -z "$HOME" ] && HOME="$(@getent@ passwd "$(@whoami@)" | @cut@ -d: -f6)"
+ mcedb_cache="$HOME/.mcedb"
+ update_fwdb()
+ {
+@@ -846,11 +846,11 @@ update_fwdb()
+ 	set -e
+
+ 	if [ -r "$mcedb_cache" ]; then
+-		previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
++		previous_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+ 	fi
+
+ 	# first, download the MCE.db from the excellent platomav's MCExtractor project
+-	mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
++	mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)"
+ 	mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+ 	_info_nol "Fetching MCE.db from the MCExtractor project... "
+ 	if command -v wget >/dev/null 2>&1; then
+@@ -870,7 +870,7 @@ update_fwdb()
+ 	echo DONE
+
+ 	# second, get the Intel firmwares from GitHub
+-	intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
++	intel_tmp="$(@mktemp@ -d -t smc-intelfw-XXXXXX)"
+ 	intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+ 	_info_nol "Fetching Intel firmwares... "
+ 	## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+@@ -930,20 +930,20 @@ update_fwdb()
+ 	fi
+ 	#  079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev 0x0217, size 5120
+ 	#  078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev 0x0107, size 5120
+-	$iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
++	$iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | @grep@ -wF sig | while read -r _line
+ 	do
+-		_line=$(   echo "$_line" | tr -d ',')
+-		_cpuid=$(  echo "$_line" | awk '{print $3}')
++		_line=$(   echo "$_line" | @tr@ -d ',')
++		_cpuid=$(  echo "$_line" | @awk@ '{print $3}')
+ 		_cpuid=$(( _cpuid ))
+ 		_cpuid=$(printf "0x%08X" "$_cpuid")
+-		_date=$(   echo "$_line" | awk '{print $6}' | tr -d '-')
+-		_version=$(echo "$_line" | awk '{print $8}')
++		_date=$(   echo "$_line" | @awk@ '{print $6}' | @tr@ -d '-')
++		_version=$(echo "$_line" | @awk@ '{print $8}')
+ 		_version=$(( _version ))
+ 		_version=$(printf "0x%08X" "$_version")
+ 		_sqlstm="$(printf "INSERT INTO Intel (origin,cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")"
+ 		sqlite3 "$mcedb_tmp" "$_sqlstm"
+ 	done
+-	_intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
++	_intel_timestamp=$(@stat@ -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
+ 	if [ -n "$_intel_timestamp" ]; then
+ 		# use this date, it matches the last commit date
+ 		_intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp")
+@@ -964,17 +964,17 @@ update_fwdb()
+ 	{
+ 		echo "# Spectre & Meltdown Checker";
+ 		echo "# %%% MCEDB v$dbversion";
+-		sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+-		sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD   AS t1 LEFT OUTER JOIN AMD   AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
++		sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,';
++		sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD   AS t1 LEFT OUTER JOIN AMD   AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,';
+ 	} > "$mcedb_cache"
+ 	echo DONE "(version $dbversion)"
+
+ 	if [ "$1" = builtin ]; then
+-		newfile=$(mktemp -t smc-builtin-XXXXXX)
+-		awk '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+-		awk '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+-		cat "$newfile" > "$0"
+-		rm -f "$newfile"
++		newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
++		@awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
++		@awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
++		@cat@ "$newfile" > "$0"
++		@rm@ -f "$newfile"
+ 	fi
+ }
+
+@@ -1055,7 +1055,7 @@ while [ -n "${1:-}" ]; do
+ 	elif [ "$1" = "--cpu" ]; then
+ 		opt_cpu=$2
+ 		if [ "$opt_cpu" != all ]; then
+-			if echo "$opt_cpu" | grep -Eq '^[0-9]+'; then
++			if echo "$opt_cpu" | @grep@ -Eq '^[0-9]+'; then
+ 				opt_cpu=$(( opt_cpu ))
+ 			else
+ 				echo "$0: error: --cpu should be an integer or 'all', got '$opt_cpu'" >&2
+@@ -1103,7 +1103,7 @@ while [ -n "${1:-}" ]; do
+ 			echo "$0: error: option --cve expects a parameter, supported CVEs are: $supported_cve_list" >&2
+ 			exit 255
+ 		fi
+-		selected_cve=$(echo "$supported_cve_list" | grep -iwo "$2")
++		selected_cve=$(echo "$supported_cve_list" | @grep@ -iwo "$2")
+ 		if [ -n "$selected_cve" ]; then
+ 			opt_cve_list="$opt_cve_list $selected_cve"
+ 			opt_cve_all=0
+@@ -1308,14 +1308,14 @@ check_kernel()
+ 	# a damaged ELF file and validate it, check for stderr warnings too
+
+ 	# the warning "readelf: Warning: [16]: Link field (0) should index a symtab section./" can appear on valid kernels, ignore it
+-	_readelf_warnings=$("${opt_arch_prefix}readelf" -S "$_file" 2>&1 >/dev/null | grep -v 'should index a symtab section' | tr "\n" "/"); ret=$?
+-	_readelf_sections=$("${opt_arch_prefix}readelf" -S "$_file" 2>/dev/null | grep -c -e data -e text -e init)
+-	_kernel_size=$(stat -c %s "$_file" 2>/dev/null || stat -f %z "$_file" 2>/dev/null || echo 10000)
++	_readelf_warnings=$("@readelf@" -S "$_file" 2>&1 >/dev/null | @grep@ -v 'should index a symtab section' | @tr@ "\n" "/"); ret=$?
++	_readelf_sections=$("@readelf@" -S "$_file" 2>/dev/null | @grep@ -c -e data -e text -e init)
++	_kernel_size=$(@stat@ -c %s "$_file" 2>/dev/null || @stat@ -f %z "$_file" 2>/dev/null || echo 10000)
+ 	_debug "check_kernel: ret=$? size=$_kernel_size sections=$_readelf_sections warnings=$_readelf_warnings"
+ 	if [ "$_mode" = desperate ]; then
+-		if "${opt_arch_prefix}strings" "$_file" | grep -Eq '^Linux version '; then
++		if "@strings@" "$_file" | @grep@ -Eq '^Linux version '; then
+ 			_debug "check_kernel (desperate): ... matched!"
+-			if [ "$_readelf_sections" = 0 ] && grep -qF -e armv6 -e armv7 "$_file"; then
++			if [ "$_readelf_sections" = 0 ] && @grep@ -qF -e armv6 -e armv7 "$_file"; then
+ 				_debug "check_kernel (desperate): raw arm binary found, adjusting objdump options"
+ 				objdump_options="-D -b binary -marm"
+ 			else
+@@ -1348,7 +1348,7 @@ try_decompress()
+
+ 	# Try to find the header ($1) and decompress from here
+ 	_debug "try_decompress: looking for $3 magic in $6"
+-	for     pos in $(tr "$1\n$2" "\n$2=" < "$6" | grep -abo "^$2")
++	for     pos in $(@tr@ "$1\n$2" "\n$2=" < "$6" | @grep@ -abo "^$2")
+ 	do
+ 		_debug "try_decompress: magic for $3 found at offset $pos"
+ 		if ! command -v "$3" >/dev/null 2>&1; then
+@@ -1375,11 +1375,11 @@ try_decompress()
+ 			kernel="$kerneltmp"
+ 			_debug "try_decompress: decompressed with $3 successfully!"
+ 			return 0
+-		elif [ "$3" != "cat" ]; then
++		elif [ "$3" != "@cat@" ]; then
+ 			_debug "try_decompress: decompression with $3 worked but result is not a kernel, trying with an offset"
+-			[ -z "$kerneltmp2" ] && kerneltmp2=$(mktemp -t smc-kernel-XXXXXX)
+-			cat "$kerneltmp" > "$kerneltmp2"
+-			try_decompress '\177ELF' xxy 'cat' '' cat "$kerneltmp2" && return 0
++			[ -z "$kerneltmp2" ] && kerneltmp2=$(@mktemp@ -t smc-kernel-XXXXXX)
++			@cat@ "$kerneltmp" > "$kerneltmp2"
++			try_decompress '\177ELF' xxy '@cat@' '' cat "$kerneltmp2" && return 0
+ 		else
+ 			_debug "try_decompress: decompression with $3 worked but result is not a kernel"
+ 		fi
+@@ -1391,12 +1391,12 @@ extract_kernel()
+ {
+ 	[ -n "${1:-}" ] || return 1
+ 	# Prepare temp files:
+-	kerneltmp="$(mktemp -t smc-kernel-XXXXXX)"
++	kerneltmp="$(@mktemp@ -t smc-kernel-XXXXXX)"
+
+ 	# Initial attempt for uncompressed images or objects:
+ 	if check_kernel "$1"; then
+ 		_debug "extract_kernel: found kernel is valid, no decompression needed"
+-		cat "$1" > "$kerneltmp"
++		@cat@ "$1" > "$kerneltmp"
+ 		kernel=$kerneltmp
+ 		return 0
+ 	fi
+@@ -1405,14 +1405,14 @@ extract_kernel()
+ 	for pass in 1 2; do
+ 		for mode in normal desperate; do
+ 			_debug "extract_kernel: pass $pass $mode mode"
+-			try_decompress '\037\213\010'     xy    gunzip  ''      gunzip      "$1" "$mode" "$pass" && return 0
+-			try_decompress '\002\041\114\030' xyy   'lz4'   '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
+-			try_decompress '\3757zXZ\000'     abcde unxz    ''      xz-utils    "$1" "$mode" "$pass" && return 0
+-			try_decompress 'BZh'              xy    bunzip2 ''      bzip2       "$1" "$mode" "$pass" && return 0
+-			try_decompress '\135\0\0\0'       xxx   unlzma  ''      xz-utils    "$1" "$mode" "$pass" && return 0
+-			try_decompress '\211\114\132'     xy    'lzop'  '-d'    lzop        "$1" "$mode" "$pass" && return 0
+-			try_decompress '\177ELF'          xxy   'cat'   ''      cat         "$1" "$mode" "$pass" && return 0
+-			try_decompress '(\265/\375'       xxy   unzstd  ''      zstd        "$1" "$mode" "$pass" && return 0
++			try_decompress '\037\213\010'     xy    @gunzip@  ''      gunzip      "$1" "$mode" "$pass" && return 0
++			try_decompress '\002\041\114\030' xyy   '@lz4@'   '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
++			try_decompress '\3757zXZ\000'     abcde @unxz@    ''      xz-utils    "$1" "$mode" "$pass" && return 0
++			try_decompress 'BZh'              xy    @bunzip2@ ''      bzip2       "$1" "$mode" "$pass" && return 0
++			try_decompress '\135\0\0\0'       xxx   @unlzma@  ''      xz-utils    "$1" "$mode" "$pass" && return 0
++			try_decompress '\211\114\132'     xy    '@lzop@'  '-d'    lzop        "$1" "$mode" "$pass" && return 0
++			try_decompress '\177ELF'          xxy   '@cat@'   ''      cat         "$1" "$mode" "$pass" && return 0
++			try_decompress '(\265/\375'       xxy   @unzstd@  ''      zstd        "$1" "$mode" "$pass" && return 0
+ 		done
+ 	done
+ 	# kernel_err might already have been populated by try_decompress() if we're missing one of the tools
+@@ -1429,7 +1429,7 @@ mount_debugfs()
+ {
+ 	if [ ! -e /sys/kernel/debug/sched_features ]; then
+ 		# try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
+-		mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
++		@mount@ -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
+ 	fi
+ }
+
+@@ -1440,12 +1440,12 @@ load_msr()
+ 	load_msr_once=1
+
+ 	if [ "$os" = Linux ]; then
+-		if ! grep -qw msr "$procfs/modules" 2>/dev/null; then
+-			modprobe msr 2>/dev/null && insmod_msr=1
++		if ! @grep@ -qw msr "$procfs/modules" 2>/dev/null; then
++			@modprobe@ msr 2>/dev/null && insmod_msr=1
+ 			_debug "attempted to load module msr, insmod_msr=$insmod_msr"
+ 		else
+ 			_debug "msr module already loaded"
+-		fi
++		fi
+ 	else
+ 		if ! kldstat -q -m cpuctl; then
+ 			kldload cpuctl 2>/dev/null && kldload_cpuctl=1
+@@ -1463,12 +1463,12 @@ load_cpuid()
+ 	load_cpuid_once=1
+
+ 	if [ "$os" = Linux ]; then
+-		if ! grep -qw cpuid "$procfs/modules" 2>/dev/null; then
+-			modprobe cpuid 2>/dev/null && insmod_cpuid=1
++		if ! @grep@ -qw cpuid "$procfs/modules" 2>/dev/null; then
++			@modprobe@ cpuid 2>/dev/null && insmod_cpuid=1
+ 			_debug "attempted to load module cpuid, insmod_cpuid=$insmod_cpuid"
+ 		else
+ 			_debug "cpuid module already loaded"
+-		fi
++		fi
+ 	else
+ 		if ! kldstat -q -m cpuctl; then
+ 			kldload cpuctl 2>/dev/null && kldload_cpuctl=1
+@@ -1557,7 +1557,7 @@ read_cpuid_one_core()
+ 		fi
+ 		# on some kernel versions, /dev/cpu/0/cpuid doesn't imply that the cpuid module is loaded, in that case dd returns an error,
+ 		# we use that fact to load the module if dd returns an error
+-		if ! dd if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then
++		if ! @dd@ if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then
+ 			load_cpuid
+ 		fi
+ 		# we need _leaf to be converted to decimal for dd
+@@ -1568,14 +1568,14 @@ read_cpuid_one_core()
+ 		_ddskip=$(( _position / 16 ))
+ 		_odskip=$(( _position - _ddskip * 16 ))
+ 		# now read the value
+-		_cpuid=$(dd if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | od -j $((_odskip * 16)) -A n -t u4)
++		_cpuid=$(@dd@ if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | @od@ -j $((_odskip * 16)) -A n -t u4)
+ 	elif [ -e /dev/cpuctl0 ]; then
+ 		# BSD
+ 		if [ ! -r /dev/cpuctl0 ]; then
+ 			read_cpuid_msg="Couldn't read cpuid info from cpuctl"
+ 			return $READ_CPUID_RET_ERR
+ 		fi
+-		_cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | cut -d: -f2-)
++		_cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | @cut@ -d: -f2-)
+ 		# cpuid level 0x4, level_type 0x2: 0x1c004143 0x01c0003f 0x000001ff 0x00000000
+ 	else
+ 		read_cpuid_msg="Found no way to read cpuid info"
+@@ -1598,7 +1598,7 @@ read_cpuid_one_core()
+ 	fi
+
+ 	# get the value of the register we want
+-	_reg=$(echo "$_cpuid" | awk '{print $'"$_register"'}')
++	_reg=$(echo "$_cpuid" | @awk@ '{print $'"$_register"'}')
+ 	# Linux returns it as decimal, BSD as hex, normalize to decimal
+ 	_reg=$(( _reg ))
+ 	# shellcheck disable=SC2046
+@@ -1626,11 +1626,11 @@ dmesg_grep()
+ 	# grep for something in dmesg, ensuring that the dmesg buffer
+ 	# has not been truncated
+ 	dmesg_grepped=''
+-	if ! dmesg | grep -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then
++	if ! @dmesg@ | @grep@ -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then
+ 		# dmesg truncated
+ 		return 2
+ 	fi
+-	dmesg_grepped=$(dmesg | grep -E "$1" | head -1)
++	dmesg_grepped=$(@dmesg@ | @grep@ -E "$1" | @head@ -1)
+ 	# not found:
+ 	[ -z "$dmesg_grepped" ] && return 1
+ 	# found, output is in $dmesg_grepped
+@@ -1647,12 +1647,12 @@ parse_cpu_details()
+ {
+ 	[ "${parse_cpu_details_done:-}" = 1 ] && return 0
+
+-	if command -v nproc >/dev/null; then
+-		number_of_cores=$(nproc)
+-	elif echo "$os" | grep -q BSD; then
+-		number_of_cores=$(sysctl -n hw.ncpu 2>/dev/null || echo 1)
++	if command -v @nproc@ >/dev/null; then
++		number_of_cores=$(@nproc@)
++	elif echo "$os" | @grep@ -q BSD; then
++		number_of_cores=$(@sysctl@ -n hw.ncpu 2>/dev/null || echo 1)
+ 	elif [ -e "$procfs/cpuinfo" ]; then
+-		number_of_cores=$(grep -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1)
++		number_of_cores=$(@grep@ -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1)
+ 	else
+ 		# if we don't know, default to 1 CPU
+ 		number_of_cores=1
+@@ -1660,43 +1660,43 @@ parse_cpu_details()
+ 	max_core_id=$(( number_of_cores - 1 ))
+
+ 	if [ -e "$procfs/cpuinfo" ]; then
+-		cpu_vendor=$(  grep '^vendor_id'  "$procfs/cpuinfo" | awk '{print $3}' | head -1)
+-		cpu_friendly_name=$(grep '^model name' "$procfs/cpuinfo" | cut -d: -f2- | head -1 | sed -e 's/^ *//')
++		cpu_vendor=$(  @grep@ '^vendor_id'  "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1)
++		cpu_friendly_name=$(@grep@ '^model name' "$procfs/cpuinfo" | @cut@ -d: -f2- | @head@ -1 | @sed@ -e 's/^ *//')
+ 		# special case for ARM follows
+-		if grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
++		if @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
+ 			cpu_vendor='ARM'
+ 			# some devices (phones or other) have several ARMs and as such different part numbers,
+ 			# an example is "bigLITTLE", so we need to store the whole list, this is needed for is_cpu_affected
+-			cpu_part_list=$(awk '/CPU part/         {print $4}' "$procfs/cpuinfo")
+-			cpu_arch_list=$(awk '/CPU architecture/ {print $3}' "$procfs/cpuinfo")
++			cpu_part_list=$(@awk@ '/CPU part/         {print $4}' "$procfs/cpuinfo")
++			cpu_arch_list=$(@awk@ '/CPU architecture/ {print $3}' "$procfs/cpuinfo")
+ 			# take the first one to fill the friendly name, do NOT quote the vars below
+ 			# shellcheck disable=SC2086
+-			cpu_arch=$(echo $cpu_arch_list | awk '{ print $1 }')
++			cpu_arch=$(echo $cpu_arch_list | @awk@ '{ print $1 }')
+ 			# shellcheck disable=SC2086
+-			cpu_part=$(echo $cpu_part_list | awk '{ print $1 }')
++			cpu_part=$(echo $cpu_part_list | @awk@ '{ print $1 }')
+ 			[ "$cpu_arch" = "AArch64" ] && cpu_arch=8
+ 			cpu_friendly_name="ARM"
+ 			[ -n "$cpu_arch" ] && cpu_friendly_name="$cpu_friendly_name v$cpu_arch"
+ 			[ -n "$cpu_part" ] && cpu_friendly_name="$cpu_friendly_name model $cpu_part"
+
+-		elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
++		elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
+ 			cpu_vendor='CAVIUM'
+-		elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
++		elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
+ 			cpu_vendor='PHYTIUM'
+ 		fi
+
+-		cpu_family=$(  grep '^cpu family' "$procfs/cpuinfo" | awk '{print $4}' | grep -E '^[0-9]+$' | head -1)
+-		cpu_model=$(   grep '^model'      "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
+-		cpu_stepping=$(grep '^stepping'   "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
+-		cpu_ucode=$(   grep '^microcode'  "$procfs/cpuinfo" | awk '{print $3}' | head -1)
++		cpu_family=$(  @grep@ '^cpu family' "$procfs/cpuinfo" | @awk@ '{print $4}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++		cpu_model=$(   @grep@ '^model'      "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++		cpu_stepping=$(@grep@ '^stepping'   "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++		cpu_ucode=$(   @grep@ '^microcode'  "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1)
+ 	else
+-		cpu_vendor=$( dmesg | grep -i -m1 'Origin=' | cut -f2 -w | cut -f2 -d= | cut -f2 -d\" )
+-		cpu_family=$( dmesg | grep -i -m1 'Family=' | cut -f4 -w | cut -f2 -d= )
++		cpu_vendor=$( @dmesg@ | @grep@ -i -m1 'Origin=' | @cut@ -f2 -w | @cut@ -f2 -d= | @cut@ -f2 -d\" )
++		cpu_family=$( @dmesg@ | @grep@ -i -m1 'Family=' | @cut@ -f4 -w | @cut@ -f2 -d= )
+ 		cpu_family=$(( cpu_family ))
+-		cpu_model=$( dmesg | grep -i -m1 'Model=' | cut -f5 -w | cut -f2 -d= )
++		cpu_model=$( @dmesg@ | @grep@ -i -m1 'Model=' | @cut@ -f5 -w | @cut@ -f2 -d= )
+ 		cpu_model=$(( cpu_model ))
+-		cpu_stepping=$( dmesg | grep -i -m1 'Stepping=' | cut -f6 -w | cut -f2 -d= )
+-		cpu_friendly_name=$(sysctl -n hw.model 2>/dev/null)
++		cpu_stepping=$( @dmesg@ | @grep@ -i -m1 'Stepping=' | @cut@ -f6 -w | @cut@ -f2 -d= )
++		cpu_friendly_name=$(@sysctl@ -n hw.model 2>/dev/null)
+ 	fi
+
+ 	if [ -n "${SMC_MOCK_CPU_FRIENDLY_NAME:-}" ]; then
+@@ -1751,7 +1751,7 @@ parse_cpu_details()
+ 			# call CPUID
+ 			cpucontrol -i 1 /dev/cpuctl0 >/dev/null
+ 			# read MSR
+-			cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | awk '{print $3}')
++			cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | @awk@ '{print $3}')
+ 			# convert to decimal
+ 			cpu_ucode=$(( cpu_ucode ))
+ 			# convert back to hex
+@@ -1770,7 +1770,7 @@ parse_cpu_details()
+ 		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CPU_UCODE='$cpu_ucode'")
+ 	fi
+
+-	echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$(( cpu_ucode ))
++	echo "$cpu_ucode" | @grep@ -q ^0x && cpu_ucode=$(( cpu_ucode ))
+ 	ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid")
+
+ 	# also define those that we will need in other funcs
+@@ -1867,8 +1867,8 @@ is_cpu_smt_enabled()
+ {
+ 	# SMT / HyperThreading is enabled if siblings != cpucores
+ 	if [ -e "$procfs/cpuinfo" ]; then
+-		_siblings=$(awk '/^siblings/  {print $3;exit}' "$procfs/cpuinfo")
+-		_cpucores=$(awk '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo")
++		_siblings=$(@awk@ '/^siblings/  {print $3;exit}' "$procfs/cpuinfo")
++		_cpucores=$(@awk@ '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo")
+ 		if [ -n "$_siblings" ] && [ -n "$_cpucores" ]; then
+ 			if [ "$_siblings" = "$_cpucores" ]; then
+ 				return 1
+@@ -1916,10 +1916,10 @@ is_ucode_blacklisted()
+ 		$INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b   \
+ 		$INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712
+ 	do
+-		model=$(echo "$tuple" | cut -d, -f1)
+-		stepping=$(( $(echo "$tuple" | cut -d, -f2) ))
++		model=$(echo "$tuple" | @cut@ -d, -f1)
++		stepping=$(( $(echo "$tuple" | @cut@ -d, -f2) ))
+ 		if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" = "$stepping" ]; then
+-			ucode=$(( $(echo "$tuple" | cut -d, -f3) ))
++			ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
+ 			if [ "$cpu_ucode" = "$ucode" ]; then
+ 				_debug "is_ucode_blacklisted: we have a match! ($cpu_model/$cpu_stepping/$cpu_ucode)"
+ 				return 0
+@@ -2007,7 +2007,7 @@ is_xen_dom0()
+ 		return 1
+ 	fi
+
+-	if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d" "$procfs/xen/capabilities"; then
++	if [ -e "$procfs/xen/capabilities" ] && @grep@ -q "control_d" "$procfs/xen/capabilities"; then
+ 		return 0
+ 	else
+ 		return 1
+@@ -2033,12 +2033,12 @@ is_xen_domU()
+ 	fi
+ }
+
+-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
++builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ 	# we have a local cache file, but it might be older than the builtin version we have
+-	local_dbversion=$(  awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
++	local_dbversion=$(  @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+ 	# sort -V sorts by version number
+-	older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | sort -V | head -n1)
++	older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1)
+ 	if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+ 		mcedb_source="$mcedb_cache"
+ 		mcedb_info="local firmwares DB $local_dbversion"
+@@ -2051,7 +2051,7 @@ if [ -z "${mcedb_source:-}" ]; then
+ fi
+ read_mcedb()
+ {
+-	awk '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
++	@awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
+ }
+
+ is_latest_known_ucode()
+@@ -2070,10 +2070,10 @@ is_latest_known_ucode()
+ 	else
+ 		return 2
+ 	fi
+-	for tuple in $(read_mcedb | grep "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
++	for tuple in $(read_mcedb | @grep@ "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
+ 	do
+-		ucode=$((  $(echo "$tuple" | cut -d, -f3) ))
+-		ucode_date=$(echo "$tuple" | cut -d, -f4 | sed -r 's=(....)(..)(..)=\1/\2/\3=')
++		ucode=$((  $(echo "$tuple" | @cut@ -d, -f3) ))
++		ucode_date=$(echo "$tuple" | @cut@ -d, -f4 | @sed@ -r 's=(....)(..)(..)=\1/\2/\3=')
+ 		_debug "is_latest_known_ucode: with cpuid $cpu_cpuid has ucode $cpu_ucode, last known is $ucode from $ucode_date"
+ 		ucode_latest=$(printf "latest version is 0x%x dated $ucode_date according to $mcedb_info" "$ucode")
+ 		if [ "$cpu_ucode" -ge "$ucode" ]; then
+@@ -2098,7 +2098,7 @@ get_cmdline()
+ 		kernel_cmdline="$SMC_MOCK_CMDLINE"
+ 		return
+ 	else
+-		kernel_cmdline=$(cat "$procfs/cmdline")
++		kernel_cmdline=$(@cat@ "$procfs/cmdline")
+ 		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CMDLINE='$kernel_cmdline'")
+ 	fi
+ }
+@@ -2106,7 +2106,7 @@ get_cmdline()
+ # ENTRYPOINT
+
+ # we can't do anything useful under WSL
+-if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then
++if @uname@ -a | @grep@ -qE -- '-Microsoft #[0-9]+-Microsoft '; then
+ 	_warn "This script doesn't work under Windows Subsystem for Linux"
+ 	_warn "You should use the official Microsoft tool instead."
+ 	_warn "It can be found under https://aka.ms/SpeculationControlPS"
+@@ -2155,15 +2155,15 @@ fi
+
+ # if we're under a BSD, try to mount linprocfs for "$procfs/cpuinfo"
+ procfs=/proc
+-if echo "$os" | grep -q BSD; then
++if echo "$os" | @grep@ -q BSD; then
+ 	_debug "We're under BSD, check if we have procfs"
+-	procfs=$(mount | awk '/^linprocfs/ { print $3; exit; }')
++	procfs=$(@mount@ | @awk@ '/^linprocfs/ { print $3; exit; }')
+ 	if [ -z "$procfs" ]; then
+ 		_debug "we don't, try to mount it"
+ 		procfs=/proc
+ 		[ -d /compat/linux/proc ] && procfs=/compat/linux/proc
+ 		test -d $procfs || mkdir $procfs
+-		if mount -t linprocfs linprocfs $procfs 2>/dev/null; then
++		if @mount@ -t linprocfs linprocfs $procfs 2>/dev/null; then
+ 			mounted_procfs=1
+ 			_debug "procfs just mounted at $procfs"
+ 		else
+@@ -2195,14 +2195,14 @@ fi
+
+ if [ "$opt_live" = 1 ]; then
+ 	# root check (only for live mode, for offline mode, we already checked if we could read the files)
+-	if [ "$(id -u)" -ne 0 ]; then
++	if [ "$(@id@ -u)" -ne 0 ]; then
+ 		_warn "Note that you should launch this script with root privileges to get accurate information."
+ 		_warn "We'll proceed but you might see permission denied errors."
+ 		_warn "To run it as root, you can try the following command: sudo $0"
+ 		_warn
+ 	fi
+ 	_info "Checking for vulnerabilities on current system"
+-	_info "Kernel is \033[35m$os $(uname -r) $(uname -v) $(uname -m)\033[0m"
++	_info "Kernel is \033[35m$os $(@uname@ -r) $(@uname@ -v) $(@uname@ -m)\033[0m"
+ 	_info "CPU is \033[35m$cpu_friendly_name\033[0m"
+
+ 	# try to find the image of the current running kernel
+@@ -2210,12 +2210,12 @@ if [ "$opt_live" = 1 ]; then
+ 		# specified by user on cmdline, with --live, don't override
+ 		:
+ 	# first, look for the BOOT_IMAGE hint in the kernel cmdline
+-	elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then
+-		opt_kernel=$(echo "$kernel_cmdline" | grep -Eo 'BOOT_IMAGE=[^ ]+' | cut -d= -f2)
++	elif echo "$kernel_cmdline" | @grep@ -q 'BOOT_IMAGE='; then
++		opt_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo 'BOOT_IMAGE=[^ ]+' | @cut@ -d= -f2)
+ 		_debug "found opt_kernel=$opt_kernel in $procfs/cmdline"
+ 		# if the boot partition is within a btrfs subvolume, strip the subvolume name
+ 		# if /boot is a separate subvolume, the remainder of the code in this section should handle it
+-		if echo "$opt_kernel" | grep -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi
++		if echo "$opt_kernel" | @grep@ -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | @sed@ "s:/@[^/]*::"); fi
+ 		# if we have a dedicated /boot partition, our bootloader might have just called it /
+ 		# so try to prepend /boot and see if we find anything
+ 		[ -e "/boot/$opt_kernel" ] && opt_kernel="/boot/$opt_kernel"
+@@ -2227,7 +2227,7 @@ if [ "$opt_live" = 1 ]; then
+ 	# if we didn't find a kernel, default to guessing
+ 	if [ ! -e "$opt_kernel" ]; then
+ 		# Fedora:
+-		[ -e "/lib/modules/$(uname -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(uname -r)/vmlinuz"
++		[ -e "/lib/modules/$(@uname@ -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(@uname@ -r)/vmlinuz"
+ 		# Slackware:
+ 		[ -e "/boot/vmlinuz"             ] && opt_kernel="/boot/vmlinuz"
+ 		# Arch aarch64:
+@@ -2241,24 +2241,24 @@ if [ "$opt_live" = 1 ]; then
+ 		# pine64
+ 		[ -e "/boot/pine64/Image"        ] && opt_kernel="/boot/pine64/Image"
+ 		# generic:
+-		[ -e "/boot/vmlinuz-$(uname -r)" ] && opt_kernel="/boot/vmlinuz-$(uname -r)"
+-		[ -e "/boot/kernel-$( uname -r)" ] && opt_kernel="/boot/kernel-$( uname -r)"
+-		[ -e "/boot/bzImage-$(uname -r)" ] && opt_kernel="/boot/bzImage-$(uname -r)"
++		[ -e "/boot/vmlinuz-$(@uname@ -r)" ] && opt_kernel="/boot/vmlinuz-$(@uname@ -r)"
++		[ -e "/boot/kernel-$( @uname@ -r)" ] && opt_kernel="/boot/kernel-$( @uname@ -r)"
++		[ -e "/boot/bzImage-$(@uname@ -r)" ] && opt_kernel="/boot/bzImage-$(@uname@ -r)"
+ 		# Gentoo:
+-		[ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
++		[ -e "/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)" ] && opt_kernel="/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)"
+ 		# NixOS:
+ 		[ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
+ 		# Guix System:
+ 		[ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ 		# systemd kernel-install:
+-		[ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
++		[ -e "/etc/machine-id" ] && [ -e "/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux" ] && opt_kernel="/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux"
+ 		# Clear Linux:
+-		str_uname=$(uname -r)
++		str_uname=$(@uname@ -r)
+ 		clear_linux_kernel="/lib/kernel/org.clearlinux.${str_uname##*.}.${str_uname%.*}"
+ 		[ -e "$clear_linux_kernel" ] && opt_kernel=$clear_linux_kernel
+ 		# Custom Arch seems to have the kernel path in its cmdline in the form "\directory\kernelimage",
+ 		# with actual \'s instead of /'s:
+-		custom_arch_kernel=$(echo "$kernel_cmdline" | grep -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d '[:space:]')
++		custom_arch_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | @tr@ "\\\\" "/" | @tr@ -d '[:space:]')
+ 		if [ -n "$custom_arch_kernel" ] && [ -e "$custom_arch_kernel" ]; then
+ 			opt_kernel="$custom_arch_kernel"
+ 		fi
+@@ -2272,12 +2272,12 @@ if [ "$opt_live" = 1 ]; then
+ 		:
+ 	elif [ -e "$procfs/kallsyms" ] ; then
+ 		opt_map="$procfs/kallsyms"
+-	elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then
+-		opt_map="/lib/modules/$(uname -r)/System.map"
+-	elif [ -e "/boot/System.map-$(uname -r)" ] ; then
+-		opt_map="/boot/System.map-$(uname -r)"
+-	elif [ -e "/lib/kernel/System.map-$(uname -r)" ]; then
+-		opt_map="/lib/kernel/System.map-$(uname -r)"
++	elif [ -e "/lib/modules/$(@uname@ -r)/System.map" ] ; then
++		opt_map="/lib/modules/$(@uname@ -r)/System.map"
++	elif [ -e "/boot/System.map-$(@uname@ -r)" ] ; then
++		opt_map="/boot/System.map-$(@uname@ -r)"
++	elif [ -e "/lib/kernel/System.map-$(@uname@ -r)" ]; then
++		opt_map="/lib/kernel/System.map-$(@uname@ -r)"
+ 	fi
+
+ 	# config
+@@ -2285,18 +2285,18 @@ if [ "$opt_live" = 1 ]; then
+ 		# specified by user on cmdline, with --live, don't override
+ 		:
+ 	elif [ -e "$procfs/config.gz" ] ; then
+-		dumped_config="$(mktemp -t smc-config-XXXXXX)"
+-		gunzip -c "$procfs/config.gz" > "$dumped_config"
++		dumped_config="$(@mktemp@ -t smc-config-XXXXXX)"
++		@gunzip@ -c "$procfs/config.gz" > "$dumped_config"
+ 		# dumped_config will be deleted at the end of the script
+ 		opt_config="$dumped_config"
+-	elif [ -e "/lib/modules/$(uname -r)/config" ]; then
+-		opt_config="/lib/modules/$(uname -r)/config"
+-	elif [ -e "/boot/config-$(uname -r)" ]; then
+-		opt_config="/boot/config-$(uname -r)"
+-	elif [ -e "/etc/kernels/kernel-config-$(uname -m)-$(uname -r)" ]; then
+-		opt_config="/etc/kernels/kernel-config-$(uname -m)-$(uname -r)"
+-	elif [ -e "/lib/kernel/config-$(uname -r)" ]; then
+-		opt_config="/lib/kernel/config-$(uname -r)"
++	elif [ -e "/lib/modules/$(@uname@ -r)/config" ]; then
++		opt_config="/lib/modules/$(@uname@ -r)/config"
++	elif [ -e "/boot/config-$(@uname@ -r)" ]; then
++		opt_config="/boot/config-$(@uname@ -r)"
++	elif [ -e "/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)" ]; then
++		opt_config="/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)"
++	elif [ -e "/lib/kernel/config-$(@uname@ -r)" ]; then
++		opt_config="/lib/kernel/config-$(@uname@ -r)"
+ 	fi
+ else
+ 	_info "Checking for vulnerabilities against specified kernel"
+@@ -2311,7 +2311,7 @@ else
+ fi
+
+ if [ "$os" = Linux ]; then
+-	if [ -n "$opt_config" ] && ! grep -q '^CONFIG_' "$opt_config"; then
++	if [ -n "$opt_config" ] && ! @grep@ -q '^CONFIG_' "$opt_config"; then
+ 		# given file is invalid!
+ 		_warn "The kernel config file seems invalid, was expecting a plain-text file, ignoring it!"
+ 		opt_config=''
+@@ -2339,7 +2339,7 @@ if [ "$os" = Linux ]; then
+ fi
+
+ if [ -e "$opt_kernel" ]; then
+-	if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then
++	if ! command -v "@readelf@" >/dev/null 2>&1; then
+ 		_debug "readelf not found"
+ 		kernel_err="missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the 'binutils' package"
+ 	elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ]; then
+@@ -2357,20 +2357,20 @@ else
+ 	# vanilla kernels have with ^Linux version
+ 	# also try harder with some kernels (such as Red Hat) that don't have ^Linux version before their version string
+ 	# and check for FreeBSD
+-	kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E \
++	kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E \
+ 		-e '^Linux version ' \
+ 		-e '^[[:alnum:]][^[:space:]]+ \([^[:space:]]+\) #[0-9]+ .+ (19|20)[0-9][0-9]$' \
+-		-e '^FreeBSD [0-9]' | head -1)
++		-e '^FreeBSD [0-9]' | @head@ -1)
+ 	if [ -z "$kernel_version" ]; then
+ 		# try even harder with some kernels (such as ARM) that split the release (uname -r) and version (uname -v) in 2 adjacent strings
+-		kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | tr "\n" " ")
++		kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | @tr@ "\n" " ")
+ 	fi
+ 	if [ -n "$kernel_version" ]; then
+ 		# in live mode, check if the img we found is the correct one
+ 		if [ "$opt_live" = 1 ]; then
+ 			_verbose "Kernel image is \033[35m$kernel_version"
+-			if ! echo "$kernel_version" | grep -qF "$(uname -r)"; then
+-				_warn "Possible discrepancy between your running kernel '$(uname -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect"
++			if ! echo "$kernel_version" | @grep@ -qF "$(@uname@ -r)"; then
++				_warn "Possible discrepancy between your running kernel '$(@uname@ -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect"
+ 			fi
+ 		else
+ 			_info "Kernel image is \033[35m$kernel_version"
+@@ -2398,11 +2398,11 @@ sys_interface_check()
+ 	if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r "$file" ]; then
+ 		:
+ 	else
+-		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")_RET=1")
++		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")_RET=1")
+ 		return 1
+ 	fi
+
+-	_mockvarname="SMC_MOCK_SYSFS_$(basename "$file")_RET"
++	_mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")_RET"
+ 	# shellcheck disable=SC2086,SC1083
+ 	if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
+ 		_debug "sysfs: MOCKING enabled for $file func returns $(eval echo \$$_mockvarname)"
+@@ -2411,17 +2411,17 @@ sys_interface_check()
+ 	fi
+
+ 	[ -n "$regex" ] || regex='.*'
+-	_mockvarname="SMC_MOCK_SYSFS_$(basename "$file")"
++	_mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")"
+ 	# shellcheck disable=SC2086,SC1083
+ 	if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
+ 		fullmsg="$(eval echo \$$_mockvarname)"
+-		msg=$(echo "$fullmsg" | grep -Eo "$regex")
++		msg=$(echo "$fullmsg" | @grep@ -Eo "$regex")
+ 		_debug "sysfs: MOCKING enabled for $file, will return $fullmsg"
+ 		mocked=1
+ 	else
+-		fullmsg=$(cat "$file")
+-		msg=$(grep -Eo "$regex" "$file")
+-		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")='$fullmsg'")
++		fullmsg=$(@cat@ "$file")
++		msg=$(@grep@ -Eo "$regex" "$file")
++		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")='$fullmsg'")
+ 	fi
+ 	if [ "$mode" = silent ]; then
+ 		return 0
+@@ -2430,15 +2430,15 @@ sys_interface_check()
+ 		return 0
+ 	fi
+ 	_info_nol "* Mitigated according to the /sys interface: "
+-	if echo "$msg" | grep -qi '^not affected'; then
++	if echo "$msg" | @grep@ -qi '^not affected'; then
+ 		# Not affected
+ 		status=OK
+ 		pstatus green YES "$fullmsg"
+-	elif echo "$msg" | grep -qEi '^(kvm: )?mitigation'; then
++	elif echo "$msg" | @grep@ -qEi '^(kvm: )?mitigation'; then
+ 		# Mitigation: PTI
+ 		status=OK
+ 		pstatus green YES "$fullmsg"
+-	elif echo "$msg" | grep -qi '^vulnerable'; then
++	elif echo "$msg" | @grep@ -qi '^vulnerable'; then
+ 		# Vulnerable
+ 		status=VULN
+ 		pstatus yellow NO "$fullmsg"
+@@ -2526,20 +2526,20 @@ write_msr_one_core()
+ 			# ret=4: msr doesn't exist, ret=127: msr.allow_writes=off
+ 			[ "$ret" = 127 ] && _write_denied=1
+ 		# or fallback to dd if it supports seek_bytes, we prefer it over perl because we can tell the difference between EPERM and EIO
+-		elif dd if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
++		elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
+ 			_debug "write_msr: using dd"
+-			dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
++			@dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
+ 			# if it failed, inspect stderrto look for EPERM
+ 			if [ "$ret" != 0 ]; then
+-				if dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then
++				if @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | @grep@ -qF 'Operation not permitted'; then
+ 					_write_denied=1
+ 				fi
+ 			fi
+ 		# or if we have perl, use it, any 5.x version will work
+-		elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
++		elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
+ 			_debug "write_msr: using perl"
+ 			ret=1
+-			perl -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0
++			@perl@ -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0
+ 		else
+ 			_debug "write_msr: got no wrmsr, perl or recent enough dd!"
+ 			mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR")
+@@ -2561,13 +2561,13 @@ write_msr_one_core()
+ 				msr_locked_down=1
+ 				write_msr_msg="your kernel is configured to deny writes to MSRs from user space"
+ 				return $WRITE_MSR_RET_LOCKDOWN
+-			elif dmesg | grep -qF "msr: Direct access to MSR"; then
++			elif @dmesg@ | @grep@ -qF "msr: Direct access to MSR"; then
+ 				_debug "write_msr: locked down kernel detected (Red Hat / Fedora)"
+ 				mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
+ 				msr_locked_down=1
+ 				write_msr_msg="your kernel is locked down (Fedora/Red Hat), please reboot without secure boot and retry"
+ 				return $WRITE_MSR_RET_LOCKDOWN
+-			elif dmesg | grep -qF "raw MSR access is restricted"; then
++			elif @dmesg@ | @grep@ -qF "raw MSR access is restricted"; then
+ 				_debug "write_msr: locked down kernel detected (vanilla)"
+ 				mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
+ 				msr_locked_down=1
+@@ -2666,8 +2666,8 @@ read_msr_one_core()
+ 			return $READ_MSR_RET_KO
+ 		fi
+ 		# MSR 0x10: 0x000003e1 0xb106dded
+-		_msr_h=$(echo "$_msr" | awk '{print $3}');
+-		_msr_l=$(echo "$_msr" | awk '{print $4}');
++		_msr_h=$(echo "$_msr" | @awk@ '{print $3}');
++		_msr_l=$(echo "$_msr" | @awk@ '{print $4}');
+ 		read_msr_value=$(( _msr_h << 32 | _msr_l ))
+ 	else
+ 		# for Linux
+@@ -2678,15 +2678,15 @@ read_msr_one_core()
+ 		# if rdmsr is available, use it
+ 		elif command -v rdmsr >/dev/null 2>&1 && [ "${SMC_NO_RDMSR:-}" != 1 ]; then
+ 			_debug "read_msr: using rdmsr on $_msr"
+-			read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | od -t u8 -A n)
++			read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | @od@ -t u8 -A n)
+ 		# or if we have perl, use it, any 5.x version will work
+-		elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
++		elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
+ 			_debug "read_msr: using perl on $_msr"
+-			read_msr_value=$(perl -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | od -t u8 -A n)
++			read_msr_value=$(@perl@ -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | @od@ -t u8 -A n)
+ 		# fallback to dd if it supports skip_bytes
+-		elif dd if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
++		elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
+ 			_debug "read_msr: using dd on $_msr"
+-			read_msr_value=$(dd if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8 -A n)
++			read_msr_value=$(@dd@ if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | @od@ -t u8 -A n)
+ 		else
+ 			_debug "read_msr: got no rdmsr, perl or recent enough dd!"
+ 			mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR")
+@@ -2710,7 +2710,7 @@ check_cpu()
+ {
+ 	_info "\033[1;34mHardware check\033[0m"
+
+-	if ! uname -m | grep -qwE 'x86_64|i[3-6]86|amd64'; then
++	if ! @uname@ -m | @grep@ -qwE 'x86_64|i[3-6]86|amd64'; then
+ 		return
+ 	fi
+
+@@ -3326,19 +3326,19 @@ check_redhat_canonical_spectre()
+ 	# if we were already called, don't do it again
+ 	[ -n "${redhat_canonical_spectre:-}" ] && return
+
+-	if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++	if ! command -v "@strings@" >/dev/null 2>&1; then
+ 		redhat_canonical_spectre=-1
+ 	elif [ -n "$kernel_err" ]; then
+ 		redhat_canonical_spectre=-2
+ 	else
+ 		# Red Hat / Ubuntu specific variant1 patch is difficult to detect,
+ 		# let's use the two same tricks than the official Red Hat detection script uses:
+-		if "${opt_arch_prefix}strings" "$kernel" | grep -qw noibrs && "${opt_arch_prefix}strings" "$kernel" | grep -qw noibpb; then
++		if "@strings@" "$kernel" | @grep@ -qw noibrs && "@strings@" "$kernel" | @grep@ -qw noibpb; then
+ 			# 1) detect their specific variant2 patch. If it's present, it means
+ 			# that the variant1 patch is also present (both were merged at the same time)
+ 			_debug "found redhat/canonical version of the variant2 patch (implies variant1)"
+ 			redhat_canonical_spectre=1
+-		elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'x86/pti:'; then
++		elif "@strings@" "$kernel" | @grep@ -q 'x86/pti:'; then
+ 			# 2) detect their specific variant3 patch. If it's present, but the variant2
+ 			# is not, it means that only variant1 is present in addition to variant3
+ 			_debug "found redhat/canonical version of the variant3 patch (implies variant1 but not variant2)"
+@@ -3363,13 +3363,13 @@ check_has_vmm()
+ 		# If we find no evidence that this is the case, assume we're not (to avoid scaring users),
+ 		# this can always be overridden with --vmm in any case.
+ 		has_vmm=0
+-		if command -v pgrep >/dev/null 2>&1; then
++		if command -v @pgrep@ >/dev/null 2>&1; then
+ 			# remove xenbus and xenwatch, also present inside domU
+ 			# remove libvirtd as it can also be used to manage containers and not VMs
+ 			# for each binary we want to grep, get the pids
+ 			for _binary in qemu kvm xenstored xenconsoled
+ 			do
+-				for _pid in $(pgrep -x $_binary)
++				for _pid in $(@pgrep@ -x $_binary)
+ 				do
+ 					# resolve the exe symlink, if it doesn't resolve with -m,
+ 					# which doesn't even need the dest to exist, it means the symlink
+@@ -3385,7 +3385,7 @@ check_has_vmm()
+ 		else
+ 			# ignore SC2009 as `ps ax` is actually used as a fallback if `pgrep` isn't installed
+ 			# shellcheck disable=SC2009
+-			if command -v ps >/devnull && ps ax | grep -vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then
++			if command -v ps >/devnull && ps ax | @grep@ -vw grep | @grep@ -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then
+ 				has_vmm=1
+ 			fi
+ 		fi
+@@ -3417,7 +3417,7 @@ check_CVE_2017_5753()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2017_5753_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2017_5753_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -3469,20 +3469,20 @@ check_CVE_2017_5753_linux()
+ 		v1_mask_nospec=''
+ 		if [ -n "$kernel_err" ]; then
+ 			pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+-		elif ! command -v perl >/dev/null 2>&1; then
++		elif ! command -v @perl@ >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+ 		else
+-			perl -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
++			@perl@ -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
+ 			if [ $ret -gt 0 ]; then
+ 				pstatus green YES "$ret occurrence(s) found of x86 64 bits array_index_mask_nospec()"
+ 				v1_mask_nospec="x86 64 bits array_index_mask_nospec"
+ 			else
+-				perl -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
++				@perl@ -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
+ 				if [ $ret -gt 0 ]; then
+ 					pstatus green YES "$ret occurrence(s) found of x86 32 bits array_index_mask_nospec()"
+ 					v1_mask_nospec="x86 32 bits array_index_mask_nospec"
+ 				else
+-					ret=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" | grep -w -e f3af8014 -e e320f014 -B2 | grep -B1 -w sbc | grep -w -c cmp)
++					ret=$("@objdump@" $objdump_options "$kernel" | @grep@ -w -e f3af8014 -e e320f014 -B2 | @grep@ -B1 -w sbc | @grep@ -w -c cmp)
+ 					if [ "$ret" -gt 0 ]; then
+ 						pstatus green YES "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()"
+ 						v1_mask_nospec="arm 32 bits array_index_mask_nospec"
+@@ -3526,12 +3526,12 @@ check_CVE_2017_5753_linux()
+ 			pstatus yellow NO
+ 		elif [ -n "$kernel_err" ]; then
+ 			pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+-		elif ! command -v perl >/dev/null 2>&1; then
++		elif ! command -v @perl@ >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+-		elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++		elif ! command -v "@objdump@" >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ 		else
+-			"${opt_arch_prefix}objdump" $objdump_options "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
++			"@objdump@" $objdump_options "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
+ 			if [ "$ret" -eq 9 ]; then
+ 				pstatus green YES "mask_nospec64 macro is present and used"
+ 				v1_mask_nospec="arm64 mask_nospec64"
+@@ -3553,12 +3553,12 @@ check_CVE_2017_5753_linux()
+ 			pstatus yellow NO
+ 		elif [ -n "$kernel_err" ]; then
+ 			pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+-		elif ! command -v perl >/dev/null 2>&1; then
++		elif ! command -v @perl@ >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+-		elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++		elif ! command -v "@objdump@" >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ 		else
+-			"${opt_arch_prefix}objdump" -d "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$?
++			"@objdump@" -d "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$?
+ 			if [ "$ret" -eq 9 ]; then
+ 				pstatus green YES "array_index_nospec macro is present and used"
+ 				v1_mask_nospec="arm64 array_index_nospec"
+@@ -3574,7 +3574,7 @@ check_CVE_2017_5753_linux()
+ 			if [ -n "$kernel_err" ]; then
+ 				pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ 			else
+-				if ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++				if ! command -v "@objdump@" >/dev/null 2>&1; then
+ 					pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ 				else
+ 					# here we disassemble the kernel and count the number of occurrences of the LFENCE opcode
+@@ -3584,7 +3584,7 @@ check_CVE_2017_5753_linux()
+ 					# so let's push the threshold to 70.
+ 					# v0.33+: now only count lfence opcodes after a jump, way less error-prone
+ 					# non patched kernel have between 0 and 20 matches, patched ones have at least 40-45
+-					nb_lfence=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence | grep -Ewc 'jmp|jne|je')
++					nb_lfence=$("@objdump@" $objdump_options "$kernel" 2>/dev/null | @grep@ -w -B1 lfence | @grep@ -Ewc 'jmp|jne|je')
+ 					if [ "$nb_lfence" -lt 30 ]; then
+ 						pstatus yellow NO "only $nb_lfence jump-then-lfence instructions found, should be >= 30 (heuristic)"
+ 					else
+@@ -3655,7 +3655,7 @@ check_CVE_2017_5715()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2017_5715_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2017_5715_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -3697,13 +3697,13 @@ check_CVE_2017_5715_linux()
+ 					# /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed
+ 					specex_knob_dir=$dir
+ 					ibrs_supported="$dir/ibrs_enabled exists"
+-					ibrs_enabled=$(cat "$dir/ibrs_enabled" 2>/dev/null)
++					ibrs_enabled=$(@cat@ "$dir/ibrs_enabled" 2>/dev/null)
+ 					_debug "ibrs: found $dir/ibrs_enabled=$ibrs_enabled"
+ 					# if ibrs_enabled is there, ibpb_enabled will be in the same dir
+ 					if [ -e "$dir/ibpb_enabled" ]; then
+ 						# if the file is there, we have IBPB compiled-in (see note above for IBRS)
+ 						ibpb_supported="$dir/ibpb_enabled exists"
+-						ibpb_enabled=$(cat "$dir/ibpb_enabled" 2>/dev/null)
++						ibpb_enabled=$(@cat@ "$dir/ibpb_enabled" 2>/dev/null)
+ 						_debug "ibpb: found $dir/ibpb_enabled=$ibpb_enabled"
+ 					else
+ 						_debug "ibpb: $dir/ibpb_enabled file doesn't exist"
+@@ -3718,7 +3718,7 @@ check_CVE_2017_5715_linux()
+ 			# which in that case means ibrs is supported *and* enabled for kernel & user
+ 			# as per the ibrs patch series v3
+ 			if [ -z "$ibrs_supported" ]; then
+-				if grep ^flags "$procfs/cpuinfo" | grep -qw spec_ctrl_ibrs; then
++				if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw spec_ctrl_ibrs; then
+ 					_debug "ibrs: found spec_ctrl_ibrs flag in $procfs/cpuinfo"
+ 					ibrs_supported="spec_ctrl_ibrs flag in $procfs/cpuinfo"
+ 					# enabled=2 -> kernel & user
+@@ -3728,13 +3728,13 @@ check_CVE_2017_5715_linux()
+ 			fi
+ 			if [ -n "$fullmsg" ]; then
+ 				# when IBPB is enabled on 4.15+, we can see it in sysfs
+-				if echo "$fullmsg" | grep -q 'IBPB'; then
++				if echo "$fullmsg" | @grep@ -q 'IBPB'; then
+ 					_debug "ibpb: found enabled in sysfs"
+ 					[ -z "$ibpb_supported" ] && ibpb_supported='IBPB found enabled in sysfs'
+ 					[ -z "$ibpb_enabled"   ] && ibpb_enabled=1
+ 				fi
+ 				# when IBRS_FW is enabled on 4.15+, we can see it in sysfs
+-				if echo "$fullmsg" | grep -q ', IBRS_FW'; then
++				if echo "$fullmsg" | @grep@ -q ', IBRS_FW'; then
+ 					_debug "ibrs: found IBRS_FW in sysfs"
+ 					[ -z "$ibrs_supported" ] && ibrs_supported='found IBRS_FW in sysfs'
+ 					ibrs_fw_enabled=1
+@@ -3742,13 +3742,13 @@ check_CVE_2017_5715_linux()
+ 				# when IBRS is enabled on 4.15+, we can see it in sysfs
+ 				# on a more recent kernel, classic "IBRS" is not even longer an option, because of the performance impact.
+ 				# only "Enhanced IBRS" is available (on CPUs with the IBRS_ALL flag)
+-				if echo "$fullmsg" | grep -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
++				if echo "$fullmsg" | @grep@ -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
+ 					_debug "ibrs: found IBRS in sysfs"
+ 					[ -z "$ibrs_supported" ] && ibrs_supported='found IBRS in sysfs'
+ 					[ -z "$ibrs_enabled"   ] && ibrs_enabled=3
+ 				fi
+ 				# checking for 'Enhanced IBRS' in sysfs, enabled on CPUs with IBRS_ALL
+-				if echo "$fullmsg" | grep -q -e 'Enhanced IBRS'; then
++				if echo "$fullmsg" | @grep@ -q -e 'Enhanced IBRS'; then
+ 					[ -z "$ibrs_supported" ] && ibrs_supported='found Enhanced IBRS in sysfs'
+ 					# 4 isn't actually a valid value of the now extinct "ibrs_enabled" flag file,
+ 					# that only went from 0 to 3, so we use 4 as "enhanced ibrs is enabled"
+@@ -3767,11 +3767,11 @@ check_CVE_2017_5715_linux()
+ 			fi
+ 		fi
+ 		if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then
+-			if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++			if ! command -v "@strings@" >/dev/null 2>&1; then
+ 				:
+ 			else
+ 				ibrs_can_tell=1
+-				ibrs_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1)
++				ibrs_supported=$("@strings@" "$kernel" | @grep@ -Fw -e ', IBRS_FW' | @head@ -1)
+ 				if [ -n "$ibrs_supported" ]; then
+ 					_debug "ibrs: found ibrs evidence in kernel image ($ibrs_supported)"
+ 					ibrs_supported="found '$ibrs_supported' in kernel image"
+@@ -3780,7 +3780,7 @@ check_CVE_2017_5715_linux()
+ 		fi
+ 		if [ -z "$ibrs_supported" ] && [ -n "$opt_map" ]; then
+ 			ibrs_can_tell=1
+-			if grep -q spec_ctrl "$opt_map"; then
++			if @grep@ -q spec_ctrl "$opt_map"; then
+ 				ibrs_supported="found spec_ctrl in symbols file"
+ 				_debug "ibrs: found '*spec_ctrl*' symbol in $opt_map"
+ 			fi
+@@ -3788,11 +3788,11 @@ check_CVE_2017_5715_linux()
+ 		# recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat
+ 		# we can detect it directly in the image
+ 		if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then
+-			if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++			if ! command -v "@strings@" >/dev/null 2>&1; then
+ 				:
+ 			else
+ 				ibpb_can_tell=1
+-				ibpb_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1)
++				ibpb_supported=$("@strings@" "$kernel" | @grep@ -Fw -e 'ibpb' -e ', IBPB' | @head@ -1)
+ 				if [ -n "$ibpb_supported" ]; then
+ 					_debug "ibpb: found ibpb evidence in kernel image ($ibpb_supported)"
+ 					ibpb_supported="found '$ibpb_supported' in kernel image"
+@@ -3841,9 +3841,9 @@ check_CVE_2017_5715_linux()
+ 					2)	if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel, user space, and firmware code" ; else pstatus green YES "for both kernel and user space"; fi;;
+ 					3)	if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and firmware code"; else pstatus green YES; fi;;
+ 					4)	pstatus green YES "Enhanced flavor, performance impact will be greatly reduced";;
+-					*)	if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ];
+-							then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
+-						else
++					*)	if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ];
++							then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
++						else
+ 							pstatus yellow UNKNOWN; fi;;
+ 				esac
+ 			fi
+@@ -3894,7 +3894,7 @@ check_CVE_2017_5715_linux()
+ 		bp_harden=''
+ 		if [ -r "$opt_config" ]; then
+ 			bp_harden_can_tell=1
+-			bp_harden=$(grep -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
++			bp_harden=$(@grep@ -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
+ 			if [ -n "$bp_harden" ]; then
+ 				pstatus green YES
+ 				_debug "bp_harden: found '$bp_harden' in $opt_config"
+@@ -3902,7 +3902,7 @@ check_CVE_2017_5715_linux()
+ 		fi
+ 		if [ -z "$bp_harden" ] && [ -n "$opt_map" ]; then
+ 			bp_harden_can_tell=1
+-			bp_harden=$(grep -w bp_hardening_data "$opt_map")
++			bp_harden=$(@grep@ -w bp_hardening_data "$opt_map")
+ 			if [ -n "$bp_harden" ]; then
+ 				pstatus green YES
+ 				_debug "bp_harden: found '$bp_harden' in $opt_map"
+@@ -3920,11 +3920,11 @@ check_CVE_2017_5715_linux()
+ 		# We check the RETPOLINE kernel options
+ 		retpoline=0
+ 		if [ -r "$opt_config" ]; then
+-			if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
++			if @grep@ -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
+ 				pstatus green YES
+ 				retpoline=1
+ 				# shellcheck disable=SC2046
+-				_debug 'retpoline: found '$(grep '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
++				_debug 'retpoline: found '$(@grep@ '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
+ 			else
+ 				pstatus yellow NO
+ 			fi
+@@ -3945,8 +3945,8 @@ check_CVE_2017_5715_linux()
+ 			# since 5.15.28, this is now "Retpolines" as the implementation was switched to a generic one,
+ 			# so we look for both "retpoline" and "retpolines"
+ 			if [ "$opt_live" = 1 ] && [ -n "$fullmsg" ]; then
+-				if echo "$fullmsg" | grep -qwi -e retpoline -e retpolines; then
+-					if echo "$fullmsg" | grep -qwi minimal; then
++				if echo "$fullmsg" | @grep@ -qwi -e retpoline -e retpolines; then
++					if echo "$fullmsg" | @grep@ -qwi minimal; then
+ 						retpoline_compiler=0
+ 						retpoline_compiler_reason="kernel reports minimal retpoline compilation"
+ 					else
+@@ -3956,19 +3956,19 @@ check_CVE_2017_5715_linux()
+ 				fi
+ 			elif [ -n "$opt_map" ]; then
+ 				# look for the symbol
+-				if grep -qw noretpoline_setup "$opt_map"; then
++				if @grep@ -qw noretpoline_setup "$opt_map"; then
+ 					retpoline_compiler=1
+ 					retpoline_compiler_reason="noretpoline_setup symbol found in System.map"
+ 				fi
+ 			elif [ -n "$kernel" ]; then
+ 				# look for the symbol
+-				if command -v "${opt_arch_prefix}nm" >/dev/null 2>&1; then
++				if command -v "@nm@" >/dev/null 2>&1; then
+ 					# the proper way: use nm and look for the symbol
+-					if "${opt_arch_prefix}nm" "$kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then
++					if "@nm@" "$kernel" 2>/dev/null | @grep@ -qw 'noretpoline_setup'; then
+ 						retpoline_compiler=1
+ 						retpoline_compiler_reason="noretpoline_setup found in kernel symbols"
+ 					fi
+-				elif grep -q noretpoline_setup "$kernel"; then
++				elif @grep@ -q noretpoline_setup "$kernel"; then
+ 					# if we don't have nm, nevermind, the symbol name is long enough to not have
+ 					# any false positive using good old grep directly on the binary
+ 					retpoline_compiler=1
+@@ -3997,7 +3997,7 @@ check_CVE_2017_5715_linux()
+ 		retp_enabled=-1
+ 		if [ "$opt_live" = 1 ]; then
+ 			if [ -e "$specex_knob_dir/retp_enabled" ]; then
+-				retp_enabled=$(cat "$specex_knob_dir/retp_enabled" 2>/dev/null)
++				retp_enabled=$(@cat@ "$specex_knob_dir/retp_enabled" 2>/dev/null)
+ 				_debug "retpoline: found $specex_knob_dir/retp_enabled=$retp_enabled"
+ 				_info_nol "    * Retpoline is enabled: "
+ 				if [ "$retp_enabled" = 1 ]; then
+@@ -4027,7 +4027,7 @@ check_CVE_2017_5715_linux()
+ 			rsb_filling=0
+ 			if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then
+ 				# if we're live and we aren't denied looking into /sys, let's do it
+-				if echo "$msg" | grep -qw RSB; then
++				if echo "$msg" | @grep@ -qw RSB; then
+ 					rsb_filling=1
+ 					pstatus green YES
+ 				fi
+@@ -4036,7 +4036,7 @@ check_CVE_2017_5715_linux()
+ 				if [ -n "$kernel_err" ]; then
+ 					pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ 				else
+-					if grep -qw -e 'Filling RSB on context switch' "$kernel"; then
++					if @grep@ -qw -e 'Filling RSB on context switch' "$kernel"; then
+ 						rsb_filling=1
+ 						pstatus green YES
+ 					else
+@@ -4198,7 +4198,7 @@ check_CVE_2017_5715_bsd()
+ {
+ 	_info     "* Mitigation 1"
+ 	_info_nol "  * Kernel supports IBRS: "
+-	ibrs_disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null)
++	ibrs_disabled=$(@sysctl@ -n hw.ibrs_disable 2>/dev/null)
+ 	if [ -z "$ibrs_disabled" ]; then
+ 		pstatus yellow NO
+ 	else
+@@ -4206,7 +4206,7 @@ check_CVE_2017_5715_bsd()
+ 	fi
+
+ 	_info_nol "  * IBRS enabled and active: "
+-	ibrs_active=$(sysctl -n hw.ibrs_active 2>/dev/null)
++	ibrs_active=$(@sysctl@ -n hw.ibrs_active 2>/dev/null)
+ 	if [ "$ibrs_active" = 1 ]; then
+ 		pstatus green YES
+ 	else
+@@ -4219,10 +4219,10 @@ check_CVE_2017_5715_bsd()
+ 	if [ -n "$kernel_err" ]; then
+ 		pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ 	else
+-		if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then
++		if ! command -v "@readelf@" >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the binutils package"
+ 		else
+-			nb_thunks=$("${opt_arch_prefix}readelf" -s "$kernel" | grep -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_)
++			nb_thunks=$("@readelf@" -s "$kernel" | @grep@ -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_)
+ 			if [ "$nb_thunks" -gt 0 ]; then
+ 				retpoline=1
+ 				pstatus green YES "found $nb_thunks thunk(s)"
+@@ -4263,7 +4263,7 @@ check_CVE_2017_5715_bsd()
+ pti_performance_check()
+ {
+ 	_info_nol "  * Reduced performance impact of PTI: "
+-	if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw pcid; then
++	if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pcid; then
+ 		cpu_pcid=1
+ 	else
+ 		read_cpuid 0x1 0x0 $ECX 17 1 1; ret=$?
+@@ -4272,7 +4272,7 @@ pti_performance_check()
+ 		fi
+ 	fi
+
+-	if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw invpcid; then
++	if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw invpcid; then
+ 		cpu_invpcid=1
+ 	else
+ 		read_cpuid 0x7 0x0 $EBX 10 1 1; ret=$?
+@@ -4297,7 +4297,7 @@ check_CVE_2017_5754()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2017_5754_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2017_5754_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -4319,7 +4319,7 @@ check_CVE_2017_5754_linux()
+ 		kpti_can_tell=0
+ 		if [ -n "$opt_config" ]; then
+ 			kpti_can_tell=1
+-			kpti_support=$(grep -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
++			kpti_support=$(@grep@ -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
+ 			if [ -n "$kpti_support" ]; then
+ 				_debug "kpti_support: found option '$kpti_support' in $opt_config"
+ 			fi
+@@ -4329,7 +4329,7 @@ check_CVE_2017_5754_linux()
+ 			# so we try to find an exported symbol that is part of the PTI patch in System.map
+ 			# parse_kpti: arm
+ 			kpti_can_tell=1
+-			kpti_support=$(grep -w -e kpti_force_enabled -e parse_kpti "$opt_map")
++			kpti_support=$(@grep@ -w -e kpti_force_enabled -e parse_kpti "$opt_map")
+ 			if [ -n "$kpti_support" ]; then
+ 				_debug "kpti_support: found '$kpti_support' in $opt_map"
+ 			fi
+@@ -4339,10 +4339,10 @@ check_CVE_2017_5754_linux()
+ 			# nopti option that is part of the patch (kernel command line option)
+ 			# 'kpti=': arm
+ 			kpti_can_tell=1
+-			if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++			if ! command -v "@strings@" >/dev/null 2>&1; then
+ 				pstatus yellow UNKNOWN "missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
+ 			else
+-				kpti_support=$("${opt_arch_prefix}strings" "$kernel" | grep -w -e nopti -e kpti=)
++				kpti_support=$("@strings@" "$kernel" | @grep@ -w -e nopti -e kpti=)
+ 				if [ -n "$kpti_support" ]; then
+ 					_debug "kpti_support: found '$kpti_support' in $kernel"
+ 				fi
+@@ -4369,20 +4369,20 @@ check_CVE_2017_5754_linux()
+ 			dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
+ 			# aarch64
+ 			dmesg_grep="$dmesg_grep|CPU features: detected( feature)?: Kernel page table isolation \(KPTI\)"
+-			if grep ^flags "$procfs/cpuinfo" | grep -qw pti; then
++			if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pti; then
+ 				# vanilla PTI patch sets the 'pti' flag in cpuinfo
+ 				_debug "kpti_enabled: found 'pti' flag in $procfs/cpuinfo"
+ 				kpti_enabled=1
+-			elif grep ^flags "$procfs/cpuinfo" | grep -qw kaiser; then
++			elif @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw kaiser; then
+ 				# kernel line 4.9 sets the 'kaiser' flag in cpuinfo
+ 				_debug "kpti_enabled: found 'kaiser' flag in $procfs/cpuinfo"
+ 				kpti_enabled=1
+ 			elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then
+ 				# Red Hat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
+-				kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
++				kpti_enabled=$(@cat@ /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
+ 				_debug "kpti_enabled: file /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled"
+ 			elif is_xen_dom0; then
+-				pti_xen_pv_domU=$(xl dmesg | grep 'XPTI' | grep 'DomU enabled' | head -1)
++				pti_xen_pv_domU=$(xl @dmesg@ | @grep@ 'XPTI' | @grep@ 'DomU enabled' | @head@ -1)
+
+ 				[ -n "$pti_xen_pv_domU" ] && kpti_enabled=1
+ 			fi
+@@ -4457,7 +4457,7 @@ check_CVE_2017_5754_linux()
+ 				if [ -n "$kpti_support" ]; then
+ 					if [ -e "/sys/kernel/debug/x86/pti_enabled" ]; then
+ 						explain "Your kernel supports PTI but it's disabled, you can enable it with \`echo 1 > /sys/kernel/debug/x86/pti_enabled\`"
+-					elif echo "$kernel_cmdline" | grep -q -w -e nopti -e pti=off; then
++					elif echo "$kernel_cmdline" | @grep@ -q -w -e nopti -e pti=off; then
+ 						explain "Your kernel supports PTI but it has been disabled on command-line, remove the nopti or pti=off option from your bootloader configuration"
+ 					else
+ 						explain "Your kernel supports PTI but it has been disabled, check \`dmesg\` right after boot to find clues why the system disabled it"
+@@ -4508,7 +4508,7 @@ check_CVE_2017_5754_linux()
+ check_CVE_2017_5754_bsd()
+ {
+ 	_info_nol "* Kernel supports Page Table Isolation (PTI): "
+-	kpti_enabled=$(sysctl -n vm.pmap.pti 2>/dev/null)
++	kpti_enabled=$(@sysctl@ -n vm.pmap.pti 2>/dev/null)
+ 	if [ -z "$kpti_enabled" ]; then
+ 		pstatus yellow NO
+ 	else
+@@ -4579,7 +4579,7 @@ check_CVE_2018_3639()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2018_3639_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2018_3639_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -4598,33 +4598,33 @@ check_CVE_2018_3639_linux()
+ 	if [ "$opt_sysfs_only" != 1 ]; then
+ 		_info_nol "* Kernel supports disabling speculative store bypass (SSB): "
+ 		if [ "$opt_live" = 1 ]; then
+-			if grep -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then
++			if @grep@ -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then
+ 				kernel_ssb="found in $procfs/self/status"
+ 				_debug "found Speculation.Store.Bypass: in $procfs/self/status"
+ 			fi
+ 		fi
+ 		# arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
+-		if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! grep -q 'arm64_sys_' "$kernel"; then
+-			kernel_ssb=$("${opt_arch_prefix}strings" "$kernel" | grep spec_store_bypass | head -n1);
++		if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! @grep@ -q 'arm64_sys_' "$kernel"; then
++			kernel_ssb=$("@strings@" "$kernel" | @grep@ spec_store_bypass | @head@ -n1);
+ 			[ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in kernel"
+ 		fi
+ 		# arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
+-		if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! grep -q 'arm64_sys_' "$opt_map"; then
+-			kernel_ssb=$(grep spec_store_bypass "$opt_map" | awk '{print $3}' | head -n1)
++		if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! @grep@ -q 'arm64_sys_' "$opt_map"; then
++			kernel_ssb=$(@grep@ spec_store_bypass "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
+ 			[ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
+ 		fi
+ 		# arm64 only:
+ 		if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ]; then
+-			kernel_ssb=$(grep -w cpu_enable_ssbs "$opt_map" | awk '{print $3}' | head -n1)
++			kernel_ssb=$(@grep@ -w cpu_enable_ssbs "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
+ 			[ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
+ 		fi
+ 		if [ -z "$kernel_ssb" ] && [ -n "$opt_config" ]; then
+-			kernel_ssb=$(grep -w 'CONFIG_ARM64_SSBD=y' "$opt_config")
++			kernel_ssb=$(@grep@ -w 'CONFIG_ARM64_SSBD=y' "$opt_config")
+ 			[ -n "$kernel_ssb" ] && kernel_ssb="CONFIG_ARM64_SSBD enabled in kconfig"
+ 		fi
+ 		if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then
+ 			# this string only appears in kernel if CONFIG_ARM64_SSBD is set
+-			kernel_ssb=$(grep -w "Speculative Store Bypassing Safe (SSBS)" "$kernel")
++			kernel_ssb=$(@grep@ -w "Speculative Store Bypassing Safe (SSBS)" "$kernel")
+ 			[ -n "$kernel_ssb" ] && kernel_ssb="found 'Speculative Store Bypassing Safe (SSBS)' in kernel"
+ 		fi
+ 		# /arm64 only
+@@ -4639,31 +4639,31 @@ check_CVE_2018_3639_linux()
+ 		if [ "$opt_live" = 1 ]; then
+ 			# https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340
+ 			_info_nol "* SSB mitigation is enabled and active: "
+-			if grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then
++			if @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then
+ 				kernel_ssbd_enabled=1
+ 				pstatus green YES "per-thread through prctl"
+-			elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then
++			elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then
+ 				kernel_ssbd_enabled=2
+ 				pstatus green YES "global"
+-			elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then
++			elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then
+ 				kernel_ssbd_enabled=0
+ 				pstatus yellow NO
+-			elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then
++			elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then
+ 				kernel_ssbd_enabled=-2
+ 				pstatus blue NO "not vulnerable"
+-			elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then
++			elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then
+ 				kernel_ssbd_enabled=0
+ 				pstatus blue NO
+ 			else
+-				pstatus blue UNKNOWN "unknown value: $(grep -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | cut -d: -f2-)"
++				pstatus blue UNKNOWN "unknown value: $(@grep@ -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | @cut@ -d: -f2-)"
+ 			fi
+
+ 			if [ "$kernel_ssbd_enabled" = 1 ]; then
+ 				_info_nol "* SSB mitigation currently active for selected processes: "
+ 				# silence grep's stderr here to avoid ENOENT errors from processes that have exited since the shell's expansion of the *
+-				mitigated_processes=$(find /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
+-					| xargs -r0 grep -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \
+-					| sed s/status/exe/ | xargs -r -n1 readlink -f 2>/dev/null | xargs -r -n1 basename | sort -u | tr "\n" " " | sed 's/ $//')
++				mitigated_processes=$(@find@ /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
++					| @xargs@ -r0 @grep@ -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \
++					| @sed@ s/status/exe/ | @xargs@ -r -n1 readlink -f 2>/dev/null | @xargs@ -r -n1 @basename@ | @sort@ -u | @tr@ "\n" " " | @sed@ 's/ $//')
+ 				if [ -n "$mitigated_processes" ]; then
+ 					pstatus green YES "$mitigated_processes"
+ 				else
+@@ -4715,7 +4715,7 @@ check_CVE_2018_3639_linux()
+ check_CVE_2018_3639_bsd()
+ {
+ 	_info_nol "* Kernel supports speculation store bypass: "
+-	if sysctl hw.spec_store_bypass_disable >/dev/null 2>&1; then
++	if @sysctl@ hw.spec_store_bypass_disable >/dev/null 2>&1; then
+ 		kernel_ssb=1
+ 		pstatus green YES
+ 	else
+@@ -4724,7 +4724,7 @@ check_CVE_2018_3639_bsd()
+ 	fi
+
+ 	_info_nol "* Speculation store bypass is administratively enabled: "
+-	ssb_enabled=$(sysctl -n hw.spec_store_bypass_disable 2>/dev/null)
++	ssb_enabled=$(@sysctl@ -n hw.spec_store_bypass_disable 2>/dev/null)
+ 	_debug "hw.spec_store_bypass_disable=$ssb_enabled"
+ 	case "$ssb_enabled" in
+ 		0) pstatus yellow NO "disabled";;
+@@ -4734,7 +4734,7 @@ check_CVE_2018_3639_bsd()
+ 	esac
+
+ 	_info_nol "* Speculation store bypass is currently active: "
+-	ssb_active=$(sysctl -n hw.spec_store_bypass_disable_active 2>/dev/null)
++	ssb_active=$(@sysctl@ -n hw.spec_store_bypass_disable_active 2>/dev/null)
+ 	_debug "hw.spec_store_bypass_disable_active=$ssb_active"
+ 	case "$ssb_active" in
+ 		1) pstatus green YES;;
+@@ -4806,7 +4806,7 @@ check_CVE_2018_3620()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2018_3620_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2018_3620_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -4824,14 +4824,14 @@ check_CVE_2018_3620_linux()
+ 	fi
+ 	if [ "$opt_sysfs_only" != 1 ]; then
+ 		_info_nol "* Kernel supports PTE inversion: "
+-		if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++		if ! command -v "@strings@" >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing 'strings' tool, please install it"
+ 			pteinv_supported=-1
+ 		elif [ -n "$kernel_err" ]; then
+ 			pstatus yellow UNKNOWN "$kernel_err"
+ 			pteinv_supported=-1
+ 		else
+-			if "${opt_arch_prefix}strings" "$kernel" | grep -Fq 'PTE Inversion'; then
++			if "@strings@" "$kernel" | @grep@ -Fq 'PTE Inversion'; then
+ 				pstatus green YES "found in kernel image"
+ 				_debug "pteinv: found pte inversion evidence in kernel image"
+ 				pteinv_supported=1
+@@ -4844,7 +4844,7 @@ check_CVE_2018_3620_linux()
+ 		_info_nol "* PTE inversion enabled and active: "
+ 		if [ "$opt_live" = 1 ]; then
+ 			if [ -n "$fullmsg" ]; then
+-				if echo "$fullmsg" | grep -q 'Mitigation: PTE Inversion'; then
++				if echo "$fullmsg" | @grep@ -q 'Mitigation: PTE Inversion'; then
+ 					pstatus green YES
+ 					pteinv_active=1
+ 				else
+@@ -4892,7 +4892,7 @@ check_CVE_2018_3620_bsd()
+ 	else
+ 		_debug "vmm module already loaded"
+ 	fi
+-	if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
++	if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
+ 		# https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
+ 		# this is very difficult to detect that the kernel reserved the 0 page, but this fix
+ 		# is part of the exact same patch than the other L1TF CVE, so we detect it
+@@ -4922,7 +4922,7 @@ check_CVE_2018_3646()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2018_3646_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2018_3646_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -4948,7 +4948,7 @@ check_CVE_2018_3646_linux()
+ 		if [ "$opt_live" = 1 ]; then
+ 			if ! [ -r /sys/module/kvm_intel/parameters/ept ]; then
+ 				pstatus blue N/A "the kvm_intel module is not loaded"
+-			elif [ "$(cat /sys/module/kvm_intel/parameters/ept)" = N ]; then
++			elif [ "$(@cat@ /sys/module/kvm_intel/parameters/ept)" = N ]; then
+ 				pstatus green YES
+ 				ept_disabled=1
+ 			else
+@@ -4960,15 +4960,15 @@ check_CVE_2018_3646_linux()
+
+ 		_info "* Mitigation 2"
+ 		_info_nol "  * L1D flush is supported by kernel: "
+-		if [ "$opt_live" = 1 ] && grep -qw flush_l1d "$procfs/cpuinfo"; then
++		if [ "$opt_live" = 1 ] && @grep@ -qw flush_l1d "$procfs/cpuinfo"; then
+ 			l1d_kernel="found flush_l1d in $procfs/cpuinfo"
+ 		fi
+ 		if [ -z "$l1d_kernel" ]; then
+-			if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++			if ! command -v "@strings@" >/dev/null 2>&1; then
+ 				l1d_kernel_err="missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
+ 			elif [ -n "$kernel_err" ]; then
+ 				l1d_kernel_err="$kernel_err"
+-			elif "${opt_arch_prefix}strings" "$kernel" | grep -qw flush_l1d; then
++			elif "@strings@" "$kernel" | @grep@ -qw flush_l1d; then
+ 				l1d_kernel='found flush_l1d in kernel image'
+ 			fi
+ 		fi
+@@ -4989,20 +4989,20 @@ check_CVE_2018_3646_linux()
+ 				# $l1dstatus is one of (auto|vulnerable|conditional cache flushes|cache flushes|EPT disabled|flush not necessary)
+ 				# $smtstatus is one of (vulnerable|disabled)
+ 				# can also just be "Not affected"
+-				if echo "$fullmsg" | grep -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then
++				if echo "$fullmsg" | @grep@ -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then
+ 					l1d_mode=0
+ 					pstatus yellow NO
+-				elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) conditional cache flushes'; then
++				elif echo "$fullmsg" | @grep@ -Eq '(VMX:|L1D) conditional cache flushes'; then
+ 					l1d_mode=1
+ 					pstatus green YES "conditional flushes"
+-				elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) cache flushes'; then
++				elif echo "$fullmsg" | @grep@ -Eq '(VMX:|L1D) cache flushes'; then
+ 					l1d_mode=2
+ 					pstatus green YES "unconditional flushes"
+ 				else
+ 					if is_xen_dom0; then
+-						l1d_xen_hardware=$(xl dmesg | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -1)
+-						l1d_xen_hypervisor=$(xl dmesg | grep 'Xen settings:' | grep 'L1D_FLUSH' | head -1)
+-						l1d_xen_pv_domU=$(xl dmesg | grep 'PV L1TF shadowing:' | grep 'DomU enabled' | head -1)
++						l1d_xen_hardware=$(xl @dmesg@ | @grep@ 'Hardware features:' | @grep@ 'L1D_FLUSH' | @head@ -1)
++						l1d_xen_hypervisor=$(xl @dmesg@ | @grep@ 'Xen settings:' | @grep@ 'L1D_FLUSH' | @head@ -1)
++						l1d_xen_pv_domU=$(xl @dmesg@ | @grep@ 'PV L1TF shadowing:' | @grep@ 'DomU enabled' | @head@ -1)
+
+ 						if [ -n "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n "$l1d_xen_pv_domU" ]; then
+ 							l1d_mode=5
+@@ -5033,7 +5033,7 @@ check_CVE_2018_3646_linux()
+
+ 		_info_nol "  * Hardware-backed L1D flush supported: "
+ 		if [ "$opt_live" = 1 ]; then
+-			if grep -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then
++			if @grep@ -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then
+ 				pstatus green YES "performance impact of the mitigation will be greatly reduced"
+ 			else
+ 				pstatus blue NO "flush will be done in software, this is slower"
+@@ -5105,7 +5105,7 @@ check_CVE_2018_3646_linux()
+ check_CVE_2018_3646_bsd()
+ {
+ 	_info_nol "* Kernel supports L1D flushing: "
+-	if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
++	if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
+ 		pstatus green YES
+ 		kernel_l1d_supported=1
+ 	else
+@@ -5114,7 +5114,7 @@ check_CVE_2018_3646_bsd()
+ 	fi
+
+ 	_info_nol "* L1D flushing is enabled: "
+-	kernel_l1d_enabled=$(sysctl -n hw.vmm.vmx.l1d_flush 2>/dev/null)
++	kernel_l1d_enabled=$(@sysctl@ -n hw.vmm.vmx.l1d_flush 2>/dev/null)
+ 	case "$kernel_l1d_enabled" in
+ 		0) pstatus yellow NO;;
+ 		1) pstatus green YES;;
+@@ -5168,7 +5168,7 @@ check_CVE_2018_12127()
+ ###################
+ # MDSUM SECTION
+
+-# Microarchitectural Data Sampling Uncacheable Memory
++# Microarchitectural Data Sampling Uncacheable Memory
+ check_CVE_2019_11091()
+ {
+ 	cve='CVE-2019-11091'
+@@ -5182,7 +5182,7 @@ check_mds()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_mds_linux "$cve"
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_mds_bsd "$cve"
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -5193,7 +5193,7 @@ check_mds_bsd()
+ {
+ 	_info_nol "* Kernel supports using MD_CLEAR mitigation: "
+ 	if [ "$opt_live" = 1 ]; then
+-		if sysctl hw.mds_disable >/dev/null 2>&1; then
++		if @sysctl@ hw.mds_disable >/dev/null 2>&1; then
+ 			pstatus green YES
+ 			kernel_md_clear=1
+ 		else
+@@ -5201,7 +5201,7 @@ check_mds_bsd()
+ 			kernel_md_clear=0
+ 		fi
+ 	else
+-		if grep -Fq hw.mds_disable $opt_kernel; then
++		if @grep@ -Fq hw.mds_disable $opt_kernel; then
+ 			pstatus green YES
+ 			kernel_md_clear=1
+ 		else
+@@ -5211,8 +5211,8 @@ check_mds_bsd()
+ 	fi
+
+ 	_info_nol "* CPU Hyper-Threading (SMT) is disabled: "
+-	if sysctl machdep.hyperthreading_allowed >/dev/null 2>&1; then
+-		kernel_smt_allowed=$(sysctl -n machdep.hyperthreading_allowed 2>/dev/null)
++	if @sysctl@ machdep.hyperthreading_allowed >/dev/null 2>&1; then
++		kernel_smt_allowed=$(@sysctl@ -n machdep.hyperthreading_allowed 2>/dev/null)
+ 		if [ "$kernel_smt_allowed" = 1 ]; then
+ 			pstatus yellow NO
+ 		else
+@@ -5224,7 +5224,7 @@ check_mds_bsd()
+
+ 	_info_nol "* Kernel mitigation is enabled: "
+ 	if [ "$kernel_md_clear" = 1 ]; then
+-		kernel_mds_enabled=$(sysctl -n hw.mds_disable 2>/dev/null)
++		kernel_mds_enabled=$(@sysctl@ -n hw.mds_disable 2>/dev/null)
+ 	else
+ 		kernel_mds_enabled=0
+ 	fi
+@@ -5238,7 +5238,7 @@ check_mds_bsd()
+
+ 	_info_nol "* Kernel mitigation is active: "
+ 	if [ "$kernel_md_clear" = 1 ]; then
+-		kernel_mds_state=$(sysctl -n hw.mds_disable_state 2>/dev/null)
++		kernel_mds_state=$(@sysctl@ -n hw.mds_disable_state 2>/dev/null)
+ 	else
+ 		kernel_mds_state=inactive
+ 	fi
+@@ -5296,16 +5296,16 @@ check_mds_linux()
+ 		_info_nol "* Kernel supports using MD_CLEAR mitigation: "
+ 		kernel_md_clear=''
+ 		kernel_md_clear_can_tell=1
+-		if [ "$opt_live" = 1 ] && grep ^flags "$procfs/cpuinfo" | grep -qw md_clear; then
++		if [ "$opt_live" = 1 ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw md_clear; then
+ 			kernel_md_clear="md_clear found in $procfs/cpuinfo"
+ 			pstatus green YES "$kernel_md_clear"
+ 		fi
+ 		if [ -z "$kernel_md_clear" ]; then
+-			if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++			if ! command -v "@strings@" >/dev/null 2>&1; then
+ 				kernel_md_clear_can_tell=0
+ 			elif [ -n "$kernel_err" ]; then
+ 				kernel_md_clear_can_tell=0
+-			elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'Clear CPU buffers'; then
++			elif "@strings@" "$kernel" | @grep@ -q 'Clear CPU buffers'; then
+ 				_debug "md_clear: found 'Clear CPU buffers' string in kernel image"
+ 				kernel_md_clear='found md_clear implementation evidence in kernel image'
+ 				pstatus green YES "$kernel_md_clear"
+@@ -5321,7 +5321,7 @@ check_mds_linux()
+
+ 		if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then
+ 			_info_nol "* Kernel mitigation is enabled and active: "
+-			if echo "$fullmsg" | grep -qi ^mitigation; then
++			if echo "$fullmsg" | @grep@ -qi ^mitigation; then
+ 				mds_mitigated=1
+ 				pstatus green YES
+ 			else
+@@ -5329,7 +5329,7 @@ check_mds_linux()
+ 				pstatus yellow NO
+ 			fi
+ 			_info_nol "* SMT is either mitigated or disabled: "
+-			if echo "$fullmsg" | grep -Eq 'SMT (disabled|mitigated)'; then
++			if echo "$fullmsg" | @grep@ -Eq 'SMT (disabled|mitigated)'; then
+ 				mds_smt_mitigated=1
+ 				pstatus green YES
+ 			else
+@@ -5415,7 +5415,7 @@ check_CVE_2019_11135()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2019_11135_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2019_11135_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -5436,7 +5436,7 @@ check_CVE_2019_11135_linux()
+ 		kernel_taa=''
+ 		if [ -n "$kernel_err" ]; then
+ 			kernel_taa_err="$kernel_err"
+-		elif grep -q 'tsx_async_abort' "$kernel"; then
++		elif @grep@ -q 'tsx_async_abort' "$kernel"; then
+ 			kernel_taa="found tsx_async_abort in kernel image"
+ 		fi
+ 		if [ -n "$kernel_taa" ]; then
+@@ -5450,7 +5450,7 @@ check_CVE_2019_11135_linux()
+ 		_info_nol "* TAA mitigation enabled and active: "
+ 		if [ "$opt_live" = 1 ]; then
+ 			if [ -n "$fullmsg" ]; then
+-				if echo "$fullmsg" | grep -qE '^Mitigation'; then
++				if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then
+ 					pstatus green YES "$fullmsg"
+ 				else
+ 					pstatus yellow NO
+@@ -5485,9 +5485,9 @@ check_CVE_2019_11135_linux()
+ 	else
+ 		if [ "$opt_paranoid" = 1 ]; then
+ 			# in paranoid mode, TSX or SMT enabled are not OK, even if TAA is mitigated
+-			if ! echo "$fullmsg" | grep -qF 'TSX disabled'; then
++			if ! echo "$fullmsg" | @grep@ -qF 'TSX disabled'; then
+ 				pvulnstatus $cve VULN "TSX must be disabled for full mitigation"
+-			elif echo "$fullmsg" | grep -qF 'SMT vulnerable'; then
++			elif echo "$fullmsg" | @grep@ -qF 'SMT vulnerable'; then
+ 				pvulnstatus $cve VULN "SMT (HyperThreading) must be disabled for full mitigation"
+ 			else
+ 				pvulnstatus $cve "$status" "$msg"
+@@ -5517,7 +5517,7 @@ check_CVE_2018_12207()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2018_12207_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2018_12207_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -5541,7 +5541,7 @@ check_CVE_2018_12207_linux()
+ 		if [ -n "$kernel_err" ]; then
+ 			kernel_itlbmh_err="$kernel_err"
+ 		# commit 5219505fcbb640e273a0d51c19c38de0100ec5a9
+-		elif grep -q 'itlb_multihit' "$kernel"; then
++		elif @grep@ -q 'itlb_multihit' "$kernel"; then
+ 			kernel_itlbmh="found itlb_multihit in kernel image"
+ 		fi
+ 		if [ -n "$kernel_itlbmh" ]; then
+@@ -5555,7 +5555,7 @@ check_CVE_2018_12207_linux()
+ 		_info_nol "* iTLB Multihit mitigation enabled and active: "
+ 		if [ "$opt_live" = 1 ]; then
+ 			if [ -n "$fullmsg" ]; then
+-				if echo "$fullmsg" | grep -qF 'Mitigation'; then
++				if echo "$fullmsg" | @grep@ -qF 'Mitigation'; then
+ 					pstatus green YES "$fullmsg"
+ 				else
+ 					pstatus yellow NO
+@@ -5597,7 +5597,7 @@ check_CVE_2018_12207_linux()
+ check_CVE_2018_12207_bsd()
+ {
+ 	_info_nol "* Kernel supports disabling superpages for executable mappings under EPT: "
+-	kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept 2>/dev/null)
++	kernel_2m_x_ept=$(@sysctl@ -n vm.pmap.allow_2m_x_ept 2>/dev/null)
+ 	if [ -z "$kernel_2m_x_ept" ]; then
+ 		pstatus yellow NO
+ 	else
+@@ -5634,7 +5634,7 @@ check_CVE_2020_0543()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2020_0543_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2020_0543_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -5655,7 +5655,7 @@ check_CVE_2020_0543_linux()
+ 		kernel_srbds=''
+ 		if [ -n "$kernel_err" ]; then
+ 			kernel_srbds_err="$kernel_err"
+-		elif grep -q 'Dependent on hypervisor' "$kernel"; then
++		elif @grep@ -q 'Dependent on hypervisor' "$kernel"; then
+ 			kernel_srbds="found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation"
+ 		fi
+ 		if [ -n "$kernel_srbds" ]; then
+@@ -5668,7 +5668,7 @@ check_CVE_2020_0543_linux()
+ 		_info_nol "* SRBDS mitigation control is enabled and active: "
+ 		if [ "$opt_live" = 1 ]; then
+ 			if [ -n "$fullmsg" ]; then
+-				if echo "$fullmsg" | grep -qE '^Mitigation'; then
++				if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then
+ 					pstatus green YES "$fullmsg"
+ 				else
+ 					pstatus yellow NO
+@@ -5758,8 +5758,8 @@ fi
+ # now run the checks the user asked for
+ for cve in $supported_cve_list
+ do
+-	if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | grep -qw "$cve"; then
+-		check_"$(echo "$cve" | tr - _)"
++	if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | @grep@ -qw "$cve"; then
++		check_"$(echo "$cve" | @tr@ - _)"
+ 		_info
+ 	fi
+ done
+@@ -5773,17 +5773,17 @@ if [ "$bad_accuracy" = 1 ]; then
+ 	_warn "We're missing some kernel info (see -v), accuracy might be reduced"
+ fi
+
+-_vars=$(set | grep -Ev '^[A-Z_[:space:]]' | grep -v -F 'mockme=' | sort | tr "\n" '|')
++_vars=$(set | @grep@ -Ev '^[A-Z_[:space:]]' | @grep@ -v -F 'mockme=' | @sort@ | @tr@ "\n" '|')
+ _debug "variables at end of script: $_vars"
+
+ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
+-	if command -v "gzip" >/dev/null 2>&1; then
++	if command -v "@gzip@" >/dev/null 2>&1; then
+ 		# not a useless use of cat: gzipping cpuinfo directly doesn't work well
+ 		# shellcheck disable=SC2002
+-		if command -v "base64" >/dev/null 2>&1; then
+-			mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | base64 -w0)"
+-		elif command -v "uuencode" >/dev/null 2>&1; then
+-			mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | uuencode -m - | grep -Fv 'begin-base64' | grep -Fxv -- '====' | tr -d "\n")"
++		if command -v "@base64@" >/dev/null 2>&1; then
++			mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @base64@ -w0)"
++		elif command -v "@uuencode@" >/dev/null 2>&1; then
++			mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @uuencode@ -m - | @grep@ -Fv 'begin-base64' | @grep@ -Fxv -- '====' | @tr@ -d "\n")"
+ 		fi
+ 	fi
+ 	if [ -n "$mock_cpuinfo" ]; then
+@@ -5792,7 +5792,7 @@ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
+ 	fi
+ 	_info ""
+ 	# shellcheck disable=SC2046
+-	_warn "To mock this CPU, set those vars: "$(echo "$mockme" | sort -u)
++	_warn "To mock this CPU, set those vars: "$(echo "$mockme" | @sort@ -u)
+ fi
+
+ if [ "$opt_explain" = 0 ]; then
+--
+2.38.1
+
diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
new file mode 100644
index 0000000000..afec52b418
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
@@ -0,0 +1,26 @@
+From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 5 Nov 2022 23:22:31 +0800
+Subject: [PATCH] Add support for Guix System kernel.
+
+---
+ spectre-meltdown-checker.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 248a444..855a090 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
+ 		[ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
+ 		# NixOS:
+ 		[ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
++		# Guix System:
++		[ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ 		# systemd kernel-install:
+ 		[ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
+ 		# Clear Linux:
+
+base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
+--
+2.38.0

base-commit: 70df5c47a89f4f353a1df94467581a0f0da599a4
--
2.38.1




^ permalink raw reply related	[flat|nested] 12+ messages in thread

* [bug#59053] [PATCH v2] gnu: Add spectre-meltdown-checker.
  2022-11-11 11:10   ` [bug#59053] [PATCH v2] " Hilton Chain via Guix-patches via
@ 2022-11-11 15:13     ` Liliana Marie Prikler
  2022-11-12 12:14       ` [bug#59053] [PATCH v3] " Hilton Chain via Guix-patches via
  0 siblings, 1 reply; 12+ messages in thread
From: Liliana Marie Prikler @ 2022-11-11 15:13 UTC (permalink / raw)
  To: Hilton Chain; +Cc: 59053

Hi,

Am Freitag, dem 11.11.2022 um 19:10 +0800 schrieb Hilton Chain:
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-
> substitution.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch:
> New file.
> * gnu/local.mk (dist_patch_DATA): Add patches.
> ---
> v1 -> v2:
> 
>  gnu/local.mk                                  |    3 +
>  gnu/packages/linux.scm                        |   53 +
>  ...ker-remove-builtin-firmware-database.patch |  554 +++++
>  ...cker-stage-commands-for-substitution.patch | 1947
> +++++++++++++++++
>  ...n-checker-support-guix-system-kernel.patch |   26 +
>  5 files changed, 2583 insertions(+)
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> remove-builtin-firmware-database.patch
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> stage-commands-for-substitution.patch
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
> 
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 27b31ea27f..d518cd8641 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1851,6 +1851,9 @@ dist_patch_DATA
> =                                         \
>    %D%/packages/patches/syslinux-strip-gnu-property.patch       \
>    %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch      \
>    %D%/packages/patches/snappy-add-inline-for-GCC.patch         \
> +  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
> +  %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-
> substitution.patch \
> +  %D%/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch \
>    %D%/packages/patches/sphinxbase-fix-doxygen.patch            \
>    %D%/packages/patches/spice-vdagent-glib-2.68.patch           \
>    %D%/packages/patches/sssd-optional-systemd.patch             \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index 2c06269504..5a0d55833a 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9595,3 +9595,56 @@ (define-public edac-utils
>  error detection and correction (EDAC).")
>      (home-page "https://github.com/grondo/edac-utils")
>      (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> +  (package
> +    (name "spectre-meltdown-checker")
> +    (version "0.45")
> +    (source (origin
> +              (method git-fetch)
> +              (uri (git-reference
> +                    (url
> "https://github.com/speed47/spectre-meltdown-checker")
> +                    (commit (string-append "v" version))))
> +              (file-name (git-file-name name version))
> +              (patches
> +               (search-patches
> +                ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> +                "spectre-meltdown-checker-support-guix-system-
> kernel.patch"
> +                ;; NOTE: Update these patches when updating.
> +                "spectre-meltdown-checker-stage-commands-for-
> substitution.patch"
> +                "spectre-meltdown-checker-remove-builtin-firmware-
> database.patch"))
> +              (sha256
> +               (base32
> +               
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> +    (build-system copy-build-system)
> +    (arguments
> +     (list #:install-plan
> +           #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> +           #:phases
> +           #~(modify-phases %standard-phases
> +               (add-after 'unpack 'fixpath
> +                 (lambda* (#:key inputs #:allow-other-keys)
> +                   (substitute* "spectre-meltdown-checker.sh"
> +                     (("@sysctl@") (search-input-file inputs
> "/sbin/sysctl"))
> +                     (("@([a-z0-9]*)@" _ m _)
> +                      (search-input-file inputs (string-append
> "/bin/" m)))))))))
I'd prefer "command" instead of m as a variable name here.
> +    (inputs
> +     (list binutils
> +           coreutils
> +           grep
> +           kmod
> +           lz4
> +           lzop
> +           perl
> +           procps
> +           sharutils
> +           util-linux
> +           which
> +           zstd))
> +    (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> +    (synopsis "CPU vulnerability / mitigation checker")
> +    (description
> +     "This package provides a shell script to assess your system's
> resilience
> +against the several transient execution CVEs that were published
> since early
> +2018, and give you guidance as to how to mitigate them.")
> +    (license license:gpl3)))
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-
> builtin-firmware-database.patch b/gnu/packages/patches/spectre-
> meltdown-checker-remove-builtin-firmware-database.patch
> new file mode 100644
> index 0000000000..e926551550
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch
> @@ -0,0 +1,554 @@
> +From ac4bb2e61e4e8d195d560014816e107b315817ff Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Fri, 11 Nov 2022 18:55:25 +0800
> +Subject: [PATCH 2/2] Remove builtin firmware database.
> +
> +---
> + spectre-meltdown-checker.sh | 477 ++-------------------------------
> ---
> + 1 file changed, 27 insertions(+), 450 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 82cf1b6..79c4bb7 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -95,7 +95,6 @@ show_usage()
> +               --cpu [#,all]           interact with CPUID and MSR
> of CPU core number #, or all (default: CPU core 0)
> +               --update-fwdb           update our local copy of the
> CPU microcodes versions database (using the awesome
> +                                       MCExtractor project and the
> Intel firmwares GitHub repository)
> +-              --update-builtin-fwdb   same as --update-fwdb but
> update builtin DB inside the script itself
> +               --dump-mock-data        used to mimick a CPU on an
> other system, mainly used to help debugging this script
> +
> +       Return codes:
> +@@ -853,9 +852,9 @@ update_fwdb()
> +       mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)"
> +       mcedb_url='
> https://github.com/platomav/MCExtractor/raw/master/MCE.db'
> +       _info_nol "Fetching MCE.db from the MCExtractor project... "
> +-      if command -v wget >/dev/null 2>&1; then
> +-              wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
> +-      elif command -v curl >/dev/null 2>&1; then
> ++      # if command -v wget >/dev/null 2>&1; then
> ++      #       wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
> ++      if command -v curl >/dev/null 2>&1; then
> +               curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
> +       elif command -v fetch >/dev/null 2>&1; then
> +               fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
The curl line and fetch line do the same thing as the wget line. 
Prefer removal over commenting.
> +@@ -874,9 +873,9 @@ update_fwdb()
> +       intel_url="
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-
> Files/archive/main.zip"
> +       _info_nol "Fetching Intel firmwares... "
> +       ##
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
> +-      if command -v wget >/dev/null 2>&1; then
> +-              wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
> +-      elif command -v curl >/dev/null 2>&1; then
> ++      # if command -v wget >/dev/null 2>&1; then
> ++      #       wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
> ++      if command -v curl >/dev/null 2>&1; then
> +               curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
> +       elif command -v fetch >/dev/null 2>&1; then
> +               fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
Same here.
> +@@ -969,13 +968,13 @@ update_fwdb()
> +       } > "$mcedb_cache"
> +       echo DONE "(version $dbversion)"
> +
> +-      if [ "$1" = builtin ]; then
> +-              newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
> +-              @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" >
> "$newfile"
> +-              @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >>
> "$newfile"
> +-              @cat@ "$newfile" > "$0"
> +-              @rm@ -f "$newfile"
> +-      fi
> ++      # if [ "$1" = builtin ]; then
> ++      #       newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
> ++      #       @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" >
> "$newfile"
> ++      #       @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >>
> "$newfile"
> ++      #       @cat@ "$newfile" > "$0"
> ++      #       @rm@ -f "$newfile"
> ++      # fi
This time, it seems completely removed, but still prefer removal over
commenting.
> + }
> +
> + parse_opt_file()
> +@@ -1070,9 +1069,9 @@ while [ -n "${1:-}" ]; do
> +       elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb"
> ]; then
> +               update_fwdb
> +               exit $?
> +-      elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--
> update-builtin-mcedb" ]; then
> +-              update_fwdb builtin
> +-              exit $?
> ++      # elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--
> update-builtin-mcedb" ]; then
> ++      #       update_fwdb builtin
> ++      #       exit $?
> +       elif [ "$1" = "--dump-mock-data" ]; then
> +               opt_mock=1
> +               shift
> +@@ -2033,22 +2032,22 @@ is_xen_domU()
> +       fi
> + }
> +
> +-builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
> ++# builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
> + if [ -r "$mcedb_cache" ]; then
> +       # we have a local cache file, but it might be older than the
> builtin version we have
> +       local_dbversion=$(  @awk@ '/^# %%% MCEDB / { print $4 }'
> "$mcedb_cache")
> +       # sort -V sorts by version number
> +-      older_dbversion=$(printf "%b\n%b" "$local_dbversion"
> "$builtin_dbversion" | @sort@ -V | @head@ -n1)
> +-      if [ "$older_dbversion" = "$builtin_dbversion" ]; then
> ++      # older_dbversion=$(printf "%b\n%b" "$local_dbversion"
> "$builtin_dbversion" | @sort@ -V | @head@ -n1)
> ++      # if [ "$older_dbversion" = "$builtin_dbversion" ]; then
> +               mcedb_source="$mcedb_cache"
> +               mcedb_info="local firmwares DB $local_dbversion"
> +-      fi
> ++      # fi
> + fi
> + # if mcedb_source is not set, either we don't have a local cached
> db, or it is older than the builtin db
> +-if [ -z "${mcedb_source:-}" ]; then
> +-      mcedb_source="$0"
> +-      mcedb_info="builtin firmwares DB $builtin_dbversion"
> +-fi
> ++# if [ -z "${mcedb_source:-}" ]; then
> ++#     mcedb_source="$0"
> ++#     mcedb_info="builtin firmwares DB $builtin_dbversion"
> ++# fi
I'm not sure whether this is correctly patched.
> + read_mcedb()
> + {
> +       @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / {
> DELIM=1 }' "$mcedb_source"
> +@@ -2070,6 +2069,9 @@ is_latest_known_ucode()
> +       else
> +               return 2
> +       fi
> ++      if [ -z "$mcedb_source" ]; then
> ++              return 2
> ++      fi
Here neither, what does the return 2 above do?
> +       for tuple in $(read_mcedb | @grep@ "$(printf
> "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
> +       do
> +               ucode=$((  $(echo "$tuple" | @cut@ -d, -f3) ))
> +@@ -5833,428 +5835,3 @@ fi
> + [ "$global_critical" = 1 ] && exit 2  # critical
> + [ "$global_unknown"  = 1 ] && exit 3  # unknown
> + exit 0  # ok
> +-
> +-# We're using MCE.db from the excellent platomav's MCExtractor
> project
> +-# The builtin version follows, but the user can download an up-to-
> date copy (to be stored in his $HOME) by using --update-fwdb
> +-# To update the builtin version itself (by *modifying* this very
> file), use --update-builtin-fwdb
> +-
Can we remove this builtin version without a patch, i.e. a snippet?
I think that doing so would be more robust than keeping the patch up to
date.
> +-# %%% MCEDB v222+i20220208
> +-# I,0x00000611,0x00000B27,19961218
> +-# I,0x00000612,0x000000C6,19961210
> +-# I,0x00000616,0x000000C6,19961210
> +-# I,0x00000617,0x000000C6,19961210
> +-# I,0x00000619,0x000000D2,19980218
> +-# I,0x00000630,0x00000013,19960827
> +-# I,0x00000632,0x00000020,19960903
> +-# I,0x00000633,0x00000036,19980923
> +-# I,0x00000634,0x00000037,19980923
> +-# I,0x00000650,0x00000045,19990525
> +-# I,0x00000651,0x00000042,19990525
> +-# I,0x00000652,0x0000002D,19990518
> +-# I,0x00000653,0x00000010,19990628
> +-# I,0x00000660,0x0000000A,19990505
> +-# I,0x00000665,0x00000003,19990505
> +-# I,0x0000066A,0x0000000D,19990505
> +-# I,0x0000066D,0x00000007,19990505
> +-# I,0x00000670,0x00000007,19980602
> +-# I,0x00000671,0x00000014,19980811
> +-# I,0x00000672,0x00000038,19990922
> +-# I,0x00000673,0x0000002E,19990910
> +-# I,0x00000680,0x00000017,19990610
> +-# I,0x00000681,0x00000014,19991209
> +-# I,0x00000683,0x00000014,20010206
> +-# I,0x00000686,0x00000008,20000505
> +-# I,0x0000068A,0x00000005,20001207
> +-# I,0x00000690,0x00000004,20000206
> +-# I,0x00000691,0x00000001,20020527
> +-# I,0x00000692,0x00000001,20020620
> +-# I,0x00000694,0x00000002,20020926
> +-# I,0x00000695,0x00000047,20041109
> +-# I,0x00000696,0x00000001,20000707
> +-# I,0x000006A0,0x00000003,20000110
> +-# I,0x000006A1,0x00000001,20000306
> +-# I,0x000006A4,0x00000001,20000616
> +-# I,0x000006B0,0x0000001A,20010129
> +-# I,0x000006B1,0x0000001D,20010220
> +-# I,0x000006B4,0x00000002,20020111
> +-# I,0x000006D0,0x00000006,20030522
> +-# I,0x000006D1,0x00000009,20030709
> +-# I,0x000006D2,0x00000010,20030814
> +-# I,0x000006D6,0x00000018,20041017
> +-# I,0x000006D8,0x00000021,20060831
> +-# I,0x000006E0,0x00000008,20050215
> +-# I,0x000006E1,0x0000000C,20050413
> +-# I,0x000006E4,0x00000026,20050816
> +-# I,0x000006E8,0x0000003C,20060208
> +-# I,0x000006EC,0x0000005B,20070208
> +-# I,0x000006F0,0x00000005,20050818
> +-# I,0x000006F1,0x00000012,20051129
> +-# I,0x000006F2,0x0000005D,20101002
> +-# I,0x000006F4,0x00000028,20060417
> +-# I,0x000006F5,0x00000039,20060727
> +-# I,0x000006F6,0x000000D2,20101001
> +-# I,0x000006F7,0x0000006B,20101002
> +-# I,0x000006F9,0x00000084,20061012
> +-# I,0x000006FA,0x00000095,20101002
> +-# I,0x000006FB,0x000000C1,20111004
> +-# I,0x000006FD,0x000000A4,20101002
> +-# I,0x00000F00,0xFFFF0001,20000130
> +-# I,0x00000F01,0xFFFF0007,20000404
> +-# I,0x00000F02,0xFFFF000B,20000518
> +-# I,0x00000F03,0xFFFF0001,20000518
> +-# I,0x00000F04,0xFFFF0010,20000803
> +-# I,0x00000F05,0x0000000C,20000824
> +-# I,0x00000F06,0x00000004,20000911
> +-# I,0x00000F07,0x00000012,20020716
> +-# I,0x00000F08,0x00000008,20001101
> +-# I,0x00000F09,0x00000008,20010104
> +-# I,0x00000F0A,0x00000015,20020821
> +-# I,0x00000F11,0x0000000A,20030729
> +-# I,0x00000F12,0x0000002F,20030502
> +-# I,0x00000F13,0x00000005,20030508
> +-# I,0x00000F20,0x00000001,20010423
> +-# I,0x00000F21,0x00000003,20010529
> +-# I,0x00000F22,0x00000005,20030729
> +-# I,0x00000F23,0x0000000D,20010817
> +-# I,0x00000F24,0x00000021,20030610
> +-# I,0x00000F25,0x0000002C,20040826
> +-# I,0x00000F26,0x00000010,20040805
> +-# I,0x00000F27,0x00000039,20030604
> +-# I,0x00000F29,0x0000002F,20040811
> +-# I,0x00000F30,0x00000013,20030815
> +-# I,0x00000F31,0x0000000B,20031021
> +-# I,0x00000F32,0x0000000A,20040511
> +-# I,0x00000F33,0x0000000C,20050421
> +-# I,0x00000F34,0x00000017,20050421
> +-# I,0x00000F36,0x00000007,20040309
> +-# I,0x00000F37,0x00000003,20031218
> +-# I,0x00000F40,0x00000006,20040318
> +-# I,0x00000F41,0x00000017,20050422
> +-# I,0x00000F42,0x00000003,20050421
> +-# I,0x00000F43,0x00000005,20050421
> +-# I,0x00000F44,0x00000006,20050421
> +-# I,0x00000F46,0x00000004,20050411
> +-# I,0x00000F47,0x00000003,20050421
> +-# I,0x00000F48,0x0000000E,20080115
> +-# I,0x00000F49,0x00000003,20050421
> +-# I,0x00000F4A,0x00000004,20051214
> +-# I,0x00000F60,0x00000005,20050124
> +-# I,0x00000F61,0x00000008,20050610
> +-# I,0x00000F62,0x0000000F,20051215
> +-# I,0x00000F63,0x00000005,20051010
> +-# I,0x00000F64,0x00000004,20051223
> +-# I,0x00000F65,0x0000000B,20070510
> +-# I,0x00000F66,0x0000001B,20060310
> +-# I,0x00000F68,0x00000009,20060714
> +-# I,0x00001632,0x00000002,19980610
> +-# I,0x00010650,0x00000002,20060513
> +-# I,0x00010660,0x00000004,20060612
> +-# I,0x00010661,0x00000045,20101004
> +-# I,0x00010670,0x00000005,20070209
> +-# I,0x00010671,0x00000106,20070329
> +-# I,0x00010674,0x84050100,20070726
> +-# I,0x00010676,0x00000612,20150802
> +-# I,0x00010677,0x0000070D,20150802
> +-# I,0x0001067A,0x00000A0E,20150729
> +-# I,0x000106A0,0xFFFF001A,20071128
> +-# I,0x000106A1,0xFFFF000B,20080220
> +-# I,0x000106A2,0xFFFF0019,20080714
> +-# I,0x000106A4,0x00000013,20150630
> +-# I,0x000106A5,0x0000001D,20180511
> +-# I,0x000106C0,0x00000007,20070824
> +-# I,0x000106C1,0x00000109,20071203
> +-# I,0x000106C2,0x00000219,20090410
> +-# I,0x000106C9,0x00000007,20090213
> +-# I,0x000106CA,0x00000107,20090825
> +-# I,0x000106D0,0x00000005,20071204
> +-# I,0x000106D1,0x0000002A,20150803
> +-# I,0x000106E0,0xFFFF0022,20090116
> +-# I,0x000106E1,0xFFFF000D,20090206
> +-# I,0x000106E2,0xFFFF0011,20090924
> +-# I,0x000106E3,0xFFFF0011,20090512
> +-# I,0x000106E4,0x00000003,20130701
> +-# I,0x000106E5,0x0000000A,20180508
> +-# I,0x000106F0,0xFFFF0009,20090210
> +-# I,0x000106F1,0xFFFF0007,20090210
> +-# I,0x00020650,0xFFFF0008,20090218
> +-# I,0x00020651,0xFFFF0018,20090818
> +-# I,0x00020652,0x00000011,20180508
> +-# I,0x00020654,0xFFFF0007,20091124
> +-# I,0x00020655,0x00000007,20180423
> +-# I,0x00020661,0x00000105,20110718
> +-# I,0x000206A0,0x00000029,20091102
> +-# I,0x000206A1,0x00000007,20091223
> +-# I,0x000206A2,0x00000027,20100502
> +-# I,0x000206A3,0x00000009,20100609
> +-# I,0x000206A4,0x00000022,20100414
> +-# I,0x000206A5,0x00000007,20100722
> +-# I,0x000206A6,0x90030028,20100924
> +-# I,0x000206A7,0x0000002F,20190217
> +-# I,0x000206C0,0xFFFF001C,20091214
> +-# I,0x000206C1,0x00000006,20091222
> +-# I,0x000206C2,0x0000001F,20180508
> +-# I,0x000206D0,0x80000006,20100816
> +-# I,0x000206D1,0x80000106,20101201
> +-# I,0x000206D2,0xAF506958,20110714
> +-# I,0x000206D3,0xAF50696A,20110816
> +-# I,0x000206D5,0xAF5069E5,20120118
> +-# I,0x000206D6,0x00000621,20200304
> +-# I,0x000206D7,0x0000071A,20200324
> +-# I,0x000206E0,0xE3493401,20090108
> +-# I,0x000206E1,0xE3493402,20090224
> +-# I,0x000206E2,0xFFFF0004,20081001
> +-# I,0x000206E3,0xE4486547,20090701
> +-# I,0x000206E4,0xFFFF0008,20090619
> +-# I,0x000206E5,0xFFFF0018,20091215
> +-# I,0x000206E6,0x0000000D,20180515
> +-# I,0x000206F0,0x00000005,20100729
> +-# I,0x000206F1,0x00000008,20101013
> +-# I,0x000206F2,0x0000003B,20180516
> +-# I,0x00030650,0x00000009,20120118
> +-# I,0x00030651,0x00000110,20131014
> +-# I,0x00030660,0x00000003,20101103
> +-# I,0x00030661,0x0000010F,20150721
> +-# I,0x00030669,0x0000010D,20130515
> +-# I,0x00030671,0x00000117,20130410
> +-# I,0x00030672,0x0000022E,20140401
> +-# I,0x00030673,0x83290100,20190916
> +-# I,0x00030678,0x00000838,20190422
> +-# I,0x00030679,0x0000090D,20190710
> +-# I,0x000306A0,0x00000007,20110407
> +-# I,0x000306A2,0x0000000C,20110725
> +-# I,0x000306A4,0x00000007,20110908
> +-# I,0x000306A5,0x00000009,20111110
> +-# I,0x000306A6,0x00000004,20111114
> +-# I,0x000306A8,0x00000010,20120220
> +-# I,0x000306A9,0x00000021,20190213
> +-# I,0x000306C0,0xFFFF0013,20111110
> +-# I,0x000306C1,0xFFFF0014,20120725
> +-# I,0x000306C2,0xFFFF0006,20121017
> +-# I,0x000306C3,0x00000028,20191112
> +-# I,0x000306D1,0xFFFF0009,20131015
> +-# I,0x000306D2,0xFFFF0009,20131219
> +-# I,0x000306D3,0xE3121338,20140825
> +-# I,0x000306D4,0x0000002F,20191112
> +-# I,0x000306E0,0xE920080F,20121113
> +-# I,0x000306E2,0xE9220827,20130523
> +-# I,0x000306E3,0x00000308,20130321
> +-# I,0x000306E4,0x0000042E,20190314
> +-# I,0x000306E6,0x00000600,20130619
> +-# I,0x000306E7,0x00000715,20190314
> +-# I,0x000306F0,0xFFFF0017,20130730
> +-# I,0x000306F1,0xD141D629,20140416
> +-# I,0x000306F2,0x00000049,20210811
> +-# I,0x000306F3,0x0000000D,20160211
> +-# I,0x000306F4,0x0000001A,20210524
> +-# I,0x00040650,0xFFFF000B,20121206
> +-# I,0x00040651,0x00000026,20191112
> +-# I,0x00040660,0xFFFF0011,20121012
> +-# I,0x00040661,0x0000001C,20191112
> +-# I,0x00040670,0xFFFF0006,20140304
> +-# I,0x00040671,0x00000022,20191112
> +-# I,0x000406A0,0x80124001,20130521
> +-# I,0x000406A8,0x0000081F,20140812
> +-# I,0x000406A9,0x0000081F,20140812
> +-# I,0x000406C1,0x0000010B,20140814
> +-# I,0x000406C2,0x00000221,20150218
> +-# I,0x000406C3,0x00000368,20190423
> +-# I,0x000406C4,0x00000411,20190423
> +-# I,0x000406D0,0x0000000E,20130612
> +-# I,0x000406D8,0x0000012D,20190916
> +-# I,0x000406E1,0x00000020,20141111
> +-# I,0x000406E2,0x0000002C,20150521
> +-# I,0x000406E3,0x000000EC,20210428
> +-# I,0x000406E8,0x00000026,20160414
> +-# I,0x000406F0,0x00000014,20150702
> +-# I,0x000406F1,0x0B000040,20210519
> +-# I,0x00050650,0x8000002B,20160208
> +-# I,0x00050651,0x8000002B,20160208
> +-# I,0x00050652,0x80000037,20170502
> +-# I,0x00050653,0x0100015C,20210526
> +-# I,0x00050654,0x02006C0A,20210616
> +-# I,0x00050655,0x03000012,20190412
> +-# I,0x00050656,0x0400320A,20210813
> +-# I,0x00050657,0x0500320A,20210813
> +-# I,0x0005065A,0x86002302,20210416
> +-# I,0x0005065B,0x07002402,20210604
> +-# I,0x00050661,0xF1000008,20150130
> +-# I,0x00050662,0x0000001C,20190617
> +-# I,0x00050663,0x0700001C,20210612
> +-# I,0x00050664,0x0F00001A,20210612
> +-# I,0x00050665,0x0E000014,20210918
> +-# I,0x00050670,0xFFFF0030,20151113
> +-# I,0x00050671,0x000001B6,20180108
> +-# I,0x000506A0,0x00000038,20150112
> +-# I,0x000506C2,0x00000014,20180511
> +-# I,0x000506C8,0x90011010,20160323
> +-# I,0x000506C9,0x00000046,20210510
> +-# I,0x000506CA,0x00000022,20210622
> +-# I,0x000506D1,0x00000102,20150605
> +-# I,0x000506E0,0x00000018,20141119
> +-# I,0x000506E1,0x0000002A,20150602
> +-# I,0x000506E2,0x0000002E,20150815
> +-# I,0x000506E3,0x000000F0,20211112
> +-# I,0x000506E8,0x00000034,20160710
> +-# I,0x000506F0,0x00000010,20160607
> +-# I,0x000506F1,0x00000036,20210510
> +-# I,0x00060660,0x0000000C,20160821
> +-# I,0x00060661,0x0000000E,20170128
> +-# I,0x00060662,0x00000022,20171129
> +-# I,0x00060663,0x0000002A,20180417
> +-# I,0x000606A0,0x80000031,20200308
> +-# I,0x000606A4,0x0B000280,20200817
> +-# I,0x000606A5,0x0C0002F0,20210308
> +-# I,0x000606A6,0x0D000332,20211217
> +-# I,0x000606E0,0x0000000B,20161104
> +-# I,0x000606E1,0x00000108,20190423
> +-# I,0x000706A0,0x00000026,20170712
> +-# I,0x000706A1,0x00000038,20210510
> +-# I,0x000706A8,0x0000001C,20210510
> +-# I,0x000706E0,0x0000002C,20180614
> +-# I,0x000706E1,0x00000042,20190420
> +-# I,0x000706E2,0x00000042,20190420
> +-# I,0x000706E3,0x81000008,20181002
> +-# I,0x000706E4,0x00000046,20190905
> +-# I,0x000706E5,0x000000A8,20210526
> +-# I,0x00080650,0x00000018,20180108
> +-# I,0x00080664,0x0B00000F,20210217
> +-# I,0x00080665,0x0B00000F,20210217
> +-# I,0x000806A0,0x00000010,20190507
> +-# I,0x000806A1,0x0000002D,20210902
> +-# I,0x000806C0,0x00000068,20200402
> +-# I,0x000806C1,0x0000009C,20211026
> +-# I,0x000806C2,0x00000022,20210716
> +-# I,0x000806D0,0x00000050,20201217
> +-# I,0x000806D1,0x0000003C,20210716
> +-# I,0x000806E9,0x000000EC,20210428
> +-# I,0x000806EA,0x000000EC,20210428
> +-# I,0x000806EB,0x000000EC,20210428
> +-# I,0x000806EC,0x000000EC,20210428
> +-# I,0x00090660,0x00000009,20200617
> +-# I,0x00090661,0x00000015,20210921
> +-# I,0x00090670,0x00000019,20201111
> +-# I,0x00090671,0x0000001C,20210614
> +-# I,0x00090672,0x0000001F,20220303
> +-# I,0x00090674,0x00000219,20210425
> +-# I,0x00090675,0x0000001F,20220303
> +-# I,0x000906A0,0x0000001C,20210614
> +-# I,0x000906A1,0x0000011F,20211104
> +-# I,0x000906A2,0x00000315,20220102
> +-# I,0x000906A3,0x0000041B,20220308
> +-# I,0x000906A4,0x0000041B,20220308
> +-# I,0x000906C0,0x2400001F,20210809
> +-# I,0x000906E9,0x000000F0,20211112
> +-# I,0x000906EA,0x000000EC,20210428
> +-# I,0x000906EB,0x000000EC,20210428
> +-# I,0x000906EC,0x000000EC,20210428
> +-# I,0x000906ED,0x000000EC,20210428
> +-# I,0x000A0650,0x000000BE,20191010
> +-# I,0x000A0651,0x000000C2,20191113
> +-# I,0x000A0652,0x000000EC,20210428
> +-# I,0x000A0653,0x000000EC,20210428
> +-# I,0x000A0654,0x000000C6,20200123
> +-# I,0x000A0655,0x000000EE,20210428
> +-# I,0x000A0660,0x000000EA,20210428
> +-# I,0x000A0661,0x000000EC,20210429
> +-# I,0x000A0670,0x0000002C,20201124
> +-# I,0x000A0671,0x00000050,20210829
> +-# I,0x000A0680,0x80000002,20200121
> +-# I,0x000B0670,0x00000009,20211115
> +-# I,0x000B06F2,0x0000001F,20220303
> +-# I,0x000B06F5,0x0000001F,20220303
> +-# A,0x00000F00,0x02000008,20070614
> +-# A,0x00000F01,0x0000001C,20021031
> +-# A,0x00000F10,0x00000003,20020325
> +-# A,0x00000F11,0x0000001F,20030220
> +-# A,0x00000F48,0x00000046,20040719
> +-# A,0x00000F4A,0x00000047,20040719
> +-# A,0x00000F50,0x00000024,20021212
> +-# A,0x00000F51,0x00000025,20030115
> +-# A,0x00010F50,0x00000041,20040225
> +-# A,0x00020F10,0x0000004D,20050428
> +-# A,0x00040F01,0xC0012102,20050916
> +-# A,0x00040F0A,0x00000068,20060920
> +-# A,0x00040F13,0x0000007A,20080508
> +-# A,0x00040F14,0x00000062,20060127
> +-# A,0x00040F1B,0x0000006D,20060920
> +-# A,0x00040F33,0x0000007B,20080514
> +-# A,0x00060F80,0x00000083,20060929
> +-# A,0x000C0F1B,0x0000006E,20060921
> +-# A,0x000F0F00,0x00000005,20020627
> +-# A,0x000F0F01,0x00000015,20020627
> +-# A,0x00100F00,0x01000020,20070326
> +-# A,0x00100F20,0x010000CA,20100331
> +-# A,0x00100F22,0x010000C9,20100331
> +-# A,0x00100F40,0x01000085,20080501
> +-# A,0x00100F41,0x010000DB,20111024
> +-# A,0x00100F42,0x01000092,20081021
> +-# A,0x00100F43,0x010000C8,20100311
> +-# A,0x00100F62,0x010000C7,20100311
> +-# A,0x00100F80,0x010000DA,20111024
> +-# A,0x00100F81,0x010000D9,20111012
> +-# A,0x00100FA0,0x010000DC,20111024
> +-# A,0x00120F00,0x03000002,20100324
> +-# A,0x00200F30,0x02000018,20070921
> +-# A,0x00200F31,0x02000057,20080502
> +-# A,0x00200F32,0x02000034,20080307
> +-# A,0x00300F01,0x0300000E,20101004
> +-# A,0x00300F10,0x03000027,20111309
> +-# A,0x00500F00,0x0500000B,20100601
> +-# A,0x00500F01,0x0500001A,20100908
> +-# A,0x00500F10,0x05000029,20130121
> +-# A,0x00500F20,0x05000119,20130118
> +-# A,0x00580F00,0x0500000B,20100601
> +-# A,0x00580F01,0x0500001A,20100908
> +-# A,0x00580F10,0x05000028,20101124
> +-# A,0x00580F20,0x05000103,20110526
> +-# A,0x00600F00,0x06000017,20101029
> +-# A,0x00600F01,0x0600011F,20110227
> +-# A,0x00600F10,0x06000425,20110408
> +-# A,0x00600F11,0x0600050D,20110627
> +-# A,0x00600F12,0x0600063E,20180207
> +-# A,0x00600F20,0x06000852,20180206
> +-# A,0x00610F00,0x0600100E,20111102
> +-# A,0x00610F01,0x0600111F,20180305
> +-# A,0x00630F00,0x0600301C,20130817
> +-# A,0x00630F01,0x06003109,20180227
> +-# A,0x00660F00,0x06006012,20141014
> +-# A,0x00660F01,0x0600611A,20180126
> +-# A,0x00670F00,0x06006705,20180220
> +-# A,0x00680F00,0x06000017,20101029
> +-# A,0x00680F01,0x0600011F,20110227
> +-# A,0x00680F10,0x06000410,20110314
> +-# A,0x00690F00,0x06001009,20110613
> +-# A,0x00700F00,0x0700002A,20121218
> +-# A,0x00700F01,0x07000110,20180209
> +-# A,0x00730F00,0x07030009,20131206
> +-# A,0x00730F01,0x07030106,20180209
> +-# A,0x00800F00,0x0800002A,20161006
> +-# A,0x00800F10,0x0800100C,20170131
> +-# A,0x00800F11,0x08001138,20190204
> +-# A,0x00800F12,0x0800126E,20211111
> +-# A,0x00800F82,0x0800820D,20190416
> +-# A,0x00810F00,0x08100004,20161120
> +-# A,0x00810F10,0x08101016,20190430
> +-# A,0x00810F11,0x08101103,20190417
> +-# A,0x00810F80,0x08108002,20180605
> +-# A,0x00810F81,0x08108109,20190417
> +-# A,0x00820F00,0x08200002,20180214
> +-# A,0x00820F01,0x08200103,20190417
> +-# A,0x00830F00,0x08300027,20190401
> +-# A,0x00830F10,0x08301052,20211111
> +-# A,0x00850F00,0x08500004,20180212
> +-# A,0x00860F00,0x0860000E,20200127
> +-# A,0x00860F01,0x08600106,20200619
> +-# A,0x00860F81,0x08608103,20200702
> +-# A,0x00870F00,0x08700004,20181206
> +-# A,0x00870F10,0x08701021,20200125
> +-# A,0x00A00F00,0x0A000033,20200413
> +-# A,0x00A00F10,0x0A001053,20211217
> +-# A,0x00A00F11,0x0A00115D,20211119
> +-# A,0x00A00F12,0x0A001227,20211215
> +-# A,0x00A00F80,0x0A008003,20211015
> +-# A,0x00A00F82,0x0A008204,20211015
> +-# A,0x00A20F00,0x0A200025,20200121
> +-# A,0x00A20F10,0x0A201016,20210408
> +-# A,0x00A20F12,0x0A201205,20210719
> +-# A,0x00A50F00,0x0A50000C,20201208
> +--
> +2.38.1
> +
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage-
> commands-for-substitution.patch b/gnu/packages/patches/spectre-
> meltdown-checker-stage-commands-for-substitution.patch
> new file mode 100644
> index 0000000000..a2f13e4195
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-
> for-substitution.patch
> @@ -0,0 +1,1947 @@
> +From 4dc8ae01aec5a8a2aa2afc015603261d514620ae Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Fri, 11 Nov 2022 18:49:50 +0800
> +Subject: [PATCH 1/2] Stage commands for later substitution.
> +
> +awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find,
> getent,
> +grep, gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount,
> nm,
> +nproc, objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort,
> stat,
> +strings, sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode,
> which,
> +whoami, xargs.
> +---
> + spectre-meltdown-checker.sh | 648 ++++++++++++++++++---------------
> ---
> + 1 file changed, 324 insertions(+), 324 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 30f760c..82cf1b6 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -19,33 +19,33 @@ trap '_warn "interrupted, cleaning up...";
> exit_cleanup; exit 1' INT
> + exit_cleanup()
> + {
> +       # cleanup the temp decompressed config & kernel image
> +-      [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm
> -f "$dumped_config"
> +-      [ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && rm
> -f "$kerneltmp"
> +-      [ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] && rm
> -f "$kerneltmp2"
> +-      [ -n "${mcedb_tmp:-}"     ] && [ -f "$mcedb_tmp"     ] && rm
> -f "$mcedb_tmp"
> +-      [ -n "${intel_tmp:-}"     ] && [ -d "$intel_tmp"     ] && rm
> -rf "$intel_tmp"
> +-      [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug
> 2>/dev/null
> +-      [ "${mounted_procfs:-}"  = 1 ] && umount "$procfs"
> 2>/dev/null
> +-      [ "${insmod_cpuid:-}"    = 1 ] && rmmod cpuid 2>/dev/null
> +-      [ "${insmod_msr:-}"      = 1 ] && rmmod msr 2>/dev/null
> ++      [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] &&
> @rm@ -f "$dumped_config"
> ++      [ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] &&
> @rm@ -f "$kerneltmp"
> ++      [ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] &&
> @rm@ -f "$kerneltmp2"
> ++      [ -n "${mcedb_tmp:-}"     ] && [ -f "$mcedb_tmp"     ] &&
> @rm@ -f "$mcedb_tmp"
> ++      [ -n "${intel_tmp:-}"     ] && [ -d "$intel_tmp"     ] &&
> @rm@ -rf "$intel_tmp"
> ++      [ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug
> 2>/dev/null
> ++      [ "${mounted_procfs:-}"  = 1 ] && @umount@ "$procfs"
> 2>/dev/null
> ++      [ "${insmod_cpuid:-}"    = 1 ] && @rmmod@ cpuid 2>/dev/null
> ++      [ "${insmod_msr:-}"      = 1 ] && @rmmod@ msr 2>/dev/null
> +       [ "${kldload_cpuctl:-}"  = 1 ] && kldunload cpuctl
> 2>/dev/null
> +       [ "${kldload_vmm:-}"     = 1 ] && kldunload vmm   
> 2>/dev/null
> + }
> +
> + # if we were git clone'd, adjust VERSION
> +-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1;
> then
> +-      describe=$(git -C "$(dirname "$0")" describe --tags --dirty
> 2>/dev/null)
> +-      [ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e
> s/^v//)
> ++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null
> 2>&1; then
> ++      describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty
> 2>/dev/null)
> ++      [ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e
> s/^v//)
> + fi
> +
> + show_usage()
> + {
> +       # shellcheck disable=SC2086
> +-      cat <<EOF
> ++      @cat@ <<EOF
> +       Usage:
> +-              Live mode (auto):   $(basename $0) [options]
> +-              Live mode (manual): $(basename $0) [options] <[--
> kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
> +-              Offline mode:       $(basename $0) [options] <[--
> kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
> ++              Live mode (auto):   $(@basename@ $0) [options]
> ++              Live mode (manual): $(@basename@ $0) [options] <[--
> kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
> ++              Offline mode:       $(@basename@ $0) [options] <[--
> kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
> +
> +       Modes:
> +               Two modes are available.
> +@@ -110,7 +110,7 @@ EOF
> +
> + show_disclaimer()
> + {
> +-      cat <<EOF
> ++      @cat@ <<EOF
> + Disclaimer:
> +
> + This tool does its best to determine whether your system is immune
> (or has proper mitigations in place) for the
> +@@ -138,7 +138,7 @@ This tool has been released in the hope that
> it'll be useful, but don't use it t
> + EOF
> + }
> +
> +-os=$(uname -s)
> ++os=$(@uname@ -s)
> +
> + # parse options
> + opt_kernel=''
> +@@ -207,7 +207,7 @@ __echo()
> +                       _interpret_chars='-e'
> +               fi
> +               _ctrlchar=$($echo_cmd $_interpret_chars "\033")
> +-              _msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r
> "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
> ++              _msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r
> "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
> +       fi
> +       if [ "$echo_cmd_type" = printf ]; then
> +               if [ "$opt" = "-n" ]; then
> +@@ -383,7 +383,7 @@ is_cpu_affected()
> +               # https://github.com/crozone/SpectrePoC/issues/1 ^F
> E5200 => spectre 2 not affected
> +               #
> https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 =>
> meltdown affected
> +               # model name : Pentium(R) Dual-Core  CPU      E5200 
> @ 2.50GHz
> +-              if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\)
> Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
> ++              if echo "$cpu_friendly_name" | @grep@ -qE
> 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
> +                       variant1=vuln
> +                       [ -z "$variant2" ] && variant2=immune
> +                       variant3=vuln
> +@@ -486,7 +486,7 @@ is_cpu_affected()
> +                       i=$(( i + 1 ))
> +                       # do NOT quote $cpu_arch_list below
> +                       # shellcheck disable=SC2086
> +-                      cpuarch=$(echo $cpu_arch_list | awk '{ print
> $'$i' }')
> ++                      cpuarch=$(echo $cpu_arch_list | @awk@ '{
> print $'$i' }')
> +                       _debug "checking cpu$i: <$cpupart>
> <$cpuarch>"
> +                       # some kernels report AArch64 instead of 8
> +                       [ "$cpuarch" = "AArch64" ] && cpuarch=8
> +@@ -497,49 +497,49 @@ is_cpu_affected()
> +                               # part   ?  ? c08 c09 c0d c0f c0e d07
> d08 d09 d0a d0b d0c         d0d
> +                               # arch  7? 7? 7   7   7   7   7   8  
> 8   8   8   8   8           8
> +                               #
> +-                              # Whitelist identified non-affected
> processors, use vulnerability information from
> ++                              # Whitelist identified non-affected
> processors, use vulnerability information from
> +                               #
> https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
> +                               # Partnumbers can be found here:
> +                               #
> https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in
> +                               #
> +                               # Maintain cumulative check of
> vulnerabilities -
> +                               # if at least one of the cpu is
> affected, then the system is affected
> +-                              if [ "$cpuarch" = 7 ] && echo
> "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
> ++                              if [ "$cpuarch" = 7 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
> +                                       variant1=vuln
> +                                       variant2=vuln
> +                                       [ -z "$variant3" ] &&
> variant3=immune
> +                                       [ -z "$variant3a" ] &&
> variant3a=immune
> +                                       [ -z "$variant4" ] &&
> variant4=immune
> +                                       _debug "checking cpu$i: armv7
> A8/A9/A12/A17 non affected to variants 3, 3a & 4"
> +-                              elif [ "$cpuarch" = 7 ] && echo
> "$cpupart" | grep -q -w -e 0xc0f; then
> ++                              elif [ "$cpuarch" = 7 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xc0f; then
> +                                       variant1=vuln
> +                                       variant2=vuln
> +                                       [ -z "$variant3" ] &&
> variant3=immune
> +                                       variant3a=vuln
> +                                       [ -z "$variant4" ] &&
> variant4=immune
> +                                       _debug "checking cpu$i: armv7
> A15 non affected to variants 3 & 4"
> +-                              elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then
> ++                              elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xd07 -e 0xd08; then
> +                                       variant1=vuln
> +                                       variant2=vuln
> +                                       [ -z "$variant3" ] &&
> variant3=immune
> +                                       variant3a=vuln
> +                                       variant4=vuln
> +                                       _debug "checking cpu$i: armv8
> A57/A72 non affected to variants 3"
> +-                              elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | grep -q -w -e 0xd09; then
> ++                              elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xd09; then
> +                                       variant1=vuln
> +                                       variant2=vuln
> +                                       [ -z "$variant3" ] &&
> variant3=immune
> +                                       [ -z "$variant3a" ] &&
> variant3a=immune
> +                                       variant4=vuln
> +                                       _debug "checking cpu$i: armv8
> A73 non affected to variants 3 & 3a"
> +-                              elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | grep -q -w -e 0xd0a; then
> ++                              elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xd0a; then
> +                                       variant1=vuln
> +                                       variant2=vuln
> +                                       variant3=vuln
> +                                       [ -z "$variant3a" ] &&
> variant3a=immune
> +                                       variant4=vuln
> +                                       _debug "checking cpu$i: armv8
> A75 non affected to variant 3a"
> +-                              elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
> ++                              elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
> +                                       variant1=vuln
> +                                       [ -z "$variant2" ] &&
> variant2=immune
> +                                       [ -z "$variant3" ] &&
> variant3=immune
> +@@ -820,7 +820,7 @@ is_cpu_ssb_free()
> +               if [ "$cpu_family" = "18" ] || \
> +                       [ "$cpu_family" = "17" ] || \
> +                       [ "$cpu_family" = "16" ] || \
> +-                      [ "$cpu_family" = "15" ]; then
> ++                      [ "$cpu_family" = "15" ]; then
> +                       return 0
> +               fi
> +       fi
> +@@ -837,7 +837,7 @@ show_header()
> +       _info
> + }
> +
> +-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
> ++[ -z "$HOME" ] && HOME="$(@getent@ passwd "$(@whoami@)" | @cut@ -d:
> -f6)"
> + mcedb_cache="$HOME/.mcedb"
> + update_fwdb()
> + {
> +@@ -846,11 +846,11 @@ update_fwdb()
> +       set -e
> +
> +       if [ -r "$mcedb_cache" ]; then
> +-              previous_dbversion=$(awk '/^# %%% MCEDB / { print $4
> }' "$mcedb_cache")
> ++              previous_dbversion=$(@awk@ '/^# %%% MCEDB / { print
> $4 }' "$mcedb_cache")
> +       fi
> +
> +       # first, download the MCE.db from the excellent platomav's
> MCExtractor project
> +-      mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
> ++      mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)"
> +       mcedb_url='
> https://github.com/platomav/MCExtractor/raw/master/MCE.db'
> +       _info_nol "Fetching MCE.db from the MCExtractor project... "
> +       if command -v wget >/dev/null 2>&1; then
> +@@ -870,7 +870,7 @@ update_fwdb()
> +       echo DONE
> +
> +       # second, get the Intel firmwares from GitHub
> +-      intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
> ++      intel_tmp="$(@mktemp@ -d -t smc-intelfw-XXXXXX)"
> +       intel_url="
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-
> Files/archive/main.zip"
> +       _info_nol "Fetching Intel firmwares... "
> +       ##
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
> +@@ -930,20 +930,20 @@ update_fwdb()
> +       fi
> +       #  079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev
> 0x0217, size 5120
> +       #  078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev
> 0x0107, size 5120
> +-      $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-
> Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
> ++      $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-
> Data-Files-main/intel-ucode" | @grep@ -wF sig | while read -r _line
> +       do
> +-              _line=$(   echo "$_line" | tr -d ',')
> +-              _cpuid=$(  echo "$_line" | awk '{print $3}')
> ++              _line=$(   echo "$_line" | @tr@ -d ',')
> ++              _cpuid=$(  echo "$_line" | @awk@ '{print $3}')
> +               _cpuid=$(( _cpuid ))
> +               _cpuid=$(printf "0x%08X" "$_cpuid")
> +-              _date=$(   echo "$_line" | awk '{print $6}' | tr -d
> '-')
> +-              _version=$(echo "$_line" | awk '{print $8}')
> ++              _date=$(   echo "$_line" | @awk@ '{print $6}' | @tr@
> -d '-')
> ++              _version=$(echo "$_line" | @awk@ '{print $8}')
> +               _version=$(( _version ))
> +               _version=$(printf "0x%08X" "$_version")
> +               _sqlstm="$(printf "INSERT INTO Intel
> (origin,cpuid,version,yyyymmdd) VALUES
> (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")"
> "$(printf "%08X" "$_version")" "$_date")"
> +               sqlite3 "$mcedb_tmp" "$_sqlstm"
> +       done
> +-      _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-
> Processor-Microcode-Data-Files-main/license" 2>/dev/null)
> ++      _intel_timestamp=$(@stat@ -c %Y "$intel_tmp/Intel-Linux-
> Processor-Microcode-Data-Files-main/license" 2>/dev/null)
> +       if [ -n "$_intel_timestamp" ]; then
> +               # use this date, it matches the last commit date
> +               _intel_latest_date=$(date +%Y%m%d -d
> @"$_intel_timestamp")
> +@@ -964,17 +964,17 @@ update_fwdb()
> +       {
> +               echo "# Spectre & Meltdown Checker";
> +               echo "# %%% MCEDB v$dbversion";
> +-              sqlite3 "$mcedb_tmp" "SELECT '#
> I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel
> AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND
> t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid
> ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
> +-              sqlite3 "$mcedb_tmp" "SELECT '#
> A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD  
> AS t1 LEFT OUTER JOIN AMD   AS t2 ON t2.cpuid=t1.cpuid AND
> t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid
> ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
> ++              sqlite3 "$mcedb_tmp" "SELECT '#
> I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel
> AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND
> t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid
> ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,';
> ++              sqlite3 "$mcedb_tmp" "SELECT '#
> A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD  
> AS t1 LEFT OUTER JOIN AMD   AS t2 ON t2.cpuid=t1.cpuid AND
> t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid
> ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,';
> +       } > "$mcedb_cache"
> +       echo DONE "(version $dbversion)"
> +
> +       if [ "$1" = builtin ]; then
> +-              newfile=$(mktemp -t smc-builtin-XXXXXX)
> +-              awk '/^# %%% MCEDB / { exit }; { print }' "$0" >
> "$newfile"
> +-              awk '{ if (NR>1) { print } }' "$mcedb_cache" >>
> "$newfile"
> +-              cat "$newfile" > "$0"
> +-              rm -f "$newfile"
> ++              newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
> ++              @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" >
> "$newfile"
> ++              @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >>
> "$newfile"
> ++              @cat@ "$newfile" > "$0"
> ++              @rm@ -f "$newfile"
> +       fi
> + }
> +
> +@@ -1055,7 +1055,7 @@ while [ -n "${1:-}" ]; do
> +       elif [ "$1" = "--cpu" ]; then
> +               opt_cpu=$2
> +               if [ "$opt_cpu" != all ]; then
> +-                      if echo "$opt_cpu" | grep -Eq '^[0-9]+'; then
> ++                      if echo "$opt_cpu" | @grep@ -Eq '^[0-9]+';
> then
> +                               opt_cpu=$(( opt_cpu ))
> +                       else
> +                               echo "$0: error: --cpu should be an
> integer or 'all', got '$opt_cpu'" >&2
> +@@ -1103,7 +1103,7 @@ while [ -n "${1:-}" ]; do
> +                       echo "$0: error: option --cve expects a
> parameter, supported CVEs are: $supported_cve_list" >&2
> +                       exit 255
> +               fi
> +-              selected_cve=$(echo "$supported_cve_list" | grep -iwo
> "$2")
> ++              selected_cve=$(echo "$supported_cve_list" | @grep@ -
> iwo "$2")
> +               if [ -n "$selected_cve" ]; then
> +                       opt_cve_list="$opt_cve_list $selected_cve"
> +                       opt_cve_all=0
> +@@ -1308,14 +1308,14 @@ check_kernel()
> +       # a damaged ELF file and validate it, check for stderr
> warnings too
> +
> +       # the warning "readelf: Warning: [16]: Link field (0) should
> index a symtab section./" can appear on valid kernels, ignore it
> +-      _readelf_warnings=$("${opt_arch_prefix}readelf" -S "$_file"
> 2>&1 >/dev/null | grep -v 'should index a symtab section' | tr "\n"
> "/"); ret=$?
> +-      _readelf_sections=$("${opt_arch_prefix}readelf" -S "$_file"
> 2>/dev/null | grep -c -e data -e text -e init)
> +-      _kernel_size=$(stat -c %s "$_file" 2>/dev/null || stat -f %z
> "$_file" 2>/dev/null || echo 10000)
> ++      _readelf_warnings=$("@readelf@" -S "$_file" 2>&1 >/dev/null |
> @grep@ -v 'should index a symtab section' | @tr@ "\n" "/"); ret=$?
> ++      _readelf_sections=$("@readelf@" -S "$_file" 2>/dev/null |
> @grep@ -c -e data -e text -e init)
> ++      _kernel_size=$(@stat@ -c %s "$_file" 2>/dev/null || @stat@ -f
> %z "$_file" 2>/dev/null || echo 10000)
> +       _debug "check_kernel: ret=$? size=$_kernel_size
> sections=$_readelf_sections warnings=$_readelf_warnings"
> +       if [ "$_mode" = desperate ]; then
> +-              if "${opt_arch_prefix}strings" "$_file" | grep -Eq
> '^Linux version '; then
> ++              if "@strings@" "$_file" | @grep@ -Eq '^Linux version
> '; then
> +                       _debug "check_kernel (desperate): ...
> matched!"
> +-                      if [ "$_readelf_sections" = 0 ] && grep -qF -
> e armv6 -e armv7 "$_file"; then
> ++                      if [ "$_readelf_sections" = 0 ] && @grep@ -qF
> -e armv6 -e armv7 "$_file"; then
> +                               _debug "check_kernel (desperate): raw
> arm binary found, adjusting objdump options"
> +                               objdump_options="-D -b binary -marm"
> +                       else
> +@@ -1348,7 +1348,7 @@ try_decompress()
> +
> +       # Try to find the header ($1) and decompress from here
> +       _debug "try_decompress: looking for $3 magic in $6"
> +-      for     pos in $(tr "$1\n$2" "\n$2=" < "$6" | grep -abo
> "^$2")
> ++      for     pos in $(@tr@ "$1\n$2" "\n$2=" < "$6" | @grep@ -abo
> "^$2")
> +       do
> +               _debug "try_decompress: magic for $3 found at offset
> $pos"
> +               if ! command -v "$3" >/dev/null 2>&1; then
> +@@ -1375,11 +1375,11 @@ try_decompress()
> +                       kernel="$kerneltmp"
> +                       _debug "try_decompress: decompressed with $3
> successfully!"
> +                       return 0
> +-              elif [ "$3" != "cat" ]; then
> ++              elif [ "$3" != "@cat@" ]; then
> +                       _debug "try_decompress: decompression with $3
> worked but result is not a kernel, trying with an offset"
> +-                      [ -z "$kerneltmp2" ] && kerneltmp2=$(mktemp -
> t smc-kernel-XXXXXX)
> +-                      cat "$kerneltmp" > "$kerneltmp2"
> +-                      try_decompress '\177ELF' xxy 'cat' '' cat
> "$kerneltmp2" && return 0
> ++                      [ -z "$kerneltmp2" ] && kerneltmp2=$(@mktemp@
> -t smc-kernel-XXXXXX)
> ++                      @cat@ "$kerneltmp" > "$kerneltmp2"
> ++                      try_decompress '\177ELF' xxy '@cat@' '' cat
> "$kerneltmp2" && return 0
> +               else
> +                       _debug "try_decompress: decompression with $3
> worked but result is not a kernel"
> +               fi
> +@@ -1391,12 +1391,12 @@ extract_kernel()
> + {
> +       [ -n "${1:-}" ] || return 1
> +       # Prepare temp files:
> +-      kerneltmp="$(mktemp -t smc-kernel-XXXXXX)"
> ++      kerneltmp="$(@mktemp@ -t smc-kernel-XXXXXX)"
> +
> +       # Initial attempt for uncompressed images or objects:
> +       if check_kernel "$1"; then
> +               _debug "extract_kernel: found kernel is valid, no
> decompression needed"
> +-              cat "$1" > "$kerneltmp"
> ++              @cat@ "$1" > "$kerneltmp"
> +               kernel=$kerneltmp
> +               return 0
> +       fi
> +@@ -1405,14 +1405,14 @@ extract_kernel()
> +       for pass in 1 2; do
> +               for mode in normal desperate; do
> +                       _debug "extract_kernel: pass $pass $mode
> mode"
> +-                      try_decompress '\037\213\010'     xy   
> gunzip  ''      gunzip      "$1" "$mode" "$pass" && return 0
> +-                      try_decompress '\002\041\114\030' xyy  
> 'lz4'   '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
> +-                      try_decompress '\3757zXZ\000'     abcde
> unxz    ''      xz-utils    "$1" "$mode" "$pass" && return 0
> +-                      try_decompress 'BZh'              xy   
> bunzip2 ''      bzip2       "$1" "$mode" "$pass" && return 0
> +-                      try_decompress '\135\0\0\0'       xxx  
> unlzma  ''      xz-utils    "$1" "$mode" "$pass" && return 0
> +-                      try_decompress '\211\114\132'     xy   
> 'lzop'  '-d'    lzop        "$1" "$mode" "$pass" && return 0
> +-                      try_decompress '\177ELF'          xxy  
> 'cat'   ''      cat         "$1" "$mode" "$pass" && return 0
> +-                      try_decompress '(\265/\375'       xxy  
> unzstd  ''      zstd        "$1" "$mode" "$pass" && return 0
> ++                      try_decompress '\037\213\010'     xy   
> @gunzip@  ''      gunzip      "$1" "$mode" "$pass" && return 0
> ++                      try_decompress '\002\041\114\030' xyy  
> '@lz4@'   '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
> ++                      try_decompress '\3757zXZ\000'     abcde
> @unxz@    ''      xz-utils    "$1" "$mode" "$pass" && return 0
> ++                      try_decompress 'BZh'              xy   
> @bunzip2@ ''      bzip2       "$1" "$mode" "$pass" && return 0
> ++                      try_decompress '\135\0\0\0'       xxx  
> @unlzma@  ''      xz-utils    "$1" "$mode" "$pass" && return 0
> ++                      try_decompress '\211\114\132'     xy   
> '@lzop@'  '-d'    lzop        "$1" "$mode" "$pass" && return 0
> ++                      try_decompress '\177ELF'          xxy  
> '@cat@'   ''      cat         "$1" "$mode" "$pass" && return 0
> ++                      try_decompress '(\265/\375'       xxy  
> @unzstd@  ''      zstd        "$1" "$mode" "$pass" && return 0
> +               done
> +       done
> +       # kernel_err might already have been populated by
> try_decompress() if we're missing one of the tools
> +@@ -1429,7 +1429,7 @@ mount_debugfs()
> + {
> +       if [ ! -e /sys/kernel/debug/sched_features ]; then
> +               # try to mount the debugfs hierarchy ourselves and
> remember it to umount afterwards
> +-              mount -t debugfs debugfs /sys/kernel/debug
> 2>/dev/null && mounted_debugfs=1
> ++              @mount@ -t debugfs debugfs /sys/kernel/debug
> 2>/dev/null && mounted_debugfs=1
> +       fi
> + }
> +
> +@@ -1440,12 +1440,12 @@ load_msr()
> +       load_msr_once=1
> +
> +       if [ "$os" = Linux ]; then
> +-              if ! grep -qw msr "$procfs/modules" 2>/dev/null; then
> +-                      modprobe msr 2>/dev/null && insmod_msr=1
> ++              if ! @grep@ -qw msr "$procfs/modules" 2>/dev/null;
> then
> ++                      @modprobe@ msr 2>/dev/null && insmod_msr=1
> +                       _debug "attempted to load module msr,
> insmod_msr=$insmod_msr"
> +               else
> +                       _debug "msr module already loaded"
> +-              fi
> ++              fi
> +       else
> +               if ! kldstat -q -m cpuctl; then
> +                       kldload cpuctl 2>/dev/null &&
> kldload_cpuctl=1
> +@@ -1463,12 +1463,12 @@ load_cpuid()
> +       load_cpuid_once=1
> +
> +       if [ "$os" = Linux ]; then
> +-              if ! grep -qw cpuid "$procfs/modules" 2>/dev/null;
> then
> +-                      modprobe cpuid 2>/dev/null && insmod_cpuid=1
> ++              if ! @grep@ -qw cpuid "$procfs/modules" 2>/dev/null;
> then
> ++                      @modprobe@ cpuid 2>/dev/null &&
> insmod_cpuid=1
> +                       _debug "attempted to load module cpuid,
> insmod_cpuid=$insmod_cpuid"
> +               else
> +                       _debug "cpuid module already loaded"
> +-              fi
> ++              fi
> +       else
> +               if ! kldstat -q -m cpuctl; then
> +                       kldload cpuctl 2>/dev/null &&
> kldload_cpuctl=1
> +@@ -1557,7 +1557,7 @@ read_cpuid_one_core()
> +               fi
> +               # on some kernel versions, /dev/cpu/0/cpuid doesn't
> imply that the cpuid module is loaded, in that case dd returns an
> error,
> +               # we use that fact to load the module if dd returns
> an error
> +-              if ! dd if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null
> 2>&1; then
> ++              if ! @dd@ if=/dev/cpu/0/cpuid bs=16 count=1
> >/dev/null 2>&1; then
> +                       load_cpuid
> +               fi
> +               # we need _leaf to be converted to decimal for dd
> +@@ -1568,14 +1568,14 @@ read_cpuid_one_core()
> +               _ddskip=$(( _position / 16 ))
> +               _odskip=$(( _position - _ddskip * 16 ))
> +               # now read the value
> +-              _cpuid=$(dd if="/dev/cpu/$_core/cpuid" bs=16
> skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | od -j $((_odskip *
> 16)) -A n -t u4)
> ++              _cpuid=$(@dd@ if="/dev/cpu/$_core/cpuid" bs=16
> skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | @od@ -j $((_odskip
> * 16)) -A n -t u4)
> +       elif [ -e /dev/cpuctl0 ]; then
> +               # BSD
> +               if [ ! -r /dev/cpuctl0 ]; then
> +                       read_cpuid_msg="Couldn't read cpuid info from
> cpuctl"
> +                       return $READ_CPUID_RET_ERR
> +               fi
> +-              _cpuid=$(cpucontrol -i "$_leaf","$_subleaf"
> "/dev/cpuctl$_core" 2>/dev/null | cut -d: -f2-)
> ++              _cpuid=$(cpucontrol -i "$_leaf","$_subleaf"
> "/dev/cpuctl$_core" 2>/dev/null | @cut@ -d: -f2-)
You're missing cpucontrol here.
> +               # cpuid level 0x4, level_type 0x2: 0x1c004143
> 0x01c0003f 0x000001ff 0x00000000
> +       else
> +               read_cpuid_msg="Found no way to read cpuid info"
> +@@ -1598,7 +1598,7 @@ read_cpuid_one_core()
> +       fi
> +
> +       # get the value of the register we want
> +-      _reg=$(echo "$_cpuid" | awk '{print $'"$_register"'}')
> ++      _reg=$(echo "$_cpuid" | @awk@ '{print $'"$_register"'}')
> +       # Linux returns it as decimal, BSD as hex, normalize to
> decimal
> +       _reg=$(( _reg ))
> +       # shellcheck disable=SC2046
> +@@ -1626,11 +1626,11 @@ dmesg_grep()
> +       # grep for something in dmesg, ensuring that the dmesg buffer
> +       # has not been truncated
> +       dmesg_grepped=''
> +-      if ! dmesg | grep -qE -e '(^|\] )Linux version [0-9]' -e
> '^FreeBSD is a registered' ; then
> ++      if ! @dmesg@ | @grep@ -qE -e '(^|\] )Linux version [0-9]' -e
> '^FreeBSD is a registered' ; then
> +               # dmesg truncated
> +               return 2
> +       fi
> +-      dmesg_grepped=$(dmesg | grep -E "$1" | head -1)
> ++      dmesg_grepped=$(@dmesg@ | @grep@ -E "$1" | @head@ -1)
> +       # not found:
> +       [ -z "$dmesg_grepped" ] && return 1
> +       # found, output is in $dmesg_grepped
> +@@ -1647,12 +1647,12 @@ parse_cpu_details()
> + {
> +       [ "${parse_cpu_details_done:-}" = 1 ] && return 0
> +
> +-      if command -v nproc >/dev/null; then
> +-              number_of_cores=$(nproc)
> +-      elif echo "$os" | grep -q BSD; then
> +-              number_of_cores=$(sysctl -n hw.ncpu 2>/dev/null ||
> echo 1)
> ++      if command -v @nproc@ >/dev/null; then
> ++              number_of_cores=$(@nproc@)
> ++      elif echo "$os" | @grep@ -q BSD; then
> ++              number_of_cores=$(@sysctl@ -n hw.ncpu 2>/dev/null ||
> echo 1)
> +       elif [ -e "$procfs/cpuinfo" ]; then
> +-              number_of_cores=$(grep -c ^processor
> "$procfs/cpuinfo" 2>/dev/null || echo 1)
> ++              number_of_cores=$(@grep@ -c ^processor
> "$procfs/cpuinfo" 2>/dev/null || echo 1)
> +       else
> +               # if we don't know, default to 1 CPU
> +               number_of_cores=1
> +@@ -1660,43 +1660,43 @@ parse_cpu_details()
> +       max_core_id=$(( number_of_cores - 1 ))
> +
> +       if [ -e "$procfs/cpuinfo" ]; then
> +-              cpu_vendor=$(  grep '^vendor_id'  "$procfs/cpuinfo" |
> awk '{print $3}' | head -1)
> +-              cpu_friendly_name=$(grep '^model name'
> "$procfs/cpuinfo" | cut -d: -f2- | head -1 | sed -e 's/^ *//')
> ++              cpu_vendor=$(  @grep@ '^vendor_id'  "$procfs/cpuinfo"
> | @awk@ '{print $3}' | @head@ -1)
> ++              cpu_friendly_name=$(@grep@ '^model name'
> "$procfs/cpuinfo" | @cut@ -d: -f2- | @head@ -1 | @sed@ -e 's/^ *//')
> +               # special case for ARM follows
> +-              if grep -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
> ++              if @grep@ -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
> +                       cpu_vendor='ARM'
> +                       # some devices (phones or other) have several
> ARMs and as such different part numbers,
> +                       # an example is "bigLITTLE", so we need to
> store the whole list, this is needed for is_cpu_affected
> +-                      cpu_part_list=$(awk '/CPU part/        
> {print $4}' "$procfs/cpuinfo")
> +-                      cpu_arch_list=$(awk '/CPU architecture/
> {print $3}' "$procfs/cpuinfo")
> ++                      cpu_part_list=$(@awk@ '/CPU part/        
> {print $4}' "$procfs/cpuinfo")
> ++                      cpu_arch_list=$(@awk@ '/CPU architecture/
> {print $3}' "$procfs/cpuinfo")
> +                       # take the first one to fill the friendly
> name, do NOT quote the vars below
> +                       # shellcheck disable=SC2086
> +-                      cpu_arch=$(echo $cpu_arch_list | awk '{ print
> $1 }')
> ++                      cpu_arch=$(echo $cpu_arch_list | @awk@ '{
> print $1 }')
> +                       # shellcheck disable=SC2086
> +-                      cpu_part=$(echo $cpu_part_list | awk '{ print
> $1 }')
> ++                      cpu_part=$(echo $cpu_part_list | @awk@ '{
> print $1 }')
> +                       [ "$cpu_arch" = "AArch64" ] && cpu_arch=8
> +                       cpu_friendly_name="ARM"
> +                       [ -n "$cpu_arch" ] &&
> cpu_friendly_name="$cpu_friendly_name v$cpu_arch"
> +                       [ -n "$cpu_part" ] &&
> cpu_friendly_name="$cpu_friendly_name model $cpu_part"
> +
> +-              elif grep -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
> ++              elif @grep@ -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
> +                       cpu_vendor='CAVIUM'
> +-              elif grep -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
> ++              elif @grep@ -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
> +                       cpu_vendor='PHYTIUM'
> +               fi
> +
> +-              cpu_family=$(  grep '^cpu family' "$procfs/cpuinfo" |
> awk '{print $4}' | grep -E '^[0-9]+$' | head -1)
> +-              cpu_model=$(   grep '^model'      "$procfs/cpuinfo" |
> awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
> +-              cpu_stepping=$(grep '^stepping'   "$procfs/cpuinfo" |
> awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
> +-              cpu_ucode=$(   grep '^microcode'  "$procfs/cpuinfo" |
> awk '{print $3}' | head -1)
> ++              cpu_family=$(  @grep@ '^cpu family' "$procfs/cpuinfo"
> | @awk@ '{print $4}' | @grep@ -E '^[0-9]+$' | @head@ -1)
> ++              cpu_model=$(   @grep@ '^model'      "$procfs/cpuinfo"
> | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
> ++              cpu_stepping=$(@grep@ '^stepping'   "$procfs/cpuinfo"
> | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
> ++              cpu_ucode=$(   @grep@ '^microcode'  "$procfs/cpuinfo"
> | @awk@ '{print $3}' | @head@ -1)
> +       else
> +-              cpu_vendor=$( dmesg | grep -i -m1 'Origin=' | cut -f2
> -w | cut -f2 -d= | cut -f2 -d\" )
> +-              cpu_family=$( dmesg | grep -i -m1 'Family=' | cut -f4
> -w | cut -f2 -d= )
> ++              cpu_vendor=$( @dmesg@ | @grep@ -i -m1 'Origin=' |
> @cut@ -f2 -w | @cut@ -f2 -d= | @cut@ -f2 -d\" )
> ++              cpu_family=$( @dmesg@ | @grep@ -i -m1 'Family=' |
> @cut@ -f4 -w | @cut@ -f2 -d= )
> +               cpu_family=$(( cpu_family ))
> +-              cpu_model=$( dmesg | grep -i -m1 'Model=' | cut -f5 -
> w | cut -f2 -d= )
> ++              cpu_model=$( @dmesg@ | @grep@ -i -m1 'Model=' | @cut@
> -f5 -w | @cut@ -f2 -d= )
> +               cpu_model=$(( cpu_model ))
> +-              cpu_stepping=$( dmesg | grep -i -m1 'Stepping=' | cut
> -f6 -w | cut -f2 -d= )
> +-              cpu_friendly_name=$(sysctl -n hw.model 2>/dev/null)
> ++              cpu_stepping=$( @dmesg@ | @grep@ -i -m1 'Stepping=' |
> @cut@ -f6 -w | @cut@ -f2 -d= )
> ++              cpu_friendly_name=$(@sysctl@ -n hw.model 2>/dev/null)
> +       fi
> +
> +       if [ -n "${SMC_MOCK_CPU_FRIENDLY_NAME:-}" ]; then
> +@@ -1751,7 +1751,7 @@ parse_cpu_details()
> +                       # call CPUID
> +                       cpucontrol -i 1 /dev/cpuctl0 >/dev/null
> +                       # read MSR
> +-                      cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 |
> awk '{print $3}')
> ++                      cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 |
> @awk@ '{print $3}')
> +                       # convert to decimal
> +                       cpu_ucode=$(( cpu_ucode ))
> +                       # convert back to hex
> +@@ -1770,7 +1770,7 @@ parse_cpu_details()
> +               mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_CPU_UCODE='$cpu_ucode'")
> +       fi
> +
> +-      echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$(( cpu_ucode ))
> ++      echo "$cpu_ucode" | @grep@ -q ^0x && cpu_ucode=$(( cpu_ucode
> ))
> +       ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x
> ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" "$cpu_stepping"
> "$cpu_ucode" "$cpu_cpuid")
> +
> +       # also define those that we will need in other funcs
> +@@ -1867,8 +1867,8 @@ is_cpu_smt_enabled()
> + {
> +       # SMT / HyperThreading is enabled if siblings != cpucores
> +       if [ -e "$procfs/cpuinfo" ]; then
> +-              _siblings=$(awk '/^siblings/  {print $3;exit}'
> "$procfs/cpuinfo")
> +-              _cpucores=$(awk '/^cpu cores/ {print $4;exit}'
> "$procfs/cpuinfo")
> ++              _siblings=$(@awk@ '/^siblings/  {print $3;exit}'
> "$procfs/cpuinfo")
> ++              _cpucores=$(@awk@ '/^cpu cores/ {print $4;exit}'
> "$procfs/cpuinfo")
> +               if [ -n "$_siblings" ] && [ -n "$_cpucores" ]; then
> +                       if [ "$_siblings" = "$_cpucores" ]; then
> +                               return 1
> +@@ -1916,10 +1916,10 @@ is_ucode_blacklisted()
> +               $INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b   \
> +               $INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712
> +       do
> +-              model=$(echo "$tuple" | cut -d, -f1)
> +-              stepping=$(( $(echo "$tuple" | cut -d, -f2) ))
> ++              model=$(echo "$tuple" | @cut@ -d, -f1)
> ++              stepping=$(( $(echo "$tuple" | @cut@ -d, -f2) ))
> +               if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" =
> "$stepping" ]; then
> +-                      ucode=$(( $(echo "$tuple" | cut -d, -f3) ))
> ++                      ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
> +                       if [ "$cpu_ucode" = "$ucode" ]; then
> +                               _debug "is_ucode_blacklisted: we have
> a match! ($cpu_model/$cpu_stepping/$cpu_ucode)"
> +                               return 0
> +@@ -2007,7 +2007,7 @@ is_xen_dom0()
> +               return 1
> +       fi
> +
> +-      if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d"
> "$procfs/xen/capabilities"; then
> ++      if [ -e "$procfs/xen/capabilities" ] && @grep@ -q "control_d"
> "$procfs/xen/capabilities"; then
> +               return 0
> +       else
> +               return 1
> +@@ -2033,12 +2033,12 @@ is_xen_domU()
> +       fi
> + }
> +
> +-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
> ++builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
> + if [ -r "$mcedb_cache" ]; then
> +       # we have a local cache file, but it might be older than the
> builtin version we have
> +-      local_dbversion=$(  awk '/^# %%% MCEDB / { print $4 }'
> "$mcedb_cache")
> ++      local_dbversion=$(  @awk@ '/^# %%% MCEDB / { print $4 }'
> "$mcedb_cache")
> +       # sort -V sorts by version number
> +-      older_dbversion=$(printf "%b\n%b" "$local_dbversion"
> "$builtin_dbversion" | sort -V | head -n1)
> ++      older_dbversion=$(printf "%b\n%b" "$local_dbversion"
> "$builtin_dbversion" | @sort@ -V | @head@ -n1)
> +       if [ "$older_dbversion" = "$builtin_dbversion" ]; then
> +               mcedb_source="$mcedb_cache"
> +               mcedb_info="local firmwares DB $local_dbversion"
> +@@ -2051,7 +2051,7 @@ if [ -z "${mcedb_source:-}" ]; then
> + fi
> + read_mcedb()
> + {
> +-      awk '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1
> }' "$mcedb_source"
> ++      @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / {
> DELIM=1 }' "$mcedb_source"
> + }
> +
> + is_latest_known_ucode()
> +@@ -2070,10 +2070,10 @@ is_latest_known_ucode()
> +       else
> +               return 2
> +       fi
> +-      for tuple in $(read_mcedb | grep "$(printf
> "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
> ++      for tuple in $(read_mcedb | @grep@ "$(printf
> "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
> +       do
> +-              ucode=$((  $(echo "$tuple" | cut -d, -f3) ))
> +-              ucode_date=$(echo "$tuple" | cut -d, -f4 | sed -r
> 's=(....)(..)(..)=\1/\2/\3=')
> ++              ucode=$((  $(echo "$tuple" | @cut@ -d, -f3) ))
> ++              ucode_date=$(echo "$tuple" | @cut@ -d, -f4 | @sed@ -r
> 's=(....)(..)(..)=\1/\2/\3=')
> +               _debug "is_latest_known_ucode: with cpuid $cpu_cpuid
> has ucode $cpu_ucode, last known is $ucode from $ucode_date"
> +               ucode_latest=$(printf "latest version is 0x%x dated
> $ucode_date according to $mcedb_info" "$ucode")
> +               if [ "$cpu_ucode" -ge "$ucode" ]; then
> +@@ -2098,7 +2098,7 @@ get_cmdline()
> +               kernel_cmdline="$SMC_MOCK_CMDLINE"
> +               return
> +       else
> +-              kernel_cmdline=$(cat "$procfs/cmdline")
> ++              kernel_cmdline=$(@cat@ "$procfs/cmdline")
> +               mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_CMDLINE='$kernel_cmdline'")
> +       fi
> + }
> +@@ -2106,7 +2106,7 @@ get_cmdline()
> + # ENTRYPOINT
> +
> + # we can't do anything useful under WSL
> +-if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then
> ++if @uname@ -a | @grep@ -qE -- '-Microsoft #[0-9]+-Microsoft '; then
> +       _warn "This script doesn't work under Windows Subsystem for
> Linux"
> +       _warn "You should use the official Microsoft tool instead."
> +       _warn "It can be found under
> https://aka.ms/SpeculationControlPS"
> +@@ -2155,15 +2155,15 @@ fi
> +
> + # if we're under a BSD, try to mount linprocfs for
> "$procfs/cpuinfo"
> + procfs=/proc
> +-if echo "$os" | grep -q BSD; then
> ++if echo "$os" | @grep@ -q BSD; then
> +       _debug "We're under BSD, check if we have procfs"
> +-      procfs=$(mount | awk '/^linprocfs/ { print $3; exit; }')
> ++      procfs=$(@mount@ | @awk@ '/^linprocfs/ { print $3; exit; }')
> +       if [ -z "$procfs" ]; then
> +               _debug "we don't, try to mount it"
> +               procfs=/proc
> +               [ -d /compat/linux/proc ] &&
> procfs=/compat/linux/proc
> +               test -d $procfs || mkdir $procfs
> +-              if mount -t linprocfs linprocfs $procfs 2>/dev/null;
> then
> ++              if @mount@ -t linprocfs linprocfs $procfs
> 2>/dev/null; then
> +                       mounted_procfs=1
> +                       _debug "procfs just mounted at $procfs"
> +               else
> +@@ -2195,14 +2195,14 @@ fi
> +
> + if [ "$opt_live" = 1 ]; then
> +       # root check (only for live mode, for offline mode, we
> already checked if we could read the files)
> +-      if [ "$(id -u)" -ne 0 ]; then
> ++      if [ "$(@id@ -u)" -ne 0 ]; then
> +               _warn "Note that you should launch this script with
> root privileges to get accurate information."
> +               _warn "We'll proceed but you might see permission
> denied errors."
> +               _warn "To run it as root, you can try the following
> command: sudo $0"
> +               _warn
> +       fi
> +       _info "Checking for vulnerabilities on current system"
> +-      _info "Kernel is \033[35m$os $(uname -r) $(uname -v) $(uname
> -m)\033[0m"
> ++      _info "Kernel is \033[35m$os $(@uname@ -r) $(@uname@ -v)
> $(@uname@ -m)\033[0m"
> +       _info "CPU is \033[35m$cpu_friendly_name\033[0m"
> +
> +       # try to find the image of the current running kernel
> +@@ -2210,12 +2210,12 @@ if [ "$opt_live" = 1 ]; then
> +               # specified by user on cmdline, with --live, don't
> override
> +               :
> +       # first, look for the BOOT_IMAGE hint in the kernel cmdline
> +-      elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then
> +-              opt_kernel=$(echo "$kernel_cmdline" | grep -Eo
> 'BOOT_IMAGE=[^ ]+' | cut -d= -f2)
> ++      elif echo "$kernel_cmdline" | @grep@ -q 'BOOT_IMAGE='; then
> ++              opt_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo
> 'BOOT_IMAGE=[^ ]+' | @cut@ -d= -f2)
> +               _debug "found opt_kernel=$opt_kernel in
> $procfs/cmdline"
> +               # if the boot partition is within a btrfs subvolume,
> strip the subvolume name
> +               # if /boot is a separate subvolume, the remainder of
> the code in this section should handle it
> +-              if echo "$opt_kernel" | grep -q "^/@"; then
> opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi
> ++              if echo "$opt_kernel" | @grep@ -q "^/@"; then
> opt_kernel=$(echo "$opt_kernel" | @sed@ "s:/@[^/]*::"); fi
> +               # if we have a dedicated /boot partition, our
> bootloader might have just called it /
> +               # so try to prepend /boot and see if we find anything
> +               [ -e "/boot/$opt_kernel" ] &&
> opt_kernel="/boot/$opt_kernel"
> +@@ -2227,7 +2227,7 @@ if [ "$opt_live" = 1 ]; then
> +       # if we didn't find a kernel, default to guessing
> +       if [ ! -e "$opt_kernel" ]; then
> +               # Fedora:
> +-              [ -e "/lib/modules/$(uname -r)/vmlinuz" ] &&
> opt_kernel="/lib/modules/$(uname -r)/vmlinuz"
> ++              [ -e "/lib/modules/$(@uname@ -r)/vmlinuz" ] &&
> opt_kernel="/lib/modules/$(@uname@ -r)/vmlinuz"
> +               # Slackware:
> +               [ -e "/boot/vmlinuz"             ] &&
> opt_kernel="/boot/vmlinuz"
> +               # Arch aarch64:
> +@@ -2241,24 +2241,24 @@ if [ "$opt_live" = 1 ]; then
> +               # pine64
> +               [ -e "/boot/pine64/Image"        ] &&
> opt_kernel="/boot/pine64/Image"
> +               # generic:
> +-              [ -e "/boot/vmlinuz-$(uname -r)" ] &&
> opt_kernel="/boot/vmlinuz-$(uname -r)"
> +-              [ -e "/boot/kernel-$( uname -r)" ] &&
> opt_kernel="/boot/kernel-$( uname -r)"
> +-              [ -e "/boot/bzImage-$(uname -r)" ] &&
> opt_kernel="/boot/bzImage-$(uname -r)"
> ++              [ -e "/boot/vmlinuz-$(@uname@ -r)" ] &&
> opt_kernel="/boot/vmlinuz-$(@uname@ -r)"
> ++              [ -e "/boot/kernel-$( @uname@ -r)" ] &&
> opt_kernel="/boot/kernel-$( @uname@ -r)"
> ++              [ -e "/boot/bzImage-$(@uname@ -r)" ] &&
> opt_kernel="/boot/bzImage-$(@uname@ -r)"
> +               # Gentoo:
> +-              [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ++              [ -e "/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@
> -r)" ] && opt_kernel="/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@
> -r)"
> +               # NixOS:
> +               [ -e "/run/booted-system/kernel" ] &&
> opt_kernel="/run/booted-system/kernel"
> +               # Guix System:
> +               [ -e "/run/booted-system/kernel/bzImage" ] &&
> opt_kernel="/run/booted-system/kernel/bzImage"
> +               # systemd kernel-install:
> +-              [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux"
> ++              [ -e "/etc/machine-id" ] && [ -e "/boot/$(@cat@
> /etc/machine-id)/$(@uname@ -r)/linux" ] && opt_kernel="/boot/$(@cat@
> /etc/machine-id)/$(@uname@ -r)/linux"
> +               # Clear Linux:
> +-              str_uname=$(uname -r)
> ++              str_uname=$(@uname@ -r)
> +               clear_linux_kernel="/lib/kernel/org.clearlinux.${str_
> uname##*.}.${str_uname%.*}"
> +               [ -e "$clear_linux_kernel" ] &&
> opt_kernel=$clear_linux_kernel
> +               # Custom Arch seems to have the kernel path in its
> cmdline in the form "\directory\kernelimage",
> +               # with actual \'s instead of /'s:
> +-              custom_arch_kernel=$(echo "$kernel_cmdline" | grep -
> Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d
> '[:space:]')
> ++              custom_arch_kernel=$(echo "$kernel_cmdline" | @grep@
> -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | @tr@ "\\\\" "/" | @tr@ -d
> '[:space:]')
> +               if [ -n "$custom_arch_kernel" ] && [ -e
> "$custom_arch_kernel" ]; then
> +                       opt_kernel="$custom_arch_kernel"
> +               fi
> +@@ -2272,12 +2272,12 @@ if [ "$opt_live" = 1 ]; then
> +               :
> +       elif [ -e "$procfs/kallsyms" ] ; then
> +               opt_map="$procfs/kallsyms"
> +-      elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then
> +-              opt_map="/lib/modules/$(uname -r)/System.map"
> +-      elif [ -e "/boot/System.map-$(uname -r)" ] ; then
> +-              opt_map="/boot/System.map-$(uname -r)"
> +-      elif [ -e "/lib/kernel/System.map-$(uname -r)" ]; then
> +-              opt_map="/lib/kernel/System.map-$(uname -r)"
> ++      elif [ -e "/lib/modules/$(@uname@ -r)/System.map" ] ; then
> ++              opt_map="/lib/modules/$(@uname@ -r)/System.map"
> ++      elif [ -e "/boot/System.map-$(@uname@ -r)" ] ; then
> ++              opt_map="/boot/System.map-$(@uname@ -r)"
> ++      elif [ -e "/lib/kernel/System.map-$(@uname@ -r)" ]; then
> ++              opt_map="/lib/kernel/System.map-$(@uname@ -r)"
> +       fi
> +
> +       # config
> +@@ -2285,18 +2285,18 @@ if [ "$opt_live" = 1 ]; then
> +               # specified by user on cmdline, with --live, don't
> override
> +               :
> +       elif [ -e "$procfs/config.gz" ] ; then
> +-              dumped_config="$(mktemp -t smc-config-XXXXXX)"
> +-              gunzip -c "$procfs/config.gz" > "$dumped_config"
> ++              dumped_config="$(@mktemp@ -t smc-config-XXXXXX)"
> ++              @gunzip@ -c "$procfs/config.gz" > "$dumped_config"
> +               # dumped_config will be deleted at the end of the
> script
> +               opt_config="$dumped_config"
> +-      elif [ -e "/lib/modules/$(uname -r)/config" ]; then
> +-              opt_config="/lib/modules/$(uname -r)/config"
> +-      elif [ -e "/boot/config-$(uname -r)" ]; then
> +-              opt_config="/boot/config-$(uname -r)"
> +-      elif [ -e "/etc/kernels/kernel-config-$(uname -m)-$(uname -
> r)" ]; then
> +-              opt_config="/etc/kernels/kernel-config-$(uname -m)-
> $(uname -r)"
> +-      elif [ -e "/lib/kernel/config-$(uname -r)" ]; then
> +-              opt_config="/lib/kernel/config-$(uname -r)"
> ++      elif [ -e "/lib/modules/$(@uname@ -r)/config" ]; then
> ++              opt_config="/lib/modules/$(@uname@ -r)/config"
> ++      elif [ -e "/boot/config-$(@uname@ -r)" ]; then
> ++              opt_config="/boot/config-$(@uname@ -r)"
> ++      elif [ -e "/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@
> -r)" ]; then
> ++              opt_config="/etc/kernels/kernel-config-$(@uname@ -m)-
> $(@uname@ -r)"
> ++      elif [ -e "/lib/kernel/config-$(@uname@ -r)" ]; then
> ++              opt_config="/lib/kernel/config-$(@uname@ -r)"
> +       fi
> + else
> +       _info "Checking for vulnerabilities against specified kernel"
> +@@ -2311,7 +2311,7 @@ else
> + fi
> +
> + if [ "$os" = Linux ]; then
> +-      if [ -n "$opt_config" ] && ! grep -q '^CONFIG_'
> "$opt_config"; then
> ++      if [ -n "$opt_config" ] && ! @grep@ -q '^CONFIG_'
> "$opt_config"; then
> +               # given file is invalid!
> +               _warn "The kernel config file seems invalid, was
> expecting a plain-text file, ignoring it!"
> +               opt_config=''
> +@@ -2339,7 +2339,7 @@ if [ "$os" = Linux ]; then
> + fi
> +
> + if [ -e "$opt_kernel" ]; then
> +-      if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1;
> then
> ++      if ! command -v "@readelf@" >/dev/null 2>&1; then
> +               _debug "readelf not found"
> +               kernel_err="missing '${opt_arch_prefix}readelf' tool,
> please install it, usually it's in the 'binutils' package"
> +       elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ];
> then
> +@@ -2357,20 +2357,20 @@ else
> +       # vanilla kernels have with ^Linux version
> +       # also try harder with some kernels (such as Red Hat) that
> don't have ^Linux version before their version string
> +       # and check for FreeBSD
> +-      kernel_version=$("${opt_arch_prefix}strings" "$kernel"
> 2>/dev/null | grep -E \
> ++      kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -
> E \
> +               -e '^Linux version ' \
> +               -e '^[[:alnum:]][^[:space:]]+ \([^[:space:]]+\) #[0-
> 9]+ .+ (19|20)[0-9][0-9]$' \
> +-              -e '^FreeBSD [0-9]' | head -1)
> ++              -e '^FreeBSD [0-9]' | @head@ -1)
> +       if [ -z "$kernel_version" ]; then
> +               # try even harder with some kernels (such as ARM)
> that split the release (uname -r) and version (uname -v) in 2
> adjacent strings
> +-              kernel_version=$("${opt_arch_prefix}strings"
> "$kernel" 2>/dev/null | grep -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$'
> | tr "\n" " ")
> ++              kernel_version=$("@strings@" "$kernel" 2>/dev/null |
> @grep@ -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | @tr@ "\n" " ")
> +       fi
> +       if [ -n "$kernel_version" ]; then
> +               # in live mode, check if the img we found is the
> correct one
> +               if [ "$opt_live" = 1 ]; then
> +                       _verbose "Kernel image is
> \033[35m$kernel_version"
> +-                      if ! echo "$kernel_version" | grep -qF
> "$(uname -r)"; then
> +-                              _warn "Possible discrepancy between
> your running kernel '$(uname -r)' and the image '$kernel_version' we
> found ($opt_kernel), results might be incorrect"
> ++                      if ! echo "$kernel_version" | @grep@ -qF
> "$(@uname@ -r)"; then
> ++                              _warn "Possible discrepancy between
> your running kernel '$(@uname@ -r)' and the image '$kernel_version'
> we found ($opt_kernel), results might be incorrect"
> +                       fi
> +               else
> +                       _info "Kernel image is
> \033[35m$kernel_version"
> +@@ -2398,11 +2398,11 @@ sys_interface_check()
> +       if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r
> "$file" ]; then
> +               :
> +       else
> +-              mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_SYSFS_$(basename "$file")_RET=1")
> ++              mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_SYSFS_$(@basename@ "$file")_RET=1")
> +               return 1
> +       fi
> +
> +-      _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")_RET"
> ++      _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")_RET"
> +       # shellcheck disable=SC2086,SC1083
> +       if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
> +               _debug "sysfs: MOCKING enabled for $file func returns
> $(eval echo \$$_mockvarname)"
> +@@ -2411,17 +2411,17 @@ sys_interface_check()
> +       fi
> +
> +       [ -n "$regex" ] || regex='.*'
> +-      _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")"
> ++      _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")"
> +       # shellcheck disable=SC2086,SC1083
> +       if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
> +               fullmsg="$(eval echo \$$_mockvarname)"
> +-              msg=$(echo "$fullmsg" | grep -Eo "$regex")
> ++              msg=$(echo "$fullmsg" | @grep@ -Eo "$regex")
> +               _debug "sysfs: MOCKING enabled for $file, will return
> $fullmsg"
> +               mocked=1
> +       else
> +-              fullmsg=$(cat "$file")
> +-              msg=$(grep -Eo "$regex" "$file")
> +-              mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_SYSFS_$(basename "$file")='$fullmsg'")
> ++              fullmsg=$(@cat@ "$file")
> ++              msg=$(@grep@ -Eo "$regex" "$file")
> ++              mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_SYSFS_$(@basename@ "$file")='$fullmsg'")
> +       fi
> +       if [ "$mode" = silent ]; then
> +               return 0
> +@@ -2430,15 +2430,15 @@ sys_interface_check()
> +               return 0
> +       fi
> +       _info_nol "* Mitigated according to the /sys interface: "
> +-      if echo "$msg" | grep -qi '^not affected'; then
> ++      if echo "$msg" | @grep@ -qi '^not affected'; then
> +               # Not affected
> +               status=OK
> +               pstatus green YES "$fullmsg"
> +-      elif echo "$msg" | grep -qEi '^(kvm: )?mitigation'; then
> ++      elif echo "$msg" | @grep@ -qEi '^(kvm: )?mitigation'; then
> +               # Mitigation: PTI
> +               status=OK
> +               pstatus green YES "$fullmsg"
> +-      elif echo "$msg" | grep -qi '^vulnerable'; then
> ++      elif echo "$msg" | @grep@ -qi '^vulnerable'; then
> +               # Vulnerable
> +               status=VULN
> +               pstatus yellow NO "$fullmsg"
> +@@ -2526,20 +2526,20 @@ write_msr_one_core()
> +                       # ret=4: msr doesn't exist, ret=127:
> msr.allow_writes=off
> +                       [ "$ret" = 127 ] && _write_denied=1
> +               # or fallback to dd if it supports seek_bytes, we
> prefer it over perl because we can tell the difference between EPERM
> and EIO
> +-              elif dd if=/dev/null of=/dev/null bs=8 count=1
> seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}"
> != 1 ]; then
> ++              elif @dd@ if=/dev/null of=/dev/null bs=8 count=1
> seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}"
> != 1 ]; then
> +                       _debug "write_msr: using dd"
> +-                      dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8
> count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
> ++                      @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr
> bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
> +                       # if it failed, inspect stderrto look for
> EPERM
> +                       if [ "$ret" != 0 ]; then
> +-                              if dd if=/dev/zero
> of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec"
> oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then
> ++                              if @dd@ if=/dev/zero
> of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec"
> oflag=seek_bytes 2>&1 | @grep@ -qF 'Operation not permitted'; then
> +                                       _write_denied=1
> +                               fi
> +                       fi
> +               # or if we have perl, use it, any 5.x version will
> work
> +-              elif command -v perl >/dev/null 2>&1 && [
> "${SMC_NO_PERL:-}" != 1 ]; then
> ++              elif command -v @perl@ >/dev/null 2>&1 && [
> "${SMC_NO_PERL:-}" != 1 ]; then
> +                       _debug "write_msr: using perl"
> +                       ret=1
> +-                      perl -e "open(M,'>','/dev/cpu/$_core/msr')
> and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -
> eq 8 ] && ret=0
> ++                      @perl@ -e "open(M,'>','/dev/cpu/$_core/msr')
> and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -
> eq 8 ] && ret=0
> +               else
> +                       _debug "write_msr: got no wrmsr, perl or
> recent enough dd!"
> +                       mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR")
> +@@ -2561,13 +2561,13 @@ write_msr_one_core()
> +                               msr_locked_down=1
> +                               write_msr_msg="your kernel is
> configured to deny writes to MSRs from user space"
> +                               return $WRITE_MSR_RET_LOCKDOWN
> +-                      elif dmesg | grep -qF "msr: Direct access to
> MSR"; then
> ++                      elif @dmesg@ | @grep@ -qF "msr: Direct access
> to MSR"; then
> +                               _debug "write_msr: locked down kernel
> detected (Red Hat / Fedora)"
> +                               mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
> +                               msr_locked_down=1
> +                               write_msr_msg="your kernel is locked
> down (Fedora/Red Hat), please reboot without secure boot and retry"
> +                               return $WRITE_MSR_RET_LOCKDOWN
> +-                      elif dmesg | grep -qF "raw MSR access is
> restricted"; then
> ++                      elif @dmesg@ | @grep@ -qF "raw MSR access is
> restricted"; then
> +                               _debug "write_msr: locked down kernel
> detected (vanilla)"
> +                               mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
> +                               msr_locked_down=1
> +@@ -2666,8 +2666,8 @@ read_msr_one_core()
> +                       return $READ_MSR_RET_KO
> +               fi
> +               # MSR 0x10: 0x000003e1 0xb106dded
> +-              _msr_h=$(echo "$_msr" | awk '{print $3}');
> +-              _msr_l=$(echo "$_msr" | awk '{print $4}');
> ++              _msr_h=$(echo "$_msr" | @awk@ '{print $3}');
> ++              _msr_l=$(echo "$_msr" | @awk@ '{print $4}');
> +               read_msr_value=$(( _msr_h << 32 | _msr_l ))
> +       else
> +               # for Linux
> +@@ -2678,15 +2678,15 @@ read_msr_one_core()
> +               # if rdmsr is available, use it
> +               elif command -v rdmsr >/dev/null 2>&1 && [
> "${SMC_NO_RDMSR:-}" != 1 ]; then
> +                       _debug "read_msr: using rdmsr on $_msr"
> +-                      read_msr_value=$(rdmsr -r $_msr_dec
> 2>/dev/null | od -t u8 -A n)
> ++                      read_msr_value=$(rdmsr -r $_msr_dec
> 2>/dev/null | @od@ -t u8 -A n)
> +               # or if we have perl, use it, any 5.x version will
> work
> +-              elif command -v perl >/dev/null 2>&1 && [
> "${SMC_NO_PERL:-}" != 1 ]; then
> ++              elif command -v @perl@ >/dev/null 2>&1 && [
> "${SMC_NO_PERL:-}" != 1 ]; then
> +                       _debug "read_msr: using perl on $_msr"
> +-                      read_msr_value=$(perl -e
> "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and
> read(M,\$_,8) and print" | od -t u8 -A n)
> ++                      read_msr_value=$(@perl@ -e
> "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and
> read(M,\$_,8) and print" | @od@ -t u8 -A n)
> +               # fallback to dd if it supports skip_bytes
> +-              elif dd if=/dev/null of=/dev/null bs=8 count=1
> skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
> ++              elif @dd@ if=/dev/null of=/dev/null bs=8 count=1
> skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
> +                       _debug "read_msr: using dd on $_msr"
> +-                      read_msr_value=$(dd if=/dev/cpu/"$_core"/msr
> bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8
> -A n)
> ++                      read_msr_value=$(@dd@
> if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec"
> iflag=skip_bytes 2>/dev/null | @od@ -t u8 -A n)
> +               else
> +                       _debug "read_msr: got no rdmsr, perl or
> recent enough dd!"
> +                       mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR")
> +@@ -2710,7 +2710,7 @@ check_cpu()
> + {
> +       _info "\033[1;34mHardware check\033[0m"
> +
> +-      if ! uname -m | grep -qwE 'x86_64|i[3-6]86|amd64'; then
> ++      if ! @uname@ -m | @grep@ -qwE 'x86_64|i[3-6]86|amd64'; then
> +               return
> +       fi
> +
> +@@ -3326,19 +3326,19 @@ check_redhat_canonical_spectre()
> +       # if we were already called, don't do it again
> +       [ -n "${redhat_canonical_spectre:-}" ] && return
> +
> +-      if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1;
> then
> ++      if ! command -v "@strings@" >/dev/null 2>&1; then
> +               redhat_canonical_spectre=-1
> +       elif [ -n "$kernel_err" ]; then
> +               redhat_canonical_spectre=-2
> +       else
> +               # Red Hat / Ubuntu specific variant1 patch is
> difficult to detect,
> +               # let's use the two same tricks than the official Red
> Hat detection script uses:
> +-              if "${opt_arch_prefix}strings" "$kernel" | grep -qw
> noibrs && "${opt_arch_prefix}strings" "$kernel" | grep -qw noibpb;
> then
> ++              if "@strings@" "$kernel" | @grep@ -qw noibrs &&
> "@strings@" "$kernel" | @grep@ -qw noibpb; then
> +                       # 1) detect their specific variant2 patch. If
> it's present, it means
> +                       # that the variant1 patch is also present
> (both were merged at the same time)
> +                       _debug "found redhat/canonical version of the
> variant2 patch (implies variant1)"
> +                       redhat_canonical_spectre=1
> +-              elif "${opt_arch_prefix}strings" "$kernel" | grep -q
> 'x86/pti:'; then
> ++              elif "@strings@" "$kernel" | @grep@ -q 'x86/pti:';
> then
> +                       # 2) detect their specific variant3 patch. If
> it's present, but the variant2
> +                       # is not, it means that only variant1 is
> present in addition to variant3
> +                       _debug "found redhat/canonical version of the
> variant3 patch (implies variant1 but not variant2)"
> +@@ -3363,13 +3363,13 @@ check_has_vmm()
> +               # If we find no evidence that this is the case,
> assume we're not (to avoid scaring users),
> +               # this can always be overridden with --vmm in any
> case.
> +               has_vmm=0
> +-              if command -v pgrep >/dev/null 2>&1; then
> ++              if command -v @pgrep@ >/dev/null 2>&1; then
> +                       # remove xenbus and xenwatch, also present
> inside domU
> +                       # remove libvirtd as it can also be used to
> manage containers and not VMs
> +                       # for each binary we want to grep, get the
> pids
> +                       for _binary in qemu kvm xenstored xenconsoled
> +                       do
> +-                              for _pid in $(pgrep -x $_binary)
> ++                              for _pid in $(@pgrep@ -x $_binary)
> +                               do
> +                                       # resolve the exe symlink, if
> it doesn't resolve with -m,
> +                                       # which doesn't even need the
> dest to exist, it means the symlink
> +@@ -3385,7 +3385,7 @@ check_has_vmm()
> +               else
> +                       # ignore SC2009 as `ps ax` is actually used
> as a fallback if `pgrep` isn't installed
> +                       # shellcheck disable=SC2009
> +-                      if command -v ps >/devnull && ps ax | grep -
> vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e
> '/xenstored' -e '/xenconsoled'; then
> ++                      if command -v ps >/devnull && ps ax | @grep@
> -vw grep | @grep@ -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e
> '/xenstored' -e '/xenconsoled'; then
> +                               has_vmm=1
> +                       fi
> +               fi
> +@@ -3417,7 +3417,7 @@ check_CVE_2017_5753()
> +       _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> +       if [ "$os" = Linux ]; then
> +               check_CVE_2017_5753_linux
> +-      elif echo "$os" | grep -q BSD; then
> ++      elif echo "$os" | @grep@ -q BSD; then
> +               check_CVE_2017_5753_bsd
> +       else
> +               _warn "Unsupported OS ($os)"
> +@@ -3469,20 +3469,20 @@ check_CVE_2017_5753_linux()
> +               v1_mask_nospec=''
> +               if [ -n "$kernel_err" ]; then
> +                       pstatus yellow UNKNOWN "couldn't check
> ($kernel_err)"
> +-              elif ! command -v perl >/dev/null 2>&1; then
> ++              elif ! command -v @perl@ >/dev/null 2>&1; then
> +                       pstatus yellow UNKNOWN "missing 'perl'
> binary, please install it"
> +               else
> +-                      perl -ne
> '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END {
> exit($found) }' "$kernel"; ret=$?
> ++                      @perl@ -ne
> '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END {
> exit($found) }' "$kernel"; ret=$?
> +                       if [ $ret -gt 0 ]; then
> +                               pstatus green YES "$ret occurrence(s)
> found of x86 64 bits array_index_mask_nospec()"
> +                               v1_mask_nospec="x86 64 bits
> array_index_mask_nospec"
> +                       else
> +-                              perl -ne
> '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END {
> exit($found) }' "$kernel"; ret=$?
> ++                              @perl@ -ne
> '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END {
> exit($found) }' "$kernel"; ret=$?
> +                               if [ $ret -gt 0 ]; then
> +                                       pstatus green YES "$ret
> occurrence(s) found of x86 32 bits array_index_mask_nospec()"
> +                                       v1_mask_nospec="x86 32 bits
> array_index_mask_nospec"
> +                               else
> +-
>                                       ret=$("${opt_arch_prefix}objdum
> p" $objdump_options "$kernel" | grep -w -e f3af8014 -e e320f014 -B2 |
> grep -B1 -w sbc | grep -w -c cmp)
> ++                                      ret=$("@objdump@"
> $objdump_options "$kernel" | @grep@ -w -e f3af8014 -e e320f014 -B2 |
> @grep@ -B1 -w sbc | @grep@ -w -c cmp)
> +                                       if [ "$ret" -gt 0 ]; then
> +                                               pstatus green YES
> "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()"
> +                                               v1_mask_nospec="arm
> 32 bits array_index_mask_nospec"
> +@@ -3526,12 +3526,12 @@ check_CVE_2017_5753_linux()
> +                       pstatus yellow NO
> +               elif [ -n "$kernel_err" ]; then
> +                       pstatus yellow UNKNOWN "couldn't check
> ($kernel_err)"
> +-              elif ! command -v perl >/dev/null 2>&1; then
> ++              elif ! command -v @perl@ >/dev/null 2>&1; then
> +                       pstatus yellow UNKNOWN "missing 'perl'
> binary, please install it"
> +-              elif ! command -v "${opt_arch_prefix}objdump"
> >/dev/null 2>&1; then
> ++              elif ! command -v "@objdump@" >/dev/null 2>&1; then
> +                       pstatus yellow UNKNOWN "missing
> '${opt_arch_prefix}objdump' tool, please install it, usually it's in
> the binutils package"
> +               else
> +-                      "${opt_arch_prefix}objdump" $objdump_options
> "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ &&
> $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ &&
> $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
> ++                      "@objdump@" $objdump_options "$kernel" |
> @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/
> && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift
> @r if @r>3'; ret=$?
> +                       if [ "$ret" -eq 9 ]; then
> +                               pstatus green YES "mask_nospec64
> macro is present and used"
> +                               v1_mask_nospec="arm64 mask_nospec64"
> +@@ -3553,12 +3553,12 @@ check_CVE_2017_5753_linux()
> +                       pstatus yellow NO
> +               elif [ -n "$kernel_err" ]; then
> +                       pstatus yellow UNKNOWN "couldn't check
> ($kernel_err)"
> +-              elif ! command -v perl >/dev/null 2>&1; then
> ++              elif ! command -v @perl@ >/dev/null 2>&1; then
> +                       pstatus yellow UNKNOWN "missing 'perl'
> binary, please install it"
> +-              elif ! command -v "${opt_arch_prefix}objdump"
> >/dev/null 2>&1; then
> ++              elif ! command -v "@objdump@" >/dev/null 2>&1; then
> +                       pstatus yellow UNKNOWN "missing
> '${opt_arch_prefix}objdump' tool, please install it, usually it's in
> the binutils package"
> +               else
> +-                      "${opt_arch_prefix}objdump" -d "$kernel" |
> perl -ne 'push @r, $_; /\s(hint|csdb)\s/ &&
> $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ &&
> $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9);
> shift @r if @r>3'; ret=$?
> ++                      "@objdump@" -d "$kernel" | @perl@ -ne 'push
> @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ &&
> $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9);
> shift @r if @r>3'; ret=$?
> +                       if [ "$ret" -eq 9 ]; then
> +                               pstatus green YES "array_index_nospec
> macro is present and used"
> +                               v1_mask_nospec="arm64
> array_index_nospec"
> +@@ -3574,7 +3574,7 @@ check_CVE_2017_5753_linux()
> +                       if [ -n "$kernel_err" ]; then
> +                               pstatus yellow UNKNOWN "couldn't
> check ($kernel_err)"
> +                       else
> +-                              if ! command -v
> "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
> ++                              if ! command -v "@objdump@"
> >/dev/null 2>&1; then
> +                                       pstatus yellow UNKNOWN
> "missing '${opt_arch_prefix}objdump' tool, please install it, usually
> it's in the binutils package"
> +                               else
> +                                       # here we disassemble the
> kernel and count the number of occurrences of the LFENCE opcode
> +@@ -3584,7 +3584,7 @@ check_CVE_2017_5753_linux()
> +                                       # so let's push the threshold
> to 70.
> +                                       # v0.33+: now only count
> lfence opcodes after a jump, way less error-prone
> +                                       # non patched kernel have
> between 0 and 20 matches, patched ones have at least 40-45
> +-
>                                       nb_lfence=$("${opt_arch_prefix}
> objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence
> | grep -Ewc 'jmp|jne|je')
> ++                                      nb_lfence=$("@objdump@"
> $objdump_options "$kernel" 2>/dev/null | @grep@ -w -B1 lfence |
> @grep@ -Ewc 'jmp|jne|je')
> +                                       if [ "$nb_lfence" -lt 30 ];
> then
> +                                               pstatus yellow NO
> "only $nb_lfence jump-then-lfence instructions found, should be >= 30
> (heuristic)"
> +                                       else
> +@@ -3655,7 +3655,7 @@ check_CVE_2017_5715()
> +       _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> +       if [ "$os" = Linux ]; then
> +               check_CVE_2017_5715_linux
> +-      elif echo "$os" | grep -q BSD; then
> ++      elif echo "$os" | @grep@ -q BSD; then
> +               check_CVE_2017_5715_bsd
> +       else
> +               _warn "Unsupported OS ($os)"
> +@@ -3697,13 +3697,13 @@ check_CVE_2017_5715_linux()
> +                                       #
> /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed
> +                                       specex_knob_dir=$dir
> +                                       ibrs_supported="$dir/ibrs_ena
> bled exists"
> +-                                      ibrs_enabled=$(cat
> "$dir/ibrs_enabled" 2>/dev/null)
> ++                                      ibrs_enabled=$(@cat@
> "$dir/ibrs_enabled" 2>/dev/null)
> +                                       _debug "ibrs: found
> $dir/ibrs_enabled=$ibrs_enabled"
> +                                       # if ibrs_enabled is there,
> ibpb_enabled will be in the same dir
> +                                       if [ -e "$dir/ibpb_enabled"
> ]; then
> +                                               # if the file is
> there, we have IBPB compiled-in (see note above for IBRS)
> +                                               ibpb_supported="$dir/
> ibpb_enabled exists"
> +-                                              ibpb_enabled=$(cat
> "$dir/ibpb_enabled" 2>/dev/null)
> ++                                              ibpb_enabled=$(@cat@
> "$dir/ibpb_enabled" 2>/dev/null)
> +                                               _debug "ibpb: found
> $dir/ibpb_enabled=$ibpb_enabled"
> +                                       else
> +                                               _debug "ibpb:
> $dir/ibpb_enabled file doesn't exist"
> +@@ -3718,7 +3718,7 @@ check_CVE_2017_5715_linux()
> +                       # which in that case means ibrs is supported
> *and* enabled for kernel & user
> +                       # as per the ibrs patch series v3
> +                       if [ -z "$ibrs_supported" ]; then
> +-                              if grep ^flags "$procfs/cpuinfo" |
> grep -qw spec_ctrl_ibrs; then
> ++                              if @grep@ ^flags "$procfs/cpuinfo" |
> @grep@ -qw spec_ctrl_ibrs; then
> +                                       _debug "ibrs: found
> spec_ctrl_ibrs flag in $procfs/cpuinfo"
> +                                       ibrs_supported="spec_ctrl_ibr
> s flag in $procfs/cpuinfo"
> +                                       # enabled=2 -> kernel & user
> +@@ -3728,13 +3728,13 @@ check_CVE_2017_5715_linux()
> +                       fi
> +                       if [ -n "$fullmsg" ]; then
> +                               # when IBPB is enabled on 4.15+, we
> can see it in sysfs
> +-                              if echo "$fullmsg" | grep -q 'IBPB';
> then
> ++                              if echo "$fullmsg" | @grep@ -q
> 'IBPB'; then
> +                                       _debug "ibpb: found enabled
> in sysfs"
> +                                       [ -z "$ibpb_supported" ] &&
> ibpb_supported='IBPB found enabled in sysfs'
> +                                       [ -z "$ibpb_enabled"   ] &&
> ibpb_enabled=1
> +                               fi
> +                               # when IBRS_FW is enabled on 4.15+,
> we can see it in sysfs
> +-                              if echo "$fullmsg" | grep -q ',
> IBRS_FW'; then
> ++                              if echo "$fullmsg" | @grep@ -q ',
> IBRS_FW'; then
> +                                       _debug "ibrs: found IBRS_FW
> in sysfs"
> +                                       [ -z "$ibrs_supported" ] &&
> ibrs_supported='found IBRS_FW in sysfs'
> +                                       ibrs_fw_enabled=1
> +@@ -3742,13 +3742,13 @@ check_CVE_2017_5715_linux()
> +                               # when IBRS is enabled on 4.15+, we
> can see it in sysfs
> +                               # on a more recent kernel, classic
> "IBRS" is not even longer an option, because of the performance
> impact.
> +                               # only "Enhanced IBRS" is available
> (on CPUs with the IBRS_ALL flag)
> +-                              if echo "$fullmsg" | grep -q -e
> '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
> ++                              if echo "$fullmsg" | @grep@ -q -e
> '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
> +                                       _debug "ibrs: found IBRS in
> sysfs"
> +                                       [ -z "$ibrs_supported" ] &&
> ibrs_supported='found IBRS in sysfs'
> +                                       [ -z "$ibrs_enabled"   ] &&
> ibrs_enabled=3
> +                               fi
> +                               # checking for 'Enhanced IBRS' in
> sysfs, enabled on CPUs with IBRS_ALL
> +-                              if echo "$fullmsg" | grep -q -e
> 'Enhanced IBRS'; then
> ++                              if echo "$fullmsg" | @grep@ -q -e
> 'Enhanced IBRS'; then
> +                                       [ -z "$ibrs_supported" ] &&
> ibrs_supported='found Enhanced IBRS in sysfs'
> +                                       # 4 isn't actually a valid
> value of the now extinct "ibrs_enabled" flag file,
> +                                       # that only went from 0 to 3,
> so we use 4 as "enhanced ibrs is enabled"
> +@@ -3767,11 +3767,11 @@ check_CVE_2017_5715_linux()
> +                       fi
> +               fi
> +               if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then
> +-                      if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++                      if ! command -v "@strings@" >/dev/null 2>&1;
> then
> +                               :
> +                       else
> +                               ibrs_can_tell=1
> +-
>                               ibrs_supported=$("${opt_arch_prefix}str
> ings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1)
> ++                              ibrs_supported=$("@strings@"
> "$kernel" | @grep@ -Fw -e ', IBRS_FW' | @head@ -1)
> +                               if [ -n "$ibrs_supported" ]; then
> +                                       _debug "ibrs: found ibrs
> evidence in kernel image ($ibrs_supported)"
> +                                       ibrs_supported="found
> '$ibrs_supported' in kernel image"
> +@@ -3780,7 +3780,7 @@ check_CVE_2017_5715_linux()
> +               fi
> +               if [ -z "$ibrs_supported" ] && [ -n "$opt_map" ];
> then
> +                       ibrs_can_tell=1
> +-                      if grep -q spec_ctrl "$opt_map"; then
> ++                      if @grep@ -q spec_ctrl "$opt_map"; then
> +                               ibrs_supported="found spec_ctrl in
> symbols file"
> +                               _debug "ibrs: found '*spec_ctrl*'
> symbol in $opt_map"
> +                       fi
> +@@ -3788,11 +3788,11 @@ check_CVE_2017_5715_linux()
> +               # recent (4.15) vanilla kernels have IBPB but not
> IBRS, and without the debugfs tunables of Red Hat
> +               # we can detect it directly in the image
> +               if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then
> +-                      if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++                      if ! command -v "@strings@" >/dev/null 2>&1;
> then
> +                               :
> +                       else
> +                               ibpb_can_tell=1
> +-
>                               ibpb_supported=$("${opt_arch_prefix}str
> ings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1)
> ++                              ibpb_supported=$("@strings@"
> "$kernel" | @grep@ -Fw -e 'ibpb' -e ', IBPB' | @head@ -1)
> +                               if [ -n "$ibpb_supported" ]; then
> +                                       _debug "ibpb: found ibpb
> evidence in kernel image ($ibpb_supported)"
> +                                       ibpb_supported="found
> '$ibpb_supported' in kernel image"
> +@@ -3841,9 +3841,9 @@ check_CVE_2017_5715_linux()
> +                                       2)      if [
> "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel, user
> space, and firmware code" ; else pstatus green YES "for both kernel
> and user space"; fi;;
> +                                       3)      if [
> "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and
> firmware code"; else pstatus green YES; fi;;
> +                                       4)      pstatus green YES
> "Enhanced flavor, performance impact will be greatly reduced";;
> +-                                      *)      if [ "$cpuid_ibrs" !=
> 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [
> "$cpuid_spec_ctrl" != -1 ];
> +-                                                      then pstatus
> yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
> +-                                              else
> ++                                      *)      if [ "$cpuid_ibrs" !=
> 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [
> "$cpuid_spec_ctrl" != -1 ];
> ++                                                      then pstatus
> yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
> ++                                              else
> +                                                       pstatus
> yellow UNKNOWN; fi;;
> +                               esac
> +                       fi
> +@@ -3894,7 +3894,7 @@ check_CVE_2017_5715_linux()
> +               bp_harden=''
> +               if [ -r "$opt_config" ]; then
> +                       bp_harden_can_tell=1
> +-                      bp_harden=$(grep -w
> 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
> ++                      bp_harden=$(@grep@ -w
> 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
> +                       if [ -n "$bp_harden" ]; then
> +                               pstatus green YES
> +                               _debug "bp_harden: found '$bp_harden'
> in $opt_config"
> +@@ -3902,7 +3902,7 @@ check_CVE_2017_5715_linux()
> +               fi
> +               if [ -z "$bp_harden" ] && [ -n "$opt_map" ]; then
> +                       bp_harden_can_tell=1
> +-                      bp_harden=$(grep -w bp_hardening_data
> "$opt_map")
> ++                      bp_harden=$(@grep@ -w bp_hardening_data
> "$opt_map")
> +                       if [ -n "$bp_harden" ]; then
> +                               pstatus green YES
> +                               _debug "bp_harden: found '$bp_harden'
> in $opt_map"
> +@@ -3920,11 +3920,11 @@ check_CVE_2017_5715_linux()
> +               # We check the RETPOLINE kernel options
> +               retpoline=0
> +               if [ -r "$opt_config" ]; then
> +-                      if grep -q '^CONFIG_RETPOLINE=y'
> "$opt_config"; then
> ++                      if @grep@ -q '^CONFIG_RETPOLINE=y'
> "$opt_config"; then
> +                               pstatus green YES
> +                               retpoline=1
> +                               # shellcheck disable=SC2046
> +-                              _debug 'retpoline: found '$(grep
> '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
> ++                              _debug 'retpoline: found '$(@grep@
> '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
> +                       else
> +                               pstatus yellow NO
> +                       fi
> +@@ -3945,8 +3945,8 @@ check_CVE_2017_5715_linux()
> +                       # since 5.15.28, this is now "Retpolines" as
> the implementation was switched to a generic one,
> +                       # so we look for both "retpoline" and
> "retpolines"
> +                       if [ "$opt_live" = 1 ] && [ -n "$fullmsg" ];
> then
> +-                              if echo "$fullmsg" | grep -qwi -e
> retpoline -e retpolines; then
> +-                                      if echo "$fullmsg" | grep -
> qwi minimal; then
> ++                              if echo "$fullmsg" | @grep@ -qwi -e
> retpoline -e retpolines; then
> ++                                      if echo "$fullmsg" | @grep@ -
> qwi minimal; then
> +                                               retpoline_compiler=0
> +                                               retpoline_compiler_re
> ason="kernel reports minimal retpoline compilation"
> +                                       else
> +@@ -3956,19 +3956,19 @@ check_CVE_2017_5715_linux()
> +                               fi
> +                       elif [ -n "$opt_map" ]; then
> +                               # look for the symbol
> +-                              if grep -qw noretpoline_setup
> "$opt_map"; then
> ++                              if @grep@ -qw noretpoline_setup
> "$opt_map"; then
> +                                       retpoline_compiler=1
> +                                       retpoline_compiler_reason="no
> retpoline_setup symbol found in System.map"
> +                               fi
> +                       elif [ -n "$kernel" ]; then
> +                               # look for the symbol
> +-                              if command -v "${opt_arch_prefix}nm"
> >/dev/null 2>&1; then
> ++                              if command -v "@nm@" >/dev/null 2>&1;
> then
> +                                       # the proper way: use nm and
> look for the symbol
> +-                                      if "${opt_arch_prefix}nm"
> "$kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then
> ++                                      if "@nm@" "$kernel"
> 2>/dev/null | @grep@ -qw 'noretpoline_setup'; then
> +                                               retpoline_compiler=1
> +                                               retpoline_compiler_re
> ason="noretpoline_setup found in kernel symbols"
> +                                       fi
> +-                              elif grep -q noretpoline_setup
> "$kernel"; then
> ++                              elif @grep@ -q noretpoline_setup
> "$kernel"; then
> +                                       # if we don't have nm,
> nevermind, the symbol name is long enough to not have
> +                                       # any false positive using
> good old grep directly on the binary
> +                                       retpoline_compiler=1
> +@@ -3997,7 +3997,7 @@ check_CVE_2017_5715_linux()
> +               retp_enabled=-1
> +               if [ "$opt_live" = 1 ]; then
> +                       if [ -e "$specex_knob_dir/retp_enabled" ];
> then
> +-                              retp_enabled=$(cat
> "$specex_knob_dir/retp_enabled" 2>/dev/null)
> ++                              retp_enabled=$(@cat@
> "$specex_knob_dir/retp_enabled" 2>/dev/null)
> +                               _debug "retpoline: found
> $specex_knob_dir/retp_enabled=$retp_enabled"
> +                               _info_nol "    * Retpoline is
> enabled: "
> +                               if [ "$retp_enabled" = 1 ]; then
> +@@ -4027,7 +4027,7 @@ check_CVE_2017_5715_linux()
> +                       rsb_filling=0
> +                       if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs"
> != 1 ]; then
> +                               # if we're live and we aren't denied
> looking into /sys, let's do it
> +-                              if echo "$msg" | grep -qw RSB; then
> ++                              if echo "$msg" | @grep@ -qw RSB; then
> +                                       rsb_filling=1
> +                                       pstatus green YES
> +                               fi
> +@@ -4036,7 +4036,7 @@ check_CVE_2017_5715_linux()
> +                               if [ -n "$kernel_err" ]; then
> +                                       pstatus yellow UNKNOWN
> "couldn't check ($kernel_err)"
> +                               else
> +-                                      if grep -qw -e 'Filling RSB
> on context switch' "$kernel"; then
> ++                                      if @grep@ -qw -e 'Filling RSB
> on context switch' "$kernel"; then
> +                                               rsb_filling=1
> +                                               pstatus green YES
> +                                       else
> +@@ -4198,7 +4198,7 @@ check_CVE_2017_5715_bsd()
> + {
> +       _info     "* Mitigation 1"
> +       _info_nol "  * Kernel supports IBRS: "
> +-      ibrs_disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null)
> ++      ibrs_disabled=$(@sysctl@ -n hw.ibrs_disable 2>/dev/null)
> +       if [ -z "$ibrs_disabled" ]; then
> +               pstatus yellow NO
> +       else
> +@@ -4206,7 +4206,7 @@ check_CVE_2017_5715_bsd()
> +       fi
> +
> +       _info_nol "  * IBRS enabled and active: "
> +-      ibrs_active=$(sysctl -n hw.ibrs_active 2>/dev/null)
> ++      ibrs_active=$(@sysctl@ -n hw.ibrs_active 2>/dev/null)
> +       if [ "$ibrs_active" = 1 ]; then
> +               pstatus green YES
> +       else
> +@@ -4219,10 +4219,10 @@ check_CVE_2017_5715_bsd()
> +       if [ -n "$kernel_err" ]; then
> +               pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
> +       else
> +-              if ! command -v "${opt_arch_prefix}readelf"
> >/dev/null 2>&1; then
> ++              if ! command -v "@readelf@" >/dev/null 2>&1; then
> +                       pstatus yellow UNKNOWN "missing
> '${opt_arch_prefix}readelf' tool, please install it, usually it's in
> the binutils package"
> +               else
> +-                      nb_thunks=$("${opt_arch_prefix}readelf" -s
> "$kernel" | grep -c -e __llvm_retpoline_ -e
> __llvm_external_retpoline_ -e __x86_indirect_thunk_)
> ++                      nb_thunks=$("@readelf@" -s "$kernel" | @grep@
> -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e
> __x86_indirect_thunk_)
> +                       if [ "$nb_thunks" -gt 0 ]; then
> +                               retpoline=1
> +                               pstatus green YES "found $nb_thunks
> thunk(s)"
> +@@ -4263,7 +4263,7 @@ check_CVE_2017_5715_bsd()
> + pti_performance_check()
> + {
> +       _info_nol "  * Reduced performance impact of PTI: "
> +-      if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo"
> | grep -qw pcid; then
> ++      if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags
> "$procfs/cpuinfo" | @grep@ -qw pcid; then
> +               cpu_pcid=1
> +       else
> +               read_cpuid 0x1 0x0 $ECX 17 1 1; ret=$?
> +@@ -4272,7 +4272,7 @@ pti_performance_check()
> +               fi
> +       fi
> +
> +-      if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo"
> | grep -qw invpcid; then
> ++      if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags
> "$procfs/cpuinfo" | @grep@ -qw invpcid; then
> +               cpu_invpcid=1
> +       else
> +               read_cpuid 0x7 0x0 $EBX 10 1 1; ret=$?
> +@@ -4297,7 +4297,7 @@ check_CVE_2017_5754()
> +       _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> +       if [ "$os" = Linux ]; then
> +               check_CVE_2017_5754_linux
> +-      elif echo "$os" | grep -q BSD; then
> ++      elif echo "$os" | @grep@ -q BSD; then
> +               check_CVE_2017_5754_bsd
> +       else
> +               _warn "Unsupported OS ($os)"
> +@@ -4319,7 +4319,7 @@ check_CVE_2017_5754_linux()
> +               kpti_can_tell=0
> +               if [ -n "$opt_config" ]; then
> +                       kpti_can_tell=1
> +-                      kpti_support=$(grep -w -e
> CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e
> CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
> ++                      kpti_support=$(@grep@ -w -e
> CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e
> CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
> +                       if [ -n "$kpti_support" ]; then
> +                               _debug "kpti_support: found option
> '$kpti_support' in $opt_config"
> +                       fi
> +@@ -4329,7 +4329,7 @@ check_CVE_2017_5754_linux()
> +                       # so we try to find an exported symbol that
> is part of the PTI patch in System.map
> +                       # parse_kpti: arm
> +                       kpti_can_tell=1
> +-                      kpti_support=$(grep -w -e kpti_force_enabled
> -e parse_kpti "$opt_map")
> ++                      kpti_support=$(@grep@ -w -e
> kpti_force_enabled -e parse_kpti "$opt_map")
> +                       if [ -n "$kpti_support" ]; then
> +                               _debug "kpti_support: found
> '$kpti_support' in $opt_map"
> +                       fi
> +@@ -4339,10 +4339,10 @@ check_CVE_2017_5754_linux()
> +                       # nopti option that is part of the patch
> (kernel command line option)
> +                       # 'kpti=': arm
> +                       kpti_can_tell=1
> +-                      if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++                      if ! command -v "@strings@" >/dev/null 2>&1;
> then
> +                               pstatus yellow UNKNOWN "missing
> '${opt_arch_prefix}strings' tool, please install it, usually it's in
> the binutils package"
> +                       else
> +-
>                               kpti_support=$("${opt_arch_prefix}strin
> gs" "$kernel" | grep -w -e nopti -e kpti=)
> ++                              kpti_support=$("@strings@" "$kernel"
> | @grep@ -w -e nopti -e kpti=)
> +                               if [ -n "$kpti_support" ]; then
> +                                       _debug "kpti_support: found
> '$kpti_support' in $kernel"
> +                               fi
> +@@ -4369,20 +4369,20 @@ check_CVE_2017_5754_linux()
> +                       dmesg_grep="$dmesg_grep|x86/pti: Unmapping
> kernel while in userspace"
> +                       # aarch64
> +                       dmesg_grep="$dmesg_grep|CPU features:
> detected( feature)?: Kernel page table isolation \(KPTI\)"
> +-                      if grep ^flags "$procfs/cpuinfo" | grep -qw
> pti; then
> ++                      if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -
> qw pti; then
> +                               # vanilla PTI patch sets the 'pti'
> flag in cpuinfo
> +                               _debug "kpti_enabled: found 'pti'
> flag in $procfs/cpuinfo"
> +                               kpti_enabled=1
> +-                      elif grep ^flags "$procfs/cpuinfo" | grep -qw
> kaiser; then
> ++                      elif @grep@ ^flags "$procfs/cpuinfo" | @grep@
> -qw kaiser; then
> +                               # kernel line 4.9 sets the 'kaiser'
> flag in cpuinfo
> +                               _debug "kpti_enabled: found 'kaiser'
> flag in $procfs/cpuinfo"
> +                               kpti_enabled=1
> +                       elif [ -e /sys/kernel/debug/x86/pti_enabled
> ]; then
> +                               # Red Hat Backport creates a
> dedicated file, see https://access.redhat.com/articles/3311301
> +-                              kpti_enabled=$(cat
> /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
> ++                              kpti_enabled=$(@cat@
> /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
> +                               _debug "kpti_enabled: file
> /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled"
> +                       elif is_xen_dom0; then
> +-                              pti_xen_pv_domU=$(xl dmesg | grep
> 'XPTI' | grep 'DomU enabled' | head -1)
> ++                              pti_xen_pv_domU=$(xl @dmesg@ | @grep@
> 'XPTI' | @grep@ 'DomU enabled' | @head@ -1)
> +
> +                               [ -n "$pti_xen_pv_domU" ] &&
> kpti_enabled=1
> +                       fi
> +@@ -4457,7 +4457,7 @@ check_CVE_2017_5754_linux()
> +                               if [ -n "$kpti_support" ]; then
> +                                       if [ -e
> "/sys/kernel/debug/x86/pti_enabled" ]; then
> +                                               explain "Your kernel
> supports PTI but it's disabled, you can enable it with \`echo 1 >
> /sys/kernel/debug/x86/pti_enabled\`"
> +-                                      elif echo "$kernel_cmdline" |
> grep -q -w -e nopti -e pti=off; then
> ++                                      elif echo "$kernel_cmdline" |
> @grep@ -q -w -e nopti -e pti=off; then
> +                                               explain "Your kernel
> supports PTI but it has been disabled on command-line, remove the
> nopti or pti=off option from your bootloader configuration"
> +                                       else
> +                                               explain "Your kernel
> supports PTI but it has been disabled, check \`dmesg\` right after
> boot to find clues why the system disabled it"
> +@@ -4508,7 +4508,7 @@ check_CVE_2017_5754_linux()
> + check_CVE_2017_5754_bsd()
> + {
> +       _info_nol "* Kernel supports Page Table Isolation (PTI): "
> +-      kpti_enabled=$(sysctl -n vm.pmap.pti 2>/dev/null)
> ++      kpti_enabled=$(@sysctl@ -n vm.pmap.pti 2>/dev/null)
> +       if [ -z "$kpti_enabled" ]; then
> +               pstatus yellow NO
> +       else
> +@@ -4579,7 +4579,7 @@ check_CVE_2018_3639()
> +       _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> +       if [ "$os" = Linux ]; then
> +               check_CVE_2018_3639_linux
> +-      elif echo "$os" | grep -q BSD; then
> ++      elif echo "$os" | @grep@ -q BSD; then
> +               check_CVE_2018_3639_bsd
> +       else
> +               _warn "Unsupported OS ($os)"
> +@@ -4598,33 +4598,33 @@ check_CVE_2018_3639_linux()
> +       if [ "$opt_sysfs_only" != 1 ]; then
> +               _info_nol "* Kernel supports disabling speculative
> store bypass (SSB): "
> +               if [ "$opt_live" = 1 ]; then
> +-                      if grep -Eq 'Speculation.?Store.?Bypass:'
> "$procfs/self/status" 2>/dev/null; then
> ++                      if @grep@ -Eq 'Speculation.?Store.?Bypass:'
> "$procfs/self/status" 2>/dev/null; then
> +                               kernel_ssb="found in
> $procfs/self/status"
> +                               _debug "found
> Speculation.Store.Bypass: in $procfs/self/status"
> +                       fi
> +               fi
> +               # arm64 kernels can have cpu_show_spec_store_bypass
> with ARM64_SSBD, so exclude them
> +-              if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! grep
> -q 'arm64_sys_' "$kernel"; then
> +-                      kernel_ssb=$("${opt_arch_prefix}strings"
> "$kernel" | grep spec_store_bypass | head -n1);
> ++              if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && !
> @grep@ -q 'arm64_sys_' "$kernel"; then
> ++                      kernel_ssb=$("@strings@" "$kernel" | @grep@
> spec_store_bypass | @head@ -n1);
> +                       [ -n "$kernel_ssb" ] && kernel_ssb="found
> $kernel_ssb in kernel"
> +               fi
> +               # arm64 kernels can have cpu_show_spec_store_bypass
> with ARM64_SSBD, so exclude them
> +-              if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && !
> grep -q 'arm64_sys_' "$opt_map"; then
> +-                      kernel_ssb=$(grep spec_store_bypass
> "$opt_map" | awk '{print $3}' | head -n1)
> ++              if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && !
> @grep@ -q 'arm64_sys_' "$opt_map"; then
> ++                      kernel_ssb=$(@grep@ spec_store_bypass
> "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
> +                       [ -n "$kernel_ssb" ] && kernel_ssb="found
> $kernel_ssb in System.map"
> +               fi
> +               # arm64 only:
> +               if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ]; then
> +-                      kernel_ssb=$(grep -w cpu_enable_ssbs
> "$opt_map" | awk '{print $3}' | head -n1)
> ++                      kernel_ssb=$(@grep@ -w cpu_enable_ssbs
> "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
> +                       [ -n "$kernel_ssb" ] && kernel_ssb="found
> $kernel_ssb in System.map"
> +               fi
> +               if [ -z "$kernel_ssb" ] && [ -n "$opt_config" ]; then
> +-                      kernel_ssb=$(grep -w 'CONFIG_ARM64_SSBD=y'
> "$opt_config")
> ++                      kernel_ssb=$(@grep@ -w 'CONFIG_ARM64_SSBD=y'
> "$opt_config")
> +                       [ -n "$kernel_ssb" ] &&
> kernel_ssb="CONFIG_ARM64_SSBD enabled in kconfig"
> +               fi
> +               if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then
> +                       # this string only appears in kernel if
> CONFIG_ARM64_SSBD is set
> +-                      kernel_ssb=$(grep -w "Speculative Store
> Bypassing Safe (SSBS)" "$kernel")
> ++                      kernel_ssb=$(@grep@ -w "Speculative Store
> Bypassing Safe (SSBS)" "$kernel")
> +                       [ -n "$kernel_ssb" ] && kernel_ssb="found
> 'Speculative Store Bypassing Safe (SSBS)' in kernel"
> +               fi
> +               # /arm64 only
> +@@ -4639,31 +4639,31 @@ check_CVE_2018_3639_linux()
> +               if [ "$opt_live" = 1 ]; then
> +                       #
> https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340
> +                       _info_nol "* SSB mitigation is enabled and
> active: "
> +-                      if grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status"
> 2>/dev/null; then
> ++                      if @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status"
> 2>/dev/null; then
> +                               kernel_ssbd_enabled=1
> +                               pstatus green YES "per-thread through
> prctl"
> +-                      elif grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated'
> "$procfs/self/status" 2>/dev/null; then
> ++                      elif @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated'
> "$procfs/self/status" 2>/dev/null; then
> +                               kernel_ssbd_enabled=2
> +                               pstatus green YES "global"
> +-                      elif grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable'
> "$procfs/self/status" 2>/dev/null; then
> ++                      elif @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable'
> "$procfs/self/status" 2>/dev/null; then
> +                               kernel_ssbd_enabled=0
> +                               pstatus yellow NO
> +-                      elif grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable'
> "$procfs/self/status" 2>/dev/null; then
> ++                      elif @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable'
> "$procfs/self/status" 2>/dev/null; then
> +                               kernel_ssbd_enabled=-2
> +                               pstatus blue NO "not vulnerable"
> +-                      elif grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+unknown'
> "$procfs/self/status" 2>/dev/null; then
> ++                      elif @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+unknown'
> "$procfs/self/status" 2>/dev/null; then
> +                               kernel_ssbd_enabled=0
> +                               pstatus blue NO
> +                       else
> +-                              pstatus blue UNKNOWN "unknown value:
> $(grep -E 'Speculation.?Store.?Bypass:' "$procfs/self/status"
> 2>/dev/null | cut -d: -f2-)"
> ++                              pstatus blue UNKNOWN "unknown value:
> $(@grep@ -E 'Speculation.?Store.?Bypass:' "$procfs/self/status"
> 2>/dev/null | @cut@ -d: -f2-)"
> +                       fi
> +
> +                       if [ "$kernel_ssbd_enabled" = 1 ]; then
> +                               _info_nol "* SSB mitigation currently
> active for selected processes: "
> +                               # silence grep's stderr here to avoid
> ENOENT errors from processes that have exited since the shell's
> expansion of the *
> +-                              mitigated_processes=$(find /proc -
> mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
> +-                                      | xargs -r0 grep -El
> 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated'
> 2>/dev/null \
> +-                                      | sed s/status/exe/ | xargs -
> r -n1 readlink -f 2>/dev/null | xargs -r -n1 basename | sort -u | tr
> "\n" " " | sed 's/ $//')
> ++                              mitigated_processes=$(@find@ /proc -
> mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
> ++                                      | @xargs@ -r0 @grep@ -El
> 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated'
> 2>/dev/null \
> ++                                      | @sed@ s/status/exe/ |
> @xargs@ -r -n1 readlink -f 2>/dev/null | @xargs@ -r -n1 @basename@ |
> @sort@ -u | @tr@ "\n" " " | @sed@ 's/ $//')
> +                               if [ -n "$mitigated_processes" ];
> then
> +                                       pstatus green YES
> "$mitigated_processes"
> +                               else
> +@@ -4715,7 +4715,7 @@ check_CVE_2018_3639_linux()
> + check_CVE_2018_3639_bsd()
> + {
> +       _info_nol "* Kernel supports speculation store bypass: "
> +-      if sysctl hw.spec_store_bypass_disable >/dev/null 2>&1; then
> ++      if @sysctl@ hw.spec_store_bypass_disable >/dev/null 2>&1;
> then
> +               kernel_ssb=1
> +               pstatus green YES
> +       else
> +@@ -4724,7 +4724,7 @@ check_CVE_2018_3639_bsd()
> +       fi
> +
> +       _info_nol "* Speculation store bypass is administratively
> enabled: "
> +-      ssb_enabled=$(sysctl -n hw.spec_store_bypass_disable
> 2>/dev/null)
> ++      ssb_enabled=$(@sysctl@ -n hw.spec_store_bypass_disable
> 2>/dev/null)
> +       _debug "hw.spec_store_bypass_disable=$ssb_enabled"
> +       case "$ssb_enabled" in
> +               0) pstatus yellow NO "disabled";;
> +@@ -4734,7 +4734,7 @@ check_CVE_2018_3639_bsd()
> +       esac
> +
> +       _info_nol "* Speculation store bypass is currently active: "
> +-      ssb_active=$(sysctl -n hw.spec_store_bypass_disable_active
> 2>/dev/null)
> ++      ssb_active=$(@sysctl@ -n hw.spec_store_bypass_disable_active
> 2>/dev/null)
> +       _debug "hw.spec_store_bypass_disable_active=$ssb_active"
> +       case "$ssb_active" in
> +               1) pstatus green YES;;
> +@@ -4806,7 +4806,7 @@ check_CVE_2018_3620()
> +       _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> +       if [ "$os" = Linux ]; then
> +               check_CVE_2018_3620_linux
> +-      elif echo "$os" | grep -q BSD; then
> ++      elif echo "$os" | @grep@ -q BSD; then
> +               check_CVE_2018_3620_bsd
> +       else
> +               _warn "Unsupported OS ($os)"
> +@@ -4824,14 +4824,14 @@ check_CVE_2018_3620_linux()
> +       fi
> +       if [ "$opt_sysfs_only" != 1 ]; then
> +               _info_nol "* Kernel supports PTE inversion: "
> +-              if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++              if ! command -v "@strings@" >/dev/null 2>&1; then
> +                       pstatus yellow UNKNOWN "missing 'strings'
> tool, please install it"
> +                       pteinv_supported=-1
> +               elif [ -n "$kernel_err" ]; then
> +                       pstatus yellow UNKNOWN "$kernel_err"
> +                       pteinv_supported=-1
> +               else
> +-                      if "${opt_arch_prefix}strings" "$kernel" |
> grep -Fq 'PTE Inversion'; then
> ++                      if "@strings@" "$kernel" | @grep@ -Fq 'PTE
> Inversion'; then
> +                               pstatus green YES "found in kernel
> image"
> +                               _debug "pteinv: found pte inversion
> evidence in kernel image"
> +                               pteinv_supported=1
> +@@ -4844,7 +4844,7 @@ check_CVE_2018_3620_linux()
> +               _info_nol "* PTE inversion enabled and active: "
> +               if [ "$opt_live" = 1 ]; then
> +                       if [ -n "$fullmsg" ]; then
> +-                              if echo "$fullmsg" | grep -q
> 'Mitigation: PTE Inversion'; then
> ++                              if echo "$fullmsg" | @grep@ -q
> 'Mitigation: PTE Inversion'; then
> +                                       pstatus green YES
> +                                       pteinv_active=1
> +                               else
> +@@ -4892,7 +4892,7 @@ check_CVE_2018_3620_bsd()
> +       else
> +               _debug "vmm module already loaded"
> +       fi
> +-      if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
> ++      if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
> +               #
> https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
> +               # this is very difficult to detect that the kernel
> reserved the 0 page, but this fix
> +               # is part of the exact same patch than the other L1TF
> CVE, so we detect it
> +@@ -4922,7 +4922,7 @@ check_CVE_2018_3646()
> +       _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> +       if [ "$os" = Linux ]; then
> +               check_CVE_2018_3646_linux
> +-      elif echo "$os" | grep -q BSD; then
> ++      elif echo "$os" | @grep@ -q BSD; then
> +               check_CVE_2018_3646_bsd
> +       else
> +               _warn "Unsupported OS ($os)"
> +@@ -4948,7 +4948,7 @@ check_CVE_2018_3646_linux()
> +               if [ "$opt_live" = 1 ]; then
> +                       if ! [ -r
> /sys/module/kvm_intel/parameters/ept ]; then
> +                               pstatus blue N/A "the kvm_intel
> module is not loaded"
> +-                      elif [ "$(cat
> /sys/module/kvm_intel/parameters/ept)" = N ]; then
> ++                      elif [ "$(@cat@
> /sys/module/kvm_intel/parameters/ept)" = N ]; then
> +                               pstatus green YES
> +                               ept_disabled=1
> +                       else
> +@@ -4960,15 +4960,15 @@ check_CVE_2018_3646_linux()
> +
> +               _info "* Mitigation 2"
> +               _info_nol "  * L1D flush is supported by kernel: "
> +-              if [ "$opt_live" = 1 ] && grep -qw flush_l1d
> "$procfs/cpuinfo"; then
> ++              if [ "$opt_live" = 1 ] && @grep@ -qw flush_l1d
> "$procfs/cpuinfo"; then
> +                       l1d_kernel="found flush_l1d in
> $procfs/cpuinfo"
> +               fi
> +               if [ -z "$l1d_kernel" ]; then
> +-                      if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++                      if ! command -v "@strings@" >/dev/null 2>&1;
> then
> +                               l1d_kernel_err="missing
> '${opt_arch_prefix}strings' tool, please install it, usually it's in
> the binutils package"
> +                       elif [ -n "$kernel_err" ]; then
> +                               l1d_kernel_err="$kernel_err"
> +-                      elif "${opt_arch_prefix}strings" "$kernel" |
> grep -qw flush_l1d; then
> ++                      elif "@strings@" "$kernel" | @grep@ -qw
> flush_l1d; then
> +                               l1d_kernel='found flush_l1d in kernel
> image'
> +                       fi
> +               fi
> +@@ -4989,20 +4989,20 @@ check_CVE_2018_3646_linux()
> +                               # $l1dstatus is one of
> (auto|vulnerable|conditional cache flushes|cache flushes|EPT
> disabled|flush not necessary)
> +                               # $smtstatus is one of
> (vulnerable|disabled)
> +                               # can also just be "Not affected"
> +-                              if echo "$fullmsg" | grep -Eq -e 'Not
> affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not
> necessary)'; then
> ++                              if echo "$fullmsg" | @grep@ -Eq -e
> 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not
> necessary)'; then
> +                                       l1d_mode=0
> +                                       pstatus yellow NO
> +-                              elif echo "$fullmsg" | grep -Eq
> '(VMX:|L1D) conditional cache flushes'; then
> ++                              elif echo "$fullmsg" | @grep@ -Eq
> '(VMX:|L1D) conditional cache flushes'; then
> +                                       l1d_mode=1
> +                                       pstatus green YES
> "conditional flushes"
> +-                              elif echo "$fullmsg" | grep -Eq
> '(VMX:|L1D) cache flushes'; then
> ++                              elif echo "$fullmsg" | @grep@ -Eq
> '(VMX:|L1D) cache flushes'; then
> +                                       l1d_mode=2
> +                                       pstatus green YES
> "unconditional flushes"
> +                               else
> +                                       if is_xen_dom0; then
> +-                                              l1d_xen_hardware=$(xl
> dmesg | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -1)
> +-
>                                               l1d_xen_hypervisor=$(xl
> dmesg | grep 'Xen settings:' | grep 'L1D_FLUSH' | head -1)
> +-                                              l1d_xen_pv_domU=$(xl
> dmesg | grep 'PV L1TF shadowing:' | grep 'DomU enabled' | head -1)
> ++                                              l1d_xen_hardware=$(xl
> @dmesg@ | @grep@ 'Hardware features:' | @grep@ 'L1D_FLUSH' | @head@ -
> 1)
> ++                                              l1d_xen_hypervisor=$(
> xl @dmesg@ | @grep@ 'Xen settings:' | @grep@ 'L1D_FLUSH' | @head@ -1)
> ++                                              l1d_xen_pv_domU=$(xl
> @dmesg@ | @grep@ 'PV L1TF shadowing:' | @grep@ 'DomU enabled' |
> @head@ -1)
> +
> +                                               if [ -n
> "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n
> "$l1d_xen_pv_domU" ]; then
> +                                                       l1d_mode=5
> +@@ -5033,7 +5033,7 @@ check_CVE_2018_3646_linux()
> +
> +               _info_nol "  * Hardware-backed L1D flush supported: "
> +               if [ "$opt_live" = 1 ]; then
> +-                      if grep -qw flush_l1d "$procfs/cpuinfo" || [
> -n "$l1d_xen_hardware" ]; then
> ++                      if @grep@ -qw flush_l1d "$procfs/cpuinfo" ||
> [ -n "$l1d_xen_hardware" ]; then
> +                               pstatus green YES "performance impact
> of the mitigation will be greatly reduced"
> +                       else
> +                               pstatus blue NO "flush will be done
> in software, this is slower"
> +@@ -5105,7 +5105,7 @@ check_CVE_2018_3646_linux()
> + check_CVE_2018_3646_bsd()
> + {
> +       _info_nol "* Kernel supports L1D flushing: "
> +-      if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
> ++      if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
> +               pstatus green YES
> +               kernel_l1d_supported=1
> +       else
> +@@ -5114,7 +5114,7 @@ check_CVE_2018_3646_bsd()
> +       fi
> +
> +       _info_nol "* L1D flushing is enabled: "
> +-      kernel_l1d_enabled=$(sysctl -n hw.vmm.vmx.l1d_flush
> 2>/dev/null)
> ++      kernel_l1d_enabled=$(@sysctl@ -n hw.vmm.vmx.l1d_flush
> 2>/dev/null)
> +       case "$kernel_l1d_enabled" in
> +               0) pstatus yellow NO;;
> +               1) pstatus green YES;;
> +@@ -5168,7 +5168,7 @@ check_CVE_2018_12127()
> + ###################
> + # MDSUM SECTION
> +
> +-# Microarchitectural Data Sampling Uncacheable Memory
> ++# Microarchitectural Data Sampling Uncacheable Memory
> + check_CVE_2019_11091()
> + {
> +       cve='CVE-2019-11091'
> +@@ -5182,7 +5182,7 @@ check_mds()
> +       _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> +       if [ "$os" = Linux ]; then
> +               check_mds_linux "$cve"
> +-      elif echo "$os" | grep -q BSD; then
> ++      elif echo "$os" | @grep@ -q BSD; then
> +               check_mds_bsd "$cve"
> +       else
> +               _warn "Unsupported OS ($os)"
> +@@ -5193,7 +5193,7 @@ check_mds_bsd()
> + {
> +       _info_nol "* Kernel supports using MD_CLEAR mitigation: "
> +       if [ "$opt_live" = 1 ]; then
> +-              if sysctl hw.mds_disable >/dev/null 2>&1; then
> ++              if @sysctl@ hw.mds_disable >/dev/null 2>&1; then
> +                       pstatus green YES
> +                       kernel_md_clear=1
> +               else
> +@@ -5201,7 +5201,7 @@ check_mds_bsd()
> +                       kernel_md_clear=0
> +               fi
> +       else
> +-              if grep -Fq hw.mds_disable $opt_kernel; then
> ++              if @grep@ -Fq hw.mds_disable $opt_kernel; then
> +                       pstatus green YES
> +                       kernel_md_clear=1
> +               else
> +@@ -5211,8 +5211,8 @@ check_mds_bsd()
> +       fi
> +
> +       _info_nol "* CPU Hyper-Threading (SMT) is disabled: "
> +-      if sysctl machdep.hyperthreading_allowed >/dev/null 2>&1;
> then
> +-              kernel_smt_allowed=$(sysctl -n
> machdep.hyperthreading_allowed 2>/dev/null)
> ++      if @sysctl@ machdep.hyperthreading_allowed >/dev/null 2>&1;
> then
> ++              kernel_smt_allowed=$(@sysctl@ -n
> machdep.hyperthreading_allowed 2>/dev/null)
> +               if [ "$kernel_smt_allowed" = 1 ]; then
> +                       pstatus yellow NO
> +               else
> +@@ -5224,7 +5224,7 @@ check_mds_bsd()
> +
> +       _info_nol "* Kernel mitigation is enabled: "
> +       if [ "$kernel_md_clear" = 1 ]; then
> +-              kernel_mds_enabled=$(sysctl -n hw.mds_disable
> 2>/dev/null)
> ++              kernel_mds_enabled=$(@sysctl@ -n hw.mds_disable
> 2>/dev/null)
> +       else
> +               kernel_mds_enabled=0
> +       fi
> +@@ -5238,7 +5238,7 @@ check_mds_bsd()
> +
> +       _info_nol "* Kernel mitigation is active: "
> +       if [ "$kernel_md_clear" = 1 ]; then
> +-              kernel_mds_state=$(sysctl -n hw.mds_disable_state
> 2>/dev/null)
> ++              kernel_mds_state=$(@sysctl@ -n hw.mds_disable_state
> 2>/dev/null)
> +       else
> +               kernel_mds_state=inactive
> +       fi
> +@@ -5296,16 +5296,16 @@ check_mds_linux()
> +               _info_nol "* Kernel supports using MD_CLEAR
> mitigation: "
> +               kernel_md_clear=''
> +               kernel_md_clear_can_tell=1
> +-              if [ "$opt_live" = 1 ] && grep ^flags
> "$procfs/cpuinfo" | grep -qw md_clear; then
> ++              if [ "$opt_live" = 1 ] && @grep@ ^flags
> "$procfs/cpuinfo" | @grep@ -qw md_clear; then
> +                       kernel_md_clear="md_clear found in
> $procfs/cpuinfo"
> +                       pstatus green YES "$kernel_md_clear"
> +               fi
> +               if [ -z "$kernel_md_clear" ]; then
> +-                      if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++                      if ! command -v "@strings@" >/dev/null 2>&1;
> then
> +                               kernel_md_clear_can_tell=0
> +                       elif [ -n "$kernel_err" ]; then
> +                               kernel_md_clear_can_tell=0
> +-                      elif "${opt_arch_prefix}strings" "$kernel" |
> grep -q 'Clear CPU buffers'; then
> ++                      elif "@strings@" "$kernel" | @grep@ -q 'Clear
> CPU buffers'; then
> +                               _debug "md_clear: found 'Clear CPU
> buffers' string in kernel image"
> +                               kernel_md_clear='found md_clear
> implementation evidence in kernel image'
> +                               pstatus green YES "$kernel_md_clear"
> +@@ -5321,7 +5321,7 @@ check_mds_linux()
> +
> +               if [ "$opt_live" = 1 ] && [
> "$sys_interface_available" = 1 ]; then
> +                       _info_nol "* Kernel mitigation is enabled and
> active: "
> +-                      if echo "$fullmsg" | grep -qi ^mitigation;
> then
> ++                      if echo "$fullmsg" | @grep@ -qi ^mitigation;
> then
> +                               mds_mitigated=1
> +                               pstatus green YES
> +                       else
> +@@ -5329,7 +5329,7 @@ check_mds_linux()
> +                               pstatus yellow NO
> +                       fi
> +                       _info_nol "* SMT is either mitigated or
> disabled: "
> +-                      if echo "$fullmsg" | grep -Eq 'SMT
> (disabled|mitigated)'; then
> ++                      if echo "$fullmsg" | @grep@ -Eq 'SMT
> (disabled|mitigated)'; then
> +                               mds_smt_mitigated=1
> +                               pstatus green YES
> +                       else
> +@@ -5415,7 +5415,7 @@ check_CVE_2019_11135()
> +       _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> +       if [ "$os" = Linux ]; then
> +               check_CVE_2019_11135_linux
> +-      elif echo "$os" | grep -q BSD; then
> ++      elif echo "$os" | @grep@ -q BSD; then
> +               check_CVE_2019_11135_bsd
> +       else
> +               _warn "Unsupported OS ($os)"
> +@@ -5436,7 +5436,7 @@ check_CVE_2019_11135_linux()
> +               kernel_taa=''
> +               if [ -n "$kernel_err" ]; then
> +                       kernel_taa_err="$kernel_err"
> +-              elif grep -q 'tsx_async_abort' "$kernel"; then
> ++              elif @grep@ -q 'tsx_async_abort' "$kernel"; then
> +                       kernel_taa="found tsx_async_abort in kernel
> image"
> +               fi
> +               if [ -n "$kernel_taa" ]; then
> +@@ -5450,7 +5450,7 @@ check_CVE_2019_11135_linux()
> +               _info_nol "* TAA mitigation enabled and active: "
> +               if [ "$opt_live" = 1 ]; then
> +                       if [ -n "$fullmsg" ]; then
> +-                              if echo "$fullmsg" | grep -qE
> '^Mitigation'; then
> ++                              if echo "$fullmsg" | @grep@ -qE
> '^Mitigation'; then
> +                                       pstatus green YES "$fullmsg"
> +                               else
> +                                       pstatus yellow NO
> +@@ -5485,9 +5485,9 @@ check_CVE_2019_11135_linux()
> +       else
> +               if [ "$opt_paranoid" = 1 ]; then
> +                       # in paranoid mode, TSX or SMT enabled are
> not OK, even if TAA is mitigated
> +-                      if ! echo "$fullmsg" | grep -qF 'TSX
> disabled'; then
> ++                      if ! echo "$fullmsg" | @grep@ -qF 'TSX
> disabled'; then
> +                               pvulnstatus $cve VULN "TSX must be
> disabled for full mitigation"
> +-                      elif echo "$fullmsg" | grep -qF 'SMT
> vulnerable'; then
> ++                      elif echo "$fullmsg" | @grep@ -qF 'SMT
> vulnerable'; then
> +                               pvulnstatus $cve VULN "SMT
> (HyperThreading) must be disabled for full mitigation"
> +                       else
> +                               pvulnstatus $cve "$status" "$msg"
> +@@ -5517,7 +5517,7 @@ check_CVE_2018_12207()
> +       _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> +       if [ "$os" = Linux ]; then
> +               check_CVE_2018_12207_linux
> +-      elif echo "$os" | grep -q BSD; then
> ++      elif echo "$os" | @grep@ -q BSD; then
> +               check_CVE_2018_12207_bsd
> +       else
> +               _warn "Unsupported OS ($os)"
> +@@ -5541,7 +5541,7 @@ check_CVE_2018_12207_linux()
> +               if [ -n "$kernel_err" ]; then
> +                       kernel_itlbmh_err="$kernel_err"
> +               # commit 5219505fcbb640e273a0d51c19c38de0100ec5a9
> +-              elif grep -q 'itlb_multihit' "$kernel"; then
> ++              elif @grep@ -q 'itlb_multihit' "$kernel"; then
> +                       kernel_itlbmh="found itlb_multihit in kernel
> image"
> +               fi
> +               if [ -n "$kernel_itlbmh" ]; then
> +@@ -5555,7 +5555,7 @@ check_CVE_2018_12207_linux()
> +               _info_nol "* iTLB Multihit mitigation enabled and
> active: "
> +               if [ "$opt_live" = 1 ]; then
> +                       if [ -n "$fullmsg" ]; then
> +-                              if echo "$fullmsg" | grep -qF
> 'Mitigation'; then
> ++                              if echo "$fullmsg" | @grep@ -qF
> 'Mitigation'; then
> +                                       pstatus green YES "$fullmsg"
> +                               else
> +                                       pstatus yellow NO
> +@@ -5597,7 +5597,7 @@ check_CVE_2018_12207_linux()
> + check_CVE_2018_12207_bsd()
> + {
> +       _info_nol "* Kernel supports disabling superpages for
> executable mappings under EPT: "
> +-      kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept
> 2>/dev/null)
> ++      kernel_2m_x_ept=$(@sysctl@ -n vm.pmap.allow_2m_x_ept
> 2>/dev/null)
> +       if [ -z "$kernel_2m_x_ept" ]; then
> +               pstatus yellow NO
> +       else
> +@@ -5634,7 +5634,7 @@ check_CVE_2020_0543()
> +       _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> +       if [ "$os" = Linux ]; then
> +               check_CVE_2020_0543_linux
> +-      elif echo "$os" | grep -q BSD; then
> ++      elif echo "$os" | @grep@ -q BSD; then
> +               check_CVE_2020_0543_bsd
> +       else
> +               _warn "Unsupported OS ($os)"
> +@@ -5655,7 +5655,7 @@ check_CVE_2020_0543_linux()
> +               kernel_srbds=''
> +               if [ -n "$kernel_err" ]; then
> +                       kernel_srbds_err="$kernel_err"
> +-              elif grep -q 'Dependent on hypervisor' "$kernel";
> then
> ++              elif @grep@ -q 'Dependent on hypervisor' "$kernel";
> then
> +                       kernel_srbds="found SRBDS implementation
> evidence in kernel image. Your kernel is up to date for SRBDS
> mitigation"
> +               fi
> +               if [ -n "$kernel_srbds" ]; then
> +@@ -5668,7 +5668,7 @@ check_CVE_2020_0543_linux()
> +               _info_nol "* SRBDS mitigation control is enabled and
> active: "
> +               if [ "$opt_live" = 1 ]; then
> +                       if [ -n "$fullmsg" ]; then
> +-                              if echo "$fullmsg" | grep -qE
> '^Mitigation'; then
> ++                              if echo "$fullmsg" | @grep@ -qE
> '^Mitigation'; then
> +                                       pstatus green YES "$fullmsg"
> +                               else
> +                                       pstatus yellow NO
> +@@ -5758,8 +5758,8 @@ fi
> + # now run the checks the user asked for
> + for cve in $supported_cve_list
> + do
> +-      if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | grep -qw
> "$cve"; then
> +-              check_"$(echo "$cve" | tr - _)"
> ++      if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | @grep@ -
> qw "$cve"; then
> ++              check_"$(echo "$cve" | @tr@ - _)"
> +               _info
> +       fi
> + done
> +@@ -5773,17 +5773,17 @@ if [ "$bad_accuracy" = 1 ]; then
> +       _warn "We're missing some kernel info (see -v), accuracy
> might be reduced"
> + fi
> +
> +-_vars=$(set | grep -Ev '^[A-Z_[:space:]]' | grep -v -F 'mockme=' |
> sort | tr "\n" '|')
> ++_vars=$(set | @grep@ -Ev '^[A-Z_[:space:]]' | @grep@ -v -F
> 'mockme=' | @sort@ | @tr@ "\n" '|')
> + _debug "variables at end of script: $_vars"
> +
> + if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
> +-      if command -v "gzip" >/dev/null 2>&1; then
> ++      if command -v "@gzip@" >/dev/null 2>&1; then
> +               # not a useless use of cat: gzipping cpuinfo directly
> doesn't work well
> +               # shellcheck disable=SC2002
> +-              if command -v "base64" >/dev/null 2>&1; then
> +-                      mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c |
> base64 -w0)"
> +-              elif command -v "uuencode" >/dev/null 2>&1; then
> +-                      mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c |
> uuencode -m - | grep -Fv 'begin-base64' | grep -Fxv -- '====' | tr -d
> "\n")"
> ++              if command -v "@base64@" >/dev/null 2>&1; then
> ++                      mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@
> -c | @base64@ -w0)"
> ++              elif command -v "@uuencode@" >/dev/null 2>&1; then
> ++                      mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@
> -c | @uuencode@ -m - | @grep@ -Fv 'begin-base64' | @grep@ -Fxv --
> '====' | @tr@ -d "\n")"
> +               fi
> +       fi
> +       if [ -n "$mock_cpuinfo" ]; then
> +@@ -5792,7 +5792,7 @@ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ];
> then
> +       fi
> +       _info ""
> +       # shellcheck disable=SC2046
> +-      _warn "To mock this CPU, set those vars: "$(echo "$mockme" |
> sort -u)
> ++      _warn "To mock this CPU, set those vars: "$(echo "$mockme" |
> @sort@ -u)
> + fi
> +
> + if [ "$opt_explain" = 0 ]; then
> +--
> +2.38.1
> +
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-
> guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-
> checker-support-guix-system-kernel.patch
> new file mode 100644
> index 0000000000..afec52b418
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-
> system-kernel.patch
> @@ -0,0 +1,26 @@
> +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Sat, 5 Nov 2022 23:22:31 +0800
> +Subject: [PATCH] Add support for Guix System kernel.
> +
> +---
> + spectre-meltdown-checker.sh | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 248a444..855a090 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
> +               [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> +               # NixOS:
> +               [ -e "/run/booted-system/kernel" ] &&
> opt_kernel="/run/booted-system/kernel"
> ++              # Guix System:
> ++              [ -e "/run/booted-system/kernel/bzImage" ] &&
> opt_kernel="/run/booted-system/kernel/bzImage"
> +               # systemd kernel-install:
> +               [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux"
> +               # Clear Linux:
> +
> +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
> +--
> +2.38.0
> 
> base-commit: 70df5c47a89f4f353a1df94467581a0f0da599a4
> --
> 2.38.1
Haven't looked at all the other substituted commands, but otherwise
seems good to me.

Cheers

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [bug#59053] [PATCH v3] gnu: Add spectre-meltdown-checker.
  2022-11-11 15:13     ` Liliana Marie Prikler
@ 2022-11-12 12:14       ` Hilton Chain via Guix-patches via
  2022-11-12 12:28         ` Liliana Marie Prikler
  0 siblings, 1 reply; 12+ messages in thread
From: Hilton Chain via Guix-patches via @ 2022-11-12 12:14 UTC (permalink / raw)
  To: Liliana Marie Prikler; +Cc: 59053

* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
v2 -> v3:
1. Use curl as default downloader (It seems that wget doesn't work out of the
box for TLS?).
2. Remove instead of commenting.
3. Remove builtin firmware database via a snippet.
4. Adjust position of the "return 2" statement. For the purpose, it's there to
stop the version checking function, as later steps assumes a valid firmware
database. For the very value, it's that return value of is_latest_known_ucode()
other than 0 or 1, is considered "unknown" in the final output.

 gnu/local.mk                                  |    3 +
 gnu/packages/linux.scm                        |   58 +
 ...ker-remove-builtin-firmware-database.patch |  113 +
 ...cker-stage-commands-for-substitution.patch | 1947 +++++++++++++++++
 ...n-checker-support-guix-system-kernel.patch |   26 +
 5 files changed, 2147 insertions(+)
 create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
 create mode 100644 gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
 create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index e3e02314bb..46b299d0d6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1857,6 +1857,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/syslinux-strip-gnu-property.patch	\
   %D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch	\
   %D%/packages/patches/snappy-add-inline-for-GCC.patch		\
+  %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \
+  %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch \
+  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
   %D%/packages/patches/sphinxbase-fix-doxygen.patch		\
   %D%/packages/patches/spice-vdagent-glib-2.68.patch		\
   %D%/packages/patches/sssd-optional-systemd.patch		\
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index fea33dfa0b..b15899baf6 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9595,3 +9595,61 @@ (define-public edac-utils
 error detection and correction (EDAC).")
     (home-page "https://github.com/grondo/edac-utils")
     (license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+  (package
+    (name "spectre-meltdown-checker")
+    (version "0.45")
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "https://github.com/speed47/spectre-meltdown-checker")
+                    (commit (string-append "v" version))))
+              (file-name (git-file-name name version))
+              (patches
+               (search-patches
+                ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+                "spectre-meltdown-checker-support-guix-system-kernel.patch"
+                ;; NOTE: Update these patches when updating.
+                "spectre-meltdown-checker-stage-commands-for-substitution.patch"
+                "spectre-meltdown-checker-remove-builtin-firmware-database.patch"))
+              ;; Remove builtin firmware database.
+              (modules '((guix build utils)))
+              (snippet '(substitute* "spectre-meltdown-checker.sh"
+                          (("^# [AI],.*") "")))
+              (sha256
+               (base32
+                "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+    (build-system copy-build-system)
+    (arguments
+     (list #:install-plan
+           #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+           #:phases
+           #~(modify-phases %standard-phases
+               (add-after 'unpack 'fixpath
+                 (lambda* (#:key inputs #:allow-other-keys)
+                   (substitute* "spectre-meltdown-checker.sh"
+                     (("@sysctl@") (search-input-file inputs "/sbin/sysctl"))
+                     (("@([a-z0-9]*)@" _ command _)
+                      (search-input-file
+                       inputs (string-append "/bin/" command)))))))))
+    (inputs
+     (list binutils
+           coreutils
+           grep
+           kmod
+           lz4
+           lzop
+           perl
+           procps
+           sharutils
+           util-linux
+           which
+           zstd))
+    (home-page "https://github.com/speed47/spectre-meltdown-checker")
+    (synopsis "CPU vulnerability / mitigation checker")
+    (description
+     "This package provides a shell script to assess your system's resilience
+against the several transient execution CVEs that were published since early
+2018, and give you guidance as to how to mitigate them.")
+    (license license:gpl3)))
diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
new file mode 100644
index 0000000000..400d8d3a07
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
@@ -0,0 +1,113 @@
+From e2cc68814cf658638946e069406ef6a6032ab318 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 12 Nov 2022 19:49:36 +0800
+Subject: [PATCH 2/2] Remove references to the builtin firmware database.
+
+---
+ spectre-meltdown-checker.sh | 43 +++++++++++--------------------------
+ 1 file changed, 12 insertions(+), 31 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 82cf1b6..5104599 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -95,7 +95,6 @@ show_usage()
+ 		--cpu [#,all]		interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
+ 		--update-fwdb		update our local copy of the CPU microcodes versions database (using the awesome
+ 					MCExtractor project and the Intel firmwares GitHub repository)
+-		--update-builtin-fwdb	same as --update-fwdb but update builtin DB inside the script itself
+ 		--dump-mock-data	used to mimick a CPU on an other system, mainly used to help debugging this script
+
+ 	Return codes:
+@@ -853,10 +852,10 @@ update_fwdb()
+ 	mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)"
+ 	mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+ 	_info_nol "Fetching MCE.db from the MCExtractor project... "
+-	if command -v wget >/dev/null 2>&1; then
+-		wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+-	elif command -v curl >/dev/null 2>&1; then
++	if command -v curl >/dev/null 2>&1; then
+ 		curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
++	elif command -v wget >/dev/null 2>&1; then
++		wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+ 	elif command -v fetch >/dev/null 2>&1; then
+ 		fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+ 	else
+@@ -874,10 +873,10 @@ update_fwdb()
+ 	intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+ 	_info_nol "Fetching Intel firmwares... "
+ 	## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+-	if command -v wget >/dev/null 2>&1; then
+-		wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+-	elif command -v curl >/dev/null 2>&1; then
++	if command -v curl >/dev/null 2>&1; then
+ 		curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
++	elif command -v wget >/dev/null 2>&1; then
++		wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+ 	elif command -v fetch >/dev/null 2>&1; then
+ 		fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+ 	else
+@@ -968,14 +967,6 @@ update_fwdb()
+ 		sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD   AS t1 LEFT OUTER JOIN AMD   AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,';
+ 	} > "$mcedb_cache"
+ 	echo DONE "(version $dbversion)"
+-
+-	if [ "$1" = builtin ]; then
+-		newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
+-		@awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+-		@awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+-		@cat@ "$newfile" > "$0"
+-		@rm@ -f "$newfile"
+-	fi
+ }
+
+ parse_opt_file()
+@@ -1070,9 +1061,6 @@ while [ -n "${1:-}" ]; do
+ 	elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then
+ 		update_fwdb
+ 		exit $?
+-	elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
+-		update_fwdb builtin
+-		exit $?
+ 	elif [ "$1" = "--dump-mock-data" ]; then
+ 		opt_mock=1
+ 		shift
+@@ -2033,21 +2021,11 @@ is_xen_domU()
+ 	fi
+ }
+
+-builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ 	# we have a local cache file, but it might be older than the builtin version we have
+ 	local_dbversion=$(  @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+-	# sort -V sorts by version number
+-	older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1)
+-	if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+-		mcedb_source="$mcedb_cache"
+-		mcedb_info="local firmwares DB $local_dbversion"
+-	fi
+-fi
+-# if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db
+-if [ -z "${mcedb_source:-}" ]; then
+-	mcedb_source="$0"
+-	mcedb_info="builtin firmwares DB $builtin_dbversion"
++	mcedb_source="$mcedb_cache"
++	mcedb_info="local firmwares DB $local_dbversion"
+ fi
+ read_mcedb()
+ {
+@@ -2063,7 +2041,10 @@ is_latest_known_ucode()
+ 		return 2
+ 	fi
+ 	ucode_latest="latest microcode version for your CPU model is unknown"
+-	if is_intel; then
++	if [ -z "$mcedb_source" ]; then
++	        # When $mcedb_source is not set, skip version checking and report unknown.
++	        return 2
++	elif is_intel; then
+ 		cpu_brand_prefix=I
+ 	elif is_amd; then
+ 		cpu_brand_prefix=A
+--
+2.38.1
+
diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
new file mode 100644
index 0000000000..a2f13e4195
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
@@ -0,0 +1,1947 @@
+From 4dc8ae01aec5a8a2aa2afc015603261d514620ae Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Fri, 11 Nov 2022 18:49:50 +0800
+Subject: [PATCH 1/2] Stage commands for later substitution.
+
+awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find, getent,
+grep, gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm,
+nproc, objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat,
+strings, sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, which,
+whoami, xargs.
+---
+ spectre-meltdown-checker.sh | 648 ++++++++++++++++++------------------
+ 1 file changed, 324 insertions(+), 324 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 30f760c..82cf1b6 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -19,33 +19,33 @@ trap '_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT
+ exit_cleanup()
+ {
+ 	# cleanup the temp decompressed config & kernel image
+-	[ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
+-	[ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && rm -f "$kerneltmp"
+-	[ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] && rm -f "$kerneltmp2"
+-	[ -n "${mcedb_tmp:-}"     ] && [ -f "$mcedb_tmp"     ] && rm -f "$mcedb_tmp"
+-	[ -n "${intel_tmp:-}"     ] && [ -d "$intel_tmp"     ] && rm -rf "$intel_tmp"
+-	[ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
+-	[ "${mounted_procfs:-}"  = 1 ] && umount "$procfs" 2>/dev/null
+-	[ "${insmod_cpuid:-}"    = 1 ] && rmmod cpuid 2>/dev/null
+-	[ "${insmod_msr:-}"      = 1 ] && rmmod msr 2>/dev/null
++	[ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && @rm@ -f "$dumped_config"
++	[ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && @rm@ -f "$kerneltmp"
++	[ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] && @rm@ -f "$kerneltmp2"
++	[ -n "${mcedb_tmp:-}"     ] && [ -f "$mcedb_tmp"     ] && @rm@ -f "$mcedb_tmp"
++	[ -n "${intel_tmp:-}"     ] && [ -d "$intel_tmp"     ] && @rm@ -rf "$intel_tmp"
++	[ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug 2>/dev/null
++	[ "${mounted_procfs:-}"  = 1 ] && @umount@ "$procfs" 2>/dev/null
++	[ "${insmod_cpuid:-}"    = 1 ] && @rmmod@ cpuid 2>/dev/null
++	[ "${insmod_msr:-}"      = 1 ] && @rmmod@ msr 2>/dev/null
+ 	[ "${kldload_cpuctl:-}"  = 1 ] && kldunload cpuctl 2>/dev/null
+ 	[ "${kldload_vmm:-}"     = 1 ] && kldunload vmm    2>/dev/null
+ }
+
+ # if we were git clone'd, adjust VERSION
+-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then
+-	describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null)
+-	[ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e s/^v//)
++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null 2>&1; then
++	describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty 2>/dev/null)
++	[ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e s/^v//)
+ fi
+
+ show_usage()
+ {
+ 	# shellcheck disable=SC2086
+-	cat <<EOF
++	@cat@ <<EOF
+ 	Usage:
+-		Live mode (auto):   $(basename $0) [options]
+-		Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
+-		Offline mode:       $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
++		Live mode (auto):   $(@basename@ $0) [options]
++		Live mode (manual): $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
++		Offline mode:       $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
+
+ 	Modes:
+ 		Two modes are available.
+@@ -110,7 +110,7 @@ EOF
+
+ show_disclaimer()
+ {
+-	cat <<EOF
++	@cat@ <<EOF
+ Disclaimer:
+
+ This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the
+@@ -138,7 +138,7 @@ This tool has been released in the hope that it'll be useful, but don't use it t
+ EOF
+ }
+
+-os=$(uname -s)
++os=$(@uname@ -s)
+
+ # parse options
+ opt_kernel=''
+@@ -207,7 +207,7 @@ __echo()
+ 			_interpret_chars='-e'
+ 		fi
+ 		_ctrlchar=$($echo_cmd $_interpret_chars "\033")
+-		_msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
++		_msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
+ 	fi
+ 	if [ "$echo_cmd_type" = printf ]; then
+ 		if [ "$opt" = "-n" ]; then
+@@ -383,7 +383,7 @@ is_cpu_affected()
+ 		# https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not affected
+ 		# https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown affected
+ 		# model name : Pentium(R) Dual-Core  CPU      E5200  @ 2.50GHz
+-		if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
++		if echo "$cpu_friendly_name" | @grep@ -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
+ 			variant1=vuln
+ 			[ -z "$variant2" ] && variant2=immune
+ 			variant3=vuln
+@@ -486,7 +486,7 @@ is_cpu_affected()
+ 			i=$(( i + 1 ))
+ 			# do NOT quote $cpu_arch_list below
+ 			# shellcheck disable=SC2086
+-			cpuarch=$(echo $cpu_arch_list | awk '{ print $'$i' }')
++			cpuarch=$(echo $cpu_arch_list | @awk@ '{ print $'$i' }')
+ 			_debug "checking cpu$i: <$cpupart> <$cpuarch>"
+ 			# some kernels report AArch64 instead of 8
+ 			[ "$cpuarch" = "AArch64" ] && cpuarch=8
+@@ -497,49 +497,49 @@ is_cpu_affected()
+ 				# part   ?  ? c08 c09 c0d c0f c0e d07 d08 d09 d0a d0b d0c         d0d
+ 				# arch  7? 7? 7   7   7   7   7   8   8   8   8   8   8           8
+ 				#
+-				# Whitelist identified non-affected processors, use vulnerability information from
++				# Whitelist identified non-affected processors, use vulnerability information from
+ 				# https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
+ 				# Partnumbers can be found here:
+ 				# https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in
+ 				#
+ 				# Maintain cumulative check of vulnerabilities -
+ 				# if at least one of the cpu is affected, then the system is affected
+-				if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
++				if [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
+ 					variant1=vuln
+ 					variant2=vuln
+ 					[ -z "$variant3" ] && variant3=immune
+ 					[ -z "$variant3a" ] && variant3a=immune
+ 					[ -z "$variant4" ] && variant4=immune
+ 					_debug "checking cpu$i: armv7 A8/A9/A12/A17 non affected to variants 3, 3a & 4"
+-				elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc0f; then
++				elif [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc0f; then
+ 					variant1=vuln
+ 					variant2=vuln
+ 					[ -z "$variant3" ] && variant3=immune
+ 					variant3a=vuln
+ 					[ -z "$variant4" ] && variant4=immune
+ 					_debug "checking cpu$i: armv7 A15 non affected to variants 3 & 4"
+-				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then
++				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd07 -e 0xd08; then
+ 					variant1=vuln
+ 					variant2=vuln
+ 					[ -z "$variant3" ] && variant3=immune
+ 					variant3a=vuln
+ 					variant4=vuln
+ 					_debug "checking cpu$i: armv8 A57/A72 non affected to variants 3"
+-				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd09; then
++				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd09; then
+ 					variant1=vuln
+ 					variant2=vuln
+ 					[ -z "$variant3" ] && variant3=immune
+ 					[ -z "$variant3a" ] && variant3a=immune
+ 					variant4=vuln
+ 					_debug "checking cpu$i: armv8 A73 non affected to variants 3 & 3a"
+-				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0a; then
++				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0a; then
+ 					variant1=vuln
+ 					variant2=vuln
+ 					variant3=vuln
+ 					[ -z "$variant3a" ] && variant3a=immune
+ 					variant4=vuln
+ 					_debug "checking cpu$i: armv8 A75 non affected to variant 3a"
+-				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
++				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
+ 					variant1=vuln
+ 					[ -z "$variant2" ] && variant2=immune
+ 					[ -z "$variant3" ] && variant3=immune
+@@ -820,7 +820,7 @@ is_cpu_ssb_free()
+ 		if [ "$cpu_family" = "18" ] || \
+ 			[ "$cpu_family" = "17" ] || \
+ 			[ "$cpu_family" = "16" ] || \
+-			[ "$cpu_family" = "15" ]; then
++			[ "$cpu_family" = "15" ]; then
+ 			return 0
+ 		fi
+ 	fi
+@@ -837,7 +837,7 @@ show_header()
+ 	_info
+ }
+
+-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
++[ -z "$HOME" ] && HOME="$(@getent@ passwd "$(@whoami@)" | @cut@ -d: -f6)"
+ mcedb_cache="$HOME/.mcedb"
+ update_fwdb()
+ {
+@@ -846,11 +846,11 @@ update_fwdb()
+ 	set -e
+
+ 	if [ -r "$mcedb_cache" ]; then
+-		previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
++		previous_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+ 	fi
+
+ 	# first, download the MCE.db from the excellent platomav's MCExtractor project
+-	mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
++	mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)"
+ 	mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+ 	_info_nol "Fetching MCE.db from the MCExtractor project... "
+ 	if command -v wget >/dev/null 2>&1; then
+@@ -870,7 +870,7 @@ update_fwdb()
+ 	echo DONE
+
+ 	# second, get the Intel firmwares from GitHub
+-	intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
++	intel_tmp="$(@mktemp@ -d -t smc-intelfw-XXXXXX)"
+ 	intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+ 	_info_nol "Fetching Intel firmwares... "
+ 	## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+@@ -930,20 +930,20 @@ update_fwdb()
+ 	fi
+ 	#  079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev 0x0217, size 5120
+ 	#  078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev 0x0107, size 5120
+-	$iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
++	$iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | @grep@ -wF sig | while read -r _line
+ 	do
+-		_line=$(   echo "$_line" | tr -d ',')
+-		_cpuid=$(  echo "$_line" | awk '{print $3}')
++		_line=$(   echo "$_line" | @tr@ -d ',')
++		_cpuid=$(  echo "$_line" | @awk@ '{print $3}')
+ 		_cpuid=$(( _cpuid ))
+ 		_cpuid=$(printf "0x%08X" "$_cpuid")
+-		_date=$(   echo "$_line" | awk '{print $6}' | tr -d '-')
+-		_version=$(echo "$_line" | awk '{print $8}')
++		_date=$(   echo "$_line" | @awk@ '{print $6}' | @tr@ -d '-')
++		_version=$(echo "$_line" | @awk@ '{print $8}')
+ 		_version=$(( _version ))
+ 		_version=$(printf "0x%08X" "$_version")
+ 		_sqlstm="$(printf "INSERT INTO Intel (origin,cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")"
+ 		sqlite3 "$mcedb_tmp" "$_sqlstm"
+ 	done
+-	_intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
++	_intel_timestamp=$(@stat@ -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
+ 	if [ -n "$_intel_timestamp" ]; then
+ 		# use this date, it matches the last commit date
+ 		_intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp")
+@@ -964,17 +964,17 @@ update_fwdb()
+ 	{
+ 		echo "# Spectre & Meltdown Checker";
+ 		echo "# %%% MCEDB v$dbversion";
+-		sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+-		sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD   AS t1 LEFT OUTER JOIN AMD   AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
++		sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,';
++		sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD   AS t1 LEFT OUTER JOIN AMD   AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,';
+ 	} > "$mcedb_cache"
+ 	echo DONE "(version $dbversion)"
+
+ 	if [ "$1" = builtin ]; then
+-		newfile=$(mktemp -t smc-builtin-XXXXXX)
+-		awk '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+-		awk '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+-		cat "$newfile" > "$0"
+-		rm -f "$newfile"
++		newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
++		@awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
++		@awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
++		@cat@ "$newfile" > "$0"
++		@rm@ -f "$newfile"
+ 	fi
+ }
+
+@@ -1055,7 +1055,7 @@ while [ -n "${1:-}" ]; do
+ 	elif [ "$1" = "--cpu" ]; then
+ 		opt_cpu=$2
+ 		if [ "$opt_cpu" != all ]; then
+-			if echo "$opt_cpu" | grep -Eq '^[0-9]+'; then
++			if echo "$opt_cpu" | @grep@ -Eq '^[0-9]+'; then
+ 				opt_cpu=$(( opt_cpu ))
+ 			else
+ 				echo "$0: error: --cpu should be an integer or 'all', got '$opt_cpu'" >&2
+@@ -1103,7 +1103,7 @@ while [ -n "${1:-}" ]; do
+ 			echo "$0: error: option --cve expects a parameter, supported CVEs are: $supported_cve_list" >&2
+ 			exit 255
+ 		fi
+-		selected_cve=$(echo "$supported_cve_list" | grep -iwo "$2")
++		selected_cve=$(echo "$supported_cve_list" | @grep@ -iwo "$2")
+ 		if [ -n "$selected_cve" ]; then
+ 			opt_cve_list="$opt_cve_list $selected_cve"
+ 			opt_cve_all=0
+@@ -1308,14 +1308,14 @@ check_kernel()
+ 	# a damaged ELF file and validate it, check for stderr warnings too
+
+ 	# the warning "readelf: Warning: [16]: Link field (0) should index a symtab section./" can appear on valid kernels, ignore it
+-	_readelf_warnings=$("${opt_arch_prefix}readelf" -S "$_file" 2>&1 >/dev/null | grep -v 'should index a symtab section' | tr "\n" "/"); ret=$?
+-	_readelf_sections=$("${opt_arch_prefix}readelf" -S "$_file" 2>/dev/null | grep -c -e data -e text -e init)
+-	_kernel_size=$(stat -c %s "$_file" 2>/dev/null || stat -f %z "$_file" 2>/dev/null || echo 10000)
++	_readelf_warnings=$("@readelf@" -S "$_file" 2>&1 >/dev/null | @grep@ -v 'should index a symtab section' | @tr@ "\n" "/"); ret=$?
++	_readelf_sections=$("@readelf@" -S "$_file" 2>/dev/null | @grep@ -c -e data -e text -e init)
++	_kernel_size=$(@stat@ -c %s "$_file" 2>/dev/null || @stat@ -f %z "$_file" 2>/dev/null || echo 10000)
+ 	_debug "check_kernel: ret=$? size=$_kernel_size sections=$_readelf_sections warnings=$_readelf_warnings"
+ 	if [ "$_mode" = desperate ]; then
+-		if "${opt_arch_prefix}strings" "$_file" | grep -Eq '^Linux version '; then
++		if "@strings@" "$_file" | @grep@ -Eq '^Linux version '; then
+ 			_debug "check_kernel (desperate): ... matched!"
+-			if [ "$_readelf_sections" = 0 ] && grep -qF -e armv6 -e armv7 "$_file"; then
++			if [ "$_readelf_sections" = 0 ] && @grep@ -qF -e armv6 -e armv7 "$_file"; then
+ 				_debug "check_kernel (desperate): raw arm binary found, adjusting objdump options"
+ 				objdump_options="-D -b binary -marm"
+ 			else
+@@ -1348,7 +1348,7 @@ try_decompress()
+
+ 	# Try to find the header ($1) and decompress from here
+ 	_debug "try_decompress: looking for $3 magic in $6"
+-	for     pos in $(tr "$1\n$2" "\n$2=" < "$6" | grep -abo "^$2")
++	for     pos in $(@tr@ "$1\n$2" "\n$2=" < "$6" | @grep@ -abo "^$2")
+ 	do
+ 		_debug "try_decompress: magic for $3 found at offset $pos"
+ 		if ! command -v "$3" >/dev/null 2>&1; then
+@@ -1375,11 +1375,11 @@ try_decompress()
+ 			kernel="$kerneltmp"
+ 			_debug "try_decompress: decompressed with $3 successfully!"
+ 			return 0
+-		elif [ "$3" != "cat" ]; then
++		elif [ "$3" != "@cat@" ]; then
+ 			_debug "try_decompress: decompression with $3 worked but result is not a kernel, trying with an offset"
+-			[ -z "$kerneltmp2" ] && kerneltmp2=$(mktemp -t smc-kernel-XXXXXX)
+-			cat "$kerneltmp" > "$kerneltmp2"
+-			try_decompress '\177ELF' xxy 'cat' '' cat "$kerneltmp2" && return 0
++			[ -z "$kerneltmp2" ] && kerneltmp2=$(@mktemp@ -t smc-kernel-XXXXXX)
++			@cat@ "$kerneltmp" > "$kerneltmp2"
++			try_decompress '\177ELF' xxy '@cat@' '' cat "$kerneltmp2" && return 0
+ 		else
+ 			_debug "try_decompress: decompression with $3 worked but result is not a kernel"
+ 		fi
+@@ -1391,12 +1391,12 @@ extract_kernel()
+ {
+ 	[ -n "${1:-}" ] || return 1
+ 	# Prepare temp files:
+-	kerneltmp="$(mktemp -t smc-kernel-XXXXXX)"
++	kerneltmp="$(@mktemp@ -t smc-kernel-XXXXXX)"
+
+ 	# Initial attempt for uncompressed images or objects:
+ 	if check_kernel "$1"; then
+ 		_debug "extract_kernel: found kernel is valid, no decompression needed"
+-		cat "$1" > "$kerneltmp"
++		@cat@ "$1" > "$kerneltmp"
+ 		kernel=$kerneltmp
+ 		return 0
+ 	fi
+@@ -1405,14 +1405,14 @@ extract_kernel()
+ 	for pass in 1 2; do
+ 		for mode in normal desperate; do
+ 			_debug "extract_kernel: pass $pass $mode mode"
+-			try_decompress '\037\213\010'     xy    gunzip  ''      gunzip      "$1" "$mode" "$pass" && return 0
+-			try_decompress '\002\041\114\030' xyy   'lz4'   '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
+-			try_decompress '\3757zXZ\000'     abcde unxz    ''      xz-utils    "$1" "$mode" "$pass" && return 0
+-			try_decompress 'BZh'              xy    bunzip2 ''      bzip2       "$1" "$mode" "$pass" && return 0
+-			try_decompress '\135\0\0\0'       xxx   unlzma  ''      xz-utils    "$1" "$mode" "$pass" && return 0
+-			try_decompress '\211\114\132'     xy    'lzop'  '-d'    lzop        "$1" "$mode" "$pass" && return 0
+-			try_decompress '\177ELF'          xxy   'cat'   ''      cat         "$1" "$mode" "$pass" && return 0
+-			try_decompress '(\265/\375'       xxy   unzstd  ''      zstd        "$1" "$mode" "$pass" && return 0
++			try_decompress '\037\213\010'     xy    @gunzip@  ''      gunzip      "$1" "$mode" "$pass" && return 0
++			try_decompress '\002\041\114\030' xyy   '@lz4@'   '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
++			try_decompress '\3757zXZ\000'     abcde @unxz@    ''      xz-utils    "$1" "$mode" "$pass" && return 0
++			try_decompress 'BZh'              xy    @bunzip2@ ''      bzip2       "$1" "$mode" "$pass" && return 0
++			try_decompress '\135\0\0\0'       xxx   @unlzma@  ''      xz-utils    "$1" "$mode" "$pass" && return 0
++			try_decompress '\211\114\132'     xy    '@lzop@'  '-d'    lzop        "$1" "$mode" "$pass" && return 0
++			try_decompress '\177ELF'          xxy   '@cat@'   ''      cat         "$1" "$mode" "$pass" && return 0
++			try_decompress '(\265/\375'       xxy   @unzstd@  ''      zstd        "$1" "$mode" "$pass" && return 0
+ 		done
+ 	done
+ 	# kernel_err might already have been populated by try_decompress() if we're missing one of the tools
+@@ -1429,7 +1429,7 @@ mount_debugfs()
+ {
+ 	if [ ! -e /sys/kernel/debug/sched_features ]; then
+ 		# try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
+-		mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
++		@mount@ -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
+ 	fi
+ }
+
+@@ -1440,12 +1440,12 @@ load_msr()
+ 	load_msr_once=1
+
+ 	if [ "$os" = Linux ]; then
+-		if ! grep -qw msr "$procfs/modules" 2>/dev/null; then
+-			modprobe msr 2>/dev/null && insmod_msr=1
++		if ! @grep@ -qw msr "$procfs/modules" 2>/dev/null; then
++			@modprobe@ msr 2>/dev/null && insmod_msr=1
+ 			_debug "attempted to load module msr, insmod_msr=$insmod_msr"
+ 		else
+ 			_debug "msr module already loaded"
+-		fi
++		fi
+ 	else
+ 		if ! kldstat -q -m cpuctl; then
+ 			kldload cpuctl 2>/dev/null && kldload_cpuctl=1
+@@ -1463,12 +1463,12 @@ load_cpuid()
+ 	load_cpuid_once=1
+
+ 	if [ "$os" = Linux ]; then
+-		if ! grep -qw cpuid "$procfs/modules" 2>/dev/null; then
+-			modprobe cpuid 2>/dev/null && insmod_cpuid=1
++		if ! @grep@ -qw cpuid "$procfs/modules" 2>/dev/null; then
++			@modprobe@ cpuid 2>/dev/null && insmod_cpuid=1
+ 			_debug "attempted to load module cpuid, insmod_cpuid=$insmod_cpuid"
+ 		else
+ 			_debug "cpuid module already loaded"
+-		fi
++		fi
+ 	else
+ 		if ! kldstat -q -m cpuctl; then
+ 			kldload cpuctl 2>/dev/null && kldload_cpuctl=1
+@@ -1557,7 +1557,7 @@ read_cpuid_one_core()
+ 		fi
+ 		# on some kernel versions, /dev/cpu/0/cpuid doesn't imply that the cpuid module is loaded, in that case dd returns an error,
+ 		# we use that fact to load the module if dd returns an error
+-		if ! dd if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then
++		if ! @dd@ if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then
+ 			load_cpuid
+ 		fi
+ 		# we need _leaf to be converted to decimal for dd
+@@ -1568,14 +1568,14 @@ read_cpuid_one_core()
+ 		_ddskip=$(( _position / 16 ))
+ 		_odskip=$(( _position - _ddskip * 16 ))
+ 		# now read the value
+-		_cpuid=$(dd if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | od -j $((_odskip * 16)) -A n -t u4)
++		_cpuid=$(@dd@ if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | @od@ -j $((_odskip * 16)) -A n -t u4)
+ 	elif [ -e /dev/cpuctl0 ]; then
+ 		# BSD
+ 		if [ ! -r /dev/cpuctl0 ]; then
+ 			read_cpuid_msg="Couldn't read cpuid info from cpuctl"
+ 			return $READ_CPUID_RET_ERR
+ 		fi
+-		_cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | cut -d: -f2-)
++		_cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | @cut@ -d: -f2-)
+ 		# cpuid level 0x4, level_type 0x2: 0x1c004143 0x01c0003f 0x000001ff 0x00000000
+ 	else
+ 		read_cpuid_msg="Found no way to read cpuid info"
+@@ -1598,7 +1598,7 @@ read_cpuid_one_core()
+ 	fi
+
+ 	# get the value of the register we want
+-	_reg=$(echo "$_cpuid" | awk '{print $'"$_register"'}')
++	_reg=$(echo "$_cpuid" | @awk@ '{print $'"$_register"'}')
+ 	# Linux returns it as decimal, BSD as hex, normalize to decimal
+ 	_reg=$(( _reg ))
+ 	# shellcheck disable=SC2046
+@@ -1626,11 +1626,11 @@ dmesg_grep()
+ 	# grep for something in dmesg, ensuring that the dmesg buffer
+ 	# has not been truncated
+ 	dmesg_grepped=''
+-	if ! dmesg | grep -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then
++	if ! @dmesg@ | @grep@ -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then
+ 		# dmesg truncated
+ 		return 2
+ 	fi
+-	dmesg_grepped=$(dmesg | grep -E "$1" | head -1)
++	dmesg_grepped=$(@dmesg@ | @grep@ -E "$1" | @head@ -1)
+ 	# not found:
+ 	[ -z "$dmesg_grepped" ] && return 1
+ 	# found, output is in $dmesg_grepped
+@@ -1647,12 +1647,12 @@ parse_cpu_details()
+ {
+ 	[ "${parse_cpu_details_done:-}" = 1 ] && return 0
+
+-	if command -v nproc >/dev/null; then
+-		number_of_cores=$(nproc)
+-	elif echo "$os" | grep -q BSD; then
+-		number_of_cores=$(sysctl -n hw.ncpu 2>/dev/null || echo 1)
++	if command -v @nproc@ >/dev/null; then
++		number_of_cores=$(@nproc@)
++	elif echo "$os" | @grep@ -q BSD; then
++		number_of_cores=$(@sysctl@ -n hw.ncpu 2>/dev/null || echo 1)
+ 	elif [ -e "$procfs/cpuinfo" ]; then
+-		number_of_cores=$(grep -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1)
++		number_of_cores=$(@grep@ -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1)
+ 	else
+ 		# if we don't know, default to 1 CPU
+ 		number_of_cores=1
+@@ -1660,43 +1660,43 @@ parse_cpu_details()
+ 	max_core_id=$(( number_of_cores - 1 ))
+
+ 	if [ -e "$procfs/cpuinfo" ]; then
+-		cpu_vendor=$(  grep '^vendor_id'  "$procfs/cpuinfo" | awk '{print $3}' | head -1)
+-		cpu_friendly_name=$(grep '^model name' "$procfs/cpuinfo" | cut -d: -f2- | head -1 | sed -e 's/^ *//')
++		cpu_vendor=$(  @grep@ '^vendor_id'  "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1)
++		cpu_friendly_name=$(@grep@ '^model name' "$procfs/cpuinfo" | @cut@ -d: -f2- | @head@ -1 | @sed@ -e 's/^ *//')
+ 		# special case for ARM follows
+-		if grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
++		if @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
+ 			cpu_vendor='ARM'
+ 			# some devices (phones or other) have several ARMs and as such different part numbers,
+ 			# an example is "bigLITTLE", so we need to store the whole list, this is needed for is_cpu_affected
+-			cpu_part_list=$(awk '/CPU part/         {print $4}' "$procfs/cpuinfo")
+-			cpu_arch_list=$(awk '/CPU architecture/ {print $3}' "$procfs/cpuinfo")
++			cpu_part_list=$(@awk@ '/CPU part/         {print $4}' "$procfs/cpuinfo")
++			cpu_arch_list=$(@awk@ '/CPU architecture/ {print $3}' "$procfs/cpuinfo")
+ 			# take the first one to fill the friendly name, do NOT quote the vars below
+ 			# shellcheck disable=SC2086
+-			cpu_arch=$(echo $cpu_arch_list | awk '{ print $1 }')
++			cpu_arch=$(echo $cpu_arch_list | @awk@ '{ print $1 }')
+ 			# shellcheck disable=SC2086
+-			cpu_part=$(echo $cpu_part_list | awk '{ print $1 }')
++			cpu_part=$(echo $cpu_part_list | @awk@ '{ print $1 }')
+ 			[ "$cpu_arch" = "AArch64" ] && cpu_arch=8
+ 			cpu_friendly_name="ARM"
+ 			[ -n "$cpu_arch" ] && cpu_friendly_name="$cpu_friendly_name v$cpu_arch"
+ 			[ -n "$cpu_part" ] && cpu_friendly_name="$cpu_friendly_name model $cpu_part"
+
+-		elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
++		elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
+ 			cpu_vendor='CAVIUM'
+-		elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
++		elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
+ 			cpu_vendor='PHYTIUM'
+ 		fi
+
+-		cpu_family=$(  grep '^cpu family' "$procfs/cpuinfo" | awk '{print $4}' | grep -E '^[0-9]+$' | head -1)
+-		cpu_model=$(   grep '^model'      "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
+-		cpu_stepping=$(grep '^stepping'   "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
+-		cpu_ucode=$(   grep '^microcode'  "$procfs/cpuinfo" | awk '{print $3}' | head -1)
++		cpu_family=$(  @grep@ '^cpu family' "$procfs/cpuinfo" | @awk@ '{print $4}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++		cpu_model=$(   @grep@ '^model'      "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++		cpu_stepping=$(@grep@ '^stepping'   "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++		cpu_ucode=$(   @grep@ '^microcode'  "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1)
+ 	else
+-		cpu_vendor=$( dmesg | grep -i -m1 'Origin=' | cut -f2 -w | cut -f2 -d= | cut -f2 -d\" )
+-		cpu_family=$( dmesg | grep -i -m1 'Family=' | cut -f4 -w | cut -f2 -d= )
++		cpu_vendor=$( @dmesg@ | @grep@ -i -m1 'Origin=' | @cut@ -f2 -w | @cut@ -f2 -d= | @cut@ -f2 -d\" )
++		cpu_family=$( @dmesg@ | @grep@ -i -m1 'Family=' | @cut@ -f4 -w | @cut@ -f2 -d= )
+ 		cpu_family=$(( cpu_family ))
+-		cpu_model=$( dmesg | grep -i -m1 'Model=' | cut -f5 -w | cut -f2 -d= )
++		cpu_model=$( @dmesg@ | @grep@ -i -m1 'Model=' | @cut@ -f5 -w | @cut@ -f2 -d= )
+ 		cpu_model=$(( cpu_model ))
+-		cpu_stepping=$( dmesg | grep -i -m1 'Stepping=' | cut -f6 -w | cut -f2 -d= )
+-		cpu_friendly_name=$(sysctl -n hw.model 2>/dev/null)
++		cpu_stepping=$( @dmesg@ | @grep@ -i -m1 'Stepping=' | @cut@ -f6 -w | @cut@ -f2 -d= )
++		cpu_friendly_name=$(@sysctl@ -n hw.model 2>/dev/null)
+ 	fi
+
+ 	if [ -n "${SMC_MOCK_CPU_FRIENDLY_NAME:-}" ]; then
+@@ -1751,7 +1751,7 @@ parse_cpu_details()
+ 			# call CPUID
+ 			cpucontrol -i 1 /dev/cpuctl0 >/dev/null
+ 			# read MSR
+-			cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | awk '{print $3}')
++			cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | @awk@ '{print $3}')
+ 			# convert to decimal
+ 			cpu_ucode=$(( cpu_ucode ))
+ 			# convert back to hex
+@@ -1770,7 +1770,7 @@ parse_cpu_details()
+ 		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CPU_UCODE='$cpu_ucode'")
+ 	fi
+
+-	echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$(( cpu_ucode ))
++	echo "$cpu_ucode" | @grep@ -q ^0x && cpu_ucode=$(( cpu_ucode ))
+ 	ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid")
+
+ 	# also define those that we will need in other funcs
+@@ -1867,8 +1867,8 @@ is_cpu_smt_enabled()
+ {
+ 	# SMT / HyperThreading is enabled if siblings != cpucores
+ 	if [ -e "$procfs/cpuinfo" ]; then
+-		_siblings=$(awk '/^siblings/  {print $3;exit}' "$procfs/cpuinfo")
+-		_cpucores=$(awk '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo")
++		_siblings=$(@awk@ '/^siblings/  {print $3;exit}' "$procfs/cpuinfo")
++		_cpucores=$(@awk@ '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo")
+ 		if [ -n "$_siblings" ] && [ -n "$_cpucores" ]; then
+ 			if [ "$_siblings" = "$_cpucores" ]; then
+ 				return 1
+@@ -1916,10 +1916,10 @@ is_ucode_blacklisted()
+ 		$INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b   \
+ 		$INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712
+ 	do
+-		model=$(echo "$tuple" | cut -d, -f1)
+-		stepping=$(( $(echo "$tuple" | cut -d, -f2) ))
++		model=$(echo "$tuple" | @cut@ -d, -f1)
++		stepping=$(( $(echo "$tuple" | @cut@ -d, -f2) ))
+ 		if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" = "$stepping" ]; then
+-			ucode=$(( $(echo "$tuple" | cut -d, -f3) ))
++			ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
+ 			if [ "$cpu_ucode" = "$ucode" ]; then
+ 				_debug "is_ucode_blacklisted: we have a match! ($cpu_model/$cpu_stepping/$cpu_ucode)"
+ 				return 0
+@@ -2007,7 +2007,7 @@ is_xen_dom0()
+ 		return 1
+ 	fi
+
+-	if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d" "$procfs/xen/capabilities"; then
++	if [ -e "$procfs/xen/capabilities" ] && @grep@ -q "control_d" "$procfs/xen/capabilities"; then
+ 		return 0
+ 	else
+ 		return 1
+@@ -2033,12 +2033,12 @@ is_xen_domU()
+ 	fi
+ }
+
+-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
++builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ 	# we have a local cache file, but it might be older than the builtin version we have
+-	local_dbversion=$(  awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
++	local_dbversion=$(  @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+ 	# sort -V sorts by version number
+-	older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | sort -V | head -n1)
++	older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1)
+ 	if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+ 		mcedb_source="$mcedb_cache"
+ 		mcedb_info="local firmwares DB $local_dbversion"
+@@ -2051,7 +2051,7 @@ if [ -z "${mcedb_source:-}" ]; then
+ fi
+ read_mcedb()
+ {
+-	awk '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
++	@awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
+ }
+
+ is_latest_known_ucode()
+@@ -2070,10 +2070,10 @@ is_latest_known_ucode()
+ 	else
+ 		return 2
+ 	fi
+-	for tuple in $(read_mcedb | grep "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
++	for tuple in $(read_mcedb | @grep@ "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
+ 	do
+-		ucode=$((  $(echo "$tuple" | cut -d, -f3) ))
+-		ucode_date=$(echo "$tuple" | cut -d, -f4 | sed -r 's=(....)(..)(..)=\1/\2/\3=')
++		ucode=$((  $(echo "$tuple" | @cut@ -d, -f3) ))
++		ucode_date=$(echo "$tuple" | @cut@ -d, -f4 | @sed@ -r 's=(....)(..)(..)=\1/\2/\3=')
+ 		_debug "is_latest_known_ucode: with cpuid $cpu_cpuid has ucode $cpu_ucode, last known is $ucode from $ucode_date"
+ 		ucode_latest=$(printf "latest version is 0x%x dated $ucode_date according to $mcedb_info" "$ucode")
+ 		if [ "$cpu_ucode" -ge "$ucode" ]; then
+@@ -2098,7 +2098,7 @@ get_cmdline()
+ 		kernel_cmdline="$SMC_MOCK_CMDLINE"
+ 		return
+ 	else
+-		kernel_cmdline=$(cat "$procfs/cmdline")
++		kernel_cmdline=$(@cat@ "$procfs/cmdline")
+ 		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CMDLINE='$kernel_cmdline'")
+ 	fi
+ }
+@@ -2106,7 +2106,7 @@ get_cmdline()
+ # ENTRYPOINT
+
+ # we can't do anything useful under WSL
+-if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then
++if @uname@ -a | @grep@ -qE -- '-Microsoft #[0-9]+-Microsoft '; then
+ 	_warn "This script doesn't work under Windows Subsystem for Linux"
+ 	_warn "You should use the official Microsoft tool instead."
+ 	_warn "It can be found under https://aka.ms/SpeculationControlPS"
+@@ -2155,15 +2155,15 @@ fi
+
+ # if we're under a BSD, try to mount linprocfs for "$procfs/cpuinfo"
+ procfs=/proc
+-if echo "$os" | grep -q BSD; then
++if echo "$os" | @grep@ -q BSD; then
+ 	_debug "We're under BSD, check if we have procfs"
+-	procfs=$(mount | awk '/^linprocfs/ { print $3; exit; }')
++	procfs=$(@mount@ | @awk@ '/^linprocfs/ { print $3; exit; }')
+ 	if [ -z "$procfs" ]; then
+ 		_debug "we don't, try to mount it"
+ 		procfs=/proc
+ 		[ -d /compat/linux/proc ] && procfs=/compat/linux/proc
+ 		test -d $procfs || mkdir $procfs
+-		if mount -t linprocfs linprocfs $procfs 2>/dev/null; then
++		if @mount@ -t linprocfs linprocfs $procfs 2>/dev/null; then
+ 			mounted_procfs=1
+ 			_debug "procfs just mounted at $procfs"
+ 		else
+@@ -2195,14 +2195,14 @@ fi
+
+ if [ "$opt_live" = 1 ]; then
+ 	# root check (only for live mode, for offline mode, we already checked if we could read the files)
+-	if [ "$(id -u)" -ne 0 ]; then
++	if [ "$(@id@ -u)" -ne 0 ]; then
+ 		_warn "Note that you should launch this script with root privileges to get accurate information."
+ 		_warn "We'll proceed but you might see permission denied errors."
+ 		_warn "To run it as root, you can try the following command: sudo $0"
+ 		_warn
+ 	fi
+ 	_info "Checking for vulnerabilities on current system"
+-	_info "Kernel is \033[35m$os $(uname -r) $(uname -v) $(uname -m)\033[0m"
++	_info "Kernel is \033[35m$os $(@uname@ -r) $(@uname@ -v) $(@uname@ -m)\033[0m"
+ 	_info "CPU is \033[35m$cpu_friendly_name\033[0m"
+
+ 	# try to find the image of the current running kernel
+@@ -2210,12 +2210,12 @@ if [ "$opt_live" = 1 ]; then
+ 		# specified by user on cmdline, with --live, don't override
+ 		:
+ 	# first, look for the BOOT_IMAGE hint in the kernel cmdline
+-	elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then
+-		opt_kernel=$(echo "$kernel_cmdline" | grep -Eo 'BOOT_IMAGE=[^ ]+' | cut -d= -f2)
++	elif echo "$kernel_cmdline" | @grep@ -q 'BOOT_IMAGE='; then
++		opt_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo 'BOOT_IMAGE=[^ ]+' | @cut@ -d= -f2)
+ 		_debug "found opt_kernel=$opt_kernel in $procfs/cmdline"
+ 		# if the boot partition is within a btrfs subvolume, strip the subvolume name
+ 		# if /boot is a separate subvolume, the remainder of the code in this section should handle it
+-		if echo "$opt_kernel" | grep -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi
++		if echo "$opt_kernel" | @grep@ -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | @sed@ "s:/@[^/]*::"); fi
+ 		# if we have a dedicated /boot partition, our bootloader might have just called it /
+ 		# so try to prepend /boot and see if we find anything
+ 		[ -e "/boot/$opt_kernel" ] && opt_kernel="/boot/$opt_kernel"
+@@ -2227,7 +2227,7 @@ if [ "$opt_live" = 1 ]; then
+ 	# if we didn't find a kernel, default to guessing
+ 	if [ ! -e "$opt_kernel" ]; then
+ 		# Fedora:
+-		[ -e "/lib/modules/$(uname -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(uname -r)/vmlinuz"
++		[ -e "/lib/modules/$(@uname@ -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(@uname@ -r)/vmlinuz"
+ 		# Slackware:
+ 		[ -e "/boot/vmlinuz"             ] && opt_kernel="/boot/vmlinuz"
+ 		# Arch aarch64:
+@@ -2241,24 +2241,24 @@ if [ "$opt_live" = 1 ]; then
+ 		# pine64
+ 		[ -e "/boot/pine64/Image"        ] && opt_kernel="/boot/pine64/Image"
+ 		# generic:
+-		[ -e "/boot/vmlinuz-$(uname -r)" ] && opt_kernel="/boot/vmlinuz-$(uname -r)"
+-		[ -e "/boot/kernel-$( uname -r)" ] && opt_kernel="/boot/kernel-$( uname -r)"
+-		[ -e "/boot/bzImage-$(uname -r)" ] && opt_kernel="/boot/bzImage-$(uname -r)"
++		[ -e "/boot/vmlinuz-$(@uname@ -r)" ] && opt_kernel="/boot/vmlinuz-$(@uname@ -r)"
++		[ -e "/boot/kernel-$( @uname@ -r)" ] && opt_kernel="/boot/kernel-$( @uname@ -r)"
++		[ -e "/boot/bzImage-$(@uname@ -r)" ] && opt_kernel="/boot/bzImage-$(@uname@ -r)"
+ 		# Gentoo:
+-		[ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
++		[ -e "/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)" ] && opt_kernel="/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)"
+ 		# NixOS:
+ 		[ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
+ 		# Guix System:
+ 		[ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ 		# systemd kernel-install:
+-		[ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
++		[ -e "/etc/machine-id" ] && [ -e "/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux" ] && opt_kernel="/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux"
+ 		# Clear Linux:
+-		str_uname=$(uname -r)
++		str_uname=$(@uname@ -r)
+ 		clear_linux_kernel="/lib/kernel/org.clearlinux.${str_uname##*.}.${str_uname%.*}"
+ 		[ -e "$clear_linux_kernel" ] && opt_kernel=$clear_linux_kernel
+ 		# Custom Arch seems to have the kernel path in its cmdline in the form "\directory\kernelimage",
+ 		# with actual \'s instead of /'s:
+-		custom_arch_kernel=$(echo "$kernel_cmdline" | grep -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d '[:space:]')
++		custom_arch_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | @tr@ "\\\\" "/" | @tr@ -d '[:space:]')
+ 		if [ -n "$custom_arch_kernel" ] && [ -e "$custom_arch_kernel" ]; then
+ 			opt_kernel="$custom_arch_kernel"
+ 		fi
+@@ -2272,12 +2272,12 @@ if [ "$opt_live" = 1 ]; then
+ 		:
+ 	elif [ -e "$procfs/kallsyms" ] ; then
+ 		opt_map="$procfs/kallsyms"
+-	elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then
+-		opt_map="/lib/modules/$(uname -r)/System.map"
+-	elif [ -e "/boot/System.map-$(uname -r)" ] ; then
+-		opt_map="/boot/System.map-$(uname -r)"
+-	elif [ -e "/lib/kernel/System.map-$(uname -r)" ]; then
+-		opt_map="/lib/kernel/System.map-$(uname -r)"
++	elif [ -e "/lib/modules/$(@uname@ -r)/System.map" ] ; then
++		opt_map="/lib/modules/$(@uname@ -r)/System.map"
++	elif [ -e "/boot/System.map-$(@uname@ -r)" ] ; then
++		opt_map="/boot/System.map-$(@uname@ -r)"
++	elif [ -e "/lib/kernel/System.map-$(@uname@ -r)" ]; then
++		opt_map="/lib/kernel/System.map-$(@uname@ -r)"
+ 	fi
+
+ 	# config
+@@ -2285,18 +2285,18 @@ if [ "$opt_live" = 1 ]; then
+ 		# specified by user on cmdline, with --live, don't override
+ 		:
+ 	elif [ -e "$procfs/config.gz" ] ; then
+-		dumped_config="$(mktemp -t smc-config-XXXXXX)"
+-		gunzip -c "$procfs/config.gz" > "$dumped_config"
++		dumped_config="$(@mktemp@ -t smc-config-XXXXXX)"
++		@gunzip@ -c "$procfs/config.gz" > "$dumped_config"
+ 		# dumped_config will be deleted at the end of the script
+ 		opt_config="$dumped_config"
+-	elif [ -e "/lib/modules/$(uname -r)/config" ]; then
+-		opt_config="/lib/modules/$(uname -r)/config"
+-	elif [ -e "/boot/config-$(uname -r)" ]; then
+-		opt_config="/boot/config-$(uname -r)"
+-	elif [ -e "/etc/kernels/kernel-config-$(uname -m)-$(uname -r)" ]; then
+-		opt_config="/etc/kernels/kernel-config-$(uname -m)-$(uname -r)"
+-	elif [ -e "/lib/kernel/config-$(uname -r)" ]; then
+-		opt_config="/lib/kernel/config-$(uname -r)"
++	elif [ -e "/lib/modules/$(@uname@ -r)/config" ]; then
++		opt_config="/lib/modules/$(@uname@ -r)/config"
++	elif [ -e "/boot/config-$(@uname@ -r)" ]; then
++		opt_config="/boot/config-$(@uname@ -r)"
++	elif [ -e "/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)" ]; then
++		opt_config="/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)"
++	elif [ -e "/lib/kernel/config-$(@uname@ -r)" ]; then
++		opt_config="/lib/kernel/config-$(@uname@ -r)"
+ 	fi
+ else
+ 	_info "Checking for vulnerabilities against specified kernel"
+@@ -2311,7 +2311,7 @@ else
+ fi
+
+ if [ "$os" = Linux ]; then
+-	if [ -n "$opt_config" ] && ! grep -q '^CONFIG_' "$opt_config"; then
++	if [ -n "$opt_config" ] && ! @grep@ -q '^CONFIG_' "$opt_config"; then
+ 		# given file is invalid!
+ 		_warn "The kernel config file seems invalid, was expecting a plain-text file, ignoring it!"
+ 		opt_config=''
+@@ -2339,7 +2339,7 @@ if [ "$os" = Linux ]; then
+ fi
+
+ if [ -e "$opt_kernel" ]; then
+-	if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then
++	if ! command -v "@readelf@" >/dev/null 2>&1; then
+ 		_debug "readelf not found"
+ 		kernel_err="missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the 'binutils' package"
+ 	elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ]; then
+@@ -2357,20 +2357,20 @@ else
+ 	# vanilla kernels have with ^Linux version
+ 	# also try harder with some kernels (such as Red Hat) that don't have ^Linux version before their version string
+ 	# and check for FreeBSD
+-	kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E \
++	kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E \
+ 		-e '^Linux version ' \
+ 		-e '^[[:alnum:]][^[:space:]]+ \([^[:space:]]+\) #[0-9]+ .+ (19|20)[0-9][0-9]$' \
+-		-e '^FreeBSD [0-9]' | head -1)
++		-e '^FreeBSD [0-9]' | @head@ -1)
+ 	if [ -z "$kernel_version" ]; then
+ 		# try even harder with some kernels (such as ARM) that split the release (uname -r) and version (uname -v) in 2 adjacent strings
+-		kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | tr "\n" " ")
++		kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | @tr@ "\n" " ")
+ 	fi
+ 	if [ -n "$kernel_version" ]; then
+ 		# in live mode, check if the img we found is the correct one
+ 		if [ "$opt_live" = 1 ]; then
+ 			_verbose "Kernel image is \033[35m$kernel_version"
+-			if ! echo "$kernel_version" | grep -qF "$(uname -r)"; then
+-				_warn "Possible discrepancy between your running kernel '$(uname -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect"
++			if ! echo "$kernel_version" | @grep@ -qF "$(@uname@ -r)"; then
++				_warn "Possible discrepancy between your running kernel '$(@uname@ -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect"
+ 			fi
+ 		else
+ 			_info "Kernel image is \033[35m$kernel_version"
+@@ -2398,11 +2398,11 @@ sys_interface_check()
+ 	if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r "$file" ]; then
+ 		:
+ 	else
+-		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")_RET=1")
++		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")_RET=1")
+ 		return 1
+ 	fi
+
+-	_mockvarname="SMC_MOCK_SYSFS_$(basename "$file")_RET"
++	_mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")_RET"
+ 	# shellcheck disable=SC2086,SC1083
+ 	if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
+ 		_debug "sysfs: MOCKING enabled for $file func returns $(eval echo \$$_mockvarname)"
+@@ -2411,17 +2411,17 @@ sys_interface_check()
+ 	fi
+
+ 	[ -n "$regex" ] || regex='.*'
+-	_mockvarname="SMC_MOCK_SYSFS_$(basename "$file")"
++	_mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")"
+ 	# shellcheck disable=SC2086,SC1083
+ 	if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
+ 		fullmsg="$(eval echo \$$_mockvarname)"
+-		msg=$(echo "$fullmsg" | grep -Eo "$regex")
++		msg=$(echo "$fullmsg" | @grep@ -Eo "$regex")
+ 		_debug "sysfs: MOCKING enabled for $file, will return $fullmsg"
+ 		mocked=1
+ 	else
+-		fullmsg=$(cat "$file")
+-		msg=$(grep -Eo "$regex" "$file")
+-		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")='$fullmsg'")
++		fullmsg=$(@cat@ "$file")
++		msg=$(@grep@ -Eo "$regex" "$file")
++		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")='$fullmsg'")
+ 	fi
+ 	if [ "$mode" = silent ]; then
+ 		return 0
+@@ -2430,15 +2430,15 @@ sys_interface_check()
+ 		return 0
+ 	fi
+ 	_info_nol "* Mitigated according to the /sys interface: "
+-	if echo "$msg" | grep -qi '^not affected'; then
++	if echo "$msg" | @grep@ -qi '^not affected'; then
+ 		# Not affected
+ 		status=OK
+ 		pstatus green YES "$fullmsg"
+-	elif echo "$msg" | grep -qEi '^(kvm: )?mitigation'; then
++	elif echo "$msg" | @grep@ -qEi '^(kvm: )?mitigation'; then
+ 		# Mitigation: PTI
+ 		status=OK
+ 		pstatus green YES "$fullmsg"
+-	elif echo "$msg" | grep -qi '^vulnerable'; then
++	elif echo "$msg" | @grep@ -qi '^vulnerable'; then
+ 		# Vulnerable
+ 		status=VULN
+ 		pstatus yellow NO "$fullmsg"
+@@ -2526,20 +2526,20 @@ write_msr_one_core()
+ 			# ret=4: msr doesn't exist, ret=127: msr.allow_writes=off
+ 			[ "$ret" = 127 ] && _write_denied=1
+ 		# or fallback to dd if it supports seek_bytes, we prefer it over perl because we can tell the difference between EPERM and EIO
+-		elif dd if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
++		elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
+ 			_debug "write_msr: using dd"
+-			dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
++			@dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
+ 			# if it failed, inspect stderrto look for EPERM
+ 			if [ "$ret" != 0 ]; then
+-				if dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then
++				if @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | @grep@ -qF 'Operation not permitted'; then
+ 					_write_denied=1
+ 				fi
+ 			fi
+ 		# or if we have perl, use it, any 5.x version will work
+-		elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
++		elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
+ 			_debug "write_msr: using perl"
+ 			ret=1
+-			perl -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0
++			@perl@ -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0
+ 		else
+ 			_debug "write_msr: got no wrmsr, perl or recent enough dd!"
+ 			mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR")
+@@ -2561,13 +2561,13 @@ write_msr_one_core()
+ 				msr_locked_down=1
+ 				write_msr_msg="your kernel is configured to deny writes to MSRs from user space"
+ 				return $WRITE_MSR_RET_LOCKDOWN
+-			elif dmesg | grep -qF "msr: Direct access to MSR"; then
++			elif @dmesg@ | @grep@ -qF "msr: Direct access to MSR"; then
+ 				_debug "write_msr: locked down kernel detected (Red Hat / Fedora)"
+ 				mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
+ 				msr_locked_down=1
+ 				write_msr_msg="your kernel is locked down (Fedora/Red Hat), please reboot without secure boot and retry"
+ 				return $WRITE_MSR_RET_LOCKDOWN
+-			elif dmesg | grep -qF "raw MSR access is restricted"; then
++			elif @dmesg@ | @grep@ -qF "raw MSR access is restricted"; then
+ 				_debug "write_msr: locked down kernel detected (vanilla)"
+ 				mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
+ 				msr_locked_down=1
+@@ -2666,8 +2666,8 @@ read_msr_one_core()
+ 			return $READ_MSR_RET_KO
+ 		fi
+ 		# MSR 0x10: 0x000003e1 0xb106dded
+-		_msr_h=$(echo "$_msr" | awk '{print $3}');
+-		_msr_l=$(echo "$_msr" | awk '{print $4}');
++		_msr_h=$(echo "$_msr" | @awk@ '{print $3}');
++		_msr_l=$(echo "$_msr" | @awk@ '{print $4}');
+ 		read_msr_value=$(( _msr_h << 32 | _msr_l ))
+ 	else
+ 		# for Linux
+@@ -2678,15 +2678,15 @@ read_msr_one_core()
+ 		# if rdmsr is available, use it
+ 		elif command -v rdmsr >/dev/null 2>&1 && [ "${SMC_NO_RDMSR:-}" != 1 ]; then
+ 			_debug "read_msr: using rdmsr on $_msr"
+-			read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | od -t u8 -A n)
++			read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | @od@ -t u8 -A n)
+ 		# or if we have perl, use it, any 5.x version will work
+-		elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
++		elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
+ 			_debug "read_msr: using perl on $_msr"
+-			read_msr_value=$(perl -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | od -t u8 -A n)
++			read_msr_value=$(@perl@ -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | @od@ -t u8 -A n)
+ 		# fallback to dd if it supports skip_bytes
+-		elif dd if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
++		elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
+ 			_debug "read_msr: using dd on $_msr"
+-			read_msr_value=$(dd if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8 -A n)
++			read_msr_value=$(@dd@ if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | @od@ -t u8 -A n)
+ 		else
+ 			_debug "read_msr: got no rdmsr, perl or recent enough dd!"
+ 			mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR")
+@@ -2710,7 +2710,7 @@ check_cpu()
+ {
+ 	_info "\033[1;34mHardware check\033[0m"
+
+-	if ! uname -m | grep -qwE 'x86_64|i[3-6]86|amd64'; then
++	if ! @uname@ -m | @grep@ -qwE 'x86_64|i[3-6]86|amd64'; then
+ 		return
+ 	fi
+
+@@ -3326,19 +3326,19 @@ check_redhat_canonical_spectre()
+ 	# if we were already called, don't do it again
+ 	[ -n "${redhat_canonical_spectre:-}" ] && return
+
+-	if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++	if ! command -v "@strings@" >/dev/null 2>&1; then
+ 		redhat_canonical_spectre=-1
+ 	elif [ -n "$kernel_err" ]; then
+ 		redhat_canonical_spectre=-2
+ 	else
+ 		# Red Hat / Ubuntu specific variant1 patch is difficult to detect,
+ 		# let's use the two same tricks than the official Red Hat detection script uses:
+-		if "${opt_arch_prefix}strings" "$kernel" | grep -qw noibrs && "${opt_arch_prefix}strings" "$kernel" | grep -qw noibpb; then
++		if "@strings@" "$kernel" | @grep@ -qw noibrs && "@strings@" "$kernel" | @grep@ -qw noibpb; then
+ 			# 1) detect their specific variant2 patch. If it's present, it means
+ 			# that the variant1 patch is also present (both were merged at the same time)
+ 			_debug "found redhat/canonical version of the variant2 patch (implies variant1)"
+ 			redhat_canonical_spectre=1
+-		elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'x86/pti:'; then
++		elif "@strings@" "$kernel" | @grep@ -q 'x86/pti:'; then
+ 			# 2) detect their specific variant3 patch. If it's present, but the variant2
+ 			# is not, it means that only variant1 is present in addition to variant3
+ 			_debug "found redhat/canonical version of the variant3 patch (implies variant1 but not variant2)"
+@@ -3363,13 +3363,13 @@ check_has_vmm()
+ 		# If we find no evidence that this is the case, assume we're not (to avoid scaring users),
+ 		# this can always be overridden with --vmm in any case.
+ 		has_vmm=0
+-		if command -v pgrep >/dev/null 2>&1; then
++		if command -v @pgrep@ >/dev/null 2>&1; then
+ 			# remove xenbus and xenwatch, also present inside domU
+ 			# remove libvirtd as it can also be used to manage containers and not VMs
+ 			# for each binary we want to grep, get the pids
+ 			for _binary in qemu kvm xenstored xenconsoled
+ 			do
+-				for _pid in $(pgrep -x $_binary)
++				for _pid in $(@pgrep@ -x $_binary)
+ 				do
+ 					# resolve the exe symlink, if it doesn't resolve with -m,
+ 					# which doesn't even need the dest to exist, it means the symlink
+@@ -3385,7 +3385,7 @@ check_has_vmm()
+ 		else
+ 			# ignore SC2009 as `ps ax` is actually used as a fallback if `pgrep` isn't installed
+ 			# shellcheck disable=SC2009
+-			if command -v ps >/devnull && ps ax | grep -vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then
++			if command -v ps >/devnull && ps ax | @grep@ -vw grep | @grep@ -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then
+ 				has_vmm=1
+ 			fi
+ 		fi
+@@ -3417,7 +3417,7 @@ check_CVE_2017_5753()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2017_5753_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2017_5753_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -3469,20 +3469,20 @@ check_CVE_2017_5753_linux()
+ 		v1_mask_nospec=''
+ 		if [ -n "$kernel_err" ]; then
+ 			pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+-		elif ! command -v perl >/dev/null 2>&1; then
++		elif ! command -v @perl@ >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+ 		else
+-			perl -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
++			@perl@ -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
+ 			if [ $ret -gt 0 ]; then
+ 				pstatus green YES "$ret occurrence(s) found of x86 64 bits array_index_mask_nospec()"
+ 				v1_mask_nospec="x86 64 bits array_index_mask_nospec"
+ 			else
+-				perl -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
++				@perl@ -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
+ 				if [ $ret -gt 0 ]; then
+ 					pstatus green YES "$ret occurrence(s) found of x86 32 bits array_index_mask_nospec()"
+ 					v1_mask_nospec="x86 32 bits array_index_mask_nospec"
+ 				else
+-					ret=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" | grep -w -e f3af8014 -e e320f014 -B2 | grep -B1 -w sbc | grep -w -c cmp)
++					ret=$("@objdump@" $objdump_options "$kernel" | @grep@ -w -e f3af8014 -e e320f014 -B2 | @grep@ -B1 -w sbc | @grep@ -w -c cmp)
+ 					if [ "$ret" -gt 0 ]; then
+ 						pstatus green YES "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()"
+ 						v1_mask_nospec="arm 32 bits array_index_mask_nospec"
+@@ -3526,12 +3526,12 @@ check_CVE_2017_5753_linux()
+ 			pstatus yellow NO
+ 		elif [ -n "$kernel_err" ]; then
+ 			pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+-		elif ! command -v perl >/dev/null 2>&1; then
++		elif ! command -v @perl@ >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+-		elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++		elif ! command -v "@objdump@" >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ 		else
+-			"${opt_arch_prefix}objdump" $objdump_options "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
++			"@objdump@" $objdump_options "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
+ 			if [ "$ret" -eq 9 ]; then
+ 				pstatus green YES "mask_nospec64 macro is present and used"
+ 				v1_mask_nospec="arm64 mask_nospec64"
+@@ -3553,12 +3553,12 @@ check_CVE_2017_5753_linux()
+ 			pstatus yellow NO
+ 		elif [ -n "$kernel_err" ]; then
+ 			pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+-		elif ! command -v perl >/dev/null 2>&1; then
++		elif ! command -v @perl@ >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+-		elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++		elif ! command -v "@objdump@" >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ 		else
+-			"${opt_arch_prefix}objdump" -d "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$?
++			"@objdump@" -d "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$?
+ 			if [ "$ret" -eq 9 ]; then
+ 				pstatus green YES "array_index_nospec macro is present and used"
+ 				v1_mask_nospec="arm64 array_index_nospec"
+@@ -3574,7 +3574,7 @@ check_CVE_2017_5753_linux()
+ 			if [ -n "$kernel_err" ]; then
+ 				pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ 			else
+-				if ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++				if ! command -v "@objdump@" >/dev/null 2>&1; then
+ 					pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ 				else
+ 					# here we disassemble the kernel and count the number of occurrences of the LFENCE opcode
+@@ -3584,7 +3584,7 @@ check_CVE_2017_5753_linux()
+ 					# so let's push the threshold to 70.
+ 					# v0.33+: now only count lfence opcodes after a jump, way less error-prone
+ 					# non patched kernel have between 0 and 20 matches, patched ones have at least 40-45
+-					nb_lfence=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence | grep -Ewc 'jmp|jne|je')
++					nb_lfence=$("@objdump@" $objdump_options "$kernel" 2>/dev/null | @grep@ -w -B1 lfence | @grep@ -Ewc 'jmp|jne|je')
+ 					if [ "$nb_lfence" -lt 30 ]; then
+ 						pstatus yellow NO "only $nb_lfence jump-then-lfence instructions found, should be >= 30 (heuristic)"
+ 					else
+@@ -3655,7 +3655,7 @@ check_CVE_2017_5715()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2017_5715_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2017_5715_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -3697,13 +3697,13 @@ check_CVE_2017_5715_linux()
+ 					# /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed
+ 					specex_knob_dir=$dir
+ 					ibrs_supported="$dir/ibrs_enabled exists"
+-					ibrs_enabled=$(cat "$dir/ibrs_enabled" 2>/dev/null)
++					ibrs_enabled=$(@cat@ "$dir/ibrs_enabled" 2>/dev/null)
+ 					_debug "ibrs: found $dir/ibrs_enabled=$ibrs_enabled"
+ 					# if ibrs_enabled is there, ibpb_enabled will be in the same dir
+ 					if [ -e "$dir/ibpb_enabled" ]; then
+ 						# if the file is there, we have IBPB compiled-in (see note above for IBRS)
+ 						ibpb_supported="$dir/ibpb_enabled exists"
+-						ibpb_enabled=$(cat "$dir/ibpb_enabled" 2>/dev/null)
++						ibpb_enabled=$(@cat@ "$dir/ibpb_enabled" 2>/dev/null)
+ 						_debug "ibpb: found $dir/ibpb_enabled=$ibpb_enabled"
+ 					else
+ 						_debug "ibpb: $dir/ibpb_enabled file doesn't exist"
+@@ -3718,7 +3718,7 @@ check_CVE_2017_5715_linux()
+ 			# which in that case means ibrs is supported *and* enabled for kernel & user
+ 			# as per the ibrs patch series v3
+ 			if [ -z "$ibrs_supported" ]; then
+-				if grep ^flags "$procfs/cpuinfo" | grep -qw spec_ctrl_ibrs; then
++				if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw spec_ctrl_ibrs; then
+ 					_debug "ibrs: found spec_ctrl_ibrs flag in $procfs/cpuinfo"
+ 					ibrs_supported="spec_ctrl_ibrs flag in $procfs/cpuinfo"
+ 					# enabled=2 -> kernel & user
+@@ -3728,13 +3728,13 @@ check_CVE_2017_5715_linux()
+ 			fi
+ 			if [ -n "$fullmsg" ]; then
+ 				# when IBPB is enabled on 4.15+, we can see it in sysfs
+-				if echo "$fullmsg" | grep -q 'IBPB'; then
++				if echo "$fullmsg" | @grep@ -q 'IBPB'; then
+ 					_debug "ibpb: found enabled in sysfs"
+ 					[ -z "$ibpb_supported" ] && ibpb_supported='IBPB found enabled in sysfs'
+ 					[ -z "$ibpb_enabled"   ] && ibpb_enabled=1
+ 				fi
+ 				# when IBRS_FW is enabled on 4.15+, we can see it in sysfs
+-				if echo "$fullmsg" | grep -q ', IBRS_FW'; then
++				if echo "$fullmsg" | @grep@ -q ', IBRS_FW'; then
+ 					_debug "ibrs: found IBRS_FW in sysfs"
+ 					[ -z "$ibrs_supported" ] && ibrs_supported='found IBRS_FW in sysfs'
+ 					ibrs_fw_enabled=1
+@@ -3742,13 +3742,13 @@ check_CVE_2017_5715_linux()
+ 				# when IBRS is enabled on 4.15+, we can see it in sysfs
+ 				# on a more recent kernel, classic "IBRS" is not even longer an option, because of the performance impact.
+ 				# only "Enhanced IBRS" is available (on CPUs with the IBRS_ALL flag)
+-				if echo "$fullmsg" | grep -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
++				if echo "$fullmsg" | @grep@ -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
+ 					_debug "ibrs: found IBRS in sysfs"
+ 					[ -z "$ibrs_supported" ] && ibrs_supported='found IBRS in sysfs'
+ 					[ -z "$ibrs_enabled"   ] && ibrs_enabled=3
+ 				fi
+ 				# checking for 'Enhanced IBRS' in sysfs, enabled on CPUs with IBRS_ALL
+-				if echo "$fullmsg" | grep -q -e 'Enhanced IBRS'; then
++				if echo "$fullmsg" | @grep@ -q -e 'Enhanced IBRS'; then
+ 					[ -z "$ibrs_supported" ] && ibrs_supported='found Enhanced IBRS in sysfs'
+ 					# 4 isn't actually a valid value of the now extinct "ibrs_enabled" flag file,
+ 					# that only went from 0 to 3, so we use 4 as "enhanced ibrs is enabled"
+@@ -3767,11 +3767,11 @@ check_CVE_2017_5715_linux()
+ 			fi
+ 		fi
+ 		if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then
+-			if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++			if ! command -v "@strings@" >/dev/null 2>&1; then
+ 				:
+ 			else
+ 				ibrs_can_tell=1
+-				ibrs_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1)
++				ibrs_supported=$("@strings@" "$kernel" | @grep@ -Fw -e ', IBRS_FW' | @head@ -1)
+ 				if [ -n "$ibrs_supported" ]; then
+ 					_debug "ibrs: found ibrs evidence in kernel image ($ibrs_supported)"
+ 					ibrs_supported="found '$ibrs_supported' in kernel image"
+@@ -3780,7 +3780,7 @@ check_CVE_2017_5715_linux()
+ 		fi
+ 		if [ -z "$ibrs_supported" ] && [ -n "$opt_map" ]; then
+ 			ibrs_can_tell=1
+-			if grep -q spec_ctrl "$opt_map"; then
++			if @grep@ -q spec_ctrl "$opt_map"; then
+ 				ibrs_supported="found spec_ctrl in symbols file"
+ 				_debug "ibrs: found '*spec_ctrl*' symbol in $opt_map"
+ 			fi
+@@ -3788,11 +3788,11 @@ check_CVE_2017_5715_linux()
+ 		# recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat
+ 		# we can detect it directly in the image
+ 		if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then
+-			if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++			if ! command -v "@strings@" >/dev/null 2>&1; then
+ 				:
+ 			else
+ 				ibpb_can_tell=1
+-				ibpb_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1)
++				ibpb_supported=$("@strings@" "$kernel" | @grep@ -Fw -e 'ibpb' -e ', IBPB' | @head@ -1)
+ 				if [ -n "$ibpb_supported" ]; then
+ 					_debug "ibpb: found ibpb evidence in kernel image ($ibpb_supported)"
+ 					ibpb_supported="found '$ibpb_supported' in kernel image"
+@@ -3841,9 +3841,9 @@ check_CVE_2017_5715_linux()
+ 					2)	if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel, user space, and firmware code" ; else pstatus green YES "for both kernel and user space"; fi;;
+ 					3)	if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and firmware code"; else pstatus green YES; fi;;
+ 					4)	pstatus green YES "Enhanced flavor, performance impact will be greatly reduced";;
+-					*)	if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ];
+-							then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
+-						else
++					*)	if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ];
++							then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
++						else
+ 							pstatus yellow UNKNOWN; fi;;
+ 				esac
+ 			fi
+@@ -3894,7 +3894,7 @@ check_CVE_2017_5715_linux()
+ 		bp_harden=''
+ 		if [ -r "$opt_config" ]; then
+ 			bp_harden_can_tell=1
+-			bp_harden=$(grep -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
++			bp_harden=$(@grep@ -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
+ 			if [ -n "$bp_harden" ]; then
+ 				pstatus green YES
+ 				_debug "bp_harden: found '$bp_harden' in $opt_config"
+@@ -3902,7 +3902,7 @@ check_CVE_2017_5715_linux()
+ 		fi
+ 		if [ -z "$bp_harden" ] && [ -n "$opt_map" ]; then
+ 			bp_harden_can_tell=1
+-			bp_harden=$(grep -w bp_hardening_data "$opt_map")
++			bp_harden=$(@grep@ -w bp_hardening_data "$opt_map")
+ 			if [ -n "$bp_harden" ]; then
+ 				pstatus green YES
+ 				_debug "bp_harden: found '$bp_harden' in $opt_map"
+@@ -3920,11 +3920,11 @@ check_CVE_2017_5715_linux()
+ 		# We check the RETPOLINE kernel options
+ 		retpoline=0
+ 		if [ -r "$opt_config" ]; then
+-			if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
++			if @grep@ -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
+ 				pstatus green YES
+ 				retpoline=1
+ 				# shellcheck disable=SC2046
+-				_debug 'retpoline: found '$(grep '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
++				_debug 'retpoline: found '$(@grep@ '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
+ 			else
+ 				pstatus yellow NO
+ 			fi
+@@ -3945,8 +3945,8 @@ check_CVE_2017_5715_linux()
+ 			# since 5.15.28, this is now "Retpolines" as the implementation was switched to a generic one,
+ 			# so we look for both "retpoline" and "retpolines"
+ 			if [ "$opt_live" = 1 ] && [ -n "$fullmsg" ]; then
+-				if echo "$fullmsg" | grep -qwi -e retpoline -e retpolines; then
+-					if echo "$fullmsg" | grep -qwi minimal; then
++				if echo "$fullmsg" | @grep@ -qwi -e retpoline -e retpolines; then
++					if echo "$fullmsg" | @grep@ -qwi minimal; then
+ 						retpoline_compiler=0
+ 						retpoline_compiler_reason="kernel reports minimal retpoline compilation"
+ 					else
+@@ -3956,19 +3956,19 @@ check_CVE_2017_5715_linux()
+ 				fi
+ 			elif [ -n "$opt_map" ]; then
+ 				# look for the symbol
+-				if grep -qw noretpoline_setup "$opt_map"; then
++				if @grep@ -qw noretpoline_setup "$opt_map"; then
+ 					retpoline_compiler=1
+ 					retpoline_compiler_reason="noretpoline_setup symbol found in System.map"
+ 				fi
+ 			elif [ -n "$kernel" ]; then
+ 				# look for the symbol
+-				if command -v "${opt_arch_prefix}nm" >/dev/null 2>&1; then
++				if command -v "@nm@" >/dev/null 2>&1; then
+ 					# the proper way: use nm and look for the symbol
+-					if "${opt_arch_prefix}nm" "$kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then
++					if "@nm@" "$kernel" 2>/dev/null | @grep@ -qw 'noretpoline_setup'; then
+ 						retpoline_compiler=1
+ 						retpoline_compiler_reason="noretpoline_setup found in kernel symbols"
+ 					fi
+-				elif grep -q noretpoline_setup "$kernel"; then
++				elif @grep@ -q noretpoline_setup "$kernel"; then
+ 					# if we don't have nm, nevermind, the symbol name is long enough to not have
+ 					# any false positive using good old grep directly on the binary
+ 					retpoline_compiler=1
+@@ -3997,7 +3997,7 @@ check_CVE_2017_5715_linux()
+ 		retp_enabled=-1
+ 		if [ "$opt_live" = 1 ]; then
+ 			if [ -e "$specex_knob_dir/retp_enabled" ]; then
+-				retp_enabled=$(cat "$specex_knob_dir/retp_enabled" 2>/dev/null)
++				retp_enabled=$(@cat@ "$specex_knob_dir/retp_enabled" 2>/dev/null)
+ 				_debug "retpoline: found $specex_knob_dir/retp_enabled=$retp_enabled"
+ 				_info_nol "    * Retpoline is enabled: "
+ 				if [ "$retp_enabled" = 1 ]; then
+@@ -4027,7 +4027,7 @@ check_CVE_2017_5715_linux()
+ 			rsb_filling=0
+ 			if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then
+ 				# if we're live and we aren't denied looking into /sys, let's do it
+-				if echo "$msg" | grep -qw RSB; then
++				if echo "$msg" | @grep@ -qw RSB; then
+ 					rsb_filling=1
+ 					pstatus green YES
+ 				fi
+@@ -4036,7 +4036,7 @@ check_CVE_2017_5715_linux()
+ 				if [ -n "$kernel_err" ]; then
+ 					pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ 				else
+-					if grep -qw -e 'Filling RSB on context switch' "$kernel"; then
++					if @grep@ -qw -e 'Filling RSB on context switch' "$kernel"; then
+ 						rsb_filling=1
+ 						pstatus green YES
+ 					else
+@@ -4198,7 +4198,7 @@ check_CVE_2017_5715_bsd()
+ {
+ 	_info     "* Mitigation 1"
+ 	_info_nol "  * Kernel supports IBRS: "
+-	ibrs_disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null)
++	ibrs_disabled=$(@sysctl@ -n hw.ibrs_disable 2>/dev/null)
+ 	if [ -z "$ibrs_disabled" ]; then
+ 		pstatus yellow NO
+ 	else
+@@ -4206,7 +4206,7 @@ check_CVE_2017_5715_bsd()
+ 	fi
+
+ 	_info_nol "  * IBRS enabled and active: "
+-	ibrs_active=$(sysctl -n hw.ibrs_active 2>/dev/null)
++	ibrs_active=$(@sysctl@ -n hw.ibrs_active 2>/dev/null)
+ 	if [ "$ibrs_active" = 1 ]; then
+ 		pstatus green YES
+ 	else
+@@ -4219,10 +4219,10 @@ check_CVE_2017_5715_bsd()
+ 	if [ -n "$kernel_err" ]; then
+ 		pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ 	else
+-		if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then
++		if ! command -v "@readelf@" >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the binutils package"
+ 		else
+-			nb_thunks=$("${opt_arch_prefix}readelf" -s "$kernel" | grep -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_)
++			nb_thunks=$("@readelf@" -s "$kernel" | @grep@ -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_)
+ 			if [ "$nb_thunks" -gt 0 ]; then
+ 				retpoline=1
+ 				pstatus green YES "found $nb_thunks thunk(s)"
+@@ -4263,7 +4263,7 @@ check_CVE_2017_5715_bsd()
+ pti_performance_check()
+ {
+ 	_info_nol "  * Reduced performance impact of PTI: "
+-	if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw pcid; then
++	if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pcid; then
+ 		cpu_pcid=1
+ 	else
+ 		read_cpuid 0x1 0x0 $ECX 17 1 1; ret=$?
+@@ -4272,7 +4272,7 @@ pti_performance_check()
+ 		fi
+ 	fi
+
+-	if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw invpcid; then
++	if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw invpcid; then
+ 		cpu_invpcid=1
+ 	else
+ 		read_cpuid 0x7 0x0 $EBX 10 1 1; ret=$?
+@@ -4297,7 +4297,7 @@ check_CVE_2017_5754()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2017_5754_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2017_5754_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -4319,7 +4319,7 @@ check_CVE_2017_5754_linux()
+ 		kpti_can_tell=0
+ 		if [ -n "$opt_config" ]; then
+ 			kpti_can_tell=1
+-			kpti_support=$(grep -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
++			kpti_support=$(@grep@ -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
+ 			if [ -n "$kpti_support" ]; then
+ 				_debug "kpti_support: found option '$kpti_support' in $opt_config"
+ 			fi
+@@ -4329,7 +4329,7 @@ check_CVE_2017_5754_linux()
+ 			# so we try to find an exported symbol that is part of the PTI patch in System.map
+ 			# parse_kpti: arm
+ 			kpti_can_tell=1
+-			kpti_support=$(grep -w -e kpti_force_enabled -e parse_kpti "$opt_map")
++			kpti_support=$(@grep@ -w -e kpti_force_enabled -e parse_kpti "$opt_map")
+ 			if [ -n "$kpti_support" ]; then
+ 				_debug "kpti_support: found '$kpti_support' in $opt_map"
+ 			fi
+@@ -4339,10 +4339,10 @@ check_CVE_2017_5754_linux()
+ 			# nopti option that is part of the patch (kernel command line option)
+ 			# 'kpti=': arm
+ 			kpti_can_tell=1
+-			if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++			if ! command -v "@strings@" >/dev/null 2>&1; then
+ 				pstatus yellow UNKNOWN "missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
+ 			else
+-				kpti_support=$("${opt_arch_prefix}strings" "$kernel" | grep -w -e nopti -e kpti=)
++				kpti_support=$("@strings@" "$kernel" | @grep@ -w -e nopti -e kpti=)
+ 				if [ -n "$kpti_support" ]; then
+ 					_debug "kpti_support: found '$kpti_support' in $kernel"
+ 				fi
+@@ -4369,20 +4369,20 @@ check_CVE_2017_5754_linux()
+ 			dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
+ 			# aarch64
+ 			dmesg_grep="$dmesg_grep|CPU features: detected( feature)?: Kernel page table isolation \(KPTI\)"
+-			if grep ^flags "$procfs/cpuinfo" | grep -qw pti; then
++			if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pti; then
+ 				# vanilla PTI patch sets the 'pti' flag in cpuinfo
+ 				_debug "kpti_enabled: found 'pti' flag in $procfs/cpuinfo"
+ 				kpti_enabled=1
+-			elif grep ^flags "$procfs/cpuinfo" | grep -qw kaiser; then
++			elif @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw kaiser; then
+ 				# kernel line 4.9 sets the 'kaiser' flag in cpuinfo
+ 				_debug "kpti_enabled: found 'kaiser' flag in $procfs/cpuinfo"
+ 				kpti_enabled=1
+ 			elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then
+ 				# Red Hat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
+-				kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
++				kpti_enabled=$(@cat@ /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
+ 				_debug "kpti_enabled: file /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled"
+ 			elif is_xen_dom0; then
+-				pti_xen_pv_domU=$(xl dmesg | grep 'XPTI' | grep 'DomU enabled' | head -1)
++				pti_xen_pv_domU=$(xl @dmesg@ | @grep@ 'XPTI' | @grep@ 'DomU enabled' | @head@ -1)
+
+ 				[ -n "$pti_xen_pv_domU" ] && kpti_enabled=1
+ 			fi
+@@ -4457,7 +4457,7 @@ check_CVE_2017_5754_linux()
+ 				if [ -n "$kpti_support" ]; then
+ 					if [ -e "/sys/kernel/debug/x86/pti_enabled" ]; then
+ 						explain "Your kernel supports PTI but it's disabled, you can enable it with \`echo 1 > /sys/kernel/debug/x86/pti_enabled\`"
+-					elif echo "$kernel_cmdline" | grep -q -w -e nopti -e pti=off; then
++					elif echo "$kernel_cmdline" | @grep@ -q -w -e nopti -e pti=off; then
+ 						explain "Your kernel supports PTI but it has been disabled on command-line, remove the nopti or pti=off option from your bootloader configuration"
+ 					else
+ 						explain "Your kernel supports PTI but it has been disabled, check \`dmesg\` right after boot to find clues why the system disabled it"
+@@ -4508,7 +4508,7 @@ check_CVE_2017_5754_linux()
+ check_CVE_2017_5754_bsd()
+ {
+ 	_info_nol "* Kernel supports Page Table Isolation (PTI): "
+-	kpti_enabled=$(sysctl -n vm.pmap.pti 2>/dev/null)
++	kpti_enabled=$(@sysctl@ -n vm.pmap.pti 2>/dev/null)
+ 	if [ -z "$kpti_enabled" ]; then
+ 		pstatus yellow NO
+ 	else
+@@ -4579,7 +4579,7 @@ check_CVE_2018_3639()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2018_3639_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2018_3639_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -4598,33 +4598,33 @@ check_CVE_2018_3639_linux()
+ 	if [ "$opt_sysfs_only" != 1 ]; then
+ 		_info_nol "* Kernel supports disabling speculative store bypass (SSB): "
+ 		if [ "$opt_live" = 1 ]; then
+-			if grep -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then
++			if @grep@ -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then
+ 				kernel_ssb="found in $procfs/self/status"
+ 				_debug "found Speculation.Store.Bypass: in $procfs/self/status"
+ 			fi
+ 		fi
+ 		# arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
+-		if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! grep -q 'arm64_sys_' "$kernel"; then
+-			kernel_ssb=$("${opt_arch_prefix}strings" "$kernel" | grep spec_store_bypass | head -n1);
++		if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! @grep@ -q 'arm64_sys_' "$kernel"; then
++			kernel_ssb=$("@strings@" "$kernel" | @grep@ spec_store_bypass | @head@ -n1);
+ 			[ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in kernel"
+ 		fi
+ 		# arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
+-		if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! grep -q 'arm64_sys_' "$opt_map"; then
+-			kernel_ssb=$(grep spec_store_bypass "$opt_map" | awk '{print $3}' | head -n1)
++		if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! @grep@ -q 'arm64_sys_' "$opt_map"; then
++			kernel_ssb=$(@grep@ spec_store_bypass "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
+ 			[ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
+ 		fi
+ 		# arm64 only:
+ 		if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ]; then
+-			kernel_ssb=$(grep -w cpu_enable_ssbs "$opt_map" | awk '{print $3}' | head -n1)
++			kernel_ssb=$(@grep@ -w cpu_enable_ssbs "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
+ 			[ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
+ 		fi
+ 		if [ -z "$kernel_ssb" ] && [ -n "$opt_config" ]; then
+-			kernel_ssb=$(grep -w 'CONFIG_ARM64_SSBD=y' "$opt_config")
++			kernel_ssb=$(@grep@ -w 'CONFIG_ARM64_SSBD=y' "$opt_config")
+ 			[ -n "$kernel_ssb" ] && kernel_ssb="CONFIG_ARM64_SSBD enabled in kconfig"
+ 		fi
+ 		if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then
+ 			# this string only appears in kernel if CONFIG_ARM64_SSBD is set
+-			kernel_ssb=$(grep -w "Speculative Store Bypassing Safe (SSBS)" "$kernel")
++			kernel_ssb=$(@grep@ -w "Speculative Store Bypassing Safe (SSBS)" "$kernel")
+ 			[ -n "$kernel_ssb" ] && kernel_ssb="found 'Speculative Store Bypassing Safe (SSBS)' in kernel"
+ 		fi
+ 		# /arm64 only
+@@ -4639,31 +4639,31 @@ check_CVE_2018_3639_linux()
+ 		if [ "$opt_live" = 1 ]; then
+ 			# https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340
+ 			_info_nol "* SSB mitigation is enabled and active: "
+-			if grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then
++			if @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then
+ 				kernel_ssbd_enabled=1
+ 				pstatus green YES "per-thread through prctl"
+-			elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then
++			elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then
+ 				kernel_ssbd_enabled=2
+ 				pstatus green YES "global"
+-			elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then
++			elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then
+ 				kernel_ssbd_enabled=0
+ 				pstatus yellow NO
+-			elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then
++			elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then
+ 				kernel_ssbd_enabled=-2
+ 				pstatus blue NO "not vulnerable"
+-			elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then
++			elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then
+ 				kernel_ssbd_enabled=0
+ 				pstatus blue NO
+ 			else
+-				pstatus blue UNKNOWN "unknown value: $(grep -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | cut -d: -f2-)"
++				pstatus blue UNKNOWN "unknown value: $(@grep@ -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | @cut@ -d: -f2-)"
+ 			fi
+
+ 			if [ "$kernel_ssbd_enabled" = 1 ]; then
+ 				_info_nol "* SSB mitigation currently active for selected processes: "
+ 				# silence grep's stderr here to avoid ENOENT errors from processes that have exited since the shell's expansion of the *
+-				mitigated_processes=$(find /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
+-					| xargs -r0 grep -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \
+-					| sed s/status/exe/ | xargs -r -n1 readlink -f 2>/dev/null | xargs -r -n1 basename | sort -u | tr "\n" " " | sed 's/ $//')
++				mitigated_processes=$(@find@ /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
++					| @xargs@ -r0 @grep@ -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \
++					| @sed@ s/status/exe/ | @xargs@ -r -n1 readlink -f 2>/dev/null | @xargs@ -r -n1 @basename@ | @sort@ -u | @tr@ "\n" " " | @sed@ 's/ $//')
+ 				if [ -n "$mitigated_processes" ]; then
+ 					pstatus green YES "$mitigated_processes"
+ 				else
+@@ -4715,7 +4715,7 @@ check_CVE_2018_3639_linux()
+ check_CVE_2018_3639_bsd()
+ {
+ 	_info_nol "* Kernel supports speculation store bypass: "
+-	if sysctl hw.spec_store_bypass_disable >/dev/null 2>&1; then
++	if @sysctl@ hw.spec_store_bypass_disable >/dev/null 2>&1; then
+ 		kernel_ssb=1
+ 		pstatus green YES
+ 	else
+@@ -4724,7 +4724,7 @@ check_CVE_2018_3639_bsd()
+ 	fi
+
+ 	_info_nol "* Speculation store bypass is administratively enabled: "
+-	ssb_enabled=$(sysctl -n hw.spec_store_bypass_disable 2>/dev/null)
++	ssb_enabled=$(@sysctl@ -n hw.spec_store_bypass_disable 2>/dev/null)
+ 	_debug "hw.spec_store_bypass_disable=$ssb_enabled"
+ 	case "$ssb_enabled" in
+ 		0) pstatus yellow NO "disabled";;
+@@ -4734,7 +4734,7 @@ check_CVE_2018_3639_bsd()
+ 	esac
+
+ 	_info_nol "* Speculation store bypass is currently active: "
+-	ssb_active=$(sysctl -n hw.spec_store_bypass_disable_active 2>/dev/null)
++	ssb_active=$(@sysctl@ -n hw.spec_store_bypass_disable_active 2>/dev/null)
+ 	_debug "hw.spec_store_bypass_disable_active=$ssb_active"
+ 	case "$ssb_active" in
+ 		1) pstatus green YES;;
+@@ -4806,7 +4806,7 @@ check_CVE_2018_3620()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2018_3620_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2018_3620_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -4824,14 +4824,14 @@ check_CVE_2018_3620_linux()
+ 	fi
+ 	if [ "$opt_sysfs_only" != 1 ]; then
+ 		_info_nol "* Kernel supports PTE inversion: "
+-		if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++		if ! command -v "@strings@" >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing 'strings' tool, please install it"
+ 			pteinv_supported=-1
+ 		elif [ -n "$kernel_err" ]; then
+ 			pstatus yellow UNKNOWN "$kernel_err"
+ 			pteinv_supported=-1
+ 		else
+-			if "${opt_arch_prefix}strings" "$kernel" | grep -Fq 'PTE Inversion'; then
++			if "@strings@" "$kernel" | @grep@ -Fq 'PTE Inversion'; then
+ 				pstatus green YES "found in kernel image"
+ 				_debug "pteinv: found pte inversion evidence in kernel image"
+ 				pteinv_supported=1
+@@ -4844,7 +4844,7 @@ check_CVE_2018_3620_linux()
+ 		_info_nol "* PTE inversion enabled and active: "
+ 		if [ "$opt_live" = 1 ]; then
+ 			if [ -n "$fullmsg" ]; then
+-				if echo "$fullmsg" | grep -q 'Mitigation: PTE Inversion'; then
++				if echo "$fullmsg" | @grep@ -q 'Mitigation: PTE Inversion'; then
+ 					pstatus green YES
+ 					pteinv_active=1
+ 				else
+@@ -4892,7 +4892,7 @@ check_CVE_2018_3620_bsd()
+ 	else
+ 		_debug "vmm module already loaded"
+ 	fi
+-	if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
++	if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
+ 		# https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
+ 		# this is very difficult to detect that the kernel reserved the 0 page, but this fix
+ 		# is part of the exact same patch than the other L1TF CVE, so we detect it
+@@ -4922,7 +4922,7 @@ check_CVE_2018_3646()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2018_3646_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2018_3646_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -4948,7 +4948,7 @@ check_CVE_2018_3646_linux()
+ 		if [ "$opt_live" = 1 ]; then
+ 			if ! [ -r /sys/module/kvm_intel/parameters/ept ]; then
+ 				pstatus blue N/A "the kvm_intel module is not loaded"
+-			elif [ "$(cat /sys/module/kvm_intel/parameters/ept)" = N ]; then
++			elif [ "$(@cat@ /sys/module/kvm_intel/parameters/ept)" = N ]; then
+ 				pstatus green YES
+ 				ept_disabled=1
+ 			else
+@@ -4960,15 +4960,15 @@ check_CVE_2018_3646_linux()
+
+ 		_info "* Mitigation 2"
+ 		_info_nol "  * L1D flush is supported by kernel: "
+-		if [ "$opt_live" = 1 ] && grep -qw flush_l1d "$procfs/cpuinfo"; then
++		if [ "$opt_live" = 1 ] && @grep@ -qw flush_l1d "$procfs/cpuinfo"; then
+ 			l1d_kernel="found flush_l1d in $procfs/cpuinfo"
+ 		fi
+ 		if [ -z "$l1d_kernel" ]; then
+-			if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++			if ! command -v "@strings@" >/dev/null 2>&1; then
+ 				l1d_kernel_err="missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
+ 			elif [ -n "$kernel_err" ]; then
+ 				l1d_kernel_err="$kernel_err"
+-			elif "${opt_arch_prefix}strings" "$kernel" | grep -qw flush_l1d; then
++			elif "@strings@" "$kernel" | @grep@ -qw flush_l1d; then
+ 				l1d_kernel='found flush_l1d in kernel image'
+ 			fi
+ 		fi
+@@ -4989,20 +4989,20 @@ check_CVE_2018_3646_linux()
+ 				# $l1dstatus is one of (auto|vulnerable|conditional cache flushes|cache flushes|EPT disabled|flush not necessary)
+ 				# $smtstatus is one of (vulnerable|disabled)
+ 				# can also just be "Not affected"
+-				if echo "$fullmsg" | grep -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then
++				if echo "$fullmsg" | @grep@ -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then
+ 					l1d_mode=0
+ 					pstatus yellow NO
+-				elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) conditional cache flushes'; then
++				elif echo "$fullmsg" | @grep@ -Eq '(VMX:|L1D) conditional cache flushes'; then
+ 					l1d_mode=1
+ 					pstatus green YES "conditional flushes"
+-				elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) cache flushes'; then
++				elif echo "$fullmsg" | @grep@ -Eq '(VMX:|L1D) cache flushes'; then
+ 					l1d_mode=2
+ 					pstatus green YES "unconditional flushes"
+ 				else
+ 					if is_xen_dom0; then
+-						l1d_xen_hardware=$(xl dmesg | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -1)
+-						l1d_xen_hypervisor=$(xl dmesg | grep 'Xen settings:' | grep 'L1D_FLUSH' | head -1)
+-						l1d_xen_pv_domU=$(xl dmesg | grep 'PV L1TF shadowing:' | grep 'DomU enabled' | head -1)
++						l1d_xen_hardware=$(xl @dmesg@ | @grep@ 'Hardware features:' | @grep@ 'L1D_FLUSH' | @head@ -1)
++						l1d_xen_hypervisor=$(xl @dmesg@ | @grep@ 'Xen settings:' | @grep@ 'L1D_FLUSH' | @head@ -1)
++						l1d_xen_pv_domU=$(xl @dmesg@ | @grep@ 'PV L1TF shadowing:' | @grep@ 'DomU enabled' | @head@ -1)
+
+ 						if [ -n "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n "$l1d_xen_pv_domU" ]; then
+ 							l1d_mode=5
+@@ -5033,7 +5033,7 @@ check_CVE_2018_3646_linux()
+
+ 		_info_nol "  * Hardware-backed L1D flush supported: "
+ 		if [ "$opt_live" = 1 ]; then
+-			if grep -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then
++			if @grep@ -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then
+ 				pstatus green YES "performance impact of the mitigation will be greatly reduced"
+ 			else
+ 				pstatus blue NO "flush will be done in software, this is slower"
+@@ -5105,7 +5105,7 @@ check_CVE_2018_3646_linux()
+ check_CVE_2018_3646_bsd()
+ {
+ 	_info_nol "* Kernel supports L1D flushing: "
+-	if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
++	if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
+ 		pstatus green YES
+ 		kernel_l1d_supported=1
+ 	else
+@@ -5114,7 +5114,7 @@ check_CVE_2018_3646_bsd()
+ 	fi
+
+ 	_info_nol "* L1D flushing is enabled: "
+-	kernel_l1d_enabled=$(sysctl -n hw.vmm.vmx.l1d_flush 2>/dev/null)
++	kernel_l1d_enabled=$(@sysctl@ -n hw.vmm.vmx.l1d_flush 2>/dev/null)
+ 	case "$kernel_l1d_enabled" in
+ 		0) pstatus yellow NO;;
+ 		1) pstatus green YES;;
+@@ -5168,7 +5168,7 @@ check_CVE_2018_12127()
+ ###################
+ # MDSUM SECTION
+
+-# Microarchitectural Data Sampling Uncacheable Memory
++# Microarchitectural Data Sampling Uncacheable Memory
+ check_CVE_2019_11091()
+ {
+ 	cve='CVE-2019-11091'
+@@ -5182,7 +5182,7 @@ check_mds()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_mds_linux "$cve"
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_mds_bsd "$cve"
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -5193,7 +5193,7 @@ check_mds_bsd()
+ {
+ 	_info_nol "* Kernel supports using MD_CLEAR mitigation: "
+ 	if [ "$opt_live" = 1 ]; then
+-		if sysctl hw.mds_disable >/dev/null 2>&1; then
++		if @sysctl@ hw.mds_disable >/dev/null 2>&1; then
+ 			pstatus green YES
+ 			kernel_md_clear=1
+ 		else
+@@ -5201,7 +5201,7 @@ check_mds_bsd()
+ 			kernel_md_clear=0
+ 		fi
+ 	else
+-		if grep -Fq hw.mds_disable $opt_kernel; then
++		if @grep@ -Fq hw.mds_disable $opt_kernel; then
+ 			pstatus green YES
+ 			kernel_md_clear=1
+ 		else
+@@ -5211,8 +5211,8 @@ check_mds_bsd()
+ 	fi
+
+ 	_info_nol "* CPU Hyper-Threading (SMT) is disabled: "
+-	if sysctl machdep.hyperthreading_allowed >/dev/null 2>&1; then
+-		kernel_smt_allowed=$(sysctl -n machdep.hyperthreading_allowed 2>/dev/null)
++	if @sysctl@ machdep.hyperthreading_allowed >/dev/null 2>&1; then
++		kernel_smt_allowed=$(@sysctl@ -n machdep.hyperthreading_allowed 2>/dev/null)
+ 		if [ "$kernel_smt_allowed" = 1 ]; then
+ 			pstatus yellow NO
+ 		else
+@@ -5224,7 +5224,7 @@ check_mds_bsd()
+
+ 	_info_nol "* Kernel mitigation is enabled: "
+ 	if [ "$kernel_md_clear" = 1 ]; then
+-		kernel_mds_enabled=$(sysctl -n hw.mds_disable 2>/dev/null)
++		kernel_mds_enabled=$(@sysctl@ -n hw.mds_disable 2>/dev/null)
+ 	else
+ 		kernel_mds_enabled=0
+ 	fi
+@@ -5238,7 +5238,7 @@ check_mds_bsd()
+
+ 	_info_nol "* Kernel mitigation is active: "
+ 	if [ "$kernel_md_clear" = 1 ]; then
+-		kernel_mds_state=$(sysctl -n hw.mds_disable_state 2>/dev/null)
++		kernel_mds_state=$(@sysctl@ -n hw.mds_disable_state 2>/dev/null)
+ 	else
+ 		kernel_mds_state=inactive
+ 	fi
+@@ -5296,16 +5296,16 @@ check_mds_linux()
+ 		_info_nol "* Kernel supports using MD_CLEAR mitigation: "
+ 		kernel_md_clear=''
+ 		kernel_md_clear_can_tell=1
+-		if [ "$opt_live" = 1 ] && grep ^flags "$procfs/cpuinfo" | grep -qw md_clear; then
++		if [ "$opt_live" = 1 ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw md_clear; then
+ 			kernel_md_clear="md_clear found in $procfs/cpuinfo"
+ 			pstatus green YES "$kernel_md_clear"
+ 		fi
+ 		if [ -z "$kernel_md_clear" ]; then
+-			if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++			if ! command -v "@strings@" >/dev/null 2>&1; then
+ 				kernel_md_clear_can_tell=0
+ 			elif [ -n "$kernel_err" ]; then
+ 				kernel_md_clear_can_tell=0
+-			elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'Clear CPU buffers'; then
++			elif "@strings@" "$kernel" | @grep@ -q 'Clear CPU buffers'; then
+ 				_debug "md_clear: found 'Clear CPU buffers' string in kernel image"
+ 				kernel_md_clear='found md_clear implementation evidence in kernel image'
+ 				pstatus green YES "$kernel_md_clear"
+@@ -5321,7 +5321,7 @@ check_mds_linux()
+
+ 		if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then
+ 			_info_nol "* Kernel mitigation is enabled and active: "
+-			if echo "$fullmsg" | grep -qi ^mitigation; then
++			if echo "$fullmsg" | @grep@ -qi ^mitigation; then
+ 				mds_mitigated=1
+ 				pstatus green YES
+ 			else
+@@ -5329,7 +5329,7 @@ check_mds_linux()
+ 				pstatus yellow NO
+ 			fi
+ 			_info_nol "* SMT is either mitigated or disabled: "
+-			if echo "$fullmsg" | grep -Eq 'SMT (disabled|mitigated)'; then
++			if echo "$fullmsg" | @grep@ -Eq 'SMT (disabled|mitigated)'; then
+ 				mds_smt_mitigated=1
+ 				pstatus green YES
+ 			else
+@@ -5415,7 +5415,7 @@ check_CVE_2019_11135()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2019_11135_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2019_11135_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -5436,7 +5436,7 @@ check_CVE_2019_11135_linux()
+ 		kernel_taa=''
+ 		if [ -n "$kernel_err" ]; then
+ 			kernel_taa_err="$kernel_err"
+-		elif grep -q 'tsx_async_abort' "$kernel"; then
++		elif @grep@ -q 'tsx_async_abort' "$kernel"; then
+ 			kernel_taa="found tsx_async_abort in kernel image"
+ 		fi
+ 		if [ -n "$kernel_taa" ]; then
+@@ -5450,7 +5450,7 @@ check_CVE_2019_11135_linux()
+ 		_info_nol "* TAA mitigation enabled and active: "
+ 		if [ "$opt_live" = 1 ]; then
+ 			if [ -n "$fullmsg" ]; then
+-				if echo "$fullmsg" | grep -qE '^Mitigation'; then
++				if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then
+ 					pstatus green YES "$fullmsg"
+ 				else
+ 					pstatus yellow NO
+@@ -5485,9 +5485,9 @@ check_CVE_2019_11135_linux()
+ 	else
+ 		if [ "$opt_paranoid" = 1 ]; then
+ 			# in paranoid mode, TSX or SMT enabled are not OK, even if TAA is mitigated
+-			if ! echo "$fullmsg" | grep -qF 'TSX disabled'; then
++			if ! echo "$fullmsg" | @grep@ -qF 'TSX disabled'; then
+ 				pvulnstatus $cve VULN "TSX must be disabled for full mitigation"
+-			elif echo "$fullmsg" | grep -qF 'SMT vulnerable'; then
++			elif echo "$fullmsg" | @grep@ -qF 'SMT vulnerable'; then
+ 				pvulnstatus $cve VULN "SMT (HyperThreading) must be disabled for full mitigation"
+ 			else
+ 				pvulnstatus $cve "$status" "$msg"
+@@ -5517,7 +5517,7 @@ check_CVE_2018_12207()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2018_12207_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2018_12207_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -5541,7 +5541,7 @@ check_CVE_2018_12207_linux()
+ 		if [ -n "$kernel_err" ]; then
+ 			kernel_itlbmh_err="$kernel_err"
+ 		# commit 5219505fcbb640e273a0d51c19c38de0100ec5a9
+-		elif grep -q 'itlb_multihit' "$kernel"; then
++		elif @grep@ -q 'itlb_multihit' "$kernel"; then
+ 			kernel_itlbmh="found itlb_multihit in kernel image"
+ 		fi
+ 		if [ -n "$kernel_itlbmh" ]; then
+@@ -5555,7 +5555,7 @@ check_CVE_2018_12207_linux()
+ 		_info_nol "* iTLB Multihit mitigation enabled and active: "
+ 		if [ "$opt_live" = 1 ]; then
+ 			if [ -n "$fullmsg" ]; then
+-				if echo "$fullmsg" | grep -qF 'Mitigation'; then
++				if echo "$fullmsg" | @grep@ -qF 'Mitigation'; then
+ 					pstatus green YES "$fullmsg"
+ 				else
+ 					pstatus yellow NO
+@@ -5597,7 +5597,7 @@ check_CVE_2018_12207_linux()
+ check_CVE_2018_12207_bsd()
+ {
+ 	_info_nol "* Kernel supports disabling superpages for executable mappings under EPT: "
+-	kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept 2>/dev/null)
++	kernel_2m_x_ept=$(@sysctl@ -n vm.pmap.allow_2m_x_ept 2>/dev/null)
+ 	if [ -z "$kernel_2m_x_ept" ]; then
+ 		pstatus yellow NO
+ 	else
+@@ -5634,7 +5634,7 @@ check_CVE_2020_0543()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2020_0543_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2020_0543_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -5655,7 +5655,7 @@ check_CVE_2020_0543_linux()
+ 		kernel_srbds=''
+ 		if [ -n "$kernel_err" ]; then
+ 			kernel_srbds_err="$kernel_err"
+-		elif grep -q 'Dependent on hypervisor' "$kernel"; then
++		elif @grep@ -q 'Dependent on hypervisor' "$kernel"; then
+ 			kernel_srbds="found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation"
+ 		fi
+ 		if [ -n "$kernel_srbds" ]; then
+@@ -5668,7 +5668,7 @@ check_CVE_2020_0543_linux()
+ 		_info_nol "* SRBDS mitigation control is enabled and active: "
+ 		if [ "$opt_live" = 1 ]; then
+ 			if [ -n "$fullmsg" ]; then
+-				if echo "$fullmsg" | grep -qE '^Mitigation'; then
++				if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then
+ 					pstatus green YES "$fullmsg"
+ 				else
+ 					pstatus yellow NO
+@@ -5758,8 +5758,8 @@ fi
+ # now run the checks the user asked for
+ for cve in $supported_cve_list
+ do
+-	if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | grep -qw "$cve"; then
+-		check_"$(echo "$cve" | tr - _)"
++	if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | @grep@ -qw "$cve"; then
++		check_"$(echo "$cve" | @tr@ - _)"
+ 		_info
+ 	fi
+ done
+@@ -5773,17 +5773,17 @@ if [ "$bad_accuracy" = 1 ]; then
+ 	_warn "We're missing some kernel info (see -v), accuracy might be reduced"
+ fi
+
+-_vars=$(set | grep -Ev '^[A-Z_[:space:]]' | grep -v -F 'mockme=' | sort | tr "\n" '|')
++_vars=$(set | @grep@ -Ev '^[A-Z_[:space:]]' | @grep@ -v -F 'mockme=' | @sort@ | @tr@ "\n" '|')
+ _debug "variables at end of script: $_vars"
+
+ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
+-	if command -v "gzip" >/dev/null 2>&1; then
++	if command -v "@gzip@" >/dev/null 2>&1; then
+ 		# not a useless use of cat: gzipping cpuinfo directly doesn't work well
+ 		# shellcheck disable=SC2002
+-		if command -v "base64" >/dev/null 2>&1; then
+-			mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | base64 -w0)"
+-		elif command -v "uuencode" >/dev/null 2>&1; then
+-			mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | uuencode -m - | grep -Fv 'begin-base64' | grep -Fxv -- '====' | tr -d "\n")"
++		if command -v "@base64@" >/dev/null 2>&1; then
++			mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @base64@ -w0)"
++		elif command -v "@uuencode@" >/dev/null 2>&1; then
++			mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @uuencode@ -m - | @grep@ -Fv 'begin-base64' | @grep@ -Fxv -- '====' | @tr@ -d "\n")"
+ 		fi
+ 	fi
+ 	if [ -n "$mock_cpuinfo" ]; then
+@@ -5792,7 +5792,7 @@ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
+ 	fi
+ 	_info ""
+ 	# shellcheck disable=SC2046
+-	_warn "To mock this CPU, set those vars: "$(echo "$mockme" | sort -u)
++	_warn "To mock this CPU, set those vars: "$(echo "$mockme" | @sort@ -u)
+ fi
+
+ if [ "$opt_explain" = 0 ]; then
+--
+2.38.1
+
diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
new file mode 100644
index 0000000000..afec52b418
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
@@ -0,0 +1,26 @@
+From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 5 Nov 2022 23:22:31 +0800
+Subject: [PATCH] Add support for Guix System kernel.
+
+---
+ spectre-meltdown-checker.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 248a444..855a090 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
+ 		[ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
+ 		# NixOS:
+ 		[ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
++		# Guix System:
++		[ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ 		# systemd kernel-install:
+ 		[ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
+ 		# Clear Linux:
+
+base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
+--
+2.38.0

base-commit: 2757de2e2b271d87f6f72ba4161c2225fbdc9e78
--
2.38.1




^ permalink raw reply related	[flat|nested] 12+ messages in thread

* [bug#59053] [PATCH v3] gnu: Add spectre-meltdown-checker.
  2022-11-12 12:14       ` [bug#59053] [PATCH v3] " Hilton Chain via Guix-patches via
@ 2022-11-12 12:28         ` Liliana Marie Prikler
  2022-11-12 12:50           ` Hilton Chain via Guix-patches via
  0 siblings, 1 reply; 12+ messages in thread
From: Liliana Marie Prikler @ 2022-11-12 12:28 UTC (permalink / raw)
  To: Hilton Chain; +Cc: 59053

Am Samstag, dem 12.11.2022 um 20:14 +0800 schrieb Hilton Chain:
> 1. Use curl as default downloader (It seems that wget doesn't work
> out of the box for TLS?).
Uhm, what exactly is the checker downloading that it needs wget or curl
for?




^ permalink raw reply	[flat|nested] 12+ messages in thread

* [bug#59053] [PATCH v3] gnu: Add spectre-meltdown-checker.
  2022-11-12 12:28         ` Liliana Marie Prikler
@ 2022-11-12 12:50           ` Hilton Chain via Guix-patches via
  2022-11-12 13:40             ` Liliana Marie Prikler
  0 siblings, 1 reply; 12+ messages in thread
From: Hilton Chain via Guix-patches via @ 2022-11-12 12:50 UTC (permalink / raw)
  To: Liliana Marie Prikler; +Cc: 59053

On Sat, 12 Nov 2022 20:28:58 +0800,
Liliana Marie Prikler wrote:
> Uhm, what exactly is the checker downloading that it needs wget or curl
> for?
With option "--update-fwdb", the checker fetches source files and builds the firmware database.




^ permalink raw reply	[flat|nested] 12+ messages in thread

* [bug#59053] [PATCH v3] gnu: Add spectre-meltdown-checker.
  2022-11-12 12:50           ` Hilton Chain via Guix-patches via
@ 2022-11-12 13:40             ` Liliana Marie Prikler
  2022-11-12 15:15               ` [bug#59053] [PATCH v4] " Hilton Chain via Guix-patches via
  0 siblings, 1 reply; 12+ messages in thread
From: Liliana Marie Prikler @ 2022-11-12 13:40 UTC (permalink / raw)
  To: Hilton Chain; +Cc: 59053

Am Samstag, dem 12.11.2022 um 20:50 +0800 schrieb Hilton Chain:
> On Sat, 12 Nov 2022 20:28:58 +0800,
> Liliana Marie Prikler wrote:
> > Uhm, what exactly is the checker downloading that it needs wget or
> > curl for?
> With option "--update-fwdb", the checker fetches source files and
> builds the firmware database.
You mean proprietary firmware?




^ permalink raw reply	[flat|nested] 12+ messages in thread

* [bug#59053] [PATCH v4] gnu: Add spectre-meltdown-checker.
  2022-11-12 13:40             ` Liliana Marie Prikler
@ 2022-11-12 15:15               ` Hilton Chain via Guix-patches via
  2022-11-12 16:58                 ` Liliana Marie Prikler
  0 siblings, 1 reply; 12+ messages in thread
From: Hilton Chain via Guix-patches via @ 2022-11-12 15:15 UTC (permalink / raw)
  To: Liliana Marie Prikler; +Cc: 59053

* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
v3 -> v4:
1. Remove downloading function.
2. Add option for supplying a local database.

 gnu/local.mk                                  |    3 +
 gnu/packages/linux.scm                        |   54 +
 ...ker-remove-builtin-firmware-database.patch |  243 +++
 ...cker-stage-commands-for-substitution.patch | 1849 +++++++++++++++++
 ...n-checker-support-guix-system-kernel.patch |   26 +
 5 files changed, 2175 insertions(+)
 create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
 create mode 100644 gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
 create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index e3e02314bb..46b299d0d6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1857,6 +1857,9 @@ dist_patch_DATA =						\
   %D%/packages/patches/syslinux-strip-gnu-property.patch	\
   %D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch	\
   %D%/packages/patches/snappy-add-inline-for-GCC.patch		\
+  %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \
+  %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch \
+  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
   %D%/packages/patches/sphinxbase-fix-doxygen.patch		\
   %D%/packages/patches/spice-vdagent-glib-2.68.patch		\
   %D%/packages/patches/sssd-optional-systemd.patch		\
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index fea33dfa0b..1807fd5655 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9595,3 +9595,57 @@ (define-public edac-utils
 error detection and correction (EDAC).")
     (home-page "https://github.com/grondo/edac-utils")
     (license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+  (package
+    (name "spectre-meltdown-checker")
+    (version "0.45")
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "https://github.com/speed47/spectre-meltdown-checker")
+                    (commit (string-append "v" version))))
+              (file-name (git-file-name name version))
+              (patches
+               (search-patches
+                ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+                "spectre-meltdown-checker-support-guix-system-kernel.patch"
+                ;; NOTE: Update these patches when updating.
+                "spectre-meltdown-checker-remove-builtin-firmware-database.patch"
+                "spectre-meltdown-checker-stage-commands-for-substitution.patch"))
+              ;; Remove builtin firmware database.
+              (modules '((guix build utils)))
+              (snippet '(substitute* "spectre-meltdown-checker.sh"
+                          (("^# [AI],.*") "")))
+              (sha256
+               (base32
+                "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+    (build-system copy-build-system)
+    (arguments
+     (list #:install-plan
+           #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+           #:phases
+           #~(modify-phases %standard-phases
+               (add-after 'unpack 'fixpath
+                 (lambda* (#:key inputs #:allow-other-keys)
+                   (substitute* "spectre-meltdown-checker.sh"
+                     (("@sysctl@") (search-input-file inputs "/sbin/sysctl"))
+                     (("@([a-z0-9]*)@" _ command _)
+                      (search-input-file
+                       inputs (string-append "/bin/" command)))))))))
+    (inputs
+     (list kmod
+           lz4
+           lzop
+           perl
+           procps
+           sharutils
+           util-linux
+           zstd))
+    (home-page "https://github.com/speed47/spectre-meltdown-checker")
+    (synopsis "CPU vulnerability / mitigation checker")
+    (description
+     "This package provides a shell script to assess your system's resilience
+against the several transient execution CVEs that were published since early
+2018, and give you guidance as to how to mitigate them.")
+    (license license:gpl3)))
diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
new file mode 100644
index 0000000000..888bb0c2b1
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
@@ -0,0 +1,243 @@
+From a3a9b7ca93071393e6bfd999fedd737009718aab Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 12 Nov 2022 22:45:24 +0800
+Subject: [PATCH 1/2] Remove builtin firmware database.
+
+1. Remove downloading function.
+2. Add option for supplying a local database.
+---
+ spectre-meltdown-checker.sh | 180 +++---------------------------------
+ 1 file changed, 15 insertions(+), 165 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 30f760c..ce46970 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -22,8 +22,6 @@ exit_cleanup()
+ 	[ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
+ 	[ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && rm -f "$kerneltmp"
+ 	[ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] && rm -f "$kerneltmp2"
+-	[ -n "${mcedb_tmp:-}"     ] && [ -f "$mcedb_tmp"     ] && rm -f "$mcedb_tmp"
+-	[ -n "${intel_tmp:-}"     ] && [ -d "$intel_tmp"     ] && rm -rf "$intel_tmp"
+ 	[ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
+ 	[ "${mounted_procfs:-}"  = 1 ] && umount "$procfs" 2>/dev/null
+ 	[ "${insmod_cpuid:-}"    = 1 ] && rmmod cpuid 2>/dev/null
+@@ -93,9 +91,7 @@ show_usage()
+ 		--vmm [auto,yes,no]	override the detection of the presence of a hypervisor, default: auto
+ 		--allow-msr-write	allow probing for write-only MSRs, this might produce kernel logs or be blocked by your system
+ 		--cpu [#,all]		interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
+-		--update-fwdb		update our local copy of the CPU microcodes versions database (using the awesome
+-					MCExtractor project and the Intel firmwares GitHub repository)
+-		--update-builtin-fwdb	same as --update-fwdb but update builtin DB inside the script itself
++		--with-fwdb FILE	supply the CPU microcodes versions database
+ 		--dump-mock-data	used to mimick a CPU on an other system, mainly used to help debugging this script
+
+ 	Return codes:
+@@ -837,147 +833,6 @@ show_header()
+ 	_info
+ }
+
+-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
+-mcedb_cache="$HOME/.mcedb"
+-update_fwdb()
+-{
+-	show_header
+-
+-	set -e
+-
+-	if [ -r "$mcedb_cache" ]; then
+-		previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+-	fi
+-
+-	# first, download the MCE.db from the excellent platomav's MCExtractor project
+-	mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
+-	mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+-	_info_nol "Fetching MCE.db from the MCExtractor project... "
+-	if command -v wget >/dev/null 2>&1; then
+-		wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+-	elif command -v curl >/dev/null 2>&1; then
+-		curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+-	elif command -v fetch >/dev/null 2>&1; then
+-		fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+-	else
+-		echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
+-		return 1
+-	fi
+-	if [ "$ret" != 0 ]; then
+-		echo ERROR "error $ret while downloading MCE.db"
+-		return $ret
+-	fi
+-	echo DONE
+-
+-	# second, get the Intel firmwares from GitHub
+-	intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
+-	intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+-	_info_nol "Fetching Intel firmwares... "
+-	## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+-	if command -v wget >/dev/null 2>&1; then
+-		wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+-	elif command -v curl >/dev/null 2>&1; then
+-		curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+-	elif command -v fetch >/dev/null 2>&1; then
+-		fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+-	else
+-		echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
+-		return 1
+-	fi
+-	if [ "$ret" != 0 ]; then
+-		echo ERROR "error $ret while downloading Intel firmwares"
+-		return $ret
+-	fi
+-	echo DONE
+-
+-	# now extract MCEdb contents using sqlite
+-	_info_nol "Extracting MCEdb data... "
+-	if ! command -v sqlite3 >/dev/null 2>&1; then
+-		echo ERROR "please install the \`sqlite3\` program"
+-		return 1
+-	fi
+-	mcedb_revision=$(sqlite3 "$mcedb_tmp" "select revision from MCE")
+-	if [ -z "$mcedb_revision" ]; then
+-		echo ERROR "downloaded file seems invalid"
+-		return 1
+-	fi
+-	sqlite3 "$mcedb_tmp" "alter table Intel add column origin text"
+-	sqlite3 "$mcedb_tmp" "update Intel set origin='mce'"
+-
+-	echo OK "MCExtractor database revision $mcedb_revision"
+-
+-	# parse Intel firmwares to get their versions
+-	_info_nol "Integrating Intel firmwares data to db... "
+-	if ! command -v unzip >/dev/null 2>&1; then
+-		echo ERROR "please install the \`unzip\` program"
+-		return 1
+-	fi
+-	( cd "$intel_tmp" && unzip fw.zip >/dev/null; )
+-	if ! [ -d "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" ]; then
+-		echo ERROR "expected the 'intel-ucode' folder in the downloaded zip file"
+-		return 1
+-	fi
+-
+-	if ! command -v iucode_tool >/dev/null 2>&1; then
+-		if ! command -v iucode-tool >/dev/null 2>&1; then
+-			echo ERROR "please install the \`iucode-tool\` program"
+-			return 1
+-		else
+-			iucode_tool="iucode-tool"
+-		fi
+-	else
+-		iucode_tool="iucode_tool"
+-	fi
+-	#  079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev 0x0217, size 5120
+-	#  078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev 0x0107, size 5120
+-	$iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
+-	do
+-		_line=$(   echo "$_line" | tr -d ',')
+-		_cpuid=$(  echo "$_line" | awk '{print $3}')
+-		_cpuid=$(( _cpuid ))
+-		_cpuid=$(printf "0x%08X" "$_cpuid")
+-		_date=$(   echo "$_line" | awk '{print $6}' | tr -d '-')
+-		_version=$(echo "$_line" | awk '{print $8}')
+-		_version=$(( _version ))
+-		_version=$(printf "0x%08X" "$_version")
+-		_sqlstm="$(printf "INSERT INTO Intel (origin,cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")"
+-		sqlite3 "$mcedb_tmp" "$_sqlstm"
+-	done
+-	_intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
+-	if [ -n "$_intel_timestamp" ]; then
+-		# use this date, it matches the last commit date
+-		_intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp")
+-	else
+-		echo "Falling back to the latest microcode date"
+-		_intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT yyyymmdd from Intel WHERE origin = 'intel' ORDER BY yyyymmdd DESC LIMIT 1;")
+-	fi
+-	echo DONE "(version $_intel_latest_date)"
+-
+-	dbversion="$mcedb_revision+i$_intel_latest_date"
+-
+-	if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [ "$previous_dbversion" = "v$dbversion" ]; then
+-		echo "We already have this version locally, no update needed"
+-		return 0
+-	fi
+-
+-	_info_nol "Building local database... "
+-	{
+-		echo "# Spectre & Meltdown Checker";
+-		echo "# %%% MCEDB v$dbversion";
+-		sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+-		sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD   AS t1 LEFT OUTER JOIN AMD   AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+-	} > "$mcedb_cache"
+-	echo DONE "(version $dbversion)"
+-
+-	if [ "$1" = builtin ]; then
+-		newfile=$(mktemp -t smc-builtin-XXXXXX)
+-		awk '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+-		awk '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+-		cat "$newfile" > "$0"
+-		rm -f "$newfile"
+-	fi
+-}
+-
+ parse_opt_file()
+ {
+ 	# parse_opt_file option_name option_value
+@@ -1067,12 +922,15 @@ while [ -n "${1:-}" ]; do
+ 		# deprecated, kept for compatibility
+ 		opt_explain=0
+ 		shift
+-	elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then
+-		update_fwdb
+-		exit $?
+-	elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
+-		update_fwdb builtin
+-		exit $?
++	elif [ "$1" = "--with-fwdb" ] || [ "$1" = "--with-mcedb" ]; then
++	        opt_fwdb=$2
++		if [ -f "$opt_fwdb" ]; then
++		        mcedb_cache=$2
++		else
++		        echo "$0: error: --with-fwdb should be a file, got '$opt_fwdb'" >&2
++		        exit 255
++		fi
++		shift 2
+ 	elif [ "$1" = "--dump-mock-data" ]; then
+ 		opt_mock=1
+ 		shift
+@@ -2033,21 +1891,11 @@ is_xen_domU()
+ 	fi
+ }
+
+-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ 	# we have a local cache file, but it might be older than the builtin version we have
+ 	local_dbversion=$(  awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+-	# sort -V sorts by version number
+-	older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | sort -V | head -n1)
+-	if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+-		mcedb_source="$mcedb_cache"
+-		mcedb_info="local firmwares DB $local_dbversion"
+-	fi
+-fi
+-# if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db
+-if [ -z "${mcedb_source:-}" ]; then
+-	mcedb_source="$0"
+-	mcedb_info="builtin firmwares DB $builtin_dbversion"
++	mcedb_source="$mcedb_cache"
++	mcedb_info="local firmwares DB $local_dbversion"
+ fi
+ read_mcedb()
+ {
+@@ -2063,7 +1911,9 @@ is_latest_known_ucode()
+ 		return 2
+ 	fi
+ 	ucode_latest="latest microcode version for your CPU model is unknown"
+-	if is_intel; then
++	if [ -z "$mcedb_source" ]; then
++	        return 2
++	elif is_intel; then
+ 		cpu_brand_prefix=I
+ 	elif is_amd; then
+ 		cpu_brand_prefix=A
+--
+2.38.1
+
diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
new file mode 100644
index 0000000000..a8e7531f32
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
@@ -0,0 +1,1849 @@
+From 1d79c223d5dc114f63da2c5061d2c713d8a05687 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Fri, 11 Nov 2022 18:49:50 +0800
+Subject: [PATCH 2/2] Stage commands for later substitution.
+
+awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find, grep,
+gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm, nproc,
+objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat, strings,
+sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, xargs.
+---
+ spectre-meltdown-checker.sh | 606 ++++++++++++++++++------------------
+ 1 file changed, 303 insertions(+), 303 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index ce46970..4889ebb 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -19,31 +19,31 @@ trap '_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT
+ exit_cleanup()
+ {
+ 	# cleanup the temp decompressed config & kernel image
+-	[ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
+-	[ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && rm -f "$kerneltmp"
+-	[ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] && rm -f "$kerneltmp2"
+-	[ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
+-	[ "${mounted_procfs:-}"  = 1 ] && umount "$procfs" 2>/dev/null
+-	[ "${insmod_cpuid:-}"    = 1 ] && rmmod cpuid 2>/dev/null
+-	[ "${insmod_msr:-}"      = 1 ] && rmmod msr 2>/dev/null
++	[ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && @rm@ -f "$dumped_config"
++	[ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && @rm@ -f "$kerneltmp"
++	[ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] && @rm@ -f "$kerneltmp2"
++	[ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug 2>/dev/null
++	[ "${mounted_procfs:-}"  = 1 ] && @umount@ "$procfs" 2>/dev/null
++	[ "${insmod_cpuid:-}"    = 1 ] && @rmmod@ cpuid 2>/dev/null
++	[ "${insmod_msr:-}"      = 1 ] && @rmmod@ msr 2>/dev/null
+ 	[ "${kldload_cpuctl:-}"  = 1 ] && kldunload cpuctl 2>/dev/null
+ 	[ "${kldload_vmm:-}"     = 1 ] && kldunload vmm    2>/dev/null
+ }
+
+ # if we were git clone'd, adjust VERSION
+-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then
+-	describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null)
+-	[ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e s/^v//)
++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null 2>&1; then
++	describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty 2>/dev/null)
++	[ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e s/^v//)
+ fi
+
+ show_usage()
+ {
+ 	# shellcheck disable=SC2086
+-	cat <<EOF
++	@cat@ <<EOF
+ 	Usage:
+-		Live mode (auto):   $(basename $0) [options]
+-		Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
+-		Offline mode:       $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
++		Live mode (auto):   $(@basename@ $0) [options]
++		Live mode (manual): $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
++		Offline mode:       $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
+
+ 	Modes:
+ 		Two modes are available.
+@@ -106,7 +106,7 @@ EOF
+
+ show_disclaimer()
+ {
+-	cat <<EOF
++	@cat@ <<EOF
+ Disclaimer:
+
+ This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the
+@@ -134,7 +134,7 @@ This tool has been released in the hope that it'll be useful, but don't use it t
+ EOF
+ }
+
+-os=$(uname -s)
++os=$(@uname@ -s)
+
+ # parse options
+ opt_kernel=''
+@@ -203,7 +203,7 @@ __echo()
+ 			_interpret_chars='-e'
+ 		fi
+ 		_ctrlchar=$($echo_cmd $_interpret_chars "\033")
+-		_msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
++		_msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
+ 	fi
+ 	if [ "$echo_cmd_type" = printf ]; then
+ 		if [ "$opt" = "-n" ]; then
+@@ -379,7 +379,7 @@ is_cpu_affected()
+ 		# https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not affected
+ 		# https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown affected
+ 		# model name : Pentium(R) Dual-Core  CPU      E5200  @ 2.50GHz
+-		if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
++		if echo "$cpu_friendly_name" | @grep@ -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
+ 			variant1=vuln
+ 			[ -z "$variant2" ] && variant2=immune
+ 			variant3=vuln
+@@ -482,7 +482,7 @@ is_cpu_affected()
+ 			i=$(( i + 1 ))
+ 			# do NOT quote $cpu_arch_list below
+ 			# shellcheck disable=SC2086
+-			cpuarch=$(echo $cpu_arch_list | awk '{ print $'$i' }')
++			cpuarch=$(echo $cpu_arch_list | @awk@ '{ print $'$i' }')
+ 			_debug "checking cpu$i: <$cpupart> <$cpuarch>"
+ 			# some kernels report AArch64 instead of 8
+ 			[ "$cpuarch" = "AArch64" ] && cpuarch=8
+@@ -493,49 +493,49 @@ is_cpu_affected()
+ 				# part   ?  ? c08 c09 c0d c0f c0e d07 d08 d09 d0a d0b d0c         d0d
+ 				# arch  7? 7? 7   7   7   7   7   8   8   8   8   8   8           8
+ 				#
+-				# Whitelist identified non-affected processors, use vulnerability information from
++				# Whitelist identified non-affected processors, use vulnerability information from
+ 				# https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
+ 				# Partnumbers can be found here:
+ 				# https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in
+ 				#
+ 				# Maintain cumulative check of vulnerabilities -
+ 				# if at least one of the cpu is affected, then the system is affected
+-				if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
++				if [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
+ 					variant1=vuln
+ 					variant2=vuln
+ 					[ -z "$variant3" ] && variant3=immune
+ 					[ -z "$variant3a" ] && variant3a=immune
+ 					[ -z "$variant4" ] && variant4=immune
+ 					_debug "checking cpu$i: armv7 A8/A9/A12/A17 non affected to variants 3, 3a & 4"
+-				elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc0f; then
++				elif [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc0f; then
+ 					variant1=vuln
+ 					variant2=vuln
+ 					[ -z "$variant3" ] && variant3=immune
+ 					variant3a=vuln
+ 					[ -z "$variant4" ] && variant4=immune
+ 					_debug "checking cpu$i: armv7 A15 non affected to variants 3 & 4"
+-				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then
++				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd07 -e 0xd08; then
+ 					variant1=vuln
+ 					variant2=vuln
+ 					[ -z "$variant3" ] && variant3=immune
+ 					variant3a=vuln
+ 					variant4=vuln
+ 					_debug "checking cpu$i: armv8 A57/A72 non affected to variants 3"
+-				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd09; then
++				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd09; then
+ 					variant1=vuln
+ 					variant2=vuln
+ 					[ -z "$variant3" ] && variant3=immune
+ 					[ -z "$variant3a" ] && variant3a=immune
+ 					variant4=vuln
+ 					_debug "checking cpu$i: armv8 A73 non affected to variants 3 & 3a"
+-				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0a; then
++				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0a; then
+ 					variant1=vuln
+ 					variant2=vuln
+ 					variant3=vuln
+ 					[ -z "$variant3a" ] && variant3a=immune
+ 					variant4=vuln
+ 					_debug "checking cpu$i: armv8 A75 non affected to variant 3a"
+-				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
++				elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
+ 					variant1=vuln
+ 					[ -z "$variant2" ] && variant2=immune
+ 					[ -z "$variant3" ] && variant3=immune
+@@ -816,7 +816,7 @@ is_cpu_ssb_free()
+ 		if [ "$cpu_family" = "18" ] || \
+ 			[ "$cpu_family" = "17" ] || \
+ 			[ "$cpu_family" = "16" ] || \
+-			[ "$cpu_family" = "15" ]; then
++			[ "$cpu_family" = "15" ]; then
+ 			return 0
+ 		fi
+ 	fi
+@@ -910,7 +910,7 @@ while [ -n "${1:-}" ]; do
+ 	elif [ "$1" = "--cpu" ]; then
+ 		opt_cpu=$2
+ 		if [ "$opt_cpu" != all ]; then
+-			if echo "$opt_cpu" | grep -Eq '^[0-9]+'; then
++			if echo "$opt_cpu" | @grep@ -Eq '^[0-9]+'; then
+ 				opt_cpu=$(( opt_cpu ))
+ 			else
+ 				echo "$0: error: --cpu should be an integer or 'all', got '$opt_cpu'" >&2
+@@ -961,7 +961,7 @@ while [ -n "${1:-}" ]; do
+ 			echo "$0: error: option --cve expects a parameter, supported CVEs are: $supported_cve_list" >&2
+ 			exit 255
+ 		fi
+-		selected_cve=$(echo "$supported_cve_list" | grep -iwo "$2")
++		selected_cve=$(echo "$supported_cve_list" | @grep@ -iwo "$2")
+ 		if [ -n "$selected_cve" ]; then
+ 			opt_cve_list="$opt_cve_list $selected_cve"
+ 			opt_cve_all=0
+@@ -1166,14 +1166,14 @@ check_kernel()
+ 	# a damaged ELF file and validate it, check for stderr warnings too
+
+ 	# the warning "readelf: Warning: [16]: Link field (0) should index a symtab section./" can appear on valid kernels, ignore it
+-	_readelf_warnings=$("${opt_arch_prefix}readelf" -S "$_file" 2>&1 >/dev/null | grep -v 'should index a symtab section' | tr "\n" "/"); ret=$?
+-	_readelf_sections=$("${opt_arch_prefix}readelf" -S "$_file" 2>/dev/null | grep -c -e data -e text -e init)
+-	_kernel_size=$(stat -c %s "$_file" 2>/dev/null || stat -f %z "$_file" 2>/dev/null || echo 10000)
++	_readelf_warnings=$("@readelf@" -S "$_file" 2>&1 >/dev/null | @grep@ -v 'should index a symtab section' | @tr@ "\n" "/"); ret=$?
++	_readelf_sections=$("@readelf@" -S "$_file" 2>/dev/null | @grep@ -c -e data -e text -e init)
++	_kernel_size=$(@stat@ -c %s "$_file" 2>/dev/null || @stat@ -f %z "$_file" 2>/dev/null || echo 10000)
+ 	_debug "check_kernel: ret=$? size=$_kernel_size sections=$_readelf_sections warnings=$_readelf_warnings"
+ 	if [ "$_mode" = desperate ]; then
+-		if "${opt_arch_prefix}strings" "$_file" | grep -Eq '^Linux version '; then
++		if "@strings@" "$_file" | @grep@ -Eq '^Linux version '; then
+ 			_debug "check_kernel (desperate): ... matched!"
+-			if [ "$_readelf_sections" = 0 ] && grep -qF -e armv6 -e armv7 "$_file"; then
++			if [ "$_readelf_sections" = 0 ] && @grep@ -qF -e armv6 -e armv7 "$_file"; then
+ 				_debug "check_kernel (desperate): raw arm binary found, adjusting objdump options"
+ 				objdump_options="-D -b binary -marm"
+ 			else
+@@ -1206,7 +1206,7 @@ try_decompress()
+
+ 	# Try to find the header ($1) and decompress from here
+ 	_debug "try_decompress: looking for $3 magic in $6"
+-	for     pos in $(tr "$1\n$2" "\n$2=" < "$6" | grep -abo "^$2")
++	for     pos in $(@tr@ "$1\n$2" "\n$2=" < "$6" | @grep@ -abo "^$2")
+ 	do
+ 		_debug "try_decompress: magic for $3 found at offset $pos"
+ 		if ! command -v "$3" >/dev/null 2>&1; then
+@@ -1233,11 +1233,11 @@ try_decompress()
+ 			kernel="$kerneltmp"
+ 			_debug "try_decompress: decompressed with $3 successfully!"
+ 			return 0
+-		elif [ "$3" != "cat" ]; then
++		elif [ "$3" != "@cat@" ]; then
+ 			_debug "try_decompress: decompression with $3 worked but result is not a kernel, trying with an offset"
+-			[ -z "$kerneltmp2" ] && kerneltmp2=$(mktemp -t smc-kernel-XXXXXX)
+-			cat "$kerneltmp" > "$kerneltmp2"
+-			try_decompress '\177ELF' xxy 'cat' '' cat "$kerneltmp2" && return 0
++			[ -z "$kerneltmp2" ] && kerneltmp2=$(@mktemp@ -t smc-kernel-XXXXXX)
++			@cat@ "$kerneltmp" > "$kerneltmp2"
++			try_decompress '\177ELF' xxy '@cat@' '' cat "$kerneltmp2" && return 0
+ 		else
+ 			_debug "try_decompress: decompression with $3 worked but result is not a kernel"
+ 		fi
+@@ -1249,12 +1249,12 @@ extract_kernel()
+ {
+ 	[ -n "${1:-}" ] || return 1
+ 	# Prepare temp files:
+-	kerneltmp="$(mktemp -t smc-kernel-XXXXXX)"
++	kerneltmp="$(@mktemp@ -t smc-kernel-XXXXXX)"
+
+ 	# Initial attempt for uncompressed images or objects:
+ 	if check_kernel "$1"; then
+ 		_debug "extract_kernel: found kernel is valid, no decompression needed"
+-		cat "$1" > "$kerneltmp"
++		@cat@ "$1" > "$kerneltmp"
+ 		kernel=$kerneltmp
+ 		return 0
+ 	fi
+@@ -1263,14 +1263,14 @@ extract_kernel()
+ 	for pass in 1 2; do
+ 		for mode in normal desperate; do
+ 			_debug "extract_kernel: pass $pass $mode mode"
+-			try_decompress '\037\213\010'     xy    gunzip  ''      gunzip      "$1" "$mode" "$pass" && return 0
+-			try_decompress '\002\041\114\030' xyy   'lz4'   '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
+-			try_decompress '\3757zXZ\000'     abcde unxz    ''      xz-utils    "$1" "$mode" "$pass" && return 0
+-			try_decompress 'BZh'              xy    bunzip2 ''      bzip2       "$1" "$mode" "$pass" && return 0
+-			try_decompress '\135\0\0\0'       xxx   unlzma  ''      xz-utils    "$1" "$mode" "$pass" && return 0
+-			try_decompress '\211\114\132'     xy    'lzop'  '-d'    lzop        "$1" "$mode" "$pass" && return 0
+-			try_decompress '\177ELF'          xxy   'cat'   ''      cat         "$1" "$mode" "$pass" && return 0
+-			try_decompress '(\265/\375'       xxy   unzstd  ''      zstd        "$1" "$mode" "$pass" && return 0
++			try_decompress '\037\213\010'     xy    @gunzip@  ''      gunzip      "$1" "$mode" "$pass" && return 0
++			try_decompress '\002\041\114\030' xyy   '@lz4@'   '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
++			try_decompress '\3757zXZ\000'     abcde @unxz@    ''      xz-utils    "$1" "$mode" "$pass" && return 0
++			try_decompress 'BZh'              xy    @bunzip2@ ''      bzip2       "$1" "$mode" "$pass" && return 0
++			try_decompress '\135\0\0\0'       xxx   @unlzma@  ''      xz-utils    "$1" "$mode" "$pass" && return 0
++			try_decompress '\211\114\132'     xy    '@lzop@'  '-d'    lzop        "$1" "$mode" "$pass" && return 0
++			try_decompress '\177ELF'          xxy   '@cat@'   ''      cat         "$1" "$mode" "$pass" && return 0
++			try_decompress '(\265/\375'       xxy   @unzstd@  ''      zstd        "$1" "$mode" "$pass" && return 0
+ 		done
+ 	done
+ 	# kernel_err might already have been populated by try_decompress() if we're missing one of the tools
+@@ -1287,7 +1287,7 @@ mount_debugfs()
+ {
+ 	if [ ! -e /sys/kernel/debug/sched_features ]; then
+ 		# try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
+-		mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
++		@mount@ -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
+ 	fi
+ }
+
+@@ -1298,12 +1298,12 @@ load_msr()
+ 	load_msr_once=1
+
+ 	if [ "$os" = Linux ]; then
+-		if ! grep -qw msr "$procfs/modules" 2>/dev/null; then
+-			modprobe msr 2>/dev/null && insmod_msr=1
++		if ! @grep@ -qw msr "$procfs/modules" 2>/dev/null; then
++			@modprobe@ msr 2>/dev/null && insmod_msr=1
+ 			_debug "attempted to load module msr, insmod_msr=$insmod_msr"
+ 		else
+ 			_debug "msr module already loaded"
+-		fi
++		fi
+ 	else
+ 		if ! kldstat -q -m cpuctl; then
+ 			kldload cpuctl 2>/dev/null && kldload_cpuctl=1
+@@ -1321,12 +1321,12 @@ load_cpuid()
+ 	load_cpuid_once=1
+
+ 	if [ "$os" = Linux ]; then
+-		if ! grep -qw cpuid "$procfs/modules" 2>/dev/null; then
+-			modprobe cpuid 2>/dev/null && insmod_cpuid=1
++		if ! @grep@ -qw cpuid "$procfs/modules" 2>/dev/null; then
++			@modprobe@ cpuid 2>/dev/null && insmod_cpuid=1
+ 			_debug "attempted to load module cpuid, insmod_cpuid=$insmod_cpuid"
+ 		else
+ 			_debug "cpuid module already loaded"
+-		fi
++		fi
+ 	else
+ 		if ! kldstat -q -m cpuctl; then
+ 			kldload cpuctl 2>/dev/null && kldload_cpuctl=1
+@@ -1415,7 +1415,7 @@ read_cpuid_one_core()
+ 		fi
+ 		# on some kernel versions, /dev/cpu/0/cpuid doesn't imply that the cpuid module is loaded, in that case dd returns an error,
+ 		# we use that fact to load the module if dd returns an error
+-		if ! dd if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then
++		if ! @dd@ if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then
+ 			load_cpuid
+ 		fi
+ 		# we need _leaf to be converted to decimal for dd
+@@ -1426,14 +1426,14 @@ read_cpuid_one_core()
+ 		_ddskip=$(( _position / 16 ))
+ 		_odskip=$(( _position - _ddskip * 16 ))
+ 		# now read the value
+-		_cpuid=$(dd if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | od -j $((_odskip * 16)) -A n -t u4)
++		_cpuid=$(@dd@ if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | @od@ -j $((_odskip * 16)) -A n -t u4)
+ 	elif [ -e /dev/cpuctl0 ]; then
+ 		# BSD
+ 		if [ ! -r /dev/cpuctl0 ]; then
+ 			read_cpuid_msg="Couldn't read cpuid info from cpuctl"
+ 			return $READ_CPUID_RET_ERR
+ 		fi
+-		_cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | cut -d: -f2-)
++		_cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | @cut@ -d: -f2-)
+ 		# cpuid level 0x4, level_type 0x2: 0x1c004143 0x01c0003f 0x000001ff 0x00000000
+ 	else
+ 		read_cpuid_msg="Found no way to read cpuid info"
+@@ -1456,7 +1456,7 @@ read_cpuid_one_core()
+ 	fi
+
+ 	# get the value of the register we want
+-	_reg=$(echo "$_cpuid" | awk '{print $'"$_register"'}')
++	_reg=$(echo "$_cpuid" | @awk@ '{print $'"$_register"'}')
+ 	# Linux returns it as decimal, BSD as hex, normalize to decimal
+ 	_reg=$(( _reg ))
+ 	# shellcheck disable=SC2046
+@@ -1484,11 +1484,11 @@ dmesg_grep()
+ 	# grep for something in dmesg, ensuring that the dmesg buffer
+ 	# has not been truncated
+ 	dmesg_grepped=''
+-	if ! dmesg | grep -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then
++	if ! @dmesg@ | @grep@ -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then
+ 		# dmesg truncated
+ 		return 2
+ 	fi
+-	dmesg_grepped=$(dmesg | grep -E "$1" | head -1)
++	dmesg_grepped=$(@dmesg@ | @grep@ -E "$1" | @head@ -1)
+ 	# not found:
+ 	[ -z "$dmesg_grepped" ] && return 1
+ 	# found, output is in $dmesg_grepped
+@@ -1505,12 +1505,12 @@ parse_cpu_details()
+ {
+ 	[ "${parse_cpu_details_done:-}" = 1 ] && return 0
+
+-	if command -v nproc >/dev/null; then
+-		number_of_cores=$(nproc)
+-	elif echo "$os" | grep -q BSD; then
+-		number_of_cores=$(sysctl -n hw.ncpu 2>/dev/null || echo 1)
++	if command -v @nproc@ >/dev/null; then
++		number_of_cores=$(@nproc@)
++	elif echo "$os" | @grep@ -q BSD; then
++		number_of_cores=$(@sysctl@ -n hw.ncpu 2>/dev/null || echo 1)
+ 	elif [ -e "$procfs/cpuinfo" ]; then
+-		number_of_cores=$(grep -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1)
++		number_of_cores=$(@grep@ -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1)
+ 	else
+ 		# if we don't know, default to 1 CPU
+ 		number_of_cores=1
+@@ -1518,43 +1518,43 @@ parse_cpu_details()
+ 	max_core_id=$(( number_of_cores - 1 ))
+
+ 	if [ -e "$procfs/cpuinfo" ]; then
+-		cpu_vendor=$(  grep '^vendor_id'  "$procfs/cpuinfo" | awk '{print $3}' | head -1)
+-		cpu_friendly_name=$(grep '^model name' "$procfs/cpuinfo" | cut -d: -f2- | head -1 | sed -e 's/^ *//')
++		cpu_vendor=$(  @grep@ '^vendor_id'  "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1)
++		cpu_friendly_name=$(@grep@ '^model name' "$procfs/cpuinfo" | @cut@ -d: -f2- | @head@ -1 | @sed@ -e 's/^ *//')
+ 		# special case for ARM follows
+-		if grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
++		if @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
+ 			cpu_vendor='ARM'
+ 			# some devices (phones or other) have several ARMs and as such different part numbers,
+ 			# an example is "bigLITTLE", so we need to store the whole list, this is needed for is_cpu_affected
+-			cpu_part_list=$(awk '/CPU part/         {print $4}' "$procfs/cpuinfo")
+-			cpu_arch_list=$(awk '/CPU architecture/ {print $3}' "$procfs/cpuinfo")
++			cpu_part_list=$(@awk@ '/CPU part/         {print $4}' "$procfs/cpuinfo")
++			cpu_arch_list=$(@awk@ '/CPU architecture/ {print $3}' "$procfs/cpuinfo")
+ 			# take the first one to fill the friendly name, do NOT quote the vars below
+ 			# shellcheck disable=SC2086
+-			cpu_arch=$(echo $cpu_arch_list | awk '{ print $1 }')
++			cpu_arch=$(echo $cpu_arch_list | @awk@ '{ print $1 }')
+ 			# shellcheck disable=SC2086
+-			cpu_part=$(echo $cpu_part_list | awk '{ print $1 }')
++			cpu_part=$(echo $cpu_part_list | @awk@ '{ print $1 }')
+ 			[ "$cpu_arch" = "AArch64" ] && cpu_arch=8
+ 			cpu_friendly_name="ARM"
+ 			[ -n "$cpu_arch" ] && cpu_friendly_name="$cpu_friendly_name v$cpu_arch"
+ 			[ -n "$cpu_part" ] && cpu_friendly_name="$cpu_friendly_name model $cpu_part"
+
+-		elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
++		elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
+ 			cpu_vendor='CAVIUM'
+-		elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
++		elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
+ 			cpu_vendor='PHYTIUM'
+ 		fi
+
+-		cpu_family=$(  grep '^cpu family' "$procfs/cpuinfo" | awk '{print $4}' | grep -E '^[0-9]+$' | head -1)
+-		cpu_model=$(   grep '^model'      "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
+-		cpu_stepping=$(grep '^stepping'   "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
+-		cpu_ucode=$(   grep '^microcode'  "$procfs/cpuinfo" | awk '{print $3}' | head -1)
++		cpu_family=$(  @grep@ '^cpu family' "$procfs/cpuinfo" | @awk@ '{print $4}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++		cpu_model=$(   @grep@ '^model'      "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++		cpu_stepping=$(@grep@ '^stepping'   "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++		cpu_ucode=$(   @grep@ '^microcode'  "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1)
+ 	else
+-		cpu_vendor=$( dmesg | grep -i -m1 'Origin=' | cut -f2 -w | cut -f2 -d= | cut -f2 -d\" )
+-		cpu_family=$( dmesg | grep -i -m1 'Family=' | cut -f4 -w | cut -f2 -d= )
++		cpu_vendor=$( @dmesg@ | @grep@ -i -m1 'Origin=' | @cut@ -f2 -w | @cut@ -f2 -d= | @cut@ -f2 -d\" )
++		cpu_family=$( @dmesg@ | @grep@ -i -m1 'Family=' | @cut@ -f4 -w | @cut@ -f2 -d= )
+ 		cpu_family=$(( cpu_family ))
+-		cpu_model=$( dmesg | grep -i -m1 'Model=' | cut -f5 -w | cut -f2 -d= )
++		cpu_model=$( @dmesg@ | @grep@ -i -m1 'Model=' | @cut@ -f5 -w | @cut@ -f2 -d= )
+ 		cpu_model=$(( cpu_model ))
+-		cpu_stepping=$( dmesg | grep -i -m1 'Stepping=' | cut -f6 -w | cut -f2 -d= )
+-		cpu_friendly_name=$(sysctl -n hw.model 2>/dev/null)
++		cpu_stepping=$( @dmesg@ | @grep@ -i -m1 'Stepping=' | @cut@ -f6 -w | @cut@ -f2 -d= )
++		cpu_friendly_name=$(@sysctl@ -n hw.model 2>/dev/null)
+ 	fi
+
+ 	if [ -n "${SMC_MOCK_CPU_FRIENDLY_NAME:-}" ]; then
+@@ -1609,7 +1609,7 @@ parse_cpu_details()
+ 			# call CPUID
+ 			cpucontrol -i 1 /dev/cpuctl0 >/dev/null
+ 			# read MSR
+-			cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | awk '{print $3}')
++			cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | @awk@ '{print $3}')
+ 			# convert to decimal
+ 			cpu_ucode=$(( cpu_ucode ))
+ 			# convert back to hex
+@@ -1628,7 +1628,7 @@ parse_cpu_details()
+ 		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CPU_UCODE='$cpu_ucode'")
+ 	fi
+
+-	echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$(( cpu_ucode ))
++	echo "$cpu_ucode" | @grep@ -q ^0x && cpu_ucode=$(( cpu_ucode ))
+ 	ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid")
+
+ 	# also define those that we will need in other funcs
+@@ -1725,8 +1725,8 @@ is_cpu_smt_enabled()
+ {
+ 	# SMT / HyperThreading is enabled if siblings != cpucores
+ 	if [ -e "$procfs/cpuinfo" ]; then
+-		_siblings=$(awk '/^siblings/  {print $3;exit}' "$procfs/cpuinfo")
+-		_cpucores=$(awk '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo")
++		_siblings=$(@awk@ '/^siblings/  {print $3;exit}' "$procfs/cpuinfo")
++		_cpucores=$(@awk@ '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo")
+ 		if [ -n "$_siblings" ] && [ -n "$_cpucores" ]; then
+ 			if [ "$_siblings" = "$_cpucores" ]; then
+ 				return 1
+@@ -1774,10 +1774,10 @@ is_ucode_blacklisted()
+ 		$INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b   \
+ 		$INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712
+ 	do
+-		model=$(echo "$tuple" | cut -d, -f1)
+-		stepping=$(( $(echo "$tuple" | cut -d, -f2) ))
++		model=$(echo "$tuple" | @cut@ -d, -f1)
++		stepping=$(( $(echo "$tuple" | @cut@ -d, -f2) ))
+ 		if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" = "$stepping" ]; then
+-			ucode=$(( $(echo "$tuple" | cut -d, -f3) ))
++			ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
+ 			if [ "$cpu_ucode" = "$ucode" ]; then
+ 				_debug "is_ucode_blacklisted: we have a match! ($cpu_model/$cpu_stepping/$cpu_ucode)"
+ 				return 0
+@@ -1865,7 +1865,7 @@ is_xen_dom0()
+ 		return 1
+ 	fi
+
+-	if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d" "$procfs/xen/capabilities"; then
++	if [ -e "$procfs/xen/capabilities" ] && @grep@ -q "control_d" "$procfs/xen/capabilities"; then
+ 		return 0
+ 	else
+ 		return 1
+@@ -1893,13 +1893,13 @@ is_xen_domU()
+
+ if [ -r "$mcedb_cache" ]; then
+ 	# we have a local cache file, but it might be older than the builtin version we have
+-	local_dbversion=$(  awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
++	local_dbversion=$(  @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+ 	mcedb_source="$mcedb_cache"
+ 	mcedb_info="local firmwares DB $local_dbversion"
+ fi
+ read_mcedb()
+ {
+-	awk '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
++	@awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
+ }
+
+ is_latest_known_ucode()
+@@ -1920,10 +1920,10 @@ is_latest_known_ucode()
+ 	else
+ 		return 2
+ 	fi
+-	for tuple in $(read_mcedb | grep "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
++	for tuple in $(read_mcedb | @grep@ "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
+ 	do
+-		ucode=$((  $(echo "$tuple" | cut -d, -f3) ))
+-		ucode_date=$(echo "$tuple" | cut -d, -f4 | sed -r 's=(....)(..)(..)=\1/\2/\3=')
++		ucode=$((  $(echo "$tuple" | @cut@ -d, -f3) ))
++		ucode_date=$(echo "$tuple" | @cut@ -d, -f4 | @sed@ -r 's=(....)(..)(..)=\1/\2/\3=')
+ 		_debug "is_latest_known_ucode: with cpuid $cpu_cpuid has ucode $cpu_ucode, last known is $ucode from $ucode_date"
+ 		ucode_latest=$(printf "latest version is 0x%x dated $ucode_date according to $mcedb_info" "$ucode")
+ 		if [ "$cpu_ucode" -ge "$ucode" ]; then
+@@ -1948,7 +1948,7 @@ get_cmdline()
+ 		kernel_cmdline="$SMC_MOCK_CMDLINE"
+ 		return
+ 	else
+-		kernel_cmdline=$(cat "$procfs/cmdline")
++		kernel_cmdline=$(@cat@ "$procfs/cmdline")
+ 		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CMDLINE='$kernel_cmdline'")
+ 	fi
+ }
+@@ -1956,7 +1956,7 @@ get_cmdline()
+ # ENTRYPOINT
+
+ # we can't do anything useful under WSL
+-if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then
++if @uname@ -a | @grep@ -qE -- '-Microsoft #[0-9]+-Microsoft '; then
+ 	_warn "This script doesn't work under Windows Subsystem for Linux"
+ 	_warn "You should use the official Microsoft tool instead."
+ 	_warn "It can be found under https://aka.ms/SpeculationControlPS"
+@@ -2005,15 +2005,15 @@ fi
+
+ # if we're under a BSD, try to mount linprocfs for "$procfs/cpuinfo"
+ procfs=/proc
+-if echo "$os" | grep -q BSD; then
++if echo "$os" | @grep@ -q BSD; then
+ 	_debug "We're under BSD, check if we have procfs"
+-	procfs=$(mount | awk '/^linprocfs/ { print $3; exit; }')
++	procfs=$(@mount@ | @awk@ '/^linprocfs/ { print $3; exit; }')
+ 	if [ -z "$procfs" ]; then
+ 		_debug "we don't, try to mount it"
+ 		procfs=/proc
+ 		[ -d /compat/linux/proc ] && procfs=/compat/linux/proc
+ 		test -d $procfs || mkdir $procfs
+-		if mount -t linprocfs linprocfs $procfs 2>/dev/null; then
++		if @mount@ -t linprocfs linprocfs $procfs 2>/dev/null; then
+ 			mounted_procfs=1
+ 			_debug "procfs just mounted at $procfs"
+ 		else
+@@ -2045,14 +2045,14 @@ fi
+
+ if [ "$opt_live" = 1 ]; then
+ 	# root check (only for live mode, for offline mode, we already checked if we could read the files)
+-	if [ "$(id -u)" -ne 0 ]; then
++	if [ "$(@id@ -u)" -ne 0 ]; then
+ 		_warn "Note that you should launch this script with root privileges to get accurate information."
+ 		_warn "We'll proceed but you might see permission denied errors."
+ 		_warn "To run it as root, you can try the following command: sudo $0"
+ 		_warn
+ 	fi
+ 	_info "Checking for vulnerabilities on current system"
+-	_info "Kernel is \033[35m$os $(uname -r) $(uname -v) $(uname -m)\033[0m"
++	_info "Kernel is \033[35m$os $(@uname@ -r) $(@uname@ -v) $(@uname@ -m)\033[0m"
+ 	_info "CPU is \033[35m$cpu_friendly_name\033[0m"
+
+ 	# try to find the image of the current running kernel
+@@ -2060,12 +2060,12 @@ if [ "$opt_live" = 1 ]; then
+ 		# specified by user on cmdline, with --live, don't override
+ 		:
+ 	# first, look for the BOOT_IMAGE hint in the kernel cmdline
+-	elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then
+-		opt_kernel=$(echo "$kernel_cmdline" | grep -Eo 'BOOT_IMAGE=[^ ]+' | cut -d= -f2)
++	elif echo "$kernel_cmdline" | @grep@ -q 'BOOT_IMAGE='; then
++		opt_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo 'BOOT_IMAGE=[^ ]+' | @cut@ -d= -f2)
+ 		_debug "found opt_kernel=$opt_kernel in $procfs/cmdline"
+ 		# if the boot partition is within a btrfs subvolume, strip the subvolume name
+ 		# if /boot is a separate subvolume, the remainder of the code in this section should handle it
+-		if echo "$opt_kernel" | grep -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi
++		if echo "$opt_kernel" | @grep@ -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | @sed@ "s:/@[^/]*::"); fi
+ 		# if we have a dedicated /boot partition, our bootloader might have just called it /
+ 		# so try to prepend /boot and see if we find anything
+ 		[ -e "/boot/$opt_kernel" ] && opt_kernel="/boot/$opt_kernel"
+@@ -2077,7 +2077,7 @@ if [ "$opt_live" = 1 ]; then
+ 	# if we didn't find a kernel, default to guessing
+ 	if [ ! -e "$opt_kernel" ]; then
+ 		# Fedora:
+-		[ -e "/lib/modules/$(uname -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(uname -r)/vmlinuz"
++		[ -e "/lib/modules/$(@uname@ -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(@uname@ -r)/vmlinuz"
+ 		# Slackware:
+ 		[ -e "/boot/vmlinuz"             ] && opt_kernel="/boot/vmlinuz"
+ 		# Arch aarch64:
+@@ -2091,24 +2091,24 @@ if [ "$opt_live" = 1 ]; then
+ 		# pine64
+ 		[ -e "/boot/pine64/Image"        ] && opt_kernel="/boot/pine64/Image"
+ 		# generic:
+-		[ -e "/boot/vmlinuz-$(uname -r)" ] && opt_kernel="/boot/vmlinuz-$(uname -r)"
+-		[ -e "/boot/kernel-$( uname -r)" ] && opt_kernel="/boot/kernel-$( uname -r)"
+-		[ -e "/boot/bzImage-$(uname -r)" ] && opt_kernel="/boot/bzImage-$(uname -r)"
++		[ -e "/boot/vmlinuz-$(@uname@ -r)" ] && opt_kernel="/boot/vmlinuz-$(@uname@ -r)"
++		[ -e "/boot/kernel-$( @uname@ -r)" ] && opt_kernel="/boot/kernel-$( @uname@ -r)"
++		[ -e "/boot/bzImage-$(@uname@ -r)" ] && opt_kernel="/boot/bzImage-$(@uname@ -r)"
+ 		# Gentoo:
+-		[ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
++		[ -e "/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)" ] && opt_kernel="/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)"
+ 		# NixOS:
+ 		[ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
+ 		# Guix System:
+ 		[ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ 		# systemd kernel-install:
+-		[ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
++		[ -e "/etc/machine-id" ] && [ -e "/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux" ] && opt_kernel="/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux"
+ 		# Clear Linux:
+-		str_uname=$(uname -r)
++		str_uname=$(@uname@ -r)
+ 		clear_linux_kernel="/lib/kernel/org.clearlinux.${str_uname##*.}.${str_uname%.*}"
+ 		[ -e "$clear_linux_kernel" ] && opt_kernel=$clear_linux_kernel
+ 		# Custom Arch seems to have the kernel path in its cmdline in the form "\directory\kernelimage",
+ 		# with actual \'s instead of /'s:
+-		custom_arch_kernel=$(echo "$kernel_cmdline" | grep -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d '[:space:]')
++		custom_arch_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | @tr@ "\\\\" "/" | @tr@ -d '[:space:]')
+ 		if [ -n "$custom_arch_kernel" ] && [ -e "$custom_arch_kernel" ]; then
+ 			opt_kernel="$custom_arch_kernel"
+ 		fi
+@@ -2122,12 +2122,12 @@ if [ "$opt_live" = 1 ]; then
+ 		:
+ 	elif [ -e "$procfs/kallsyms" ] ; then
+ 		opt_map="$procfs/kallsyms"
+-	elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then
+-		opt_map="/lib/modules/$(uname -r)/System.map"
+-	elif [ -e "/boot/System.map-$(uname -r)" ] ; then
+-		opt_map="/boot/System.map-$(uname -r)"
+-	elif [ -e "/lib/kernel/System.map-$(uname -r)" ]; then
+-		opt_map="/lib/kernel/System.map-$(uname -r)"
++	elif [ -e "/lib/modules/$(@uname@ -r)/System.map" ] ; then
++		opt_map="/lib/modules/$(@uname@ -r)/System.map"
++	elif [ -e "/boot/System.map-$(@uname@ -r)" ] ; then
++		opt_map="/boot/System.map-$(@uname@ -r)"
++	elif [ -e "/lib/kernel/System.map-$(@uname@ -r)" ]; then
++		opt_map="/lib/kernel/System.map-$(@uname@ -r)"
+ 	fi
+
+ 	# config
+@@ -2135,18 +2135,18 @@ if [ "$opt_live" = 1 ]; then
+ 		# specified by user on cmdline, with --live, don't override
+ 		:
+ 	elif [ -e "$procfs/config.gz" ] ; then
+-		dumped_config="$(mktemp -t smc-config-XXXXXX)"
+-		gunzip -c "$procfs/config.gz" > "$dumped_config"
++		dumped_config="$(@mktemp@ -t smc-config-XXXXXX)"
++		@gunzip@ -c "$procfs/config.gz" > "$dumped_config"
+ 		# dumped_config will be deleted at the end of the script
+ 		opt_config="$dumped_config"
+-	elif [ -e "/lib/modules/$(uname -r)/config" ]; then
+-		opt_config="/lib/modules/$(uname -r)/config"
+-	elif [ -e "/boot/config-$(uname -r)" ]; then
+-		opt_config="/boot/config-$(uname -r)"
+-	elif [ -e "/etc/kernels/kernel-config-$(uname -m)-$(uname -r)" ]; then
+-		opt_config="/etc/kernels/kernel-config-$(uname -m)-$(uname -r)"
+-	elif [ -e "/lib/kernel/config-$(uname -r)" ]; then
+-		opt_config="/lib/kernel/config-$(uname -r)"
++	elif [ -e "/lib/modules/$(@uname@ -r)/config" ]; then
++		opt_config="/lib/modules/$(@uname@ -r)/config"
++	elif [ -e "/boot/config-$(@uname@ -r)" ]; then
++		opt_config="/boot/config-$(@uname@ -r)"
++	elif [ -e "/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)" ]; then
++		opt_config="/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)"
++	elif [ -e "/lib/kernel/config-$(@uname@ -r)" ]; then
++		opt_config="/lib/kernel/config-$(@uname@ -r)"
+ 	fi
+ else
+ 	_info "Checking for vulnerabilities against specified kernel"
+@@ -2161,7 +2161,7 @@ else
+ fi
+
+ if [ "$os" = Linux ]; then
+-	if [ -n "$opt_config" ] && ! grep -q '^CONFIG_' "$opt_config"; then
++	if [ -n "$opt_config" ] && ! @grep@ -q '^CONFIG_' "$opt_config"; then
+ 		# given file is invalid!
+ 		_warn "The kernel config file seems invalid, was expecting a plain-text file, ignoring it!"
+ 		opt_config=''
+@@ -2189,7 +2189,7 @@ if [ "$os" = Linux ]; then
+ fi
+
+ if [ -e "$opt_kernel" ]; then
+-	if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then
++	if ! command -v "@readelf@" >/dev/null 2>&1; then
+ 		_debug "readelf not found"
+ 		kernel_err="missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the 'binutils' package"
+ 	elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ]; then
+@@ -2207,20 +2207,20 @@ else
+ 	# vanilla kernels have with ^Linux version
+ 	# also try harder with some kernels (such as Red Hat) that don't have ^Linux version before their version string
+ 	# and check for FreeBSD
+-	kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E \
++	kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E \
+ 		-e '^Linux version ' \
+ 		-e '^[[:alnum:]][^[:space:]]+ \([^[:space:]]+\) #[0-9]+ .+ (19|20)[0-9][0-9]$' \
+-		-e '^FreeBSD [0-9]' | head -1)
++		-e '^FreeBSD [0-9]' | @head@ -1)
+ 	if [ -z "$kernel_version" ]; then
+ 		# try even harder with some kernels (such as ARM) that split the release (uname -r) and version (uname -v) in 2 adjacent strings
+-		kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | tr "\n" " ")
++		kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | @tr@ "\n" " ")
+ 	fi
+ 	if [ -n "$kernel_version" ]; then
+ 		# in live mode, check if the img we found is the correct one
+ 		if [ "$opt_live" = 1 ]; then
+ 			_verbose "Kernel image is \033[35m$kernel_version"
+-			if ! echo "$kernel_version" | grep -qF "$(uname -r)"; then
+-				_warn "Possible discrepancy between your running kernel '$(uname -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect"
++			if ! echo "$kernel_version" | @grep@ -qF "$(@uname@ -r)"; then
++				_warn "Possible discrepancy between your running kernel '$(@uname@ -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect"
+ 			fi
+ 		else
+ 			_info "Kernel image is \033[35m$kernel_version"
+@@ -2248,11 +2248,11 @@ sys_interface_check()
+ 	if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r "$file" ]; then
+ 		:
+ 	else
+-		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")_RET=1")
++		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")_RET=1")
+ 		return 1
+ 	fi
+
+-	_mockvarname="SMC_MOCK_SYSFS_$(basename "$file")_RET"
++	_mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")_RET"
+ 	# shellcheck disable=SC2086,SC1083
+ 	if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
+ 		_debug "sysfs: MOCKING enabled for $file func returns $(eval echo \$$_mockvarname)"
+@@ -2261,17 +2261,17 @@ sys_interface_check()
+ 	fi
+
+ 	[ -n "$regex" ] || regex='.*'
+-	_mockvarname="SMC_MOCK_SYSFS_$(basename "$file")"
++	_mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")"
+ 	# shellcheck disable=SC2086,SC1083
+ 	if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
+ 		fullmsg="$(eval echo \$$_mockvarname)"
+-		msg=$(echo "$fullmsg" | grep -Eo "$regex")
++		msg=$(echo "$fullmsg" | @grep@ -Eo "$regex")
+ 		_debug "sysfs: MOCKING enabled for $file, will return $fullmsg"
+ 		mocked=1
+ 	else
+-		fullmsg=$(cat "$file")
+-		msg=$(grep -Eo "$regex" "$file")
+-		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")='$fullmsg'")
++		fullmsg=$(@cat@ "$file")
++		msg=$(@grep@ -Eo "$regex" "$file")
++		mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")='$fullmsg'")
+ 	fi
+ 	if [ "$mode" = silent ]; then
+ 		return 0
+@@ -2280,15 +2280,15 @@ sys_interface_check()
+ 		return 0
+ 	fi
+ 	_info_nol "* Mitigated according to the /sys interface: "
+-	if echo "$msg" | grep -qi '^not affected'; then
++	if echo "$msg" | @grep@ -qi '^not affected'; then
+ 		# Not affected
+ 		status=OK
+ 		pstatus green YES "$fullmsg"
+-	elif echo "$msg" | grep -qEi '^(kvm: )?mitigation'; then
++	elif echo "$msg" | @grep@ -qEi '^(kvm: )?mitigation'; then
+ 		# Mitigation: PTI
+ 		status=OK
+ 		pstatus green YES "$fullmsg"
+-	elif echo "$msg" | grep -qi '^vulnerable'; then
++	elif echo "$msg" | @grep@ -qi '^vulnerable'; then
+ 		# Vulnerable
+ 		status=VULN
+ 		pstatus yellow NO "$fullmsg"
+@@ -2376,20 +2376,20 @@ write_msr_one_core()
+ 			# ret=4: msr doesn't exist, ret=127: msr.allow_writes=off
+ 			[ "$ret" = 127 ] && _write_denied=1
+ 		# or fallback to dd if it supports seek_bytes, we prefer it over perl because we can tell the difference between EPERM and EIO
+-		elif dd if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
++		elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
+ 			_debug "write_msr: using dd"
+-			dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
++			@dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
+ 			# if it failed, inspect stderrto look for EPERM
+ 			if [ "$ret" != 0 ]; then
+-				if dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then
++				if @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | @grep@ -qF 'Operation not permitted'; then
+ 					_write_denied=1
+ 				fi
+ 			fi
+ 		# or if we have perl, use it, any 5.x version will work
+-		elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
++		elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
+ 			_debug "write_msr: using perl"
+ 			ret=1
+-			perl -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0
++			@perl@ -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0
+ 		else
+ 			_debug "write_msr: got no wrmsr, perl or recent enough dd!"
+ 			mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR")
+@@ -2411,13 +2411,13 @@ write_msr_one_core()
+ 				msr_locked_down=1
+ 				write_msr_msg="your kernel is configured to deny writes to MSRs from user space"
+ 				return $WRITE_MSR_RET_LOCKDOWN
+-			elif dmesg | grep -qF "msr: Direct access to MSR"; then
++			elif @dmesg@ | @grep@ -qF "msr: Direct access to MSR"; then
+ 				_debug "write_msr: locked down kernel detected (Red Hat / Fedora)"
+ 				mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
+ 				msr_locked_down=1
+ 				write_msr_msg="your kernel is locked down (Fedora/Red Hat), please reboot without secure boot and retry"
+ 				return $WRITE_MSR_RET_LOCKDOWN
+-			elif dmesg | grep -qF "raw MSR access is restricted"; then
++			elif @dmesg@ | @grep@ -qF "raw MSR access is restricted"; then
+ 				_debug "write_msr: locked down kernel detected (vanilla)"
+ 				mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
+ 				msr_locked_down=1
+@@ -2516,8 +2516,8 @@ read_msr_one_core()
+ 			return $READ_MSR_RET_KO
+ 		fi
+ 		# MSR 0x10: 0x000003e1 0xb106dded
+-		_msr_h=$(echo "$_msr" | awk '{print $3}');
+-		_msr_l=$(echo "$_msr" | awk '{print $4}');
++		_msr_h=$(echo "$_msr" | @awk@ '{print $3}');
++		_msr_l=$(echo "$_msr" | @awk@ '{print $4}');
+ 		read_msr_value=$(( _msr_h << 32 | _msr_l ))
+ 	else
+ 		# for Linux
+@@ -2528,15 +2528,15 @@ read_msr_one_core()
+ 		# if rdmsr is available, use it
+ 		elif command -v rdmsr >/dev/null 2>&1 && [ "${SMC_NO_RDMSR:-}" != 1 ]; then
+ 			_debug "read_msr: using rdmsr on $_msr"
+-			read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | od -t u8 -A n)
++			read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | @od@ -t u8 -A n)
+ 		# or if we have perl, use it, any 5.x version will work
+-		elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
++		elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
+ 			_debug "read_msr: using perl on $_msr"
+-			read_msr_value=$(perl -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | od -t u8 -A n)
++			read_msr_value=$(@perl@ -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | @od@ -t u8 -A n)
+ 		# fallback to dd if it supports skip_bytes
+-		elif dd if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
++		elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
+ 			_debug "read_msr: using dd on $_msr"
+-			read_msr_value=$(dd if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8 -A n)
++			read_msr_value=$(@dd@ if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | @od@ -t u8 -A n)
+ 		else
+ 			_debug "read_msr: got no rdmsr, perl or recent enough dd!"
+ 			mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR")
+@@ -2560,7 +2560,7 @@ check_cpu()
+ {
+ 	_info "\033[1;34mHardware check\033[0m"
+
+-	if ! uname -m | grep -qwE 'x86_64|i[3-6]86|amd64'; then
++	if ! @uname@ -m | @grep@ -qwE 'x86_64|i[3-6]86|amd64'; then
+ 		return
+ 	fi
+
+@@ -3176,19 +3176,19 @@ check_redhat_canonical_spectre()
+ 	# if we were already called, don't do it again
+ 	[ -n "${redhat_canonical_spectre:-}" ] && return
+
+-	if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++	if ! command -v "@strings@" >/dev/null 2>&1; then
+ 		redhat_canonical_spectre=-1
+ 	elif [ -n "$kernel_err" ]; then
+ 		redhat_canonical_spectre=-2
+ 	else
+ 		# Red Hat / Ubuntu specific variant1 patch is difficult to detect,
+ 		# let's use the two same tricks than the official Red Hat detection script uses:
+-		if "${opt_arch_prefix}strings" "$kernel" | grep -qw noibrs && "${opt_arch_prefix}strings" "$kernel" | grep -qw noibpb; then
++		if "@strings@" "$kernel" | @grep@ -qw noibrs && "@strings@" "$kernel" | @grep@ -qw noibpb; then
+ 			# 1) detect their specific variant2 patch. If it's present, it means
+ 			# that the variant1 patch is also present (both were merged at the same time)
+ 			_debug "found redhat/canonical version of the variant2 patch (implies variant1)"
+ 			redhat_canonical_spectre=1
+-		elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'x86/pti:'; then
++		elif "@strings@" "$kernel" | @grep@ -q 'x86/pti:'; then
+ 			# 2) detect their specific variant3 patch. If it's present, but the variant2
+ 			# is not, it means that only variant1 is present in addition to variant3
+ 			_debug "found redhat/canonical version of the variant3 patch (implies variant1 but not variant2)"
+@@ -3213,13 +3213,13 @@ check_has_vmm()
+ 		# If we find no evidence that this is the case, assume we're not (to avoid scaring users),
+ 		# this can always be overridden with --vmm in any case.
+ 		has_vmm=0
+-		if command -v pgrep >/dev/null 2>&1; then
++		if command -v @pgrep@ >/dev/null 2>&1; then
+ 			# remove xenbus and xenwatch, also present inside domU
+ 			# remove libvirtd as it can also be used to manage containers and not VMs
+ 			# for each binary we want to grep, get the pids
+ 			for _binary in qemu kvm xenstored xenconsoled
+ 			do
+-				for _pid in $(pgrep -x $_binary)
++				for _pid in $(@pgrep@ -x $_binary)
+ 				do
+ 					# resolve the exe symlink, if it doesn't resolve with -m,
+ 					# which doesn't even need the dest to exist, it means the symlink
+@@ -3235,7 +3235,7 @@ check_has_vmm()
+ 		else
+ 			# ignore SC2009 as `ps ax` is actually used as a fallback if `pgrep` isn't installed
+ 			# shellcheck disable=SC2009
+-			if command -v ps >/devnull && ps ax | grep -vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then
++			if command -v ps >/devnull && ps ax | @grep@ -vw grep | @grep@ -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then
+ 				has_vmm=1
+ 			fi
+ 		fi
+@@ -3267,7 +3267,7 @@ check_CVE_2017_5753()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2017_5753_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2017_5753_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -3319,20 +3319,20 @@ check_CVE_2017_5753_linux()
+ 		v1_mask_nospec=''
+ 		if [ -n "$kernel_err" ]; then
+ 			pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+-		elif ! command -v perl >/dev/null 2>&1; then
++		elif ! command -v @perl@ >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+ 		else
+-			perl -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
++			@perl@ -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
+ 			if [ $ret -gt 0 ]; then
+ 				pstatus green YES "$ret occurrence(s) found of x86 64 bits array_index_mask_nospec()"
+ 				v1_mask_nospec="x86 64 bits array_index_mask_nospec"
+ 			else
+-				perl -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
++				@perl@ -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
+ 				if [ $ret -gt 0 ]; then
+ 					pstatus green YES "$ret occurrence(s) found of x86 32 bits array_index_mask_nospec()"
+ 					v1_mask_nospec="x86 32 bits array_index_mask_nospec"
+ 				else
+-					ret=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" | grep -w -e f3af8014 -e e320f014 -B2 | grep -B1 -w sbc | grep -w -c cmp)
++					ret=$("@objdump@" $objdump_options "$kernel" | @grep@ -w -e f3af8014 -e e320f014 -B2 | @grep@ -B1 -w sbc | @grep@ -w -c cmp)
+ 					if [ "$ret" -gt 0 ]; then
+ 						pstatus green YES "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()"
+ 						v1_mask_nospec="arm 32 bits array_index_mask_nospec"
+@@ -3376,12 +3376,12 @@ check_CVE_2017_5753_linux()
+ 			pstatus yellow NO
+ 		elif [ -n "$kernel_err" ]; then
+ 			pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+-		elif ! command -v perl >/dev/null 2>&1; then
++		elif ! command -v @perl@ >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+-		elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++		elif ! command -v "@objdump@" >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ 		else
+-			"${opt_arch_prefix}objdump" $objdump_options "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
++			"@objdump@" $objdump_options "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
+ 			if [ "$ret" -eq 9 ]; then
+ 				pstatus green YES "mask_nospec64 macro is present and used"
+ 				v1_mask_nospec="arm64 mask_nospec64"
+@@ -3403,12 +3403,12 @@ check_CVE_2017_5753_linux()
+ 			pstatus yellow NO
+ 		elif [ -n "$kernel_err" ]; then
+ 			pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+-		elif ! command -v perl >/dev/null 2>&1; then
++		elif ! command -v @perl@ >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+-		elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++		elif ! command -v "@objdump@" >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ 		else
+-			"${opt_arch_prefix}objdump" -d "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$?
++			"@objdump@" -d "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$?
+ 			if [ "$ret" -eq 9 ]; then
+ 				pstatus green YES "array_index_nospec macro is present and used"
+ 				v1_mask_nospec="arm64 array_index_nospec"
+@@ -3424,7 +3424,7 @@ check_CVE_2017_5753_linux()
+ 			if [ -n "$kernel_err" ]; then
+ 				pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ 			else
+-				if ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++				if ! command -v "@objdump@" >/dev/null 2>&1; then
+ 					pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ 				else
+ 					# here we disassemble the kernel and count the number of occurrences of the LFENCE opcode
+@@ -3434,7 +3434,7 @@ check_CVE_2017_5753_linux()
+ 					# so let's push the threshold to 70.
+ 					# v0.33+: now only count lfence opcodes after a jump, way less error-prone
+ 					# non patched kernel have between 0 and 20 matches, patched ones have at least 40-45
+-					nb_lfence=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence | grep -Ewc 'jmp|jne|je')
++					nb_lfence=$("@objdump@" $objdump_options "$kernel" 2>/dev/null | @grep@ -w -B1 lfence | @grep@ -Ewc 'jmp|jne|je')
+ 					if [ "$nb_lfence" -lt 30 ]; then
+ 						pstatus yellow NO "only $nb_lfence jump-then-lfence instructions found, should be >= 30 (heuristic)"
+ 					else
+@@ -3505,7 +3505,7 @@ check_CVE_2017_5715()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2017_5715_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2017_5715_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -3547,13 +3547,13 @@ check_CVE_2017_5715_linux()
+ 					# /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed
+ 					specex_knob_dir=$dir
+ 					ibrs_supported="$dir/ibrs_enabled exists"
+-					ibrs_enabled=$(cat "$dir/ibrs_enabled" 2>/dev/null)
++					ibrs_enabled=$(@cat@ "$dir/ibrs_enabled" 2>/dev/null)
+ 					_debug "ibrs: found $dir/ibrs_enabled=$ibrs_enabled"
+ 					# if ibrs_enabled is there, ibpb_enabled will be in the same dir
+ 					if [ -e "$dir/ibpb_enabled" ]; then
+ 						# if the file is there, we have IBPB compiled-in (see note above for IBRS)
+ 						ibpb_supported="$dir/ibpb_enabled exists"
+-						ibpb_enabled=$(cat "$dir/ibpb_enabled" 2>/dev/null)
++						ibpb_enabled=$(@cat@ "$dir/ibpb_enabled" 2>/dev/null)
+ 						_debug "ibpb: found $dir/ibpb_enabled=$ibpb_enabled"
+ 					else
+ 						_debug "ibpb: $dir/ibpb_enabled file doesn't exist"
+@@ -3568,7 +3568,7 @@ check_CVE_2017_5715_linux()
+ 			# which in that case means ibrs is supported *and* enabled for kernel & user
+ 			# as per the ibrs patch series v3
+ 			if [ -z "$ibrs_supported" ]; then
+-				if grep ^flags "$procfs/cpuinfo" | grep -qw spec_ctrl_ibrs; then
++				if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw spec_ctrl_ibrs; then
+ 					_debug "ibrs: found spec_ctrl_ibrs flag in $procfs/cpuinfo"
+ 					ibrs_supported="spec_ctrl_ibrs flag in $procfs/cpuinfo"
+ 					# enabled=2 -> kernel & user
+@@ -3578,13 +3578,13 @@ check_CVE_2017_5715_linux()
+ 			fi
+ 			if [ -n "$fullmsg" ]; then
+ 				# when IBPB is enabled on 4.15+, we can see it in sysfs
+-				if echo "$fullmsg" | grep -q 'IBPB'; then
++				if echo "$fullmsg" | @grep@ -q 'IBPB'; then
+ 					_debug "ibpb: found enabled in sysfs"
+ 					[ -z "$ibpb_supported" ] && ibpb_supported='IBPB found enabled in sysfs'
+ 					[ -z "$ibpb_enabled"   ] && ibpb_enabled=1
+ 				fi
+ 				# when IBRS_FW is enabled on 4.15+, we can see it in sysfs
+-				if echo "$fullmsg" | grep -q ', IBRS_FW'; then
++				if echo "$fullmsg" | @grep@ -q ', IBRS_FW'; then
+ 					_debug "ibrs: found IBRS_FW in sysfs"
+ 					[ -z "$ibrs_supported" ] && ibrs_supported='found IBRS_FW in sysfs'
+ 					ibrs_fw_enabled=1
+@@ -3592,13 +3592,13 @@ check_CVE_2017_5715_linux()
+ 				# when IBRS is enabled on 4.15+, we can see it in sysfs
+ 				# on a more recent kernel, classic "IBRS" is not even longer an option, because of the performance impact.
+ 				# only "Enhanced IBRS" is available (on CPUs with the IBRS_ALL flag)
+-				if echo "$fullmsg" | grep -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
++				if echo "$fullmsg" | @grep@ -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
+ 					_debug "ibrs: found IBRS in sysfs"
+ 					[ -z "$ibrs_supported" ] && ibrs_supported='found IBRS in sysfs'
+ 					[ -z "$ibrs_enabled"   ] && ibrs_enabled=3
+ 				fi
+ 				# checking for 'Enhanced IBRS' in sysfs, enabled on CPUs with IBRS_ALL
+-				if echo "$fullmsg" | grep -q -e 'Enhanced IBRS'; then
++				if echo "$fullmsg" | @grep@ -q -e 'Enhanced IBRS'; then
+ 					[ -z "$ibrs_supported" ] && ibrs_supported='found Enhanced IBRS in sysfs'
+ 					# 4 isn't actually a valid value of the now extinct "ibrs_enabled" flag file,
+ 					# that only went from 0 to 3, so we use 4 as "enhanced ibrs is enabled"
+@@ -3617,11 +3617,11 @@ check_CVE_2017_5715_linux()
+ 			fi
+ 		fi
+ 		if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then
+-			if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++			if ! command -v "@strings@" >/dev/null 2>&1; then
+ 				:
+ 			else
+ 				ibrs_can_tell=1
+-				ibrs_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1)
++				ibrs_supported=$("@strings@" "$kernel" | @grep@ -Fw -e ', IBRS_FW' | @head@ -1)
+ 				if [ -n "$ibrs_supported" ]; then
+ 					_debug "ibrs: found ibrs evidence in kernel image ($ibrs_supported)"
+ 					ibrs_supported="found '$ibrs_supported' in kernel image"
+@@ -3630,7 +3630,7 @@ check_CVE_2017_5715_linux()
+ 		fi
+ 		if [ -z "$ibrs_supported" ] && [ -n "$opt_map" ]; then
+ 			ibrs_can_tell=1
+-			if grep -q spec_ctrl "$opt_map"; then
++			if @grep@ -q spec_ctrl "$opt_map"; then
+ 				ibrs_supported="found spec_ctrl in symbols file"
+ 				_debug "ibrs: found '*spec_ctrl*' symbol in $opt_map"
+ 			fi
+@@ -3638,11 +3638,11 @@ check_CVE_2017_5715_linux()
+ 		# recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat
+ 		# we can detect it directly in the image
+ 		if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then
+-			if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++			if ! command -v "@strings@" >/dev/null 2>&1; then
+ 				:
+ 			else
+ 				ibpb_can_tell=1
+-				ibpb_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1)
++				ibpb_supported=$("@strings@" "$kernel" | @grep@ -Fw -e 'ibpb' -e ', IBPB' | @head@ -1)
+ 				if [ -n "$ibpb_supported" ]; then
+ 					_debug "ibpb: found ibpb evidence in kernel image ($ibpb_supported)"
+ 					ibpb_supported="found '$ibpb_supported' in kernel image"
+@@ -3691,9 +3691,9 @@ check_CVE_2017_5715_linux()
+ 					2)	if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel, user space, and firmware code" ; else pstatus green YES "for both kernel and user space"; fi;;
+ 					3)	if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and firmware code"; else pstatus green YES; fi;;
+ 					4)	pstatus green YES "Enhanced flavor, performance impact will be greatly reduced";;
+-					*)	if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ];
+-							then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
+-						else
++					*)	if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ];
++							then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
++						else
+ 							pstatus yellow UNKNOWN; fi;;
+ 				esac
+ 			fi
+@@ -3744,7 +3744,7 @@ check_CVE_2017_5715_linux()
+ 		bp_harden=''
+ 		if [ -r "$opt_config" ]; then
+ 			bp_harden_can_tell=1
+-			bp_harden=$(grep -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
++			bp_harden=$(@grep@ -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
+ 			if [ -n "$bp_harden" ]; then
+ 				pstatus green YES
+ 				_debug "bp_harden: found '$bp_harden' in $opt_config"
+@@ -3752,7 +3752,7 @@ check_CVE_2017_5715_linux()
+ 		fi
+ 		if [ -z "$bp_harden" ] && [ -n "$opt_map" ]; then
+ 			bp_harden_can_tell=1
+-			bp_harden=$(grep -w bp_hardening_data "$opt_map")
++			bp_harden=$(@grep@ -w bp_hardening_data "$opt_map")
+ 			if [ -n "$bp_harden" ]; then
+ 				pstatus green YES
+ 				_debug "bp_harden: found '$bp_harden' in $opt_map"
+@@ -3770,11 +3770,11 @@ check_CVE_2017_5715_linux()
+ 		# We check the RETPOLINE kernel options
+ 		retpoline=0
+ 		if [ -r "$opt_config" ]; then
+-			if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
++			if @grep@ -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
+ 				pstatus green YES
+ 				retpoline=1
+ 				# shellcheck disable=SC2046
+-				_debug 'retpoline: found '$(grep '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
++				_debug 'retpoline: found '$(@grep@ '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
+ 			else
+ 				pstatus yellow NO
+ 			fi
+@@ -3795,8 +3795,8 @@ check_CVE_2017_5715_linux()
+ 			# since 5.15.28, this is now "Retpolines" as the implementation was switched to a generic one,
+ 			# so we look for both "retpoline" and "retpolines"
+ 			if [ "$opt_live" = 1 ] && [ -n "$fullmsg" ]; then
+-				if echo "$fullmsg" | grep -qwi -e retpoline -e retpolines; then
+-					if echo "$fullmsg" | grep -qwi minimal; then
++				if echo "$fullmsg" | @grep@ -qwi -e retpoline -e retpolines; then
++					if echo "$fullmsg" | @grep@ -qwi minimal; then
+ 						retpoline_compiler=0
+ 						retpoline_compiler_reason="kernel reports minimal retpoline compilation"
+ 					else
+@@ -3806,19 +3806,19 @@ check_CVE_2017_5715_linux()
+ 				fi
+ 			elif [ -n "$opt_map" ]; then
+ 				# look for the symbol
+-				if grep -qw noretpoline_setup "$opt_map"; then
++				if @grep@ -qw noretpoline_setup "$opt_map"; then
+ 					retpoline_compiler=1
+ 					retpoline_compiler_reason="noretpoline_setup symbol found in System.map"
+ 				fi
+ 			elif [ -n "$kernel" ]; then
+ 				# look for the symbol
+-				if command -v "${opt_arch_prefix}nm" >/dev/null 2>&1; then
++				if command -v "@nm@" >/dev/null 2>&1; then
+ 					# the proper way: use nm and look for the symbol
+-					if "${opt_arch_prefix}nm" "$kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then
++					if "@nm@" "$kernel" 2>/dev/null | @grep@ -qw 'noretpoline_setup'; then
+ 						retpoline_compiler=1
+ 						retpoline_compiler_reason="noretpoline_setup found in kernel symbols"
+ 					fi
+-				elif grep -q noretpoline_setup "$kernel"; then
++				elif @grep@ -q noretpoline_setup "$kernel"; then
+ 					# if we don't have nm, nevermind, the symbol name is long enough to not have
+ 					# any false positive using good old grep directly on the binary
+ 					retpoline_compiler=1
+@@ -3847,7 +3847,7 @@ check_CVE_2017_5715_linux()
+ 		retp_enabled=-1
+ 		if [ "$opt_live" = 1 ]; then
+ 			if [ -e "$specex_knob_dir/retp_enabled" ]; then
+-				retp_enabled=$(cat "$specex_knob_dir/retp_enabled" 2>/dev/null)
++				retp_enabled=$(@cat@ "$specex_knob_dir/retp_enabled" 2>/dev/null)
+ 				_debug "retpoline: found $specex_knob_dir/retp_enabled=$retp_enabled"
+ 				_info_nol "    * Retpoline is enabled: "
+ 				if [ "$retp_enabled" = 1 ]; then
+@@ -3877,7 +3877,7 @@ check_CVE_2017_5715_linux()
+ 			rsb_filling=0
+ 			if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then
+ 				# if we're live and we aren't denied looking into /sys, let's do it
+-				if echo "$msg" | grep -qw RSB; then
++				if echo "$msg" | @grep@ -qw RSB; then
+ 					rsb_filling=1
+ 					pstatus green YES
+ 				fi
+@@ -3886,7 +3886,7 @@ check_CVE_2017_5715_linux()
+ 				if [ -n "$kernel_err" ]; then
+ 					pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ 				else
+-					if grep -qw -e 'Filling RSB on context switch' "$kernel"; then
++					if @grep@ -qw -e 'Filling RSB on context switch' "$kernel"; then
+ 						rsb_filling=1
+ 						pstatus green YES
+ 					else
+@@ -4048,7 +4048,7 @@ check_CVE_2017_5715_bsd()
+ {
+ 	_info     "* Mitigation 1"
+ 	_info_nol "  * Kernel supports IBRS: "
+-	ibrs_disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null)
++	ibrs_disabled=$(@sysctl@ -n hw.ibrs_disable 2>/dev/null)
+ 	if [ -z "$ibrs_disabled" ]; then
+ 		pstatus yellow NO
+ 	else
+@@ -4056,7 +4056,7 @@ check_CVE_2017_5715_bsd()
+ 	fi
+
+ 	_info_nol "  * IBRS enabled and active: "
+-	ibrs_active=$(sysctl -n hw.ibrs_active 2>/dev/null)
++	ibrs_active=$(@sysctl@ -n hw.ibrs_active 2>/dev/null)
+ 	if [ "$ibrs_active" = 1 ]; then
+ 		pstatus green YES
+ 	else
+@@ -4069,10 +4069,10 @@ check_CVE_2017_5715_bsd()
+ 	if [ -n "$kernel_err" ]; then
+ 		pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ 	else
+-		if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then
++		if ! command -v "@readelf@" >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the binutils package"
+ 		else
+-			nb_thunks=$("${opt_arch_prefix}readelf" -s "$kernel" | grep -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_)
++			nb_thunks=$("@readelf@" -s "$kernel" | @grep@ -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_)
+ 			if [ "$nb_thunks" -gt 0 ]; then
+ 				retpoline=1
+ 				pstatus green YES "found $nb_thunks thunk(s)"
+@@ -4113,7 +4113,7 @@ check_CVE_2017_5715_bsd()
+ pti_performance_check()
+ {
+ 	_info_nol "  * Reduced performance impact of PTI: "
+-	if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw pcid; then
++	if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pcid; then
+ 		cpu_pcid=1
+ 	else
+ 		read_cpuid 0x1 0x0 $ECX 17 1 1; ret=$?
+@@ -4122,7 +4122,7 @@ pti_performance_check()
+ 		fi
+ 	fi
+
+-	if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw invpcid; then
++	if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw invpcid; then
+ 		cpu_invpcid=1
+ 	else
+ 		read_cpuid 0x7 0x0 $EBX 10 1 1; ret=$?
+@@ -4147,7 +4147,7 @@ check_CVE_2017_5754()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2017_5754_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2017_5754_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -4169,7 +4169,7 @@ check_CVE_2017_5754_linux()
+ 		kpti_can_tell=0
+ 		if [ -n "$opt_config" ]; then
+ 			kpti_can_tell=1
+-			kpti_support=$(grep -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
++			kpti_support=$(@grep@ -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
+ 			if [ -n "$kpti_support" ]; then
+ 				_debug "kpti_support: found option '$kpti_support' in $opt_config"
+ 			fi
+@@ -4179,7 +4179,7 @@ check_CVE_2017_5754_linux()
+ 			# so we try to find an exported symbol that is part of the PTI patch in System.map
+ 			# parse_kpti: arm
+ 			kpti_can_tell=1
+-			kpti_support=$(grep -w -e kpti_force_enabled -e parse_kpti "$opt_map")
++			kpti_support=$(@grep@ -w -e kpti_force_enabled -e parse_kpti "$opt_map")
+ 			if [ -n "$kpti_support" ]; then
+ 				_debug "kpti_support: found '$kpti_support' in $opt_map"
+ 			fi
+@@ -4189,10 +4189,10 @@ check_CVE_2017_5754_linux()
+ 			# nopti option that is part of the patch (kernel command line option)
+ 			# 'kpti=': arm
+ 			kpti_can_tell=1
+-			if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++			if ! command -v "@strings@" >/dev/null 2>&1; then
+ 				pstatus yellow UNKNOWN "missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
+ 			else
+-				kpti_support=$("${opt_arch_prefix}strings" "$kernel" | grep -w -e nopti -e kpti=)
++				kpti_support=$("@strings@" "$kernel" | @grep@ -w -e nopti -e kpti=)
+ 				if [ -n "$kpti_support" ]; then
+ 					_debug "kpti_support: found '$kpti_support' in $kernel"
+ 				fi
+@@ -4219,20 +4219,20 @@ check_CVE_2017_5754_linux()
+ 			dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
+ 			# aarch64
+ 			dmesg_grep="$dmesg_grep|CPU features: detected( feature)?: Kernel page table isolation \(KPTI\)"
+-			if grep ^flags "$procfs/cpuinfo" | grep -qw pti; then
++			if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pti; then
+ 				# vanilla PTI patch sets the 'pti' flag in cpuinfo
+ 				_debug "kpti_enabled: found 'pti' flag in $procfs/cpuinfo"
+ 				kpti_enabled=1
+-			elif grep ^flags "$procfs/cpuinfo" | grep -qw kaiser; then
++			elif @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw kaiser; then
+ 				# kernel line 4.9 sets the 'kaiser' flag in cpuinfo
+ 				_debug "kpti_enabled: found 'kaiser' flag in $procfs/cpuinfo"
+ 				kpti_enabled=1
+ 			elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then
+ 				# Red Hat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
+-				kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
++				kpti_enabled=$(@cat@ /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
+ 				_debug "kpti_enabled: file /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled"
+ 			elif is_xen_dom0; then
+-				pti_xen_pv_domU=$(xl dmesg | grep 'XPTI' | grep 'DomU enabled' | head -1)
++				pti_xen_pv_domU=$(xl @dmesg@ | @grep@ 'XPTI' | @grep@ 'DomU enabled' | @head@ -1)
+
+ 				[ -n "$pti_xen_pv_domU" ] && kpti_enabled=1
+ 			fi
+@@ -4307,7 +4307,7 @@ check_CVE_2017_5754_linux()
+ 				if [ -n "$kpti_support" ]; then
+ 					if [ -e "/sys/kernel/debug/x86/pti_enabled" ]; then
+ 						explain "Your kernel supports PTI but it's disabled, you can enable it with \`echo 1 > /sys/kernel/debug/x86/pti_enabled\`"
+-					elif echo "$kernel_cmdline" | grep -q -w -e nopti -e pti=off; then
++					elif echo "$kernel_cmdline" | @grep@ -q -w -e nopti -e pti=off; then
+ 						explain "Your kernel supports PTI but it has been disabled on command-line, remove the nopti or pti=off option from your bootloader configuration"
+ 					else
+ 						explain "Your kernel supports PTI but it has been disabled, check \`dmesg\` right after boot to find clues why the system disabled it"
+@@ -4358,7 +4358,7 @@ check_CVE_2017_5754_linux()
+ check_CVE_2017_5754_bsd()
+ {
+ 	_info_nol "* Kernel supports Page Table Isolation (PTI): "
+-	kpti_enabled=$(sysctl -n vm.pmap.pti 2>/dev/null)
++	kpti_enabled=$(@sysctl@ -n vm.pmap.pti 2>/dev/null)
+ 	if [ -z "$kpti_enabled" ]; then
+ 		pstatus yellow NO
+ 	else
+@@ -4429,7 +4429,7 @@ check_CVE_2018_3639()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2018_3639_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2018_3639_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -4448,33 +4448,33 @@ check_CVE_2018_3639_linux()
+ 	if [ "$opt_sysfs_only" != 1 ]; then
+ 		_info_nol "* Kernel supports disabling speculative store bypass (SSB): "
+ 		if [ "$opt_live" = 1 ]; then
+-			if grep -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then
++			if @grep@ -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then
+ 				kernel_ssb="found in $procfs/self/status"
+ 				_debug "found Speculation.Store.Bypass: in $procfs/self/status"
+ 			fi
+ 		fi
+ 		# arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
+-		if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! grep -q 'arm64_sys_' "$kernel"; then
+-			kernel_ssb=$("${opt_arch_prefix}strings" "$kernel" | grep spec_store_bypass | head -n1);
++		if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! @grep@ -q 'arm64_sys_' "$kernel"; then
++			kernel_ssb=$("@strings@" "$kernel" | @grep@ spec_store_bypass | @head@ -n1);
+ 			[ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in kernel"
+ 		fi
+ 		# arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
+-		if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! grep -q 'arm64_sys_' "$opt_map"; then
+-			kernel_ssb=$(grep spec_store_bypass "$opt_map" | awk '{print $3}' | head -n1)
++		if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! @grep@ -q 'arm64_sys_' "$opt_map"; then
++			kernel_ssb=$(@grep@ spec_store_bypass "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
+ 			[ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
+ 		fi
+ 		# arm64 only:
+ 		if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ]; then
+-			kernel_ssb=$(grep -w cpu_enable_ssbs "$opt_map" | awk '{print $3}' | head -n1)
++			kernel_ssb=$(@grep@ -w cpu_enable_ssbs "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
+ 			[ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
+ 		fi
+ 		if [ -z "$kernel_ssb" ] && [ -n "$opt_config" ]; then
+-			kernel_ssb=$(grep -w 'CONFIG_ARM64_SSBD=y' "$opt_config")
++			kernel_ssb=$(@grep@ -w 'CONFIG_ARM64_SSBD=y' "$opt_config")
+ 			[ -n "$kernel_ssb" ] && kernel_ssb="CONFIG_ARM64_SSBD enabled in kconfig"
+ 		fi
+ 		if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then
+ 			# this string only appears in kernel if CONFIG_ARM64_SSBD is set
+-			kernel_ssb=$(grep -w "Speculative Store Bypassing Safe (SSBS)" "$kernel")
++			kernel_ssb=$(@grep@ -w "Speculative Store Bypassing Safe (SSBS)" "$kernel")
+ 			[ -n "$kernel_ssb" ] && kernel_ssb="found 'Speculative Store Bypassing Safe (SSBS)' in kernel"
+ 		fi
+ 		# /arm64 only
+@@ -4489,31 +4489,31 @@ check_CVE_2018_3639_linux()
+ 		if [ "$opt_live" = 1 ]; then
+ 			# https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340
+ 			_info_nol "* SSB mitigation is enabled and active: "
+-			if grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then
++			if @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then
+ 				kernel_ssbd_enabled=1
+ 				pstatus green YES "per-thread through prctl"
+-			elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then
++			elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then
+ 				kernel_ssbd_enabled=2
+ 				pstatus green YES "global"
+-			elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then
++			elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then
+ 				kernel_ssbd_enabled=0
+ 				pstatus yellow NO
+-			elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then
++			elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then
+ 				kernel_ssbd_enabled=-2
+ 				pstatus blue NO "not vulnerable"
+-			elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then
++			elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then
+ 				kernel_ssbd_enabled=0
+ 				pstatus blue NO
+ 			else
+-				pstatus blue UNKNOWN "unknown value: $(grep -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | cut -d: -f2-)"
++				pstatus blue UNKNOWN "unknown value: $(@grep@ -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | @cut@ -d: -f2-)"
+ 			fi
+
+ 			if [ "$kernel_ssbd_enabled" = 1 ]; then
+ 				_info_nol "* SSB mitigation currently active for selected processes: "
+ 				# silence grep's stderr here to avoid ENOENT errors from processes that have exited since the shell's expansion of the *
+-				mitigated_processes=$(find /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
+-					| xargs -r0 grep -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \
+-					| sed s/status/exe/ | xargs -r -n1 readlink -f 2>/dev/null | xargs -r -n1 basename | sort -u | tr "\n" " " | sed 's/ $//')
++				mitigated_processes=$(@find@ /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
++					| @xargs@ -r0 @grep@ -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \
++					| @sed@ s/status/exe/ | @xargs@ -r -n1 readlink -f 2>/dev/null | @xargs@ -r -n1 @basename@ | @sort@ -u | @tr@ "\n" " " | @sed@ 's/ $//')
+ 				if [ -n "$mitigated_processes" ]; then
+ 					pstatus green YES "$mitigated_processes"
+ 				else
+@@ -4565,7 +4565,7 @@ check_CVE_2018_3639_linux()
+ check_CVE_2018_3639_bsd()
+ {
+ 	_info_nol "* Kernel supports speculation store bypass: "
+-	if sysctl hw.spec_store_bypass_disable >/dev/null 2>&1; then
++	if @sysctl@ hw.spec_store_bypass_disable >/dev/null 2>&1; then
+ 		kernel_ssb=1
+ 		pstatus green YES
+ 	else
+@@ -4574,7 +4574,7 @@ check_CVE_2018_3639_bsd()
+ 	fi
+
+ 	_info_nol "* Speculation store bypass is administratively enabled: "
+-	ssb_enabled=$(sysctl -n hw.spec_store_bypass_disable 2>/dev/null)
++	ssb_enabled=$(@sysctl@ -n hw.spec_store_bypass_disable 2>/dev/null)
+ 	_debug "hw.spec_store_bypass_disable=$ssb_enabled"
+ 	case "$ssb_enabled" in
+ 		0) pstatus yellow NO "disabled";;
+@@ -4584,7 +4584,7 @@ check_CVE_2018_3639_bsd()
+ 	esac
+
+ 	_info_nol "* Speculation store bypass is currently active: "
+-	ssb_active=$(sysctl -n hw.spec_store_bypass_disable_active 2>/dev/null)
++	ssb_active=$(@sysctl@ -n hw.spec_store_bypass_disable_active 2>/dev/null)
+ 	_debug "hw.spec_store_bypass_disable_active=$ssb_active"
+ 	case "$ssb_active" in
+ 		1) pstatus green YES;;
+@@ -4656,7 +4656,7 @@ check_CVE_2018_3620()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2018_3620_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2018_3620_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -4674,14 +4674,14 @@ check_CVE_2018_3620_linux()
+ 	fi
+ 	if [ "$opt_sysfs_only" != 1 ]; then
+ 		_info_nol "* Kernel supports PTE inversion: "
+-		if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++		if ! command -v "@strings@" >/dev/null 2>&1; then
+ 			pstatus yellow UNKNOWN "missing 'strings' tool, please install it"
+ 			pteinv_supported=-1
+ 		elif [ -n "$kernel_err" ]; then
+ 			pstatus yellow UNKNOWN "$kernel_err"
+ 			pteinv_supported=-1
+ 		else
+-			if "${opt_arch_prefix}strings" "$kernel" | grep -Fq 'PTE Inversion'; then
++			if "@strings@" "$kernel" | @grep@ -Fq 'PTE Inversion'; then
+ 				pstatus green YES "found in kernel image"
+ 				_debug "pteinv: found pte inversion evidence in kernel image"
+ 				pteinv_supported=1
+@@ -4694,7 +4694,7 @@ check_CVE_2018_3620_linux()
+ 		_info_nol "* PTE inversion enabled and active: "
+ 		if [ "$opt_live" = 1 ]; then
+ 			if [ -n "$fullmsg" ]; then
+-				if echo "$fullmsg" | grep -q 'Mitigation: PTE Inversion'; then
++				if echo "$fullmsg" | @grep@ -q 'Mitigation: PTE Inversion'; then
+ 					pstatus green YES
+ 					pteinv_active=1
+ 				else
+@@ -4742,7 +4742,7 @@ check_CVE_2018_3620_bsd()
+ 	else
+ 		_debug "vmm module already loaded"
+ 	fi
+-	if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
++	if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
+ 		# https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
+ 		# this is very difficult to detect that the kernel reserved the 0 page, but this fix
+ 		# is part of the exact same patch than the other L1TF CVE, so we detect it
+@@ -4772,7 +4772,7 @@ check_CVE_2018_3646()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2018_3646_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2018_3646_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -4798,7 +4798,7 @@ check_CVE_2018_3646_linux()
+ 		if [ "$opt_live" = 1 ]; then
+ 			if ! [ -r /sys/module/kvm_intel/parameters/ept ]; then
+ 				pstatus blue N/A "the kvm_intel module is not loaded"
+-			elif [ "$(cat /sys/module/kvm_intel/parameters/ept)" = N ]; then
++			elif [ "$(@cat@ /sys/module/kvm_intel/parameters/ept)" = N ]; then
+ 				pstatus green YES
+ 				ept_disabled=1
+ 			else
+@@ -4810,15 +4810,15 @@ check_CVE_2018_3646_linux()
+
+ 		_info "* Mitigation 2"
+ 		_info_nol "  * L1D flush is supported by kernel: "
+-		if [ "$opt_live" = 1 ] && grep -qw flush_l1d "$procfs/cpuinfo"; then
++		if [ "$opt_live" = 1 ] && @grep@ -qw flush_l1d "$procfs/cpuinfo"; then
+ 			l1d_kernel="found flush_l1d in $procfs/cpuinfo"
+ 		fi
+ 		if [ -z "$l1d_kernel" ]; then
+-			if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++			if ! command -v "@strings@" >/dev/null 2>&1; then
+ 				l1d_kernel_err="missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
+ 			elif [ -n "$kernel_err" ]; then
+ 				l1d_kernel_err="$kernel_err"
+-			elif "${opt_arch_prefix}strings" "$kernel" | grep -qw flush_l1d; then
++			elif "@strings@" "$kernel" | @grep@ -qw flush_l1d; then
+ 				l1d_kernel='found flush_l1d in kernel image'
+ 			fi
+ 		fi
+@@ -4839,20 +4839,20 @@ check_CVE_2018_3646_linux()
+ 				# $l1dstatus is one of (auto|vulnerable|conditional cache flushes|cache flushes|EPT disabled|flush not necessary)
+ 				# $smtstatus is one of (vulnerable|disabled)
+ 				# can also just be "Not affected"
+-				if echo "$fullmsg" | grep -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then
++				if echo "$fullmsg" | @grep@ -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then
+ 					l1d_mode=0
+ 					pstatus yellow NO
+-				elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) conditional cache flushes'; then
++				elif echo "$fullmsg" | @grep@ -Eq '(VMX:|L1D) conditional cache flushes'; then
+ 					l1d_mode=1
+ 					pstatus green YES "conditional flushes"
+-				elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) cache flushes'; then
++				elif echo "$fullmsg" | @grep@ -Eq '(VMX:|L1D) cache flushes'; then
+ 					l1d_mode=2
+ 					pstatus green YES "unconditional flushes"
+ 				else
+ 					if is_xen_dom0; then
+-						l1d_xen_hardware=$(xl dmesg | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -1)
+-						l1d_xen_hypervisor=$(xl dmesg | grep 'Xen settings:' | grep 'L1D_FLUSH' | head -1)
+-						l1d_xen_pv_domU=$(xl dmesg | grep 'PV L1TF shadowing:' | grep 'DomU enabled' | head -1)
++						l1d_xen_hardware=$(xl @dmesg@ | @grep@ 'Hardware features:' | @grep@ 'L1D_FLUSH' | @head@ -1)
++						l1d_xen_hypervisor=$(xl @dmesg@ | @grep@ 'Xen settings:' | @grep@ 'L1D_FLUSH' | @head@ -1)
++						l1d_xen_pv_domU=$(xl @dmesg@ | @grep@ 'PV L1TF shadowing:' | @grep@ 'DomU enabled' | @head@ -1)
+
+ 						if [ -n "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n "$l1d_xen_pv_domU" ]; then
+ 							l1d_mode=5
+@@ -4883,7 +4883,7 @@ check_CVE_2018_3646_linux()
+
+ 		_info_nol "  * Hardware-backed L1D flush supported: "
+ 		if [ "$opt_live" = 1 ]; then
+-			if grep -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then
++			if @grep@ -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then
+ 				pstatus green YES "performance impact of the mitigation will be greatly reduced"
+ 			else
+ 				pstatus blue NO "flush will be done in software, this is slower"
+@@ -4955,7 +4955,7 @@ check_CVE_2018_3646_linux()
+ check_CVE_2018_3646_bsd()
+ {
+ 	_info_nol "* Kernel supports L1D flushing: "
+-	if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
++	if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
+ 		pstatus green YES
+ 		kernel_l1d_supported=1
+ 	else
+@@ -4964,7 +4964,7 @@ check_CVE_2018_3646_bsd()
+ 	fi
+
+ 	_info_nol "* L1D flushing is enabled: "
+-	kernel_l1d_enabled=$(sysctl -n hw.vmm.vmx.l1d_flush 2>/dev/null)
++	kernel_l1d_enabled=$(@sysctl@ -n hw.vmm.vmx.l1d_flush 2>/dev/null)
+ 	case "$kernel_l1d_enabled" in
+ 		0) pstatus yellow NO;;
+ 		1) pstatus green YES;;
+@@ -5018,7 +5018,7 @@ check_CVE_2018_12127()
+ ###################
+ # MDSUM SECTION
+
+-# Microarchitectural Data Sampling Uncacheable Memory
++# Microarchitectural Data Sampling Uncacheable Memory
+ check_CVE_2019_11091()
+ {
+ 	cve='CVE-2019-11091'
+@@ -5032,7 +5032,7 @@ check_mds()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_mds_linux "$cve"
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_mds_bsd "$cve"
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -5043,7 +5043,7 @@ check_mds_bsd()
+ {
+ 	_info_nol "* Kernel supports using MD_CLEAR mitigation: "
+ 	if [ "$opt_live" = 1 ]; then
+-		if sysctl hw.mds_disable >/dev/null 2>&1; then
++		if @sysctl@ hw.mds_disable >/dev/null 2>&1; then
+ 			pstatus green YES
+ 			kernel_md_clear=1
+ 		else
+@@ -5051,7 +5051,7 @@ check_mds_bsd()
+ 			kernel_md_clear=0
+ 		fi
+ 	else
+-		if grep -Fq hw.mds_disable $opt_kernel; then
++		if @grep@ -Fq hw.mds_disable $opt_kernel; then
+ 			pstatus green YES
+ 			kernel_md_clear=1
+ 		else
+@@ -5061,8 +5061,8 @@ check_mds_bsd()
+ 	fi
+
+ 	_info_nol "* CPU Hyper-Threading (SMT) is disabled: "
+-	if sysctl machdep.hyperthreading_allowed >/dev/null 2>&1; then
+-		kernel_smt_allowed=$(sysctl -n machdep.hyperthreading_allowed 2>/dev/null)
++	if @sysctl@ machdep.hyperthreading_allowed >/dev/null 2>&1; then
++		kernel_smt_allowed=$(@sysctl@ -n machdep.hyperthreading_allowed 2>/dev/null)
+ 		if [ "$kernel_smt_allowed" = 1 ]; then
+ 			pstatus yellow NO
+ 		else
+@@ -5074,7 +5074,7 @@ check_mds_bsd()
+
+ 	_info_nol "* Kernel mitigation is enabled: "
+ 	if [ "$kernel_md_clear" = 1 ]; then
+-		kernel_mds_enabled=$(sysctl -n hw.mds_disable 2>/dev/null)
++		kernel_mds_enabled=$(@sysctl@ -n hw.mds_disable 2>/dev/null)
+ 	else
+ 		kernel_mds_enabled=0
+ 	fi
+@@ -5088,7 +5088,7 @@ check_mds_bsd()
+
+ 	_info_nol "* Kernel mitigation is active: "
+ 	if [ "$kernel_md_clear" = 1 ]; then
+-		kernel_mds_state=$(sysctl -n hw.mds_disable_state 2>/dev/null)
++		kernel_mds_state=$(@sysctl@ -n hw.mds_disable_state 2>/dev/null)
+ 	else
+ 		kernel_mds_state=inactive
+ 	fi
+@@ -5146,16 +5146,16 @@ check_mds_linux()
+ 		_info_nol "* Kernel supports using MD_CLEAR mitigation: "
+ 		kernel_md_clear=''
+ 		kernel_md_clear_can_tell=1
+-		if [ "$opt_live" = 1 ] && grep ^flags "$procfs/cpuinfo" | grep -qw md_clear; then
++		if [ "$opt_live" = 1 ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw md_clear; then
+ 			kernel_md_clear="md_clear found in $procfs/cpuinfo"
+ 			pstatus green YES "$kernel_md_clear"
+ 		fi
+ 		if [ -z "$kernel_md_clear" ]; then
+-			if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++			if ! command -v "@strings@" >/dev/null 2>&1; then
+ 				kernel_md_clear_can_tell=0
+ 			elif [ -n "$kernel_err" ]; then
+ 				kernel_md_clear_can_tell=0
+-			elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'Clear CPU buffers'; then
++			elif "@strings@" "$kernel" | @grep@ -q 'Clear CPU buffers'; then
+ 				_debug "md_clear: found 'Clear CPU buffers' string in kernel image"
+ 				kernel_md_clear='found md_clear implementation evidence in kernel image'
+ 				pstatus green YES "$kernel_md_clear"
+@@ -5171,7 +5171,7 @@ check_mds_linux()
+
+ 		if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then
+ 			_info_nol "* Kernel mitigation is enabled and active: "
+-			if echo "$fullmsg" | grep -qi ^mitigation; then
++			if echo "$fullmsg" | @grep@ -qi ^mitigation; then
+ 				mds_mitigated=1
+ 				pstatus green YES
+ 			else
+@@ -5179,7 +5179,7 @@ check_mds_linux()
+ 				pstatus yellow NO
+ 			fi
+ 			_info_nol "* SMT is either mitigated or disabled: "
+-			if echo "$fullmsg" | grep -Eq 'SMT (disabled|mitigated)'; then
++			if echo "$fullmsg" | @grep@ -Eq 'SMT (disabled|mitigated)'; then
+ 				mds_smt_mitigated=1
+ 				pstatus green YES
+ 			else
+@@ -5265,7 +5265,7 @@ check_CVE_2019_11135()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2019_11135_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2019_11135_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -5286,7 +5286,7 @@ check_CVE_2019_11135_linux()
+ 		kernel_taa=''
+ 		if [ -n "$kernel_err" ]; then
+ 			kernel_taa_err="$kernel_err"
+-		elif grep -q 'tsx_async_abort' "$kernel"; then
++		elif @grep@ -q 'tsx_async_abort' "$kernel"; then
+ 			kernel_taa="found tsx_async_abort in kernel image"
+ 		fi
+ 		if [ -n "$kernel_taa" ]; then
+@@ -5300,7 +5300,7 @@ check_CVE_2019_11135_linux()
+ 		_info_nol "* TAA mitigation enabled and active: "
+ 		if [ "$opt_live" = 1 ]; then
+ 			if [ -n "$fullmsg" ]; then
+-				if echo "$fullmsg" | grep -qE '^Mitigation'; then
++				if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then
+ 					pstatus green YES "$fullmsg"
+ 				else
+ 					pstatus yellow NO
+@@ -5335,9 +5335,9 @@ check_CVE_2019_11135_linux()
+ 	else
+ 		if [ "$opt_paranoid" = 1 ]; then
+ 			# in paranoid mode, TSX or SMT enabled are not OK, even if TAA is mitigated
+-			if ! echo "$fullmsg" | grep -qF 'TSX disabled'; then
++			if ! echo "$fullmsg" | @grep@ -qF 'TSX disabled'; then
+ 				pvulnstatus $cve VULN "TSX must be disabled for full mitigation"
+-			elif echo "$fullmsg" | grep -qF 'SMT vulnerable'; then
++			elif echo "$fullmsg" | @grep@ -qF 'SMT vulnerable'; then
+ 				pvulnstatus $cve VULN "SMT (HyperThreading) must be disabled for full mitigation"
+ 			else
+ 				pvulnstatus $cve "$status" "$msg"
+@@ -5367,7 +5367,7 @@ check_CVE_2018_12207()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2018_12207_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2018_12207_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -5391,7 +5391,7 @@ check_CVE_2018_12207_linux()
+ 		if [ -n "$kernel_err" ]; then
+ 			kernel_itlbmh_err="$kernel_err"
+ 		# commit 5219505fcbb640e273a0d51c19c38de0100ec5a9
+-		elif grep -q 'itlb_multihit' "$kernel"; then
++		elif @grep@ -q 'itlb_multihit' "$kernel"; then
+ 			kernel_itlbmh="found itlb_multihit in kernel image"
+ 		fi
+ 		if [ -n "$kernel_itlbmh" ]; then
+@@ -5405,7 +5405,7 @@ check_CVE_2018_12207_linux()
+ 		_info_nol "* iTLB Multihit mitigation enabled and active: "
+ 		if [ "$opt_live" = 1 ]; then
+ 			if [ -n "$fullmsg" ]; then
+-				if echo "$fullmsg" | grep -qF 'Mitigation'; then
++				if echo "$fullmsg" | @grep@ -qF 'Mitigation'; then
+ 					pstatus green YES "$fullmsg"
+ 				else
+ 					pstatus yellow NO
+@@ -5447,7 +5447,7 @@ check_CVE_2018_12207_linux()
+ check_CVE_2018_12207_bsd()
+ {
+ 	_info_nol "* Kernel supports disabling superpages for executable mappings under EPT: "
+-	kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept 2>/dev/null)
++	kernel_2m_x_ept=$(@sysctl@ -n vm.pmap.allow_2m_x_ept 2>/dev/null)
+ 	if [ -z "$kernel_2m_x_ept" ]; then
+ 		pstatus yellow NO
+ 	else
+@@ -5484,7 +5484,7 @@ check_CVE_2020_0543()
+ 	_info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ 	if [ "$os" = Linux ]; then
+ 		check_CVE_2020_0543_linux
+-	elif echo "$os" | grep -q BSD; then
++	elif echo "$os" | @grep@ -q BSD; then
+ 		check_CVE_2020_0543_bsd
+ 	else
+ 		_warn "Unsupported OS ($os)"
+@@ -5505,7 +5505,7 @@ check_CVE_2020_0543_linux()
+ 		kernel_srbds=''
+ 		if [ -n "$kernel_err" ]; then
+ 			kernel_srbds_err="$kernel_err"
+-		elif grep -q 'Dependent on hypervisor' "$kernel"; then
++		elif @grep@ -q 'Dependent on hypervisor' "$kernel"; then
+ 			kernel_srbds="found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation"
+ 		fi
+ 		if [ -n "$kernel_srbds" ]; then
+@@ -5518,7 +5518,7 @@ check_CVE_2020_0543_linux()
+ 		_info_nol "* SRBDS mitigation control is enabled and active: "
+ 		if [ "$opt_live" = 1 ]; then
+ 			if [ -n "$fullmsg" ]; then
+-				if echo "$fullmsg" | grep -qE '^Mitigation'; then
++				if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then
+ 					pstatus green YES "$fullmsg"
+ 				else
+ 					pstatus yellow NO
+@@ -5608,8 +5608,8 @@ fi
+ # now run the checks the user asked for
+ for cve in $supported_cve_list
+ do
+-	if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | grep -qw "$cve"; then
+-		check_"$(echo "$cve" | tr - _)"
++	if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | @grep@ -qw "$cve"; then
++		check_"$(echo "$cve" | @tr@ - _)"
+ 		_info
+ 	fi
+ done
+@@ -5623,17 +5623,17 @@ if [ "$bad_accuracy" = 1 ]; then
+ 	_warn "We're missing some kernel info (see -v), accuracy might be reduced"
+ fi
+
+-_vars=$(set | grep -Ev '^[A-Z_[:space:]]' | grep -v -F 'mockme=' | sort | tr "\n" '|')
++_vars=$(set | @grep@ -Ev '^[A-Z_[:space:]]' | @grep@ -v -F 'mockme=' | @sort@ | @tr@ "\n" '|')
+ _debug "variables at end of script: $_vars"
+
+ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
+-	if command -v "gzip" >/dev/null 2>&1; then
++	if command -v "@gzip@" >/dev/null 2>&1; then
+ 		# not a useless use of cat: gzipping cpuinfo directly doesn't work well
+ 		# shellcheck disable=SC2002
+-		if command -v "base64" >/dev/null 2>&1; then
+-			mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | base64 -w0)"
+-		elif command -v "uuencode" >/dev/null 2>&1; then
+-			mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | uuencode -m - | grep -Fv 'begin-base64' | grep -Fxv -- '====' | tr -d "\n")"
++		if command -v "@base64@" >/dev/null 2>&1; then
++			mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @base64@ -w0)"
++		elif command -v "@uuencode@" >/dev/null 2>&1; then
++			mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @uuencode@ -m - | @grep@ -Fv 'begin-base64' | @grep@ -Fxv -- '====' | @tr@ -d "\n")"
+ 		fi
+ 	fi
+ 	if [ -n "$mock_cpuinfo" ]; then
+@@ -5642,7 +5642,7 @@ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
+ 	fi
+ 	_info ""
+ 	# shellcheck disable=SC2046
+-	_warn "To mock this CPU, set those vars: "$(echo "$mockme" | sort -u)
++	_warn "To mock this CPU, set those vars: "$(echo "$mockme" | @sort@ -u)
+ fi
+
+ if [ "$opt_explain" = 0 ]; then
+--
+2.38.1
+
diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
new file mode 100644
index 0000000000..afec52b418
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
@@ -0,0 +1,26 @@
+From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 5 Nov 2022 23:22:31 +0800
+Subject: [PATCH] Add support for Guix System kernel.
+
+---
+ spectre-meltdown-checker.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 248a444..855a090 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
+ 		[ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
+ 		# NixOS:
+ 		[ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
++		# Guix System:
++		[ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ 		# systemd kernel-install:
+ 		[ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
+ 		# Clear Linux:
+
+base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
+--
+2.38.0

base-commit: 2757de2e2b271d87f6f72ba4161c2225fbdc9e78
--
2.38.1




^ permalink raw reply related	[flat|nested] 12+ messages in thread

* [bug#59053] [PATCH v4] gnu: Add spectre-meltdown-checker.
  2022-11-12 15:15               ` [bug#59053] [PATCH v4] " Hilton Chain via Guix-patches via
@ 2022-11-12 16:58                 ` Liliana Marie Prikler
  2022-11-13 13:09                   ` [bug#59053] [PATCH v5] " Hilton Chain via Guix-patches via
  0 siblings, 1 reply; 12+ messages in thread
From: Liliana Marie Prikler @ 2022-11-12 16:58 UTC (permalink / raw)
  To: Hilton Chain; +Cc: 59053

Am Samstag, dem 12.11.2022 um 23:15 +0800 schrieb Hilton Chain:
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-
> substitution.patch:
> New file.
> * gnu/local.mk (dist_patch_DATA): Add patches.
> ---
> v3 -> v4:
> 1. Remove downloading function.
> 2. Add option for supplying a local database.
> 
>  gnu/local.mk                                  |    3 +
>  gnu/packages/linux.scm                        |   54 +
>  ...ker-remove-builtin-firmware-database.patch |  243 +++
>  ...cker-stage-commands-for-substitution.patch | 1849
> +++++++++++++++++
>  ...n-checker-support-guix-system-kernel.patch |   26 +
>  5 files changed, 2175 insertions(+)
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> remove-builtin-firmware-database.patch
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> stage-commands-for-substitution.patch
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
> 
> diff --git a/gnu/local.mk b/gnu/local.mk
> index e3e02314bb..46b299d0d6 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1857,6 +1857,9 @@ dist_patch_DATA
> =                                         \
>    %D%/packages/patches/syslinux-strip-gnu-property.patch       \
>    %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch      \
>    %D%/packages/patches/snappy-add-inline-for-GCC.patch         \
> +  %D%/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch \
> +  %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-
> substitution.patch \
> +  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
>    %D%/packages/patches/sphinxbase-fix-doxygen.patch            \
>    %D%/packages/patches/spice-vdagent-glib-2.68.patch           \
>    %D%/packages/patches/sssd-optional-systemd.patch             \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index fea33dfa0b..1807fd5655 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9595,3 +9595,57 @@ (define-public edac-utils
>  error detection and correction (EDAC).")
>      (home-page "https://github.com/grondo/edac-utils")
>      (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> +  (package
> +    (name "spectre-meltdown-checker")
> +    (version "0.45")
> +    (source (origin
> +              (method git-fetch)
> +              (uri (git-reference
> +                    (url
> "https://github.com/speed47/spectre-meltdown-checker")
> +                    (commit (string-append "v" version))))
> +              (file-name (git-file-name name version))
> +              (patches
> +               (search-patches
> +                ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> +                "spectre-meltdown-checker-support-guix-system-
> kernel.patch"
> +                ;; NOTE: Update these patches when updating.
> +                "spectre-meltdown-checker-remove-builtin-firmware-
> database.patch"
Is this comment still needed?
> +                "spectre-meltdown-checker-stage-commands-for-
> substitution.patch"))
> +              ;; Remove builtin firmware database.
> +              (modules '((guix build utils)))
> +              (snippet '(substitute* "spectre-meltdown-checker.sh"
> +                          (("^# [AI],.*") "")))
> +              (sha256
> +               (base32
> +               
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> +    (build-system copy-build-system)
> +    (arguments
> +     (list #:install-plan
> +           #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> +           #:phases
> +           #~(modify-phases %standard-phases
> +               (add-after 'unpack 'fixpath
> +                 (lambda* (#:key inputs #:allow-other-keys)
> +                   (substitute* "spectre-meltdown-checker.sh"
> +                     (("@sysctl@") (search-input-file inputs
> "/sbin/sysctl"))
> +                     (("@([a-z0-9]*)@" _ command _)
> +                      (search-input-file
> +                       inputs (string-append "/bin/"
> command)))))))))
> +    (inputs
> +     (list kmod
> +           lz4
> +           lzop
> +           perl
> +           procps
> +           sharutils
> +           util-linux
> +           zstd))
> +    (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> +    (synopsis "CPU vulnerability / mitigation checker")
> +    (description
> +     "This package provides a shell script to assess your system's
> resilience
> +against the several transient execution CVEs that were published
> since early
> +2018, and give you guidance as to how to mitigate them.")
> +    (license license:gpl3)))
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-
> builtin-firmware-database.patch b/gnu/packages/patches/spectre-
> meltdown-checker-remove-builtin-firmware-database.patch
> new file mode 100644
> index 0000000000..888bb0c2b1
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch
> @@ -0,0 +1,243 @@
> +From a3a9b7ca93071393e6bfd999fedd737009718aab Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Sat, 12 Nov 2022 22:45:24 +0800
> +Subject: [PATCH 1/2] Remove builtin firmware database.
> +
> +1. Remove downloading function.
> +2. Add option for supplying a local database.
> +---
> + spectre-meltdown-checker.sh | 180 +++------------------------------
> ---
> + 1 file changed, 15 insertions(+), 165 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 30f760c..ce46970 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -22,8 +22,6 @@ exit_cleanup()
> +       [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm
> -f "$dumped_config"
> +       [ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && rm
> -f "$kerneltmp"
> +       [ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] && rm
> -f "$kerneltmp2"
> +-      [ -n "${mcedb_tmp:-}"     ] && [ -f "$mcedb_tmp"     ] && rm
> -f "$mcedb_tmp"
> +-      [ -n "${intel_tmp:-}"     ] && [ -d "$intel_tmp"     ] && rm
> -rf "$intel_tmp"
> +       [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug
> 2>/dev/null
> +       [ "${mounted_procfs:-}"  = 1 ] && umount "$procfs"
> 2>/dev/null
> +       [ "${insmod_cpuid:-}"    = 1 ] && rmmod cpuid 2>/dev/null
> +@@ -93,9 +91,7 @@ show_usage()
> +               --vmm [auto,yes,no]     override the detection of the
> presence of a hypervisor, default: auto
> +               --allow-msr-write       allow probing for write-only
> MSRs, this might produce kernel logs or be blocked by your system
> +               --cpu [#,all]           interact with CPUID and MSR
> of CPU core number #, or all (default: CPU core 0)
> +-              --update-fwdb           update our local copy of the
> CPU microcodes versions database (using the awesome
> +-                                      MCExtractor project and the
> Intel firmwares GitHub repository)
> +-              --update-builtin-fwdb   same as --update-fwdb but
> update builtin DB inside the script itself
> ++              --with-fwdb FILE        supply the CPU microcodes
> versions database
> +               --dump-mock-data        used to mimick a CPU on an
> other system, mainly used to help debugging this script
> +
> +       Return codes:
> +@@ -837,147 +833,6 @@ show_header()
> +       _info
> + }
> +
> +-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
> +-mcedb_cache="$HOME/.mcedb"
> +-update_fwdb()
> +-{
> +-      show_header
> +-
> +-      set -e
> +-
> +-      if [ -r "$mcedb_cache" ]; then
> +-              previous_dbversion=$(awk '/^# %%% MCEDB / { print $4
> }' "$mcedb_cache")
> +-      fi
> +-
> +-      # first, download the MCE.db from the excellent platomav's
> MCExtractor project
> +-      mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
> +-
>       mcedb_url='https://github.com/platomav/MCExtractor/raw/master/M
> CE.db'
> +-      _info_nol "Fetching MCE.db from the MCExtractor project... "
> +-      if command -v wget >/dev/null 2>&1; then
> +-              wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
> +-      elif command -v curl >/dev/null 2>&1; then
> +-              curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
> +-      elif command -v fetch >/dev/null 2>&1; then
> +-              fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
> +-      else
> +-              echo ERROR "please install one of \`wget\`, \`curl\`
> of \`fetch\` programs"
> +-              return 1
> +-      fi
> +-      if [ "$ret" != 0 ]; then
> +-              echo ERROR "error $ret while downloading MCE.db"
> +-              return $ret
> +-      fi
> +-      echo DONE
> +-
> +-      # second, get the Intel firmwares from GitHub
> +-      intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
> +-
>       intel_url="https://github.com/intel/Intel-Linux-Processor-Micro
> code-Data-Files/archive/main.zip"
> +-      _info_nol "Fetching Intel firmwares... "
> +-      ##
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
> +-      if command -v wget >/dev/null 2>&1; then
> +-              wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
> +-      elif command -v curl >/dev/null 2>&1; then
> +-              curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
> +-      elif command -v fetch >/dev/null 2>&1; then
> +-              fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
> +-      else
> +-              echo ERROR "please install one of \`wget\`, \`curl\`
> of \`fetch\` programs"
> +-              return 1
> +-      fi
> +-      if [ "$ret" != 0 ]; then
> +-              echo ERROR "error $ret while downloading Intel
> firmwares"
> +-              return $ret
> +-      fi
> +-      echo DONE
> +-
> +-      # now extract MCEdb contents using sqlite
> +-      _info_nol "Extracting MCEdb data... "
> +-      if ! command -v sqlite3 >/dev/null 2>&1; then
> +-              echo ERROR "please install the \`sqlite3\` program"
> +-              return 1
> +-      fi
> +-      mcedb_revision=$(sqlite3 "$mcedb_tmp" "select revision from
> MCE")
> +-      if [ -z "$mcedb_revision" ]; then
> +-              echo ERROR "downloaded file seems invalid"
> +-              return 1
> +-      fi
> +-      sqlite3 "$mcedb_tmp" "alter table Intel add column origin
> text"
> +-      sqlite3 "$mcedb_tmp" "update Intel set origin='mce'"
> +-
> +-      echo OK "MCExtractor database revision $mcedb_revision"
> +-
> +-      # parse Intel firmwares to get their versions
> +-      _info_nol "Integrating Intel firmwares data to db... "
> +-      if ! command -v unzip >/dev/null 2>&1; then
> +-              echo ERROR "please install the \`unzip\` program"
> +-              return 1
> +-      fi
> +-      ( cd "$intel_tmp" && unzip fw.zip >/dev/null; )
> +-      if ! [ -d "$intel_tmp/Intel-Linux-Processor-Microcode-Data-
> Files-main/intel-ucode" ]; then
> +-              echo ERROR "expected the 'intel-ucode' folder in the
> downloaded zip file"
> +-              return 1
> +-      fi
> +-
> +-      if ! command -v iucode_tool >/dev/null 2>&1; then
> +-              if ! command -v iucode-tool >/dev/null 2>&1; then
> +-                      echo ERROR "please install the \`iucode-
> tool\` program"
> +-                      return 1
> +-              else
> +-                      iucode_tool="iucode-tool"
> +-              fi
> +-      else
> +-              iucode_tool="iucode_tool"
> +-      fi
> +-      #  079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev
> 0x0217, size 5120
> +-      #  078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev
> 0x0107, size 5120
> +-      $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-
> Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
> +-      do
> +-              _line=$(   echo "$_line" | tr -d ',')
> +-              _cpuid=$(  echo "$_line" | awk '{print $3}')
> +-              _cpuid=$(( _cpuid ))
> +-              _cpuid=$(printf "0x%08X" "$_cpuid")
> +-              _date=$(   echo "$_line" | awk '{print $6}' | tr -d
> '-')
> +-              _version=$(echo "$_line" | awk '{print $8}')
> +-              _version=$(( _version ))
> +-              _version=$(printf "0x%08X" "$_version")
> +-              _sqlstm="$(printf "INSERT INTO Intel
> (origin,cpuid,version,yyyymmdd) VALUES
> (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")"
> "$(printf "%08X" "$_version")" "$_date")"
> +-              sqlite3 "$mcedb_tmp" "$_sqlstm"
> +-      done
> +-      _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-
> Processor-Microcode-Data-Files-main/license" 2>/dev/null)
> +-      if [ -n "$_intel_timestamp" ]; then
> +-              # use this date, it matches the last commit date
> +-              _intel_latest_date=$(date +%Y%m%d -d
> @"$_intel_timestamp")
> +-      else
> +-              echo "Falling back to the latest microcode date"
> +-              _intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT
> yyyymmdd from Intel WHERE origin = 'intel' ORDER BY yyyymmdd DESC
> LIMIT 1;")
> +-      fi
> +-      echo DONE "(version $_intel_latest_date)"
> +-
> +-      dbversion="$mcedb_revision+i$_intel_latest_date"
> +-
> +-      if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [
> "$previous_dbversion" = "v$dbversion" ]; then
> +-              echo "We already have this version locally, no update
> needed"
> +-              return 0
> +-      fi
> +-
> +-      _info_nol "Building local database... "
> +-      {
> +-              echo "# Spectre & Meltdown Checker";
> +-              echo "# %%% MCEDB v$dbversion";
> +-              sqlite3 "$mcedb_tmp" "SELECT '#
> I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel
> AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND
> t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid
> ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
> +-              sqlite3 "$mcedb_tmp" "SELECT '#
> A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD  
> AS t1 LEFT OUTER JOIN AMD   AS t2 ON t2.cpuid=t1.cpuid AND
> t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid
> ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
> +-      } > "$mcedb_cache"
> +-      echo DONE "(version $dbversion)"
> +-
> +-      if [ "$1" = builtin ]; then
> +-              newfile=$(mktemp -t smc-builtin-XXXXXX)
> +-              awk '/^# %%% MCEDB / { exit }; { print }' "$0" >
> "$newfile"
> +-              awk '{ if (NR>1) { print } }' "$mcedb_cache" >>
> "$newfile"
> +-              cat "$newfile" > "$0"
> +-              rm -f "$newfile"
> +-      fi
> +-}
> +-
> + parse_opt_file()
> + {
> +       # parse_opt_file option_name option_value
> +@@ -1067,12 +922,15 @@ while [ -n "${1:-}" ]; do
> +               # deprecated, kept for compatibility
> +               opt_explain=0
> +               shift
> +-      elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb"
> ]; then
> +-              update_fwdb
> +-              exit $?
> +-      elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--
> update-builtin-mcedb" ]; then
> +-              update_fwdb builtin
> +-              exit $?
> ++      elif [ "$1" = "--with-fwdb" ] || [ "$1" = "--with-mcedb" ];
> then
> ++              opt_fwdb=$2
> ++              if [ -f "$opt_fwdb" ]; then
> ++                      mcedb_cache=$2
> ++              else
> ++                      echo "$0: error: --with-fwdb should be a
> file, got '$opt_fwdb'" >&2
> ++                      exit 255
> ++              fi
> ++              shift 2
> +       elif [ "$1" = "--dump-mock-data" ]; then
> +               opt_mock=1
> +               shift
> +@@ -2033,21 +1891,11 @@ is_xen_domU()
> +       fi
> + }
> +
> +-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
> + if [ -r "$mcedb_cache" ]; then
> +       # we have a local cache file, but it might be older than the
> builtin version we have
> +       local_dbversion=$(  awk '/^# %%% MCEDB / { print $4 }'
> "$mcedb_cache")
> +-      # sort -V sorts by version number
> +-      older_dbversion=$(printf "%b\n%b" "$local_dbversion"
> "$builtin_dbversion" | sort -V | head -n1)
> +-      if [ "$older_dbversion" = "$builtin_dbversion" ]; then
> +-              mcedb_source="$mcedb_cache"
> +-              mcedb_info="local firmwares DB $local_dbversion"
> +-      fi
> +-fi
> +-# if mcedb_source is not set, either we don't have a local cached
> db, or it is older than the builtin db
> +-if [ -z "${mcedb_source:-}" ]; then
> +-      mcedb_source="$0"
> +-      mcedb_info="builtin firmwares DB $builtin_dbversion"
> ++      mcedb_source="$mcedb_cache"
> ++      mcedb_info="local firmwares DB $local_dbversion"
> + fi
> + read_mcedb()
> + {
> +@@ -2063,7 +1911,9 @@ is_latest_known_ucode()
> +               return 2
> +       fi
> +       ucode_latest="latest microcode version for your CPU model is
> unknown"
> +-      if is_intel; then
> ++      if [ -z "$mcedb_source" ]; then
> ++              return 2
> ++      elif is_intel; then
> +               cpu_brand_prefix=I
> +       elif is_amd; then
> +               cpu_brand_prefix=A
> +--
> +2.38.1
> +
LGTM.
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage-
> commands-for-substitution.patch b/gnu/packages/patches/spectre-
> meltdown-checker-stage-commands-for-substitution.patch
> new file mode 100644
> index 0000000000..a8e7531f32
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-
> for-substitution.patch
> @@ -0,0 +1,1849 @@
> +From 1d79c223d5dc114f63da2c5061d2c713d8a05687 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Fri, 11 Nov 2022 18:49:50 +0800
> +Subject: [PATCH 2/2] Stage commands for later substitution.
> +
> +awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find,
> grep,
> +gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm,
> nproc,
> +objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat,
> strings,
> +sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, xargs.
> +---
I think it'd better to provide a little more information in the patch
note, e.g. "The following commands are taken from the environment and
thus need to be substituted:
- awk
- base64
- basename
- ...
The following are shell built-ins and can remain as is
- command
- echo
- ..."

By the way, I feel like it'd be an improvement to crank down on the
number of context lines or translate this into an equivalent
substitute*, i.e.
(substitute* "spectre-meltdown-checker.sh"
  (("\\<(awk|base64|...)\\>" all cmd)
   (find-command inputs cmd))
  (("\\<(gzip|gunzip|...)\\>" all cmd)
   (find-command inputs cmd))
  ...)

where 
(define* (find-command inputs cmd #:optional (bin "bin"))
  (search-input-file inputs (string-append bin "/" cmd)))
 
> + spectre-meltdown-checker.sh | 606 ++++++++++++++++++---------------
> ---
> + 1 file changed, 303 insertions(+), 303 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index ce46970..4889ebb 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -19,31 +19,31 @@ trap '_warn "interrupted, cleaning up...";
> exit_cleanup; exit 1' INT
> + exit_cleanup()
> + {
> +       # cleanup the temp decompressed config & kernel image
> +-      [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm
> -f "$dumped_config"
> +-      [ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && rm
> -f "$kerneltmp"
> +-      [ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] && rm
> -f "$kerneltmp2"
> +-      [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug
> 2>/dev/null
> +-      [ "${mounted_procfs:-}"  = 1 ] && umount "$procfs"
> 2>/dev/null
> +-      [ "${insmod_cpuid:-}"    = 1 ] && rmmod cpuid 2>/dev/null
> +-      [ "${insmod_msr:-}"      = 1 ] && rmmod msr 2>/dev/null
> ++      [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] &&
> @rm@ -f "$dumped_config"
> ++      [ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] &&
> @rm@ -f "$kerneltmp"
> ++      [ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] &&
> @rm@ -f "$kerneltmp2"
> ++      [ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug
> 2>/dev/null
> ++      [ "${mounted_procfs:-}"  = 1 ] && @umount@ "$procfs"
> 2>/dev/null
> ++      [ "${insmod_cpuid:-}"    = 1 ] && @rmmod@ cpuid 2>/dev/null
> ++      [ "${insmod_msr:-}"      = 1 ] && @rmmod@ msr 2>/dev/null
> +       [ "${kldload_cpuctl:-}"  = 1 ] && kldunload cpuctl
> 2>/dev/null
> +       [ "${kldload_vmm:-}"     = 1 ] && kldunload vmm   
> 2>/dev/null
> + }
> +
> + # if we were git clone'd, adjust VERSION
> +-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1;
> then
> +-      describe=$(git -C "$(dirname "$0")" describe --tags --dirty
> 2>/dev/null)
> +-      [ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e
> s/^v//)
> ++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null
> 2>&1; then
> ++      describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty
> 2>/dev/null)
> ++      [ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e
> s/^v//)
> + fi
> +
> + show_usage()
> + {
> +       # shellcheck disable=SC2086
> +-      cat <<EOF
> ++      @cat@ <<EOF
> +       Usage:
> +-              Live mode (auto):   $(basename $0) [options]
> +-              Live mode (manual): $(basename $0) [options] <[--
> kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
> +-              Offline mode:       $(basename $0) [options] <[--
> kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
> ++              Live mode (auto):   $(@basename@ $0) [options]
> ++              Live mode (manual): $(@basename@ $0) [options] <[--
> kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
> ++              Offline mode:       $(@basename@ $0) [options] <[--
> kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
> +
> +       Modes:
> +               Two modes are available.
> +@@ -106,7 +106,7 @@ EOF
> +
> + show_disclaimer()
> + {
> +-      cat <<EOF
> ++      @cat@ <<EOF
> + Disclaimer:
> +
> + This tool does its best to determine whether your system is immune
> (or has proper mitigations in place) for the
> +@@ -134,7 +134,7 @@ This tool has been released in the hope that
> it'll be useful, but don't use it t
> + EOF
> + }
> +
> +-os=$(uname -s)
> ++os=$(@uname@ -s)
> +
> + # parse options
> + opt_kernel=''
> +@@ -203,7 +203,7 @@ __echo()
> +                       _interpret_chars='-e'
> +               fi
> +               _ctrlchar=$($echo_cmd $_interpret_chars "\033")
> +-              _msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r
> "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
> ++              _msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r
> "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
> +       fi
> +       if [ "$echo_cmd_type" = printf ]; then
> +               if [ "$opt" = "-n" ]; then
> +@@ -379,7 +379,7 @@ is_cpu_affected()
> +               # https://github.com/crozone/SpectrePoC/issues/1 ^F
> E5200 => spectre 2 not affected
> +               #
> https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 =>
> meltdown affected
> +               # model name : Pentium(R) Dual-Core  CPU      E5200 
> @ 2.50GHz
> +-              if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\)
> Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
> ++              if echo "$cpu_friendly_name" | @grep@ -qE
> 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
> +                       variant1=vuln
> +                       [ -z "$variant2" ] && variant2=immune
> +                       variant3=vuln
> +@@ -482,7 +482,7 @@ is_cpu_affected()
> +                       i=$(( i + 1 ))
> +                       # do NOT quote $cpu_arch_list below
> +                       # shellcheck disable=SC2086
> +-                      cpuarch=$(echo $cpu_arch_list | awk '{ print
> $'$i' }')
> ++                      cpuarch=$(echo $cpu_arch_list | @awk@ '{
> print $'$i' }')
> +                       _debug "checking cpu$i: <$cpupart>
> <$cpuarch>"
> +                       # some kernels report AArch64 instead of 8
> +                       [ "$cpuarch" = "AArch64" ] && cpuarch=8
> +@@ -493,49 +493,49 @@ is_cpu_affected()
> +                               # part   ?  ? c08 c09 c0d c0f c0e d07
> d08 d09 d0a d0b d0c         d0d
> +                               # arch  7? 7? 7   7   7   7   7   8  
> 8   8   8   8   8           8
> +                               #
> +-                              # Whitelist identified non-affected
> processors, use vulnerability information from
> ++                              # Whitelist identified non-affected
> processors, use vulnerability information from
> +                               #
> https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
> +                               # Partnumbers can be found here:
> +                               #
> https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in
> +                               #
> +                               # Maintain cumulative check of
> vulnerabilities -
> +                               # if at least one of the cpu is
> affected, then the system is affected
> +-                              if [ "$cpuarch" = 7 ] && echo
> "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
> ++                              if [ "$cpuarch" = 7 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
> +                                       variant1=vuln
> +                                       variant2=vuln
> +                                       [ -z "$variant3" ] &&
> variant3=immune
> +                                       [ -z "$variant3a" ] &&
> variant3a=immune
> +                                       [ -z "$variant4" ] &&
> variant4=immune
> +                                       _debug "checking cpu$i: armv7
> A8/A9/A12/A17 non affected to variants 3, 3a & 4"
> +-                              elif [ "$cpuarch" = 7 ] && echo
> "$cpupart" | grep -q -w -e 0xc0f; then
> ++                              elif [ "$cpuarch" = 7 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xc0f; then
> +                                       variant1=vuln
> +                                       variant2=vuln
> +                                       [ -z "$variant3" ] &&
> variant3=immune
> +                                       variant3a=vuln
> +                                       [ -z "$variant4" ] &&
> variant4=immune
> +                                       _debug "checking cpu$i: armv7
> A15 non affected to variants 3 & 4"
> +-                              elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then
> ++                              elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xd07 -e 0xd08; then
> +                                       variant1=vuln
> +                                       variant2=vuln
> +                                       [ -z "$variant3" ] &&
> variant3=immune
> +                                       variant3a=vuln
> +                                       variant4=vuln
> +                                       _debug "checking cpu$i: armv8
> A57/A72 non affected to variants 3"
> +-                              elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | grep -q -w -e 0xd09; then
> ++                              elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xd09; then
> +                                       variant1=vuln
> +                                       variant2=vuln
> +                                       [ -z "$variant3" ] &&
> variant3=immune
> +                                       [ -z "$variant3a" ] &&
> variant3a=immune
> +                                       variant4=vuln
> +                                       _debug "checking cpu$i: armv8
> A73 non affected to variants 3 & 3a"
> +-                              elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | grep -q -w -e 0xd0a; then
> ++                              elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xd0a; then
> +                                       variant1=vuln
> +                                       variant2=vuln
> +                                       variant3=vuln
> +                                       [ -z "$variant3a" ] &&
> variant3a=immune
> +                                       variant4=vuln
> +                                       _debug "checking cpu$i: armv8
> A75 non affected to variant 3a"
> +-                              elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
> ++                              elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
> +                                       variant1=vuln
> +                                       [ -z "$variant2" ] &&
> variant2=immune
> +                                       [ -z "$variant3" ] &&
> variant3=immune
> +@@ -816,7 +816,7 @@ is_cpu_ssb_free()
> +               if [ "$cpu_family" = "18" ] || \
> +                       [ "$cpu_family" = "17" ] || \
> +                       [ "$cpu_family" = "16" ] || \
> +-                      [ "$cpu_family" = "15" ]; then
> ++                      [ "$cpu_family" = "15" ]; then
> +                       return 0
> +               fi
> +       fi
> +@@ -910,7 +910,7 @@ while [ -n "${1:-}" ]; do
> +       elif [ "$1" = "--cpu" ]; then
> +               opt_cpu=$2
> +               if [ "$opt_cpu" != all ]; then
> +-                      if echo "$opt_cpu" | grep -Eq '^[0-9]+'; then
> ++                      if echo "$opt_cpu" | @grep@ -Eq '^[0-9]+';
> then
> +                               opt_cpu=$(( opt_cpu ))
> +                       else
> +                               echo "$0: error: --cpu should be an
> integer or 'all', got '$opt_cpu'" >&2
> +@@ -961,7 +961,7 @@ while [ -n "${1:-}" ]; do
> +                       echo "$0: error: option --cve expects a
> parameter, supported CVEs are: $supported_cve_list" >&2
> +                       exit 255
> +               fi
> +-              selected_cve=$(echo "$supported_cve_list" | grep -iwo
> "$2")
> ++              selected_cve=$(echo "$supported_cve_list" | @grep@ -
> iwo "$2")
> +               if [ -n "$selected_cve" ]; then
> +                       opt_cve_list="$opt_cve_list $selected_cve"
> +                       opt_cve_all=0
> +@@ -1166,14 +1166,14 @@ check_kernel()
> +       # a damaged ELF file and validate it, check for stderr
> warnings too
> +
> +       # the warning "readelf: Warning: [16]: Link field (0) should
> index a symtab section./" can appear on valid kernels, ignore it
> +-      _readelf_warnings=$("${opt_arch_prefix}readelf" -S "$_file"
> 2>&1 >/dev/null | grep -v 'should index a symtab section' | tr "\n"
> "/"); ret=$?
> +-      _readelf_sections=$("${opt_arch_prefix}readelf" -S "$_file"
> 2>/dev/null | grep -c -e data -e text -e init)
> +-      _kernel_size=$(stat -c %s "$_file" 2>/dev/null || stat -f %z
> "$_file" 2>/dev/null || echo 10000)
> ++      _readelf_warnings=$("@readelf@" -S "$_file" 2>&1 >/dev/null |
> @grep@ -v 'should index a symtab section' | @tr@ "\n" "/"); ret=$?
> ++      _readelf_sections=$("@readelf@" -S "$_file" 2>/dev/null |
> @grep@ -c -e data -e text -e init)
> ++      _kernel_size=$(@stat@ -c %s "$_file" 2>/dev/null || @stat@ -f
> %z "$_file" 2>/dev/null || echo 10000)
> +       _debug "check_kernel: ret=$? size=$_kernel_size
> sections=$_readelf_sections warnings=$_readelf_warnings"
> +       if [ "$_mode" = desperate ]; then
> +-              if "${opt_arch_prefix}strings" "$_file" | grep -Eq
> '^Linux version '; then
> ++              if "@strings@" "$_file" | @grep@ -Eq '^Linux version
> '; then
> +                       _debug "check_kernel (desperate): ...
> matched!"
> +-                      if [ "$_readelf_sections" = 0 ] && grep -qF -
> e armv6 -e armv7 "$_file"; then
> ++                      if [ "$_readelf_sections" = 0 ] && @grep@ -qF
> -e armv6 -e armv7 "$_file"; then
> +                               _debug "check_kernel (desperate): raw
> arm binary found, adjusting objdump options"
> +                               objdump_options="-D -b binary -marm"
> +                       else
> +@@ -1206,7 +1206,7 @@ try_decompress()
> +
> +       # Try to find the header ($1) and decompress from here
> +       _debug "try_decompress: looking for $3 magic in $6"
> +-      for     pos in $(tr "$1\n$2" "\n$2=" < "$6" | grep -abo
> "^$2")
> ++      for     pos in $(@tr@ "$1\n$2" "\n$2=" < "$6" | @grep@ -abo
> "^$2")
> +       do
> +               _debug "try_decompress: magic for $3 found at offset
> $pos"
> +               if ! command -v "$3" >/dev/null 2>&1; then
> +@@ -1233,11 +1233,11 @@ try_decompress()
> +                       kernel="$kerneltmp"
> +                       _debug "try_decompress: decompressed with $3
> successfully!"
> +                       return 0
> +-              elif [ "$3" != "cat" ]; then
> ++              elif [ "$3" != "@cat@" ]; then
> +                       _debug "try_decompress: decompression with $3
> worked but result is not a kernel, trying with an offset"
> +-                      [ -z "$kerneltmp2" ] && kerneltmp2=$(mktemp -
> t smc-kernel-XXXXXX)
> +-                      cat "$kerneltmp" > "$kerneltmp2"
> +-                      try_decompress '\177ELF' xxy 'cat' '' cat
> "$kerneltmp2" && return 0
> ++                      [ -z "$kerneltmp2" ] && kerneltmp2=$(@mktemp@
> -t smc-kernel-XXXXXX)
> ++                      @cat@ "$kerneltmp" > "$kerneltmp2"
> ++                      try_decompress '\177ELF' xxy '@cat@' '' cat
> "$kerneltmp2" && return 0
> +               else
> +                       _debug "try_decompress: decompression with $3
> worked but result is not a kernel"
> +               fi
> +@@ -1249,12 +1249,12 @@ extract_kernel()
> + {
> +       [ -n "${1:-}" ] || return 1
> +       # Prepare temp files:
> +-      kerneltmp="$(mktemp -t smc-kernel-XXXXXX)"
> ++      kerneltmp="$(@mktemp@ -t smc-kernel-XXXXXX)"
> +
> +       # Initial attempt for uncompressed images or objects:
> +       if check_kernel "$1"; then
> +               _debug "extract_kernel: found kernel is valid, no
> decompression needed"
> +-              cat "$1" > "$kerneltmp"
> ++              @cat@ "$1" > "$kerneltmp"
> +               kernel=$kerneltmp
> +               return 0
> +       fi
> +@@ -1263,14 +1263,14 @@ extract_kernel()
> +       for pass in 1 2; do
> +               for mode in normal desperate; do
> +                       _debug "extract_kernel: pass $pass $mode
> mode"
> +-                      try_decompress '\037\213\010'     xy   
> gunzip  ''      gunzip      "$1" "$mode" "$pass" && return 0
> +-                      try_decompress '\002\041\114\030' xyy  
> 'lz4'   '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
> +-                      try_decompress '\3757zXZ\000'     abcde
> unxz    ''      xz-utils    "$1" "$mode" "$pass" && return 0
> +-                      try_decompress 'BZh'              xy   
> bunzip2 ''      bzip2       "$1" "$mode" "$pass" && return 0
> +-                      try_decompress '\135\0\0\0'       xxx  
> unlzma  ''      xz-utils    "$1" "$mode" "$pass" && return 0
> +-                      try_decompress '\211\114\132'     xy   
> 'lzop'  '-d'    lzop        "$1" "$mode" "$pass" && return 0
> +-                      try_decompress '\177ELF'          xxy  
> 'cat'   ''      cat         "$1" "$mode" "$pass" && return 0
> +-                      try_decompress '(\265/\375'       xxy  
> unzstd  ''      zstd        "$1" "$mode" "$pass" && return 0
> ++                      try_decompress '\037\213\010'     xy   
> @gunzip@  ''      gunzip      "$1" "$mode" "$pass" && return 0
> ++                      try_decompress '\002\041\114\030' xyy  
> '@lz4@'   '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
> ++                      try_decompress '\3757zXZ\000'     abcde
> @unxz@    ''      xz-utils    "$1" "$mode" "$pass" && return 0
> ++                      try_decompress 'BZh'              xy   
> @bunzip2@ ''      bzip2       "$1" "$mode" "$pass" && return 0
> ++                      try_decompress '\135\0\0\0'       xxx  
> @unlzma@  ''      xz-utils    "$1" "$mode" "$pass" && return 0
> ++                      try_decompress '\211\114\132'     xy   
> '@lzop@'  '-d'    lzop        "$1" "$mode" "$pass" && return 0
> ++                      try_decompress '\177ELF'          xxy  
> '@cat@'   ''      cat         "$1" "$mode" "$pass" && return 0
> ++                      try_decompress '(\265/\375'       xxy  
> @unzstd@  ''      zstd        "$1" "$mode" "$pass" && return 0
> +               done
> +       done
> +       # kernel_err might already have been populated by
> try_decompress() if we're missing one of the tools
> +@@ -1287,7 +1287,7 @@ mount_debugfs()
> + {
> +       if [ ! -e /sys/kernel/debug/sched_features ]; then
> +               # try to mount the debugfs hierarchy ourselves and
> remember it to umount afterwards
> +-              mount -t debugfs debugfs /sys/kernel/debug
> 2>/dev/null && mounted_debugfs=1
> ++              @mount@ -t debugfs debugfs /sys/kernel/debug
> 2>/dev/null && mounted_debugfs=1
> +       fi
> + }
> +
> +@@ -1298,12 +1298,12 @@ load_msr()
> +       load_msr_once=1
> +
> +       if [ "$os" = Linux ]; then
> +-              if ! grep -qw msr "$procfs/modules" 2>/dev/null; then
> +-                      modprobe msr 2>/dev/null && insmod_msr=1
> ++              if ! @grep@ -qw msr "$procfs/modules" 2>/dev/null;
> then
> ++                      @modprobe@ msr 2>/dev/null && insmod_msr=1
> +                       _debug "attempted to load module msr,
> insmod_msr=$insmod_msr"
> +               else
> +                       _debug "msr module already loaded"
> +-              fi
> ++              fi
> +       else
> +               if ! kldstat -q -m cpuctl; then
> +                       kldload cpuctl 2>/dev/null &&
> kldload_cpuctl=1
> +@@ -1321,12 +1321,12 @@ load_cpuid()
> +       load_cpuid_once=1
> +
> +       if [ "$os" = Linux ]; then
> +-              if ! grep -qw cpuid "$procfs/modules" 2>/dev/null;
> then
> +-                      modprobe cpuid 2>/dev/null && insmod_cpuid=1
> ++              if ! @grep@ -qw cpuid "$procfs/modules" 2>/dev/null;
> then
> ++                      @modprobe@ cpuid 2>/dev/null &&
> insmod_cpuid=1
> +                       _debug "attempted to load module cpuid,
> insmod_cpuid=$insmod_cpuid"
> +               else
> +                       _debug "cpuid module already loaded"
> +-              fi
> ++              fi
> +       else
> +               if ! kldstat -q -m cpuctl; then
> +                       kldload cpuctl 2>/dev/null &&
> kldload_cpuctl=1
> +@@ -1415,7 +1415,7 @@ read_cpuid_one_core()
> +               fi
> +               # on some kernel versions, /dev/cpu/0/cpuid doesn't
> imply that the cpuid module is loaded, in that case dd returns an
> error,
> +               # we use that fact to load the module if dd returns
> an error
> +-              if ! dd if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null
> 2>&1; then
> ++              if ! @dd@ if=/dev/cpu/0/cpuid bs=16 count=1
> >/dev/null 2>&1; then
> +                       load_cpuid
> +               fi
> +               # we need _leaf to be converted to decimal for dd
> +@@ -1426,14 +1426,14 @@ read_cpuid_one_core()
> +               _ddskip=$(( _position / 16 ))
> +               _odskip=$(( _position - _ddskip * 16 ))
> +               # now read the value
> +-              _cpuid=$(dd if="/dev/cpu/$_core/cpuid" bs=16
> skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | od -j $((_odskip *
> 16)) -A n -t u4)
> ++              _cpuid=$(@dd@ if="/dev/cpu/$_core/cpuid" bs=16
> skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | @od@ -j $((_odskip
> * 16)) -A n -t u4)
> +       elif [ -e /dev/cpuctl0 ]; then
> +               # BSD
> +               if [ ! -r /dev/cpuctl0 ]; then
> +                       read_cpuid_msg="Couldn't read cpuid info from
> cpuctl"
> +                       return $READ_CPUID_RET_ERR
> +               fi
> +-              _cpuid=$(cpucontrol -i "$_leaf","$_subleaf"
> "/dev/cpuctl$_core" 2>/dev/null | cut -d: -f2-)
> ++              _cpuid=$(cpucontrol -i "$_leaf","$_subleaf"
> "/dev/cpuctl$_core" 2>/dev/null | @cut@ -d: -f2-)
> +               # cpuid level 0x4, level_type 0x2: 0x1c004143
> 0x01c0003f 0x000001ff 0x00000000
> +       else
> +               read_cpuid_msg="Found no way to read cpuid info"
> +@@ -1456,7 +1456,7 @@ read_cpuid_one_core()
> +       fi
> +
> +       # get the value of the register we want
> +-      _reg=$(echo "$_cpuid" | awk '{print $'"$_register"'}')
> ++      _reg=$(echo "$_cpuid" | @awk@ '{print $'"$_register"'}')
> +       # Linux returns it as decimal, BSD as hex, normalize to
> decimal
> +       _reg=$(( _reg ))
> +       # shellcheck disable=SC2046
> +@@ -1484,11 +1484,11 @@ dmesg_grep()
> +       # grep for something in dmesg, ensuring that the dmesg buffer
> +       # has not been truncated
> +       dmesg_grepped=''
> +-      if ! dmesg | grep -qE -e '(^|\] )Linux version [0-9]' -e
> '^FreeBSD is a registered' ; then
> ++      if ! @dmesg@ | @grep@ -qE -e '(^|\] )Linux version [0-9]' -e
> '^FreeBSD is a registered' ; then
> +               # dmesg truncated
> +               return 2
> +       fi
> +-      dmesg_grepped=$(dmesg | grep -E "$1" | head -1)
> ++      dmesg_grepped=$(@dmesg@ | @grep@ -E "$1" | @head@ -1)
> +       # not found:
> +       [ -z "$dmesg_grepped" ] && return 1
> +       # found, output is in $dmesg_grepped
> +@@ -1505,12 +1505,12 @@ parse_cpu_details()
> + {
> +       [ "${parse_cpu_details_done:-}" = 1 ] && return 0
> +
> +-      if command -v nproc >/dev/null; then
> +-              number_of_cores=$(nproc)
> +-      elif echo "$os" | grep -q BSD; then
> +-              number_of_cores=$(sysctl -n hw.ncpu 2>/dev/null ||
> echo 1)
> ++      if command -v @nproc@ >/dev/null; then
> ++              number_of_cores=$(@nproc@)
> ++      elif echo "$os" | @grep@ -q BSD; then
> ++              number_of_cores=$(@sysctl@ -n hw.ncpu 2>/dev/null ||
> echo 1)
> +       elif [ -e "$procfs/cpuinfo" ]; then
> +-              number_of_cores=$(grep -c ^processor
> "$procfs/cpuinfo" 2>/dev/null || echo 1)
> ++              number_of_cores=$(@grep@ -c ^processor
> "$procfs/cpuinfo" 2>/dev/null || echo 1)
> +       else
> +               # if we don't know, default to 1 CPU
> +               number_of_cores=1
> +@@ -1518,43 +1518,43 @@ parse_cpu_details()
> +       max_core_id=$(( number_of_cores - 1 ))
> +
> +       if [ -e "$procfs/cpuinfo" ]; then
> +-              cpu_vendor=$(  grep '^vendor_id'  "$procfs/cpuinfo" |
> awk '{print $3}' | head -1)
> +-              cpu_friendly_name=$(grep '^model name'
> "$procfs/cpuinfo" | cut -d: -f2- | head -1 | sed -e 's/^ *//')
> ++              cpu_vendor=$(  @grep@ '^vendor_id'  "$procfs/cpuinfo"
> | @awk@ '{print $3}' | @head@ -1)
> ++              cpu_friendly_name=$(@grep@ '^model name'
> "$procfs/cpuinfo" | @cut@ -d: -f2- | @head@ -1 | @sed@ -e 's/^ *//')
> +               # special case for ARM follows
> +-              if grep -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
> ++              if @grep@ -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
> +                       cpu_vendor='ARM'
> +                       # some devices (phones or other) have several
> ARMs and as such different part numbers,
> +                       # an example is "bigLITTLE", so we need to
> store the whole list, this is needed for is_cpu_affected
> +-                      cpu_part_list=$(awk '/CPU part/        
> {print $4}' "$procfs/cpuinfo")
> +-                      cpu_arch_list=$(awk '/CPU architecture/
> {print $3}' "$procfs/cpuinfo")
> ++                      cpu_part_list=$(@awk@ '/CPU part/        
> {print $4}' "$procfs/cpuinfo")
> ++                      cpu_arch_list=$(@awk@ '/CPU architecture/
> {print $3}' "$procfs/cpuinfo")
> +                       # take the first one to fill the friendly
> name, do NOT quote the vars below
> +                       # shellcheck disable=SC2086
> +-                      cpu_arch=$(echo $cpu_arch_list | awk '{ print
> $1 }')
> ++                      cpu_arch=$(echo $cpu_arch_list | @awk@ '{
> print $1 }')
> +                       # shellcheck disable=SC2086
> +-                      cpu_part=$(echo $cpu_part_list | awk '{ print
> $1 }')
> ++                      cpu_part=$(echo $cpu_part_list | @awk@ '{
> print $1 }')
> +                       [ "$cpu_arch" = "AArch64" ] && cpu_arch=8
> +                       cpu_friendly_name="ARM"
> +                       [ -n "$cpu_arch" ] &&
> cpu_friendly_name="$cpu_friendly_name v$cpu_arch"
> +                       [ -n "$cpu_part" ] &&
> cpu_friendly_name="$cpu_friendly_name model $cpu_part"
> +
> +-              elif grep -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
> ++              elif @grep@ -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
> +                       cpu_vendor='CAVIUM'
> +-              elif grep -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
> ++              elif @grep@ -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
> +                       cpu_vendor='PHYTIUM'
> +               fi
> +
> +-              cpu_family=$(  grep '^cpu family' "$procfs/cpuinfo" |
> awk '{print $4}' | grep -E '^[0-9]+$' | head -1)
> +-              cpu_model=$(   grep '^model'      "$procfs/cpuinfo" |
> awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
> +-              cpu_stepping=$(grep '^stepping'   "$procfs/cpuinfo" |
> awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
> +-              cpu_ucode=$(   grep '^microcode'  "$procfs/cpuinfo" |
> awk '{print $3}' | head -1)
> ++              cpu_family=$(  @grep@ '^cpu family' "$procfs/cpuinfo"
> | @awk@ '{print $4}' | @grep@ -E '^[0-9]+$' | @head@ -1)
> ++              cpu_model=$(   @grep@ '^model'      "$procfs/cpuinfo"
> | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
> ++              cpu_stepping=$(@grep@ '^stepping'   "$procfs/cpuinfo"
> | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
> ++              cpu_ucode=$(   @grep@ '^microcode'  "$procfs/cpuinfo"
> | @awk@ '{print $3}' | @head@ -1)
> +       else
> +-              cpu_vendor=$( dmesg | grep -i -m1 'Origin=' | cut -f2
> -w | cut -f2 -d= | cut -f2 -d\" )
> +-              cpu_family=$( dmesg | grep -i -m1 'Family=' | cut -f4
> -w | cut -f2 -d= )
> ++              cpu_vendor=$( @dmesg@ | @grep@ -i -m1 'Origin=' |
> @cut@ -f2 -w | @cut@ -f2 -d= | @cut@ -f2 -d\" )
> ++              cpu_family=$( @dmesg@ | @grep@ -i -m1 'Family=' |
> @cut@ -f4 -w | @cut@ -f2 -d= )
> +               cpu_family=$(( cpu_family ))
> +-              cpu_model=$( dmesg | grep -i -m1 'Model=' | cut -f5 -
> w | cut -f2 -d= )
> ++              cpu_model=$( @dmesg@ | @grep@ -i -m1 'Model=' | @cut@
> -f5 -w | @cut@ -f2 -d= )
> +               cpu_model=$(( cpu_model ))
> +-              cpu_stepping=$( dmesg | grep -i -m1 'Stepping=' | cut
> -f6 -w | cut -f2 -d= )
> +-              cpu_friendly_name=$(sysctl -n hw.model 2>/dev/null)
> ++              cpu_stepping=$( @dmesg@ | @grep@ -i -m1 'Stepping=' |
> @cut@ -f6 -w | @cut@ -f2 -d= )
> ++              cpu_friendly_name=$(@sysctl@ -n hw.model 2>/dev/null)
> +       fi
> +
> +       if [ -n "${SMC_MOCK_CPU_FRIENDLY_NAME:-}" ]; then
> +@@ -1609,7 +1609,7 @@ parse_cpu_details()
> +                       # call CPUID
> +                       cpucontrol -i 1 /dev/cpuctl0 >/dev/null
> +                       # read MSR
> +-                      cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 |
> awk '{print $3}')
> ++                      cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 |
> @awk@ '{print $3}')
> +                       # convert to decimal
> +                       cpu_ucode=$(( cpu_ucode ))
> +                       # convert back to hex
> +@@ -1628,7 +1628,7 @@ parse_cpu_details()
> +               mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_CPU_UCODE='$cpu_ucode'")
> +       fi
> +
> +-      echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$(( cpu_ucode ))
> ++      echo "$cpu_ucode" | @grep@ -q ^0x && cpu_ucode=$(( cpu_ucode
> ))
> +       ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x
> ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" "$cpu_stepping"
> "$cpu_ucode" "$cpu_cpuid")
> +
> +       # also define those that we will need in other funcs
> +@@ -1725,8 +1725,8 @@ is_cpu_smt_enabled()
> + {
> +       # SMT / HyperThreading is enabled if siblings != cpucores
> +       if [ -e "$procfs/cpuinfo" ]; then
> +-              _siblings=$(awk '/^siblings/  {print $3;exit}'
> "$procfs/cpuinfo")
> +-              _cpucores=$(awk '/^cpu cores/ {print $4;exit}'
> "$procfs/cpuinfo")
> ++              _siblings=$(@awk@ '/^siblings/  {print $3;exit}'
> "$procfs/cpuinfo")
> ++              _cpucores=$(@awk@ '/^cpu cores/ {print $4;exit}'
> "$procfs/cpuinfo")
> +               if [ -n "$_siblings" ] && [ -n "$_cpucores" ]; then
> +                       if [ "$_siblings" = "$_cpucores" ]; then
> +                               return 1
> +@@ -1774,10 +1774,10 @@ is_ucode_blacklisted()
> +               $INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b   \
> +               $INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712
> +       do
> +-              model=$(echo "$tuple" | cut -d, -f1)
> +-              stepping=$(( $(echo "$tuple" | cut -d, -f2) ))
> ++              model=$(echo "$tuple" | @cut@ -d, -f1)
> ++              stepping=$(( $(echo "$tuple" | @cut@ -d, -f2) ))
> +               if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" =
> "$stepping" ]; then
> +-                      ucode=$(( $(echo "$tuple" | cut -d, -f3) ))
> ++                      ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
> +                       if [ "$cpu_ucode" = "$ucode" ]; then
> +                               _debug "is_ucode_blacklisted: we have
> a match! ($cpu_model/$cpu_stepping/$cpu_ucode)"
> +                               return 0
> +@@ -1865,7 +1865,7 @@ is_xen_dom0()
> +               return 1
> +       fi
> +
> +-      if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d"
> "$procfs/xen/capabilities"; then
> ++      if [ -e "$procfs/xen/capabilities" ] && @grep@ -q "control_d"
> "$procfs/xen/capabilities"; then
> +               return 0
> +       else
> +               return 1
> +@@ -1893,13 +1893,13 @@ is_xen_domU()
> +
> + if [ -r "$mcedb_cache" ]; then
> +       # we have a local cache file, but it might be older than the
> builtin version we have
> +-      local_dbversion=$(  awk '/^# %%% MCEDB / { print $4 }'
> "$mcedb_cache")
> ++      local_dbversion=$(  @awk@ '/^# %%% MCEDB / { print $4 }'
> "$mcedb_cache")
> +       mcedb_source="$mcedb_cache"
> +       mcedb_info="local firmwares DB $local_dbversion"
> + fi
> + read_mcedb()
> + {
> +-      awk '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1
> }' "$mcedb_source"
> ++      @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / {
> DELIM=1 }' "$mcedb_source"
> + }
> +
> + is_latest_known_ucode()
> +@@ -1920,10 +1920,10 @@ is_latest_known_ucode()
> +       else
> +               return 2
> +       fi
> +-      for tuple in $(read_mcedb | grep "$(printf
> "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
> ++      for tuple in $(read_mcedb | @grep@ "$(printf
> "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
> +       do
> +-              ucode=$((  $(echo "$tuple" | cut -d, -f3) ))
> +-              ucode_date=$(echo "$tuple" | cut -d, -f4 | sed -r
> 's=(....)(..)(..)=\1/\2/\3=')
> ++              ucode=$((  $(echo "$tuple" | @cut@ -d, -f3) ))
> ++              ucode_date=$(echo "$tuple" | @cut@ -d, -f4 | @sed@ -r
> 's=(....)(..)(..)=\1/\2/\3=')
> +               _debug "is_latest_known_ucode: with cpuid $cpu_cpuid
> has ucode $cpu_ucode, last known is $ucode from $ucode_date"
> +               ucode_latest=$(printf "latest version is 0x%x dated
> $ucode_date according to $mcedb_info" "$ucode")
> +               if [ "$cpu_ucode" -ge "$ucode" ]; then
> +@@ -1948,7 +1948,7 @@ get_cmdline()
> +               kernel_cmdline="$SMC_MOCK_CMDLINE"
> +               return
> +       else
> +-              kernel_cmdline=$(cat "$procfs/cmdline")
> ++              kernel_cmdline=$(@cat@ "$procfs/cmdline")
> +               mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_CMDLINE='$kernel_cmdline'")
> +       fi
> + }
> +@@ -1956,7 +1956,7 @@ get_cmdline()
> + # ENTRYPOINT
> +
> + # we can't do anything useful under WSL
> +-if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then
> ++if @uname@ -a | @grep@ -qE -- '-Microsoft #[0-9]+-Microsoft '; then
> +       _warn "This script doesn't work under Windows Subsystem for
> Linux"
> +       _warn "You should use the official Microsoft tool instead."
> +       _warn "It can be found under
> https://aka.ms/SpeculationControlPS"
> +@@ -2005,15 +2005,15 @@ fi
> +
> + # if we're under a BSD, try to mount linprocfs for
> "$procfs/cpuinfo"
> + procfs=/proc
> +-if echo "$os" | grep -q BSD; then
> ++if echo "$os" | @grep@ -q BSD; then
> +       _debug "We're under BSD, check if we have procfs"
> +-      procfs=$(mount | awk '/^linprocfs/ { print $3; exit; }')
> ++      procfs=$(@mount@ | @awk@ '/^linprocfs/ { print $3; exit; }')
> +       if [ -z "$procfs" ]; then
> +               _debug "we don't, try to mount it"
> +               procfs=/proc
> +               [ -d /compat/linux/proc ] &&
> procfs=/compat/linux/proc
> +               test -d $procfs || mkdir $procfs
> +-              if mount -t linprocfs linprocfs $procfs 2>/dev/null;
> then
> ++              if @mount@ -t linprocfs linprocfs $procfs
> 2>/dev/null; then
> +                       mounted_procfs=1
> +                       _debug "procfs just mounted at $procfs"
> +               else
> +@@ -2045,14 +2045,14 @@ fi
> +
> + if [ "$opt_live" = 1 ]; then
> +       # root check (only for live mode, for offline mode, we
> already checked if we could read the files)
> +-      if [ "$(id -u)" -ne 0 ]; then
> ++      if [ "$(@id@ -u)" -ne 0 ]; then
> +               _warn "Note that you should launch this script with
> root privileges to get accurate information."
> +               _warn "We'll proceed but you might see permission
> denied errors."
> +               _warn "To run it as root, you can try the following
> command: sudo $0"
> +               _warn
> +       fi
> +       _info "Checking for vulnerabilities on current system"
> +-      _info "Kernel is \033[35m$os $(uname -r) $(uname -v) $(uname
> -m)\033[0m"
> ++      _info "Kernel is \033[35m$os $(@uname@ -r) $(@uname@ -v)
> $(@uname@ -m)\033[0m"
> +       _info "CPU is \033[35m$cpu_friendly_name\033[0m"
> +
> +       # try to find the image of the current running kernel
> +@@ -2060,12 +2060,12 @@ if [ "$opt_live" = 1 ]; then
> +               # specified by user on cmdline, with --live, don't
> override
> +               :
> +       # first, look for the BOOT_IMAGE hint in the kernel cmdline
> +-      elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then
> +-              opt_kernel=$(echo "$kernel_cmdline" | grep -Eo
> 'BOOT_IMAGE=[^ ]+' | cut -d= -f2)
> ++      elif echo "$kernel_cmdline" | @grep@ -q 'BOOT_IMAGE='; then
> ++              opt_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo
> 'BOOT_IMAGE=[^ ]+' | @cut@ -d= -f2)
> +               _debug "found opt_kernel=$opt_kernel in
> $procfs/cmdline"
> +               # if the boot partition is within a btrfs subvolume,
> strip the subvolume name
> +               # if /boot is a separate subvolume, the remainder of
> the code in this section should handle it
> +-              if echo "$opt_kernel" | grep -q "^/@"; then
> opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi
> ++              if echo "$opt_kernel" | @grep@ -q "^/@"; then
> opt_kernel=$(echo "$opt_kernel" | @sed@ "s:/@[^/]*::"); fi
> +               # if we have a dedicated /boot partition, our
> bootloader might have just called it /
> +               # so try to prepend /boot and see if we find anything
> +               [ -e "/boot/$opt_kernel" ] &&
> opt_kernel="/boot/$opt_kernel"
> +@@ -2077,7 +2077,7 @@ if [ "$opt_live" = 1 ]; then
> +       # if we didn't find a kernel, default to guessing
> +       if [ ! -e "$opt_kernel" ]; then
> +               # Fedora:
> +-              [ -e "/lib/modules/$(uname -r)/vmlinuz" ] &&
> opt_kernel="/lib/modules/$(uname -r)/vmlinuz"
> ++              [ -e "/lib/modules/$(@uname@ -r)/vmlinuz" ] &&
> opt_kernel="/lib/modules/$(@uname@ -r)/vmlinuz"
> +               # Slackware:
> +               [ -e "/boot/vmlinuz"             ] &&
> opt_kernel="/boot/vmlinuz"
> +               # Arch aarch64:
> +@@ -2091,24 +2091,24 @@ if [ "$opt_live" = 1 ]; then
> +               # pine64
> +               [ -e "/boot/pine64/Image"        ] &&
> opt_kernel="/boot/pine64/Image"
> +               # generic:
> +-              [ -e "/boot/vmlinuz-$(uname -r)" ] &&
> opt_kernel="/boot/vmlinuz-$(uname -r)"
> +-              [ -e "/boot/kernel-$( uname -r)" ] &&
> opt_kernel="/boot/kernel-$( uname -r)"
> +-              [ -e "/boot/bzImage-$(uname -r)" ] &&
> opt_kernel="/boot/bzImage-$(uname -r)"
> ++              [ -e "/boot/vmlinuz-$(@uname@ -r)" ] &&
> opt_kernel="/boot/vmlinuz-$(@uname@ -r)"
> ++              [ -e "/boot/kernel-$( @uname@ -r)" ] &&
> opt_kernel="/boot/kernel-$( @uname@ -r)"
> ++              [ -e "/boot/bzImage-$(@uname@ -r)" ] &&
> opt_kernel="/boot/bzImage-$(@uname@ -r)"
> +               # Gentoo:
> +-              [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ++              [ -e "/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@
> -r)" ] && opt_kernel="/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@
> -r)"
> +               # NixOS:
> +               [ -e "/run/booted-system/kernel" ] &&
> opt_kernel="/run/booted-system/kernel"
> +               # Guix System:
> +               [ -e "/run/booted-system/kernel/bzImage" ] &&
> opt_kernel="/run/booted-system/kernel/bzImage"
> +               # systemd kernel-install:
> +-              [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux"
> ++              [ -e "/etc/machine-id" ] && [ -e "/boot/$(@cat@
> /etc/machine-id)/$(@uname@ -r)/linux" ] && opt_kernel="/boot/$(@cat@
> /etc/machine-id)/$(@uname@ -r)/linux"
> +               # Clear Linux:
> +-              str_uname=$(uname -r)
> ++              str_uname=$(@uname@ -r)
> +               clear_linux_kernel="/lib/kernel/org.clearlinux.${str_
> uname##*.}.${str_uname%.*}"
> +               [ -e "$clear_linux_kernel" ] &&
> opt_kernel=$clear_linux_kernel
> +               # Custom Arch seems to have the kernel path in its
> cmdline in the form "\directory\kernelimage",
> +               # with actual \'s instead of /'s:
> +-              custom_arch_kernel=$(echo "$kernel_cmdline" | grep -
> Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d
> '[:space:]')
> ++              custom_arch_kernel=$(echo "$kernel_cmdline" | @grep@
> -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | @tr@ "\\\\" "/" | @tr@ -d
> '[:space:]')
> +               if [ -n "$custom_arch_kernel" ] && [ -e
> "$custom_arch_kernel" ]; then
> +                       opt_kernel="$custom_arch_kernel"
> +               fi
> +@@ -2122,12 +2122,12 @@ if [ "$opt_live" = 1 ]; then
> +               :
> +       elif [ -e "$procfs/kallsyms" ] ; then
> +               opt_map="$procfs/kallsyms"
> +-      elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then
> +-              opt_map="/lib/modules/$(uname -r)/System.map"
> +-      elif [ -e "/boot/System.map-$(uname -r)" ] ; then
> +-              opt_map="/boot/System.map-$(uname -r)"
> +-      elif [ -e "/lib/kernel/System.map-$(uname -r)" ]; then
> +-              opt_map="/lib/kernel/System.map-$(uname -r)"
> ++      elif [ -e "/lib/modules/$(@uname@ -r)/System.map" ] ; then
> ++              opt_map="/lib/modules/$(@uname@ -r)/System.map"
> ++      elif [ -e "/boot/System.map-$(@uname@ -r)" ] ; then
> ++              opt_map="/boot/System.map-$(@uname@ -r)"
> ++      elif [ -e "/lib/kernel/System.map-$(@uname@ -r)" ]; then
> ++              opt_map="/lib/kernel/System.map-$(@uname@ -r)"
> +       fi
> +
> +       # config
> +@@ -2135,18 +2135,18 @@ if [ "$opt_live" = 1 ]; then
> +               # specified by user on cmdline, with --live, don't
> override
> +               :
> +       elif [ -e "$procfs/config.gz" ] ; then
> +-              dumped_config="$(mktemp -t smc-config-XXXXXX)"
> +-              gunzip -c "$procfs/config.gz" > "$dumped_config"
> ++              dumped_config="$(@mktemp@ -t smc-config-XXXXXX)"
> ++              @gunzip@ -c "$procfs/config.gz" > "$dumped_config"
> +               # dumped_config will be deleted at the end of the
> script
> +               opt_config="$dumped_config"
> +-      elif [ -e "/lib/modules/$(uname -r)/config" ]; then
> +-              opt_config="/lib/modules/$(uname -r)/config"
> +-      elif [ -e "/boot/config-$(uname -r)" ]; then
> +-              opt_config="/boot/config-$(uname -r)"
> +-      elif [ -e "/etc/kernels/kernel-config-$(uname -m)-$(uname -
> r)" ]; then
> +-              opt_config="/etc/kernels/kernel-config-$(uname -m)-
> $(uname -r)"
> +-      elif [ -e "/lib/kernel/config-$(uname -r)" ]; then
> +-              opt_config="/lib/kernel/config-$(uname -r)"
> ++      elif [ -e "/lib/modules/$(@uname@ -r)/config" ]; then
> ++              opt_config="/lib/modules/$(@uname@ -r)/config"
> ++      elif [ -e "/boot/config-$(@uname@ -r)" ]; then
> ++              opt_config="/boot/config-$(@uname@ -r)"
> ++      elif [ -e "/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@
> -r)" ]; then
> ++              opt_config="/etc/kernels/kernel-config-$(@uname@ -m)-
> $(@uname@ -r)"
> ++      elif [ -e "/lib/kernel/config-$(@uname@ -r)" ]; then
> ++              opt_config="/lib/kernel/config-$(@uname@ -r)"
> +       fi
> + else
> +       _info "Checking for vulnerabilities against specified kernel"
> +@@ -2161,7 +2161,7 @@ else
> + fi
> +
> + if [ "$os" = Linux ]; then
> +-      if [ -n "$opt_config" ] && ! grep -q '^CONFIG_'
> "$opt_config"; then
> ++      if [ -n "$opt_config" ] && ! @grep@ -q '^CONFIG_'
> "$opt_config"; then
> +               # given file is invalid!
> +               _warn "The kernel config file seems invalid, was
> expecting a plain-text file, ignoring it!"
> +               opt_config=''
> +@@ -2189,7 +2189,7 @@ if [ "$os" = Linux ]; then
> + fi
> +
> + if [ -e "$opt_kernel" ]; then
> +-      if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1;
> then
> ++      if ! command -v "@readelf@" >/dev/null 2>&1; then
> +               _debug "readelf not found"
> +               kernel_err="missing '${opt_arch_prefix}readelf' tool,
> please install it, usually it's in the 'binutils' package"
> +       elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ];
> then
> +@@ -2207,20 +2207,20 @@ else
> +       # vanilla kernels have with ^Linux version
> +       # also try harder with some kernels (such as Red Hat) that
> don't have ^Linux version before their version string
> +       # and check for FreeBSD
> +-      kernel_version=$("${opt_arch_prefix}strings" "$kernel"
> 2>/dev/null | grep -E \
> ++      kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -
> E \
> +               -e '^Linux version ' \
> +               -e '^[[:alnum:]][^[:space:]]+ \([^[:space:]]+\) #[0-
> 9]+ .+ (19|20)[0-9][0-9]$' \
> +-              -e '^FreeBSD [0-9]' | head -1)
> ++              -e '^FreeBSD [0-9]' | @head@ -1)
> +       if [ -z "$kernel_version" ]; then
> +               # try even harder with some kernels (such as ARM)
> that split the release (uname -r) and version (uname -v) in 2
> adjacent strings
> +-              kernel_version=$("${opt_arch_prefix}strings"
> "$kernel" 2>/dev/null | grep -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$'
> | tr "\n" " ")
> ++              kernel_version=$("@strings@" "$kernel" 2>/dev/null |
> @grep@ -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | @tr@ "\n" " ")
> +       fi
> +       if [ -n "$kernel_version" ]; then
> +               # in live mode, check if the img we found is the
> correct one
> +               if [ "$opt_live" = 1 ]; then
> +                       _verbose "Kernel image is
> \033[35m$kernel_version"
> +-                      if ! echo "$kernel_version" | grep -qF
> "$(uname -r)"; then
> +-                              _warn "Possible discrepancy between
> your running kernel '$(uname -r)' and the image '$kernel_version' we
> found ($opt_kernel), results might be incorrect"
> ++                      if ! echo "$kernel_version" | @grep@ -qF
> "$(@uname@ -r)"; then
> ++                              _warn "Possible discrepancy between
> your running kernel '$(@uname@ -r)' and the image '$kernel_version'
> we found ($opt_kernel), results might be incorrect"
> +                       fi
> +               else
> +                       _info "Kernel image is
> \033[35m$kernel_version"
> +@@ -2248,11 +2248,11 @@ sys_interface_check()
> +       if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r
> "$file" ]; then
> +               :
> +       else
> +-              mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_SYSFS_$(basename "$file")_RET=1")
> ++              mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_SYSFS_$(@basename@ "$file")_RET=1")
> +               return 1
> +       fi
> +
> +-      _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")_RET"
> ++      _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")_RET"
> +       # shellcheck disable=SC2086,SC1083
> +       if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
> +               _debug "sysfs: MOCKING enabled for $file func returns
> $(eval echo \$$_mockvarname)"
> +@@ -2261,17 +2261,17 @@ sys_interface_check()
> +       fi
> +
> +       [ -n "$regex" ] || regex='.*'
> +-      _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")"
> ++      _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")"
> +       # shellcheck disable=SC2086,SC1083
> +       if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
> +               fullmsg="$(eval echo \$$_mockvarname)"
> +-              msg=$(echo "$fullmsg" | grep -Eo "$regex")
> ++              msg=$(echo "$fullmsg" | @grep@ -Eo "$regex")
> +               _debug "sysfs: MOCKING enabled for $file, will return
> $fullmsg"
> +               mocked=1
> +       else
> +-              fullmsg=$(cat "$file")
> +-              msg=$(grep -Eo "$regex" "$file")
> +-              mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_SYSFS_$(basename "$file")='$fullmsg'")
> ++              fullmsg=$(@cat@ "$file")
> ++              msg=$(@grep@ -Eo "$regex" "$file")
> ++              mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_SYSFS_$(@basename@ "$file")='$fullmsg'")
> +       fi
> +       if [ "$mode" = silent ]; then
> +               return 0
> +@@ -2280,15 +2280,15 @@ sys_interface_check()
> +               return 0
> +       fi
> +       _info_nol "* Mitigated according to the /sys interface: "
> +-      if echo "$msg" | grep -qi '^not affected'; then
> ++      if echo "$msg" | @grep@ -qi '^not affected'; then
> +               # Not affected
> +               status=OK
> +               pstatus green YES "$fullmsg"
> +-      elif echo "$msg" | grep -qEi '^(kvm: )?mitigation'; then
> ++      elif echo "$msg" | @grep@ -qEi '^(kvm: )?mitigation'; then
> +               # Mitigation: PTI
> +               status=OK
> +               pstatus green YES "$fullmsg"
> +-      elif echo "$msg" | grep -qi '^vulnerable'; then
> ++      elif echo "$msg" | @grep@ -qi '^vulnerable'; then
> +               # Vulnerable
> +               status=VULN
> +               pstatus yellow NO "$fullmsg"
> +@@ -2376,20 +2376,20 @@ write_msr_one_core()
> +                       # ret=4: msr doesn't exist, ret=127:
> msr.allow_writes=off
> +                       [ "$ret" = 127 ] && _write_denied=1
> +               # or fallback to dd if it supports seek_bytes, we
> prefer it over perl because we can tell the difference between EPERM
> and EIO
> +-              elif dd if=/dev/null of=/dev/null bs=8 count=1
> seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}"
> != 1 ]; then
> ++              elif @dd@ if=/dev/null of=/dev/null bs=8 count=1
> seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}"
> != 1 ]; then
> +                       _debug "write_msr: using dd"
> +-                      dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8
> count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
> ++                      @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr
> bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
> +                       # if it failed, inspect stderrto look for
> EPERM
> +                       if [ "$ret" != 0 ]; then
> +-                              if dd if=/dev/zero
> of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec"
> oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then
> ++                              if @dd@ if=/dev/zero
> of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec"
> oflag=seek_bytes 2>&1 | @grep@ -qF 'Operation not permitted'; then
> +                                       _write_denied=1
> +                               fi
> +                       fi
> +               # or if we have perl, use it, any 5.x version will
> work
> +-              elif command -v perl >/dev/null 2>&1 && [
> "${SMC_NO_PERL:-}" != 1 ]; then
> ++              elif command -v @perl@ >/dev/null 2>&1 && [
> "${SMC_NO_PERL:-}" != 1 ]; then
> +                       _debug "write_msr: using perl"
> +                       ret=1
> +-                      perl -e "open(M,'>','/dev/cpu/$_core/msr')
> and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -
> eq 8 ] && ret=0
> ++                      @perl@ -e "open(M,'>','/dev/cpu/$_core/msr')
> and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -
> eq 8 ] && ret=0
> +               else
> +                       _debug "write_msr: got no wrmsr, perl or
> recent enough dd!"
> +                       mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR")
> +@@ -2411,13 +2411,13 @@ write_msr_one_core()
> +                               msr_locked_down=1
> +                               write_msr_msg="your kernel is
> configured to deny writes to MSRs from user space"
> +                               return $WRITE_MSR_RET_LOCKDOWN
> +-                      elif dmesg | grep -qF "msr: Direct access to
> MSR"; then
> ++                      elif @dmesg@ | @grep@ -qF "msr: Direct access
> to MSR"; then
> +                               _debug "write_msr: locked down kernel
> detected (Red Hat / Fedora)"
> +                               mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
> +                               msr_locked_down=1
> +                               write_msr_msg="your kernel is locked
> down (Fedora/Red Hat), please reboot without secure boot and retry"
> +                               return $WRITE_MSR_RET_LOCKDOWN
> +-                      elif dmesg | grep -qF "raw MSR access is
> restricted"; then
> ++                      elif @dmesg@ | @grep@ -qF "raw MSR access is
> restricted"; then
> +                               _debug "write_msr: locked down kernel
> detected (vanilla)"
> +                               mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
> +                               msr_locked_down=1
> +@@ -2516,8 +2516,8 @@ read_msr_one_core()
> +                       return $READ_MSR_RET_KO
> +               fi
> +               # MSR 0x10: 0x000003e1 0xb106dded
> +-              _msr_h=$(echo "$_msr" | awk '{print $3}');
> +-              _msr_l=$(echo "$_msr" | awk '{print $4}');
> ++              _msr_h=$(echo "$_msr" | @awk@ '{print $3}');
> ++              _msr_l=$(echo "$_msr" | @awk@ '{print $4}');
> +               read_msr_value=$(( _msr_h << 32 | _msr_l ))
> +       else
> +               # for Linux
> +@@ -2528,15 +2528,15 @@ read_msr_one_core()
> +               # if rdmsr is available, use it
> +               elif command -v rdmsr >/dev/null 2>&1 && [
> "${SMC_NO_RDMSR:-}" != 1 ]; then
> +                       _debug "read_msr: using rdmsr on $_msr"
> +-                      read_msr_value=$(rdmsr -r $_msr_dec
> 2>/dev/null | od -t u8 -A n)
> ++                      read_msr_value=$(rdmsr -r $_msr_dec
> 2>/dev/null | @od@ -t u8 -A n)
> +               # or if we have perl, use it, any 5.x version will
> work
> +-              elif command -v perl >/dev/null 2>&1 && [
> "${SMC_NO_PERL:-}" != 1 ]; then
> ++              elif command -v @perl@ >/dev/null 2>&1 && [
> "${SMC_NO_PERL:-}" != 1 ]; then
> +                       _debug "read_msr: using perl on $_msr"
> +-                      read_msr_value=$(perl -e
> "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and
> read(M,\$_,8) and print" | od -t u8 -A n)
> ++                      read_msr_value=$(@perl@ -e
> "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and
> read(M,\$_,8) and print" | @od@ -t u8 -A n)
> +               # fallback to dd if it supports skip_bytes
> +-              elif dd if=/dev/null of=/dev/null bs=8 count=1
> skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
> ++              elif @dd@ if=/dev/null of=/dev/null bs=8 count=1
> skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
> +                       _debug "read_msr: using dd on $_msr"
> +-                      read_msr_value=$(dd if=/dev/cpu/"$_core"/msr
> bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8
> -A n)
> ++                      read_msr_value=$(@dd@
> if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec"
> iflag=skip_bytes 2>/dev/null | @od@ -t u8 -A n)
> +               else
> +                       _debug "read_msr: got no rdmsr, perl or
> recent enough dd!"
> +                       mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR")
> +@@ -2560,7 +2560,7 @@ check_cpu()
> + {
> +       _info "\033[1;34mHardware check\033[0m"
> +
> +-      if ! uname -m | grep -qwE 'x86_64|i[3-6]86|amd64'; then
> ++      if ! @uname@ -m | @grep@ -qwE 'x86_64|i[3-6]86|amd64'; then
> +               return
> +       fi
> +
> +@@ -3176,19 +3176,19 @@ check_redhat_canonical_spectre()
> +       # if we were already called, don't do it again
> +       [ -n "${redhat_canonical_spectre:-}" ] && return
> +
> +-      if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1;
> then
> ++      if ! command -v "@strings@" >/dev/null 2>&1; then
> +               redhat_canonical_spectre=-1
> +       elif [ -n "$kernel_err" ]; then
> +               redhat_canonical_spectre=-2
> +       else
> +               # Red Hat / Ubuntu specific variant1 patch is
> difficult to detect,
> +               # let's use the two same tricks than the official Red
> Hat detection script uses:
> +-              if "${opt_arch_prefix}strings" "$kernel" | grep -qw
> noibrs && "${opt_arch_prefix}strings" "$kernel" | grep -qw noibpb;
> then
> ++              if "@strings@" "$kernel" | @grep@ -qw noibrs &&
> "@strings@" "$kernel" | @grep@ -qw noibpb; then
> +                       # 1) detect their specific variant2 patch. If
> it's present, it means
> +                       # that the variant1 patch is also present
> (both were merged at the same time)
> +                       _debug "found redhat/canonical version of the
> variant2 patch (implies variant1)"
> +                       redhat_canonical_spectre=1
> +-              elif "${opt_arch_prefix}strings" "$kernel" | grep -q
> 'x86/pti:'; then
> ++              elif "@strings@" "$kernel" | @grep@ -q 'x86/pti:';
> then
> +                       # 2) detect their specific variant3 patch. If
> it's present, but the variant2
> +                       # is not, it means that only variant1 is
> present in addition to variant3
> +                       _debug "found redhat/canonical version of the
> variant3 patch (implies variant1 but not variant2)"
> +@@ -3213,13 +3213,13 @@ check_has_vmm()
> +               # If we find no evidence that this is the case,
> assume we're not (to avoid scaring users),
> +               # this can always be overridden with --vmm in any
> case.
> +               has_vmm=0
> +-              if command -v pgrep >/dev/null 2>&1; then
> ++              if command -v @pgrep@ >/dev/null 2>&1; then
> +                       # remove xenbus and xenwatch, also present
> inside domU
> +                       # remove libvirtd as it can also be used to
> manage containers and not VMs
> +                       # for each binary we want to grep, get the
> pids
> +                       for _binary in qemu kvm xenstored xenconsoled
> +                       do
> +-                              for _pid in $(pgrep -x $_binary)
> ++                              for _pid in $(@pgrep@ -x $_binary)
> +                               do
> +                                       # resolve the exe symlink, if
> it doesn't resolve with -m,
> +                                       # which doesn't even need the
> dest to exist, it means the symlink
> +@@ -3235,7 +3235,7 @@ check_has_vmm()
> +               else
> +                       # ignore SC2009 as `ps ax` is actually used
> as a fallback if `pgrep` isn't installed
> +                       # shellcheck disable=SC2009
> +-                      if command -v ps >/devnull && ps ax | grep -
> vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e
> '/xenstored' -e '/xenconsoled'; then
> ++                      if command -v ps >/devnull && ps ax | @grep@
> -vw grep | @grep@ -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e
> '/xenstored' -e '/xenconsoled'; then
> +                               has_vmm=1
> +                       fi
> +               fi
> +@@ -3267,7 +3267,7 @@ check_CVE_2017_5753()
> +       _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> +       if [ "$os" = Linux ]; then
> +               check_CVE_2017_5753_linux
> +-      elif echo "$os" | grep -q BSD; then
> ++      elif echo "$os" | @grep@ -q BSD; then
> +               check_CVE_2017_5753_bsd
> +       else
> +               _warn "Unsupported OS ($os)"
> +@@ -3319,20 +3319,20 @@ check_CVE_2017_5753_linux()
> +               v1_mask_nospec=''
> +               if [ -n "$kernel_err" ]; then
> +                       pstatus yellow UNKNOWN "couldn't check
> ($kernel_err)"
> +-              elif ! command -v perl >/dev/null 2>&1; then
> ++              elif ! command -v @perl@ >/dev/null 2>&1; then
> +                       pstatus yellow UNKNOWN "missing 'perl'
> binary, please install it"
> +               else
> +-                      perl -ne
> '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END {
> exit($found) }' "$kernel"; ret=$?
> ++                      @perl@ -ne
> '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END {
> exit($found) }' "$kernel"; ret=$?
> +                       if [ $ret -gt 0 ]; then
> +                               pstatus green YES "$ret occurrence(s)
> found of x86 64 bits array_index_mask_nospec()"
> +                               v1_mask_nospec="x86 64 bits
> array_index_mask_nospec"
> +                       else
> +-                              perl -ne
> '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END {
> exit($found) }' "$kernel"; ret=$?
> ++                              @perl@ -ne
> '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END {
> exit($found) }' "$kernel"; ret=$?
> +                               if [ $ret -gt 0 ]; then
> +                                       pstatus green YES "$ret
> occurrence(s) found of x86 32 bits array_index_mask_nospec()"
> +                                       v1_mask_nospec="x86 32 bits
> array_index_mask_nospec"
> +                               else
> +-
>                                       ret=$("${opt_arch_prefix}objdum
> p" $objdump_options "$kernel" | grep -w -e f3af8014 -e e320f014 -B2 |
> grep -B1 -w sbc | grep -w -c cmp)
> ++                                      ret=$("@objdump@"
> $objdump_options "$kernel" | @grep@ -w -e f3af8014 -e e320f014 -B2 |
> @grep@ -B1 -w sbc | @grep@ -w -c cmp)
> +                                       if [ "$ret" -gt 0 ]; then
> +                                               pstatus green YES
> "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()"
> +                                               v1_mask_nospec="arm
> 32 bits array_index_mask_nospec"
> +@@ -3376,12 +3376,12 @@ check_CVE_2017_5753_linux()
> +                       pstatus yellow NO
> +               elif [ -n "$kernel_err" ]; then
> +                       pstatus yellow UNKNOWN "couldn't check
> ($kernel_err)"
> +-              elif ! command -v perl >/dev/null 2>&1; then
> ++              elif ! command -v @perl@ >/dev/null 2>&1; then
> +                       pstatus yellow UNKNOWN "missing 'perl'
> binary, please install it"
> +-              elif ! command -v "${opt_arch_prefix}objdump"
> >/dev/null 2>&1; then
> ++              elif ! command -v "@objdump@" >/dev/null 2>&1; then
> +                       pstatus yellow UNKNOWN "missing
> '${opt_arch_prefix}objdump' tool, please install it, usually it's in
> the binutils package"
> +               else
> +-                      "${opt_arch_prefix}objdump" $objdump_options
> "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ &&
> $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ &&
> $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
> ++                      "@objdump@" $objdump_options "$kernel" |
> @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/
> && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift
> @r if @r>3'; ret=$?
> +                       if [ "$ret" -eq 9 ]; then
> +                               pstatus green YES "mask_nospec64
> macro is present and used"
> +                               v1_mask_nospec="arm64 mask_nospec64"
> +@@ -3403,12 +3403,12 @@ check_CVE_2017_5753_linux()
> +                       pstatus yellow NO
> +               elif [ -n "$kernel_err" ]; then
> +                       pstatus yellow UNKNOWN "couldn't check
> ($kernel_err)"
> +-              elif ! command -v perl >/dev/null 2>&1; then
> ++              elif ! command -v @perl@ >/dev/null 2>&1; then
> +                       pstatus yellow UNKNOWN "missing 'perl'
> binary, please install it"
> +-              elif ! command -v "${opt_arch_prefix}objdump"
> >/dev/null 2>&1; then
> ++              elif ! command -v "@objdump@" >/dev/null 2>&1; then
> +                       pstatus yellow UNKNOWN "missing
> '${opt_arch_prefix}objdump' tool, please install it, usually it's in
> the binutils package"
> +               else
> +-                      "${opt_arch_prefix}objdump" -d "$kernel" |
> perl -ne 'push @r, $_; /\s(hint|csdb)\s/ &&
> $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ &&
> $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9);
> shift @r if @r>3'; ret=$?
> ++                      "@objdump@" -d "$kernel" | @perl@ -ne 'push
> @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ &&
> $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9);
> shift @r if @r>3'; ret=$?
> +                       if [ "$ret" -eq 9 ]; then
> +                               pstatus green YES "array_index_nospec
> macro is present and used"
> +                               v1_mask_nospec="arm64
> array_index_nospec"
> +@@ -3424,7 +3424,7 @@ check_CVE_2017_5753_linux()
> +                       if [ -n "$kernel_err" ]; then
> +                               pstatus yellow UNKNOWN "couldn't
> check ($kernel_err)"
> +                       else
> +-                              if ! command -v
> "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
> ++                              if ! command -v "@objdump@"
> >/dev/null 2>&1; then
> +                                       pstatus yellow UNKNOWN
> "missing '${opt_arch_prefix}objdump' tool, please install it, usually
> it's in the binutils package"
> +                               else
> +                                       # here we disassemble the
> kernel and count the number of occurrences of the LFENCE opcode
> +@@ -3434,7 +3434,7 @@ check_CVE_2017_5753_linux()
> +                                       # so let's push the threshold
> to 70.
> +                                       # v0.33+: now only count
> lfence opcodes after a jump, way less error-prone
> +                                       # non patched kernel have
> between 0 and 20 matches, patched ones have at least 40-45
> +-
>                                       nb_lfence=$("${opt_arch_prefix}
> objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence
> | grep -Ewc 'jmp|jne|je')
> ++                                      nb_lfence=$("@objdump@"
> $objdump_options "$kernel" 2>/dev/null | @grep@ -w -B1 lfence |
> @grep@ -Ewc 'jmp|jne|je')
> +                                       if [ "$nb_lfence" -lt 30 ];
> then
> +                                               pstatus yellow NO
> "only $nb_lfence jump-then-lfence instructions found, should be >= 30
> (heuristic)"
> +                                       else
> +@@ -3505,7 +3505,7 @@ check_CVE_2017_5715()
> +       _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> +       if [ "$os" = Linux ]; then
> +               check_CVE_2017_5715_linux
> +-      elif echo "$os" | grep -q BSD; then
> ++      elif echo "$os" | @grep@ -q BSD; then
> +               check_CVE_2017_5715_bsd
> +       else
> +               _warn "Unsupported OS ($os)"
> +@@ -3547,13 +3547,13 @@ check_CVE_2017_5715_linux()
> +                                       #
> /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed
> +                                       specex_knob_dir=$dir
> +                                       ibrs_supported="$dir/ibrs_ena
> bled exists"
> +-                                      ibrs_enabled=$(cat
> "$dir/ibrs_enabled" 2>/dev/null)
> ++                                      ibrs_enabled=$(@cat@
> "$dir/ibrs_enabled" 2>/dev/null)
> +                                       _debug "ibrs: found
> $dir/ibrs_enabled=$ibrs_enabled"
> +                                       # if ibrs_enabled is there,
> ibpb_enabled will be in the same dir
> +                                       if [ -e "$dir/ibpb_enabled"
> ]; then
> +                                               # if the file is
> there, we have IBPB compiled-in (see note above for IBRS)
> +                                               ibpb_supported="$dir/
> ibpb_enabled exists"
> +-                                              ibpb_enabled=$(cat
> "$dir/ibpb_enabled" 2>/dev/null)
> ++                                              ibpb_enabled=$(@cat@
> "$dir/ibpb_enabled" 2>/dev/null)
> +                                               _debug "ibpb: found
> $dir/ibpb_enabled=$ibpb_enabled"
> +                                       else
> +                                               _debug "ibpb:
> $dir/ibpb_enabled file doesn't exist"
> +@@ -3568,7 +3568,7 @@ check_CVE_2017_5715_linux()
> +                       # which in that case means ibrs is supported
> *and* enabled for kernel & user
> +                       # as per the ibrs patch series v3
> +                       if [ -z "$ibrs_supported" ]; then
> +-                              if grep ^flags "$procfs/cpuinfo" |
> grep -qw spec_ctrl_ibrs; then
> ++                              if @grep@ ^flags "$procfs/cpuinfo" |
> @grep@ -qw spec_ctrl_ibrs; then
> +                                       _debug "ibrs: found
> spec_ctrl_ibrs flag in $procfs/cpuinfo"
> +                                       ibrs_supported="spec_ctrl_ibr
> s flag in $procfs/cpuinfo"
> +                                       # enabled=2 -> kernel & user
> +@@ -3578,13 +3578,13 @@ check_CVE_2017_5715_linux()
> +                       fi
> +                       if [ -n "$fullmsg" ]; then
> +                               # when IBPB is enabled on 4.15+, we
> can see it in sysfs
> +-                              if echo "$fullmsg" | grep -q 'IBPB';
> then
> ++                              if echo "$fullmsg" | @grep@ -q
> 'IBPB'; then
> +                                       _debug "ibpb: found enabled
> in sysfs"
> +                                       [ -z "$ibpb_supported" ] &&
> ibpb_supported='IBPB found enabled in sysfs'
> +                                       [ -z "$ibpb_enabled"   ] &&
> ibpb_enabled=1
> +                               fi
> +                               # when IBRS_FW is enabled on 4.15+,
> we can see it in sysfs
> +-                              if echo "$fullmsg" | grep -q ',
> IBRS_FW'; then
> ++                              if echo "$fullmsg" | @grep@ -q ',
> IBRS_FW'; then
> +                                       _debug "ibrs: found IBRS_FW
> in sysfs"
> +                                       [ -z "$ibrs_supported" ] &&
> ibrs_supported='found IBRS_FW in sysfs'
> +                                       ibrs_fw_enabled=1
> +@@ -3592,13 +3592,13 @@ check_CVE_2017_5715_linux()
> +                               # when IBRS is enabled on 4.15+, we
> can see it in sysfs
> +                               # on a more recent kernel, classic
> "IBRS" is not even longer an option, because of the performance
> impact.
> +                               # only "Enhanced IBRS" is available
> (on CPUs with the IBRS_ALL flag)
> +-                              if echo "$fullmsg" | grep -q -e
> '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
> ++                              if echo "$fullmsg" | @grep@ -q -e
> '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
> +                                       _debug "ibrs: found IBRS in
> sysfs"
> +                                       [ -z "$ibrs_supported" ] &&
> ibrs_supported='found IBRS in sysfs'
> +                                       [ -z "$ibrs_enabled"   ] &&
> ibrs_enabled=3
> +                               fi
> +                               # checking for 'Enhanced IBRS' in
> sysfs, enabled on CPUs with IBRS_ALL
> +-                              if echo "$fullmsg" | grep -q -e
> 'Enhanced IBRS'; then
> ++                              if echo "$fullmsg" | @grep@ -q -e
> 'Enhanced IBRS'; then
> +                                       [ -z "$ibrs_supported" ] &&
> ibrs_supported='found Enhanced IBRS in sysfs'
> +                                       # 4 isn't actually a valid
> value of the now extinct "ibrs_enabled" flag file,
> +                                       # that only went from 0 to 3,
> so we use 4 as "enhanced ibrs is enabled"
> +@@ -3617,11 +3617,11 @@ check_CVE_2017_5715_linux()
> +                       fi
> +               fi
> +               if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then
> +-                      if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++                      if ! command -v "@strings@" >/dev/null 2>&1;
> then
> +                               :
> +                       else
> +                               ibrs_can_tell=1
> +-
>                               ibrs_supported=$("${opt_arch_prefix}str
> ings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1)
> ++                              ibrs_supported=$("@strings@"
> "$kernel" | @grep@ -Fw -e ', IBRS_FW' | @head@ -1)
> +                               if [ -n "$ibrs_supported" ]; then
> +                                       _debug "ibrs: found ibrs
> evidence in kernel image ($ibrs_supported)"
> +                                       ibrs_supported="found
> '$ibrs_supported' in kernel image"
> +@@ -3630,7 +3630,7 @@ check_CVE_2017_5715_linux()
> +               fi
> +               if [ -z "$ibrs_supported" ] && [ -n "$opt_map" ];
> then
> +                       ibrs_can_tell=1
> +-                      if grep -q spec_ctrl "$opt_map"; then
> ++                      if @grep@ -q spec_ctrl "$opt_map"; then
> +                               ibrs_supported="found spec_ctrl in
> symbols file"
> +                               _debug "ibrs: found '*spec_ctrl*'
> symbol in $opt_map"
> +                       fi
> +@@ -3638,11 +3638,11 @@ check_CVE_2017_5715_linux()
> +               # recent (4.15) vanilla kernels have IBPB but not
> IBRS, and without the debugfs tunables of Red Hat
> +               # we can detect it directly in the image
> +               if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then
> +-                      if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++                      if ! command -v "@strings@" >/dev/null 2>&1;
> then
> +                               :
> +                       else
> +                               ibpb_can_tell=1
> +-
>                               ibpb_supported=$("${opt_arch_prefix}str
> ings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1)
> ++                              ibpb_supported=$("@strings@"
> "$kernel" | @grep@ -Fw -e 'ibpb' -e ', IBPB' | @head@ -1)
> +                               if [ -n "$ibpb_supported" ]; then
> +                                       _debug "ibpb: found ibpb
> evidence in kernel image ($ibpb_supported)"
> +                                       ibpb_supported="found
> '$ibpb_supported' in kernel image"
> +@@ -3691,9 +3691,9 @@ check_CVE_2017_5715_linux()
> +                                       2)      if [
> "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel, user
> space, and firmware code" ; else pstatus green YES "for both kernel
> and user space"; fi;;
> +                                       3)      if [
> "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and
> firmware code"; else pstatus green YES; fi;;
> +                                       4)      pstatus green YES
> "Enhanced flavor, performance impact will be greatly reduced";;
> +-                                      *)      if [ "$cpuid_ibrs" !=
> 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [
> "$cpuid_spec_ctrl" != -1 ];
> +-                                                      then pstatus
> yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
> +-                                              else
> ++                                      *)      if [ "$cpuid_ibrs" !=
> 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [
> "$cpuid_spec_ctrl" != -1 ];
> ++                                                      then pstatus
> yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
> ++                                              else
> +                                                       pstatus
> yellow UNKNOWN; fi;;
> +                               esac
> +                       fi
> +@@ -3744,7 +3744,7 @@ check_CVE_2017_5715_linux()
> +               bp_harden=''
> +               if [ -r "$opt_config" ]; then
> +                       bp_harden_can_tell=1
> +-                      bp_harden=$(grep -w
> 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
> ++                      bp_harden=$(@grep@ -w
> 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
> +                       if [ -n "$bp_harden" ]; then
> +                               pstatus green YES
> +                               _debug "bp_harden: found '$bp_harden'
> in $opt_config"
> +@@ -3752,7 +3752,7 @@ check_CVE_2017_5715_linux()
> +               fi
> +               if [ -z "$bp_harden" ] && [ -n "$opt_map" ]; then
> +                       bp_harden_can_tell=1
> +-                      bp_harden=$(grep -w bp_hardening_data
> "$opt_map")
> ++                      bp_harden=$(@grep@ -w bp_hardening_data
> "$opt_map")
> +                       if [ -n "$bp_harden" ]; then
> +                               pstatus green YES
> +                               _debug "bp_harden: found '$bp_harden'
> in $opt_map"
> +@@ -3770,11 +3770,11 @@ check_CVE_2017_5715_linux()
> +               # We check the RETPOLINE kernel options
> +               retpoline=0
> +               if [ -r "$opt_config" ]; then
> +-                      if grep -q '^CONFIG_RETPOLINE=y'
> "$opt_config"; then
> ++                      if @grep@ -q '^CONFIG_RETPOLINE=y'
> "$opt_config"; then
> +                               pstatus green YES
> +                               retpoline=1
> +                               # shellcheck disable=SC2046
> +-                              _debug 'retpoline: found '$(grep
> '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
> ++                              _debug 'retpoline: found '$(@grep@
> '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
> +                       else
> +                               pstatus yellow NO
> +                       fi
> +@@ -3795,8 +3795,8 @@ check_CVE_2017_5715_linux()
> +                       # since 5.15.28, this is now "Retpolines" as
> the implementation was switched to a generic one,
> +                       # so we look for both "retpoline" and
> "retpolines"
> +                       if [ "$opt_live" = 1 ] && [ -n "$fullmsg" ];
> then
> +-                              if echo "$fullmsg" | grep -qwi -e
> retpoline -e retpolines; then
> +-                                      if echo "$fullmsg" | grep -
> qwi minimal; then
> ++                              if echo "$fullmsg" | @grep@ -qwi -e
> retpoline -e retpolines; then
> ++                                      if echo "$fullmsg" | @grep@ -
> qwi minimal; then
> +                                               retpoline_compiler=0
> +                                               retpoline_compiler_re
> ason="kernel reports minimal retpoline compilation"
> +                                       else
> +@@ -3806,19 +3806,19 @@ check_CVE_2017_5715_linux()
> +                               fi
> +                       elif [ -n "$opt_map" ]; then
> +                               # look for the symbol
> +-                              if grep -qw noretpoline_setup
> "$opt_map"; then
> ++                              if @grep@ -qw noretpoline_setup
> "$opt_map"; then
> +                                       retpoline_compiler=1
> +                                       retpoline_compiler_reason="no
> retpoline_setup symbol found in System.map"
> +                               fi
> +                       elif [ -n "$kernel" ]; then
> +                               # look for the symbol
> +-                              if command -v "${opt_arch_prefix}nm"
> >/dev/null 2>&1; then
> ++                              if command -v "@nm@" >/dev/null 2>&1;
> then
> +                                       # the proper way: use nm and
> look for the symbol
> +-                                      if "${opt_arch_prefix}nm"
> "$kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then
> ++                                      if "@nm@" "$kernel"
> 2>/dev/null | @grep@ -qw 'noretpoline_setup'; then
> +                                               retpoline_compiler=1
> +                                               retpoline_compiler_re
> ason="noretpoline_setup found in kernel symbols"
> +                                       fi
> +-                              elif grep -q noretpoline_setup
> "$kernel"; then
> ++                              elif @grep@ -q noretpoline_setup
> "$kernel"; then
> +                                       # if we don't have nm,
> nevermind, the symbol name is long enough to not have
> +                                       # any false positive using
> good old grep directly on the binary
> +                                       retpoline_compiler=1
> +@@ -3847,7 +3847,7 @@ check_CVE_2017_5715_linux()
> +               retp_enabled=-1
> +               if [ "$opt_live" = 1 ]; then
> +                       if [ -e "$specex_knob_dir/retp_enabled" ];
> then
> +-                              retp_enabled=$(cat
> "$specex_knob_dir/retp_enabled" 2>/dev/null)
> ++                              retp_enabled=$(@cat@
> "$specex_knob_dir/retp_enabled" 2>/dev/null)
> +                               _debug "retpoline: found
> $specex_knob_dir/retp_enabled=$retp_enabled"
> +                               _info_nol "    * Retpoline is
> enabled: "
> +                               if [ "$retp_enabled" = 1 ]; then
> +@@ -3877,7 +3877,7 @@ check_CVE_2017_5715_linux()
> +                       rsb_filling=0
> +                       if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs"
> != 1 ]; then
> +                               # if we're live and we aren't denied
> looking into /sys, let's do it
> +-                              if echo "$msg" | grep -qw RSB; then
> ++                              if echo "$msg" | @grep@ -qw RSB; then
> +                                       rsb_filling=1
> +                                       pstatus green YES
> +                               fi
> +@@ -3886,7 +3886,7 @@ check_CVE_2017_5715_linux()
> +                               if [ -n "$kernel_err" ]; then
> +                                       pstatus yellow UNKNOWN
> "couldn't check ($kernel_err)"
> +                               else
> +-                                      if grep -qw -e 'Filling RSB
> on context switch' "$kernel"; then
> ++                                      if @grep@ -qw -e 'Filling RSB
> on context switch' "$kernel"; then
> +                                               rsb_filling=1
> +                                               pstatus green YES
> +                                       else
> +@@ -4048,7 +4048,7 @@ check_CVE_2017_5715_bsd()
> + {
> +       _info     "* Mitigation 1"
> +       _info_nol "  * Kernel supports IBRS: "
> +-      ibrs_disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null)
> ++      ibrs_disabled=$(@sysctl@ -n hw.ibrs_disable 2>/dev/null)
> +       if [ -z "$ibrs_disabled" ]; then
> +               pstatus yellow NO
> +       else
> +@@ -4056,7 +4056,7 @@ check_CVE_2017_5715_bsd()
> +       fi
> +
> +       _info_nol "  * IBRS enabled and active: "
> +-      ibrs_active=$(sysctl -n hw.ibrs_active 2>/dev/null)
> ++      ibrs_active=$(@sysctl@ -n hw.ibrs_active 2>/dev/null)
> +       if [ "$ibrs_active" = 1 ]; then
> +               pstatus green YES
> +       else
> +@@ -4069,10 +4069,10 @@ check_CVE_2017_5715_bsd()
> +       if [ -n "$kernel_err" ]; then
> +               pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
> +       else
> +-              if ! command -v "${opt_arch_prefix}readelf"
> >/dev/null 2>&1; then
> ++              if ! command -v "@readelf@" >/dev/null 2>&1; then
> +                       pstatus yellow UNKNOWN "missing
> '${opt_arch_prefix}readelf' tool, please install it, usually it's in
> the binutils package"
> +               else
> +-                      nb_thunks=$("${opt_arch_prefix}readelf" -s
> "$kernel" | grep -c -e __llvm_retpoline_ -e
> __llvm_external_retpoline_ -e __x86_indirect_thunk_)
> ++                      nb_thunks=$("@readelf@" -s "$kernel" | @grep@
> -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e
> __x86_indirect_thunk_)
> +                       if [ "$nb_thunks" -gt 0 ]; then
> +                               retpoline=1
> +                               pstatus green YES "found $nb_thunks
> thunk(s)"
> +@@ -4113,7 +4113,7 @@ check_CVE_2017_5715_bsd()
> + pti_performance_check()
> + {
> +       _info_nol "  * Reduced performance impact of PTI: "
> +-      if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo"
> | grep -qw pcid; then
> ++      if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags
> "$procfs/cpuinfo" | @grep@ -qw pcid; then
> +               cpu_pcid=1
> +       else
> +               read_cpuid 0x1 0x0 $ECX 17 1 1; ret=$?
> +@@ -4122,7 +4122,7 @@ pti_performance_check()
> +               fi
> +       fi
> +
> +-      if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo"
> | grep -qw invpcid; then
> ++      if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags
> "$procfs/cpuinfo" | @grep@ -qw invpcid; then
> +               cpu_invpcid=1
> +       else
> +               read_cpuid 0x7 0x0 $EBX 10 1 1; ret=$?
> +@@ -4147,7 +4147,7 @@ check_CVE_2017_5754()
> +       _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> +       if [ "$os" = Linux ]; then
> +               check_CVE_2017_5754_linux
> +-      elif echo "$os" | grep -q BSD; then
> ++      elif echo "$os" | @grep@ -q BSD; then
> +               check_CVE_2017_5754_bsd
> +       else
> +               _warn "Unsupported OS ($os)"
> +@@ -4169,7 +4169,7 @@ check_CVE_2017_5754_linux()
> +               kpti_can_tell=0
> +               if [ -n "$opt_config" ]; then
> +                       kpti_can_tell=1
> +-                      kpti_support=$(grep -w -e
> CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e
> CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
> ++                      kpti_support=$(@grep@ -w -e
> CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e
> CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
> +                       if [ -n "$kpti_support" ]; then
> +                               _debug "kpti_support: found option
> '$kpti_support' in $opt_config"
> +                       fi
> +@@ -4179,7 +4179,7 @@ check_CVE_2017_5754_linux()
> +                       # so we try to find an exported symbol that
> is part of the PTI patch in System.map
> +                       # parse_kpti: arm
> +                       kpti_can_tell=1
> +-                      kpti_support=$(grep -w -e kpti_force_enabled
> -e parse_kpti "$opt_map")
> ++                      kpti_support=$(@grep@ -w -e
> kpti_force_enabled -e parse_kpti "$opt_map")
> +                       if [ -n "$kpti_support" ]; then
> +                               _debug "kpti_support: found
> '$kpti_support' in $opt_map"
> +                       fi
> +@@ -4189,10 +4189,10 @@ check_CVE_2017_5754_linux()
> +                       # nopti option that is part of the patch
> (kernel command line option)
> +                       # 'kpti=': arm
> +                       kpti_can_tell=1
> +-                      if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++                      if ! command -v "@strings@" >/dev/null 2>&1;
> then
> +                               pstatus yellow UNKNOWN "missing
> '${opt_arch_prefix}strings' tool, please install it, usually it's in
> the binutils package"
> +                       else
> +-
>                               kpti_support=$("${opt_arch_prefix}strin
> gs" "$kernel" | grep -w -e nopti -e kpti=)
> ++                              kpti_support=$("@strings@" "$kernel"
> | @grep@ -w -e nopti -e kpti=)
> +                               if [ -n "$kpti_support" ]; then
> +                                       _debug "kpti_support: found
> '$kpti_support' in $kernel"
> +                               fi
> +@@ -4219,20 +4219,20 @@ check_CVE_2017_5754_linux()
> +                       dmesg_grep="$dmesg_grep|x86/pti: Unmapping
> kernel while in userspace"
> +                       # aarch64
> +                       dmesg_grep="$dmesg_grep|CPU features:
> detected( feature)?: Kernel page table isolation \(KPTI\)"
> +-                      if grep ^flags "$procfs/cpuinfo" | grep -qw
> pti; then
> ++                      if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -
> qw pti; then
> +                               # vanilla PTI patch sets the 'pti'
> flag in cpuinfo
> +                               _debug "kpti_enabled: found 'pti'
> flag in $procfs/cpuinfo"
> +                               kpti_enabled=1
> +-                      elif grep ^flags "$procfs/cpuinfo" | grep -qw
> kaiser; then
> ++                      elif @grep@ ^flags "$procfs/cpuinfo" | @grep@
> -qw kaiser; then
> +                               # kernel line 4.9 sets the 'kaiser'
> flag in cpuinfo
> +                               _debug "kpti_enabled: found 'kaiser'
> flag in $procfs/cpuinfo"
> +                               kpti_enabled=1
> +                       elif [ -e /sys/kernel/debug/x86/pti_enabled
> ]; then
> +                               # Red Hat Backport creates a
> dedicated file, see https://access.redhat.com/articles/3311301
> +-                              kpti_enabled=$(cat
> /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
> ++                              kpti_enabled=$(@cat@
> /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
> +                               _debug "kpti_enabled: file
> /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled"
> +                       elif is_xen_dom0; then
> +-                              pti_xen_pv_domU=$(xl dmesg | grep
> 'XPTI' | grep 'DomU enabled' | head -1)
> ++                              pti_xen_pv_domU=$(xl @dmesg@ | @grep@
> 'XPTI' | @grep@ 'DomU enabled' | @head@ -1)
> +
> +                               [ -n "$pti_xen_pv_domU" ] &&
> kpti_enabled=1
> +                       fi
> +@@ -4307,7 +4307,7 @@ check_CVE_2017_5754_linux()
> +                               if [ -n "$kpti_support" ]; then
> +                                       if [ -e
> "/sys/kernel/debug/x86/pti_enabled" ]; then
> +                                               explain "Your kernel
> supports PTI but it's disabled, you can enable it with \`echo 1 >
> /sys/kernel/debug/x86/pti_enabled\`"
> +-                                      elif echo "$kernel_cmdline" |
> grep -q -w -e nopti -e pti=off; then
> ++                                      elif echo "$kernel_cmdline" |
> @grep@ -q -w -e nopti -e pti=off; then
> +                                               explain "Your kernel
> supports PTI but it has been disabled on command-line, remove the
> nopti or pti=off option from your bootloader configuration"
> +                                       else
> +                                               explain "Your kernel
> supports PTI but it has been disabled, check \`dmesg\` right after
> boot to find clues why the system disabled it"
> +@@ -4358,7 +4358,7 @@ check_CVE_2017_5754_linux()
> + check_CVE_2017_5754_bsd()
> + {
> +       _info_nol "* Kernel supports Page Table Isolation (PTI): "
> +-      kpti_enabled=$(sysctl -n vm.pmap.pti 2>/dev/null)
> ++      kpti_enabled=$(@sysctl@ -n vm.pmap.pti 2>/dev/null)
> +       if [ -z "$kpti_enabled" ]; then
> +               pstatus yellow NO
> +       else
> +@@ -4429,7 +4429,7 @@ check_CVE_2018_3639()
> +       _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> +       if [ "$os" = Linux ]; then
> +               check_CVE_2018_3639_linux
> +-      elif echo "$os" | grep -q BSD; then
> ++      elif echo "$os" | @grep@ -q BSD; then
> +               check_CVE_2018_3639_bsd
> +       else
> +               _warn "Unsupported OS ($os)"
> +@@ -4448,33 +4448,33 @@ check_CVE_2018_3639_linux()
> +       if [ "$opt_sysfs_only" != 1 ]; then
> +               _info_nol "* Kernel supports disabling speculative
> store bypass (SSB): "
> +               if [ "$opt_live" = 1 ]; then
> +-                      if grep -Eq 'Speculation.?Store.?Bypass:'
> "$procfs/self/status" 2>/dev/null; then
> ++                      if @grep@ -Eq 'Speculation.?Store.?Bypass:'
> "$procfs/self/status" 2>/dev/null; then
> +                               kernel_ssb="found in
> $procfs/self/status"
> +                               _debug "found
> Speculation.Store.Bypass: in $procfs/self/status"
> +                       fi
> +               fi
> +               # arm64 kernels can have cpu_show_spec_store_bypass
> with ARM64_SSBD, so exclude them
> +-              if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! grep
> -q 'arm64_sys_' "$kernel"; then
> +-                      kernel_ssb=$("${opt_arch_prefix}strings"
> "$kernel" | grep spec_store_bypass | head -n1);
> ++              if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && !
> @grep@ -q 'arm64_sys_' "$kernel"; then
> ++                      kernel_ssb=$("@strings@" "$kernel" | @grep@
> spec_store_bypass | @head@ -n1);
> +                       [ -n "$kernel_ssb" ] && kernel_ssb="found
> $kernel_ssb in kernel"
> +               fi
> +               # arm64 kernels can have cpu_show_spec_store_bypass
> with ARM64_SSBD, so exclude them
> +-              if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && !
> grep -q 'arm64_sys_' "$opt_map"; then
> +-                      kernel_ssb=$(grep spec_store_bypass
> "$opt_map" | awk '{print $3}' | head -n1)
> ++              if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && !
> @grep@ -q 'arm64_sys_' "$opt_map"; then
> ++                      kernel_ssb=$(@grep@ spec_store_bypass
> "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
> +                       [ -n "$kernel_ssb" ] && kernel_ssb="found
> $kernel_ssb in System.map"
> +               fi
> +               # arm64 only:
> +               if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ]; then
> +-                      kernel_ssb=$(grep -w cpu_enable_ssbs
> "$opt_map" | awk '{print $3}' | head -n1)
> ++                      kernel_ssb=$(@grep@ -w cpu_enable_ssbs
> "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
> +                       [ -n "$kernel_ssb" ] && kernel_ssb="found
> $kernel_ssb in System.map"
> +               fi
> +               if [ -z "$kernel_ssb" ] && [ -n "$opt_config" ]; then
> +-                      kernel_ssb=$(grep -w 'CONFIG_ARM64_SSBD=y'
> "$opt_config")
> ++                      kernel_ssb=$(@grep@ -w 'CONFIG_ARM64_SSBD=y'
> "$opt_config")
> +                       [ -n "$kernel_ssb" ] &&
> kernel_ssb="CONFIG_ARM64_SSBD enabled in kconfig"
> +               fi
> +               if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then
> +                       # this string only appears in kernel if
> CONFIG_ARM64_SSBD is set
> +-                      kernel_ssb=$(grep -w "Speculative Store
> Bypassing Safe (SSBS)" "$kernel")
> ++                      kernel_ssb=$(@grep@ -w "Speculative Store
> Bypassing Safe (SSBS)" "$kernel")
> +                       [ -n "$kernel_ssb" ] && kernel_ssb="found
> 'Speculative Store Bypassing Safe (SSBS)' in kernel"
> +               fi
> +               # /arm64 only
> +@@ -4489,31 +4489,31 @@ check_CVE_2018_3639_linux()
> +               if [ "$opt_live" = 1 ]; then
> +                       #
> https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340
> +                       _info_nol "* SSB mitigation is enabled and
> active: "
> +-                      if grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status"
> 2>/dev/null; then
> ++                      if @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status"
> 2>/dev/null; then
> +                               kernel_ssbd_enabled=1
> +                               pstatus green YES "per-thread through
> prctl"
> +-                      elif grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated'
> "$procfs/self/status" 2>/dev/null; then
> ++                      elif @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated'
> "$procfs/self/status" 2>/dev/null; then
> +                               kernel_ssbd_enabled=2
> +                               pstatus green YES "global"
> +-                      elif grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable'
> "$procfs/self/status" 2>/dev/null; then
> ++                      elif @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable'
> "$procfs/self/status" 2>/dev/null; then
> +                               kernel_ssbd_enabled=0
> +                               pstatus yellow NO
> +-                      elif grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable'
> "$procfs/self/status" 2>/dev/null; then
> ++                      elif @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable'
> "$procfs/self/status" 2>/dev/null; then
> +                               kernel_ssbd_enabled=-2
> +                               pstatus blue NO "not vulnerable"
> +-                      elif grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+unknown'
> "$procfs/self/status" 2>/dev/null; then
> ++                      elif @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+unknown'
> "$procfs/self/status" 2>/dev/null; then
> +                               kernel_ssbd_enabled=0
> +                               pstatus blue NO
> +                       else
> +-                              pstatus blue UNKNOWN "unknown value:
> $(grep -E 'Speculation.?Store.?Bypass:' "$procfs/self/status"
> 2>/dev/null | cut -d: -f2-)"
> ++                              pstatus blue UNKNOWN "unknown value:
> $(@grep@ -E 'Speculation.?Store.?Bypass:' "$procfs/self/status"
> 2>/dev/null | @cut@ -d: -f2-)"
> +                       fi
> +
> +                       if [ "$kernel_ssbd_enabled" = 1 ]; then
> +                               _info_nol "* SSB mitigation currently
> active for selected processes: "
> +                               # silence grep's stderr here to avoid
> ENOENT errors from processes that have exited since the shell's
> expansion of the *
> +-                              mitigated_processes=$(find /proc -
> mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
> +-                                      | xargs -r0 grep -El
> 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated'
> 2>/dev/null \
> +-                                      | sed s/status/exe/ | xargs -
> r -n1 readlink -f 2>/dev/null | xargs -r -n1 basename | sort -u | tr
> "\n" " " | sed 's/ $//')
> ++                              mitigated_processes=$(@find@ /proc -
> mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
> ++                                      | @xargs@ -r0 @grep@ -El
> 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated'
> 2>/dev/null \
> ++                                      | @sed@ s/status/exe/ |
> @xargs@ -r -n1 readlink -f 2>/dev/null | @xargs@ -r -n1 @basename@ |
> @sort@ -u | @tr@ "\n" " " | @sed@ 's/ $//')
> +                               if [ -n "$mitigated_processes" ];
> then
> +                                       pstatus green YES
> "$mitigated_processes"
> +                               else
> +@@ -4565,7 +4565,7 @@ check_CVE_2018_3639_linux()
> + check_CVE_2018_3639_bsd()
> + {
> +       _info_nol "* Kernel supports speculation store bypass: "
> +-      if sysctl hw.spec_store_bypass_disable >/dev/null 2>&1; then
> ++      if @sysctl@ hw.spec_store_bypass_disable >/dev/null 2>&1;
> then
> +               kernel_ssb=1
> +               pstatus green YES
> +       else
> +@@ -4574,7 +4574,7 @@ check_CVE_2018_3639_bsd()
> +       fi
> +
> +       _info_nol "* Speculation store bypass is administratively
> enabled: "
> +-      ssb_enabled=$(sysctl -n hw.spec_store_bypass_disable
> 2>/dev/null)
> ++      ssb_enabled=$(@sysctl@ -n hw.spec_store_bypass_disable
> 2>/dev/null)
> +       _debug "hw.spec_store_bypass_disable=$ssb_enabled"
> +       case "$ssb_enabled" in
> +               0) pstatus yellow NO "disabled";;
> +@@ -4584,7 +4584,7 @@ check_CVE_2018_3639_bsd()
> +       esac
> +
> +       _info_nol "* Speculation store bypass is currently active: "
> +-      ssb_active=$(sysctl -n hw.spec_store_bypass_disable_active
> 2>/dev/null)
> ++      ssb_active=$(@sysctl@ -n hw.spec_store_bypass_disable_active
> 2>/dev/null)
> +       _debug "hw.spec_store_bypass_disable_active=$ssb_active"
> +       case "$ssb_active" in
> +               1) pstatus green YES;;
> +@@ -4656,7 +4656,7 @@ check_CVE_2018_3620()
> +       _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> +       if [ "$os" = Linux ]; then
> +               check_CVE_2018_3620_linux
> +-      elif echo "$os" | grep -q BSD; then
> ++      elif echo "$os" | @grep@ -q BSD; then
> +               check_CVE_2018_3620_bsd
> +       else
> +               _warn "Unsupported OS ($os)"
> +@@ -4674,14 +4674,14 @@ check_CVE_2018_3620_linux()
> +       fi
> +       if [ "$opt_sysfs_only" != 1 ]; then
> +               _info_nol "* Kernel supports PTE inversion: "
> +-              if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++              if ! command -v "@strings@" >/dev/null 2>&1; then
> +                       pstatus yellow UNKNOWN "missing 'strings'
> tool, please install it"
> +                       pteinv_supported=-1
> +               elif [ -n "$kernel_err" ]; then
> +                       pstatus yellow UNKNOWN "$kernel_err"
> +                       pteinv_supported=-1
> +               else
> +-                      if "${opt_arch_prefix}strings" "$kernel" |
> grep -Fq 'PTE Inversion'; then
> ++                      if "@strings@" "$kernel" | @grep@ -Fq 'PTE
> Inversion'; then
> +                               pstatus green YES "found in kernel
> image"
> +                               _debug "pteinv: found pte inversion
> evidence in kernel image"
> +                               pteinv_supported=1
> +@@ -4694,7 +4694,7 @@ check_CVE_2018_3620_linux()
> +               _info_nol "* PTE inversion enabled and active: "
> +               if [ "$opt_live" = 1 ]; then
> +                       if [ -n "$fullmsg" ]; then
> +-                              if echo "$fullmsg" | grep -q
> 'Mitigation: PTE Inversion'; then
> ++                              if echo "$fullmsg" | @grep@ -q
> 'Mitigation: PTE Inversion'; then
> +                                       pstatus green YES
> +                                       pteinv_active=1
> +                               else
> +@@ -4742,7 +4742,7 @@ check_CVE_2018_3620_bsd()
> +       else
> +               _debug "vmm module already loaded"
> +       fi
> +-      if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
> ++      if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
> +               #
> https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
> +               # this is very difficult to detect that the kernel
> reserved the 0 page, but this fix
> +               # is part of the exact same patch than the other L1TF
> CVE, so we detect it
> +@@ -4772,7 +4772,7 @@ check_CVE_2018_3646()
> +       _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> +       if [ "$os" = Linux ]; then
> +               check_CVE_2018_3646_linux
> +-      elif echo "$os" | grep -q BSD; then
> ++      elif echo "$os" | @grep@ -q BSD; then
> +               check_CVE_2018_3646_bsd
> +       else
> +               _warn "Unsupported OS ($os)"
> +@@ -4798,7 +4798,7 @@ check_CVE_2018_3646_linux()
> +               if [ "$opt_live" = 1 ]; then
> +                       if ! [ -r
> /sys/module/kvm_intel/parameters/ept ]; then
> +                               pstatus blue N/A "the kvm_intel
> module is not loaded"
> +-                      elif [ "$(cat
> /sys/module/kvm_intel/parameters/ept)" = N ]; then
> ++                      elif [ "$(@cat@
> /sys/module/kvm_intel/parameters/ept)" = N ]; then
> +                               pstatus green YES
> +                               ept_disabled=1
> +                       else
> +@@ -4810,15 +4810,15 @@ check_CVE_2018_3646_linux()
> +
> +               _info "* Mitigation 2"
> +               _info_nol "  * L1D flush is supported by kernel: "
> +-              if [ "$opt_live" = 1 ] && grep -qw flush_l1d
> "$procfs/cpuinfo"; then
> ++              if [ "$opt_live" = 1 ] && @grep@ -qw flush_l1d
> "$procfs/cpuinfo"; then
> +                       l1d_kernel="found flush_l1d in
> $procfs/cpuinfo"
> +               fi
> +               if [ -z "$l1d_kernel" ]; then
> +-                      if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++                      if ! command -v "@strings@" >/dev/null 2>&1;
> then
> +                               l1d_kernel_err="missing
> '${opt_arch_prefix}strings' tool, please install it, usually it's in
> the binutils package"
> +                       elif [ -n "$kernel_err" ]; then
> +                               l1d_kernel_err="$kernel_err"
> +-                      elif "${opt_arch_prefix}strings" "$kernel" |
> grep -qw flush_l1d; then
> ++                      elif "@strings@" "$kernel" | @grep@ -qw
> flush_l1d; then
> +                               l1d_kernel='found flush_l1d in kernel
> image'
> +                       fi
> +               fi
> +@@ -4839,20 +4839,20 @@ check_CVE_2018_3646_linux()
> +                               # $l1dstatus is one of
> (auto|vulnerable|conditional cache flushes|cache flushes|EPT
> disabled|flush not necessary)
> +                               # $smtstatus is one of
> (vulnerable|disabled)
> +                               # can also just be "Not affected"
> +-                              if echo "$fullmsg" | grep -Eq -e 'Not
> affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not
> necessary)'; then
> ++                              if echo "$fullmsg" | @grep@ -Eq -e
> 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not
> necessary)'; then
> +                                       l1d_mode=0
> +                                       pstatus yellow NO
> +-                              elif echo "$fullmsg" | grep -Eq
> '(VMX:|L1D) conditional cache flushes'; then
> ++                              elif echo "$fullmsg" | @grep@ -Eq
> '(VMX:|L1D) conditional cache flushes'; then
> +                                       l1d_mode=1
> +                                       pstatus green YES
> "conditional flushes"
> +-                              elif echo "$fullmsg" | grep -Eq
> '(VMX:|L1D) cache flushes'; then
> ++                              elif echo "$fullmsg" | @grep@ -Eq
> '(VMX:|L1D) cache flushes'; then
> +                                       l1d_mode=2
> +                                       pstatus green YES
> "unconditional flushes"
> +                               else
> +                                       if is_xen_dom0; then
> +-                                              l1d_xen_hardware=$(xl
> dmesg | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -1)
> +-
>                                               l1d_xen_hypervisor=$(xl
> dmesg | grep 'Xen settings:' | grep 'L1D_FLUSH' | head -1)
> +-                                              l1d_xen_pv_domU=$(xl
> dmesg | grep 'PV L1TF shadowing:' | grep 'DomU enabled' | head -1)
> ++                                              l1d_xen_hardware=$(xl
> @dmesg@ | @grep@ 'Hardware features:' | @grep@ 'L1D_FLUSH' | @head@ -
> 1)
> ++                                              l1d_xen_hypervisor=$(
> xl @dmesg@ | @grep@ 'Xen settings:' | @grep@ 'L1D_FLUSH' | @head@ -1)
> ++                                              l1d_xen_pv_domU=$(xl
> @dmesg@ | @grep@ 'PV L1TF shadowing:' | @grep@ 'DomU enabled' |
> @head@ -1)
> +
> +                                               if [ -n
> "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n
> "$l1d_xen_pv_domU" ]; then
> +                                                       l1d_mode=5
> +@@ -4883,7 +4883,7 @@ check_CVE_2018_3646_linux()
> +
> +               _info_nol "  * Hardware-backed L1D flush supported: "
> +               if [ "$opt_live" = 1 ]; then
> +-                      if grep -qw flush_l1d "$procfs/cpuinfo" || [
> -n "$l1d_xen_hardware" ]; then
> ++                      if @grep@ -qw flush_l1d "$procfs/cpuinfo" ||
> [ -n "$l1d_xen_hardware" ]; then
> +                               pstatus green YES "performance impact
> of the mitigation will be greatly reduced"
> +                       else
> +                               pstatus blue NO "flush will be done
> in software, this is slower"
> +@@ -4955,7 +4955,7 @@ check_CVE_2018_3646_linux()
> + check_CVE_2018_3646_bsd()
> + {
> +       _info_nol "* Kernel supports L1D flushing: "
> +-      if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
> ++      if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
> +               pstatus green YES
> +               kernel_l1d_supported=1
> +       else
> +@@ -4964,7 +4964,7 @@ check_CVE_2018_3646_bsd()
> +       fi
> +
> +       _info_nol "* L1D flushing is enabled: "
> +-      kernel_l1d_enabled=$(sysctl -n hw.vmm.vmx.l1d_flush
> 2>/dev/null)
> ++      kernel_l1d_enabled=$(@sysctl@ -n hw.vmm.vmx.l1d_flush
> 2>/dev/null)
> +       case "$kernel_l1d_enabled" in
> +               0) pstatus yellow NO;;
> +               1) pstatus green YES;;
> +@@ -5018,7 +5018,7 @@ check_CVE_2018_12127()
> + ###################
> + # MDSUM SECTION
> +
> +-# Microarchitectural Data Sampling Uncacheable Memory
> ++# Microarchitectural Data Sampling Uncacheable Memory
> + check_CVE_2019_11091()
> + {
> +       cve='CVE-2019-11091'
> +@@ -5032,7 +5032,7 @@ check_mds()
> +       _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> +       if [ "$os" = Linux ]; then
> +               check_mds_linux "$cve"
> +-      elif echo "$os" | grep -q BSD; then
> ++      elif echo "$os" | @grep@ -q BSD; then
> +               check_mds_bsd "$cve"
> +       else
> +               _warn "Unsupported OS ($os)"
> +@@ -5043,7 +5043,7 @@ check_mds_bsd()
> + {
> +       _info_nol "* Kernel supports using MD_CLEAR mitigation: "
> +       if [ "$opt_live" = 1 ]; then
> +-              if sysctl hw.mds_disable >/dev/null 2>&1; then
> ++              if @sysctl@ hw.mds_disable >/dev/null 2>&1; then
> +                       pstatus green YES
> +                       kernel_md_clear=1
> +               else
> +@@ -5051,7 +5051,7 @@ check_mds_bsd()
> +                       kernel_md_clear=0
> +               fi
> +       else
> +-              if grep -Fq hw.mds_disable $opt_kernel; then
> ++              if @grep@ -Fq hw.mds_disable $opt_kernel; then
> +                       pstatus green YES
> +                       kernel_md_clear=1
> +               else
> +@@ -5061,8 +5061,8 @@ check_mds_bsd()
> +       fi
> +
> +       _info_nol "* CPU Hyper-Threading (SMT) is disabled: "
> +-      if sysctl machdep.hyperthreading_allowed >/dev/null 2>&1;
> then
> +-              kernel_smt_allowed=$(sysctl -n
> machdep.hyperthreading_allowed 2>/dev/null)
> ++      if @sysctl@ machdep.hyperthreading_allowed >/dev/null 2>&1;
> then
> ++              kernel_smt_allowed=$(@sysctl@ -n
> machdep.hyperthreading_allowed 2>/dev/null)
> +               if [ "$kernel_smt_allowed" = 1 ]; then
> +                       pstatus yellow NO
> +               else
> +@@ -5074,7 +5074,7 @@ check_mds_bsd()
> +
> +       _info_nol "* Kernel mitigation is enabled: "
> +       if [ "$kernel_md_clear" = 1 ]; then
> +-              kernel_mds_enabled=$(sysctl -n hw.mds_disable
> 2>/dev/null)
> ++              kernel_mds_enabled=$(@sysctl@ -n hw.mds_disable
> 2>/dev/null)
> +       else
> +               kernel_mds_enabled=0
> +       fi
> +@@ -5088,7 +5088,7 @@ check_mds_bsd()
> +
> +       _info_nol "* Kernel mitigation is active: "
> +       if [ "$kernel_md_clear" = 1 ]; then
> +-              kernel_mds_state=$(sysctl -n hw.mds_disable_state
> 2>/dev/null)
> ++              kernel_mds_state=$(@sysctl@ -n hw.mds_disable_state
> 2>/dev/null)
> +       else
> +               kernel_mds_state=inactive
> +       fi
> +@@ -5146,16 +5146,16 @@ check_mds_linux()
> +               _info_nol "* Kernel supports using MD_CLEAR
> mitigation: "
> +               kernel_md_clear=''
> +               kernel_md_clear_can_tell=1
> +-              if [ "$opt_live" = 1 ] && grep ^flags
> "$procfs/cpuinfo" | grep -qw md_clear; then
> ++              if [ "$opt_live" = 1 ] && @grep@ ^flags
> "$procfs/cpuinfo" | @grep@ -qw md_clear; then
> +                       kernel_md_clear="md_clear found in
> $procfs/cpuinfo"
> +                       pstatus green YES "$kernel_md_clear"
> +               fi
> +               if [ -z "$kernel_md_clear" ]; then
> +-                      if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++                      if ! command -v "@strings@" >/dev/null 2>&1;
> then
> +                               kernel_md_clear_can_tell=0
> +                       elif [ -n "$kernel_err" ]; then
> +                               kernel_md_clear_can_tell=0
> +-                      elif "${opt_arch_prefix}strings" "$kernel" |
> grep -q 'Clear CPU buffers'; then
> ++                      elif "@strings@" "$kernel" | @grep@ -q 'Clear
> CPU buffers'; then
> +                               _debug "md_clear: found 'Clear CPU
> buffers' string in kernel image"
> +                               kernel_md_clear='found md_clear
> implementation evidence in kernel image'
> +                               pstatus green YES "$kernel_md_clear"
> +@@ -5171,7 +5171,7 @@ check_mds_linux()
> +
> +               if [ "$opt_live" = 1 ] && [
> "$sys_interface_available" = 1 ]; then
> +                       _info_nol "* Kernel mitigation is enabled and
> active: "
> +-                      if echo "$fullmsg" | grep -qi ^mitigation;
> then
> ++                      if echo "$fullmsg" | @grep@ -qi ^mitigation;
> then
> +                               mds_mitigated=1
> +                               pstatus green YES
> +                       else
> +@@ -5179,7 +5179,7 @@ check_mds_linux()
> +                               pstatus yellow NO
> +                       fi
> +                       _info_nol "* SMT is either mitigated or
> disabled: "
> +-                      if echo "$fullmsg" | grep -Eq 'SMT
> (disabled|mitigated)'; then
> ++                      if echo "$fullmsg" | @grep@ -Eq 'SMT
> (disabled|mitigated)'; then
> +                               mds_smt_mitigated=1
> +                               pstatus green YES
> +                       else
> +@@ -5265,7 +5265,7 @@ check_CVE_2019_11135()
> +       _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> +       if [ "$os" = Linux ]; then
> +               check_CVE_2019_11135_linux
> +-      elif echo "$os" | grep -q BSD; then
> ++      elif echo "$os" | @grep@ -q BSD; then
> +               check_CVE_2019_11135_bsd
> +       else
> +               _warn "Unsupported OS ($os)"
> +@@ -5286,7 +5286,7 @@ check_CVE_2019_11135_linux()
> +               kernel_taa=''
> +               if [ -n "$kernel_err" ]; then
> +                       kernel_taa_err="$kernel_err"
> +-              elif grep -q 'tsx_async_abort' "$kernel"; then
> ++              elif @grep@ -q 'tsx_async_abort' "$kernel"; then
> +                       kernel_taa="found tsx_async_abort in kernel
> image"
> +               fi
> +               if [ -n "$kernel_taa" ]; then
> +@@ -5300,7 +5300,7 @@ check_CVE_2019_11135_linux()
> +               _info_nol "* TAA mitigation enabled and active: "
> +               if [ "$opt_live" = 1 ]; then
> +                       if [ -n "$fullmsg" ]; then
> +-                              if echo "$fullmsg" | grep -qE
> '^Mitigation'; then
> ++                              if echo "$fullmsg" | @grep@ -qE
> '^Mitigation'; then
> +                                       pstatus green YES "$fullmsg"
> +                               else
> +                                       pstatus yellow NO
> +@@ -5335,9 +5335,9 @@ check_CVE_2019_11135_linux()
> +       else
> +               if [ "$opt_paranoid" = 1 ]; then
> +                       # in paranoid mode, TSX or SMT enabled are
> not OK, even if TAA is mitigated
> +-                      if ! echo "$fullmsg" | grep -qF 'TSX
> disabled'; then
> ++                      if ! echo "$fullmsg" | @grep@ -qF 'TSX
> disabled'; then
> +                               pvulnstatus $cve VULN "TSX must be
> disabled for full mitigation"
> +-                      elif echo "$fullmsg" | grep -qF 'SMT
> vulnerable'; then
> ++                      elif echo "$fullmsg" | @grep@ -qF 'SMT
> vulnerable'; then
> +                               pvulnstatus $cve VULN "SMT
> (HyperThreading) must be disabled for full mitigation"
> +                       else
> +                               pvulnstatus $cve "$status" "$msg"
> +@@ -5367,7 +5367,7 @@ check_CVE_2018_12207()
> +       _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> +       if [ "$os" = Linux ]; then
> +               check_CVE_2018_12207_linux
> +-      elif echo "$os" | grep -q BSD; then
> ++      elif echo "$os" | @grep@ -q BSD; then
> +               check_CVE_2018_12207_bsd
> +       else
> +               _warn "Unsupported OS ($os)"
> +@@ -5391,7 +5391,7 @@ check_CVE_2018_12207_linux()
> +               if [ -n "$kernel_err" ]; then
> +                       kernel_itlbmh_err="$kernel_err"
> +               # commit 5219505fcbb640e273a0d51c19c38de0100ec5a9
> +-              elif grep -q 'itlb_multihit' "$kernel"; then
> ++              elif @grep@ -q 'itlb_multihit' "$kernel"; then
> +                       kernel_itlbmh="found itlb_multihit in kernel
> image"
> +               fi
> +               if [ -n "$kernel_itlbmh" ]; then
> +@@ -5405,7 +5405,7 @@ check_CVE_2018_12207_linux()
> +               _info_nol "* iTLB Multihit mitigation enabled and
> active: "
> +               if [ "$opt_live" = 1 ]; then
> +                       if [ -n "$fullmsg" ]; then
> +-                              if echo "$fullmsg" | grep -qF
> 'Mitigation'; then
> ++                              if echo "$fullmsg" | @grep@ -qF
> 'Mitigation'; then
> +                                       pstatus green YES "$fullmsg"
> +                               else
> +                                       pstatus yellow NO
> +@@ -5447,7 +5447,7 @@ check_CVE_2018_12207_linux()
> + check_CVE_2018_12207_bsd()
> + {
> +       _info_nol "* Kernel supports disabling superpages for
> executable mappings under EPT: "
> +-      kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept
> 2>/dev/null)
> ++      kernel_2m_x_ept=$(@sysctl@ -n vm.pmap.allow_2m_x_ept
> 2>/dev/null)
> +       if [ -z "$kernel_2m_x_ept" ]; then
> +               pstatus yellow NO
> +       else
> +@@ -5484,7 +5484,7 @@ check_CVE_2020_0543()
> +       _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> +       if [ "$os" = Linux ]; then
> +               check_CVE_2020_0543_linux
> +-      elif echo "$os" | grep -q BSD; then
> ++      elif echo "$os" | @grep@ -q BSD; then
> +               check_CVE_2020_0543_bsd
> +       else
> +               _warn "Unsupported OS ($os)"
> +@@ -5505,7 +5505,7 @@ check_CVE_2020_0543_linux()
> +               kernel_srbds=''
> +               if [ -n "$kernel_err" ]; then
> +                       kernel_srbds_err="$kernel_err"
> +-              elif grep -q 'Dependent on hypervisor' "$kernel";
> then
> ++              elif @grep@ -q 'Dependent on hypervisor' "$kernel";
> then
> +                       kernel_srbds="found SRBDS implementation
> evidence in kernel image. Your kernel is up to date for SRBDS
> mitigation"
> +               fi
> +               if [ -n "$kernel_srbds" ]; then
> +@@ -5518,7 +5518,7 @@ check_CVE_2020_0543_linux()
> +               _info_nol "* SRBDS mitigation control is enabled and
> active: "
> +               if [ "$opt_live" = 1 ]; then
> +                       if [ -n "$fullmsg" ]; then
> +-                              if echo "$fullmsg" | grep -qE
> '^Mitigation'; then
> ++                              if echo "$fullmsg" | @grep@ -qE
> '^Mitigation'; then
> +                                       pstatus green YES "$fullmsg"
> +                               else
> +                                       pstatus yellow NO
> +@@ -5608,8 +5608,8 @@ fi
> + # now run the checks the user asked for
> + for cve in $supported_cve_list
> + do
> +-      if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | grep -qw
> "$cve"; then
> +-              check_"$(echo "$cve" | tr - _)"
> ++      if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | @grep@ -
> qw "$cve"; then
> ++              check_"$(echo "$cve" | @tr@ - _)"
> +               _info
> +       fi
> + done
> +@@ -5623,17 +5623,17 @@ if [ "$bad_accuracy" = 1 ]; then
> +       _warn "We're missing some kernel info (see -v), accuracy
> might be reduced"
> + fi
> +
> +-_vars=$(set | grep -Ev '^[A-Z_[:space:]]' | grep -v -F 'mockme=' |
> sort | tr "\n" '|')
> ++_vars=$(set | @grep@ -Ev '^[A-Z_[:space:]]' | @grep@ -v -F
> 'mockme=' | @sort@ | @tr@ "\n" '|')
> + _debug "variables at end of script: $_vars"
> +
> + if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
> +-      if command -v "gzip" >/dev/null 2>&1; then
> ++      if command -v "@gzip@" >/dev/null 2>&1; then
> +               # not a useless use of cat: gzipping cpuinfo directly
> doesn't work well
> +               # shellcheck disable=SC2002
> +-              if command -v "base64" >/dev/null 2>&1; then
> +-                      mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c |
> base64 -w0)"
> +-              elif command -v "uuencode" >/dev/null 2>&1; then
> +-                      mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c |
> uuencode -m - | grep -Fv 'begin-base64' | grep -Fxv -- '====' | tr -d
> "\n")"
> ++              if command -v "@base64@" >/dev/null 2>&1; then
> ++                      mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@
> -c | @base64@ -w0)"
> ++              elif command -v "@uuencode@" >/dev/null 2>&1; then
> ++                      mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@
> -c | @uuencode@ -m - | @grep@ -Fv 'begin-base64' | @grep@ -Fxv --
> '====' | @tr@ -d "\n")"
> +               fi
> +       fi
> +       if [ -n "$mock_cpuinfo" ]; then
> +@@ -5642,7 +5642,7 @@ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ];
> then
> +       fi
> +       _info ""
> +       # shellcheck disable=SC2046
> +-      _warn "To mock this CPU, set those vars: "$(echo "$mockme" |
> sort -u)
> ++      _warn "To mock this CPU, set those vars: "$(echo "$mockme" |
> @sort@ -u)
> + fi
> +
> + if [ "$opt_explain" = 0 ]; then
> +--
> +2.38.1
> +
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-
> guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-
> checker-support-guix-system-kernel.patch
> new file mode 100644
> index 0000000000..afec52b418
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-
> system-kernel.patch
> @@ -0,0 +1,26 @@
> +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Sat, 5 Nov 2022 23:22:31 +0800
> +Subject: [PATCH] Add support for Guix System kernel.
> +
> +---
> + spectre-meltdown-checker.sh | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 248a444..855a090 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
> +               [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> +               # NixOS:
> +               [ -e "/run/booted-system/kernel" ] &&
> opt_kernel="/run/booted-system/kernel"
> ++              # Guix System:
> ++              [ -e "/run/booted-system/kernel/bzImage" ] &&
> opt_kernel="/run/booted-system/kernel/bzImage"
> +               # systemd kernel-install:
> +               [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux"
> +               # Clear Linux:
> +
> +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
> +--
> +2.38.0
> 
> base-commit: 2757de2e2b271d87f6f72ba4161c2225fbdc9e78
> --
> 2.38.1
Cheers

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [bug#59053] [PATCH v5] gnu: Add spectre-meltdown-checker.
  2022-11-12 16:58                 ` Liliana Marie Prikler
@ 2022-11-13 13:09                   ` Hilton Chain via Guix-patches via
  2022-11-13 22:02                     ` bug#59053: " Liliana Marie Prikler
  0 siblings, 1 reply; 12+ messages in thread
From: Hilton Chain via Guix-patches via @ 2022-11-13 13:09 UTC (permalink / raw)
  To: Liliana Marie Prikler; +Cc: 59053

* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
v4 -> v5: No more an extra patch for substitution.

 gnu/local.mk                                  |   2 +
 gnu/packages/linux.scm                        | 130 ++++++++++
 ...ker-remove-builtin-firmware-database.patch | 243 ++++++++++++++++++
 ...n-checker-support-guix-system-kernel.patch |  26 ++
 4 files changed, 401 insertions(+)
 create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
 create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index e3e02314bb..1e85790983 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1857,6 +1857,8 @@ dist_patch_DATA =						\
   %D%/packages/patches/syslinux-strip-gnu-property.patch	\
   %D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch	\
   %D%/packages/patches/snappy-add-inline-for-GCC.patch		\
+  %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \
+  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
   %D%/packages/patches/sphinxbase-fix-doxygen.patch		\
   %D%/packages/patches/spice-vdagent-glib-2.68.patch		\
   %D%/packages/patches/sssd-optional-systemd.patch		\
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index fea33dfa0b..03b7ce46b0 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9595,3 +9595,133 @@ (define-public edac-utils
 error detection and correction (EDAC).")
     (home-page "https://github.com/grondo/edac-utils")
     (license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+  (package
+    (name "spectre-meltdown-checker")
+    (version "0.45")
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "https://github.com/speed47/spectre-meltdown-checker")
+                    (commit (string-append "v" version))))
+              (file-name (git-file-name name version))
+              (patches
+               (search-patches
+                "spectre-meltdown-checker-remove-builtin-firmware-database.patch"
+                ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+                "spectre-meltdown-checker-support-guix-system-kernel.patch"))
+              ;; Remove builtin firmware database.
+              (modules '((guix build utils)))
+              (snippet '(substitute* "spectre-meltdown-checker.sh"
+                          (("^# [AI],.*") "")))
+              (sha256
+               (base32
+                "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+    (build-system copy-build-system)
+    (arguments
+     (list
+      #:install-plan
+      #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+      #:phases
+      #~(modify-phases %standard-phases
+          (add-after 'unpack 'fixpath
+            (lambda* (#:key inputs #:allow-other-keys)
+              (define* (find-command inputs cmd #:optional (bin "bin")
+                                     #:key (prefix "") (suffix ""))
+                (string-append
+                 prefix (search-input-file inputs (string-append bin "/" cmd))
+                 suffix))
+              (substitute* "spectre-meltdown-checker.sh"
+                ;; ${opt_arch_prefix}CMD
+                (((string-append
+                   "\\$\\{opt_arch_prefix\\}"
+                   "\\<(nm|objdump|readelf|strings)\\>") all cmd)
+                 (find-command inputs cmd))
+
+                ;; dd
+                (("(dd)( if=)" all cmd suffix)
+                 (find-command inputs cmd #:suffix suffix))
+
+                ;; Commands safe to substitute directly.
+                (((string-append "\\<(" (string-join
+                                         (list "awk"
+                                               "basename"
+                                               "dirname"
+                                               "bunzip2"
+                                               "gunzip"
+                                               "gzip"
+                                               "lz4"
+                                               "lzop"
+                                               "modprobe"
+                                               "pgrep"
+                                               "rmmod"
+                                               "umount"
+                                               "unlzma"
+                                               "unxz"
+                                               "unzstd"
+                                               "uuencode")
+                                         "|")
+                                 ")\\>") all cmd)
+                 (find-command inputs cmd))
+
+                ;; Search by suffix.
+                ;; CMD -
+                ;; CMD ^
+                (((string-append "\\<(" (string-join
+                                         (list "base64"
+                                               "cut"
+                                               "grep"
+                                               "head"
+                                               "id"
+                                               "mount"
+                                               "mktemp"
+                                               "od"
+                                               "perl"
+                                               "rm"
+                                               "uname"
+                                               "xargs")
+                                         "|")
+                                 ")\\>( [-^])") all cmd suffix)
+                 (find-command inputs cmd #:suffix suffix))
+                ;; CMD |
+                (("(dmesg)( \\|)" all cmd suffix)
+                 (find-command inputs cmd #:suffix suffix))
+
+                ;; Then prefix
+                ;; | CMD
+                (("(\\| )\\<(grep|sed|sort|stat|tr)\\>" all prefix cmd)
+                 (find-command inputs cmd #:prefix prefix))
+                ;; $(CMD
+                (("(\\$\\( *)(sysctl)" all prefix cmd)
+                 (find-command inputs cmd "sbin" #:prefix prefix))
+                (("(\\$\\()\\<(cat|find|grep|mount|nproc|stat|tr)\\>" all prefix cmd)
+                 (find-command inputs cmd #:prefix prefix))
+                ;; if CMD
+                (("(if )(sysctl)" all prefix cmd)
+                 (find-command inputs cmd "sbin" #:prefix prefix))
+                ;; command -v CMD
+                (("(command -v) \"*\\<(base64|nproc|perl|printf)\\>\"*" all prefix cmd)
+                 (find-command inputs cmd #:prefix prefix))
+
+                ;; Cats are mysterious...
+                ;; cat <<EOF
+                (("(cat)( <<EOF)" all cmd suffix)
+                 (find-command inputs cmd #:suffix suffix))
+                ;; cat "$
+                (("(cat)(\"\\$)" all cmd suffix)
+                 (find-command inputs cmd #:suffix suffix))
+                ;; 'cat'
+                (("(')(cat)(')" all prefix cmd suffix)
+                 (find-command inputs cmd #:prefix prefix #:suffix suffix))
+                ;; "cat"
+                (("(\")(cat)(\")" all prefix cmd suffix)
+                 (find-command inputs cmd #:prefix prefix #:suffix suffix))))))))
+    (inputs (list kmod lz4 lzop perl procps sharutils util-linux zstd))
+    (home-page "https://github.com/speed47/spectre-meltdown-checker")
+    (synopsis "CPU vulnerability / mitigation checker")
+    (description
+     "This package provides a shell script to assess your system's resilience
+against the several transient execution CVEs that were published since early
+2018, and give you guidance as to how to mitigate them.")
+    (license license:gpl3)))
diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
new file mode 100644
index 0000000000..809763cf4f
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
@@ -0,0 +1,243 @@
+From 340b08737e552c3c186863d76d123808d853a159 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 12 Nov 2022 22:45:24 +0800
+Subject: [PATCH] Remove builtin firmware database.
+
+1. Remove downloading function.
+2. Add option for supplying a local database.
+---
+ spectre-meltdown-checker.sh | 180 +++---------------------------------
+ 1 file changed, 15 insertions(+), 165 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 30f760c..ce46970 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -22,8 +22,6 @@ exit_cleanup()
+ 	[ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
+ 	[ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && rm -f "$kerneltmp"
+ 	[ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] && rm -f "$kerneltmp2"
+-	[ -n "${mcedb_tmp:-}"     ] && [ -f "$mcedb_tmp"     ] && rm -f "$mcedb_tmp"
+-	[ -n "${intel_tmp:-}"     ] && [ -d "$intel_tmp"     ] && rm -rf "$intel_tmp"
+ 	[ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
+ 	[ "${mounted_procfs:-}"  = 1 ] && umount "$procfs" 2>/dev/null
+ 	[ "${insmod_cpuid:-}"    = 1 ] && rmmod cpuid 2>/dev/null
+@@ -93,9 +91,7 @@ show_usage()
+ 		--vmm [auto,yes,no]	override the detection of the presence of a hypervisor, default: auto
+ 		--allow-msr-write	allow probing for write-only MSRs, this might produce kernel logs or be blocked by your system
+ 		--cpu [#,all]		interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
+-		--update-fwdb		update our local copy of the CPU microcodes versions database (using the awesome
+-					MCExtractor project and the Intel firmwares GitHub repository)
+-		--update-builtin-fwdb	same as --update-fwdb but update builtin DB inside the script itself
++		--with-fwdb FILE	supply the CPU microcodes versions database
+ 		--dump-mock-data	used to mimick a CPU on an other system, mainly used to help debugging this script
+ 
+ 	Return codes:
+@@ -837,147 +833,6 @@ show_header()
+ 	_info
+ }
+ 
+-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
+-mcedb_cache="$HOME/.mcedb"
+-update_fwdb()
+-{
+-	show_header
+-
+-	set -e
+-
+-	if [ -r "$mcedb_cache" ]; then
+-		previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+-	fi
+-
+-	# first, download the MCE.db from the excellent platomav's MCExtractor project
+-	mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
+-	mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+-	_info_nol "Fetching MCE.db from the MCExtractor project... "
+-	if command -v wget >/dev/null 2>&1; then
+-		wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+-	elif command -v curl >/dev/null 2>&1; then
+-		curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+-	elif command -v fetch >/dev/null 2>&1; then
+-		fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+-	else
+-		echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
+-		return 1
+-	fi
+-	if [ "$ret" != 0 ]; then
+-		echo ERROR "error $ret while downloading MCE.db"
+-		return $ret
+-	fi
+-	echo DONE
+-
+-	# second, get the Intel firmwares from GitHub
+-	intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
+-	intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+-	_info_nol "Fetching Intel firmwares... "
+-	## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+-	if command -v wget >/dev/null 2>&1; then
+-		wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+-	elif command -v curl >/dev/null 2>&1; then
+-		curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+-	elif command -v fetch >/dev/null 2>&1; then
+-		fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+-	else
+-		echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
+-		return 1
+-	fi
+-	if [ "$ret" != 0 ]; then
+-		echo ERROR "error $ret while downloading Intel firmwares"
+-		return $ret
+-	fi
+-	echo DONE
+-
+-	# now extract MCEdb contents using sqlite
+-	_info_nol "Extracting MCEdb data... "
+-	if ! command -v sqlite3 >/dev/null 2>&1; then
+-		echo ERROR "please install the \`sqlite3\` program"
+-		return 1
+-	fi
+-	mcedb_revision=$(sqlite3 "$mcedb_tmp" "select revision from MCE")
+-	if [ -z "$mcedb_revision" ]; then
+-		echo ERROR "downloaded file seems invalid"
+-		return 1
+-	fi
+-	sqlite3 "$mcedb_tmp" "alter table Intel add column origin text"
+-	sqlite3 "$mcedb_tmp" "update Intel set origin='mce'"
+-
+-	echo OK "MCExtractor database revision $mcedb_revision"
+-
+-	# parse Intel firmwares to get their versions
+-	_info_nol "Integrating Intel firmwares data to db... "
+-	if ! command -v unzip >/dev/null 2>&1; then
+-		echo ERROR "please install the \`unzip\` program"
+-		return 1
+-	fi
+-	( cd "$intel_tmp" && unzip fw.zip >/dev/null; )
+-	if ! [ -d "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" ]; then
+-		echo ERROR "expected the 'intel-ucode' folder in the downloaded zip file"
+-		return 1
+-	fi
+-
+-	if ! command -v iucode_tool >/dev/null 2>&1; then
+-		if ! command -v iucode-tool >/dev/null 2>&1; then
+-			echo ERROR "please install the \`iucode-tool\` program"
+-			return 1
+-		else
+-			iucode_tool="iucode-tool"
+-		fi
+-	else
+-		iucode_tool="iucode_tool"
+-	fi
+-	#  079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev 0x0217, size 5120
+-	#  078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev 0x0107, size 5120
+-	$iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
+-	do
+-		_line=$(   echo "$_line" | tr -d ',')
+-		_cpuid=$(  echo "$_line" | awk '{print $3}')
+-		_cpuid=$(( _cpuid ))
+-		_cpuid=$(printf "0x%08X" "$_cpuid")
+-		_date=$(   echo "$_line" | awk '{print $6}' | tr -d '-')
+-		_version=$(echo "$_line" | awk '{print $8}')
+-		_version=$(( _version ))
+-		_version=$(printf "0x%08X" "$_version")
+-		_sqlstm="$(printf "INSERT INTO Intel (origin,cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")"
+-		sqlite3 "$mcedb_tmp" "$_sqlstm"
+-	done
+-	_intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
+-	if [ -n "$_intel_timestamp" ]; then
+-		# use this date, it matches the last commit date
+-		_intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp")
+-	else
+-		echo "Falling back to the latest microcode date"
+-		_intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT yyyymmdd from Intel WHERE origin = 'intel' ORDER BY yyyymmdd DESC LIMIT 1;")
+-	fi
+-	echo DONE "(version $_intel_latest_date)"
+-
+-	dbversion="$mcedb_revision+i$_intel_latest_date"
+-
+-	if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [ "$previous_dbversion" = "v$dbversion" ]; then
+-		echo "We already have this version locally, no update needed"
+-		return 0
+-	fi
+-
+-	_info_nol "Building local database... "
+-	{
+-		echo "# Spectre & Meltdown Checker";
+-		echo "# %%% MCEDB v$dbversion";
+-		sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+-		sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD   AS t1 LEFT OUTER JOIN AMD   AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+-	} > "$mcedb_cache"
+-	echo DONE "(version $dbversion)"
+-
+-	if [ "$1" = builtin ]; then
+-		newfile=$(mktemp -t smc-builtin-XXXXXX)
+-		awk '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+-		awk '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+-		cat "$newfile" > "$0"
+-		rm -f "$newfile"
+-	fi
+-}
+-
+ parse_opt_file()
+ {
+ 	# parse_opt_file option_name option_value
+@@ -1067,12 +922,15 @@ while [ -n "${1:-}" ]; do
+ 		# deprecated, kept for compatibility
+ 		opt_explain=0
+ 		shift
+-	elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then
+-		update_fwdb
+-		exit $?
+-	elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
+-		update_fwdb builtin
+-		exit $?
++	elif [ "$1" = "--with-fwdb" ] || [ "$1" = "--with-mcedb" ]; then
++	        opt_fwdb=$2
++		if [ -f "$opt_fwdb" ]; then
++		        mcedb_cache=$2
++		else
++		        echo "$0: error: --with-fwdb should be a file, got '$opt_fwdb'" >&2
++		        exit 255
++		fi
++		shift 2
+ 	elif [ "$1" = "--dump-mock-data" ]; then
+ 		opt_mock=1
+ 		shift
+@@ -2033,21 +1891,11 @@ is_xen_domU()
+ 	fi
+ }
+ 
+-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ 	# we have a local cache file, but it might be older than the builtin version we have
+ 	local_dbversion=$(  awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+-	# sort -V sorts by version number
+-	older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | sort -V | head -n1)
+-	if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+-		mcedb_source="$mcedb_cache"
+-		mcedb_info="local firmwares DB $local_dbversion"
+-	fi
+-fi
+-# if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db
+-if [ -z "${mcedb_source:-}" ]; then
+-	mcedb_source="$0"
+-	mcedb_info="builtin firmwares DB $builtin_dbversion"
++	mcedb_source="$mcedb_cache"
++	mcedb_info="local firmwares DB $local_dbversion"
+ fi
+ read_mcedb()
+ {
+@@ -2063,7 +1911,9 @@ is_latest_known_ucode()
+ 		return 2
+ 	fi
+ 	ucode_latest="latest microcode version for your CPU model is unknown"
+-	if is_intel; then
++	if [ -z "$mcedb_source" ]; then
++	        return 2
++	elif is_intel; then
+ 		cpu_brand_prefix=I
+ 	elif is_amd; then
+ 		cpu_brand_prefix=A
+-- 
+2.38.1
+
diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
new file mode 100644
index 0000000000..afec52b418
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
@@ -0,0 +1,26 @@
+From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 5 Nov 2022 23:22:31 +0800
+Subject: [PATCH] Add support for Guix System kernel.
+
+---
+ spectre-meltdown-checker.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 248a444..855a090 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
+ 		[ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
+ 		# NixOS:
+ 		[ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
++		# Guix System:
++		[ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ 		# systemd kernel-install:
+ 		[ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
+ 		# Clear Linux:
+
+base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
+--
+2.38.0

base-commit: 80d10fa413cf43439f9ab94b6f69fe68811156da
-- 
2.38.1





^ permalink raw reply related	[flat|nested] 12+ messages in thread

* bug#59053: [PATCH v5] gnu: Add spectre-meltdown-checker.
  2022-11-13 13:09                   ` [bug#59053] [PATCH v5] " Hilton Chain via Guix-patches via
@ 2022-11-13 22:02                     ` Liliana Marie Prikler
  0 siblings, 0 replies; 12+ messages in thread
From: Liliana Marie Prikler @ 2022-11-13 22:02 UTC (permalink / raw)
  To: Hilton Chain; +Cc: 59053-done

Am Sonntag, dem 13.11.2022 um 21:09 +0800 schrieb Hilton Chain:
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch:
> New file.
> * gnu/local.mk (dist_patch_DATA): Add patches.
I renamed the patches for the ChangeLog, slightly rewrote their
explanations, ...

>  gnu/local.mk                                  |   2 +
>  gnu/packages/linux.scm                        | 130 ++++++++++
>  ...ker-remove-builtin-firmware-database.patch | 243
> ++++++++++++++++++
>  ...n-checker-support-guix-system-kernel.patch |  26 ++
>  4 files changed, 401 insertions(+)
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> remove-builtin-firmware-database.patch
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
> 
> diff --git a/gnu/local.mk b/gnu/local.mk
> index e3e02314bb..1e85790983 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1857,6 +1857,8 @@ dist_patch_DATA
> =                                         \
>    %D%/packages/patches/syslinux-strip-gnu-property.patch       \
>    %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch      \
>    %D%/packages/patches/snappy-add-inline-for-GCC.patch         \
> +  %D%/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch \
> +  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
>    %D%/packages/patches/sphinxbase-fix-doxygen.patch            \
>    %D%/packages/patches/spice-vdagent-glib-2.68.patch           \
>    %D%/packages/patches/sssd-optional-systemd.patch             \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index fea33dfa0b..03b7ce46b0 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9595,3 +9595,133 @@ (define-public edac-utils
>  error detection and correction (EDAC).")
>      (home-page "https://github.com/grondo/edac-utils")
>      (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> +  (package
> +    (name "spectre-meltdown-checker")
> +    (version "0.45")
> +    (source (origin
> +              (method git-fetch)
> +              (uri (git-reference
> +                    (url
> "https://github.com/speed47/spectre-meltdown-checker")
> +                    (commit (string-append "v" version))))
> +              (file-name (git-file-name name version))
> +              (patches
> +               (search-patches
> +                "spectre-meltdown-checker-remove-builtin-firmware-
> database.patch"
> +                ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> +                "spectre-meltdown-checker-support-guix-system-
> kernel.patch"))
> +              ;; Remove builtin firmware database.
> +              (modules '((guix build utils)))
> +              (snippet '(substitute* "spectre-meltdown-checker.sh"
> +                          (("^# [AI],.*") "")))
> +              (sha256
> +               (base32
> +               
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> +    (build-system copy-build-system)
> +    (arguments
> +     (list
> +      #:install-plan
> +      #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> +      #:phases
> +      #~(modify-phases %standard-phases
> +          (add-after 'unpack 'fixpath
> +            (lambda* (#:key inputs #:allow-other-keys)
> +              (define* (find-command inputs cmd #:optional (bin
> "bin")
> +                                     #:key (prefix "") (suffix ""))
> +                (string-append
> +                 prefix (search-input-file inputs (string-append bin
> "/" cmd))
> +                 suffix))
> +              (substitute* "spectre-meltdown-checker.sh"
> +                ;; ${opt_arch_prefix}CMD
> +                (((string-append
> +                   "\\$\\{opt_arch_prefix\\}"
> +                   "\\<(nm|objdump|readelf|strings)\\>") all cmd)
> +                 (find-command inputs cmd))
> +
> +                ;; dd
> +                (("(dd)( if=)" all cmd suffix)
> +                 (find-command inputs cmd #:suffix suffix))
> +
> +                ;; Commands safe to substitute directly.
> +                (((string-append "\\<(" (string-join
> +                                         (list "awk"
> +                                               "basename"
> +                                               "dirname"
> +                                               "bunzip2"
> +                                               "gunzip"
> +                                               "gzip"
> +                                               "lz4"
> +                                               "lzop"
> +                                               "modprobe"
> +                                               "pgrep"
> +                                               "rmmod"
> +                                               "umount"
> +                                               "unlzma"
> +                                               "unxz"
> +                                               "unzstd"
> +                                               "uuencode")
> +                                         "|")
> +                                 ")\\>") all cmd)
replaced these "clever" tricks with dumber ones,
> +                 (find-command inputs cmd))
> +
> +                ;; Search by suffix.
> +                ;; CMD -
> +                ;; CMD ^
> +                (((string-append "\\<(" (string-join
> +                                         (list "base64"
> +                                               "cut"
> +                                               "grep"
> +                                               "head"
> +                                               "id"
> +                                               "mount"
> +                                               "mktemp"
> +                                               "od"
> +                                               "perl"
> +                                               "rm"
> +                                               "uname"
> +                                               "xargs")
> +                                         "|")
> +                                 ")\\>( [-^])") all cmd suffix)
> +                 (find-command inputs cmd #:suffix suffix))
> +                ;; CMD |
> +                (("(dmesg)( \\|)" all cmd suffix)
> +                 (find-command inputs cmd #:suffix suffix))
> +
> +                ;; Then prefix
> +                ;; | CMD
> +                (("(\\| )\\<(grep|sed|sort|stat|tr)\\>" all prefix
> cmd)
> +                 (find-command inputs cmd #:prefix prefix))
> +                ;; $(CMD
> +                (("(\\$\\( *)(sysctl)" all prefix cmd)
> +                 (find-command inputs cmd "sbin" #:prefix prefix))
> +               
> (("(\\$\\()\\<(cat|find|grep|mount|nproc|stat|tr)\\>" all prefix cmd)
> +                 (find-command inputs cmd #:prefix prefix))
> +                ;; if CMD
> +                (("(if )(sysctl)" all prefix cmd)
> +                 (find-command inputs cmd "sbin" #:prefix prefix))
> +                ;; command -v CMD
> +                (("(command -v)
> \"*\\<(base64|nproc|perl|printf)\\>\"*" all prefix cmd)
> +                 (find-command inputs cmd #:prefix prefix))
> +
> +                ;; Cats are mysterious...
> +                ;; cat <<EOF
> +                (("(cat)( <<EOF)" all cmd suffix)
> +                 (find-command inputs cmd #:suffix suffix))
> +                ;; cat "$
> +                (("(cat)(\"\\$)" all cmd suffix)
> +                 (find-command inputs cmd #:suffix suffix))
> +                ;; 'cat'
> +                (("(')(cat)(')" all prefix cmd suffix)
> +                 (find-command inputs cmd #:prefix prefix #:suffix
> suffix))
> +                ;; "cat"
> +                (("(\")(cat)(\")" all prefix cmd suffix)
> +                 (find-command inputs cmd #:prefix prefix #:suffix
> suffix))))))))
> +    (inputs (list kmod lz4 lzop perl procps sharutils util-linux
> zstd))
> +    (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> +    (synopsis "CPU vulnerability / mitigation checker")
> +    (description
> +     "This package provides a shell script to assess your system's
> resilience
> +against the several transient execution CVEs that were published
> since early
> +2018, and give you guidance as to how to mitigate them.")
> +    (license license:gpl3)))
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-
> builtin-firmware-database.patch b/gnu/packages/patches/spectre-
> meltdown-checker-remove-builtin-firmware-database.patch
> new file mode 100644
> index 0000000000..809763cf4f
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch
> @@ -0,0 +1,243 @@
> +From 340b08737e552c3c186863d76d123808d853a159 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Sat, 12 Nov 2022 22:45:24 +0800
> +Subject: [PATCH] Remove builtin firmware database.
> +
> +1. Remove downloading function.
> +2. Add option for supplying a local database.
> +---
> + spectre-meltdown-checker.sh | 180 +++------------------------------
> ---
> + 1 file changed, 15 insertions(+), 165 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 30f760c..ce46970 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -22,8 +22,6 @@ exit_cleanup()
> +       [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm
> -f "$dumped_config"
> +       [ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && rm
> -f "$kerneltmp"
> +       [ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] && rm
> -f "$kerneltmp2"
> +-      [ -n "${mcedb_tmp:-}"     ] && [ -f "$mcedb_tmp"     ] && rm
> -f "$mcedb_tmp"
> +-      [ -n "${intel_tmp:-}"     ] && [ -d "$intel_tmp"     ] && rm
> -rf "$intel_tmp"
> +       [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug
> 2>/dev/null
> +       [ "${mounted_procfs:-}"  = 1 ] && umount "$procfs"
> 2>/dev/null
> +       [ "${insmod_cpuid:-}"    = 1 ] && rmmod cpuid 2>/dev/null
> +@@ -93,9 +91,7 @@ show_usage()
> +               --vmm [auto,yes,no]     override the detection of the
> presence of a hypervisor, default: auto
> +               --allow-msr-write       allow probing for write-only
> MSRs, this might produce kernel logs or be blocked by your system
> +               --cpu [#,all]           interact with CPUID and MSR
> of CPU core number #, or all (default: CPU core 0)
> +-              --update-fwdb           update our local copy of the
> CPU microcodes versions database (using the awesome
> +-                                      MCExtractor project and the
> Intel firmwares GitHub repository)
> +-              --update-builtin-fwdb   same as --update-fwdb but
> update builtin DB inside the script itself
> ++              --with-fwdb FILE        supply the CPU microcodes
> versions database
and added a note regarding the (lack of) freedom for proprietary
microcode.

I also added your name and email to the authors of linux.scm, since
this was a very non-trivial package.

Cheers

^ permalink raw reply	[flat|nested] 12+ messages in thread

end of thread, other threads:[~2022-11-13 22:03 UTC | newest]

Thread overview: 12+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-11-05 15:57 [bug#59053] [PATCH] gnu: Add spectre-meltdown-checker Hilton Chain via Guix-patches via
2022-11-05 16:45 ` Liliana Marie Prikler
2022-11-11 11:10   ` [bug#59053] [PATCH v2] " Hilton Chain via Guix-patches via
2022-11-11 15:13     ` Liliana Marie Prikler
2022-11-12 12:14       ` [bug#59053] [PATCH v3] " Hilton Chain via Guix-patches via
2022-11-12 12:28         ` Liliana Marie Prikler
2022-11-12 12:50           ` Hilton Chain via Guix-patches via
2022-11-12 13:40             ` Liliana Marie Prikler
2022-11-12 15:15               ` [bug#59053] [PATCH v4] " Hilton Chain via Guix-patches via
2022-11-12 16:58                 ` Liliana Marie Prikler
2022-11-13 13:09                   ` [bug#59053] [PATCH v5] " Hilton Chain via Guix-patches via
2022-11-13 22:02                     ` bug#59053: " Liliana Marie Prikler

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.