Package: guix-patches;
Reported by: phodina <phodina <at> protonmail.com>
Date: Thu, 5 Aug 2021 17:02:01 UTC
Severity: normal
Tags: moreinfo, patch
Merged with 59053
Done: Liliana Marie Prikler <liliana.prikler <at> gmail.com>
Bug is archived. No further changes may be made.
Message #43 received at control <at> debbugs.gnu.org:
From: Liliana Marie Prikler <liliana.prikler <at> gmail.com>
To: Hilton Chain <hako <at> ultrarare.space>, 59053 <at> debbugs.gnu.org
Cc: control <at> debbugs.gnu.org
Subject: Re: [PATCH] gnu: Add spectre-meltdown-checker.
Date: Sat, 05 Nov 2022 17:45:41 +0100
merge 59053 49898
thanks

Hi Hilton,

thanks for the renewed interest in spectre-meltdown-checker. See the other thread for a general discussion, but I'll repeat the most important points.

On Saturday, 05.11.2022 at 23:57 +0800, Hilton Chain wrote:
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch: New file.
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/local.mk (dist_patch_DATA): Add it.

Note that "Add it" lost its context because the new variable is between it and the file added.

> --- > gnu/local.mk | 1 + > gnu/packages/linux.scm | 41 > +++++++++++++++++++ > ...n-checker-support-guix-system-kernel.patch | 26 ++++++++++++ > 3 files changed, 68 insertions(+) > create mode 100644 gnu/packages/patches/spectre-meltdown-checker- > support-guix-system-kernel.patch > > diff --git a/gnu/local.mk b/gnu/local.mk > index eb6ac3df58..88c1fa6278 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -1848,6 +1848,7 @@ dist_patch_DATA > = \ > %D%/packages/patches/syslinux-strip-gnu-property.patch \ > %D%/packages/patches/snappy-add-O2-flag-in- > CmakeLists.txt.patch \ > %D%/packages/patches/snappy-add-inline-for-GCC.patch \ > + %D%/packages/patches/spectre-meltdown-checker-support-guix-system- > kernel.patch \ > %D%/packages/patches/sphinxbase-fix-doxygen.patch \ > %D%/packages/patches/spice-vdagent-glib-2.68.patch \ > %D%/packages/patches/sssd-optional-systemd.patch \ > diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm > index cf11a7fc1b..db199869a7 100644 > --- a/gnu/packages/linux.scm > +++ b/gnu/packages/linux.scm 
> @@ -9512,3 +9512,44 @@ (define-public tp-smapi-module > @acronym{SMAPI, System Management Application Program Interface} and > direct > access to the embedded controller.") > (license license:gpl2+))) > + > +(define-public spectre-meltdown-checker > + (package > + (name "spectre-meltdown-checker") > + (version "0.45") > + (source (origin > + (method git-fetch) > + (uri (git-reference > + (url > "https://github.com/speed47/spectre-meltdown-checker") > + (commit (string-append "v" version)))) > + (file-name (git-file-name name version)) > + (patches > + (search-patches > + ;; > https://github.com/speed47/spectre-meltdown-checker/pull/441 > + "spectre-meltdown-checker-support-guix-system- > kernel.patch")) > + (sha256 > + (base32 > + > "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8")))) > + (build-system copy-build-system) > + (arguments > + (list #:install-plan > + #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown- > checker")) > + #:phases > + #~(modify-phases %standard-phases > + (add-after 'unpack 'fixpath > + (lambda* (#:key inputs #:allow-other-keys) > + (substitute* "spectre-meltdown-checker.sh" > + (("\\$\\{opt_arch_prefix\\}readelf") > + (search-input-file inputs "/bin/readelf")) > + (("perl") > + (search-input-file inputs "/bin/perl"))))))))

I'm pretty sure readelf and perl are not the only commands invoked.

> + (inputs (list binutils perl)) > + (home-page > "https://github.com/speed47/spectre-meltdown-checker") > + (synopsis > + "Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad > vulnerability / > +mitigation checker for Linux & BSD")

"for Linux & BSD" is gratuitous information imho. As for the vulnerabilities listed in the synopsis, surely there must be a way of shortening that.

> + (description > + "A shell script to assess your system's resilience against the > several > +transient execution CVEs that were published since early 2018, and > give you > +guidance as to how to mitigate them.")

Not a full sentence.
> + (license license:gpl3))) > diff --git a/gnu/packages/patches/spectre-meltdown-checker-support- > guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown- > checker-support-guix-system-kernel.patch > new file mode 100644 > index 0000000000..afec52b418 > --- /dev/null > +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix- > system-kernel.patch > @@ -0,0 +1,26 @@ > +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 > 2001 > +From: Hilton Chain <hako <at> ultrarare.space> > +Date: Sat, 5 Nov 2022 23:22:31 +0800 > +Subject: [PATCH] Add support for Guix System kernel. > + > +--- > + spectre-meltdown-checker.sh | 2 ++ > + 1 file changed, 2 insertions(+) > + > +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown- > checker.sh > +index 248a444..855a090 100755 > +--- a/spectre-meltdown-checker.sh > ++++ b/spectre-meltdown-checker.sh > +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then > + [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" > ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)" > + # NixOS: > + [ -e "/run/booted-system/kernel" ] && > opt_kernel="/run/booted-system/kernel" > ++ # Guix System: > ++ [ -e "/run/booted-system/kernel/bzImage" ] && > opt_kernel="/run/booted-system/kernel/bzImage" > + # systemd kernel-install: > + [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat > /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat > /etc/machine-id)/$(uname -r)/linux" > + # Clear Linux: > + > +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183 > +-- > +2.38.0 > > base-commit: 2211f50ec1ebcf5f880454b4133ac40e41abac21

This patch LGTM. Note that, as discussed in the other thread, we'd also want the checker to not download proprietary firmware. Could you adjust the package accordingly?

Cheers
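Review bot: in the linux.scm hunk, the second substitution in the 'fixpath phase, `(("perl") (search-input-file inputs "/bin/perl"))`, is an unanchored regexp that rewrites every occurrence of the substring `perl` in spectre-meltdown-checker.sh, not only the command invocation, so any comment, message or option text containing that word would also be turned into a store path; restrict the pattern to the places where perl is actually executed (anchor it to the start of a command position or list the exact call sites). The first substitution replaces `${opt_arch_prefix}readelf` with an absolute binutils readelf and thereby silently discards whatever prefix the script puts in `opt_arch_prefix`; if that loss of the prefix mechanism is intended, say so in a comment beside the phase. Both substitutions only cover two tools, which matches the remark in the reply that readelf and perl are not the only commands invoked: every other external program the script calls will still be looked up on the user's PATH at run time, so either add them to `inputs` and substitute them the same way, or wrap the installed script with a PATH that contains them, and document whichever choice is made in the package.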
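Review bot: in the spectre-meltdown-checker.sh hunk, the new Guix System line `[ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel=...` is correct only because it is placed after the NixOS line: the path itself shows that `/run/booted-system/kernel` is a directory on Guix System, and the NixOS test `[ -e "/run/booted-system/kernel" ]` succeeds for a directory as well (`-e` does not distinguish files from directories), so it first sets `opt_kernel` to that directory and the Guix line then overrides it. That ordering dependency is easy to break when another entry is added to the list; use `-f` for the Guix test and add a comment that it must stay below the NixOS entry, or tighten the NixOS test the same way. The check is also bound to the `bzImage` file name while the neighbouring NixOS path is architecture-independent, so the patch description should state that it covers the x86 image name if that is the intent. Finally, the .patch file has no header describing its origin and upstream status; the reference to speed47/spectre-meltdown-checker pull request 441 currently lives only in a comment in linux.scm and belongs at the top of the patch file as well, as Guix patches usually carry it.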