Package: guix-patches;
Reported by: Hilton Chain <hako <at> ultrarare.space>
Date: Sat, 5 Nov 2022 15:59:02 UTC
Severity: normal
Tags: moreinfo, patch
Merged with 49898
Done: Liliana Marie Prikler <liliana.prikler <at> gmail.com>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 59053 in the body.
You can then email your comments to 59053 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
View this report as an mbox folder, status mbox, maintainer mbox
guix-patches <at> gnu.org:bug#59053; Package guix-patches.
(Sat, 05 Nov 2022 15:59:02 GMT) Full text and rfc822 format available.Hilton Chain <hako <at> ultrarare.space>:guix-patches <at> gnu.org.
(Sat, 05 Nov 2022 15:59:02 GMT) Full text and rfc822 format available.Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
From: Hilton Chain <hako <at> ultrarare.space> To: guix-patches <at> gnu.org Subject: [PATCH] gnu: Add spectre-meltdown-checker. Date: Sat, 05 Nov 2022 23:57:31 +0800
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch: New file.
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/local.mk (dist_patch_DATA): Add it.
---
gnu/local.mk | 1 +
gnu/packages/linux.scm | 41 +++++++++++++++++++
...n-checker-support-guix-system-kernel.patch | 26 ++++++++++++
3 files changed, 68 insertions(+)
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index eb6ac3df58..88c1fa6278 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1848,6 +1848,7 @@ dist_patch_DATA = \
%D%/packages/patches/syslinux-strip-gnu-property.patch \
%D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \
%D%/packages/patches/snappy-add-inline-for-GCC.patch \
+ %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
%D%/packages/patches/sphinxbase-fix-doxygen.patch \
%D%/packages/patches/spice-vdagent-glib-2.68.patch \
%D%/packages/patches/sssd-optional-systemd.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index cf11a7fc1b..db199869a7 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9512,3 +9512,44 @@ (define-public tp-smapi-module
@acronym{SMAPI, System Management Application Program Interface} and direct
access to the embedded controller.")
(license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+ (package
+ (name "spectre-meltdown-checker")
+ (version "0.45")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (patches
+ (search-patches
+ ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+ "spectre-meltdown-checker-support-guix-system-kernel.patch"))
+ (sha256
+ (base32
+ "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+ (build-system copy-build-system)
+ (arguments
+ (list #:install-plan
+ #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'fixpath
+ (lambda* (#:key inputs #:allow-other-keys)
+ (substitute* "spectre-meltdown-checker.sh"
+ (("\\$\\{opt_arch_prefix\\}readelf")
+ (search-input-file inputs "/bin/readelf"))
+ (("perl")
+ (search-input-file inputs "/bin/perl"))))))))
+ (inputs (list binutils perl))
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (synopsis
+ "Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad vulnerability /
+mitigation checker for Linux & BSD")
+ (description
+ "A shell script to assess your system's resilience against the several
+transient execution CVEs that were published since early 2018, and give you
+guidance as to how to mitigate them.")
+ (license license:gpl3)))
diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
new file mode 100644
index 0000000000..afec52b418
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
@@ -0,0 +1,26 @@
+From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako <at> ultrarare.space>
+Date: Sat, 5 Nov 2022 23:22:31 +0800
+Subject: [PATCH] Add support for Guix System kernel.
+
+---
+ spectre-meltdown-checker.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 248a444..855a090 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
+ [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
+ # NixOS:
+ [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
++ # Guix System:
++ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ # systemd kernel-install:
+ [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
+ # Clear Linux:
+
+base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
+--
+2.38.0
base-commit: 2211f50ec1ebcf5f880454b4133ac40e41abac21
--
2.38.0
guix-patches <at> gnu.org:bug#59053; Package guix-patches.
(Sat, 05 Nov 2022 16:46:02 GMT) Full text and rfc822 format available.Message #8 received at 59053 <at> debbugs.gnu.org (full text, mbox):
From: Liliana Marie Prikler <liliana.prikler <at> gmail.com> To: Hilton Chain <hako <at> ultrarare.space>, 59053 <at> debbugs.gnu.org Cc: control <at> debbugs.gnu.org Subject: Re: [PATCH] gnu: Add spectre-meltdown-checker. Date: Sat, 05 Nov 2022 17:45:41 +0100
merge 59053 49898
thanks
Hi Hilton,
thanks for the renewed interest in spectre-meltdown-checker. See the
other thread for a general discussion, but I'll repeat the most
important points.
Am Samstag, dem 05.11.2022 um 23:57 +0800 schrieb Hilton Chain:
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch: New file.
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/local.mk (dist_patch_DATA): Add it.
Note that "Add it" lost its context because the new variable is between
it and the file added.
> ---
> gnu/local.mk | 1 +
> gnu/packages/linux.scm | 41
> +++++++++++++++++++
> ...n-checker-support-guix-system-kernel.patch | 26 ++++++++++++
> 3 files changed, 68 insertions(+)
> create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index eb6ac3df58..88c1fa6278 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1848,6 +1848,7 @@ dist_patch_DATA
> = \
> %D%/packages/patches/syslinux-strip-gnu-property.patch \
> %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch \
> %D%/packages/patches/snappy-add-inline-for-GCC.patch \
> + %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
> %D%/packages/patches/sphinxbase-fix-doxygen.patch \
> %D%/packages/patches/spice-vdagent-glib-2.68.patch \
> %D%/packages/patches/sssd-optional-systemd.patch \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index cf11a7fc1b..db199869a7 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9512,3 +9512,44 @@ (define-public tp-smapi-module
> @acronym{SMAPI, System Management Application Program Interface} and
> direct
> access to the embedded controller.")
> (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> + (package
> + (name "spectre-meltdown-checker")
> + (version "0.45")
> + (source (origin
> + (method git-fetch)
> + (uri (git-reference
> + (url
> "https://github.com/speed47/spectre-meltdown-checker")
> + (commit (string-append "v" version))))
> + (file-name (git-file-name name version))
> + (patches
> + (search-patches
> + ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> + "spectre-meltdown-checker-support-guix-system-
> kernel.patch"))
> + (sha256
> + (base32
> +
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> + (build-system copy-build-system)
> + (arguments
> + (list #:install-plan
> + #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> + #:phases
> + #~(modify-phases %standard-phases
> + (add-after 'unpack 'fixpath
> + (lambda* (#:key inputs #:allow-other-keys)
> + (substitute* "spectre-meltdown-checker.sh"
> + (("\\$\\{opt_arch_prefix\\}readelf")
> + (search-input-file inputs "/bin/readelf"))
> + (("perl")
> + (search-input-file inputs "/bin/perl"))))))))
I'm pretty sure readelf and perl are not the only commands invoked.
> + (inputs (list binutils perl))
> + (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> + (synopsis
> + "Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad
> vulnerability /
> +mitigation checker for Linux & BSD")
"for Linux & BSD" is gratuitous information imho.
As for the vulnerabilities listed in the synopsis surely there must be
a way of shortening that.
> + (description
> + "A shell script to assess your system's resilience against the
> several
> +transient execution CVEs that were published since early 2018, and
> give you
> +guidance as to how to mitigate them.")
Not a full sentence.
> + (license license:gpl3)))
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-
> guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-
> checker-support-guix-system-kernel.patch
> new file mode 100644
> index 0000000000..afec52b418
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-
> system-kernel.patch
> @@ -0,0 +1,26 @@
> +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako <at> ultrarare.space>
> +Date: Sat, 5 Nov 2022 23:22:31 +0800
> +Subject: [PATCH] Add support for Guix System kernel.
> +
> +---
> + spectre-meltdown-checker.sh | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 248a444..855a090 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
> + [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> + # NixOS:
> + [ -e "/run/booted-system/kernel" ] &&
> opt_kernel="/run/booted-system/kernel"
> ++ # Guix System:
> ++ [ -e "/run/booted-system/kernel/bzImage" ] &&
> opt_kernel="/run/booted-system/kernel/bzImage"
> + # systemd kernel-install:
> + [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux"
> + # Clear Linux:
> +
> +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
> +--
> +2.38.0
>
> base-commit: 2211f50ec1ebcf5f880454b4133ac40e41abac21
This patch LGTM.
Note that as discussed in the other thread, we'd also want the checker
to not download proprietary firmware. Could you adjust the package
accordingly?
Cheers
Liliana Marie Prikler <liliana.prikler <at> gmail.com>
to control <at> debbugs.gnu.org.
(Sat, 05 Nov 2022 16:46:02 GMT) Full text and rfc822 format available.Christopher Baines <mail <at> cbaines.net>
to control <at> debbugs.gnu.org.
(Sun, 06 Nov 2022 14:21:02 GMT) Full text and rfc822 format available.guix-patches <at> gnu.org:bug#59053; Package guix-patches.
(Fri, 11 Nov 2022 11:12:02 GMT) Full text and rfc822 format available.Message #15 received at 59053 <at> debbugs.gnu.org (full text, mbox):
From: Hilton Chain <hako <at> ultrarare.space> To: Liliana Marie Prikler <liliana.prikler <at> gmail.com> Cc: control <at> debbugs.gnu.org, 59053 <at> debbugs.gnu.org Subject: [PATCH v2] gnu: Add spectre-meltdown-checker. Date: Fri, 11 Nov 2022 19:10:33 +0800
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
v1 -> v2:
gnu/local.mk | 3 +
gnu/packages/linux.scm | 53 +
...ker-remove-builtin-firmware-database.patch | 554 +++++
...cker-stage-commands-for-substitution.patch | 1947 +++++++++++++++++
...n-checker-support-guix-system-kernel.patch | 26 +
5 files changed, 2583 insertions(+)
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 27b31ea27f..d518cd8641 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1851,6 +1851,9 @@ dist_patch_DATA = \
%D%/packages/patches/syslinux-strip-gnu-property.patch \
%D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \
%D%/packages/patches/snappy-add-inline-for-GCC.patch \
+ %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
+ %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch \
+ %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \
%D%/packages/patches/sphinxbase-fix-doxygen.patch \
%D%/packages/patches/spice-vdagent-glib-2.68.patch \
%D%/packages/patches/sssd-optional-systemd.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 2c06269504..5a0d55833a 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9595,3 +9595,56 @@ (define-public edac-utils
error detection and correction (EDAC).")
(home-page "https://github.com/grondo/edac-utils")
(license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+ (package
+ (name "spectre-meltdown-checker")
+ (version "0.45")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (patches
+ (search-patches
+ ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+ "spectre-meltdown-checker-support-guix-system-kernel.patch"
+ ;; NOTE: Update these patches when updating.
+ "spectre-meltdown-checker-stage-commands-for-substitution.patch"
+ "spectre-meltdown-checker-remove-builtin-firmware-database.patch"))
+ (sha256
+ (base32
+ "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+ (build-system copy-build-system)
+ (arguments
+ (list #:install-plan
+ #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'fixpath
+ (lambda* (#:key inputs #:allow-other-keys)
+ (substitute* "spectre-meltdown-checker.sh"
+ (("@sysctl@") (search-input-file inputs "/sbin/sysctl"))
+ (("@([a-z0-9]*)@" _ m _)
+ (search-input-file inputs (string-append "/bin/" m)))))))))
+ (inputs
+ (list binutils
+ coreutils
+ grep
+ kmod
+ lz4
+ lzop
+ perl
+ procps
+ sharutils
+ util-linux
+ which
+ zstd))
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (synopsis "CPU vulnerability / mitigation checker")
+ (description
+ "This package provides a shell script to assess your system's resilience
+against the several transient execution CVEs that were published since early
+2018, and give you guidance as to how to mitigate them.")
+ (license license:gpl3)))
diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
new file mode 100644
index 0000000000..e926551550
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
@@ -0,0 +1,554 @@
+From ac4bb2e61e4e8d195d560014816e107b315817ff Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako <at> ultrarare.space>
+Date: Fri, 11 Nov 2022 18:55:25 +0800
+Subject: [PATCH 2/2] Remove builtin firmware database.
+
+---
+ spectre-meltdown-checker.sh | 477 ++----------------------------------
+ 1 file changed, 27 insertions(+), 450 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 82cf1b6..79c4bb7 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -95,7 +95,6 @@ show_usage()
+ --cpu [#,all] interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
+ --update-fwdb update our local copy of the CPU microcodes versions database (using the awesome
+ MCExtractor project and the Intel firmwares GitHub repository)
+- --update-builtin-fwdb same as --update-fwdb but update builtin DB inside the script itself
+ --dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script
+
+ Return codes:
+@@ -853,9 +852,9 @@ update_fwdb()
+ mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)"
+ mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+ _info_nol "Fetching MCE.db from the MCExtractor project... "
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
++ # if command -v wget >/dev/null 2>&1; then
++ # wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
++ if command -v curl >/dev/null 2>&1; then
+ curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+ elif command -v fetch >/dev/null 2>&1; then
+ fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+@@ -874,9 +873,9 @@ update_fwdb()
+ intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+ _info_nol "Fetching Intel firmwares... "
+ ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
++ # if command -v wget >/dev/null 2>&1; then
++ # wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
++ if command -v curl >/dev/null 2>&1; then
+ curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+ elif command -v fetch >/dev/null 2>&1; then
+ fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+@@ -969,13 +968,13 @@ update_fwdb()
+ } > "$mcedb_cache"
+ echo DONE "(version $dbversion)"
+
+- if [ "$1" = builtin ]; then
+- newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
+- @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+- @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+- @cat@ "$newfile" > "$0"
+- @rm@ -f "$newfile"
+- fi
++ # if [ "$1" = builtin ]; then
++ # newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
++ # @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
++ # @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
++ # @cat@ "$newfile" > "$0"
++ # @rm@ -f "$newfile"
++ # fi
+ }
+
+ parse_opt_file()
+@@ -1070,9 +1069,9 @@ while [ -n "${1:-}" ]; do
+ elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then
+ update_fwdb
+ exit $?
+- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
+- update_fwdb builtin
+- exit $?
++ # elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
++ # update_fwdb builtin
++ # exit $?
+ elif [ "$1" = "--dump-mock-data" ]; then
+ opt_mock=1
+ shift
+@@ -2033,22 +2032,22 @@ is_xen_domU()
+ fi
+ }
+
+-builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
++# builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ # we have a local cache file, but it might be older than the builtin version we have
+ local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+ # sort -V sorts by version number
+- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1)
+- if [ "$older_dbversion" = "$builtin_dbversion" ]; then
++ # older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1)
++ # if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+ mcedb_source="$mcedb_cache"
+ mcedb_info="local firmwares DB $local_dbversion"
+- fi
++ # fi
+ fi
+ # if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db
+-if [ -z "${mcedb_source:-}" ]; then
+- mcedb_source="$0"
+- mcedb_info="builtin firmwares DB $builtin_dbversion"
+-fi
++# if [ -z "${mcedb_source:-}" ]; then
++# mcedb_source="$0"
++# mcedb_info="builtin firmwares DB $builtin_dbversion"
++# fi
+ read_mcedb()
+ {
+ @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
+@@ -2070,6 +2069,9 @@ is_latest_known_ucode()
+ else
+ return 2
+ fi
++ if [ -z "$mcedb_source" ]; then
++ return 2
++ fi
+ for tuple in $(read_mcedb | @grep@ "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
+ do
+ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
+@@ -5833,428 +5835,3 @@ fi
+ [ "$global_critical" = 1 ] && exit 2 # critical
+ [ "$global_unknown" = 1 ] && exit 3 # unknown
+ exit 0 # ok
+-
+-# We're using MCE.db from the excellent platomav's MCExtractor project
+-# The builtin version follows, but the user can download an up-to-date copy (to be stored in his $HOME) by using --update-fwdb
+-# To update the builtin version itself (by *modifying* this very file), use --update-builtin-fwdb
+-
+-# %%% MCEDB v222+i20220208
+-# I,0x00000611,0x00000B27,19961218
+-# I,0x00000612,0x000000C6,19961210
+-# I,0x00000616,0x000000C6,19961210
+-# I,0x00000617,0x000000C6,19961210
+-# I,0x00000619,0x000000D2,19980218
+-# I,0x00000630,0x00000013,19960827
+-# I,0x00000632,0x00000020,19960903
+-# I,0x00000633,0x00000036,19980923
+-# I,0x00000634,0x00000037,19980923
+-# I,0x00000650,0x00000045,19990525
+-# I,0x00000651,0x00000042,19990525
+-# I,0x00000652,0x0000002D,19990518
+-# I,0x00000653,0x00000010,19990628
+-# I,0x00000660,0x0000000A,19990505
+-# I,0x00000665,0x00000003,19990505
+-# I,0x0000066A,0x0000000D,19990505
+-# I,0x0000066D,0x00000007,19990505
+-# I,0x00000670,0x00000007,19980602
+-# I,0x00000671,0x00000014,19980811
+-# I,0x00000672,0x00000038,19990922
+-# I,0x00000673,0x0000002E,19990910
+-# I,0x00000680,0x00000017,19990610
+-# I,0x00000681,0x00000014,19991209
+-# I,0x00000683,0x00000014,20010206
+-# I,0x00000686,0x00000008,20000505
+-# I,0x0000068A,0x00000005,20001207
+-# I,0x00000690,0x00000004,20000206
+-# I,0x00000691,0x00000001,20020527
+-# I,0x00000692,0x00000001,20020620
+-# I,0x00000694,0x00000002,20020926
+-# I,0x00000695,0x00000047,20041109
+-# I,0x00000696,0x00000001,20000707
+-# I,0x000006A0,0x00000003,20000110
+-# I,0x000006A1,0x00000001,20000306
+-# I,0x000006A4,0x00000001,20000616
+-# I,0x000006B0,0x0000001A,20010129
+-# I,0x000006B1,0x0000001D,20010220
+-# I,0x000006B4,0x00000002,20020111
+-# I,0x000006D0,0x00000006,20030522
+-# I,0x000006D1,0x00000009,20030709
+-# I,0x000006D2,0x00000010,20030814
+-# I,0x000006D6,0x00000018,20041017
+-# I,0x000006D8,0x00000021,20060831
+-# I,0x000006E0,0x00000008,20050215
+-# I,0x000006E1,0x0000000C,20050413
+-# I,0x000006E4,0x00000026,20050816
+-# I,0x000006E8,0x0000003C,20060208
+-# I,0x000006EC,0x0000005B,20070208
+-# I,0x000006F0,0x00000005,20050818
+-# I,0x000006F1,0x00000012,20051129
+-# I,0x000006F2,0x0000005D,20101002
+-# I,0x000006F4,0x00000028,20060417
+-# I,0x000006F5,0x00000039,20060727
+-# I,0x000006F6,0x000000D2,20101001
+-# I,0x000006F7,0x0000006B,20101002
+-# I,0x000006F9,0x00000084,20061012
+-# I,0x000006FA,0x00000095,20101002
+-# I,0x000006FB,0x000000C1,20111004
+-# I,0x000006FD,0x000000A4,20101002
+-# I,0x00000F00,0xFFFF0001,20000130
+-# I,0x00000F01,0xFFFF0007,20000404
+-# I,0x00000F02,0xFFFF000B,20000518
+-# I,0x00000F03,0xFFFF0001,20000518
+-# I,0x00000F04,0xFFFF0010,20000803
+-# I,0x00000F05,0x0000000C,20000824
+-# I,0x00000F06,0x00000004,20000911
+-# I,0x00000F07,0x00000012,20020716
+-# I,0x00000F08,0x00000008,20001101
+-# I,0x00000F09,0x00000008,20010104
+-# I,0x00000F0A,0x00000015,20020821
+-# I,0x00000F11,0x0000000A,20030729
+-# I,0x00000F12,0x0000002F,20030502
+-# I,0x00000F13,0x00000005,20030508
+-# I,0x00000F20,0x00000001,20010423
+-# I,0x00000F21,0x00000003,20010529
+-# I,0x00000F22,0x00000005,20030729
+-# I,0x00000F23,0x0000000D,20010817
+-# I,0x00000F24,0x00000021,20030610
+-# I,0x00000F25,0x0000002C,20040826
+-# I,0x00000F26,0x00000010,20040805
+-# I,0x00000F27,0x00000039,20030604
+-# I,0x00000F29,0x0000002F,20040811
+-# I,0x00000F30,0x00000013,20030815
+-# I,0x00000F31,0x0000000B,20031021
+-# I,0x00000F32,0x0000000A,20040511
+-# I,0x00000F33,0x0000000C,20050421
+-# I,0x00000F34,0x00000017,20050421
+-# I,0x00000F36,0x00000007,20040309
+-# I,0x00000F37,0x00000003,20031218
+-# I,0x00000F40,0x00000006,20040318
+-# I,0x00000F41,0x00000017,20050422
+-# I,0x00000F42,0x00000003,20050421
+-# I,0x00000F43,0x00000005,20050421
+-# I,0x00000F44,0x00000006,20050421
+-# I,0x00000F46,0x00000004,20050411
+-# I,0x00000F47,0x00000003,20050421
+-# I,0x00000F48,0x0000000E,20080115
+-# I,0x00000F49,0x00000003,20050421
+-# I,0x00000F4A,0x00000004,20051214
+-# I,0x00000F60,0x00000005,20050124
+-# I,0x00000F61,0x00000008,20050610
+-# I,0x00000F62,0x0000000F,20051215
+-# I,0x00000F63,0x00000005,20051010
+-# I,0x00000F64,0x00000004,20051223
+-# I,0x00000F65,0x0000000B,20070510
+-# I,0x00000F66,0x0000001B,20060310
+-# I,0x00000F68,0x00000009,20060714
+-# I,0x00001632,0x00000002,19980610
+-# I,0x00010650,0x00000002,20060513
+-# I,0x00010660,0x00000004,20060612
+-# I,0x00010661,0x00000045,20101004
+-# I,0x00010670,0x00000005,20070209
+-# I,0x00010671,0x00000106,20070329
+-# I,0x00010674,0x84050100,20070726
+-# I,0x00010676,0x00000612,20150802
+-# I,0x00010677,0x0000070D,20150802
+-# I,0x0001067A,0x00000A0E,20150729
+-# I,0x000106A0,0xFFFF001A,20071128
+-# I,0x000106A1,0xFFFF000B,20080220
+-# I,0x000106A2,0xFFFF0019,20080714
+-# I,0x000106A4,0x00000013,20150630
+-# I,0x000106A5,0x0000001D,20180511
+-# I,0x000106C0,0x00000007,20070824
+-# I,0x000106C1,0x00000109,20071203
+-# I,0x000106C2,0x00000219,20090410
+-# I,0x000106C9,0x00000007,20090213
+-# I,0x000106CA,0x00000107,20090825
+-# I,0x000106D0,0x00000005,20071204
+-# I,0x000106D1,0x0000002A,20150803
+-# I,0x000106E0,0xFFFF0022,20090116
+-# I,0x000106E1,0xFFFF000D,20090206
+-# I,0x000106E2,0xFFFF0011,20090924
+-# I,0x000106E3,0xFFFF0011,20090512
+-# I,0x000106E4,0x00000003,20130701
+-# I,0x000106E5,0x0000000A,20180508
+-# I,0x000106F0,0xFFFF0009,20090210
+-# I,0x000106F1,0xFFFF0007,20090210
+-# I,0x00020650,0xFFFF0008,20090218
+-# I,0x00020651,0xFFFF0018,20090818
+-# I,0x00020652,0x00000011,20180508
+-# I,0x00020654,0xFFFF0007,20091124
+-# I,0x00020655,0x00000007,20180423
+-# I,0x00020661,0x00000105,20110718
+-# I,0x000206A0,0x00000029,20091102
+-# I,0x000206A1,0x00000007,20091223
+-# I,0x000206A2,0x00000027,20100502
+-# I,0x000206A3,0x00000009,20100609
+-# I,0x000206A4,0x00000022,20100414
+-# I,0x000206A5,0x00000007,20100722
+-# I,0x000206A6,0x90030028,20100924
+-# I,0x000206A7,0x0000002F,20190217
+-# I,0x000206C0,0xFFFF001C,20091214
+-# I,0x000206C1,0x00000006,20091222
+-# I,0x000206C2,0x0000001F,20180508
+-# I,0x000206D0,0x80000006,20100816
+-# I,0x000206D1,0x80000106,20101201
+-# I,0x000206D2,0xAF506958,20110714
+-# I,0x000206D3,0xAF50696A,20110816
+-# I,0x000206D5,0xAF5069E5,20120118
+-# I,0x000206D6,0x00000621,20200304
+-# I,0x000206D7,0x0000071A,20200324
+-# I,0x000206E0,0xE3493401,20090108
+-# I,0x000206E1,0xE3493402,20090224
+-# I,0x000206E2,0xFFFF0004,20081001
+-# I,0x000206E3,0xE4486547,20090701
+-# I,0x000206E4,0xFFFF0008,20090619
+-# I,0x000206E5,0xFFFF0018,20091215
+-# I,0x000206E6,0x0000000D,20180515
+-# I,0x000206F0,0x00000005,20100729
+-# I,0x000206F1,0x00000008,20101013
+-# I,0x000206F2,0x0000003B,20180516
+-# I,0x00030650,0x00000009,20120118
+-# I,0x00030651,0x00000110,20131014
+-# I,0x00030660,0x00000003,20101103
+-# I,0x00030661,0x0000010F,20150721
+-# I,0x00030669,0x0000010D,20130515
+-# I,0x00030671,0x00000117,20130410
+-# I,0x00030672,0x0000022E,20140401
+-# I,0x00030673,0x83290100,20190916
+-# I,0x00030678,0x00000838,20190422
+-# I,0x00030679,0x0000090D,20190710
+-# I,0x000306A0,0x00000007,20110407
+-# I,0x000306A2,0x0000000C,20110725
+-# I,0x000306A4,0x00000007,20110908
+-# I,0x000306A5,0x00000009,20111110
+-# I,0x000306A6,0x00000004,20111114
+-# I,0x000306A8,0x00000010,20120220
+-# I,0x000306A9,0x00000021,20190213
+-# I,0x000306C0,0xFFFF0013,20111110
+-# I,0x000306C1,0xFFFF0014,20120725
+-# I,0x000306C2,0xFFFF0006,20121017
+-# I,0x000306C3,0x00000028,20191112
+-# I,0x000306D1,0xFFFF0009,20131015
+-# I,0x000306D2,0xFFFF0009,20131219
+-# I,0x000306D3,0xE3121338,20140825
+-# I,0x000306D4,0x0000002F,20191112
+-# I,0x000306E0,0xE920080F,20121113
+-# I,0x000306E2,0xE9220827,20130523
+-# I,0x000306E3,0x00000308,20130321
+-# I,0x000306E4,0x0000042E,20190314
+-# I,0x000306E6,0x00000600,20130619
+-# I,0x000306E7,0x00000715,20190314
+-# I,0x000306F0,0xFFFF0017,20130730
+-# I,0x000306F1,0xD141D629,20140416
+-# I,0x000306F2,0x00000049,20210811
+-# I,0x000306F3,0x0000000D,20160211
+-# I,0x000306F4,0x0000001A,20210524
+-# I,0x00040650,0xFFFF000B,20121206
+-# I,0x00040651,0x00000026,20191112
+-# I,0x00040660,0xFFFF0011,20121012
+-# I,0x00040661,0x0000001C,20191112
+-# I,0x00040670,0xFFFF0006,20140304
+-# I,0x00040671,0x00000022,20191112
+-# I,0x000406A0,0x80124001,20130521
+-# I,0x000406A8,0x0000081F,20140812
+-# I,0x000406A9,0x0000081F,20140812
+-# I,0x000406C1,0x0000010B,20140814
+-# I,0x000406C2,0x00000221,20150218
+-# I,0x000406C3,0x00000368,20190423
+-# I,0x000406C4,0x00000411,20190423
+-# I,0x000406D0,0x0000000E,20130612
+-# I,0x000406D8,0x0000012D,20190916
+-# I,0x000406E1,0x00000020,20141111
+-# I,0x000406E2,0x0000002C,20150521
+-# I,0x000406E3,0x000000EC,20210428
+-# I,0x000406E8,0x00000026,20160414
+-# I,0x000406F0,0x00000014,20150702
+-# I,0x000406F1,0x0B000040,20210519
+-# I,0x00050650,0x8000002B,20160208
+-# I,0x00050651,0x8000002B,20160208
+-# I,0x00050652,0x80000037,20170502
+-# I,0x00050653,0x0100015C,20210526
+-# I,0x00050654,0x02006C0A,20210616
+-# I,0x00050655,0x03000012,20190412
+-# I,0x00050656,0x0400320A,20210813
+-# I,0x00050657,0x0500320A,20210813
+-# I,0x0005065A,0x86002302,20210416
+-# I,0x0005065B,0x07002402,20210604
+-# I,0x00050661,0xF1000008,20150130
+-# I,0x00050662,0x0000001C,20190617
+-# I,0x00050663,0x0700001C,20210612
+-# I,0x00050664,0x0F00001A,20210612
+-# I,0x00050665,0x0E000014,20210918
+-# I,0x00050670,0xFFFF0030,20151113
+-# I,0x00050671,0x000001B6,20180108
+-# I,0x000506A0,0x00000038,20150112
+-# I,0x000506C2,0x00000014,20180511
+-# I,0x000506C8,0x90011010,20160323
+-# I,0x000506C9,0x00000046,20210510
+-# I,0x000506CA,0x00000022,20210622
+-# I,0x000506D1,0x00000102,20150605
+-# I,0x000506E0,0x00000018,20141119
+-# I,0x000506E1,0x0000002A,20150602
+-# I,0x000506E2,0x0000002E,20150815
+-# I,0x000506E3,0x000000F0,20211112
+-# I,0x000506E8,0x00000034,20160710
+-# I,0x000506F0,0x00000010,20160607
+-# I,0x000506F1,0x00000036,20210510
+-# I,0x00060660,0x0000000C,20160821
+-# I,0x00060661,0x0000000E,20170128
+-# I,0x00060662,0x00000022,20171129
+-# I,0x00060663,0x0000002A,20180417
+-# I,0x000606A0,0x80000031,20200308
+-# I,0x000606A4,0x0B000280,20200817
+-# I,0x000606A5,0x0C0002F0,20210308
+-# I,0x000606A6,0x0D000332,20211217
+-# I,0x000606E0,0x0000000B,20161104
+-# I,0x000606E1,0x00000108,20190423
+-# I,0x000706A0,0x00000026,20170712
+-# I,0x000706A1,0x00000038,20210510
+-# I,0x000706A8,0x0000001C,20210510
+-# I,0x000706E0,0x0000002C,20180614
+-# I,0x000706E1,0x00000042,20190420
+-# I,0x000706E2,0x00000042,20190420
+-# I,0x000706E3,0x81000008,20181002
+-# I,0x000706E4,0x00000046,20190905
+-# I,0x000706E5,0x000000A8,20210526
+-# I,0x00080650,0x00000018,20180108
+-# I,0x00080664,0x0B00000F,20210217
+-# I,0x00080665,0x0B00000F,20210217
+-# I,0x000806A0,0x00000010,20190507
+-# I,0x000806A1,0x0000002D,20210902
+-# I,0x000806C0,0x00000068,20200402
+-# I,0x000806C1,0x0000009C,20211026
+-# I,0x000806C2,0x00000022,20210716
+-# I,0x000806D0,0x00000050,20201217
+-# I,0x000806D1,0x0000003C,20210716
+-# I,0x000806E9,0x000000EC,20210428
+-# I,0x000806EA,0x000000EC,20210428
+-# I,0x000806EB,0x000000EC,20210428
+-# I,0x000806EC,0x000000EC,20210428
+-# I,0x00090660,0x00000009,20200617
+-# I,0x00090661,0x00000015,20210921
+-# I,0x00090670,0x00000019,20201111
+-# I,0x00090671,0x0000001C,20210614
+-# I,0x00090672,0x0000001F,20220303
+-# I,0x00090674,0x00000219,20210425
+-# I,0x00090675,0x0000001F,20220303
+-# I,0x000906A0,0x0000001C,20210614
+-# I,0x000906A1,0x0000011F,20211104
+-# I,0x000906A2,0x00000315,20220102
+-# I,0x000906A3,0x0000041B,20220308
+-# I,0x000906A4,0x0000041B,20220308
+-# I,0x000906C0,0x2400001F,20210809
+-# I,0x000906E9,0x000000F0,20211112
+-# I,0x000906EA,0x000000EC,20210428
+-# I,0x000906EB,0x000000EC,20210428
+-# I,0x000906EC,0x000000EC,20210428
+-# I,0x000906ED,0x000000EC,20210428
+-# I,0x000A0650,0x000000BE,20191010
+-# I,0x000A0651,0x000000C2,20191113
+-# I,0x000A0652,0x000000EC,20210428
+-# I,0x000A0653,0x000000EC,20210428
+-# I,0x000A0654,0x000000C6,20200123
+-# I,0x000A0655,0x000000EE,20210428
+-# I,0x000A0660,0x000000EA,20210428
+-# I,0x000A0661,0x000000EC,20210429
+-# I,0x000A0670,0x0000002C,20201124
+-# I,0x000A0671,0x00000050,20210829
+-# I,0x000A0680,0x80000002,20200121
+-# I,0x000B0670,0x00000009,20211115
+-# I,0x000B06F2,0x0000001F,20220303
+-# I,0x000B06F5,0x0000001F,20220303
+-# A,0x00000F00,0x02000008,20070614
+-# A,0x00000F01,0x0000001C,20021031
+-# A,0x00000F10,0x00000003,20020325
+-# A,0x00000F11,0x0000001F,20030220
+-# A,0x00000F48,0x00000046,20040719
+-# A,0x00000F4A,0x00000047,20040719
+-# A,0x00000F50,0x00000024,20021212
+-# A,0x00000F51,0x00000025,20030115
+-# A,0x00010F50,0x00000041,20040225
+-# A,0x00020F10,0x0000004D,20050428
+-# A,0x00040F01,0xC0012102,20050916
+-# A,0x00040F0A,0x00000068,20060920
+-# A,0x00040F13,0x0000007A,20080508
+-# A,0x00040F14,0x00000062,20060127
+-# A,0x00040F1B,0x0000006D,20060920
+-# A,0x00040F33,0x0000007B,20080514
+-# A,0x00060F80,0x00000083,20060929
+-# A,0x000C0F1B,0x0000006E,20060921
+-# A,0x000F0F00,0x00000005,20020627
+-# A,0x000F0F01,0x00000015,20020627
+-# A,0x00100F00,0x01000020,20070326
+-# A,0x00100F20,0x010000CA,20100331
+-# A,0x00100F22,0x010000C9,20100331
+-# A,0x00100F40,0x01000085,20080501
+-# A,0x00100F41,0x010000DB,20111024
+-# A,0x00100F42,0x01000092,20081021
+-# A,0x00100F43,0x010000C8,20100311
+-# A,0x00100F62,0x010000C7,20100311
+-# A,0x00100F80,0x010000DA,20111024
+-# A,0x00100F81,0x010000D9,20111012
+-# A,0x00100FA0,0x010000DC,20111024
+-# A,0x00120F00,0x03000002,20100324
+-# A,0x00200F30,0x02000018,20070921
+-# A,0x00200F31,0x02000057,20080502
+-# A,0x00200F32,0x02000034,20080307
+-# A,0x00300F01,0x0300000E,20101004
+-# A,0x00300F10,0x03000027,20111309
+-# A,0x00500F00,0x0500000B,20100601
+-# A,0x00500F01,0x0500001A,20100908
+-# A,0x00500F10,0x05000029,20130121
+-# A,0x00500F20,0x05000119,20130118
+-# A,0x00580F00,0x0500000B,20100601
+-# A,0x00580F01,0x0500001A,20100908
+-# A,0x00580F10,0x05000028,20101124
+-# A,0x00580F20,0x05000103,20110526
+-# A,0x00600F00,0x06000017,20101029
+-# A,0x00600F01,0x0600011F,20110227
+-# A,0x00600F10,0x06000425,20110408
+-# A,0x00600F11,0x0600050D,20110627
+-# A,0x00600F12,0x0600063E,20180207
+-# A,0x00600F20,0x06000852,20180206
+-# A,0x00610F00,0x0600100E,20111102
+-# A,0x00610F01,0x0600111F,20180305
+-# A,0x00630F00,0x0600301C,20130817
+-# A,0x00630F01,0x06003109,20180227
+-# A,0x00660F00,0x06006012,20141014
+-# A,0x00660F01,0x0600611A,20180126
+-# A,0x00670F00,0x06006705,20180220
+-# A,0x00680F00,0x06000017,20101029
+-# A,0x00680F01,0x0600011F,20110227
+-# A,0x00680F10,0x06000410,20110314
+-# A,0x00690F00,0x06001009,20110613
+-# A,0x00700F00,0x0700002A,20121218
+-# A,0x00700F01,0x07000110,20180209
+-# A,0x00730F00,0x07030009,20131206
+-# A,0x00730F01,0x07030106,20180209
+-# A,0x00800F00,0x0800002A,20161006
+-# A,0x00800F10,0x0800100C,20170131
+-# A,0x00800F11,0x08001138,20190204
+-# A,0x00800F12,0x0800126E,20211111
+-# A,0x00800F82,0x0800820D,20190416
+-# A,0x00810F00,0x08100004,20161120
+-# A,0x00810F10,0x08101016,20190430
+-# A,0x00810F11,0x08101103,20190417
+-# A,0x00810F80,0x08108002,20180605
+-# A,0x00810F81,0x08108109,20190417
+-# A,0x00820F00,0x08200002,20180214
+-# A,0x00820F01,0x08200103,20190417
+-# A,0x00830F00,0x08300027,20190401
+-# A,0x00830F10,0x08301052,20211111
+-# A,0x00850F00,0x08500004,20180212
+-# A,0x00860F00,0x0860000E,20200127
+-# A,0x00860F01,0x08600106,20200619
+-# A,0x00860F81,0x08608103,20200702
+-# A,0x00870F00,0x08700004,20181206
+-# A,0x00870F10,0x08701021,20200125
+-# A,0x00A00F00,0x0A000033,20200413
+-# A,0x00A00F10,0x0A001053,20211217
+-# A,0x00A00F11,0x0A00115D,20211119
+-# A,0x00A00F12,0x0A001227,20211215
+-# A,0x00A00F80,0x0A008003,20211015
+-# A,0x00A00F82,0x0A008204,20211015
+-# A,0x00A20F00,0x0A200025,20200121
+-# A,0x00A20F10,0x0A201016,20210408
+-# A,0x00A20F12,0x0A201205,20210719
+-# A,0x00A50F00,0x0A50000C,20201208
+--
+2.38.1
+
diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
new file mode 100644
index 0000000000..a2f13e4195
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
@@ -0,0 +1,1947 @@
+From 4dc8ae01aec5a8a2aa2afc015603261d514620ae Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako <at> ultrarare.space>
+Date: Fri, 11 Nov 2022 18:49:50 +0800
+Subject: [PATCH 1/2] Stage commands for later substitution.
+
+awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find, getent,
+grep, gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm,
+nproc, objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat,
+strings, sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, which,
+whoami, xargs.
+---
+ spectre-meltdown-checker.sh | 648 ++++++++++++++++++------------------
+ 1 file changed, 324 insertions(+), 324 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 30f760c..82cf1b6 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -19,33 +19,33 @@ trap '_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT
+ exit_cleanup()
+ {
+ # cleanup the temp decompressed config & kernel image
+- [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
+- [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp"
+- [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2"
+- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm -f "$mcedb_tmp"
+- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm -rf "$intel_tmp"
+- [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
+- [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null
+- [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
+- [ "${insmod_msr:-}" = 1 ] && rmmod msr 2>/dev/null
++ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && @rm@ -f "$dumped_config"
++ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && @rm@ -f "$kerneltmp"
++ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && @rm@ -f "$kerneltmp2"
++ [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && @rm@ -f "$mcedb_tmp"
++ [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && @rm@ -rf "$intel_tmp"
++ [ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug 2>/dev/null
++ [ "${mounted_procfs:-}" = 1 ] && @umount@ "$procfs" 2>/dev/null
++ [ "${insmod_cpuid:-}" = 1 ] && @rmmod@ cpuid 2>/dev/null
++ [ "${insmod_msr:-}" = 1 ] && @rmmod@ msr 2>/dev/null
+ [ "${kldload_cpuctl:-}" = 1 ] && kldunload cpuctl 2>/dev/null
+ [ "${kldload_vmm:-}" = 1 ] && kldunload vmm 2>/dev/null
+ }
+
+ # if we were git clone'd, adjust VERSION
+-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then
+- describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null)
+- [ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e s/^v//)
++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null 2>&1; then
++ describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty 2>/dev/null)
++ [ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e s/^v//)
+ fi
+
+ show_usage()
+ {
+ # shellcheck disable=SC2086
+- cat <<EOF
++ @cat@ <<EOF
+ Usage:
+- Live mode (auto): $(basename $0) [options]
+- Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
+- Offline mode: $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
++ Live mode (auto): $(@basename@ $0) [options]
++ Live mode (manual): $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
++ Offline mode: $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
+
+ Modes:
+ Two modes are available.
+@@ -110,7 +110,7 @@ EOF
+
+ show_disclaimer()
+ {
+- cat <<EOF
++ @cat@ <<EOF
+ Disclaimer:
+
+ This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the
+@@ -138,7 +138,7 @@ This tool has been released in the hope that it'll be useful, but don't use it t
+ EOF
+ }
+
+-os=$(uname -s)
++os=$(@uname@ -s)
+
+ # parse options
+ opt_kernel=''
+@@ -207,7 +207,7 @@ __echo()
+ _interpret_chars='-e'
+ fi
+ _ctrlchar=$($echo_cmd $_interpret_chars "\033")
+- _msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
++ _msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
+ fi
+ if [ "$echo_cmd_type" = printf ]; then
+ if [ "$opt" = "-n" ]; then
+@@ -383,7 +383,7 @@ is_cpu_affected()
+ # https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not affected
+ # https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown affected
+ # model name : Pentium(R) Dual-Core CPU E5200 @ 2.50GHz
+- if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
++ if echo "$cpu_friendly_name" | @grep@ -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
+ variant1=vuln
+ [ -z "$variant2" ] && variant2=immune
+ variant3=vuln
+@@ -486,7 +486,7 @@ is_cpu_affected()
+ i=$(( i + 1 ))
+ # do NOT quote $cpu_arch_list below
+ # shellcheck disable=SC2086
+- cpuarch=$(echo $cpu_arch_list | awk '{ print $'$i' }')
++ cpuarch=$(echo $cpu_arch_list | @awk@ '{ print $'$i' }')
+ _debug "checking cpu$i: <$cpupart> <$cpuarch>"
+ # some kernels report AArch64 instead of 8
+ [ "$cpuarch" = "AArch64" ] && cpuarch=8
+@@ -497,49 +497,49 @@ is_cpu_affected()
+ # part ? ? c08 c09 c0d c0f c0e d07 d08 d09 d0a d0b d0c d0d
+ # arch 7? 7? 7 7 7 7 7 8 8 8 8 8 8 8
+ #
+- # Whitelist identified non-affected processors, use vulnerability information from
++ # Whitelist identified non-affected processors, use vulnerability information from
+ # https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
+ # Partnumbers can be found here:
+ # https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in
+ #
+ # Maintain cumulative check of vulnerabilities -
+ # if at least one of the cpu is affected, then the system is affected
+- if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
++ if [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ [ -z "$variant3a" ] && variant3a=immune
+ [ -z "$variant4" ] && variant4=immune
+ _debug "checking cpu$i: armv7 A8/A9/A12/A17 non affected to variants 3, 3a & 4"
+- elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc0f; then
++ elif [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc0f; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ variant3a=vuln
+ [ -z "$variant4" ] && variant4=immune
+ _debug "checking cpu$i: armv7 A15 non affected to variants 3 & 4"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd07 -e 0xd08; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ variant3a=vuln
+ variant4=vuln
+ _debug "checking cpu$i: armv8 A57/A72 non affected to variants 3"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd09; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd09; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ [ -z "$variant3a" ] && variant3a=immune
+ variant4=vuln
+ _debug "checking cpu$i: armv8 A73 non affected to variants 3 & 3a"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0a; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0a; then
+ variant1=vuln
+ variant2=vuln
+ variant3=vuln
+ [ -z "$variant3a" ] && variant3a=immune
+ variant4=vuln
+ _debug "checking cpu$i: armv8 A75 non affected to variant 3a"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
+ variant1=vuln
+ [ -z "$variant2" ] && variant2=immune
+ [ -z "$variant3" ] && variant3=immune
+@@ -820,7 +820,7 @@ is_cpu_ssb_free()
+ if [ "$cpu_family" = "18" ] || \
+ [ "$cpu_family" = "17" ] || \
+ [ "$cpu_family" = "16" ] || \
+- [ "$cpu_family" = "15" ]; then
++ [ "$cpu_family" = "15" ]; then
+ return 0
+ fi
+ fi
+@@ -837,7 +837,7 @@ show_header()
+ _info
+ }
+
+-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
++[ -z "$HOME" ] && HOME="$(@getent@ passwd "$(@whoami@)" | @cut@ -d: -f6)"
+ mcedb_cache="$HOME/.mcedb"
+ update_fwdb()
+ {
+@@ -846,11 +846,11 @@ update_fwdb()
+ set -e
+
+ if [ -r "$mcedb_cache" ]; then
+- previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
++ previous_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+ fi
+
+ # first, download the MCE.db from the excellent platomav's MCExtractor project
+- mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
++ mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)"
+ mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+ _info_nol "Fetching MCE.db from the MCExtractor project... "
+ if command -v wget >/dev/null 2>&1; then
+@@ -870,7 +870,7 @@ update_fwdb()
+ echo DONE
+
+ # second, get the Intel firmwares from GitHub
+- intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
++ intel_tmp="$(@mktemp@ -d -t smc-intelfw-XXXXXX)"
+ intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+ _info_nol "Fetching Intel firmwares... "
+ ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+@@ -930,20 +930,20 @@ update_fwdb()
+ fi
+ # 079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev 0x0217, size 5120
+ # 078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev 0x0107, size 5120
+- $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
++ $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | @grep@ -wF sig | while read -r _line
+ do
+- _line=$( echo "$_line" | tr -d ',')
+- _cpuid=$( echo "$_line" | awk '{print $3}')
++ _line=$( echo "$_line" | @tr@ -d ',')
++ _cpuid=$( echo "$_line" | @awk@ '{print $3}')
+ _cpuid=$(( _cpuid ))
+ _cpuid=$(printf "0x%08X" "$_cpuid")
+- _date=$( echo "$_line" | awk '{print $6}' | tr -d '-')
+- _version=$(echo "$_line" | awk '{print $8}')
++ _date=$( echo "$_line" | @awk@ '{print $6}' | @tr@ -d '-')
++ _version=$(echo "$_line" | @awk@ '{print $8}')
+ _version=$(( _version ))
+ _version=$(printf "0x%08X" "$_version")
+ _sqlstm="$(printf "INSERT INTO Intel (origin,cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")"
+ sqlite3 "$mcedb_tmp" "$_sqlstm"
+ done
+- _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
++ _intel_timestamp=$(@stat@ -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
+ if [ -n "$_intel_timestamp" ]; then
+ # use this date, it matches the last commit date
+ _intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp")
+@@ -964,17 +964,17 @@ update_fwdb()
+ {
+ echo "# Spectre & Meltdown Checker";
+ echo "# %%% MCEDB v$dbversion";
+- sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+- sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
++ sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,';
++ sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,';
+ } > "$mcedb_cache"
+ echo DONE "(version $dbversion)"
+
+ if [ "$1" = builtin ]; then
+- newfile=$(mktemp -t smc-builtin-XXXXXX)
+- awk '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+- awk '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+- cat "$newfile" > "$0"
+- rm -f "$newfile"
++ newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
++ @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
++ @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
++ @cat@ "$newfile" > "$0"
++ @rm@ -f "$newfile"
+ fi
+ }
+
+@@ -1055,7 +1055,7 @@ while [ -n "${1:-}" ]; do
+ elif [ "$1" = "--cpu" ]; then
+ opt_cpu=$2
+ if [ "$opt_cpu" != all ]; then
+- if echo "$opt_cpu" | grep -Eq '^[0-9]+'; then
++ if echo "$opt_cpu" | @grep@ -Eq '^[0-9]+'; then
+ opt_cpu=$(( opt_cpu ))
+ else
+ echo "$0: error: --cpu should be an integer or 'all', got '$opt_cpu'" >&2
+@@ -1103,7 +1103,7 @@ while [ -n "${1:-}" ]; do
+ echo "$0: error: option --cve expects a parameter, supported CVEs are: $supported_cve_list" >&2
+ exit 255
+ fi
+- selected_cve=$(echo "$supported_cve_list" | grep -iwo "$2")
++ selected_cve=$(echo "$supported_cve_list" | @grep@ -iwo "$2")
+ if [ -n "$selected_cve" ]; then
+ opt_cve_list="$opt_cve_list $selected_cve"
+ opt_cve_all=0
+@@ -1308,14 +1308,14 @@ check_kernel()
+ # a damaged ELF file and validate it, check for stderr warnings too
+
+ # the warning "readelf: Warning: [16]: Link field (0) should index a symtab section./" can appear on valid kernels, ignore it
+- _readelf_warnings=$("${opt_arch_prefix}readelf" -S "$_file" 2>&1 >/dev/null | grep -v 'should index a symtab section' | tr "\n" "/"); ret=$?
+- _readelf_sections=$("${opt_arch_prefix}readelf" -S "$_file" 2>/dev/null | grep -c -e data -e text -e init)
+- _kernel_size=$(stat -c %s "$_file" 2>/dev/null || stat -f %z "$_file" 2>/dev/null || echo 10000)
++ _readelf_warnings=$("@readelf@" -S "$_file" 2>&1 >/dev/null | @grep@ -v 'should index a symtab section' | @tr@ "\n" "/"); ret=$?
++ _readelf_sections=$("@readelf@" -S "$_file" 2>/dev/null | @grep@ -c -e data -e text -e init)
++ _kernel_size=$(@stat@ -c %s "$_file" 2>/dev/null || @stat@ -f %z "$_file" 2>/dev/null || echo 10000)
+ _debug "check_kernel: ret=$? size=$_kernel_size sections=$_readelf_sections warnings=$_readelf_warnings"
+ if [ "$_mode" = desperate ]; then
+- if "${opt_arch_prefix}strings" "$_file" | grep -Eq '^Linux version '; then
++ if "@strings@" "$_file" | @grep@ -Eq '^Linux version '; then
+ _debug "check_kernel (desperate): ... matched!"
+- if [ "$_readelf_sections" = 0 ] && grep -qF -e armv6 -e armv7 "$_file"; then
++ if [ "$_readelf_sections" = 0 ] && @grep@ -qF -e armv6 -e armv7 "$_file"; then
+ _debug "check_kernel (desperate): raw arm binary found, adjusting objdump options"
+ objdump_options="-D -b binary -marm"
+ else
+@@ -1348,7 +1348,7 @@ try_decompress()
+
+ # Try to find the header ($1) and decompress from here
+ _debug "try_decompress: looking for $3 magic in $6"
+- for pos in $(tr "$1\n$2" "\n$2=" < "$6" | grep -abo "^$2")
++ for pos in $(@tr@ "$1\n$2" "\n$2=" < "$6" | @grep@ -abo "^$2")
+ do
+ _debug "try_decompress: magic for $3 found at offset $pos"
+ if ! command -v "$3" >/dev/null 2>&1; then
+@@ -1375,11 +1375,11 @@ try_decompress()
+ kernel="$kerneltmp"
+ _debug "try_decompress: decompressed with $3 successfully!"
+ return 0
+- elif [ "$3" != "cat" ]; then
++ elif [ "$3" != "@cat@" ]; then
+ _debug "try_decompress: decompression with $3 worked but result is not a kernel, trying with an offset"
+- [ -z "$kerneltmp2" ] && kerneltmp2=$(mktemp -t smc-kernel-XXXXXX)
+- cat "$kerneltmp" > "$kerneltmp2"
+- try_decompress '\177ELF' xxy 'cat' '' cat "$kerneltmp2" && return 0
++ [ -z "$kerneltmp2" ] && kerneltmp2=$(@mktemp@ -t smc-kernel-XXXXXX)
++ @cat@ "$kerneltmp" > "$kerneltmp2"
++ try_decompress '\177ELF' xxy '@cat@' '' cat "$kerneltmp2" && return 0
+ else
+ _debug "try_decompress: decompression with $3 worked but result is not a kernel"
+ fi
+@@ -1391,12 +1391,12 @@ extract_kernel()
+ {
+ [ -n "${1:-}" ] || return 1
+ # Prepare temp files:
+- kerneltmp="$(mktemp -t smc-kernel-XXXXXX)"
++ kerneltmp="$(@mktemp@ -t smc-kernel-XXXXXX)"
+
+ # Initial attempt for uncompressed images or objects:
+ if check_kernel "$1"; then
+ _debug "extract_kernel: found kernel is valid, no decompression needed"
+- cat "$1" > "$kerneltmp"
++ @cat@ "$1" > "$kerneltmp"
+ kernel=$kerneltmp
+ return 0
+ fi
+@@ -1405,14 +1405,14 @@ extract_kernel()
+ for pass in 1 2; do
+ for mode in normal desperate; do
+ _debug "extract_kernel: pass $pass $mode mode"
+- try_decompress '\037\213\010' xy gunzip '' gunzip "$1" "$mode" "$pass" && return 0
+- try_decompress '\002\041\114\030' xyy 'lz4' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
+- try_decompress '\3757zXZ\000' abcde unxz '' xz-utils "$1" "$mode" "$pass" && return 0
+- try_decompress 'BZh' xy bunzip2 '' bzip2 "$1" "$mode" "$pass" && return 0
+- try_decompress '\135\0\0\0' xxx unlzma '' xz-utils "$1" "$mode" "$pass" && return 0
+- try_decompress '\211\114\132' xy 'lzop' '-d' lzop "$1" "$mode" "$pass" && return 0
+- try_decompress '\177ELF' xxy 'cat' '' cat "$1" "$mode" "$pass" && return 0
+- try_decompress '(\265/\375' xxy unzstd '' zstd "$1" "$mode" "$pass" && return 0
++ try_decompress '\037\213\010' xy @gunzip@ '' gunzip "$1" "$mode" "$pass" && return 0
++ try_decompress '\002\041\114\030' xyy '@lz4@' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
++ try_decompress '\3757zXZ\000' abcde @unxz@ '' xz-utils "$1" "$mode" "$pass" && return 0
++ try_decompress 'BZh' xy @bunzip2@ '' bzip2 "$1" "$mode" "$pass" && return 0
++ try_decompress '\135\0\0\0' xxx @unlzma@ '' xz-utils "$1" "$mode" "$pass" && return 0
++ try_decompress '\211\114\132' xy '@lzop@' '-d' lzop "$1" "$mode" "$pass" && return 0
++ try_decompress '\177ELF' xxy '@cat@' '' cat "$1" "$mode" "$pass" && return 0
++ try_decompress '(\265/\375' xxy @unzstd@ '' zstd "$1" "$mode" "$pass" && return 0
+ done
+ done
+ # kernel_err might already have been populated by try_decompress() if we're missing one of the tools
+@@ -1429,7 +1429,7 @@ mount_debugfs()
+ {
+ if [ ! -e /sys/kernel/debug/sched_features ]; then
+ # try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
+- mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
++ @mount@ -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
+ fi
+ }
+
+@@ -1440,12 +1440,12 @@ load_msr()
+ load_msr_once=1
+
+ if [ "$os" = Linux ]; then
+- if ! grep -qw msr "$procfs/modules" 2>/dev/null; then
+- modprobe msr 2>/dev/null && insmod_msr=1
++ if ! @grep@ -qw msr "$procfs/modules" 2>/dev/null; then
++ @modprobe@ msr 2>/dev/null && insmod_msr=1
+ _debug "attempted to load module msr, insmod_msr=$insmod_msr"
+ else
+ _debug "msr module already loaded"
+- fi
++ fi
+ else
+ if ! kldstat -q -m cpuctl; then
+ kldload cpuctl 2>/dev/null && kldload_cpuctl=1
+@@ -1463,12 +1463,12 @@ load_cpuid()
+ load_cpuid_once=1
+
+ if [ "$os" = Linux ]; then
+- if ! grep -qw cpuid "$procfs/modules" 2>/dev/null; then
+- modprobe cpuid 2>/dev/null && insmod_cpuid=1
++ if ! @grep@ -qw cpuid "$procfs/modules" 2>/dev/null; then
++ @modprobe@ cpuid 2>/dev/null && insmod_cpuid=1
+ _debug "attempted to load module cpuid, insmod_cpuid=$insmod_cpuid"
+ else
+ _debug "cpuid module already loaded"
+- fi
++ fi
+ else
+ if ! kldstat -q -m cpuctl; then
+ kldload cpuctl 2>/dev/null && kldload_cpuctl=1
+@@ -1557,7 +1557,7 @@ read_cpuid_one_core()
+ fi
+ # on some kernel versions, /dev/cpu/0/cpuid doesn't imply that the cpuid module is loaded, in that case dd returns an error,
+ # we use that fact to load the module if dd returns an error
+- if ! dd if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then
++ if ! @dd@ if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then
+ load_cpuid
+ fi
+ # we need _leaf to be converted to decimal for dd
+@@ -1568,14 +1568,14 @@ read_cpuid_one_core()
+ _ddskip=$(( _position / 16 ))
+ _odskip=$(( _position - _ddskip * 16 ))
+ # now read the value
+- _cpuid=$(dd if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | od -j $((_odskip * 16)) -A n -t u4)
++ _cpuid=$(@dd@ if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | @od@ -j $((_odskip * 16)) -A n -t u4)
+ elif [ -e /dev/cpuctl0 ]; then
+ # BSD
+ if [ ! -r /dev/cpuctl0 ]; then
+ read_cpuid_msg="Couldn't read cpuid info from cpuctl"
+ return $READ_CPUID_RET_ERR
+ fi
+- _cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | cut -d: -f2-)
++ _cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | @cut@ -d: -f2-)
+ # cpuid level 0x4, level_type 0x2: 0x1c004143 0x01c0003f 0x000001ff 0x00000000
+ else
+ read_cpuid_msg="Found no way to read cpuid info"
+@@ -1598,7 +1598,7 @@ read_cpuid_one_core()
+ fi
+
+ # get the value of the register we want
+- _reg=$(echo "$_cpuid" | awk '{print $'"$_register"'}')
++ _reg=$(echo "$_cpuid" | @awk@ '{print $'"$_register"'}')
+ # Linux returns it as decimal, BSD as hex, normalize to decimal
+ _reg=$(( _reg ))
+ # shellcheck disable=SC2046
+@@ -1626,11 +1626,11 @@ dmesg_grep()
+ # grep for something in dmesg, ensuring that the dmesg buffer
+ # has not been truncated
+ dmesg_grepped=''
+- if ! dmesg | grep -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then
++ if ! @dmesg@ | @grep@ -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then
+ # dmesg truncated
+ return 2
+ fi
+- dmesg_grepped=$(dmesg | grep -E "$1" | head -1)
++ dmesg_grepped=$(@dmesg@ | @grep@ -E "$1" | @head@ -1)
+ # not found:
+ [ -z "$dmesg_grepped" ] && return 1
+ # found, output is in $dmesg_grepped
+@@ -1647,12 +1647,12 @@ parse_cpu_details()
+ {
+ [ "${parse_cpu_details_done:-}" = 1 ] && return 0
+
+- if command -v nproc >/dev/null; then
+- number_of_cores=$(nproc)
+- elif echo "$os" | grep -q BSD; then
+- number_of_cores=$(sysctl -n hw.ncpu 2>/dev/null || echo 1)
++ if command -v @nproc@ >/dev/null; then
++ number_of_cores=$(@nproc@)
++ elif echo "$os" | @grep@ -q BSD; then
++ number_of_cores=$(@sysctl@ -n hw.ncpu 2>/dev/null || echo 1)
+ elif [ -e "$procfs/cpuinfo" ]; then
+- number_of_cores=$(grep -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1)
++ number_of_cores=$(@grep@ -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1)
+ else
+ # if we don't know, default to 1 CPU
+ number_of_cores=1
+@@ -1660,43 +1660,43 @@ parse_cpu_details()
+ max_core_id=$(( number_of_cores - 1 ))
+
+ if [ -e "$procfs/cpuinfo" ]; then
+- cpu_vendor=$( grep '^vendor_id' "$procfs/cpuinfo" | awk '{print $3}' | head -1)
+- cpu_friendly_name=$(grep '^model name' "$procfs/cpuinfo" | cut -d: -f2- | head -1 | sed -e 's/^ *//')
++ cpu_vendor=$( @grep@ '^vendor_id' "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1)
++ cpu_friendly_name=$(@grep@ '^model name' "$procfs/cpuinfo" | @cut@ -d: -f2- | @head@ -1 | @sed@ -e 's/^ *//')
+ # special case for ARM follows
+- if grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
++ if @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
+ cpu_vendor='ARM'
+ # some devices (phones or other) have several ARMs and as such different part numbers,
+ # an example is "bigLITTLE", so we need to store the whole list, this is needed for is_cpu_affected
+- cpu_part_list=$(awk '/CPU part/ {print $4}' "$procfs/cpuinfo")
+- cpu_arch_list=$(awk '/CPU architecture/ {print $3}' "$procfs/cpuinfo")
++ cpu_part_list=$(@awk@ '/CPU part/ {print $4}' "$procfs/cpuinfo")
++ cpu_arch_list=$(@awk@ '/CPU architecture/ {print $3}' "$procfs/cpuinfo")
+ # take the first one to fill the friendly name, do NOT quote the vars below
+ # shellcheck disable=SC2086
+- cpu_arch=$(echo $cpu_arch_list | awk '{ print $1 }')
++ cpu_arch=$(echo $cpu_arch_list | @awk@ '{ print $1 }')
+ # shellcheck disable=SC2086
+- cpu_part=$(echo $cpu_part_list | awk '{ print $1 }')
++ cpu_part=$(echo $cpu_part_list | @awk@ '{ print $1 }')
+ [ "$cpu_arch" = "AArch64" ] && cpu_arch=8
+ cpu_friendly_name="ARM"
+ [ -n "$cpu_arch" ] && cpu_friendly_name="$cpu_friendly_name v$cpu_arch"
+ [ -n "$cpu_part" ] && cpu_friendly_name="$cpu_friendly_name model $cpu_part"
+
+- elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
++ elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
+ cpu_vendor='CAVIUM'
+- elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
++ elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
+ cpu_vendor='PHYTIUM'
+ fi
+
+- cpu_family=$( grep '^cpu family' "$procfs/cpuinfo" | awk '{print $4}' | grep -E '^[0-9]+$' | head -1)
+- cpu_model=$( grep '^model' "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
+- cpu_stepping=$(grep '^stepping' "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
+- cpu_ucode=$( grep '^microcode' "$procfs/cpuinfo" | awk '{print $3}' | head -1)
++ cpu_family=$( @grep@ '^cpu family' "$procfs/cpuinfo" | @awk@ '{print $4}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++ cpu_model=$( @grep@ '^model' "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++ cpu_stepping=$(@grep@ '^stepping' "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++ cpu_ucode=$( @grep@ '^microcode' "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1)
+ else
+- cpu_vendor=$( dmesg | grep -i -m1 'Origin=' | cut -f2 -w | cut -f2 -d= | cut -f2 -d\" )
+- cpu_family=$( dmesg | grep -i -m1 'Family=' | cut -f4 -w | cut -f2 -d= )
++ cpu_vendor=$( @dmesg@ | @grep@ -i -m1 'Origin=' | @cut@ -f2 -w | @cut@ -f2 -d= | @cut@ -f2 -d\" )
++ cpu_family=$( @dmesg@ | @grep@ -i -m1 'Family=' | @cut@ -f4 -w | @cut@ -f2 -d= )
+ cpu_family=$(( cpu_family ))
+- cpu_model=$( dmesg | grep -i -m1 'Model=' | cut -f5 -w | cut -f2 -d= )
++ cpu_model=$( @dmesg@ | @grep@ -i -m1 'Model=' | @cut@ -f5 -w | @cut@ -f2 -d= )
+ cpu_model=$(( cpu_model ))
+- cpu_stepping=$( dmesg | grep -i -m1 'Stepping=' | cut -f6 -w | cut -f2 -d= )
+- cpu_friendly_name=$(sysctl -n hw.model 2>/dev/null)
++ cpu_stepping=$( @dmesg@ | @grep@ -i -m1 'Stepping=' | @cut@ -f6 -w | @cut@ -f2 -d= )
++ cpu_friendly_name=$(@sysctl@ -n hw.model 2>/dev/null)
+ fi
+
+ if [ -n "${SMC_MOCK_CPU_FRIENDLY_NAME:-}" ]; then
+@@ -1751,7 +1751,7 @@ parse_cpu_details()
+ # call CPUID
+ cpucontrol -i 1 /dev/cpuctl0 >/dev/null
+ # read MSR
+- cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | awk '{print $3}')
++ cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | @awk@ '{print $3}')
+ # convert to decimal
+ cpu_ucode=$(( cpu_ucode ))
+ # convert back to hex
+@@ -1770,7 +1770,7 @@ parse_cpu_details()
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CPU_UCODE='$cpu_ucode'")
+ fi
+
+- echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$(( cpu_ucode ))
++ echo "$cpu_ucode" | @grep@ -q ^0x && cpu_ucode=$(( cpu_ucode ))
+ ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid")
+
+ # also define those that we will need in other funcs
+@@ -1867,8 +1867,8 @@ is_cpu_smt_enabled()
+ {
+ # SMT / HyperThreading is enabled if siblings != cpucores
+ if [ -e "$procfs/cpuinfo" ]; then
+- _siblings=$(awk '/^siblings/ {print $3;exit}' "$procfs/cpuinfo")
+- _cpucores=$(awk '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo")
++ _siblings=$(@awk@ '/^siblings/ {print $3;exit}' "$procfs/cpuinfo")
++ _cpucores=$(@awk@ '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo")
+ if [ -n "$_siblings" ] && [ -n "$_cpucores" ]; then
+ if [ "$_siblings" = "$_cpucores" ]; then
+ return 1
+@@ -1916,10 +1916,10 @@ is_ucode_blacklisted()
+ $INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b \
+ $INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712
+ do
+- model=$(echo "$tuple" | cut -d, -f1)
+- stepping=$(( $(echo "$tuple" | cut -d, -f2) ))
++ model=$(echo "$tuple" | @cut@ -d, -f1)
++ stepping=$(( $(echo "$tuple" | @cut@ -d, -f2) ))
+ if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" = "$stepping" ]; then
+- ucode=$(( $(echo "$tuple" | cut -d, -f3) ))
++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
+ if [ "$cpu_ucode" = "$ucode" ]; then
+ _debug "is_ucode_blacklisted: we have a match! ($cpu_model/$cpu_stepping/$cpu_ucode)"
+ return 0
+@@ -2007,7 +2007,7 @@ is_xen_dom0()
+ return 1
+ fi
+
+- if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d" "$procfs/xen/capabilities"; then
++ if [ -e "$procfs/xen/capabilities" ] && @grep@ -q "control_d" "$procfs/xen/capabilities"; then
+ return 0
+ else
+ return 1
+@@ -2033,12 +2033,12 @@ is_xen_domU()
+ fi
+ }
+
+-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
++builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ # we have a local cache file, but it might be older than the builtin version we have
+- local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
++ local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+ # sort -V sorts by version number
+- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | sort -V | head -n1)
++ older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1)
+ if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+ mcedb_source="$mcedb_cache"
+ mcedb_info="local firmwares DB $local_dbversion"
+@@ -2051,7 +2051,7 @@ if [ -z "${mcedb_source:-}" ]; then
+ fi
+ read_mcedb()
+ {
+- awk '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
++ @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
+ }
+
+ is_latest_known_ucode()
+@@ -2070,10 +2070,10 @@ is_latest_known_ucode()
+ else
+ return 2
+ fi
+- for tuple in $(read_mcedb | grep "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
++ for tuple in $(read_mcedb | @grep@ "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
+ do
+- ucode=$(( $(echo "$tuple" | cut -d, -f3) ))
+- ucode_date=$(echo "$tuple" | cut -d, -f4 | sed -r 's=(....)(..)(..)=\1/\2/\3=')
++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
++ ucode_date=$(echo "$tuple" | @cut@ -d, -f4 | @sed@ -r 's=(....)(..)(..)=\1/\2/\3=')
+ _debug "is_latest_known_ucode: with cpuid $cpu_cpuid has ucode $cpu_ucode, last known is $ucode from $ucode_date"
+ ucode_latest=$(printf "latest version is 0x%x dated $ucode_date according to $mcedb_info" "$ucode")
+ if [ "$cpu_ucode" -ge "$ucode" ]; then
+@@ -2098,7 +2098,7 @@ get_cmdline()
+ kernel_cmdline="$SMC_MOCK_CMDLINE"
+ return
+ else
+- kernel_cmdline=$(cat "$procfs/cmdline")
++ kernel_cmdline=$(@cat@ "$procfs/cmdline")
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CMDLINE='$kernel_cmdline'")
+ fi
+ }
+@@ -2106,7 +2106,7 @@ get_cmdline()
+ # ENTRYPOINT
+
+ # we can't do anything useful under WSL
+-if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then
++if @uname@ -a | @grep@ -qE -- '-Microsoft #[0-9]+-Microsoft '; then
+ _warn "This script doesn't work under Windows Subsystem for Linux"
+ _warn "You should use the official Microsoft tool instead."
+ _warn "It can be found under https://aka.ms/SpeculationControlPS"
+@@ -2155,15 +2155,15 @@ fi
+
+ # if we're under a BSD, try to mount linprocfs for "$procfs/cpuinfo"
+ procfs=/proc
+-if echo "$os" | grep -q BSD; then
++if echo "$os" | @grep@ -q BSD; then
+ _debug "We're under BSD, check if we have procfs"
+- procfs=$(mount | awk '/^linprocfs/ { print $3; exit; }')
++ procfs=$(@mount@ | @awk@ '/^linprocfs/ { print $3; exit; }')
+ if [ -z "$procfs" ]; then
+ _debug "we don't, try to mount it"
+ procfs=/proc
+ [ -d /compat/linux/proc ] && procfs=/compat/linux/proc
+ test -d $procfs || mkdir $procfs
+- if mount -t linprocfs linprocfs $procfs 2>/dev/null; then
++ if @mount@ -t linprocfs linprocfs $procfs 2>/dev/null; then
+ mounted_procfs=1
+ _debug "procfs just mounted at $procfs"
+ else
+@@ -2195,14 +2195,14 @@ fi
+
+ if [ "$opt_live" = 1 ]; then
+ # root check (only for live mode, for offline mode, we already checked if we could read the files)
+- if [ "$(id -u)" -ne 0 ]; then
++ if [ "$(@id@ -u)" -ne 0 ]; then
+ _warn "Note that you should launch this script with root privileges to get accurate information."
+ _warn "We'll proceed but you might see permission denied errors."
+ _warn "To run it as root, you can try the following command: sudo $0"
+ _warn
+ fi
+ _info "Checking for vulnerabilities on current system"
+- _info "Kernel is \033[35m$os $(uname -r) $(uname -v) $(uname -m)\033[0m"
++ _info "Kernel is \033[35m$os $(@uname@ -r) $(@uname@ -v) $(@uname@ -m)\033[0m"
+ _info "CPU is \033[35m$cpu_friendly_name\033[0m"
+
+ # try to find the image of the current running kernel
+@@ -2210,12 +2210,12 @@ if [ "$opt_live" = 1 ]; then
+ # specified by user on cmdline, with --live, don't override
+ :
+ # first, look for the BOOT_IMAGE hint in the kernel cmdline
+- elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then
+- opt_kernel=$(echo "$kernel_cmdline" | grep -Eo 'BOOT_IMAGE=[^ ]+' | cut -d= -f2)
++ elif echo "$kernel_cmdline" | @grep@ -q 'BOOT_IMAGE='; then
++ opt_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo 'BOOT_IMAGE=[^ ]+' | @cut@ -d= -f2)
+ _debug "found opt_kernel=$opt_kernel in $procfs/cmdline"
+ # if the boot partition is within a btrfs subvolume, strip the subvolume name
+ # if /boot is a separate subvolume, the remainder of the code in this section should handle it
+- if echo "$opt_kernel" | grep -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi
++ if echo "$opt_kernel" | @grep@ -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | @sed@ "s:/@[^/]*::"); fi
+ # if we have a dedicated /boot partition, our bootloader might have just called it /
+ # so try to prepend /boot and see if we find anything
+ [ -e "/boot/$opt_kernel" ] && opt_kernel="/boot/$opt_kernel"
+@@ -2227,7 +2227,7 @@ if [ "$opt_live" = 1 ]; then
+ # if we didn't find a kernel, default to guessing
+ if [ ! -e "$opt_kernel" ]; then
+ # Fedora:
+- [ -e "/lib/modules/$(uname -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(uname -r)/vmlinuz"
++ [ -e "/lib/modules/$(@uname@ -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(@uname@ -r)/vmlinuz"
+ # Slackware:
+ [ -e "/boot/vmlinuz" ] && opt_kernel="/boot/vmlinuz"
+ # Arch aarch64:
+@@ -2241,24 +2241,24 @@ if [ "$opt_live" = 1 ]; then
+ # pine64
+ [ -e "/boot/pine64/Image" ] && opt_kernel="/boot/pine64/Image"
+ # generic:
+- [ -e "/boot/vmlinuz-$(uname -r)" ] && opt_kernel="/boot/vmlinuz-$(uname -r)"
+- [ -e "/boot/kernel-$( uname -r)" ] && opt_kernel="/boot/kernel-$( uname -r)"
+- [ -e "/boot/bzImage-$(uname -r)" ] && opt_kernel="/boot/bzImage-$(uname -r)"
++ [ -e "/boot/vmlinuz-$(@uname@ -r)" ] && opt_kernel="/boot/vmlinuz-$(@uname@ -r)"
++ [ -e "/boot/kernel-$( @uname@ -r)" ] && opt_kernel="/boot/kernel-$( @uname@ -r)"
++ [ -e "/boot/bzImage-$(@uname@ -r)" ] && opt_kernel="/boot/bzImage-$(@uname@ -r)"
+ # Gentoo:
+- [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
++ [ -e "/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)" ] && opt_kernel="/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)"
+ # NixOS:
+ [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
+ # Guix System:
+ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ # systemd kernel-install:
+- [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
++ [ -e "/etc/machine-id" ] && [ -e "/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux" ] && opt_kernel="/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux"
+ # Clear Linux:
+- str_uname=$(uname -r)
++ str_uname=$(@uname@ -r)
+ clear_linux_kernel="/lib/kernel/org.clearlinux.${str_uname##*.}.${str_uname%.*}"
+ [ -e "$clear_linux_kernel" ] && opt_kernel=$clear_linux_kernel
+ # Custom Arch seems to have the kernel path in its cmdline in the form "\directory\kernelimage",
+ # with actual \'s instead of /'s:
+- custom_arch_kernel=$(echo "$kernel_cmdline" | grep -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d '[:space:]')
++ custom_arch_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | @tr@ "\\\\" "/" | @tr@ -d '[:space:]')
+ if [ -n "$custom_arch_kernel" ] && [ -e "$custom_arch_kernel" ]; then
+ opt_kernel="$custom_arch_kernel"
+ fi
+@@ -2272,12 +2272,12 @@ if [ "$opt_live" = 1 ]; then
+ :
+ elif [ -e "$procfs/kallsyms" ] ; then
+ opt_map="$procfs/kallsyms"
+- elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then
+- opt_map="/lib/modules/$(uname -r)/System.map"
+- elif [ -e "/boot/System.map-$(uname -r)" ] ; then
+- opt_map="/boot/System.map-$(uname -r)"
+- elif [ -e "/lib/kernel/System.map-$(uname -r)" ]; then
+- opt_map="/lib/kernel/System.map-$(uname -r)"
++ elif [ -e "/lib/modules/$(@uname@ -r)/System.map" ] ; then
++ opt_map="/lib/modules/$(@uname@ -r)/System.map"
++ elif [ -e "/boot/System.map-$(@uname@ -r)" ] ; then
++ opt_map="/boot/System.map-$(@uname@ -r)"
++ elif [ -e "/lib/kernel/System.map-$(@uname@ -r)" ]; then
++ opt_map="/lib/kernel/System.map-$(@uname@ -r)"
+ fi
+
+ # config
+@@ -2285,18 +2285,18 @@ if [ "$opt_live" = 1 ]; then
+ # specified by user on cmdline, with --live, don't override
+ :
+ elif [ -e "$procfs/config.gz" ] ; then
+- dumped_config="$(mktemp -t smc-config-XXXXXX)"
+- gunzip -c "$procfs/config.gz" > "$dumped_config"
++ dumped_config="$(@mktemp@ -t smc-config-XXXXXX)"
++ @gunzip@ -c "$procfs/config.gz" > "$dumped_config"
+ # dumped_config will be deleted at the end of the script
+ opt_config="$dumped_config"
+- elif [ -e "/lib/modules/$(uname -r)/config" ]; then
+- opt_config="/lib/modules/$(uname -r)/config"
+- elif [ -e "/boot/config-$(uname -r)" ]; then
+- opt_config="/boot/config-$(uname -r)"
+- elif [ -e "/etc/kernels/kernel-config-$(uname -m)-$(uname -r)" ]; then
+- opt_config="/etc/kernels/kernel-config-$(uname -m)-$(uname -r)"
+- elif [ -e "/lib/kernel/config-$(uname -r)" ]; then
+- opt_config="/lib/kernel/config-$(uname -r)"
++ elif [ -e "/lib/modules/$(@uname@ -r)/config" ]; then
++ opt_config="/lib/modules/$(@uname@ -r)/config"
++ elif [ -e "/boot/config-$(@uname@ -r)" ]; then
++ opt_config="/boot/config-$(@uname@ -r)"
++ elif [ -e "/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)" ]; then
++ opt_config="/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)"
++ elif [ -e "/lib/kernel/config-$(@uname@ -r)" ]; then
++ opt_config="/lib/kernel/config-$(@uname@ -r)"
+ fi
+ else
+ _info "Checking for vulnerabilities against specified kernel"
+@@ -2311,7 +2311,7 @@ else
+ fi
+
+ if [ "$os" = Linux ]; then
+- if [ -n "$opt_config" ] && ! grep -q '^CONFIG_' "$opt_config"; then
++ if [ -n "$opt_config" ] && ! @grep@ -q '^CONFIG_' "$opt_config"; then
+ # given file is invalid!
+ _warn "The kernel config file seems invalid, was expecting a plain-text file, ignoring it!"
+ opt_config=''
+@@ -2339,7 +2339,7 @@ if [ "$os" = Linux ]; then
+ fi
+
+ if [ -e "$opt_kernel" ]; then
+- if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then
++ if ! command -v "@readelf@" >/dev/null 2>&1; then
+ _debug "readelf not found"
+ kernel_err="missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the 'binutils' package"
+ elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ]; then
+@@ -2357,20 +2357,20 @@ else
+ # vanilla kernels have with ^Linux version
+ # also try harder with some kernels (such as Red Hat) that don't have ^Linux version before their version string
+ # and check for FreeBSD
+- kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E \
++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E \
+ -e '^Linux version ' \
+ -e '^[[:alnum:]][^[:space:]]+ \([^[:space:]]+\) #[0-9]+ .+ (19|20)[0-9][0-9]$' \
+- -e '^FreeBSD [0-9]' | head -1)
++ -e '^FreeBSD [0-9]' | @head@ -1)
+ if [ -z "$kernel_version" ]; then
+ # try even harder with some kernels (such as ARM) that split the release (uname -r) and version (uname -v) in 2 adjacent strings
+- kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | tr "\n" " ")
++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | @tr@ "\n" " ")
+ fi
+ if [ -n "$kernel_version" ]; then
+ # in live mode, check if the img we found is the correct one
+ if [ "$opt_live" = 1 ]; then
+ _verbose "Kernel image is \033[35m$kernel_version"
+- if ! echo "$kernel_version" | grep -qF "$(uname -r)"; then
+- _warn "Possible discrepancy between your running kernel '$(uname -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect"
++ if ! echo "$kernel_version" | @grep@ -qF "$(@uname@ -r)"; then
++ _warn "Possible discrepancy between your running kernel '$(@uname@ -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect"
+ fi
+ else
+ _info "Kernel image is \033[35m$kernel_version"
+@@ -2398,11 +2398,11 @@ sys_interface_check()
+ if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r "$file" ]; then
+ :
+ else
+- mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")_RET=1")
++ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")_RET=1")
+ return 1
+ fi
+
+- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")_RET"
++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")_RET"
+ # shellcheck disable=SC2086,SC1083
+ if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
+ _debug "sysfs: MOCKING enabled for $file func returns $(eval echo \$$_mockvarname)"
+@@ -2411,17 +2411,17 @@ sys_interface_check()
+ fi
+
+ [ -n "$regex" ] || regex='.*'
+- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")"
++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")"
+ # shellcheck disable=SC2086,SC1083
+ if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
+ fullmsg="$(eval echo \$$_mockvarname)"
+- msg=$(echo "$fullmsg" | grep -Eo "$regex")
++ msg=$(echo "$fullmsg" | @grep@ -Eo "$regex")
+ _debug "sysfs: MOCKING enabled for $file, will return $fullmsg"
+ mocked=1
+ else
+- fullmsg=$(cat "$file")
+- msg=$(grep -Eo "$regex" "$file")
+- mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")='$fullmsg'")
++ fullmsg=$(@cat@ "$file")
++ msg=$(@grep@ -Eo "$regex" "$file")
++ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")='$fullmsg'")
+ fi
+ if [ "$mode" = silent ]; then
+ return 0
+@@ -2430,15 +2430,15 @@ sys_interface_check()
+ return 0
+ fi
+ _info_nol "* Mitigated according to the /sys interface: "
+- if echo "$msg" | grep -qi '^not affected'; then
++ if echo "$msg" | @grep@ -qi '^not affected'; then
+ # Not affected
+ status=OK
+ pstatus green YES "$fullmsg"
+- elif echo "$msg" | grep -qEi '^(kvm: )?mitigation'; then
++ elif echo "$msg" | @grep@ -qEi '^(kvm: )?mitigation'; then
+ # Mitigation: PTI
+ status=OK
+ pstatus green YES "$fullmsg"
+- elif echo "$msg" | grep -qi '^vulnerable'; then
++ elif echo "$msg" | @grep@ -qi '^vulnerable'; then
+ # Vulnerable
+ status=VULN
+ pstatus yellow NO "$fullmsg"
+@@ -2526,20 +2526,20 @@ write_msr_one_core()
+ # ret=4: msr doesn't exist, ret=127: msr.allow_writes=off
+ [ "$ret" = 127 ] && _write_denied=1
+ # or fallback to dd if it supports seek_bytes, we prefer it over perl because we can tell the difference between EPERM and EIO
+- elif dd if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
+ _debug "write_msr: using dd"
+- dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
++ @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
+ # if it failed, inspect stderrto look for EPERM
+ if [ "$ret" != 0 ]; then
+- if dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then
++ if @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | @grep@ -qF 'Operation not permitted'; then
+ _write_denied=1
+ fi
+ fi
+ # or if we have perl, use it, any 5.x version will work
+- elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
++ elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
+ _debug "write_msr: using perl"
+ ret=1
+- perl -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0
++ @perl@ -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0
+ else
+ _debug "write_msr: got no wrmsr, perl or recent enough dd!"
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR")
+@@ -2561,13 +2561,13 @@ write_msr_one_core()
+ msr_locked_down=1
+ write_msr_msg="your kernel is configured to deny writes to MSRs from user space"
+ return $WRITE_MSR_RET_LOCKDOWN
+- elif dmesg | grep -qF "msr: Direct access to MSR"; then
++ elif @dmesg@ | @grep@ -qF "msr: Direct access to MSR"; then
+ _debug "write_msr: locked down kernel detected (Red Hat / Fedora)"
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
+ msr_locked_down=1
+ write_msr_msg="your kernel is locked down (Fedora/Red Hat), please reboot without secure boot and retry"
+ return $WRITE_MSR_RET_LOCKDOWN
+- elif dmesg | grep -qF "raw MSR access is restricted"; then
++ elif @dmesg@ | @grep@ -qF "raw MSR access is restricted"; then
+ _debug "write_msr: locked down kernel detected (vanilla)"
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
+ msr_locked_down=1
+@@ -2666,8 +2666,8 @@ read_msr_one_core()
+ return $READ_MSR_RET_KO
+ fi
+ # MSR 0x10: 0x000003e1 0xb106dded
+- _msr_h=$(echo "$_msr" | awk '{print $3}');
+- _msr_l=$(echo "$_msr" | awk '{print $4}');
++ _msr_h=$(echo "$_msr" | @awk@ '{print $3}');
++ _msr_l=$(echo "$_msr" | @awk@ '{print $4}');
+ read_msr_value=$(( _msr_h << 32 | _msr_l ))
+ else
+ # for Linux
+@@ -2678,15 +2678,15 @@ read_msr_one_core()
+ # if rdmsr is available, use it
+ elif command -v rdmsr >/dev/null 2>&1 && [ "${SMC_NO_RDMSR:-}" != 1 ]; then
+ _debug "read_msr: using rdmsr on $_msr"
+- read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | od -t u8 -A n)
++ read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | @od@ -t u8 -A n)
+ # or if we have perl, use it, any 5.x version will work
+- elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
++ elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
+ _debug "read_msr: using perl on $_msr"
+- read_msr_value=$(perl -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | od -t u8 -A n)
++ read_msr_value=$(@perl@ -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | @od@ -t u8 -A n)
+ # fallback to dd if it supports skip_bytes
+- elif dd if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
+ _debug "read_msr: using dd on $_msr"
+- read_msr_value=$(dd if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8 -A n)
++ read_msr_value=$(@dd@ if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | @od@ -t u8 -A n)
+ else
+ _debug "read_msr: got no rdmsr, perl or recent enough dd!"
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR")
+@@ -2710,7 +2710,7 @@ check_cpu()
+ {
+ _info "\033[1;34mHardware check\033[0m"
+
+- if ! uname -m | grep -qwE 'x86_64|i[3-6]86|amd64'; then
++ if ! @uname@ -m | @grep@ -qwE 'x86_64|i[3-6]86|amd64'; then
+ return
+ fi
+
+@@ -3326,19 +3326,19 @@ check_redhat_canonical_spectre()
+ # if we were already called, don't do it again
+ [ -n "${redhat_canonical_spectre:-}" ] && return
+
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ redhat_canonical_spectre=-1
+ elif [ -n "$kernel_err" ]; then
+ redhat_canonical_spectre=-2
+ else
+ # Red Hat / Ubuntu specific variant1 patch is difficult to detect,
+ # let's use the two same tricks than the official Red Hat detection script uses:
+- if "${opt_arch_prefix}strings" "$kernel" | grep -qw noibrs && "${opt_arch_prefix}strings" "$kernel" | grep -qw noibpb; then
++ if "@strings@" "$kernel" | @grep@ -qw noibrs && "@strings@" "$kernel" | @grep@ -qw noibpb; then
+ # 1) detect their specific variant2 patch. If it's present, it means
+ # that the variant1 patch is also present (both were merged at the same time)
+ _debug "found redhat/canonical version of the variant2 patch (implies variant1)"
+ redhat_canonical_spectre=1
+- elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'x86/pti:'; then
++ elif "@strings@" "$kernel" | @grep@ -q 'x86/pti:'; then
+ # 2) detect their specific variant3 patch. If it's present, but the variant2
+ # is not, it means that only variant1 is present in addition to variant3
+ _debug "found redhat/canonical version of the variant3 patch (implies variant1 but not variant2)"
+@@ -3363,13 +3363,13 @@ check_has_vmm()
+ # If we find no evidence that this is the case, assume we're not (to avoid scaring users),
+ # this can always be overridden with --vmm in any case.
+ has_vmm=0
+- if command -v pgrep >/dev/null 2>&1; then
++ if command -v @pgrep@ >/dev/null 2>&1; then
+ # remove xenbus and xenwatch, also present inside domU
+ # remove libvirtd as it can also be used to manage containers and not VMs
+ # for each binary we want to grep, get the pids
+ for _binary in qemu kvm xenstored xenconsoled
+ do
+- for _pid in $(pgrep -x $_binary)
++ for _pid in $(@pgrep@ -x $_binary)
+ do
+ # resolve the exe symlink, if it doesn't resolve with -m,
+ # which doesn't even need the dest to exist, it means the symlink
+@@ -3385,7 +3385,7 @@ check_has_vmm()
+ else
+ # ignore SC2009 as `ps ax` is actually used as a fallback if `pgrep` isn't installed
+ # shellcheck disable=SC2009
+- if command -v ps >/devnull && ps ax | grep -vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then
++ if command -v ps >/devnull && ps ax | @grep@ -vw grep | @grep@ -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then
+ has_vmm=1
+ fi
+ fi
+@@ -3417,7 +3417,7 @@ check_CVE_2017_5753()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2017_5753_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2017_5753_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -3469,20 +3469,20 @@ check_CVE_2017_5753_linux()
+ v1_mask_nospec=''
+ if [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+- elif ! command -v perl >/dev/null 2>&1; then
++ elif ! command -v @perl@ >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+ else
+- perl -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
++ @perl@ -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
+ if [ $ret -gt 0 ]; then
+ pstatus green YES "$ret occurrence(s) found of x86 64 bits array_index_mask_nospec()"
+ v1_mask_nospec="x86 64 bits array_index_mask_nospec"
+ else
+- perl -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
++ @perl@ -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
+ if [ $ret -gt 0 ]; then
+ pstatus green YES "$ret occurrence(s) found of x86 32 bits array_index_mask_nospec()"
+ v1_mask_nospec="x86 32 bits array_index_mask_nospec"
+ else
+- ret=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" | grep -w -e f3af8014 -e e320f014 -B2 | grep -B1 -w sbc | grep -w -c cmp)
++ ret=$("@objdump@" $objdump_options "$kernel" | @grep@ -w -e f3af8014 -e e320f014 -B2 | @grep@ -B1 -w sbc | @grep@ -w -c cmp)
+ if [ "$ret" -gt 0 ]; then
+ pstatus green YES "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()"
+ v1_mask_nospec="arm 32 bits array_index_mask_nospec"
+@@ -3526,12 +3526,12 @@ check_CVE_2017_5753_linux()
+ pstatus yellow NO
+ elif [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+- elif ! command -v perl >/dev/null 2>&1; then
++ elif ! command -v @perl@ >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+- elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++ elif ! command -v "@objdump@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ else
+- "${opt_arch_prefix}objdump" $objdump_options "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
++ "@objdump@" $objdump_options "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
+ if [ "$ret" -eq 9 ]; then
+ pstatus green YES "mask_nospec64 macro is present and used"
+ v1_mask_nospec="arm64 mask_nospec64"
+@@ -3553,12 +3553,12 @@ check_CVE_2017_5753_linux()
+ pstatus yellow NO
+ elif [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+- elif ! command -v perl >/dev/null 2>&1; then
++ elif ! command -v @perl@ >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+- elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++ elif ! command -v "@objdump@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ else
+- "${opt_arch_prefix}objdump" -d "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$?
++ "@objdump@" -d "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$?
+ if [ "$ret" -eq 9 ]; then
+ pstatus green YES "array_index_nospec macro is present and used"
+ v1_mask_nospec="arm64 array_index_nospec"
+@@ -3574,7 +3574,7 @@ check_CVE_2017_5753_linux()
+ if [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ else
+- if ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++ if ! command -v "@objdump@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ else
+ # here we disassemble the kernel and count the number of occurrences of the LFENCE opcode
+@@ -3584,7 +3584,7 @@ check_CVE_2017_5753_linux()
+ # so let's push the threshold to 70.
+ # v0.33+: now only count lfence opcodes after a jump, way less error-prone
+ # non patched kernel have between 0 and 20 matches, patched ones have at least 40-45
+- nb_lfence=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence | grep -Ewc 'jmp|jne|je')
++ nb_lfence=$("@objdump@" $objdump_options "$kernel" 2>/dev/null | @grep@ -w -B1 lfence | @grep@ -Ewc 'jmp|jne|je')
+ if [ "$nb_lfence" -lt 30 ]; then
+ pstatus yellow NO "only $nb_lfence jump-then-lfence instructions found, should be >= 30 (heuristic)"
+ else
+@@ -3655,7 +3655,7 @@ check_CVE_2017_5715()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2017_5715_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2017_5715_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -3697,13 +3697,13 @@ check_CVE_2017_5715_linux()
+ # /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed
+ specex_knob_dir=$dir
+ ibrs_supported="$dir/ibrs_enabled exists"
+- ibrs_enabled=$(cat "$dir/ibrs_enabled" 2>/dev/null)
++ ibrs_enabled=$(@cat@ "$dir/ibrs_enabled" 2>/dev/null)
+ _debug "ibrs: found $dir/ibrs_enabled=$ibrs_enabled"
+ # if ibrs_enabled is there, ibpb_enabled will be in the same dir
+ if [ -e "$dir/ibpb_enabled" ]; then
+ # if the file is there, we have IBPB compiled-in (see note above for IBRS)
+ ibpb_supported="$dir/ibpb_enabled exists"
+- ibpb_enabled=$(cat "$dir/ibpb_enabled" 2>/dev/null)
++ ibpb_enabled=$(@cat@ "$dir/ibpb_enabled" 2>/dev/null)
+ _debug "ibpb: found $dir/ibpb_enabled=$ibpb_enabled"
+ else
+ _debug "ibpb: $dir/ibpb_enabled file doesn't exist"
+@@ -3718,7 +3718,7 @@ check_CVE_2017_5715_linux()
+ # which in that case means ibrs is supported *and* enabled for kernel & user
+ # as per the ibrs patch series v3
+ if [ -z "$ibrs_supported" ]; then
+- if grep ^flags "$procfs/cpuinfo" | grep -qw spec_ctrl_ibrs; then
++ if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw spec_ctrl_ibrs; then
+ _debug "ibrs: found spec_ctrl_ibrs flag in $procfs/cpuinfo"
+ ibrs_supported="spec_ctrl_ibrs flag in $procfs/cpuinfo"
+ # enabled=2 -> kernel & user
+@@ -3728,13 +3728,13 @@ check_CVE_2017_5715_linux()
+ fi
+ if [ -n "$fullmsg" ]; then
+ # when IBPB is enabled on 4.15+, we can see it in sysfs
+- if echo "$fullmsg" | grep -q 'IBPB'; then
++ if echo "$fullmsg" | @grep@ -q 'IBPB'; then
+ _debug "ibpb: found enabled in sysfs"
+ [ -z "$ibpb_supported" ] && ibpb_supported='IBPB found enabled in sysfs'
+ [ -z "$ibpb_enabled" ] && ibpb_enabled=1
+ fi
+ # when IBRS_FW is enabled on 4.15+, we can see it in sysfs
+- if echo "$fullmsg" | grep -q ', IBRS_FW'; then
++ if echo "$fullmsg" | @grep@ -q ', IBRS_FW'; then
+ _debug "ibrs: found IBRS_FW in sysfs"
+ [ -z "$ibrs_supported" ] && ibrs_supported='found IBRS_FW in sysfs'
+ ibrs_fw_enabled=1
+@@ -3742,13 +3742,13 @@ check_CVE_2017_5715_linux()
+ # when IBRS is enabled on 4.15+, we can see it in sysfs
+ # on a more recent kernel, classic "IBRS" is not even longer an option, because of the performance impact.
+ # only "Enhanced IBRS" is available (on CPUs with the IBRS_ALL flag)
+- if echo "$fullmsg" | grep -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
++ if echo "$fullmsg" | @grep@ -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
+ _debug "ibrs: found IBRS in sysfs"
+ [ -z "$ibrs_supported" ] && ibrs_supported='found IBRS in sysfs'
+ [ -z "$ibrs_enabled" ] && ibrs_enabled=3
+ fi
+ # checking for 'Enhanced IBRS' in sysfs, enabled on CPUs with IBRS_ALL
+- if echo "$fullmsg" | grep -q -e 'Enhanced IBRS'; then
++ if echo "$fullmsg" | @grep@ -q -e 'Enhanced IBRS'; then
+ [ -z "$ibrs_supported" ] && ibrs_supported='found Enhanced IBRS in sysfs'
+ # 4 isn't actually a valid value of the now extinct "ibrs_enabled" flag file,
+ # that only went from 0 to 3, so we use 4 as "enhanced ibrs is enabled"
+@@ -3767,11 +3767,11 @@ check_CVE_2017_5715_linux()
+ fi
+ fi
+ if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ :
+ else
+ ibrs_can_tell=1
+- ibrs_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1)
++ ibrs_supported=$("@strings@" "$kernel" | @grep@ -Fw -e ', IBRS_FW' | @head@ -1)
+ if [ -n "$ibrs_supported" ]; then
+ _debug "ibrs: found ibrs evidence in kernel image ($ibrs_supported)"
+ ibrs_supported="found '$ibrs_supported' in kernel image"
+@@ -3780,7 +3780,7 @@ check_CVE_2017_5715_linux()
+ fi
+ if [ -z "$ibrs_supported" ] && [ -n "$opt_map" ]; then
+ ibrs_can_tell=1
+- if grep -q spec_ctrl "$opt_map"; then
++ if @grep@ -q spec_ctrl "$opt_map"; then
+ ibrs_supported="found spec_ctrl in symbols file"
+ _debug "ibrs: found '*spec_ctrl*' symbol in $opt_map"
+ fi
+@@ -3788,11 +3788,11 @@ check_CVE_2017_5715_linux()
+ # recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat
+ # we can detect it directly in the image
+ if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ :
+ else
+ ibpb_can_tell=1
+- ibpb_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1)
++ ibpb_supported=$("@strings@" "$kernel" | @grep@ -Fw -e 'ibpb' -e ', IBPB' | @head@ -1)
+ if [ -n "$ibpb_supported" ]; then
+ _debug "ibpb: found ibpb evidence in kernel image ($ibpb_supported)"
+ ibpb_supported="found '$ibpb_supported' in kernel image"
+@@ -3841,9 +3841,9 @@ check_CVE_2017_5715_linux()
+ 2) if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel, user space, and firmware code" ; else pstatus green YES "for both kernel and user space"; fi;;
+ 3) if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and firmware code"; else pstatus green YES; fi;;
+ 4) pstatus green YES "Enhanced flavor, performance impact will be greatly reduced";;
+- *) if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ];
+- then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
+- else
++ *) if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ];
++ then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
++ else
+ pstatus yellow UNKNOWN; fi;;
+ esac
+ fi
+@@ -3894,7 +3894,7 @@ check_CVE_2017_5715_linux()
+ bp_harden=''
+ if [ -r "$opt_config" ]; then
+ bp_harden_can_tell=1
+- bp_harden=$(grep -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
++ bp_harden=$(@grep@ -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
+ if [ -n "$bp_harden" ]; then
+ pstatus green YES
+ _debug "bp_harden: found '$bp_harden' in $opt_config"
+@@ -3902,7 +3902,7 @@ check_CVE_2017_5715_linux()
+ fi
+ if [ -z "$bp_harden" ] && [ -n "$opt_map" ]; then
+ bp_harden_can_tell=1
+- bp_harden=$(grep -w bp_hardening_data "$opt_map")
++ bp_harden=$(@grep@ -w bp_hardening_data "$opt_map")
+ if [ -n "$bp_harden" ]; then
+ pstatus green YES
+ _debug "bp_harden: found '$bp_harden' in $opt_map"
+@@ -3920,11 +3920,11 @@ check_CVE_2017_5715_linux()
+ # We check the RETPOLINE kernel options
+ retpoline=0
+ if [ -r "$opt_config" ]; then
+- if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
++ if @grep@ -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
+ pstatus green YES
+ retpoline=1
+ # shellcheck disable=SC2046
+- _debug 'retpoline: found '$(grep '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
++ _debug 'retpoline: found '$(@grep@ '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
+ else
+ pstatus yellow NO
+ fi
+@@ -3945,8 +3945,8 @@ check_CVE_2017_5715_linux()
+ # since 5.15.28, this is now "Retpolines" as the implementation was switched to a generic one,
+ # so we look for both "retpoline" and "retpolines"
+ if [ "$opt_live" = 1 ] && [ -n "$fullmsg" ]; then
+- if echo "$fullmsg" | grep -qwi -e retpoline -e retpolines; then
+- if echo "$fullmsg" | grep -qwi minimal; then
++ if echo "$fullmsg" | @grep@ -qwi -e retpoline -e retpolines; then
++ if echo "$fullmsg" | @grep@ -qwi minimal; then
+ retpoline_compiler=0
+ retpoline_compiler_reason="kernel reports minimal retpoline compilation"
+ else
+@@ -3956,19 +3956,19 @@ check_CVE_2017_5715_linux()
+ fi
+ elif [ -n "$opt_map" ]; then
+ # look for the symbol
+- if grep -qw noretpoline_setup "$opt_map"; then
++ if @grep@ -qw noretpoline_setup "$opt_map"; then
+ retpoline_compiler=1
+ retpoline_compiler_reason="noretpoline_setup symbol found in System.map"
+ fi
+ elif [ -n "$kernel" ]; then
+ # look for the symbol
+- if command -v "${opt_arch_prefix}nm" >/dev/null 2>&1; then
++ if command -v "@nm@" >/dev/null 2>&1; then
+ # the proper way: use nm and look for the symbol
+- if "${opt_arch_prefix}nm" "$kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then
++ if "@nm@" "$kernel" 2>/dev/null | @grep@ -qw 'noretpoline_setup'; then
+ retpoline_compiler=1
+ retpoline_compiler_reason="noretpoline_setup found in kernel symbols"
+ fi
+- elif grep -q noretpoline_setup "$kernel"; then
++ elif @grep@ -q noretpoline_setup "$kernel"; then
+ # if we don't have nm, nevermind, the symbol name is long enough to not have
+ # any false positive using good old grep directly on the binary
+ retpoline_compiler=1
+@@ -3997,7 +3997,7 @@ check_CVE_2017_5715_linux()
+ retp_enabled=-1
+ if [ "$opt_live" = 1 ]; then
+ if [ -e "$specex_knob_dir/retp_enabled" ]; then
+- retp_enabled=$(cat "$specex_knob_dir/retp_enabled" 2>/dev/null)
++ retp_enabled=$(@cat@ "$specex_knob_dir/retp_enabled" 2>/dev/null)
+ _debug "retpoline: found $specex_knob_dir/retp_enabled=$retp_enabled"
+ _info_nol " * Retpoline is enabled: "
+ if [ "$retp_enabled" = 1 ]; then
+@@ -4027,7 +4027,7 @@ check_CVE_2017_5715_linux()
+ rsb_filling=0
+ if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then
+ # if we're live and we aren't denied looking into /sys, let's do it
+- if echo "$msg" | grep -qw RSB; then
++ if echo "$msg" | @grep@ -qw RSB; then
+ rsb_filling=1
+ pstatus green YES
+ fi
+@@ -4036,7 +4036,7 @@ check_CVE_2017_5715_linux()
+ if [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ else
+- if grep -qw -e 'Filling RSB on context switch' "$kernel"; then
++ if @grep@ -qw -e 'Filling RSB on context switch' "$kernel"; then
+ rsb_filling=1
+ pstatus green YES
+ else
+@@ -4198,7 +4198,7 @@ check_CVE_2017_5715_bsd()
+ {
+ _info "* Mitigation 1"
+ _info_nol " * Kernel supports IBRS: "
+- ibrs_disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null)
++ ibrs_disabled=$(@sysctl@ -n hw.ibrs_disable 2>/dev/null)
+ if [ -z "$ibrs_disabled" ]; then
+ pstatus yellow NO
+ else
+@@ -4206,7 +4206,7 @@ check_CVE_2017_5715_bsd()
+ fi
+
+ _info_nol " * IBRS enabled and active: "
+- ibrs_active=$(sysctl -n hw.ibrs_active 2>/dev/null)
++ ibrs_active=$(@sysctl@ -n hw.ibrs_active 2>/dev/null)
+ if [ "$ibrs_active" = 1 ]; then
+ pstatus green YES
+ else
+@@ -4219,10 +4219,10 @@ check_CVE_2017_5715_bsd()
+ if [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ else
+- if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then
++ if ! command -v "@readelf@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the binutils package"
+ else
+- nb_thunks=$("${opt_arch_prefix}readelf" -s "$kernel" | grep -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_)
++ nb_thunks=$("@readelf@" -s "$kernel" | @grep@ -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_)
+ if [ "$nb_thunks" -gt 0 ]; then
+ retpoline=1
+ pstatus green YES "found $nb_thunks thunk(s)"
+@@ -4263,7 +4263,7 @@ check_CVE_2017_5715_bsd()
+ pti_performance_check()
+ {
+ _info_nol " * Reduced performance impact of PTI: "
+- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw pcid; then
++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pcid; then
+ cpu_pcid=1
+ else
+ read_cpuid 0x1 0x0 $ECX 17 1 1; ret=$?
+@@ -4272,7 +4272,7 @@ pti_performance_check()
+ fi
+ fi
+
+- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw invpcid; then
++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw invpcid; then
+ cpu_invpcid=1
+ else
+ read_cpuid 0x7 0x0 $EBX 10 1 1; ret=$?
+@@ -4297,7 +4297,7 @@ check_CVE_2017_5754()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2017_5754_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2017_5754_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -4319,7 +4319,7 @@ check_CVE_2017_5754_linux()
+ kpti_can_tell=0
+ if [ -n "$opt_config" ]; then
+ kpti_can_tell=1
+- kpti_support=$(grep -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
++ kpti_support=$(@grep@ -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
+ if [ -n "$kpti_support" ]; then
+ _debug "kpti_support: found option '$kpti_support' in $opt_config"
+ fi
+@@ -4329,7 +4329,7 @@ check_CVE_2017_5754_linux()
+ # so we try to find an exported symbol that is part of the PTI patch in System.map
+ # parse_kpti: arm
+ kpti_can_tell=1
+- kpti_support=$(grep -w -e kpti_force_enabled -e parse_kpti "$opt_map")
++ kpti_support=$(@grep@ -w -e kpti_force_enabled -e parse_kpti "$opt_map")
+ if [ -n "$kpti_support" ]; then
+ _debug "kpti_support: found '$kpti_support' in $opt_map"
+ fi
+@@ -4339,10 +4339,10 @@ check_CVE_2017_5754_linux()
+ # nopti option that is part of the patch (kernel command line option)
+ # 'kpti=': arm
+ kpti_can_tell=1
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
+ else
+- kpti_support=$("${opt_arch_prefix}strings" "$kernel" | grep -w -e nopti -e kpti=)
++ kpti_support=$("@strings@" "$kernel" | @grep@ -w -e nopti -e kpti=)
+ if [ -n "$kpti_support" ]; then
+ _debug "kpti_support: found '$kpti_support' in $kernel"
+ fi
+@@ -4369,20 +4369,20 @@ check_CVE_2017_5754_linux()
+ dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
+ # aarch64
+ dmesg_grep="$dmesg_grep|CPU features: detected( feature)?: Kernel page table isolation \(KPTI\)"
+- if grep ^flags "$procfs/cpuinfo" | grep -qw pti; then
++ if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pti; then
+ # vanilla PTI patch sets the 'pti' flag in cpuinfo
+ _debug "kpti_enabled: found 'pti' flag in $procfs/cpuinfo"
+ kpti_enabled=1
+- elif grep ^flags "$procfs/cpuinfo" | grep -qw kaiser; then
++ elif @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw kaiser; then
+ # kernel line 4.9 sets the 'kaiser' flag in cpuinfo
+ _debug "kpti_enabled: found 'kaiser' flag in $procfs/cpuinfo"
+ kpti_enabled=1
+ elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then
+ # Red Hat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
+- kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
++ kpti_enabled=$(@cat@ /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
+ _debug "kpti_enabled: file /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled"
+ elif is_xen_dom0; then
+- pti_xen_pv_domU=$(xl dmesg | grep 'XPTI' | grep 'DomU enabled' | head -1)
++ pti_xen_pv_domU=$(xl @dmesg@ | @grep@ 'XPTI' | @grep@ 'DomU enabled' | @head@ -1)
+
+ [ -n "$pti_xen_pv_domU" ] && kpti_enabled=1
+ fi
+@@ -4457,7 +4457,7 @@ check_CVE_2017_5754_linux()
+ if [ -n "$kpti_support" ]; then
+ if [ -e "/sys/kernel/debug/x86/pti_enabled" ]; then
+ explain "Your kernel supports PTI but it's disabled, you can enable it with \`echo 1 > /sys/kernel/debug/x86/pti_enabled\`"
+- elif echo "$kernel_cmdline" | grep -q -w -e nopti -e pti=off; then
++ elif echo "$kernel_cmdline" | @grep@ -q -w -e nopti -e pti=off; then
+ explain "Your kernel supports PTI but it has been disabled on command-line, remove the nopti or pti=off option from your bootloader configuration"
+ else
+ explain "Your kernel supports PTI but it has been disabled, check \`dmesg\` right after boot to find clues why the system disabled it"
+@@ -4508,7 +4508,7 @@ check_CVE_2017_5754_linux()
+ check_CVE_2017_5754_bsd()
+ {
+ _info_nol "* Kernel supports Page Table Isolation (PTI): "
+- kpti_enabled=$(sysctl -n vm.pmap.pti 2>/dev/null)
++ kpti_enabled=$(@sysctl@ -n vm.pmap.pti 2>/dev/null)
+ if [ -z "$kpti_enabled" ]; then
+ pstatus yellow NO
+ else
+@@ -4579,7 +4579,7 @@ check_CVE_2018_3639()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2018_3639_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2018_3639_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -4598,33 +4598,33 @@ check_CVE_2018_3639_linux()
+ if [ "$opt_sysfs_only" != 1 ]; then
+ _info_nol "* Kernel supports disabling speculative store bypass (SSB): "
+ if [ "$opt_live" = 1 ]; then
+- if grep -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then
++ if @grep@ -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssb="found in $procfs/self/status"
+ _debug "found Speculation.Store.Bypass: in $procfs/self/status"
+ fi
+ fi
+ # arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
+- if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! grep -q 'arm64_sys_' "$kernel"; then
+- kernel_ssb=$("${opt_arch_prefix}strings" "$kernel" | grep spec_store_bypass | head -n1);
++ if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! @grep@ -q 'arm64_sys_' "$kernel"; then
++ kernel_ssb=$("@strings@" "$kernel" | @grep@ spec_store_bypass | @head@ -n1);
+ [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in kernel"
+ fi
+ # arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
+- if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! grep -q 'arm64_sys_' "$opt_map"; then
+- kernel_ssb=$(grep spec_store_bypass "$opt_map" | awk '{print $3}' | head -n1)
++ if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! @grep@ -q 'arm64_sys_' "$opt_map"; then
++ kernel_ssb=$(@grep@ spec_store_bypass "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
+ [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
+ fi
+ # arm64 only:
+ if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ]; then
+- kernel_ssb=$(grep -w cpu_enable_ssbs "$opt_map" | awk '{print $3}' | head -n1)
++ kernel_ssb=$(@grep@ -w cpu_enable_ssbs "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
+ [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
+ fi
+ if [ -z "$kernel_ssb" ] && [ -n "$opt_config" ]; then
+- kernel_ssb=$(grep -w 'CONFIG_ARM64_SSBD=y' "$opt_config")
++ kernel_ssb=$(@grep@ -w 'CONFIG_ARM64_SSBD=y' "$opt_config")
+ [ -n "$kernel_ssb" ] && kernel_ssb="CONFIG_ARM64_SSBD enabled in kconfig"
+ fi
+ if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then
+ # this string only appears in kernel if CONFIG_ARM64_SSBD is set
+- kernel_ssb=$(grep -w "Speculative Store Bypassing Safe (SSBS)" "$kernel")
++ kernel_ssb=$(@grep@ -w "Speculative Store Bypassing Safe (SSBS)" "$kernel")
+ [ -n "$kernel_ssb" ] && kernel_ssb="found 'Speculative Store Bypassing Safe (SSBS)' in kernel"
+ fi
+ # /arm64 only
+@@ -4639,31 +4639,31 @@ check_CVE_2018_3639_linux()
+ if [ "$opt_live" = 1 ]; then
+ # https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340
+ _info_nol "* SSB mitigation is enabled and active: "
+- if grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then
++ if @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssbd_enabled=1
+ pstatus green YES "per-thread through prctl"
+- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then
++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssbd_enabled=2
+ pstatus green YES "global"
+- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then
++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssbd_enabled=0
+ pstatus yellow NO
+- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then
++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssbd_enabled=-2
+ pstatus blue NO "not vulnerable"
+- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then
++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssbd_enabled=0
+ pstatus blue NO
+ else
+- pstatus blue UNKNOWN "unknown value: $(grep -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | cut -d: -f2-)"
++ pstatus blue UNKNOWN "unknown value: $(@grep@ -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | @cut@ -d: -f2-)"
+ fi
+
+ if [ "$kernel_ssbd_enabled" = 1 ]; then
+ _info_nol "* SSB mitigation currently active for selected processes: "
+ # silence grep's stderr here to avoid ENOENT errors from processes that have exited since the shell's expansion of the *
+- mitigated_processes=$(find /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
+- | xargs -r0 grep -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \
+- | sed s/status/exe/ | xargs -r -n1 readlink -f 2>/dev/null | xargs -r -n1 basename | sort -u | tr "\n" " " | sed 's/ $//')
++ mitigated_processes=$(@find@ /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
++ | @xargs@ -r0 @grep@ -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \
++ | @sed@ s/status/exe/ | @xargs@ -r -n1 readlink -f 2>/dev/null | @xargs@ -r -n1 @basename@ | @sort@ -u | @tr@ "\n" " " | @sed@ 's/ $//')
+ if [ -n "$mitigated_processes" ]; then
+ pstatus green YES "$mitigated_processes"
+ else
+@@ -4715,7 +4715,7 @@ check_CVE_2018_3639_linux()
+ check_CVE_2018_3639_bsd()
+ {
+ _info_nol "* Kernel supports speculation store bypass: "
+- if sysctl hw.spec_store_bypass_disable >/dev/null 2>&1; then
++ if @sysctl@ hw.spec_store_bypass_disable >/dev/null 2>&1; then
+ kernel_ssb=1
+ pstatus green YES
+ else
+@@ -4724,7 +4724,7 @@ check_CVE_2018_3639_bsd()
+ fi
+
+ _info_nol "* Speculation store bypass is administratively enabled: "
+- ssb_enabled=$(sysctl -n hw.spec_store_bypass_disable 2>/dev/null)
++ ssb_enabled=$(@sysctl@ -n hw.spec_store_bypass_disable 2>/dev/null)
+ _debug "hw.spec_store_bypass_disable=$ssb_enabled"
+ case "$ssb_enabled" in
+ 0) pstatus yellow NO "disabled";;
+@@ -4734,7 +4734,7 @@ check_CVE_2018_3639_bsd()
+ esac
+
+ _info_nol "* Speculation store bypass is currently active: "
+- ssb_active=$(sysctl -n hw.spec_store_bypass_disable_active 2>/dev/null)
++ ssb_active=$(@sysctl@ -n hw.spec_store_bypass_disable_active 2>/dev/null)
+ _debug "hw.spec_store_bypass_disable_active=$ssb_active"
+ case "$ssb_active" in
+ 1) pstatus green YES;;
+@@ -4806,7 +4806,7 @@ check_CVE_2018_3620()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2018_3620_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2018_3620_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -4824,14 +4824,14 @@ check_CVE_2018_3620_linux()
+ fi
+ if [ "$opt_sysfs_only" != 1 ]; then
+ _info_nol "* Kernel supports PTE inversion: "
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing 'strings' tool, please install it"
+ pteinv_supported=-1
+ elif [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "$kernel_err"
+ pteinv_supported=-1
+ else
+- if "${opt_arch_prefix}strings" "$kernel" | grep -Fq 'PTE Inversion'; then
++ if "@strings@" "$kernel" | @grep@ -Fq 'PTE Inversion'; then
+ pstatus green YES "found in kernel image"
+ _debug "pteinv: found pte inversion evidence in kernel image"
+ pteinv_supported=1
+@@ -4844,7 +4844,7 @@ check_CVE_2018_3620_linux()
+ _info_nol "* PTE inversion enabled and active: "
+ if [ "$opt_live" = 1 ]; then
+ if [ -n "$fullmsg" ]; then
+- if echo "$fullmsg" | grep -q 'Mitigation: PTE Inversion'; then
++ if echo "$fullmsg" | @grep@ -q 'Mitigation: PTE Inversion'; then
+ pstatus green YES
+ pteinv_active=1
+ else
+@@ -4892,7 +4892,7 @@ check_CVE_2018_3620_bsd()
+ else
+ _debug "vmm module already loaded"
+ fi
+- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
+ # https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
+ # this is very difficult to detect that the kernel reserved the 0 page, but this fix
+ # is part of the exact same patch than the other L1TF CVE, so we detect it
+@@ -4922,7 +4922,7 @@ check_CVE_2018_3646()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2018_3646_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2018_3646_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -4948,7 +4948,7 @@ check_CVE_2018_3646_linux()
+ if [ "$opt_live" = 1 ]; then
+ if ! [ -r /sys/module/kvm_intel/parameters/ept ]; then
+ pstatus blue N/A "the kvm_intel module is not loaded"
+- elif [ "$(cat /sys/module/kvm_intel/parameters/ept)" = N ]; then
++ elif [ "$(@cat@ /sys/module/kvm_intel/parameters/ept)" = N ]; then
+ pstatus green YES
+ ept_disabled=1
+ else
+@@ -4960,15 +4960,15 @@ check_CVE_2018_3646_linux()
+
+ _info "* Mitigation 2"
+ _info_nol " * L1D flush is supported by kernel: "
+- if [ "$opt_live" = 1 ] && grep -qw flush_l1d "$procfs/cpuinfo"; then
++ if [ "$opt_live" = 1 ] && @grep@ -qw flush_l1d "$procfs/cpuinfo"; then
+ l1d_kernel="found flush_l1d in $procfs/cpuinfo"
+ fi
+ if [ -z "$l1d_kernel" ]; then
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ l1d_kernel_err="missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
+ elif [ -n "$kernel_err" ]; then
+ l1d_kernel_err="$kernel_err"
+- elif "${opt_arch_prefix}strings" "$kernel" | grep -qw flush_l1d; then
++ elif "@strings@" "$kernel" | @grep@ -qw flush_l1d; then
+ l1d_kernel='found flush_l1d in kernel image'
+ fi
+ fi
+@@ -4989,20 +4989,20 @@ check_CVE_2018_3646_linux()
+ # $l1dstatus is one of (auto|vulnerable|conditional cache flushes|cache flushes|EPT disabled|flush not necessary)
+ # $smtstatus is one of (vulnerable|disabled)
+ # can also just be "Not affected"
+- if echo "$fullmsg" | grep -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then
++ if echo "$fullmsg" | @grep@ -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then
+ l1d_mode=0
+ pstatus yellow NO
+- elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) conditional cache flushes'; then
++ elif echo "$fullmsg" | @grep@ -Eq '(VMX:|L1D) conditional cache flushes'; then
+ l1d_mode=1
+ pstatus green YES "conditional flushes"
+- elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) cache flushes'; then
++ elif echo "$fullmsg" | @grep@ -Eq '(VMX:|L1D) cache flushes'; then
+ l1d_mode=2
+ pstatus green YES "unconditional flushes"
+ else
+ if is_xen_dom0; then
+- l1d_xen_hardware=$(xl dmesg | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -1)
+- l1d_xen_hypervisor=$(xl dmesg | grep 'Xen settings:' | grep 'L1D_FLUSH' | head -1)
+- l1d_xen_pv_domU=$(xl dmesg | grep 'PV L1TF shadowing:' | grep 'DomU enabled' | head -1)
++ l1d_xen_hardware=$(xl @dmesg@ | @grep@ 'Hardware features:' | @grep@ 'L1D_FLUSH' | @head@ -1)
++ l1d_xen_hypervisor=$(xl @dmesg@ | @grep@ 'Xen settings:' | @grep@ 'L1D_FLUSH' | @head@ -1)
++ l1d_xen_pv_domU=$(xl @dmesg@ | @grep@ 'PV L1TF shadowing:' | @grep@ 'DomU enabled' | @head@ -1)
+
+ if [ -n "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n "$l1d_xen_pv_domU" ]; then
+ l1d_mode=5
+@@ -5033,7 +5033,7 @@ check_CVE_2018_3646_linux()
+
+ _info_nol " * Hardware-backed L1D flush supported: "
+ if [ "$opt_live" = 1 ]; then
+- if grep -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then
++ if @grep@ -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then
+ pstatus green YES "performance impact of the mitigation will be greatly reduced"
+ else
+ pstatus blue NO "flush will be done in software, this is slower"
+@@ -5105,7 +5105,7 @@ check_CVE_2018_3646_linux()
+ check_CVE_2018_3646_bsd()
+ {
+ _info_nol "* Kernel supports L1D flushing: "
+- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
+ pstatus green YES
+ kernel_l1d_supported=1
+ else
+@@ -5114,7 +5114,7 @@ check_CVE_2018_3646_bsd()
+ fi
+
+ _info_nol "* L1D flushing is enabled: "
+- kernel_l1d_enabled=$(sysctl -n hw.vmm.vmx.l1d_flush 2>/dev/null)
++ kernel_l1d_enabled=$(@sysctl@ -n hw.vmm.vmx.l1d_flush 2>/dev/null)
+ case "$kernel_l1d_enabled" in
+ 0) pstatus yellow NO;;
+ 1) pstatus green YES;;
+@@ -5168,7 +5168,7 @@ check_CVE_2018_12127()
+ ###################
+ # MDSUM SECTION
+
+-# Microarchitectural Data Sampling Uncacheable Memory
++# Microarchitectural Data Sampling Uncacheable Memory
+ check_CVE_2019_11091()
+ {
+ cve='CVE-2019-11091'
+@@ -5182,7 +5182,7 @@ check_mds()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_mds_linux "$cve"
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_mds_bsd "$cve"
+ else
+ _warn "Unsupported OS ($os)"
+@@ -5193,7 +5193,7 @@ check_mds_bsd()
+ {
+ _info_nol "* Kernel supports using MD_CLEAR mitigation: "
+ if [ "$opt_live" = 1 ]; then
+- if sysctl hw.mds_disable >/dev/null 2>&1; then
++ if @sysctl@ hw.mds_disable >/dev/null 2>&1; then
+ pstatus green YES
+ kernel_md_clear=1
+ else
+@@ -5201,7 +5201,7 @@ check_mds_bsd()
+ kernel_md_clear=0
+ fi
+ else
+- if grep -Fq hw.mds_disable $opt_kernel; then
++ if @grep@ -Fq hw.mds_disable $opt_kernel; then
+ pstatus green YES
+ kernel_md_clear=1
+ else
+@@ -5211,8 +5211,8 @@ check_mds_bsd()
+ fi
+
+ _info_nol "* CPU Hyper-Threading (SMT) is disabled: "
+- if sysctl machdep.hyperthreading_allowed >/dev/null 2>&1; then
+- kernel_smt_allowed=$(sysctl -n machdep.hyperthreading_allowed 2>/dev/null)
++ if @sysctl@ machdep.hyperthreading_allowed >/dev/null 2>&1; then
++ kernel_smt_allowed=$(@sysctl@ -n machdep.hyperthreading_allowed 2>/dev/null)
+ if [ "$kernel_smt_allowed" = 1 ]; then
+ pstatus yellow NO
+ else
+@@ -5224,7 +5224,7 @@ check_mds_bsd()
+
+ _info_nol "* Kernel mitigation is enabled: "
+ if [ "$kernel_md_clear" = 1 ]; then
+- kernel_mds_enabled=$(sysctl -n hw.mds_disable 2>/dev/null)
++ kernel_mds_enabled=$(@sysctl@ -n hw.mds_disable 2>/dev/null)
+ else
+ kernel_mds_enabled=0
+ fi
+@@ -5238,7 +5238,7 @@ check_mds_bsd()
+
+ _info_nol "* Kernel mitigation is active: "
+ if [ "$kernel_md_clear" = 1 ]; then
+- kernel_mds_state=$(sysctl -n hw.mds_disable_state 2>/dev/null)
++ kernel_mds_state=$(@sysctl@ -n hw.mds_disable_state 2>/dev/null)
+ else
+ kernel_mds_state=inactive
+ fi
+@@ -5296,16 +5296,16 @@ check_mds_linux()
+ _info_nol "* Kernel supports using MD_CLEAR mitigation: "
+ kernel_md_clear=''
+ kernel_md_clear_can_tell=1
+- if [ "$opt_live" = 1 ] && grep ^flags "$procfs/cpuinfo" | grep -qw md_clear; then
++ if [ "$opt_live" = 1 ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw md_clear; then
+ kernel_md_clear="md_clear found in $procfs/cpuinfo"
+ pstatus green YES "$kernel_md_clear"
+ fi
+ if [ -z "$kernel_md_clear" ]; then
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ kernel_md_clear_can_tell=0
+ elif [ -n "$kernel_err" ]; then
+ kernel_md_clear_can_tell=0
+- elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'Clear CPU buffers'; then
++ elif "@strings@" "$kernel" | @grep@ -q 'Clear CPU buffers'; then
+ _debug "md_clear: found 'Clear CPU buffers' string in kernel image"
+ kernel_md_clear='found md_clear implementation evidence in kernel image'
+ pstatus green YES "$kernel_md_clear"
+@@ -5321,7 +5321,7 @@ check_mds_linux()
+
+ if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then
+ _info_nol "* Kernel mitigation is enabled and active: "
+- if echo "$fullmsg" | grep -qi ^mitigation; then
++ if echo "$fullmsg" | @grep@ -qi ^mitigation; then
+ mds_mitigated=1
+ pstatus green YES
+ else
+@@ -5329,7 +5329,7 @@ check_mds_linux()
+ pstatus yellow NO
+ fi
+ _info_nol "* SMT is either mitigated or disabled: "
+- if echo "$fullmsg" | grep -Eq 'SMT (disabled|mitigated)'; then
++ if echo "$fullmsg" | @grep@ -Eq 'SMT (disabled|mitigated)'; then
+ mds_smt_mitigated=1
+ pstatus green YES
+ else
+@@ -5415,7 +5415,7 @@ check_CVE_2019_11135()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2019_11135_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2019_11135_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -5436,7 +5436,7 @@ check_CVE_2019_11135_linux()
+ kernel_taa=''
+ if [ -n "$kernel_err" ]; then
+ kernel_taa_err="$kernel_err"
+- elif grep -q 'tsx_async_abort' "$kernel"; then
++ elif @grep@ -q 'tsx_async_abort' "$kernel"; then
+ kernel_taa="found tsx_async_abort in kernel image"
+ fi
+ if [ -n "$kernel_taa" ]; then
+@@ -5450,7 +5450,7 @@ check_CVE_2019_11135_linux()
+ _info_nol "* TAA mitigation enabled and active: "
+ if [ "$opt_live" = 1 ]; then
+ if [ -n "$fullmsg" ]; then
+- if echo "$fullmsg" | grep -qE '^Mitigation'; then
++ if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then
+ pstatus green YES "$fullmsg"
+ else
+ pstatus yellow NO
+@@ -5485,9 +5485,9 @@ check_CVE_2019_11135_linux()
+ else
+ if [ "$opt_paranoid" = 1 ]; then
+ # in paranoid mode, TSX or SMT enabled are not OK, even if TAA is mitigated
+- if ! echo "$fullmsg" | grep -qF 'TSX disabled'; then
++ if ! echo "$fullmsg" | @grep@ -qF 'TSX disabled'; then
+ pvulnstatus $cve VULN "TSX must be disabled for full mitigation"
+- elif echo "$fullmsg" | grep -qF 'SMT vulnerable'; then
++ elif echo "$fullmsg" | @grep@ -qF 'SMT vulnerable'; then
+ pvulnstatus $cve VULN "SMT (HyperThreading) must be disabled for full mitigation"
+ else
+ pvulnstatus $cve "$status" "$msg"
+@@ -5517,7 +5517,7 @@ check_CVE_2018_12207()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2018_12207_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2018_12207_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -5541,7 +5541,7 @@ check_CVE_2018_12207_linux()
+ if [ -n "$kernel_err" ]; then
+ kernel_itlbmh_err="$kernel_err"
+ # commit 5219505fcbb640e273a0d51c19c38de0100ec5a9
+- elif grep -q 'itlb_multihit' "$kernel"; then
++ elif @grep@ -q 'itlb_multihit' "$kernel"; then
+ kernel_itlbmh="found itlb_multihit in kernel image"
+ fi
+ if [ -n "$kernel_itlbmh" ]; then
+@@ -5555,7 +5555,7 @@ check_CVE_2018_12207_linux()
+ _info_nol "* iTLB Multihit mitigation enabled and active: "
+ if [ "$opt_live" = 1 ]; then
+ if [ -n "$fullmsg" ]; then
+- if echo "$fullmsg" | grep -qF 'Mitigation'; then
++ if echo "$fullmsg" | @grep@ -qF 'Mitigation'; then
+ pstatus green YES "$fullmsg"
+ else
+ pstatus yellow NO
+@@ -5597,7 +5597,7 @@ check_CVE_2018_12207_linux()
+ check_CVE_2018_12207_bsd()
+ {
+ _info_nol "* Kernel supports disabling superpages for executable mappings under EPT: "
+- kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept 2>/dev/null)
++ kernel_2m_x_ept=$(@sysctl@ -n vm.pmap.allow_2m_x_ept 2>/dev/null)
+ if [ -z "$kernel_2m_x_ept" ]; then
+ pstatus yellow NO
+ else
+@@ -5634,7 +5634,7 @@ check_CVE_2020_0543()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2020_0543_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2020_0543_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -5655,7 +5655,7 @@ check_CVE_2020_0543_linux()
+ kernel_srbds=''
+ if [ -n "$kernel_err" ]; then
+ kernel_srbds_err="$kernel_err"
+- elif grep -q 'Dependent on hypervisor' "$kernel"; then
++ elif @grep@ -q 'Dependent on hypervisor' "$kernel"; then
+ kernel_srbds="found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation"
+ fi
+ if [ -n "$kernel_srbds" ]; then
+@@ -5668,7 +5668,7 @@ check_CVE_2020_0543_linux()
+ _info_nol "* SRBDS mitigation control is enabled and active: "
+ if [ "$opt_live" = 1 ]; then
+ if [ -n "$fullmsg" ]; then
+- if echo "$fullmsg" | grep -qE '^Mitigation'; then
++ if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then
+ pstatus green YES "$fullmsg"
+ else
+ pstatus yellow NO
+@@ -5758,8 +5758,8 @@ fi
+ # now run the checks the user asked for
+ for cve in $supported_cve_list
+ do
+- if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | grep -qw "$cve"; then
+- check_"$(echo "$cve" | tr - _)"
++ if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | @grep@ -qw "$cve"; then
++ check_"$(echo "$cve" | @tr@ - _)"
+ _info
+ fi
+ done
+@@ -5773,17 +5773,17 @@ if [ "$bad_accuracy" = 1 ]; then
+ _warn "We're missing some kernel info (see -v), accuracy might be reduced"
+ fi
+
+-_vars=$(set | grep -Ev '^[A-Z_[:space:]]' | grep -v -F 'mockme=' | sort | tr "\n" '|')
++_vars=$(set | @grep@ -Ev '^[A-Z_[:space:]]' | @grep@ -v -F 'mockme=' | @sort@ | @tr@ "\n" '|')
+ _debug "variables at end of script: $_vars"
+
+ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
+- if command -v "gzip" >/dev/null 2>&1; then
++ if command -v "@gzip@" >/dev/null 2>&1; then
+ # not a useless use of cat: gzipping cpuinfo directly doesn't work well
+ # shellcheck disable=SC2002
+- if command -v "base64" >/dev/null 2>&1; then
+- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | base64 -w0)"
+- elif command -v "uuencode" >/dev/null 2>&1; then
+- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | uuencode -m - | grep -Fv 'begin-base64' | grep -Fxv -- '====' | tr -d "\n")"
++ if command -v "@base64@" >/dev/null 2>&1; then
++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @base64@ -w0)"
++ elif command -v "@uuencode@" >/dev/null 2>&1; then
++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @uuencode@ -m - | @grep@ -Fv 'begin-base64' | @grep@ -Fxv -- '====' | @tr@ -d "\n")"
+ fi
+ fi
+ if [ -n "$mock_cpuinfo" ]; then
+@@ -5792,7 +5792,7 @@ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
+ fi
+ _info ""
+ # shellcheck disable=SC2046
+- _warn "To mock this CPU, set those vars: "$(echo "$mockme" | sort -u)
++ _warn "To mock this CPU, set those vars: "$(echo "$mockme" | @sort@ -u)
+ fi
+
+ if [ "$opt_explain" = 0 ]; then
+--
+2.38.1
+
diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
new file mode 100644
index 0000000000..afec52b418
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
@@ -0,0 +1,26 @@
+From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako <at> ultrarare.space>
+Date: Sat, 5 Nov 2022 23:22:31 +0800
+Subject: [PATCH] Add support for Guix System kernel.
+
+---
+ spectre-meltdown-checker.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 248a444..855a090 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
+ [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
+ # NixOS:
+ [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
++ # Guix System:
++ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ # systemd kernel-install:
+ [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
+ # Clear Linux:
+
+base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
+--
+2.38.0
base-commit: 70df5c47a89f4f353a1df94467581a0f0da599a4
--
2.38.1
guix-patches <at> gnu.org:bug#59053; Package guix-patches.
(Fri, 11 Nov 2022 15:14:01 GMT) Full text and rfc822 format available.Message #18 received at 59053 <at> debbugs.gnu.org (full text, mbox):
From: Liliana Marie Prikler <liliana.prikler <at> gmail.com> To: Hilton Chain <hako <at> ultrarare.space> Cc: 59053 <at> debbugs.gnu.org Subject: Re: [PATCH v2] gnu: Add spectre-meltdown-checker. Date: Fri, 11 Nov 2022 16:13:03 +0100
Hi,
Am Freitag, dem 11.11.2022 um 19:10 +0800 schrieb Hilton Chain:
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-
> substitution.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch:
> New file.
> * gnu/local.mk (dist_patch_DATA): Add patches.
> ---
> v1 -> v2:
>
> gnu/local.mk | 3 +
> gnu/packages/linux.scm | 53 +
> ...ker-remove-builtin-firmware-database.patch | 554 +++++
> ...cker-stage-commands-for-substitution.patch | 1947
> +++++++++++++++++
> ...n-checker-support-guix-system-kernel.patch | 26 +
> 5 files changed, 2583 insertions(+)
> create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> remove-builtin-firmware-database.patch
> create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> stage-commands-for-substitution.patch
> create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 27b31ea27f..d518cd8641 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1851,6 +1851,9 @@ dist_patch_DATA
> = \
> %D%/packages/patches/syslinux-strip-gnu-property.patch \
> %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch \
> %D%/packages/patches/snappy-add-inline-for-GCC.patch \
> + %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
> + %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-
> substitution.patch \
> + %D%/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch \
> %D%/packages/patches/sphinxbase-fix-doxygen.patch \
> %D%/packages/patches/spice-vdagent-glib-2.68.patch \
> %D%/packages/patches/sssd-optional-systemd.patch \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index 2c06269504..5a0d55833a 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9595,3 +9595,56 @@ (define-public edac-utils
> error detection and correction (EDAC).")
> (home-page "https://github.com/grondo/edac-utils")
> (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> + (package
> + (name "spectre-meltdown-checker")
> + (version "0.45")
> + (source (origin
> + (method git-fetch)
> + (uri (git-reference
> + (url
> "https://github.com/speed47/spectre-meltdown-checker")
> + (commit (string-append "v" version))))
> + (file-name (git-file-name name version))
> + (patches
> + (search-patches
> + ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> + "spectre-meltdown-checker-support-guix-system-
> kernel.patch"
> + ;; NOTE: Update these patches when updating.
> + "spectre-meltdown-checker-stage-commands-for-
> substitution.patch"
> + "spectre-meltdown-checker-remove-builtin-firmware-
> database.patch"))
> + (sha256
> + (base32
> +
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> + (build-system copy-build-system)
> + (arguments
> + (list #:install-plan
> + #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> + #:phases
> + #~(modify-phases %standard-phases
> + (add-after 'unpack 'fixpath
> + (lambda* (#:key inputs #:allow-other-keys)
> + (substitute* "spectre-meltdown-checker.sh"
> + (("@sysctl@") (search-input-file inputs
> "/sbin/sysctl"))
> + (("@([a-z0-9]*)@" _ m _)
> + (search-input-file inputs (string-append
> "/bin/" m)))))))))
I'd prefer "command" instead of m as a variable name here.
> + (inputs
> + (list binutils
> + coreutils
> + grep
> + kmod
> + lz4
> + lzop
> + perl
> + procps
> + sharutils
> + util-linux
> + which
> + zstd))
> + (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> + (synopsis "CPU vulnerability / mitigation checker")
> + (description
> + "This package provides a shell script to assess your system's
> resilience
> +against the several transient execution CVEs that were published
> since early
> +2018, and give you guidance as to how to mitigate them.")
> + (license license:gpl3)))
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-
> builtin-firmware-database.patch b/gnu/packages/patches/spectre-
> meltdown-checker-remove-builtin-firmware-database.patch
> new file mode 100644
> index 0000000000..e926551550
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch
> @@ -0,0 +1,554 @@
> +From ac4bb2e61e4e8d195d560014816e107b315817ff Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako <at> ultrarare.space>
> +Date: Fri, 11 Nov 2022 18:55:25 +0800
> +Subject: [PATCH 2/2] Remove builtin firmware database.
> +
> +---
> + spectre-meltdown-checker.sh | 477 ++-------------------------------
> ---
> + 1 file changed, 27 insertions(+), 450 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 82cf1b6..79c4bb7 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -95,7 +95,6 @@ show_usage()
> + --cpu [#,all] interact with CPUID and MSR
> of CPU core number #, or all (default: CPU core 0)
> + --update-fwdb update our local copy of the
> CPU microcodes versions database (using the awesome
> + MCExtractor project and the
> Intel firmwares GitHub repository)
> +- --update-builtin-fwdb same as --update-fwdb but
> update builtin DB inside the script itself
> + --dump-mock-data used to mimick a CPU on an
> other system, mainly used to help debugging this script
> +
> + Return codes:
> +@@ -853,9 +852,9 @@ update_fwdb()
> + mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)"
> + mcedb_url='
> https://github.com/platomav/MCExtractor/raw/master/MCE.db'
> + _info_nol "Fetching MCE.db from the MCExtractor project... "
> +- if command -v wget >/dev/null 2>&1; then
> +- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
> +- elif command -v curl >/dev/null 2>&1; then
> ++ # if command -v wget >/dev/null 2>&1; then
> ++ # wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
> ++ if command -v curl >/dev/null 2>&1; then
> + curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
> + elif command -v fetch >/dev/null 2>&1; then
> + fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
The curl line and fetch line do the same thing as the wget line.
Prefer removal over commenting.
> +@@ -874,9 +873,9 @@ update_fwdb()
> + intel_url="
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-
> Files/archive/main.zip"
> + _info_nol "Fetching Intel firmwares... "
> + ##
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
> +- if command -v wget >/dev/null 2>&1; then
> +- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
> +- elif command -v curl >/dev/null 2>&1; then
> ++ # if command -v wget >/dev/null 2>&1; then
> ++ # wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
> ++ if command -v curl >/dev/null 2>&1; then
> + curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
> + elif command -v fetch >/dev/null 2>&1; then
> + fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
Same here.
> +@@ -969,13 +968,13 @@ update_fwdb()
> + } > "$mcedb_cache"
> + echo DONE "(version $dbversion)"
> +
> +- if [ "$1" = builtin ]; then
> +- newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
> +- @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" >
> "$newfile"
> +- @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >>
> "$newfile"
> +- @cat@ "$newfile" > "$0"
> +- @rm@ -f "$newfile"
> +- fi
> ++ # if [ "$1" = builtin ]; then
> ++ # newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
> ++ # @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" >
> "$newfile"
> ++ # @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >>
> "$newfile"
> ++ # @cat@ "$newfile" > "$0"
> ++ # @rm@ -f "$newfile"
> ++ # fi
This time, it seems completely removed, but still prefer removal over
commenting.
> + }
> +
> + parse_opt_file()
> +@@ -1070,9 +1069,9 @@ while [ -n "${1:-}" ]; do
> + elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb"
> ]; then
> + update_fwdb
> + exit $?
> +- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--
> update-builtin-mcedb" ]; then
> +- update_fwdb builtin
> +- exit $?
> ++ # elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--
> update-builtin-mcedb" ]; then
> ++ # update_fwdb builtin
> ++ # exit $?
> + elif [ "$1" = "--dump-mock-data" ]; then
> + opt_mock=1
> + shift
> +@@ -2033,22 +2032,22 @@ is_xen_domU()
> + fi
> + }
> +
> +-builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
> ++# builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
> + if [ -r "$mcedb_cache" ]; then
> + # we have a local cache file, but it might be older than the
> builtin version we have
> + local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }'
> "$mcedb_cache")
> + # sort -V sorts by version number
> +- older_dbversion=$(printf "%b\n%b" "$local_dbversion"
> "$builtin_dbversion" | @sort@ -V | @head@ -n1)
> +- if [ "$older_dbversion" = "$builtin_dbversion" ]; then
> ++ # older_dbversion=$(printf "%b\n%b" "$local_dbversion"
> "$builtin_dbversion" | @sort@ -V | @head@ -n1)
> ++ # if [ "$older_dbversion" = "$builtin_dbversion" ]; then
> + mcedb_source="$mcedb_cache"
> + mcedb_info="local firmwares DB $local_dbversion"
> +- fi
> ++ # fi
> + fi
> + # if mcedb_source is not set, either we don't have a local cached
> db, or it is older than the builtin db
> +-if [ -z "${mcedb_source:-}" ]; then
> +- mcedb_source="$0"
> +- mcedb_info="builtin firmwares DB $builtin_dbversion"
> +-fi
> ++# if [ -z "${mcedb_source:-}" ]; then
> ++# mcedb_source="$0"
> ++# mcedb_info="builtin firmwares DB $builtin_dbversion"
> ++# fi
I'm not sure whether this is correctly patched.
> + read_mcedb()
> + {
> + @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / {
> DELIM=1 }' "$mcedb_source"
> +@@ -2070,6 +2069,9 @@ is_latest_known_ucode()
> + else
> + return 2
> + fi
> ++ if [ -z "$mcedb_source" ]; then
> ++ return 2
> ++ fi
Here neither, what does the return 2 above do?
> + for tuple in $(read_mcedb | @grep@ "$(printf
> "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
> + do
> + ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
> +@@ -5833,428 +5835,3 @@ fi
> + [ "$global_critical" = 1 ] && exit 2 # critical
> + [ "$global_unknown" = 1 ] && exit 3 # unknown
> + exit 0 # ok
> +-
> +-# We're using MCE.db from the excellent platomav's MCExtractor
> project
> +-# The builtin version follows, but the user can download an up-to-
> date copy (to be stored in his $HOME) by using --update-fwdb
> +-# To update the builtin version itself (by *modifying* this very
> file), use --update-builtin-fwdb
> +-
Can we remove this builtin version without a patch, i.e. a snippet?
I think that doing so would be more robust than keeping the patch up to
date.
> +-# %%% MCEDB v222+i20220208
> +-# I,0x00000611,0x00000B27,19961218
> +-# I,0x00000612,0x000000C6,19961210
> +-# I,0x00000616,0x000000C6,19961210
> +-# I,0x00000617,0x000000C6,19961210
> +-# I,0x00000619,0x000000D2,19980218
> +-# I,0x00000630,0x00000013,19960827
> +-# I,0x00000632,0x00000020,19960903
> +-# I,0x00000633,0x00000036,19980923
> +-# I,0x00000634,0x00000037,19980923
> +-# I,0x00000650,0x00000045,19990525
> +-# I,0x00000651,0x00000042,19990525
> +-# I,0x00000652,0x0000002D,19990518
> +-# I,0x00000653,0x00000010,19990628
> +-# I,0x00000660,0x0000000A,19990505
> +-# I,0x00000665,0x00000003,19990505
> +-# I,0x0000066A,0x0000000D,19990505
> +-# I,0x0000066D,0x00000007,19990505
> +-# I,0x00000670,0x00000007,19980602
> +-# I,0x00000671,0x00000014,19980811
> +-# I,0x00000672,0x00000038,19990922
> +-# I,0x00000673,0x0000002E,19990910
> +-# I,0x00000680,0x00000017,19990610
> +-# I,0x00000681,0x00000014,19991209
> +-# I,0x00000683,0x00000014,20010206
> +-# I,0x00000686,0x00000008,20000505
> +-# I,0x0000068A,0x00000005,20001207
> +-# I,0x00000690,0x00000004,20000206
> +-# I,0x00000691,0x00000001,20020527
> +-# I,0x00000692,0x00000001,20020620
> +-# I,0x00000694,0x00000002,20020926
> +-# I,0x00000695,0x00000047,20041109
> +-# I,0x00000696,0x00000001,20000707
> +-# I,0x000006A0,0x00000003,20000110
> +-# I,0x000006A1,0x00000001,20000306
> +-# I,0x000006A4,0x00000001,20000616
> +-# I,0x000006B0,0x0000001A,20010129
> +-# I,0x000006B1,0x0000001D,20010220
> +-# I,0x000006B4,0x00000002,20020111
> +-# I,0x000006D0,0x00000006,20030522
> +-# I,0x000006D1,0x00000009,20030709
> +-# I,0x000006D2,0x00000010,20030814
> +-# I,0x000006D6,0x00000018,20041017
> +-# I,0x000006D8,0x00000021,20060831
> +-# I,0x000006E0,0x00000008,20050215
> +-# I,0x000006E1,0x0000000C,20050413
> +-# I,0x000006E4,0x00000026,20050816
> +-# I,0x000006E8,0x0000003C,20060208
> +-# I,0x000006EC,0x0000005B,20070208
> +-# I,0x000006F0,0x00000005,20050818
> +-# I,0x000006F1,0x00000012,20051129
> +-# I,0x000006F2,0x0000005D,20101002
> +-# I,0x000006F4,0x00000028,20060417
> +-# I,0x000006F5,0x00000039,20060727
> +-# I,0x000006F6,0x000000D2,20101001
> +-# I,0x000006F7,0x0000006B,20101002
> +-# I,0x000006F9,0x00000084,20061012
> +-# I,0x000006FA,0x00000095,20101002
> +-# I,0x000006FB,0x000000C1,20111004
> +-# I,0x000006FD,0x000000A4,20101002
> +-# I,0x00000F00,0xFFFF0001,20000130
> +-# I,0x00000F01,0xFFFF0007,20000404
> +-# I,0x00000F02,0xFFFF000B,20000518
> +-# I,0x00000F03,0xFFFF0001,20000518
> +-# I,0x00000F04,0xFFFF0010,20000803
> +-# I,0x00000F05,0x0000000C,20000824
> +-# I,0x00000F06,0x00000004,20000911
> +-# I,0x00000F07,0x00000012,20020716
> +-# I,0x00000F08,0x00000008,20001101
> +-# I,0x00000F09,0x00000008,20010104
> +-# I,0x00000F0A,0x00000015,20020821
> +-# I,0x00000F11,0x0000000A,20030729
> +-# I,0x00000F12,0x0000002F,20030502
> +-# I,0x00000F13,0x00000005,20030508
> +-# I,0x00000F20,0x00000001,20010423
> +-# I,0x00000F21,0x00000003,20010529
> +-# I,0x00000F22,0x00000005,20030729
> +-# I,0x00000F23,0x0000000D,20010817
> +-# I,0x00000F24,0x00000021,20030610
> +-# I,0x00000F25,0x0000002C,20040826
> +-# I,0x00000F26,0x00000010,20040805
> +-# I,0x00000F27,0x00000039,20030604
> +-# I,0x00000F29,0x0000002F,20040811
> +-# I,0x00000F30,0x00000013,20030815
> +-# I,0x00000F31,0x0000000B,20031021
> +-# I,0x00000F32,0x0000000A,20040511
> +-# I,0x00000F33,0x0000000C,20050421
> +-# I,0x00000F34,0x00000017,20050421
> +-# I,0x00000F36,0x00000007,20040309
> +-# I,0x00000F37,0x00000003,20031218
> +-# I,0x00000F40,0x00000006,20040318
> +-# I,0x00000F41,0x00000017,20050422
> +-# I,0x00000F42,0x00000003,20050421
> +-# I,0x00000F43,0x00000005,20050421
> +-# I,0x00000F44,0x00000006,20050421
> +-# I,0x00000F46,0x00000004,20050411
> +-# I,0x00000F47,0x00000003,20050421
> +-# I,0x00000F48,0x0000000E,20080115
> +-# I,0x00000F49,0x00000003,20050421
> +-# I,0x00000F4A,0x00000004,20051214
> +-# I,0x00000F60,0x00000005,20050124
> +-# I,0x00000F61,0x00000008,20050610
> +-# I,0x00000F62,0x0000000F,20051215
> +-# I,0x00000F63,0x00000005,20051010
> +-# I,0x00000F64,0x00000004,20051223
> +-# I,0x00000F65,0x0000000B,20070510
> +-# I,0x00000F66,0x0000001B,20060310
> +-# I,0x00000F68,0x00000009,20060714
> +-# I,0x00001632,0x00000002,19980610
> +-# I,0x00010650,0x00000002,20060513
> +-# I,0x00010660,0x00000004,20060612
> +-# I,0x00010661,0x00000045,20101004
> +-# I,0x00010670,0x00000005,20070209
> +-# I,0x00010671,0x00000106,20070329
> +-# I,0x00010674,0x84050100,20070726
> +-# I,0x00010676,0x00000612,20150802
> +-# I,0x00010677,0x0000070D,20150802
> +-# I,0x0001067A,0x00000A0E,20150729
> +-# I,0x000106A0,0xFFFF001A,20071128
> +-# I,0x000106A1,0xFFFF000B,20080220
> +-# I,0x000106A2,0xFFFF0019,20080714
> +-# I,0x000106A4,0x00000013,20150630
> +-# I,0x000106A5,0x0000001D,20180511
> +-# I,0x000106C0,0x00000007,20070824
> +-# I,0x000106C1,0x00000109,20071203
> +-# I,0x000106C2,0x00000219,20090410
> +-# I,0x000106C9,0x00000007,20090213
> +-# I,0x000106CA,0x00000107,20090825
> +-# I,0x000106D0,0x00000005,20071204
> +-# I,0x000106D1,0x0000002A,20150803
> +-# I,0x000106E0,0xFFFF0022,20090116
> +-# I,0x000106E1,0xFFFF000D,20090206
> +-# I,0x000106E2,0xFFFF0011,20090924
> +-# I,0x000106E3,0xFFFF0011,20090512
> +-# I,0x000106E4,0x00000003,20130701
> +-# I,0x000106E5,0x0000000A,20180508
> +-# I,0x000106F0,0xFFFF0009,20090210
> +-# I,0x000106F1,0xFFFF0007,20090210
> +-# I,0x00020650,0xFFFF0008,20090218
> +-# I,0x00020651,0xFFFF0018,20090818
> +-# I,0x00020652,0x00000011,20180508
> +-# I,0x00020654,0xFFFF0007,20091124
> +-# I,0x00020655,0x00000007,20180423
> +-# I,0x00020661,0x00000105,20110718
> +-# I,0x000206A0,0x00000029,20091102
> +-# I,0x000206A1,0x00000007,20091223
> +-# I,0x000206A2,0x00000027,20100502
> +-# I,0x000206A3,0x00000009,20100609
> +-# I,0x000206A4,0x00000022,20100414
> +-# I,0x000206A5,0x00000007,20100722
> +-# I,0x000206A6,0x90030028,20100924
> +-# I,0x000206A7,0x0000002F,20190217
> +-# I,0x000206C0,0xFFFF001C,20091214
> +-# I,0x000206C1,0x00000006,20091222
> +-# I,0x000206C2,0x0000001F,20180508
> +-# I,0x000206D0,0x80000006,20100816
> +-# I,0x000206D1,0x80000106,20101201
> +-# I,0x000206D2,0xAF506958,20110714
> +-# I,0x000206D3,0xAF50696A,20110816
> +-# I,0x000206D5,0xAF5069E5,20120118
> +-# I,0x000206D6,0x00000621,20200304
> +-# I,0x000206D7,0x0000071A,20200324
> +-# I,0x000206E0,0xE3493401,20090108
> +-# I,0x000206E1,0xE3493402,20090224
> +-# I,0x000206E2,0xFFFF0004,20081001
> +-# I,0x000206E3,0xE4486547,20090701
> +-# I,0x000206E4,0xFFFF0008,20090619
> +-# I,0x000206E5,0xFFFF0018,20091215
> +-# I,0x000206E6,0x0000000D,20180515
> +-# I,0x000206F0,0x00000005,20100729
> +-# I,0x000206F1,0x00000008,20101013
> +-# I,0x000206F2,0x0000003B,20180516
> +-# I,0x00030650,0x00000009,20120118
> +-# I,0x00030651,0x00000110,20131014
> +-# I,0x00030660,0x00000003,20101103
> +-# I,0x00030661,0x0000010F,20150721
> +-# I,0x00030669,0x0000010D,20130515
> +-# I,0x00030671,0x00000117,20130410
> +-# I,0x00030672,0x0000022E,20140401
> +-# I,0x00030673,0x83290100,20190916
> +-# I,0x00030678,0x00000838,20190422
> +-# I,0x00030679,0x0000090D,20190710
> +-# I,0x000306A0,0x00000007,20110407
> +-# I,0x000306A2,0x0000000C,20110725
> +-# I,0x000306A4,0x00000007,20110908
> +-# I,0x000306A5,0x00000009,20111110
> +-# I,0x000306A6,0x00000004,20111114
> +-# I,0x000306A8,0x00000010,20120220
> +-# I,0x000306A9,0x00000021,20190213
> +-# I,0x000306C0,0xFFFF0013,20111110
> +-# I,0x000306C1,0xFFFF0014,20120725
> +-# I,0x000306C2,0xFFFF0006,20121017
> +-# I,0x000306C3,0x00000028,20191112
> +-# I,0x000306D1,0xFFFF0009,20131015
> +-# I,0x000306D2,0xFFFF0009,20131219
> +-# I,0x000306D3,0xE3121338,20140825
> +-# I,0x000306D4,0x0000002F,20191112
> +-# I,0x000306E0,0xE920080F,20121113
> +-# I,0x000306E2,0xE9220827,20130523
> +-# I,0x000306E3,0x00000308,20130321
> +-# I,0x000306E4,0x0000042E,20190314
> +-# I,0x000306E6,0x00000600,20130619
> +-# I,0x000306E7,0x00000715,20190314
> +-# I,0x000306F0,0xFFFF0017,20130730
> +-# I,0x000306F1,0xD141D629,20140416
> +-# I,0x000306F2,0x00000049,20210811
> +-# I,0x000306F3,0x0000000D,20160211
> +-# I,0x000306F4,0x0000001A,20210524
> +-# I,0x00040650,0xFFFF000B,20121206
> +-# I,0x00040651,0x00000026,20191112
> +-# I,0x00040660,0xFFFF0011,20121012
> +-# I,0x00040661,0x0000001C,20191112
> +-# I,0x00040670,0xFFFF0006,20140304
> +-# I,0x00040671,0x00000022,20191112
> +-# I,0x000406A0,0x80124001,20130521
> +-# I,0x000406A8,0x0000081F,20140812
> +-# I,0x000406A9,0x0000081F,20140812
> +-# I,0x000406C1,0x0000010B,20140814
> +-# I,0x000406C2,0x00000221,20150218
> +-# I,0x000406C3,0x00000368,20190423
> +-# I,0x000406C4,0x00000411,20190423
> +-# I,0x000406D0,0x0000000E,20130612
> +-# I,0x000406D8,0x0000012D,20190916
> +-# I,0x000406E1,0x00000020,20141111
> +-# I,0x000406E2,0x0000002C,20150521
> +-# I,0x000406E3,0x000000EC,20210428
> +-# I,0x000406E8,0x00000026,20160414
> +-# I,0x000406F0,0x00000014,20150702
> +-# I,0x000406F1,0x0B000040,20210519
> +-# I,0x00050650,0x8000002B,20160208
> +-# I,0x00050651,0x8000002B,20160208
> +-# I,0x00050652,0x80000037,20170502
> +-# I,0x00050653,0x0100015C,20210526
> +-# I,0x00050654,0x02006C0A,20210616
> +-# I,0x00050655,0x03000012,20190412
> +-# I,0x00050656,0x0400320A,20210813
> +-# I,0x00050657,0x0500320A,20210813
> +-# I,0x0005065A,0x86002302,20210416
> +-# I,0x0005065B,0x07002402,20210604
> +-# I,0x00050661,0xF1000008,20150130
> +-# I,0x00050662,0x0000001C,20190617
> +-# I,0x00050663,0x0700001C,20210612
> +-# I,0x00050664,0x0F00001A,20210612
> +-# I,0x00050665,0x0E000014,20210918
> +-# I,0x00050670,0xFFFF0030,20151113
> +-# I,0x00050671,0x000001B6,20180108
> +-# I,0x000506A0,0x00000038,20150112
> +-# I,0x000506C2,0x00000014,20180511
> +-# I,0x000506C8,0x90011010,20160323
> +-# I,0x000506C9,0x00000046,20210510
> +-# I,0x000506CA,0x00000022,20210622
> +-# I,0x000506D1,0x00000102,20150605
> +-# I,0x000506E0,0x00000018,20141119
> +-# I,0x000506E1,0x0000002A,20150602
> +-# I,0x000506E2,0x0000002E,20150815
> +-# I,0x000506E3,0x000000F0,20211112
> +-# I,0x000506E8,0x00000034,20160710
> +-# I,0x000506F0,0x00000010,20160607
> +-# I,0x000506F1,0x00000036,20210510
> +-# I,0x00060660,0x0000000C,20160821
> +-# I,0x00060661,0x0000000E,20170128
> +-# I,0x00060662,0x00000022,20171129
> +-# I,0x00060663,0x0000002A,20180417
> +-# I,0x000606A0,0x80000031,20200308
> +-# I,0x000606A4,0x0B000280,20200817
> +-# I,0x000606A5,0x0C0002F0,20210308
> +-# I,0x000606A6,0x0D000332,20211217
> +-# I,0x000606E0,0x0000000B,20161104
> +-# I,0x000606E1,0x00000108,20190423
> +-# I,0x000706A0,0x00000026,20170712
> +-# I,0x000706A1,0x00000038,20210510
> +-# I,0x000706A8,0x0000001C,20210510
> +-# I,0x000706E0,0x0000002C,20180614
> +-# I,0x000706E1,0x00000042,20190420
> +-# I,0x000706E2,0x00000042,20190420
> +-# I,0x000706E3,0x81000008,20181002
> +-# I,0x000706E4,0x00000046,20190905
> +-# I,0x000706E5,0x000000A8,20210526
> +-# I,0x00080650,0x00000018,20180108
> +-# I,0x00080664,0x0B00000F,20210217
> +-# I,0x00080665,0x0B00000F,20210217
> +-# I,0x000806A0,0x00000010,20190507
> +-# I,0x000806A1,0x0000002D,20210902
> +-# I,0x000806C0,0x00000068,20200402
> +-# I,0x000806C1,0x0000009C,20211026
> +-# I,0x000806C2,0x00000022,20210716
> +-# I,0x000806D0,0x00000050,20201217
> +-# I,0x000806D1,0x0000003C,20210716
> +-# I,0x000806E9,0x000000EC,20210428
> +-# I,0x000806EA,0x000000EC,20210428
> +-# I,0x000806EB,0x000000EC,20210428
> +-# I,0x000806EC,0x000000EC,20210428
> +-# I,0x00090660,0x00000009,20200617
> +-# I,0x00090661,0x00000015,20210921
> +-# I,0x00090670,0x00000019,20201111
> +-# I,0x00090671,0x0000001C,20210614
> +-# I,0x00090672,0x0000001F,20220303
> +-# I,0x00090674,0x00000219,20210425
> +-# I,0x00090675,0x0000001F,20220303
> +-# I,0x000906A0,0x0000001C,20210614
> +-# I,0x000906A1,0x0000011F,20211104
> +-# I,0x000906A2,0x00000315,20220102
> +-# I,0x000906A3,0x0000041B,20220308
> +-# I,0x000906A4,0x0000041B,20220308
> +-# I,0x000906C0,0x2400001F,20210809
> +-# I,0x000906E9,0x000000F0,20211112
> +-# I,0x000906EA,0x000000EC,20210428
> +-# I,0x000906EB,0x000000EC,20210428
> +-# I,0x000906EC,0x000000EC,20210428
> +-# I,0x000906ED,0x000000EC,20210428
> +-# I,0x000A0650,0x000000BE,20191010
> +-# I,0x000A0651,0x000000C2,20191113
> +-# I,0x000A0652,0x000000EC,20210428
> +-# I,0x000A0653,0x000000EC,20210428
> +-# I,0x000A0654,0x000000C6,20200123
> +-# I,0x000A0655,0x000000EE,20210428
> +-# I,0x000A0660,0x000000EA,20210428
> +-# I,0x000A0661,0x000000EC,20210429
> +-# I,0x000A0670,0x0000002C,20201124
> +-# I,0x000A0671,0x00000050,20210829
> +-# I,0x000A0680,0x80000002,20200121
> +-# I,0x000B0670,0x00000009,20211115
> +-# I,0x000B06F2,0x0000001F,20220303
> +-# I,0x000B06F5,0x0000001F,20220303
> +-# A,0x00000F00,0x02000008,20070614
> +-# A,0x00000F01,0x0000001C,20021031
> +-# A,0x00000F10,0x00000003,20020325
> +-# A,0x00000F11,0x0000001F,20030220
> +-# A,0x00000F48,0x00000046,20040719
> +-# A,0x00000F4A,0x00000047,20040719
> +-# A,0x00000F50,0x00000024,20021212
> +-# A,0x00000F51,0x00000025,20030115
> +-# A,0x00010F50,0x00000041,20040225
> +-# A,0x00020F10,0x0000004D,20050428
> +-# A,0x00040F01,0xC0012102,20050916
> +-# A,0x00040F0A,0x00000068,20060920
> +-# A,0x00040F13,0x0000007A,20080508
> +-# A,0x00040F14,0x00000062,20060127
> +-# A,0x00040F1B,0x0000006D,20060920
> +-# A,0x00040F33,0x0000007B,20080514
> +-# A,0x00060F80,0x00000083,20060929
> +-# A,0x000C0F1B,0x0000006E,20060921
> +-# A,0x000F0F00,0x00000005,20020627
> +-# A,0x000F0F01,0x00000015,20020627
> +-# A,0x00100F00,0x01000020,20070326
> +-# A,0x00100F20,0x010000CA,20100331
> +-# A,0x00100F22,0x010000C9,20100331
> +-# A,0x00100F40,0x01000085,20080501
> +-# A,0x00100F41,0x010000DB,20111024
> +-# A,0x00100F42,0x01000092,20081021
> +-# A,0x00100F43,0x010000C8,20100311
> +-# A,0x00100F62,0x010000C7,20100311
> +-# A,0x00100F80,0x010000DA,20111024
> +-# A,0x00100F81,0x010000D9,20111012
> +-# A,0x00100FA0,0x010000DC,20111024
> +-# A,0x00120F00,0x03000002,20100324
> +-# A,0x00200F30,0x02000018,20070921
> +-# A,0x00200F31,0x02000057,20080502
> +-# A,0x00200F32,0x02000034,20080307
> +-# A,0x00300F01,0x0300000E,20101004
> +-# A,0x00300F10,0x03000027,20111309
> +-# A,0x00500F00,0x0500000B,20100601
> +-# A,0x00500F01,0x0500001A,20100908
> +-# A,0x00500F10,0x05000029,20130121
> +-# A,0x00500F20,0x05000119,20130118
> +-# A,0x00580F00,0x0500000B,20100601
> +-# A,0x00580F01,0x0500001A,20100908
> +-# A,0x00580F10,0x05000028,20101124
> +-# A,0x00580F20,0x05000103,20110526
> +-# A,0x00600F00,0x06000017,20101029
> +-# A,0x00600F01,0x0600011F,20110227
> +-# A,0x00600F10,0x06000425,20110408
> +-# A,0x00600F11,0x0600050D,20110627
> +-# A,0x00600F12,0x0600063E,20180207
> +-# A,0x00600F20,0x06000852,20180206
> +-# A,0x00610F00,0x0600100E,20111102
> +-# A,0x00610F01,0x0600111F,20180305
> +-# A,0x00630F00,0x0600301C,20130817
> +-# A,0x00630F01,0x06003109,20180227
> +-# A,0x00660F00,0x06006012,20141014
> +-# A,0x00660F01,0x0600611A,20180126
> +-# A,0x00670F00,0x06006705,20180220
> +-# A,0x00680F00,0x06000017,20101029
> +-# A,0x00680F01,0x0600011F,20110227
> +-# A,0x00680F10,0x06000410,20110314
> +-# A,0x00690F00,0x06001009,20110613
> +-# A,0x00700F00,0x0700002A,20121218
> +-# A,0x00700F01,0x07000110,20180209
> +-# A,0x00730F00,0x07030009,20131206
> +-# A,0x00730F01,0x07030106,20180209
> +-# A,0x00800F00,0x0800002A,20161006
> +-# A,0x00800F10,0x0800100C,20170131
> +-# A,0x00800F11,0x08001138,20190204
> +-# A,0x00800F12,0x0800126E,20211111
> +-# A,0x00800F82,0x0800820D,20190416
> +-# A,0x00810F00,0x08100004,20161120
> +-# A,0x00810F10,0x08101016,20190430
> +-# A,0x00810F11,0x08101103,20190417
> +-# A,0x00810F80,0x08108002,20180605
> +-# A,0x00810F81,0x08108109,20190417
> +-# A,0x00820F00,0x08200002,20180214
> +-# A,0x00820F01,0x08200103,20190417
> +-# A,0x00830F00,0x08300027,20190401
> +-# A,0x00830F10,0x08301052,20211111
> +-# A,0x00850F00,0x08500004,20180212
> +-# A,0x00860F00,0x0860000E,20200127
> +-# A,0x00860F01,0x08600106,20200619
> +-# A,0x00860F81,0x08608103,20200702
> +-# A,0x00870F00,0x08700004,20181206
> +-# A,0x00870F10,0x08701021,20200125
> +-# A,0x00A00F00,0x0A000033,20200413
> +-# A,0x00A00F10,0x0A001053,20211217
> +-# A,0x00A00F11,0x0A00115D,20211119
> +-# A,0x00A00F12,0x0A001227,20211215
> +-# A,0x00A00F80,0x0A008003,20211015
> +-# A,0x00A00F82,0x0A008204,20211015
> +-# A,0x00A20F00,0x0A200025,20200121
> +-# A,0x00A20F10,0x0A201016,20210408
> +-# A,0x00A20F12,0x0A201205,20210719
> +-# A,0x00A50F00,0x0A50000C,20201208
> +--
> +2.38.1
> +
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage-
> commands-for-substitution.patch b/gnu/packages/patches/spectre-
> meltdown-checker-stage-commands-for-substitution.patch
> new file mode 100644
> index 0000000000..a2f13e4195
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-
> for-substitution.patch
> @@ -0,0 +1,1947 @@
> +From 4dc8ae01aec5a8a2aa2afc015603261d514620ae Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako <at> ultrarare.space>
> +Date: Fri, 11 Nov 2022 18:49:50 +0800
> +Subject: [PATCH 1/2] Stage commands for later substitution.
> +
> +awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find,
> getent,
> +grep, gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount,
> nm,
> +nproc, objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort,
> stat,
> +strings, sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode,
> which,
> +whoami, xargs.
> +---
> + spectre-meltdown-checker.sh | 648 ++++++++++++++++++---------------
> ---
> + 1 file changed, 324 insertions(+), 324 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 30f760c..82cf1b6 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -19,33 +19,33 @@ trap '_warn "interrupted, cleaning up...";
> exit_cleanup; exit 1' INT
> + exit_cleanup()
> + {
> + # cleanup the temp decompressed config & kernel image
> +- [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm
> -f "$dumped_config"
> +- [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm
> -f "$kerneltmp"
> +- [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm
> -f "$kerneltmp2"
> +- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm
> -f "$mcedb_tmp"
> +- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm
> -rf "$intel_tmp"
> +- [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug
> 2>/dev/null
> +- [ "${mounted_procfs:-}" = 1 ] && umount "$procfs"
> 2>/dev/null
> +- [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
> +- [ "${insmod_msr:-}" = 1 ] && rmmod msr 2>/dev/null
> ++ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] &&
> @rm@ -f "$dumped_config"
> ++ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] &&
> @rm@ -f "$kerneltmp"
> ++ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] &&
> @rm@ -f "$kerneltmp2"
> ++ [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] &&
> @rm@ -f "$mcedb_tmp"
> ++ [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] &&
> @rm@ -rf "$intel_tmp"
> ++ [ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug
> 2>/dev/null
> ++ [ "${mounted_procfs:-}" = 1 ] && @umount@ "$procfs"
> 2>/dev/null
> ++ [ "${insmod_cpuid:-}" = 1 ] && @rmmod@ cpuid 2>/dev/null
> ++ [ "${insmod_msr:-}" = 1 ] && @rmmod@ msr 2>/dev/null
> + [ "${kldload_cpuctl:-}" = 1 ] && kldunload cpuctl
> 2>/dev/null
> + [ "${kldload_vmm:-}" = 1 ] && kldunload vmm
> 2>/dev/null
> + }
> +
> + # if we were git clone'd, adjust VERSION
> +-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1;
> then
> +- describe=$(git -C "$(dirname "$0")" describe --tags --dirty
> 2>/dev/null)
> +- [ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e
> s/^v//)
> ++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null
> 2>&1; then
> ++ describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty
> 2>/dev/null)
> ++ [ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e
> s/^v//)
> + fi
> +
> + show_usage()
> + {
> + # shellcheck disable=SC2086
> +- cat <<EOF
> ++ @cat@ <<EOF
> + Usage:
> +- Live mode (auto): $(basename $0) [options]
> +- Live mode (manual): $(basename $0) [options] <[--
> kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
> +- Offline mode: $(basename $0) [options] <[--
> kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
> ++ Live mode (auto): $(@basename@ $0) [options]
> ++ Live mode (manual): $(@basename@ $0) [options] <[--
> kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
> ++ Offline mode: $(@basename@ $0) [options] <[--
> kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
> +
> + Modes:
> + Two modes are available.
> +@@ -110,7 +110,7 @@ EOF
> +
> + show_disclaimer()
> + {
> +- cat <<EOF
> ++ @cat@ <<EOF
> + Disclaimer:
> +
> + This tool does its best to determine whether your system is immune
> (or has proper mitigations in place) for the
> +@@ -138,7 +138,7 @@ This tool has been released in the hope that
> it'll be useful, but don't use it t
> + EOF
> + }
> +
> +-os=$(uname -s)
> ++os=$(@uname@ -s)
> +
> + # parse options
> + opt_kernel=''
> +@@ -207,7 +207,7 @@ __echo()
> + _interpret_chars='-e'
> + fi
> + _ctrlchar=$($echo_cmd $_interpret_chars "\033")
> +- _msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r
> "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
> ++ _msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r
> "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
> + fi
> + if [ "$echo_cmd_type" = printf ]; then
> + if [ "$opt" = "-n" ]; then
> +@@ -383,7 +383,7 @@ is_cpu_affected()
> + # https://github.com/crozone/SpectrePoC/issues/1 ^F
> E5200 => spectre 2 not affected
> + #
> https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 =>
> meltdown affected
> + # model name : Pentium(R) Dual-Core CPU E5200
> @ 2.50GHz
> +- if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\)
> Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
> ++ if echo "$cpu_friendly_name" | @grep@ -qE
> 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
> + variant1=vuln
> + [ -z "$variant2" ] && variant2=immune
> + variant3=vuln
> +@@ -486,7 +486,7 @@ is_cpu_affected()
> + i=$(( i + 1 ))
> + # do NOT quote $cpu_arch_list below
> + # shellcheck disable=SC2086
> +- cpuarch=$(echo $cpu_arch_list | awk '{ print
> $'$i' }')
> ++ cpuarch=$(echo $cpu_arch_list | @awk@ '{
> print $'$i' }')
> + _debug "checking cpu$i: <$cpupart>
> <$cpuarch>"
> + # some kernels report AArch64 instead of 8
> + [ "$cpuarch" = "AArch64" ] && cpuarch=8
> +@@ -497,49 +497,49 @@ is_cpu_affected()
> + # part ? ? c08 c09 c0d c0f c0e d07
> d08 d09 d0a d0b d0c d0d
> + # arch 7? 7? 7 7 7 7 7 8
> 8 8 8 8 8 8
> + #
> +- # Whitelist identified non-affected
> processors, use vulnerability information from
> ++ # Whitelist identified non-affected
> processors, use vulnerability information from
> + #
> https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
> + # Partnumbers can be found here:
> + #
> https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in
> + #
> + # Maintain cumulative check of
> vulnerabilities -
> + # if at least one of the cpu is
> affected, then the system is affected
> +- if [ "$cpuarch" = 7 ] && echo
> "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
> ++ if [ "$cpuarch" = 7 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
> + variant1=vuln
> + variant2=vuln
> + [ -z "$variant3" ] &&
> variant3=immune
> + [ -z "$variant3a" ] &&
> variant3a=immune
> + [ -z "$variant4" ] &&
> variant4=immune
> + _debug "checking cpu$i: armv7
> A8/A9/A12/A17 non affected to variants 3, 3a & 4"
> +- elif [ "$cpuarch" = 7 ] && echo
> "$cpupart" | grep -q -w -e 0xc0f; then
> ++ elif [ "$cpuarch" = 7 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xc0f; then
> + variant1=vuln
> + variant2=vuln
> + [ -z "$variant3" ] &&
> variant3=immune
> + variant3a=vuln
> + [ -z "$variant4" ] &&
> variant4=immune
> + _debug "checking cpu$i: armv7
> A15 non affected to variants 3 & 4"
> +- elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then
> ++ elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xd07 -e 0xd08; then
> + variant1=vuln
> + variant2=vuln
> + [ -z "$variant3" ] &&
> variant3=immune
> + variant3a=vuln
> + variant4=vuln
> + _debug "checking cpu$i: armv8
> A57/A72 non affected to variants 3"
> +- elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | grep -q -w -e 0xd09; then
> ++ elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xd09; then
> + variant1=vuln
> + variant2=vuln
> + [ -z "$variant3" ] &&
> variant3=immune
> + [ -z "$variant3a" ] &&
> variant3a=immune
> + variant4=vuln
> + _debug "checking cpu$i: armv8
> A73 non affected to variants 3 & 3a"
> +- elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | grep -q -w -e 0xd0a; then
> ++ elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xd0a; then
> + variant1=vuln
> + variant2=vuln
> + variant3=vuln
> + [ -z "$variant3a" ] &&
> variant3a=immune
> + variant4=vuln
> + _debug "checking cpu$i: armv8
> A75 non affected to variant 3a"
> +- elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
> ++ elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
> + variant1=vuln
> + [ -z "$variant2" ] &&
> variant2=immune
> + [ -z "$variant3" ] &&
> variant3=immune
> +@@ -820,7 +820,7 @@ is_cpu_ssb_free()
> + if [ "$cpu_family" = "18" ] || \
> + [ "$cpu_family" = "17" ] || \
> + [ "$cpu_family" = "16" ] || \
> +- [ "$cpu_family" = "15" ]; then
> ++ [ "$cpu_family" = "15" ]; then
> + return 0
> + fi
> + fi
> +@@ -837,7 +837,7 @@ show_header()
> + _info
> + }
> +
> +-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
> ++[ -z "$HOME" ] && HOME="$(@getent@ passwd "$(@whoami@)" | @cut@ -d:
> -f6)"
> + mcedb_cache="$HOME/.mcedb"
> + update_fwdb()
> + {
> +@@ -846,11 +846,11 @@ update_fwdb()
> + set -e
> +
> + if [ -r "$mcedb_cache" ]; then
> +- previous_dbversion=$(awk '/^# %%% MCEDB / { print $4
> }' "$mcedb_cache")
> ++ previous_dbversion=$(@awk@ '/^# %%% MCEDB / { print
> $4 }' "$mcedb_cache")
> + fi
> +
> + # first, download the MCE.db from the excellent platomav's
> MCExtractor project
> +- mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
> ++ mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)"
> + mcedb_url='
> https://github.com/platomav/MCExtractor/raw/master/MCE.db'
> + _info_nol "Fetching MCE.db from the MCExtractor project... "
> + if command -v wget >/dev/null 2>&1; then
> +@@ -870,7 +870,7 @@ update_fwdb()
> + echo DONE
> +
> + # second, get the Intel firmwares from GitHub
> +- intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
> ++ intel_tmp="$(@mktemp@ -d -t smc-intelfw-XXXXXX)"
> + intel_url="
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-
> Files/archive/main.zip"
> + _info_nol "Fetching Intel firmwares... "
> + ##
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
> +@@ -930,20 +930,20 @@ update_fwdb()
> + fi
> + # 079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev
> 0x0217, size 5120
> + # 078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev
> 0x0107, size 5120
> +- $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-
> Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
> ++ $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-
> Data-Files-main/intel-ucode" | @grep@ -wF sig | while read -r _line
> + do
> +- _line=$( echo "$_line" | tr -d ',')
> +- _cpuid=$( echo "$_line" | awk '{print $3}')
> ++ _line=$( echo "$_line" | @tr@ -d ',')
> ++ _cpuid=$( echo "$_line" | @awk@ '{print $3}')
> + _cpuid=$(( _cpuid ))
> + _cpuid=$(printf "0x%08X" "$_cpuid")
> +- _date=$( echo "$_line" | awk '{print $6}' | tr -d
> '-')
> +- _version=$(echo "$_line" | awk '{print $8}')
> ++ _date=$( echo "$_line" | @awk@ '{print $6}' | @tr@
> -d '-')
> ++ _version=$(echo "$_line" | @awk@ '{print $8}')
> + _version=$(( _version ))
> + _version=$(printf "0x%08X" "$_version")
> + _sqlstm="$(printf "INSERT INTO Intel
> (origin,cpuid,version,yyyymmdd) VALUES
> (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")"
> "$(printf "%08X" "$_version")" "$_date")"
> + sqlite3 "$mcedb_tmp" "$_sqlstm"
> + done
> +- _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-
> Processor-Microcode-Data-Files-main/license" 2>/dev/null)
> ++ _intel_timestamp=$(@stat@ -c %Y "$intel_tmp/Intel-Linux-
> Processor-Microcode-Data-Files-main/license" 2>/dev/null)
> + if [ -n "$_intel_timestamp" ]; then
> + # use this date, it matches the last commit date
> + _intel_latest_date=$(date +%Y%m%d -d
> @"$_intel_timestamp")
> +@@ -964,17 +964,17 @@ update_fwdb()
> + {
> + echo "# Spectre & Meltdown Checker";
> + echo "# %%% MCEDB v$dbversion";
> +- sqlite3 "$mcedb_tmp" "SELECT '#
> I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel
> AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND
> t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid
> ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
> +- sqlite3 "$mcedb_tmp" "SELECT '#
> A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD
> AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND
> t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid
> ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
> ++ sqlite3 "$mcedb_tmp" "SELECT '#
> I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel
> AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND
> t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid
> ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,';
> ++ sqlite3 "$mcedb_tmp" "SELECT '#
> A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD
> AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND
> t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid
> ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,';
> + } > "$mcedb_cache"
> + echo DONE "(version $dbversion)"
> +
> + if [ "$1" = builtin ]; then
> +- newfile=$(mktemp -t smc-builtin-XXXXXX)
> +- awk '/^# %%% MCEDB / { exit }; { print }' "$0" >
> "$newfile"
> +- awk '{ if (NR>1) { print } }' "$mcedb_cache" >>
> "$newfile"
> +- cat "$newfile" > "$0"
> +- rm -f "$newfile"
> ++ newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
> ++ @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" >
> "$newfile"
> ++ @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >>
> "$newfile"
> ++ @cat@ "$newfile" > "$0"
> ++ @rm@ -f "$newfile"
> + fi
> + }
> +
> +@@ -1055,7 +1055,7 @@ while [ -n "${1:-}" ]; do
> + elif [ "$1" = "--cpu" ]; then
> + opt_cpu=$2
> + if [ "$opt_cpu" != all ]; then
> +- if echo "$opt_cpu" | grep -Eq '^[0-9]+'; then
> ++ if echo "$opt_cpu" | @grep@ -Eq '^[0-9]+';
> then
> + opt_cpu=$(( opt_cpu ))
> + else
> + echo "$0: error: --cpu should be an
> integer or 'all', got '$opt_cpu'" >&2
> +@@ -1103,7 +1103,7 @@ while [ -n "${1:-}" ]; do
> + echo "$0: error: option --cve expects a
> parameter, supported CVEs are: $supported_cve_list" >&2
> + exit 255
> + fi
> +- selected_cve=$(echo "$supported_cve_list" | grep -iwo
> "$2")
> ++ selected_cve=$(echo "$supported_cve_list" | @grep@ -
> iwo "$2")
> + if [ -n "$selected_cve" ]; then
> + opt_cve_list="$opt_cve_list $selected_cve"
> + opt_cve_all=0
> +@@ -1308,14 +1308,14 @@ check_kernel()
> + # a damaged ELF file and validate it, check for stderr
> warnings too
> +
> + # the warning "readelf: Warning: [16]: Link field (0) should
> index a symtab section./" can appear on valid kernels, ignore it
> +- _readelf_warnings=$("${opt_arch_prefix}readelf" -S "$_file"
> 2>&1 >/dev/null | grep -v 'should index a symtab section' | tr "\n"
> "/"); ret=$?
> +- _readelf_sections=$("${opt_arch_prefix}readelf" -S "$_file"
> 2>/dev/null | grep -c -e data -e text -e init)
> +- _kernel_size=$(stat -c %s "$_file" 2>/dev/null || stat -f %z
> "$_file" 2>/dev/null || echo 10000)
> ++ _readelf_warnings=$("@readelf@" -S "$_file" 2>&1 >/dev/null |
> @grep@ -v 'should index a symtab section' | @tr@ "\n" "/"); ret=$?
> ++ _readelf_sections=$("@readelf@" -S "$_file" 2>/dev/null |
> @grep@ -c -e data -e text -e init)
> ++ _kernel_size=$(@stat@ -c %s "$_file" 2>/dev/null || @stat@ -f
> %z "$_file" 2>/dev/null || echo 10000)
> + _debug "check_kernel: ret=$? size=$_kernel_size
> sections=$_readelf_sections warnings=$_readelf_warnings"
> + if [ "$_mode" = desperate ]; then
> +- if "${opt_arch_prefix}strings" "$_file" | grep -Eq
> '^Linux version '; then
> ++ if "@strings@" "$_file" | @grep@ -Eq '^Linux version
> '; then
> + _debug "check_kernel (desperate): ...
> matched!"
> +- if [ "$_readelf_sections" = 0 ] && grep -qF -
> e armv6 -e armv7 "$_file"; then
> ++ if [ "$_readelf_sections" = 0 ] && @grep@ -qF
> -e armv6 -e armv7 "$_file"; then
> + _debug "check_kernel (desperate): raw
> arm binary found, adjusting objdump options"
> + objdump_options="-D -b binary -marm"
> + else
> +@@ -1348,7 +1348,7 @@ try_decompress()
> +
> + # Try to find the header ($1) and decompress from here
> + _debug "try_decompress: looking for $3 magic in $6"
> +- for pos in $(tr "$1\n$2" "\n$2=" < "$6" | grep -abo
> "^$2")
> ++ for pos in $(@tr@ "$1\n$2" "\n$2=" < "$6" | @grep@ -abo
> "^$2")
> + do
> + _debug "try_decompress: magic for $3 found at offset
> $pos"
> + if ! command -v "$3" >/dev/null 2>&1; then
> +@@ -1375,11 +1375,11 @@ try_decompress()
> + kernel="$kerneltmp"
> + _debug "try_decompress: decompressed with $3
> successfully!"
> + return 0
> +- elif [ "$3" != "cat" ]; then
> ++ elif [ "$3" != "@cat@" ]; then
> + _debug "try_decompress: decompression with $3
> worked but result is not a kernel, trying with an offset"
> +- [ -z "$kerneltmp2" ] && kerneltmp2=$(mktemp -
> t smc-kernel-XXXXXX)
> +- cat "$kerneltmp" > "$kerneltmp2"
> +- try_decompress '\177ELF' xxy 'cat' '' cat
> "$kerneltmp2" && return 0
> ++ [ -z "$kerneltmp2" ] && kerneltmp2=$(@mktemp@
> -t smc-kernel-XXXXXX)
> ++ @cat@ "$kerneltmp" > "$kerneltmp2"
> ++ try_decompress '\177ELF' xxy '@cat@' '' cat
> "$kerneltmp2" && return 0
> + else
> + _debug "try_decompress: decompression with $3
> worked but result is not a kernel"
> + fi
> +@@ -1391,12 +1391,12 @@ extract_kernel()
> + {
> + [ -n "${1:-}" ] || return 1
> + # Prepare temp files:
> +- kerneltmp="$(mktemp -t smc-kernel-XXXXXX)"
> ++ kerneltmp="$(@mktemp@ -t smc-kernel-XXXXXX)"
> +
> + # Initial attempt for uncompressed images or objects:
> + if check_kernel "$1"; then
> + _debug "extract_kernel: found kernel is valid, no
> decompression needed"
> +- cat "$1" > "$kerneltmp"
> ++ @cat@ "$1" > "$kerneltmp"
> + kernel=$kerneltmp
> + return 0
> + fi
> +@@ -1405,14 +1405,14 @@ extract_kernel()
> + for pass in 1 2; do
> + for mode in normal desperate; do
> + _debug "extract_kernel: pass $pass $mode
> mode"
> +- try_decompress '\037\213\010' xy
> gunzip '' gunzip "$1" "$mode" "$pass" && return 0
> +- try_decompress '\002\041\114\030' xyy
> 'lz4' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
> +- try_decompress '\3757zXZ\000' abcde
> unxz '' xz-utils "$1" "$mode" "$pass" && return 0
> +- try_decompress 'BZh' xy
> bunzip2 '' bzip2 "$1" "$mode" "$pass" && return 0
> +- try_decompress '\135\0\0\0' xxx
> unlzma '' xz-utils "$1" "$mode" "$pass" && return 0
> +- try_decompress '\211\114\132' xy
> 'lzop' '-d' lzop "$1" "$mode" "$pass" && return 0
> +- try_decompress '\177ELF' xxy
> 'cat' '' cat "$1" "$mode" "$pass" && return 0
> +- try_decompress '(\265/\375' xxy
> unzstd '' zstd "$1" "$mode" "$pass" && return 0
> ++ try_decompress '\037\213\010' xy
> @gunzip@ '' gunzip "$1" "$mode" "$pass" && return 0
> ++ try_decompress '\002\041\114\030' xyy
> '@lz4@' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
> ++ try_decompress '\3757zXZ\000' abcde
> @unxz@ '' xz-utils "$1" "$mode" "$pass" && return 0
> ++ try_decompress 'BZh' xy
> @bunzip2@ '' bzip2 "$1" "$mode" "$pass" && return 0
> ++ try_decompress '\135\0\0\0' xxx
> @unlzma@ '' xz-utils "$1" "$mode" "$pass" && return 0
> ++ try_decompress '\211\114\132' xy
> '@lzop@' '-d' lzop "$1" "$mode" "$pass" && return 0
> ++ try_decompress '\177ELF' xxy
> '@cat@' '' cat "$1" "$mode" "$pass" && return 0
> ++ try_decompress '(\265/\375' xxy
> @unzstd@ '' zstd "$1" "$mode" "$pass" && return 0
> + done
> + done
> + # kernel_err might already have been populated by
> try_decompress() if we're missing one of the tools
> +@@ -1429,7 +1429,7 @@ mount_debugfs()
> + {
> + if [ ! -e /sys/kernel/debug/sched_features ]; then
> + # try to mount the debugfs hierarchy ourselves and
> remember it to umount afterwards
> +- mount -t debugfs debugfs /sys/kernel/debug
> 2>/dev/null && mounted_debugfs=1
> ++ @mount@ -t debugfs debugfs /sys/kernel/debug
> 2>/dev/null && mounted_debugfs=1
> + fi
> + }
> +
> +@@ -1440,12 +1440,12 @@ load_msr()
> + load_msr_once=1
> +
> + if [ "$os" = Linux ]; then
> +- if ! grep -qw msr "$procfs/modules" 2>/dev/null; then
> +- modprobe msr 2>/dev/null && insmod_msr=1
> ++ if ! @grep@ -qw msr "$procfs/modules" 2>/dev/null;
> then
> ++ @modprobe@ msr 2>/dev/null && insmod_msr=1
> + _debug "attempted to load module msr,
> insmod_msr=$insmod_msr"
> + else
> + _debug "msr module already loaded"
> +- fi
> ++ fi
> + else
> + if ! kldstat -q -m cpuctl; then
> + kldload cpuctl 2>/dev/null &&
> kldload_cpuctl=1
> +@@ -1463,12 +1463,12 @@ load_cpuid()
> + load_cpuid_once=1
> +
> + if [ "$os" = Linux ]; then
> +- if ! grep -qw cpuid "$procfs/modules" 2>/dev/null;
> then
> +- modprobe cpuid 2>/dev/null && insmod_cpuid=1
> ++ if ! @grep@ -qw cpuid "$procfs/modules" 2>/dev/null;
> then
> ++ @modprobe@ cpuid 2>/dev/null &&
> insmod_cpuid=1
> + _debug "attempted to load module cpuid,
> insmod_cpuid=$insmod_cpuid"
> + else
> + _debug "cpuid module already loaded"
> +- fi
> ++ fi
> + else
> + if ! kldstat -q -m cpuctl; then
> + kldload cpuctl 2>/dev/null &&
> kldload_cpuctl=1
> +@@ -1557,7 +1557,7 @@ read_cpuid_one_core()
> + fi
> + # on some kernel versions, /dev/cpu/0/cpuid doesn't
> imply that the cpuid module is loaded, in that case dd returns an
> error,
> + # we use that fact to load the module if dd returns
> an error
> +- if ! dd if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null
> 2>&1; then
> ++ if ! @dd@ if=/dev/cpu/0/cpuid bs=16 count=1
> >/dev/null 2>&1; then
> + load_cpuid
> + fi
> + # we need _leaf to be converted to decimal for dd
> +@@ -1568,14 +1568,14 @@ read_cpuid_one_core()
> + _ddskip=$(( _position / 16 ))
> + _odskip=$(( _position - _ddskip * 16 ))
> + # now read the value
> +- _cpuid=$(dd if="/dev/cpu/$_core/cpuid" bs=16
> skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | od -j $((_odskip *
> 16)) -A n -t u4)
> ++ _cpuid=$(@dd@ if="/dev/cpu/$_core/cpuid" bs=16
> skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | @od@ -j $((_odskip
> * 16)) -A n -t u4)
> + elif [ -e /dev/cpuctl0 ]; then
> + # BSD
> + if [ ! -r /dev/cpuctl0 ]; then
> + read_cpuid_msg="Couldn't read cpuid info from
> cpuctl"
> + return $READ_CPUID_RET_ERR
> + fi
> +- _cpuid=$(cpucontrol -i "$_leaf","$_subleaf"
> "/dev/cpuctl$_core" 2>/dev/null | cut -d: -f2-)
> ++ _cpuid=$(cpucontrol -i "$_leaf","$_subleaf"
> "/dev/cpuctl$_core" 2>/dev/null | @cut@ -d: -f2-)
You're missing cpucontrol here.
> + # cpuid level 0x4, level_type 0x2: 0x1c004143
> 0x01c0003f 0x000001ff 0x00000000
> + else
> + read_cpuid_msg="Found no way to read cpuid info"
> +@@ -1598,7 +1598,7 @@ read_cpuid_one_core()
> + fi
> +
> + # get the value of the register we want
> +- _reg=$(echo "$_cpuid" | awk '{print $'"$_register"'}')
> ++ _reg=$(echo "$_cpuid" | @awk@ '{print $'"$_register"'}')
> + # Linux returns it as decimal, BSD as hex, normalize to
> decimal
> + _reg=$(( _reg ))
> + # shellcheck disable=SC2046
> +@@ -1626,11 +1626,11 @@ dmesg_grep()
> + # grep for something in dmesg, ensuring that the dmesg buffer
> + # has not been truncated
> + dmesg_grepped=''
> +- if ! dmesg | grep -qE -e '(^|\] )Linux version [0-9]' -e
> '^FreeBSD is a registered' ; then
> ++ if ! @dmesg@ | @grep@ -qE -e '(^|\] )Linux version [0-9]' -e
> '^FreeBSD is a registered' ; then
> + # dmesg truncated
> + return 2
> + fi
> +- dmesg_grepped=$(dmesg | grep -E "$1" | head -1)
> ++ dmesg_grepped=$(@dmesg@ | @grep@ -E "$1" | @head@ -1)
> + # not found:
> + [ -z "$dmesg_grepped" ] && return 1
> + # found, output is in $dmesg_grepped
> +@@ -1647,12 +1647,12 @@ parse_cpu_details()
> + {
> + [ "${parse_cpu_details_done:-}" = 1 ] && return 0
> +
> +- if command -v nproc >/dev/null; then
> +- number_of_cores=$(nproc)
> +- elif echo "$os" | grep -q BSD; then
> +- number_of_cores=$(sysctl -n hw.ncpu 2>/dev/null ||
> echo 1)
> ++ if command -v @nproc@ >/dev/null; then
> ++ number_of_cores=$(@nproc@)
> ++ elif echo "$os" | @grep@ -q BSD; then
> ++ number_of_cores=$(@sysctl@ -n hw.ncpu 2>/dev/null ||
> echo 1)
> + elif [ -e "$procfs/cpuinfo" ]; then
> +- number_of_cores=$(grep -c ^processor
> "$procfs/cpuinfo" 2>/dev/null || echo 1)
> ++ number_of_cores=$(@grep@ -c ^processor
> "$procfs/cpuinfo" 2>/dev/null || echo 1)
> + else
> + # if we don't know, default to 1 CPU
> + number_of_cores=1
> +@@ -1660,43 +1660,43 @@ parse_cpu_details()
> + max_core_id=$(( number_of_cores - 1 ))
> +
> + if [ -e "$procfs/cpuinfo" ]; then
> +- cpu_vendor=$( grep '^vendor_id' "$procfs/cpuinfo" |
> awk '{print $3}' | head -1)
> +- cpu_friendly_name=$(grep '^model name'
> "$procfs/cpuinfo" | cut -d: -f2- | head -1 | sed -e 's/^ *//')
> ++ cpu_vendor=$( @grep@ '^vendor_id' "$procfs/cpuinfo"
> | @awk@ '{print $3}' | @head@ -1)
> ++ cpu_friendly_name=$(@grep@ '^model name'
> "$procfs/cpuinfo" | @cut@ -d: -f2- | @head@ -1 | @sed@ -e 's/^ *//')
> + # special case for ARM follows
> +- if grep -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
> ++ if @grep@ -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
> + cpu_vendor='ARM'
> + # some devices (phones or other) have several
> ARMs and as such different part numbers,
> + # an example is "bigLITTLE", so we need to
> store the whole list, this is needed for is_cpu_affected
> +- cpu_part_list=$(awk '/CPU part/
> {print $4}' "$procfs/cpuinfo")
> +- cpu_arch_list=$(awk '/CPU architecture/
> {print $3}' "$procfs/cpuinfo")
> ++ cpu_part_list=$(@awk@ '/CPU part/
> {print $4}' "$procfs/cpuinfo")
> ++ cpu_arch_list=$(@awk@ '/CPU architecture/
> {print $3}' "$procfs/cpuinfo")
> + # take the first one to fill the friendly
> name, do NOT quote the vars below
> + # shellcheck disable=SC2086
> +- cpu_arch=$(echo $cpu_arch_list | awk '{ print
> $1 }')
> ++ cpu_arch=$(echo $cpu_arch_list | @awk@ '{
> print $1 }')
> + # shellcheck disable=SC2086
> +- cpu_part=$(echo $cpu_part_list | awk '{ print
> $1 }')
> ++ cpu_part=$(echo $cpu_part_list | @awk@ '{
> print $1 }')
> + [ "$cpu_arch" = "AArch64" ] && cpu_arch=8
> + cpu_friendly_name="ARM"
> + [ -n "$cpu_arch" ] &&
> cpu_friendly_name="$cpu_friendly_name v$cpu_arch"
> + [ -n "$cpu_part" ] &&
> cpu_friendly_name="$cpu_friendly_name model $cpu_part"
> +
> +- elif grep -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
> ++ elif @grep@ -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
> + cpu_vendor='CAVIUM'
> +- elif grep -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
> ++ elif @grep@ -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
> + cpu_vendor='PHYTIUM'
> + fi
> +
> +- cpu_family=$( grep '^cpu family' "$procfs/cpuinfo" |
> awk '{print $4}' | grep -E '^[0-9]+$' | head -1)
> +- cpu_model=$( grep '^model' "$procfs/cpuinfo" |
> awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
> +- cpu_stepping=$(grep '^stepping' "$procfs/cpuinfo" |
> awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
> +- cpu_ucode=$( grep '^microcode' "$procfs/cpuinfo" |
> awk '{print $3}' | head -1)
> ++ cpu_family=$( @grep@ '^cpu family' "$procfs/cpuinfo"
> | @awk@ '{print $4}' | @grep@ -E '^[0-9]+$' | @head@ -1)
> ++ cpu_model=$( @grep@ '^model' "$procfs/cpuinfo"
> | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
> ++ cpu_stepping=$(@grep@ '^stepping' "$procfs/cpuinfo"
> | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
> ++ cpu_ucode=$( @grep@ '^microcode' "$procfs/cpuinfo"
> | @awk@ '{print $3}' | @head@ -1)
> + else
> +- cpu_vendor=$( dmesg | grep -i -m1 'Origin=' | cut -f2
> -w | cut -f2 -d= | cut -f2 -d\" )
> +- cpu_family=$( dmesg | grep -i -m1 'Family=' | cut -f4
> -w | cut -f2 -d= )
> ++ cpu_vendor=$( @dmesg@ | @grep@ -i -m1 'Origin=' |
> @cut@ -f2 -w | @cut@ -f2 -d= | @cut@ -f2 -d\" )
> ++ cpu_family=$( @dmesg@ | @grep@ -i -m1 'Family=' |
> @cut@ -f4 -w | @cut@ -f2 -d= )
> + cpu_family=$(( cpu_family ))
> +- cpu_model=$( dmesg | grep -i -m1 'Model=' | cut -f5 -
> w | cut -f2 -d= )
> ++ cpu_model=$( @dmesg@ | @grep@ -i -m1 'Model=' | @cut@
> -f5 -w | @cut@ -f2 -d= )
> + cpu_model=$(( cpu_model ))
> +- cpu_stepping=$( dmesg | grep -i -m1 'Stepping=' | cut
> -f6 -w | cut -f2 -d= )
> +- cpu_friendly_name=$(sysctl -n hw.model 2>/dev/null)
> ++ cpu_stepping=$( @dmesg@ | @grep@ -i -m1 'Stepping=' |
> @cut@ -f6 -w | @cut@ -f2 -d= )
> ++ cpu_friendly_name=$(@sysctl@ -n hw.model 2>/dev/null)
> + fi
> +
> + if [ -n "${SMC_MOCK_CPU_FRIENDLY_NAME:-}" ]; then
> +@@ -1751,7 +1751,7 @@ parse_cpu_details()
> + # call CPUID
> + cpucontrol -i 1 /dev/cpuctl0 >/dev/null
> + # read MSR
> +- cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 |
> awk '{print $3}')
> ++ cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 |
> @awk@ '{print $3}')
> + # convert to decimal
> + cpu_ucode=$(( cpu_ucode ))
> + # convert back to hex
> +@@ -1770,7 +1770,7 @@ parse_cpu_details()
> + mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_CPU_UCODE='$cpu_ucode'")
> + fi
> +
> +- echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$(( cpu_ucode ))
> ++ echo "$cpu_ucode" | @grep@ -q ^0x && cpu_ucode=$(( cpu_ucode
> ))
> + ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x
> ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" "$cpu_stepping"
> "$cpu_ucode" "$cpu_cpuid")
> +
> + # also define those that we will need in other funcs
> +@@ -1867,8 +1867,8 @@ is_cpu_smt_enabled()
> + {
> + # SMT / HyperThreading is enabled if siblings != cpucores
> + if [ -e "$procfs/cpuinfo" ]; then
> +- _siblings=$(awk '/^siblings/ {print $3;exit}'
> "$procfs/cpuinfo")
> +- _cpucores=$(awk '/^cpu cores/ {print $4;exit}'
> "$procfs/cpuinfo")
> ++ _siblings=$(@awk@ '/^siblings/ {print $3;exit}'
> "$procfs/cpuinfo")
> ++ _cpucores=$(@awk@ '/^cpu cores/ {print $4;exit}'
> "$procfs/cpuinfo")
> + if [ -n "$_siblings" ] && [ -n "$_cpucores" ]; then
> + if [ "$_siblings" = "$_cpucores" ]; then
> + return 1
> +@@ -1916,10 +1916,10 @@ is_ucode_blacklisted()
> + $INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b \
> + $INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712
> + do
> +- model=$(echo "$tuple" | cut -d, -f1)
> +- stepping=$(( $(echo "$tuple" | cut -d, -f2) ))
> ++ model=$(echo "$tuple" | @cut@ -d, -f1)
> ++ stepping=$(( $(echo "$tuple" | @cut@ -d, -f2) ))
> + if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" =
> "$stepping" ]; then
> +- ucode=$(( $(echo "$tuple" | cut -d, -f3) ))
> ++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
> + if [ "$cpu_ucode" = "$ucode" ]; then
> + _debug "is_ucode_blacklisted: we have
> a match! ($cpu_model/$cpu_stepping/$cpu_ucode)"
> + return 0
> +@@ -2007,7 +2007,7 @@ is_xen_dom0()
> + return 1
> + fi
> +
> +- if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d"
> "$procfs/xen/capabilities"; then
> ++ if [ -e "$procfs/xen/capabilities" ] && @grep@ -q "control_d"
> "$procfs/xen/capabilities"; then
> + return 0
> + else
> + return 1
> +@@ -2033,12 +2033,12 @@ is_xen_domU()
> + fi
> + }
> +
> +-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
> ++builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
> + if [ -r "$mcedb_cache" ]; then
> + # we have a local cache file, but it might be older than the
> builtin version we have
> +- local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }'
> "$mcedb_cache")
> ++ local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }'
> "$mcedb_cache")
> + # sort -V sorts by version number
> +- older_dbversion=$(printf "%b\n%b" "$local_dbversion"
> "$builtin_dbversion" | sort -V | head -n1)
> ++ older_dbversion=$(printf "%b\n%b" "$local_dbversion"
> "$builtin_dbversion" | @sort@ -V | @head@ -n1)
> + if [ "$older_dbversion" = "$builtin_dbversion" ]; then
> + mcedb_source="$mcedb_cache"
> + mcedb_info="local firmwares DB $local_dbversion"
> +@@ -2051,7 +2051,7 @@ if [ -z "${mcedb_source:-}" ]; then
> + fi
> + read_mcedb()
> + {
> +- awk '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1
> }' "$mcedb_source"
> ++ @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / {
> DELIM=1 }' "$mcedb_source"
> + }
> +
> + is_latest_known_ucode()
> +@@ -2070,10 +2070,10 @@ is_latest_known_ucode()
> + else
> + return 2
> + fi
> +- for tuple in $(read_mcedb | grep "$(printf
> "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
> ++ for tuple in $(read_mcedb | @grep@ "$(printf
> "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
> + do
> +- ucode=$(( $(echo "$tuple" | cut -d, -f3) ))
> +- ucode_date=$(echo "$tuple" | cut -d, -f4 | sed -r
> 's=(....)(..)(..)=\1/\2/\3=')
> ++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
> ++ ucode_date=$(echo "$tuple" | @cut@ -d, -f4 | @sed@ -r
> 's=(....)(..)(..)=\1/\2/\3=')
> + _debug "is_latest_known_ucode: with cpuid $cpu_cpuid
> has ucode $cpu_ucode, last known is $ucode from $ucode_date"
> + ucode_latest=$(printf "latest version is 0x%x dated
> $ucode_date according to $mcedb_info" "$ucode")
> + if [ "$cpu_ucode" -ge "$ucode" ]; then
> +@@ -2098,7 +2098,7 @@ get_cmdline()
> + kernel_cmdline="$SMC_MOCK_CMDLINE"
> + return
> + else
> +- kernel_cmdline=$(cat "$procfs/cmdline")
> ++ kernel_cmdline=$(@cat@ "$procfs/cmdline")
> + mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_CMDLINE='$kernel_cmdline'")
> + fi
> + }
> +@@ -2106,7 +2106,7 @@ get_cmdline()
> + # ENTRYPOINT
> +
> + # we can't do anything useful under WSL
> +-if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then
> ++if @uname@ -a | @grep@ -qE -- '-Microsoft #[0-9]+-Microsoft '; then
> + _warn "This script doesn't work under Windows Subsystem for
> Linux"
> + _warn "You should use the official Microsoft tool instead."
> + _warn "It can be found under
> https://aka.ms/SpeculationControlPS"
> +@@ -2155,15 +2155,15 @@ fi
> +
> + # if we're under a BSD, try to mount linprocfs for
> "$procfs/cpuinfo"
> + procfs=/proc
> +-if echo "$os" | grep -q BSD; then
> ++if echo "$os" | @grep@ -q BSD; then
> + _debug "We're under BSD, check if we have procfs"
> +- procfs=$(mount | awk '/^linprocfs/ { print $3; exit; }')
> ++ procfs=$(@mount@ | @awk@ '/^linprocfs/ { print $3; exit; }')
> + if [ -z "$procfs" ]; then
> + _debug "we don't, try to mount it"
> + procfs=/proc
> + [ -d /compat/linux/proc ] &&
> procfs=/compat/linux/proc
> + test -d $procfs || mkdir $procfs
> +- if mount -t linprocfs linprocfs $procfs 2>/dev/null;
> then
> ++ if @mount@ -t linprocfs linprocfs $procfs
> 2>/dev/null; then
> + mounted_procfs=1
> + _debug "procfs just mounted at $procfs"
> + else
> +@@ -2195,14 +2195,14 @@ fi
> +
> + if [ "$opt_live" = 1 ]; then
> + # root check (only for live mode, for offline mode, we
> already checked if we could read the files)
> +- if [ "$(id -u)" -ne 0 ]; then
> ++ if [ "$(@id@ -u)" -ne 0 ]; then
> + _warn "Note that you should launch this script with
> root privileges to get accurate information."
> + _warn "We'll proceed but you might see permission
> denied errors."
> + _warn "To run it as root, you can try the following
> command: sudo $0"
> + _warn
> + fi
> + _info "Checking for vulnerabilities on current system"
> +- _info "Kernel is \033[35m$os $(uname -r) $(uname -v) $(uname
> -m)\033[0m"
> ++ _info "Kernel is \033[35m$os $(@uname@ -r) $(@uname@ -v)
> $(@uname@ -m)\033[0m"
> + _info "CPU is \033[35m$cpu_friendly_name\033[0m"
> +
> + # try to find the image of the current running kernel
> +@@ -2210,12 +2210,12 @@ if [ "$opt_live" = 1 ]; then
> + # specified by user on cmdline, with --live, don't
> override
> + :
> + # first, look for the BOOT_IMAGE hint in the kernel cmdline
> +- elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then
> +- opt_kernel=$(echo "$kernel_cmdline" | grep -Eo
> 'BOOT_IMAGE=[^ ]+' | cut -d= -f2)
> ++ elif echo "$kernel_cmdline" | @grep@ -q 'BOOT_IMAGE='; then
> ++ opt_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo
> 'BOOT_IMAGE=[^ ]+' | @cut@ -d= -f2)
> + _debug "found opt_kernel=$opt_kernel in
> $procfs/cmdline"
> + # if the boot partition is within a btrfs subvolume,
> strip the subvolume name
> + # if /boot is a separate subvolume, the remainder of
> the code in this section should handle it
> +- if echo "$opt_kernel" | grep -q "^/@"; then
> opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi
> ++ if echo "$opt_kernel" | @grep@ -q "^/@"; then
> opt_kernel=$(echo "$opt_kernel" | @sed@ "s:/@[^/]*::"); fi
> + # if we have a dedicated /boot partition, our
> bootloader might have just called it /
> + # so try to prepend /boot and see if we find anything
> + [ -e "/boot/$opt_kernel" ] &&
> opt_kernel="/boot/$opt_kernel"
> +@@ -2227,7 +2227,7 @@ if [ "$opt_live" = 1 ]; then
> + # if we didn't find a kernel, default to guessing
> + if [ ! -e "$opt_kernel" ]; then
> + # Fedora:
> +- [ -e "/lib/modules/$(uname -r)/vmlinuz" ] &&
> opt_kernel="/lib/modules/$(uname -r)/vmlinuz"
> ++ [ -e "/lib/modules/$(@uname@ -r)/vmlinuz" ] &&
> opt_kernel="/lib/modules/$(@uname@ -r)/vmlinuz"
> + # Slackware:
> + [ -e "/boot/vmlinuz" ] &&
> opt_kernel="/boot/vmlinuz"
> + # Arch aarch64:
> +@@ -2241,24 +2241,24 @@ if [ "$opt_live" = 1 ]; then
> + # pine64
> + [ -e "/boot/pine64/Image" ] &&
> opt_kernel="/boot/pine64/Image"
> + # generic:
> +- [ -e "/boot/vmlinuz-$(uname -r)" ] &&
> opt_kernel="/boot/vmlinuz-$(uname -r)"
> +- [ -e "/boot/kernel-$( uname -r)" ] &&
> opt_kernel="/boot/kernel-$( uname -r)"
> +- [ -e "/boot/bzImage-$(uname -r)" ] &&
> opt_kernel="/boot/bzImage-$(uname -r)"
> ++ [ -e "/boot/vmlinuz-$(@uname@ -r)" ] &&
> opt_kernel="/boot/vmlinuz-$(@uname@ -r)"
> ++ [ -e "/boot/kernel-$( @uname@ -r)" ] &&
> opt_kernel="/boot/kernel-$( @uname@ -r)"
> ++ [ -e "/boot/bzImage-$(@uname@ -r)" ] &&
> opt_kernel="/boot/bzImage-$(@uname@ -r)"
> + # Gentoo:
> +- [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ++ [ -e "/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@
> -r)" ] && opt_kernel="/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@
> -r)"
> + # NixOS:
> + [ -e "/run/booted-system/kernel" ] &&
> opt_kernel="/run/booted-system/kernel"
> + # Guix System:
> + [ -e "/run/booted-system/kernel/bzImage" ] &&
> opt_kernel="/run/booted-system/kernel/bzImage"
> + # systemd kernel-install:
> +- [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux"
> ++ [ -e "/etc/machine-id" ] && [ -e "/boot/$(@cat@
> /etc/machine-id)/$(@uname@ -r)/linux" ] && opt_kernel="/boot/$(@cat@
> /etc/machine-id)/$(@uname@ -r)/linux"
> + # Clear Linux:
> +- str_uname=$(uname -r)
> ++ str_uname=$(@uname@ -r)
> + clear_linux_kernel="/lib/kernel/org.clearlinux.${str_
> uname##*.}.${str_uname%.*}"
> + [ -e "$clear_linux_kernel" ] &&
> opt_kernel=$clear_linux_kernel
> + # Custom Arch seems to have the kernel path in its
> cmdline in the form "\directory\kernelimage",
> + # with actual \'s instead of /'s:
> +- custom_arch_kernel=$(echo "$kernel_cmdline" | grep -
> Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d
> '[:space:]')
> ++ custom_arch_kernel=$(echo "$kernel_cmdline" | @grep@
> -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | @tr@ "\\\\" "/" | @tr@ -d
> '[:space:]')
> + if [ -n "$custom_arch_kernel" ] && [ -e
> "$custom_arch_kernel" ]; then
> + opt_kernel="$custom_arch_kernel"
> + fi
> +@@ -2272,12 +2272,12 @@ if [ "$opt_live" = 1 ]; then
> + :
> + elif [ -e "$procfs/kallsyms" ] ; then
> + opt_map="$procfs/kallsyms"
> +- elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then
> +- opt_map="/lib/modules/$(uname -r)/System.map"
> +- elif [ -e "/boot/System.map-$(uname -r)" ] ; then
> +- opt_map="/boot/System.map-$(uname -r)"
> +- elif [ -e "/lib/kernel/System.map-$(uname -r)" ]; then
> +- opt_map="/lib/kernel/System.map-$(uname -r)"
> ++ elif [ -e "/lib/modules/$(@uname@ -r)/System.map" ] ; then
> ++ opt_map="/lib/modules/$(@uname@ -r)/System.map"
> ++ elif [ -e "/boot/System.map-$(@uname@ -r)" ] ; then
> ++ opt_map="/boot/System.map-$(@uname@ -r)"
> ++ elif [ -e "/lib/kernel/System.map-$(@uname@ -r)" ]; then
> ++ opt_map="/lib/kernel/System.map-$(@uname@ -r)"
> + fi
> +
> + # config
> +@@ -2285,18 +2285,18 @@ if [ "$opt_live" = 1 ]; then
> + # specified by user on cmdline, with --live, don't
> override
> + :
> + elif [ -e "$procfs/config.gz" ] ; then
> +- dumped_config="$(mktemp -t smc-config-XXXXXX)"
> +- gunzip -c "$procfs/config.gz" > "$dumped_config"
> ++ dumped_config="$(@mktemp@ -t smc-config-XXXXXX)"
> ++ @gunzip@ -c "$procfs/config.gz" > "$dumped_config"
> + # dumped_config will be deleted at the end of the
> script
> + opt_config="$dumped_config"
> +- elif [ -e "/lib/modules/$(uname -r)/config" ]; then
> +- opt_config="/lib/modules/$(uname -r)/config"
> +- elif [ -e "/boot/config-$(uname -r)" ]; then
> +- opt_config="/boot/config-$(uname -r)"
> +- elif [ -e "/etc/kernels/kernel-config-$(uname -m)-$(uname -
> r)" ]; then
> +- opt_config="/etc/kernels/kernel-config-$(uname -m)-
> $(uname -r)"
> +- elif [ -e "/lib/kernel/config-$(uname -r)" ]; then
> +- opt_config="/lib/kernel/config-$(uname -r)"
> ++ elif [ -e "/lib/modules/$(@uname@ -r)/config" ]; then
> ++ opt_config="/lib/modules/$(@uname@ -r)/config"
> ++ elif [ -e "/boot/config-$(@uname@ -r)" ]; then
> ++ opt_config="/boot/config-$(@uname@ -r)"
> ++ elif [ -e "/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@
> -r)" ]; then
> ++ opt_config="/etc/kernels/kernel-config-$(@uname@ -m)-
> $(@uname@ -r)"
> ++ elif [ -e "/lib/kernel/config-$(@uname@ -r)" ]; then
> ++ opt_config="/lib/kernel/config-$(@uname@ -r)"
> + fi
> + else
> + _info "Checking for vulnerabilities against specified kernel"
> +@@ -2311,7 +2311,7 @@ else
> + fi
> +
> + if [ "$os" = Linux ]; then
> +- if [ -n "$opt_config" ] && ! grep -q '^CONFIG_'
> "$opt_config"; then
> ++ if [ -n "$opt_config" ] && ! @grep@ -q '^CONFIG_'
> "$opt_config"; then
> + # given file is invalid!
> + _warn "The kernel config file seems invalid, was
> expecting a plain-text file, ignoring it!"
> + opt_config=''
> +@@ -2339,7 +2339,7 @@ if [ "$os" = Linux ]; then
> + fi
> +
> + if [ -e "$opt_kernel" ]; then
> +- if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1;
> then
> ++ if ! command -v "@readelf@" >/dev/null 2>&1; then
> + _debug "readelf not found"
> + kernel_err="missing '${opt_arch_prefix}readelf' tool,
> please install it, usually it's in the 'binutils' package"
> + elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ];
> then
> +@@ -2357,20 +2357,20 @@ else
> + # vanilla kernels have with ^Linux version
> + # also try harder with some kernels (such as Red Hat) that
> don't have ^Linux version before their version string
> + # and check for FreeBSD
> +- kernel_version=$("${opt_arch_prefix}strings" "$kernel"
> 2>/dev/null | grep -E \
> ++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -
> E \
> + -e '^Linux version ' \
> + -e '^[[:alnum:]][^[:space:]]+ \([^[:space:]]+\) #[0-
> 9]+ .+ (19|20)[0-9][0-9]$' \
> +- -e '^FreeBSD [0-9]' | head -1)
> ++ -e '^FreeBSD [0-9]' | @head@ -1)
> + if [ -z "$kernel_version" ]; then
> + # try even harder with some kernels (such as ARM)
> that split the release (uname -r) and version (uname -v) in 2
> adjacent strings
> +- kernel_version=$("${opt_arch_prefix}strings"
> "$kernel" 2>/dev/null | grep -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$'
> | tr "\n" " ")
> ++ kernel_version=$("@strings@" "$kernel" 2>/dev/null |
> @grep@ -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | @tr@ "\n" " ")
> + fi
> + if [ -n "$kernel_version" ]; then
> + # in live mode, check if the img we found is the
> correct one
> + if [ "$opt_live" = 1 ]; then
> + _verbose "Kernel image is
> \033[35m$kernel_version"
> +- if ! echo "$kernel_version" | grep -qF
> "$(uname -r)"; then
> +- _warn "Possible discrepancy between
> your running kernel '$(uname -r)' and the image '$kernel_version' we
> found ($opt_kernel), results might be incorrect"
> ++ if ! echo "$kernel_version" | @grep@ -qF
> "$(@uname@ -r)"; then
> ++ _warn "Possible discrepancy between
> your running kernel '$(@uname@ -r)' and the image '$kernel_version'
> we found ($opt_kernel), results might be incorrect"
> + fi
> + else
> + _info "Kernel image is
> \033[35m$kernel_version"
> +@@ -2398,11 +2398,11 @@ sys_interface_check()
> + if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r
> "$file" ]; then
> + :
> + else
> +- mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_SYSFS_$(basename "$file")_RET=1")
> ++ mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_SYSFS_$(@basename@ "$file")_RET=1")
> + return 1
> + fi
> +
> +- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")_RET"
> ++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")_RET"
> + # shellcheck disable=SC2086,SC1083
> + if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
> + _debug "sysfs: MOCKING enabled for $file func returns
> $(eval echo \$$_mockvarname)"
> +@@ -2411,17 +2411,17 @@ sys_interface_check()
> + fi
> +
> + [ -n "$regex" ] || regex='.*'
> +- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")"
> ++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")"
> + # shellcheck disable=SC2086,SC1083
> + if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
> + fullmsg="$(eval echo \$$_mockvarname)"
> +- msg=$(echo "$fullmsg" | grep -Eo "$regex")
> ++ msg=$(echo "$fullmsg" | @grep@ -Eo "$regex")
> + _debug "sysfs: MOCKING enabled for $file, will return
> $fullmsg"
> + mocked=1
> + else
> +- fullmsg=$(cat "$file")
> +- msg=$(grep -Eo "$regex" "$file")
> +- mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_SYSFS_$(basename "$file")='$fullmsg'")
> ++ fullmsg=$(@cat@ "$file")
> ++ msg=$(@grep@ -Eo "$regex" "$file")
> ++ mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_SYSFS_$(@basename@ "$file")='$fullmsg'")
> + fi
> + if [ "$mode" = silent ]; then
> + return 0
> +@@ -2430,15 +2430,15 @@ sys_interface_check()
> + return 0
> + fi
> + _info_nol "* Mitigated according to the /sys interface: "
> +- if echo "$msg" | grep -qi '^not affected'; then
> ++ if echo "$msg" | @grep@ -qi '^not affected'; then
> + # Not affected
> + status=OK
> + pstatus green YES "$fullmsg"
> +- elif echo "$msg" | grep -qEi '^(kvm: )?mitigation'; then
> ++ elif echo "$msg" | @grep@ -qEi '^(kvm: )?mitigation'; then
> + # Mitigation: PTI
> + status=OK
> + pstatus green YES "$fullmsg"
> +- elif echo "$msg" | grep -qi '^vulnerable'; then
> ++ elif echo "$msg" | @grep@ -qi '^vulnerable'; then
> + # Vulnerable
> + status=VULN
> + pstatus yellow NO "$fullmsg"
> +@@ -2526,20 +2526,20 @@ write_msr_one_core()
> + # ret=4: msr doesn't exist, ret=127:
> msr.allow_writes=off
> + [ "$ret" = 127 ] && _write_denied=1
> + # or fallback to dd if it supports seek_bytes, we
> prefer it over perl because we can tell the difference between EPERM
> and EIO
> +- elif dd if=/dev/null of=/dev/null bs=8 count=1
> seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}"
> != 1 ]; then
> ++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1
> seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}"
> != 1 ]; then
> + _debug "write_msr: using dd"
> +- dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8
> count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
> ++ @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr
> bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
> + # if it failed, inspect stderrto look for
> EPERM
> + if [ "$ret" != 0 ]; then
> +- if dd if=/dev/zero
> of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec"
> oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then
> ++ if @dd@ if=/dev/zero
> of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec"
> oflag=seek_bytes 2>&1 | @grep@ -qF 'Operation not permitted'; then
> + _write_denied=1
> + fi
> + fi
> + # or if we have perl, use it, any 5.x version will
> work
> +- elif command -v perl >/dev/null 2>&1 && [
> "${SMC_NO_PERL:-}" != 1 ]; then
> ++ elif command -v @perl@ >/dev/null 2>&1 && [
> "${SMC_NO_PERL:-}" != 1 ]; then
> + _debug "write_msr: using perl"
> + ret=1
> +- perl -e "open(M,'>','/dev/cpu/$_core/msr')
> and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -
> eq 8 ] && ret=0
> ++ @perl@ -e "open(M,'>','/dev/cpu/$_core/msr')
> and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -
> eq 8 ] && ret=0
> + else
> + _debug "write_msr: got no wrmsr, perl or
> recent enough dd!"
> + mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR")
> +@@ -2561,13 +2561,13 @@ write_msr_one_core()
> + msr_locked_down=1
> + write_msr_msg="your kernel is
> configured to deny writes to MSRs from user space"
> + return $WRITE_MSR_RET_LOCKDOWN
> +- elif dmesg | grep -qF "msr: Direct access to
> MSR"; then
> ++ elif @dmesg@ | @grep@ -qF "msr: Direct access
> to MSR"; then
> + _debug "write_msr: locked down kernel
> detected (Red Hat / Fedora)"
> + mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
> + msr_locked_down=1
> + write_msr_msg="your kernel is locked
> down (Fedora/Red Hat), please reboot without secure boot and retry"
> + return $WRITE_MSR_RET_LOCKDOWN
> +- elif dmesg | grep -qF "raw MSR access is
> restricted"; then
> ++ elif @dmesg@ | @grep@ -qF "raw MSR access is
> restricted"; then
> + _debug "write_msr: locked down kernel
> detected (vanilla)"
> + mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
> + msr_locked_down=1
> +@@ -2666,8 +2666,8 @@ read_msr_one_core()
> + return $READ_MSR_RET_KO
> + fi
> + # MSR 0x10: 0x000003e1 0xb106dded
> +- _msr_h=$(echo "$_msr" | awk '{print $3}');
> +- _msr_l=$(echo "$_msr" | awk '{print $4}');
> ++ _msr_h=$(echo "$_msr" | @awk@ '{print $3}');
> ++ _msr_l=$(echo "$_msr" | @awk@ '{print $4}');
> + read_msr_value=$(( _msr_h << 32 | _msr_l ))
> + else
> + # for Linux
> +@@ -2678,15 +2678,15 @@ read_msr_one_core()
> + # if rdmsr is available, use it
> + elif command -v rdmsr >/dev/null 2>&1 && [
> "${SMC_NO_RDMSR:-}" != 1 ]; then
> + _debug "read_msr: using rdmsr on $_msr"
> +- read_msr_value=$(rdmsr -r $_msr_dec
> 2>/dev/null | od -t u8 -A n)
> ++ read_msr_value=$(rdmsr -r $_msr_dec
> 2>/dev/null | @od@ -t u8 -A n)
> + # or if we have perl, use it, any 5.x version will
> work
> +- elif command -v perl >/dev/null 2>&1 && [
> "${SMC_NO_PERL:-}" != 1 ]; then
> ++ elif command -v @perl@ >/dev/null 2>&1 && [
> "${SMC_NO_PERL:-}" != 1 ]; then
> + _debug "read_msr: using perl on $_msr"
> +- read_msr_value=$(perl -e
> "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and
> read(M,\$_,8) and print" | od -t u8 -A n)
> ++ read_msr_value=$(@perl@ -e
> "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and
> read(M,\$_,8) and print" | @od@ -t u8 -A n)
> + # fallback to dd if it supports skip_bytes
> +- elif dd if=/dev/null of=/dev/null bs=8 count=1
> skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
> ++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1
> skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
> + _debug "read_msr: using dd on $_msr"
> +- read_msr_value=$(dd if=/dev/cpu/"$_core"/msr
> bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8
> -A n)
> ++ read_msr_value=$(@dd@
> if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec"
> iflag=skip_bytes 2>/dev/null | @od@ -t u8 -A n)
> + else
> + _debug "read_msr: got no rdmsr, perl or
> recent enough dd!"
> + mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR")
> +@@ -2710,7 +2710,7 @@ check_cpu()
> + {
> + _info "\033[1;34mHardware check\033[0m"
> +
> +- if ! uname -m | grep -qwE 'x86_64|i[3-6]86|amd64'; then
> ++ if ! @uname@ -m | @grep@ -qwE 'x86_64|i[3-6]86|amd64'; then
> + return
> + fi
> +
> +@@ -3326,19 +3326,19 @@ check_redhat_canonical_spectre()
> + # if we were already called, don't do it again
> + [ -n "${redhat_canonical_spectre:-}" ] && return
> +
> +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1;
> then
> ++ if ! command -v "@strings@" >/dev/null 2>&1; then
> + redhat_canonical_spectre=-1
> + elif [ -n "$kernel_err" ]; then
> + redhat_canonical_spectre=-2
> + else
> + # Red Hat / Ubuntu specific variant1 patch is
> difficult to detect,
> + # let's use the two same tricks than the official Red
> Hat detection script uses:
> +- if "${opt_arch_prefix}strings" "$kernel" | grep -qw
> noibrs && "${opt_arch_prefix}strings" "$kernel" | grep -qw noibpb;
> then
> ++ if "@strings@" "$kernel" | @grep@ -qw noibrs &&
> "@strings@" "$kernel" | @grep@ -qw noibpb; then
> + # 1) detect their specific variant2 patch. If
> it's present, it means
> + # that the variant1 patch is also present
> (both were merged at the same time)
> + _debug "found redhat/canonical version of the
> variant2 patch (implies variant1)"
> + redhat_canonical_spectre=1
> +- elif "${opt_arch_prefix}strings" "$kernel" | grep -q
> 'x86/pti:'; then
> ++ elif "@strings@" "$kernel" | @grep@ -q 'x86/pti:';
> then
> + # 2) detect their specific variant3 patch. If
> it's present, but the variant2
> + # is not, it means that only variant1 is
> present in addition to variant3
> + _debug "found redhat/canonical version of the
> variant3 patch (implies variant1 but not variant2)"
> +@@ -3363,13 +3363,13 @@ check_has_vmm()
> + # If we find no evidence that this is the case,
> assume we're not (to avoid scaring users),
> + # this can always be overridden with --vmm in any
> case.
> + has_vmm=0
> +- if command -v pgrep >/dev/null 2>&1; then
> ++ if command -v @pgrep@ >/dev/null 2>&1; then
> + # remove xenbus and xenwatch, also present
> inside domU
> + # remove libvirtd as it can also be used to
> manage containers and not VMs
> + # for each binary we want to grep, get the
> pids
> + for _binary in qemu kvm xenstored xenconsoled
> + do
> +- for _pid in $(pgrep -x $_binary)
> ++ for _pid in $(@pgrep@ -x $_binary)
> + do
> + # resolve the exe symlink, if
> it doesn't resolve with -m,
> + # which doesn't even need the
> dest to exist, it means the symlink
> +@@ -3385,7 +3385,7 @@ check_has_vmm()
> + else
> + # ignore SC2009 as `ps ax` is actually used
> as a fallback if `pgrep` isn't installed
> + # shellcheck disable=SC2009
> +- if command -v ps >/devnull && ps ax | grep -
> vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e
> '/xenstored' -e '/xenconsoled'; then
> ++ if command -v ps >/devnull && ps ax | @grep@
> -vw grep | @grep@ -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e
> '/xenstored' -e '/xenconsoled'; then
> + has_vmm=1
> + fi
> + fi
> +@@ -3417,7 +3417,7 @@ check_CVE_2017_5753()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2017_5753_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2017_5753_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -3469,20 +3469,20 @@ check_CVE_2017_5753_linux()
> + v1_mask_nospec=''
> + if [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN "couldn't check
> ($kernel_err)"
> +- elif ! command -v perl >/dev/null 2>&1; then
> ++ elif ! command -v @perl@ >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing 'perl'
> binary, please install it"
> + else
> +- perl -ne
> '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END {
> exit($found) }' "$kernel"; ret=$?
> ++ @perl@ -ne
> '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END {
> exit($found) }' "$kernel"; ret=$?
> + if [ $ret -gt 0 ]; then
> + pstatus green YES "$ret occurrence(s)
> found of x86 64 bits array_index_mask_nospec()"
> + v1_mask_nospec="x86 64 bits
> array_index_mask_nospec"
> + else
> +- perl -ne
> '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END {
> exit($found) }' "$kernel"; ret=$?
> ++ @perl@ -ne
> '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END {
> exit($found) }' "$kernel"; ret=$?
> + if [ $ret -gt 0 ]; then
> + pstatus green YES "$ret
> occurrence(s) found of x86 32 bits array_index_mask_nospec()"
> + v1_mask_nospec="x86 32 bits
> array_index_mask_nospec"
> + else
> +-
> ret=$("${opt_arch_prefix}objdum
> p" $objdump_options "$kernel" | grep -w -e f3af8014 -e e320f014 -B2 |
> grep -B1 -w sbc | grep -w -c cmp)
> ++ ret=$("@objdump@"
> $objdump_options "$kernel" | @grep@ -w -e f3af8014 -e e320f014 -B2 |
> @grep@ -B1 -w sbc | @grep@ -w -c cmp)
> + if [ "$ret" -gt 0 ]; then
> + pstatus green YES
> "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()"
> + v1_mask_nospec="arm
> 32 bits array_index_mask_nospec"
> +@@ -3526,12 +3526,12 @@ check_CVE_2017_5753_linux()
> + pstatus yellow NO
> + elif [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN "couldn't check
> ($kernel_err)"
> +- elif ! command -v perl >/dev/null 2>&1; then
> ++ elif ! command -v @perl@ >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing 'perl'
> binary, please install it"
> +- elif ! command -v "${opt_arch_prefix}objdump"
> >/dev/null 2>&1; then
> ++ elif ! command -v "@objdump@" >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing
> '${opt_arch_prefix}objdump' tool, please install it, usually it's in
> the binutils package"
> + else
> +- "${opt_arch_prefix}objdump" $objdump_options
> "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ &&
> $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ &&
> $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
> ++ "@objdump@" $objdump_options "$kernel" |
> @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/
> && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift
> @r if @r>3'; ret=$?
> + if [ "$ret" -eq 9 ]; then
> + pstatus green YES "mask_nospec64
> macro is present and used"
> + v1_mask_nospec="arm64 mask_nospec64"
> +@@ -3553,12 +3553,12 @@ check_CVE_2017_5753_linux()
> + pstatus yellow NO
> + elif [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN "couldn't check
> ($kernel_err)"
> +- elif ! command -v perl >/dev/null 2>&1; then
> ++ elif ! command -v @perl@ >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing 'perl'
> binary, please install it"
> +- elif ! command -v "${opt_arch_prefix}objdump"
> >/dev/null 2>&1; then
> ++ elif ! command -v "@objdump@" >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing
> '${opt_arch_prefix}objdump' tool, please install it, usually it's in
> the binutils package"
> + else
> +- "${opt_arch_prefix}objdump" -d "$kernel" |
> perl -ne 'push @r, $_; /\s(hint|csdb)\s/ &&
> $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ &&
> $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9);
> shift @r if @r>3'; ret=$?
> ++ "@objdump@" -d "$kernel" | @perl@ -ne 'push
> @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ &&
> $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9);
> shift @r if @r>3'; ret=$?
> + if [ "$ret" -eq 9 ]; then
> + pstatus green YES "array_index_nospec
> macro is present and used"
> + v1_mask_nospec="arm64
> array_index_nospec"
> +@@ -3574,7 +3574,7 @@ check_CVE_2017_5753_linux()
> + if [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN "couldn't
> check ($kernel_err)"
> + else
> +- if ! command -v
> "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
> ++ if ! command -v "@objdump@"
> >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN
> "missing '${opt_arch_prefix}objdump' tool, please install it, usually
> it's in the binutils package"
> + else
> + # here we disassemble the
> kernel and count the number of occurrences of the LFENCE opcode
> +@@ -3584,7 +3584,7 @@ check_CVE_2017_5753_linux()
> + # so let's push the threshold
> to 70.
> + # v0.33+: now only count
> lfence opcodes after a jump, way less error-prone
> + # non patched kernel have
> between 0 and 20 matches, patched ones have at least 40-45
> +-
> nb_lfence=$("${opt_arch_prefix}
> objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence
> | grep -Ewc 'jmp|jne|je')
> ++ nb_lfence=$("@objdump@"
> $objdump_options "$kernel" 2>/dev/null | @grep@ -w -B1 lfence |
> @grep@ -Ewc 'jmp|jne|je')
> + if [ "$nb_lfence" -lt 30 ];
> then
> + pstatus yellow NO
> "only $nb_lfence jump-then-lfence instructions found, should be >= 30
> (heuristic)"
> + else
> +@@ -3655,7 +3655,7 @@ check_CVE_2017_5715()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2017_5715_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2017_5715_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -3697,13 +3697,13 @@ check_CVE_2017_5715_linux()
> + #
> /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed
> + specex_knob_dir=$dir
> + ibrs_supported="$dir/ibrs_ena
> bled exists"
> +- ibrs_enabled=$(cat
> "$dir/ibrs_enabled" 2>/dev/null)
> ++ ibrs_enabled=$(@cat@
> "$dir/ibrs_enabled" 2>/dev/null)
> + _debug "ibrs: found
> $dir/ibrs_enabled=$ibrs_enabled"
> + # if ibrs_enabled is there,
> ibpb_enabled will be in the same dir
> + if [ -e "$dir/ibpb_enabled"
> ]; then
> + # if the file is
> there, we have IBPB compiled-in (see note above for IBRS)
> + ibpb_supported="$dir/
> ibpb_enabled exists"
> +- ibpb_enabled=$(cat
> "$dir/ibpb_enabled" 2>/dev/null)
> ++ ibpb_enabled=$(@cat@
> "$dir/ibpb_enabled" 2>/dev/null)
> + _debug "ibpb: found
> $dir/ibpb_enabled=$ibpb_enabled"
> + else
> + _debug "ibpb:
> $dir/ibpb_enabled file doesn't exist"
> +@@ -3718,7 +3718,7 @@ check_CVE_2017_5715_linux()
> + # which in that case means ibrs is supported
> *and* enabled for kernel & user
> + # as per the ibrs patch series v3
> + if [ -z "$ibrs_supported" ]; then
> +- if grep ^flags "$procfs/cpuinfo" |
> grep -qw spec_ctrl_ibrs; then
> ++ if @grep@ ^flags "$procfs/cpuinfo" |
> @grep@ -qw spec_ctrl_ibrs; then
> + _debug "ibrs: found
> spec_ctrl_ibrs flag in $procfs/cpuinfo"
> + ibrs_supported="spec_ctrl_ibr
> s flag in $procfs/cpuinfo"
> + # enabled=2 -> kernel & user
> +@@ -3728,13 +3728,13 @@ check_CVE_2017_5715_linux()
> + fi
> + if [ -n "$fullmsg" ]; then
> + # when IBPB is enabled on 4.15+, we
> can see it in sysfs
> +- if echo "$fullmsg" | grep -q 'IBPB';
> then
> ++ if echo "$fullmsg" | @grep@ -q
> 'IBPB'; then
> + _debug "ibpb: found enabled
> in sysfs"
> + [ -z "$ibpb_supported" ] &&
> ibpb_supported='IBPB found enabled in sysfs'
> + [ -z "$ibpb_enabled" ] &&
> ibpb_enabled=1
> + fi
> + # when IBRS_FW is enabled on 4.15+,
> we can see it in sysfs
> +- if echo "$fullmsg" | grep -q ',
> IBRS_FW'; then
> ++ if echo "$fullmsg" | @grep@ -q ',
> IBRS_FW'; then
> + _debug "ibrs: found IBRS_FW
> in sysfs"
> + [ -z "$ibrs_supported" ] &&
> ibrs_supported='found IBRS_FW in sysfs'
> + ibrs_fw_enabled=1
> +@@ -3742,13 +3742,13 @@ check_CVE_2017_5715_linux()
> + # when IBRS is enabled on 4.15+, we
> can see it in sysfs
> + # on a more recent kernel, classic
> "IBRS" is not even longer an option, because of the performance
> impact.
> + # only "Enhanced IBRS" is available
> (on CPUs with the IBRS_ALL flag)
> +- if echo "$fullmsg" | grep -q -e
> '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
> ++ if echo "$fullmsg" | @grep@ -q -e
> '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
> + _debug "ibrs: found IBRS in
> sysfs"
> + [ -z "$ibrs_supported" ] &&
> ibrs_supported='found IBRS in sysfs'
> + [ -z "$ibrs_enabled" ] &&
> ibrs_enabled=3
> + fi
> + # checking for 'Enhanced IBRS' in
> sysfs, enabled on CPUs with IBRS_ALL
> +- if echo "$fullmsg" | grep -q -e
> 'Enhanced IBRS'; then
> ++ if echo "$fullmsg" | @grep@ -q -e
> 'Enhanced IBRS'; then
> + [ -z "$ibrs_supported" ] &&
> ibrs_supported='found Enhanced IBRS in sysfs'
> + # 4 isn't actually a valid
> value of the now extinct "ibrs_enabled" flag file,
> + # that only went from 0 to 3,
> so we use 4 as "enhanced ibrs is enabled"
> +@@ -3767,11 +3767,11 @@ check_CVE_2017_5715_linux()
> + fi
> + fi
> + if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then
> +- if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++ if ! command -v "@strings@" >/dev/null 2>&1;
> then
> + :
> + else
> + ibrs_can_tell=1
> +-
> ibrs_supported=$("${opt_arch_prefix}str
> ings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1)
> ++ ibrs_supported=$("@strings@"
> "$kernel" | @grep@ -Fw -e ', IBRS_FW' | @head@ -1)
> + if [ -n "$ibrs_supported" ]; then
> + _debug "ibrs: found ibrs
> evidence in kernel image ($ibrs_supported)"
> + ibrs_supported="found
> '$ibrs_supported' in kernel image"
> +@@ -3780,7 +3780,7 @@ check_CVE_2017_5715_linux()
> + fi
> + if [ -z "$ibrs_supported" ] && [ -n "$opt_map" ];
> then
> + ibrs_can_tell=1
> +- if grep -q spec_ctrl "$opt_map"; then
> ++ if @grep@ -q spec_ctrl "$opt_map"; then
> + ibrs_supported="found spec_ctrl in
> symbols file"
> + _debug "ibrs: found '*spec_ctrl*'
> symbol in $opt_map"
> + fi
> +@@ -3788,11 +3788,11 @@ check_CVE_2017_5715_linux()
> + # recent (4.15) vanilla kernels have IBPB but not
> IBRS, and without the debugfs tunables of Red Hat
> + # we can detect it directly in the image
> + if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then
> +- if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++ if ! command -v "@strings@" >/dev/null 2>&1;
> then
> + :
> + else
> + ibpb_can_tell=1
> +-
> ibpb_supported=$("${opt_arch_prefix}str
> ings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1)
> ++ ibpb_supported=$("@strings@"
> "$kernel" | @grep@ -Fw -e 'ibpb' -e ', IBPB' | @head@ -1)
> + if [ -n "$ibpb_supported" ]; then
> + _debug "ibpb: found ibpb
> evidence in kernel image ($ibpb_supported)"
> + ibpb_supported="found
> '$ibpb_supported' in kernel image"
> +@@ -3841,9 +3841,9 @@ check_CVE_2017_5715_linux()
> + 2) if [
> "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel, user
> space, and firmware code" ; else pstatus green YES "for both kernel
> and user space"; fi;;
> + 3) if [
> "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and
> firmware code"; else pstatus green YES; fi;;
> + 4) pstatus green YES
> "Enhanced flavor, performance impact will be greatly reduced";;
> +- *) if [ "$cpuid_ibrs" !=
> 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [
> "$cpuid_spec_ctrl" != -1 ];
> +- then pstatus
> yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
> +- else
> ++ *) if [ "$cpuid_ibrs" !=
> 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [
> "$cpuid_spec_ctrl" != -1 ];
> ++ then pstatus
> yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
> ++ else
> + pstatus
> yellow UNKNOWN; fi;;
> + esac
> + fi
> +@@ -3894,7 +3894,7 @@ check_CVE_2017_5715_linux()
> + bp_harden=''
> + if [ -r "$opt_config" ]; then
> + bp_harden_can_tell=1
> +- bp_harden=$(grep -w
> 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
> ++ bp_harden=$(@grep@ -w
> 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
> + if [ -n "$bp_harden" ]; then
> + pstatus green YES
> + _debug "bp_harden: found '$bp_harden'
> in $opt_config"
> +@@ -3902,7 +3902,7 @@ check_CVE_2017_5715_linux()
> + fi
> + if [ -z "$bp_harden" ] && [ -n "$opt_map" ]; then
> + bp_harden_can_tell=1
> +- bp_harden=$(grep -w bp_hardening_data
> "$opt_map")
> ++ bp_harden=$(@grep@ -w bp_hardening_data
> "$opt_map")
> + if [ -n "$bp_harden" ]; then
> + pstatus green YES
> + _debug "bp_harden: found '$bp_harden'
> in $opt_map"
> +@@ -3920,11 +3920,11 @@ check_CVE_2017_5715_linux()
> + # We check the RETPOLINE kernel options
> + retpoline=0
> + if [ -r "$opt_config" ]; then
> +- if grep -q '^CONFIG_RETPOLINE=y'
> "$opt_config"; then
> ++ if @grep@ -q '^CONFIG_RETPOLINE=y'
> "$opt_config"; then
> + pstatus green YES
> + retpoline=1
> + # shellcheck disable=SC2046
> +- _debug 'retpoline: found '$(grep
> '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
> ++ _debug 'retpoline: found '$(@grep@
> '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
> + else
> + pstatus yellow NO
> + fi
> +@@ -3945,8 +3945,8 @@ check_CVE_2017_5715_linux()
> + # since 5.15.28, this is now "Retpolines" as
> the implementation was switched to a generic one,
> + # so we look for both "retpoline" and
> "retpolines"
> + if [ "$opt_live" = 1 ] && [ -n "$fullmsg" ];
> then
> +- if echo "$fullmsg" | grep -qwi -e
> retpoline -e retpolines; then
> +- if echo "$fullmsg" | grep -
> qwi minimal; then
> ++ if echo "$fullmsg" | @grep@ -qwi -e
> retpoline -e retpolines; then
> ++ if echo "$fullmsg" | @grep@ -
> qwi minimal; then
> + retpoline_compiler=0
> + retpoline_compiler_re
> ason="kernel reports minimal retpoline compilation"
> + else
> +@@ -3956,19 +3956,19 @@ check_CVE_2017_5715_linux()
> + fi
> + elif [ -n "$opt_map" ]; then
> + # look for the symbol
> +- if grep -qw noretpoline_setup
> "$opt_map"; then
> ++ if @grep@ -qw noretpoline_setup
> "$opt_map"; then
> + retpoline_compiler=1
> + retpoline_compiler_reason="no
> retpoline_setup symbol found in System.map"
> + fi
> + elif [ -n "$kernel" ]; then
> + # look for the symbol
> +- if command -v "${opt_arch_prefix}nm"
> >/dev/null 2>&1; then
> ++ if command -v "@nm@" >/dev/null 2>&1;
> then
> + # the proper way: use nm and
> look for the symbol
> +- if "${opt_arch_prefix}nm"
> "$kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then
> ++ if "@nm@" "$kernel"
> 2>/dev/null | @grep@ -qw 'noretpoline_setup'; then
> + retpoline_compiler=1
> + retpoline_compiler_re
> ason="noretpoline_setup found in kernel symbols"
> + fi
> +- elif grep -q noretpoline_setup
> "$kernel"; then
> ++ elif @grep@ -q noretpoline_setup
> "$kernel"; then
> + # if we don't have nm,
> nevermind, the symbol name is long enough to not have
> + # any false positive using
> good old grep directly on the binary
> + retpoline_compiler=1
> +@@ -3997,7 +3997,7 @@ check_CVE_2017_5715_linux()
> + retp_enabled=-1
> + if [ "$opt_live" = 1 ]; then
> + if [ -e "$specex_knob_dir/retp_enabled" ];
> then
> +- retp_enabled=$(cat
> "$specex_knob_dir/retp_enabled" 2>/dev/null)
> ++ retp_enabled=$(@cat@
> "$specex_knob_dir/retp_enabled" 2>/dev/null)
> + _debug "retpoline: found
> $specex_knob_dir/retp_enabled=$retp_enabled"
> + _info_nol " * Retpoline is
> enabled: "
> + if [ "$retp_enabled" = 1 ]; then
> +@@ -4027,7 +4027,7 @@ check_CVE_2017_5715_linux()
> + rsb_filling=0
> + if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs"
> != 1 ]; then
> + # if we're live and we aren't denied
> looking into /sys, let's do it
> +- if echo "$msg" | grep -qw RSB; then
> ++ if echo "$msg" | @grep@ -qw RSB; then
> + rsb_filling=1
> + pstatus green YES
> + fi
> +@@ -4036,7 +4036,7 @@ check_CVE_2017_5715_linux()
> + if [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN
> "couldn't check ($kernel_err)"
> + else
> +- if grep -qw -e 'Filling RSB
> on context switch' "$kernel"; then
> ++ if @grep@ -qw -e 'Filling RSB
> on context switch' "$kernel"; then
> + rsb_filling=1
> + pstatus green YES
> + else
> +@@ -4198,7 +4198,7 @@ check_CVE_2017_5715_bsd()
> + {
> + _info "* Mitigation 1"
> + _info_nol " * Kernel supports IBRS: "
> +- ibrs_disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null)
> ++ ibrs_disabled=$(@sysctl@ -n hw.ibrs_disable 2>/dev/null)
> + if [ -z "$ibrs_disabled" ]; then
> + pstatus yellow NO
> + else
> +@@ -4206,7 +4206,7 @@ check_CVE_2017_5715_bsd()
> + fi
> +
> + _info_nol " * IBRS enabled and active: "
> +- ibrs_active=$(sysctl -n hw.ibrs_active 2>/dev/null)
> ++ ibrs_active=$(@sysctl@ -n hw.ibrs_active 2>/dev/null)
> + if [ "$ibrs_active" = 1 ]; then
> + pstatus green YES
> + else
> +@@ -4219,10 +4219,10 @@ check_CVE_2017_5715_bsd()
> + if [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
> + else
> +- if ! command -v "${opt_arch_prefix}readelf"
> >/dev/null 2>&1; then
> ++ if ! command -v "@readelf@" >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing
> '${opt_arch_prefix}readelf' tool, please install it, usually it's in
> the binutils package"
> + else
> +- nb_thunks=$("${opt_arch_prefix}readelf" -s
> "$kernel" | grep -c -e __llvm_retpoline_ -e
> __llvm_external_retpoline_ -e __x86_indirect_thunk_)
> ++ nb_thunks=$("@readelf@" -s "$kernel" | @grep@
> -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e
> __x86_indirect_thunk_)
> + if [ "$nb_thunks" -gt 0 ]; then
> + retpoline=1
> + pstatus green YES "found $nb_thunks
> thunk(s)"
> +@@ -4263,7 +4263,7 @@ check_CVE_2017_5715_bsd()
> + pti_performance_check()
> + {
> + _info_nol " * Reduced performance impact of PTI: "
> +- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo"
> | grep -qw pcid; then
> ++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags
> "$procfs/cpuinfo" | @grep@ -qw pcid; then
> + cpu_pcid=1
> + else
> + read_cpuid 0x1 0x0 $ECX 17 1 1; ret=$?
> +@@ -4272,7 +4272,7 @@ pti_performance_check()
> + fi
> + fi
> +
> +- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo"
> | grep -qw invpcid; then
> ++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags
> "$procfs/cpuinfo" | @grep@ -qw invpcid; then
> + cpu_invpcid=1
> + else
> + read_cpuid 0x7 0x0 $EBX 10 1 1; ret=$?
> +@@ -4297,7 +4297,7 @@ check_CVE_2017_5754()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2017_5754_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2017_5754_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -4319,7 +4319,7 @@ check_CVE_2017_5754_linux()
> + kpti_can_tell=0
> + if [ -n "$opt_config" ]; then
> + kpti_can_tell=1
> +- kpti_support=$(grep -w -e
> CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e
> CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
> ++ kpti_support=$(@grep@ -w -e
> CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e
> CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
> + if [ -n "$kpti_support" ]; then
> + _debug "kpti_support: found option
> '$kpti_support' in $opt_config"
> + fi
> +@@ -4329,7 +4329,7 @@ check_CVE_2017_5754_linux()
> + # so we try to find an exported symbol that
> is part of the PTI patch in System.map
> + # parse_kpti: arm
> + kpti_can_tell=1
> +- kpti_support=$(grep -w -e kpti_force_enabled
> -e parse_kpti "$opt_map")
> ++ kpti_support=$(@grep@ -w -e
> kpti_force_enabled -e parse_kpti "$opt_map")
> + if [ -n "$kpti_support" ]; then
> + _debug "kpti_support: found
> '$kpti_support' in $opt_map"
> + fi
> +@@ -4339,10 +4339,10 @@ check_CVE_2017_5754_linux()
> + # nopti option that is part of the patch
> (kernel command line option)
> + # 'kpti=': arm
> + kpti_can_tell=1
> +- if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++ if ! command -v "@strings@" >/dev/null 2>&1;
> then
> + pstatus yellow UNKNOWN "missing
> '${opt_arch_prefix}strings' tool, please install it, usually it's in
> the binutils package"
> + else
> +-
> kpti_support=$("${opt_arch_prefix}strin
> gs" "$kernel" | grep -w -e nopti -e kpti=)
> ++ kpti_support=$("@strings@" "$kernel"
> | @grep@ -w -e nopti -e kpti=)
> + if [ -n "$kpti_support" ]; then
> + _debug "kpti_support: found
> '$kpti_support' in $kernel"
> + fi
> +@@ -4369,20 +4369,20 @@ check_CVE_2017_5754_linux()
> + dmesg_grep="$dmesg_grep|x86/pti: Unmapping
> kernel while in userspace"
> + # aarch64
> + dmesg_grep="$dmesg_grep|CPU features:
> detected( feature)?: Kernel page table isolation \(KPTI\)"
> +- if grep ^flags "$procfs/cpuinfo" | grep -qw
> pti; then
> ++ if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -
> qw pti; then
> + # vanilla PTI patch sets the 'pti'
> flag in cpuinfo
> + _debug "kpti_enabled: found 'pti'
> flag in $procfs/cpuinfo"
> + kpti_enabled=1
> +- elif grep ^flags "$procfs/cpuinfo" | grep -qw
> kaiser; then
> ++ elif @grep@ ^flags "$procfs/cpuinfo" | @grep@
> -qw kaiser; then
> + # kernel line 4.9 sets the 'kaiser'
> flag in cpuinfo
> + _debug "kpti_enabled: found 'kaiser'
> flag in $procfs/cpuinfo"
> + kpti_enabled=1
> + elif [ -e /sys/kernel/debug/x86/pti_enabled
> ]; then
> + # Red Hat Backport creates a
> dedicated file, see https://access.redhat.com/articles/3311301
> +- kpti_enabled=$(cat
> /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
> ++ kpti_enabled=$(@cat@
> /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
> + _debug "kpti_enabled: file
> /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled"
> + elif is_xen_dom0; then
> +- pti_xen_pv_domU=$(xl dmesg | grep
> 'XPTI' | grep 'DomU enabled' | head -1)
> ++ pti_xen_pv_domU=$(xl @dmesg@ | @grep@
> 'XPTI' | @grep@ 'DomU enabled' | @head@ -1)
> +
> + [ -n "$pti_xen_pv_domU" ] &&
> kpti_enabled=1
> + fi
> +@@ -4457,7 +4457,7 @@ check_CVE_2017_5754_linux()
> + if [ -n "$kpti_support" ]; then
> + if [ -e
> "/sys/kernel/debug/x86/pti_enabled" ]; then
> + explain "Your kernel
> supports PTI but it's disabled, you can enable it with \`echo 1 >
> /sys/kernel/debug/x86/pti_enabled\`"
> +- elif echo "$kernel_cmdline" |
> grep -q -w -e nopti -e pti=off; then
> ++ elif echo "$kernel_cmdline" |
> @grep@ -q -w -e nopti -e pti=off; then
> + explain "Your kernel
> supports PTI but it has been disabled on command-line, remove the
> nopti or pti=off option from your bootloader configuration"
> + else
> + explain "Your kernel
> supports PTI but it has been disabled, check \`dmesg\` right after
> boot to find clues why the system disabled it"
> +@@ -4508,7 +4508,7 @@ check_CVE_2017_5754_linux()
> + check_CVE_2017_5754_bsd()
> + {
> + _info_nol "* Kernel supports Page Table Isolation (PTI): "
> +- kpti_enabled=$(sysctl -n vm.pmap.pti 2>/dev/null)
> ++ kpti_enabled=$(@sysctl@ -n vm.pmap.pti 2>/dev/null)
> + if [ -z "$kpti_enabled" ]; then
> + pstatus yellow NO
> + else
> +@@ -4579,7 +4579,7 @@ check_CVE_2018_3639()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2018_3639_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2018_3639_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -4598,33 +4598,33 @@ check_CVE_2018_3639_linux()
> + if [ "$opt_sysfs_only" != 1 ]; then
> + _info_nol "* Kernel supports disabling speculative
> store bypass (SSB): "
> + if [ "$opt_live" = 1 ]; then
> +- if grep -Eq 'Speculation.?Store.?Bypass:'
> "$procfs/self/status" 2>/dev/null; then
> ++ if @grep@ -Eq 'Speculation.?Store.?Bypass:'
> "$procfs/self/status" 2>/dev/null; then
> + kernel_ssb="found in
> $procfs/self/status"
> + _debug "found
> Speculation.Store.Bypass: in $procfs/self/status"
> + fi
> + fi
> + # arm64 kernels can have cpu_show_spec_store_bypass
> with ARM64_SSBD, so exclude them
> +- if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! grep
> -q 'arm64_sys_' "$kernel"; then
> +- kernel_ssb=$("${opt_arch_prefix}strings"
> "$kernel" | grep spec_store_bypass | head -n1);
> ++ if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && !
> @grep@ -q 'arm64_sys_' "$kernel"; then
> ++ kernel_ssb=$("@strings@" "$kernel" | @grep@
> spec_store_bypass | @head@ -n1);
> + [ -n "$kernel_ssb" ] && kernel_ssb="found
> $kernel_ssb in kernel"
> + fi
> + # arm64 kernels can have cpu_show_spec_store_bypass
> with ARM64_SSBD, so exclude them
> +- if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && !
> grep -q 'arm64_sys_' "$opt_map"; then
> +- kernel_ssb=$(grep spec_store_bypass
> "$opt_map" | awk '{print $3}' | head -n1)
> ++ if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && !
> @grep@ -q 'arm64_sys_' "$opt_map"; then
> ++ kernel_ssb=$(@grep@ spec_store_bypass
> "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
> + [ -n "$kernel_ssb" ] && kernel_ssb="found
> $kernel_ssb in System.map"
> + fi
> + # arm64 only:
> + if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ]; then
> +- kernel_ssb=$(grep -w cpu_enable_ssbs
> "$opt_map" | awk '{print $3}' | head -n1)
> ++ kernel_ssb=$(@grep@ -w cpu_enable_ssbs
> "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
> + [ -n "$kernel_ssb" ] && kernel_ssb="found
> $kernel_ssb in System.map"
> + fi
> + if [ -z "$kernel_ssb" ] && [ -n "$opt_config" ]; then
> +- kernel_ssb=$(grep -w 'CONFIG_ARM64_SSBD=y'
> "$opt_config")
> ++ kernel_ssb=$(@grep@ -w 'CONFIG_ARM64_SSBD=y'
> "$opt_config")
> + [ -n "$kernel_ssb" ] &&
> kernel_ssb="CONFIG_ARM64_SSBD enabled in kconfig"
> + fi
> + if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then
> + # this string only appears in kernel if
> CONFIG_ARM64_SSBD is set
> +- kernel_ssb=$(grep -w "Speculative Store
> Bypassing Safe (SSBS)" "$kernel")
> ++ kernel_ssb=$(@grep@ -w "Speculative Store
> Bypassing Safe (SSBS)" "$kernel")
> + [ -n "$kernel_ssb" ] && kernel_ssb="found
> 'Speculative Store Bypassing Safe (SSBS)' in kernel"
> + fi
> + # /arm64 only
> +@@ -4639,31 +4639,31 @@ check_CVE_2018_3639_linux()
> + if [ "$opt_live" = 1 ]; then
> + #
> https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340
> + _info_nol "* SSB mitigation is enabled and
> active: "
> +- if grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status"
> 2>/dev/null; then
> ++ if @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status"
> 2>/dev/null; then
> + kernel_ssbd_enabled=1
> + pstatus green YES "per-thread through
> prctl"
> +- elif grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated'
> "$procfs/self/status" 2>/dev/null; then
> ++ elif @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated'
> "$procfs/self/status" 2>/dev/null; then
> + kernel_ssbd_enabled=2
> + pstatus green YES "global"
> +- elif grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable'
> "$procfs/self/status" 2>/dev/null; then
> ++ elif @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable'
> "$procfs/self/status" 2>/dev/null; then
> + kernel_ssbd_enabled=0
> + pstatus yellow NO
> +- elif grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable'
> "$procfs/self/status" 2>/dev/null; then
> ++ elif @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable'
> "$procfs/self/status" 2>/dev/null; then
> + kernel_ssbd_enabled=-2
> + pstatus blue NO "not vulnerable"
> +- elif grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+unknown'
> "$procfs/self/status" 2>/dev/null; then
> ++ elif @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+unknown'
> "$procfs/self/status" 2>/dev/null; then
> + kernel_ssbd_enabled=0
> + pstatus blue NO
> + else
> +- pstatus blue UNKNOWN "unknown value:
> $(grep -E 'Speculation.?Store.?Bypass:' "$procfs/self/status"
> 2>/dev/null | cut -d: -f2-)"
> ++ pstatus blue UNKNOWN "unknown value:
> $(@grep@ -E 'Speculation.?Store.?Bypass:' "$procfs/self/status"
> 2>/dev/null | @cut@ -d: -f2-)"
> + fi
> +
> + if [ "$kernel_ssbd_enabled" = 1 ]; then
> + _info_nol "* SSB mitigation currently
> active for selected processes: "
> + # silence grep's stderr here to avoid
> ENOENT errors from processes that have exited since the shell's
> expansion of the *
> +- mitigated_processes=$(find /proc -
> mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
> +- | xargs -r0 grep -El
> 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated'
> 2>/dev/null \
> +- | sed s/status/exe/ | xargs -
> r -n1 readlink -f 2>/dev/null | xargs -r -n1 basename | sort -u | tr
> "\n" " " | sed 's/ $//')
> ++ mitigated_processes=$(@find@ /proc -
> mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
> ++ | @xargs@ -r0 @grep@ -El
> 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated'
> 2>/dev/null \
> ++ | @sed@ s/status/exe/ |
> @xargs@ -r -n1 readlink -f 2>/dev/null | @xargs@ -r -n1 @basename@ |
> @sort@ -u | @tr@ "\n" " " | @sed@ 's/ $//')
> + if [ -n "$mitigated_processes" ];
> then
> + pstatus green YES
> "$mitigated_processes"
> + else
> +@@ -4715,7 +4715,7 @@ check_CVE_2018_3639_linux()
> + check_CVE_2018_3639_bsd()
> + {
> + _info_nol "* Kernel supports speculation store bypass: "
> +- if sysctl hw.spec_store_bypass_disable >/dev/null 2>&1; then
> ++ if @sysctl@ hw.spec_store_bypass_disable >/dev/null 2>&1;
> then
> + kernel_ssb=1
> + pstatus green YES
> + else
> +@@ -4724,7 +4724,7 @@ check_CVE_2018_3639_bsd()
> + fi
> +
> + _info_nol "* Speculation store bypass is administratively
> enabled: "
> +- ssb_enabled=$(sysctl -n hw.spec_store_bypass_disable
> 2>/dev/null)
> ++ ssb_enabled=$(@sysctl@ -n hw.spec_store_bypass_disable
> 2>/dev/null)
> + _debug "hw.spec_store_bypass_disable=$ssb_enabled"
> + case "$ssb_enabled" in
> + 0) pstatus yellow NO "disabled";;
> +@@ -4734,7 +4734,7 @@ check_CVE_2018_3639_bsd()
> + esac
> +
> + _info_nol "* Speculation store bypass is currently active: "
> +- ssb_active=$(sysctl -n hw.spec_store_bypass_disable_active
> 2>/dev/null)
> ++ ssb_active=$(@sysctl@ -n hw.spec_store_bypass_disable_active
> 2>/dev/null)
> + _debug "hw.spec_store_bypass_disable_active=$ssb_active"
> + case "$ssb_active" in
> + 1) pstatus green YES;;
> +@@ -4806,7 +4806,7 @@ check_CVE_2018_3620()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2018_3620_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2018_3620_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -4824,14 +4824,14 @@ check_CVE_2018_3620_linux()
> + fi
> + if [ "$opt_sysfs_only" != 1 ]; then
> + _info_nol "* Kernel supports PTE inversion: "
> +- if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++ if ! command -v "@strings@" >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing 'strings'
> tool, please install it"
> + pteinv_supported=-1
> + elif [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN "$kernel_err"
> + pteinv_supported=-1
> + else
> +- if "${opt_arch_prefix}strings" "$kernel" |
> grep -Fq 'PTE Inversion'; then
> ++ if "@strings@" "$kernel" | @grep@ -Fq 'PTE
> Inversion'; then
> + pstatus green YES "found in kernel
> image"
> + _debug "pteinv: found pte inversion
> evidence in kernel image"
> + pteinv_supported=1
> +@@ -4844,7 +4844,7 @@ check_CVE_2018_3620_linux()
> + _info_nol "* PTE inversion enabled and active: "
> + if [ "$opt_live" = 1 ]; then
> + if [ -n "$fullmsg" ]; then
> +- if echo "$fullmsg" | grep -q
> 'Mitigation: PTE Inversion'; then
> ++ if echo "$fullmsg" | @grep@ -q
> 'Mitigation: PTE Inversion'; then
> + pstatus green YES
> + pteinv_active=1
> + else
> +@@ -4892,7 +4892,7 @@ check_CVE_2018_3620_bsd()
> + else
> + _debug "vmm module already loaded"
> + fi
> +- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
> ++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
> + #
> https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
> + # this is very difficult to detect that the kernel
> reserved the 0 page, but this fix
> + # is part of the exact same patch than the other L1TF
> CVE, so we detect it
> +@@ -4922,7 +4922,7 @@ check_CVE_2018_3646()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2018_3646_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2018_3646_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -4948,7 +4948,7 @@ check_CVE_2018_3646_linux()
> + if [ "$opt_live" = 1 ]; then
> + if ! [ -r
> /sys/module/kvm_intel/parameters/ept ]; then
> + pstatus blue N/A "the kvm_intel
> module is not loaded"
> +- elif [ "$(cat
> /sys/module/kvm_intel/parameters/ept)" = N ]; then
> ++ elif [ "$(@cat@
> /sys/module/kvm_intel/parameters/ept)" = N ]; then
> + pstatus green YES
> + ept_disabled=1
> + else
> +@@ -4960,15 +4960,15 @@ check_CVE_2018_3646_linux()
> +
> + _info "* Mitigation 2"
> + _info_nol " * L1D flush is supported by kernel: "
> +- if [ "$opt_live" = 1 ] && grep -qw flush_l1d
> "$procfs/cpuinfo"; then
> ++ if [ "$opt_live" = 1 ] && @grep@ -qw flush_l1d
> "$procfs/cpuinfo"; then
> + l1d_kernel="found flush_l1d in
> $procfs/cpuinfo"
> + fi
> + if [ -z "$l1d_kernel" ]; then
> +- if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++ if ! command -v "@strings@" >/dev/null 2>&1;
> then
> + l1d_kernel_err="missing
> '${opt_arch_prefix}strings' tool, please install it, usually it's in
> the binutils package"
> + elif [ -n "$kernel_err" ]; then
> + l1d_kernel_err="$kernel_err"
> +- elif "${opt_arch_prefix}strings" "$kernel" |
> grep -qw flush_l1d; then
> ++ elif "@strings@" "$kernel" | @grep@ -qw
> flush_l1d; then
> + l1d_kernel='found flush_l1d in kernel
> image'
> + fi
> + fi
> +@@ -4989,20 +4989,20 @@ check_CVE_2018_3646_linux()
> + # $l1dstatus is one of
> (auto|vulnerable|conditional cache flushes|cache flushes|EPT
> disabled|flush not necessary)
> + # $smtstatus is one of
> (vulnerable|disabled)
> + # can also just be "Not affected"
> +- if echo "$fullmsg" | grep -Eq -e 'Not
> affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not
> necessary)'; then
> ++ if echo "$fullmsg" | @grep@ -Eq -e
> 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not
> necessary)'; then
> + l1d_mode=0
> + pstatus yellow NO
> +- elif echo "$fullmsg" | grep -Eq
> '(VMX:|L1D) conditional cache flushes'; then
> ++ elif echo "$fullmsg" | @grep@ -Eq
> '(VMX:|L1D) conditional cache flushes'; then
> + l1d_mode=1
> + pstatus green YES
> "conditional flushes"
> +- elif echo "$fullmsg" | grep -Eq
> '(VMX:|L1D) cache flushes'; then
> ++ elif echo "$fullmsg" | @grep@ -Eq
> '(VMX:|L1D) cache flushes'; then
> + l1d_mode=2
> + pstatus green YES
> "unconditional flushes"
> + else
> + if is_xen_dom0; then
> +- l1d_xen_hardware=$(xl
> dmesg | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -1)
> +-
> l1d_xen_hypervisor=$(xl
> dmesg | grep 'Xen settings:' | grep 'L1D_FLUSH' | head -1)
> +- l1d_xen_pv_domU=$(xl
> dmesg | grep 'PV L1TF shadowing:' | grep 'DomU enabled' | head -1)
> ++ l1d_xen_hardware=$(xl
> @dmesg@ | @grep@ 'Hardware features:' | @grep@ 'L1D_FLUSH' | @head@ -
> 1)
> ++ l1d_xen_hypervisor=$(
> xl @dmesg@ | @grep@ 'Xen settings:' | @grep@ 'L1D_FLUSH' | @head@ -1)
> ++ l1d_xen_pv_domU=$(xl
> @dmesg@ | @grep@ 'PV L1TF shadowing:' | @grep@ 'DomU enabled' |
> @head@ -1)
> +
> + if [ -n
> "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n
> "$l1d_xen_pv_domU" ]; then
> + l1d_mode=5
> +@@ -5033,7 +5033,7 @@ check_CVE_2018_3646_linux()
> +
> + _info_nol " * Hardware-backed L1D flush supported: "
> + if [ "$opt_live" = 1 ]; then
> +- if grep -qw flush_l1d "$procfs/cpuinfo" || [
> -n "$l1d_xen_hardware" ]; then
> ++ if @grep@ -qw flush_l1d "$procfs/cpuinfo" ||
> [ -n "$l1d_xen_hardware" ]; then
> + pstatus green YES "performance impact
> of the mitigation will be greatly reduced"
> + else
> + pstatus blue NO "flush will be done
> in software, this is slower"
> +@@ -5105,7 +5105,7 @@ check_CVE_2018_3646_linux()
> + check_CVE_2018_3646_bsd()
> + {
> + _info_nol "* Kernel supports L1D flushing: "
> +- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
> ++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
> + pstatus green YES
> + kernel_l1d_supported=1
> + else
> +@@ -5114,7 +5114,7 @@ check_CVE_2018_3646_bsd()
> + fi
> +
> + _info_nol "* L1D flushing is enabled: "
> +- kernel_l1d_enabled=$(sysctl -n hw.vmm.vmx.l1d_flush
> 2>/dev/null)
> ++ kernel_l1d_enabled=$(@sysctl@ -n hw.vmm.vmx.l1d_flush
> 2>/dev/null)
> + case "$kernel_l1d_enabled" in
> + 0) pstatus yellow NO;;
> + 1) pstatus green YES;;
> +@@ -5168,7 +5168,7 @@ check_CVE_2018_12127()
> + ###################
> + # MDSUM SECTION
> +
> +-# Microarchitectural Data Sampling Uncacheable Memory
> ++# Microarchitectural Data Sampling Uncacheable Memory
> + check_CVE_2019_11091()
> + {
> + cve='CVE-2019-11091'
> +@@ -5182,7 +5182,7 @@ check_mds()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_mds_linux "$cve"
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_mds_bsd "$cve"
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -5193,7 +5193,7 @@ check_mds_bsd()
> + {
> + _info_nol "* Kernel supports using MD_CLEAR mitigation: "
> + if [ "$opt_live" = 1 ]; then
> +- if sysctl hw.mds_disable >/dev/null 2>&1; then
> ++ if @sysctl@ hw.mds_disable >/dev/null 2>&1; then
> + pstatus green YES
> + kernel_md_clear=1
> + else
> +@@ -5201,7 +5201,7 @@ check_mds_bsd()
> + kernel_md_clear=0
> + fi
> + else
> +- if grep -Fq hw.mds_disable $opt_kernel; then
> ++ if @grep@ -Fq hw.mds_disable $opt_kernel; then
> + pstatus green YES
> + kernel_md_clear=1
> + else
> +@@ -5211,8 +5211,8 @@ check_mds_bsd()
> + fi
> +
> + _info_nol "* CPU Hyper-Threading (SMT) is disabled: "
> +- if sysctl machdep.hyperthreading_allowed >/dev/null 2>&1;
> then
> +- kernel_smt_allowed=$(sysctl -n
> machdep.hyperthreading_allowed 2>/dev/null)
> ++ if @sysctl@ machdep.hyperthreading_allowed >/dev/null 2>&1;
> then
> ++ kernel_smt_allowed=$(@sysctl@ -n
> machdep.hyperthreading_allowed 2>/dev/null)
> + if [ "$kernel_smt_allowed" = 1 ]; then
> + pstatus yellow NO
> + else
> +@@ -5224,7 +5224,7 @@ check_mds_bsd()
> +
> + _info_nol "* Kernel mitigation is enabled: "
> + if [ "$kernel_md_clear" = 1 ]; then
> +- kernel_mds_enabled=$(sysctl -n hw.mds_disable
> 2>/dev/null)
> ++ kernel_mds_enabled=$(@sysctl@ -n hw.mds_disable
> 2>/dev/null)
> + else
> + kernel_mds_enabled=0
> + fi
> +@@ -5238,7 +5238,7 @@ check_mds_bsd()
> +
> + _info_nol "* Kernel mitigation is active: "
> + if [ "$kernel_md_clear" = 1 ]; then
> +- kernel_mds_state=$(sysctl -n hw.mds_disable_state
> 2>/dev/null)
> ++ kernel_mds_state=$(@sysctl@ -n hw.mds_disable_state
> 2>/dev/null)
> + else
> + kernel_mds_state=inactive
> + fi
> +@@ -5296,16 +5296,16 @@ check_mds_linux()
> + _info_nol "* Kernel supports using MD_CLEAR
> mitigation: "
> + kernel_md_clear=''
> + kernel_md_clear_can_tell=1
> +- if [ "$opt_live" = 1 ] && grep ^flags
> "$procfs/cpuinfo" | grep -qw md_clear; then
> ++ if [ "$opt_live" = 1 ] && @grep@ ^flags
> "$procfs/cpuinfo" | @grep@ -qw md_clear; then
> + kernel_md_clear="md_clear found in
> $procfs/cpuinfo"
> + pstatus green YES "$kernel_md_clear"
> + fi
> + if [ -z "$kernel_md_clear" ]; then
> +- if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++ if ! command -v "@strings@" >/dev/null 2>&1;
> then
> + kernel_md_clear_can_tell=0
> + elif [ -n "$kernel_err" ]; then
> + kernel_md_clear_can_tell=0
> +- elif "${opt_arch_prefix}strings" "$kernel" |
> grep -q 'Clear CPU buffers'; then
> ++ elif "@strings@" "$kernel" | @grep@ -q 'Clear
> CPU buffers'; then
> + _debug "md_clear: found 'Clear CPU
> buffers' string in kernel image"
> + kernel_md_clear='found md_clear
> implementation evidence in kernel image'
> + pstatus green YES "$kernel_md_clear"
> +@@ -5321,7 +5321,7 @@ check_mds_linux()
> +
> + if [ "$opt_live" = 1 ] && [
> "$sys_interface_available" = 1 ]; then
> + _info_nol "* Kernel mitigation is enabled and
> active: "
> +- if echo "$fullmsg" | grep -qi ^mitigation;
> then
> ++ if echo "$fullmsg" | @grep@ -qi ^mitigation;
> then
> + mds_mitigated=1
> + pstatus green YES
> + else
> +@@ -5329,7 +5329,7 @@ check_mds_linux()
> + pstatus yellow NO
> + fi
> + _info_nol "* SMT is either mitigated or
> disabled: "
> +- if echo "$fullmsg" | grep -Eq 'SMT
> (disabled|mitigated)'; then
> ++ if echo "$fullmsg" | @grep@ -Eq 'SMT
> (disabled|mitigated)'; then
> + mds_smt_mitigated=1
> + pstatus green YES
> + else
> +@@ -5415,7 +5415,7 @@ check_CVE_2019_11135()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2019_11135_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2019_11135_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -5436,7 +5436,7 @@ check_CVE_2019_11135_linux()
> + kernel_taa=''
> + if [ -n "$kernel_err" ]; then
> + kernel_taa_err="$kernel_err"
> +- elif grep -q 'tsx_async_abort' "$kernel"; then
> ++ elif @grep@ -q 'tsx_async_abort' "$kernel"; then
> + kernel_taa="found tsx_async_abort in kernel
> image"
> + fi
> + if [ -n "$kernel_taa" ]; then
> +@@ -5450,7 +5450,7 @@ check_CVE_2019_11135_linux()
> + _info_nol "* TAA mitigation enabled and active: "
> + if [ "$opt_live" = 1 ]; then
> + if [ -n "$fullmsg" ]; then
> +- if echo "$fullmsg" | grep -qE
> '^Mitigation'; then
> ++ if echo "$fullmsg" | @grep@ -qE
> '^Mitigation'; then
> + pstatus green YES "$fullmsg"
> + else
> + pstatus yellow NO
> +@@ -5485,9 +5485,9 @@ check_CVE_2019_11135_linux()
> + else
> + if [ "$opt_paranoid" = 1 ]; then
> + # in paranoid mode, TSX or SMT enabled are
> not OK, even if TAA is mitigated
> +- if ! echo "$fullmsg" | grep -qF 'TSX
> disabled'; then
> ++ if ! echo "$fullmsg" | @grep@ -qF 'TSX
> disabled'; then
> + pvulnstatus $cve VULN "TSX must be
> disabled for full mitigation"
> +- elif echo "$fullmsg" | grep -qF 'SMT
> vulnerable'; then
> ++ elif echo "$fullmsg" | @grep@ -qF 'SMT
> vulnerable'; then
> + pvulnstatus $cve VULN "SMT
> (HyperThreading) must be disabled for full mitigation"
> + else
> + pvulnstatus $cve "$status" "$msg"
> +@@ -5517,7 +5517,7 @@ check_CVE_2018_12207()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2018_12207_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2018_12207_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -5541,7 +5541,7 @@ check_CVE_2018_12207_linux()
> + if [ -n "$kernel_err" ]; then
> + kernel_itlbmh_err="$kernel_err"
> + # commit 5219505fcbb640e273a0d51c19c38de0100ec5a9
> +- elif grep -q 'itlb_multihit' "$kernel"; then
> ++ elif @grep@ -q 'itlb_multihit' "$kernel"; then
> + kernel_itlbmh="found itlb_multihit in kernel
> image"
> + fi
> + if [ -n "$kernel_itlbmh" ]; then
> +@@ -5555,7 +5555,7 @@ check_CVE_2018_12207_linux()
> + _info_nol "* iTLB Multihit mitigation enabled and
> active: "
> + if [ "$opt_live" = 1 ]; then
> + if [ -n "$fullmsg" ]; then
> +- if echo "$fullmsg" | grep -qF
> 'Mitigation'; then
> ++ if echo "$fullmsg" | @grep@ -qF
> 'Mitigation'; then
> + pstatus green YES "$fullmsg"
> + else
> + pstatus yellow NO
> +@@ -5597,7 +5597,7 @@ check_CVE_2018_12207_linux()
> + check_CVE_2018_12207_bsd()
> + {
> + _info_nol "* Kernel supports disabling superpages for
> executable mappings under EPT: "
> +- kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept
> 2>/dev/null)
> ++ kernel_2m_x_ept=$(@sysctl@ -n vm.pmap.allow_2m_x_ept
> 2>/dev/null)
> + if [ -z "$kernel_2m_x_ept" ]; then
> + pstatus yellow NO
> + else
> +@@ -5634,7 +5634,7 @@ check_CVE_2020_0543()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2020_0543_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2020_0543_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -5655,7 +5655,7 @@ check_CVE_2020_0543_linux()
> + kernel_srbds=''
> + if [ -n "$kernel_err" ]; then
> + kernel_srbds_err="$kernel_err"
> +- elif grep -q 'Dependent on hypervisor' "$kernel";
> then
> ++ elif @grep@ -q 'Dependent on hypervisor' "$kernel";
> then
> + kernel_srbds="found SRBDS implementation
> evidence in kernel image. Your kernel is up to date for SRBDS
> mitigation"
> + fi
> + if [ -n "$kernel_srbds" ]; then
> +@@ -5668,7 +5668,7 @@ check_CVE_2020_0543_linux()
> + _info_nol "* SRBDS mitigation control is enabled and
> active: "
> + if [ "$opt_live" = 1 ]; then
> + if [ -n "$fullmsg" ]; then
> +- if echo "$fullmsg" | grep -qE
> '^Mitigation'; then
> ++ if echo "$fullmsg" | @grep@ -qE
> '^Mitigation'; then
> + pstatus green YES "$fullmsg"
> + else
> + pstatus yellow NO
> +@@ -5758,8 +5758,8 @@ fi
> + # now run the checks the user asked for
> + for cve in $supported_cve_list
> + do
> +- if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | grep -qw
> "$cve"; then
> +- check_"$(echo "$cve" | tr - _)"
> ++ if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | @grep@ -
> qw "$cve"; then
> ++ check_"$(echo "$cve" | @tr@ - _)"
> + _info
> + fi
> + done
> +@@ -5773,17 +5773,17 @@ if [ "$bad_accuracy" = 1 ]; then
> + _warn "We're missing some kernel info (see -v), accuracy
> might be reduced"
> + fi
> +
> +-_vars=$(set | grep -Ev '^[A-Z_[:space:]]' | grep -v -F 'mockme=' |
> sort | tr "\n" '|')
> ++_vars=$(set | @grep@ -Ev '^[A-Z_[:space:]]' | @grep@ -v -F
> 'mockme=' | @sort@ | @tr@ "\n" '|')
> + _debug "variables at end of script: $_vars"
> +
> + if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
> +- if command -v "gzip" >/dev/null 2>&1; then
> ++ if command -v "@gzip@" >/dev/null 2>&1; then
> + # not a useless use of cat: gzipping cpuinfo directly
> doesn't work well
> + # shellcheck disable=SC2002
> +- if command -v "base64" >/dev/null 2>&1; then
> +- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c |
> base64 -w0)"
> +- elif command -v "uuencode" >/dev/null 2>&1; then
> +- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c |
> uuencode -m - | grep -Fv 'begin-base64' | grep -Fxv -- '====' | tr -d
> "\n")"
> ++ if command -v "@base64@" >/dev/null 2>&1; then
> ++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@
> -c | @base64@ -w0)"
> ++ elif command -v "@uuencode@" >/dev/null 2>&1; then
> ++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@
> -c | @uuencode@ -m - | @grep@ -Fv 'begin-base64' | @grep@ -Fxv --
> '====' | @tr@ -d "\n")"
> + fi
> + fi
> + if [ -n "$mock_cpuinfo" ]; then
> +@@ -5792,7 +5792,7 @@ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ];
> then
> + fi
> + _info ""
> + # shellcheck disable=SC2046
> +- _warn "To mock this CPU, set those vars: "$(echo "$mockme" |
> sort -u)
> ++ _warn "To mock this CPU, set those vars: "$(echo "$mockme" |
> @sort@ -u)
> + fi
> +
> + if [ "$opt_explain" = 0 ]; then
> +--
> +2.38.1
> +
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-
> guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-
> checker-support-guix-system-kernel.patch
> new file mode 100644
> index 0000000000..afec52b418
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-
> system-kernel.patch
> @@ -0,0 +1,26 @@
> +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako <at> ultrarare.space>
> +Date: Sat, 5 Nov 2022 23:22:31 +0800
> +Subject: [PATCH] Add support for Guix System kernel.
> +
> +---
> + spectre-meltdown-checker.sh | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 248a444..855a090 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
> + [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> + # NixOS:
> + [ -e "/run/booted-system/kernel" ] &&
> opt_kernel="/run/booted-system/kernel"
> ++ # Guix System:
> ++ [ -e "/run/booted-system/kernel/bzImage" ] &&
> opt_kernel="/run/booted-system/kernel/bzImage"
> + # systemd kernel-install:
> + [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux"
> + # Clear Linux:
> +
> +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
> +--
> +2.38.0
>
> base-commit: 70df5c47a89f4f353a1df94467581a0f0da599a4
> --
> 2.38.1
Haven't looked at all the other substituted commands, but otherwise
seems good to me.
Cheers
guix-patches <at> gnu.org:bug#59053; Package guix-patches.
(Sat, 12 Nov 2022 12:16:02 GMT) Full text and rfc822 format available.Message #21 received at 59053 <at> debbugs.gnu.org (full text, mbox):
From: Hilton Chain <hako <at> ultrarare.space> To: Liliana Marie Prikler <liliana.prikler <at> gmail.com> Cc: 59053 <at> debbugs.gnu.org Subject: [PATCH v3] gnu: Add spectre-meltdown-checker. Date: Sat, 12 Nov 2022 20:14:28 +0800
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
v2 -> v3:
1. Use curl as default downloader (It seems that wget doesn't work out of the
box for TLS?).
2. Remove instead of commenting.
3. Remove builtin firmware database via a snippet.
4. Adjust position of the "return 2" statement. For the purpose, it's there to
stop the version checking function, as later steps assumes a valid firmware
database. For the very value, it's that return value of is_latest_known_ucode()
other than 0 or 1, is considered "unknown" in the final output.
gnu/local.mk | 3 +
gnu/packages/linux.scm | 58 +
...ker-remove-builtin-firmware-database.patch | 113 +
...cker-stage-commands-for-substitution.patch | 1947 +++++++++++++++++
...n-checker-support-guix-system-kernel.patch | 26 +
5 files changed, 2147 insertions(+)
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index e3e02314bb..46b299d0d6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1857,6 +1857,9 @@ dist_patch_DATA = \
%D%/packages/patches/syslinux-strip-gnu-property.patch \
%D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \
%D%/packages/patches/snappy-add-inline-for-GCC.patch \
+ %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \
+ %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch \
+ %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
%D%/packages/patches/sphinxbase-fix-doxygen.patch \
%D%/packages/patches/spice-vdagent-glib-2.68.patch \
%D%/packages/patches/sssd-optional-systemd.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index fea33dfa0b..b15899baf6 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9595,3 +9595,61 @@ (define-public edac-utils
error detection and correction (EDAC).")
(home-page "https://github.com/grondo/edac-utils")
(license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+ (package
+ (name "spectre-meltdown-checker")
+ (version "0.45")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (patches
+ (search-patches
+ ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+ "spectre-meltdown-checker-support-guix-system-kernel.patch"
+ ;; NOTE: Update these patches when updating.
+ "spectre-meltdown-checker-stage-commands-for-substitution.patch"
+ "spectre-meltdown-checker-remove-builtin-firmware-database.patch"))
+ ;; Remove builtin firmware database.
+ (modules '((guix build utils)))
+ (snippet '(substitute* "spectre-meltdown-checker.sh"
+ (("^# [AI],.*") "")))
+ (sha256
+ (base32
+ "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+ (build-system copy-build-system)
+ (arguments
+ (list #:install-plan
+ #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'fixpath
+ (lambda* (#:key inputs #:allow-other-keys)
+ (substitute* "spectre-meltdown-checker.sh"
+ (("@sysctl@") (search-input-file inputs "/sbin/sysctl"))
+ (("@([a-z0-9]*)@" _ command _)
+ (search-input-file
+ inputs (string-append "/bin/" command)))))))))
+ (inputs
+ (list binutils
+ coreutils
+ grep
+ kmod
+ lz4
+ lzop
+ perl
+ procps
+ sharutils
+ util-linux
+ which
+ zstd))
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (synopsis "CPU vulnerability / mitigation checker")
+ (description
+ "This package provides a shell script to assess your system's resilience
+against the several transient execution CVEs that were published since early
+2018, and give you guidance as to how to mitigate them.")
+ (license license:gpl3)))
diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
new file mode 100644
index 0000000000..400d8d3a07
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
@@ -0,0 +1,113 @@
+From e2cc68814cf658638946e069406ef6a6032ab318 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako <at> ultrarare.space>
+Date: Sat, 12 Nov 2022 19:49:36 +0800
+Subject: [PATCH 2/2] Remove references to the builtin firmware database.
+
+---
+ spectre-meltdown-checker.sh | 43 +++++++++++--------------------------
+ 1 file changed, 12 insertions(+), 31 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 82cf1b6..5104599 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -95,7 +95,6 @@ show_usage()
+ --cpu [#,all] interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
+ --update-fwdb update our local copy of the CPU microcodes versions database (using the awesome
+ MCExtractor project and the Intel firmwares GitHub repository)
+- --update-builtin-fwdb same as --update-fwdb but update builtin DB inside the script itself
+ --dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script
+
+ Return codes:
+@@ -853,10 +852,10 @@ update_fwdb()
+ mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)"
+ mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+ _info_nol "Fetching MCE.db from the MCExtractor project... "
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
++ if command -v curl >/dev/null 2>&1; then
+ curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
++ elif command -v wget >/dev/null 2>&1; then
++ wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+ elif command -v fetch >/dev/null 2>&1; then
+ fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+ else
+@@ -874,10 +873,10 @@ update_fwdb()
+ intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+ _info_nol "Fetching Intel firmwares... "
+ ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
++ if command -v curl >/dev/null 2>&1; then
+ curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
++ elif command -v wget >/dev/null 2>&1; then
++ wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+ elif command -v fetch >/dev/null 2>&1; then
+ fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+ else
+@@ -968,14 +967,6 @@ update_fwdb()
+ sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,';
+ } > "$mcedb_cache"
+ echo DONE "(version $dbversion)"
+-
+- if [ "$1" = builtin ]; then
+- newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
+- @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+- @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+- @cat@ "$newfile" > "$0"
+- @rm@ -f "$newfile"
+- fi
+ }
+
+ parse_opt_file()
+@@ -1070,9 +1061,6 @@ while [ -n "${1:-}" ]; do
+ elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then
+ update_fwdb
+ exit $?
+- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
+- update_fwdb builtin
+- exit $?
+ elif [ "$1" = "--dump-mock-data" ]; then
+ opt_mock=1
+ shift
+@@ -2033,21 +2021,11 @@ is_xen_domU()
+ fi
+ }
+
+-builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ # we have a local cache file, but it might be older than the builtin version we have
+ local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+- # sort -V sorts by version number
+- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1)
+- if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+- mcedb_source="$mcedb_cache"
+- mcedb_info="local firmwares DB $local_dbversion"
+- fi
+-fi
+-# if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db
+-if [ -z "${mcedb_source:-}" ]; then
+- mcedb_source="$0"
+- mcedb_info="builtin firmwares DB $builtin_dbversion"
++ mcedb_source="$mcedb_cache"
++ mcedb_info="local firmwares DB $local_dbversion"
+ fi
+ read_mcedb()
+ {
+@@ -2063,7 +2041,10 @@ is_latest_known_ucode()
+ return 2
+ fi
+ ucode_latest="latest microcode version for your CPU model is unknown"
+- if is_intel; then
++ if [ -z "$mcedb_source" ]; then
++ # When $mcedb_source is not set, skip version checking and report unknown.
++ return 2
++ elif is_intel; then
+ cpu_brand_prefix=I
+ elif is_amd; then
+ cpu_brand_prefix=A
+--
+2.38.1
+
diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
new file mode 100644
index 0000000000..a2f13e4195
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
@@ -0,0 +1,1947 @@
+From 4dc8ae01aec5a8a2aa2afc015603261d514620ae Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako <at> ultrarare.space>
+Date: Fri, 11 Nov 2022 18:49:50 +0800
+Subject: [PATCH 1/2] Stage commands for later substitution.
+
+awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find, getent,
+grep, gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm,
+nproc, objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat,
+strings, sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, which,
+whoami, xargs.
+---
+ spectre-meltdown-checker.sh | 648 ++++++++++++++++++------------------
+ 1 file changed, 324 insertions(+), 324 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 30f760c..82cf1b6 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -19,33 +19,33 @@ trap '_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT
+ exit_cleanup()
+ {
+ # cleanup the temp decompressed config & kernel image
+- [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
+- [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp"
+- [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2"
+- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm -f "$mcedb_tmp"
+- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm -rf "$intel_tmp"
+- [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
+- [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null
+- [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
+- [ "${insmod_msr:-}" = 1 ] && rmmod msr 2>/dev/null
++ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && @rm@ -f "$dumped_config"
++ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && @rm@ -f "$kerneltmp"
++ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && @rm@ -f "$kerneltmp2"
++ [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && @rm@ -f "$mcedb_tmp"
++ [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && @rm@ -rf "$intel_tmp"
++ [ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug 2>/dev/null
++ [ "${mounted_procfs:-}" = 1 ] && @umount@ "$procfs" 2>/dev/null
++ [ "${insmod_cpuid:-}" = 1 ] && @rmmod@ cpuid 2>/dev/null
++ [ "${insmod_msr:-}" = 1 ] && @rmmod@ msr 2>/dev/null
+ [ "${kldload_cpuctl:-}" = 1 ] && kldunload cpuctl 2>/dev/null
+ [ "${kldload_vmm:-}" = 1 ] && kldunload vmm 2>/dev/null
+ }
+
+ # if we were git clone'd, adjust VERSION
+-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then
+- describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null)
+- [ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e s/^v//)
++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null 2>&1; then
++ describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty 2>/dev/null)
++ [ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e s/^v//)
+ fi
+
+ show_usage()
+ {
+ # shellcheck disable=SC2086
+- cat <<EOF
++ @cat@ <<EOF
+ Usage:
+- Live mode (auto): $(basename $0) [options]
+- Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
+- Offline mode: $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
++ Live mode (auto): $(@basename@ $0) [options]
++ Live mode (manual): $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
++ Offline mode: $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
+
+ Modes:
+ Two modes are available.
+@@ -110,7 +110,7 @@ EOF
+
+ show_disclaimer()
+ {
+- cat <<EOF
++ @cat@ <<EOF
+ Disclaimer:
+
+ This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the
+@@ -138,7 +138,7 @@ This tool has been released in the hope that it'll be useful, but don't use it t
+ EOF
+ }
+
+-os=$(uname -s)
++os=$(@uname@ -s)
+
+ # parse options
+ opt_kernel=''
+@@ -207,7 +207,7 @@ __echo()
+ _interpret_chars='-e'
+ fi
+ _ctrlchar=$($echo_cmd $_interpret_chars "\033")
+- _msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
++ _msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
+ fi
+ if [ "$echo_cmd_type" = printf ]; then
+ if [ "$opt" = "-n" ]; then
+@@ -383,7 +383,7 @@ is_cpu_affected()
+ # https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not affected
+ # https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown affected
+ # model name : Pentium(R) Dual-Core CPU E5200 @ 2.50GHz
+- if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
++ if echo "$cpu_friendly_name" | @grep@ -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
+ variant1=vuln
+ [ -z "$variant2" ] && variant2=immune
+ variant3=vuln
+@@ -486,7 +486,7 @@ is_cpu_affected()
+ i=$(( i + 1 ))
+ # do NOT quote $cpu_arch_list below
+ # shellcheck disable=SC2086
+- cpuarch=$(echo $cpu_arch_list | awk '{ print $'$i' }')
++ cpuarch=$(echo $cpu_arch_list | @awk@ '{ print $'$i' }')
+ _debug "checking cpu$i: <$cpupart> <$cpuarch>"
+ # some kernels report AArch64 instead of 8
+ [ "$cpuarch" = "AArch64" ] && cpuarch=8
+@@ -497,49 +497,49 @@ is_cpu_affected()
+ # part ? ? c08 c09 c0d c0f c0e d07 d08 d09 d0a d0b d0c d0d
+ # arch 7? 7? 7 7 7 7 7 8 8 8 8 8 8 8
+ #
+- # Whitelist identified non-affected processors, use vulnerability information from
++ # Whitelist identified non-affected processors, use vulnerability information from
+ # https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
+ # Partnumbers can be found here:
+ # https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in
+ #
+ # Maintain cumulative check of vulnerabilities -
+ # if at least one of the cpu is affected, then the system is affected
+- if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
++ if [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ [ -z "$variant3a" ] && variant3a=immune
+ [ -z "$variant4" ] && variant4=immune
+ _debug "checking cpu$i: armv7 A8/A9/A12/A17 non affected to variants 3, 3a & 4"
+- elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc0f; then
++ elif [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc0f; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ variant3a=vuln
+ [ -z "$variant4" ] && variant4=immune
+ _debug "checking cpu$i: armv7 A15 non affected to variants 3 & 4"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd07 -e 0xd08; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ variant3a=vuln
+ variant4=vuln
+ _debug "checking cpu$i: armv8 A57/A72 non affected to variants 3"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd09; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd09; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ [ -z "$variant3a" ] && variant3a=immune
+ variant4=vuln
+ _debug "checking cpu$i: armv8 A73 non affected to variants 3 & 3a"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0a; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0a; then
+ variant1=vuln
+ variant2=vuln
+ variant3=vuln
+ [ -z "$variant3a" ] && variant3a=immune
+ variant4=vuln
+ _debug "checking cpu$i: armv8 A75 non affected to variant 3a"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
+ variant1=vuln
+ [ -z "$variant2" ] && variant2=immune
+ [ -z "$variant3" ] && variant3=immune
+@@ -820,7 +820,7 @@ is_cpu_ssb_free()
+ if [ "$cpu_family" = "18" ] || \
+ [ "$cpu_family" = "17" ] || \
+ [ "$cpu_family" = "16" ] || \
+- [ "$cpu_family" = "15" ]; then
++ [ "$cpu_family" = "15" ]; then
+ return 0
+ fi
+ fi
+@@ -837,7 +837,7 @@ show_header()
+ _info
+ }
+
+-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
++[ -z "$HOME" ] && HOME="$(@getent@ passwd "$(@whoami@)" | @cut@ -d: -f6)"
+ mcedb_cache="$HOME/.mcedb"
+ update_fwdb()
+ {
+@@ -846,11 +846,11 @@ update_fwdb()
+ set -e
+
+ if [ -r "$mcedb_cache" ]; then
+- previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
++ previous_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+ fi
+
+ # first, download the MCE.db from the excellent platomav's MCExtractor project
+- mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
++ mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)"
+ mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+ _info_nol "Fetching MCE.db from the MCExtractor project... "
+ if command -v wget >/dev/null 2>&1; then
+@@ -870,7 +870,7 @@ update_fwdb()
+ echo DONE
+
+ # second, get the Intel firmwares from GitHub
+- intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
++ intel_tmp="$(@mktemp@ -d -t smc-intelfw-XXXXXX)"
+ intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+ _info_nol "Fetching Intel firmwares... "
+ ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+@@ -930,20 +930,20 @@ update_fwdb()
+ fi
+ # 079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev 0x0217, size 5120
+ # 078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev 0x0107, size 5120
+- $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
++ $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | @grep@ -wF sig | while read -r _line
+ do
+- _line=$( echo "$_line" | tr -d ',')
+- _cpuid=$( echo "$_line" | awk '{print $3}')
++ _line=$( echo "$_line" | @tr@ -d ',')
++ _cpuid=$( echo "$_line" | @awk@ '{print $3}')
+ _cpuid=$(( _cpuid ))
+ _cpuid=$(printf "0x%08X" "$_cpuid")
+- _date=$( echo "$_line" | awk '{print $6}' | tr -d '-')
+- _version=$(echo "$_line" | awk '{print $8}')
++ _date=$( echo "$_line" | @awk@ '{print $6}' | @tr@ -d '-')
++ _version=$(echo "$_line" | @awk@ '{print $8}')
+ _version=$(( _version ))
+ _version=$(printf "0x%08X" "$_version")
+ _sqlstm="$(printf "INSERT INTO Intel (origin,cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")"
+ sqlite3 "$mcedb_tmp" "$_sqlstm"
+ done
+- _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
++ _intel_timestamp=$(@stat@ -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
+ if [ -n "$_intel_timestamp" ]; then
+ # use this date, it matches the last commit date
+ _intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp")
+@@ -964,17 +964,17 @@ update_fwdb()
+ {
+ echo "# Spectre & Meltdown Checker";
+ echo "# %%% MCEDB v$dbversion";
+- sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+- sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
++ sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,';
++ sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,';
+ } > "$mcedb_cache"
+ echo DONE "(version $dbversion)"
+
+ if [ "$1" = builtin ]; then
+- newfile=$(mktemp -t smc-builtin-XXXXXX)
+- awk '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+- awk '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+- cat "$newfile" > "$0"
+- rm -f "$newfile"
++ newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
++ @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
++ @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
++ @cat@ "$newfile" > "$0"
++ @rm@ -f "$newfile"
+ fi
+ }
+
+@@ -1055,7 +1055,7 @@ while [ -n "${1:-}" ]; do
+ elif [ "$1" = "--cpu" ]; then
+ opt_cpu=$2
+ if [ "$opt_cpu" != all ]; then
+- if echo "$opt_cpu" | grep -Eq '^[0-9]+'; then
++ if echo "$opt_cpu" | @grep@ -Eq '^[0-9]+'; then
+ opt_cpu=$(( opt_cpu ))
+ else
+ echo "$0: error: --cpu should be an integer or 'all', got '$opt_cpu'" >&2
+@@ -1103,7 +1103,7 @@ while [ -n "${1:-}" ]; do
+ echo "$0: error: option --cve expects a parameter, supported CVEs are: $supported_cve_list" >&2
+ exit 255
+ fi
+- selected_cve=$(echo "$supported_cve_list" | grep -iwo "$2")
++ selected_cve=$(echo "$supported_cve_list" | @grep@ -iwo "$2")
+ if [ -n "$selected_cve" ]; then
+ opt_cve_list="$opt_cve_list $selected_cve"
+ opt_cve_all=0
+@@ -1308,14 +1308,14 @@ check_kernel()
+ # a damaged ELF file and validate it, check for stderr warnings too
+
+ # the warning "readelf: Warning: [16]: Link field (0) should index a symtab section./" can appear on valid kernels, ignore it
+- _readelf_warnings=$("${opt_arch_prefix}readelf" -S "$_file" 2>&1 >/dev/null | grep -v 'should index a symtab section' | tr "\n" "/"); ret=$?
+- _readelf_sections=$("${opt_arch_prefix}readelf" -S "$_file" 2>/dev/null | grep -c -e data -e text -e init)
+- _kernel_size=$(stat -c %s "$_file" 2>/dev/null || stat -f %z "$_file" 2>/dev/null || echo 10000)
++ _readelf_warnings=$("@readelf@" -S "$_file" 2>&1 >/dev/null | @grep@ -v 'should index a symtab section' | @tr@ "\n" "/"); ret=$?
++ _readelf_sections=$("@readelf@" -S "$_file" 2>/dev/null | @grep@ -c -e data -e text -e init)
++ _kernel_size=$(@stat@ -c %s "$_file" 2>/dev/null || @stat@ -f %z "$_file" 2>/dev/null || echo 10000)
+ _debug "check_kernel: ret=$? size=$_kernel_size sections=$_readelf_sections warnings=$_readelf_warnings"
+ if [ "$_mode" = desperate ]; then
+- if "${opt_arch_prefix}strings" "$_file" | grep -Eq '^Linux version '; then
++ if "@strings@" "$_file" | @grep@ -Eq '^Linux version '; then
+ _debug "check_kernel (desperate): ... matched!"
+- if [ "$_readelf_sections" = 0 ] && grep -qF -e armv6 -e armv7 "$_file"; then
++ if [ "$_readelf_sections" = 0 ] && @grep@ -qF -e armv6 -e armv7 "$_file"; then
+ _debug "check_kernel (desperate): raw arm binary found, adjusting objdump options"
+ objdump_options="-D -b binary -marm"
+ else
+@@ -1348,7 +1348,7 @@ try_decompress()
+
+ # Try to find the header ($1) and decompress from here
+ _debug "try_decompress: looking for $3 magic in $6"
+- for pos in $(tr "$1\n$2" "\n$2=" < "$6" | grep -abo "^$2")
++ for pos in $(@tr@ "$1\n$2" "\n$2=" < "$6" | @grep@ -abo "^$2")
+ do
+ _debug "try_decompress: magic for $3 found at offset $pos"
+ if ! command -v "$3" >/dev/null 2>&1; then
+@@ -1375,11 +1375,11 @@ try_decompress()
+ kernel="$kerneltmp"
+ _debug "try_decompress: decompressed with $3 successfully!"
+ return 0
+- elif [ "$3" != "cat" ]; then
++ elif [ "$3" != "@cat@" ]; then
+ _debug "try_decompress: decompression with $3 worked but result is not a kernel, trying with an offset"
+- [ -z "$kerneltmp2" ] && kerneltmp2=$(mktemp -t smc-kernel-XXXXXX)
+- cat "$kerneltmp" > "$kerneltmp2"
+- try_decompress '\177ELF' xxy 'cat' '' cat "$kerneltmp2" && return 0
++ [ -z "$kerneltmp2" ] && kerneltmp2=$(@mktemp@ -t smc-kernel-XXXXXX)
++ @cat@ "$kerneltmp" > "$kerneltmp2"
++ try_decompress '\177ELF' xxy '@cat@' '' cat "$kerneltmp2" && return 0
+ else
+ _debug "try_decompress: decompression with $3 worked but result is not a kernel"
+ fi
+@@ -1391,12 +1391,12 @@ extract_kernel()
+ {
+ [ -n "${1:-}" ] || return 1
+ # Prepare temp files:
+- kerneltmp="$(mktemp -t smc-kernel-XXXXXX)"
++ kerneltmp="$(@mktemp@ -t smc-kernel-XXXXXX)"
+
+ # Initial attempt for uncompressed images or objects:
+ if check_kernel "$1"; then
+ _debug "extract_kernel: found kernel is valid, no decompression needed"
+- cat "$1" > "$kerneltmp"
++ @cat@ "$1" > "$kerneltmp"
+ kernel=$kerneltmp
+ return 0
+ fi
+@@ -1405,14 +1405,14 @@ extract_kernel()
+ for pass in 1 2; do
+ for mode in normal desperate; do
+ _debug "extract_kernel: pass $pass $mode mode"
+- try_decompress '\037\213\010' xy gunzip '' gunzip "$1" "$mode" "$pass" && return 0
+- try_decompress '\002\041\114\030' xyy 'lz4' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
+- try_decompress '\3757zXZ\000' abcde unxz '' xz-utils "$1" "$mode" "$pass" && return 0
+- try_decompress 'BZh' xy bunzip2 '' bzip2 "$1" "$mode" "$pass" && return 0
+- try_decompress '\135\0\0\0' xxx unlzma '' xz-utils "$1" "$mode" "$pass" && return 0
+- try_decompress '\211\114\132' xy 'lzop' '-d' lzop "$1" "$mode" "$pass" && return 0
+- try_decompress '\177ELF' xxy 'cat' '' cat "$1" "$mode" "$pass" && return 0
+- try_decompress '(\265/\375' xxy unzstd '' zstd "$1" "$mode" "$pass" && return 0
++ try_decompress '\037\213\010' xy @gunzip@ '' gunzip "$1" "$mode" "$pass" && return 0
++ try_decompress '\002\041\114\030' xyy '@lz4@' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
++ try_decompress '\3757zXZ\000' abcde @unxz@ '' xz-utils "$1" "$mode" "$pass" && return 0
++ try_decompress 'BZh' xy @bunzip2@ '' bzip2 "$1" "$mode" "$pass" && return 0
++ try_decompress '\135\0\0\0' xxx @unlzma@ '' xz-utils "$1" "$mode" "$pass" && return 0
++ try_decompress '\211\114\132' xy '@lzop@' '-d' lzop "$1" "$mode" "$pass" && return 0
++ try_decompress '\177ELF' xxy '@cat@' '' cat "$1" "$mode" "$pass" && return 0
++ try_decompress '(\265/\375' xxy @unzstd@ '' zstd "$1" "$mode" "$pass" && return 0
+ done
+ done
+ # kernel_err might already have been populated by try_decompress() if we're missing one of the tools
+@@ -1429,7 +1429,7 @@ mount_debugfs()
+ {
+ if [ ! -e /sys/kernel/debug/sched_features ]; then
+ # try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
+- mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
++ @mount@ -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
+ fi
+ }
+
+@@ -1440,12 +1440,12 @@ load_msr()
+ load_msr_once=1
+
+ if [ "$os" = Linux ]; then
+- if ! grep -qw msr "$procfs/modules" 2>/dev/null; then
+- modprobe msr 2>/dev/null && insmod_msr=1
++ if ! @grep@ -qw msr "$procfs/modules" 2>/dev/null; then
++ @modprobe@ msr 2>/dev/null && insmod_msr=1
+ _debug "attempted to load module msr, insmod_msr=$insmod_msr"
+ else
+ _debug "msr module already loaded"
+- fi
++ fi
+ else
+ if ! kldstat -q -m cpuctl; then
+ kldload cpuctl 2>/dev/null && kldload_cpuctl=1
+@@ -1463,12 +1463,12 @@ load_cpuid()
+ load_cpuid_once=1
+
+ if [ "$os" = Linux ]; then
+- if ! grep -qw cpuid "$procfs/modules" 2>/dev/null; then
+- modprobe cpuid 2>/dev/null && insmod_cpuid=1
++ if ! @grep@ -qw cpuid "$procfs/modules" 2>/dev/null; then
++ @modprobe@ cpuid 2>/dev/null && insmod_cpuid=1
+ _debug "attempted to load module cpuid, insmod_cpuid=$insmod_cpuid"
+ else
+ _debug "cpuid module already loaded"
+- fi
++ fi
+ else
+ if ! kldstat -q -m cpuctl; then
+ kldload cpuctl 2>/dev/null && kldload_cpuctl=1
+@@ -1557,7 +1557,7 @@ read_cpuid_one_core()
+ fi
+ # on some kernel versions, /dev/cpu/0/cpuid doesn't imply that the cpuid module is loaded, in that case dd returns an error,
+ # we use that fact to load the module if dd returns an error
+- if ! dd if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then
++ if ! @dd@ if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then
+ load_cpuid
+ fi
+ # we need _leaf to be converted to decimal for dd
+@@ -1568,14 +1568,14 @@ read_cpuid_one_core()
+ _ddskip=$(( _position / 16 ))
+ _odskip=$(( _position - _ddskip * 16 ))
+ # now read the value
+- _cpuid=$(dd if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | od -j $((_odskip * 16)) -A n -t u4)
++ _cpuid=$(@dd@ if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | @od@ -j $((_odskip * 16)) -A n -t u4)
+ elif [ -e /dev/cpuctl0 ]; then
+ # BSD
+ if [ ! -r /dev/cpuctl0 ]; then
+ read_cpuid_msg="Couldn't read cpuid info from cpuctl"
+ return $READ_CPUID_RET_ERR
+ fi
+- _cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | cut -d: -f2-)
++ _cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | @cut@ -d: -f2-)
+ # cpuid level 0x4, level_type 0x2: 0x1c004143 0x01c0003f 0x000001ff 0x00000000
+ else
+ read_cpuid_msg="Found no way to read cpuid info"
+@@ -1598,7 +1598,7 @@ read_cpuid_one_core()
+ fi
+
+ # get the value of the register we want
+- _reg=$(echo "$_cpuid" | awk '{print $'"$_register"'}')
++ _reg=$(echo "$_cpuid" | @awk@ '{print $'"$_register"'}')
+ # Linux returns it as decimal, BSD as hex, normalize to decimal
+ _reg=$(( _reg ))
+ # shellcheck disable=SC2046
+@@ -1626,11 +1626,11 @@ dmesg_grep()
+ # grep for something in dmesg, ensuring that the dmesg buffer
+ # has not been truncated
+ dmesg_grepped=''
+- if ! dmesg | grep -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then
++ if ! @dmesg@ | @grep@ -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then
+ # dmesg truncated
+ return 2
+ fi
+- dmesg_grepped=$(dmesg | grep -E "$1" | head -1)
++ dmesg_grepped=$(@dmesg@ | @grep@ -E "$1" | @head@ -1)
+ # not found:
+ [ -z "$dmesg_grepped" ] && return 1
+ # found, output is in $dmesg_grepped
+@@ -1647,12 +1647,12 @@ parse_cpu_details()
+ {
+ [ "${parse_cpu_details_done:-}" = 1 ] && return 0
+
+- if command -v nproc >/dev/null; then
+- number_of_cores=$(nproc)
+- elif echo "$os" | grep -q BSD; then
+- number_of_cores=$(sysctl -n hw.ncpu 2>/dev/null || echo 1)
++ if command -v @nproc@ >/dev/null; then
++ number_of_cores=$(@nproc@)
++ elif echo "$os" | @grep@ -q BSD; then
++ number_of_cores=$(@sysctl@ -n hw.ncpu 2>/dev/null || echo 1)
+ elif [ -e "$procfs/cpuinfo" ]; then
+- number_of_cores=$(grep -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1)
++ number_of_cores=$(@grep@ -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1)
+ else
+ # if we don't know, default to 1 CPU
+ number_of_cores=1
+@@ -1660,43 +1660,43 @@ parse_cpu_details()
+ max_core_id=$(( number_of_cores - 1 ))
+
+ if [ -e "$procfs/cpuinfo" ]; then
+- cpu_vendor=$( grep '^vendor_id' "$procfs/cpuinfo" | awk '{print $3}' | head -1)
+- cpu_friendly_name=$(grep '^model name' "$procfs/cpuinfo" | cut -d: -f2- | head -1 | sed -e 's/^ *//')
++ cpu_vendor=$( @grep@ '^vendor_id' "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1)
++ cpu_friendly_name=$(@grep@ '^model name' "$procfs/cpuinfo" | @cut@ -d: -f2- | @head@ -1 | @sed@ -e 's/^ *//')
+ # special case for ARM follows
+- if grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
++ if @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
+ cpu_vendor='ARM'
+ # some devices (phones or other) have several ARMs and as such different part numbers,
+ # an example is "bigLITTLE", so we need to store the whole list, this is needed for is_cpu_affected
+- cpu_part_list=$(awk '/CPU part/ {print $4}' "$procfs/cpuinfo")
+- cpu_arch_list=$(awk '/CPU architecture/ {print $3}' "$procfs/cpuinfo")
++ cpu_part_list=$(@awk@ '/CPU part/ {print $4}' "$procfs/cpuinfo")
++ cpu_arch_list=$(@awk@ '/CPU architecture/ {print $3}' "$procfs/cpuinfo")
+ # take the first one to fill the friendly name, do NOT quote the vars below
+ # shellcheck disable=SC2086
+- cpu_arch=$(echo $cpu_arch_list | awk '{ print $1 }')
++ cpu_arch=$(echo $cpu_arch_list | @awk@ '{ print $1 }')
+ # shellcheck disable=SC2086
+- cpu_part=$(echo $cpu_part_list | awk '{ print $1 }')
++ cpu_part=$(echo $cpu_part_list | @awk@ '{ print $1 }')
+ [ "$cpu_arch" = "AArch64" ] && cpu_arch=8
+ cpu_friendly_name="ARM"
+ [ -n "$cpu_arch" ] && cpu_friendly_name="$cpu_friendly_name v$cpu_arch"
+ [ -n "$cpu_part" ] && cpu_friendly_name="$cpu_friendly_name model $cpu_part"
+
+- elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
++ elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
+ cpu_vendor='CAVIUM'
+- elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
++ elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
+ cpu_vendor='PHYTIUM'
+ fi
+
+- cpu_family=$( grep '^cpu family' "$procfs/cpuinfo" | awk '{print $4}' | grep -E '^[0-9]+$' | head -1)
+- cpu_model=$( grep '^model' "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
+- cpu_stepping=$(grep '^stepping' "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
+- cpu_ucode=$( grep '^microcode' "$procfs/cpuinfo" | awk '{print $3}' | head -1)
++ cpu_family=$( @grep@ '^cpu family' "$procfs/cpuinfo" | @awk@ '{print $4}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++ cpu_model=$( @grep@ '^model' "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++ cpu_stepping=$(@grep@ '^stepping' "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++ cpu_ucode=$( @grep@ '^microcode' "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1)
+ else
+- cpu_vendor=$( dmesg | grep -i -m1 'Origin=' | cut -f2 -w | cut -f2 -d= | cut -f2 -d\" )
+- cpu_family=$( dmesg | grep -i -m1 'Family=' | cut -f4 -w | cut -f2 -d= )
++ cpu_vendor=$( @dmesg@ | @grep@ -i -m1 'Origin=' | @cut@ -f2 -w | @cut@ -f2 -d= | @cut@ -f2 -d\" )
++ cpu_family=$( @dmesg@ | @grep@ -i -m1 'Family=' | @cut@ -f4 -w | @cut@ -f2 -d= )
+ cpu_family=$(( cpu_family ))
+- cpu_model=$( dmesg | grep -i -m1 'Model=' | cut -f5 -w | cut -f2 -d= )
++ cpu_model=$( @dmesg@ | @grep@ -i -m1 'Model=' | @cut@ -f5 -w | @cut@ -f2 -d= )
+ cpu_model=$(( cpu_model ))
+- cpu_stepping=$( dmesg | grep -i -m1 'Stepping=' | cut -f6 -w | cut -f2 -d= )
+- cpu_friendly_name=$(sysctl -n hw.model 2>/dev/null)
++ cpu_stepping=$( @dmesg@ | @grep@ -i -m1 'Stepping=' | @cut@ -f6 -w | @cut@ -f2 -d= )
++ cpu_friendly_name=$(@sysctl@ -n hw.model 2>/dev/null)
+ fi
+
+ if [ -n "${SMC_MOCK_CPU_FRIENDLY_NAME:-}" ]; then
+@@ -1751,7 +1751,7 @@ parse_cpu_details()
+ # call CPUID
+ cpucontrol -i 1 /dev/cpuctl0 >/dev/null
+ # read MSR
+- cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | awk '{print $3}')
++ cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | @awk@ '{print $3}')
+ # convert to decimal
+ cpu_ucode=$(( cpu_ucode ))
+ # convert back to hex
+@@ -1770,7 +1770,7 @@ parse_cpu_details()
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CPU_UCODE='$cpu_ucode'")
+ fi
+
+- echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$(( cpu_ucode ))
++ echo "$cpu_ucode" | @grep@ -q ^0x && cpu_ucode=$(( cpu_ucode ))
+ ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid")
+
+ # also define those that we will need in other funcs
+@@ -1867,8 +1867,8 @@ is_cpu_smt_enabled()
+ {
+ # SMT / HyperThreading is enabled if siblings != cpucores
+ if [ -e "$procfs/cpuinfo" ]; then
+- _siblings=$(awk '/^siblings/ {print $3;exit}' "$procfs/cpuinfo")
+- _cpucores=$(awk '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo")
++ _siblings=$(@awk@ '/^siblings/ {print $3;exit}' "$procfs/cpuinfo")
++ _cpucores=$(@awk@ '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo")
+ if [ -n "$_siblings" ] && [ -n "$_cpucores" ]; then
+ if [ "$_siblings" = "$_cpucores" ]; then
+ return 1
+@@ -1916,10 +1916,10 @@ is_ucode_blacklisted()
+ $INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b \
+ $INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712
+ do
+- model=$(echo "$tuple" | cut -d, -f1)
+- stepping=$(( $(echo "$tuple" | cut -d, -f2) ))
++ model=$(echo "$tuple" | @cut@ -d, -f1)
++ stepping=$(( $(echo "$tuple" | @cut@ -d, -f2) ))
+ if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" = "$stepping" ]; then
+- ucode=$(( $(echo "$tuple" | cut -d, -f3) ))
++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
+ if [ "$cpu_ucode" = "$ucode" ]; then
+ _debug "is_ucode_blacklisted: we have a match! ($cpu_model/$cpu_stepping/$cpu_ucode)"
+ return 0
+@@ -2007,7 +2007,7 @@ is_xen_dom0()
+ return 1
+ fi
+
+- if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d" "$procfs/xen/capabilities"; then
++ if [ -e "$procfs/xen/capabilities" ] && @grep@ -q "control_d" "$procfs/xen/capabilities"; then
+ return 0
+ else
+ return 1
+@@ -2033,12 +2033,12 @@ is_xen_domU()
+ fi
+ }
+
+-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
++builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ # we have a local cache file, but it might be older than the builtin version we have
+- local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
++ local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+ # sort -V sorts by version number
+- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | sort -V | head -n1)
++ older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1)
+ if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+ mcedb_source="$mcedb_cache"
+ mcedb_info="local firmwares DB $local_dbversion"
+@@ -2051,7 +2051,7 @@ if [ -z "${mcedb_source:-}" ]; then
+ fi
+ read_mcedb()
+ {
+- awk '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
++ @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
+ }
+
+ is_latest_known_ucode()
+@@ -2070,10 +2070,10 @@ is_latest_known_ucode()
+ else
+ return 2
+ fi
+- for tuple in $(read_mcedb | grep "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
++ for tuple in $(read_mcedb | @grep@ "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
+ do
+- ucode=$(( $(echo "$tuple" | cut -d, -f3) ))
+- ucode_date=$(echo "$tuple" | cut -d, -f4 | sed -r 's=(....)(..)(..)=\1/\2/\3=')
++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
++ ucode_date=$(echo "$tuple" | @cut@ -d, -f4 | @sed@ -r 's=(....)(..)(..)=\1/\2/\3=')
+ _debug "is_latest_known_ucode: with cpuid $cpu_cpuid has ucode $cpu_ucode, last known is $ucode from $ucode_date"
+ ucode_latest=$(printf "latest version is 0x%x dated $ucode_date according to $mcedb_info" "$ucode")
+ if [ "$cpu_ucode" -ge "$ucode" ]; then
+@@ -2098,7 +2098,7 @@ get_cmdline()
+ kernel_cmdline="$SMC_MOCK_CMDLINE"
+ return
+ else
+- kernel_cmdline=$(cat "$procfs/cmdline")
++ kernel_cmdline=$(@cat@ "$procfs/cmdline")
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CMDLINE='$kernel_cmdline'")
+ fi
+ }
+@@ -2106,7 +2106,7 @@ get_cmdline()
+ # ENTRYPOINT
+
+ # we can't do anything useful under WSL
+-if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then
++if @uname@ -a | @grep@ -qE -- '-Microsoft #[0-9]+-Microsoft '; then
+ _warn "This script doesn't work under Windows Subsystem for Linux"
+ _warn "You should use the official Microsoft tool instead."
+ _warn "It can be found under https://aka.ms/SpeculationControlPS"
+@@ -2155,15 +2155,15 @@ fi
+
+ # if we're under a BSD, try to mount linprocfs for "$procfs/cpuinfo"
+ procfs=/proc
+-if echo "$os" | grep -q BSD; then
++if echo "$os" | @grep@ -q BSD; then
+ _debug "We're under BSD, check if we have procfs"
+- procfs=$(mount | awk '/^linprocfs/ { print $3; exit; }')
++ procfs=$(@mount@ | @awk@ '/^linprocfs/ { print $3; exit; }')
+ if [ -z "$procfs" ]; then
+ _debug "we don't, try to mount it"
+ procfs=/proc
+ [ -d /compat/linux/proc ] && procfs=/compat/linux/proc
+ test -d $procfs || mkdir $procfs
+- if mount -t linprocfs linprocfs $procfs 2>/dev/null; then
++ if @mount@ -t linprocfs linprocfs $procfs 2>/dev/null; then
+ mounted_procfs=1
+ _debug "procfs just mounted at $procfs"
+ else
+@@ -2195,14 +2195,14 @@ fi
+
+ if [ "$opt_live" = 1 ]; then
+ # root check (only for live mode, for offline mode, we already checked if we could read the files)
+- if [ "$(id -u)" -ne 0 ]; then
++ if [ "$(@id@ -u)" -ne 0 ]; then
+ _warn "Note that you should launch this script with root privileges to get accurate information."
+ _warn "We'll proceed but you might see permission denied errors."
+ _warn "To run it as root, you can try the following command: sudo $0"
+ _warn
+ fi
+ _info "Checking for vulnerabilities on current system"
+- _info "Kernel is \033[35m$os $(uname -r) $(uname -v) $(uname -m)\033[0m"
++ _info "Kernel is \033[35m$os $(@uname@ -r) $(@uname@ -v) $(@uname@ -m)\033[0m"
+ _info "CPU is \033[35m$cpu_friendly_name\033[0m"
+
+ # try to find the image of the current running kernel
+@@ -2210,12 +2210,12 @@ if [ "$opt_live" = 1 ]; then
+ # specified by user on cmdline, with --live, don't override
+ :
+ # first, look for the BOOT_IMAGE hint in the kernel cmdline
+- elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then
+- opt_kernel=$(echo "$kernel_cmdline" | grep -Eo 'BOOT_IMAGE=[^ ]+' | cut -d= -f2)
++ elif echo "$kernel_cmdline" | @grep@ -q 'BOOT_IMAGE='; then
++ opt_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo 'BOOT_IMAGE=[^ ]+' | @cut@ -d= -f2)
+ _debug "found opt_kernel=$opt_kernel in $procfs/cmdline"
+ # if the boot partition is within a btrfs subvolume, strip the subvolume name
+ # if /boot is a separate subvolume, the remainder of the code in this section should handle it
+- if echo "$opt_kernel" | grep -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi
++ if echo "$opt_kernel" | @grep@ -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | @sed@ "s:/@[^/]*::"); fi
+ # if we have a dedicated /boot partition, our bootloader might have just called it /
+ # so try to prepend /boot and see if we find anything
+ [ -e "/boot/$opt_kernel" ] && opt_kernel="/boot/$opt_kernel"
+@@ -2227,7 +2227,7 @@ if [ "$opt_live" = 1 ]; then
+ # if we didn't find a kernel, default to guessing
+ if [ ! -e "$opt_kernel" ]; then
+ # Fedora:
+- [ -e "/lib/modules/$(uname -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(uname -r)/vmlinuz"
++ [ -e "/lib/modules/$(@uname@ -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(@uname@ -r)/vmlinuz"
+ # Slackware:
+ [ -e "/boot/vmlinuz" ] && opt_kernel="/boot/vmlinuz"
+ # Arch aarch64:
+@@ -2241,24 +2241,24 @@ if [ "$opt_live" = 1 ]; then
+ # pine64
+ [ -e "/boot/pine64/Image" ] && opt_kernel="/boot/pine64/Image"
+ # generic:
+- [ -e "/boot/vmlinuz-$(uname -r)" ] && opt_kernel="/boot/vmlinuz-$(uname -r)"
+- [ -e "/boot/kernel-$( uname -r)" ] && opt_kernel="/boot/kernel-$( uname -r)"
+- [ -e "/boot/bzImage-$(uname -r)" ] && opt_kernel="/boot/bzImage-$(uname -r)"
++ [ -e "/boot/vmlinuz-$(@uname@ -r)" ] && opt_kernel="/boot/vmlinuz-$(@uname@ -r)"
++ [ -e "/boot/kernel-$( @uname@ -r)" ] && opt_kernel="/boot/kernel-$( @uname@ -r)"
++ [ -e "/boot/bzImage-$(@uname@ -r)" ] && opt_kernel="/boot/bzImage-$(@uname@ -r)"
+ # Gentoo:
+- [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
++ [ -e "/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)" ] && opt_kernel="/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)"
+ # NixOS:
+ [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
+ # Guix System:
+ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ # systemd kernel-install:
+- [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
++ [ -e "/etc/machine-id" ] && [ -e "/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux" ] && opt_kernel="/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux"
+ # Clear Linux:
+- str_uname=$(uname -r)
++ str_uname=$(@uname@ -r)
+ clear_linux_kernel="/lib/kernel/org.clearlinux.${str_uname##*.}.${str_uname%.*}"
+ [ -e "$clear_linux_kernel" ] && opt_kernel=$clear_linux_kernel
+ # Custom Arch seems to have the kernel path in its cmdline in the form "\directory\kernelimage",
+ # with actual \'s instead of /'s:
+- custom_arch_kernel=$(echo "$kernel_cmdline" | grep -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d '[:space:]')
++ custom_arch_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | @tr@ "\\\\" "/" | @tr@ -d '[:space:]')
+ if [ -n "$custom_arch_kernel" ] && [ -e "$custom_arch_kernel" ]; then
+ opt_kernel="$custom_arch_kernel"
+ fi
+@@ -2272,12 +2272,12 @@ if [ "$opt_live" = 1 ]; then
+ :
+ elif [ -e "$procfs/kallsyms" ] ; then
+ opt_map="$procfs/kallsyms"
+- elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then
+- opt_map="/lib/modules/$(uname -r)/System.map"
+- elif [ -e "/boot/System.map-$(uname -r)" ] ; then
+- opt_map="/boot/System.map-$(uname -r)"
+- elif [ -e "/lib/kernel/System.map-$(uname -r)" ]; then
+- opt_map="/lib/kernel/System.map-$(uname -r)"
++ elif [ -e "/lib/modules/$(@uname@ -r)/System.map" ] ; then
++ opt_map="/lib/modules/$(@uname@ -r)/System.map"
++ elif [ -e "/boot/System.map-$(@uname@ -r)" ] ; then
++ opt_map="/boot/System.map-$(@uname@ -r)"
++ elif [ -e "/lib/kernel/System.map-$(@uname@ -r)" ]; then
++ opt_map="/lib/kernel/System.map-$(@uname@ -r)"
+ fi
+
+ # config
+@@ -2285,18 +2285,18 @@ if [ "$opt_live" = 1 ]; then
+ # specified by user on cmdline, with --live, don't override
+ :
+ elif [ -e "$procfs/config.gz" ] ; then
+- dumped_config="$(mktemp -t smc-config-XXXXXX)"
+- gunzip -c "$procfs/config.gz" > "$dumped_config"
++ dumped_config="$(@mktemp@ -t smc-config-XXXXXX)"
++ @gunzip@ -c "$procfs/config.gz" > "$dumped_config"
+ # dumped_config will be deleted at the end of the script
+ opt_config="$dumped_config"
+- elif [ -e "/lib/modules/$(uname -r)/config" ]; then
+- opt_config="/lib/modules/$(uname -r)/config"
+- elif [ -e "/boot/config-$(uname -r)" ]; then
+- opt_config="/boot/config-$(uname -r)"
+- elif [ -e "/etc/kernels/kernel-config-$(uname -m)-$(uname -r)" ]; then
+- opt_config="/etc/kernels/kernel-config-$(uname -m)-$(uname -r)"
+- elif [ -e "/lib/kernel/config-$(uname -r)" ]; then
+- opt_config="/lib/kernel/config-$(uname -r)"
++ elif [ -e "/lib/modules/$(@uname@ -r)/config" ]; then
++ opt_config="/lib/modules/$(@uname@ -r)/config"
++ elif [ -e "/boot/config-$(@uname@ -r)" ]; then
++ opt_config="/boot/config-$(@uname@ -r)"
++ elif [ -e "/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)" ]; then
++ opt_config="/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)"
++ elif [ -e "/lib/kernel/config-$(@uname@ -r)" ]; then
++ opt_config="/lib/kernel/config-$(@uname@ -r)"
+ fi
+ else
+ _info "Checking for vulnerabilities against specified kernel"
+@@ -2311,7 +2311,7 @@ else
+ fi
+
+ if [ "$os" = Linux ]; then
+- if [ -n "$opt_config" ] && ! grep -q '^CONFIG_' "$opt_config"; then
++ if [ -n "$opt_config" ] && ! @grep@ -q '^CONFIG_' "$opt_config"; then
+ # given file is invalid!
+ _warn "The kernel config file seems invalid, was expecting a plain-text file, ignoring it!"
+ opt_config=''
+@@ -2339,7 +2339,7 @@ if [ "$os" = Linux ]; then
+ fi
+
+ if [ -e "$opt_kernel" ]; then
+- if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then
++ if ! command -v "@readelf@" >/dev/null 2>&1; then
+ _debug "readelf not found"
+ kernel_err="missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the 'binutils' package"
+ elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ]; then
+@@ -2357,20 +2357,20 @@ else
+ # vanilla kernels have with ^Linux version
+ # also try harder with some kernels (such as Red Hat) that don't have ^Linux version before their version string
+ # and check for FreeBSD
+- kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E \
++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E \
+ -e '^Linux version ' \
+ -e '^[[:alnum:]][^[:space:]]+ \([^[:space:]]+\) #[0-9]+ .+ (19|20)[0-9][0-9]$' \
+- -e '^FreeBSD [0-9]' | head -1)
++ -e '^FreeBSD [0-9]' | @head@ -1)
+ if [ -z "$kernel_version" ]; then
+ # try even harder with some kernels (such as ARM) that split the release (uname -r) and version (uname -v) in 2 adjacent strings
+- kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | tr "\n" " ")
++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | @tr@ "\n" " ")
+ fi
+ if [ -n "$kernel_version" ]; then
+ # in live mode, check if the img we found is the correct one
+ if [ "$opt_live" = 1 ]; then
+ _verbose "Kernel image is \033[35m$kernel_version"
+- if ! echo "$kernel_version" | grep -qF "$(uname -r)"; then
+- _warn "Possible discrepancy between your running kernel '$(uname -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect"
++ if ! echo "$kernel_version" | @grep@ -qF "$(@uname@ -r)"; then
++ _warn "Possible discrepancy between your running kernel '$(@uname@ -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect"
+ fi
+ else
+ _info "Kernel image is \033[35m$kernel_version"
+@@ -2398,11 +2398,11 @@ sys_interface_check()
+ if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r "$file" ]; then
+ :
+ else
+- mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")_RET=1")
++ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")_RET=1")
+ return 1
+ fi
+
+- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")_RET"
++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")_RET"
+ # shellcheck disable=SC2086,SC1083
+ if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
+ _debug "sysfs: MOCKING enabled for $file func returns $(eval echo \$$_mockvarname)"
+@@ -2411,17 +2411,17 @@ sys_interface_check()
+ fi
+
+ [ -n "$regex" ] || regex='.*'
+- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")"
++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")"
+ # shellcheck disable=SC2086,SC1083
+ if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
+ fullmsg="$(eval echo \$$_mockvarname)"
+- msg=$(echo "$fullmsg" | grep -Eo "$regex")
++ msg=$(echo "$fullmsg" | @grep@ -Eo "$regex")
+ _debug "sysfs: MOCKING enabled for $file, will return $fullmsg"
+ mocked=1
+ else
+- fullmsg=$(cat "$file")
+- msg=$(grep -Eo "$regex" "$file")
+- mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")='$fullmsg'")
++ fullmsg=$(@cat@ "$file")
++ msg=$(@grep@ -Eo "$regex" "$file")
++ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")='$fullmsg'")
+ fi
+ if [ "$mode" = silent ]; then
+ return 0
+@@ -2430,15 +2430,15 @@ sys_interface_check()
+ return 0
+ fi
+ _info_nol "* Mitigated according to the /sys interface: "
+- if echo "$msg" | grep -qi '^not affected'; then
++ if echo "$msg" | @grep@ -qi '^not affected'; then
+ # Not affected
+ status=OK
+ pstatus green YES "$fullmsg"
+- elif echo "$msg" | grep -qEi '^(kvm: )?mitigation'; then
++ elif echo "$msg" | @grep@ -qEi '^(kvm: )?mitigation'; then
+ # Mitigation: PTI
+ status=OK
+ pstatus green YES "$fullmsg"
+- elif echo "$msg" | grep -qi '^vulnerable'; then
++ elif echo "$msg" | @grep@ -qi '^vulnerable'; then
+ # Vulnerable
+ status=VULN
+ pstatus yellow NO "$fullmsg"
+@@ -2526,20 +2526,20 @@ write_msr_one_core()
+ # ret=4: msr doesn't exist, ret=127: msr.allow_writes=off
+ [ "$ret" = 127 ] && _write_denied=1
+ # or fallback to dd if it supports seek_bytes, we prefer it over perl because we can tell the difference between EPERM and EIO
+- elif dd if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
+ _debug "write_msr: using dd"
+- dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
++ @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
+ # if it failed, inspect stderrto look for EPERM
+ if [ "$ret" != 0 ]; then
+- if dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then
++ if @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | @grep@ -qF 'Operation not permitted'; then
+ _write_denied=1
+ fi
+ fi
+ # or if we have perl, use it, any 5.x version will work
+- elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
++ elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
+ _debug "write_msr: using perl"
+ ret=1
+- perl -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0
++ @perl@ -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0
+ else
+ _debug "write_msr: got no wrmsr, perl or recent enough dd!"
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR")
+@@ -2561,13 +2561,13 @@ write_msr_one_core()
+ msr_locked_down=1
+ write_msr_msg="your kernel is configured to deny writes to MSRs from user space"
+ return $WRITE_MSR_RET_LOCKDOWN
+- elif dmesg | grep -qF "msr: Direct access to MSR"; then
++ elif @dmesg@ | @grep@ -qF "msr: Direct access to MSR"; then
+ _debug "write_msr: locked down kernel detected (Red Hat / Fedora)"
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
+ msr_locked_down=1
+ write_msr_msg="your kernel is locked down (Fedora/Red Hat), please reboot without secure boot and retry"
+ return $WRITE_MSR_RET_LOCKDOWN
+- elif dmesg | grep -qF "raw MSR access is restricted"; then
++ elif @dmesg@ | @grep@ -qF "raw MSR access is restricted"; then
+ _debug "write_msr: locked down kernel detected (vanilla)"
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
+ msr_locked_down=1
+@@ -2666,8 +2666,8 @@ read_msr_one_core()
+ return $READ_MSR_RET_KO
+ fi
+ # MSR 0x10: 0x000003e1 0xb106dded
+- _msr_h=$(echo "$_msr" | awk '{print $3}');
+- _msr_l=$(echo "$_msr" | awk '{print $4}');
++ _msr_h=$(echo "$_msr" | @awk@ '{print $3}');
++ _msr_l=$(echo "$_msr" | @awk@ '{print $4}');
+ read_msr_value=$(( _msr_h << 32 | _msr_l ))
+ else
+ # for Linux
+@@ -2678,15 +2678,15 @@ read_msr_one_core()
+ # if rdmsr is available, use it
+ elif command -v rdmsr >/dev/null 2>&1 && [ "${SMC_NO_RDMSR:-}" != 1 ]; then
+ _debug "read_msr: using rdmsr on $_msr"
+- read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | od -t u8 -A n)
++ read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | @od@ -t u8 -A n)
+ # or if we have perl, use it, any 5.x version will work
+- elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
++ elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
+ _debug "read_msr: using perl on $_msr"
+- read_msr_value=$(perl -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | od -t u8 -A n)
++ read_msr_value=$(@perl@ -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | @od@ -t u8 -A n)
+ # fallback to dd if it supports skip_bytes
+- elif dd if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
+ _debug "read_msr: using dd on $_msr"
+- read_msr_value=$(dd if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8 -A n)
++ read_msr_value=$(@dd@ if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | @od@ -t u8 -A n)
+ else
+ _debug "read_msr: got no rdmsr, perl or recent enough dd!"
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR")
+@@ -2710,7 +2710,7 @@ check_cpu()
+ {
+ _info "\033[1;34mHardware check\033[0m"
+
+- if ! uname -m | grep -qwE 'x86_64|i[3-6]86|amd64'; then
++ if ! @uname@ -m | @grep@ -qwE 'x86_64|i[3-6]86|amd64'; then
+ return
+ fi
+
+@@ -3326,19 +3326,19 @@ check_redhat_canonical_spectre()
+ # if we were already called, don't do it again
+ [ -n "${redhat_canonical_spectre:-}" ] && return
+
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ redhat_canonical_spectre=-1
+ elif [ -n "$kernel_err" ]; then
+ redhat_canonical_spectre=-2
+ else
+ # Red Hat / Ubuntu specific variant1 patch is difficult to detect,
+ # let's use the two same tricks than the official Red Hat detection script uses:
+- if "${opt_arch_prefix}strings" "$kernel" | grep -qw noibrs && "${opt_arch_prefix}strings" "$kernel" | grep -qw noibpb; then
++ if "@strings@" "$kernel" | @grep@ -qw noibrs && "@strings@" "$kernel" | @grep@ -qw noibpb; then
+ # 1) detect their specific variant2 patch. If it's present, it means
+ # that the variant1 patch is also present (both were merged at the same time)
+ _debug "found redhat/canonical version of the variant2 patch (implies variant1)"
+ redhat_canonical_spectre=1
+- elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'x86/pti:'; then
++ elif "@strings@" "$kernel" | @grep@ -q 'x86/pti:'; then
+ # 2) detect their specific variant3 patch. If it's present, but the variant2
+ # is not, it means that only variant1 is present in addition to variant3
+ _debug "found redhat/canonical version of the variant3 patch (implies variant1 but not variant2)"
+@@ -3363,13 +3363,13 @@ check_has_vmm()
+ # If we find no evidence that this is the case, assume we're not (to avoid scaring users),
+ # this can always be overridden with --vmm in any case.
+ has_vmm=0
+- if command -v pgrep >/dev/null 2>&1; then
++ if command -v @pgrep@ >/dev/null 2>&1; then
+ # remove xenbus and xenwatch, also present inside domU
+ # remove libvirtd as it can also be used to manage containers and not VMs
+ # for each binary we want to grep, get the pids
+ for _binary in qemu kvm xenstored xenconsoled
+ do
+- for _pid in $(pgrep -x $_binary)
++ for _pid in $(@pgrep@ -x $_binary)
+ do
+ # resolve the exe symlink, if it doesn't resolve with -m,
+ # which doesn't even need the dest to exist, it means the symlink
+@@ -3385,7 +3385,7 @@ check_has_vmm()
+ else
+ # ignore SC2009 as `ps ax` is actually used as a fallback if `pgrep` isn't installed
+ # shellcheck disable=SC2009
+- if command -v ps >/devnull && ps ax | grep -vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then
++ if command -v ps >/devnull && ps ax | @grep@ -vw grep | @grep@ -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then
+ has_vmm=1
+ fi
+ fi
+@@ -3417,7 +3417,7 @@ check_CVE_2017_5753()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2017_5753_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2017_5753_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -3469,20 +3469,20 @@ check_CVE_2017_5753_linux()
+ v1_mask_nospec=''
+ if [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+- elif ! command -v perl >/dev/null 2>&1; then
++ elif ! command -v @perl@ >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+ else
+- perl -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
++ @perl@ -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
+ if [ $ret -gt 0 ]; then
+ pstatus green YES "$ret occurrence(s) found of x86 64 bits array_index_mask_nospec()"
+ v1_mask_nospec="x86 64 bits array_index_mask_nospec"
+ else
+- perl -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
++ @perl@ -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
+ if [ $ret -gt 0 ]; then
+ pstatus green YES "$ret occurrence(s) found of x86 32 bits array_index_mask_nospec()"
+ v1_mask_nospec="x86 32 bits array_index_mask_nospec"
+ else
+- ret=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" | grep -w -e f3af8014 -e e320f014 -B2 | grep -B1 -w sbc | grep -w -c cmp)
++ ret=$("@objdump@" $objdump_options "$kernel" | @grep@ -w -e f3af8014 -e e320f014 -B2 | @grep@ -B1 -w sbc | @grep@ -w -c cmp)
+ if [ "$ret" -gt 0 ]; then
+ pstatus green YES "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()"
+ v1_mask_nospec="arm 32 bits array_index_mask_nospec"
+@@ -3526,12 +3526,12 @@ check_CVE_2017_5753_linux()
+ pstatus yellow NO
+ elif [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+- elif ! command -v perl >/dev/null 2>&1; then
++ elif ! command -v @perl@ >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+- elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++ elif ! command -v "@objdump@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ else
+- "${opt_arch_prefix}objdump" $objdump_options "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
++ "@objdump@" $objdump_options "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
+ if [ "$ret" -eq 9 ]; then
+ pstatus green YES "mask_nospec64 macro is present and used"
+ v1_mask_nospec="arm64 mask_nospec64"
+@@ -3553,12 +3553,12 @@ check_CVE_2017_5753_linux()
+ pstatus yellow NO
+ elif [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+- elif ! command -v perl >/dev/null 2>&1; then
++ elif ! command -v @perl@ >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+- elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++ elif ! command -v "@objdump@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ else
+- "${opt_arch_prefix}objdump" -d "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$?
++ "@objdump@" -d "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$?
+ if [ "$ret" -eq 9 ]; then
+ pstatus green YES "array_index_nospec macro is present and used"
+ v1_mask_nospec="arm64 array_index_nospec"
+@@ -3574,7 +3574,7 @@ check_CVE_2017_5753_linux()
+ if [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ else
+- if ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++ if ! command -v "@objdump@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ else
+ # here we disassemble the kernel and count the number of occurrences of the LFENCE opcode
+@@ -3584,7 +3584,7 @@ check_CVE_2017_5753_linux()
+ # so let's push the threshold to 70.
+ # v0.33+: now only count lfence opcodes after a jump, way less error-prone
+ # non patched kernel have between 0 and 20 matches, patched ones have at least 40-45
+- nb_lfence=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence | grep -Ewc 'jmp|jne|je')
++ nb_lfence=$("@objdump@" $objdump_options "$kernel" 2>/dev/null | @grep@ -w -B1 lfence | @grep@ -Ewc 'jmp|jne|je')
+ if [ "$nb_lfence" -lt 30 ]; then
+ pstatus yellow NO "only $nb_lfence jump-then-lfence instructions found, should be >= 30 (heuristic)"
+ else
+@@ -3655,7 +3655,7 @@ check_CVE_2017_5715()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2017_5715_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2017_5715_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -3697,13 +3697,13 @@ check_CVE_2017_5715_linux()
+ # /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed
+ specex_knob_dir=$dir
+ ibrs_supported="$dir/ibrs_enabled exists"
+- ibrs_enabled=$(cat "$dir/ibrs_enabled" 2>/dev/null)
++ ibrs_enabled=$(@cat@ "$dir/ibrs_enabled" 2>/dev/null)
+ _debug "ibrs: found $dir/ibrs_enabled=$ibrs_enabled"
+ # if ibrs_enabled is there, ibpb_enabled will be in the same dir
+ if [ -e "$dir/ibpb_enabled" ]; then
+ # if the file is there, we have IBPB compiled-in (see note above for IBRS)
+ ibpb_supported="$dir/ibpb_enabled exists"
+- ibpb_enabled=$(cat "$dir/ibpb_enabled" 2>/dev/null)
++ ibpb_enabled=$(@cat@ "$dir/ibpb_enabled" 2>/dev/null)
+ _debug "ibpb: found $dir/ibpb_enabled=$ibpb_enabled"
+ else
+ _debug "ibpb: $dir/ibpb_enabled file doesn't exist"
+@@ -3718,7 +3718,7 @@ check_CVE_2017_5715_linux()
+ # which in that case means ibrs is supported *and* enabled for kernel & user
+ # as per the ibrs patch series v3
+ if [ -z "$ibrs_supported" ]; then
+- if grep ^flags "$procfs/cpuinfo" | grep -qw spec_ctrl_ibrs; then
++ if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw spec_ctrl_ibrs; then
+ _debug "ibrs: found spec_ctrl_ibrs flag in $procfs/cpuinfo"
+ ibrs_supported="spec_ctrl_ibrs flag in $procfs/cpuinfo"
+ # enabled=2 -> kernel & user
+@@ -3728,13 +3728,13 @@ check_CVE_2017_5715_linux()
+ fi
+ if [ -n "$fullmsg" ]; then
+ # when IBPB is enabled on 4.15+, we can see it in sysfs
+- if echo "$fullmsg" | grep -q 'IBPB'; then
++ if echo "$fullmsg" | @grep@ -q 'IBPB'; then
+ _debug "ibpb: found enabled in sysfs"
+ [ -z "$ibpb_supported" ] && ibpb_supported='IBPB found enabled in sysfs'
+ [ -z "$ibpb_enabled" ] && ibpb_enabled=1
+ fi
+ # when IBRS_FW is enabled on 4.15+, we can see it in sysfs
+- if echo "$fullmsg" | grep -q ', IBRS_FW'; then
++ if echo "$fullmsg" | @grep@ -q ', IBRS_FW'; then
+ _debug "ibrs: found IBRS_FW in sysfs"
+ [ -z "$ibrs_supported" ] && ibrs_supported='found IBRS_FW in sysfs'
+ ibrs_fw_enabled=1
+@@ -3742,13 +3742,13 @@ check_CVE_2017_5715_linux()
+ # when IBRS is enabled on 4.15+, we can see it in sysfs
+ # on a more recent kernel, classic "IBRS" is not even longer an option, because of the performance impact.
+ # only "Enhanced IBRS" is available (on CPUs with the IBRS_ALL flag)
+- if echo "$fullmsg" | grep -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
++ if echo "$fullmsg" | @grep@ -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
+ _debug "ibrs: found IBRS in sysfs"
+ [ -z "$ibrs_supported" ] && ibrs_supported='found IBRS in sysfs'
+ [ -z "$ibrs_enabled" ] && ibrs_enabled=3
+ fi
+ # checking for 'Enhanced IBRS' in sysfs, enabled on CPUs with IBRS_ALL
+- if echo "$fullmsg" | grep -q -e 'Enhanced IBRS'; then
++ if echo "$fullmsg" | @grep@ -q -e 'Enhanced IBRS'; then
+ [ -z "$ibrs_supported" ] && ibrs_supported='found Enhanced IBRS in sysfs'
+ # 4 isn't actually a valid value of the now extinct "ibrs_enabled" flag file,
+ # that only went from 0 to 3, so we use 4 as "enhanced ibrs is enabled"
+@@ -3767,11 +3767,11 @@ check_CVE_2017_5715_linux()
+ fi
+ fi
+ if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ :
+ else
+ ibrs_can_tell=1
+- ibrs_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1)
++ ibrs_supported=$("@strings@" "$kernel" | @grep@ -Fw -e ', IBRS_FW' | @head@ -1)
+ if [ -n "$ibrs_supported" ]; then
+ _debug "ibrs: found ibrs evidence in kernel image ($ibrs_supported)"
+ ibrs_supported="found '$ibrs_supported' in kernel image"
+@@ -3780,7 +3780,7 @@ check_CVE_2017_5715_linux()
+ fi
+ if [ -z "$ibrs_supported" ] && [ -n "$opt_map" ]; then
+ ibrs_can_tell=1
+- if grep -q spec_ctrl "$opt_map"; then
++ if @grep@ -q spec_ctrl "$opt_map"; then
+ ibrs_supported="found spec_ctrl in symbols file"
+ _debug "ibrs: found '*spec_ctrl*' symbol in $opt_map"
+ fi
+@@ -3788,11 +3788,11 @@ check_CVE_2017_5715_linux()
+ # recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat
+ # we can detect it directly in the image
+ if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ :
+ else
+ ibpb_can_tell=1
+- ibpb_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1)
++ ibpb_supported=$("@strings@" "$kernel" | @grep@ -Fw -e 'ibpb' -e ', IBPB' | @head@ -1)
+ if [ -n "$ibpb_supported" ]; then
+ _debug "ibpb: found ibpb evidence in kernel image ($ibpb_supported)"
+ ibpb_supported="found '$ibpb_supported' in kernel image"
+@@ -3841,9 +3841,9 @@ check_CVE_2017_5715_linux()
+ 2) if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel, user space, and firmware code" ; else pstatus green YES "for both kernel and user space"; fi;;
+ 3) if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and firmware code"; else pstatus green YES; fi;;
+ 4) pstatus green YES "Enhanced flavor, performance impact will be greatly reduced";;
+- *) if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ];
+- then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
+- else
++ *) if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ];
++ then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
++ else
+ pstatus yellow UNKNOWN; fi;;
+ esac
+ fi
+@@ -3894,7 +3894,7 @@ check_CVE_2017_5715_linux()
+ bp_harden=''
+ if [ -r "$opt_config" ]; then
+ bp_harden_can_tell=1
+- bp_harden=$(grep -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
++ bp_harden=$(@grep@ -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
+ if [ -n "$bp_harden" ]; then
+ pstatus green YES
+ _debug "bp_harden: found '$bp_harden' in $opt_config"
+@@ -3902,7 +3902,7 @@ check_CVE_2017_5715_linux()
+ fi
+ if [ -z "$bp_harden" ] && [ -n "$opt_map" ]; then
+ bp_harden_can_tell=1
+- bp_harden=$(grep -w bp_hardening_data "$opt_map")
++ bp_harden=$(@grep@ -w bp_hardening_data "$opt_map")
+ if [ -n "$bp_harden" ]; then
+ pstatus green YES
+ _debug "bp_harden: found '$bp_harden' in $opt_map"
+@@ -3920,11 +3920,11 @@ check_CVE_2017_5715_linux()
+ # We check the RETPOLINE kernel options
+ retpoline=0
+ if [ -r "$opt_config" ]; then
+- if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
++ if @grep@ -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
+ pstatus green YES
+ retpoline=1
+ # shellcheck disable=SC2046
+- _debug 'retpoline: found '$(grep '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
++ _debug 'retpoline: found '$(@grep@ '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
+ else
+ pstatus yellow NO
+ fi
+@@ -3945,8 +3945,8 @@ check_CVE_2017_5715_linux()
+ # since 5.15.28, this is now "Retpolines" as the implementation was switched to a generic one,
+ # so we look for both "retpoline" and "retpolines"
+ if [ "$opt_live" = 1 ] && [ -n "$fullmsg" ]; then
+- if echo "$fullmsg" | grep -qwi -e retpoline -e retpolines; then
+- if echo "$fullmsg" | grep -qwi minimal; then
++ if echo "$fullmsg" | @grep@ -qwi -e retpoline -e retpolines; then
++ if echo "$fullmsg" | @grep@ -qwi minimal; then
+ retpoline_compiler=0
+ retpoline_compiler_reason="kernel reports minimal retpoline compilation"
+ else
+@@ -3956,19 +3956,19 @@ check_CVE_2017_5715_linux()
+ fi
+ elif [ -n "$opt_map" ]; then
+ # look for the symbol
+- if grep -qw noretpoline_setup "$opt_map"; then
++ if @grep@ -qw noretpoline_setup "$opt_map"; then
+ retpoline_compiler=1
+ retpoline_compiler_reason="noretpoline_setup symbol found in System.map"
+ fi
+ elif [ -n "$kernel" ]; then
+ # look for the symbol
+- if command -v "${opt_arch_prefix}nm" >/dev/null 2>&1; then
++ if command -v "@nm@" >/dev/null 2>&1; then
+ # the proper way: use nm and look for the symbol
+- if "${opt_arch_prefix}nm" "$kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then
++ if "@nm@" "$kernel" 2>/dev/null | @grep@ -qw 'noretpoline_setup'; then
+ retpoline_compiler=1
+ retpoline_compiler_reason="noretpoline_setup found in kernel symbols"
+ fi
+- elif grep -q noretpoline_setup "$kernel"; then
++ elif @grep@ -q noretpoline_setup "$kernel"; then
+ # if we don't have nm, nevermind, the symbol name is long enough to not have
+ # any false positive using good old grep directly on the binary
+ retpoline_compiler=1
+@@ -3997,7 +3997,7 @@ check_CVE_2017_5715_linux()
+ retp_enabled=-1
+ if [ "$opt_live" = 1 ]; then
+ if [ -e "$specex_knob_dir/retp_enabled" ]; then
+- retp_enabled=$(cat "$specex_knob_dir/retp_enabled" 2>/dev/null)
++ retp_enabled=$(@cat@ "$specex_knob_dir/retp_enabled" 2>/dev/null)
+ _debug "retpoline: found $specex_knob_dir/retp_enabled=$retp_enabled"
+ _info_nol " * Retpoline is enabled: "
+ if [ "$retp_enabled" = 1 ]; then
+@@ -4027,7 +4027,7 @@ check_CVE_2017_5715_linux()
+ rsb_filling=0
+ if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then
+ # if we're live and we aren't denied looking into /sys, let's do it
+- if echo "$msg" | grep -qw RSB; then
++ if echo "$msg" | @grep@ -qw RSB; then
+ rsb_filling=1
+ pstatus green YES
+ fi
+@@ -4036,7 +4036,7 @@ check_CVE_2017_5715_linux()
+ if [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ else
+- if grep -qw -e 'Filling RSB on context switch' "$kernel"; then
++ if @grep@ -qw -e 'Filling RSB on context switch' "$kernel"; then
+ rsb_filling=1
+ pstatus green YES
+ else
+@@ -4198,7 +4198,7 @@ check_CVE_2017_5715_bsd()
+ {
+ _info "* Mitigation 1"
+ _info_nol " * Kernel supports IBRS: "
+- ibrs_disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null)
++ ibrs_disabled=$(@sysctl@ -n hw.ibrs_disable 2>/dev/null)
+ if [ -z "$ibrs_disabled" ]; then
+ pstatus yellow NO
+ else
+@@ -4206,7 +4206,7 @@ check_CVE_2017_5715_bsd()
+ fi
+
+ _info_nol " * IBRS enabled and active: "
+- ibrs_active=$(sysctl -n hw.ibrs_active 2>/dev/null)
++ ibrs_active=$(@sysctl@ -n hw.ibrs_active 2>/dev/null)
+ if [ "$ibrs_active" = 1 ]; then
+ pstatus green YES
+ else
+@@ -4219,10 +4219,10 @@ check_CVE_2017_5715_bsd()
+ if [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ else
+- if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then
++ if ! command -v "@readelf@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the binutils package"
+ else
+- nb_thunks=$("${opt_arch_prefix}readelf" -s "$kernel" | grep -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_)
++ nb_thunks=$("@readelf@" -s "$kernel" | @grep@ -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_)
+ if [ "$nb_thunks" -gt 0 ]; then
+ retpoline=1
+ pstatus green YES "found $nb_thunks thunk(s)"
+@@ -4263,7 +4263,7 @@ check_CVE_2017_5715_bsd()
+ pti_performance_check()
+ {
+ _info_nol " * Reduced performance impact of PTI: "
+- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw pcid; then
++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pcid; then
+ cpu_pcid=1
+ else
+ read_cpuid 0x1 0x0 $ECX 17 1 1; ret=$?
+@@ -4272,7 +4272,7 @@ pti_performance_check()
+ fi
+ fi
+
+- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw invpcid; then
++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw invpcid; then
+ cpu_invpcid=1
+ else
+ read_cpuid 0x7 0x0 $EBX 10 1 1; ret=$?
+@@ -4297,7 +4297,7 @@ check_CVE_2017_5754()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2017_5754_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2017_5754_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -4319,7 +4319,7 @@ check_CVE_2017_5754_linux()
+ kpti_can_tell=0
+ if [ -n "$opt_config" ]; then
+ kpti_can_tell=1
+- kpti_support=$(grep -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
++ kpti_support=$(@grep@ -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
+ if [ -n "$kpti_support" ]; then
+ _debug "kpti_support: found option '$kpti_support' in $opt_config"
+ fi
+@@ -4329,7 +4329,7 @@ check_CVE_2017_5754_linux()
+ # so we try to find an exported symbol that is part of the PTI patch in System.map
+ # parse_kpti: arm
+ kpti_can_tell=1
+- kpti_support=$(grep -w -e kpti_force_enabled -e parse_kpti "$opt_map")
++ kpti_support=$(@grep@ -w -e kpti_force_enabled -e parse_kpti "$opt_map")
+ if [ -n "$kpti_support" ]; then
+ _debug "kpti_support: found '$kpti_support' in $opt_map"
+ fi
+@@ -4339,10 +4339,10 @@ check_CVE_2017_5754_linux()
+ # nopti option that is part of the patch (kernel command line option)
+ # 'kpti=': arm
+ kpti_can_tell=1
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
+ else
+- kpti_support=$("${opt_arch_prefix}strings" "$kernel" | grep -w -e nopti -e kpti=)
++ kpti_support=$("@strings@" "$kernel" | @grep@ -w -e nopti -e kpti=)
+ if [ -n "$kpti_support" ]; then
+ _debug "kpti_support: found '$kpti_support' in $kernel"
+ fi
+@@ -4369,20 +4369,20 @@ check_CVE_2017_5754_linux()
+ dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
+ # aarch64
+ dmesg_grep="$dmesg_grep|CPU features: detected( feature)?: Kernel page table isolation \(KPTI\)"
+- if grep ^flags "$procfs/cpuinfo" | grep -qw pti; then
++ if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pti; then
+ # vanilla PTI patch sets the 'pti' flag in cpuinfo
+ _debug "kpti_enabled: found 'pti' flag in $procfs/cpuinfo"
+ kpti_enabled=1
+- elif grep ^flags "$procfs/cpuinfo" | grep -qw kaiser; then
++ elif @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw kaiser; then
+ # kernel line 4.9 sets the 'kaiser' flag in cpuinfo
+ _debug "kpti_enabled: found 'kaiser' flag in $procfs/cpuinfo"
+ kpti_enabled=1
+ elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then
+ # Red Hat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
+- kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
++ kpti_enabled=$(@cat@ /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
+ _debug "kpti_enabled: file /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled"
+ elif is_xen_dom0; then
+- pti_xen_pv_domU=$(xl dmesg | grep 'XPTI' | grep 'DomU enabled' | head -1)
++ pti_xen_pv_domU=$(xl @dmesg@ | @grep@ 'XPTI' | @grep@ 'DomU enabled' | @head@ -1)
+
+ [ -n "$pti_xen_pv_domU" ] && kpti_enabled=1
+ fi
+@@ -4457,7 +4457,7 @@ check_CVE_2017_5754_linux()
+ if [ -n "$kpti_support" ]; then
+ if [ -e "/sys/kernel/debug/x86/pti_enabled" ]; then
+ explain "Your kernel supports PTI but it's disabled, you can enable it with \`echo 1 > /sys/kernel/debug/x86/pti_enabled\`"
+- elif echo "$kernel_cmdline" | grep -q -w -e nopti -e pti=off; then
++ elif echo "$kernel_cmdline" | @grep@ -q -w -e nopti -e pti=off; then
+ explain "Your kernel supports PTI but it has been disabled on command-line, remove the nopti or pti=off option from your bootloader configuration"
+ else
+ explain "Your kernel supports PTI but it has been disabled, check \`dmesg\` right after boot to find clues why the system disabled it"
+@@ -4508,7 +4508,7 @@ check_CVE_2017_5754_linux()
+ check_CVE_2017_5754_bsd()
+ {
+ _info_nol "* Kernel supports Page Table Isolation (PTI): "
+- kpti_enabled=$(sysctl -n vm.pmap.pti 2>/dev/null)
++ kpti_enabled=$(@sysctl@ -n vm.pmap.pti 2>/dev/null)
+ if [ -z "$kpti_enabled" ]; then
+ pstatus yellow NO
+ else
+@@ -4579,7 +4579,7 @@ check_CVE_2018_3639()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2018_3639_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2018_3639_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -4598,33 +4598,33 @@ check_CVE_2018_3639_linux()
+ if [ "$opt_sysfs_only" != 1 ]; then
+ _info_nol "* Kernel supports disabling speculative store bypass (SSB): "
+ if [ "$opt_live" = 1 ]; then
+- if grep -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then
++ if @grep@ -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssb="found in $procfs/self/status"
+ _debug "found Speculation.Store.Bypass: in $procfs/self/status"
+ fi
+ fi
+ # arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
+- if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! grep -q 'arm64_sys_' "$kernel"; then
+- kernel_ssb=$("${opt_arch_prefix}strings" "$kernel" | grep spec_store_bypass | head -n1);
++ if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! @grep@ -q 'arm64_sys_' "$kernel"; then
++ kernel_ssb=$("@strings@" "$kernel" | @grep@ spec_store_bypass | @head@ -n1);
+ [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in kernel"
+ fi
+ # arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
+- if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! grep -q 'arm64_sys_' "$opt_map"; then
+- kernel_ssb=$(grep spec_store_bypass "$opt_map" | awk '{print $3}' | head -n1)
++ if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! @grep@ -q 'arm64_sys_' "$opt_map"; then
++ kernel_ssb=$(@grep@ spec_store_bypass "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
+ [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
+ fi
+ # arm64 only:
+ if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ]; then
+- kernel_ssb=$(grep -w cpu_enable_ssbs "$opt_map" | awk '{print $3}' | head -n1)
++ kernel_ssb=$(@grep@ -w cpu_enable_ssbs "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
+ [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
+ fi
+ if [ -z "$kernel_ssb" ] && [ -n "$opt_config" ]; then
+- kernel_ssb=$(grep -w 'CONFIG_ARM64_SSBD=y' "$opt_config")
++ kernel_ssb=$(@grep@ -w 'CONFIG_ARM64_SSBD=y' "$opt_config")
+ [ -n "$kernel_ssb" ] && kernel_ssb="CONFIG_ARM64_SSBD enabled in kconfig"
+ fi
+ if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then
+ # this string only appears in kernel if CONFIG_ARM64_SSBD is set
+- kernel_ssb=$(grep -w "Speculative Store Bypassing Safe (SSBS)" "$kernel")
++ kernel_ssb=$(@grep@ -w "Speculative Store Bypassing Safe (SSBS)" "$kernel")
+ [ -n "$kernel_ssb" ] && kernel_ssb="found 'Speculative Store Bypassing Safe (SSBS)' in kernel"
+ fi
+ # /arm64 only
+@@ -4639,31 +4639,31 @@ check_CVE_2018_3639_linux()
+ if [ "$opt_live" = 1 ]; then
+ # https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340
+ _info_nol "* SSB mitigation is enabled and active: "
+- if grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then
++ if @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssbd_enabled=1
+ pstatus green YES "per-thread through prctl"
+- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then
++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssbd_enabled=2
+ pstatus green YES "global"
+- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then
++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssbd_enabled=0
+ pstatus yellow NO
+- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then
++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssbd_enabled=-2
+ pstatus blue NO "not vulnerable"
+- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then
++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssbd_enabled=0
+ pstatus blue NO
+ else
+- pstatus blue UNKNOWN "unknown value: $(grep -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | cut -d: -f2-)"
++ pstatus blue UNKNOWN "unknown value: $(@grep@ -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | @cut@ -d: -f2-)"
+ fi
+
+ if [ "$kernel_ssbd_enabled" = 1 ]; then
+ _info_nol "* SSB mitigation currently active for selected processes: "
+ # silence grep's stderr here to avoid ENOENT errors from processes that have exited since the shell's expansion of the *
+- mitigated_processes=$(find /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
+- | xargs -r0 grep -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \
+- | sed s/status/exe/ | xargs -r -n1 readlink -f 2>/dev/null | xargs -r -n1 basename | sort -u | tr "\n" " " | sed 's/ $//')
++ mitigated_processes=$(@find@ /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
++ | @xargs@ -r0 @grep@ -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \
++ | @sed@ s/status/exe/ | @xargs@ -r -n1 readlink -f 2>/dev/null | @xargs@ -r -n1 @basename@ | @sort@ -u | @tr@ "\n" " " | @sed@ 's/ $//')
+ if [ -n "$mitigated_processes" ]; then
+ pstatus green YES "$mitigated_processes"
+ else
+@@ -4715,7 +4715,7 @@ check_CVE_2018_3639_linux()
+ check_CVE_2018_3639_bsd()
+ {
+ _info_nol "* Kernel supports speculation store bypass: "
+- if sysctl hw.spec_store_bypass_disable >/dev/null 2>&1; then
++ if @sysctl@ hw.spec_store_bypass_disable >/dev/null 2>&1; then
+ kernel_ssb=1
+ pstatus green YES
+ else
+@@ -4724,7 +4724,7 @@ check_CVE_2018_3639_bsd()
+ fi
+
+ _info_nol "* Speculation store bypass is administratively enabled: "
+- ssb_enabled=$(sysctl -n hw.spec_store_bypass_disable 2>/dev/null)
++ ssb_enabled=$(@sysctl@ -n hw.spec_store_bypass_disable 2>/dev/null)
+ _debug "hw.spec_store_bypass_disable=$ssb_enabled"
+ case "$ssb_enabled" in
+ 0) pstatus yellow NO "disabled";;
+@@ -4734,7 +4734,7 @@ check_CVE_2018_3639_bsd()
+ esac
+
+ _info_nol "* Speculation store bypass is currently active: "
+- ssb_active=$(sysctl -n hw.spec_store_bypass_disable_active 2>/dev/null)
++ ssb_active=$(@sysctl@ -n hw.spec_store_bypass_disable_active 2>/dev/null)
+ _debug "hw.spec_store_bypass_disable_active=$ssb_active"
+ case "$ssb_active" in
+ 1) pstatus green YES;;
+@@ -4806,7 +4806,7 @@ check_CVE_2018_3620()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2018_3620_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2018_3620_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -4824,14 +4824,14 @@ check_CVE_2018_3620_linux()
+ fi
+ if [ "$opt_sysfs_only" != 1 ]; then
+ _info_nol "* Kernel supports PTE inversion: "
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing 'strings' tool, please install it"
+ pteinv_supported=-1
+ elif [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "$kernel_err"
+ pteinv_supported=-1
+ else
+- if "${opt_arch_prefix}strings" "$kernel" | grep -Fq 'PTE Inversion'; then
++ if "@strings@" "$kernel" | @grep@ -Fq 'PTE Inversion'; then
+ pstatus green YES "found in kernel image"
+ _debug "pteinv: found pte inversion evidence in kernel image"
+ pteinv_supported=1
+@@ -4844,7 +4844,7 @@ check_CVE_2018_3620_linux()
+ _info_nol "* PTE inversion enabled and active: "
+ if [ "$opt_live" = 1 ]; then
+ if [ -n "$fullmsg" ]; then
+- if echo "$fullmsg" | grep -q 'Mitigation: PTE Inversion'; then
++ if echo "$fullmsg" | @grep@ -q 'Mitigation: PTE Inversion'; then
+ pstatus green YES
+ pteinv_active=1
+ else
+@@ -4892,7 +4892,7 @@ check_CVE_2018_3620_bsd()
+ else
+ _debug "vmm module already loaded"
+ fi
+- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
+ # https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
+ # this is very difficult to detect that the kernel reserved the 0 page, but this fix
+ # is part of the exact same patch than the other L1TF CVE, so we detect it
+@@ -4922,7 +4922,7 @@ check_CVE_2018_3646()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2018_3646_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2018_3646_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -4948,7 +4948,7 @@ check_CVE_2018_3646_linux()
+ if [ "$opt_live" = 1 ]; then
+ if ! [ -r /sys/module/kvm_intel/parameters/ept ]; then
+ pstatus blue N/A "the kvm_intel module is not loaded"
+- elif [ "$(cat /sys/module/kvm_intel/parameters/ept)" = N ]; then
++ elif [ "$(@cat@ /sys/module/kvm_intel/parameters/ept)" = N ]; then
+ pstatus green YES
+ ept_disabled=1
+ else
+@@ -4960,15 +4960,15 @@ check_CVE_2018_3646_linux()
+
+ _info "* Mitigation 2"
+ _info_nol " * L1D flush is supported by kernel: "
+- if [ "$opt_live" = 1 ] && grep -qw flush_l1d "$procfs/cpuinfo"; then
++ if [ "$opt_live" = 1 ] && @grep@ -qw flush_l1d "$procfs/cpuinfo"; then
+ l1d_kernel="found flush_l1d in $procfs/cpuinfo"
+ fi
+ if [ -z "$l1d_kernel" ]; then
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ l1d_kernel_err="missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
+ elif [ -n "$kernel_err" ]; then
+ l1d_kernel_err="$kernel_err"
+- elif "${opt_arch_prefix}strings" "$kernel" | grep -qw flush_l1d; then
++ elif "@strings@" "$kernel" | @grep@ -qw flush_l1d; then
+ l1d_kernel='found flush_l1d in kernel image'
+ fi
+ fi
+@@ -4989,20 +4989,20 @@ check_CVE_2018_3646_linux()
+ # $l1dstatus is one of (auto|vulnerable|conditional cache flushes|cache flushes|EPT disabled|flush not necessary)
+ # $smtstatus is one of (vulnerable|disabled)
+ # can also just be "Not affected"
+- if echo "$fullmsg" | grep -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then
++ if echo "$fullmsg" | @grep@ -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then
+ l1d_mode=0
+ pstatus yellow NO
+- elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) conditional cache flushes'; then
++ elif echo "$fullmsg" | @grep@ -Eq '(VMX:|L1D) conditional cache flushes'; then
+ l1d_mode=1
+ pstatus green YES "conditional flushes"
+- elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) cache flushes'; then
++ elif echo "$fullmsg" | @grep@ -Eq '(VMX:|L1D) cache flushes'; then
+ l1d_mode=2
+ pstatus green YES "unconditional flushes"
+ else
+ if is_xen_dom0; then
+- l1d_xen_hardware=$(xl dmesg | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -1)
+- l1d_xen_hypervisor=$(xl dmesg | grep 'Xen settings:' | grep 'L1D_FLUSH' | head -1)
+- l1d_xen_pv_domU=$(xl dmesg | grep 'PV L1TF shadowing:' | grep 'DomU enabled' | head -1)
++ l1d_xen_hardware=$(xl @dmesg@ | @grep@ 'Hardware features:' | @grep@ 'L1D_FLUSH' | @head@ -1)
++ l1d_xen_hypervisor=$(xl @dmesg@ | @grep@ 'Xen settings:' | @grep@ 'L1D_FLUSH' | @head@ -1)
++ l1d_xen_pv_domU=$(xl @dmesg@ | @grep@ 'PV L1TF shadowing:' | @grep@ 'DomU enabled' | @head@ -1)
+
+ if [ -n "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n "$l1d_xen_pv_domU" ]; then
+ l1d_mode=5
+@@ -5033,7 +5033,7 @@ check_CVE_2018_3646_linux()
+
+ _info_nol " * Hardware-backed L1D flush supported: "
+ if [ "$opt_live" = 1 ]; then
+- if grep -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then
++ if @grep@ -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then
+ pstatus green YES "performance impact of the mitigation will be greatly reduced"
+ else
+ pstatus blue NO "flush will be done in software, this is slower"
+@@ -5105,7 +5105,7 @@ check_CVE_2018_3646_linux()
+ check_CVE_2018_3646_bsd()
+ {
+ _info_nol "* Kernel supports L1D flushing: "
+- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
+ pstatus green YES
+ kernel_l1d_supported=1
+ else
+@@ -5114,7 +5114,7 @@ check_CVE_2018_3646_bsd()
+ fi
+
+ _info_nol "* L1D flushing is enabled: "
+- kernel_l1d_enabled=$(sysctl -n hw.vmm.vmx.l1d_flush 2>/dev/null)
++ kernel_l1d_enabled=$(@sysctl@ -n hw.vmm.vmx.l1d_flush 2>/dev/null)
+ case "$kernel_l1d_enabled" in
+ 0) pstatus yellow NO;;
+ 1) pstatus green YES;;
+@@ -5168,7 +5168,7 @@ check_CVE_2018_12127()
+ ###################
+ # MDSUM SECTION
+
+-# Microarchitectural Data Sampling Uncacheable Memory
++# Microarchitectural Data Sampling Uncacheable Memory
+ check_CVE_2019_11091()
+ {
+ cve='CVE-2019-11091'
+@@ -5182,7 +5182,7 @@ check_mds()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_mds_linux "$cve"
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_mds_bsd "$cve"
+ else
+ _warn "Unsupported OS ($os)"
+@@ -5193,7 +5193,7 @@ check_mds_bsd()
+ {
+ _info_nol "* Kernel supports using MD_CLEAR mitigation: "
+ if [ "$opt_live" = 1 ]; then
+- if sysctl hw.mds_disable >/dev/null 2>&1; then
++ if @sysctl@ hw.mds_disable >/dev/null 2>&1; then
+ pstatus green YES
+ kernel_md_clear=1
+ else
+@@ -5201,7 +5201,7 @@ check_mds_bsd()
+ kernel_md_clear=0
+ fi
+ else
+- if grep -Fq hw.mds_disable $opt_kernel; then
++ if @grep@ -Fq hw.mds_disable $opt_kernel; then
+ pstatus green YES
+ kernel_md_clear=1
+ else
+@@ -5211,8 +5211,8 @@ check_mds_bsd()
+ fi
+
+ _info_nol "* CPU Hyper-Threading (SMT) is disabled: "
+- if sysctl machdep.hyperthreading_allowed >/dev/null 2>&1; then
+- kernel_smt_allowed=$(sysctl -n machdep.hyperthreading_allowed 2>/dev/null)
++ if @sysctl@ machdep.hyperthreading_allowed >/dev/null 2>&1; then
++ kernel_smt_allowed=$(@sysctl@ -n machdep.hyperthreading_allowed 2>/dev/null)
+ if [ "$kernel_smt_allowed" = 1 ]; then
+ pstatus yellow NO
+ else
+@@ -5224,7 +5224,7 @@ check_mds_bsd()
+
+ _info_nol "* Kernel mitigation is enabled: "
+ if [ "$kernel_md_clear" = 1 ]; then
+- kernel_mds_enabled=$(sysctl -n hw.mds_disable 2>/dev/null)
++ kernel_mds_enabled=$(@sysctl@ -n hw.mds_disable 2>/dev/null)
+ else
+ kernel_mds_enabled=0
+ fi
+@@ -5238,7 +5238,7 @@ check_mds_bsd()
+
+ _info_nol "* Kernel mitigation is active: "
+ if [ "$kernel_md_clear" = 1 ]; then
+- kernel_mds_state=$(sysctl -n hw.mds_disable_state 2>/dev/null)
++ kernel_mds_state=$(@sysctl@ -n hw.mds_disable_state 2>/dev/null)
+ else
+ kernel_mds_state=inactive
+ fi
+@@ -5296,16 +5296,16 @@ check_mds_linux()
+ _info_nol "* Kernel supports using MD_CLEAR mitigation: "
+ kernel_md_clear=''
+ kernel_md_clear_can_tell=1
+- if [ "$opt_live" = 1 ] && grep ^flags "$procfs/cpuinfo" | grep -qw md_clear; then
++ if [ "$opt_live" = 1 ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw md_clear; then
+ kernel_md_clear="md_clear found in $procfs/cpuinfo"
+ pstatus green YES "$kernel_md_clear"
+ fi
+ if [ -z "$kernel_md_clear" ]; then
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ kernel_md_clear_can_tell=0
+ elif [ -n "$kernel_err" ]; then
+ kernel_md_clear_can_tell=0
+- elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'Clear CPU buffers'; then
++ elif "@strings@" "$kernel" | @grep@ -q 'Clear CPU buffers'; then
+ _debug "md_clear: found 'Clear CPU buffers' string in kernel image"
+ kernel_md_clear='found md_clear implementation evidence in kernel image'
+ pstatus green YES "$kernel_md_clear"
+@@ -5321,7 +5321,7 @@ check_mds_linux()
+
+ if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then
+ _info_nol "* Kernel mitigation is enabled and active: "
+- if echo "$fullmsg" | grep -qi ^mitigation; then
++ if echo "$fullmsg" | @grep@ -qi ^mitigation; then
+ mds_mitigated=1
+ pstatus green YES
+ else
+@@ -5329,7 +5329,7 @@ check_mds_linux()
+ pstatus yellow NO
+ fi
+ _info_nol "* SMT is either mitigated or disabled: "
+- if echo "$fullmsg" | grep -Eq 'SMT (disabled|mitigated)'; then
++ if echo "$fullmsg" | @grep@ -Eq 'SMT (disabled|mitigated)'; then
+ mds_smt_mitigated=1
+ pstatus green YES
+ else
+@@ -5415,7 +5415,7 @@ check_CVE_2019_11135()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2019_11135_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2019_11135_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -5436,7 +5436,7 @@ check_CVE_2019_11135_linux()
+ kernel_taa=''
+ if [ -n "$kernel_err" ]; then
+ kernel_taa_err="$kernel_err"
+- elif grep -q 'tsx_async_abort' "$kernel"; then
++ elif @grep@ -q 'tsx_async_abort' "$kernel"; then
+ kernel_taa="found tsx_async_abort in kernel image"
+ fi
+ if [ -n "$kernel_taa" ]; then
+@@ -5450,7 +5450,7 @@ check_CVE_2019_11135_linux()
+ _info_nol "* TAA mitigation enabled and active: "
+ if [ "$opt_live" = 1 ]; then
+ if [ -n "$fullmsg" ]; then
+- if echo "$fullmsg" | grep -qE '^Mitigation'; then
++ if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then
+ pstatus green YES "$fullmsg"
+ else
+ pstatus yellow NO
+@@ -5485,9 +5485,9 @@ check_CVE_2019_11135_linux()
+ else
+ if [ "$opt_paranoid" = 1 ]; then
+ # in paranoid mode, TSX or SMT enabled are not OK, even if TAA is mitigated
+- if ! echo "$fullmsg" | grep -qF 'TSX disabled'; then
++ if ! echo "$fullmsg" | @grep@ -qF 'TSX disabled'; then
+ pvulnstatus $cve VULN "TSX must be disabled for full mitigation"
+- elif echo "$fullmsg" | grep -qF 'SMT vulnerable'; then
++ elif echo "$fullmsg" | @grep@ -qF 'SMT vulnerable'; then
+ pvulnstatus $cve VULN "SMT (HyperThreading) must be disabled for full mitigation"
+ else
+ pvulnstatus $cve "$status" "$msg"
+@@ -5517,7 +5517,7 @@ check_CVE_2018_12207()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2018_12207_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2018_12207_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -5541,7 +5541,7 @@ check_CVE_2018_12207_linux()
+ if [ -n "$kernel_err" ]; then
+ kernel_itlbmh_err="$kernel_err"
+ # commit 5219505fcbb640e273a0d51c19c38de0100ec5a9
+- elif grep -q 'itlb_multihit' "$kernel"; then
++ elif @grep@ -q 'itlb_multihit' "$kernel"; then
+ kernel_itlbmh="found itlb_multihit in kernel image"
+ fi
+ if [ -n "$kernel_itlbmh" ]; then
+@@ -5555,7 +5555,7 @@ check_CVE_2018_12207_linux()
+ _info_nol "* iTLB Multihit mitigation enabled and active: "
+ if [ "$opt_live" = 1 ]; then
+ if [ -n "$fullmsg" ]; then
+- if echo "$fullmsg" | grep -qF 'Mitigation'; then
++ if echo "$fullmsg" | @grep@ -qF 'Mitigation'; then
+ pstatus green YES "$fullmsg"
+ else
+ pstatus yellow NO
+@@ -5597,7 +5597,7 @@ check_CVE_2018_12207_linux()
+ check_CVE_2018_12207_bsd()
+ {
+ _info_nol "* Kernel supports disabling superpages for executable mappings under EPT: "
+- kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept 2>/dev/null)
++ kernel_2m_x_ept=$(@sysctl@ -n vm.pmap.allow_2m_x_ept 2>/dev/null)
+ if [ -z "$kernel_2m_x_ept" ]; then
+ pstatus yellow NO
+ else
+@@ -5634,7 +5634,7 @@ check_CVE_2020_0543()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2020_0543_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2020_0543_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -5655,7 +5655,7 @@ check_CVE_2020_0543_linux()
+ kernel_srbds=''
+ if [ -n "$kernel_err" ]; then
+ kernel_srbds_err="$kernel_err"
+- elif grep -q 'Dependent on hypervisor' "$kernel"; then
++ elif @grep@ -q 'Dependent on hypervisor' "$kernel"; then
+ kernel_srbds="found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation"
+ fi
+ if [ -n "$kernel_srbds" ]; then
+@@ -5668,7 +5668,7 @@ check_CVE_2020_0543_linux()
+ _info_nol "* SRBDS mitigation control is enabled and active: "
+ if [ "$opt_live" = 1 ]; then
+ if [ -n "$fullmsg" ]; then
+- if echo "$fullmsg" | grep -qE '^Mitigation'; then
++ if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then
+ pstatus green YES "$fullmsg"
+ else
+ pstatus yellow NO
+@@ -5758,8 +5758,8 @@ fi
+ # now run the checks the user asked for
+ for cve in $supported_cve_list
+ do
+- if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | grep -qw "$cve"; then
+- check_"$(echo "$cve" | tr - _)"
++ if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | @grep@ -qw "$cve"; then
++ check_"$(echo "$cve" | @tr@ - _)"
+ _info
+ fi
+ done
+@@ -5773,17 +5773,17 @@ if [ "$bad_accuracy" = 1 ]; then
+ _warn "We're missing some kernel info (see -v), accuracy might be reduced"
+ fi
+
+-_vars=$(set | grep -Ev '^[A-Z_[:space:]]' | grep -v -F 'mockme=' | sort | tr "\n" '|')
++_vars=$(set | @grep@ -Ev '^[A-Z_[:space:]]' | @grep@ -v -F 'mockme=' | @sort@ | @tr@ "\n" '|')
+ _debug "variables at end of script: $_vars"
+
+ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
+- if command -v "gzip" >/dev/null 2>&1; then
++ if command -v "@gzip@" >/dev/null 2>&1; then
+ # not a useless use of cat: gzipping cpuinfo directly doesn't work well
+ # shellcheck disable=SC2002
+- if command -v "base64" >/dev/null 2>&1; then
+- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | base64 -w0)"
+- elif command -v "uuencode" >/dev/null 2>&1; then
+- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | uuencode -m - | grep -Fv 'begin-base64' | grep -Fxv -- '====' | tr -d "\n")"
++ if command -v "@base64@" >/dev/null 2>&1; then
++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @base64@ -w0)"
++ elif command -v "@uuencode@" >/dev/null 2>&1; then
++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @uuencode@ -m - | @grep@ -Fv 'begin-base64' | @grep@ -Fxv -- '====' | @tr@ -d "\n")"
+ fi
+ fi
+ if [ -n "$mock_cpuinfo" ]; then
+@@ -5792,7 +5792,7 @@ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
+ fi
+ _info ""
+ # shellcheck disable=SC2046
+- _warn "To mock this CPU, set those vars: "$(echo "$mockme" | sort -u)
++ _warn "To mock this CPU, set those vars: "$(echo "$mockme" | @sort@ -u)
+ fi
+
+ if [ "$opt_explain" = 0 ]; then
+--
+2.38.1
+
diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
new file mode 100644
index 0000000000..afec52b418
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
@@ -0,0 +1,26 @@
+From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako <at> ultrarare.space>
+Date: Sat, 5 Nov 2022 23:22:31 +0800
+Subject: [PATCH] Add support for Guix System kernel.
+
+---
+ spectre-meltdown-checker.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 248a444..855a090 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
+ [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
+ # NixOS:
+ [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
++ # Guix System:
++ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ # systemd kernel-install:
+ [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
+ # Clear Linux:
+
+base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
+--
+2.38.0
base-commit: 2757de2e2b271d87f6f72ba4161c2225fbdc9e78
--
2.38.1
guix-patches <at> gnu.org:bug#59053; Package guix-patches.
(Sat, 12 Nov 2022 12:30:02 GMT) Full text and rfc822 format available.Message #24 received at 59053 <at> debbugs.gnu.org (full text, mbox):
From: Liliana Marie Prikler <liliana.prikler <at> gmail.com> To: Hilton Chain <hako <at> ultrarare.space> Cc: 59053 <at> debbugs.gnu.org Subject: Re: [PATCH v3] gnu: Add spectre-meltdown-checker. Date: Sat, 12 Nov 2022 13:28:58 +0100
Am Samstag, dem 12.11.2022 um 20:14 +0800 schrieb Hilton Chain: > 1. Use curl as default downloader (It seems that wget doesn't work > out of the box for TLS?). Uhm, what exactly is the checker downloading that it needs wget or curl for?
guix-patches <at> gnu.org:bug#59053; Package guix-patches.
(Sat, 12 Nov 2022 12:52:02 GMT) Full text and rfc822 format available.Message #27 received at 59053 <at> debbugs.gnu.org (full text, mbox):
From: Hilton Chain <hako <at> ultrarare.space> To: Liliana Marie Prikler <liliana.prikler <at> gmail.com> Cc: 59053 <at> debbugs.gnu.org Subject: Re: [PATCH v3] gnu: Add spectre-meltdown-checker. Date: Sat, 12 Nov 2022 20:50:25 +0800
On Sat, 12 Nov 2022 20:28:58 +0800, Liliana Marie Prikler wrote: > Uhm, what exactly is the checker downloading that it needs wget or curl > for? With option "--update-fwdb", the checker fetches source files and builds the firmware database.
guix-patches <at> gnu.org:bug#59053; Package guix-patches.
(Sat, 12 Nov 2022 13:41:02 GMT) Full text and rfc822 format available.Message #30 received at 59053 <at> debbugs.gnu.org (full text, mbox):
From: Liliana Marie Prikler <liliana.prikler <at> gmail.com> To: Hilton Chain <hako <at> ultrarare.space> Cc: 59053 <at> debbugs.gnu.org Subject: Re: [PATCH v3] gnu: Add spectre-meltdown-checker. Date: Sat, 12 Nov 2022 14:40:13 +0100
Am Samstag, dem 12.11.2022 um 20:50 +0800 schrieb Hilton Chain: > On Sat, 12 Nov 2022 20:28:58 +0800, > Liliana Marie Prikler wrote: > > Uhm, what exactly is the checker downloading that it needs wget or > > curl for? > With option "--update-fwdb", the checker fetches source files and > builds the firmware database. You mean proprietary firmware?
guix-patches <at> gnu.org:bug#59053; Package guix-patches.
(Sat, 12 Nov 2022 15:16:02 GMT) Full text and rfc822 format available.Message #33 received at 59053 <at> debbugs.gnu.org (full text, mbox):
From: Hilton Chain <hako <at> ultrarare.space> To: Liliana Marie Prikler <liliana.prikler <at> gmail.com> Cc: 59053 <at> debbugs.gnu.org Subject: [PATCH v4] gnu: Add spectre-meltdown-checker. Date: Sat, 12 Nov 2022 23:15:18 +0800
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
v3 -> v4:
1. Remove downloading function.
2. Add option for supplying a local database.
gnu/local.mk | 3 +
gnu/packages/linux.scm | 54 +
...ker-remove-builtin-firmware-database.patch | 243 +++
...cker-stage-commands-for-substitution.patch | 1849 +++++++++++++++++
...n-checker-support-guix-system-kernel.patch | 26 +
5 files changed, 2175 insertions(+)
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index e3e02314bb..46b299d0d6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1857,6 +1857,9 @@ dist_patch_DATA = \
%D%/packages/patches/syslinux-strip-gnu-property.patch \
%D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \
%D%/packages/patches/snappy-add-inline-for-GCC.patch \
+ %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \
+ %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch \
+ %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
%D%/packages/patches/sphinxbase-fix-doxygen.patch \
%D%/packages/patches/spice-vdagent-glib-2.68.patch \
%D%/packages/patches/sssd-optional-systemd.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index fea33dfa0b..1807fd5655 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9595,3 +9595,57 @@ (define-public edac-utils
error detection and correction (EDAC).")
(home-page "https://github.com/grondo/edac-utils")
(license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+ (package
+ (name "spectre-meltdown-checker")
+ (version "0.45")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (patches
+ (search-patches
+ ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+ "spectre-meltdown-checker-support-guix-system-kernel.patch"
+ ;; NOTE: Update these patches when updating.
+ "spectre-meltdown-checker-remove-builtin-firmware-database.patch"
+ "spectre-meltdown-checker-stage-commands-for-substitution.patch"))
+ ;; Remove builtin firmware database.
+ (modules '((guix build utils)))
+ (snippet '(substitute* "spectre-meltdown-checker.sh"
+ (("^# [AI],.*") "")))
+ (sha256
+ (base32
+ "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+ (build-system copy-build-system)
+ (arguments
+ (list #:install-plan
+ #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'fixpath
+ (lambda* (#:key inputs #:allow-other-keys)
+ (substitute* "spectre-meltdown-checker.sh"
+ (("@sysctl@") (search-input-file inputs "/sbin/sysctl"))
+ (("@([a-z0-9]*)@" _ command _)
+ (search-input-file
+ inputs (string-append "/bin/" command)))))))))
+ (inputs
+ (list kmod
+ lz4
+ lzop
+ perl
+ procps
+ sharutils
+ util-linux
+ zstd))
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (synopsis "CPU vulnerability / mitigation checker")
+ (description
+ "This package provides a shell script to assess your system's resilience
+against the several transient execution CVEs that were published since early
+2018, and give you guidance as to how to mitigate them.")
+ (license license:gpl3)))
diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
new file mode 100644
index 0000000000..888bb0c2b1
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
@@ -0,0 +1,243 @@
+From a3a9b7ca93071393e6bfd999fedd737009718aab Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako <at> ultrarare.space>
+Date: Sat, 12 Nov 2022 22:45:24 +0800
+Subject: [PATCH 1/2] Remove builtin firmware database.
+
+1. Remove downloading function.
+2. Add option for supplying a local database.
+---
+ spectre-meltdown-checker.sh | 180 +++---------------------------------
+ 1 file changed, 15 insertions(+), 165 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 30f760c..ce46970 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -22,8 +22,6 @@ exit_cleanup()
+ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
+ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp"
+ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2"
+- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm -f "$mcedb_tmp"
+- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm -rf "$intel_tmp"
+ [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
+ [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null
+ [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
+@@ -93,9 +91,7 @@ show_usage()
+ --vmm [auto,yes,no] override the detection of the presence of a hypervisor, default: auto
+ --allow-msr-write allow probing for write-only MSRs, this might produce kernel logs or be blocked by your system
+ --cpu [#,all] interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
+- --update-fwdb update our local copy of the CPU microcodes versions database (using the awesome
+- MCExtractor project and the Intel firmwares GitHub repository)
+- --update-builtin-fwdb same as --update-fwdb but update builtin DB inside the script itself
++ --with-fwdb FILE supply the CPU microcodes versions database
+ --dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script
+
+ Return codes:
+@@ -837,147 +833,6 @@ show_header()
+ _info
+ }
+
+-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
+-mcedb_cache="$HOME/.mcedb"
+-update_fwdb()
+-{
+- show_header
+-
+- set -e
+-
+- if [ -r "$mcedb_cache" ]; then
+- previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+- fi
+-
+- # first, download the MCE.db from the excellent platomav's MCExtractor project
+- mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
+- mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+- _info_nol "Fetching MCE.db from the MCExtractor project... "
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
+- curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+- elif command -v fetch >/dev/null 2>&1; then
+- fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+- else
+- echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
+- return 1
+- fi
+- if [ "$ret" != 0 ]; then
+- echo ERROR "error $ret while downloading MCE.db"
+- return $ret
+- fi
+- echo DONE
+-
+- # second, get the Intel firmwares from GitHub
+- intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
+- intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+- _info_nol "Fetching Intel firmwares... "
+- ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
+- curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+- elif command -v fetch >/dev/null 2>&1; then
+- fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+- else
+- echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
+- return 1
+- fi
+- if [ "$ret" != 0 ]; then
+- echo ERROR "error $ret while downloading Intel firmwares"
+- return $ret
+- fi
+- echo DONE
+-
+- # now extract MCEdb contents using sqlite
+- _info_nol "Extracting MCEdb data... "
+- if ! command -v sqlite3 >/dev/null 2>&1; then
+- echo ERROR "please install the \`sqlite3\` program"
+- return 1
+- fi
+- mcedb_revision=$(sqlite3 "$mcedb_tmp" "select revision from MCE")
+- if [ -z "$mcedb_revision" ]; then
+- echo ERROR "downloaded file seems invalid"
+- return 1
+- fi
+- sqlite3 "$mcedb_tmp" "alter table Intel add column origin text"
+- sqlite3 "$mcedb_tmp" "update Intel set origin='mce'"
+-
+- echo OK "MCExtractor database revision $mcedb_revision"
+-
+- # parse Intel firmwares to get their versions
+- _info_nol "Integrating Intel firmwares data to db... "
+- if ! command -v unzip >/dev/null 2>&1; then
+- echo ERROR "please install the \`unzip\` program"
+- return 1
+- fi
+- ( cd "$intel_tmp" && unzip fw.zip >/dev/null; )
+- if ! [ -d "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" ]; then
+- echo ERROR "expected the 'intel-ucode' folder in the downloaded zip file"
+- return 1
+- fi
+-
+- if ! command -v iucode_tool >/dev/null 2>&1; then
+- if ! command -v iucode-tool >/dev/null 2>&1; then
+- echo ERROR "please install the \`iucode-tool\` program"
+- return 1
+- else
+- iucode_tool="iucode-tool"
+- fi
+- else
+- iucode_tool="iucode_tool"
+- fi
+- # 079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev 0x0217, size 5120
+- # 078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev 0x0107, size 5120
+- $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
+- do
+- _line=$( echo "$_line" | tr -d ',')
+- _cpuid=$( echo "$_line" | awk '{print $3}')
+- _cpuid=$(( _cpuid ))
+- _cpuid=$(printf "0x%08X" "$_cpuid")
+- _date=$( echo "$_line" | awk '{print $6}' | tr -d '-')
+- _version=$(echo "$_line" | awk '{print $8}')
+- _version=$(( _version ))
+- _version=$(printf "0x%08X" "$_version")
+- _sqlstm="$(printf "INSERT INTO Intel (origin,cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")"
+- sqlite3 "$mcedb_tmp" "$_sqlstm"
+- done
+- _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
+- if [ -n "$_intel_timestamp" ]; then
+- # use this date, it matches the last commit date
+- _intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp")
+- else
+- echo "Falling back to the latest microcode date"
+- _intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT yyyymmdd from Intel WHERE origin = 'intel' ORDER BY yyyymmdd DESC LIMIT 1;")
+- fi
+- echo DONE "(version $_intel_latest_date)"
+-
+- dbversion="$mcedb_revision+i$_intel_latest_date"
+-
+- if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [ "$previous_dbversion" = "v$dbversion" ]; then
+- echo "We already have this version locally, no update needed"
+- return 0
+- fi
+-
+- _info_nol "Building local database... "
+- {
+- echo "# Spectre & Meltdown Checker";
+- echo "# %%% MCEDB v$dbversion";
+- sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+- sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+- } > "$mcedb_cache"
+- echo DONE "(version $dbversion)"
+-
+- if [ "$1" = builtin ]; then
+- newfile=$(mktemp -t smc-builtin-XXXXXX)
+- awk '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+- awk '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+- cat "$newfile" > "$0"
+- rm -f "$newfile"
+- fi
+-}
+-
+ parse_opt_file()
+ {
+ # parse_opt_file option_name option_value
+@@ -1067,12 +922,15 @@ while [ -n "${1:-}" ]; do
+ # deprecated, kept for compatibility
+ opt_explain=0
+ shift
+- elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then
+- update_fwdb
+- exit $?
+- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
+- update_fwdb builtin
+- exit $?
++ elif [ "$1" = "--with-fwdb" ] || [ "$1" = "--with-mcedb" ]; then
++ opt_fwdb=$2
++ if [ -f "$opt_fwdb" ]; then
++ mcedb_cache=$2
++ else
++ echo "$0: error: --with-fwdb should be a file, got '$opt_fwdb'" >&2
++ exit 255
++ fi
++ shift 2
+ elif [ "$1" = "--dump-mock-data" ]; then
+ opt_mock=1
+ shift
+@@ -2033,21 +1891,11 @@ is_xen_domU()
+ fi
+ }
+
+-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ # we have a local cache file, but it might be older than the builtin version we have
+ local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+- # sort -V sorts by version number
+- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | sort -V | head -n1)
+- if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+- mcedb_source="$mcedb_cache"
+- mcedb_info="local firmwares DB $local_dbversion"
+- fi
+-fi
+-# if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db
+-if [ -z "${mcedb_source:-}" ]; then
+- mcedb_source="$0"
+- mcedb_info="builtin firmwares DB $builtin_dbversion"
++ mcedb_source="$mcedb_cache"
++ mcedb_info="local firmwares DB $local_dbversion"
+ fi
+ read_mcedb()
+ {
+@@ -2063,7 +1911,9 @@ is_latest_known_ucode()
+ return 2
+ fi
+ ucode_latest="latest microcode version for your CPU model is unknown"
+- if is_intel; then
++ if [ -z "$mcedb_source" ]; then
++ return 2
++ elif is_intel; then
+ cpu_brand_prefix=I
+ elif is_amd; then
+ cpu_brand_prefix=A
+--
+2.38.1
+
diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
new file mode 100644
index 0000000000..a8e7531f32
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
@@ -0,0 +1,1849 @@
+From 1d79c223d5dc114f63da2c5061d2c713d8a05687 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako <at> ultrarare.space>
+Date: Fri, 11 Nov 2022 18:49:50 +0800
+Subject: [PATCH 2/2] Stage commands for later substitution.
+
+awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find, grep,
+gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm, nproc,
+objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat, strings,
+sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, xargs.
+---
+ spectre-meltdown-checker.sh | 606 ++++++++++++++++++------------------
+ 1 file changed, 303 insertions(+), 303 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index ce46970..4889ebb 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -19,31 +19,31 @@ trap '_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT
+ exit_cleanup()
+ {
+ # cleanup the temp decompressed config & kernel image
+- [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
+- [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp"
+- [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2"
+- [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
+- [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null
+- [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
+- [ "${insmod_msr:-}" = 1 ] && rmmod msr 2>/dev/null
++ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && @rm@ -f "$dumped_config"
++ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && @rm@ -f "$kerneltmp"
++ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && @rm@ -f "$kerneltmp2"
++ [ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug 2>/dev/null
++ [ "${mounted_procfs:-}" = 1 ] && @umount@ "$procfs" 2>/dev/null
++ [ "${insmod_cpuid:-}" = 1 ] && @rmmod@ cpuid 2>/dev/null
++ [ "${insmod_msr:-}" = 1 ] && @rmmod@ msr 2>/dev/null
+ [ "${kldload_cpuctl:-}" = 1 ] && kldunload cpuctl 2>/dev/null
+ [ "${kldload_vmm:-}" = 1 ] && kldunload vmm 2>/dev/null
+ }
+
+ # if we were git clone'd, adjust VERSION
+-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then
+- describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null)
+- [ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e s/^v//)
++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null 2>&1; then
++ describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty 2>/dev/null)
++ [ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e s/^v//)
+ fi
+
+ show_usage()
+ {
+ # shellcheck disable=SC2086
+- cat <<EOF
++ @cat@ <<EOF
+ Usage:
+- Live mode (auto): $(basename $0) [options]
+- Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
+- Offline mode: $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
++ Live mode (auto): $(@basename@ $0) [options]
++ Live mode (manual): $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
++ Offline mode: $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
+
+ Modes:
+ Two modes are available.
+@@ -106,7 +106,7 @@ EOF
+
+ show_disclaimer()
+ {
+- cat <<EOF
++ @cat@ <<EOF
+ Disclaimer:
+
+ This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the
+@@ -134,7 +134,7 @@ This tool has been released in the hope that it'll be useful, but don't use it t
+ EOF
+ }
+
+-os=$(uname -s)
++os=$(@uname@ -s)
+
+ # parse options
+ opt_kernel=''
+@@ -203,7 +203,7 @@ __echo()
+ _interpret_chars='-e'
+ fi
+ _ctrlchar=$($echo_cmd $_interpret_chars "\033")
+- _msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
++ _msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
+ fi
+ if [ "$echo_cmd_type" = printf ]; then
+ if [ "$opt" = "-n" ]; then
+@@ -379,7 +379,7 @@ is_cpu_affected()
+ # https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not affected
+ # https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown affected
+ # model name : Pentium(R) Dual-Core CPU E5200 @ 2.50GHz
+- if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
++ if echo "$cpu_friendly_name" | @grep@ -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
+ variant1=vuln
+ [ -z "$variant2" ] && variant2=immune
+ variant3=vuln
+@@ -482,7 +482,7 @@ is_cpu_affected()
+ i=$(( i + 1 ))
+ # do NOT quote $cpu_arch_list below
+ # shellcheck disable=SC2086
+- cpuarch=$(echo $cpu_arch_list | awk '{ print $'$i' }')
++ cpuarch=$(echo $cpu_arch_list | @awk@ '{ print $'$i' }')
+ _debug "checking cpu$i: <$cpupart> <$cpuarch>"
+ # some kernels report AArch64 instead of 8
+ [ "$cpuarch" = "AArch64" ] && cpuarch=8
+@@ -493,49 +493,49 @@ is_cpu_affected()
+ # part ? ? c08 c09 c0d c0f c0e d07 d08 d09 d0a d0b d0c d0d
+ # arch 7? 7? 7 7 7 7 7 8 8 8 8 8 8 8
+ #
+- # Whitelist identified non-affected processors, use vulnerability information from
++ # Whitelist identified non-affected processors, use vulnerability information from
+ # https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
+ # Partnumbers can be found here:
+ # https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in
+ #
+ # Maintain cumulative check of vulnerabilities -
+ # if at least one of the cpu is affected, then the system is affected
+- if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
++ if [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ [ -z "$variant3a" ] && variant3a=immune
+ [ -z "$variant4" ] && variant4=immune
+ _debug "checking cpu$i: armv7 A8/A9/A12/A17 non affected to variants 3, 3a & 4"
+- elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc0f; then
++ elif [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc0f; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ variant3a=vuln
+ [ -z "$variant4" ] && variant4=immune
+ _debug "checking cpu$i: armv7 A15 non affected to variants 3 & 4"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd07 -e 0xd08; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ variant3a=vuln
+ variant4=vuln
+ _debug "checking cpu$i: armv8 A57/A72 non affected to variants 3"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd09; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd09; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ [ -z "$variant3a" ] && variant3a=immune
+ variant4=vuln
+ _debug "checking cpu$i: armv8 A73 non affected to variants 3 & 3a"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0a; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0a; then
+ variant1=vuln
+ variant2=vuln
+ variant3=vuln
+ [ -z "$variant3a" ] && variant3a=immune
+ variant4=vuln
+ _debug "checking cpu$i: armv8 A75 non affected to variant 3a"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
+ variant1=vuln
+ [ -z "$variant2" ] && variant2=immune
+ [ -z "$variant3" ] && variant3=immune
+@@ -816,7 +816,7 @@ is_cpu_ssb_free()
+ if [ "$cpu_family" = "18" ] || \
+ [ "$cpu_family" = "17" ] || \
+ [ "$cpu_family" = "16" ] || \
+- [ "$cpu_family" = "15" ]; then
++ [ "$cpu_family" = "15" ]; then
+ return 0
+ fi
+ fi
+@@ -910,7 +910,7 @@ while [ -n "${1:-}" ]; do
+ elif [ "$1" = "--cpu" ]; then
+ opt_cpu=$2
+ if [ "$opt_cpu" != all ]; then
+- if echo "$opt_cpu" | grep -Eq '^[0-9]+'; then
++ if echo "$opt_cpu" | @grep@ -Eq '^[0-9]+'; then
+ opt_cpu=$(( opt_cpu ))
+ else
+ echo "$0: error: --cpu should be an integer or 'all', got '$opt_cpu'" >&2
+@@ -961,7 +961,7 @@ while [ -n "${1:-}" ]; do
+ echo "$0: error: option --cve expects a parameter, supported CVEs are: $supported_cve_list" >&2
+ exit 255
+ fi
+- selected_cve=$(echo "$supported_cve_list" | grep -iwo "$2")
++ selected_cve=$(echo "$supported_cve_list" | @grep@ -iwo "$2")
+ if [ -n "$selected_cve" ]; then
+ opt_cve_list="$opt_cve_list $selected_cve"
+ opt_cve_all=0
+@@ -1166,14 +1166,14 @@ check_kernel()
+ # a damaged ELF file and validate it, check for stderr warnings too
+
+ # the warning "readelf: Warning: [16]: Link field (0) should index a symtab section./" can appear on valid kernels, ignore it
+- _readelf_warnings=$("${opt_arch_prefix}readelf" -S "$_file" 2>&1 >/dev/null | grep -v 'should index a symtab section' | tr "\n" "/"); ret=$?
+- _readelf_sections=$("${opt_arch_prefix}readelf" -S "$_file" 2>/dev/null | grep -c -e data -e text -e init)
+- _kernel_size=$(stat -c %s "$_file" 2>/dev/null || stat -f %z "$_file" 2>/dev/null || echo 10000)
++ _readelf_warnings=$("@readelf@" -S "$_file" 2>&1 >/dev/null | @grep@ -v 'should index a symtab section' | @tr@ "\n" "/"); ret=$?
++ _readelf_sections=$("@readelf@" -S "$_file" 2>/dev/null | @grep@ -c -e data -e text -e init)
++ _kernel_size=$(@stat@ -c %s "$_file" 2>/dev/null || @stat@ -f %z "$_file" 2>/dev/null || echo 10000)
+ _debug "check_kernel: ret=$? size=$_kernel_size sections=$_readelf_sections warnings=$_readelf_warnings"
+ if [ "$_mode" = desperate ]; then
+- if "${opt_arch_prefix}strings" "$_file" | grep -Eq '^Linux version '; then
++ if "@strings@" "$_file" | @grep@ -Eq '^Linux version '; then
+ _debug "check_kernel (desperate): ... matched!"
+- if [ "$_readelf_sections" = 0 ] && grep -qF -e armv6 -e armv7 "$_file"; then
++ if [ "$_readelf_sections" = 0 ] && @grep@ -qF -e armv6 -e armv7 "$_file"; then
+ _debug "check_kernel (desperate): raw arm binary found, adjusting objdump options"
+ objdump_options="-D -b binary -marm"
+ else
+@@ -1206,7 +1206,7 @@ try_decompress()
+
+ # Try to find the header ($1) and decompress from here
+ _debug "try_decompress: looking for $3 magic in $6"
+- for pos in $(tr "$1\n$2" "\n$2=" < "$6" | grep -abo "^$2")
++ for pos in $(@tr@ "$1\n$2" "\n$2=" < "$6" | @grep@ -abo "^$2")
+ do
+ _debug "try_decompress: magic for $3 found at offset $pos"
+ if ! command -v "$3" >/dev/null 2>&1; then
+@@ -1233,11 +1233,11 @@ try_decompress()
+ kernel="$kerneltmp"
+ _debug "try_decompress: decompressed with $3 successfully!"
+ return 0
+- elif [ "$3" != "cat" ]; then
++ elif [ "$3" != "@cat@" ]; then
+ _debug "try_decompress: decompression with $3 worked but result is not a kernel, trying with an offset"
+- [ -z "$kerneltmp2" ] && kerneltmp2=$(mktemp -t smc-kernel-XXXXXX)
+- cat "$kerneltmp" > "$kerneltmp2"
+- try_decompress '\177ELF' xxy 'cat' '' cat "$kerneltmp2" && return 0
++ [ -z "$kerneltmp2" ] && kerneltmp2=$(@mktemp@ -t smc-kernel-XXXXXX)
++ @cat@ "$kerneltmp" > "$kerneltmp2"
++ try_decompress '\177ELF' xxy '@cat@' '' cat "$kerneltmp2" && return 0
+ else
+ _debug "try_decompress: decompression with $3 worked but result is not a kernel"
+ fi
+@@ -1249,12 +1249,12 @@ extract_kernel()
+ {
+ [ -n "${1:-}" ] || return 1
+ # Prepare temp files:
+- kerneltmp="$(mktemp -t smc-kernel-XXXXXX)"
++ kerneltmp="$(@mktemp@ -t smc-kernel-XXXXXX)"
+
+ # Initial attempt for uncompressed images or objects:
+ if check_kernel "$1"; then
+ _debug "extract_kernel: found kernel is valid, no decompression needed"
+- cat "$1" > "$kerneltmp"
++ @cat@ "$1" > "$kerneltmp"
+ kernel=$kerneltmp
+ return 0
+ fi
+@@ -1263,14 +1263,14 @@ extract_kernel()
+ for pass in 1 2; do
+ for mode in normal desperate; do
+ _debug "extract_kernel: pass $pass $mode mode"
+- try_decompress '\037\213\010' xy gunzip '' gunzip "$1" "$mode" "$pass" && return 0
+- try_decompress '\002\041\114\030' xyy 'lz4' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
+- try_decompress '\3757zXZ\000' abcde unxz '' xz-utils "$1" "$mode" "$pass" && return 0
+- try_decompress 'BZh' xy bunzip2 '' bzip2 "$1" "$mode" "$pass" && return 0
+- try_decompress '\135\0\0\0' xxx unlzma '' xz-utils "$1" "$mode" "$pass" && return 0
+- try_decompress '\211\114\132' xy 'lzop' '-d' lzop "$1" "$mode" "$pass" && return 0
+- try_decompress '\177ELF' xxy 'cat' '' cat "$1" "$mode" "$pass" && return 0
+- try_decompress '(\265/\375' xxy unzstd '' zstd "$1" "$mode" "$pass" && return 0
++ try_decompress '\037\213\010' xy @gunzip@ '' gunzip "$1" "$mode" "$pass" && return 0
++ try_decompress '\002\041\114\030' xyy '@lz4@' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
++ try_decompress '\3757zXZ\000' abcde @unxz@ '' xz-utils "$1" "$mode" "$pass" && return 0
++ try_decompress 'BZh' xy @bunzip2@ '' bzip2 "$1" "$mode" "$pass" && return 0
++ try_decompress '\135\0\0\0' xxx @unlzma@ '' xz-utils "$1" "$mode" "$pass" && return 0
++ try_decompress '\211\114\132' xy '@lzop@' '-d' lzop "$1" "$mode" "$pass" && return 0
++ try_decompress '\177ELF' xxy '@cat@' '' cat "$1" "$mode" "$pass" && return 0
++ try_decompress '(\265/\375' xxy @unzstd@ '' zstd "$1" "$mode" "$pass" && return 0
+ done
+ done
+ # kernel_err might already have been populated by try_decompress() if we're missing one of the tools
+@@ -1287,7 +1287,7 @@ mount_debugfs()
+ {
+ if [ ! -e /sys/kernel/debug/sched_features ]; then
+ # try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
+- mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
++ @mount@ -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
+ fi
+ }
+
+@@ -1298,12 +1298,12 @@ load_msr()
+ load_msr_once=1
+
+ if [ "$os" = Linux ]; then
+- if ! grep -qw msr "$procfs/modules" 2>/dev/null; then
+- modprobe msr 2>/dev/null && insmod_msr=1
++ if ! @grep@ -qw msr "$procfs/modules" 2>/dev/null; then
++ @modprobe@ msr 2>/dev/null && insmod_msr=1
+ _debug "attempted to load module msr, insmod_msr=$insmod_msr"
+ else
+ _debug "msr module already loaded"
+- fi
++ fi
+ else
+ if ! kldstat -q -m cpuctl; then
+ kldload cpuctl 2>/dev/null && kldload_cpuctl=1
+@@ -1321,12 +1321,12 @@ load_cpuid()
+ load_cpuid_once=1
+
+ if [ "$os" = Linux ]; then
+- if ! grep -qw cpuid "$procfs/modules" 2>/dev/null; then
+- modprobe cpuid 2>/dev/null && insmod_cpuid=1
++ if ! @grep@ -qw cpuid "$procfs/modules" 2>/dev/null; then
++ @modprobe@ cpuid 2>/dev/null && insmod_cpuid=1
+ _debug "attempted to load module cpuid, insmod_cpuid=$insmod_cpuid"
+ else
+ _debug "cpuid module already loaded"
+- fi
++ fi
+ else
+ if ! kldstat -q -m cpuctl; then
+ kldload cpuctl 2>/dev/null && kldload_cpuctl=1
+@@ -1415,7 +1415,7 @@ read_cpuid_one_core()
+ fi
+ # on some kernel versions, /dev/cpu/0/cpuid doesn't imply that the cpuid module is loaded, in that case dd returns an error,
+ # we use that fact to load the module if dd returns an error
+- if ! dd if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then
++ if ! @dd@ if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then
+ load_cpuid
+ fi
+ # we need _leaf to be converted to decimal for dd
+@@ -1426,14 +1426,14 @@ read_cpuid_one_core()
+ _ddskip=$(( _position / 16 ))
+ _odskip=$(( _position - _ddskip * 16 ))
+ # now read the value
+- _cpuid=$(dd if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | od -j $((_odskip * 16)) -A n -t u4)
++ _cpuid=$(@dd@ if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | @od@ -j $((_odskip * 16)) -A n -t u4)
+ elif [ -e /dev/cpuctl0 ]; then
+ # BSD
+ if [ ! -r /dev/cpuctl0 ]; then
+ read_cpuid_msg="Couldn't read cpuid info from cpuctl"
+ return $READ_CPUID_RET_ERR
+ fi
+- _cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | cut -d: -f2-)
++ _cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | @cut@ -d: -f2-)
+ # cpuid level 0x4, level_type 0x2: 0x1c004143 0x01c0003f 0x000001ff 0x00000000
+ else
+ read_cpuid_msg="Found no way to read cpuid info"
+@@ -1456,7 +1456,7 @@ read_cpuid_one_core()
+ fi
+
+ # get the value of the register we want
+- _reg=$(echo "$_cpuid" | awk '{print $'"$_register"'}')
++ _reg=$(echo "$_cpuid" | @awk@ '{print $'"$_register"'}')
+ # Linux returns it as decimal, BSD as hex, normalize to decimal
+ _reg=$(( _reg ))
+ # shellcheck disable=SC2046
+@@ -1484,11 +1484,11 @@ dmesg_grep()
+ # grep for something in dmesg, ensuring that the dmesg buffer
+ # has not been truncated
+ dmesg_grepped=''
+- if ! dmesg | grep -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then
++ if ! @dmesg@ | @grep@ -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then
+ # dmesg truncated
+ return 2
+ fi
+- dmesg_grepped=$(dmesg | grep -E "$1" | head -1)
++ dmesg_grepped=$(@dmesg@ | @grep@ -E "$1" | @head@ -1)
+ # not found:
+ [ -z "$dmesg_grepped" ] && return 1
+ # found, output is in $dmesg_grepped
+@@ -1505,12 +1505,12 @@ parse_cpu_details()
+ {
+ [ "${parse_cpu_details_done:-}" = 1 ] && return 0
+
+- if command -v nproc >/dev/null; then
+- number_of_cores=$(nproc)
+- elif echo "$os" | grep -q BSD; then
+- number_of_cores=$(sysctl -n hw.ncpu 2>/dev/null || echo 1)
++ if command -v @nproc@ >/dev/null; then
++ number_of_cores=$(@nproc@)
++ elif echo "$os" | @grep@ -q BSD; then
++ number_of_cores=$(@sysctl@ -n hw.ncpu 2>/dev/null || echo 1)
+ elif [ -e "$procfs/cpuinfo" ]; then
+- number_of_cores=$(grep -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1)
++ number_of_cores=$(@grep@ -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1)
+ else
+ # if we don't know, default to 1 CPU
+ number_of_cores=1
+@@ -1518,43 +1518,43 @@ parse_cpu_details()
+ max_core_id=$(( number_of_cores - 1 ))
+
+ if [ -e "$procfs/cpuinfo" ]; then
+- cpu_vendor=$( grep '^vendor_id' "$procfs/cpuinfo" | awk '{print $3}' | head -1)
+- cpu_friendly_name=$(grep '^model name' "$procfs/cpuinfo" | cut -d: -f2- | head -1 | sed -e 's/^ *//')
++ cpu_vendor=$( @grep@ '^vendor_id' "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1)
++ cpu_friendly_name=$(@grep@ '^model name' "$procfs/cpuinfo" | @cut@ -d: -f2- | @head@ -1 | @sed@ -e 's/^ *//')
+ # special case for ARM follows
+- if grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
++ if @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
+ cpu_vendor='ARM'
+ # some devices (phones or other) have several ARMs and as such different part numbers,
+ # an example is "bigLITTLE", so we need to store the whole list, this is needed for is_cpu_affected
+- cpu_part_list=$(awk '/CPU part/ {print $4}' "$procfs/cpuinfo")
+- cpu_arch_list=$(awk '/CPU architecture/ {print $3}' "$procfs/cpuinfo")
++ cpu_part_list=$(@awk@ '/CPU part/ {print $4}' "$procfs/cpuinfo")
++ cpu_arch_list=$(@awk@ '/CPU architecture/ {print $3}' "$procfs/cpuinfo")
+ # take the first one to fill the friendly name, do NOT quote the vars below
+ # shellcheck disable=SC2086
+- cpu_arch=$(echo $cpu_arch_list | awk '{ print $1 }')
++ cpu_arch=$(echo $cpu_arch_list | @awk@ '{ print $1 }')
+ # shellcheck disable=SC2086
+- cpu_part=$(echo $cpu_part_list | awk '{ print $1 }')
++ cpu_part=$(echo $cpu_part_list | @awk@ '{ print $1 }')
+ [ "$cpu_arch" = "AArch64" ] && cpu_arch=8
+ cpu_friendly_name="ARM"
+ [ -n "$cpu_arch" ] && cpu_friendly_name="$cpu_friendly_name v$cpu_arch"
+ [ -n "$cpu_part" ] && cpu_friendly_name="$cpu_friendly_name model $cpu_part"
+
+- elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
++ elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
+ cpu_vendor='CAVIUM'
+- elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
++ elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
+ cpu_vendor='PHYTIUM'
+ fi
+
+- cpu_family=$( grep '^cpu family' "$procfs/cpuinfo" | awk '{print $4}' | grep -E '^[0-9]+$' | head -1)
+- cpu_model=$( grep '^model' "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
+- cpu_stepping=$(grep '^stepping' "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
+- cpu_ucode=$( grep '^microcode' "$procfs/cpuinfo" | awk '{print $3}' | head -1)
++ cpu_family=$( @grep@ '^cpu family' "$procfs/cpuinfo" | @awk@ '{print $4}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++ cpu_model=$( @grep@ '^model' "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++ cpu_stepping=$(@grep@ '^stepping' "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++ cpu_ucode=$( @grep@ '^microcode' "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1)
+ else
+- cpu_vendor=$( dmesg | grep -i -m1 'Origin=' | cut -f2 -w | cut -f2 -d= | cut -f2 -d\" )
+- cpu_family=$( dmesg | grep -i -m1 'Family=' | cut -f4 -w | cut -f2 -d= )
++ cpu_vendor=$( @dmesg@ | @grep@ -i -m1 'Origin=' | @cut@ -f2 -w | @cut@ -f2 -d= | @cut@ -f2 -d\" )
++ cpu_family=$( @dmesg@ | @grep@ -i -m1 'Family=' | @cut@ -f4 -w | @cut@ -f2 -d= )
+ cpu_family=$(( cpu_family ))
+- cpu_model=$( dmesg | grep -i -m1 'Model=' | cut -f5 -w | cut -f2 -d= )
++ cpu_model=$( @dmesg@ | @grep@ -i -m1 'Model=' | @cut@ -f5 -w | @cut@ -f2 -d= )
+ cpu_model=$(( cpu_model ))
+- cpu_stepping=$( dmesg | grep -i -m1 'Stepping=' | cut -f6 -w | cut -f2 -d= )
+- cpu_friendly_name=$(sysctl -n hw.model 2>/dev/null)
++ cpu_stepping=$( @dmesg@ | @grep@ -i -m1 'Stepping=' | @cut@ -f6 -w | @cut@ -f2 -d= )
++ cpu_friendly_name=$(@sysctl@ -n hw.model 2>/dev/null)
+ fi
+
+ if [ -n "${SMC_MOCK_CPU_FRIENDLY_NAME:-}" ]; then
+@@ -1609,7 +1609,7 @@ parse_cpu_details()
+ # call CPUID
+ cpucontrol -i 1 /dev/cpuctl0 >/dev/null
+ # read MSR
+- cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | awk '{print $3}')
++ cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | @awk@ '{print $3}')
+ # convert to decimal
+ cpu_ucode=$(( cpu_ucode ))
+ # convert back to hex
+@@ -1628,7 +1628,7 @@ parse_cpu_details()
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CPU_UCODE='$cpu_ucode'")
+ fi
+
+- echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$(( cpu_ucode ))
++ echo "$cpu_ucode" | @grep@ -q ^0x && cpu_ucode=$(( cpu_ucode ))
+ ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid")
+
+ # also define those that we will need in other funcs
+@@ -1725,8 +1725,8 @@ is_cpu_smt_enabled()
+ {
+ # SMT / HyperThreading is enabled if siblings != cpucores
+ if [ -e "$procfs/cpuinfo" ]; then
+- _siblings=$(awk '/^siblings/ {print $3;exit}' "$procfs/cpuinfo")
+- _cpucores=$(awk '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo")
++ _siblings=$(@awk@ '/^siblings/ {print $3;exit}' "$procfs/cpuinfo")
++ _cpucores=$(@awk@ '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo")
+ if [ -n "$_siblings" ] && [ -n "$_cpucores" ]; then
+ if [ "$_siblings" = "$_cpucores" ]; then
+ return 1
+@@ -1774,10 +1774,10 @@ is_ucode_blacklisted()
+ $INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b \
+ $INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712
+ do
+- model=$(echo "$tuple" | cut -d, -f1)
+- stepping=$(( $(echo "$tuple" | cut -d, -f2) ))
++ model=$(echo "$tuple" | @cut@ -d, -f1)
++ stepping=$(( $(echo "$tuple" | @cut@ -d, -f2) ))
+ if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" = "$stepping" ]; then
+- ucode=$(( $(echo "$tuple" | cut -d, -f3) ))
++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
+ if [ "$cpu_ucode" = "$ucode" ]; then
+ _debug "is_ucode_blacklisted: we have a match! ($cpu_model/$cpu_stepping/$cpu_ucode)"
+ return 0
+@@ -1865,7 +1865,7 @@ is_xen_dom0()
+ return 1
+ fi
+
+- if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d" "$procfs/xen/capabilities"; then
++ if [ -e "$procfs/xen/capabilities" ] && @grep@ -q "control_d" "$procfs/xen/capabilities"; then
+ return 0
+ else
+ return 1
+@@ -1893,13 +1893,13 @@ is_xen_domU()
+
+ if [ -r "$mcedb_cache" ]; then
+ # we have a local cache file, but it might be older than the builtin version we have
+- local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
++ local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+ mcedb_source="$mcedb_cache"
+ mcedb_info="local firmwares DB $local_dbversion"
+ fi
+ read_mcedb()
+ {
+- awk '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
++ @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
+ }
+
+ is_latest_known_ucode()
+@@ -1920,10 +1920,10 @@ is_latest_known_ucode()
+ else
+ return 2
+ fi
+- for tuple in $(read_mcedb | grep "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
++ for tuple in $(read_mcedb | @grep@ "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
+ do
+- ucode=$(( $(echo "$tuple" | cut -d, -f3) ))
+- ucode_date=$(echo "$tuple" | cut -d, -f4 | sed -r 's=(....)(..)(..)=\1/\2/\3=')
++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
++ ucode_date=$(echo "$tuple" | @cut@ -d, -f4 | @sed@ -r 's=(....)(..)(..)=\1/\2/\3=')
+ _debug "is_latest_known_ucode: with cpuid $cpu_cpuid has ucode $cpu_ucode, last known is $ucode from $ucode_date"
+ ucode_latest=$(printf "latest version is 0x%x dated $ucode_date according to $mcedb_info" "$ucode")
+ if [ "$cpu_ucode" -ge "$ucode" ]; then
+@@ -1948,7 +1948,7 @@ get_cmdline()
+ kernel_cmdline="$SMC_MOCK_CMDLINE"
+ return
+ else
+- kernel_cmdline=$(cat "$procfs/cmdline")
++ kernel_cmdline=$(@cat@ "$procfs/cmdline")
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CMDLINE='$kernel_cmdline'")
+ fi
+ }
+@@ -1956,7 +1956,7 @@ get_cmdline()
+ # ENTRYPOINT
+
+ # we can't do anything useful under WSL
+-if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then
++if @uname@ -a | @grep@ -qE -- '-Microsoft #[0-9]+-Microsoft '; then
+ _warn "This script doesn't work under Windows Subsystem for Linux"
+ _warn "You should use the official Microsoft tool instead."
+ _warn "It can be found under https://aka.ms/SpeculationControlPS"
+@@ -2005,15 +2005,15 @@ fi
+
+ # if we're under a BSD, try to mount linprocfs for "$procfs/cpuinfo"
+ procfs=/proc
+-if echo "$os" | grep -q BSD; then
++if echo "$os" | @grep@ -q BSD; then
+ _debug "We're under BSD, check if we have procfs"
+- procfs=$(mount | awk '/^linprocfs/ { print $3; exit; }')
++ procfs=$(@mount@ | @awk@ '/^linprocfs/ { print $3; exit; }')
+ if [ -z "$procfs" ]; then
+ _debug "we don't, try to mount it"
+ procfs=/proc
+ [ -d /compat/linux/proc ] && procfs=/compat/linux/proc
+ test -d $procfs || mkdir $procfs
+- if mount -t linprocfs linprocfs $procfs 2>/dev/null; then
++ if @mount@ -t linprocfs linprocfs $procfs 2>/dev/null; then
+ mounted_procfs=1
+ _debug "procfs just mounted at $procfs"
+ else
+@@ -2045,14 +2045,14 @@ fi
+
+ if [ "$opt_live" = 1 ]; then
+ # root check (only for live mode, for offline mode, we already checked if we could read the files)
+- if [ "$(id -u)" -ne 0 ]; then
++ if [ "$(@id@ -u)" -ne 0 ]; then
+ _warn "Note that you should launch this script with root privileges to get accurate information."
+ _warn "We'll proceed but you might see permission denied errors."
+ _warn "To run it as root, you can try the following command: sudo $0"
+ _warn
+ fi
+ _info "Checking for vulnerabilities on current system"
+- _info "Kernel is \033[35m$os $(uname -r) $(uname -v) $(uname -m)\033[0m"
++ _info "Kernel is \033[35m$os $(@uname@ -r) $(@uname@ -v) $(@uname@ -m)\033[0m"
+ _info "CPU is \033[35m$cpu_friendly_name\033[0m"
+
+ # try to find the image of the current running kernel
+@@ -2060,12 +2060,12 @@ if [ "$opt_live" = 1 ]; then
+ # specified by user on cmdline, with --live, don't override
+ :
+ # first, look for the BOOT_IMAGE hint in the kernel cmdline
+- elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then
+- opt_kernel=$(echo "$kernel_cmdline" | grep -Eo 'BOOT_IMAGE=[^ ]+' | cut -d= -f2)
++ elif echo "$kernel_cmdline" | @grep@ -q 'BOOT_IMAGE='; then
++ opt_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo 'BOOT_IMAGE=[^ ]+' | @cut@ -d= -f2)
+ _debug "found opt_kernel=$opt_kernel in $procfs/cmdline"
+ # if the boot partition is within a btrfs subvolume, strip the subvolume name
+ # if /boot is a separate subvolume, the remainder of the code in this section should handle it
+- if echo "$opt_kernel" | grep -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi
++ if echo "$opt_kernel" | @grep@ -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | @sed@ "s:/@[^/]*::"); fi
+ # if we have a dedicated /boot partition, our bootloader might have just called it /
+ # so try to prepend /boot and see if we find anything
+ [ -e "/boot/$opt_kernel" ] && opt_kernel="/boot/$opt_kernel"
+@@ -2077,7 +2077,7 @@ if [ "$opt_live" = 1 ]; then
+ # if we didn't find a kernel, default to guessing
+ if [ ! -e "$opt_kernel" ]; then
+ # Fedora:
+- [ -e "/lib/modules/$(uname -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(uname -r)/vmlinuz"
++ [ -e "/lib/modules/$(@uname@ -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(@uname@ -r)/vmlinuz"
+ # Slackware:
+ [ -e "/boot/vmlinuz" ] && opt_kernel="/boot/vmlinuz"
+ # Arch aarch64:
+@@ -2091,24 +2091,24 @@ if [ "$opt_live" = 1 ]; then
+ # pine64
+ [ -e "/boot/pine64/Image" ] && opt_kernel="/boot/pine64/Image"
+ # generic:
+- [ -e "/boot/vmlinuz-$(uname -r)" ] && opt_kernel="/boot/vmlinuz-$(uname -r)"
+- [ -e "/boot/kernel-$( uname -r)" ] && opt_kernel="/boot/kernel-$( uname -r)"
+- [ -e "/boot/bzImage-$(uname -r)" ] && opt_kernel="/boot/bzImage-$(uname -r)"
++ [ -e "/boot/vmlinuz-$(@uname@ -r)" ] && opt_kernel="/boot/vmlinuz-$(@uname@ -r)"
++ [ -e "/boot/kernel-$( @uname@ -r)" ] && opt_kernel="/boot/kernel-$( @uname@ -r)"
++ [ -e "/boot/bzImage-$(@uname@ -r)" ] && opt_kernel="/boot/bzImage-$(@uname@ -r)"
+ # Gentoo:
+- [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
++ [ -e "/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)" ] && opt_kernel="/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)"
+ # NixOS:
+ [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
+ # Guix System:
+ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ # systemd kernel-install:
+- [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
++ [ -e "/etc/machine-id" ] && [ -e "/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux" ] && opt_kernel="/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux"
+ # Clear Linux:
+- str_uname=$(uname -r)
++ str_uname=$(@uname@ -r)
+ clear_linux_kernel="/lib/kernel/org.clearlinux.${str_uname##*.}.${str_uname%.*}"
+ [ -e "$clear_linux_kernel" ] && opt_kernel=$clear_linux_kernel
+ # Custom Arch seems to have the kernel path in its cmdline in the form "\directory\kernelimage",
+ # with actual \'s instead of /'s:
+- custom_arch_kernel=$(echo "$kernel_cmdline" | grep -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d '[:space:]')
++ custom_arch_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | @tr@ "\\\\" "/" | @tr@ -d '[:space:]')
+ if [ -n "$custom_arch_kernel" ] && [ -e "$custom_arch_kernel" ]; then
+ opt_kernel="$custom_arch_kernel"
+ fi
+@@ -2122,12 +2122,12 @@ if [ "$opt_live" = 1 ]; then
+ :
+ elif [ -e "$procfs/kallsyms" ] ; then
+ opt_map="$procfs/kallsyms"
+- elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then
+- opt_map="/lib/modules/$(uname -r)/System.map"
+- elif [ -e "/boot/System.map-$(uname -r)" ] ; then
+- opt_map="/boot/System.map-$(uname -r)"
+- elif [ -e "/lib/kernel/System.map-$(uname -r)" ]; then
+- opt_map="/lib/kernel/System.map-$(uname -r)"
++ elif [ -e "/lib/modules/$(@uname@ -r)/System.map" ] ; then
++ opt_map="/lib/modules/$(@uname@ -r)/System.map"
++ elif [ -e "/boot/System.map-$(@uname@ -r)" ] ; then
++ opt_map="/boot/System.map-$(@uname@ -r)"
++ elif [ -e "/lib/kernel/System.map-$(@uname@ -r)" ]; then
++ opt_map="/lib/kernel/System.map-$(@uname@ -r)"
+ fi
+
+ # config
+@@ -2135,18 +2135,18 @@ if [ "$opt_live" = 1 ]; then
+ # specified by user on cmdline, with --live, don't override
+ :
+ elif [ -e "$procfs/config.gz" ] ; then
+- dumped_config="$(mktemp -t smc-config-XXXXXX)"
+- gunzip -c "$procfs/config.gz" > "$dumped_config"
++ dumped_config="$(@mktemp@ -t smc-config-XXXXXX)"
++ @gunzip@ -c "$procfs/config.gz" > "$dumped_config"
+ # dumped_config will be deleted at the end of the script
+ opt_config="$dumped_config"
+- elif [ -e "/lib/modules/$(uname -r)/config" ]; then
+- opt_config="/lib/modules/$(uname -r)/config"
+- elif [ -e "/boot/config-$(uname -r)" ]; then
+- opt_config="/boot/config-$(uname -r)"
+- elif [ -e "/etc/kernels/kernel-config-$(uname -m)-$(uname -r)" ]; then
+- opt_config="/etc/kernels/kernel-config-$(uname -m)-$(uname -r)"
+- elif [ -e "/lib/kernel/config-$(uname -r)" ]; then
+- opt_config="/lib/kernel/config-$(uname -r)"
++ elif [ -e "/lib/modules/$(@uname@ -r)/config" ]; then
++ opt_config="/lib/modules/$(@uname@ -r)/config"
++ elif [ -e "/boot/config-$(@uname@ -r)" ]; then
++ opt_config="/boot/config-$(@uname@ -r)"
++ elif [ -e "/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)" ]; then
++ opt_config="/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)"
++ elif [ -e "/lib/kernel/config-$(@uname@ -r)" ]; then
++ opt_config="/lib/kernel/config-$(@uname@ -r)"
+ fi
+ else
+ _info "Checking for vulnerabilities against specified kernel"
+@@ -2161,7 +2161,7 @@ else
+ fi
+
+ if [ "$os" = Linux ]; then
+- if [ -n "$opt_config" ] && ! grep -q '^CONFIG_' "$opt_config"; then
++ if [ -n "$opt_config" ] && ! @grep@ -q '^CONFIG_' "$opt_config"; then
+ # given file is invalid!
+ _warn "The kernel config file seems invalid, was expecting a plain-text file, ignoring it!"
+ opt_config=''
+@@ -2189,7 +2189,7 @@ if [ "$os" = Linux ]; then
+ fi
+
+ if [ -e "$opt_kernel" ]; then
+- if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then
++ if ! command -v "@readelf@" >/dev/null 2>&1; then
+ _debug "readelf not found"
+ kernel_err="missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the 'binutils' package"
+ elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ]; then
+@@ -2207,20 +2207,20 @@ else
+ # vanilla kernels have with ^Linux version
+ # also try harder with some kernels (such as Red Hat) that don't have ^Linux version before their version string
+ # and check for FreeBSD
+- kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E \
++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E \
+ -e '^Linux version ' \
+ -e '^[[:alnum:]][^[:space:]]+ \([^[:space:]]+\) #[0-9]+ .+ (19|20)[0-9][0-9]$' \
+- -e '^FreeBSD [0-9]' | head -1)
++ -e '^FreeBSD [0-9]' | @head@ -1)
+ if [ -z "$kernel_version" ]; then
+ # try even harder with some kernels (such as ARM) that split the release (uname -r) and version (uname -v) in 2 adjacent strings
+- kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | tr "\n" " ")
++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | @tr@ "\n" " ")
+ fi
+ if [ -n "$kernel_version" ]; then
+ # in live mode, check if the img we found is the correct one
+ if [ "$opt_live" = 1 ]; then
+ _verbose "Kernel image is \033[35m$kernel_version"
+- if ! echo "$kernel_version" | grep -qF "$(uname -r)"; then
+- _warn "Possible discrepancy between your running kernel '$(uname -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect"
++ if ! echo "$kernel_version" | @grep@ -qF "$(@uname@ -r)"; then
++ _warn "Possible discrepancy between your running kernel '$(@uname@ -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect"
+ fi
+ else
+ _info "Kernel image is \033[35m$kernel_version"
+@@ -2248,11 +2248,11 @@ sys_interface_check()
+ if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r "$file" ]; then
+ :
+ else
+- mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")_RET=1")
++ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")_RET=1")
+ return 1
+ fi
+
+- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")_RET"
++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")_RET"
+ # shellcheck disable=SC2086,SC1083
+ if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
+ _debug "sysfs: MOCKING enabled for $file func returns $(eval echo \$$_mockvarname)"
+@@ -2261,17 +2261,17 @@ sys_interface_check()
+ fi
+
+ [ -n "$regex" ] || regex='.*'
+- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")"
++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")"
+ # shellcheck disable=SC2086,SC1083
+ if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
+ fullmsg="$(eval echo \$$_mockvarname)"
+- msg=$(echo "$fullmsg" | grep -Eo "$regex")
++ msg=$(echo "$fullmsg" | @grep@ -Eo "$regex")
+ _debug "sysfs: MOCKING enabled for $file, will return $fullmsg"
+ mocked=1
+ else
+- fullmsg=$(cat "$file")
+- msg=$(grep -Eo "$regex" "$file")
+- mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")='$fullmsg'")
++ fullmsg=$(@cat@ "$file")
++ msg=$(@grep@ -Eo "$regex" "$file")
++ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")='$fullmsg'")
+ fi
+ if [ "$mode" = silent ]; then
+ return 0
+@@ -2280,15 +2280,15 @@ sys_interface_check()
+ return 0
+ fi
+ _info_nol "* Mitigated according to the /sys interface: "
+- if echo "$msg" | grep -qi '^not affected'; then
++ if echo "$msg" | @grep@ -qi '^not affected'; then
+ # Not affected
+ status=OK
+ pstatus green YES "$fullmsg"
+- elif echo "$msg" | grep -qEi '^(kvm: )?mitigation'; then
++ elif echo "$msg" | @grep@ -qEi '^(kvm: )?mitigation'; then
+ # Mitigation: PTI
+ status=OK
+ pstatus green YES "$fullmsg"
+- elif echo "$msg" | grep -qi '^vulnerable'; then
++ elif echo "$msg" | @grep@ -qi '^vulnerable'; then
+ # Vulnerable
+ status=VULN
+ pstatus yellow NO "$fullmsg"
+@@ -2376,20 +2376,20 @@ write_msr_one_core()
+ # ret=4: msr doesn't exist, ret=127: msr.allow_writes=off
+ [ "$ret" = 127 ] && _write_denied=1
+ # or fallback to dd if it supports seek_bytes, we prefer it over perl because we can tell the difference between EPERM and EIO
+- elif dd if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
+ _debug "write_msr: using dd"
+- dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
++ @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
+ # if it failed, inspect stderrto look for EPERM
+ if [ "$ret" != 0 ]; then
+- if dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then
++ if @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | @grep@ -qF 'Operation not permitted'; then
+ _write_denied=1
+ fi
+ fi
+ # or if we have perl, use it, any 5.x version will work
+- elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
++ elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
+ _debug "write_msr: using perl"
+ ret=1
+- perl -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0
++ @perl@ -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0
+ else
+ _debug "write_msr: got no wrmsr, perl or recent enough dd!"
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR")
+@@ -2411,13 +2411,13 @@ write_msr_one_core()
+ msr_locked_down=1
+ write_msr_msg="your kernel is configured to deny writes to MSRs from user space"
+ return $WRITE_MSR_RET_LOCKDOWN
+- elif dmesg | grep -qF "msr: Direct access to MSR"; then
++ elif @dmesg@ | @grep@ -qF "msr: Direct access to MSR"; then
+ _debug "write_msr: locked down kernel detected (Red Hat / Fedora)"
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
+ msr_locked_down=1
+ write_msr_msg="your kernel is locked down (Fedora/Red Hat), please reboot without secure boot and retry"
+ return $WRITE_MSR_RET_LOCKDOWN
+- elif dmesg | grep -qF "raw MSR access is restricted"; then
++ elif @dmesg@ | @grep@ -qF "raw MSR access is restricted"; then
+ _debug "write_msr: locked down kernel detected (vanilla)"
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
+ msr_locked_down=1
+@@ -2516,8 +2516,8 @@ read_msr_one_core()
+ return $READ_MSR_RET_KO
+ fi
+ # MSR 0x10: 0x000003e1 0xb106dded
+- _msr_h=$(echo "$_msr" | awk '{print $3}');
+- _msr_l=$(echo "$_msr" | awk '{print $4}');
++ _msr_h=$(echo "$_msr" | @awk@ '{print $3}');
++ _msr_l=$(echo "$_msr" | @awk@ '{print $4}');
+ read_msr_value=$(( _msr_h << 32 | _msr_l ))
+ else
+ # for Linux
+@@ -2528,15 +2528,15 @@ read_msr_one_core()
+ # if rdmsr is available, use it
+ elif command -v rdmsr >/dev/null 2>&1 && [ "${SMC_NO_RDMSR:-}" != 1 ]; then
+ _debug "read_msr: using rdmsr on $_msr"
+- read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | od -t u8 -A n)
++ read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | @od@ -t u8 -A n)
+ # or if we have perl, use it, any 5.x version will work
+- elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
++ elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
+ _debug "read_msr: using perl on $_msr"
+- read_msr_value=$(perl -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | od -t u8 -A n)
++ read_msr_value=$(@perl@ -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | @od@ -t u8 -A n)
+ # fallback to dd if it supports skip_bytes
+- elif dd if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
+ _debug "read_msr: using dd on $_msr"
+- read_msr_value=$(dd if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8 -A n)
++ read_msr_value=$(@dd@ if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | @od@ -t u8 -A n)
+ else
+ _debug "read_msr: got no rdmsr, perl or recent enough dd!"
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR")
+@@ -2560,7 +2560,7 @@ check_cpu()
+ {
+ _info "\033[1;34mHardware check\033[0m"
+
+- if ! uname -m | grep -qwE 'x86_64|i[3-6]86|amd64'; then
++ if ! @uname@ -m | @grep@ -qwE 'x86_64|i[3-6]86|amd64'; then
+ return
+ fi
+
+@@ -3176,19 +3176,19 @@ check_redhat_canonical_spectre()
+ # if we were already called, don't do it again
+ [ -n "${redhat_canonical_spectre:-}" ] && return
+
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ redhat_canonical_spectre=-1
+ elif [ -n "$kernel_err" ]; then
+ redhat_canonical_spectre=-2
+ else
+ # Red Hat / Ubuntu specific variant1 patch is difficult to detect,
+ # let's use the two same tricks than the official Red Hat detection script uses:
+- if "${opt_arch_prefix}strings" "$kernel" | grep -qw noibrs && "${opt_arch_prefix}strings" "$kernel" | grep -qw noibpb; then
++ if "@strings@" "$kernel" | @grep@ -qw noibrs && "@strings@" "$kernel" | @grep@ -qw noibpb; then
+ # 1) detect their specific variant2 patch. If it's present, it means
+ # that the variant1 patch is also present (both were merged at the same time)
+ _debug "found redhat/canonical version of the variant2 patch (implies variant1)"
+ redhat_canonical_spectre=1
+- elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'x86/pti:'; then
++ elif "@strings@" "$kernel" | @grep@ -q 'x86/pti:'; then
+ # 2) detect their specific variant3 patch. If it's present, but the variant2
+ # is not, it means that only variant1 is present in addition to variant3
+ _debug "found redhat/canonical version of the variant3 patch (implies variant1 but not variant2)"
+@@ -3213,13 +3213,13 @@ check_has_vmm()
+ # If we find no evidence that this is the case, assume we're not (to avoid scaring users),
+ # this can always be overridden with --vmm in any case.
+ has_vmm=0
+- if command -v pgrep >/dev/null 2>&1; then
++ if command -v @pgrep@ >/dev/null 2>&1; then
+ # remove xenbus and xenwatch, also present inside domU
+ # remove libvirtd as it can also be used to manage containers and not VMs
+ # for each binary we want to grep, get the pids
+ for _binary in qemu kvm xenstored xenconsoled
+ do
+- for _pid in $(pgrep -x $_binary)
++ for _pid in $(@pgrep@ -x $_binary)
+ do
+ # resolve the exe symlink, if it doesn't resolve with -m,
+ # which doesn't even need the dest to exist, it means the symlink
+@@ -3235,7 +3235,7 @@ check_has_vmm()
+ else
+ # ignore SC2009 as `ps ax` is actually used as a fallback if `pgrep` isn't installed
+ # shellcheck disable=SC2009
+- if command -v ps >/devnull && ps ax | grep -vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then
++ if command -v ps >/devnull && ps ax | @grep@ -vw grep | @grep@ -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then
+ has_vmm=1
+ fi
+ fi
+@@ -3267,7 +3267,7 @@ check_CVE_2017_5753()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2017_5753_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2017_5753_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -3319,20 +3319,20 @@ check_CVE_2017_5753_linux()
+ v1_mask_nospec=''
+ if [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+- elif ! command -v perl >/dev/null 2>&1; then
++ elif ! command -v @perl@ >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+ else
+- perl -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
++ @perl@ -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
+ if [ $ret -gt 0 ]; then
+ pstatus green YES "$ret occurrence(s) found of x86 64 bits array_index_mask_nospec()"
+ v1_mask_nospec="x86 64 bits array_index_mask_nospec"
+ else
+- perl -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
++ @perl@ -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
+ if [ $ret -gt 0 ]; then
+ pstatus green YES "$ret occurrence(s) found of x86 32 bits array_index_mask_nospec()"
+ v1_mask_nospec="x86 32 bits array_index_mask_nospec"
+ else
+- ret=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" | grep -w -e f3af8014 -e e320f014 -B2 | grep -B1 -w sbc | grep -w -c cmp)
++ ret=$("@objdump@" $objdump_options "$kernel" | @grep@ -w -e f3af8014 -e e320f014 -B2 | @grep@ -B1 -w sbc | @grep@ -w -c cmp)
+ if [ "$ret" -gt 0 ]; then
+ pstatus green YES "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()"
+ v1_mask_nospec="arm 32 bits array_index_mask_nospec"
+@@ -3376,12 +3376,12 @@ check_CVE_2017_5753_linux()
+ pstatus yellow NO
+ elif [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+- elif ! command -v perl >/dev/null 2>&1; then
++ elif ! command -v @perl@ >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+- elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++ elif ! command -v "@objdump@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ else
+- "${opt_arch_prefix}objdump" $objdump_options "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
++ "@objdump@" $objdump_options "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
+ if [ "$ret" -eq 9 ]; then
+ pstatus green YES "mask_nospec64 macro is present and used"
+ v1_mask_nospec="arm64 mask_nospec64"
+@@ -3403,12 +3403,12 @@ check_CVE_2017_5753_linux()
+ pstatus yellow NO
+ elif [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+- elif ! command -v perl >/dev/null 2>&1; then
++ elif ! command -v @perl@ >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+- elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++ elif ! command -v "@objdump@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ else
+- "${opt_arch_prefix}objdump" -d "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$?
++ "@objdump@" -d "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$?
+ if [ "$ret" -eq 9 ]; then
+ pstatus green YES "array_index_nospec macro is present and used"
+ v1_mask_nospec="arm64 array_index_nospec"
+@@ -3424,7 +3424,7 @@ check_CVE_2017_5753_linux()
+ if [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ else
+- if ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++ if ! command -v "@objdump@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ else
+ # here we disassemble the kernel and count the number of occurrences of the LFENCE opcode
+@@ -3434,7 +3434,7 @@ check_CVE_2017_5753_linux()
+ # so let's push the threshold to 70.
+ # v0.33+: now only count lfence opcodes after a jump, way less error-prone
+ # non patched kernel have between 0 and 20 matches, patched ones have at least 40-45
+- nb_lfence=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence | grep -Ewc 'jmp|jne|je')
++ nb_lfence=$("@objdump@" $objdump_options "$kernel" 2>/dev/null | @grep@ -w -B1 lfence | @grep@ -Ewc 'jmp|jne|je')
+ if [ "$nb_lfence" -lt 30 ]; then
+ pstatus yellow NO "only $nb_lfence jump-then-lfence instructions found, should be >= 30 (heuristic)"
+ else
+@@ -3505,7 +3505,7 @@ check_CVE_2017_5715()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2017_5715_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2017_5715_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -3547,13 +3547,13 @@ check_CVE_2017_5715_linux()
+ # /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed
+ specex_knob_dir=$dir
+ ibrs_supported="$dir/ibrs_enabled exists"
+- ibrs_enabled=$(cat "$dir/ibrs_enabled" 2>/dev/null)
++ ibrs_enabled=$(@cat@ "$dir/ibrs_enabled" 2>/dev/null)
+ _debug "ibrs: found $dir/ibrs_enabled=$ibrs_enabled"
+ # if ibrs_enabled is there, ibpb_enabled will be in the same dir
+ if [ -e "$dir/ibpb_enabled" ]; then
+ # if the file is there, we have IBPB compiled-in (see note above for IBRS)
+ ibpb_supported="$dir/ibpb_enabled exists"
+- ibpb_enabled=$(cat "$dir/ibpb_enabled" 2>/dev/null)
++ ibpb_enabled=$(@cat@ "$dir/ibpb_enabled" 2>/dev/null)
+ _debug "ibpb: found $dir/ibpb_enabled=$ibpb_enabled"
+ else
+ _debug "ibpb: $dir/ibpb_enabled file doesn't exist"
+@@ -3568,7 +3568,7 @@ check_CVE_2017_5715_linux()
+ # which in that case means ibrs is supported *and* enabled for kernel & user
+ # as per the ibrs patch series v3
+ if [ -z "$ibrs_supported" ]; then
+- if grep ^flags "$procfs/cpuinfo" | grep -qw spec_ctrl_ibrs; then
++ if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw spec_ctrl_ibrs; then
+ _debug "ibrs: found spec_ctrl_ibrs flag in $procfs/cpuinfo"
+ ibrs_supported="spec_ctrl_ibrs flag in $procfs/cpuinfo"
+ # enabled=2 -> kernel & user
+@@ -3578,13 +3578,13 @@ check_CVE_2017_5715_linux()
+ fi
+ if [ -n "$fullmsg" ]; then
+ # when IBPB is enabled on 4.15+, we can see it in sysfs
+- if echo "$fullmsg" | grep -q 'IBPB'; then
++ if echo "$fullmsg" | @grep@ -q 'IBPB'; then
+ _debug "ibpb: found enabled in sysfs"
+ [ -z "$ibpb_supported" ] && ibpb_supported='IBPB found enabled in sysfs'
+ [ -z "$ibpb_enabled" ] && ibpb_enabled=1
+ fi
+ # when IBRS_FW is enabled on 4.15+, we can see it in sysfs
+- if echo "$fullmsg" | grep -q ', IBRS_FW'; then
++ if echo "$fullmsg" | @grep@ -q ', IBRS_FW'; then
+ _debug "ibrs: found IBRS_FW in sysfs"
+ [ -z "$ibrs_supported" ] && ibrs_supported='found IBRS_FW in sysfs'
+ ibrs_fw_enabled=1
+@@ -3592,13 +3592,13 @@ check_CVE_2017_5715_linux()
+ # when IBRS is enabled on 4.15+, we can see it in sysfs
+ # on a more recent kernel, classic "IBRS" is not even longer an option, because of the performance impact.
+ # only "Enhanced IBRS" is available (on CPUs with the IBRS_ALL flag)
+- if echo "$fullmsg" | grep -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
++ if echo "$fullmsg" | @grep@ -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
+ _debug "ibrs: found IBRS in sysfs"
+ [ -z "$ibrs_supported" ] && ibrs_supported='found IBRS in sysfs'
+ [ -z "$ibrs_enabled" ] && ibrs_enabled=3
+ fi
+ # checking for 'Enhanced IBRS' in sysfs, enabled on CPUs with IBRS_ALL
+- if echo "$fullmsg" | grep -q -e 'Enhanced IBRS'; then
++ if echo "$fullmsg" | @grep@ -q -e 'Enhanced IBRS'; then
+ [ -z "$ibrs_supported" ] && ibrs_supported='found Enhanced IBRS in sysfs'
+ # 4 isn't actually a valid value of the now extinct "ibrs_enabled" flag file,
+ # that only went from 0 to 3, so we use 4 as "enhanced ibrs is enabled"
+@@ -3617,11 +3617,11 @@ check_CVE_2017_5715_linux()
+ fi
+ fi
+ if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ :
+ else
+ ibrs_can_tell=1
+- ibrs_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1)
++ ibrs_supported=$("@strings@" "$kernel" | @grep@ -Fw -e ', IBRS_FW' | @head@ -1)
+ if [ -n "$ibrs_supported" ]; then
+ _debug "ibrs: found ibrs evidence in kernel image ($ibrs_supported)"
+ ibrs_supported="found '$ibrs_supported' in kernel image"
+@@ -3630,7 +3630,7 @@ check_CVE_2017_5715_linux()
+ fi
+ if [ -z "$ibrs_supported" ] && [ -n "$opt_map" ]; then
+ ibrs_can_tell=1
+- if grep -q spec_ctrl "$opt_map"; then
++ if @grep@ -q spec_ctrl "$opt_map"; then
+ ibrs_supported="found spec_ctrl in symbols file"
+ _debug "ibrs: found '*spec_ctrl*' symbol in $opt_map"
+ fi
+@@ -3638,11 +3638,11 @@ check_CVE_2017_5715_linux()
+ # recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat
+ # we can detect it directly in the image
+ if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ :
+ else
+ ibpb_can_tell=1
+- ibpb_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1)
++ ibpb_supported=$("@strings@" "$kernel" | @grep@ -Fw -e 'ibpb' -e ', IBPB' | @head@ -1)
+ if [ -n "$ibpb_supported" ]; then
+ _debug "ibpb: found ibpb evidence in kernel image ($ibpb_supported)"
+ ibpb_supported="found '$ibpb_supported' in kernel image"
+@@ -3691,9 +3691,9 @@ check_CVE_2017_5715_linux()
+ 2) if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel, user space, and firmware code" ; else pstatus green YES "for both kernel and user space"; fi;;
+ 3) if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and firmware code"; else pstatus green YES; fi;;
+ 4) pstatus green YES "Enhanced flavor, performance impact will be greatly reduced";;
+- *) if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ];
+- then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
+- else
++ *) if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ];
++ then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
++ else
+ pstatus yellow UNKNOWN; fi;;
+ esac
+ fi
+@@ -3744,7 +3744,7 @@ check_CVE_2017_5715_linux()
+ bp_harden=''
+ if [ -r "$opt_config" ]; then
+ bp_harden_can_tell=1
+- bp_harden=$(grep -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
++ bp_harden=$(@grep@ -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
+ if [ -n "$bp_harden" ]; then
+ pstatus green YES
+ _debug "bp_harden: found '$bp_harden' in $opt_config"
+@@ -3752,7 +3752,7 @@ check_CVE_2017_5715_linux()
+ fi
+ if [ -z "$bp_harden" ] && [ -n "$opt_map" ]; then
+ bp_harden_can_tell=1
+- bp_harden=$(grep -w bp_hardening_data "$opt_map")
++ bp_harden=$(@grep@ -w bp_hardening_data "$opt_map")
+ if [ -n "$bp_harden" ]; then
+ pstatus green YES
+ _debug "bp_harden: found '$bp_harden' in $opt_map"
+@@ -3770,11 +3770,11 @@ check_CVE_2017_5715_linux()
+ # We check the RETPOLINE kernel options
+ retpoline=0
+ if [ -r "$opt_config" ]; then
+- if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
++ if @grep@ -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
+ pstatus green YES
+ retpoline=1
+ # shellcheck disable=SC2046
+- _debug 'retpoline: found '$(grep '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
++ _debug 'retpoline: found '$(@grep@ '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
+ else
+ pstatus yellow NO
+ fi
+@@ -3795,8 +3795,8 @@ check_CVE_2017_5715_linux()
+ # since 5.15.28, this is now "Retpolines" as the implementation was switched to a generic one,
+ # so we look for both "retpoline" and "retpolines"
+ if [ "$opt_live" = 1 ] && [ -n "$fullmsg" ]; then
+- if echo "$fullmsg" | grep -qwi -e retpoline -e retpolines; then
+- if echo "$fullmsg" | grep -qwi minimal; then
++ if echo "$fullmsg" | @grep@ -qwi -e retpoline -e retpolines; then
++ if echo "$fullmsg" | @grep@ -qwi minimal; then
+ retpoline_compiler=0
+ retpoline_compiler_reason="kernel reports minimal retpoline compilation"
+ else
+@@ -3806,19 +3806,19 @@ check_CVE_2017_5715_linux()
+ fi
+ elif [ -n "$opt_map" ]; then
+ # look for the symbol
+- if grep -qw noretpoline_setup "$opt_map"; then
++ if @grep@ -qw noretpoline_setup "$opt_map"; then
+ retpoline_compiler=1
+ retpoline_compiler_reason="noretpoline_setup symbol found in System.map"
+ fi
+ elif [ -n "$kernel" ]; then
+ # look for the symbol
+- if command -v "${opt_arch_prefix}nm" >/dev/null 2>&1; then
++ if command -v "@nm@" >/dev/null 2>&1; then
+ # the proper way: use nm and look for the symbol
+- if "${opt_arch_prefix}nm" "$kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then
++ if "@nm@" "$kernel" 2>/dev/null | @grep@ -qw 'noretpoline_setup'; then
+ retpoline_compiler=1
+ retpoline_compiler_reason="noretpoline_setup found in kernel symbols"
+ fi
+- elif grep -q noretpoline_setup "$kernel"; then
++ elif @grep@ -q noretpoline_setup "$kernel"; then
+ # if we don't have nm, nevermind, the symbol name is long enough to not have
+ # any false positive using good old grep directly on the binary
+ retpoline_compiler=1
+@@ -3847,7 +3847,7 @@ check_CVE_2017_5715_linux()
+ retp_enabled=-1
+ if [ "$opt_live" = 1 ]; then
+ if [ -e "$specex_knob_dir/retp_enabled" ]; then
+- retp_enabled=$(cat "$specex_knob_dir/retp_enabled" 2>/dev/null)
++ retp_enabled=$(@cat@ "$specex_knob_dir/retp_enabled" 2>/dev/null)
+ _debug "retpoline: found $specex_knob_dir/retp_enabled=$retp_enabled"
+ _info_nol " * Retpoline is enabled: "
+ if [ "$retp_enabled" = 1 ]; then
+@@ -3877,7 +3877,7 @@ check_CVE_2017_5715_linux()
+ rsb_filling=0
+ if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then
+ # if we're live and we aren't denied looking into /sys, let's do it
+- if echo "$msg" | grep -qw RSB; then
++ if echo "$msg" | @grep@ -qw RSB; then
+ rsb_filling=1
+ pstatus green YES
+ fi
+@@ -3886,7 +3886,7 @@ check_CVE_2017_5715_linux()
+ if [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ else
+- if grep -qw -e 'Filling RSB on context switch' "$kernel"; then
++ if @grep@ -qw -e 'Filling RSB on context switch' "$kernel"; then
+ rsb_filling=1
+ pstatus green YES
+ else
+@@ -4048,7 +4048,7 @@ check_CVE_2017_5715_bsd()
+ {
+ _info "* Mitigation 1"
+ _info_nol " * Kernel supports IBRS: "
+- ibrs_disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null)
++ ibrs_disabled=$(@sysctl@ -n hw.ibrs_disable 2>/dev/null)
+ if [ -z "$ibrs_disabled" ]; then
+ pstatus yellow NO
+ else
+@@ -4056,7 +4056,7 @@ check_CVE_2017_5715_bsd()
+ fi
+
+ _info_nol " * IBRS enabled and active: "
+- ibrs_active=$(sysctl -n hw.ibrs_active 2>/dev/null)
++ ibrs_active=$(@sysctl@ -n hw.ibrs_active 2>/dev/null)
+ if [ "$ibrs_active" = 1 ]; then
+ pstatus green YES
+ else
+@@ -4069,10 +4069,10 @@ check_CVE_2017_5715_bsd()
+ if [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ else
+- if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then
++ if ! command -v "@readelf@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the binutils package"
+ else
+- nb_thunks=$("${opt_arch_prefix}readelf" -s "$kernel" | grep -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_)
++ nb_thunks=$("@readelf@" -s "$kernel" | @grep@ -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_)
+ if [ "$nb_thunks" -gt 0 ]; then
+ retpoline=1
+ pstatus green YES "found $nb_thunks thunk(s)"
+@@ -4113,7 +4113,7 @@ check_CVE_2017_5715_bsd()
+ pti_performance_check()
+ {
+ _info_nol " * Reduced performance impact of PTI: "
+- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw pcid; then
++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pcid; then
+ cpu_pcid=1
+ else
+ read_cpuid 0x1 0x0 $ECX 17 1 1; ret=$?
+@@ -4122,7 +4122,7 @@ pti_performance_check()
+ fi
+ fi
+
+- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw invpcid; then
++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw invpcid; then
+ cpu_invpcid=1
+ else
+ read_cpuid 0x7 0x0 $EBX 10 1 1; ret=$?
+@@ -4147,7 +4147,7 @@ check_CVE_2017_5754()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2017_5754_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2017_5754_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -4169,7 +4169,7 @@ check_CVE_2017_5754_linux()
+ kpti_can_tell=0
+ if [ -n "$opt_config" ]; then
+ kpti_can_tell=1
+- kpti_support=$(grep -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
++ kpti_support=$(@grep@ -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
+ if [ -n "$kpti_support" ]; then
+ _debug "kpti_support: found option '$kpti_support' in $opt_config"
+ fi
+@@ -4179,7 +4179,7 @@ check_CVE_2017_5754_linux()
+ # so we try to find an exported symbol that is part of the PTI patch in System.map
+ # parse_kpti: arm
+ kpti_can_tell=1
+- kpti_support=$(grep -w -e kpti_force_enabled -e parse_kpti "$opt_map")
++ kpti_support=$(@grep@ -w -e kpti_force_enabled -e parse_kpti "$opt_map")
+ if [ -n "$kpti_support" ]; then
+ _debug "kpti_support: found '$kpti_support' in $opt_map"
+ fi
+@@ -4189,10 +4189,10 @@ check_CVE_2017_5754_linux()
+ # nopti option that is part of the patch (kernel command line option)
+ # 'kpti=': arm
+ kpti_can_tell=1
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
+ else
+- kpti_support=$("${opt_arch_prefix}strings" "$kernel" | grep -w -e nopti -e kpti=)
++ kpti_support=$("@strings@" "$kernel" | @grep@ -w -e nopti -e kpti=)
+ if [ -n "$kpti_support" ]; then
+ _debug "kpti_support: found '$kpti_support' in $kernel"
+ fi
+@@ -4219,20 +4219,20 @@ check_CVE_2017_5754_linux()
+ dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
+ # aarch64
+ dmesg_grep="$dmesg_grep|CPU features: detected( feature)?: Kernel page table isolation \(KPTI\)"
+- if grep ^flags "$procfs/cpuinfo" | grep -qw pti; then
++ if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pti; then
+ # vanilla PTI patch sets the 'pti' flag in cpuinfo
+ _debug "kpti_enabled: found 'pti' flag in $procfs/cpuinfo"
+ kpti_enabled=1
+- elif grep ^flags "$procfs/cpuinfo" | grep -qw kaiser; then
++ elif @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw kaiser; then
+ # kernel line 4.9 sets the 'kaiser' flag in cpuinfo
+ _debug "kpti_enabled: found 'kaiser' flag in $procfs/cpuinfo"
+ kpti_enabled=1
+ elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then
+ # Red Hat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
+- kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
++ kpti_enabled=$(@cat@ /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
+ _debug "kpti_enabled: file /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled"
+ elif is_xen_dom0; then
+- pti_xen_pv_domU=$(xl dmesg | grep 'XPTI' | grep 'DomU enabled' | head -1)
++ pti_xen_pv_domU=$(xl @dmesg@ | @grep@ 'XPTI' | @grep@ 'DomU enabled' | @head@ -1)
+
+ [ -n "$pti_xen_pv_domU" ] && kpti_enabled=1
+ fi
+@@ -4307,7 +4307,7 @@ check_CVE_2017_5754_linux()
+ if [ -n "$kpti_support" ]; then
+ if [ -e "/sys/kernel/debug/x86/pti_enabled" ]; then
+ explain "Your kernel supports PTI but it's disabled, you can enable it with \`echo 1 > /sys/kernel/debug/x86/pti_enabled\`"
+- elif echo "$kernel_cmdline" | grep -q -w -e nopti -e pti=off; then
++ elif echo "$kernel_cmdline" | @grep@ -q -w -e nopti -e pti=off; then
+ explain "Your kernel supports PTI but it has been disabled on command-line, remove the nopti or pti=off option from your bootloader configuration"
+ else
+ explain "Your kernel supports PTI but it has been disabled, check \`dmesg\` right after boot to find clues why the system disabled it"
+@@ -4358,7 +4358,7 @@ check_CVE_2017_5754_linux()
+ check_CVE_2017_5754_bsd()
+ {
+ _info_nol "* Kernel supports Page Table Isolation (PTI): "
+- kpti_enabled=$(sysctl -n vm.pmap.pti 2>/dev/null)
++ kpti_enabled=$(@sysctl@ -n vm.pmap.pti 2>/dev/null)
+ if [ -z "$kpti_enabled" ]; then
+ pstatus yellow NO
+ else
+@@ -4429,7 +4429,7 @@ check_CVE_2018_3639()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2018_3639_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2018_3639_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -4448,33 +4448,33 @@ check_CVE_2018_3639_linux()
+ if [ "$opt_sysfs_only" != 1 ]; then
+ _info_nol "* Kernel supports disabling speculative store bypass (SSB): "
+ if [ "$opt_live" = 1 ]; then
+- if grep -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then
++ if @grep@ -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssb="found in $procfs/self/status"
+ _debug "found Speculation.Store.Bypass: in $procfs/self/status"
+ fi
+ fi
+ # arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
+- if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! grep -q 'arm64_sys_' "$kernel"; then
+- kernel_ssb=$("${opt_arch_prefix}strings" "$kernel" | grep spec_store_bypass | head -n1);
++ if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! @grep@ -q 'arm64_sys_' "$kernel"; then
++ kernel_ssb=$("@strings@" "$kernel" | @grep@ spec_store_bypass | @head@ -n1);
+ [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in kernel"
+ fi
+ # arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
+- if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! grep -q 'arm64_sys_' "$opt_map"; then
+- kernel_ssb=$(grep spec_store_bypass "$opt_map" | awk '{print $3}' | head -n1)
++ if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! @grep@ -q 'arm64_sys_' "$opt_map"; then
++ kernel_ssb=$(@grep@ spec_store_bypass "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
+ [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
+ fi
+ # arm64 only:
+ if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ]; then
+- kernel_ssb=$(grep -w cpu_enable_ssbs "$opt_map" | awk '{print $3}' | head -n1)
++ kernel_ssb=$(@grep@ -w cpu_enable_ssbs "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
+ [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
+ fi
+ if [ -z "$kernel_ssb" ] && [ -n "$opt_config" ]; then
+- kernel_ssb=$(grep -w 'CONFIG_ARM64_SSBD=y' "$opt_config")
++ kernel_ssb=$(@grep@ -w 'CONFIG_ARM64_SSBD=y' "$opt_config")
+ [ -n "$kernel_ssb" ] && kernel_ssb="CONFIG_ARM64_SSBD enabled in kconfig"
+ fi
+ if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then
+ # this string only appears in kernel if CONFIG_ARM64_SSBD is set
+- kernel_ssb=$(grep -w "Speculative Store Bypassing Safe (SSBS)" "$kernel")
++ kernel_ssb=$(@grep@ -w "Speculative Store Bypassing Safe (SSBS)" "$kernel")
+ [ -n "$kernel_ssb" ] && kernel_ssb="found 'Speculative Store Bypassing Safe (SSBS)' in kernel"
+ fi
+ # /arm64 only
+@@ -4489,31 +4489,31 @@ check_CVE_2018_3639_linux()
+ if [ "$opt_live" = 1 ]; then
+ # https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340
+ _info_nol "* SSB mitigation is enabled and active: "
+- if grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then
++ if @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssbd_enabled=1
+ pstatus green YES "per-thread through prctl"
+- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then
++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssbd_enabled=2
+ pstatus green YES "global"
+- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then
++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssbd_enabled=0
+ pstatus yellow NO
+- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then
++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssbd_enabled=-2
+ pstatus blue NO "not vulnerable"
+- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then
++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssbd_enabled=0
+ pstatus blue NO
+ else
+- pstatus blue UNKNOWN "unknown value: $(grep -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | cut -d: -f2-)"
++ pstatus blue UNKNOWN "unknown value: $(@grep@ -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | @cut@ -d: -f2-)"
+ fi
+
+ if [ "$kernel_ssbd_enabled" = 1 ]; then
+ _info_nol "* SSB mitigation currently active for selected processes: "
+ # silence grep's stderr here to avoid ENOENT errors from processes that have exited since the shell's expansion of the *
+- mitigated_processes=$(find /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
+- | xargs -r0 grep -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \
+- | sed s/status/exe/ | xargs -r -n1 readlink -f 2>/dev/null | xargs -r -n1 basename | sort -u | tr "\n" " " | sed 's/ $//')
++ mitigated_processes=$(@find@ /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
++ | @xargs@ -r0 @grep@ -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \
++ | @sed@ s/status/exe/ | @xargs@ -r -n1 readlink -f 2>/dev/null | @xargs@ -r -n1 @basename@ | @sort@ -u | @tr@ "\n" " " | @sed@ 's/ $//')
+ if [ -n "$mitigated_processes" ]; then
+ pstatus green YES "$mitigated_processes"
+ else
+@@ -4565,7 +4565,7 @@ check_CVE_2018_3639_linux()
+ check_CVE_2018_3639_bsd()
+ {
+ _info_nol "* Kernel supports speculation store bypass: "
+- if sysctl hw.spec_store_bypass_disable >/dev/null 2>&1; then
++ if @sysctl@ hw.spec_store_bypass_disable >/dev/null 2>&1; then
+ kernel_ssb=1
+ pstatus green YES
+ else
+@@ -4574,7 +4574,7 @@ check_CVE_2018_3639_bsd()
+ fi
+
+ _info_nol "* Speculation store bypass is administratively enabled: "
+- ssb_enabled=$(sysctl -n hw.spec_store_bypass_disable 2>/dev/null)
++ ssb_enabled=$(@sysctl@ -n hw.spec_store_bypass_disable 2>/dev/null)
+ _debug "hw.spec_store_bypass_disable=$ssb_enabled"
+ case "$ssb_enabled" in
+ 0) pstatus yellow NO "disabled";;
+@@ -4584,7 +4584,7 @@ check_CVE_2018_3639_bsd()
+ esac
+
+ _info_nol "* Speculation store bypass is currently active: "
+- ssb_active=$(sysctl -n hw.spec_store_bypass_disable_active 2>/dev/null)
++ ssb_active=$(@sysctl@ -n hw.spec_store_bypass_disable_active 2>/dev/null)
+ _debug "hw.spec_store_bypass_disable_active=$ssb_active"
+ case "$ssb_active" in
+ 1) pstatus green YES;;
+@@ -4656,7 +4656,7 @@ check_CVE_2018_3620()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2018_3620_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2018_3620_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -4674,14 +4674,14 @@ check_CVE_2018_3620_linux()
+ fi
+ if [ "$opt_sysfs_only" != 1 ]; then
+ _info_nol "* Kernel supports PTE inversion: "
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing 'strings' tool, please install it"
+ pteinv_supported=-1
+ elif [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "$kernel_err"
+ pteinv_supported=-1
+ else
+- if "${opt_arch_prefix}strings" "$kernel" | grep -Fq 'PTE Inversion'; then
++ if "@strings@" "$kernel" | @grep@ -Fq 'PTE Inversion'; then
+ pstatus green YES "found in kernel image"
+ _debug "pteinv: found pte inversion evidence in kernel image"
+ pteinv_supported=1
+@@ -4694,7 +4694,7 @@ check_CVE_2018_3620_linux()
+ _info_nol "* PTE inversion enabled and active: "
+ if [ "$opt_live" = 1 ]; then
+ if [ -n "$fullmsg" ]; then
+- if echo "$fullmsg" | grep -q 'Mitigation: PTE Inversion'; then
++ if echo "$fullmsg" | @grep@ -q 'Mitigation: PTE Inversion'; then
+ pstatus green YES
+ pteinv_active=1
+ else
+@@ -4742,7 +4742,7 @@ check_CVE_2018_3620_bsd()
+ else
+ _debug "vmm module already loaded"
+ fi
+- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
+ # https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
+ # this is very difficult to detect that the kernel reserved the 0 page, but this fix
+ # is part of the exact same patch than the other L1TF CVE, so we detect it
+@@ -4772,7 +4772,7 @@ check_CVE_2018_3646()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2018_3646_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2018_3646_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -4798,7 +4798,7 @@ check_CVE_2018_3646_linux()
+ if [ "$opt_live" = 1 ]; then
+ if ! [ -r /sys/module/kvm_intel/parameters/ept ]; then
+ pstatus blue N/A "the kvm_intel module is not loaded"
+- elif [ "$(cat /sys/module/kvm_intel/parameters/ept)" = N ]; then
++ elif [ "$(@cat@ /sys/module/kvm_intel/parameters/ept)" = N ]; then
+ pstatus green YES
+ ept_disabled=1
+ else
+@@ -4810,15 +4810,15 @@ check_CVE_2018_3646_linux()
+
+ _info "* Mitigation 2"
+ _info_nol " * L1D flush is supported by kernel: "
+- if [ "$opt_live" = 1 ] && grep -qw flush_l1d "$procfs/cpuinfo"; then
++ if [ "$opt_live" = 1 ] && @grep@ -qw flush_l1d "$procfs/cpuinfo"; then
+ l1d_kernel="found flush_l1d in $procfs/cpuinfo"
+ fi
+ if [ -z "$l1d_kernel" ]; then
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ l1d_kernel_err="missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
+ elif [ -n "$kernel_err" ]; then
+ l1d_kernel_err="$kernel_err"
+- elif "${opt_arch_prefix}strings" "$kernel" | grep -qw flush_l1d; then
++ elif "@strings@" "$kernel" | @grep@ -qw flush_l1d; then
+ l1d_kernel='found flush_l1d in kernel image'
+ fi
+ fi
+@@ -4839,20 +4839,20 @@ check_CVE_2018_3646_linux()
+ # $l1dstatus is one of (auto|vulnerable|conditional cache flushes|cache flushes|EPT disabled|flush not necessary)
+ # $smtstatus is one of (vulnerable|disabled)
+ # can also just be "Not affected"
+- if echo "$fullmsg" | grep -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then
++ if echo "$fullmsg" | @grep@ -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then
+ l1d_mode=0
+ pstatus yellow NO
+- elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) conditional cache flushes'; then
++ elif echo "$fullmsg" | @grep@ -Eq '(VMX:|L1D) conditional cache flushes'; then
+ l1d_mode=1
+ pstatus green YES "conditional flushes"
+- elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) cache flushes'; then
++ elif echo "$fullmsg" | @grep@ -Eq '(VMX:|L1D) cache flushes'; then
+ l1d_mode=2
+ pstatus green YES "unconditional flushes"
+ else
+ if is_xen_dom0; then
+- l1d_xen_hardware=$(xl dmesg | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -1)
+- l1d_xen_hypervisor=$(xl dmesg | grep 'Xen settings:' | grep 'L1D_FLUSH' | head -1)
+- l1d_xen_pv_domU=$(xl dmesg | grep 'PV L1TF shadowing:' | grep 'DomU enabled' | head -1)
++ l1d_xen_hardware=$(xl @dmesg@ | @grep@ 'Hardware features:' | @grep@ 'L1D_FLUSH' | @head@ -1)
++ l1d_xen_hypervisor=$(xl @dmesg@ | @grep@ 'Xen settings:' | @grep@ 'L1D_FLUSH' | @head@ -1)
++ l1d_xen_pv_domU=$(xl @dmesg@ | @grep@ 'PV L1TF shadowing:' | @grep@ 'DomU enabled' | @head@ -1)
+
+ if [ -n "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n "$l1d_xen_pv_domU" ]; then
+ l1d_mode=5
+@@ -4883,7 +4883,7 @@ check_CVE_2018_3646_linux()
+
+ _info_nol " * Hardware-backed L1D flush supported: "
+ if [ "$opt_live" = 1 ]; then
+- if grep -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then
++ if @grep@ -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then
+ pstatus green YES "performance impact of the mitigation will be greatly reduced"
+ else
+ pstatus blue NO "flush will be done in software, this is slower"
+@@ -4955,7 +4955,7 @@ check_CVE_2018_3646_linux()
+ check_CVE_2018_3646_bsd()
+ {
+ _info_nol "* Kernel supports L1D flushing: "
+- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
+ pstatus green YES
+ kernel_l1d_supported=1
+ else
+@@ -4964,7 +4964,7 @@ check_CVE_2018_3646_bsd()
+ fi
+
+ _info_nol "* L1D flushing is enabled: "
+- kernel_l1d_enabled=$(sysctl -n hw.vmm.vmx.l1d_flush 2>/dev/null)
++ kernel_l1d_enabled=$(@sysctl@ -n hw.vmm.vmx.l1d_flush 2>/dev/null)
+ case "$kernel_l1d_enabled" in
+ 0) pstatus yellow NO;;
+ 1) pstatus green YES;;
+@@ -5018,7 +5018,7 @@ check_CVE_2018_12127()
+ ###################
+ # MDSUM SECTION
+
+-# Microarchitectural Data Sampling Uncacheable Memory
++# Microarchitectural Data Sampling Uncacheable Memory
+ check_CVE_2019_11091()
+ {
+ cve='CVE-2019-11091'
+@@ -5032,7 +5032,7 @@ check_mds()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_mds_linux "$cve"
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_mds_bsd "$cve"
+ else
+ _warn "Unsupported OS ($os)"
+@@ -5043,7 +5043,7 @@ check_mds_bsd()
+ {
+ _info_nol "* Kernel supports using MD_CLEAR mitigation: "
+ if [ "$opt_live" = 1 ]; then
+- if sysctl hw.mds_disable >/dev/null 2>&1; then
++ if @sysctl@ hw.mds_disable >/dev/null 2>&1; then
+ pstatus green YES
+ kernel_md_clear=1
+ else
+@@ -5051,7 +5051,7 @@ check_mds_bsd()
+ kernel_md_clear=0
+ fi
+ else
+- if grep -Fq hw.mds_disable $opt_kernel; then
++ if @grep@ -Fq hw.mds_disable $opt_kernel; then
+ pstatus green YES
+ kernel_md_clear=1
+ else
+@@ -5061,8 +5061,8 @@ check_mds_bsd()
+ fi
+
+ _info_nol "* CPU Hyper-Threading (SMT) is disabled: "
+- if sysctl machdep.hyperthreading_allowed >/dev/null 2>&1; then
+- kernel_smt_allowed=$(sysctl -n machdep.hyperthreading_allowed 2>/dev/null)
++ if @sysctl@ machdep.hyperthreading_allowed >/dev/null 2>&1; then
++ kernel_smt_allowed=$(@sysctl@ -n machdep.hyperthreading_allowed 2>/dev/null)
+ if [ "$kernel_smt_allowed" = 1 ]; then
+ pstatus yellow NO
+ else
+@@ -5074,7 +5074,7 @@ check_mds_bsd()
+
+ _info_nol "* Kernel mitigation is enabled: "
+ if [ "$kernel_md_clear" = 1 ]; then
+- kernel_mds_enabled=$(sysctl -n hw.mds_disable 2>/dev/null)
++ kernel_mds_enabled=$(@sysctl@ -n hw.mds_disable 2>/dev/null)
+ else
+ kernel_mds_enabled=0
+ fi
+@@ -5088,7 +5088,7 @@ check_mds_bsd()
+
+ _info_nol "* Kernel mitigation is active: "
+ if [ "$kernel_md_clear" = 1 ]; then
+- kernel_mds_state=$(sysctl -n hw.mds_disable_state 2>/dev/null)
++ kernel_mds_state=$(@sysctl@ -n hw.mds_disable_state 2>/dev/null)
+ else
+ kernel_mds_state=inactive
+ fi
+@@ -5146,16 +5146,16 @@ check_mds_linux()
+ _info_nol "* Kernel supports using MD_CLEAR mitigation: "
+ kernel_md_clear=''
+ kernel_md_clear_can_tell=1
+- if [ "$opt_live" = 1 ] && grep ^flags "$procfs/cpuinfo" | grep -qw md_clear; then
++ if [ "$opt_live" = 1 ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw md_clear; then
+ kernel_md_clear="md_clear found in $procfs/cpuinfo"
+ pstatus green YES "$kernel_md_clear"
+ fi
+ if [ -z "$kernel_md_clear" ]; then
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ kernel_md_clear_can_tell=0
+ elif [ -n "$kernel_err" ]; then
+ kernel_md_clear_can_tell=0
+- elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'Clear CPU buffers'; then
++ elif "@strings@" "$kernel" | @grep@ -q 'Clear CPU buffers'; then
+ _debug "md_clear: found 'Clear CPU buffers' string in kernel image"
+ kernel_md_clear='found md_clear implementation evidence in kernel image'
+ pstatus green YES "$kernel_md_clear"
+@@ -5171,7 +5171,7 @@ check_mds_linux()
+
+ if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then
+ _info_nol "* Kernel mitigation is enabled and active: "
+- if echo "$fullmsg" | grep -qi ^mitigation; then
++ if echo "$fullmsg" | @grep@ -qi ^mitigation; then
+ mds_mitigated=1
+ pstatus green YES
+ else
+@@ -5179,7 +5179,7 @@ check_mds_linux()
+ pstatus yellow NO
+ fi
+ _info_nol "* SMT is either mitigated or disabled: "
+- if echo "$fullmsg" | grep -Eq 'SMT (disabled|mitigated)'; then
++ if echo "$fullmsg" | @grep@ -Eq 'SMT (disabled|mitigated)'; then
+ mds_smt_mitigated=1
+ pstatus green YES
+ else
+@@ -5265,7 +5265,7 @@ check_CVE_2019_11135()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2019_11135_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2019_11135_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -5286,7 +5286,7 @@ check_CVE_2019_11135_linux()
+ kernel_taa=''
+ if [ -n "$kernel_err" ]; then
+ kernel_taa_err="$kernel_err"
+- elif grep -q 'tsx_async_abort' "$kernel"; then
++ elif @grep@ -q 'tsx_async_abort' "$kernel"; then
+ kernel_taa="found tsx_async_abort in kernel image"
+ fi
+ if [ -n "$kernel_taa" ]; then
+@@ -5300,7 +5300,7 @@ check_CVE_2019_11135_linux()
+ _info_nol "* TAA mitigation enabled and active: "
+ if [ "$opt_live" = 1 ]; then
+ if [ -n "$fullmsg" ]; then
+- if echo "$fullmsg" | grep -qE '^Mitigation'; then
++ if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then
+ pstatus green YES "$fullmsg"
+ else
+ pstatus yellow NO
+@@ -5335,9 +5335,9 @@ check_CVE_2019_11135_linux()
+ else
+ if [ "$opt_paranoid" = 1 ]; then
+ # in paranoid mode, TSX or SMT enabled are not OK, even if TAA is mitigated
+- if ! echo "$fullmsg" | grep -qF 'TSX disabled'; then
++ if ! echo "$fullmsg" | @grep@ -qF 'TSX disabled'; then
+ pvulnstatus $cve VULN "TSX must be disabled for full mitigation"
+- elif echo "$fullmsg" | grep -qF 'SMT vulnerable'; then
++ elif echo "$fullmsg" | @grep@ -qF 'SMT vulnerable'; then
+ pvulnstatus $cve VULN "SMT (HyperThreading) must be disabled for full mitigation"
+ else
+ pvulnstatus $cve "$status" "$msg"
+@@ -5367,7 +5367,7 @@ check_CVE_2018_12207()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2018_12207_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2018_12207_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -5391,7 +5391,7 @@ check_CVE_2018_12207_linux()
+ if [ -n "$kernel_err" ]; then
+ kernel_itlbmh_err="$kernel_err"
+ # commit 5219505fcbb640e273a0d51c19c38de0100ec5a9
+- elif grep -q 'itlb_multihit' "$kernel"; then
++ elif @grep@ -q 'itlb_multihit' "$kernel"; then
+ kernel_itlbmh="found itlb_multihit in kernel image"
+ fi
+ if [ -n "$kernel_itlbmh" ]; then
+@@ -5405,7 +5405,7 @@ check_CVE_2018_12207_linux()
+ _info_nol "* iTLB Multihit mitigation enabled and active: "
+ if [ "$opt_live" = 1 ]; then
+ if [ -n "$fullmsg" ]; then
+- if echo "$fullmsg" | grep -qF 'Mitigation'; then
++ if echo "$fullmsg" | @grep@ -qF 'Mitigation'; then
+ pstatus green YES "$fullmsg"
+ else
+ pstatus yellow NO
+@@ -5447,7 +5447,7 @@ check_CVE_2018_12207_linux()
+ check_CVE_2018_12207_bsd()
+ {
+ _info_nol "* Kernel supports disabling superpages for executable mappings under EPT: "
+- kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept 2>/dev/null)
++ kernel_2m_x_ept=$(@sysctl@ -n vm.pmap.allow_2m_x_ept 2>/dev/null)
+ if [ -z "$kernel_2m_x_ept" ]; then
+ pstatus yellow NO
+ else
+@@ -5484,7 +5484,7 @@ check_CVE_2020_0543()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2020_0543_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2020_0543_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -5505,7 +5505,7 @@ check_CVE_2020_0543_linux()
+ kernel_srbds=''
+ if [ -n "$kernel_err" ]; then
+ kernel_srbds_err="$kernel_err"
+- elif grep -q 'Dependent on hypervisor' "$kernel"; then
++ elif @grep@ -q 'Dependent on hypervisor' "$kernel"; then
+ kernel_srbds="found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation"
+ fi
+ if [ -n "$kernel_srbds" ]; then
+@@ -5518,7 +5518,7 @@ check_CVE_2020_0543_linux()
+ _info_nol "* SRBDS mitigation control is enabled and active: "
+ if [ "$opt_live" = 1 ]; then
+ if [ -n "$fullmsg" ]; then
+- if echo "$fullmsg" | grep -qE '^Mitigation'; then
++ if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then
+ pstatus green YES "$fullmsg"
+ else
+ pstatus yellow NO
+@@ -5608,8 +5608,8 @@ fi
+ # now run the checks the user asked for
+ for cve in $supported_cve_list
+ do
+- if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | grep -qw "$cve"; then
+- check_"$(echo "$cve" | tr - _)"
++ if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | @grep@ -qw "$cve"; then
++ check_"$(echo "$cve" | @tr@ - _)"
+ _info
+ fi
+ done
+@@ -5623,17 +5623,17 @@ if [ "$bad_accuracy" = 1 ]; then
+ _warn "We're missing some kernel info (see -v), accuracy might be reduced"
+ fi
+
+-_vars=$(set | grep -Ev '^[A-Z_[:space:]]' | grep -v -F 'mockme=' | sort | tr "\n" '|')
++_vars=$(set | @grep@ -Ev '^[A-Z_[:space:]]' | @grep@ -v -F 'mockme=' | @sort@ | @tr@ "\n" '|')
+ _debug "variables at end of script: $_vars"
+
+ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
+- if command -v "gzip" >/dev/null 2>&1; then
++ if command -v "@gzip@" >/dev/null 2>&1; then
+ # not a useless use of cat: gzipping cpuinfo directly doesn't work well
+ # shellcheck disable=SC2002
+- if command -v "base64" >/dev/null 2>&1; then
+- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | base64 -w0)"
+- elif command -v "uuencode" >/dev/null 2>&1; then
+- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | uuencode -m - | grep -Fv 'begin-base64' | grep -Fxv -- '====' | tr -d "\n")"
++ if command -v "@base64@" >/dev/null 2>&1; then
++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @base64@ -w0)"
++ elif command -v "@uuencode@" >/dev/null 2>&1; then
++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @uuencode@ -m - | @grep@ -Fv 'begin-base64' | @grep@ -Fxv -- '====' | @tr@ -d "\n")"
+ fi
+ fi
+ if [ -n "$mock_cpuinfo" ]; then
+@@ -5642,7 +5642,7 @@ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
+ fi
+ _info ""
+ # shellcheck disable=SC2046
+- _warn "To mock this CPU, set those vars: "$(echo "$mockme" | sort -u)
++ _warn "To mock this CPU, set those vars: "$(echo "$mockme" | @sort@ -u)
+ fi
+
+ if [ "$opt_explain" = 0 ]; then
+--
+2.38.1
+
diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
new file mode 100644
index 0000000000..afec52b418
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
@@ -0,0 +1,26 @@
+From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako <at> ultrarare.space>
+Date: Sat, 5 Nov 2022 23:22:31 +0800
+Subject: [PATCH] Add support for Guix System kernel.
+
+---
+ spectre-meltdown-checker.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 248a444..855a090 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
+ [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
+ # NixOS:
+ [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
++ # Guix System:
++ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ # systemd kernel-install:
+ [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
+ # Clear Linux:
+
+base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
+--
+2.38.0
base-commit: 2757de2e2b271d87f6f72ba4161c2225fbdc9e78
--
2.38.1
guix-patches <at> gnu.org:bug#59053; Package guix-patches.
(Sat, 12 Nov 2022 16:59:02 GMT) Full text and rfc822 format available.Message #36 received at 59053 <at> debbugs.gnu.org (full text, mbox):
From: Liliana Marie Prikler <liliana.prikler <at> gmail.com> To: Hilton Chain <hako <at> ultrarare.space> Cc: 59053 <at> debbugs.gnu.org Subject: Re: [PATCH v4] gnu: Add spectre-meltdown-checker. Date: Sat, 12 Nov 2022 17:58:33 +0100
Am Samstag, dem 12.11.2022 um 23:15 +0800 schrieb Hilton Chain:
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-
> substitution.patch:
> New file.
> * gnu/local.mk (dist_patch_DATA): Add patches.
> ---
> v3 -> v4:
> 1. Remove downloading function.
> 2. Add option for supplying a local database.
>
> gnu/local.mk | 3 +
> gnu/packages/linux.scm | 54 +
> ...ker-remove-builtin-firmware-database.patch | 243 +++
> ...cker-stage-commands-for-substitution.patch | 1849
> +++++++++++++++++
> ...n-checker-support-guix-system-kernel.patch | 26 +
> 5 files changed, 2175 insertions(+)
> create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> remove-builtin-firmware-database.patch
> create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> stage-commands-for-substitution.patch
> create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index e3e02314bb..46b299d0d6 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1857,6 +1857,9 @@ dist_patch_DATA
> = \
> %D%/packages/patches/syslinux-strip-gnu-property.patch \
> %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch \
> %D%/packages/patches/snappy-add-inline-for-GCC.patch \
> + %D%/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch \
> + %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-
> substitution.patch \
> + %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
> %D%/packages/patches/sphinxbase-fix-doxygen.patch \
> %D%/packages/patches/spice-vdagent-glib-2.68.patch \
> %D%/packages/patches/sssd-optional-systemd.patch \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index fea33dfa0b..1807fd5655 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9595,3 +9595,57 @@ (define-public edac-utils
> error detection and correction (EDAC).")
> (home-page "https://github.com/grondo/edac-utils")
> (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> + (package
> + (name "spectre-meltdown-checker")
> + (version "0.45")
> + (source (origin
> + (method git-fetch)
> + (uri (git-reference
> + (url
> "https://github.com/speed47/spectre-meltdown-checker")
> + (commit (string-append "v" version))))
> + (file-name (git-file-name name version))
> + (patches
> + (search-patches
> + ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> + "spectre-meltdown-checker-support-guix-system-
> kernel.patch"
> + ;; NOTE: Update these patches when updating.
> + "spectre-meltdown-checker-remove-builtin-firmware-
> database.patch"
Is this comment still needed?
> + "spectre-meltdown-checker-stage-commands-for-
> substitution.patch"))
> + ;; Remove builtin firmware database.
> + (modules '((guix build utils)))
> + (snippet '(substitute* "spectre-meltdown-checker.sh"
> + (("^# [AI],.*") "")))
> + (sha256
> + (base32
> +
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> + (build-system copy-build-system)
> + (arguments
> + (list #:install-plan
> + #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> + #:phases
> + #~(modify-phases %standard-phases
> + (add-after 'unpack 'fixpath
> + (lambda* (#:key inputs #:allow-other-keys)
> + (substitute* "spectre-meltdown-checker.sh"
> + (("@sysctl@") (search-input-file inputs
> "/sbin/sysctl"))
> + (("@([a-z0-9]*)@" _ command _)
> + (search-input-file
> + inputs (string-append "/bin/"
> command)))))))))
> + (inputs
> + (list kmod
> + lz4
> + lzop
> + perl
> + procps
> + sharutils
> + util-linux
> + zstd))
> + (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> + (synopsis "CPU vulnerability / mitigation checker")
> + (description
> + "This package provides a shell script to assess your system's
> resilience
> +against the several transient execution CVEs that were published
> since early
> +2018, and give you guidance as to how to mitigate them.")
> + (license license:gpl3)))
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-
> builtin-firmware-database.patch b/gnu/packages/patches/spectre-
> meltdown-checker-remove-builtin-firmware-database.patch
> new file mode 100644
> index 0000000000..888bb0c2b1
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch
> @@ -0,0 +1,243 @@
> +From a3a9b7ca93071393e6bfd999fedd737009718aab Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako <at> ultrarare.space>
> +Date: Sat, 12 Nov 2022 22:45:24 +0800
> +Subject: [PATCH 1/2] Remove builtin firmware database.
> +
> +1. Remove downloading function.
> +2. Add option for supplying a local database.
> +---
> + spectre-meltdown-checker.sh | 180 +++------------------------------
> ---
> + 1 file changed, 15 insertions(+), 165 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 30f760c..ce46970 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -22,8 +22,6 @@ exit_cleanup()
> + [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm
> -f "$dumped_config"
> + [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm
> -f "$kerneltmp"
> + [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm
> -f "$kerneltmp2"
> +- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm
> -f "$mcedb_tmp"
> +- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm
> -rf "$intel_tmp"
> + [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug
> 2>/dev/null
> + [ "${mounted_procfs:-}" = 1 ] && umount "$procfs"
> 2>/dev/null
> + [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
> +@@ -93,9 +91,7 @@ show_usage()
> + --vmm [auto,yes,no] override the detection of the
> presence of a hypervisor, default: auto
> + --allow-msr-write allow probing for write-only
> MSRs, this might produce kernel logs or be blocked by your system
> + --cpu [#,all] interact with CPUID and MSR
> of CPU core number #, or all (default: CPU core 0)
> +- --update-fwdb update our local copy of the
> CPU microcodes versions database (using the awesome
> +- MCExtractor project and the
> Intel firmwares GitHub repository)
> +- --update-builtin-fwdb same as --update-fwdb but
> update builtin DB inside the script itself
> ++ --with-fwdb FILE supply the CPU microcodes
> versions database
> + --dump-mock-data used to mimick a CPU on an
> other system, mainly used to help debugging this script
> +
> + Return codes:
> +@@ -837,147 +833,6 @@ show_header()
> + _info
> + }
> +
> +-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
> +-mcedb_cache="$HOME/.mcedb"
> +-update_fwdb()
> +-{
> +- show_header
> +-
> +- set -e
> +-
> +- if [ -r "$mcedb_cache" ]; then
> +- previous_dbversion=$(awk '/^# %%% MCEDB / { print $4
> }' "$mcedb_cache")
> +- fi
> +-
> +- # first, download the MCE.db from the excellent platomav's
> MCExtractor project
> +- mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
> +-
> mcedb_url='https://github.com/platomav/MCExtractor/raw/master/M
> CE.db'
> +- _info_nol "Fetching MCE.db from the MCExtractor project... "
> +- if command -v wget >/dev/null 2>&1; then
> +- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
> +- elif command -v curl >/dev/null 2>&1; then
> +- curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
> +- elif command -v fetch >/dev/null 2>&1; then
> +- fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
> +- else
> +- echo ERROR "please install one of \`wget\`, \`curl\`
> of \`fetch\` programs"
> +- return 1
> +- fi
> +- if [ "$ret" != 0 ]; then
> +- echo ERROR "error $ret while downloading MCE.db"
> +- return $ret
> +- fi
> +- echo DONE
> +-
> +- # second, get the Intel firmwares from GitHub
> +- intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
> +-
> intel_url="https://github.com/intel/Intel-Linux-Processor-Micro
> code-Data-Files/archive/main.zip"
> +- _info_nol "Fetching Intel firmwares... "
> +- ##
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
> +- if command -v wget >/dev/null 2>&1; then
> +- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
> +- elif command -v curl >/dev/null 2>&1; then
> +- curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
> +- elif command -v fetch >/dev/null 2>&1; then
> +- fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
> +- else
> +- echo ERROR "please install one of \`wget\`, \`curl\`
> of \`fetch\` programs"
> +- return 1
> +- fi
> +- if [ "$ret" != 0 ]; then
> +- echo ERROR "error $ret while downloading Intel
> firmwares"
> +- return $ret
> +- fi
> +- echo DONE
> +-
> +- # now extract MCEdb contents using sqlite
> +- _info_nol "Extracting MCEdb data... "
> +- if ! command -v sqlite3 >/dev/null 2>&1; then
> +- echo ERROR "please install the \`sqlite3\` program"
> +- return 1
> +- fi
> +- mcedb_revision=$(sqlite3 "$mcedb_tmp" "select revision from
> MCE")
> +- if [ -z "$mcedb_revision" ]; then
> +- echo ERROR "downloaded file seems invalid"
> +- return 1
> +- fi
> +- sqlite3 "$mcedb_tmp" "alter table Intel add column origin
> text"
> +- sqlite3 "$mcedb_tmp" "update Intel set origin='mce'"
> +-
> +- echo OK "MCExtractor database revision $mcedb_revision"
> +-
> +- # parse Intel firmwares to get their versions
> +- _info_nol "Integrating Intel firmwares data to db... "
> +- if ! command -v unzip >/dev/null 2>&1; then
> +- echo ERROR "please install the \`unzip\` program"
> +- return 1
> +- fi
> +- ( cd "$intel_tmp" && unzip fw.zip >/dev/null; )
> +- if ! [ -d "$intel_tmp/Intel-Linux-Processor-Microcode-Data-
> Files-main/intel-ucode" ]; then
> +- echo ERROR "expected the 'intel-ucode' folder in the
> downloaded zip file"
> +- return 1
> +- fi
> +-
> +- if ! command -v iucode_tool >/dev/null 2>&1; then
> +- if ! command -v iucode-tool >/dev/null 2>&1; then
> +- echo ERROR "please install the \`iucode-
> tool\` program"
> +- return 1
> +- else
> +- iucode_tool="iucode-tool"
> +- fi
> +- else
> +- iucode_tool="iucode_tool"
> +- fi
> +- # 079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev
> 0x0217, size 5120
> +- # 078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev
> 0x0107, size 5120
> +- $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-
> Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
> +- do
> +- _line=$( echo "$_line" | tr -d ',')
> +- _cpuid=$( echo "$_line" | awk '{print $3}')
> +- _cpuid=$(( _cpuid ))
> +- _cpuid=$(printf "0x%08X" "$_cpuid")
> +- _date=$( echo "$_line" | awk '{print $6}' | tr -d
> '-')
> +- _version=$(echo "$_line" | awk '{print $8}')
> +- _version=$(( _version ))
> +- _version=$(printf "0x%08X" "$_version")
> +- _sqlstm="$(printf "INSERT INTO Intel
> (origin,cpuid,version,yyyymmdd) VALUES
> (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")"
> "$(printf "%08X" "$_version")" "$_date")"
> +- sqlite3 "$mcedb_tmp" "$_sqlstm"
> +- done
> +- _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-
> Processor-Microcode-Data-Files-main/license" 2>/dev/null)
> +- if [ -n "$_intel_timestamp" ]; then
> +- # use this date, it matches the last commit date
> +- _intel_latest_date=$(date +%Y%m%d -d
> @"$_intel_timestamp")
> +- else
> +- echo "Falling back to the latest microcode date"
> +- _intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT
> yyyymmdd from Intel WHERE origin = 'intel' ORDER BY yyyymmdd DESC
> LIMIT 1;")
> +- fi
> +- echo DONE "(version $_intel_latest_date)"
> +-
> +- dbversion="$mcedb_revision+i$_intel_latest_date"
> +-
> +- if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [
> "$previous_dbversion" = "v$dbversion" ]; then
> +- echo "We already have this version locally, no update
> needed"
> +- return 0
> +- fi
> +-
> +- _info_nol "Building local database... "
> +- {
> +- echo "# Spectre & Meltdown Checker";
> +- echo "# %%% MCEDB v$dbversion";
> +- sqlite3 "$mcedb_tmp" "SELECT '#
> I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel
> AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND
> t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid
> ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
> +- sqlite3 "$mcedb_tmp" "SELECT '#
> A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD
> AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND
> t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid
> ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
> +- } > "$mcedb_cache"
> +- echo DONE "(version $dbversion)"
> +-
> +- if [ "$1" = builtin ]; then
> +- newfile=$(mktemp -t smc-builtin-XXXXXX)
> +- awk '/^# %%% MCEDB / { exit }; { print }' "$0" >
> "$newfile"
> +- awk '{ if (NR>1) { print } }' "$mcedb_cache" >>
> "$newfile"
> +- cat "$newfile" > "$0"
> +- rm -f "$newfile"
> +- fi
> +-}
> +-
> + parse_opt_file()
> + {
> + # parse_opt_file option_name option_value
> +@@ -1067,12 +922,15 @@ while [ -n "${1:-}" ]; do
> + # deprecated, kept for compatibility
> + opt_explain=0
> + shift
> +- elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb"
> ]; then
> +- update_fwdb
> +- exit $?
> +- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--
> update-builtin-mcedb" ]; then
> +- update_fwdb builtin
> +- exit $?
> ++ elif [ "$1" = "--with-fwdb" ] || [ "$1" = "--with-mcedb" ];
> then
> ++ opt_fwdb=$2
> ++ if [ -f "$opt_fwdb" ]; then
> ++ mcedb_cache=$2
> ++ else
> ++ echo "$0: error: --with-fwdb should be a
> file, got '$opt_fwdb'" >&2
> ++ exit 255
> ++ fi
> ++ shift 2
> + elif [ "$1" = "--dump-mock-data" ]; then
> + opt_mock=1
> + shift
> +@@ -2033,21 +1891,11 @@ is_xen_domU()
> + fi
> + }
> +
> +-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
> + if [ -r "$mcedb_cache" ]; then
> + # we have a local cache file, but it might be older than the
> builtin version we have
> + local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }'
> "$mcedb_cache")
> +- # sort -V sorts by version number
> +- older_dbversion=$(printf "%b\n%b" "$local_dbversion"
> "$builtin_dbversion" | sort -V | head -n1)
> +- if [ "$older_dbversion" = "$builtin_dbversion" ]; then
> +- mcedb_source="$mcedb_cache"
> +- mcedb_info="local firmwares DB $local_dbversion"
> +- fi
> +-fi
> +-# if mcedb_source is not set, either we don't have a local cached
> db, or it is older than the builtin db
> +-if [ -z "${mcedb_source:-}" ]; then
> +- mcedb_source="$0"
> +- mcedb_info="builtin firmwares DB $builtin_dbversion"
> ++ mcedb_source="$mcedb_cache"
> ++ mcedb_info="local firmwares DB $local_dbversion"
> + fi
> + read_mcedb()
> + {
> +@@ -2063,7 +1911,9 @@ is_latest_known_ucode()
> + return 2
> + fi
> + ucode_latest="latest microcode version for your CPU model is
> unknown"
> +- if is_intel; then
> ++ if [ -z "$mcedb_source" ]; then
> ++ return 2
> ++ elif is_intel; then
> + cpu_brand_prefix=I
> + elif is_amd; then
> + cpu_brand_prefix=A
> +--
> +2.38.1
> +
LGTM.
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage-
> commands-for-substitution.patch b/gnu/packages/patches/spectre-
> meltdown-checker-stage-commands-for-substitution.patch
> new file mode 100644
> index 0000000000..a8e7531f32
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-
> for-substitution.patch
> @@ -0,0 +1,1849 @@
> +From 1d79c223d5dc114f63da2c5061d2c713d8a05687 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako <at> ultrarare.space>
> +Date: Fri, 11 Nov 2022 18:49:50 +0800
> +Subject: [PATCH 2/2] Stage commands for later substitution.
> +
> +awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find,
> grep,
> +gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm,
> nproc,
> +objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat,
> strings,
> +sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, xargs.
> +---
I think it'd better to provide a little more information in the patch
note, e.g. "The following commands are taken from the environment and
thus need to be substituted:
- awk
- base64
- basename
- ...
The following are shell built-ins and can remain as is
- command
- echo
- ..."
By the way, I feel like it'd be an improvement to crank down on the
number of context lines or translate this into an equivalent
substitute*, i.e.
(substitute* "spectre-meltdown-checker.sh"
(("\\<(awk|base64|...)\\>" all cmd)
(find-command inputs cmd))
(("\\<(gzip|gunzip|...)\\>" all cmd)
(find-command inputs cmd))
...)
where
(define* (find-command inputs cmd #:optional (bin "bin"))
(search-input-file inputs (string-append bin "/" cmd)))
> + spectre-meltdown-checker.sh | 606 ++++++++++++++++++---------------
> ---
> + 1 file changed, 303 insertions(+), 303 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index ce46970..4889ebb 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -19,31 +19,31 @@ trap '_warn "interrupted, cleaning up...";
> exit_cleanup; exit 1' INT
> + exit_cleanup()
> + {
> + # cleanup the temp decompressed config & kernel image
> +- [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm
> -f "$dumped_config"
> +- [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm
> -f "$kerneltmp"
> +- [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm
> -f "$kerneltmp2"
> +- [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug
> 2>/dev/null
> +- [ "${mounted_procfs:-}" = 1 ] && umount "$procfs"
> 2>/dev/null
> +- [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
> +- [ "${insmod_msr:-}" = 1 ] && rmmod msr 2>/dev/null
> ++ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] &&
> @rm@ -f "$dumped_config"
> ++ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] &&
> @rm@ -f "$kerneltmp"
> ++ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] &&
> @rm@ -f "$kerneltmp2"
> ++ [ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug
> 2>/dev/null
> ++ [ "${mounted_procfs:-}" = 1 ] && @umount@ "$procfs"
> 2>/dev/null
> ++ [ "${insmod_cpuid:-}" = 1 ] && @rmmod@ cpuid 2>/dev/null
> ++ [ "${insmod_msr:-}" = 1 ] && @rmmod@ msr 2>/dev/null
> + [ "${kldload_cpuctl:-}" = 1 ] && kldunload cpuctl
> 2>/dev/null
> + [ "${kldload_vmm:-}" = 1 ] && kldunload vmm
> 2>/dev/null
> + }
> +
> + # if we were git clone'd, adjust VERSION
> +-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1;
> then
> +- describe=$(git -C "$(dirname "$0")" describe --tags --dirty
> 2>/dev/null)
> +- [ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e
> s/^v//)
> ++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null
> 2>&1; then
> ++ describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty
> 2>/dev/null)
> ++ [ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e
> s/^v//)
> + fi
> +
> + show_usage()
> + {
> + # shellcheck disable=SC2086
> +- cat <<EOF
> ++ @cat@ <<EOF
> + Usage:
> +- Live mode (auto): $(basename $0) [options]
> +- Live mode (manual): $(basename $0) [options] <[--
> kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
> +- Offline mode: $(basename $0) [options] <[--
> kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
> ++ Live mode (auto): $(@basename@ $0) [options]
> ++ Live mode (manual): $(@basename@ $0) [options] <[--
> kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
> ++ Offline mode: $(@basename@ $0) [options] <[--
> kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
> +
> + Modes:
> + Two modes are available.
> +@@ -106,7 +106,7 @@ EOF
> +
> + show_disclaimer()
> + {
> +- cat <<EOF
> ++ @cat@ <<EOF
> + Disclaimer:
> +
> + This tool does its best to determine whether your system is immune
> (or has proper mitigations in place) for the
> +@@ -134,7 +134,7 @@ This tool has been released in the hope that
> it'll be useful, but don't use it t
> + EOF
> + }
> +
> +-os=$(uname -s)
> ++os=$(@uname@ -s)
> +
> + # parse options
> + opt_kernel=''
> +@@ -203,7 +203,7 @@ __echo()
> + _interpret_chars='-e'
> + fi
> + _ctrlchar=$($echo_cmd $_interpret_chars "\033")
> +- _msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r
> "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
> ++ _msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r
> "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
> + fi
> + if [ "$echo_cmd_type" = printf ]; then
> + if [ "$opt" = "-n" ]; then
> +@@ -379,7 +379,7 @@ is_cpu_affected()
> + # https://github.com/crozone/SpectrePoC/issues/1 ^F
> E5200 => spectre 2 not affected
> + #
> https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 =>
> meltdown affected
> + # model name : Pentium(R) Dual-Core CPU E5200
> @ 2.50GHz
> +- if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\)
> Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
> ++ if echo "$cpu_friendly_name" | @grep@ -qE
> 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
> + variant1=vuln
> + [ -z "$variant2" ] && variant2=immune
> + variant3=vuln
> +@@ -482,7 +482,7 @@ is_cpu_affected()
> + i=$(( i + 1 ))
> + # do NOT quote $cpu_arch_list below
> + # shellcheck disable=SC2086
> +- cpuarch=$(echo $cpu_arch_list | awk '{ print
> $'$i' }')
> ++ cpuarch=$(echo $cpu_arch_list | @awk@ '{
> print $'$i' }')
> + _debug "checking cpu$i: <$cpupart>
> <$cpuarch>"
> + # some kernels report AArch64 instead of 8
> + [ "$cpuarch" = "AArch64" ] && cpuarch=8
> +@@ -493,49 +493,49 @@ is_cpu_affected()
> + # part ? ? c08 c09 c0d c0f c0e d07
> d08 d09 d0a d0b d0c d0d
> + # arch 7? 7? 7 7 7 7 7 8
> 8 8 8 8 8 8
> + #
> +- # Whitelist identified non-affected
> processors, use vulnerability information from
> ++ # Whitelist identified non-affected
> processors, use vulnerability information from
> + #
> https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
> + # Partnumbers can be found here:
> + #
> https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in
> + #
> + # Maintain cumulative check of
> vulnerabilities -
> + # if at least one of the cpu is
> affected, then the system is affected
> +- if [ "$cpuarch" = 7 ] && echo
> "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
> ++ if [ "$cpuarch" = 7 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
> + variant1=vuln
> + variant2=vuln
> + [ -z "$variant3" ] &&
> variant3=immune
> + [ -z "$variant3a" ] &&
> variant3a=immune
> + [ -z "$variant4" ] &&
> variant4=immune
> + _debug "checking cpu$i: armv7
> A8/A9/A12/A17 non affected to variants 3, 3a & 4"
> +- elif [ "$cpuarch" = 7 ] && echo
> "$cpupart" | grep -q -w -e 0xc0f; then
> ++ elif [ "$cpuarch" = 7 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xc0f; then
> + variant1=vuln
> + variant2=vuln
> + [ -z "$variant3" ] &&
> variant3=immune
> + variant3a=vuln
> + [ -z "$variant4" ] &&
> variant4=immune
> + _debug "checking cpu$i: armv7
> A15 non affected to variants 3 & 4"
> +- elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then
> ++ elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xd07 -e 0xd08; then
> + variant1=vuln
> + variant2=vuln
> + [ -z "$variant3" ] &&
> variant3=immune
> + variant3a=vuln
> + variant4=vuln
> + _debug "checking cpu$i: armv8
> A57/A72 non affected to variants 3"
> +- elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | grep -q -w -e 0xd09; then
> ++ elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xd09; then
> + variant1=vuln
> + variant2=vuln
> + [ -z "$variant3" ] &&
> variant3=immune
> + [ -z "$variant3a" ] &&
> variant3a=immune
> + variant4=vuln
> + _debug "checking cpu$i: armv8
> A73 non affected to variants 3 & 3a"
> +- elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | grep -q -w -e 0xd0a; then
> ++ elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xd0a; then
> + variant1=vuln
> + variant2=vuln
> + variant3=vuln
> + [ -z "$variant3a" ] &&
> variant3a=immune
> + variant4=vuln
> + _debug "checking cpu$i: armv8
> A75 non affected to variant 3a"
> +- elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
> ++ elif [ "$cpuarch" = 8 ] && echo
> "$cpupart" | @grep@ -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
> + variant1=vuln
> + [ -z "$variant2" ] &&
> variant2=immune
> + [ -z "$variant3" ] &&
> variant3=immune
> +@@ -816,7 +816,7 @@ is_cpu_ssb_free()
> + if [ "$cpu_family" = "18" ] || \
> + [ "$cpu_family" = "17" ] || \
> + [ "$cpu_family" = "16" ] || \
> +- [ "$cpu_family" = "15" ]; then
> ++ [ "$cpu_family" = "15" ]; then
> + return 0
> + fi
> + fi
> +@@ -910,7 +910,7 @@ while [ -n "${1:-}" ]; do
> + elif [ "$1" = "--cpu" ]; then
> + opt_cpu=$2
> + if [ "$opt_cpu" != all ]; then
> +- if echo "$opt_cpu" | grep -Eq '^[0-9]+'; then
> ++ if echo "$opt_cpu" | @grep@ -Eq '^[0-9]+';
> then
> + opt_cpu=$(( opt_cpu ))
> + else
> + echo "$0: error: --cpu should be an
> integer or 'all', got '$opt_cpu'" >&2
> +@@ -961,7 +961,7 @@ while [ -n "${1:-}" ]; do
> + echo "$0: error: option --cve expects a
> parameter, supported CVEs are: $supported_cve_list" >&2
> + exit 255
> + fi
> +- selected_cve=$(echo "$supported_cve_list" | grep -iwo
> "$2")
> ++ selected_cve=$(echo "$supported_cve_list" | @grep@ -
> iwo "$2")
> + if [ -n "$selected_cve" ]; then
> + opt_cve_list="$opt_cve_list $selected_cve"
> + opt_cve_all=0
> +@@ -1166,14 +1166,14 @@ check_kernel()
> + # a damaged ELF file and validate it, check for stderr
> warnings too
> +
> + # the warning "readelf: Warning: [16]: Link field (0) should
> index a symtab section./" can appear on valid kernels, ignore it
> +- _readelf_warnings=$("${opt_arch_prefix}readelf" -S "$_file"
> 2>&1 >/dev/null | grep -v 'should index a symtab section' | tr "\n"
> "/"); ret=$?
> +- _readelf_sections=$("${opt_arch_prefix}readelf" -S "$_file"
> 2>/dev/null | grep -c -e data -e text -e init)
> +- _kernel_size=$(stat -c %s "$_file" 2>/dev/null || stat -f %z
> "$_file" 2>/dev/null || echo 10000)
> ++ _readelf_warnings=$("@readelf@" -S "$_file" 2>&1 >/dev/null |
> @grep@ -v 'should index a symtab section' | @tr@ "\n" "/"); ret=$?
> ++ _readelf_sections=$("@readelf@" -S "$_file" 2>/dev/null |
> @grep@ -c -e data -e text -e init)
> ++ _kernel_size=$(@stat@ -c %s "$_file" 2>/dev/null || @stat@ -f
> %z "$_file" 2>/dev/null || echo 10000)
> + _debug "check_kernel: ret=$? size=$_kernel_size
> sections=$_readelf_sections warnings=$_readelf_warnings"
> + if [ "$_mode" = desperate ]; then
> +- if "${opt_arch_prefix}strings" "$_file" | grep -Eq
> '^Linux version '; then
> ++ if "@strings@" "$_file" | @grep@ -Eq '^Linux version
> '; then
> + _debug "check_kernel (desperate): ...
> matched!"
> +- if [ "$_readelf_sections" = 0 ] && grep -qF -
> e armv6 -e armv7 "$_file"; then
> ++ if [ "$_readelf_sections" = 0 ] && @grep@ -qF
> -e armv6 -e armv7 "$_file"; then
> + _debug "check_kernel (desperate): raw
> arm binary found, adjusting objdump options"
> + objdump_options="-D -b binary -marm"
> + else
> +@@ -1206,7 +1206,7 @@ try_decompress()
> +
> + # Try to find the header ($1) and decompress from here
> + _debug "try_decompress: looking for $3 magic in $6"
> +- for pos in $(tr "$1\n$2" "\n$2=" < "$6" | grep -abo
> "^$2")
> ++ for pos in $(@tr@ "$1\n$2" "\n$2=" < "$6" | @grep@ -abo
> "^$2")
> + do
> + _debug "try_decompress: magic for $3 found at offset
> $pos"
> + if ! command -v "$3" >/dev/null 2>&1; then
> +@@ -1233,11 +1233,11 @@ try_decompress()
> + kernel="$kerneltmp"
> + _debug "try_decompress: decompressed with $3
> successfully!"
> + return 0
> +- elif [ "$3" != "cat" ]; then
> ++ elif [ "$3" != "@cat@" ]; then
> + _debug "try_decompress: decompression with $3
> worked but result is not a kernel, trying with an offset"
> +- [ -z "$kerneltmp2" ] && kerneltmp2=$(mktemp -
> t smc-kernel-XXXXXX)
> +- cat "$kerneltmp" > "$kerneltmp2"
> +- try_decompress '\177ELF' xxy 'cat' '' cat
> "$kerneltmp2" && return 0
> ++ [ -z "$kerneltmp2" ] && kerneltmp2=$(@mktemp@
> -t smc-kernel-XXXXXX)
> ++ @cat@ "$kerneltmp" > "$kerneltmp2"
> ++ try_decompress '\177ELF' xxy '@cat@' '' cat
> "$kerneltmp2" && return 0
> + else
> + _debug "try_decompress: decompression with $3
> worked but result is not a kernel"
> + fi
> +@@ -1249,12 +1249,12 @@ extract_kernel()
> + {
> + [ -n "${1:-}" ] || return 1
> + # Prepare temp files:
> +- kerneltmp="$(mktemp -t smc-kernel-XXXXXX)"
> ++ kerneltmp="$(@mktemp@ -t smc-kernel-XXXXXX)"
> +
> + # Initial attempt for uncompressed images or objects:
> + if check_kernel "$1"; then
> + _debug "extract_kernel: found kernel is valid, no
> decompression needed"
> +- cat "$1" > "$kerneltmp"
> ++ @cat@ "$1" > "$kerneltmp"
> + kernel=$kerneltmp
> + return 0
> + fi
> +@@ -1263,14 +1263,14 @@ extract_kernel()
> + for pass in 1 2; do
> + for mode in normal desperate; do
> + _debug "extract_kernel: pass $pass $mode
> mode"
> +- try_decompress '\037\213\010' xy
> gunzip '' gunzip "$1" "$mode" "$pass" && return 0
> +- try_decompress '\002\041\114\030' xyy
> 'lz4' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
> +- try_decompress '\3757zXZ\000' abcde
> unxz '' xz-utils "$1" "$mode" "$pass" && return 0
> +- try_decompress 'BZh' xy
> bunzip2 '' bzip2 "$1" "$mode" "$pass" && return 0
> +- try_decompress '\135\0\0\0' xxx
> unlzma '' xz-utils "$1" "$mode" "$pass" && return 0
> +- try_decompress '\211\114\132' xy
> 'lzop' '-d' lzop "$1" "$mode" "$pass" && return 0
> +- try_decompress '\177ELF' xxy
> 'cat' '' cat "$1" "$mode" "$pass" && return 0
> +- try_decompress '(\265/\375' xxy
> unzstd '' zstd "$1" "$mode" "$pass" && return 0
> ++ try_decompress '\037\213\010' xy
> @gunzip@ '' gunzip "$1" "$mode" "$pass" && return 0
> ++ try_decompress '\002\041\114\030' xyy
> '@lz4@' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
> ++ try_decompress '\3757zXZ\000' abcde
> @unxz@ '' xz-utils "$1" "$mode" "$pass" && return 0
> ++ try_decompress 'BZh' xy
> @bunzip2@ '' bzip2 "$1" "$mode" "$pass" && return 0
> ++ try_decompress '\135\0\0\0' xxx
> @unlzma@ '' xz-utils "$1" "$mode" "$pass" && return 0
> ++ try_decompress '\211\114\132' xy
> '@lzop@' '-d' lzop "$1" "$mode" "$pass" && return 0
> ++ try_decompress '\177ELF' xxy
> '@cat@' '' cat "$1" "$mode" "$pass" && return 0
> ++ try_decompress '(\265/\375' xxy
> @unzstd@ '' zstd "$1" "$mode" "$pass" && return 0
> + done
> + done
> + # kernel_err might already have been populated by
> try_decompress() if we're missing one of the tools
> +@@ -1287,7 +1287,7 @@ mount_debugfs()
> + {
> + if [ ! -e /sys/kernel/debug/sched_features ]; then
> + # try to mount the debugfs hierarchy ourselves and
> remember it to umount afterwards
> +- mount -t debugfs debugfs /sys/kernel/debug
> 2>/dev/null && mounted_debugfs=1
> ++ @mount@ -t debugfs debugfs /sys/kernel/debug
> 2>/dev/null && mounted_debugfs=1
> + fi
> + }
> +
> +@@ -1298,12 +1298,12 @@ load_msr()
> + load_msr_once=1
> +
> + if [ "$os" = Linux ]; then
> +- if ! grep -qw msr "$procfs/modules" 2>/dev/null; then
> +- modprobe msr 2>/dev/null && insmod_msr=1
> ++ if ! @grep@ -qw msr "$procfs/modules" 2>/dev/null;
> then
> ++ @modprobe@ msr 2>/dev/null && insmod_msr=1
> + _debug "attempted to load module msr,
> insmod_msr=$insmod_msr"
> + else
> + _debug "msr module already loaded"
> +- fi
> ++ fi
> + else
> + if ! kldstat -q -m cpuctl; then
> + kldload cpuctl 2>/dev/null &&
> kldload_cpuctl=1
> +@@ -1321,12 +1321,12 @@ load_cpuid()
> + load_cpuid_once=1
> +
> + if [ "$os" = Linux ]; then
> +- if ! grep -qw cpuid "$procfs/modules" 2>/dev/null;
> then
> +- modprobe cpuid 2>/dev/null && insmod_cpuid=1
> ++ if ! @grep@ -qw cpuid "$procfs/modules" 2>/dev/null;
> then
> ++ @modprobe@ cpuid 2>/dev/null &&
> insmod_cpuid=1
> + _debug "attempted to load module cpuid,
> insmod_cpuid=$insmod_cpuid"
> + else
> + _debug "cpuid module already loaded"
> +- fi
> ++ fi
> + else
> + if ! kldstat -q -m cpuctl; then
> + kldload cpuctl 2>/dev/null &&
> kldload_cpuctl=1
> +@@ -1415,7 +1415,7 @@ read_cpuid_one_core()
> + fi
> + # on some kernel versions, /dev/cpu/0/cpuid doesn't
> imply that the cpuid module is loaded, in that case dd returns an
> error,
> + # we use that fact to load the module if dd returns
> an error
> +- if ! dd if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null
> 2>&1; then
> ++ if ! @dd@ if=/dev/cpu/0/cpuid bs=16 count=1
> >/dev/null 2>&1; then
> + load_cpuid
> + fi
> + # we need _leaf to be converted to decimal for dd
> +@@ -1426,14 +1426,14 @@ read_cpuid_one_core()
> + _ddskip=$(( _position / 16 ))
> + _odskip=$(( _position - _ddskip * 16 ))
> + # now read the value
> +- _cpuid=$(dd if="/dev/cpu/$_core/cpuid" bs=16
> skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | od -j $((_odskip *
> 16)) -A n -t u4)
> ++ _cpuid=$(@dd@ if="/dev/cpu/$_core/cpuid" bs=16
> skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | @od@ -j $((_odskip
> * 16)) -A n -t u4)
> + elif [ -e /dev/cpuctl0 ]; then
> + # BSD
> + if [ ! -r /dev/cpuctl0 ]; then
> + read_cpuid_msg="Couldn't read cpuid info from
> cpuctl"
> + return $READ_CPUID_RET_ERR
> + fi
> +- _cpuid=$(cpucontrol -i "$_leaf","$_subleaf"
> "/dev/cpuctl$_core" 2>/dev/null | cut -d: -f2-)
> ++ _cpuid=$(cpucontrol -i "$_leaf","$_subleaf"
> "/dev/cpuctl$_core" 2>/dev/null | @cut@ -d: -f2-)
> + # cpuid level 0x4, level_type 0x2: 0x1c004143
> 0x01c0003f 0x000001ff 0x00000000
> + else
> + read_cpuid_msg="Found no way to read cpuid info"
> +@@ -1456,7 +1456,7 @@ read_cpuid_one_core()
> + fi
> +
> + # get the value of the register we want
> +- _reg=$(echo "$_cpuid" | awk '{print $'"$_register"'}')
> ++ _reg=$(echo "$_cpuid" | @awk@ '{print $'"$_register"'}')
> + # Linux returns it as decimal, BSD as hex, normalize to
> decimal
> + _reg=$(( _reg ))
> + # shellcheck disable=SC2046
> +@@ -1484,11 +1484,11 @@ dmesg_grep()
> + # grep for something in dmesg, ensuring that the dmesg buffer
> + # has not been truncated
> + dmesg_grepped=''
> +- if ! dmesg | grep -qE -e '(^|\] )Linux version [0-9]' -e
> '^FreeBSD is a registered' ; then
> ++ if ! @dmesg@ | @grep@ -qE -e '(^|\] )Linux version [0-9]' -e
> '^FreeBSD is a registered' ; then
> + # dmesg truncated
> + return 2
> + fi
> +- dmesg_grepped=$(dmesg | grep -E "$1" | head -1)
> ++ dmesg_grepped=$(@dmesg@ | @grep@ -E "$1" | @head@ -1)
> + # not found:
> + [ -z "$dmesg_grepped" ] && return 1
> + # found, output is in $dmesg_grepped
> +@@ -1505,12 +1505,12 @@ parse_cpu_details()
> + {
> + [ "${parse_cpu_details_done:-}" = 1 ] && return 0
> +
> +- if command -v nproc >/dev/null; then
> +- number_of_cores=$(nproc)
> +- elif echo "$os" | grep -q BSD; then
> +- number_of_cores=$(sysctl -n hw.ncpu 2>/dev/null ||
> echo 1)
> ++ if command -v @nproc@ >/dev/null; then
> ++ number_of_cores=$(@nproc@)
> ++ elif echo "$os" | @grep@ -q BSD; then
> ++ number_of_cores=$(@sysctl@ -n hw.ncpu 2>/dev/null ||
> echo 1)
> + elif [ -e "$procfs/cpuinfo" ]; then
> +- number_of_cores=$(grep -c ^processor
> "$procfs/cpuinfo" 2>/dev/null || echo 1)
> ++ number_of_cores=$(@grep@ -c ^processor
> "$procfs/cpuinfo" 2>/dev/null || echo 1)
> + else
> + # if we don't know, default to 1 CPU
> + number_of_cores=1
> +@@ -1518,43 +1518,43 @@ parse_cpu_details()
> + max_core_id=$(( number_of_cores - 1 ))
> +
> + if [ -e "$procfs/cpuinfo" ]; then
> +- cpu_vendor=$( grep '^vendor_id' "$procfs/cpuinfo" |
> awk '{print $3}' | head -1)
> +- cpu_friendly_name=$(grep '^model name'
> "$procfs/cpuinfo" | cut -d: -f2- | head -1 | sed -e 's/^ *//')
> ++ cpu_vendor=$( @grep@ '^vendor_id' "$procfs/cpuinfo"
> | @awk@ '{print $3}' | @head@ -1)
> ++ cpu_friendly_name=$(@grep@ '^model name'
> "$procfs/cpuinfo" | @cut@ -d: -f2- | @head@ -1 | @sed@ -e 's/^ *//')
> + # special case for ARM follows
> +- if grep -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
> ++ if @grep@ -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
> + cpu_vendor='ARM'
> + # some devices (phones or other) have several
> ARMs and as such different part numbers,
> + # an example is "bigLITTLE", so we need to
> store the whole list, this is needed for is_cpu_affected
> +- cpu_part_list=$(awk '/CPU part/
> {print $4}' "$procfs/cpuinfo")
> +- cpu_arch_list=$(awk '/CPU architecture/
> {print $3}' "$procfs/cpuinfo")
> ++ cpu_part_list=$(@awk@ '/CPU part/
> {print $4}' "$procfs/cpuinfo")
> ++ cpu_arch_list=$(@awk@ '/CPU architecture/
> {print $3}' "$procfs/cpuinfo")
> + # take the first one to fill the friendly
> name, do NOT quote the vars below
> + # shellcheck disable=SC2086
> +- cpu_arch=$(echo $cpu_arch_list | awk '{ print
> $1 }')
> ++ cpu_arch=$(echo $cpu_arch_list | @awk@ '{
> print $1 }')
> + # shellcheck disable=SC2086
> +- cpu_part=$(echo $cpu_part_list | awk '{ print
> $1 }')
> ++ cpu_part=$(echo $cpu_part_list | @awk@ '{
> print $1 }')
> + [ "$cpu_arch" = "AArch64" ] && cpu_arch=8
> + cpu_friendly_name="ARM"
> + [ -n "$cpu_arch" ] &&
> cpu_friendly_name="$cpu_friendly_name v$cpu_arch"
> + [ -n "$cpu_part" ] &&
> cpu_friendly_name="$cpu_friendly_name model $cpu_part"
> +
> +- elif grep -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
> ++ elif @grep@ -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
> + cpu_vendor='CAVIUM'
> +- elif grep -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
> ++ elif @grep@ -qi 'CPU
> implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
> + cpu_vendor='PHYTIUM'
> + fi
> +
> +- cpu_family=$( grep '^cpu family' "$procfs/cpuinfo" |
> awk '{print $4}' | grep -E '^[0-9]+$' | head -1)
> +- cpu_model=$( grep '^model' "$procfs/cpuinfo" |
> awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
> +- cpu_stepping=$(grep '^stepping' "$procfs/cpuinfo" |
> awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
> +- cpu_ucode=$( grep '^microcode' "$procfs/cpuinfo" |
> awk '{print $3}' | head -1)
> ++ cpu_family=$( @grep@ '^cpu family' "$procfs/cpuinfo"
> | @awk@ '{print $4}' | @grep@ -E '^[0-9]+$' | @head@ -1)
> ++ cpu_model=$( @grep@ '^model' "$procfs/cpuinfo"
> | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
> ++ cpu_stepping=$(@grep@ '^stepping' "$procfs/cpuinfo"
> | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
> ++ cpu_ucode=$( @grep@ '^microcode' "$procfs/cpuinfo"
> | @awk@ '{print $3}' | @head@ -1)
> + else
> +- cpu_vendor=$( dmesg | grep -i -m1 'Origin=' | cut -f2
> -w | cut -f2 -d= | cut -f2 -d\" )
> +- cpu_family=$( dmesg | grep -i -m1 'Family=' | cut -f4
> -w | cut -f2 -d= )
> ++ cpu_vendor=$( @dmesg@ | @grep@ -i -m1 'Origin=' |
> @cut@ -f2 -w | @cut@ -f2 -d= | @cut@ -f2 -d\" )
> ++ cpu_family=$( @dmesg@ | @grep@ -i -m1 'Family=' |
> @cut@ -f4 -w | @cut@ -f2 -d= )
> + cpu_family=$(( cpu_family ))
> +- cpu_model=$( dmesg | grep -i -m1 'Model=' | cut -f5 -
> w | cut -f2 -d= )
> ++ cpu_model=$( @dmesg@ | @grep@ -i -m1 'Model=' | @cut@
> -f5 -w | @cut@ -f2 -d= )
> + cpu_model=$(( cpu_model ))
> +- cpu_stepping=$( dmesg | grep -i -m1 'Stepping=' | cut
> -f6 -w | cut -f2 -d= )
> +- cpu_friendly_name=$(sysctl -n hw.model 2>/dev/null)
> ++ cpu_stepping=$( @dmesg@ | @grep@ -i -m1 'Stepping=' |
> @cut@ -f6 -w | @cut@ -f2 -d= )
> ++ cpu_friendly_name=$(@sysctl@ -n hw.model 2>/dev/null)
> + fi
> +
> + if [ -n "${SMC_MOCK_CPU_FRIENDLY_NAME:-}" ]; then
> +@@ -1609,7 +1609,7 @@ parse_cpu_details()
> + # call CPUID
> + cpucontrol -i 1 /dev/cpuctl0 >/dev/null
> + # read MSR
> +- cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 |
> awk '{print $3}')
> ++ cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 |
> @awk@ '{print $3}')
> + # convert to decimal
> + cpu_ucode=$(( cpu_ucode ))
> + # convert back to hex
> +@@ -1628,7 +1628,7 @@ parse_cpu_details()
> + mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_CPU_UCODE='$cpu_ucode'")
> + fi
> +
> +- echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$(( cpu_ucode ))
> ++ echo "$cpu_ucode" | @grep@ -q ^0x && cpu_ucode=$(( cpu_ucode
> ))
> + ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x
> ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" "$cpu_stepping"
> "$cpu_ucode" "$cpu_cpuid")
> +
> + # also define those that we will need in other funcs
> +@@ -1725,8 +1725,8 @@ is_cpu_smt_enabled()
> + {
> + # SMT / HyperThreading is enabled if siblings != cpucores
> + if [ -e "$procfs/cpuinfo" ]; then
> +- _siblings=$(awk '/^siblings/ {print $3;exit}'
> "$procfs/cpuinfo")
> +- _cpucores=$(awk '/^cpu cores/ {print $4;exit}'
> "$procfs/cpuinfo")
> ++ _siblings=$(@awk@ '/^siblings/ {print $3;exit}'
> "$procfs/cpuinfo")
> ++ _cpucores=$(@awk@ '/^cpu cores/ {print $4;exit}'
> "$procfs/cpuinfo")
> + if [ -n "$_siblings" ] && [ -n "$_cpucores" ]; then
> + if [ "$_siblings" = "$_cpucores" ]; then
> + return 1
> +@@ -1774,10 +1774,10 @@ is_ucode_blacklisted()
> + $INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b \
> + $INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712
> + do
> +- model=$(echo "$tuple" | cut -d, -f1)
> +- stepping=$(( $(echo "$tuple" | cut -d, -f2) ))
> ++ model=$(echo "$tuple" | @cut@ -d, -f1)
> ++ stepping=$(( $(echo "$tuple" | @cut@ -d, -f2) ))
> + if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" =
> "$stepping" ]; then
> +- ucode=$(( $(echo "$tuple" | cut -d, -f3) ))
> ++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
> + if [ "$cpu_ucode" = "$ucode" ]; then
> + _debug "is_ucode_blacklisted: we have
> a match! ($cpu_model/$cpu_stepping/$cpu_ucode)"
> + return 0
> +@@ -1865,7 +1865,7 @@ is_xen_dom0()
> + return 1
> + fi
> +
> +- if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d"
> "$procfs/xen/capabilities"; then
> ++ if [ -e "$procfs/xen/capabilities" ] && @grep@ -q "control_d"
> "$procfs/xen/capabilities"; then
> + return 0
> + else
> + return 1
> +@@ -1893,13 +1893,13 @@ is_xen_domU()
> +
> + if [ -r "$mcedb_cache" ]; then
> + # we have a local cache file, but it might be older than the
> builtin version we have
> +- local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }'
> "$mcedb_cache")
> ++ local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }'
> "$mcedb_cache")
> + mcedb_source="$mcedb_cache"
> + mcedb_info="local firmwares DB $local_dbversion"
> + fi
> + read_mcedb()
> + {
> +- awk '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1
> }' "$mcedb_source"
> ++ @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / {
> DELIM=1 }' "$mcedb_source"
> + }
> +
> + is_latest_known_ucode()
> +@@ -1920,10 +1920,10 @@ is_latest_known_ucode()
> + else
> + return 2
> + fi
> +- for tuple in $(read_mcedb | grep "$(printf
> "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
> ++ for tuple in $(read_mcedb | @grep@ "$(printf
> "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
> + do
> +- ucode=$(( $(echo "$tuple" | cut -d, -f3) ))
> +- ucode_date=$(echo "$tuple" | cut -d, -f4 | sed -r
> 's=(....)(..)(..)=\1/\2/\3=')
> ++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
> ++ ucode_date=$(echo "$tuple" | @cut@ -d, -f4 | @sed@ -r
> 's=(....)(..)(..)=\1/\2/\3=')
> + _debug "is_latest_known_ucode: with cpuid $cpu_cpuid
> has ucode $cpu_ucode, last known is $ucode from $ucode_date"
> + ucode_latest=$(printf "latest version is 0x%x dated
> $ucode_date according to $mcedb_info" "$ucode")
> + if [ "$cpu_ucode" -ge "$ucode" ]; then
> +@@ -1948,7 +1948,7 @@ get_cmdline()
> + kernel_cmdline="$SMC_MOCK_CMDLINE"
> + return
> + else
> +- kernel_cmdline=$(cat "$procfs/cmdline")
> ++ kernel_cmdline=$(@cat@ "$procfs/cmdline")
> + mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_CMDLINE='$kernel_cmdline'")
> + fi
> + }
> +@@ -1956,7 +1956,7 @@ get_cmdline()
> + # ENTRYPOINT
> +
> + # we can't do anything useful under WSL
> +-if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then
> ++if @uname@ -a | @grep@ -qE -- '-Microsoft #[0-9]+-Microsoft '; then
> + _warn "This script doesn't work under Windows Subsystem for
> Linux"
> + _warn "You should use the official Microsoft tool instead."
> + _warn "It can be found under
> https://aka.ms/SpeculationControlPS"
> +@@ -2005,15 +2005,15 @@ fi
> +
> + # if we're under a BSD, try to mount linprocfs for
> "$procfs/cpuinfo"
> + procfs=/proc
> +-if echo "$os" | grep -q BSD; then
> ++if echo "$os" | @grep@ -q BSD; then
> + _debug "We're under BSD, check if we have procfs"
> +- procfs=$(mount | awk '/^linprocfs/ { print $3; exit; }')
> ++ procfs=$(@mount@ | @awk@ '/^linprocfs/ { print $3; exit; }')
> + if [ -z "$procfs" ]; then
> + _debug "we don't, try to mount it"
> + procfs=/proc
> + [ -d /compat/linux/proc ] &&
> procfs=/compat/linux/proc
> + test -d $procfs || mkdir $procfs
> +- if mount -t linprocfs linprocfs $procfs 2>/dev/null;
> then
> ++ if @mount@ -t linprocfs linprocfs $procfs
> 2>/dev/null; then
> + mounted_procfs=1
> + _debug "procfs just mounted at $procfs"
> + else
> +@@ -2045,14 +2045,14 @@ fi
> +
> + if [ "$opt_live" = 1 ]; then
> + # root check (only for live mode, for offline mode, we
> already checked if we could read the files)
> +- if [ "$(id -u)" -ne 0 ]; then
> ++ if [ "$(@id@ -u)" -ne 0 ]; then
> + _warn "Note that you should launch this script with
> root privileges to get accurate information."
> + _warn "We'll proceed but you might see permission
> denied errors."
> + _warn "To run it as root, you can try the following
> command: sudo $0"
> + _warn
> + fi
> + _info "Checking for vulnerabilities on current system"
> +- _info "Kernel is \033[35m$os $(uname -r) $(uname -v) $(uname
> -m)\033[0m"
> ++ _info "Kernel is \033[35m$os $(@uname@ -r) $(@uname@ -v)
> $(@uname@ -m)\033[0m"
> + _info "CPU is \033[35m$cpu_friendly_name\033[0m"
> +
> + # try to find the image of the current running kernel
> +@@ -2060,12 +2060,12 @@ if [ "$opt_live" = 1 ]; then
> + # specified by user on cmdline, with --live, don't
> override
> + :
> + # first, look for the BOOT_IMAGE hint in the kernel cmdline
> +- elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then
> +- opt_kernel=$(echo "$kernel_cmdline" | grep -Eo
> 'BOOT_IMAGE=[^ ]+' | cut -d= -f2)
> ++ elif echo "$kernel_cmdline" | @grep@ -q 'BOOT_IMAGE='; then
> ++ opt_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo
> 'BOOT_IMAGE=[^ ]+' | @cut@ -d= -f2)
> + _debug "found opt_kernel=$opt_kernel in
> $procfs/cmdline"
> + # if the boot partition is within a btrfs subvolume,
> strip the subvolume name
> + # if /boot is a separate subvolume, the remainder of
> the code in this section should handle it
> +- if echo "$opt_kernel" | grep -q "^/@"; then
> opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi
> ++ if echo "$opt_kernel" | @grep@ -q "^/@"; then
> opt_kernel=$(echo "$opt_kernel" | @sed@ "s:/@[^/]*::"); fi
> + # if we have a dedicated /boot partition, our
> bootloader might have just called it /
> + # so try to prepend /boot and see if we find anything
> + [ -e "/boot/$opt_kernel" ] &&
> opt_kernel="/boot/$opt_kernel"
> +@@ -2077,7 +2077,7 @@ if [ "$opt_live" = 1 ]; then
> + # if we didn't find a kernel, default to guessing
> + if [ ! -e "$opt_kernel" ]; then
> + # Fedora:
> +- [ -e "/lib/modules/$(uname -r)/vmlinuz" ] &&
> opt_kernel="/lib/modules/$(uname -r)/vmlinuz"
> ++ [ -e "/lib/modules/$(@uname@ -r)/vmlinuz" ] &&
> opt_kernel="/lib/modules/$(@uname@ -r)/vmlinuz"
> + # Slackware:
> + [ -e "/boot/vmlinuz" ] &&
> opt_kernel="/boot/vmlinuz"
> + # Arch aarch64:
> +@@ -2091,24 +2091,24 @@ if [ "$opt_live" = 1 ]; then
> + # pine64
> + [ -e "/boot/pine64/Image" ] &&
> opt_kernel="/boot/pine64/Image"
> + # generic:
> +- [ -e "/boot/vmlinuz-$(uname -r)" ] &&
> opt_kernel="/boot/vmlinuz-$(uname -r)"
> +- [ -e "/boot/kernel-$( uname -r)" ] &&
> opt_kernel="/boot/kernel-$( uname -r)"
> +- [ -e "/boot/bzImage-$(uname -r)" ] &&
> opt_kernel="/boot/bzImage-$(uname -r)"
> ++ [ -e "/boot/vmlinuz-$(@uname@ -r)" ] &&
> opt_kernel="/boot/vmlinuz-$(@uname@ -r)"
> ++ [ -e "/boot/kernel-$( @uname@ -r)" ] &&
> opt_kernel="/boot/kernel-$( @uname@ -r)"
> ++ [ -e "/boot/bzImage-$(@uname@ -r)" ] &&
> opt_kernel="/boot/bzImage-$(@uname@ -r)"
> + # Gentoo:
> +- [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ++ [ -e "/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@
> -r)" ] && opt_kernel="/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@
> -r)"
> + # NixOS:
> + [ -e "/run/booted-system/kernel" ] &&
> opt_kernel="/run/booted-system/kernel"
> + # Guix System:
> + [ -e "/run/booted-system/kernel/bzImage" ] &&
> opt_kernel="/run/booted-system/kernel/bzImage"
> + # systemd kernel-install:
> +- [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux"
> ++ [ -e "/etc/machine-id" ] && [ -e "/boot/$(@cat@
> /etc/machine-id)/$(@uname@ -r)/linux" ] && opt_kernel="/boot/$(@cat@
> /etc/machine-id)/$(@uname@ -r)/linux"
> + # Clear Linux:
> +- str_uname=$(uname -r)
> ++ str_uname=$(@uname@ -r)
> + clear_linux_kernel="/lib/kernel/org.clearlinux.${str_
> uname##*.}.${str_uname%.*}"
> + [ -e "$clear_linux_kernel" ] &&
> opt_kernel=$clear_linux_kernel
> + # Custom Arch seems to have the kernel path in its
> cmdline in the form "\directory\kernelimage",
> + # with actual \'s instead of /'s:
> +- custom_arch_kernel=$(echo "$kernel_cmdline" | grep -
> Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d
> '[:space:]')
> ++ custom_arch_kernel=$(echo "$kernel_cmdline" | @grep@
> -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | @tr@ "\\\\" "/" | @tr@ -d
> '[:space:]')
> + if [ -n "$custom_arch_kernel" ] && [ -e
> "$custom_arch_kernel" ]; then
> + opt_kernel="$custom_arch_kernel"
> + fi
> +@@ -2122,12 +2122,12 @@ if [ "$opt_live" = 1 ]; then
> + :
> + elif [ -e "$procfs/kallsyms" ] ; then
> + opt_map="$procfs/kallsyms"
> +- elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then
> +- opt_map="/lib/modules/$(uname -r)/System.map"
> +- elif [ -e "/boot/System.map-$(uname -r)" ] ; then
> +- opt_map="/boot/System.map-$(uname -r)"
> +- elif [ -e "/lib/kernel/System.map-$(uname -r)" ]; then
> +- opt_map="/lib/kernel/System.map-$(uname -r)"
> ++ elif [ -e "/lib/modules/$(@uname@ -r)/System.map" ] ; then
> ++ opt_map="/lib/modules/$(@uname@ -r)/System.map"
> ++ elif [ -e "/boot/System.map-$(@uname@ -r)" ] ; then
> ++ opt_map="/boot/System.map-$(@uname@ -r)"
> ++ elif [ -e "/lib/kernel/System.map-$(@uname@ -r)" ]; then
> ++ opt_map="/lib/kernel/System.map-$(@uname@ -r)"
> + fi
> +
> + # config
> +@@ -2135,18 +2135,18 @@ if [ "$opt_live" = 1 ]; then
> + # specified by user on cmdline, with --live, don't
> override
> + :
> + elif [ -e "$procfs/config.gz" ] ; then
> +- dumped_config="$(mktemp -t smc-config-XXXXXX)"
> +- gunzip -c "$procfs/config.gz" > "$dumped_config"
> ++ dumped_config="$(@mktemp@ -t smc-config-XXXXXX)"
> ++ @gunzip@ -c "$procfs/config.gz" > "$dumped_config"
> + # dumped_config will be deleted at the end of the
> script
> + opt_config="$dumped_config"
> +- elif [ -e "/lib/modules/$(uname -r)/config" ]; then
> +- opt_config="/lib/modules/$(uname -r)/config"
> +- elif [ -e "/boot/config-$(uname -r)" ]; then
> +- opt_config="/boot/config-$(uname -r)"
> +- elif [ -e "/etc/kernels/kernel-config-$(uname -m)-$(uname -
> r)" ]; then
> +- opt_config="/etc/kernels/kernel-config-$(uname -m)-
> $(uname -r)"
> +- elif [ -e "/lib/kernel/config-$(uname -r)" ]; then
> +- opt_config="/lib/kernel/config-$(uname -r)"
> ++ elif [ -e "/lib/modules/$(@uname@ -r)/config" ]; then
> ++ opt_config="/lib/modules/$(@uname@ -r)/config"
> ++ elif [ -e "/boot/config-$(@uname@ -r)" ]; then
> ++ opt_config="/boot/config-$(@uname@ -r)"
> ++ elif [ -e "/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@
> -r)" ]; then
> ++ opt_config="/etc/kernels/kernel-config-$(@uname@ -m)-
> $(@uname@ -r)"
> ++ elif [ -e "/lib/kernel/config-$(@uname@ -r)" ]; then
> ++ opt_config="/lib/kernel/config-$(@uname@ -r)"
> + fi
> + else
> + _info "Checking for vulnerabilities against specified kernel"
> +@@ -2161,7 +2161,7 @@ else
> + fi
> +
> + if [ "$os" = Linux ]; then
> +- if [ -n "$opt_config" ] && ! grep -q '^CONFIG_'
> "$opt_config"; then
> ++ if [ -n "$opt_config" ] && ! @grep@ -q '^CONFIG_'
> "$opt_config"; then
> + # given file is invalid!
> + _warn "The kernel config file seems invalid, was
> expecting a plain-text file, ignoring it!"
> + opt_config=''
> +@@ -2189,7 +2189,7 @@ if [ "$os" = Linux ]; then
> + fi
> +
> + if [ -e "$opt_kernel" ]; then
> +- if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1;
> then
> ++ if ! command -v "@readelf@" >/dev/null 2>&1; then
> + _debug "readelf not found"
> + kernel_err="missing '${opt_arch_prefix}readelf' tool,
> please install it, usually it's in the 'binutils' package"
> + elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ];
> then
> +@@ -2207,20 +2207,20 @@ else
> + # vanilla kernels have with ^Linux version
> + # also try harder with some kernels (such as Red Hat) that
> don't have ^Linux version before their version string
> + # and check for FreeBSD
> +- kernel_version=$("${opt_arch_prefix}strings" "$kernel"
> 2>/dev/null | grep -E \
> ++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -
> E \
> + -e '^Linux version ' \
> + -e '^[[:alnum:]][^[:space:]]+ \([^[:space:]]+\) #[0-
> 9]+ .+ (19|20)[0-9][0-9]$' \
> +- -e '^FreeBSD [0-9]' | head -1)
> ++ -e '^FreeBSD [0-9]' | @head@ -1)
> + if [ -z "$kernel_version" ]; then
> + # try even harder with some kernels (such as ARM)
> that split the release (uname -r) and version (uname -v) in 2
> adjacent strings
> +- kernel_version=$("${opt_arch_prefix}strings"
> "$kernel" 2>/dev/null | grep -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$'
> | tr "\n" " ")
> ++ kernel_version=$("@strings@" "$kernel" 2>/dev/null |
> @grep@ -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | @tr@ "\n" " ")
> + fi
> + if [ -n "$kernel_version" ]; then
> + # in live mode, check if the img we found is the
> correct one
> + if [ "$opt_live" = 1 ]; then
> + _verbose "Kernel image is
> \033[35m$kernel_version"
> +- if ! echo "$kernel_version" | grep -qF
> "$(uname -r)"; then
> +- _warn "Possible discrepancy between
> your running kernel '$(uname -r)' and the image '$kernel_version' we
> found ($opt_kernel), results might be incorrect"
> ++ if ! echo "$kernel_version" | @grep@ -qF
> "$(@uname@ -r)"; then
> ++ _warn "Possible discrepancy between
> your running kernel '$(@uname@ -r)' and the image '$kernel_version'
> we found ($opt_kernel), results might be incorrect"
> + fi
> + else
> + _info "Kernel image is
> \033[35m$kernel_version"
> +@@ -2248,11 +2248,11 @@ sys_interface_check()
> + if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r
> "$file" ]; then
> + :
> + else
> +- mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_SYSFS_$(basename "$file")_RET=1")
> ++ mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_SYSFS_$(@basename@ "$file")_RET=1")
> + return 1
> + fi
> +
> +- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")_RET"
> ++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")_RET"
> + # shellcheck disable=SC2086,SC1083
> + if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
> + _debug "sysfs: MOCKING enabled for $file func returns
> $(eval echo \$$_mockvarname)"
> +@@ -2261,17 +2261,17 @@ sys_interface_check()
> + fi
> +
> + [ -n "$regex" ] || regex='.*'
> +- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")"
> ++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")"
> + # shellcheck disable=SC2086,SC1083
> + if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
> + fullmsg="$(eval echo \$$_mockvarname)"
> +- msg=$(echo "$fullmsg" | grep -Eo "$regex")
> ++ msg=$(echo "$fullmsg" | @grep@ -Eo "$regex")
> + _debug "sysfs: MOCKING enabled for $file, will return
> $fullmsg"
> + mocked=1
> + else
> +- fullmsg=$(cat "$file")
> +- msg=$(grep -Eo "$regex" "$file")
> +- mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_SYSFS_$(basename "$file")='$fullmsg'")
> ++ fullmsg=$(@cat@ "$file")
> ++ msg=$(@grep@ -Eo "$regex" "$file")
> ++ mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_SYSFS_$(@basename@ "$file")='$fullmsg'")
> + fi
> + if [ "$mode" = silent ]; then
> + return 0
> +@@ -2280,15 +2280,15 @@ sys_interface_check()
> + return 0
> + fi
> + _info_nol "* Mitigated according to the /sys interface: "
> +- if echo "$msg" | grep -qi '^not affected'; then
> ++ if echo "$msg" | @grep@ -qi '^not affected'; then
> + # Not affected
> + status=OK
> + pstatus green YES "$fullmsg"
> +- elif echo "$msg" | grep -qEi '^(kvm: )?mitigation'; then
> ++ elif echo "$msg" | @grep@ -qEi '^(kvm: )?mitigation'; then
> + # Mitigation: PTI
> + status=OK
> + pstatus green YES "$fullmsg"
> +- elif echo "$msg" | grep -qi '^vulnerable'; then
> ++ elif echo "$msg" | @grep@ -qi '^vulnerable'; then
> + # Vulnerable
> + status=VULN
> + pstatus yellow NO "$fullmsg"
> +@@ -2376,20 +2376,20 @@ write_msr_one_core()
> + # ret=4: msr doesn't exist, ret=127:
> msr.allow_writes=off
> + [ "$ret" = 127 ] && _write_denied=1
> + # or fallback to dd if it supports seek_bytes, we
> prefer it over perl because we can tell the difference between EPERM
> and EIO
> +- elif dd if=/dev/null of=/dev/null bs=8 count=1
> seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}"
> != 1 ]; then
> ++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1
> seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}"
> != 1 ]; then
> + _debug "write_msr: using dd"
> +- dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8
> count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
> ++ @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr
> bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
> + # if it failed, inspect stderrto look for
> EPERM
> + if [ "$ret" != 0 ]; then
> +- if dd if=/dev/zero
> of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec"
> oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then
> ++ if @dd@ if=/dev/zero
> of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec"
> oflag=seek_bytes 2>&1 | @grep@ -qF 'Operation not permitted'; then
> + _write_denied=1
> + fi
> + fi
> + # or if we have perl, use it, any 5.x version will
> work
> +- elif command -v perl >/dev/null 2>&1 && [
> "${SMC_NO_PERL:-}" != 1 ]; then
> ++ elif command -v @perl@ >/dev/null 2>&1 && [
> "${SMC_NO_PERL:-}" != 1 ]; then
> + _debug "write_msr: using perl"
> + ret=1
> +- perl -e "open(M,'>','/dev/cpu/$_core/msr')
> and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -
> eq 8 ] && ret=0
> ++ @perl@ -e "open(M,'>','/dev/cpu/$_core/msr')
> and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -
> eq 8 ] && ret=0
> + else
> + _debug "write_msr: got no wrmsr, perl or
> recent enough dd!"
> + mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR")
> +@@ -2411,13 +2411,13 @@ write_msr_one_core()
> + msr_locked_down=1
> + write_msr_msg="your kernel is
> configured to deny writes to MSRs from user space"
> + return $WRITE_MSR_RET_LOCKDOWN
> +- elif dmesg | grep -qF "msr: Direct access to
> MSR"; then
> ++ elif @dmesg@ | @grep@ -qF "msr: Direct access
> to MSR"; then
> + _debug "write_msr: locked down kernel
> detected (Red Hat / Fedora)"
> + mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
> + msr_locked_down=1
> + write_msr_msg="your kernel is locked
> down (Fedora/Red Hat), please reboot without secure boot and retry"
> + return $WRITE_MSR_RET_LOCKDOWN
> +- elif dmesg | grep -qF "raw MSR access is
> restricted"; then
> ++ elif @dmesg@ | @grep@ -qF "raw MSR access is
> restricted"; then
> + _debug "write_msr: locked down kernel
> detected (vanilla)"
> + mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
> + msr_locked_down=1
> +@@ -2516,8 +2516,8 @@ read_msr_one_core()
> + return $READ_MSR_RET_KO
> + fi
> + # MSR 0x10: 0x000003e1 0xb106dded
> +- _msr_h=$(echo "$_msr" | awk '{print $3}');
> +- _msr_l=$(echo "$_msr" | awk '{print $4}');
> ++ _msr_h=$(echo "$_msr" | @awk@ '{print $3}');
> ++ _msr_l=$(echo "$_msr" | @awk@ '{print $4}');
> + read_msr_value=$(( _msr_h << 32 | _msr_l ))
> + else
> + # for Linux
> +@@ -2528,15 +2528,15 @@ read_msr_one_core()
> + # if rdmsr is available, use it
> + elif command -v rdmsr >/dev/null 2>&1 && [
> "${SMC_NO_RDMSR:-}" != 1 ]; then
> + _debug "read_msr: using rdmsr on $_msr"
> +- read_msr_value=$(rdmsr -r $_msr_dec
> 2>/dev/null | od -t u8 -A n)
> ++ read_msr_value=$(rdmsr -r $_msr_dec
> 2>/dev/null | @od@ -t u8 -A n)
> + # or if we have perl, use it, any 5.x version will
> work
> +- elif command -v perl >/dev/null 2>&1 && [
> "${SMC_NO_PERL:-}" != 1 ]; then
> ++ elif command -v @perl@ >/dev/null 2>&1 && [
> "${SMC_NO_PERL:-}" != 1 ]; then
> + _debug "read_msr: using perl on $_msr"
> +- read_msr_value=$(perl -e
> "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and
> read(M,\$_,8) and print" | od -t u8 -A n)
> ++ read_msr_value=$(@perl@ -e
> "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and
> read(M,\$_,8) and print" | @od@ -t u8 -A n)
> + # fallback to dd if it supports skip_bytes
> +- elif dd if=/dev/null of=/dev/null bs=8 count=1
> skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
> ++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1
> skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
> + _debug "read_msr: using dd on $_msr"
> +- read_msr_value=$(dd if=/dev/cpu/"$_core"/msr
> bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8
> -A n)
> ++ read_msr_value=$(@dd@
> if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec"
> iflag=skip_bytes 2>/dev/null | @od@ -t u8 -A n)
> + else
> + _debug "read_msr: got no rdmsr, perl or
> recent enough dd!"
> + mockme=$(printf "%b\n%b" "$mockme"
> "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR")
> +@@ -2560,7 +2560,7 @@ check_cpu()
> + {
> + _info "\033[1;34mHardware check\033[0m"
> +
> +- if ! uname -m | grep -qwE 'x86_64|i[3-6]86|amd64'; then
> ++ if ! @uname@ -m | @grep@ -qwE 'x86_64|i[3-6]86|amd64'; then
> + return
> + fi
> +
> +@@ -3176,19 +3176,19 @@ check_redhat_canonical_spectre()
> + # if we were already called, don't do it again
> + [ -n "${redhat_canonical_spectre:-}" ] && return
> +
> +- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1;
> then
> ++ if ! command -v "@strings@" >/dev/null 2>&1; then
> + redhat_canonical_spectre=-1
> + elif [ -n "$kernel_err" ]; then
> + redhat_canonical_spectre=-2
> + else
> + # Red Hat / Ubuntu specific variant1 patch is
> difficult to detect,
> + # let's use the two same tricks than the official Red
> Hat detection script uses:
> +- if "${opt_arch_prefix}strings" "$kernel" | grep -qw
> noibrs && "${opt_arch_prefix}strings" "$kernel" | grep -qw noibpb;
> then
> ++ if "@strings@" "$kernel" | @grep@ -qw noibrs &&
> "@strings@" "$kernel" | @grep@ -qw noibpb; then
> + # 1) detect their specific variant2 patch. If
> it's present, it means
> + # that the variant1 patch is also present
> (both were merged at the same time)
> + _debug "found redhat/canonical version of the
> variant2 patch (implies variant1)"
> + redhat_canonical_spectre=1
> +- elif "${opt_arch_prefix}strings" "$kernel" | grep -q
> 'x86/pti:'; then
> ++ elif "@strings@" "$kernel" | @grep@ -q 'x86/pti:';
> then
> + # 2) detect their specific variant3 patch. If
> it's present, but the variant2
> + # is not, it means that only variant1 is
> present in addition to variant3
> + _debug "found redhat/canonical version of the
> variant3 patch (implies variant1 but not variant2)"
> +@@ -3213,13 +3213,13 @@ check_has_vmm()
> + # If we find no evidence that this is the case,
> assume we're not (to avoid scaring users),
> + # this can always be overridden with --vmm in any
> case.
> + has_vmm=0
> +- if command -v pgrep >/dev/null 2>&1; then
> ++ if command -v @pgrep@ >/dev/null 2>&1; then
> + # remove xenbus and xenwatch, also present
> inside domU
> + # remove libvirtd as it can also be used to
> manage containers and not VMs
> + # for each binary we want to grep, get the
> pids
> + for _binary in qemu kvm xenstored xenconsoled
> + do
> +- for _pid in $(pgrep -x $_binary)
> ++ for _pid in $(@pgrep@ -x $_binary)
> + do
> + # resolve the exe symlink, if
> it doesn't resolve with -m,
> + # which doesn't even need the
> dest to exist, it means the symlink
> +@@ -3235,7 +3235,7 @@ check_has_vmm()
> + else
> + # ignore SC2009 as `ps ax` is actually used
> as a fallback if `pgrep` isn't installed
> + # shellcheck disable=SC2009
> +- if command -v ps >/devnull && ps ax | grep -
> vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e
> '/xenstored' -e '/xenconsoled'; then
> ++ if command -v ps >/devnull && ps ax | @grep@
> -vw grep | @grep@ -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e
> '/xenstored' -e '/xenconsoled'; then
> + has_vmm=1
> + fi
> + fi
> +@@ -3267,7 +3267,7 @@ check_CVE_2017_5753()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2017_5753_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2017_5753_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -3319,20 +3319,20 @@ check_CVE_2017_5753_linux()
> + v1_mask_nospec=''
> + if [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN "couldn't check
> ($kernel_err)"
> +- elif ! command -v perl >/dev/null 2>&1; then
> ++ elif ! command -v @perl@ >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing 'perl'
> binary, please install it"
> + else
> +- perl -ne
> '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END {
> exit($found) }' "$kernel"; ret=$?
> ++ @perl@ -ne
> '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END {
> exit($found) }' "$kernel"; ret=$?
> + if [ $ret -gt 0 ]; then
> + pstatus green YES "$ret occurrence(s)
> found of x86 64 bits array_index_mask_nospec()"
> + v1_mask_nospec="x86 64 bits
> array_index_mask_nospec"
> + else
> +- perl -ne
> '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END {
> exit($found) }' "$kernel"; ret=$?
> ++ @perl@ -ne
> '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END {
> exit($found) }' "$kernel"; ret=$?
> + if [ $ret -gt 0 ]; then
> + pstatus green YES "$ret
> occurrence(s) found of x86 32 bits array_index_mask_nospec()"
> + v1_mask_nospec="x86 32 bits
> array_index_mask_nospec"
> + else
> +-
> ret=$("${opt_arch_prefix}objdum
> p" $objdump_options "$kernel" | grep -w -e f3af8014 -e e320f014 -B2 |
> grep -B1 -w sbc | grep -w -c cmp)
> ++ ret=$("@objdump@"
> $objdump_options "$kernel" | @grep@ -w -e f3af8014 -e e320f014 -B2 |
> @grep@ -B1 -w sbc | @grep@ -w -c cmp)
> + if [ "$ret" -gt 0 ]; then
> + pstatus green YES
> "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()"
> + v1_mask_nospec="arm
> 32 bits array_index_mask_nospec"
> +@@ -3376,12 +3376,12 @@ check_CVE_2017_5753_linux()
> + pstatus yellow NO
> + elif [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN "couldn't check
> ($kernel_err)"
> +- elif ! command -v perl >/dev/null 2>&1; then
> ++ elif ! command -v @perl@ >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing 'perl'
> binary, please install it"
> +- elif ! command -v "${opt_arch_prefix}objdump"
> >/dev/null 2>&1; then
> ++ elif ! command -v "@objdump@" >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing
> '${opt_arch_prefix}objdump' tool, please install it, usually it's in
> the binutils package"
> + else
> +- "${opt_arch_prefix}objdump" $objdump_options
> "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ &&
> $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ &&
> $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
> ++ "@objdump@" $objdump_options "$kernel" |
> @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/
> && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift
> @r if @r>3'; ret=$?
> + if [ "$ret" -eq 9 ]; then
> + pstatus green YES "mask_nospec64
> macro is present and used"
> + v1_mask_nospec="arm64 mask_nospec64"
> +@@ -3403,12 +3403,12 @@ check_CVE_2017_5753_linux()
> + pstatus yellow NO
> + elif [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN "couldn't check
> ($kernel_err)"
> +- elif ! command -v perl >/dev/null 2>&1; then
> ++ elif ! command -v @perl@ >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing 'perl'
> binary, please install it"
> +- elif ! command -v "${opt_arch_prefix}objdump"
> >/dev/null 2>&1; then
> ++ elif ! command -v "@objdump@" >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing
> '${opt_arch_prefix}objdump' tool, please install it, usually it's in
> the binutils package"
> + else
> +- "${opt_arch_prefix}objdump" -d "$kernel" |
> perl -ne 'push @r, $_; /\s(hint|csdb)\s/ &&
> $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ &&
> $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9);
> shift @r if @r>3'; ret=$?
> ++ "@objdump@" -d "$kernel" | @perl@ -ne 'push
> @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ &&
> $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9);
> shift @r if @r>3'; ret=$?
> + if [ "$ret" -eq 9 ]; then
> + pstatus green YES "array_index_nospec
> macro is present and used"
> + v1_mask_nospec="arm64
> array_index_nospec"
> +@@ -3424,7 +3424,7 @@ check_CVE_2017_5753_linux()
> + if [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN "couldn't
> check ($kernel_err)"
> + else
> +- if ! command -v
> "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
> ++ if ! command -v "@objdump@"
> >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN
> "missing '${opt_arch_prefix}objdump' tool, please install it, usually
> it's in the binutils package"
> + else
> + # here we disassemble the
> kernel and count the number of occurrences of the LFENCE opcode
> +@@ -3434,7 +3434,7 @@ check_CVE_2017_5753_linux()
> + # so let's push the threshold
> to 70.
> + # v0.33+: now only count
> lfence opcodes after a jump, way less error-prone
> + # non patched kernel have
> between 0 and 20 matches, patched ones have at least 40-45
> +-
> nb_lfence=$("${opt_arch_prefix}
> objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence
> | grep -Ewc 'jmp|jne|je')
> ++ nb_lfence=$("@objdump@"
> $objdump_options "$kernel" 2>/dev/null | @grep@ -w -B1 lfence |
> @grep@ -Ewc 'jmp|jne|je')
> + if [ "$nb_lfence" -lt 30 ];
> then
> + pstatus yellow NO
> "only $nb_lfence jump-then-lfence instructions found, should be >= 30
> (heuristic)"
> + else
> +@@ -3505,7 +3505,7 @@ check_CVE_2017_5715()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2017_5715_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2017_5715_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -3547,13 +3547,13 @@ check_CVE_2017_5715_linux()
> + #
> /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed
> + specex_knob_dir=$dir
> + ibrs_supported="$dir/ibrs_ena
> bled exists"
> +- ibrs_enabled=$(cat
> "$dir/ibrs_enabled" 2>/dev/null)
> ++ ibrs_enabled=$(@cat@
> "$dir/ibrs_enabled" 2>/dev/null)
> + _debug "ibrs: found
> $dir/ibrs_enabled=$ibrs_enabled"
> + # if ibrs_enabled is there,
> ibpb_enabled will be in the same dir
> + if [ -e "$dir/ibpb_enabled"
> ]; then
> + # if the file is
> there, we have IBPB compiled-in (see note above for IBRS)
> + ibpb_supported="$dir/
> ibpb_enabled exists"
> +- ibpb_enabled=$(cat
> "$dir/ibpb_enabled" 2>/dev/null)
> ++ ibpb_enabled=$(@cat@
> "$dir/ibpb_enabled" 2>/dev/null)
> + _debug "ibpb: found
> $dir/ibpb_enabled=$ibpb_enabled"
> + else
> + _debug "ibpb:
> $dir/ibpb_enabled file doesn't exist"
> +@@ -3568,7 +3568,7 @@ check_CVE_2017_5715_linux()
> + # which in that case means ibrs is supported
> *and* enabled for kernel & user
> + # as per the ibrs patch series v3
> + if [ -z "$ibrs_supported" ]; then
> +- if grep ^flags "$procfs/cpuinfo" |
> grep -qw spec_ctrl_ibrs; then
> ++ if @grep@ ^flags "$procfs/cpuinfo" |
> @grep@ -qw spec_ctrl_ibrs; then
> + _debug "ibrs: found
> spec_ctrl_ibrs flag in $procfs/cpuinfo"
> + ibrs_supported="spec_ctrl_ibr
> s flag in $procfs/cpuinfo"
> + # enabled=2 -> kernel & user
> +@@ -3578,13 +3578,13 @@ check_CVE_2017_5715_linux()
> + fi
> + if [ -n "$fullmsg" ]; then
> + # when IBPB is enabled on 4.15+, we
> can see it in sysfs
> +- if echo "$fullmsg" | grep -q 'IBPB';
> then
> ++ if echo "$fullmsg" | @grep@ -q
> 'IBPB'; then
> + _debug "ibpb: found enabled
> in sysfs"
> + [ -z "$ibpb_supported" ] &&
> ibpb_supported='IBPB found enabled in sysfs'
> + [ -z "$ibpb_enabled" ] &&
> ibpb_enabled=1
> + fi
> + # when IBRS_FW is enabled on 4.15+,
> we can see it in sysfs
> +- if echo "$fullmsg" | grep -q ',
> IBRS_FW'; then
> ++ if echo "$fullmsg" | @grep@ -q ',
> IBRS_FW'; then
> + _debug "ibrs: found IBRS_FW
> in sysfs"
> + [ -z "$ibrs_supported" ] &&
> ibrs_supported='found IBRS_FW in sysfs'
> + ibrs_fw_enabled=1
> +@@ -3592,13 +3592,13 @@ check_CVE_2017_5715_linux()
> + # when IBRS is enabled on 4.15+, we
> can see it in sysfs
> + # on a more recent kernel, classic
> "IBRS" is not even longer an option, because of the performance
> impact.
> + # only "Enhanced IBRS" is available
> (on CPUs with the IBRS_ALL flag)
> +- if echo "$fullmsg" | grep -q -e
> '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
> ++ if echo "$fullmsg" | @grep@ -q -e
> '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
> + _debug "ibrs: found IBRS in
> sysfs"
> + [ -z "$ibrs_supported" ] &&
> ibrs_supported='found IBRS in sysfs'
> + [ -z "$ibrs_enabled" ] &&
> ibrs_enabled=3
> + fi
> + # checking for 'Enhanced IBRS' in
> sysfs, enabled on CPUs with IBRS_ALL
> +- if echo "$fullmsg" | grep -q -e
> 'Enhanced IBRS'; then
> ++ if echo "$fullmsg" | @grep@ -q -e
> 'Enhanced IBRS'; then
> + [ -z "$ibrs_supported" ] &&
> ibrs_supported='found Enhanced IBRS in sysfs'
> + # 4 isn't actually a valid
> value of the now extinct "ibrs_enabled" flag file,
> + # that only went from 0 to 3,
> so we use 4 as "enhanced ibrs is enabled"
> +@@ -3617,11 +3617,11 @@ check_CVE_2017_5715_linux()
> + fi
> + fi
> + if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then
> +- if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++ if ! command -v "@strings@" >/dev/null 2>&1;
> then
> + :
> + else
> + ibrs_can_tell=1
> +-
> ibrs_supported=$("${opt_arch_prefix}str
> ings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1)
> ++ ibrs_supported=$("@strings@"
> "$kernel" | @grep@ -Fw -e ', IBRS_FW' | @head@ -1)
> + if [ -n "$ibrs_supported" ]; then
> + _debug "ibrs: found ibrs
> evidence in kernel image ($ibrs_supported)"
> + ibrs_supported="found
> '$ibrs_supported' in kernel image"
> +@@ -3630,7 +3630,7 @@ check_CVE_2017_5715_linux()
> + fi
> + if [ -z "$ibrs_supported" ] && [ -n "$opt_map" ];
> then
> + ibrs_can_tell=1
> +- if grep -q spec_ctrl "$opt_map"; then
> ++ if @grep@ -q spec_ctrl "$opt_map"; then
> + ibrs_supported="found spec_ctrl in
> symbols file"
> + _debug "ibrs: found '*spec_ctrl*'
> symbol in $opt_map"
> + fi
> +@@ -3638,11 +3638,11 @@ check_CVE_2017_5715_linux()
> + # recent (4.15) vanilla kernels have IBPB but not
> IBRS, and without the debugfs tunables of Red Hat
> + # we can detect it directly in the image
> + if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then
> +- if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++ if ! command -v "@strings@" >/dev/null 2>&1;
> then
> + :
> + else
> + ibpb_can_tell=1
> +-
> ibpb_supported=$("${opt_arch_prefix}str
> ings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1)
> ++ ibpb_supported=$("@strings@"
> "$kernel" | @grep@ -Fw -e 'ibpb' -e ', IBPB' | @head@ -1)
> + if [ -n "$ibpb_supported" ]; then
> + _debug "ibpb: found ibpb
> evidence in kernel image ($ibpb_supported)"
> + ibpb_supported="found
> '$ibpb_supported' in kernel image"
> +@@ -3691,9 +3691,9 @@ check_CVE_2017_5715_linux()
> + 2) if [
> "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel, user
> space, and firmware code" ; else pstatus green YES "for both kernel
> and user space"; fi;;
> + 3) if [
> "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and
> firmware code"; else pstatus green YES; fi;;
> + 4) pstatus green YES
> "Enhanced flavor, performance impact will be greatly reduced";;
> +- *) if [ "$cpuid_ibrs" !=
> 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [
> "$cpuid_spec_ctrl" != -1 ];
> +- then pstatus
> yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
> +- else
> ++ *) if [ "$cpuid_ibrs" !=
> 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [
> "$cpuid_spec_ctrl" != -1 ];
> ++ then pstatus
> yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
> ++ else
> + pstatus
> yellow UNKNOWN; fi;;
> + esac
> + fi
> +@@ -3744,7 +3744,7 @@ check_CVE_2017_5715_linux()
> + bp_harden=''
> + if [ -r "$opt_config" ]; then
> + bp_harden_can_tell=1
> +- bp_harden=$(grep -w
> 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
> ++ bp_harden=$(@grep@ -w
> 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
> + if [ -n "$bp_harden" ]; then
> + pstatus green YES
> + _debug "bp_harden: found '$bp_harden'
> in $opt_config"
> +@@ -3752,7 +3752,7 @@ check_CVE_2017_5715_linux()
> + fi
> + if [ -z "$bp_harden" ] && [ -n "$opt_map" ]; then
> + bp_harden_can_tell=1
> +- bp_harden=$(grep -w bp_hardening_data
> "$opt_map")
> ++ bp_harden=$(@grep@ -w bp_hardening_data
> "$opt_map")
> + if [ -n "$bp_harden" ]; then
> + pstatus green YES
> + _debug "bp_harden: found '$bp_harden'
> in $opt_map"
> +@@ -3770,11 +3770,11 @@ check_CVE_2017_5715_linux()
> + # We check the RETPOLINE kernel options
> + retpoline=0
> + if [ -r "$opt_config" ]; then
> +- if grep -q '^CONFIG_RETPOLINE=y'
> "$opt_config"; then
> ++ if @grep@ -q '^CONFIG_RETPOLINE=y'
> "$opt_config"; then
> + pstatus green YES
> + retpoline=1
> + # shellcheck disable=SC2046
> +- _debug 'retpoline: found '$(grep
> '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
> ++ _debug 'retpoline: found '$(@grep@
> '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
> + else
> + pstatus yellow NO
> + fi
> +@@ -3795,8 +3795,8 @@ check_CVE_2017_5715_linux()
> + # since 5.15.28, this is now "Retpolines" as
> the implementation was switched to a generic one,
> + # so we look for both "retpoline" and
> "retpolines"
> + if [ "$opt_live" = 1 ] && [ -n "$fullmsg" ];
> then
> +- if echo "$fullmsg" | grep -qwi -e
> retpoline -e retpolines; then
> +- if echo "$fullmsg" | grep -
> qwi minimal; then
> ++ if echo "$fullmsg" | @grep@ -qwi -e
> retpoline -e retpolines; then
> ++ if echo "$fullmsg" | @grep@ -
> qwi minimal; then
> + retpoline_compiler=0
> + retpoline_compiler_re
> ason="kernel reports minimal retpoline compilation"
> + else
> +@@ -3806,19 +3806,19 @@ check_CVE_2017_5715_linux()
> + fi
> + elif [ -n "$opt_map" ]; then
> + # look for the symbol
> +- if grep -qw noretpoline_setup
> "$opt_map"; then
> ++ if @grep@ -qw noretpoline_setup
> "$opt_map"; then
> + retpoline_compiler=1
> + retpoline_compiler_reason="no
> retpoline_setup symbol found in System.map"
> + fi
> + elif [ -n "$kernel" ]; then
> + # look for the symbol
> +- if command -v "${opt_arch_prefix}nm"
> >/dev/null 2>&1; then
> ++ if command -v "@nm@" >/dev/null 2>&1;
> then
> + # the proper way: use nm and
> look for the symbol
> +- if "${opt_arch_prefix}nm"
> "$kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then
> ++ if "@nm@" "$kernel"
> 2>/dev/null | @grep@ -qw 'noretpoline_setup'; then
> + retpoline_compiler=1
> + retpoline_compiler_re
> ason="noretpoline_setup found in kernel symbols"
> + fi
> +- elif grep -q noretpoline_setup
> "$kernel"; then
> ++ elif @grep@ -q noretpoline_setup
> "$kernel"; then
> + # if we don't have nm,
> nevermind, the symbol name is long enough to not have
> + # any false positive using
> good old grep directly on the binary
> + retpoline_compiler=1
> +@@ -3847,7 +3847,7 @@ check_CVE_2017_5715_linux()
> + retp_enabled=-1
> + if [ "$opt_live" = 1 ]; then
> + if [ -e "$specex_knob_dir/retp_enabled" ];
> then
> +- retp_enabled=$(cat
> "$specex_knob_dir/retp_enabled" 2>/dev/null)
> ++ retp_enabled=$(@cat@
> "$specex_knob_dir/retp_enabled" 2>/dev/null)
> + _debug "retpoline: found
> $specex_knob_dir/retp_enabled=$retp_enabled"
> + _info_nol " * Retpoline is
> enabled: "
> + if [ "$retp_enabled" = 1 ]; then
> +@@ -3877,7 +3877,7 @@ check_CVE_2017_5715_linux()
> + rsb_filling=0
> + if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs"
> != 1 ]; then
> + # if we're live and we aren't denied
> looking into /sys, let's do it
> +- if echo "$msg" | grep -qw RSB; then
> ++ if echo "$msg" | @grep@ -qw RSB; then
> + rsb_filling=1
> + pstatus green YES
> + fi
> +@@ -3886,7 +3886,7 @@ check_CVE_2017_5715_linux()
> + if [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN
> "couldn't check ($kernel_err)"
> + else
> +- if grep -qw -e 'Filling RSB
> on context switch' "$kernel"; then
> ++ if @grep@ -qw -e 'Filling RSB
> on context switch' "$kernel"; then
> + rsb_filling=1
> + pstatus green YES
> + else
> +@@ -4048,7 +4048,7 @@ check_CVE_2017_5715_bsd()
> + {
> + _info "* Mitigation 1"
> + _info_nol " * Kernel supports IBRS: "
> +- ibrs_disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null)
> ++ ibrs_disabled=$(@sysctl@ -n hw.ibrs_disable 2>/dev/null)
> + if [ -z "$ibrs_disabled" ]; then
> + pstatus yellow NO
> + else
> +@@ -4056,7 +4056,7 @@ check_CVE_2017_5715_bsd()
> + fi
> +
> + _info_nol " * IBRS enabled and active: "
> +- ibrs_active=$(sysctl -n hw.ibrs_active 2>/dev/null)
> ++ ibrs_active=$(@sysctl@ -n hw.ibrs_active 2>/dev/null)
> + if [ "$ibrs_active" = 1 ]; then
> + pstatus green YES
> + else
> +@@ -4069,10 +4069,10 @@ check_CVE_2017_5715_bsd()
> + if [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
> + else
> +- if ! command -v "${opt_arch_prefix}readelf"
> >/dev/null 2>&1; then
> ++ if ! command -v "@readelf@" >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing
> '${opt_arch_prefix}readelf' tool, please install it, usually it's in
> the binutils package"
> + else
> +- nb_thunks=$("${opt_arch_prefix}readelf" -s
> "$kernel" | grep -c -e __llvm_retpoline_ -e
> __llvm_external_retpoline_ -e __x86_indirect_thunk_)
> ++ nb_thunks=$("@readelf@" -s "$kernel" | @grep@
> -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e
> __x86_indirect_thunk_)
> + if [ "$nb_thunks" -gt 0 ]; then
> + retpoline=1
> + pstatus green YES "found $nb_thunks
> thunk(s)"
> +@@ -4113,7 +4113,7 @@ check_CVE_2017_5715_bsd()
> + pti_performance_check()
> + {
> + _info_nol " * Reduced performance impact of PTI: "
> +- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo"
> | grep -qw pcid; then
> ++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags
> "$procfs/cpuinfo" | @grep@ -qw pcid; then
> + cpu_pcid=1
> + else
> + read_cpuid 0x1 0x0 $ECX 17 1 1; ret=$?
> +@@ -4122,7 +4122,7 @@ pti_performance_check()
> + fi
> + fi
> +
> +- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo"
> | grep -qw invpcid; then
> ++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags
> "$procfs/cpuinfo" | @grep@ -qw invpcid; then
> + cpu_invpcid=1
> + else
> + read_cpuid 0x7 0x0 $EBX 10 1 1; ret=$?
> +@@ -4147,7 +4147,7 @@ check_CVE_2017_5754()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2017_5754_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2017_5754_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -4169,7 +4169,7 @@ check_CVE_2017_5754_linux()
> + kpti_can_tell=0
> + if [ -n "$opt_config" ]; then
> + kpti_can_tell=1
> +- kpti_support=$(grep -w -e
> CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e
> CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
> ++ kpti_support=$(@grep@ -w -e
> CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e
> CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
> + if [ -n "$kpti_support" ]; then
> + _debug "kpti_support: found option
> '$kpti_support' in $opt_config"
> + fi
> +@@ -4179,7 +4179,7 @@ check_CVE_2017_5754_linux()
> + # so we try to find an exported symbol that
> is part of the PTI patch in System.map
> + # parse_kpti: arm
> + kpti_can_tell=1
> +- kpti_support=$(grep -w -e kpti_force_enabled
> -e parse_kpti "$opt_map")
> ++ kpti_support=$(@grep@ -w -e
> kpti_force_enabled -e parse_kpti "$opt_map")
> + if [ -n "$kpti_support" ]; then
> + _debug "kpti_support: found
> '$kpti_support' in $opt_map"
> + fi
> +@@ -4189,10 +4189,10 @@ check_CVE_2017_5754_linux()
> + # nopti option that is part of the patch
> (kernel command line option)
> + # 'kpti=': arm
> + kpti_can_tell=1
> +- if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++ if ! command -v "@strings@" >/dev/null 2>&1;
> then
> + pstatus yellow UNKNOWN "missing
> '${opt_arch_prefix}strings' tool, please install it, usually it's in
> the binutils package"
> + else
> +-
> kpti_support=$("${opt_arch_prefix}strin
> gs" "$kernel" | grep -w -e nopti -e kpti=)
> ++ kpti_support=$("@strings@" "$kernel"
> | @grep@ -w -e nopti -e kpti=)
> + if [ -n "$kpti_support" ]; then
> + _debug "kpti_support: found
> '$kpti_support' in $kernel"
> + fi
> +@@ -4219,20 +4219,20 @@ check_CVE_2017_5754_linux()
> + dmesg_grep="$dmesg_grep|x86/pti: Unmapping
> kernel while in userspace"
> + # aarch64
> + dmesg_grep="$dmesg_grep|CPU features:
> detected( feature)?: Kernel page table isolation \(KPTI\)"
> +- if grep ^flags "$procfs/cpuinfo" | grep -qw
> pti; then
> ++ if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -
> qw pti; then
> + # vanilla PTI patch sets the 'pti'
> flag in cpuinfo
> + _debug "kpti_enabled: found 'pti'
> flag in $procfs/cpuinfo"
> + kpti_enabled=1
> +- elif grep ^flags "$procfs/cpuinfo" | grep -qw
> kaiser; then
> ++ elif @grep@ ^flags "$procfs/cpuinfo" | @grep@
> -qw kaiser; then
> + # kernel line 4.9 sets the 'kaiser'
> flag in cpuinfo
> + _debug "kpti_enabled: found 'kaiser'
> flag in $procfs/cpuinfo"
> + kpti_enabled=1
> + elif [ -e /sys/kernel/debug/x86/pti_enabled
> ]; then
> + # Red Hat Backport creates a
> dedicated file, see https://access.redhat.com/articles/3311301
> +- kpti_enabled=$(cat
> /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
> ++ kpti_enabled=$(@cat@
> /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
> + _debug "kpti_enabled: file
> /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled"
> + elif is_xen_dom0; then
> +- pti_xen_pv_domU=$(xl dmesg | grep
> 'XPTI' | grep 'DomU enabled' | head -1)
> ++ pti_xen_pv_domU=$(xl @dmesg@ | @grep@
> 'XPTI' | @grep@ 'DomU enabled' | @head@ -1)
> +
> + [ -n "$pti_xen_pv_domU" ] &&
> kpti_enabled=1
> + fi
> +@@ -4307,7 +4307,7 @@ check_CVE_2017_5754_linux()
> + if [ -n "$kpti_support" ]; then
> + if [ -e
> "/sys/kernel/debug/x86/pti_enabled" ]; then
> + explain "Your kernel
> supports PTI but it's disabled, you can enable it with \`echo 1 >
> /sys/kernel/debug/x86/pti_enabled\`"
> +- elif echo "$kernel_cmdline" |
> grep -q -w -e nopti -e pti=off; then
> ++ elif echo "$kernel_cmdline" |
> @grep@ -q -w -e nopti -e pti=off; then
> + explain "Your kernel
> supports PTI but it has been disabled on command-line, remove the
> nopti or pti=off option from your bootloader configuration"
> + else
> + explain "Your kernel
> supports PTI but it has been disabled, check \`dmesg\` right after
> boot to find clues why the system disabled it"
> +@@ -4358,7 +4358,7 @@ check_CVE_2017_5754_linux()
> + check_CVE_2017_5754_bsd()
> + {
> + _info_nol "* Kernel supports Page Table Isolation (PTI): "
> +- kpti_enabled=$(sysctl -n vm.pmap.pti 2>/dev/null)
> ++ kpti_enabled=$(@sysctl@ -n vm.pmap.pti 2>/dev/null)
> + if [ -z "$kpti_enabled" ]; then
> + pstatus yellow NO
> + else
> +@@ -4429,7 +4429,7 @@ check_CVE_2018_3639()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2018_3639_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2018_3639_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -4448,33 +4448,33 @@ check_CVE_2018_3639_linux()
> + if [ "$opt_sysfs_only" != 1 ]; then
> + _info_nol "* Kernel supports disabling speculative
> store bypass (SSB): "
> + if [ "$opt_live" = 1 ]; then
> +- if grep -Eq 'Speculation.?Store.?Bypass:'
> "$procfs/self/status" 2>/dev/null; then
> ++ if @grep@ -Eq 'Speculation.?Store.?Bypass:'
> "$procfs/self/status" 2>/dev/null; then
> + kernel_ssb="found in
> $procfs/self/status"
> + _debug "found
> Speculation.Store.Bypass: in $procfs/self/status"
> + fi
> + fi
> + # arm64 kernels can have cpu_show_spec_store_bypass
> with ARM64_SSBD, so exclude them
> +- if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! grep
> -q 'arm64_sys_' "$kernel"; then
> +- kernel_ssb=$("${opt_arch_prefix}strings"
> "$kernel" | grep spec_store_bypass | head -n1);
> ++ if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && !
> @grep@ -q 'arm64_sys_' "$kernel"; then
> ++ kernel_ssb=$("@strings@" "$kernel" | @grep@
> spec_store_bypass | @head@ -n1);
> + [ -n "$kernel_ssb" ] && kernel_ssb="found
> $kernel_ssb in kernel"
> + fi
> + # arm64 kernels can have cpu_show_spec_store_bypass
> with ARM64_SSBD, so exclude them
> +- if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && !
> grep -q 'arm64_sys_' "$opt_map"; then
> +- kernel_ssb=$(grep spec_store_bypass
> "$opt_map" | awk '{print $3}' | head -n1)
> ++ if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && !
> @grep@ -q 'arm64_sys_' "$opt_map"; then
> ++ kernel_ssb=$(@grep@ spec_store_bypass
> "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
> + [ -n "$kernel_ssb" ] && kernel_ssb="found
> $kernel_ssb in System.map"
> + fi
> + # arm64 only:
> + if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ]; then
> +- kernel_ssb=$(grep -w cpu_enable_ssbs
> "$opt_map" | awk '{print $3}' | head -n1)
> ++ kernel_ssb=$(@grep@ -w cpu_enable_ssbs
> "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
> + [ -n "$kernel_ssb" ] && kernel_ssb="found
> $kernel_ssb in System.map"
> + fi
> + if [ -z "$kernel_ssb" ] && [ -n "$opt_config" ]; then
> +- kernel_ssb=$(grep -w 'CONFIG_ARM64_SSBD=y'
> "$opt_config")
> ++ kernel_ssb=$(@grep@ -w 'CONFIG_ARM64_SSBD=y'
> "$opt_config")
> + [ -n "$kernel_ssb" ] &&
> kernel_ssb="CONFIG_ARM64_SSBD enabled in kconfig"
> + fi
> + if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then
> + # this string only appears in kernel if
> CONFIG_ARM64_SSBD is set
> +- kernel_ssb=$(grep -w "Speculative Store
> Bypassing Safe (SSBS)" "$kernel")
> ++ kernel_ssb=$(@grep@ -w "Speculative Store
> Bypassing Safe (SSBS)" "$kernel")
> + [ -n "$kernel_ssb" ] && kernel_ssb="found
> 'Speculative Store Bypassing Safe (SSBS)' in kernel"
> + fi
> + # /arm64 only
> +@@ -4489,31 +4489,31 @@ check_CVE_2018_3639_linux()
> + if [ "$opt_live" = 1 ]; then
> + #
> https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340
> + _info_nol "* SSB mitigation is enabled and
> active: "
> +- if grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status"
> 2>/dev/null; then
> ++ if @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status"
> 2>/dev/null; then
> + kernel_ssbd_enabled=1
> + pstatus green YES "per-thread through
> prctl"
> +- elif grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated'
> "$procfs/self/status" 2>/dev/null; then
> ++ elif @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated'
> "$procfs/self/status" 2>/dev/null; then
> + kernel_ssbd_enabled=2
> + pstatus green YES "global"
> +- elif grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable'
> "$procfs/self/status" 2>/dev/null; then
> ++ elif @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable'
> "$procfs/self/status" 2>/dev/null; then
> + kernel_ssbd_enabled=0
> + pstatus yellow NO
> +- elif grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable'
> "$procfs/self/status" 2>/dev/null; then
> ++ elif @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable'
> "$procfs/self/status" 2>/dev/null; then
> + kernel_ssbd_enabled=-2
> + pstatus blue NO "not vulnerable"
> +- elif grep -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+unknown'
> "$procfs/self/status" 2>/dev/null; then
> ++ elif @grep@ -Eq
> 'Speculation.?Store.?Bypass:[[:space:]]+unknown'
> "$procfs/self/status" 2>/dev/null; then
> + kernel_ssbd_enabled=0
> + pstatus blue NO
> + else
> +- pstatus blue UNKNOWN "unknown value:
> $(grep -E 'Speculation.?Store.?Bypass:' "$procfs/self/status"
> 2>/dev/null | cut -d: -f2-)"
> ++ pstatus blue UNKNOWN "unknown value:
> $(@grep@ -E 'Speculation.?Store.?Bypass:' "$procfs/self/status"
> 2>/dev/null | @cut@ -d: -f2-)"
> + fi
> +
> + if [ "$kernel_ssbd_enabled" = 1 ]; then
> + _info_nol "* SSB mitigation currently
> active for selected processes: "
> + # silence grep's stderr here to avoid
> ENOENT errors from processes that have exited since the shell's
> expansion of the *
> +- mitigated_processes=$(find /proc -
> mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
> +- | xargs -r0 grep -El
> 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated'
> 2>/dev/null \
> +- | sed s/status/exe/ | xargs -
> r -n1 readlink -f 2>/dev/null | xargs -r -n1 basename | sort -u | tr
> "\n" " " | sed 's/ $//')
> ++ mitigated_processes=$(@find@ /proc -
> mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
> ++ | @xargs@ -r0 @grep@ -El
> 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated'
> 2>/dev/null \
> ++ | @sed@ s/status/exe/ |
> @xargs@ -r -n1 readlink -f 2>/dev/null | @xargs@ -r -n1 @basename@ |
> @sort@ -u | @tr@ "\n" " " | @sed@ 's/ $//')
> + if [ -n "$mitigated_processes" ];
> then
> + pstatus green YES
> "$mitigated_processes"
> + else
> +@@ -4565,7 +4565,7 @@ check_CVE_2018_3639_linux()
> + check_CVE_2018_3639_bsd()
> + {
> + _info_nol "* Kernel supports speculation store bypass: "
> +- if sysctl hw.spec_store_bypass_disable >/dev/null 2>&1; then
> ++ if @sysctl@ hw.spec_store_bypass_disable >/dev/null 2>&1;
> then
> + kernel_ssb=1
> + pstatus green YES
> + else
> +@@ -4574,7 +4574,7 @@ check_CVE_2018_3639_bsd()
> + fi
> +
> + _info_nol "* Speculation store bypass is administratively
> enabled: "
> +- ssb_enabled=$(sysctl -n hw.spec_store_bypass_disable
> 2>/dev/null)
> ++ ssb_enabled=$(@sysctl@ -n hw.spec_store_bypass_disable
> 2>/dev/null)
> + _debug "hw.spec_store_bypass_disable=$ssb_enabled"
> + case "$ssb_enabled" in
> + 0) pstatus yellow NO "disabled";;
> +@@ -4584,7 +4584,7 @@ check_CVE_2018_3639_bsd()
> + esac
> +
> + _info_nol "* Speculation store bypass is currently active: "
> +- ssb_active=$(sysctl -n hw.spec_store_bypass_disable_active
> 2>/dev/null)
> ++ ssb_active=$(@sysctl@ -n hw.spec_store_bypass_disable_active
> 2>/dev/null)
> + _debug "hw.spec_store_bypass_disable_active=$ssb_active"
> + case "$ssb_active" in
> + 1) pstatus green YES;;
> +@@ -4656,7 +4656,7 @@ check_CVE_2018_3620()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2018_3620_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2018_3620_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -4674,14 +4674,14 @@ check_CVE_2018_3620_linux()
> + fi
> + if [ "$opt_sysfs_only" != 1 ]; then
> + _info_nol "* Kernel supports PTE inversion: "
> +- if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++ if ! command -v "@strings@" >/dev/null 2>&1; then
> + pstatus yellow UNKNOWN "missing 'strings'
> tool, please install it"
> + pteinv_supported=-1
> + elif [ -n "$kernel_err" ]; then
> + pstatus yellow UNKNOWN "$kernel_err"
> + pteinv_supported=-1
> + else
> +- if "${opt_arch_prefix}strings" "$kernel" |
> grep -Fq 'PTE Inversion'; then
> ++ if "@strings@" "$kernel" | @grep@ -Fq 'PTE
> Inversion'; then
> + pstatus green YES "found in kernel
> image"
> + _debug "pteinv: found pte inversion
> evidence in kernel image"
> + pteinv_supported=1
> +@@ -4694,7 +4694,7 @@ check_CVE_2018_3620_linux()
> + _info_nol "* PTE inversion enabled and active: "
> + if [ "$opt_live" = 1 ]; then
> + if [ -n "$fullmsg" ]; then
> +- if echo "$fullmsg" | grep -q
> 'Mitigation: PTE Inversion'; then
> ++ if echo "$fullmsg" | @grep@ -q
> 'Mitigation: PTE Inversion'; then
> + pstatus green YES
> + pteinv_active=1
> + else
> +@@ -4742,7 +4742,7 @@ check_CVE_2018_3620_bsd()
> + else
> + _debug "vmm module already loaded"
> + fi
> +- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
> ++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
> + #
> https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
> + # this is very difficult to detect that the kernel
> reserved the 0 page, but this fix
> + # is part of the exact same patch than the other L1TF
> CVE, so we detect it
> +@@ -4772,7 +4772,7 @@ check_CVE_2018_3646()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2018_3646_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2018_3646_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -4798,7 +4798,7 @@ check_CVE_2018_3646_linux()
> + if [ "$opt_live" = 1 ]; then
> + if ! [ -r
> /sys/module/kvm_intel/parameters/ept ]; then
> + pstatus blue N/A "the kvm_intel
> module is not loaded"
> +- elif [ "$(cat
> /sys/module/kvm_intel/parameters/ept)" = N ]; then
> ++ elif [ "$(@cat@
> /sys/module/kvm_intel/parameters/ept)" = N ]; then
> + pstatus green YES
> + ept_disabled=1
> + else
> +@@ -4810,15 +4810,15 @@ check_CVE_2018_3646_linux()
> +
> + _info "* Mitigation 2"
> + _info_nol " * L1D flush is supported by kernel: "
> +- if [ "$opt_live" = 1 ] && grep -qw flush_l1d
> "$procfs/cpuinfo"; then
> ++ if [ "$opt_live" = 1 ] && @grep@ -qw flush_l1d
> "$procfs/cpuinfo"; then
> + l1d_kernel="found flush_l1d in
> $procfs/cpuinfo"
> + fi
> + if [ -z "$l1d_kernel" ]; then
> +- if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++ if ! command -v "@strings@" >/dev/null 2>&1;
> then
> + l1d_kernel_err="missing
> '${opt_arch_prefix}strings' tool, please install it, usually it's in
> the binutils package"
> + elif [ -n "$kernel_err" ]; then
> + l1d_kernel_err="$kernel_err"
> +- elif "${opt_arch_prefix}strings" "$kernel" |
> grep -qw flush_l1d; then
> ++ elif "@strings@" "$kernel" | @grep@ -qw
> flush_l1d; then
> + l1d_kernel='found flush_l1d in kernel
> image'
> + fi
> + fi
> +@@ -4839,20 +4839,20 @@ check_CVE_2018_3646_linux()
> + # $l1dstatus is one of
> (auto|vulnerable|conditional cache flushes|cache flushes|EPT
> disabled|flush not necessary)
> + # $smtstatus is one of
> (vulnerable|disabled)
> + # can also just be "Not affected"
> +- if echo "$fullmsg" | grep -Eq -e 'Not
> affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not
> necessary)'; then
> ++ if echo "$fullmsg" | @grep@ -Eq -e
> 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not
> necessary)'; then
> + l1d_mode=0
> + pstatus yellow NO
> +- elif echo "$fullmsg" | grep -Eq
> '(VMX:|L1D) conditional cache flushes'; then
> ++ elif echo "$fullmsg" | @grep@ -Eq
> '(VMX:|L1D) conditional cache flushes'; then
> + l1d_mode=1
> + pstatus green YES
> "conditional flushes"
> +- elif echo "$fullmsg" | grep -Eq
> '(VMX:|L1D) cache flushes'; then
> ++ elif echo "$fullmsg" | @grep@ -Eq
> '(VMX:|L1D) cache flushes'; then
> + l1d_mode=2
> + pstatus green YES
> "unconditional flushes"
> + else
> + if is_xen_dom0; then
> +- l1d_xen_hardware=$(xl
> dmesg | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -1)
> +-
> l1d_xen_hypervisor=$(xl
> dmesg | grep 'Xen settings:' | grep 'L1D_FLUSH' | head -1)
> +- l1d_xen_pv_domU=$(xl
> dmesg | grep 'PV L1TF shadowing:' | grep 'DomU enabled' | head -1)
> ++ l1d_xen_hardware=$(xl
> @dmesg@ | @grep@ 'Hardware features:' | @grep@ 'L1D_FLUSH' | @head@ -
> 1)
> ++ l1d_xen_hypervisor=$(
> xl @dmesg@ | @grep@ 'Xen settings:' | @grep@ 'L1D_FLUSH' | @head@ -1)
> ++ l1d_xen_pv_domU=$(xl
> @dmesg@ | @grep@ 'PV L1TF shadowing:' | @grep@ 'DomU enabled' |
> @head@ -1)
> +
> + if [ -n
> "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n
> "$l1d_xen_pv_domU" ]; then
> + l1d_mode=5
> +@@ -4883,7 +4883,7 @@ check_CVE_2018_3646_linux()
> +
> + _info_nol " * Hardware-backed L1D flush supported: "
> + if [ "$opt_live" = 1 ]; then
> +- if grep -qw flush_l1d "$procfs/cpuinfo" || [
> -n "$l1d_xen_hardware" ]; then
> ++ if @grep@ -qw flush_l1d "$procfs/cpuinfo" ||
> [ -n "$l1d_xen_hardware" ]; then
> + pstatus green YES "performance impact
> of the mitigation will be greatly reduced"
> + else
> + pstatus blue NO "flush will be done
> in software, this is slower"
> +@@ -4955,7 +4955,7 @@ check_CVE_2018_3646_linux()
> + check_CVE_2018_3646_bsd()
> + {
> + _info_nol "* Kernel supports L1D flushing: "
> +- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
> ++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
> + pstatus green YES
> + kernel_l1d_supported=1
> + else
> +@@ -4964,7 +4964,7 @@ check_CVE_2018_3646_bsd()
> + fi
> +
> + _info_nol "* L1D flushing is enabled: "
> +- kernel_l1d_enabled=$(sysctl -n hw.vmm.vmx.l1d_flush
> 2>/dev/null)
> ++ kernel_l1d_enabled=$(@sysctl@ -n hw.vmm.vmx.l1d_flush
> 2>/dev/null)
> + case "$kernel_l1d_enabled" in
> + 0) pstatus yellow NO;;
> + 1) pstatus green YES;;
> +@@ -5018,7 +5018,7 @@ check_CVE_2018_12127()
> + ###################
> + # MDSUM SECTION
> +
> +-# Microarchitectural Data Sampling Uncacheable Memory
> ++# Microarchitectural Data Sampling Uncacheable Memory
> + check_CVE_2019_11091()
> + {
> + cve='CVE-2019-11091'
> +@@ -5032,7 +5032,7 @@ check_mds()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_mds_linux "$cve"
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_mds_bsd "$cve"
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -5043,7 +5043,7 @@ check_mds_bsd()
> + {
> + _info_nol "* Kernel supports using MD_CLEAR mitigation: "
> + if [ "$opt_live" = 1 ]; then
> +- if sysctl hw.mds_disable >/dev/null 2>&1; then
> ++ if @sysctl@ hw.mds_disable >/dev/null 2>&1; then
> + pstatus green YES
> + kernel_md_clear=1
> + else
> +@@ -5051,7 +5051,7 @@ check_mds_bsd()
> + kernel_md_clear=0
> + fi
> + else
> +- if grep -Fq hw.mds_disable $opt_kernel; then
> ++ if @grep@ -Fq hw.mds_disable $opt_kernel; then
> + pstatus green YES
> + kernel_md_clear=1
> + else
> +@@ -5061,8 +5061,8 @@ check_mds_bsd()
> + fi
> +
> + _info_nol "* CPU Hyper-Threading (SMT) is disabled: "
> +- if sysctl machdep.hyperthreading_allowed >/dev/null 2>&1;
> then
> +- kernel_smt_allowed=$(sysctl -n
> machdep.hyperthreading_allowed 2>/dev/null)
> ++ if @sysctl@ machdep.hyperthreading_allowed >/dev/null 2>&1;
> then
> ++ kernel_smt_allowed=$(@sysctl@ -n
> machdep.hyperthreading_allowed 2>/dev/null)
> + if [ "$kernel_smt_allowed" = 1 ]; then
> + pstatus yellow NO
> + else
> +@@ -5074,7 +5074,7 @@ check_mds_bsd()
> +
> + _info_nol "* Kernel mitigation is enabled: "
> + if [ "$kernel_md_clear" = 1 ]; then
> +- kernel_mds_enabled=$(sysctl -n hw.mds_disable
> 2>/dev/null)
> ++ kernel_mds_enabled=$(@sysctl@ -n hw.mds_disable
> 2>/dev/null)
> + else
> + kernel_mds_enabled=0
> + fi
> +@@ -5088,7 +5088,7 @@ check_mds_bsd()
> +
> + _info_nol "* Kernel mitigation is active: "
> + if [ "$kernel_md_clear" = 1 ]; then
> +- kernel_mds_state=$(sysctl -n hw.mds_disable_state
> 2>/dev/null)
> ++ kernel_mds_state=$(@sysctl@ -n hw.mds_disable_state
> 2>/dev/null)
> + else
> + kernel_mds_state=inactive
> + fi
> +@@ -5146,16 +5146,16 @@ check_mds_linux()
> + _info_nol "* Kernel supports using MD_CLEAR
> mitigation: "
> + kernel_md_clear=''
> + kernel_md_clear_can_tell=1
> +- if [ "$opt_live" = 1 ] && grep ^flags
> "$procfs/cpuinfo" | grep -qw md_clear; then
> ++ if [ "$opt_live" = 1 ] && @grep@ ^flags
> "$procfs/cpuinfo" | @grep@ -qw md_clear; then
> + kernel_md_clear="md_clear found in
> $procfs/cpuinfo"
> + pstatus green YES "$kernel_md_clear"
> + fi
> + if [ -z "$kernel_md_clear" ]; then
> +- if ! command -v "${opt_arch_prefix}strings"
> >/dev/null 2>&1; then
> ++ if ! command -v "@strings@" >/dev/null 2>&1;
> then
> + kernel_md_clear_can_tell=0
> + elif [ -n "$kernel_err" ]; then
> + kernel_md_clear_can_tell=0
> +- elif "${opt_arch_prefix}strings" "$kernel" |
> grep -q 'Clear CPU buffers'; then
> ++ elif "@strings@" "$kernel" | @grep@ -q 'Clear
> CPU buffers'; then
> + _debug "md_clear: found 'Clear CPU
> buffers' string in kernel image"
> + kernel_md_clear='found md_clear
> implementation evidence in kernel image'
> + pstatus green YES "$kernel_md_clear"
> +@@ -5171,7 +5171,7 @@ check_mds_linux()
> +
> + if [ "$opt_live" = 1 ] && [
> "$sys_interface_available" = 1 ]; then
> + _info_nol "* Kernel mitigation is enabled and
> active: "
> +- if echo "$fullmsg" | grep -qi ^mitigation;
> then
> ++ if echo "$fullmsg" | @grep@ -qi ^mitigation;
> then
> + mds_mitigated=1
> + pstatus green YES
> + else
> +@@ -5179,7 +5179,7 @@ check_mds_linux()
> + pstatus yellow NO
> + fi
> + _info_nol "* SMT is either mitigated or
> disabled: "
> +- if echo "$fullmsg" | grep -Eq 'SMT
> (disabled|mitigated)'; then
> ++ if echo "$fullmsg" | @grep@ -Eq 'SMT
> (disabled|mitigated)'; then
> + mds_smt_mitigated=1
> + pstatus green YES
> + else
> +@@ -5265,7 +5265,7 @@ check_CVE_2019_11135()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2019_11135_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2019_11135_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -5286,7 +5286,7 @@ check_CVE_2019_11135_linux()
> + kernel_taa=''
> + if [ -n "$kernel_err" ]; then
> + kernel_taa_err="$kernel_err"
> +- elif grep -q 'tsx_async_abort' "$kernel"; then
> ++ elif @grep@ -q 'tsx_async_abort' "$kernel"; then
> + kernel_taa="found tsx_async_abort in kernel
> image"
> + fi
> + if [ -n "$kernel_taa" ]; then
> +@@ -5300,7 +5300,7 @@ check_CVE_2019_11135_linux()
> + _info_nol "* TAA mitigation enabled and active: "
> + if [ "$opt_live" = 1 ]; then
> + if [ -n "$fullmsg" ]; then
> +- if echo "$fullmsg" | grep -qE
> '^Mitigation'; then
> ++ if echo "$fullmsg" | @grep@ -qE
> '^Mitigation'; then
> + pstatus green YES "$fullmsg"
> + else
> + pstatus yellow NO
> +@@ -5335,9 +5335,9 @@ check_CVE_2019_11135_linux()
> + else
> + if [ "$opt_paranoid" = 1 ]; then
> + # in paranoid mode, TSX or SMT enabled are
> not OK, even if TAA is mitigated
> +- if ! echo "$fullmsg" | grep -qF 'TSX
> disabled'; then
> ++ if ! echo "$fullmsg" | @grep@ -qF 'TSX
> disabled'; then
> + pvulnstatus $cve VULN "TSX must be
> disabled for full mitigation"
> +- elif echo "$fullmsg" | grep -qF 'SMT
> vulnerable'; then
> ++ elif echo "$fullmsg" | @grep@ -qF 'SMT
> vulnerable'; then
> + pvulnstatus $cve VULN "SMT
> (HyperThreading) must be disabled for full mitigation"
> + else
> + pvulnstatus $cve "$status" "$msg"
> +@@ -5367,7 +5367,7 @@ check_CVE_2018_12207()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2018_12207_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2018_12207_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -5391,7 +5391,7 @@ check_CVE_2018_12207_linux()
> + if [ -n "$kernel_err" ]; then
> + kernel_itlbmh_err="$kernel_err"
> + # commit 5219505fcbb640e273a0d51c19c38de0100ec5a9
> +- elif grep -q 'itlb_multihit' "$kernel"; then
> ++ elif @grep@ -q 'itlb_multihit' "$kernel"; then
> + kernel_itlbmh="found itlb_multihit in kernel
> image"
> + fi
> + if [ -n "$kernel_itlbmh" ]; then
> +@@ -5405,7 +5405,7 @@ check_CVE_2018_12207_linux()
> + _info_nol "* iTLB Multihit mitigation enabled and
> active: "
> + if [ "$opt_live" = 1 ]; then
> + if [ -n "$fullmsg" ]; then
> +- if echo "$fullmsg" | grep -qF
> 'Mitigation'; then
> ++ if echo "$fullmsg" | @grep@ -qF
> 'Mitigation'; then
> + pstatus green YES "$fullmsg"
> + else
> + pstatus yellow NO
> +@@ -5447,7 +5447,7 @@ check_CVE_2018_12207_linux()
> + check_CVE_2018_12207_bsd()
> + {
> + _info_nol "* Kernel supports disabling superpages for
> executable mappings under EPT: "
> +- kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept
> 2>/dev/null)
> ++ kernel_2m_x_ept=$(@sysctl@ -n vm.pmap.allow_2m_x_ept
> 2>/dev/null)
> + if [ -z "$kernel_2m_x_ept" ]; then
> + pstatus yellow NO
> + else
> +@@ -5484,7 +5484,7 @@ check_CVE_2020_0543()
> + _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
> + if [ "$os" = Linux ]; then
> + check_CVE_2020_0543_linux
> +- elif echo "$os" | grep -q BSD; then
> ++ elif echo "$os" | @grep@ -q BSD; then
> + check_CVE_2020_0543_bsd
> + else
> + _warn "Unsupported OS ($os)"
> +@@ -5505,7 +5505,7 @@ check_CVE_2020_0543_linux()
> + kernel_srbds=''
> + if [ -n "$kernel_err" ]; then
> + kernel_srbds_err="$kernel_err"
> +- elif grep -q 'Dependent on hypervisor' "$kernel";
> then
> ++ elif @grep@ -q 'Dependent on hypervisor' "$kernel";
> then
> + kernel_srbds="found SRBDS implementation
> evidence in kernel image. Your kernel is up to date for SRBDS
> mitigation"
> + fi
> + if [ -n "$kernel_srbds" ]; then
> +@@ -5518,7 +5518,7 @@ check_CVE_2020_0543_linux()
> + _info_nol "* SRBDS mitigation control is enabled and
> active: "
> + if [ "$opt_live" = 1 ]; then
> + if [ -n "$fullmsg" ]; then
> +- if echo "$fullmsg" | grep -qE
> '^Mitigation'; then
> ++ if echo "$fullmsg" | @grep@ -qE
> '^Mitigation'; then
> + pstatus green YES "$fullmsg"
> + else
> + pstatus yellow NO
> +@@ -5608,8 +5608,8 @@ fi
> + # now run the checks the user asked for
> + for cve in $supported_cve_list
> + do
> +- if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | grep -qw
> "$cve"; then
> +- check_"$(echo "$cve" | tr - _)"
> ++ if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | @grep@ -
> qw "$cve"; then
> ++ check_"$(echo "$cve" | @tr@ - _)"
> + _info
> + fi
> + done
> +@@ -5623,17 +5623,17 @@ if [ "$bad_accuracy" = 1 ]; then
> + _warn "We're missing some kernel info (see -v), accuracy
> might be reduced"
> + fi
> +
> +-_vars=$(set | grep -Ev '^[A-Z_[:space:]]' | grep -v -F 'mockme=' |
> sort | tr "\n" '|')
> ++_vars=$(set | @grep@ -Ev '^[A-Z_[:space:]]' | @grep@ -v -F
> 'mockme=' | @sort@ | @tr@ "\n" '|')
> + _debug "variables at end of script: $_vars"
> +
> + if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
> +- if command -v "gzip" >/dev/null 2>&1; then
> ++ if command -v "@gzip@" >/dev/null 2>&1; then
> + # not a useless use of cat: gzipping cpuinfo directly
> doesn't work well
> + # shellcheck disable=SC2002
> +- if command -v "base64" >/dev/null 2>&1; then
> +- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c |
> base64 -w0)"
> +- elif command -v "uuencode" >/dev/null 2>&1; then
> +- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c |
> uuencode -m - | grep -Fv 'begin-base64' | grep -Fxv -- '====' | tr -d
> "\n")"
> ++ if command -v "@base64@" >/dev/null 2>&1; then
> ++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@
> -c | @base64@ -w0)"
> ++ elif command -v "@uuencode@" >/dev/null 2>&1; then
> ++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@
> -c | @uuencode@ -m - | @grep@ -Fv 'begin-base64' | @grep@ -Fxv --
> '====' | @tr@ -d "\n")"
> + fi
> + fi
> + if [ -n "$mock_cpuinfo" ]; then
> +@@ -5642,7 +5642,7 @@ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ];
> then
> + fi
> + _info ""
> + # shellcheck disable=SC2046
> +- _warn "To mock this CPU, set those vars: "$(echo "$mockme" |
> sort -u)
> ++ _warn "To mock this CPU, set those vars: "$(echo "$mockme" |
> @sort@ -u)
> + fi
> +
> + if [ "$opt_explain" = 0 ]; then
> +--
> +2.38.1
> +
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-
> guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-
> checker-support-guix-system-kernel.patch
> new file mode 100644
> index 0000000000..afec52b418
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-
> system-kernel.patch
> @@ -0,0 +1,26 @@
> +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako <at> ultrarare.space>
> +Date: Sat, 5 Nov 2022 23:22:31 +0800
> +Subject: [PATCH] Add support for Guix System kernel.
> +
> +---
> + spectre-meltdown-checker.sh | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 248a444..855a090 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
> + [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> + # NixOS:
> + [ -e "/run/booted-system/kernel" ] &&
> opt_kernel="/run/booted-system/kernel"
> ++ # Guix System:
> ++ [ -e "/run/booted-system/kernel/bzImage" ] &&
> opt_kernel="/run/booted-system/kernel/bzImage"
> + # systemd kernel-install:
> + [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux"
> + # Clear Linux:
> +
> +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
> +--
> +2.38.0
>
> base-commit: 2757de2e2b271d87f6f72ba4161c2225fbdc9e78
> --
> 2.38.1
Cheers
guix-patches <at> gnu.org:bug#59053; Package guix-patches.
(Sun, 13 Nov 2022 13:11:02 GMT) Full text and rfc822 format available.Message #39 received at 59053 <at> debbugs.gnu.org (full text, mbox):
From: Hilton Chain <hako <at> ultrarare.space> To: Liliana Marie Prikler <liliana.prikler <at> gmail.com> Cc: 59053 <at> debbugs.gnu.org Subject: [PATCH v5] gnu: Add spectre-meltdown-checker. Date: Sun, 13 Nov 2022 21:09:15 +0800
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
v4 -> v5: No more an extra patch for substitution.
gnu/local.mk | 2 +
gnu/packages/linux.scm | 130 ++++++++++
...ker-remove-builtin-firmware-database.patch | 243 ++++++++++++++++++
...n-checker-support-guix-system-kernel.patch | 26 ++
4 files changed, 401 insertions(+)
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index e3e02314bb..1e85790983 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1857,6 +1857,8 @@ dist_patch_DATA = \
%D%/packages/patches/syslinux-strip-gnu-property.patch \
%D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \
%D%/packages/patches/snappy-add-inline-for-GCC.patch \
+ %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \
+ %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
%D%/packages/patches/sphinxbase-fix-doxygen.patch \
%D%/packages/patches/spice-vdagent-glib-2.68.patch \
%D%/packages/patches/sssd-optional-systemd.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index fea33dfa0b..03b7ce46b0 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9595,3 +9595,133 @@ (define-public edac-utils
error detection and correction (EDAC).")
(home-page "https://github.com/grondo/edac-utils")
(license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+ (package
+ (name "spectre-meltdown-checker")
+ (version "0.45")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (patches
+ (search-patches
+ "spectre-meltdown-checker-remove-builtin-firmware-database.patch"
+ ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+ "spectre-meltdown-checker-support-guix-system-kernel.patch"))
+ ;; Remove builtin firmware database.
+ (modules '((guix build utils)))
+ (snippet '(substitute* "spectre-meltdown-checker.sh"
+ (("^# [AI],.*") "")))
+ (sha256
+ (base32
+ "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+ (build-system copy-build-system)
+ (arguments
+ (list
+ #:install-plan
+ #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'fixpath
+ (lambda* (#:key inputs #:allow-other-keys)
+ (define* (find-command inputs cmd #:optional (bin "bin")
+ #:key (prefix "") (suffix ""))
+ (string-append
+ prefix (search-input-file inputs (string-append bin "/" cmd))
+ suffix))
+ (substitute* "spectre-meltdown-checker.sh"
+ ;; ${opt_arch_prefix}CMD
+ (((string-append
+ "\\$\\{opt_arch_prefix\\}"
+ "\\<(nm|objdump|readelf|strings)\\>") all cmd)
+ (find-command inputs cmd))
+
+ ;; dd
+ (("(dd)( if=)" all cmd suffix)
+ (find-command inputs cmd #:suffix suffix))
+
+ ;; Commands safe to substitute directly.
+ (((string-append "\\<(" (string-join
+ (list "awk"
+ "basename"
+ "dirname"
+ "bunzip2"
+ "gunzip"
+ "gzip"
+ "lz4"
+ "lzop"
+ "modprobe"
+ "pgrep"
+ "rmmod"
+ "umount"
+ "unlzma"
+ "unxz"
+ "unzstd"
+ "uuencode")
+ "|")
+ ")\\>") all cmd)
+ (find-command inputs cmd))
+
+ ;; Search by suffix.
+ ;; CMD -
+ ;; CMD ^
+ (((string-append "\\<(" (string-join
+ (list "base64"
+ "cut"
+ "grep"
+ "head"
+ "id"
+ "mount"
+ "mktemp"
+ "od"
+ "perl"
+ "rm"
+ "uname"
+ "xargs")
+ "|")
+ ")\\>( [-^])") all cmd suffix)
+ (find-command inputs cmd #:suffix suffix))
+ ;; CMD |
+ (("(dmesg)( \\|)" all cmd suffix)
+ (find-command inputs cmd #:suffix suffix))
+
+ ;; Then prefix
+ ;; | CMD
+ (("(\\| )\\<(grep|sed|sort|stat|tr)\\>" all prefix cmd)
+ (find-command inputs cmd #:prefix prefix))
+ ;; $(CMD
+ (("(\\$\\( *)(sysctl)" all prefix cmd)
+ (find-command inputs cmd "sbin" #:prefix prefix))
+ (("(\\$\\()\\<(cat|find|grep|mount|nproc|stat|tr)\\>" all prefix cmd)
+ (find-command inputs cmd #:prefix prefix))
+ ;; if CMD
+ (("(if )(sysctl)" all prefix cmd)
+ (find-command inputs cmd "sbin" #:prefix prefix))
+ ;; command -v CMD
+ (("(command -v) \"*\\<(base64|nproc|perl|printf)\\>\"*" all prefix cmd)
+ (find-command inputs cmd #:prefix prefix))
+
+ ;; Cats are mysterious...
+ ;; cat <<EOF
+ (("(cat)( <<EOF)" all cmd suffix)
+ (find-command inputs cmd #:suffix suffix))
+ ;; cat "$
+ (("(cat)(\"\\$)" all cmd suffix)
+ (find-command inputs cmd #:suffix suffix))
+ ;; 'cat'
+ (("(')(cat)(')" all prefix cmd suffix)
+ (find-command inputs cmd #:prefix prefix #:suffix suffix))
+ ;; "cat"
+ (("(\")(cat)(\")" all prefix cmd suffix)
+ (find-command inputs cmd #:prefix prefix #:suffix suffix))))))))
+ (inputs (list kmod lz4 lzop perl procps sharutils util-linux zstd))
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (synopsis "CPU vulnerability / mitigation checker")
+ (description
+ "This package provides a shell script to assess your system's resilience
+against the several transient execution CVEs that were published since early
+2018, and give you guidance as to how to mitigate them.")
+ (license license:gpl3)))
diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
new file mode 100644
index 0000000000..809763cf4f
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
@@ -0,0 +1,243 @@
+From 340b08737e552c3c186863d76d123808d853a159 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako <at> ultrarare.space>
+Date: Sat, 12 Nov 2022 22:45:24 +0800
+Subject: [PATCH] Remove builtin firmware database.
+
+1. Remove downloading function.
+2. Add option for supplying a local database.
+---
+ spectre-meltdown-checker.sh | 180 +++---------------------------------
+ 1 file changed, 15 insertions(+), 165 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 30f760c..ce46970 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -22,8 +22,6 @@ exit_cleanup()
+ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
+ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp"
+ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2"
+- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm -f "$mcedb_tmp"
+- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm -rf "$intel_tmp"
+ [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
+ [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null
+ [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
+@@ -93,9 +91,7 @@ show_usage()
+ --vmm [auto,yes,no] override the detection of the presence of a hypervisor, default: auto
+ --allow-msr-write allow probing for write-only MSRs, this might produce kernel logs or be blocked by your system
+ --cpu [#,all] interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
+- --update-fwdb update our local copy of the CPU microcodes versions database (using the awesome
+- MCExtractor project and the Intel firmwares GitHub repository)
+- --update-builtin-fwdb same as --update-fwdb but update builtin DB inside the script itself
++ --with-fwdb FILE supply the CPU microcodes versions database
+ --dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script
+
+ Return codes:
+@@ -837,147 +833,6 @@ show_header()
+ _info
+ }
+
+-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
+-mcedb_cache="$HOME/.mcedb"
+-update_fwdb()
+-{
+- show_header
+-
+- set -e
+-
+- if [ -r "$mcedb_cache" ]; then
+- previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+- fi
+-
+- # first, download the MCE.db from the excellent platomav's MCExtractor project
+- mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
+- mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+- _info_nol "Fetching MCE.db from the MCExtractor project... "
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
+- curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+- elif command -v fetch >/dev/null 2>&1; then
+- fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+- else
+- echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
+- return 1
+- fi
+- if [ "$ret" != 0 ]; then
+- echo ERROR "error $ret while downloading MCE.db"
+- return $ret
+- fi
+- echo DONE
+-
+- # second, get the Intel firmwares from GitHub
+- intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
+- intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+- _info_nol "Fetching Intel firmwares... "
+- ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
+- curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+- elif command -v fetch >/dev/null 2>&1; then
+- fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+- else
+- echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
+- return 1
+- fi
+- if [ "$ret" != 0 ]; then
+- echo ERROR "error $ret while downloading Intel firmwares"
+- return $ret
+- fi
+- echo DONE
+-
+- # now extract MCEdb contents using sqlite
+- _info_nol "Extracting MCEdb data... "
+- if ! command -v sqlite3 >/dev/null 2>&1; then
+- echo ERROR "please install the \`sqlite3\` program"
+- return 1
+- fi
+- mcedb_revision=$(sqlite3 "$mcedb_tmp" "select revision from MCE")
+- if [ -z "$mcedb_revision" ]; then
+- echo ERROR "downloaded file seems invalid"
+- return 1
+- fi
+- sqlite3 "$mcedb_tmp" "alter table Intel add column origin text"
+- sqlite3 "$mcedb_tmp" "update Intel set origin='mce'"
+-
+- echo OK "MCExtractor database revision $mcedb_revision"
+-
+- # parse Intel firmwares to get their versions
+- _info_nol "Integrating Intel firmwares data to db... "
+- if ! command -v unzip >/dev/null 2>&1; then
+- echo ERROR "please install the \`unzip\` program"
+- return 1
+- fi
+- ( cd "$intel_tmp" && unzip fw.zip >/dev/null; )
+- if ! [ -d "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" ]; then
+- echo ERROR "expected the 'intel-ucode' folder in the downloaded zip file"
+- return 1
+- fi
+-
+- if ! command -v iucode_tool >/dev/null 2>&1; then
+- if ! command -v iucode-tool >/dev/null 2>&1; then
+- echo ERROR "please install the \`iucode-tool\` program"
+- return 1
+- else
+- iucode_tool="iucode-tool"
+- fi
+- else
+- iucode_tool="iucode_tool"
+- fi
+- # 079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev 0x0217, size 5120
+- # 078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev 0x0107, size 5120
+- $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
+- do
+- _line=$( echo "$_line" | tr -d ',')
+- _cpuid=$( echo "$_line" | awk '{print $3}')
+- _cpuid=$(( _cpuid ))
+- _cpuid=$(printf "0x%08X" "$_cpuid")
+- _date=$( echo "$_line" | awk '{print $6}' | tr -d '-')
+- _version=$(echo "$_line" | awk '{print $8}')
+- _version=$(( _version ))
+- _version=$(printf "0x%08X" "$_version")
+- _sqlstm="$(printf "INSERT INTO Intel (origin,cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")"
+- sqlite3 "$mcedb_tmp" "$_sqlstm"
+- done
+- _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
+- if [ -n "$_intel_timestamp" ]; then
+- # use this date, it matches the last commit date
+- _intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp")
+- else
+- echo "Falling back to the latest microcode date"
+- _intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT yyyymmdd from Intel WHERE origin = 'intel' ORDER BY yyyymmdd DESC LIMIT 1;")
+- fi
+- echo DONE "(version $_intel_latest_date)"
+-
+- dbversion="$mcedb_revision+i$_intel_latest_date"
+-
+- if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [ "$previous_dbversion" = "v$dbversion" ]; then
+- echo "We already have this version locally, no update needed"
+- return 0
+- fi
+-
+- _info_nol "Building local database... "
+- {
+- echo "# Spectre & Meltdown Checker";
+- echo "# %%% MCEDB v$dbversion";
+- sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+- sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+- } > "$mcedb_cache"
+- echo DONE "(version $dbversion)"
+-
+- if [ "$1" = builtin ]; then
+- newfile=$(mktemp -t smc-builtin-XXXXXX)
+- awk '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+- awk '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+- cat "$newfile" > "$0"
+- rm -f "$newfile"
+- fi
+-}
+-
+ parse_opt_file()
+ {
+ # parse_opt_file option_name option_value
+@@ -1067,12 +922,15 @@ while [ -n "${1:-}" ]; do
+ # deprecated, kept for compatibility
+ opt_explain=0
+ shift
+- elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then
+- update_fwdb
+- exit $?
+- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
+- update_fwdb builtin
+- exit $?
++ elif [ "$1" = "--with-fwdb" ] || [ "$1" = "--with-mcedb" ]; then
++ opt_fwdb=$2
++ if [ -f "$opt_fwdb" ]; then
++ mcedb_cache=$2
++ else
++ echo "$0: error: --with-fwdb should be a file, got '$opt_fwdb'" >&2
++ exit 255
++ fi
++ shift 2
+ elif [ "$1" = "--dump-mock-data" ]; then
+ opt_mock=1
+ shift
+@@ -2033,21 +1891,11 @@ is_xen_domU()
+ fi
+ }
+
+-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ # we have a local cache file, but it might be older than the builtin version we have
+ local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+- # sort -V sorts by version number
+- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | sort -V | head -n1)
+- if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+- mcedb_source="$mcedb_cache"
+- mcedb_info="local firmwares DB $local_dbversion"
+- fi
+-fi
+-# if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db
+-if [ -z "${mcedb_source:-}" ]; then
+- mcedb_source="$0"
+- mcedb_info="builtin firmwares DB $builtin_dbversion"
++ mcedb_source="$mcedb_cache"
++ mcedb_info="local firmwares DB $local_dbversion"
+ fi
+ read_mcedb()
+ {
+@@ -2063,7 +1911,9 @@ is_latest_known_ucode()
+ return 2
+ fi
+ ucode_latest="latest microcode version for your CPU model is unknown"
+- if is_intel; then
++ if [ -z "$mcedb_source" ]; then
++ return 2
++ elif is_intel; then
+ cpu_brand_prefix=I
+ elif is_amd; then
+ cpu_brand_prefix=A
+--
+2.38.1
+
diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
new file mode 100644
index 0000000000..afec52b418
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
@@ -0,0 +1,26 @@
+From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako <at> ultrarare.space>
+Date: Sat, 5 Nov 2022 23:22:31 +0800
+Subject: [PATCH] Add support for Guix System kernel.
+
+---
+ spectre-meltdown-checker.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 248a444..855a090 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
+ [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
+ # NixOS:
+ [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
++ # Guix System:
++ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ # systemd kernel-install:
+ [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
+ # Clear Linux:
+
+base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
+--
+2.38.0
base-commit: 80d10fa413cf43439f9ab94b6f69fe68811156da
--
2.38.1
Liliana Marie Prikler <liliana.prikler <at> gmail.com>:Hilton Chain <hako <at> ultrarare.space>:Message #44 received at 59053-done <at> debbugs.gnu.org (full text, mbox):
From: Liliana Marie Prikler <liliana.prikler <at> gmail.com> To: Hilton Chain <hako <at> ultrarare.space> Cc: 59053-done <at> debbugs.gnu.org Subject: Re: [PATCH v5] gnu: Add spectre-meltdown-checker. Date: Sun, 13 Nov 2022 23:02:06 +0100
Am Sonntag, dem 13.11.2022 um 21:09 +0800 schrieb Hilton Chain:
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch:
> New file.
> * gnu/local.mk (dist_patch_DATA): Add patches.
I renamed the patches for the ChangeLog, slightly rewrote their
explanations, ...
> gnu/local.mk | 2 +
> gnu/packages/linux.scm | 130 ++++++++++
> ...ker-remove-builtin-firmware-database.patch | 243
> ++++++++++++++++++
> ...n-checker-support-guix-system-kernel.patch | 26 ++
> 4 files changed, 401 insertions(+)
> create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> remove-builtin-firmware-database.patch
> create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index e3e02314bb..1e85790983 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1857,6 +1857,8 @@ dist_patch_DATA
> = \
> %D%/packages/patches/syslinux-strip-gnu-property.patch \
> %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch \
> %D%/packages/patches/snappy-add-inline-for-GCC.patch \
> + %D%/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch \
> + %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
> %D%/packages/patches/sphinxbase-fix-doxygen.patch \
> %D%/packages/patches/spice-vdagent-glib-2.68.patch \
> %D%/packages/patches/sssd-optional-systemd.patch \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index fea33dfa0b..03b7ce46b0 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9595,3 +9595,133 @@ (define-public edac-utils
> error detection and correction (EDAC).")
> (home-page "https://github.com/grondo/edac-utils")
> (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> + (package
> + (name "spectre-meltdown-checker")
> + (version "0.45")
> + (source (origin
> + (method git-fetch)
> + (uri (git-reference
> + (url
> "https://github.com/speed47/spectre-meltdown-checker")
> + (commit (string-append "v" version))))
> + (file-name (git-file-name name version))
> + (patches
> + (search-patches
> + "spectre-meltdown-checker-remove-builtin-firmware-
> database.patch"
> + ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> + "spectre-meltdown-checker-support-guix-system-
> kernel.patch"))
> + ;; Remove builtin firmware database.
> + (modules '((guix build utils)))
> + (snippet '(substitute* "spectre-meltdown-checker.sh"
> + (("^# [AI],.*") "")))
> + (sha256
> + (base32
> +
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> + (build-system copy-build-system)
> + (arguments
> + (list
> + #:install-plan
> + #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> + #:phases
> + #~(modify-phases %standard-phases
> + (add-after 'unpack 'fixpath
> + (lambda* (#:key inputs #:allow-other-keys)
> + (define* (find-command inputs cmd #:optional (bin
> "bin")
> + #:key (prefix "") (suffix ""))
> + (string-append
> + prefix (search-input-file inputs (string-append bin
> "/" cmd))
> + suffix))
> + (substitute* "spectre-meltdown-checker.sh"
> + ;; ${opt_arch_prefix}CMD
> + (((string-append
> + "\\$\\{opt_arch_prefix\\}"
> + "\\<(nm|objdump|readelf|strings)\\>") all cmd)
> + (find-command inputs cmd))
> +
> + ;; dd
> + (("(dd)( if=)" all cmd suffix)
> + (find-command inputs cmd #:suffix suffix))
> +
> + ;; Commands safe to substitute directly.
> + (((string-append "\\<(" (string-join
> + (list "awk"
> + "basename"
> + "dirname"
> + "bunzip2"
> + "gunzip"
> + "gzip"
> + "lz4"
> + "lzop"
> + "modprobe"
> + "pgrep"
> + "rmmod"
> + "umount"
> + "unlzma"
> + "unxz"
> + "unzstd"
> + "uuencode")
> + "|")
> + ")\\>") all cmd)
replaced these "clever" tricks with dumber ones,
> + (find-command inputs cmd))
> +
> + ;; Search by suffix.
> + ;; CMD -
> + ;; CMD ^
> + (((string-append "\\<(" (string-join
> + (list "base64"
> + "cut"
> + "grep"
> + "head"
> + "id"
> + "mount"
> + "mktemp"
> + "od"
> + "perl"
> + "rm"
> + "uname"
> + "xargs")
> + "|")
> + ")\\>( [-^])") all cmd suffix)
> + (find-command inputs cmd #:suffix suffix))
> + ;; CMD |
> + (("(dmesg)( \\|)" all cmd suffix)
> + (find-command inputs cmd #:suffix suffix))
> +
> + ;; Then prefix
> + ;; | CMD
> + (("(\\| )\\<(grep|sed|sort|stat|tr)\\>" all prefix
> cmd)
> + (find-command inputs cmd #:prefix prefix))
> + ;; $(CMD
> + (("(\\$\\( *)(sysctl)" all prefix cmd)
> + (find-command inputs cmd "sbin" #:prefix prefix))
> +
> (("(\\$\\()\\<(cat|find|grep|mount|nproc|stat|tr)\\>" all prefix cmd)
> + (find-command inputs cmd #:prefix prefix))
> + ;; if CMD
> + (("(if )(sysctl)" all prefix cmd)
> + (find-command inputs cmd "sbin" #:prefix prefix))
> + ;; command -v CMD
> + (("(command -v)
> \"*\\<(base64|nproc|perl|printf)\\>\"*" all prefix cmd)
> + (find-command inputs cmd #:prefix prefix))
> +
> + ;; Cats are mysterious...
> + ;; cat <<EOF
> + (("(cat)( <<EOF)" all cmd suffix)
> + (find-command inputs cmd #:suffix suffix))
> + ;; cat "$
> + (("(cat)(\"\\$)" all cmd suffix)
> + (find-command inputs cmd #:suffix suffix))
> + ;; 'cat'
> + (("(')(cat)(')" all prefix cmd suffix)
> + (find-command inputs cmd #:prefix prefix #:suffix
> suffix))
> + ;; "cat"
> + (("(\")(cat)(\")" all prefix cmd suffix)
> + (find-command inputs cmd #:prefix prefix #:suffix
> suffix))))))))
> + (inputs (list kmod lz4 lzop perl procps sharutils util-linux
> zstd))
> + (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> + (synopsis "CPU vulnerability / mitigation checker")
> + (description
> + "This package provides a shell script to assess your system's
> resilience
> +against the several transient execution CVEs that were published
> since early
> +2018, and give you guidance as to how to mitigate them.")
> + (license license:gpl3)))
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-
> builtin-firmware-database.patch b/gnu/packages/patches/spectre-
> meltdown-checker-remove-builtin-firmware-database.patch
> new file mode 100644
> index 0000000000..809763cf4f
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch
> @@ -0,0 +1,243 @@
> +From 340b08737e552c3c186863d76d123808d853a159 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako <at> ultrarare.space>
> +Date: Sat, 12 Nov 2022 22:45:24 +0800
> +Subject: [PATCH] Remove builtin firmware database.
> +
> +1. Remove downloading function.
> +2. Add option for supplying a local database.
> +---
> + spectre-meltdown-checker.sh | 180 +++------------------------------
> ---
> + 1 file changed, 15 insertions(+), 165 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 30f760c..ce46970 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -22,8 +22,6 @@ exit_cleanup()
> + [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm
> -f "$dumped_config"
> + [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm
> -f "$kerneltmp"
> + [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm
> -f "$kerneltmp2"
> +- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm
> -f "$mcedb_tmp"
> +- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm
> -rf "$intel_tmp"
> + [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug
> 2>/dev/null
> + [ "${mounted_procfs:-}" = 1 ] && umount "$procfs"
> 2>/dev/null
> + [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
> +@@ -93,9 +91,7 @@ show_usage()
> + --vmm [auto,yes,no] override the detection of the
> presence of a hypervisor, default: auto
> + --allow-msr-write allow probing for write-only
> MSRs, this might produce kernel logs or be blocked by your system
> + --cpu [#,all] interact with CPUID and MSR
> of CPU core number #, or all (default: CPU core 0)
> +- --update-fwdb update our local copy of the
> CPU microcodes versions database (using the awesome
> +- MCExtractor project and the
> Intel firmwares GitHub repository)
> +- --update-builtin-fwdb same as --update-fwdb but
> update builtin DB inside the script itself
> ++ --with-fwdb FILE supply the CPU microcodes
> versions database
and added a note regarding the (lack of) freedom for proprietary
microcode.
I also added your name and email to the authors of linux.scm, since
this was a very non-trivial package.
Cheers
Liliana Marie Prikler <liliana.prikler <at> gmail.com>:phodina <phodina <at> protonmail.com>:Debbugs Internal Request <help-debbugs <at> gnu.org>
to internal_control <at> debbugs.gnu.org.
(Mon, 12 Dec 2022 12:24:12 GMT) Full text and rfc822 format available.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.