Package: guix-patches;
Reported by: Hilton Chain <hako <at> ultrarare.space>
Date: Sat, 5 Nov 2022 15:59:02 UTC
Severity: normal
Tags: moreinfo, patch
Merged with 49898
Done: Liliana Marie Prikler <liliana.prikler <at> gmail.com>
Bug is archived. No further changes may be made.
From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Liliana Marie Prikler <liliana.prikler <at> gmail.com>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#49898: closed ([PATCH] gnu: Add spectre-meltdown-checker.)
Date: Sun, 13 Nov 2022 22:03:02 +0000
[Message part 1 (text/plain, inline)]
Your message dated Sun, 13 Nov 2022 23:02:06 +0100 with message-id <ac1b13e0eb9516094b3fb543d91265e6fd48154f.camel <at> gmail.com> and subject line Re: [PATCH v5] gnu: Add spectre-meltdown-checker. has caused the debbugs.gnu.org bug report #59053, regarding [PATCH] gnu: Add spectre-meltdown-checker. to be marked as done.

(If you believe you have received this mail in error, please contact help-debbugs <at> gnu.org.)

--
59053: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=59053
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: phodina <phodina <at> protonmail.com> To: "guix-patches <at> gnu.org" <guix-patches <at> gnu.org> Subject: [PATCH] gnu: Add spectre-meltdown-checker. Date: Thu, 05 Aug 2021 17:00:59 +0000* gnu/packages/linux.scm (spectre-meltdown-checker): New variable. diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 4ca2a386e1..f89f6f259e 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -53,6 +53,7 @@ ;;; Copyright © 2020 pukkamustard <pukkamustard <at> posteo.net> ;;; Copyright © 2021 B. Wilson <elaexuotee <at> wilsonb.com> ;;; Copyright © 2021 Ivan Gankevich <i.gankevich <at> spbu.ru> +;;; Copyright © 2021 Petr Hodina <phodina <at> protonmail.com> ;;; ;;; This file is part of GNU Guix. ;;; @@ -148,6 +149,7 @@ #:use-module (guix build-system cmake) #:use-module (guix build-system gnu) #:use-module (guix build-system go) + #:use-module (guix build-system copy) #:use-module (guix build-system meson) #:use-module (guix build-system python) #:use-module (guix build-system trivial) 
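Review bot: the new `#:use-module (guix build-system copy)` line in the second hunk breaks the alphabetical order of the build-system imports; it is inserted between `go` and `meson`, while `copy` sorts between `cmake` and `gnu`. Move it up so the block reads `cmake`, `copy`, `gnu`, `go`, `meson`, `python`, `trivial`.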
@@ -7191,6 +7193,44 @@ interfaces in parallel environments.") (supported-systems '("i686-linux" "x86_64-linux")) (license (list license:bsd-2 license:gpl2)))) ;dual +(define-public spectre-meltdown-checker +(package + (name "spectre-meltdown-checker") + (version "v0.44") + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/speed47/spectre-meltdown-checker") + (commit version))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam")))) + (build-system copy-build-system) + (inputs `(("util-linux" ,util-linux) + ("binutils" ,binutils))) + (synopsis "Spectre, Meltdown ... vulnerability/mitigation checker") + (description "A shell script to assess your system's resilience against +the several transient execution CVEs that were published since early 2018, +and give you guidance as to how to mitigate them. +@enumerate +@item Bounds Check Bypass +@item Branch Target Injection +@item Rogue Data Cache Load +@item Rogue System Register Read +@item Speculative Store Bypass +@item L1 Terminal Fault (SGX, OS, VMM) +@item Microarchitectural Store Buffer Data Sampling +@item Microarchitectural Fill Buffer Data Sampling +@item Microarchitectural Load Port Data Sampling +@item Microarchitectural Data Sampling Uncacheable Memory +@item TSX asynchronous abort +@item Machine Mheck Exception on Page Size Changes +@item Special Register Buffer Data Sampling +@end enumerate") + (home-page "https://github.com/speed47/spectre-meltdown-checker") + (license license:gpl3))) + (define-public snapscreenshot (package (name "snapscreenshot") -- 2.32.0
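Review bot: the package hunk uses `copy-build-system` without an `#:install-plan`, so the default plan copies the whole checkout to the output root and `spectre-meltdown-checker.sh` never lands as an executable under `bin/`; add something like `#:install-plan '(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))`. Related: `util-linux` and `binutils` are listed as inputs but nothing references them, so the installed script would still resolve `dd`, `objdump`, `nm` and friends from whatever PATH root happens to have at run time rather than from the store; either patch the store paths into the script or drop the unused inputs, and prefer the `(list util-linux binutils)` style over the old labelled alist. Two smaller points: `(version "v0.44")` with `(commit version)` should be `(version "0.44")` plus `(commit (string-append "v" version))` so version comparisons and `guix refresh` behave, and the description should be full sentences ("This package provides a shell script ...") and fix the typo "Machine Mheck Exception" (Machine Check Exception).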
[Message part 3 (message/rfc822, inline)]
From: Liliana Marie Prikler <liliana.prikler <at> gmail.com> To: Hilton Chain <hako <at> ultrarare.space> Cc: 59053-done <at> debbugs.gnu.org Subject: Re: [PATCH v5] gnu: Add spectre-meltdown-checker. Date: Sun, 13 Nov 2022 23:02:06 +0100Am Sonntag, dem 13.11.2022 um 21:09 +0800 schrieb Hilton Chain: > * gnu/packages/linux.scm (spectre-meltdown-checker): New variable. > * gnu/packages/patches/spectre-meltdown-checker-support-guix-system- > kernel.patch: > New file. > * gnu/packages/patches/spectre-meltdown-checker-remove-builtin- > firmware-database.patch: > New file. > * gnu/local.mk (dist_patch_DATA): Add patches. I renamed the patches for the ChangeLog, slightly rewrote their explanations, ... > gnu/local.mk | 2 + > gnu/packages/linux.scm | 130 ++++++++++ > ...ker-remove-builtin-firmware-database.patch | 243 > ++++++++++++++++++ > ...n-checker-support-guix-system-kernel.patch | 26 ++ > 4 files changed, 401 insertions(+) > create mode 100644 gnu/packages/patches/spectre-meltdown-checker- > remove-builtin-firmware-database.patch > create mode 100644 gnu/packages/patches/spectre-meltdown-checker- > support-guix-system-kernel.patch > > diff --git a/gnu/local.mk b/gnu/local.mk > index e3e02314bb..1e85790983 100644 > --- a/gnu/local.mk > +++ b/gnu/local.mk > @@ -1857,6 +1857,8 @@ dist_patch_DATA > = \ > %D%/packages/patches/syslinux-strip-gnu-property.patch \ > %D%/packages/patches/snappy-add-O2-flag-in- > CmakeLists.txt.patch \ > %D%/packages/patches/snappy-add-inline-for-GCC.patch \ > + %D%/packages/patches/spectre-meltdown-checker-remove-builtin- > firmware-database.patch \ > + %D%/packages/patches/spectre-meltdown-checker-support-guix-system- > kernel.patch \ > %D%/packages/patches/sphinxbase-fix-doxygen.patch \ > %D%/packages/patches/spice-vdagent-glib-2.68.patch \ > %D%/packages/patches/sssd-optional-systemd.patch \ > diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm > index fea33dfa0b..03b7ce46b0 100644 > --- a/gnu/packages/linux.scm 
> +++ b/gnu/packages/linux.scm 
> @@ -9595,3 +9595,133 @@ (define-public edac-utils > error detection and correction (EDAC).") > (home-page "https://github.com/grondo/edac-utils") > (license license:gpl2+))) > + > +(define-public spectre-meltdown-checker > + (package > + (name "spectre-meltdown-checker") > + (version "0.45") > + (source (origin > + (method git-fetch) > + (uri (git-reference > + (url > "https://github.com/speed47/spectre-meltdown-checker") > + (commit (string-append "v" version)))) > + (file-name (git-file-name name version)) > + (patches > + (search-patches > + "spectre-meltdown-checker-remove-builtin-firmware- > database.patch" > + ;; > https://github.com/speed47/spectre-meltdown-checker/pull/441 > + "spectre-meltdown-checker-support-guix-system- > kernel.patch")) > + ;; Remove builtin firmware database. > + (modules '((guix build utils))) > + (snippet '(substitute* "spectre-meltdown-checker.sh" > + (("^# [AI],.*") ""))) > + (sha256 > + (base32 > + > "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8")))) > + (build-system copy-build-system) > + (arguments > + (list > + #:install-plan > + #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown- > checker")) > + #:phases > + #~(modify-phases %standard-phases > + (add-after 'unpack 'fixpath > + (lambda* (#:key inputs #:allow-other-keys) > + (define* (find-command inputs cmd #:optional (bin > "bin") > + #:key (prefix "") (suffix "")) > + (string-append > + prefix (search-input-file inputs (string-append bin > "/" cmd)) > + suffix)) > + (substitute* "spectre-meltdown-checker.sh" > + ;; ${opt_arch_prefix}CMD > + (((string-append > + "\\$\\{opt_arch_prefix\\}" > + "\\<(nm|objdump|readelf|strings)\\>") all cmd) > + (find-command inputs cmd)) > + > + ;; dd > + (("(dd)( if=)" all cmd suffix) > + (find-command inputs cmd #:suffix suffix)) > + > + ;; Commands safe to substitute directly. 
> + (((string-append "\\<(" (string-join > + (list "awk" > + "basename" > + "dirname" > + "bunzip2" > + "gunzip" > + "gzip" > + "lz4" > + "lzop" > + "modprobe" > + "pgrep" > + "rmmod" > + "umount" > + "unlzma" > + "unxz" > + "unzstd" > + "uuencode") > + "|") > + ")\\>") all cmd) replaced these "clever" tricks with dumber ones, > + (find-command inputs cmd)) > + > + ;; Search by suffix. > + ;; CMD - > + ;; CMD ^ > + (((string-append "\\<(" (string-join > + (list "base64" > + "cut" > + "grep" > + "head" > + "id" > + "mount" > + "mktemp" > + "od" > + "perl" > + "rm" > + "uname" > + "xargs") > + "|") > + ")\\>( [-^])") all cmd suffix) > + (find-command inputs cmd #:suffix suffix)) > + ;; CMD | > + (("(dmesg)( \\|)" all cmd suffix) > + (find-command inputs cmd #:suffix suffix)) > + > + ;; Then prefix > + ;; | CMD > + (("(\\| )\\<(grep|sed|sort|stat|tr)\\>" all prefix > cmd) > + (find-command inputs cmd #:prefix prefix)) > + ;; $(CMD > + (("(\\$\\( *)(sysctl)" all prefix cmd) > + (find-command inputs cmd "sbin" #:prefix prefix)) > + > (("(\\$\\()\\<(cat|find|grep|mount|nproc|stat|tr)\\>" all prefix cmd) > + (find-command inputs cmd #:prefix prefix)) > + ;; if CMD > + (("(if )(sysctl)" all prefix cmd) > + (find-command inputs cmd "sbin" #:prefix prefix)) > + ;; command -v CMD > + (("(command -v) > \"*\\<(base64|nproc|perl|printf)\\>\"*" all prefix cmd) > + (find-command inputs cmd #:prefix prefix)) > + > + ;; Cats are mysterious... 
> + ;; cat <<EOF > + (("(cat)( <<EOF)" all cmd suffix) > + (find-command inputs cmd #:suffix suffix)) > + ;; cat "$ > + (("(cat)(\"\\$)" all cmd suffix) > + (find-command inputs cmd #:suffix suffix)) > + ;; 'cat' > + (("(')(cat)(')" all prefix cmd suffix) > + (find-command inputs cmd #:prefix prefix #:suffix > suffix)) > + ;; "cat" > + (("(\")(cat)(\")" all prefix cmd suffix) > + (find-command inputs cmd #:prefix prefix #:suffix > suffix)))))))) > + (inputs (list kmod lz4 lzop perl procps sharutils util-linux > zstd)) > + (home-page > "https://github.com/speed47/spectre-meltdown-checker") > + (synopsis "CPU vulnerability / mitigation checker") > + (description > + "This package provides a shell script to assess your system's > resilience > +against the several transient execution CVEs that were published > since early > +2018, and give you guidance as to how to mitigate them.") > + (license license:gpl3))) > diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove- > builtin-firmware-database.patch b/gnu/packages/patches/spectre- > meltdown-checker-remove-builtin-firmware-database.patch > new file mode 100644 > index 0000000000..809763cf4f > --- /dev/null > +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin- > firmware-database.patch 
> @@ -0,0 +1,243 @@ > +From 340b08737e552c3c186863d76d123808d853a159 Mon Sep 17 00:00:00 > 2001 > +From: Hilton Chain <hako <at> ultrarare.space> > +Date: Sat, 12 Nov 2022 22:45:24 +0800 > +Subject: [PATCH] Remove builtin firmware database. > + > +1. Remove downloading function. > +2. Add option for supplying a local database. > +--- > + spectre-meltdown-checker.sh | 180 +++------------------------------ > --- > + 1 file changed, 15 insertions(+), 165 deletions(-) > + > +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown- > checker.sh > +index 30f760c..ce46970 100755 > +--- a/spectre-meltdown-checker.sh > ++++ b/spectre-meltdown-checker.sh > +@@ -22,8 +22,6 @@ exit_cleanup() > + [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm > -f "$dumped_config" > + [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm > -f "$kerneltmp" > + [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm > -f "$kerneltmp2" > +- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm > -f "$mcedb_tmp" > +- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm > -rf "$intel_tmp" > + [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug > 2>/dev/null > + [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" > 2>/dev/null > + [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null > +@@ -93,9 +91,7 @@ show_usage() > + --vmm [auto,yes,no] override the detection of the > presence of a hypervisor, default: auto > + --allow-msr-write allow probing for write-only > MSRs, this might produce kernel logs or be blocked by your system > + --cpu [#,all] interact with CPUID and MSR > of CPU core number #, or all (default: CPU core 0) > +- --update-fwdb update our local copy of the > CPU microcodes versions database (using the awesome > +- MCExtractor project and the > Intel firmwares GitHub repository) > +- --update-builtin-fwdb same as --update-fwdb but > update builtin DB inside the script itself > ++ --with-fwdb FILE supply the CPU microcodes > versions database and added a note 
regarding the (lack of) freedom for proprietary microcode. I also added your name and email to the authors of linux.scm, since this was a very non-trivial package. Cheers
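Review bot: in the linux.scm hunk, the "Commands safe to substitute directly" pattern (`\\<(awk|basename|...|uuencode)\\>`) and the suffix variants (`( [-^])`, `( \\|)`) are word-boundary matches with no surrounding context, so they also rewrite those names where they occur in comments and in quoted messages of `spectre-meltdown-checker.sh`; the build still succeeds, but any diagnostic that mentions one of these tool names will print a /gnu/store path. Consider anchoring those rules to a leading `^[[:space:]]*`, `$(` or `| ` context, as the later "prefix" rules already do. Using `search-input-file` is the right call since it fails the build rather than silently leaving a bare name: every tool the script shells out to must then be in `inputs` (kmod for modprobe/rmmod, procps for pgrep/sysctl, sharutils for uuencode, lz4/lzop/zstd for the decompressors, util-linux for mount/umount/dmesg), which is exactly what the v1 submission lacked. Two nits: the `;; Remove builtin firmware database.` comment on the snippet should say it strips the `# A,`/`# I,` data lines so that whoever updates the package keeps the snippet and the remove-builtin-firmware-database patch in sync, and the phase name `'fixpath` would be clearer in the usual hyphenated form, e.g. `'patch-command-paths`.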
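Review bot: in the spectre-meltdown-checker-remove-builtin-firmware-database.patch hunk, the new `--with-fwdb FILE` help line ("supply the CPU microcodes versions database") should say which format is expected (the database the removed `--update-fwdb` path used to build from MCExtractor and the Intel firmware repository) and what the script does when the option is absent, since the builtin copy is gone too and the microcode-version check then has nothing to compare against; the option handler should also check that FILE exists and is readable before using it, as the file now comes from the user rather than from the script itself. Dropping the `mcedb_tmp` and `intel_tmp` lines from `exit_cleanup` is consistent with removing the download code.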