--- Begin Message ---
Subject: |
[PATCH] gnu: Add spectre-meltdown-checker. |
Date: |
Thu, 05 Aug 2021 17:00:59 +0000 |
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 4ca2a386e1..f89f6f259e 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -53,6 +53,7 @@
;;; Copyright © 2020 pukkamustard <pukkamustard@posteo.net>
;;; Copyright © 2021 B. Wilson <elaexuotee@wilsonb.com>
;;; Copyright © 2021 Ivan Gankevich <i.gankevich@spbu.ru>
+;;; Copyright © 2021 Petr Hodina <phodina@protonmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -148,6 +149,7 @@
#:use-module (guix build-system cmake)
#:use-module (guix build-system gnu)
#:use-module (guix build-system go)
+ #:use-module (guix build-system copy)
#:use-module (guix build-system meson)
#:use-module (guix build-system python)
#:use-module (guix build-system trivial)
@@ -7191,6 +7193,44 @@ interfaces in parallel environments.")
(supported-systems '("i686-linux" "x86_64-linux"))
(license (list license:bsd-2 license:gpl2)))) ;dual
+(define-public spectre-meltdown-checker
+(package
+ (name "spectre-meltdown-checker")
+ (version "v0.44")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit version)))
+ (file-name (git-file-name name version))
+ (sha256
+ (base32
+ "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam"))))
+ (build-system copy-build-system)
+ (inputs `(("util-linux" ,util-linux)
+ ("binutils" ,binutils)))
+ (synopsis "Spectre, Meltdown ... vulnerability/mitigation checker")
+ (description "A shell script to assess your system's resilience against
+the several transient execution CVEs that were published since early 2018,
+and give you guidance as to how to mitigate them.
+@enumerate
+@item Bounds Check Bypass
+@item Branch Target Injection
+@item Rogue Data Cache Load
+@item Rogue System Register Read
+@item Speculative Store Bypass
+@item L1 Terminal Fault (SGX, OS, VMM)
+@item Microarchitectural Store Buffer Data Sampling
+@item Microarchitectural Fill Buffer Data Sampling
+@item Microarchitectural Load Port Data Sampling
+@item Microarchitectural Data Sampling Uncacheable Memory
+@item TSX asynchronous abort
+@item Machine Mheck Exception on Page Size Changes
+@item Special Register Buffer Data Sampling
+@end enumerate")
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (license license:gpl3)))
+
(define-public snapscreenshot
(package
(name "snapscreenshot")
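Review bot: The version field carries the git tag prefix, `(version "v0.44")`, which Guix packages avoid because the version string is used for ordering and for file names; the usual form is `(version "0.44")` with `(commit (string-append "v" version))`. The copy-build-system is used without an `#:install-plan`, so the script is presumably installed under its source file name at the output root rather than as a command; an explicit plan such as `#:install-plan '(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))` would make the installed command name definite. `util-linux` and `binutils` are listed as inputs, but nothing in the package references their store paths, so the installed script will still resolve `dmesg`, `objdump` and the other tools from the user's PATH at run time, which defeats the purpose of listing them. The description needs a full first sentence for `guix lint` and has a typo, `Machine Mheck Exception`, which should read `Machine Check Exception`. Note also that the upstream script keeps its `--update-fwdb` option, which fetches a microcode database over the network at run time; a later revision of this patch removes that, and this revision should at least document it.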
--
2.32.0
--- End Message ---
--- Begin Message ---
Subject: |
Re: [PATCH v5] gnu: Add spectre-meltdown-checker. |
Date: |
Sun, 13 Nov 2022 23:02:06 +0100 |
Am Sonntag, dem 13.11.2022 um 21:09 +0800 schrieb Hilton Chain:
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch:
> New file.
> * gnu/local.mk (dist_patch_DATA): Add patches.
I renamed the patches for the ChangeLog, slightly rewrote their
explanations, ...
> gnu/local.mk | 2 +
> gnu/packages/linux.scm | 130 ++++++++++
> ...ker-remove-builtin-firmware-database.patch | 243
> ++++++++++++++++++
> ...n-checker-support-guix-system-kernel.patch | 26 ++
> 4 files changed, 401 insertions(+)
> create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> remove-builtin-firmware-database.patch
> create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index e3e02314bb..1e85790983 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1857,6 +1857,8 @@ dist_patch_DATA
> = \
> %D%/packages/patches/syslinux-strip-gnu-property.patch \
> %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch \
> %D%/packages/patches/snappy-add-inline-for-GCC.patch \
> + %D%/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch \
> + %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
> %D%/packages/patches/sphinxbase-fix-doxygen.patch \
> %D%/packages/patches/spice-vdagent-glib-2.68.patch \
> %D%/packages/patches/sssd-optional-systemd.patch \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index fea33dfa0b..03b7ce46b0 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9595,3 +9595,133 @@ (define-public edac-utils
> error detection and correction (EDAC).")
> (home-page "https://github.com/grondo/edac-utils")
> (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> + (package
> + (name "spectre-meltdown-checker")
> + (version "0.45")
> + (source (origin
> + (method git-fetch)
> + (uri (git-reference
> + (url
> "https://github.com/speed47/spectre-meltdown-checker")
> + (commit (string-append "v" version))))
> + (file-name (git-file-name name version))
> + (patches
> + (search-patches
> + "spectre-meltdown-checker-remove-builtin-firmware-
> database.patch"
> + ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> + "spectre-meltdown-checker-support-guix-system-
> kernel.patch"))
> + ;; Remove builtin firmware database.
> + (modules '((guix build utils)))
> + (snippet '(substitute* "spectre-meltdown-checker.sh"
> + (("^# [AI],.*") "")))
> + (sha256
> + (base32
> +
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> + (build-system copy-build-system)
> + (arguments
> + (list
> + #:install-plan
> + #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> + #:phases
> + #~(modify-phases %standard-phases
> + (add-after 'unpack 'fixpath
> + (lambda* (#:key inputs #:allow-other-keys)
> + (define* (find-command inputs cmd #:optional (bin
> "bin")
> + #:key (prefix "") (suffix ""))
> + (string-append
> + prefix (search-input-file inputs (string-append bin
> "/" cmd))
> + suffix))
> + (substitute* "spectre-meltdown-checker.sh"
> + ;; ${opt_arch_prefix}CMD
> + (((string-append
> + "\\$\\{opt_arch_prefix\\}"
> + "\\<(nm|objdump|readelf|strings)\\>") all cmd)
> + (find-command inputs cmd))
> +
> + ;; dd
> + (("(dd)( if=)" all cmd suffix)
> + (find-command inputs cmd #:suffix suffix))
> +
> + ;; Commands safe to substitute directly.
> + (((string-append "\\<(" (string-join
> + (list "awk"
> + "basename"
> + "dirname"
> + "bunzip2"
> + "gunzip"
> + "gzip"
> + "lz4"
> + "lzop"
> + "modprobe"
> + "pgrep"
> + "rmmod"
> + "umount"
> + "unlzma"
> + "unxz"
> + "unzstd"
> + "uuencode")
> + "|")
> + ")\\>") all cmd)
replaced these "clever" tricks with dumber ones,
> + (find-command inputs cmd))
> +
> + ;; Search by suffix.
> + ;; CMD -
> + ;; CMD ^
> + (((string-append "\\<(" (string-join
> + (list "base64"
> + "cut"
> + "grep"
> + "head"
> + "id"
> + "mount"
> + "mktemp"
> + "od"
> + "perl"
> + "rm"
> + "uname"
> + "xargs")
> + "|")
> + ")\\>( [-^])") all cmd suffix)
> + (find-command inputs cmd #:suffix suffix))
> + ;; CMD |
> + (("(dmesg)( \\|)" all cmd suffix)
> + (find-command inputs cmd #:suffix suffix))
> +
> + ;; Then prefix
> + ;; | CMD
> + (("(\\| )\\<(grep|sed|sort|stat|tr)\\>" all prefix
> cmd)
> + (find-command inputs cmd #:prefix prefix))
> + ;; $(CMD
> + (("(\\$\\( *)(sysctl)" all prefix cmd)
> + (find-command inputs cmd "sbin" #:prefix prefix))
> +
> (("(\\$\\()\\<(cat|find|grep|mount|nproc|stat|tr)\\>" all prefix cmd)
> + (find-command inputs cmd #:prefix prefix))
> + ;; if CMD
> + (("(if )(sysctl)" all prefix cmd)
> + (find-command inputs cmd "sbin" #:prefix prefix))
> + ;; command -v CMD
> + (("(command -v)
> \"*\\<(base64|nproc|perl|printf)\\>\"*" all prefix cmd)
> + (find-command inputs cmd #:prefix prefix))
> +
> + ;; Cats are mysterious...
> + ;; cat <<EOF
> + (("(cat)( <<EOF)" all cmd suffix)
> + (find-command inputs cmd #:suffix suffix))
> + ;; cat "$
> + (("(cat)(\"\\$)" all cmd suffix)
> + (find-command inputs cmd #:suffix suffix))
> + ;; 'cat'
> + (("(')(cat)(')" all prefix cmd suffix)
> + (find-command inputs cmd #:prefix prefix #:suffix
> suffix))
> + ;; "cat"
> + (("(\")(cat)(\")" all prefix cmd suffix)
> + (find-command inputs cmd #:prefix prefix #:suffix
> suffix))))))))
> + (inputs (list kmod lz4 lzop perl procps sharutils util-linux
> zstd))
> + (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> + (synopsis "CPU vulnerability / mitigation checker")
> + (description
> + "This package provides a shell script to assess your system's
> resilience
> +against the several transient execution CVEs that were published
> since early
> +2018, and give you guidance as to how to mitigate them.")
> + (license license:gpl3)))
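Review bot: The first `substitute*` rule in the `fixpath` phase replaces `${opt_arch_prefix}nm` and friends with the bare store path of the build's binutils, so whatever sets `opt_arch_prefix` (presumably a cross-toolchain prefix option) silently stops affecting which `nm`/`objdump`/`readelf`/`strings` is run; if that is intended, say so in the comment, e.g. `;; ${opt_arch_prefix}CMD -- the prefix is dropped, only the build's native binutils are used`. Most of the substituted tools (binutils, coreutils, grep, sed, gawk, the decompressors) are not in the package's `inputs`, so `search-input-file` must be finding them among the build system's implicit inputs; that works, but a comment noting it would help, since those runtime references are easy to lose if the build system or its implicit inputs change. The word-boundary patterns for short names such as `id`, `od` and `rm` followed by ` -` may also match prose in the script's usage text; checking the patched script's `--help` output once would confirm they only hit real commands.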
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-
> builtin-firmware-database.patch b/gnu/packages/patches/spectre-
> meltdown-checker-remove-builtin-firmware-database.patch
> new file mode 100644
> index 0000000000..809763cf4f
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch
> @@ -0,0 +1,243 @@
> +From 340b08737e552c3c186863d76d123808d853a159 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Sat, 12 Nov 2022 22:45:24 +0800
> +Subject: [PATCH] Remove builtin firmware database.
> +
> +1. Remove downloading function.
> +2. Add option for supplying a local database.
> +---
> + spectre-meltdown-checker.sh | 180 +++------------------------------
> ---
> + 1 file changed, 15 insertions(+), 165 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 30f760c..ce46970 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -22,8 +22,6 @@ exit_cleanup()
> + [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm
> -f "$dumped_config"
> + [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm
> -f "$kerneltmp"
> + [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm
> -f "$kerneltmp2"
> +- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm
> -f "$mcedb_tmp"
> +- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm
> -rf "$intel_tmp"
> + [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug
> 2>/dev/null
> + [ "${mounted_procfs:-}" = 1 ] && umount "$procfs"
> 2>/dev/null
> + [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
> +@@ -93,9 +91,7 @@ show_usage()
> + --vmm [auto,yes,no] override the detection of the
> presence of a hypervisor, default: auto
> + --allow-msr-write allow probing for write-only
> MSRs, this might produce kernel logs or be blocked by your system
> + --cpu [#,all] interact with CPUID and MSR
> of CPU core number #, or all (default: CPU core 0)
> +- --update-fwdb update our local copy of the
> CPU microcodes versions database (using the awesome
> +- MCExtractor project and the
> Intel firmwares GitHub repository)
> +- --update-builtin-fwdb same as --update-fwdb but
> update builtin DB inside the script itself
> ++ --with-fwdb FILE supply the CPU microcodes
> versions database
and added a note regarding the (lack of) freedom for proprietary
microcode.
I also added your name and email to the authors of linux.scm, since
this was a very non-trivial package.
Cheers
--- End Message ---