diff mbox series

[bug#49898,v5] gnu: Add spectre-meltdown-checker.

Message ID D2gPGa0WXCIsO76lbxLvD3cuk1oncyGtWwqd_v8_62noAYBvKmfbJdMv-TWoDeZak8S2pVhq1hHoG6hM6-JpwqLoIYK939aGeF7muZ0J3tw=@protonmail.com
State New
Headers show
Series [bug#49898,v5] gnu: Add spectre-meltdown-checker. | expand

Checks

Context Check Description
cbaines/applying patch fail View Laminar job
cbaines/issue success View issue

Commit Message

phodina Dec. 7, 2021, 10:04 p.m. UTC 
Hi Liliana,

> Hi Petr,
>
> Am Samstag, den 18.09.2021, 15:25 +0000 schrieb phodina:
>
> > [...]
>
> > -           (add-after 'unpack 'fix-relative-locations
> >
> >
> > -             (lambda* (#:key outputs #:allow-other-keys)
> >
> >
> > -               (let ((icoreutils (assoc-ref %build-inputs
> >
> >
> >
> > "coreutils"))
> >
> > -                     (igrep (assoc-ref %build-inputs "grep"))
> >
> >
> > -                     (iutil-linux (assoc-ref %build-inputs "util-
> >
> >
> >
> > linux"))
> >
> > -                     (iutil-linux-with-udev
> >
> >
> > -                       (assoc-ref %build-inputs "util-linux-with-
> >
> >
> >
> > udev"))
> >
> > -                     (igawk (assoc-ref %build-inputs "gawk"))
> >
> >
> > -                     (igzip (assoc-ref %build-inputs "gzip"))
> >
> >
> > -                     (iunzip (assoc-ref %build-inputs "unzip"))
> >
> >
> > -                     (ilzop (assoc-ref %build-inputs "lzop"))
> >
> >
> > -                     (iperl (assoc-ref %build-inputs "perl"))
> >
> >
> > -                     (iprocps (assoc-ref %build-inputs "procps"))
> >
> >
> > -                     (isqlite (assoc-ref %build-inputs "sqlite"))
> >
> >
> > -                     (iwget (assoc-ref %build-inputs "wget"))
> >
> >
> > -                     (iwhich (assoc-ref %build-inputs "which"))
> >
> >
> > -                     (ixz (assoc-ref %build-inputs "xz"))
> >
> >
> > -                     (izstd (assoc-ref %build-inputs "zstd")))
> >
> >
>
> I don't think Hungarian notation is very helpful here.
>
> > -                 (substitute* "spectre-meltdown-checker.sh"
> >
> >
> > -                  ; TODO: Find regexp what will work
> >
> >
> > -                  ;(("echo") (string-append icoreutils "/bin/echo"))
> >
> >
> > -                  ;(("printf") (string-append icoreutils
> >
> >
> >
> > "/bin/printf"))
>
> There are multiple ways of handling this, but I thing the best one
>
> would be to substitute both `command -v printf' and` which echo' with
>
> the path to false, then match the line
>
> [ -z "$echo_cmd" ] && echo_cmd='echo'
>
> and instead put there
>
> echo_cmd_type='printf'
>
> echo_cmd=(path-to "/bin/printf")
>
> > -                   (("dirname") (string-append icoreutils
> >
> >
> >
> > "/bin/dirname"))
> >
> > -                   (("cat") (string-append icoreutils "/bin/cat"))
> >
> >
> > -                   (("grep[ ]+") (string-append igrep "/bin/grep "))
> >
> >
> > -                   (("cut") (string-append icoreutils "/bin/cut"))
> >
> >
> > -                   (("mktemp") (string-append icoreutils
> >
> >
> >
> > "/bin/mktemp"))
> >
> > -                   (("stat[ ]+") (string-append icoreutils "/bin/stat
> >
> >
> >
> > " ))
> >
> > -                   (("tail[ ]+") (string-append icoreutils "/bin/tail
> >
> >
> >
> > " ))
> >
> > -                   (("head[ ]+") (string-append icoreutils "/bin/head
> >
> >
> >
> > " ))
> >
> > -                   (("mount[ ]+")  "/run/setuid-programs/mount ")
> >
> >
> > -                   (("modprobe") (string-append iutil-linux
> >
> >
> >
> > "/bin/modprobe"))
> >
> > -                   (("dd") (string-append icoreutils "/bin/dd"))
> >
> >
> > -                   (("dmesg[ ]+") (string-append iutil-linux-with-udev
> >
> >
> >
> > "/bin/dmesg "))
> >
> > -                   (("awk") (string-append igawk "/bin/awk"))
> >
> >
> > -                   (("gzip") (string-append igzip "/bin/gzip"))
> >
> >
> > -                   (("unzip") (string-append iunzip "/bin/unzip"))
> >
> >
> > -                   (("lzop") (string-append ilzop "/bin/lzop"))
> >
> >
> > -                   (("perl") (string-append iperl "/bin/perl"))
> >
> >
> > -                   (("ps[ ]+") (string-append iprocps "/bin/ps "))
> >
> >
> > -                   (("sqlite3") (string-append isqlite
> >
> >
> >
> > "/bin/sqlite3"))
> >
> > -                   (("wget") (string-append iwget "/bin/wget"))
> >
> >
> > -                   (("which") (string-append iwhich "/bin/which"))
> >
> >
> > -                   (("xz") (string-append ixz "/bin/xz"))
> >
> >
> > -                   (("zstd") (string-append izstd "/bin/zstd")))))))))
> >
> >
>
> Group those that need spaces and those that don't together, with an
>
> explanation as to why those two groups exist.
>
> > -   (inputs `(("binutils" ,binutils)
> > -                ("coreutils",coreutils)
> >
> >
> > -                ("gawk" ,gawk)
> >
> >
> > -                ("grep" ,grep)
> >
> >
> > -                ("gzip" ,gzip)
> >
> >
> > -                ("unzip" ,unzip)
> >
> >
> > -                ("lzop" ,lzop)
> >
> >
> > -                ("perl" ,perl)
> >
> >
> > -                ("procps" ,procps)
> >
> >
> > -                ("sqlite" ,sqlite)
> >
> >
> > -                ("util-linux" ,util-linux)
> >
> >
> > -                ("util-linux-with-udev" ,util-linux+udev)
> >
> >
>
> Why both?
>
> > -                ("wget" ,wget)
> >
> >
> > -                ("which" ,which)
> >
> >
> > -                ("xz" ,xz)
> >
> >
> > -                ("zstd" ,zstd)))
> >
> >
> > -   (synopsis "Spectre, Meltdown ... vulnerability/mitigation
> >
> >     checker")
> > -   (description "A shell script to assess your system's resilience
> >
> >     against
> >
> >     +the several transient execution CVEs that were published since early
> >
> >     2018,
> >
> >     +and give you guidance as to how to mitigate them.")
> > -   (home-page "https://github.com/speed47/spectre-meltdown-checker"
> >
> >     )
> > -   (license license:gpl3)))
> >
> > (define-public snapscreenshot
> >
> > (package
> >
> > (name "snapscreenshot")
> > ----------------------------------------------------------------
> >
> > 2.32.0

I've used the wrap-program as an alternative to the your suggested solution.

Going through the program there is a function update_fwdb [1] that downloads and updates database files when the script is executed with the --update-fwdb argument.

I've added both files [2][3] in question to the lists of inputs.

However, since they are supposed to be updated at runtime (stored in $HOME) I don't know to represent this in the package definition.

Could you please suggest how to proceed?

----
Petr

[1] https://github.com/speed47/spectre-meltdown-checker/blob/master/spectre-meltdown-checker.sh#L838
[2] https://github.com/platomav/MCExtractor/raw/master/MCE.db
[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip

Comments

Liliana Marie Prikler June 26, 2022, 10:23 a.m. UTC | #1 
Hi Petr,

sorry for the very late reply.  Are you still interested in adding
spectre-meltdown-checker?  If so, there's a new version out.  Also...

Am Dienstag, dem 07.12.2021 um 22:04 +0000 schrieb phodina:
> I've used the wrap-program as an alternative to the your suggested
> solution.
That does work, but remains quite inelegant.

> Going through the program there is a function update_fwdb [1] that
> downloads and updates database files when the script is executed with
> the --update-fwdb argument.
> 
> I've added both files [2][3] in question to the lists of inputs.
> 
> However, since they are supposed to be updated at runtime (stored in
> $HOME) I don't know to represent this in the package definition.
> 
> Could you please suggest how to proceed?
I'd suggest removing that functionality as well as the associated
inputs (i.e. curl etc., not the databases).  Even if it's treated as
"just data", users should be able to specify on their own the data to
check against.  Perhaps you could suggest to upstream that adding --
fwdb /path/to/fwdb might be useful?

Since this patch is rather old, there are a few style-related changes
that should also be incorporated:


> +    (arguments
> +     `(...))
Use a list of G-Expressions.

> +                   (paths (map
> +                           (lambda (input)
> +                             (string-append (assoc-ref inputs input)
> "/bin"))
> +                           '("coreutils" "grep" "util-linux"
> "iucode-tool"
> +                             "util-linux-with-udev" "gawk" "gzip"
> "lzop"
> +                             "lzop" "perl" "procps" "sqlite" "wget"
> "which" "xz" "zstd"))))
You can use (search-input-file inputs "/bin/CMD") to search CMD from
inputs.
> +    (inputs `(("binutils" ,binutils)
> +              ("coreutils",coreutils)
> +              [...])
You can drop the input labels, but you'll have to find another way to
pass the firmware databases.  Speaking of which, is anything even done
with those?  Could we add (a) separate package(s) with those databases
instead?

Cheers
phodina June 26, 2022, 11:07 a.m. UTC | #2 
Hi,

Yes I'm still interested in upstreaming this package. True, in the meantime a lot has happened and I'll prepare a patch with simplified inputs and Gexps.

Also the databases will be in separate packages and just put into the inputs and linked correctly.

And I'll also update the package version.

Unfortunately HW issues will remain with us for long and it's useful to have some way to check for them.

FIY I'm currently also in process of packaging other stuff so it might take some time.

----
Petr
diff mbox series

Patch

From 83a93beffb9e4493c361d126fdb7564c662525c7 Mon Sep 17 00:00:00 2001
From: Petr Hodina <phodina@protonmail.com>
Date: Thu, 5 Aug 2021 18:23:47 +0200
Subject: [PATCH v5] gnu: Add spectre-meltdown-checker.

* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 03e84a0a79..19999ef8e0 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -53,6 +53,7 @@ 
 ;;; Copyright © 2021 B. Wilson <elaexuotee@wilsonb.com>
 ;;; Copyright © 2021 Ivan Gankevich <i.gankevich@spbu.ru>
 ;;; Copyright © 2021 Olivier Dion <olivier.dion@polymtl.ca>
+;;; Copyright © 2021 Petr Hodina <phodina@protonmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -139,6 +140,7 @@  (define-module (gnu packages linux)
   #:use-module (gnu packages video)
   #:use-module (gnu packages vulkan)
   #:use-module (gnu packages web)
+  #:use-module (gnu packages wget)
   #:use-module (gnu packages xiph)
   #:use-module (gnu packages xml)
   #:use-module (gnu packages xdisorg)
@@ -150,6 +152,7 @@  (define-module (gnu packages linux)
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system go)
+  #:use-module (guix build-system copy)
   #:use-module (guix build-system meson)
   #:use-module (guix build-system python)
   #:use-module (guix build-system trivial)
@@ -7325,6 +7328,81 @@  (define-public psm
     (supported-systems '("i686-linux" "x86_64-linux"))
     (license (list license:bsd-2 license:gpl2)))) ;dual
 
+(define-public spectre-meltdown-checker
+  (package
+    (name "spectre-meltdown-checker")
+    (version "0.44")
+    (source 
+     (origin
+       (method git-fetch)
+       (uri (git-reference
+             (url "https://github.com/speed47/spectre-meltdown-checker")
+             (commit (string-append "v" version))))
+       (file-name (git-file-name name version))
+       (sha256
+        (base32
+         "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam"))))
+    (build-system copy-build-system)
+    (arguments
+     `(#:install-plan '(("spectre-meltdown-checker.sh"
+                         "bin/spectre-meltdown-checker.sh"))
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'unzip-intelfw
+           (lambda* (#:key inputs #:allow-other-keys)
+             (invoke "unzip" (assoc-ref inputs "intelfw"))))
+         (add-after 'install 'patch-paths
+           (lambda* (#:key inputs #:allow-other-keys)
+             (let ((out (assoc-ref %outputs "out"))
+                   (paths (map
+                           (lambda (input)
+                             (string-append (assoc-ref inputs input) "/bin"))
+                           '("coreutils" "grep" "util-linux" "iucode-tool"
+                             "util-linux-with-udev" "gawk" "gzip" "lzop"
+                             "lzop" "perl" "procps" "sqlite" "wget" "which" "xz" "zstd"))))
+               (for-each
+                (lambda (program)
+                  (wrap-program
+                      (string-append out "/" program)
+                    `("PATH" prefix ,paths)))
+                '("bin/spectre-meltdown-checker.sh"))))))))
+    (inputs `(("binutils" ,binutils)
+              ("coreutils",coreutils)
+              ("gawk" ,gawk)
+              ("grep" ,grep)
+              ("gzip" ,gzip)
+              ("intelfw", (origin
+                            (method url-fetch)
+                            (uri
+                             "https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip")
+                            (sha256
+                             (base32
+                              "1zpf1h864f9lqdjf867xg5cw3xpq4l335g7dqpyl2zhb13kk0dhy"))))
+              ("iucode-tool" ,iucode-tool)
+              ("lzop" ,lzop)
+              ("mcedb", (origin
+                          (method url-fetch)
+                          (uri "https://github.com/platomav/MCExtractor/raw/master/MCE.db")
+                          (sha256
+                           (base32
+                            "1lms4q6g17jz7pqvl8fcbpbsxxz84nax18zhn9b532svldxg7gh2"))))
+              ("perl" ,perl)
+              ("procps" ,procps)
+              ("sqlite" ,sqlite)
+              ("unzip" ,unzip)
+              ("util-linux" ,util-linux)
+              ("util-linux-with-udev" ,util-linux+udev)
+              ("wget" ,wget)
+              ("which" ,which)
+              ("xz" ,xz)
+              ("zstd" ,zstd)))
+    (synopsis "Spectre, Meltdown ... vulnerability/mitigation checker")
+    (description "A shell script to assess your system's resilience against
+the several transient execution CVEs that were published since early 2018,
+and give you guidance as to how to mitigate them.")
+    (home-page "https://github.com/speed47/spectre-meltdown-checker")
+    (license license:gpl3)))
+
 (define-public snapscreenshot
   (package
     (name "snapscreenshot")
-- 
2.34.0