@@ -1857,6 +1857,9 @@ dist_patch_DATA = \
%D%/packages/patches/syslinux-strip-gnu-property.patch \
%D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \
%D%/packages/patches/snappy-add-inline-for-GCC.patch \
+ %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \
+ %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch \
+ %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
%D%/packages/patches/sphinxbase-fix-doxygen.patch \
%D%/packages/patches/spice-vdagent-glib-2.68.patch \
%D%/packages/patches/sssd-optional-systemd.patch \
@@ -9595,3 +9595,61 @@ (define-public edac-utils
error detection and correction (EDAC).")
(home-page "https://github.com/grondo/edac-utils")
(license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+ (package
+ (name "spectre-meltdown-checker")
+ (version "0.45")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (patches
+ (search-patches
+ ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+ "spectre-meltdown-checker-support-guix-system-kernel.patch"
+ ;; NOTE: Update these patches when updating.
+ "spectre-meltdown-checker-stage-commands-for-substitution.patch"
+ "spectre-meltdown-checker-remove-builtin-firmware-database.patch"))
+ ;; Remove builtin firmware database.
+ (modules '((guix build utils)))
+ (snippet '(substitute* "spectre-meltdown-checker.sh"
+ (("^# [AI],.*") "")))
+ (sha256
+ (base32
+ "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+ (build-system copy-build-system)
+ (arguments
+ (list #:install-plan
+ #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'fixpath
+ (lambda* (#:key inputs #:allow-other-keys)
+ (substitute* "spectre-meltdown-checker.sh"
+ (("@sysctl@") (search-input-file inputs "/sbin/sysctl"))
+ (("@([a-z0-9]*)@" _ command _)
+ (search-input-file
+ inputs (string-append "/bin/" command)))))))))
+ (inputs
+ (list binutils
+ coreutils
+ grep
+ kmod
+ lz4
+ lzop
+ perl
+ procps
+ sharutils
+ util-linux
+ which
+ zstd))
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (synopsis "CPU vulnerability / mitigation checker")
+ (description
+ "This package provides a shell script to assess your system's resilience
+against the several transient execution CVEs that were published since early
+2018, and give you guidance as to how to mitigate them.")
+ (license license:gpl3)))
new file mode 100644
@@ -0,0 +1,113 @@
+From e2cc68814cf658638946e069406ef6a6032ab318 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 12 Nov 2022 19:49:36 +0800
+Subject: [PATCH 2/2] Remove references to the builtin firmware database.
+
+---
+ spectre-meltdown-checker.sh | 43 +++++++++++--------------------------
+ 1 file changed, 12 insertions(+), 31 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 82cf1b6..5104599 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -95,7 +95,6 @@ show_usage()
+ --cpu [#,all] interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
+ --update-fwdb update our local copy of the CPU microcodes versions database (using the awesome
+ MCExtractor project and the Intel firmwares GitHub repository)
+- --update-builtin-fwdb same as --update-fwdb but update builtin DB inside the script itself
+ --dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script
+
+ Return codes:
+@@ -853,10 +852,10 @@ update_fwdb()
+ mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)"
+ mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+ _info_nol "Fetching MCE.db from the MCExtractor project... "
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
++ if command -v curl >/dev/null 2>&1; then
+ curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
++ elif command -v wget >/dev/null 2>&1; then
++ wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+ elif command -v fetch >/dev/null 2>&1; then
+ fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+ else
+@@ -874,10 +873,10 @@ update_fwdb()
+ intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+ _info_nol "Fetching Intel firmwares... "
+ ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
++ if command -v curl >/dev/null 2>&1; then
+ curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
++ elif command -v wget >/dev/null 2>&1; then
++ wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+ elif command -v fetch >/dev/null 2>&1; then
+ fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+ else
+@@ -968,14 +967,6 @@ update_fwdb()
+ sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,';
+ } > "$mcedb_cache"
+ echo DONE "(version $dbversion)"
+-
+- if [ "$1" = builtin ]; then
+- newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
+- @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+- @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+- @cat@ "$newfile" > "$0"
+- @rm@ -f "$newfile"
+- fi
+ }
+
+ parse_opt_file()
+@@ -1070,9 +1061,6 @@ while [ -n "${1:-}" ]; do
+ elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then
+ update_fwdb
+ exit $?
+- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
+- update_fwdb builtin
+- exit $?
+ elif [ "$1" = "--dump-mock-data" ]; then
+ opt_mock=1
+ shift
+@@ -2033,21 +2021,11 @@ is_xen_domU()
+ fi
+ }
+
+-builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ # we have a local cache file, but it might be older than the builtin version we have
+ local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+- # sort -V sorts by version number
+- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1)
+- if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+- mcedb_source="$mcedb_cache"
+- mcedb_info="local firmwares DB $local_dbversion"
+- fi
+-fi
+-# if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db
+-if [ -z "${mcedb_source:-}" ]; then
+- mcedb_source="$0"
+- mcedb_info="builtin firmwares DB $builtin_dbversion"
++ mcedb_source="$mcedb_cache"
++ mcedb_info="local firmwares DB $local_dbversion"
+ fi
+ read_mcedb()
+ {
+@@ -2063,7 +2041,10 @@ is_latest_known_ucode()
+ return 2
+ fi
+ ucode_latest="latest microcode version for your CPU model is unknown"
+- if is_intel; then
++ if [ -z "$mcedb_source" ]; then
++ # When $mcedb_source is not set, skip version checking and report unknown.
++ return 2
++ elif is_intel; then
+ cpu_brand_prefix=I
+ elif is_amd; then
+ cpu_brand_prefix=A
+--
+2.38.1
+
new file mode 100644
@@ -0,0 +1,1947 @@
+From 4dc8ae01aec5a8a2aa2afc015603261d514620ae Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Fri, 11 Nov 2022 18:49:50 +0800
+Subject: [PATCH 1/2] Stage commands for later substitution.
+
+awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find, getent,
+grep, gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm,
+nproc, objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat,
+strings, sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, which,
+whoami, xargs.
+---
+ spectre-meltdown-checker.sh | 648 ++++++++++++++++++------------------
+ 1 file changed, 324 insertions(+), 324 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 30f760c..82cf1b6 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -19,33 +19,33 @@ trap '_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT
+ exit_cleanup()
+ {
+ # cleanup the temp decompressed config & kernel image
+- [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
+- [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp"
+- [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2"
+- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm -f "$mcedb_tmp"
+- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm -rf "$intel_tmp"
+- [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
+- [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null
+- [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
+- [ "${insmod_msr:-}" = 1 ] && rmmod msr 2>/dev/null
++ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && @rm@ -f "$dumped_config"
++ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && @rm@ -f "$kerneltmp"
++ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && @rm@ -f "$kerneltmp2"
++ [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && @rm@ -f "$mcedb_tmp"
++ [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && @rm@ -rf "$intel_tmp"
++ [ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug 2>/dev/null
++ [ "${mounted_procfs:-}" = 1 ] && @umount@ "$procfs" 2>/dev/null
++ [ "${insmod_cpuid:-}" = 1 ] && @rmmod@ cpuid 2>/dev/null
++ [ "${insmod_msr:-}" = 1 ] && @rmmod@ msr 2>/dev/null
+ [ "${kldload_cpuctl:-}" = 1 ] && kldunload cpuctl 2>/dev/null
+ [ "${kldload_vmm:-}" = 1 ] && kldunload vmm 2>/dev/null
+ }
+
+ # if we were git clone'd, adjust VERSION
+-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then
+- describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null)
+- [ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e s/^v//)
++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null 2>&1; then
++ describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty 2>/dev/null)
++ [ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e s/^v//)
+ fi
+
+ show_usage()
+ {
+ # shellcheck disable=SC2086
+- cat <<EOF
++ @cat@ <<EOF
+ Usage:
+- Live mode (auto): $(basename $0) [options]
+- Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
+- Offline mode: $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
++ Live mode (auto): $(@basename@ $0) [options]
++ Live mode (manual): $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
++ Offline mode: $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
+
+ Modes:
+ Two modes are available.
+@@ -110,7 +110,7 @@ EOF
+
+ show_disclaimer()
+ {
+- cat <<EOF
++ @cat@ <<EOF
+ Disclaimer:
+
+ This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the
+@@ -138,7 +138,7 @@ This tool has been released in the hope that it'll be useful, but don't use it t
+ EOF
+ }
+
+-os=$(uname -s)
++os=$(@uname@ -s)
+
+ # parse options
+ opt_kernel=''
+@@ -207,7 +207,7 @@ __echo()
+ _interpret_chars='-e'
+ fi
+ _ctrlchar=$($echo_cmd $_interpret_chars "\033")
+- _msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
++ _msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
+ fi
+ if [ "$echo_cmd_type" = printf ]; then
+ if [ "$opt" = "-n" ]; then
+@@ -383,7 +383,7 @@ is_cpu_affected()
+ # https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not affected
+ # https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown affected
+ # model name : Pentium(R) Dual-Core CPU E5200 @ 2.50GHz
+- if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
++ if echo "$cpu_friendly_name" | @grep@ -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
+ variant1=vuln
+ [ -z "$variant2" ] && variant2=immune
+ variant3=vuln
+@@ -486,7 +486,7 @@ is_cpu_affected()
+ i=$(( i + 1 ))
+ # do NOT quote $cpu_arch_list below
+ # shellcheck disable=SC2086
+- cpuarch=$(echo $cpu_arch_list | awk '{ print $'$i' }')
++ cpuarch=$(echo $cpu_arch_list | @awk@ '{ print $'$i' }')
+ _debug "checking cpu$i: <$cpupart> <$cpuarch>"
+ # some kernels report AArch64 instead of 8
+ [ "$cpuarch" = "AArch64" ] && cpuarch=8
+@@ -497,49 +497,49 @@ is_cpu_affected()
+ # part ? ? c08 c09 c0d c0f c0e d07 d08 d09 d0a d0b d0c d0d
+ # arch 7? 7? 7 7 7 7 7 8 8 8 8 8 8 8
+ #
+- # Whitelist identified non-affected processors, use vulnerability information from
++ # Whitelist identified non-affected processors, use vulnerability information from
+ # https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
+ # Partnumbers can be found here:
+ # https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in
+ #
+ # Maintain cumulative check of vulnerabilities -
+ # if at least one of the cpu is affected, then the system is affected
+- if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
++ if [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ [ -z "$variant3a" ] && variant3a=immune
+ [ -z "$variant4" ] && variant4=immune
+ _debug "checking cpu$i: armv7 A8/A9/A12/A17 non affected to variants 3, 3a & 4"
+- elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc0f; then
++ elif [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc0f; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ variant3a=vuln
+ [ -z "$variant4" ] && variant4=immune
+ _debug "checking cpu$i: armv7 A15 non affected to variants 3 & 4"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd07 -e 0xd08; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ variant3a=vuln
+ variant4=vuln
+ _debug "checking cpu$i: armv8 A57/A72 non affected to variants 3"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd09; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd09; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ [ -z "$variant3a" ] && variant3a=immune
+ variant4=vuln
+ _debug "checking cpu$i: armv8 A73 non affected to variants 3 & 3a"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0a; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0a; then
+ variant1=vuln
+ variant2=vuln
+ variant3=vuln
+ [ -z "$variant3a" ] && variant3a=immune
+ variant4=vuln
+ _debug "checking cpu$i: armv8 A75 non affected to variant 3a"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
+ variant1=vuln
+ [ -z "$variant2" ] && variant2=immune
+ [ -z "$variant3" ] && variant3=immune
+@@ -820,7 +820,7 @@ is_cpu_ssb_free()
+ if [ "$cpu_family" = "18" ] || \
+ [ "$cpu_family" = "17" ] || \
+ [ "$cpu_family" = "16" ] || \
+- [ "$cpu_family" = "15" ]; then
++ [ "$cpu_family" = "15" ]; then
+ return 0
+ fi
+ fi
+@@ -837,7 +837,7 @@ show_header()
+ _info
+ }
+
+-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
++[ -z "$HOME" ] && HOME="$(@getent@ passwd "$(@whoami@)" | @cut@ -d: -f6)"
+ mcedb_cache="$HOME/.mcedb"
+ update_fwdb()
+ {
+@@ -846,11 +846,11 @@ update_fwdb()
+ set -e
+
+ if [ -r "$mcedb_cache" ]; then
+- previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
++ previous_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+ fi
+
+ # first, download the MCE.db from the excellent platomav's MCExtractor project
+- mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
++ mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)"
+ mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+ _info_nol "Fetching MCE.db from the MCExtractor project... "
+ if command -v wget >/dev/null 2>&1; then
+@@ -870,7 +870,7 @@ update_fwdb()
+ echo DONE
+
+ # second, get the Intel firmwares from GitHub
+- intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
++ intel_tmp="$(@mktemp@ -d -t smc-intelfw-XXXXXX)"
+ intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+ _info_nol "Fetching Intel firmwares... "
+ ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+@@ -930,20 +930,20 @@ update_fwdb()
+ fi
+ # 079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev 0x0217, size 5120
+ # 078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev 0x0107, size 5120
+- $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
++ $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | @grep@ -wF sig | while read -r _line
+ do
+- _line=$( echo "$_line" | tr -d ',')
+- _cpuid=$( echo "$_line" | awk '{print $3}')
++ _line=$( echo "$_line" | @tr@ -d ',')
++ _cpuid=$( echo "$_line" | @awk@ '{print $3}')
+ _cpuid=$(( _cpuid ))
+ _cpuid=$(printf "0x%08X" "$_cpuid")
+- _date=$( echo "$_line" | awk '{print $6}' | tr -d '-')
+- _version=$(echo "$_line" | awk '{print $8}')
++ _date=$( echo "$_line" | @awk@ '{print $6}' | @tr@ -d '-')
++ _version=$(echo "$_line" | @awk@ '{print $8}')
+ _version=$(( _version ))
+ _version=$(printf "0x%08X" "$_version")
+ _sqlstm="$(printf "INSERT INTO Intel (origin,cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")"
+ sqlite3 "$mcedb_tmp" "$_sqlstm"
+ done
+- _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
++ _intel_timestamp=$(@stat@ -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
+ if [ -n "$_intel_timestamp" ]; then
+ # use this date, it matches the last commit date
+ _intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp")
+@@ -964,17 +964,17 @@ update_fwdb()
+ {
+ echo "# Spectre & Meltdown Checker";
+ echo "# %%% MCEDB v$dbversion";
+- sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+- sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
++ sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,';
++ sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,';
+ } > "$mcedb_cache"
+ echo DONE "(version $dbversion)"
+
+ if [ "$1" = builtin ]; then
+- newfile=$(mktemp -t smc-builtin-XXXXXX)
+- awk '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+- awk '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+- cat "$newfile" > "$0"
+- rm -f "$newfile"
++ newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
++ @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
++ @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
++ @cat@ "$newfile" > "$0"
++ @rm@ -f "$newfile"
+ fi
+ }
+
+@@ -1055,7 +1055,7 @@ while [ -n "${1:-}" ]; do
+ elif [ "$1" = "--cpu" ]; then
+ opt_cpu=$2
+ if [ "$opt_cpu" != all ]; then
+- if echo "$opt_cpu" | grep -Eq '^[0-9]+'; then
++ if echo "$opt_cpu" | @grep@ -Eq '^[0-9]+'; then
+ opt_cpu=$(( opt_cpu ))
+ else
+ echo "$0: error: --cpu should be an integer or 'all', got '$opt_cpu'" >&2
+@@ -1103,7 +1103,7 @@ while [ -n "${1:-}" ]; do
+ echo "$0: error: option --cve expects a parameter, supported CVEs are: $supported_cve_list" >&2
+ exit 255
+ fi
+- selected_cve=$(echo "$supported_cve_list" | grep -iwo "$2")
++ selected_cve=$(echo "$supported_cve_list" | @grep@ -iwo "$2")
+ if [ -n "$selected_cve" ]; then
+ opt_cve_list="$opt_cve_list $selected_cve"
+ opt_cve_all=0
+@@ -1308,14 +1308,14 @@ check_kernel()
+ # a damaged ELF file and validate it, check for stderr warnings too
+
+ # the warning "readelf: Warning: [16]: Link field (0) should index a symtab section./" can appear on valid kernels, ignore it
+- _readelf_warnings=$("${opt_arch_prefix}readelf" -S "$_file" 2>&1 >/dev/null | grep -v 'should index a symtab section' | tr "\n" "/"); ret=$?
+- _readelf_sections=$("${opt_arch_prefix}readelf" -S "$_file" 2>/dev/null | grep -c -e data -e text -e init)
+- _kernel_size=$(stat -c %s "$_file" 2>/dev/null || stat -f %z "$_file" 2>/dev/null || echo 10000)
++ _readelf_warnings=$("@readelf@" -S "$_file" 2>&1 >/dev/null | @grep@ -v 'should index a symtab section' | @tr@ "\n" "/"); ret=$?
++ _readelf_sections=$("@readelf@" -S "$_file" 2>/dev/null | @grep@ -c -e data -e text -e init)
++ _kernel_size=$(@stat@ -c %s "$_file" 2>/dev/null || @stat@ -f %z "$_file" 2>/dev/null || echo 10000)
+ _debug "check_kernel: ret=$? size=$_kernel_size sections=$_readelf_sections warnings=$_readelf_warnings"
+ if [ "$_mode" = desperate ]; then
+- if "${opt_arch_prefix}strings" "$_file" | grep -Eq '^Linux version '; then
++ if "@strings@" "$_file" | @grep@ -Eq '^Linux version '; then
+ _debug "check_kernel (desperate): ... matched!"
+- if [ "$_readelf_sections" = 0 ] && grep -qF -e armv6 -e armv7 "$_file"; then
++ if [ "$_readelf_sections" = 0 ] && @grep@ -qF -e armv6 -e armv7 "$_file"; then
+ _debug "check_kernel (desperate): raw arm binary found, adjusting objdump options"
+ objdump_options="-D -b binary -marm"
+ else
+@@ -1348,7 +1348,7 @@ try_decompress()
+
+ # Try to find the header ($1) and decompress from here
+ _debug "try_decompress: looking for $3 magic in $6"
+- for pos in $(tr "$1\n$2" "\n$2=" < "$6" | grep -abo "^$2")
++ for pos in $(@tr@ "$1\n$2" "\n$2=" < "$6" | @grep@ -abo "^$2")
+ do
+ _debug "try_decompress: magic for $3 found at offset $pos"
+ if ! command -v "$3" >/dev/null 2>&1; then
+@@ -1375,11 +1375,11 @@ try_decompress()
+ kernel="$kerneltmp"
+ _debug "try_decompress: decompressed with $3 successfully!"
+ return 0
+- elif [ "$3" != "cat" ]; then
++ elif [ "$3" != "@cat@" ]; then
+ _debug "try_decompress: decompression with $3 worked but result is not a kernel, trying with an offset"
+- [ -z "$kerneltmp2" ] && kerneltmp2=$(mktemp -t smc-kernel-XXXXXX)
+- cat "$kerneltmp" > "$kerneltmp2"
+- try_decompress '\177ELF' xxy 'cat' '' cat "$kerneltmp2" && return 0
++ [ -z "$kerneltmp2" ] && kerneltmp2=$(@mktemp@ -t smc-kernel-XXXXXX)
++ @cat@ "$kerneltmp" > "$kerneltmp2"
++ try_decompress '\177ELF' xxy '@cat@' '' cat "$kerneltmp2" && return 0
+ else
+ _debug "try_decompress: decompression with $3 worked but result is not a kernel"
+ fi
+@@ -1391,12 +1391,12 @@ extract_kernel()
+ {
+ [ -n "${1:-}" ] || return 1
+ # Prepare temp files:
+- kerneltmp="$(mktemp -t smc-kernel-XXXXXX)"
++ kerneltmp="$(@mktemp@ -t smc-kernel-XXXXXX)"
+
+ # Initial attempt for uncompressed images or objects:
+ if check_kernel "$1"; then
+ _debug "extract_kernel: found kernel is valid, no decompression needed"
+- cat "$1" > "$kerneltmp"
++ @cat@ "$1" > "$kerneltmp"
+ kernel=$kerneltmp
+ return 0
+ fi
+@@ -1405,14 +1405,14 @@ extract_kernel()
+ for pass in 1 2; do
+ for mode in normal desperate; do
+ _debug "extract_kernel: pass $pass $mode mode"
+- try_decompress '\037\213\010' xy gunzip '' gunzip "$1" "$mode" "$pass" && return 0
+- try_decompress '\002\041\114\030' xyy 'lz4' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
+- try_decompress '\3757zXZ\000' abcde unxz '' xz-utils "$1" "$mode" "$pass" && return 0
+- try_decompress 'BZh' xy bunzip2 '' bzip2 "$1" "$mode" "$pass" && return 0
+- try_decompress '\135\0\0\0' xxx unlzma '' xz-utils "$1" "$mode" "$pass" && return 0
+- try_decompress '\211\114\132' xy 'lzop' '-d' lzop "$1" "$mode" "$pass" && return 0
+- try_decompress '\177ELF' xxy 'cat' '' cat "$1" "$mode" "$pass" && return 0
+- try_decompress '(\265/\375' xxy unzstd '' zstd "$1" "$mode" "$pass" && return 0
++ try_decompress '\037\213\010' xy @gunzip@ '' gunzip "$1" "$mode" "$pass" && return 0
++ try_decompress '\002\041\114\030' xyy '@lz4@' '-d -l' liblz4-tool "$1" "$mode" "$pass" && return 0
++ try_decompress '\3757zXZ\000' abcde @unxz@ '' xz-utils "$1" "$mode" "$pass" && return 0
++ try_decompress 'BZh' xy @bunzip2@ '' bzip2 "$1" "$mode" "$pass" && return 0
++ try_decompress '\135\0\0\0' xxx @unlzma@ '' xz-utils "$1" "$mode" "$pass" && return 0
++ try_decompress '\211\114\132' xy '@lzop@' '-d' lzop "$1" "$mode" "$pass" && return 0
++ try_decompress '\177ELF' xxy '@cat@' '' cat "$1" "$mode" "$pass" && return 0
++ try_decompress '(\265/\375' xxy @unzstd@ '' zstd "$1" "$mode" "$pass" && return 0
+ done
+ done
+ # kernel_err might already have been populated by try_decompress() if we're missing one of the tools
+@@ -1429,7 +1429,7 @@ mount_debugfs()
+ {
+ if [ ! -e /sys/kernel/debug/sched_features ]; then
+ # try to mount the debugfs hierarchy ourselves and remember it to umount afterwards
+- mount -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
++ @mount@ -t debugfs debugfs /sys/kernel/debug 2>/dev/null && mounted_debugfs=1
+ fi
+ }
+
+@@ -1440,12 +1440,12 @@ load_msr()
+ load_msr_once=1
+
+ if [ "$os" = Linux ]; then
+- if ! grep -qw msr "$procfs/modules" 2>/dev/null; then
+- modprobe msr 2>/dev/null && insmod_msr=1
++ if ! @grep@ -qw msr "$procfs/modules" 2>/dev/null; then
++ @modprobe@ msr 2>/dev/null && insmod_msr=1
+ _debug "attempted to load module msr, insmod_msr=$insmod_msr"
+ else
+ _debug "msr module already loaded"
+- fi
++ fi
+ else
+ if ! kldstat -q -m cpuctl; then
+ kldload cpuctl 2>/dev/null && kldload_cpuctl=1
+@@ -1463,12 +1463,12 @@ load_cpuid()
+ load_cpuid_once=1
+
+ if [ "$os" = Linux ]; then
+- if ! grep -qw cpuid "$procfs/modules" 2>/dev/null; then
+- modprobe cpuid 2>/dev/null && insmod_cpuid=1
++ if ! @grep@ -qw cpuid "$procfs/modules" 2>/dev/null; then
++ @modprobe@ cpuid 2>/dev/null && insmod_cpuid=1
+ _debug "attempted to load module cpuid, insmod_cpuid=$insmod_cpuid"
+ else
+ _debug "cpuid module already loaded"
+- fi
++ fi
+ else
+ if ! kldstat -q -m cpuctl; then
+ kldload cpuctl 2>/dev/null && kldload_cpuctl=1
+@@ -1557,7 +1557,7 @@ read_cpuid_one_core()
+ fi
+ # on some kernel versions, /dev/cpu/0/cpuid doesn't imply that the cpuid module is loaded, in that case dd returns an error,
+ # we use that fact to load the module if dd returns an error
+- if ! dd if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then
++ if ! @dd@ if=/dev/cpu/0/cpuid bs=16 count=1 >/dev/null 2>&1; then
+ load_cpuid
+ fi
+ # we need _leaf to be converted to decimal for dd
+@@ -1568,14 +1568,14 @@ read_cpuid_one_core()
+ _ddskip=$(( _position / 16 ))
+ _odskip=$(( _position - _ddskip * 16 ))
+ # now read the value
+- _cpuid=$(dd if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | od -j $((_odskip * 16)) -A n -t u4)
++ _cpuid=$(@dd@ if="/dev/cpu/$_core/cpuid" bs=16 skip=$_ddskip count=$((_odskip + 1)) 2>/dev/null | @od@ -j $((_odskip * 16)) -A n -t u4)
+ elif [ -e /dev/cpuctl0 ]; then
+ # BSD
+ if [ ! -r /dev/cpuctl0 ]; then
+ read_cpuid_msg="Couldn't read cpuid info from cpuctl"
+ return $READ_CPUID_RET_ERR
+ fi
+- _cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | cut -d: -f2-)
++ _cpuid=$(cpucontrol -i "$_leaf","$_subleaf" "/dev/cpuctl$_core" 2>/dev/null | @cut@ -d: -f2-)
+ # cpuid level 0x4, level_type 0x2: 0x1c004143 0x01c0003f 0x000001ff 0x00000000
+ else
+ read_cpuid_msg="Found no way to read cpuid info"
+@@ -1598,7 +1598,7 @@ read_cpuid_one_core()
+ fi
+
+ # get the value of the register we want
+- _reg=$(echo "$_cpuid" | awk '{print $'"$_register"'}')
++ _reg=$(echo "$_cpuid" | @awk@ '{print $'"$_register"'}')
+ # Linux returns it as decimal, BSD as hex, normalize to decimal
+ _reg=$(( _reg ))
+ # shellcheck disable=SC2046
+@@ -1626,11 +1626,11 @@ dmesg_grep()
+ # grep for something in dmesg, ensuring that the dmesg buffer
+ # has not been truncated
+ dmesg_grepped=''
+- if ! dmesg | grep -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then
++ if ! @dmesg@ | @grep@ -qE -e '(^|\] )Linux version [0-9]' -e '^FreeBSD is a registered' ; then
+ # dmesg truncated
+ return 2
+ fi
+- dmesg_grepped=$(dmesg | grep -E "$1" | head -1)
++ dmesg_grepped=$(@dmesg@ | @grep@ -E "$1" | @head@ -1)
+ # not found:
+ [ -z "$dmesg_grepped" ] && return 1
+ # found, output is in $dmesg_grepped
+@@ -1647,12 +1647,12 @@ parse_cpu_details()
+ {
+ [ "${parse_cpu_details_done:-}" = 1 ] && return 0
+
+- if command -v nproc >/dev/null; then
+- number_of_cores=$(nproc)
+- elif echo "$os" | grep -q BSD; then
+- number_of_cores=$(sysctl -n hw.ncpu 2>/dev/null || echo 1)
++ if command -v @nproc@ >/dev/null; then
++ number_of_cores=$(@nproc@)
++ elif echo "$os" | @grep@ -q BSD; then
++ number_of_cores=$(@sysctl@ -n hw.ncpu 2>/dev/null || echo 1)
+ elif [ -e "$procfs/cpuinfo" ]; then
+- number_of_cores=$(grep -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1)
++ number_of_cores=$(@grep@ -c ^processor "$procfs/cpuinfo" 2>/dev/null || echo 1)
+ else
+ # if we don't know, default to 1 CPU
+ number_of_cores=1
+@@ -1660,43 +1660,43 @@ parse_cpu_details()
+ max_core_id=$(( number_of_cores - 1 ))
+
+ if [ -e "$procfs/cpuinfo" ]; then
+- cpu_vendor=$( grep '^vendor_id' "$procfs/cpuinfo" | awk '{print $3}' | head -1)
+- cpu_friendly_name=$(grep '^model name' "$procfs/cpuinfo" | cut -d: -f2- | head -1 | sed -e 's/^ *//')
++ cpu_vendor=$( @grep@ '^vendor_id' "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1)
++ cpu_friendly_name=$(@grep@ '^model name' "$procfs/cpuinfo" | @cut@ -d: -f2- | @head@ -1 | @sed@ -e 's/^ *//')
+ # special case for ARM follows
+- if grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
++ if @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x41' "$procfs/cpuinfo"; then
+ cpu_vendor='ARM'
+ # some devices (phones or other) have several ARMs and as such different part numbers,
+ # an example is "bigLITTLE", so we need to store the whole list, this is needed for is_cpu_affected
+- cpu_part_list=$(awk '/CPU part/ {print $4}' "$procfs/cpuinfo")
+- cpu_arch_list=$(awk '/CPU architecture/ {print $3}' "$procfs/cpuinfo")
++ cpu_part_list=$(@awk@ '/CPU part/ {print $4}' "$procfs/cpuinfo")
++ cpu_arch_list=$(@awk@ '/CPU architecture/ {print $3}' "$procfs/cpuinfo")
+ # take the first one to fill the friendly name, do NOT quote the vars below
+ # shellcheck disable=SC2086
+- cpu_arch=$(echo $cpu_arch_list | awk '{ print $1 }')
++ cpu_arch=$(echo $cpu_arch_list | @awk@ '{ print $1 }')
+ # shellcheck disable=SC2086
+- cpu_part=$(echo $cpu_part_list | awk '{ print $1 }')
++ cpu_part=$(echo $cpu_part_list | @awk@ '{ print $1 }')
+ [ "$cpu_arch" = "AArch64" ] && cpu_arch=8
+ cpu_friendly_name="ARM"
+ [ -n "$cpu_arch" ] && cpu_friendly_name="$cpu_friendly_name v$cpu_arch"
+ [ -n "$cpu_part" ] && cpu_friendly_name="$cpu_friendly_name model $cpu_part"
+
+- elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
++ elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x43' "$procfs/cpuinfo"; then
+ cpu_vendor='CAVIUM'
+- elif grep -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
++ elif @grep@ -qi 'CPU implementer[[:space:]]*:[[:space:]]*0x70' "$procfs/cpuinfo"; then
+ cpu_vendor='PHYTIUM'
+ fi
+
+- cpu_family=$( grep '^cpu family' "$procfs/cpuinfo" | awk '{print $4}' | grep -E '^[0-9]+$' | head -1)
+- cpu_model=$( grep '^model' "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
+- cpu_stepping=$(grep '^stepping' "$procfs/cpuinfo" | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
+- cpu_ucode=$( grep '^microcode' "$procfs/cpuinfo" | awk '{print $3}' | head -1)
++ cpu_family=$( @grep@ '^cpu family' "$procfs/cpuinfo" | @awk@ '{print $4}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++ cpu_model=$( @grep@ '^model' "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++ cpu_stepping=$(@grep@ '^stepping' "$procfs/cpuinfo" | @awk@ '{print $3}' | @grep@ -E '^[0-9]+$' | @head@ -1)
++ cpu_ucode=$( @grep@ '^microcode' "$procfs/cpuinfo" | @awk@ '{print $3}' | @head@ -1)
+ else
+- cpu_vendor=$( dmesg | grep -i -m1 'Origin=' | cut -f2 -w | cut -f2 -d= | cut -f2 -d\" )
+- cpu_family=$( dmesg | grep -i -m1 'Family=' | cut -f4 -w | cut -f2 -d= )
++ cpu_vendor=$( @dmesg@ | @grep@ -i -m1 'Origin=' | @cut@ -f2 -w | @cut@ -f2 -d= | @cut@ -f2 -d\" )
++ cpu_family=$( @dmesg@ | @grep@ -i -m1 'Family=' | @cut@ -f4 -w | @cut@ -f2 -d= )
+ cpu_family=$(( cpu_family ))
+- cpu_model=$( dmesg | grep -i -m1 'Model=' | cut -f5 -w | cut -f2 -d= )
++ cpu_model=$( @dmesg@ | @grep@ -i -m1 'Model=' | @cut@ -f5 -w | @cut@ -f2 -d= )
+ cpu_model=$(( cpu_model ))
+- cpu_stepping=$( dmesg | grep -i -m1 'Stepping=' | cut -f6 -w | cut -f2 -d= )
+- cpu_friendly_name=$(sysctl -n hw.model 2>/dev/null)
++ cpu_stepping=$( @dmesg@ | @grep@ -i -m1 'Stepping=' | @cut@ -f6 -w | @cut@ -f2 -d= )
++ cpu_friendly_name=$(@sysctl@ -n hw.model 2>/dev/null)
+ fi
+
+ if [ -n "${SMC_MOCK_CPU_FRIENDLY_NAME:-}" ]; then
+@@ -1751,7 +1751,7 @@ parse_cpu_details()
+ # call CPUID
+ cpucontrol -i 1 /dev/cpuctl0 >/dev/null
+ # read MSR
+- cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | awk '{print $3}')
++ cpu_ucode=$(cpucontrol -m 0x8b /dev/cpuctl0 | @awk@ '{print $3}')
+ # convert to decimal
+ cpu_ucode=$(( cpu_ucode ))
+ # convert back to hex
+@@ -1770,7 +1770,7 @@ parse_cpu_details()
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CPU_UCODE='$cpu_ucode'")
+ fi
+
+- echo "$cpu_ucode" | grep -q ^0x && cpu_ucode=$(( cpu_ucode ))
++ echo "$cpu_ucode" | @grep@ -q ^0x && cpu_ucode=$(( cpu_ucode ))
+ ucode_found=$(printf "family 0x%x model 0x%x stepping 0x%x ucode 0x%x cpuid 0x%x" "$cpu_family" "$cpu_model" "$cpu_stepping" "$cpu_ucode" "$cpu_cpuid")
+
+ # also define those that we will need in other funcs
+@@ -1867,8 +1867,8 @@ is_cpu_smt_enabled()
+ {
+ # SMT / HyperThreading is enabled if siblings != cpucores
+ if [ -e "$procfs/cpuinfo" ]; then
+- _siblings=$(awk '/^siblings/ {print $3;exit}' "$procfs/cpuinfo")
+- _cpucores=$(awk '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo")
++ _siblings=$(@awk@ '/^siblings/ {print $3;exit}' "$procfs/cpuinfo")
++ _cpucores=$(@awk@ '/^cpu cores/ {print $4;exit}' "$procfs/cpuinfo")
+ if [ -n "$_siblings" ] && [ -n "$_cpucores" ]; then
+ if [ "$_siblings" = "$_cpucores" ]; then
+ return 1
+@@ -1916,10 +1916,10 @@ is_ucode_blacklisted()
+ $INTEL_FAM6_SANDYBRIDGE_X,0x06,0x61b \
+ $INTEL_FAM6_SANDYBRIDGE_X,0x07,0x712
+ do
+- model=$(echo "$tuple" | cut -d, -f1)
+- stepping=$(( $(echo "$tuple" | cut -d, -f2) ))
++ model=$(echo "$tuple" | @cut@ -d, -f1)
++ stepping=$(( $(echo "$tuple" | @cut@ -d, -f2) ))
+ if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" = "$stepping" ]; then
+- ucode=$(( $(echo "$tuple" | cut -d, -f3) ))
++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
+ if [ "$cpu_ucode" = "$ucode" ]; then
+ _debug "is_ucode_blacklisted: we have a match! ($cpu_model/$cpu_stepping/$cpu_ucode)"
+ return 0
+@@ -2007,7 +2007,7 @@ is_xen_dom0()
+ return 1
+ fi
+
+- if [ -e "$procfs/xen/capabilities" ] && grep -q "control_d" "$procfs/xen/capabilities"; then
++ if [ -e "$procfs/xen/capabilities" ] && @grep@ -q "control_d" "$procfs/xen/capabilities"; then
+ return 0
+ else
+ return 1
+@@ -2033,12 +2033,12 @@ is_xen_domU()
+ fi
+ }
+
+-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
++builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ # we have a local cache file, but it might be older than the builtin version we have
+- local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
++ local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+ # sort -V sorts by version number
+- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | sort -V | head -n1)
++ older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1)
+ if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+ mcedb_source="$mcedb_cache"
+ mcedb_info="local firmwares DB $local_dbversion"
+@@ -2051,7 +2051,7 @@ if [ -z "${mcedb_source:-}" ]; then
+ fi
+ read_mcedb()
+ {
+- awk '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
++ @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
+ }
+
+ is_latest_known_ucode()
+@@ -2070,10 +2070,10 @@ is_latest_known_ucode()
+ else
+ return 2
+ fi
+- for tuple in $(read_mcedb | grep "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
++ for tuple in $(read_mcedb | @grep@ "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
+ do
+- ucode=$(( $(echo "$tuple" | cut -d, -f3) ))
+- ucode_date=$(echo "$tuple" | cut -d, -f4 | sed -r 's=(....)(..)(..)=\1/\2/\3=')
++ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
++ ucode_date=$(echo "$tuple" | @cut@ -d, -f4 | @sed@ -r 's=(....)(..)(..)=\1/\2/\3=')
+ _debug "is_latest_known_ucode: with cpuid $cpu_cpuid has ucode $cpu_ucode, last known is $ucode from $ucode_date"
+ ucode_latest=$(printf "latest version is 0x%x dated $ucode_date according to $mcedb_info" "$ucode")
+ if [ "$cpu_ucode" -ge "$ucode" ]; then
+@@ -2098,7 +2098,7 @@ get_cmdline()
+ kernel_cmdline="$SMC_MOCK_CMDLINE"
+ return
+ else
+- kernel_cmdline=$(cat "$procfs/cmdline")
++ kernel_cmdline=$(@cat@ "$procfs/cmdline")
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_CMDLINE='$kernel_cmdline'")
+ fi
+ }
+@@ -2106,7 +2106,7 @@ get_cmdline()
+ # ENTRYPOINT
+
+ # we can't do anything useful under WSL
+-if uname -a | grep -qE -- '-Microsoft #[0-9]+-Microsoft '; then
++if @uname@ -a | @grep@ -qE -- '-Microsoft #[0-9]+-Microsoft '; then
+ _warn "This script doesn't work under Windows Subsystem for Linux"
+ _warn "You should use the official Microsoft tool instead."
+ _warn "It can be found under https://aka.ms/SpeculationControlPS"
+@@ -2155,15 +2155,15 @@ fi
+
+ # if we're under a BSD, try to mount linprocfs for "$procfs/cpuinfo"
+ procfs=/proc
+-if echo "$os" | grep -q BSD; then
++if echo "$os" | @grep@ -q BSD; then
+ _debug "We're under BSD, check if we have procfs"
+- procfs=$(mount | awk '/^linprocfs/ { print $3; exit; }')
++ procfs=$(@mount@ | @awk@ '/^linprocfs/ { print $3; exit; }')
+ if [ -z "$procfs" ]; then
+ _debug "we don't, try to mount it"
+ procfs=/proc
+ [ -d /compat/linux/proc ] && procfs=/compat/linux/proc
+ test -d $procfs || mkdir $procfs
+- if mount -t linprocfs linprocfs $procfs 2>/dev/null; then
++ if @mount@ -t linprocfs linprocfs $procfs 2>/dev/null; then
+ mounted_procfs=1
+ _debug "procfs just mounted at $procfs"
+ else
+@@ -2195,14 +2195,14 @@ fi
+
+ if [ "$opt_live" = 1 ]; then
+ # root check (only for live mode, for offline mode, we already checked if we could read the files)
+- if [ "$(id -u)" -ne 0 ]; then
++ if [ "$(@id@ -u)" -ne 0 ]; then
+ _warn "Note that you should launch this script with root privileges to get accurate information."
+ _warn "We'll proceed but you might see permission denied errors."
+ _warn "To run it as root, you can try the following command: sudo $0"
+ _warn
+ fi
+ _info "Checking for vulnerabilities on current system"
+- _info "Kernel is \033[35m$os $(uname -r) $(uname -v) $(uname -m)\033[0m"
++ _info "Kernel is \033[35m$os $(@uname@ -r) $(@uname@ -v) $(@uname@ -m)\033[0m"
+ _info "CPU is \033[35m$cpu_friendly_name\033[0m"
+
+ # try to find the image of the current running kernel
+@@ -2210,12 +2210,12 @@ if [ "$opt_live" = 1 ]; then
+ # specified by user on cmdline, with --live, don't override
+ :
+ # first, look for the BOOT_IMAGE hint in the kernel cmdline
+- elif echo "$kernel_cmdline" | grep -q 'BOOT_IMAGE='; then
+- opt_kernel=$(echo "$kernel_cmdline" | grep -Eo 'BOOT_IMAGE=[^ ]+' | cut -d= -f2)
++ elif echo "$kernel_cmdline" | @grep@ -q 'BOOT_IMAGE='; then
++ opt_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo 'BOOT_IMAGE=[^ ]+' | @cut@ -d= -f2)
+ _debug "found opt_kernel=$opt_kernel in $procfs/cmdline"
+ # if the boot partition is within a btrfs subvolume, strip the subvolume name
+ # if /boot is a separate subvolume, the remainder of the code in this section should handle it
+- if echo "$opt_kernel" | grep -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | sed "s:/@[^/]*::"); fi
++ if echo "$opt_kernel" | @grep@ -q "^/@"; then opt_kernel=$(echo "$opt_kernel" | @sed@ "s:/@[^/]*::"); fi
+ # if we have a dedicated /boot partition, our bootloader might have just called it /
+ # so try to prepend /boot and see if we find anything
+ [ -e "/boot/$opt_kernel" ] && opt_kernel="/boot/$opt_kernel"
+@@ -2227,7 +2227,7 @@ if [ "$opt_live" = 1 ]; then
+ # if we didn't find a kernel, default to guessing
+ if [ ! -e "$opt_kernel" ]; then
+ # Fedora:
+- [ -e "/lib/modules/$(uname -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(uname -r)/vmlinuz"
++ [ -e "/lib/modules/$(@uname@ -r)/vmlinuz" ] && opt_kernel="/lib/modules/$(@uname@ -r)/vmlinuz"
+ # Slackware:
+ [ -e "/boot/vmlinuz" ] && opt_kernel="/boot/vmlinuz"
+ # Arch aarch64:
+@@ -2241,24 +2241,24 @@ if [ "$opt_live" = 1 ]; then
+ # pine64
+ [ -e "/boot/pine64/Image" ] && opt_kernel="/boot/pine64/Image"
+ # generic:
+- [ -e "/boot/vmlinuz-$(uname -r)" ] && opt_kernel="/boot/vmlinuz-$(uname -r)"
+- [ -e "/boot/kernel-$( uname -r)" ] && opt_kernel="/boot/kernel-$( uname -r)"
+- [ -e "/boot/bzImage-$(uname -r)" ] && opt_kernel="/boot/bzImage-$(uname -r)"
++ [ -e "/boot/vmlinuz-$(@uname@ -r)" ] && opt_kernel="/boot/vmlinuz-$(@uname@ -r)"
++ [ -e "/boot/kernel-$( @uname@ -r)" ] && opt_kernel="/boot/kernel-$( @uname@ -r)"
++ [ -e "/boot/bzImage-$(@uname@ -r)" ] && opt_kernel="/boot/bzImage-$(@uname@ -r)"
+ # Gentoo:
+- [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
++ [ -e "/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)" ] && opt_kernel="/boot/kernel-genkernel-$(@uname@ -m)-$(@uname@ -r)"
+ # NixOS:
+ [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
+ # Guix System:
+ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ # systemd kernel-install:
+- [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
++ [ -e "/etc/machine-id" ] && [ -e "/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux" ] && opt_kernel="/boot/$(@cat@ /etc/machine-id)/$(@uname@ -r)/linux"
+ # Clear Linux:
+- str_uname=$(uname -r)
++ str_uname=$(@uname@ -r)
+ clear_linux_kernel="/lib/kernel/org.clearlinux.${str_uname##*.}.${str_uname%.*}"
+ [ -e "$clear_linux_kernel" ] && opt_kernel=$clear_linux_kernel
+ # Custom Arch seems to have the kernel path in its cmdline in the form "\directory\kernelimage",
+ # with actual \'s instead of /'s:
+- custom_arch_kernel=$(echo "$kernel_cmdline" | grep -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | tr "\\\\" "/" | tr -d '[:space:]')
++ custom_arch_kernel=$(echo "$kernel_cmdline" | @grep@ -Eo "(^|\s)\\\\[\\\\a-zA-Z0-9_.-]+" | @tr@ "\\\\" "/" | @tr@ -d '[:space:]')
+ if [ -n "$custom_arch_kernel" ] && [ -e "$custom_arch_kernel" ]; then
+ opt_kernel="$custom_arch_kernel"
+ fi
+@@ -2272,12 +2272,12 @@ if [ "$opt_live" = 1 ]; then
+ :
+ elif [ -e "$procfs/kallsyms" ] ; then
+ opt_map="$procfs/kallsyms"
+- elif [ -e "/lib/modules/$(uname -r)/System.map" ] ; then
+- opt_map="/lib/modules/$(uname -r)/System.map"
+- elif [ -e "/boot/System.map-$(uname -r)" ] ; then
+- opt_map="/boot/System.map-$(uname -r)"
+- elif [ -e "/lib/kernel/System.map-$(uname -r)" ]; then
+- opt_map="/lib/kernel/System.map-$(uname -r)"
++ elif [ -e "/lib/modules/$(@uname@ -r)/System.map" ] ; then
++ opt_map="/lib/modules/$(@uname@ -r)/System.map"
++ elif [ -e "/boot/System.map-$(@uname@ -r)" ] ; then
++ opt_map="/boot/System.map-$(@uname@ -r)"
++ elif [ -e "/lib/kernel/System.map-$(@uname@ -r)" ]; then
++ opt_map="/lib/kernel/System.map-$(@uname@ -r)"
+ fi
+
+ # config
+@@ -2285,18 +2285,18 @@ if [ "$opt_live" = 1 ]; then
+ # specified by user on cmdline, with --live, don't override
+ :
+ elif [ -e "$procfs/config.gz" ] ; then
+- dumped_config="$(mktemp -t smc-config-XXXXXX)"
+- gunzip -c "$procfs/config.gz" > "$dumped_config"
++ dumped_config="$(@mktemp@ -t smc-config-XXXXXX)"
++ @gunzip@ -c "$procfs/config.gz" > "$dumped_config"
+ # dumped_config will be deleted at the end of the script
+ opt_config="$dumped_config"
+- elif [ -e "/lib/modules/$(uname -r)/config" ]; then
+- opt_config="/lib/modules/$(uname -r)/config"
+- elif [ -e "/boot/config-$(uname -r)" ]; then
+- opt_config="/boot/config-$(uname -r)"
+- elif [ -e "/etc/kernels/kernel-config-$(uname -m)-$(uname -r)" ]; then
+- opt_config="/etc/kernels/kernel-config-$(uname -m)-$(uname -r)"
+- elif [ -e "/lib/kernel/config-$(uname -r)" ]; then
+- opt_config="/lib/kernel/config-$(uname -r)"
++ elif [ -e "/lib/modules/$(@uname@ -r)/config" ]; then
++ opt_config="/lib/modules/$(@uname@ -r)/config"
++ elif [ -e "/boot/config-$(@uname@ -r)" ]; then
++ opt_config="/boot/config-$(@uname@ -r)"
++ elif [ -e "/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)" ]; then
++ opt_config="/etc/kernels/kernel-config-$(@uname@ -m)-$(@uname@ -r)"
++ elif [ -e "/lib/kernel/config-$(@uname@ -r)" ]; then
++ opt_config="/lib/kernel/config-$(@uname@ -r)"
+ fi
+ else
+ _info "Checking for vulnerabilities against specified kernel"
+@@ -2311,7 +2311,7 @@ else
+ fi
+
+ if [ "$os" = Linux ]; then
+- if [ -n "$opt_config" ] && ! grep -q '^CONFIG_' "$opt_config"; then
++ if [ -n "$opt_config" ] && ! @grep@ -q '^CONFIG_' "$opt_config"; then
+ # given file is invalid!
+ _warn "The kernel config file seems invalid, was expecting a plain-text file, ignoring it!"
+ opt_config=''
+@@ -2339,7 +2339,7 @@ if [ "$os" = Linux ]; then
+ fi
+
+ if [ -e "$opt_kernel" ]; then
+- if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then
++ if ! command -v "@readelf@" >/dev/null 2>&1; then
+ _debug "readelf not found"
+ kernel_err="missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the 'binutils' package"
+ elif [ "$opt_sysfs_only" = 1 ] || [ "$opt_hw_only" = 1 ]; then
+@@ -2357,20 +2357,20 @@ else
+ # vanilla kernels have with ^Linux version
+ # also try harder with some kernels (such as Red Hat) that don't have ^Linux version before their version string
+ # and check for FreeBSD
+- kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E \
++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E \
+ -e '^Linux version ' \
+ -e '^[[:alnum:]][^[:space:]]+ \([^[:space:]]+\) #[0-9]+ .+ (19|20)[0-9][0-9]$' \
+- -e '^FreeBSD [0-9]' | head -1)
++ -e '^FreeBSD [0-9]' | @head@ -1)
+ if [ -z "$kernel_version" ]; then
+ # try even harder with some kernels (such as ARM) that split the release (uname -r) and version (uname -v) in 2 adjacent strings
+- kernel_version=$("${opt_arch_prefix}strings" "$kernel" 2>/dev/null | grep -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | tr "\n" " ")
++ kernel_version=$("@strings@" "$kernel" 2>/dev/null | @grep@ -E -B1 '^#[0-9]+ .+ (19|20)[0-9][0-9]$' | @tr@ "\n" " ")
+ fi
+ if [ -n "$kernel_version" ]; then
+ # in live mode, check if the img we found is the correct one
+ if [ "$opt_live" = 1 ]; then
+ _verbose "Kernel image is \033[35m$kernel_version"
+- if ! echo "$kernel_version" | grep -qF "$(uname -r)"; then
+- _warn "Possible discrepancy between your running kernel '$(uname -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect"
++ if ! echo "$kernel_version" | @grep@ -qF "$(@uname@ -r)"; then
++ _warn "Possible discrepancy between your running kernel '$(@uname@ -r)' and the image '$kernel_version' we found ($opt_kernel), results might be incorrect"
+ fi
+ else
+ _info "Kernel image is \033[35m$kernel_version"
+@@ -2398,11 +2398,11 @@ sys_interface_check()
+ if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" = 0 ] && [ -r "$file" ]; then
+ :
+ else
+- mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")_RET=1")
++ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")_RET=1")
+ return 1
+ fi
+
+- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")_RET"
++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")_RET"
+ # shellcheck disable=SC2086,SC1083
+ if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
+ _debug "sysfs: MOCKING enabled for $file func returns $(eval echo \$$_mockvarname)"
+@@ -2411,17 +2411,17 @@ sys_interface_check()
+ fi
+
+ [ -n "$regex" ] || regex='.*'
+- _mockvarname="SMC_MOCK_SYSFS_$(basename "$file")"
++ _mockvarname="SMC_MOCK_SYSFS_$(@basename@ "$file")"
+ # shellcheck disable=SC2086,SC1083
+ if [ -n "$(eval echo \${$_mockvarname:-})" ]; then
+ fullmsg="$(eval echo \$$_mockvarname)"
+- msg=$(echo "$fullmsg" | grep -Eo "$regex")
++ msg=$(echo "$fullmsg" | @grep@ -Eo "$regex")
+ _debug "sysfs: MOCKING enabled for $file, will return $fullmsg"
+ mocked=1
+ else
+- fullmsg=$(cat "$file")
+- msg=$(grep -Eo "$regex" "$file")
+- mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(basename "$file")='$fullmsg'")
++ fullmsg=$(@cat@ "$file")
++ msg=$(@grep@ -Eo "$regex" "$file")
++ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_SYSFS_$(@basename@ "$file")='$fullmsg'")
+ fi
+ if [ "$mode" = silent ]; then
+ return 0
+@@ -2430,15 +2430,15 @@ sys_interface_check()
+ return 0
+ fi
+ _info_nol "* Mitigated according to the /sys interface: "
+- if echo "$msg" | grep -qi '^not affected'; then
++ if echo "$msg" | @grep@ -qi '^not affected'; then
+ # Not affected
+ status=OK
+ pstatus green YES "$fullmsg"
+- elif echo "$msg" | grep -qEi '^(kvm: )?mitigation'; then
++ elif echo "$msg" | @grep@ -qEi '^(kvm: )?mitigation'; then
+ # Mitigation: PTI
+ status=OK
+ pstatus green YES "$fullmsg"
+- elif echo "$msg" | grep -qi '^vulnerable'; then
++ elif echo "$msg" | @grep@ -qi '^vulnerable'; then
+ # Vulnerable
+ status=VULN
+ pstatus yellow NO "$fullmsg"
+@@ -2526,20 +2526,20 @@ write_msr_one_core()
+ # ret=4: msr doesn't exist, ret=127: msr.allow_writes=off
+ [ "$ret" = 127 ] && _write_denied=1
+ # or fallback to dd if it supports seek_bytes, we prefer it over perl because we can tell the difference between EPERM and EIO
+- elif dd if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null && [ "${SMC_NO_DD:-}" != 1 ]; then
+ _debug "write_msr: using dd"
+- dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
++ @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>/dev/null; ret=$?
+ # if it failed, inspect stderrto look for EPERM
+ if [ "$ret" != 0 ]; then
+- if dd if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | grep -qF 'Operation not permitted'; then
++ if @dd@ if=/dev/zero of=/dev/cpu/"$_core"/msr bs=8 count=1 seek="$_msr_dec" oflag=seek_bytes 2>&1 | @grep@ -qF 'Operation not permitted'; then
+ _write_denied=1
+ fi
+ fi
+ # or if we have perl, use it, any 5.x version will work
+- elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
++ elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
+ _debug "write_msr: using perl"
+ ret=1
+- perl -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0
++ @perl@ -e "open(M,'>','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and exit(syswrite(M,pack('H16',0)))"; [ $? -eq 8 ] && ret=0
+ else
+ _debug "write_msr: got no wrmsr, perl or recent enough dd!"
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_ERR")
+@@ -2561,13 +2561,13 @@ write_msr_one_core()
+ msr_locked_down=1
+ write_msr_msg="your kernel is configured to deny writes to MSRs from user space"
+ return $WRITE_MSR_RET_LOCKDOWN
+- elif dmesg | grep -qF "msr: Direct access to MSR"; then
++ elif @dmesg@ | @grep@ -qF "msr: Direct access to MSR"; then
+ _debug "write_msr: locked down kernel detected (Red Hat / Fedora)"
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
+ msr_locked_down=1
+ write_msr_msg="your kernel is locked down (Fedora/Red Hat), please reboot without secure boot and retry"
+ return $WRITE_MSR_RET_LOCKDOWN
+- elif dmesg | grep -qF "raw MSR access is restricted"; then
++ elif @dmesg@ | @grep@ -qF "raw MSR access is restricted"; then
+ _debug "write_msr: locked down kernel detected (vanilla)"
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_WRMSR_${_msr}_RET=$WRITE_MSR_RET_LOCKDOWN")
+ msr_locked_down=1
+@@ -2666,8 +2666,8 @@ read_msr_one_core()
+ return $READ_MSR_RET_KO
+ fi
+ # MSR 0x10: 0x000003e1 0xb106dded
+- _msr_h=$(echo "$_msr" | awk '{print $3}');
+- _msr_l=$(echo "$_msr" | awk '{print $4}');
++ _msr_h=$(echo "$_msr" | @awk@ '{print $3}');
++ _msr_l=$(echo "$_msr" | @awk@ '{print $4}');
+ read_msr_value=$(( _msr_h << 32 | _msr_l ))
+ else
+ # for Linux
+@@ -2678,15 +2678,15 @@ read_msr_one_core()
+ # if rdmsr is available, use it
+ elif command -v rdmsr >/dev/null 2>&1 && [ "${SMC_NO_RDMSR:-}" != 1 ]; then
+ _debug "read_msr: using rdmsr on $_msr"
+- read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | od -t u8 -A n)
++ read_msr_value=$(rdmsr -r $_msr_dec 2>/dev/null | @od@ -t u8 -A n)
+ # or if we have perl, use it, any 5.x version will work
+- elif command -v perl >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
++ elif command -v @perl@ >/dev/null 2>&1 && [ "${SMC_NO_PERL:-}" != 1 ]; then
+ _debug "read_msr: using perl on $_msr"
+- read_msr_value=$(perl -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | od -t u8 -A n)
++ read_msr_value=$(@perl@ -e "open(M,'<','/dev/cpu/$_core/msr') and seek(M,$_msr_dec,0) and read(M,\$_,8) and print" | @od@ -t u8 -A n)
+ # fallback to dd if it supports skip_bytes
+- elif dd if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
++ elif @dd@ if=/dev/null of=/dev/null bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null; then
+ _debug "read_msr: using dd on $_msr"
+- read_msr_value=$(dd if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | od -t u8 -A n)
++ read_msr_value=$(@dd@ if=/dev/cpu/"$_core"/msr bs=8 count=1 skip="$_msr_dec" iflag=skip_bytes 2>/dev/null | @od@ -t u8 -A n)
+ else
+ _debug "read_msr: got no rdmsr, perl or recent enough dd!"
+ mockme=$(printf "%b\n%b" "$mockme" "SMC_MOCK_RDMSR_${_msr}_RET=$READ_MSR_RET_ERR")
+@@ -2710,7 +2710,7 @@ check_cpu()
+ {
+ _info "\033[1;34mHardware check\033[0m"
+
+- if ! uname -m | grep -qwE 'x86_64|i[3-6]86|amd64'; then
++ if ! @uname@ -m | @grep@ -qwE 'x86_64|i[3-6]86|amd64'; then
+ return
+ fi
+
+@@ -3326,19 +3326,19 @@ check_redhat_canonical_spectre()
+ # if we were already called, don't do it again
+ [ -n "${redhat_canonical_spectre:-}" ] && return
+
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ redhat_canonical_spectre=-1
+ elif [ -n "$kernel_err" ]; then
+ redhat_canonical_spectre=-2
+ else
+ # Red Hat / Ubuntu specific variant1 patch is difficult to detect,
+ # let's use the two same tricks than the official Red Hat detection script uses:
+- if "${opt_arch_prefix}strings" "$kernel" | grep -qw noibrs && "${opt_arch_prefix}strings" "$kernel" | grep -qw noibpb; then
++ if "@strings@" "$kernel" | @grep@ -qw noibrs && "@strings@" "$kernel" | @grep@ -qw noibpb; then
+ # 1) detect their specific variant2 patch. If it's present, it means
+ # that the variant1 patch is also present (both were merged at the same time)
+ _debug "found redhat/canonical version of the variant2 patch (implies variant1)"
+ redhat_canonical_spectre=1
+- elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'x86/pti:'; then
++ elif "@strings@" "$kernel" | @grep@ -q 'x86/pti:'; then
+ # 2) detect their specific variant3 patch. If it's present, but the variant2
+ # is not, it means that only variant1 is present in addition to variant3
+ _debug "found redhat/canonical version of the variant3 patch (implies variant1 but not variant2)"
+@@ -3363,13 +3363,13 @@ check_has_vmm()
+ # If we find no evidence that this is the case, assume we're not (to avoid scaring users),
+ # this can always be overridden with --vmm in any case.
+ has_vmm=0
+- if command -v pgrep >/dev/null 2>&1; then
++ if command -v @pgrep@ >/dev/null 2>&1; then
+ # remove xenbus and xenwatch, also present inside domU
+ # remove libvirtd as it can also be used to manage containers and not VMs
+ # for each binary we want to grep, get the pids
+ for _binary in qemu kvm xenstored xenconsoled
+ do
+- for _pid in $(pgrep -x $_binary)
++ for _pid in $(@pgrep@ -x $_binary)
+ do
+ # resolve the exe symlink, if it doesn't resolve with -m,
+ # which doesn't even need the dest to exist, it means the symlink
+@@ -3385,7 +3385,7 @@ check_has_vmm()
+ else
+ # ignore SC2009 as `ps ax` is actually used as a fallback if `pgrep` isn't installed
+ # shellcheck disable=SC2009
+- if command -v ps >/devnull && ps ax | grep -vw grep | grep -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then
++ if command -v ps >/devnull && ps ax | @grep@ -vw grep | @grep@ -q -e '\<qemu' -e '/qemu' -e '<\kvm' -e '/kvm' -e '/xenstored' -e '/xenconsoled'; then
+ has_vmm=1
+ fi
+ fi
+@@ -3417,7 +3417,7 @@ check_CVE_2017_5753()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2017_5753_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2017_5753_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -3469,20 +3469,20 @@ check_CVE_2017_5753_linux()
+ v1_mask_nospec=''
+ if [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+- elif ! command -v perl >/dev/null 2>&1; then
++ elif ! command -v @perl@ >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+ else
+- perl -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
++ @perl@ -ne '/\x0f\x83....\x48\x19\xd2\x48\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
+ if [ $ret -gt 0 ]; then
+ pstatus green YES "$ret occurrence(s) found of x86 64 bits array_index_mask_nospec()"
+ v1_mask_nospec="x86 64 bits array_index_mask_nospec"
+ else
+- perl -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
++ @perl@ -ne '/\x3b\x82..\x00\x00\x73.\x19\xd2\x21\xd0/ and $found++; END { exit($found) }' "$kernel"; ret=$?
+ if [ $ret -gt 0 ]; then
+ pstatus green YES "$ret occurrence(s) found of x86 32 bits array_index_mask_nospec()"
+ v1_mask_nospec="x86 32 bits array_index_mask_nospec"
+ else
+- ret=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" | grep -w -e f3af8014 -e e320f014 -B2 | grep -B1 -w sbc | grep -w -c cmp)
++ ret=$("@objdump@" $objdump_options "$kernel" | @grep@ -w -e f3af8014 -e e320f014 -B2 | @grep@ -B1 -w sbc | @grep@ -w -c cmp)
+ if [ "$ret" -gt 0 ]; then
+ pstatus green YES "$ret occurrence(s) found of arm 32 bits array_index_mask_nospec()"
+ v1_mask_nospec="arm 32 bits array_index_mask_nospec"
+@@ -3526,12 +3526,12 @@ check_CVE_2017_5753_linux()
+ pstatus yellow NO
+ elif [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+- elif ! command -v perl >/dev/null 2>&1; then
++ elif ! command -v @perl@ >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+- elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++ elif ! command -v "@objdump@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ else
+- "${opt_arch_prefix}objdump" $objdump_options "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
++ "@objdump@" $objdump_options "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\ssub\s+(x\d+)/ && $r[1]=~/\sbic\s+$1,\s+$1,/ && $r[2]=~/\sand\s/ && exit(9); shift @r if @r>3'; ret=$?
+ if [ "$ret" -eq 9 ]; then
+ pstatus green YES "mask_nospec64 macro is present and used"
+ v1_mask_nospec="arm64 mask_nospec64"
+@@ -3553,12 +3553,12 @@ check_CVE_2017_5753_linux()
+ pstatus yellow NO
+ elif [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+- elif ! command -v perl >/dev/null 2>&1; then
++ elif ! command -v @perl@ >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing 'perl' binary, please install it"
+- elif ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++ elif ! command -v "@objdump@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ else
+- "${opt_arch_prefix}objdump" -d "$kernel" | perl -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$?
++ "@objdump@" -d "$kernel" | @perl@ -ne 'push @r, $_; /\s(hint|csdb)\s/ && $r[0]=~/\smov\s+(w\d+),\s+(w\d+)/ && $r[1]=~/\scmp\s+(x\d+),\s+(x\d+)/ && $r[2]=~/\sngc\s+$2,/ && exit(9); shift @r if @r>3'; ret=$?
+ if [ "$ret" -eq 9 ]; then
+ pstatus green YES "array_index_nospec macro is present and used"
+ v1_mask_nospec="arm64 array_index_nospec"
+@@ -3574,7 +3574,7 @@ check_CVE_2017_5753_linux()
+ if [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ else
+- if ! command -v "${opt_arch_prefix}objdump" >/dev/null 2>&1; then
++ if ! command -v "@objdump@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing '${opt_arch_prefix}objdump' tool, please install it, usually it's in the binutils package"
+ else
+ # here we disassemble the kernel and count the number of occurrences of the LFENCE opcode
+@@ -3584,7 +3584,7 @@ check_CVE_2017_5753_linux()
+ # so let's push the threshold to 70.
+ # v0.33+: now only count lfence opcodes after a jump, way less error-prone
+ # non patched kernel have between 0 and 20 matches, patched ones have at least 40-45
+- nb_lfence=$("${opt_arch_prefix}objdump" $objdump_options "$kernel" 2>/dev/null | grep -w -B1 lfence | grep -Ewc 'jmp|jne|je')
++ nb_lfence=$("@objdump@" $objdump_options "$kernel" 2>/dev/null | @grep@ -w -B1 lfence | @grep@ -Ewc 'jmp|jne|je')
+ if [ "$nb_lfence" -lt 30 ]; then
+ pstatus yellow NO "only $nb_lfence jump-then-lfence instructions found, should be >= 30 (heuristic)"
+ else
+@@ -3655,7 +3655,7 @@ check_CVE_2017_5715()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2017_5715_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2017_5715_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -3697,13 +3697,13 @@ check_CVE_2017_5715_linux()
+ # /proc/sys/kernel/ibrs_enabled: OpenSUSE tumbleweed
+ specex_knob_dir=$dir
+ ibrs_supported="$dir/ibrs_enabled exists"
+- ibrs_enabled=$(cat "$dir/ibrs_enabled" 2>/dev/null)
++ ibrs_enabled=$(@cat@ "$dir/ibrs_enabled" 2>/dev/null)
+ _debug "ibrs: found $dir/ibrs_enabled=$ibrs_enabled"
+ # if ibrs_enabled is there, ibpb_enabled will be in the same dir
+ if [ -e "$dir/ibpb_enabled" ]; then
+ # if the file is there, we have IBPB compiled-in (see note above for IBRS)
+ ibpb_supported="$dir/ibpb_enabled exists"
+- ibpb_enabled=$(cat "$dir/ibpb_enabled" 2>/dev/null)
++ ibpb_enabled=$(@cat@ "$dir/ibpb_enabled" 2>/dev/null)
+ _debug "ibpb: found $dir/ibpb_enabled=$ibpb_enabled"
+ else
+ _debug "ibpb: $dir/ibpb_enabled file doesn't exist"
+@@ -3718,7 +3718,7 @@ check_CVE_2017_5715_linux()
+ # which in that case means ibrs is supported *and* enabled for kernel & user
+ # as per the ibrs patch series v3
+ if [ -z "$ibrs_supported" ]; then
+- if grep ^flags "$procfs/cpuinfo" | grep -qw spec_ctrl_ibrs; then
++ if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw spec_ctrl_ibrs; then
+ _debug "ibrs: found spec_ctrl_ibrs flag in $procfs/cpuinfo"
+ ibrs_supported="spec_ctrl_ibrs flag in $procfs/cpuinfo"
+ # enabled=2 -> kernel & user
+@@ -3728,13 +3728,13 @@ check_CVE_2017_5715_linux()
+ fi
+ if [ -n "$fullmsg" ]; then
+ # when IBPB is enabled on 4.15+, we can see it in sysfs
+- if echo "$fullmsg" | grep -q 'IBPB'; then
++ if echo "$fullmsg" | @grep@ -q 'IBPB'; then
+ _debug "ibpb: found enabled in sysfs"
+ [ -z "$ibpb_supported" ] && ibpb_supported='IBPB found enabled in sysfs'
+ [ -z "$ibpb_enabled" ] && ibpb_enabled=1
+ fi
+ # when IBRS_FW is enabled on 4.15+, we can see it in sysfs
+- if echo "$fullmsg" | grep -q ', IBRS_FW'; then
++ if echo "$fullmsg" | @grep@ -q ', IBRS_FW'; then
+ _debug "ibrs: found IBRS_FW in sysfs"
+ [ -z "$ibrs_supported" ] && ibrs_supported='found IBRS_FW in sysfs'
+ ibrs_fw_enabled=1
+@@ -3742,13 +3742,13 @@ check_CVE_2017_5715_linux()
+ # when IBRS is enabled on 4.15+, we can see it in sysfs
+ # on a more recent kernel, classic "IBRS" is not even longer an option, because of the performance impact.
+ # only "Enhanced IBRS" is available (on CPUs with the IBRS_ALL flag)
+- if echo "$fullmsg" | grep -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
++ if echo "$fullmsg" | @grep@ -q -e '\<IBRS\>' -e 'Indirect Branch Restricted Speculation'; then
+ _debug "ibrs: found IBRS in sysfs"
+ [ -z "$ibrs_supported" ] && ibrs_supported='found IBRS in sysfs'
+ [ -z "$ibrs_enabled" ] && ibrs_enabled=3
+ fi
+ # checking for 'Enhanced IBRS' in sysfs, enabled on CPUs with IBRS_ALL
+- if echo "$fullmsg" | grep -q -e 'Enhanced IBRS'; then
++ if echo "$fullmsg" | @grep@ -q -e 'Enhanced IBRS'; then
+ [ -z "$ibrs_supported" ] && ibrs_supported='found Enhanced IBRS in sysfs'
+ # 4 isn't actually a valid value of the now extinct "ibrs_enabled" flag file,
+ # that only went from 0 to 3, so we use 4 as "enhanced ibrs is enabled"
+@@ -3767,11 +3767,11 @@ check_CVE_2017_5715_linux()
+ fi
+ fi
+ if [ -z "$ibrs_supported" ] && [ -n "$kernel" ]; then
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ :
+ else
+ ibrs_can_tell=1
+- ibrs_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e ', IBRS_FW' | head -1)
++ ibrs_supported=$("@strings@" "$kernel" | @grep@ -Fw -e ', IBRS_FW' | @head@ -1)
+ if [ -n "$ibrs_supported" ]; then
+ _debug "ibrs: found ibrs evidence in kernel image ($ibrs_supported)"
+ ibrs_supported="found '$ibrs_supported' in kernel image"
+@@ -3780,7 +3780,7 @@ check_CVE_2017_5715_linux()
+ fi
+ if [ -z "$ibrs_supported" ] && [ -n "$opt_map" ]; then
+ ibrs_can_tell=1
+- if grep -q spec_ctrl "$opt_map"; then
++ if @grep@ -q spec_ctrl "$opt_map"; then
+ ibrs_supported="found spec_ctrl in symbols file"
+ _debug "ibrs: found '*spec_ctrl*' symbol in $opt_map"
+ fi
+@@ -3788,11 +3788,11 @@ check_CVE_2017_5715_linux()
+ # recent (4.15) vanilla kernels have IBPB but not IBRS, and without the debugfs tunables of Red Hat
+ # we can detect it directly in the image
+ if [ -z "$ibpb_supported" ] && [ -n "$kernel" ]; then
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ :
+ else
+ ibpb_can_tell=1
+- ibpb_supported=$("${opt_arch_prefix}strings" "$kernel" | grep -Fw -e 'ibpb' -e ', IBPB' | head -1)
++ ibpb_supported=$("@strings@" "$kernel" | @grep@ -Fw -e 'ibpb' -e ', IBPB' | @head@ -1)
+ if [ -n "$ibpb_supported" ]; then
+ _debug "ibpb: found ibpb evidence in kernel image ($ibpb_supported)"
+ ibpb_supported="found '$ibpb_supported' in kernel image"
+@@ -3841,9 +3841,9 @@ check_CVE_2017_5715_linux()
+ 2) if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel, user space, and firmware code" ; else pstatus green YES "for both kernel and user space"; fi;;
+ 3) if [ "$ibrs_fw_enabled" = 1 ]; then pstatus green YES "for kernel and firmware code"; else pstatus green YES; fi;;
+ 4) pstatus green YES "Enhanced flavor, performance impact will be greatly reduced";;
+- *) if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ];
+- then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
+- else
++ *) if [ "$cpuid_ibrs" != 'SPEC_CTRL' ] && [ "$cpuid_ibrs" != 'IBRS_SUPPORT' ] && [ "$cpuid_spec_ctrl" != -1 ];
++ then pstatus yellow NO; _debug "ibrs: known cpu not supporting SPEC-CTRL or IBRS";
++ else
+ pstatus yellow UNKNOWN; fi;;
+ esac
+ fi
+@@ -3894,7 +3894,7 @@ check_CVE_2017_5715_linux()
+ bp_harden=''
+ if [ -r "$opt_config" ]; then
+ bp_harden_can_tell=1
+- bp_harden=$(grep -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
++ bp_harden=$(@grep@ -w 'CONFIG_HARDEN_BRANCH_PREDICTOR=y' "$opt_config")
+ if [ -n "$bp_harden" ]; then
+ pstatus green YES
+ _debug "bp_harden: found '$bp_harden' in $opt_config"
+@@ -3902,7 +3902,7 @@ check_CVE_2017_5715_linux()
+ fi
+ if [ -z "$bp_harden" ] && [ -n "$opt_map" ]; then
+ bp_harden_can_tell=1
+- bp_harden=$(grep -w bp_hardening_data "$opt_map")
++ bp_harden=$(@grep@ -w bp_hardening_data "$opt_map")
+ if [ -n "$bp_harden" ]; then
+ pstatus green YES
+ _debug "bp_harden: found '$bp_harden' in $opt_map"
+@@ -3920,11 +3920,11 @@ check_CVE_2017_5715_linux()
+ # We check the RETPOLINE kernel options
+ retpoline=0
+ if [ -r "$opt_config" ]; then
+- if grep -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
++ if @grep@ -q '^CONFIG_RETPOLINE=y' "$opt_config"; then
+ pstatus green YES
+ retpoline=1
+ # shellcheck disable=SC2046
+- _debug 'retpoline: found '$(grep '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
++ _debug 'retpoline: found '$(@grep@ '^CONFIG_RETPOLINE' "$opt_config")" in $opt_config"
+ else
+ pstatus yellow NO
+ fi
+@@ -3945,8 +3945,8 @@ check_CVE_2017_5715_linux()
+ # since 5.15.28, this is now "Retpolines" as the implementation was switched to a generic one,
+ # so we look for both "retpoline" and "retpolines"
+ if [ "$opt_live" = 1 ] && [ -n "$fullmsg" ]; then
+- if echo "$fullmsg" | grep -qwi -e retpoline -e retpolines; then
+- if echo "$fullmsg" | grep -qwi minimal; then
++ if echo "$fullmsg" | @grep@ -qwi -e retpoline -e retpolines; then
++ if echo "$fullmsg" | @grep@ -qwi minimal; then
+ retpoline_compiler=0
+ retpoline_compiler_reason="kernel reports minimal retpoline compilation"
+ else
+@@ -3956,19 +3956,19 @@ check_CVE_2017_5715_linux()
+ fi
+ elif [ -n "$opt_map" ]; then
+ # look for the symbol
+- if grep -qw noretpoline_setup "$opt_map"; then
++ if @grep@ -qw noretpoline_setup "$opt_map"; then
+ retpoline_compiler=1
+ retpoline_compiler_reason="noretpoline_setup symbol found in System.map"
+ fi
+ elif [ -n "$kernel" ]; then
+ # look for the symbol
+- if command -v "${opt_arch_prefix}nm" >/dev/null 2>&1; then
++ if command -v "@nm@" >/dev/null 2>&1; then
+ # the proper way: use nm and look for the symbol
+- if "${opt_arch_prefix}nm" "$kernel" 2>/dev/null | grep -qw 'noretpoline_setup'; then
++ if "@nm@" "$kernel" 2>/dev/null | @grep@ -qw 'noretpoline_setup'; then
+ retpoline_compiler=1
+ retpoline_compiler_reason="noretpoline_setup found in kernel symbols"
+ fi
+- elif grep -q noretpoline_setup "$kernel"; then
++ elif @grep@ -q noretpoline_setup "$kernel"; then
+ # if we don't have nm, nevermind, the symbol name is long enough to not have
+ # any false positive using good old grep directly on the binary
+ retpoline_compiler=1
+@@ -3997,7 +3997,7 @@ check_CVE_2017_5715_linux()
+ retp_enabled=-1
+ if [ "$opt_live" = 1 ]; then
+ if [ -e "$specex_knob_dir/retp_enabled" ]; then
+- retp_enabled=$(cat "$specex_knob_dir/retp_enabled" 2>/dev/null)
++ retp_enabled=$(@cat@ "$specex_knob_dir/retp_enabled" 2>/dev/null)
+ _debug "retpoline: found $specex_knob_dir/retp_enabled=$retp_enabled"
+ _info_nol " * Retpoline is enabled: "
+ if [ "$retp_enabled" = 1 ]; then
+@@ -4027,7 +4027,7 @@ check_CVE_2017_5715_linux()
+ rsb_filling=0
+ if [ "$opt_live" = 1 ] && [ "$opt_no_sysfs" != 1 ]; then
+ # if we're live and we aren't denied looking into /sys, let's do it
+- if echo "$msg" | grep -qw RSB; then
++ if echo "$msg" | @grep@ -qw RSB; then
+ rsb_filling=1
+ pstatus green YES
+ fi
+@@ -4036,7 +4036,7 @@ check_CVE_2017_5715_linux()
+ if [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ else
+- if grep -qw -e 'Filling RSB on context switch' "$kernel"; then
++ if @grep@ -qw -e 'Filling RSB on context switch' "$kernel"; then
+ rsb_filling=1
+ pstatus green YES
+ else
+@@ -4198,7 +4198,7 @@ check_CVE_2017_5715_bsd()
+ {
+ _info "* Mitigation 1"
+ _info_nol " * Kernel supports IBRS: "
+- ibrs_disabled=$(sysctl -n hw.ibrs_disable 2>/dev/null)
++ ibrs_disabled=$(@sysctl@ -n hw.ibrs_disable 2>/dev/null)
+ if [ -z "$ibrs_disabled" ]; then
+ pstatus yellow NO
+ else
+@@ -4206,7 +4206,7 @@ check_CVE_2017_5715_bsd()
+ fi
+
+ _info_nol " * IBRS enabled and active: "
+- ibrs_active=$(sysctl -n hw.ibrs_active 2>/dev/null)
++ ibrs_active=$(@sysctl@ -n hw.ibrs_active 2>/dev/null)
+ if [ "$ibrs_active" = 1 ]; then
+ pstatus green YES
+ else
+@@ -4219,10 +4219,10 @@ check_CVE_2017_5715_bsd()
+ if [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "couldn't check ($kernel_err)"
+ else
+- if ! command -v "${opt_arch_prefix}readelf" >/dev/null 2>&1; then
++ if ! command -v "@readelf@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing '${opt_arch_prefix}readelf' tool, please install it, usually it's in the binutils package"
+ else
+- nb_thunks=$("${opt_arch_prefix}readelf" -s "$kernel" | grep -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_)
++ nb_thunks=$("@readelf@" -s "$kernel" | @grep@ -c -e __llvm_retpoline_ -e __llvm_external_retpoline_ -e __x86_indirect_thunk_)
+ if [ "$nb_thunks" -gt 0 ]; then
+ retpoline=1
+ pstatus green YES "found $nb_thunks thunk(s)"
+@@ -4263,7 +4263,7 @@ check_CVE_2017_5715_bsd()
+ pti_performance_check()
+ {
+ _info_nol " * Reduced performance impact of PTI: "
+- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw pcid; then
++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pcid; then
+ cpu_pcid=1
+ else
+ read_cpuid 0x1 0x0 $ECX 17 1 1; ret=$?
+@@ -4272,7 +4272,7 @@ pti_performance_check()
+ fi
+ fi
+
+- if [ -e "$procfs/cpuinfo" ] && grep ^flags "$procfs/cpuinfo" | grep -qw invpcid; then
++ if [ -e "$procfs/cpuinfo" ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw invpcid; then
+ cpu_invpcid=1
+ else
+ read_cpuid 0x7 0x0 $EBX 10 1 1; ret=$?
+@@ -4297,7 +4297,7 @@ check_CVE_2017_5754()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2017_5754_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2017_5754_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -4319,7 +4319,7 @@ check_CVE_2017_5754_linux()
+ kpti_can_tell=0
+ if [ -n "$opt_config" ]; then
+ kpti_can_tell=1
+- kpti_support=$(grep -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
++ kpti_support=$(@grep@ -w -e CONFIG_PAGE_TABLE_ISOLATION=y -e CONFIG_KAISER=y -e CONFIG_UNMAP_KERNEL_AT_EL0=y "$opt_config")
+ if [ -n "$kpti_support" ]; then
+ _debug "kpti_support: found option '$kpti_support' in $opt_config"
+ fi
+@@ -4329,7 +4329,7 @@ check_CVE_2017_5754_linux()
+ # so we try to find an exported symbol that is part of the PTI patch in System.map
+ # parse_kpti: arm
+ kpti_can_tell=1
+- kpti_support=$(grep -w -e kpti_force_enabled -e parse_kpti "$opt_map")
++ kpti_support=$(@grep@ -w -e kpti_force_enabled -e parse_kpti "$opt_map")
+ if [ -n "$kpti_support" ]; then
+ _debug "kpti_support: found '$kpti_support' in $opt_map"
+ fi
+@@ -4339,10 +4339,10 @@ check_CVE_2017_5754_linux()
+ # nopti option that is part of the patch (kernel command line option)
+ # 'kpti=': arm
+ kpti_can_tell=1
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
+ else
+- kpti_support=$("${opt_arch_prefix}strings" "$kernel" | grep -w -e nopti -e kpti=)
++ kpti_support=$("@strings@" "$kernel" | @grep@ -w -e nopti -e kpti=)
+ if [ -n "$kpti_support" ]; then
+ _debug "kpti_support: found '$kpti_support' in $kernel"
+ fi
+@@ -4369,20 +4369,20 @@ check_CVE_2017_5754_linux()
+ dmesg_grep="$dmesg_grep|x86/pti: Unmapping kernel while in userspace"
+ # aarch64
+ dmesg_grep="$dmesg_grep|CPU features: detected( feature)?: Kernel page table isolation \(KPTI\)"
+- if grep ^flags "$procfs/cpuinfo" | grep -qw pti; then
++ if @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw pti; then
+ # vanilla PTI patch sets the 'pti' flag in cpuinfo
+ _debug "kpti_enabled: found 'pti' flag in $procfs/cpuinfo"
+ kpti_enabled=1
+- elif grep ^flags "$procfs/cpuinfo" | grep -qw kaiser; then
++ elif @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw kaiser; then
+ # kernel line 4.9 sets the 'kaiser' flag in cpuinfo
+ _debug "kpti_enabled: found 'kaiser' flag in $procfs/cpuinfo"
+ kpti_enabled=1
+ elif [ -e /sys/kernel/debug/x86/pti_enabled ]; then
+ # Red Hat Backport creates a dedicated file, see https://access.redhat.com/articles/3311301
+- kpti_enabled=$(cat /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
++ kpti_enabled=$(@cat@ /sys/kernel/debug/x86/pti_enabled 2>/dev/null)
+ _debug "kpti_enabled: file /sys/kernel/debug/x86/pti_enabled exists and says: $kpti_enabled"
+ elif is_xen_dom0; then
+- pti_xen_pv_domU=$(xl dmesg | grep 'XPTI' | grep 'DomU enabled' | head -1)
++ pti_xen_pv_domU=$(xl @dmesg@ | @grep@ 'XPTI' | @grep@ 'DomU enabled' | @head@ -1)
+
+ [ -n "$pti_xen_pv_domU" ] && kpti_enabled=1
+ fi
+@@ -4457,7 +4457,7 @@ check_CVE_2017_5754_linux()
+ if [ -n "$kpti_support" ]; then
+ if [ -e "/sys/kernel/debug/x86/pti_enabled" ]; then
+ explain "Your kernel supports PTI but it's disabled, you can enable it with \`echo 1 > /sys/kernel/debug/x86/pti_enabled\`"
+- elif echo "$kernel_cmdline" | grep -q -w -e nopti -e pti=off; then
++ elif echo "$kernel_cmdline" | @grep@ -q -w -e nopti -e pti=off; then
+ explain "Your kernel supports PTI but it has been disabled on command-line, remove the nopti or pti=off option from your bootloader configuration"
+ else
+ explain "Your kernel supports PTI but it has been disabled, check \`dmesg\` right after boot to find clues why the system disabled it"
+@@ -4508,7 +4508,7 @@ check_CVE_2017_5754_linux()
+ check_CVE_2017_5754_bsd()
+ {
+ _info_nol "* Kernel supports Page Table Isolation (PTI): "
+- kpti_enabled=$(sysctl -n vm.pmap.pti 2>/dev/null)
++ kpti_enabled=$(@sysctl@ -n vm.pmap.pti 2>/dev/null)
+ if [ -z "$kpti_enabled" ]; then
+ pstatus yellow NO
+ else
+@@ -4579,7 +4579,7 @@ check_CVE_2018_3639()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2018_3639_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2018_3639_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -4598,33 +4598,33 @@ check_CVE_2018_3639_linux()
+ if [ "$opt_sysfs_only" != 1 ]; then
+ _info_nol "* Kernel supports disabling speculative store bypass (SSB): "
+ if [ "$opt_live" = 1 ]; then
+- if grep -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then
++ if @grep@ -Eq 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssb="found in $procfs/self/status"
+ _debug "found Speculation.Store.Bypass: in $procfs/self/status"
+ fi
+ fi
+ # arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
+- if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! grep -q 'arm64_sys_' "$kernel"; then
+- kernel_ssb=$("${opt_arch_prefix}strings" "$kernel" | grep spec_store_bypass | head -n1);
++ if [ -z "$kernel_ssb" ] && [ -n "$kernel" ] && ! @grep@ -q 'arm64_sys_' "$kernel"; then
++ kernel_ssb=$("@strings@" "$kernel" | @grep@ spec_store_bypass | @head@ -n1);
+ [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in kernel"
+ fi
+ # arm64 kernels can have cpu_show_spec_store_bypass with ARM64_SSBD, so exclude them
+- if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! grep -q 'arm64_sys_' "$opt_map"; then
+- kernel_ssb=$(grep spec_store_bypass "$opt_map" | awk '{print $3}' | head -n1)
++ if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ] && ! @grep@ -q 'arm64_sys_' "$opt_map"; then
++ kernel_ssb=$(@grep@ spec_store_bypass "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
+ [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
+ fi
+ # arm64 only:
+ if [ -z "$kernel_ssb" ] && [ -n "$opt_map" ]; then
+- kernel_ssb=$(grep -w cpu_enable_ssbs "$opt_map" | awk '{print $3}' | head -n1)
++ kernel_ssb=$(@grep@ -w cpu_enable_ssbs "$opt_map" | @awk@ '{print $3}' | @head@ -n1)
+ [ -n "$kernel_ssb" ] && kernel_ssb="found $kernel_ssb in System.map"
+ fi
+ if [ -z "$kernel_ssb" ] && [ -n "$opt_config" ]; then
+- kernel_ssb=$(grep -w 'CONFIG_ARM64_SSBD=y' "$opt_config")
++ kernel_ssb=$(@grep@ -w 'CONFIG_ARM64_SSBD=y' "$opt_config")
+ [ -n "$kernel_ssb" ] && kernel_ssb="CONFIG_ARM64_SSBD enabled in kconfig"
+ fi
+ if [ -z "$kernel_ssb" ] && [ -n "$kernel" ]; then
+ # this string only appears in kernel if CONFIG_ARM64_SSBD is set
+- kernel_ssb=$(grep -w "Speculative Store Bypassing Safe (SSBS)" "$kernel")
++ kernel_ssb=$(@grep@ -w "Speculative Store Bypassing Safe (SSBS)" "$kernel")
+ [ -n "$kernel_ssb" ] && kernel_ssb="found 'Speculative Store Bypassing Safe (SSBS)' in kernel"
+ fi
+ # /arm64 only
+@@ -4639,31 +4639,31 @@ check_CVE_2018_3639_linux()
+ if [ "$opt_live" = 1 ]; then
+ # https://elixir.bootlin.com/linux/v5.0/source/fs/proc/array.c#L340
+ _info_nol "* SSB mitigation is enabled and active: "
+- if grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then
++ if @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+thread' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssbd_enabled=1
+ pstatus green YES "per-thread through prctl"
+- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then
++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+globally mitigated' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssbd_enabled=2
+ pstatus green YES "global"
+- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then
++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+vulnerable' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssbd_enabled=0
+ pstatus yellow NO
+- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then
++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+not vulnerable' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssbd_enabled=-2
+ pstatus blue NO "not vulnerable"
+- elif grep -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then
++ elif @grep@ -Eq 'Speculation.?Store.?Bypass:[[:space:]]+unknown' "$procfs/self/status" 2>/dev/null; then
+ kernel_ssbd_enabled=0
+ pstatus blue NO
+ else
+- pstatus blue UNKNOWN "unknown value: $(grep -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | cut -d: -f2-)"
++ pstatus blue UNKNOWN "unknown value: $(@grep@ -E 'Speculation.?Store.?Bypass:' "$procfs/self/status" 2>/dev/null | @cut@ -d: -f2-)"
+ fi
+
+ if [ "$kernel_ssbd_enabled" = 1 ]; then
+ _info_nol "* SSB mitigation currently active for selected processes: "
+ # silence grep's stderr here to avoid ENOENT errors from processes that have exited since the shell's expansion of the *
+- mitigated_processes=$(find /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
+- | xargs -r0 grep -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \
+- | sed s/status/exe/ | xargs -r -n1 readlink -f 2>/dev/null | xargs -r -n1 basename | sort -u | tr "\n" " " | sed 's/ $//')
++ mitigated_processes=$(@find@ /proc -mindepth 2 -maxdepth 2 -type f -name status -print0 2>/dev/null \
++ | @xargs@ -r0 @grep@ -El 'Speculation.?Store.?Bypass:[[:space:]]+thread (force )?mitigated' 2>/dev/null \
++ | @sed@ s/status/exe/ | @xargs@ -r -n1 readlink -f 2>/dev/null | @xargs@ -r -n1 @basename@ | @sort@ -u | @tr@ "\n" " " | @sed@ 's/ $//')
+ if [ -n "$mitigated_processes" ]; then
+ pstatus green YES "$mitigated_processes"
+ else
+@@ -4715,7 +4715,7 @@ check_CVE_2018_3639_linux()
+ check_CVE_2018_3639_bsd()
+ {
+ _info_nol "* Kernel supports speculation store bypass: "
+- if sysctl hw.spec_store_bypass_disable >/dev/null 2>&1; then
++ if @sysctl@ hw.spec_store_bypass_disable >/dev/null 2>&1; then
+ kernel_ssb=1
+ pstatus green YES
+ else
+@@ -4724,7 +4724,7 @@ check_CVE_2018_3639_bsd()
+ fi
+
+ _info_nol "* Speculation store bypass is administratively enabled: "
+- ssb_enabled=$(sysctl -n hw.spec_store_bypass_disable 2>/dev/null)
++ ssb_enabled=$(@sysctl@ -n hw.spec_store_bypass_disable 2>/dev/null)
+ _debug "hw.spec_store_bypass_disable=$ssb_enabled"
+ case "$ssb_enabled" in
+ 0) pstatus yellow NO "disabled";;
+@@ -4734,7 +4734,7 @@ check_CVE_2018_3639_bsd()
+ esac
+
+ _info_nol "* Speculation store bypass is currently active: "
+- ssb_active=$(sysctl -n hw.spec_store_bypass_disable_active 2>/dev/null)
++ ssb_active=$(@sysctl@ -n hw.spec_store_bypass_disable_active 2>/dev/null)
+ _debug "hw.spec_store_bypass_disable_active=$ssb_active"
+ case "$ssb_active" in
+ 1) pstatus green YES;;
+@@ -4806,7 +4806,7 @@ check_CVE_2018_3620()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2018_3620_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2018_3620_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -4824,14 +4824,14 @@ check_CVE_2018_3620_linux()
+ fi
+ if [ "$opt_sysfs_only" != 1 ]; then
+ _info_nol "* Kernel supports PTE inversion: "
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ pstatus yellow UNKNOWN "missing 'strings' tool, please install it"
+ pteinv_supported=-1
+ elif [ -n "$kernel_err" ]; then
+ pstatus yellow UNKNOWN "$kernel_err"
+ pteinv_supported=-1
+ else
+- if "${opt_arch_prefix}strings" "$kernel" | grep -Fq 'PTE Inversion'; then
++ if "@strings@" "$kernel" | @grep@ -Fq 'PTE Inversion'; then
+ pstatus green YES "found in kernel image"
+ _debug "pteinv: found pte inversion evidence in kernel image"
+ pteinv_supported=1
+@@ -4844,7 +4844,7 @@ check_CVE_2018_3620_linux()
+ _info_nol "* PTE inversion enabled and active: "
+ if [ "$opt_live" = 1 ]; then
+ if [ -n "$fullmsg" ]; then
+- if echo "$fullmsg" | grep -q 'Mitigation: PTE Inversion'; then
++ if echo "$fullmsg" | @grep@ -q 'Mitigation: PTE Inversion'; then
+ pstatus green YES
+ pteinv_active=1
+ else
+@@ -4892,7 +4892,7 @@ check_CVE_2018_3620_bsd()
+ else
+ _debug "vmm module already loaded"
+ fi
+- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
+ # https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
+ # this is very difficult to detect that the kernel reserved the 0 page, but this fix
+ # is part of the exact same patch than the other L1TF CVE, so we detect it
+@@ -4922,7 +4922,7 @@ check_CVE_2018_3646()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2018_3646_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2018_3646_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -4948,7 +4948,7 @@ check_CVE_2018_3646_linux()
+ if [ "$opt_live" = 1 ]; then
+ if ! [ -r /sys/module/kvm_intel/parameters/ept ]; then
+ pstatus blue N/A "the kvm_intel module is not loaded"
+- elif [ "$(cat /sys/module/kvm_intel/parameters/ept)" = N ]; then
++ elif [ "$(@cat@ /sys/module/kvm_intel/parameters/ept)" = N ]; then
+ pstatus green YES
+ ept_disabled=1
+ else
+@@ -4960,15 +4960,15 @@ check_CVE_2018_3646_linux()
+
+ _info "* Mitigation 2"
+ _info_nol " * L1D flush is supported by kernel: "
+- if [ "$opt_live" = 1 ] && grep -qw flush_l1d "$procfs/cpuinfo"; then
++ if [ "$opt_live" = 1 ] && @grep@ -qw flush_l1d "$procfs/cpuinfo"; then
+ l1d_kernel="found flush_l1d in $procfs/cpuinfo"
+ fi
+ if [ -z "$l1d_kernel" ]; then
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ l1d_kernel_err="missing '${opt_arch_prefix}strings' tool, please install it, usually it's in the binutils package"
+ elif [ -n "$kernel_err" ]; then
+ l1d_kernel_err="$kernel_err"
+- elif "${opt_arch_prefix}strings" "$kernel" | grep -qw flush_l1d; then
++ elif "@strings@" "$kernel" | @grep@ -qw flush_l1d; then
+ l1d_kernel='found flush_l1d in kernel image'
+ fi
+ fi
+@@ -4989,20 +4989,20 @@ check_CVE_2018_3646_linux()
+ # $l1dstatus is one of (auto|vulnerable|conditional cache flushes|cache flushes|EPT disabled|flush not necessary)
+ # $smtstatus is one of (vulnerable|disabled)
+ # can also just be "Not affected"
+- if echo "$fullmsg" | grep -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then
++ if echo "$fullmsg" | @grep@ -Eq -e 'Not affected' -e '(VMX:|L1D) (EPT disabled|vulnerable|flush not necessary)'; then
+ l1d_mode=0
+ pstatus yellow NO
+- elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) conditional cache flushes'; then
++ elif echo "$fullmsg" | @grep@ -Eq '(VMX:|L1D) conditional cache flushes'; then
+ l1d_mode=1
+ pstatus green YES "conditional flushes"
+- elif echo "$fullmsg" | grep -Eq '(VMX:|L1D) cache flushes'; then
++ elif echo "$fullmsg" | @grep@ -Eq '(VMX:|L1D) cache flushes'; then
+ l1d_mode=2
+ pstatus green YES "unconditional flushes"
+ else
+ if is_xen_dom0; then
+- l1d_xen_hardware=$(xl dmesg | grep 'Hardware features:' | grep 'L1D_FLUSH' | head -1)
+- l1d_xen_hypervisor=$(xl dmesg | grep 'Xen settings:' | grep 'L1D_FLUSH' | head -1)
+- l1d_xen_pv_domU=$(xl dmesg | grep 'PV L1TF shadowing:' | grep 'DomU enabled' | head -1)
++ l1d_xen_hardware=$(xl @dmesg@ | @grep@ 'Hardware features:' | @grep@ 'L1D_FLUSH' | @head@ -1)
++ l1d_xen_hypervisor=$(xl @dmesg@ | @grep@ 'Xen settings:' | @grep@ 'L1D_FLUSH' | @head@ -1)
++ l1d_xen_pv_domU=$(xl @dmesg@ | @grep@ 'PV L1TF shadowing:' | @grep@ 'DomU enabled' | @head@ -1)
+
+ if [ -n "$l1d_xen_hardware" ] && [ -n "$l1d_xen_hypervisor" ] && [ -n "$l1d_xen_pv_domU" ]; then
+ l1d_mode=5
+@@ -5033,7 +5033,7 @@ check_CVE_2018_3646_linux()
+
+ _info_nol " * Hardware-backed L1D flush supported: "
+ if [ "$opt_live" = 1 ]; then
+- if grep -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then
++ if @grep@ -qw flush_l1d "$procfs/cpuinfo" || [ -n "$l1d_xen_hardware" ]; then
+ pstatus green YES "performance impact of the mitigation will be greatly reduced"
+ else
+ pstatus blue NO "flush will be done in software, this is slower"
+@@ -5105,7 +5105,7 @@ check_CVE_2018_3646_linux()
+ check_CVE_2018_3646_bsd()
+ {
+ _info_nol "* Kernel supports L1D flushing: "
+- if sysctl hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
++ if @sysctl@ hw.vmm.vmx.l1d_flush >/dev/null 2>&1; then
+ pstatus green YES
+ kernel_l1d_supported=1
+ else
+@@ -5114,7 +5114,7 @@ check_CVE_2018_3646_bsd()
+ fi
+
+ _info_nol "* L1D flushing is enabled: "
+- kernel_l1d_enabled=$(sysctl -n hw.vmm.vmx.l1d_flush 2>/dev/null)
++ kernel_l1d_enabled=$(@sysctl@ -n hw.vmm.vmx.l1d_flush 2>/dev/null)
+ case "$kernel_l1d_enabled" in
+ 0) pstatus yellow NO;;
+ 1) pstatus green YES;;
+@@ -5168,7 +5168,7 @@ check_CVE_2018_12127()
+ ###################
+ # MDSUM SECTION
+
+-# Microarchitectural Data Sampling Uncacheable Memory
++# Microarchitectural Data Sampling Uncacheable Memory
+ check_CVE_2019_11091()
+ {
+ cve='CVE-2019-11091'
+@@ -5182,7 +5182,7 @@ check_mds()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_mds_linux "$cve"
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_mds_bsd "$cve"
+ else
+ _warn "Unsupported OS ($os)"
+@@ -5193,7 +5193,7 @@ check_mds_bsd()
+ {
+ _info_nol "* Kernel supports using MD_CLEAR mitigation: "
+ if [ "$opt_live" = 1 ]; then
+- if sysctl hw.mds_disable >/dev/null 2>&1; then
++ if @sysctl@ hw.mds_disable >/dev/null 2>&1; then
+ pstatus green YES
+ kernel_md_clear=1
+ else
+@@ -5201,7 +5201,7 @@ check_mds_bsd()
+ kernel_md_clear=0
+ fi
+ else
+- if grep -Fq hw.mds_disable $opt_kernel; then
++ if @grep@ -Fq hw.mds_disable $opt_kernel; then
+ pstatus green YES
+ kernel_md_clear=1
+ else
+@@ -5211,8 +5211,8 @@ check_mds_bsd()
+ fi
+
+ _info_nol "* CPU Hyper-Threading (SMT) is disabled: "
+- if sysctl machdep.hyperthreading_allowed >/dev/null 2>&1; then
+- kernel_smt_allowed=$(sysctl -n machdep.hyperthreading_allowed 2>/dev/null)
++ if @sysctl@ machdep.hyperthreading_allowed >/dev/null 2>&1; then
++ kernel_smt_allowed=$(@sysctl@ -n machdep.hyperthreading_allowed 2>/dev/null)
+ if [ "$kernel_smt_allowed" = 1 ]; then
+ pstatus yellow NO
+ else
+@@ -5224,7 +5224,7 @@ check_mds_bsd()
+
+ _info_nol "* Kernel mitigation is enabled: "
+ if [ "$kernel_md_clear" = 1 ]; then
+- kernel_mds_enabled=$(sysctl -n hw.mds_disable 2>/dev/null)
++ kernel_mds_enabled=$(@sysctl@ -n hw.mds_disable 2>/dev/null)
+ else
+ kernel_mds_enabled=0
+ fi
+@@ -5238,7 +5238,7 @@ check_mds_bsd()
+
+ _info_nol "* Kernel mitigation is active: "
+ if [ "$kernel_md_clear" = 1 ]; then
+- kernel_mds_state=$(sysctl -n hw.mds_disable_state 2>/dev/null)
++ kernel_mds_state=$(@sysctl@ -n hw.mds_disable_state 2>/dev/null)
+ else
+ kernel_mds_state=inactive
+ fi
+@@ -5296,16 +5296,16 @@ check_mds_linux()
+ _info_nol "* Kernel supports using MD_CLEAR mitigation: "
+ kernel_md_clear=''
+ kernel_md_clear_can_tell=1
+- if [ "$opt_live" = 1 ] && grep ^flags "$procfs/cpuinfo" | grep -qw md_clear; then
++ if [ "$opt_live" = 1 ] && @grep@ ^flags "$procfs/cpuinfo" | @grep@ -qw md_clear; then
+ kernel_md_clear="md_clear found in $procfs/cpuinfo"
+ pstatus green YES "$kernel_md_clear"
+ fi
+ if [ -z "$kernel_md_clear" ]; then
+- if ! command -v "${opt_arch_prefix}strings" >/dev/null 2>&1; then
++ if ! command -v "@strings@" >/dev/null 2>&1; then
+ kernel_md_clear_can_tell=0
+ elif [ -n "$kernel_err" ]; then
+ kernel_md_clear_can_tell=0
+- elif "${opt_arch_prefix}strings" "$kernel" | grep -q 'Clear CPU buffers'; then
++ elif "@strings@" "$kernel" | @grep@ -q 'Clear CPU buffers'; then
+ _debug "md_clear: found 'Clear CPU buffers' string in kernel image"
+ kernel_md_clear='found md_clear implementation evidence in kernel image'
+ pstatus green YES "$kernel_md_clear"
+@@ -5321,7 +5321,7 @@ check_mds_linux()
+
+ if [ "$opt_live" = 1 ] && [ "$sys_interface_available" = 1 ]; then
+ _info_nol "* Kernel mitigation is enabled and active: "
+- if echo "$fullmsg" | grep -qi ^mitigation; then
++ if echo "$fullmsg" | @grep@ -qi ^mitigation; then
+ mds_mitigated=1
+ pstatus green YES
+ else
+@@ -5329,7 +5329,7 @@ check_mds_linux()
+ pstatus yellow NO
+ fi
+ _info_nol "* SMT is either mitigated or disabled: "
+- if echo "$fullmsg" | grep -Eq 'SMT (disabled|mitigated)'; then
++ if echo "$fullmsg" | @grep@ -Eq 'SMT (disabled|mitigated)'; then
+ mds_smt_mitigated=1
+ pstatus green YES
+ else
+@@ -5415,7 +5415,7 @@ check_CVE_2019_11135()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2019_11135_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2019_11135_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -5436,7 +5436,7 @@ check_CVE_2019_11135_linux()
+ kernel_taa=''
+ if [ -n "$kernel_err" ]; then
+ kernel_taa_err="$kernel_err"
+- elif grep -q 'tsx_async_abort' "$kernel"; then
++ elif @grep@ -q 'tsx_async_abort' "$kernel"; then
+ kernel_taa="found tsx_async_abort in kernel image"
+ fi
+ if [ -n "$kernel_taa" ]; then
+@@ -5450,7 +5450,7 @@ check_CVE_2019_11135_linux()
+ _info_nol "* TAA mitigation enabled and active: "
+ if [ "$opt_live" = 1 ]; then
+ if [ -n "$fullmsg" ]; then
+- if echo "$fullmsg" | grep -qE '^Mitigation'; then
++ if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then
+ pstatus green YES "$fullmsg"
+ else
+ pstatus yellow NO
+@@ -5485,9 +5485,9 @@ check_CVE_2019_11135_linux()
+ else
+ if [ "$opt_paranoid" = 1 ]; then
+ # in paranoid mode, TSX or SMT enabled are not OK, even if TAA is mitigated
+- if ! echo "$fullmsg" | grep -qF 'TSX disabled'; then
++ if ! echo "$fullmsg" | @grep@ -qF 'TSX disabled'; then
+ pvulnstatus $cve VULN "TSX must be disabled for full mitigation"
+- elif echo "$fullmsg" | grep -qF 'SMT vulnerable'; then
++ elif echo "$fullmsg" | @grep@ -qF 'SMT vulnerable'; then
+ pvulnstatus $cve VULN "SMT (HyperThreading) must be disabled for full mitigation"
+ else
+ pvulnstatus $cve "$status" "$msg"
+@@ -5517,7 +5517,7 @@ check_CVE_2018_12207()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2018_12207_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2018_12207_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -5541,7 +5541,7 @@ check_CVE_2018_12207_linux()
+ if [ -n "$kernel_err" ]; then
+ kernel_itlbmh_err="$kernel_err"
+ # commit 5219505fcbb640e273a0d51c19c38de0100ec5a9
+- elif grep -q 'itlb_multihit' "$kernel"; then
++ elif @grep@ -q 'itlb_multihit' "$kernel"; then
+ kernel_itlbmh="found itlb_multihit in kernel image"
+ fi
+ if [ -n "$kernel_itlbmh" ]; then
+@@ -5555,7 +5555,7 @@ check_CVE_2018_12207_linux()
+ _info_nol "* iTLB Multihit mitigation enabled and active: "
+ if [ "$opt_live" = 1 ]; then
+ if [ -n "$fullmsg" ]; then
+- if echo "$fullmsg" | grep -qF 'Mitigation'; then
++ if echo "$fullmsg" | @grep@ -qF 'Mitigation'; then
+ pstatus green YES "$fullmsg"
+ else
+ pstatus yellow NO
+@@ -5597,7 +5597,7 @@ check_CVE_2018_12207_linux()
+ check_CVE_2018_12207_bsd()
+ {
+ _info_nol "* Kernel supports disabling superpages for executable mappings under EPT: "
+- kernel_2m_x_ept=$(sysctl -n vm.pmap.allow_2m_x_ept 2>/dev/null)
++ kernel_2m_x_ept=$(@sysctl@ -n vm.pmap.allow_2m_x_ept 2>/dev/null)
+ if [ -z "$kernel_2m_x_ept" ]; then
+ pstatus yellow NO
+ else
+@@ -5634,7 +5634,7 @@ check_CVE_2020_0543()
+ _info "\033[1;34m$cve aka '$(cve2name "$cve")'\033[0m"
+ if [ "$os" = Linux ]; then
+ check_CVE_2020_0543_linux
+- elif echo "$os" | grep -q BSD; then
++ elif echo "$os" | @grep@ -q BSD; then
+ check_CVE_2020_0543_bsd
+ else
+ _warn "Unsupported OS ($os)"
+@@ -5655,7 +5655,7 @@ check_CVE_2020_0543_linux()
+ kernel_srbds=''
+ if [ -n "$kernel_err" ]; then
+ kernel_srbds_err="$kernel_err"
+- elif grep -q 'Dependent on hypervisor' "$kernel"; then
++ elif @grep@ -q 'Dependent on hypervisor' "$kernel"; then
+ kernel_srbds="found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation"
+ fi
+ if [ -n "$kernel_srbds" ]; then
+@@ -5668,7 +5668,7 @@ check_CVE_2020_0543_linux()
+ _info_nol "* SRBDS mitigation control is enabled and active: "
+ if [ "$opt_live" = 1 ]; then
+ if [ -n "$fullmsg" ]; then
+- if echo "$fullmsg" | grep -qE '^Mitigation'; then
++ if echo "$fullmsg" | @grep@ -qE '^Mitigation'; then
+ pstatus green YES "$fullmsg"
+ else
+ pstatus yellow NO
+@@ -5758,8 +5758,8 @@ fi
+ # now run the checks the user asked for
+ for cve in $supported_cve_list
+ do
+- if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | grep -qw "$cve"; then
+- check_"$(echo "$cve" | tr - _)"
++ if [ "$opt_cve_all" = 1 ] || echo "$opt_cve_list" | @grep@ -qw "$cve"; then
++ check_"$(echo "$cve" | @tr@ - _)"
+ _info
+ fi
+ done
+@@ -5773,17 +5773,17 @@ if [ "$bad_accuracy" = 1 ]; then
+ _warn "We're missing some kernel info (see -v), accuracy might be reduced"
+ fi
+
+-_vars=$(set | grep -Ev '^[A-Z_[:space:]]' | grep -v -F 'mockme=' | sort | tr "\n" '|')
++_vars=$(set | @grep@ -Ev '^[A-Z_[:space:]]' | @grep@ -v -F 'mockme=' | @sort@ | @tr@ "\n" '|')
+ _debug "variables at end of script: $_vars"
+
+ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
+- if command -v "gzip" >/dev/null 2>&1; then
++ if command -v "@gzip@" >/dev/null 2>&1; then
+ # not a useless use of cat: gzipping cpuinfo directly doesn't work well
+ # shellcheck disable=SC2002
+- if command -v "base64" >/dev/null 2>&1; then
+- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | base64 -w0)"
+- elif command -v "uuencode" >/dev/null 2>&1; then
+- mock_cpuinfo="$(cat /proc/cpuinfo | gzip -c | uuencode -m - | grep -Fv 'begin-base64' | grep -Fxv -- '====' | tr -d "\n")"
++ if command -v "@base64@" >/dev/null 2>&1; then
++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @base64@ -w0)"
++ elif command -v "@uuencode@" >/dev/null 2>&1; then
++ mock_cpuinfo="$(@cat@ /proc/cpuinfo | @gzip@ -c | @uuencode@ -m - | @grep@ -Fv 'begin-base64' | @grep@ -Fxv -- '====' | @tr@ -d "\n")"
+ fi
+ fi
+ if [ -n "$mock_cpuinfo" ]; then
+@@ -5792,7 +5792,7 @@ if [ -n "$mockme" ] && [ "$opt_mock" = 1 ]; then
+ fi
+ _info ""
+ # shellcheck disable=SC2046
+- _warn "To mock this CPU, set those vars: "$(echo "$mockme" | sort -u)
++ _warn "To mock this CPU, set those vars: "$(echo "$mockme" | @sort@ -u)
+ fi
+
+ if [ "$opt_explain" = 0 ]; then
+--
+2.38.1
+
new file mode 100644
@@ -0,0 +1,26 @@
+From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 5 Nov 2022 23:22:31 +0800
+Subject: [PATCH] Add support for Guix System kernel.
+
+---
+ spectre-meltdown-checker.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 248a444..855a090 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
+ [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
+ # NixOS:
+ [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
++ # Guix System:
++ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ # systemd kernel-install:
+ [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
+ # Clear Linux:
+
+base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
+--
+2.38.0