diff mbox series

[bug#49898,v3] gnu: Add spectre-meltdown-checker.

Message ID Qnv2d9veC0SXJimwcILw0UislAW8WkkHHDTmEn8RNRI-jmuH3nFOcMI7z0YLHifpvjyoA4CCLYLk92cQ651b-UUWMRUCgvtpXQH5dMs5eHM=@protonmail.com
State New
Headers show
Series [bug#49898,v3] gnu: Add spectre-meltdown-checker. | expand

Checks

Context Check Description
cbaines/comparison success View comparision
cbaines/git branch success View Git branch
cbaines/applying patch success View Laminar job
cbaines/issue success View issue

Commit Message

phodina Aug. 8, 2021, 11:05 a.m. UTC 
>
> This looks better, but after running the checker in a few
>
> configurations (it doesn't appear to make a difference whether with or
>
> without root, but judging from the papers some attacks would require
>
> sudo) I've noticed that commands are insufficiently hardcoded.
>
> For instance, the check for Spectre Variant 1 requires perl, which is
>
> not available and the line stating so is hidden well among a large wall
>
> of output.
>
> Likewise, I don't think simply including binutils does anything, you'll
>
> have to patch those in as well if you want them.
>
> Regards,

Yes, it's unfortunately well hidden and there seems to be a mix of tools also
available only for BSD. I wanted to run it in pure environment and with =-e=
but there are many condtitions that exit at once.

So I went throught the whole script and listed the commands.
Not sure regarding the admin priviledges. I'll create issue on the upstream
regarding the requirements. The Dockerfile gives some hints but it's not exhaustive.

Kind regards,
Petr

-----------------------------------------------------

* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.

--
2.32.0

Comments

Leo Prikler Aug. 8, 2021, 9:42 p.m. UTC | #1 
Hi,

Am Sonntag, den 08.08.2021, 11:05 +0000 schrieb phodina:
> Yes, it's unfortunately well hidden and there seems to be a mix of
> tools also available only for BSD. I wanted to run it in pure
> environment and with =-e= but there are many condtitions that exit at
> once.
I don't think the BSD ones should be too much of an issue, but if we
ever decide to ship a BSD kernel, that might become relevant.
> So I went throught the whole script and listed the commands.
> Not sure regarding the admin priviledges. I'll create issue on the
> upstream regarding the requirements. The Dockerfile gives some hints
> but it's not exhaustive.
As far as I can see, I don't think it claims sudo on your behalf, so
that should be fine.

> -----------------------------------------------------
> 
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> 
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index 4ca2a386e1..24f7d43b33 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -53,6 +53,7 @@
>  ;;; Copyright © 2020 pukkamustard <pukkamustard@posteo.net>
>  ;;; Copyright © 2021 B. Wilson <elaexuotee@wilsonb.com>
>  ;;; Copyright © 2021 Ivan Gankevich <i.gankevich@spbu.ru>
> +;;; Copyright © 2021 Petr Hodina <phodina@protonmail.com>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -137,6 +138,7 @@
>    #:use-module (gnu packages video)
>    #:use-module (gnu packages vulkan)
>    #:use-module (gnu packages web)
> +  #:use-module (gnu packages wget)
>    #:use-module (gnu packages xiph)
>    #:use-module (gnu packages xml)
>    #:use-module (gnu packages xdisorg)
> @@ -148,6 +150,7 @@
>    #:use-module (guix build-system cmake)
>    #:use-module (guix build-system gnu)
>    #:use-module (guix build-system go)
> +  #:use-module (guix build-system copy)
>    #:use-module (guix build-system meson)
>    #:use-module (guix build-system python)
>    #:use-module (guix build-system trivial)
> @@ -7191,6 +7194,44 @@ interfaces in parallel environments.")
>      (supported-systems '("i686-linux" "x86_64-linux"))
>      (license (list license:bsd-2 license:gpl2)))) ;dual
> 
> +(define-public spectre-meltdown-checker
> +(package
> +  (name "spectre-meltdown-checker")
> +  (version "0.44")
> +  (source (origin
> +            (method git-fetch)
> +            (uri (git-reference
> +                  (url "
> https://github.com/speed47/spectre-meltdown-checker")
> +                  (commit (string-append "v" version))))
> +            (file-name (git-file-name name version))
> +            (sha256
> +             (base32
> +              "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam"
> ))))
> +  (build-system copy-build-system)
> +  (arguments
> +   `(#:install-plan '(("spectre-meltdown-checker.sh"
> +                       "bin/spectre-meltdown-checker.sh"))))
> +   (inputs `(("binutils" ,binutils)
> +             ("coreutils",coreutils)
> +             ("gawk" ,gawk)
> +             ("gzip" ,gzip)
> +             ("lzop" ,lzop)
> +             ("perl" ,perl)
> +             ("procps" ,procps)
> +             ("sqlite" ,sqlite)
> +             ("util-linux" ,util-linux)
> +             ("util-linux-with-udev" ,util-linux+udev)
Why both?
> +             ("wget" ,wget)
> +             ("which" ,which)
> +             ("xz" ,xz)
> +             ("zstd" ,zstd)))
Are you sure that mere presence of these packages as inputs will do
anything to patch them?  Because I'm not so much.

Regards
diff mbox series

Patch

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 4ca2a386e1..24f7d43b33 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -53,6 +53,7 @@ 
 ;;; Copyright © 2020 pukkamustard <pukkamustard@posteo.net>
 ;;; Copyright © 2021 B. Wilson <elaexuotee@wilsonb.com>
 ;;; Copyright © 2021 Ivan Gankevich <i.gankevich@spbu.ru>
+;;; Copyright © 2021 Petr Hodina <phodina@protonmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -137,6 +138,7 @@ 
   #:use-module (gnu packages video)
   #:use-module (gnu packages vulkan)
   #:use-module (gnu packages web)
+  #:use-module (gnu packages wget)
   #:use-module (gnu packages xiph)
   #:use-module (gnu packages xml)
   #:use-module (gnu packages xdisorg)
@@ -148,6 +150,7 @@ 
   #:use-module (guix build-system cmake)
   #:use-module (guix build-system gnu)
   #:use-module (guix build-system go)
+  #:use-module (guix build-system copy)
   #:use-module (guix build-system meson)
   #:use-module (guix build-system python)
   #:use-module (guix build-system trivial)
@@ -7191,6 +7194,44 @@  interfaces in parallel environments.")
     (supported-systems '("i686-linux" "x86_64-linux"))
     (license (list license:bsd-2 license:gpl2)))) ;dual

+(define-public spectre-meltdown-checker
+(package
+  (name "spectre-meltdown-checker")
+  (version "0.44")
+  (source (origin
+            (method git-fetch)
+            (uri (git-reference
+                  (url "https://github.com/speed47/spectre-meltdown-checker")
+                  (commit (string-append "v" version))))
+            (file-name (git-file-name name version))
+            (sha256
+             (base32
+              "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam"))))
+  (build-system copy-build-system)
+  (arguments
+   `(#:install-plan '(("spectre-meltdown-checker.sh"
+                       "bin/spectre-meltdown-checker.sh"))))
+   (inputs `(("binutils" ,binutils)
+             ("coreutils",coreutils)
+             ("gawk" ,gawk)
+             ("gzip" ,gzip)
+             ("lzop" ,lzop)
+             ("perl" ,perl)
+             ("procps" ,procps)
+             ("sqlite" ,sqlite)
+             ("util-linux" ,util-linux)
+             ("util-linux-with-udev" ,util-linux+udev)
+             ("wget" ,wget)
+             ("which" ,which)
+             ("xz" ,xz)
+             ("zstd" ,zstd)))
+  (synopsis "Spectre, Meltdown ... vulnerability/mitigation checker")
+  (description "A shell script to assess your system's resilience against
+the several transient execution CVEs that were published since early 2018,
+and give you guidance as to how to mitigate them.")
+  (home-page "https://github.com/speed47/spectre-meltdown-checker")
+  (license license:gpl3)))
+
 (define-public snapscreenshot
   (package
     (name "snapscreenshot")