
[bug#59053,v5] gnu: Add spectre-meltdown-checker.

Message ID y76a64v2e84.wl-hako@ultrarare.space


Commit Message

Hilton Chain Nov. 13, 2022, 1:09 p.m. UTC
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
v4 -> v5: No longer needs an extra patch for the substitutions.

 gnu/local.mk                                  |   2 +
 gnu/packages/linux.scm                        | 130 ++++++++++
 ...ker-remove-builtin-firmware-database.patch | 243 ++++++++++++++++++
 ...n-checker-support-guix-system-kernel.patch |  26 ++
 4 files changed, 401 insertions(+)
 create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
 create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch


base-commit: 80d10fa413cf43439f9ab94b6f69fe68811156da

Comments

Liliana Marie Prikler Nov. 13, 2022, 10:02 p.m. UTC | #1
Am Sonntag, dem 13.11.2022 um 21:09 +0800 schrieb Hilton Chain:
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch:
> New file.
> * gnu/local.mk (dist_patch_DATA): Add patches.
I renamed the patches for the ChangeLog, slightly rewrote their
explanations, ...

>  gnu/local.mk                                  |   2 +
>  gnu/packages/linux.scm                        | 130 ++++++++++
>  ...ker-remove-builtin-firmware-database.patch | 243
> ++++++++++++++++++
>  ...n-checker-support-guix-system-kernel.patch |  26 ++
>  4 files changed, 401 insertions(+)
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> remove-builtin-firmware-database.patch
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
> 
> diff --git a/gnu/local.mk b/gnu/local.mk
> index e3e02314bb..1e85790983 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1857,6 +1857,8 @@ dist_patch_DATA
> =                                         \
>    %D%/packages/patches/syslinux-strip-gnu-property.patch       \
>    %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch      \
>    %D%/packages/patches/snappy-add-inline-for-GCC.patch         \
> +  %D%/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch \
> +  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
>    %D%/packages/patches/sphinxbase-fix-doxygen.patch            \
>    %D%/packages/patches/spice-vdagent-glib-2.68.patch           \
>    %D%/packages/patches/sssd-optional-systemd.patch             \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index fea33dfa0b..03b7ce46b0 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9595,3 +9595,133 @@ (define-public edac-utils
>  error detection and correction (EDAC).")
>      (home-page "https://github.com/grondo/edac-utils")
>      (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> +  (package
> +    (name "spectre-meltdown-checker")
> +    (version "0.45")
> +    (source (origin
> +              (method git-fetch)
> +              (uri (git-reference
> +                    (url
> "https://github.com/speed47/spectre-meltdown-checker")
> +                    (commit (string-append "v" version))))
> +              (file-name (git-file-name name version))
> +              (patches
> +               (search-patches
> +                "spectre-meltdown-checker-remove-builtin-firmware-
> database.patch"
> +                ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> +                "spectre-meltdown-checker-support-guix-system-
> kernel.patch"))
> +              ;; Remove builtin firmware database.
> +              (modules '((guix build utils)))
> +              (snippet '(substitute* "spectre-meltdown-checker.sh"
> +                          (("^# [AI],.*") "")))
> +              (sha256
> +               (base32
> +               
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> +    (build-system copy-build-system)
> +    (arguments
> +     (list
> +      #:install-plan
> +      #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> +      #:phases
> +      #~(modify-phases %standard-phases
> +          (add-after 'unpack 'fixpath
> +            (lambda* (#:key inputs #:allow-other-keys)
> +              (define* (find-command inputs cmd #:optional (bin
> "bin")
> +                                     #:key (prefix "") (suffix ""))
> +                (string-append
> +                 prefix (search-input-file inputs (string-append bin
> "/" cmd))
> +                 suffix))
> +              (substitute* "spectre-meltdown-checker.sh"
> +                ;; ${opt_arch_prefix}CMD
> +                (((string-append
> +                   "\\$\\{opt_arch_prefix\\}"
> +                   "\\<(nm|objdump|readelf|strings)\\>") all cmd)
> +                 (find-command inputs cmd))
> +
> +                ;; dd
> +                (("(dd)( if=)" all cmd suffix)
> +                 (find-command inputs cmd #:suffix suffix))
> +
> +                ;; Commands safe to substitute directly.
> +                (((string-append "\\<(" (string-join
> +                                         (list "awk"
> +                                               "basename"
> +                                               "dirname"
> +                                               "bunzip2"
> +                                               "gunzip"
> +                                               "gzip"
> +                                               "lz4"
> +                                               "lzop"
> +                                               "modprobe"
> +                                               "pgrep"
> +                                               "rmmod"
> +                                               "umount"
> +                                               "unlzma"
> +                                               "unxz"
> +                                               "unzstd"
> +                                               "uuencode")
> +                                         "|")
> +                                 ")\\>") all cmd)
replaced these "clever" tricks with dumber ones,
> +                 (find-command inputs cmd))
> +
> +                ;; Search by suffix.
> +                ;; CMD -
> +                ;; CMD ^
> +                (((string-append "\\<(" (string-join
> +                                         (list "base64"
> +                                               "cut"
> +                                               "grep"
> +                                               "head"
> +                                               "id"
> +                                               "mount"
> +                                               "mktemp"
> +                                               "od"
> +                                               "perl"
> +                                               "rm"
> +                                               "uname"
> +                                               "xargs")
> +                                         "|")
> +                                 ")\\>( [-^])") all cmd suffix)
> +                 (find-command inputs cmd #:suffix suffix))
> +                ;; CMD |
> +                (("(dmesg)( \\|)" all cmd suffix)
> +                 (find-command inputs cmd #:suffix suffix))
> +
> +                ;; Then prefix
> +                ;; | CMD
> +                (("(\\| )\\<(grep|sed|sort|stat|tr)\\>" all prefix
> cmd)
> +                 (find-command inputs cmd #:prefix prefix))
> +                ;; $(CMD
> +                (("(\\$\\( *)(sysctl)" all prefix cmd)
> +                 (find-command inputs cmd "sbin" #:prefix prefix))
> +               
> (("(\\$\\()\\<(cat|find|grep|mount|nproc|stat|tr)\\>" all prefix cmd)
> +                 (find-command inputs cmd #:prefix prefix))
> +                ;; if CMD
> +                (("(if )(sysctl)" all prefix cmd)
> +                 (find-command inputs cmd "sbin" #:prefix prefix))
> +                ;; command -v CMD
> +                (("(command -v)
> \"*\\<(base64|nproc|perl|printf)\\>\"*" all prefix cmd)
> +                 (find-command inputs cmd #:prefix prefix))
> +
> +                ;; Cats are mysterious...
> +                ;; cat <<EOF
> +                (("(cat)( <<EOF)" all cmd suffix)
> +                 (find-command inputs cmd #:suffix suffix))
> +                ;; cat "$
> +                (("(cat)(\"\\$)" all cmd suffix)
> +                 (find-command inputs cmd #:suffix suffix))
> +                ;; 'cat'
> +                (("(')(cat)(')" all prefix cmd suffix)
> +                 (find-command inputs cmd #:prefix prefix #:suffix
> suffix))
> +                ;; "cat"
> +                (("(\")(cat)(\")" all prefix cmd suffix)
> +                 (find-command inputs cmd #:prefix prefix #:suffix
> suffix))))))))
> +    (inputs (list kmod lz4 lzop perl procps sharutils util-linux
> zstd))
> +    (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> +    (synopsis "CPU vulnerability / mitigation checker")
> +    (description
> +     "This package provides a shell script to assess your system's
> resilience
> +against the several transient execution CVEs that were published
> since early
> +2018, and give you guidance as to how to mitigate them.")
> +    (license license:gpl3)))
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-
> builtin-firmware-database.patch b/gnu/packages/patches/spectre-
> meltdown-checker-remove-builtin-firmware-database.patch
> new file mode 100644
> index 0000000000..809763cf4f
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch
> @@ -0,0 +1,243 @@
> +From 340b08737e552c3c186863d76d123808d853a159 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Sat, 12 Nov 2022 22:45:24 +0800
> +Subject: [PATCH] Remove builtin firmware database.
> +
> +1. Remove downloading function.
> +2. Add option for supplying a local database.
> +---
> + spectre-meltdown-checker.sh | 180 +++------------------------------
> ---
> + 1 file changed, 15 insertions(+), 165 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 30f760c..ce46970 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -22,8 +22,6 @@ exit_cleanup()
> +       [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm
> -f "$dumped_config"
> +       [ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && rm
> -f "$kerneltmp"
> +       [ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] && rm
> -f "$kerneltmp2"
> +-      [ -n "${mcedb_tmp:-}"     ] && [ -f "$mcedb_tmp"     ] && rm
> -f "$mcedb_tmp"
> +-      [ -n "${intel_tmp:-}"     ] && [ -d "$intel_tmp"     ] && rm
> -rf "$intel_tmp"
> +       [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug
> 2>/dev/null
> +       [ "${mounted_procfs:-}"  = 1 ] && umount "$procfs"
> 2>/dev/null
> +       [ "${insmod_cpuid:-}"    = 1 ] && rmmod cpuid 2>/dev/null
> +@@ -93,9 +91,7 @@ show_usage()
> +               --vmm [auto,yes,no]     override the detection of the
> presence of a hypervisor, default: auto
> +               --allow-msr-write       allow probing for write-only
> MSRs, this might produce kernel logs or be blocked by your system
> +               --cpu [#,all]           interact with CPUID and MSR
> of CPU core number #, or all (default: CPU core 0)
> +-              --update-fwdb           update our local copy of the
> CPU microcodes versions database (using the awesome
> +-                                      MCExtractor project and the
> Intel firmwares GitHub repository)
> +-              --update-builtin-fwdb   same as --update-fwdb but
> update builtin DB inside the script itself
> ++              --with-fwdb FILE        supply the CPU microcodes
> versions database
and added a note regarding the (lack of) freedom for proprietary
microcode.

I also added your name and email to the authors of linux.scm, since
this was a very non-trivial package.

Cheers

Patch

diff --git a/gnu/local.mk b/gnu/local.mk
index e3e02314bb..1e85790983 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1857,6 +1857,8 @@  dist_patch_DATA =						\
   %D%/packages/patches/syslinux-strip-gnu-property.patch	\
   %D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch	\
   %D%/packages/patches/snappy-add-inline-for-GCC.patch		\
+  %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \
+  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
   %D%/packages/patches/sphinxbase-fix-doxygen.patch		\
   %D%/packages/patches/spice-vdagent-glib-2.68.patch		\
   %D%/packages/patches/sssd-optional-systemd.patch		\
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index fea33dfa0b..03b7ce46b0 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9595,3 +9595,133 @@  (define-public edac-utils
 error detection and correction (EDAC).")
     (home-page "https://github.com/grondo/edac-utils")
     (license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+  (package
+    (name "spectre-meltdown-checker")
+    (version "0.45")
+    (source (origin
+              (method git-fetch)
+              (uri (git-reference
+                    (url "https://github.com/speed47/spectre-meltdown-checker")
+                    (commit (string-append "v" version))))
+              (file-name (git-file-name name version))
+              (patches
+               (search-patches
+                "spectre-meltdown-checker-remove-builtin-firmware-database.patch"
+                ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+                "spectre-meltdown-checker-support-guix-system-kernel.patch"))
+              ;; Remove builtin firmware database.
+              (modules '((guix build utils)))
+              (snippet '(substitute* "spectre-meltdown-checker.sh"
+                          (("^# [AI],.*") "")))
+              (sha256
+               (base32
+                "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+    (build-system copy-build-system)
+    (arguments
+     (list
+      #:install-plan
+      #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+      #:phases
+      #~(modify-phases %standard-phases
+          (add-after 'unpack 'fixpath
+            (lambda* (#:key inputs #:allow-other-keys)
+              (define* (find-command inputs cmd #:optional (bin "bin")
+                                     #:key (prefix "") (suffix ""))
+                (string-append
+                 prefix (search-input-file inputs (string-append bin "/" cmd))
+                 suffix))
+              (substitute* "spectre-meltdown-checker.sh"
+                ;; ${opt_arch_prefix}CMD
+                (((string-append
+                   "\\$\\{opt_arch_prefix\\}"
+                   "\\<(nm|objdump|readelf|strings)\\>") all cmd)
+                 (find-command inputs cmd))
+
+                ;; dd
+                (("(dd)( if=)" all cmd suffix)
+                 (find-command inputs cmd #:suffix suffix))
+
+                ;; Commands safe to substitute directly.
+                (((string-append "\\<(" (string-join
+                                         (list "awk"
+                                               "basename"
+                                               "dirname"
+                                               "bunzip2"
+                                               "gunzip"
+                                               "gzip"
+                                               "lz4"
+                                               "lzop"
+                                               "modprobe"
+                                               "pgrep"
+                                               "rmmod"
+                                               "umount"
+                                               "unlzma"
+                                               "unxz"
+                                               "unzstd"
+                                               "uuencode")
+                                         "|")
+                                 ")\\>") all cmd)
+                 (find-command inputs cmd))
+
+                ;; Search by suffix.
+                ;; CMD -
+                ;; CMD ^
+                (((string-append "\\<(" (string-join
+                                         (list "base64"
+                                               "cut"
+                                               "grep"
+                                               "head"
+                                               "id"
+                                               "mount"
+                                               "mktemp"
+                                               "od"
+                                               "perl"
+                                               "rm"
+                                               "uname"
+                                               "xargs")
+                                         "|")
+                                 ")\\>( [-^])") all cmd suffix)
+                 (find-command inputs cmd #:suffix suffix))
+                ;; CMD |
+                (("(dmesg)( \\|)" all cmd suffix)
+                 (find-command inputs cmd #:suffix suffix))
+
+                ;; Then prefix
+                ;; | CMD
+                (("(\\| )\\<(grep|sed|sort|stat|tr)\\>" all prefix cmd)
+                 (find-command inputs cmd #:prefix prefix))
+                ;; $(CMD
+                (("(\\$\\( *)(sysctl)" all prefix cmd)
+                 (find-command inputs cmd "sbin" #:prefix prefix))
+                (("(\\$\\()\\<(cat|find|grep|mount|nproc|stat|tr)\\>" all prefix cmd)
+                 (find-command inputs cmd #:prefix prefix))
+                ;; if CMD
+                (("(if )(sysctl)" all prefix cmd)
+                 (find-command inputs cmd "sbin" #:prefix prefix))
+                ;; command -v CMD
+                (("(command -v) \"*\\<(base64|nproc|perl|printf)\\>\"*" all prefix cmd)
+                 (find-command inputs cmd #:prefix prefix))
+
+                ;; Cats are mysterious...
+                ;; cat <<EOF
+                (("(cat)( <<EOF)" all cmd suffix)
+                 (find-command inputs cmd #:suffix suffix))
+                ;; cat "$
+                (("(cat)(\"\\$)" all cmd suffix)
+                 (find-command inputs cmd #:suffix suffix))
+                ;; 'cat'
+                (("(')(cat)(')" all prefix cmd suffix)
+                 (find-command inputs cmd #:prefix prefix #:suffix suffix))
+                ;; "cat"
+                (("(\")(cat)(\")" all prefix cmd suffix)
+                 (find-command inputs cmd #:prefix prefix #:suffix suffix))))))))
+    (inputs (list kmod lz4 lzop perl procps sharutils util-linux zstd))
+    (home-page "https://github.com/speed47/spectre-meltdown-checker")
+    (synopsis "CPU vulnerability / mitigation checker")
+    (description
+     "This package provides a shell script to assess your system's resilience
+against the several transient execution CVEs that were published since early
+2018, and give you guidance as to how to mitigate them.")
+    (license license:gpl3)))
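Review bot: The `fixpath` phase at `(add-after 'unpack 'fixpath` rewrites a hand-maintained list of command names into absolute store paths but records neither why nor its limits, and this script is normally run as root, where the difference between a pinned store path and a PATH lookup matters. Any invocation these patterns miss keeps resolving through the caller's PATH at runtime, and the patterns (for example `\\<(…|id|rm|…)\\>( [-^])`) also rewrite matching words inside comments and quoted strings, which is harmless only as long as that text never reaches the shell. I'd add above the phase `;; Pin every external tool the script shells out to by its store path: the script is usually run as root, so this removes the dependency on the caller's PATH and makes the runtime closure explicit (search-input-file fails the build if a tool is missing).` and, on the rule lists, `;; Hand-maintained: an invocation these patterns miss still goes through PATH at runtime; re-check after each upstream bump.`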
diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
new file mode 100644
index 0000000000..809763cf4f
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
@@ -0,0 +1,243 @@ 
+From 340b08737e552c3c186863d76d123808d853a159 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 12 Nov 2022 22:45:24 +0800
+Subject: [PATCH] Remove builtin firmware database.
+
+1. Remove downloading function.
+2. Add option for supplying a local database.
+---
+ spectre-meltdown-checker.sh | 180 +++---------------------------------
+ 1 file changed, 15 insertions(+), 165 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 30f760c..ce46970 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -22,8 +22,6 @@ exit_cleanup()
+ 	[ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
+ 	[ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && rm -f "$kerneltmp"
+ 	[ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] && rm -f "$kerneltmp2"
+-	[ -n "${mcedb_tmp:-}"     ] && [ -f "$mcedb_tmp"     ] && rm -f "$mcedb_tmp"
+-	[ -n "${intel_tmp:-}"     ] && [ -d "$intel_tmp"     ] && rm -rf "$intel_tmp"
+ 	[ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
+ 	[ "${mounted_procfs:-}"  = 1 ] && umount "$procfs" 2>/dev/null
+ 	[ "${insmod_cpuid:-}"    = 1 ] && rmmod cpuid 2>/dev/null
+@@ -93,9 +91,7 @@ show_usage()
+ 		--vmm [auto,yes,no]	override the detection of the presence of a hypervisor, default: auto
+ 		--allow-msr-write	allow probing for write-only MSRs, this might produce kernel logs or be blocked by your system
+ 		--cpu [#,all]		interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
+-		--update-fwdb		update our local copy of the CPU microcodes versions database (using the awesome
+-					MCExtractor project and the Intel firmwares GitHub repository)
+-		--update-builtin-fwdb	same as --update-fwdb but update builtin DB inside the script itself
++		--with-fwdb FILE	supply the CPU microcodes versions database
+ 		--dump-mock-data	used to mimick a CPU on an other system, mainly used to help debugging this script
+ 
+ 	Return codes:
+@@ -837,147 +833,6 @@ show_header()
+ 	_info
+ }
+ 
+-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
+-mcedb_cache="$HOME/.mcedb"
+-update_fwdb()
+-{
+-	show_header
+-
+-	set -e
+-
+-	if [ -r "$mcedb_cache" ]; then
+-		previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+-	fi
+-
+-	# first, download the MCE.db from the excellent platomav's MCExtractor project
+-	mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
+-	mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+-	_info_nol "Fetching MCE.db from the MCExtractor project... "
+-	if command -v wget >/dev/null 2>&1; then
+-		wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+-	elif command -v curl >/dev/null 2>&1; then
+-		curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+-	elif command -v fetch >/dev/null 2>&1; then
+-		fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+-	else
+-		echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
+-		return 1
+-	fi
+-	if [ "$ret" != 0 ]; then
+-		echo ERROR "error $ret while downloading MCE.db"
+-		return $ret
+-	fi
+-	echo DONE
+-
+-	# second, get the Intel firmwares from GitHub
+-	intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
+-	intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+-	_info_nol "Fetching Intel firmwares... "
+-	## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+-	if command -v wget >/dev/null 2>&1; then
+-		wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+-	elif command -v curl >/dev/null 2>&1; then
+-		curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+-	elif command -v fetch >/dev/null 2>&1; then
+-		fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+-	else
+-		echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
+-		return 1
+-	fi
+-	if [ "$ret" != 0 ]; then
+-		echo ERROR "error $ret while downloading Intel firmwares"
+-		return $ret
+-	fi
+-	echo DONE
+-
+-	# now extract MCEdb contents using sqlite
+-	_info_nol "Extracting MCEdb data... "
+-	if ! command -v sqlite3 >/dev/null 2>&1; then
+-		echo ERROR "please install the \`sqlite3\` program"
+-		return 1
+-	fi
+-	mcedb_revision=$(sqlite3 "$mcedb_tmp" "select revision from MCE")
+-	if [ -z "$mcedb_revision" ]; then
+-		echo ERROR "downloaded file seems invalid"
+-		return 1
+-	fi
+-	sqlite3 "$mcedb_tmp" "alter table Intel add column origin text"
+-	sqlite3 "$mcedb_tmp" "update Intel set origin='mce'"
+-
+-	echo OK "MCExtractor database revision $mcedb_revision"
+-
+-	# parse Intel firmwares to get their versions
+-	_info_nol "Integrating Intel firmwares data to db... "
+-	if ! command -v unzip >/dev/null 2>&1; then
+-		echo ERROR "please install the \`unzip\` program"
+-		return 1
+-	fi
+-	( cd "$intel_tmp" && unzip fw.zip >/dev/null; )
+-	if ! [ -d "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" ]; then
+-		echo ERROR "expected the 'intel-ucode' folder in the downloaded zip file"
+-		return 1
+-	fi
+-
+-	if ! command -v iucode_tool >/dev/null 2>&1; then
+-		if ! command -v iucode-tool >/dev/null 2>&1; then
+-			echo ERROR "please install the \`iucode-tool\` program"
+-			return 1
+-		else
+-			iucode_tool="iucode-tool"
+-		fi
+-	else
+-		iucode_tool="iucode_tool"
+-	fi
+-	#  079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev 0x0217, size 5120
+-	#  078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev 0x0107, size 5120
+-	$iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
+-	do
+-		_line=$(   echo "$_line" | tr -d ',')
+-		_cpuid=$(  echo "$_line" | awk '{print $3}')
+-		_cpuid=$(( _cpuid ))
+-		_cpuid=$(printf "0x%08X" "$_cpuid")
+-		_date=$(   echo "$_line" | awk '{print $6}' | tr -d '-')
+-		_version=$(echo "$_line" | awk '{print $8}')
+-		_version=$(( _version ))
+-		_version=$(printf "0x%08X" "$_version")
+-		_sqlstm="$(printf "INSERT INTO Intel (origin,cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")"
+-		sqlite3 "$mcedb_tmp" "$_sqlstm"
+-	done
+-	_intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
+-	if [ -n "$_intel_timestamp" ]; then
+-		# use this date, it matches the last commit date
+-		_intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp")
+-	else
+-		echo "Falling back to the latest microcode date"
+-		_intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT yyyymmdd from Intel WHERE origin = 'intel' ORDER BY yyyymmdd DESC LIMIT 1;")
+-	fi
+-	echo DONE "(version $_intel_latest_date)"
+-
+-	dbversion="$mcedb_revision+i$_intel_latest_date"
+-
+-	if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [ "$previous_dbversion" = "v$dbversion" ]; then
+-		echo "We already have this version locally, no update needed"
+-		return 0
+-	fi
+-
+-	_info_nol "Building local database... "
+-	{
+-		echo "# Spectre & Meltdown Checker";
+-		echo "# %%% MCEDB v$dbversion";
+-		sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+-		sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD   AS t1 LEFT OUTER JOIN AMD   AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+-	} > "$mcedb_cache"
+-	echo DONE "(version $dbversion)"
+-
+-	if [ "$1" = builtin ]; then
+-		newfile=$(mktemp -t smc-builtin-XXXXXX)
+-		awk '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+-		awk '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+-		cat "$newfile" > "$0"
+-		rm -f "$newfile"
+-	fi
+-}
+-
+ parse_opt_file()
+ {
+ 	# parse_opt_file option_name option_value
+@@ -1067,12 +922,15 @@ while [ -n "${1:-}" ]; do
+ 		# deprecated, kept for compatibility
+ 		opt_explain=0
+ 		shift
+-	elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then
+-		update_fwdb
+-		exit $?
+-	elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
+-		update_fwdb builtin
+-		exit $?
++	elif [ "$1" = "--with-fwdb" ] || [ "$1" = "--with-mcedb" ]; then
++	        opt_fwdb=$2
++		if [ -f "$opt_fwdb" ]; then
++		        mcedb_cache=$2
++		else
++		        echo "$0: error: --with-fwdb should be a file, got '$opt_fwdb'" >&2
++		        exit 255
++		fi
++		shift 2
+ 	elif [ "$1" = "--dump-mock-data" ]; then
+ 		opt_mock=1
+ 		shift
+@@ -2033,21 +1891,11 @@ is_xen_domU()
+ 	fi
+ }
+ 
+-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ 	# we have a local cache file, but it might be older than the builtin version we have
+ 	local_dbversion=$(  awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+-	# sort -V sorts by version number
+-	older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | sort -V | head -n1)
+-	if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+-		mcedb_source="$mcedb_cache"
+-		mcedb_info="local firmwares DB $local_dbversion"
+-	fi
+-fi
+-# if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db
+-if [ -z "${mcedb_source:-}" ]; then
+-	mcedb_source="$0"
+-	mcedb_info="builtin firmwares DB $builtin_dbversion"
++	mcedb_source="$mcedb_cache"
++	mcedb_info="local firmwares DB $local_dbversion"
+ fi
+ read_mcedb()
+ {
+@@ -2063,7 +1911,9 @@ is_latest_known_ucode()
+ 		return 2
+ 	fi
+ 	ucode_latest="latest microcode version for your CPU model is unknown"
+-	if is_intel; then
++	if [ -z "$mcedb_source" ]; then
++	        return 2
++	elif is_intel; then
+ 		cpu_brand_prefix=I
+ 	elif is_amd; then
+ 		cpu_brand_prefix=A
+-- 
+2.38.1
+
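Review bot: `if [ -z "$mcedb_source" ]; then` in `is_latest_known_ucode` tests a variable that is only ever assigned inside the `if [ -r "$mcedb_cache" ]` block, and `mcedb_cache` itself is now only assigned by `--with-fwdb` because its default `mcedb_cache="$HOME/.mcedb"` is removed; under plain POSIX sh both expand to empty and the logic still works, but the surrounding file consistently guards possibly-unset variables with `${var:-}` (the cleanup lines, `while [ -n "${1:-}" ]`), which suggests it is meant to survive `set -u`, so I'd write `if [ -r "${mcedb_cache:-}" ]; then` and `if [ -z "${mcedb_source:-}" ]; then`. The new `--with-fwdb` branch also mixes 8-space and tab indentation on the `opt_fwdb=$2` and `mcedb_cache=$2` lines where the file uses tabs, and assigns `$2` twice where `mcedb_cache=$opt_fwdb` reads more clearly. Since the supplied file decides the "latest microcode" verdict and is read without any integrity check (as was true of the removed download), the usage line could say what is expected, e.g. `--with-fwdb FILE	supply a CPU microcode versions database (as produced by upstream's --update-fwdb); use only a file you trust`. `is_latest_known_ucode` starts outside the last nested hunk.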
diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
new file mode 100644
index 0000000000..afec52b418
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
@@ -0,0 +1,26 @@ 
+From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 5 Nov 2022 23:22:31 +0800
+Subject: [PATCH] Add support for Guix System kernel.
+
+---
+ spectre-meltdown-checker.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 248a444..855a090 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
+ 		[ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
+ 		# NixOS:
+ 		[ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
++		# Guix System:
++		[ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ 		# systemd kernel-install:
+ 		[ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
+ 		# Clear Linux:
+
+base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
+--
+2.38.0
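Review bot: The added `[ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel=…` only yields the right result because it follows the NixOS line: whenever `bzImage` exists under `/run/booted-system/kernel`, that path exists too, so the NixOS check also fires and assigns a directory to `opt_kernel`, which the Guix line then overwrites. That ordering dependency is invisible to anyone reordering the block, so I'd make it explicit: `# Guix System (keep after the NixOS line, which also matches here):`. The image name is also architecture-specific; if the Guix kernel package ships the image under another name on non-x86 systems (presumably `Image` on aarch64), detection silently falls through to the later generic checks, which deserves a note or a second test. The enclosing `if [ "$opt_live" = 1 ]` block starts and ends outside the hunk.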