Message ID | y76pme1e6ms.wl-hako@ultrarare.space |
---|---|
State | New |
Series | [bug#59053] gnu: Add spectre-meltdown-checker. |
Context | Check | Description |
---|---|---|
cbaines/comparison | success | View comparison |
cbaines/git-branch | success | View Git branch |
cbaines/applying patch | success | |
cbaines/issue | success | View issue |
merge 59053 49898
thanks

Hi Hilton,

thanks for the renewed interest in spectre-meltdown-checker.  See the
other thread for a general discussion, but I'll repeat the most
important points.

On Saturday, 05.11.2022 at 23:57 +0800, Hilton Chain wrote:
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch: New file.
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/local.mk (dist_patch_DATA): Add it.
Note that "Add it" lost its context because the new variable is between
it and the file added.
> ---
>  gnu/local.mk                                  |  1 +
>  gnu/packages/linux.scm                        | 41
> +++++++++++++++++++
>  ...n-checker-support-guix-system-kernel.patch | 26 ++++++++++++
>  3 files changed, 68 insertions(+)
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index eb6ac3df58..88c1fa6278 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1848,6 +1848,7 @@ dist_patch_DATA
> = \
>    %D%/packages/patches/syslinux-strip-gnu-property.patch \
>    %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch \
>    %D%/packages/patches/snappy-add-inline-for-GCC.patch \
> +  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
>    %D%/packages/patches/sphinxbase-fix-doxygen.patch \
>    %D%/packages/patches/spice-vdagent-glib-2.68.patch \
>    %D%/packages/patches/sssd-optional-systemd.patch \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index cf11a7fc1b..db199869a7 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9512,3 +9512,44 @@ (define-public tp-smapi-module
>  @acronym{SMAPI, System Management Application Program Interface} and
> direct
>  access to the embedded controller.")
>      (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> +  (package
> +    (name "spectre-meltdown-checker")
> +    (version "0.45")
> +    (source (origin
> +              (method git-fetch)
> +              (uri (git-reference
> +                    (url
> "https://github.com/speed47/spectre-meltdown-checker")
> +                    (commit (string-append "v" version))))
> +              (file-name (git-file-name name version))
> +              (patches
> +               (search-patches
> +                ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> +                "spectre-meltdown-checker-support-guix-system-
> kernel.patch"))
> +              (sha256
> +               (base32
> +
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> +    (build-system copy-build-system)
> +    (arguments
> +     (list #:install-plan
> +           #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> +           #:phases
> +           #~(modify-phases %standard-phases
> +               (add-after 'unpack 'fixpath
> +                 (lambda* (#:key inputs #:allow-other-keys)
> +                   (substitute* "spectre-meltdown-checker.sh"
> +                     (("\\$\\{opt_arch_prefix\\}readelf")
> +                      (search-input-file inputs "/bin/readelf"))
> +                     (("perl")
> +                      (search-input-file inputs "/bin/perl"))))))))
I'm pretty sure readelf and perl are not the only commands invoked.
> +    (inputs (list binutils perl))
> +    (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> +    (synopsis
> +     "Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad
> vulnerability /
> +mitigation checker for Linux & BSD")
"for Linux & BSD" is gratuitous information imho.  As for the
vulnerabilities listed in the synopsis, surely there must be a way of
shortening that.
> +    (description
> +     "A shell script to assess your system's resilience against the
> several
> +transient execution CVEs that were published since early 2018, and
> give you
> +guidance as to how to mitigate them.")
Not a full sentence.
> +    (license license:gpl3)))
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-
> guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-
> checker-support-guix-system-kernel.patch
> new file mode 100644
> index 0000000000..afec52b418
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-
> system-kernel.patch
> @@ -0,0 +1,26 @@
> +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Sat, 5 Nov 2022 23:22:31 +0800
> +Subject: [PATCH] Add support for Guix System kernel.
> +
> +---
> + spectre-meltdown-checker.sh | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 248a444..855a090 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
> + 	[ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> + 	# NixOS:
> + 	[ -e "/run/booted-system/kernel" ] &&
> opt_kernel="/run/booted-system/kernel"
> ++	# Guix System:
> ++	[ -e "/run/booted-system/kernel/bzImage" ] &&
> opt_kernel="/run/booted-system/kernel/bzImage"
> + 	# systemd kernel-install:
> + 	[ -e "/etc/machine-id" ] && [ -e "/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux"
> + 	# Clear Linux:
> +
> +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
> +--
> +2.38.0
>
> base-commit: 2211f50ec1ebcf5f880454b4133ac40e41abac21
This patch LGTM.  Note that as discussed in the other thread, we'd also
want the checker to not download proprietary firmware.  Could you adjust
the package accordingly?

Cheers
diff --git a/gnu/local.mk b/gnu/local.mk index eb6ac3df58..88c1fa6278 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1848,6 +1848,7 @@ dist_patch_DATA = \ %D%/packages/patches/syslinux-strip-gnu-property.patch \ %D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \ %D%/packages/patches/snappy-add-inline-for-GCC.patch \ + %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \ %D%/packages/patches/sphinxbase-fix-doxygen.patch \ %D%/packages/patches/spice-vdagent-glib-2.68.patch \ %D%/packages/patches/sssd-optional-systemd.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index cf11a7fc1b..db199869a7 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm 
@@ -9512,3 +9512,44 @@ (define-public tp-smapi-module @acronym{SMAPI, System Management Application Program Interface} and direct access to the embedded controller.") (license license:gpl2+))) + +(define-public spectre-meltdown-checker + (package + (name "spectre-meltdown-checker") + (version "0.45") + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/speed47/spectre-meltdown-checker") + (commit (string-append "v" version)))) + (file-name (git-file-name name version)) + (patches + (search-patches + ;; https://github.com/speed47/spectre-meltdown-checker/pull/441 + "spectre-meltdown-checker-support-guix-system-kernel.patch")) + (sha256 + (base32 + "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8")))) + (build-system copy-build-system) + (arguments + (list #:install-plan + #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker")) + #:phases + #~(modify-phases %standard-phases + (add-after 'unpack 'fixpath + (lambda* (#:key inputs #:allow-other-keys) + (substitute* "spectre-meltdown-checker.sh" + (("\\$\\{opt_arch_prefix\\}readelf") + (search-input-file inputs "/bin/readelf")) + (("perl") + (search-input-file inputs "/bin/perl")))))))) + (inputs (list binutils perl)) + (home-page "https://github.com/speed47/spectre-meltdown-checker") + (synopsis + "Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad vulnerability / +mitigation checker for Linux & BSD") + (description + "A shell script to assess your system's resilience against the several +transient execution CVEs that were published since early 2018, and give you +guidance as to how to mitigate them.") + (license license:gpl3))) diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch new file mode 100644 index 0000000000..afec52b418 --- /dev/null +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch 
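Review bot: The second pattern in the `fixpath` phase, `(("perl") (search-input-file inputs "/bin/perl"))`, is an unanchored regexp, so `substitute*` rewrites every occurrence of the substring `perl` in the script (in comments, messages and identifiers as well as at the actual invocations), which can corrupt unrelated text. Anchor it to the command position (a word boundary plus the following separator, or only the lines that invoke the interpreter), or drop the substitutions altogether and `wrap-program` the installed `bin/spectre-meltdown-checker` so that the `bin` directories of `binutils` and `perl` are prepended to `PATH`; that also covers the other external tools the script calls, which the current two substitutions leave unresolved. The first pattern has a side effect worth a comment: replacing `${opt_arch_prefix}readelf` with the absolute path of the native `readelf` removes the `opt_arch_prefix` expansion, so whatever option sets that variable no longer affects which `readelf` runs.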
@@ -0,0 +1,26 @@ +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001 +From: Hilton Chain <hako@ultrarare.space> +Date: Sat, 5 Nov 2022 23:22:31 +0800 +Subject: [PATCH] Add support for Guix System kernel. + +--- + spectre-meltdown-checker.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh +index 248a444..855a090 100755 +--- a/spectre-meltdown-checker.sh ++++ b/spectre-meltdown-checker.sh +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then + [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)" + # NixOS: + [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel" ++ # Guix System: ++ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage" + # systemd kernel-install: + [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux" + # Clear Linux: + +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183 +-- +2.38.0
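Review bot: The new Guix System test only works because of its position relative to the NixOS line two lines above it: that line tests `[ -e "/run/booted-system/kernel" ]`, and since the new line looks for a file inside that path, `/run/booted-system/kernel` is a directory on Guix System, the NixOS test also succeeds there and assigns a directory to `opt_kernel`, which the Guix assignment then overrides only because it comes later. Either record that dependency in the comment (`# Guix System (keep after the NixOS check):`) or tighten the NixOS test to `[ -f "/run/booted-system/kernel" ]` so the two cannot both match. Also, `bzImage` is the image name the x86 kernel build produces; on non-x86 architectures the image is named differently, so this check falls through there. Finally, the patch body is empty below `Subject: [PATCH] Add support for Guix System kernel.`; a sentence on where Guix System exposes the booted kernel would help upstream (PR 441) judge the change.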