From patchwork Sun Aug 8 11:05:49 2021
X-Patchwork-Submitter: phodina
X-Patchwork-Id: 31882
Subject: [bug#49898] [PATCH v3] gnu: Add spectre-meltdown-checker.
To: 49898@debbugs.gnu.org
Cc: Leo Prikler
Date: Sun, 08 Aug 2021 11:05:49 +0000
From: phodina

> > This looks better, but after running the checker in a few
> > configurations (it doesn't appear to make a difference whether with or
> > without root, but judging from the papers some attacks would require
> > sudo) I've noticed that commands are insufficiently hardcoded.
> > For instance, the check for Spectre Variant 1 requires perl, which is
> > not available and the line stating so is hidden well among a large wall
> > of output.
> > Likewise, I don't think simply including binutils does anything; you'll
> > have to patch those in as well if you want them.
> > Regards,

Yes, it's unfortunately well hidden and there seems to be a mix of tools also available only for BSD. I wanted to run it in a pure environment and with =-e= but there are many conditions that exit at once. So I went through the whole script and listed the commands.

Not sure regarding the admin privileges. I'll create an issue on the upstream regarding the requirements. The Dockerfile gives some hints but it's not exhaustive.

Kind regards,
Petr

-----------------------------------------------------

* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
---
2.32.0

diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 4ca2a386e1..24f7d43b33 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm @@ -53,6 +53,7 @@ ;;; Copyright © 2020 pukkamustard ;;; Copyright © 2021 B. Wilson ;;; Copyright © 2021 Ivan Gankevich +;;; Copyright © 2021 Petr Hodina ;;; ;;; This file is part of GNU Guix. ;;; @@ -137,6 +138,7 @@ #:use-module (gnu packages video) #:use-module (gnu packages vulkan) #:use-module (gnu packages web) + #:use-module (gnu packages wget) #:use-module (gnu packages xiph) #:use-module (gnu packages xml) #:use-module (gnu packages xdisorg)
@@ -148,6 +150,7 @@ #:use-module (guix build-system cmake) #:use-module (guix build-system gnu) #:use-module (guix build-system go) + #:use-module (guix build-system copy) #:use-module (guix build-system meson) #:use-module (guix build-system python) #:use-module (guix build-system trivial) @@ -7191,6 +7194,44 @@ interfaces in parallel environments.") (supported-systems '("i686-linux" "x86_64-linux")) (license (list license:bsd-2 license:gpl2)))) ;dual +(define-public spectre-meltdown-checker +(package + (name "spectre-meltdown-checker") + (version "0.44") + (source (origin + (method git-fetch) + (uri (git-reference + (url "https://github.com/speed47/spectre-meltdown-checker") + (commit (string-append "v" version)))) + (file-name (git-file-name name version)) + (sha256 + (base32 + "1b47wlc52jnp2d5c7kbqnxmlm4g3cfbv25q30llv5mlmzs6d7bam")))) + (build-system copy-build-system) + (arguments + `(#:install-plan '(("spectre-meltdown-checker.sh" + "bin/spectre-meltdown-checker.sh")))) + (inputs `(("binutils" ,binutils) + ("coreutils",coreutils) + ("gawk" ,gawk) + ("gzip" ,gzip) + ("lzop" ,lzop) + ("perl" ,perl) + ("procps" ,procps) + ("sqlite" ,sqlite) + ("util-linux" ,util-linux) + ("util-linux-with-udev" ,util-linux+udev) + ("wget" ,wget) + ("which" ,which) + ("xz" ,xz) + ("zstd" ,zstd))) + (synopsis "Spectre, Meltdown ... vulnerability/mitigation checker") + (description "A shell script to assess your system's resilience against +the several transient execution CVEs that were published since early 2018, +and give you guidance as to how to mitigate them.") + (home-page "https://github.com/speed47/spectre-meltdown-checker") + (license license:gpl3))) + (define-public snapscreenshot (package (name "snapscreenshot")
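Review bot: in the `spectre-meltdown-checker` hunk, nothing in the build ever refers to the fourteen entries of `(inputs ...)`, and `copy-build-system` only copies `spectre-meltdown-checker.sh` into `bin/`, so at run time the installed script still looks up `perl`, `objdump`, `sqlite3`, `wget` and the rest on the user's PATH; that is the "requires perl, which is not available" failure quoted above, and listing the tools as inputs only keeps them from being garbage-collected. Add a phase after `install` that calls `wrap-program` on `bin/spectre-meltdown-checker.sh` to prefix PATH with each input's `bin/` directory (or `substitute*` absolute store paths into the script for the commands it invokes), so the listed inputs are actually used; otherwise drop the ones the script cannot reach. Smaller points in the same hunk: `("coreutils",coreutils)` is missing the space before the comma, `(package` should be indented two spaces under `define-public` as `snapscreenshot` below does, the installed name would conventionally lose the `.sh` suffix (`"bin/spectre-meltdown-checker"`), and the synopsis `"Spectre, Meltdown ... vulnerability/mitigation checker"` reads better without the ellipsis, e.g. `"Spectre and Meltdown vulnerability and mitigation checker"`.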