me/guix
Archived
1
0
Fork 0
Code Activity

gnu: spectre-meltdown-checker: Update to 0.46.

Browse source 
* gnu/packages/patches/spectre-meltdown-checker-externalize-fwdb.patch: Update
patch.
* gnu/packages/patches/spectre-meltdown-checker-find-kernel.patch: Delete file
* gnu/local.mk (dist_patch_DATA): Remove it.
* gnu/packages/linux.scm (spectre-meltdown-checker): Update to 0.46.
[#:phases]<fixpath>: Correct name for bunzip2.
Substitute lzop and mktemp as well.
This commit is contained in:
Hilton Chain 2023-07-27 14:42:59 +08:00
parent 5f81d31aa4
commit 99a46ecb26
No known key found for this signature in database
GPG key ID: ACC66D09CA528292
4 changed files with 96 additions and 53 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
gnu/local.mk
View file

@ -1984,7 +1984,6 @@ dist_patch_DATA = \
%D%/packages/patches/softhsm-fix-openssl3-tests.patch \ %D%/packages/patches/softhsm-fix-openssl3-tests.patch \
%D%/packages/patches/spectre-meltdown-checker-externalize-fwdb.patch \ %D%/packages/patches/spectre-meltdown-checker-externalize-fwdb.patch \
%D%/packages/patches/spdlog-fix-tests.patch \ %D%/packages/patches/spdlog-fix-tests.patch \
%D%/packages/patches/spectre-meltdown-checker-find-kernel.patch \
%D%/packages/patches/sphinxbase-fix-doxygen.patch \ %D%/packages/patches/sphinxbase-fix-doxygen.patch \
%D%/packages/patches/sssd-system-directories.patch \ %D%/packages/patches/sssd-system-directories.patch \
%D%/packages/patches/steghide-fixes.patch \ %D%/packages/patches/steghide-fixes.patch \

13
gnu/packages/linux.scm
View file

@ -10349,7 +10349,7 @@ error detection and correction (EDAC).")
(define-public spectre-meltdown-checker (define-public spectre-meltdown-checker
(package (package
(name "spectre-meltdown-checker") (name "spectre-meltdown-checker")
(version "0.45") (version "0.46")
(source (origin (source (origin
(method git-fetch) (method git-fetch)
(uri (git-reference (uri (git-reference
@ -10358,15 +10358,14 @@ error detection and correction (EDAC).")
(file-name (git-file-name name version)) (file-name (git-file-name name version))
(patches (patches
(search-patches (search-patches
"spectre-meltdown-checker-externalize-fwdb.patch" "spectre-meltdown-checker-externalize-fwdb.patch"))
"spectre-meltdown-checker-find-kernel.patch"))
;; Remove builtin firmware database. ;; Remove builtin firmware database.
(modules '((guix build utils))) (modules '((guix build utils)))
(snippet '(substitute* "spectre-meltdown-checker.sh" (snippet '(substitute* "spectre-meltdown-checker.sh"
(("^# [AI],.*") ""))) (("^# [AI],.*") "")))
(sha256 (sha256
(base32 (base32
"1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8")))) "0j42p6dayb7k87kf8sqimxlaswis3qh0569a15zccyknv9vf129k"))))
(build-system copy-build-system) (build-system copy-build-system)
(arguments (arguments
(list (list
@ -10385,11 +10384,11 @@ error detection and correction (EDAC).")
(find-command inputs cmd)) (find-command inputs cmd))
;; Commands safe to substitute directly. ;; Commands safe to substitute directly.
(("\\<(awk|(base|dir)name|bunzip|g(un)?zip|lz4)\\>" all cmd) (("\\<(awk|(base|dir)name|bunzip2|g(un)?zip|lz4)\\>" all cmd)
(find-command inputs cmd)) (find-command inputs cmd))
(("\\<(modprobe|pgrep|rmmod|umount|unlzma)\\>" all cmd) (("\\<(lzop|mktemp|modprobe|pgrep|rmmod|umount)\\>" all cmd)
(find-command inputs cmd)) (find-command inputs cmd))
(("\\<(unxz|unzstd|uuencode)\\>" all cmd) (("\\<(unlzma|unxz|unzstd|uuencode)\\>" all cmd)
(find-command inputs cmd)) (find-command inputs cmd))
;; Commands which should only be substituted based on their ;; Commands which should only be substituted based on their

109
gnu/packages/patches/spectre-meltdown-checker-externalize-fwdb.patch
View file

@ -1,27 +1,28 @@
From 340b08737e552c3c186863d76d123808d853a159 Mon Sep 17 00:00:00 2001 From 8caeb440a176cb7f8908403da51106c74e2b5cb8 Mon Sep 17 00:00:00 2001
From: Hilton Chain <hako@ultrarare.space> From: Hilton Chain <hako@ultrarare.space>
Date: Sat, 12 Nov 2022 22:45:24 +0800 Date: Thu, 27 Jul 2023 14:45:14 +0800
Subject: [PATCH] Replace fwdb downloader with a local file option. Subject: [PATCH] Replace fwdb downloader with a local file option.
Also warn about non-free software. Also warn about non-free software.
--- ---
spectre-meltdown-checker.sh | 180 +++--------------------------------- spectre-meltdown-checker.sh | 253 +++---------------------------------
1 file changed, 15 insertions(+), 165 deletions(-) 1 file changed, 17 insertions(+), 236 deletions(-)
diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 30f760c..ce46970 100755 index e7b6b33..33bdf71 100755
--- a/spectre-meltdown-checker.sh --- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh +++ b/spectre-meltdown-checker.sh
@@ -22,8 +22,6 @@ exit_cleanup() @@ -23,9 +23,6 @@ exit_cleanup()
[ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config" [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
[ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp" [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp"
[ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2" [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2"
- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm -f "$mcedb_tmp" - [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm -f "$mcedb_tmp"
- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm -rf "$intel_tmp" - [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm -rf "$intel_tmp"
- [ -n "${linuxfw_tmp:-}" ] && [ -f "$linuxfw_tmp" ] && rm -f "$linuxfw_tmp"
[ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
[ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null
[ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
@@ -93,9 +91,9 @@ show_usage() @@ -97,9 +94,9 @@ show_usage()
--vmm [auto,yes,no] override the detection of the presence of a hypervisor, default: auto --vmm [auto,yes,no] override the detection of the presence of a hypervisor, default: auto
--allow-msr-write allow probing for write-only MSRs, this might produce kernel logs or be blocked by your system --allow-msr-write allow probing for write-only MSRs, this might produce kernel logs or be blocked by your system
--cpu [#,all] interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0) --cpu [#,all] interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
@ -34,10 +35,33 @@ index 30f760c..ce46970 100755
--dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script --dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script
Return codes: Return codes:
@@ -837,147 +833,6 @@ show_header() @@ -858,217 +855,6 @@ show_header()
_info _info
} }
-# Family-Model-Stepping to CPUID
-# prints CPUID in base-10 to stdout
-fms2cpuid()
-{
- _family="$1"
- _model="$2"
- _stepping="$3"
-
- if [ "$(( _family ))" -le 15 ]; then
- _extfamily=0
- _lowfamily=$(( _family ))
- else
- # when we have a family > 0xF, then lowfamily is stuck at 0xF
- # and extfamily is ADDED to it (as in "+"), to ensure old software
- # never sees a lowfamily < 0xF for newer families
- _lowfamily=15
- _extfamily=$(( (_family) - 15 ))
- fi
- _extmodel=$(( (_model & 0xF0 ) >> 4 ))
- _lowmodel=$(( (_model & 0x0F ) >> 0 ))
- echo $(( (_stepping & 0x0F) | (_lowmodel << 4) | (_lowfamily << 8) | (_extmodel << 16) | (_extfamily << 20) ))
-}
-
-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)" -[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
-mcedb_cache="$HOME/.mcedb" -mcedb_cache="$HOME/.mcedb"
-update_fwdb() -update_fwdb()
@ -97,13 +121,15 @@ index 30f760c..ce46970 100755
- echo ERROR "please install the \`sqlite3\` program" - echo ERROR "please install the \`sqlite3\` program"
- return 1 - return 1
- fi - fi
- mcedb_revision=$(sqlite3 "$mcedb_tmp" "select revision from MCE") - mcedb_revision=$(sqlite3 "$mcedb_tmp" "SELECT \"revision\" from \"MCE\"")
- if [ -z "$mcedb_revision" ]; then - if [ -z "$mcedb_revision" ]; then
- echo ERROR "downloaded file seems invalid" - echo ERROR "downloaded file seems invalid"
- return 1 - return 1
- fi - fi
- sqlite3 "$mcedb_tmp" "alter table Intel add column origin text" - sqlite3 "$mcedb_tmp" "ALTER TABLE \"Intel\" ADD COLUMN \"origin\" TEXT"
- sqlite3 "$mcedb_tmp" "update Intel set origin='mce'" - sqlite3 "$mcedb_tmp" "ALTER TABLE \"AMD\" ADD COLUMN \"origin\" TEXT"
- sqlite3 "$mcedb_tmp" "UPDATE \"Intel\" SET \"origin\"='mce'"
- sqlite3 "$mcedb_tmp" "UPDATE \"AMD\" SET \"origin\"='mce'"
- -
- echo OK "MCExtractor database revision $mcedb_revision" - echo OK "MCExtractor database revision $mcedb_revision"
- -
@ -141,7 +167,7 @@ index 30f760c..ce46970 100755
- _version=$(echo "$_line" | awk '{print $8}') - _version=$(echo "$_line" | awk '{print $8}')
- _version=$(( _version )) - _version=$(( _version ))
- _version=$(printf "0x%08X" "$_version") - _version=$(printf "0x%08X" "$_version")
- _sqlstm="$(printf "INSERT INTO Intel (origin,cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")" - _sqlstm="$(printf "INSERT INTO \"Intel\" (\"origin\",\"cpuid\",\"version\",\"yyyymmdd\") VALUES ('%s','%s','%s','%s');" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")"
- sqlite3 "$mcedb_tmp" "$_sqlstm" - sqlite3 "$mcedb_tmp" "$_sqlstm"
- done - done
- _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null) - _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
@ -150,10 +176,52 @@ index 30f760c..ce46970 100755
- _intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp") - _intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp")
- else - else
- echo "Falling back to the latest microcode date" - echo "Falling back to the latest microcode date"
- _intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT yyyymmdd from Intel WHERE origin = 'intel' ORDER BY yyyymmdd DESC LIMIT 1;") - _intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT \"yyyymmdd\" FROM \"Intel\" WHERE \"origin\"='intel' ORDER BY \"yyyymmdd\" DESC LIMIT 1;")
- fi - fi
- echo DONE "(version $_intel_latest_date)" - echo DONE "(version $_intel_latest_date)"
- -
- # now parse the most recent linux-firmware amd-ucode README file
- _info_nol "Fetching latest amd-ucode README from linux-firmware project... "
- linuxfw_url="https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd-ucode/README"
- linuxfw_tmp=$(mktemp -t smc-linuxfw-XXXXXX)
- if command -v wget >/dev/null 2>&1; then
- wget -q "$linuxfw_url" -O "$linuxfw_tmp"; ret=$?
- elif command -v curl >/dev/null 2>&1; then
- curl -sL "$linuxfw_url" -o "$linuxfw_tmp"; ret=$?
- elif command -v fetch >/dev/null 2>&1; then
- fetch -q "$linuxfw_url" -o "$linuxfw_tmp"; ret=$?
- else
- echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
- return 1
- fi
- if [ "$ret" != 0 ]; then
- echo ERROR "error $ret while downloading linux-firmware README"
- return $ret
- fi
- echo DONE
-
- _info_nol "Parsing the README... "
- nbfound=0
- for line in $(grep -E 'Family=0x[0-9a-f]+ Model=0x[0-9a-f]+ Stepping=0x[0-9a-f]+: Patch=0x[0-9a-f]+' "$linuxfw_tmp" | tr " " ","); do
- _debug "Parsing line $line"
- _family=$( echo "$line" | grep -Eoi 'Family=0x[0-9a-f]+' | cut -d= -f2)
- _model=$( echo "$line" | grep -Eoi 'Model=0x[0-9a-f]+' | cut -d= -f2)
- _stepping=$(echo "$line" | grep -Eoi 'Stepping=0x[0-9a-f]+' | cut -d= -f2)
- _version=$( echo "$line" | grep -Eoi 'Patch=0x[0-9a-f]+' | cut -d= -f2)
- _version=$(printf "0x%08X" "$(( _version ))")
- _cpuid=$(fms2cpuid "$_family" "$_model" "$_stepping")
- _cpuid=$(printf "0x%08X" "$_cpuid")
- _date="20000101"
- _sqlstm="$(printf "INSERT INTO \"AMD\" (\"origin\",\"cpuid\",\"version\",\"yyyymmdd\") VALUES ('%s','%s','%s','%s');" "linux-firmware" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")"
- _debug "family $_family model $_model stepping $_stepping cpuid $_cpuid"
- _debug "$_sqlstm"
- sqlite3 "$mcedb_tmp" "$_sqlstm"
- nbfound=$((nbfound + 1))
- unset _family _model _stepping _version _cpuid _date _sqlstm
- done
- echo "found $nbfound microcodes"
- unset nbfound
-
- dbversion="$mcedb_revision+i$_intel_latest_date" - dbversion="$mcedb_revision+i$_intel_latest_date"
- -
- if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [ "$previous_dbversion" = "v$dbversion" ]; then - if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [ "$previous_dbversion" = "v$dbversion" ]; then
@ -165,8 +233,11 @@ index 30f760c..ce46970 100755
- { - {
- echo "# Spectre & Meltdown Checker"; - echo "# Spectre & Meltdown Checker";
- echo "# %%% MCEDB v$dbversion"; - echo "# %%% MCEDB v$dbversion";
- sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,'; - # ensure the official Intel DB always has precedence over mcedb, even if mcedb has seen a more recent fw
- sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,'; - sqlite3 "$mcedb_tmp" "DELETE FROM \"Intel\" WHERE \"origin\"!='intel' AND \"cpuid\" IN (SELECT \"cpuid\" FROM \"Intel\" WHERE \"origin\"='intel' GROUP BY \"cpuid\" ORDER BY \"cpuid\" ASC);"
- # we'll use the more recent fw for Intel and AMD
- sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||\"t1\".\"cpuid\"||',0x'||MAX(\"t1\".\"version\")||','||\"t1\".\"yyyymmdd\" FROM \"Intel\" AS \"t1\" LEFT OUTER JOIN \"Intel\" AS \"t2\" ON \"t2\".\"cpuid\"=\"t1\".\"cpuid\" AND \"t2\".\"yyyymmdd\" > \"t1\".\"yyyymmdd\" WHERE \"t2\".\"yyyymmdd\" IS NULL GROUP BY \"t1\".\"cpuid\" ORDER BY \"t1\".\"cpuid\" ASC;" | grep -v '^# .,0x00000000,';
- sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||\"t1\".\"cpuid\"||',0x'||MAX(\"t1\".\"version\")||','||\"t1\".\"yyyymmdd\" FROM \"AMD\" AS \"t1\" LEFT OUTER JOIN \"AMD\" AS \"t2\" ON \"t2\".\"cpuid\"=\"t1\".\"cpuid\" AND \"t2\".\"yyyymmdd\" > \"t1\".\"yyyymmdd\" WHERE \"t2\".\"yyyymmdd\" IS NULL GROUP BY \"t1\".\"cpuid\" ORDER BY \"t1\".\"cpuid\" ASC;" | grep -v '^# .,0x00000000,';
- } > "$mcedb_cache" - } > "$mcedb_cache"
- echo DONE "(version $dbversion)" - echo DONE "(version $dbversion)"
- -
@ -182,7 +253,7 @@ index 30f760c..ce46970 100755
parse_opt_file() parse_opt_file()
{ {
# parse_opt_file option_name option_value # parse_opt_file option_name option_value
@@ -1067,12 +922,15 @@ while [ -n "${1:-}" ]; do @@ -1158,12 +944,15 @@ while [ -n "${1:-}" ]; do
# deprecated, kept for compatibility # deprecated, kept for compatibility
opt_explain=0 opt_explain=0
shift shift
@ -204,7 +275,7 @@ index 30f760c..ce46970 100755
elif [ "$1" = "--dump-mock-data" ]; then elif [ "$1" = "--dump-mock-data" ]; then
opt_mock=1 opt_mock=1
shift shift
@@ -2033,21 +1891,11 @@ is_xen_domU() @@ -2192,21 +1981,11 @@ is_xen_domU()
fi fi
} }
@ -228,7 +299,7 @@ index 30f760c..ce46970 100755
fi fi
read_mcedb() read_mcedb()
{ {
@@ -2063,7 +1911,9 @@ is_latest_known_ucode() @@ -2222,7 +2001,9 @@ is_latest_known_ucode()
return 2 return 2
fi fi
ucode_latest="latest microcode version for your CPU model is unknown" ucode_latest="latest microcode version for your CPU model is unknown"
@ -240,5 +311,5 @@ index 30f760c..ce46970 100755
elif is_amd; then elif is_amd; then
cpu_brand_prefix=A cpu_brand_prefix=A
-- --
2.38.1 2.41.0

26
gnu/packages/patches/spectre-meltdown-checker-find-kernel.patch
View file

@ -1,26 +0,0 @@
From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001
From: Hilton Chain <hako@ultrarare.space>
Date: Sat, 5 Nov 2022 23:22:31 +0800
Subject: [PATCH] Locate the kernel bzimage used by Guix System
---
spectre-meltdown-checker.sh | 2 ++
1 file changed, 2 insertions(+)
diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
index 248a444..855a090 100755
--- a/spectre-meltdown-checker.sh
+++ b/spectre-meltdown-checker.sh
@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
[ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
# NixOS:
[ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
+ # Guix System:
+ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
# systemd kernel-install:
[ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
# Clear Linux:
base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
--
2.38.0