[bug#59053] [PATCH] gnu: Add spectre-meltdown-checker.

[Liliana Marie Prikler]

merge 59053 49898
thanks

Hi Hilton,

thanks for the renewed interest in spectre-meltdown-checker.  See the
other thread for a general discussion, but I'll repeat the most
important points.

Am Samstag, dem 05.11.2022 um 23:57 +0800 schrieb Hilton Chain:
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch: New file.
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/local.mk (dist_patch_DATA): Add it.
Note that "Add it" lost its context because the new variable is between
it and the file added.
> ---
>  gnu/local.mk                                  |  1 +
>  gnu/packages/linux.scm                        | 41
> +++++++++++++++++++
>  ...n-checker-support-guix-system-kernel.patch | 26 ++++++++++++
>  3 files changed, 68 insertions(+)
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
> 
> diff --git a/gnu/local.mk b/gnu/local.mk
> index eb6ac3df58..88c1fa6278 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1848,6 +1848,7 @@ dist_patch_DATA
> =                                         \
>    %D%/packages/patches/syslinux-strip-gnu-property.patch       \
>    %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch      \
>    %D%/packages/patches/snappy-add-inline-for-GCC.patch         \
> +  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
>    %D%/packages/patches/sphinxbase-fix-doxygen.patch            \
>    %D%/packages/patches/spice-vdagent-glib-2.68.patch           \
>    %D%/packages/patches/sssd-optional-systemd.patch             \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index cf11a7fc1b..db199869a7 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9512,3 +9512,44 @@ (define-public tp-smapi-module
>  @acronym{SMAPI, System Management Application Program Interface} and
> direct
>  access to the embedded controller.")
>      (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> +  (package
> +    (name "spectre-meltdown-checker")
> +    (version "0.45")
> +    (source (origin
> +              (method git-fetch)
> +              (uri (git-reference
> +                    (url
> "https://github.com/speed47/spectre-meltdown-checker";)
> +                    (commit (string-append "v" version))))
> +              (file-name (git-file-name name version))
> +              (patches
> +               (search-patches
> +                ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> +                "spectre-meltdown-checker-support-guix-system-
> kernel.patch"))
> +              (sha256
> +               (base32
> +               
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> +    (build-system copy-build-system)
> +    (arguments
> +     (list #:install-plan
> +           #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> +           #:phases
> +           #~(modify-phases %standard-phases
> +               (add-after 'unpack 'fixpath
> +                 (lambda* (#:key inputs #:allow-other-keys)
> +                   (substitute* "spectre-meltdown-checker.sh"
> +                     (("\\$\\{opt_arch_prefix\\}readelf")
> +                      (search-input-file inputs "/bin/readelf"))
> +                     (("perl")
> +                      (search-input-file inputs "/bin/perl"))))))))
I'm pretty sure readelf and perl are not the only commands invoked.


> +    (inputs (list binutils perl))
> +    (home-page
> "https://github.com/speed47/spectre-meltdown-checker";)
> +    (synopsis
> +     "Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad
> vulnerability /
> +mitigation checker for Linux & BSD")
"for Linux & BSD" is gratuitous information imho.
As for the vulnerabilities listed in the synopsis surely there must be
a way of shortening that.
> +    (description
> +     "A shell script to assess your system's resilience against the
> several
> +transient execution CVEs that were published since early 2018, and
> give you
> +guidance as to how to mitigate them.")
Not a full sentence.
> +    (license license:gpl3)))
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-
> guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-
> checker-support-guix-system-kernel.patch
> new file mode 100644
> index 0000000000..afec52b418
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-
> system-kernel.patch
> @@ -0,0 +1,26 @@
> +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Sat, 5 Nov 2022 23:22:31 +0800
> +Subject: [PATCH] Add support for Guix System kernel.
> +
> +---
> + spectre-meltdown-checker.sh | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 248a444..855a090 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
> +               [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> +               # NixOS:
> +               [ -e "/run/booted-system/kernel" ] &&
> opt_kernel="/run/booted-system/kernel"
> ++              # Guix System:
> ++              [ -e "/run/booted-system/kernel/bzImage" ] &&
> opt_kernel="/run/booted-system/kernel/bzImage"
> +               # systemd kernel-install:
> +               [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux"
> +               # Clear Linux:
> +
> +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
> +--
> +2.38.0
> 
> base-commit: 2211f50ec1ebcf5f880454b4133ac40e41abac21
This patch LGTM.

Note that as discussed in the other thread, we'd also want the checker
to not download proprietary firmware.  Could you adjust the package
accordingly?

Cheers