[PATCH] gnu: Add spectre-meltdown-checker.

--

2.32.0

Hi,

Am Donnerstag, den 05.08.2021, 17:00 +0000 schrieb phodina:

Version should be "0.44".

Use (string-append "v" version).

copy-build-system needs an install plan to be meaningful.

"the several CVEs" is quite an obscure formulation if correct English.

Just "several CVEs" should mean about the same while being more

understandable.

Not sure if we want to maintain this enumeration tbh.

Regards

Thanks Leo for the suggestions!

-------------------

--

2.32.0

Hi,

Am Samstag, den 07.08.2021, 09:04 +0000 schrieb phodina:

We typically sort inputs alphabetically.

This looks better, but after running the checker in a few

configurations (it doesn't appear to make a difference whether with or

without root, but judging from the papers some attacks would require

sudo) I've noticed that commands are insufficiently hardcoded.

For instance, the check for Spectre Variant 1 requires perl, which is

not available and the line stating so is hidden well among a large wall

of output.

Likewise, I don't think simply including binutils does anything, you'll

have to patch those in as well if you want them.

Regards,

Yes, it's unfortunately well hidden and there seems to be a mix of tools also

available only for BSD. I wanted to run it in pure environment and with =-e=

but there are many condtitions that exit at once.

So I went throught the whole script and listed the commands.

Not sure regarding the admin priviledges. I'll create issue on the upstream

regarding the requirements. The Dockerfile gives some hints but it's not exhaustive.

Kind regards,

Petr

-----------------------------------------------------

--

2.32.0

Hi,

Am Sonntag, den 08.08.2021, 11:05 +0000 schrieb phodina:

I don't think the BSD ones should be too much of an issue, but if we

ever decide to ship a BSD kernel, that might become relevant.

As far as I can see, I don't think it claims sudo on your behalf, so

that should be fine.

Why both?

Are you sure that mere presence of these packages as inputs will do

anything to patch them? Because I'm not so much.

Regards

Hi Leo,

I've substituted most of the commands. The only commands at the moment are echo and printf. I haven't found regexp that would work as they are text is also used for variables.

Otherwise the rest of the commands should be covered.

Hi Petr,

Am Samstag, den 18.09.2021, 15:25 +0000 schrieb phodina:

I don't think Hungarian notation is very helpful here.

There are multiple ways of handling this, but I thing the best one

would be to substitute both `command -v printf' and `which echo' with

the path to false, then match the line

[ -z "$echo_cmd" ] && echo_cmd='echo'

and instead put there

echo_cmd_type='printf'

echo_cmd=(path-to "/bin/printf")

Group those that need spaces and those that don't together, with an

explanation as to why those two groups exist.

Why both?

Hi Liliana,

I've used the wrap-program as an alternative to the your suggested solution.

Going through the program there is a function update_fwdb [1] that downloads and updates database files when the script is executed with the --update-fwdb argument.

I've added both files [2][3] in question to the lists of inputs.

However, since they are supposed to be updated at runtime (stored in $HOME) I don't know to represent this in the package definition.

Could you please suggest how to proceed?

----

Petr

[1] https://github.com/speed47/spectre-meltdown-checker/blob/master/spectre-meltdown-checker.sh#L838

[2] https://github.com/platomav/MCExtractor/raw/master/MCE.db

[3] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip

Hi Petr,

sorry for the very late reply. Are you still interested in adding

spectre-meltdown-checker? If so, there's a new version out. Also...

Am Dienstag, dem 07.12.2021 um 22:04 +0000 schrieb phodina:

That does work, but remains quite inelegant.

I'd suggest removing that functionality as well as the associated

inputs (i.e. curl etc., not the databases). Even if it's treated as

"just data", users should be able to specify on their own the data to

check against. Perhaps you could suggest to upstream that adding --

fwdb /path/to/fwdb might be useful?

Since this patch is rather old, there are a few style-related changes

that should also be incorporated:

Use a list of G-Expressions.

You can use (search-input-file inputs "/bin/CMD") to search CMD from

inputs.

You can drop the input labels, but you'll have to find another way to

pass the firmware databases. Speaking of which, is anything even done

with those? Could we add (a) separate package(s) with those databases

instead?

Cheers

Hi,

Yes I'm still interested in upstreaming this package. True, in the meantime a lot has happened and I'll prepare a patch with simplified inputs and Gexps.

Also the databases will be in separate packages and just put into the inputs and linked correctly.

And I'll also update the package version.

Unfortunately HW issues will remain with us for long and it's useful to have some way to check for them.

FIY I'm currently also in process of packaging other stuff so it might take some time.

----

Petr

Hi!

here's updated patch set:

- The version has been updated.

- It uses gexps.

- There are now 3 packages (intelfw and mcextractor are new).

There is the issue with Intel license. Not sure if it can be included.

The intelfw and mcextractor are used in the shell function update_fwdb. It might be better to create a patch, remove the download functionality and point it to /gnu/store for the package inputs. What do you think?

----

Petr

Am Freitag, dem 01.07.2022 um 21:57 +0000 schrieb phodina:

I don't think it can. In my humble opinion, microcode counts as very

functional data and should thus be distributed under a free license.

mcextractor OTOH looks good to me, even if its main purpose is to

handle these binary blobs.

As already outlined, I think we should go with a "please provide your

firmware via command line option if you think that makes a difference"

approach, assuming unpatched firmware if none is passed. Since Guix

doesn't actually distribute any of Intel's or AMD's blobs, that is the

correct behaviour, both ethically and functionally.

Cheers

merge 59053 49898

thanks

Hi Hilton,

thanks for the renewed interest in spectre-meltdown-checker. See the

other thread for a general discussion, but I'll repeat the most

important points.

Am Samstag, dem 05.11.2022 um 23:57 +0800 schrieb Hilton Chain:

Note that "Add it" lost its context because the new variable is between

it and the file added.

I'm pretty sure readelf and perl are not the only commands invoked.

"for Linux & BSD" is gratuitous information imho.

As for the vulnerabilities listed in the synopsis surely there must be

a way of shortening that.

Not a full sentence.

This patch LGTM.

Note that as discussed in the other thread, we'd also want the checker

to not download proprietary firmware. Could you adjust the package

accordingly?

Cheers

tags 59053 + moreinfo

quit