[PATCH] gnu: Add spectre-meltdown-checker.

Details
3 participants
  • Hilton Chain
  • Liliana Marie Prikler
  • Christopher Baines
Owner
unassigned
Submitted by
Hilton Chain
Severity
normal
Merged with
Hilton Chain wrote on 5 Nov 2022 16:57
(address . guix-patches@gnu.org)
y76pme1e6ms.wl-hako@ultrarare.space
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch: New file.
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/local.mk (dist_patch_DATA): Add it.
---
gnu/local.mk | 1 +
gnu/packages/linux.scm | 41 +++++++++++++++++++
...n-checker-support-guix-system-kernel.patch | 26 ++++++++++++
3 files changed, 68 insertions(+)
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index eb6ac3df58..88c1fa6278 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1848,6 +1848,7 @@ dist_patch_DATA = \
%D%/packages/patches/syslinux-strip-gnu-property.patch \
%D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \
%D%/packages/patches/snappy-add-inline-for-GCC.patch \
+ %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
%D%/packages/patches/sphinxbase-fix-doxygen.patch \
%D%/packages/patches/spice-vdagent-glib-2.68.patch \
%D%/packages/patches/sssd-optional-systemd.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index cf11a7fc1b..db199869a7 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9512,3 +9512,44 @@ (define-public tp-smapi-module
@acronym{SMAPI, System Management Application Program Interface} and direct
access to the embedded controller.")
(license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+ (package
+ (name "spectre-meltdown-checker")
+ (version "0.45")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (patches
+ (search-patches
+ ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+ "spectre-meltdown-checker-support-guix-system-kernel.patch"))
+ (sha256
+ (base32
+ "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+ (build-system copy-build-system)
+ (arguments
+ (list #:install-plan
+ #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'fixpath
+ (lambda* (#:key inputs #:allow-other-keys)
+ (substitute* "spectre-meltdown-checker.sh"
+ (("\\$\\{opt_arch_prefix\\}readelf")
+ (search-input-file inputs "/bin/readelf"))
+ (("perl")
+ (search-input-file inputs "/bin/perl"))))))))
+ (inputs (list binutils perl))
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (synopsis
+ "Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad vulnerability /
+mitigation checker for Linux & BSD")
+ (description
+ "A shell script to assess your system's resilience against the several
+transient execution CVEs that were published since early 2018, and give you
+guidance as to how to mitigate them.")
+ (license license:gpl3)))
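Review bot: the second rule in the `fixpath` phase, `(("perl") (search-input-file inputs "/bin/perl"))`, matches the bare string `perl` anywhere in `spectre-meltdown-checker.sh`, not only where perl is invoked, so any occurrence inside a comment, a user-facing message or a longer word is rewritten to the store path as well; anchor the pattern on the exact invocation form, as the first rule does with `\\$\\{opt_arch_prefix\\}readelf`, or on a word boundary. The two substitutions also leave every other external tool the script runs (`uname` is visible in the bundled patch, for instance) resolved from the user's PATH at run time, so the phase should cover those commands too and their packages should be listed under `inputs`, otherwise the reported mitigation status depends on what happens to be installed on the machine being checked.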
diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
new file mode 100644
index 0000000000..afec52b418
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
@@ -0,0 +1,26 @@
+From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 5 Nov 2022 23:22:31 +0800
+Subject: [PATCH] Add support for Guix System kernel.
+
+---
+ spectre-meltdown-checker.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 248a444..855a090 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
+ [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
+ # NixOS:
+ [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
++ # Guix System:
++ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ # systemd kernel-install:
+ [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
+ # Clear Linux:
+
+base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
+--
+2.38.0
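Review bot: the new check `[ -e "/run/booted-system/kernel/bzImage" ]` hard-codes the x86 image name; does that file name hold on the other architectures Guix System supports? If it does not, the check silently falls through, and because the systemd kernel-install test that follows it also assigns `opt_kernel` when its path exists, a later match would override the Guix one anyway; if only x86 is intended, the `# Guix System:` comment should say so. The patch header body is also empty: one sentence stating that this is submitted upstream as speed47/spectre-meltdown-checker pull request 441, as the comment in linux.scm already records, would help whoever next updates the package decide whether the patch can be dropped.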

base-commit: 2211f50ec1ebcf5f880454b4133ac40e41abac21
--
2.38.0
Liliana Marie Prikler wrote on 5 Nov 2022 17:45
(address . control@debbugs.gnu.org)
dc352bee1b1599f6ba7cd291009f69c5946facd2.camel@gmail.com
merge 59053 49898
thanks

Hi Hilton,

thanks for the renewed interest in spectre-meltdown-checker. See the
other thread for a general discussion, but I'll repeat the most
important points.

On Saturday, 05.11.2022 at 23:57 +0800, Hilton Chain wrote:
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch: New file.
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/local.mk (dist_patch_DATA): Add it.
Note that "Add it" lost its context because the new variable is between
it and the file added.
> ---
>  gnu/local.mk                                  |  1 +
>  gnu/packages/linux.scm                        | 41
> +++++++++++++++++++
>  ...n-checker-support-guix-system-kernel.patch | 26 ++++++++++++
>  3 files changed, 68 insertions(+)
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index eb6ac3df58..88c1fa6278 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1848,6 +1848,7 @@ dist_patch_DATA
> =                                         \
>    %D%/packages/patches/syslinux-strip-gnu-property.patch       \
>    %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch      \
>    %D%/packages/patches/snappy-add-inline-for-GCC.patch         \
> +  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
>    %D%/packages/patches/sphinxbase-fix-doxygen.patch            \
>    %D%/packages/patches/spice-vdagent-glib-2.68.patch           \
>    %D%/packages/patches/sssd-optional-systemd.patch             \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index cf11a7fc1b..db199869a7 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9512,3 +9512,44 @@ (define-public tp-smapi-module
>  @acronym{SMAPI, System Management Application Program Interface} and
> direct
>  access to the embedded controller.")
>      (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> +  (package
> +    (name "spectre-meltdown-checker")
> +    (version "0.45")
> +    (source (origin
> +              (method git-fetch)
> +              (uri (git-reference
> +                    (url
> "https://github.com/speed47/spectre-meltdown-checker")
> +                    (commit (string-append "v" version))))
> +              (file-name (git-file-name name version))
> +              (patches
> +               (search-patches
> +                ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> +                "spectre-meltdown-checker-support-guix-system-
> kernel.patch"))
> +              (sha256
> +               (base32
> +               
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> +    (build-system copy-build-system)
> +    (arguments
> +     (list #:install-plan
> +           #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> +           #:phases
> +           #~(modify-phases %standard-phases
> +               (add-after 'unpack 'fixpath
> +                 (lambda* (#:key inputs #:allow-other-keys)
> +                   (substitute* "spectre-meltdown-checker.sh"
> +                     (("\\$\\{opt_arch_prefix\\}readelf")
> +                      (search-input-file inputs "/bin/readelf"))
> +                     (("perl")
> +                      (search-input-file inputs "/bin/perl"))))))))
I'm pretty sure readelf and perl are not the only commands invoked.


> +    (inputs (list binutils perl))
> +    (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> +    (synopsis
> +     "Spectre, Meltdown, Foreshadow, Fallout, RIDL, ZombieLoad
> vulnerability /
> +mitigation checker for Linux & BSD")
"for Linux & BSD" is gratuitous information imho.
As for the vulnerabilities listed in the synopsis, surely there must be
a way of shortening that.
> +    (description
> +     "A shell script to assess your system's resilience against the
> several
> +transient execution CVEs that were published since early 2018, and
> give you
> +guidance as to how to mitigate them.")
Not a full sentence.
> +    (license license:gpl3)))
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-
> guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-
> checker-support-guix-system-kernel.patch
> new file mode 100644
> index 0000000000..afec52b418
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-
> system-kernel.patch
> @@ -0,0 +1,26 @@
> +From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Sat, 5 Nov 2022 23:22:31 +0800
> +Subject: [PATCH] Add support for Guix System kernel.
> +
> +---
> + spectre-meltdown-checker.sh | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 248a444..855a090 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
> +               [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
> +               # NixOS:
> +               [ -e "/run/booted-system/kernel" ] &&
> opt_kernel="/run/booted-system/kernel"
> ++              # Guix System:
> ++              [ -e "/run/booted-system/kernel/bzImage" ] &&
> opt_kernel="/run/booted-system/kernel/bzImage"
> +               # systemd kernel-install:
> +               [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat
> /etc/machine-id)/$(uname -r)/linux"
> +               # Clear Linux:
> +
> +base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
> +--
> +2.38.0
>
> base-commit: 2211f50ec1ebcf5f880454b4133ac40e41abac21
This patch LGTM.

Note that as discussed in the other thread, we'd also want the checker
to not download proprietary firmware. Could you adjust the package
accordingly?

Cheers
Christopher Baines wrote on 6 Nov 2022 15:20
tag 59053 moreinfo
(address . control@debbugs.gnu.org)
87y1sow4er.fsf@cbaines.net
tags 59053 + moreinfo
quit
Hilton Chain wrote on 11 Nov 2022 12:10
[PATCH v2] gnu: Add spectre-meltdown-checker.
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)
y76k041d9w6.wl-hako@ultrarare.space
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
v1 -> v2:

gnu/local.mk | 3 +
gnu/packages/linux.scm | 53 +
...ker-remove-builtin-firmware-database.patch | 554 +++++
...cker-stage-commands-for-substitution.patch | 1947 +++++++++++++++++
...n-checker-support-guix-system-kernel.patch | 26 +
5 files changed, 2583 insertions(+)
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 27b31ea27f..d518cd8641 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1851,6 +1851,9 @@ dist_patch_DATA = \
%D%/packages/patches/syslinux-strip-gnu-property.patch \
%D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \
%D%/packages/patches/snappy-add-inline-for-GCC.patch \
+ %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
+ %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch \
+ %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \
%D%/packages/patches/sphinxbase-fix-doxygen.patch \
%D%/packages/patches/spice-vdagent-glib-2.68.patch \
%D%/packages/patches/sssd-optional-systemd.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 2c06269504..5a0d55833a 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9595,3 +9595,56 @@ (define-public edac-utils
error detection and correction (EDAC).")
(home-page "https://github.com/grondo/edac-utils")
(license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+ (package
+ (name "spectre-meltdown-checker")
+ (version "0.45")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (patches
+ (search-patches
+ ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+ "spectre-meltdown-checker-support-guix-system-kernel.patch"
+ ;; NOTE: Update these patches when updating.
+ "spectre-meltdown-checker-stage-commands-for-substitution.patch"
+ "spectre-meltdown-checker-remove-builtin-firmware-database.patch"))
+ (sha256
+ (base32
+ "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+ (build-system copy-build-system)
+ (arguments
+ (list #:install-plan
+ #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'fixpath
+ (lambda* (#:key inputs #:allow-other-keys)
+ (substitute* "spectre-meltdown-checker.sh"
+ (("@sysctl@") (search-input-file inputs "/sbin/sysctl"))
+ (("@([a-z0-9]*)@" _ m _)
+ (search-input-file inputs (string-append "/bin/" m)))))))))
+ (inputs
+ (list binutils
+ coreutils
+ grep
+ kmod
+ lz4
+ lzop
+ perl
+ procps
+ sharutils
+ util-linux
+ which
+ zstd))
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (synopsis "CPU vulnerability / mitigation checker")
+ (description
+ "This package provides a shell script to assess your system's resilience
+against the several transient execution CVEs that were published since early
+2018, and give you guidance as to how to mitigate them.")
+ (license license:gpl3)))
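Review bot: the generic rule `(("@([a-z0-9]*)@" _ m _) ...)` uses `*`, so an empty marker `@@` anywhere in the script would match and call `search-input-file` with `"/bin/"`, failing the build with a confusing error; `+` limits the rule to real placeholders. The trailing `_` binds nothing, since the pattern has a single group, and can be dropped. On the positive side, `search-input-file` raises when the file is absent, so this phase doubles as a build-time check that every `@command@` staged by the 1947-line stage-commands patch is backed by a package in `inputs`; the `NOTE: Update these patches when updating.` comment would be more useful if it spelled that out (re-stage the placeholders against the new upstream script, then let the build report any command whose package is missing from `inputs`).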
diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
new file mode 100644
index 0000000000..e926551550
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
@@ -0,0 +1,554 @@
+From ac4bb2e61e4e8d195d560014816e107b315817ff Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Fri, 11 Nov 2022 18:55:25 +0800
+Subject: [PATCH 2/2] Remove builtin firmware database.
+
+---
+ spectre-meltdown-checker.sh | 477 ++----------------------------------
+ 1 file changed, 27 insertions(+), 450 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 82cf1b6..79c4bb7 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -95,7 +95,6 @@ show_usage()
+ --cpu [#,all] interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
+ --update-fwdb update our local copy of the CPU microcodes versions database (using the awesome
+ MCExtractor project and the Intel firmwares GitHub repository)
+- --update-builtin-fwdb same as --update-fwdb but update builtin DB inside the script itself
+ --dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script
+
+ Return codes:
+@@ -853,9 +852,9 @@ update_fwdb()
+ mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)"
+ mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+ _info_nol "Fetching MCE.db from the MCExtractor project... "
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
++ # if command -v wget >/dev/null 2>&1; then
++ # wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
++ if command -v curl >/dev/null 2>&1; then
+ curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+ elif command -v fetch >/dev/null 2>&1; then
+ fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
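Review bot: neither `wget` nor `curl` nor `fetch` is in the package's `inputs`, so after this change `--update-fwdb` still depends on whatever download tool the user happens to have on PATH; if the wget branch is being disabled because it is not staged for substitution, the curl and fetch branches are in exactly the same position, so either stage the remaining commands and add their package to `inputs`, or state in the usage text that `--update-fwdb` requires curl. Commenting the branch out rather than deleting it also leaves dead code in the shipped script; removing the three lines keeps the patch smaller and its intent clearer.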
+@@ -874,9 +873,9 @@ update_fwdb()
+ intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+ _info_nol "Fetching Intel firmwares... "
+ ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
++ # if command -v wget >/dev/null 2>&1; then
++ # wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
++ if command -v curl >/dev/null 2>&1; then
+ curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+ elif command -v fetch >/dev/null 2>&1; then
+ fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+@@ -969,13 +968,13 @@ update_fwdb()
+ } > "$mcedb_cache"
+ echo DONE "(version $dbversion)"
+
+- if [ "$1" = builtin ]; then
+- newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
+- @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+- @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+- @cat@ "$newfile" > "$0"
+- @rm@ -f "$newfile"
+- fi
++ # if [ "$1" = builtin ]; then
++ # newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
++ # @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
++ # @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
++ # @cat@ "$newfile" > "$0"
++ # @rm@ -f "$newfile"
++ # fi
+ }
+
+ parse_opt_file()
+@@ -1070,9 +1069,9 @@ while [ -n "${1:-}" ]; do
+ elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then
+ update_fwdb
+ exit $?
+- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
+- update_fwdb builtin
+- exit $?
++ # elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
++ # update_fwdb builtin
++ # exit $?
+ elif [ "$1" = "--dump-mock-data" ]; then
+ opt_mock=1
+ shift
+@@ -2033,22 +2032,22 @@ is_xen_domU()
+ fi
+ }
+
+-builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
++# builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ # we have a local cache file, but it might be older than the builtin version we have
+ local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+ # sort -V sorts by version number
+- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1)
+- if [ "$older_dbversion" = "$builtin_dbversion" ]; then
++ # older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1)
++ # if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+ mcedb_source="$mcedb_cache"
+ mcedb_info="local firmwares DB $local_dbversion"
+- fi
++ # fi
+ fi
+ # if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db
+-if [ -z "${mcedb_source:-}" ]; then
+- mcedb_source="$0"
+- mcedb_info="builtin firmwares DB $builtin_dbversion"
+-fi
++# if [ -z "${mcedb_source:-}" ]; then
++# mcedb_source="$0"
++# mcedb_info="builtin firmwares DB $builtin_dbversion"
++# fi
+ read_mcedb()
+ {
+ @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / { DELIM=1 }' "$mcedb_source"
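Review bot: with the builtin database gone, the comments `# we have a local cache file, but it might be older than the builtin version we have` and `# if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db` no longer describe the code; update them to say the cache file is now the only source. More importantly, when `$mcedb_cache` is not readable both `mcedb_source` and `mcedb_info` are now left unset, so wherever the script later reports `$mcedb_info` the user sees an empty string instead of an explanation; assigning something like `mcedb_info="no firmwares DB, run --update-fwdb"` in an `else` branch tells them why the microcode-currency check came back unknown.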
+@@ -2070,6 +2069,9 @@ is_latest_known_ucode()
+ else
+ return 2
+ fi
++ if [ -z "$mcedb_source" ]; then
++ return 2
++ fi
+ for tuple in $(read_mcedb | @grep@ "$(printf "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
+ do
+ ucode=$(( $(echo "$tuple" | @cut@ -d, -f3) ))
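Review bot: the added guard `if [ -z "$mcedb_source" ]` reads the variable without a default, whereas the existing test `if [ -z "${mcedb_source:-}" ]` earlier in this patch uses the `${var:-}` form, presumably because the script may run under `set -u`; use `"${mcedb_source:-}"` here too so a missing database yields return code 2 rather than an unbound-variable abort.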
+@@ -5833,428 +5835,3 @@ fi
+ [ "$global_critical" = 1 ] && exit 2 # critical
+ [ "$global_unknown" = 1 ] && exit 3 # unknown
+ exit 0 # ok
+-
+-# We're using MCE.db from the excellent platomav's MCExtractor project
+-# The builtin version follows, but the user can download an up-to-date copy (to be stored in his $HOME) by using --update-fwdb
+-# To update the builtin version itself (by *modifying* this very file), use --update-builtin-fwdb
+-
+-# %%% MCEDB v222+i20220208
+-# I,0x00000611,0x00000B27,19961218
+-# I,0x00000612,0x000000C6,19961210
+-# I,0x00000616,0x000000C6,19961210
+-# I,0x00000617,0x000000C6,19961210
+-# I,0x00000619,0x000000D2,19980218
+-# I,0x00000630,0x00000013,19960827
+-# I,0x00000632,0x00000020,19960903
+-# I,0x00000633,0x00000036,19980923
+-# I,0x00000634,0x00000037,19980923
+-# I,0x00000650,0x00000045,19990525
+-# I,0x00000651,0x00000042,19990525
+-# I,0x00000652,0x0000002D,19990518
+-# I,0x00000653,0x00000010,19990628
+-# I,0x00000660,0x0000000A,19990505
+-# I,0x00000665,0x00000003,19990505
+-# I,0x0000066A,0x0000000D,19990505
+-# I,0x0000066D,0x00000007,19990505
+-# I,0x00000670,0x00000007,19980602
+-# I,0x00000671,0x00000014,19980811
+-# I,0x00000672,0x00000038,19990922
+-# I,0x00000673,0x0000002E,19990910
+-# I,0x00000680,0x00000017,19990610
+-# I,0x00000681,0x00000014,19991209
+-# I,0x00000683,0x00000014,20010206
+-# I,0x00000686,0x00000008,20000505
+-# I,0x0000068A,0x00000005,20001207
+-# I,0x00000690,0x00000004,20000206
+-# I,0x00000691,0x00000001,20020527
+-# I,0x00000692,0x00000001,20020620
+-# I,0x00000694,0x00000002,20020926
+-# I,0x00000695,0x00000047,20041109
+-# I,0x00000696,0x00000001,20000707
+-# I,0x000006A0,0x00000003,20000110
+-# I,0x000006A1,0x00000001,20000306
+-# I,0x000006A4,0x00000001,20000616
+-# I,0x000006B0,0x0000001A,20010129
+-# I,0x000006B1,0x0000001D,20010220
+-# I,0x000006B4,0x00000002,20020111
+-# I,0x000006D0,0x00000006,20030522
+-# I,0x000006D1,0x00000009,20030709
+-# I,0x000006D2,0x00000010,20030814
+-# I,0x000006D6,0x00000018,20041017
+-# I,0x000006D8,0x00000021,20060831
+-# I,0x000006E0,0x00000008,20050215
+-# I,0x000006E1,0x0000000C,20050413
+-# I,0x000006E4,0x00000026,20050816
+-# I,0x000006E8,0x0000003C,20060208
+-# I,0x000006EC,0x0000005B,20070208
+-# I,0x000006F0,0x00000005,20050818
+-# I,0x000006F1,0x00000012,20051129
+-# I,0x000006F2,0x0000005D,20101002
+-# I,0x000006F4,0x00000028,20060417
+-# I,0x000006F5,0x00000039,20060727
+-# I,0x000006F6,0x000000D2,20101001
+-# I,0x000006F7,0x0000006B,20101002
+-# I,0x000006F9,0x00000084,20061012
+-# I,0x000006FA,0x00000095,20101002
+-# I,0x000006FB,0x000000C1,20111004
+-# I,0x000006FD,0x000000A4,20101002
+-# I,0x00000F00,0xFFFF0001,20000130
+-# I,0x00000F01,0xFFFF0007,20000404
+-# I,0x00000F02,0xFFFF000B,20000518
+-# I,0x00000F03,0xFFFF0001,20000518
+-# I,0x00000F04,0xFFFF0010,20000803
+-# I,0x00000F05,0x0000000C,20000824
+-# I,0x00000F06,0x00000004,20000911
+-# I,0x00000F07,0x00000012,20020716
+-# I,0x00000F08,0x00000008,20001101
+-# I,0x00000F09,0x00000008,20010104
+-# I,0x00000F0A,0x00000015,20020821
+-# I,0x00000F11,0x0000000A,20030729
+-# I,0x00000F12,0x0000002F,20030502
+-# I,0x00000F13,0x00000005,20030508
+-# I,0x00000F20,0x00000001,20010423
+-# I,0x00000F21,0x00000003,20010529
+-# I,0x00000F22,0x00000005,20030729
+-# I,0x00000F23,0x0000000D,20010817
+-# I,0x00000F24,0x00000021,20030610
+-# I,0x00000F25,0x0000002C,20040826
+-# I,0x00000F26,0x00000010,20040805
+-# I,0x00000F27,0x00000039,20030604
+-# I,0x00000F29,0x0000002F,20040811
+-# I,0x00000F30,0x00000013,20030815
+-# I,0x00000F31,0x0000000B,20031021
+-# I,0x00000F32,0x0000000A,20040511
+-# I,0x00000F33,0x0000000C,20050421
+-# I,0x00000F34,0x00000017,20050421
+-# I,0x00000F36,0x00000007,20040309
+-# I,0x00000F37,0x00000003,20031218
+-# I,0x00000F40,0x00000006,20040318
+-# I,0x00000F41,0x00000017,20050422
+-# I,0x00000F42,0x00000003,20050421
+-# I,0x00000F43,0x00000005,20050421
+-# I,0x00000F44,0x00000006,20050421
+-# I,0x00000F46,0x00000004,20050411
+-# I,0x00000F47,0x00000003,20050421
+-# I,0x00000F48,0x0000000E,20080115
+-# I,0x00000F49,0x00000003,20050421
+-# I,0x00000F4A,0x00000004,20051214
+-# I,0x00000F60,0x00000005,20050124
+-# I,0x00000F61,0x00000008,20050610
+-# I,0x00000F62,0x0000000F,20051215
+-# I,0x00000F63,0x00000005,20051010
+-# I,0x00000F64,0x00000004,20051223
+-# I,0x00000F65,0x0000000B,20070510
+-# I,0x00000F66,0x0000001B,20060310
+-# I,0x00000F68,0x00000009,20060714
+-# I,0x00001632,0x00000002,19980610
+-# I,0x00010650,0x00000002,20060513
+-# I,0x00010660,0x00000004,20060612
+-# I,0x00010661,0x00000045,20101004
+-# I,0x00010670,0x00000005,20070209
+-# I,0x00010671,0x00000106,20070329
+-# I,0x00010674,0x84050100,20070726
+-# I,0x00010676,0x00000612,20150802
+-# I,0x00010677,0x0000070D,20150802
+-# I,0x0001067A,0x00000A0E,20150729
+-# I,0x000106A0,0xFFFF001A,20071128
+-# I,0x000106A1,0xFFFF000B,20080220
+-# I,0x000106A2,0xFFFF0019,20080714
+-# I,0x000106A4,0x00000013,20150630
+-# I,0x000106A5,0x0000001D,20180511
+-# I,0x000106C0,0x00000007,20070824
+-# I,0x000106C1,0x00000109,20071203
+-# I,0x000106C2,0x00000219,20090410
+-# I,0x000106C9,0x00000007,20090213
+-# I,0x000106CA,0x00000107,20090825
+-# I,0x000106D0,0x00000005,20071204
+-# I,0x000106D1,0x0000002A,20150803
+-# I,0x000106E0,0xFFFF0022,20090116
+-# I,0x000106E1,0xFFFF000D,20090206
+-# I,0x000106E2,0xFFFF0011,20090924
+-# I,0x000106E3,0xFFFF0011,20090512
+-# I,0x000106E4,0x00000003,20130701
+-# I,0x000106E5,0x0000000A,20180508
+-# I,0x000106F0,0xFFFF0009,20090210
+-# I,0x000106F1,0xFFFF0007,20090210
+-# I,0x00020650,0xFFFF0008,20090218
+-# I,0x00020651,0xFFFF0018,20090818
+-# I,0x00020652,0x00000011,20180508
+-# I,0x00020654,0xFFFF0007,20091124
+-# I,0x00020655,0x00000007,20180423
+-# I,0x00020661,0x00000105,20110718
+-# I,0x000206A0,0x00000029,20091102
+-# I,0x000206A1,0x00000007,20091223
+-# I,0x000206A2,0x00000027,20100502
+-# I,0x000206A3,0x00000009,20100609
+-# I,0x000206A4,0x00000022,20100414
+-# I,0x000206A5,0x00000007,20100722
+-# I,0x000206A6,0x90030028,20100924
+-# I,0x000206A7,0x0000002F,20190217
+-# I,0x000206C0,0xFFFF001C,20091214
+-# I,0x000206C1,0x00000006,20091222
+-# I,0x000206C2,0x0000001F,20180508
+-# I,0x000206D0,0x80000006,20100816
+-# I,0x000206D1,0x80000106,20101201
+-# I,0x000206D2,0xAF506958,20110714
+-# I,0x000206D3,0xAF50696A,20110816
+-# I,0x000206D5,0xAF5069E5,20120118
+-# I,0x000206D6,0x00000621,20200304
+-# I,0x000206D7,0x0000071A,20200324
+-# I,0x000206E0,0xE3493401,20090108
+-# I,0x000206E1,0xE3493402,20090224
+-# I,0x000206E2,0xFFFF0004,20081001
+-# I,0x000206E3,0xE4486547,20090701
+-# I,0x000206E4,0xFFFF0008,20090619
+-# I,0x000206E5,0xFFFF0018,20091215
+-# I,0x000206E6,0x0000000D,20180515
+-# I,0x000206F0,0x00000005,20100729
+-# I,0x000206F1,0x00000008,20101013
+-# I,0x000206F2,0x0000003B,20180516
+-# I,0x00030650,0x00000009,20120118
+-# I,0x00030651,0x00000110,20131014
+-# I,0x00030660,0x00000003,20101103
+-# I,0x00030661,0x0000010F,20150721
+-# I,0x00030669,0x0000010D,20130515
+-# I,0x00030671,0x00000117,20130410
+-# I,0x00030672,0x0000022E,20140401
+-# I,0x00030673,0x83290100,20190916
+-# I,0x00030678,0x00000838,20190422
+-# I,0x00030679,0x0000090D,20190710
+-# I,0x000306A0,0x00000007,20110407
+-# I,0x000306A2,0x0000000C,20110725
+-# I,0x000306A4,0x00000007,20110908
+-# I,0x000306A5,0x00000009,20111110
+-# I,0x000306A6,0x00000004,20111114
+-# I,0x000306A8,0x00000010,20120220
+-# I,0x000306A9,0x00000021,20190213
+-# I,0x000306C0,0xFFFF0013,20111110
+-# I,0x000306C1,0xFFFF0014,20120725
+-# I,0x000306C2,0xFFFF0006,20121017
+-# I,0x000306C3,0x00000028,20191112
+-# I,0x000306D1,0xFFFF0009,20131015
+-# I,0x000306D2,0xFFFF0009,20131219
+-# I,0x000306D3,0xE3121338,20140825
+-# I,0x000306D4,0x0000002F,20191112
+-# I,0x000306E0,0xE920080F,20121113
+-# I,0x000306E2,0xE9220827,20130523
+-# I,0x000306E3,0x00000308,20130321
+-# I,0x000306E4,0x0000042E,20190314
+-# I,0x000306E6,0x00000600,20130619
+-# I,0x000306E7,0x00000715,20190314
+-# I,0x000306F0,0xFFFF0017,20130730
+-# I,0x000306F1,0xD141D629,20140416
+-# I,0x000306F2,0x00000049,20210811
+-# I,0x000306F3,0x0000000D,20160211
+-# I,0x000306F4,0x0000001A,20210524
+-# I,0x00040650,0xFFFF000B,20121206
+-# I,0x00040651,0x00000026,20191112
+-# I,0x00040660,0xFFFF0011,20121012
+-# I,0x00040661,0x0000001C,20191112
+-# I,0x00040670,0xFFFF0006,20140304
+-# I,0x00040671,0x00000022,20191112
+-# I,0x000406A0,0x80124001,20130521
+-# I,0x000406A8,0x0000081F,20140812
+-# I,0x000406A9,0x0000081F,20140812
+-# I,0x000406C1,0x0000010B,20140814
+-# I,0x000406C2,0x00000221,20150218
+-# I,0x000406C3,0x00000368,20190423
+-# I,0x000406C4,0x00000411,20190423
+-# I,0x000406D0,0x0000000E,20130612
+-# I,0x000406D8,0x0000012D,20190916
+-# I,0x000406E1,0x00000020,20141111
+-# I,0x000406E2,0x0000002C,20150521
+-# I,0x000406E3,0x000000EC,20210428
+-# I,0x000406E8,0x00000026,20160414
+-# I,0x000406F0,0x00000014,20150702
+-# I,0x000406F1,0x0B000040,20210519
+-# I,0x00050650,0x8000002B,20160208
+-# I,0x00050651,0x8000002B,20160208
+-# I,0x00050652,0x80000037,20170502
+-# I,0x00050653,0x0100015C,20210526
+-# I,0x00050654,0x02006C0A,20210616
+-# I,0x00050655,0x03000012,20190412
+-# I,0x00050656,0x0400320A,20210813
+-# I,0x00050657,0x0500320A,20210813
+-# I,0x0005065A,0x86002302,20210416
+-# I,0x0005065B,0x07002402,20210604
+-# I,0x00050661,0xF1000008,20150130
+-# I,0x00050662,0x0000001C,20190617
+-# I,0x00050663,0x0700001C,20210612
+-# I,0x00050664,0x0F00001A,20210612
+-# I,0x00050665,0x0E000014,20210918
+-# I,0x00050670,0xFFFF0030,20151113
+-# I,0x00050671,0x000001B6,20180108
+-# I,0x000506A0,0x00000038,20150112
+-# I,0x000506C2,0x00000014,20180511
+-# I,0x000506C8,0x90011010,20160323
+-# I,0x000506C9,0x00000046,20210510
+-# I,0x000506CA,0x00000022,20210622
+-# I,0x000506D1,0x00000102,20150605
+-# I,0x000506E0,0x00000018,20141119
+-# I,0x000506E1,0x0000002A,20150602
+-# I,0x000506E2,0x0000002E,20150815
+-# I,0x000506E3,0x000000F0,20211112
+-# I,0x000506E8,0x00000034,20160710
+-# I,0x000506F0,0x00000010,20160607
+-# I,0x000506F1,0x00000036,20210510
+-# I,0x00060660,0x0000000C,20160821
+-# I,0x00060661,0x0000000E,20170128
+-# I,0x00060662,0x00000022,201711
This message was truncated.
Liliana Marie Prikler wrote on 11 Nov 2022 16:13
(name . Hilton Chain)(address . hako@ultrarare.space)(address . 59053@debbugs.gnu.org)
62dbdc4784403cc138909884b50a399485a2451f.camel@gmail.com
Hi,

On Friday, 11.11.2022 at 19:10 +0800, Hilton Chain wrote:
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-
> substitution.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch:
> New file.
> * gnu/local.mk (dist_patch_DATA): Add patches.
> ---
> v1 -> v2:
>
>  gnu/local.mk                                  |    3 +
>  gnu/packages/linux.scm                        |   53 +
>  ...ker-remove-builtin-firmware-database.patch |  554 +++++
>  ...cker-stage-commands-for-substitution.patch | 1947
> +++++++++++++++++
>  ...n-checker-support-guix-system-kernel.patch |   26 +
>  5 files changed, 2583 insertions(+)
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> remove-builtin-firmware-database.patch
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> stage-commands-for-substitution.patch
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index 27b31ea27f..d518cd8641 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1851,6 +1851,9 @@ dist_patch_DATA
> =                                         \
>    %D%/packages/patches/syslinux-strip-gnu-property.patch       \
>    %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch      \
>    %D%/packages/patches/snappy-add-inline-for-GCC.patch         \
> +  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
> +  %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-
> substitution.patch \
> +  %D%/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch \
>    %D%/packages/patches/sphinxbase-fix-doxygen.patch            \
>    %D%/packages/patches/spice-vdagent-glib-2.68.patch           \
>    %D%/packages/patches/sssd-optional-systemd.patch             \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index 2c06269504..5a0d55833a 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9595,3 +9595,56 @@ (define-public edac-utils
>  error detection and correction (EDAC).")
>      (home-page "https://github.com/grondo/edac-utils")
>      (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> +  (package
> +    (name "spectre-meltdown-checker")
> +    (version "0.45")
> +    (source (origin
> +              (method git-fetch)
> +              (uri (git-reference
> +                    (url
> "https://github.com/speed47/spectre-meltdown-checker")
> +                    (commit (string-append "v" version))))
> +              (file-name (git-file-name name version))
> +              (patches
> +               (search-patches
> +                ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> +                "spectre-meltdown-checker-support-guix-system-
> kernel.patch"
> +                ;; NOTE: Update these patches when updating.
> +                "spectre-meltdown-checker-stage-commands-for-
> substitution.patch"
> +                "spectre-meltdown-checker-remove-builtin-firmware-
> database.patch"))
> +              (sha256
> +               (base32
> +               
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> +    (build-system copy-build-system)
> +    (arguments
> +     (list #:install-plan
> +           #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> +           #:phases
> +           #~(modify-phases %standard-phases
> +               (add-after 'unpack 'fixpath
> +                 (lambda* (#:key inputs #:allow-other-keys)
> +                   (substitute* "spectre-meltdown-checker.sh"
> +                     (("@sysctl@") (search-input-file inputs
> "/sbin/sysctl"))
> +                     (("@([a-z0-9]*)@" _ m _)
> +                      (search-input-file inputs (string-append
> "/bin/" m)))))))))
I'd prefer "command" instead of m as a variable name here.
> +    (inputs
> +     (list binutils
> +           coreutils
> +           grep
> +           kmod
> +           lz4
> +           lzop
> +           perl
> +           procps
> +           sharutils
> +           util-linux
> +           which
> +           zstd))
> +    (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> +    (synopsis "CPU vulnerability / mitigation checker")
> +    (description
> +     "This package provides a shell script to assess your system's
> resilience
> +against the several transient execution CVEs that were published
> since early
> +2018, and give you guidance as to how to mitigate them.")
> +    (license license:gpl3)))
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-
> builtin-firmware-database.patch b/gnu/packages/patches/spectre-
> meltdown-checker-remove-builtin-firmware-database.patch
> new file mode 100644
> index 0000000000..e926551550
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch
> @@ -0,0 +1,554 @@
> +From ac4bb2e61e4e8d195d560014816e107b315817ff Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Fri, 11 Nov 2022 18:55:25 +0800
> +Subject: [PATCH 2/2] Remove builtin firmware database.
> +
> +---
> + spectre-meltdown-checker.sh | 477 ++-------------------------------
> ---
> + 1 file changed, 27 insertions(+), 450 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 82cf1b6..79c4bb7 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -95,7 +95,6 @@ show_usage()
> +               --cpu [#,all]           interact with CPUID and MSR
> of CPU core number #, or all (default: CPU core 0)
> +               --update-fwdb           update our local copy of the
> CPU microcodes versions database (using the awesome
> +                                       MCExtractor project and the
> Intel firmwares GitHub repository)
> +-              --update-builtin-fwdb   same as --update-fwdb but
> update builtin DB inside the script itself
> +               --dump-mock-data        used to mimick a CPU on an
> other system, mainly used to help debugging this script
> +
> +       Return codes:
> +@@ -853,9 +852,9 @@ update_fwdb()
> +       mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)"
> +       mcedb_url='
> https://github.com/platomav/MCExtractor/raw/master/MCE.db'
> +       _info_nol "Fetching MCE.db from the MCExtractor project... "
> +-      if command -v wget >/dev/null 2>&1; then
> +-              wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
> +-      elif command -v curl >/dev/null 2>&1; then
> ++      # if command -v wget >/dev/null 2>&1; then
> ++      #       wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
> ++      if command -v curl >/dev/null 2>&1; then
> +               curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
> +       elif command -v fetch >/dev/null 2>&1; then
> +               fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
The curl line and fetch line do the same thing as the wget line.
Prefer removal over commenting.
> +@@ -874,9 +873,9 @@ update_fwdb()
> +       intel_url="
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-
> Files/archive/main.zip"
> +       _info_nol "Fetching Intel firmwares... "
> +       ##
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
> +-      if command -v wget >/dev/null 2>&1; then
> +-              wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
> +-      elif command -v curl >/dev/null 2>&1; then
> ++      # if command -v wget >/dev/null 2>&1; then
> ++      #       wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
> ++      if command -v curl >/dev/null 2>&1; then
> +               curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
> +       elif command -v fetch >/dev/null 2>&1; then
> +               fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
Same here.
> +@@ -969,13 +968,13 @@ update_fwdb()
> +       } > "$mcedb_cache"
> +       echo DONE "(version $dbversion)"
> +
> +-      if [ "$1" = builtin ]; then
> +-              newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
> +-              @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" >
> "$newfile"
> +-              @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >>
> "$newfile"
> +-              @cat@ "$newfile" > "$0"
> +-              @rm@ -f "$newfile"
> +-      fi
> ++      # if [ "$1" = builtin ]; then
> ++      #       newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
> ++      #       @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" >
> "$newfile"
> ++      #       @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >>
> "$newfile"
> ++      #       @cat@ "$newfile" > "$0"
> ++      #       @rm@ -f "$newfile"
> ++      # fi
This time, it seems completely removed, but still prefer removal over
commenting.
> + }
> +
> + parse_opt_file()
> +@@ -1070,9 +1069,9 @@ while [ -n "${1:-}" ]; do
> +       elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb"
> ]; then
> +               update_fwdb
> +               exit $?
> +-      elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--
> update-builtin-mcedb" ]; then
> +-              update_fwdb builtin
> +-              exit $?
> ++      # elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--
> update-builtin-mcedb" ]; then
> ++      #       update_fwdb builtin
> ++      #       exit $?
> +       elif [ "$1" = "--dump-mock-data" ]; then
> +               opt_mock=1
> +               shift
> +@@ -2033,22 +2032,22 @@ is_xen_domU()
> +       fi
> + }
> +
> +-builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
> ++# builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
> + if [ -r "$mcedb_cache" ]; then
> +       # we have a local cache file, but it might be older than the
> builtin version we have
> +       local_dbversion=$(  @awk@ '/^# %%% MCEDB / { print $4 }'
> "$mcedb_cache")
> +       # sort -V sorts by version number
> +-      older_dbversion=$(printf "%b\n%b" "$local_dbversion"
> "$builtin_dbversion" | @sort@ -V | @head@ -n1)
> +-      if [ "$older_dbversion" = "$builtin_dbversion" ]; then
> ++      # older_dbversion=$(printf "%b\n%b" "$local_dbversion"
> "$builtin_dbversion" | @sort@ -V | @head@ -n1)
> ++      # if [ "$older_dbversion" = "$builtin_dbversion" ]; then
> +               mcedb_source="$mcedb_cache"
> +               mcedb_info="local firmwares DB $local_dbversion"
> +-      fi
> ++      # fi
> + fi
> + # if mcedb_source is not set, either we don't have a local cached
> db, or it is older than the builtin db
> +-if [ -z "${mcedb_source:-}" ]; then
> +-      mcedb_source="$0"
> +-      mcedb_info="builtin firmwares DB $builtin_dbversion"
> +-fi
> ++# if [ -z "${mcedb_source:-}" ]; then
> ++#     mcedb_source="$0"
> ++#     mcedb_info="builtin firmwares DB $builtin_dbversion"
> ++# fi
I'm not sure whether this is correctly patched.
> + read_mcedb()
> + {
> +       @awk@ '{ if (DELIM==1) { print $2 } } /^# %%% MCEDB / {
> DELIM=1 }' "$mcedb_source"
> +@@ -2070,6 +2069,9 @@ is_latest_known_ucode()
> +       else
> +               return 2
> +       fi
> ++      if [ -z "$mcedb_source" ]; then
> ++              return 2
> ++      fi
Here neither, what does the return 2 above do?
> +       for tuple in $(read_mcedb | @grep@ "$(printf
> "^$cpu_brand_prefix,0x%08X," "$cpu_cpuid")")
> +       do
> +               ucode=$((  $(echo "$tuple" | @cut@ -d, -f3) ))
> +@@ -5833,428 +5835,3 @@ fi
> + [ "$global_critical" = 1 ] && exit 2  # critical
> + [ "$global_unknown"  = 1 ] && exit 3  # unknown
> + exit 0  # ok
> +-
> +-# We're using MCE.db from the excellent platomav's MCExtractor
> project
> +-# The builtin version follows, but the user can download an up-to-
> date copy (to be stored in his $HOME) by using --update-fwdb
> +-# To update the builtin version itself (by *modifying* this very
> file), use --update-builtin-fwdb
> +-
Can we remove this builtin version without a patch, i.e. a snippet?
I think that doing so would be more robust than keeping the patch up to
date.
> +-# %%% MCEDB v222+i20220208
> +-# I,0x00000611,0x00000B27,19961218
> +-# I,0x00000612,0x000000C6,19961210
> +-# I,0x00000616,0x000000C6,19961210
> +-# I,0x00000617,0x000000C6,19961210
> +-# I,0x00000619,0x000000D2,19980218
> +-# I,0x00000630,0x00000013,19960827
> +-# I,0x00000632,0x00000020,19960903
> +-# I,0x00000633,0x00000036,19980923
> +-# I,0x00000634,0x00000037,19980923
> +-# I,0x00000650,0x00000045,19990525
> +-# I,0x00000651,0x00000042,19990525
> +-# I,0x00000652,0x0000002D,19990518
> +-# I,0x00000653,0x00000010,19990628
> +-# I,0x00000660,0x0000000A,19990505
> +-# I,0x00000665,0x00000003,19990505
> +-# I,0x0000066A,0x0000000D,19990505
> +-# I,0x0000066D,0x00000007,19990505
> +-# I,0x00000670,0x00000007,19980602
> +-# I,0x00000671,0x00000014,19980811
> +-# I,0x00000672,0x00000038,19990922
> +-# I,0x00000673,0x0000002E,19990910
> +-# I,0x00000680,0x00000017,19990610
> +-# I,0x00000681,0x00000014,19991209
> +-# I,0x00000683,0x00000014,20010206
> +-# I,0x00000686,0x00000008,20000505
> +-# I,0x0000068A,0x00000005,20001207
> +-# I,0x00000690,0x00000004,20000206
> +-# I,0x00000691,0x00000001,20020527
> +-# I,0x00000692,0x00000001,20020620
> +-# I,0x00000694,0x00000002,20020926
> +-# I,0x00000695,0x00000047,20041109
> +-# I,0x00000696,0x00000001,20000707
> +-# I,0x000006A0,0x00000003,20000110
> +-# I,0x000006A1,0x00000001,20000306
> +-# I,0x000006A4,0x00000001,20000616
> +-# I,0x000006B0,0x0000001A,20010129
> +-# I,0x000006B1,0x0000001D,20010220
> +-# I,0x000006B4,0x00000002,20020111
> +-# I,0x000006D0,0x00000006,20030522
> +-# I,0x000006D1,0x00000009,20030709
> +-# I,0x000006D2,0x00000010,20030814
> +-# I,0x000006D6,0x00000018,20041017
> +-# I,0x000006D8,0x00000021,20060831
> +-# I,0x000006E0,0x00000008,20050215
> +-# I,0x000006E1,0x0000000C,20050413
> +-# I,0x000006E4,0x00000026,20050816
> +-# I,0x000006E8,0x0000003C,20060208
> +-# I,0x000006EC,0x0000005B,20070208
> +-# I,0x000006F0,0x00000005,20050818
> +-# I,0x000006F1,0x00000012,20051129
> +-# I,0x000006F2,0x0000005D,20101002
> +-# I,0x000006F4,0x00000028,20060417
> +-# I,0x000006F5,0x00000039,20060727
> +-# I,0x000006F6,0x000000D2,20101001
> +-# I,0x000006F7,0x0000006B,20101002
> +-# I,0x000006F9,0x00000084,20061012
> +-# I,0x000006FA,0x00000095,20101002
> +-# I,0x000006FB,0x000000C1,20111004
> +-# I,0x000006FD,0x000000A4,20101002
> +-# I,0x00000F00,0xFFFF0001,20000130
> +-# I,0x00000F01,0xFFFF0007,20000404
> +-# I,0x00000F02,0xFFFF000B,20000518
> +-# I,0x00000F03,0xFFFF0001,20000518
> +-# I,0x00000F04,0xFFFF0010,20000803
> +-# I,0x00000F05,0x0000000C,20000824
> +-# I,0x00000F06,0x00000004,20000911
> +-# I,0x00000F07,0x00000012,20020716
> +-# I,0x00000F08,0x00000008,20001101
> +-# I,0x00000F09,0x00000008,20010104
> +-# I,0x00000F0A,0x00000015,20020821
> +-# I,0x00000F11,0x0000000A,20030729
> +-# I,0x00000F12,0x0000002F,20030502
> +-# I,0x00000F13,0x00000005,20030508
> +-# I,0x00000F20,0x00000001,20010423
> +-# I,0x00000F21,0x00000003,20010529
> +-# I,0x00000F22,0x00000005,20030729
> +-# I,0x00000F23,0x0000000D,20010817
> +-# I,0x00000F24,0x00000021,20030610
> +-# I,0x00000F25,0x0000002C,20040826
> +-# I,0x00000F26,0x00000010,20040805
> +-# I,0x00000F27,0x00000039,20030604
> +-# I,0x00000F29,0x0000002F,20040811
> +-# I,0x00000F30,0x00000013,20030815
> +-# I,0x00000F31,0x0000000B,20031021
> +-# I,0x00000F32,0x0000000A,20040511
> +-# I,0x00000F33,0x0000000C,20050421
> +-# I,0x00000F34,0x00000017,20050421
> +-# I,0x00000F36,0x00000007,20040309
> +-# I,0x00000F37,0x00000003,20031218
> +-# I,0x00000F40,0x00000006,20040318
> +-# I,0x00000F41,0x00000017,20050422
> +-# I,0x00000F42,0x00000003,20050421
> +-# I,0x00000F43,0x00000005,20050421
> +-# I,0x00000F44,0x00000006,20050421
> +-# I,0x00000F46,0x00000004,20050411
> +-# I,0x00000F47,0x00000003,20050421
> +-# I,0x00000F48,0x0000000E,20080115
> +-# I,0x00000F49,0x00000003,20050421
> +-# I,0x00000F4A,0x00000004,20051214
> +-# I,0x00000F60,0x00000005,20050124
> +-# I,0x00000F61,0x00000008,20050610
> +-# I,0x00000F62,0x0000000F,20051215
> +-# I,0x00000F63,0x00000005,20051010
> +-# I,0x00000F64,0x00000004,20051223
> +-# I,0x00000F65,0x0000000B,20070510
> +-# I,0x00000F66,0x0000001B,20060310
> +-# I,0x00000F68,0x00000009,20060714
> +-# I,0x00001632,0x00000002,19980610
> +-# I,0x00010650,0x00000002,20060513
> +-# I,0x00010660,0x00000004,20060612
> +-# I,0x00010661,0x00000045,20101004
> +-# I,0x00010670,0x00000005,20070209
> +-# I,0x00010671,0x00000106,20070329
> +-# I,0x00010674,0x84050100,20070726
> +-# I,0x00010676,0x00000612,20150802
> +-# I,0x00010677,0x0000070D,20150802
> +-# I,0x0001067A,0x00000A0E,20150729
> +-# I,0x000106A0,0xFFFF001A,20071128
> +-# I,0x000106A1,0xFFFF000B,20080220
> +-# I,0x000106A2,0xFFFF0019,20080714
> +-# I,0x000106A4,0x00000013,20150630
> +-# I,0x000106A5,0x0000001D,20180511
> +-# I,0x000106C0,0x00000007,20070824
> +-# I,0x000106C1,0x00000109,20071203
> +-# I,0x000106C2,0x00000219,20090410
> +-# I,0x000106C9,0x00000007,20090213
> +-# I,0x000106CA,0x00000107,20090825
> +-# I,0x000106D0,0x00000005,20071204
> +-# I,0x000106D1,0x0000002A,20150803
> +-# I,0x000106E0,0xFFFF0022,20090116
> +-# I,0x000106E1,0xFFFF000D,20090206
> +-# I,0x000106E2,0xFFFF0011,20090924
> +-# I,0x000106E3,0xFFFF0011,20090512
> +-# I,0x000106E4,0x00000003,20130701
> +-# I,0x000106E5,0x0000000A,20180508
> +-# I,0x000106F0,0xFFFF0009,20090210
> +-# I,0x000106F1,0xFFFF0007,20090210
> +-# I,0x00020650,0xFFFF0008,20090218
> +-# I,0x00020651,0xFFFF0018,20090818
> +-# I,0x00020652,0x00000011,20180508
> +-# I,0x00020654,0xFFFF0007,20091124
> +-# I,0x00020655,0x00000007,20180423
> +-# I,0x00020661,0x00000105,20110718
> +-# I,0x000206A0,0x00000029,20091102
> +-# I,0x000206A1,0x00000007,20091223
> +-# I,0x000206A2,0x00000027,20100502
> +-# I,0x000206A3,0x00000009,20100609
> +-# I,0x000206A4,0x00000022,20100414
> +-# I,0x000206A5,0x00000007,20100722
> +-# I,0x000206A6,0x90030028,20100924
> +-# I,0x000206A7,0x0000002F,20190217
> +-# I,0x000206C0,0xFFFF001C,20091214
> +-# I,0x000206C1,0x00000006,20091222
> +-# I,0x000206C2,0x0000001F,20180508
> +-# I,0x000206D0,0x80000006,20100816
> +-# I,0x000206D1,0x80000106,20101201
> +-# I,0x000206D2,0xAF506958,20110714
> +-# I,0x000206D3,0xAF50696A,20110816
> +-# I,0x000206D5,0xAF5069E5,20120118
> +-# I,0x000206D6,0x00000621,20200304
> +-# I,0x000206D7,0x0000071A,20200324
> +-# I,0x000206E0,0xE3493401,20090108
> +-# I,0x000206E1,0xE3493402,20090224
> +-# I,0x000206E2,0xFFFF0004,20081001
> +-# I,0x000206E3,0xE4486547,20090701
> +-# I,0x000206E4,0xFFFF0008,20090619
> +-# I,0x000206E5,0xFFFF0018,20091215
> +-# I,0x000206E6,0x0000000D,20180515
> +-# I,0x000206F0,0x00000005,20100729
> +-# I,0x000206F1,0x00000008,20101013
> +-# I,0x000206F2,0x0000003B,20180516
> +-# I,0x00030650,0x00000009,20120118
> +-# I,0x00030651,0x00000110,20131014
> +-# I,0x00030660,0x00000003,20101103
> +-# I,0x00030661,0x0000010F,20150721
> +-# I,0x00030669,0x0000010D,20130515
> +-# I,0x00030671,0x00000117,20130410
> +-# I,0x00030672,0x0000022E,20140401
> +-# I,0x00030673,0x83290100,20190916
> +-# I,0x00030678,0x00000838,20190422
> +-# I,0x00030679,0x0000090D,20190710
> +-# I,0x000306A0,0x00000007,20110407
> +-# I,0x000306A2,0x0000000C,20110725
> +-# I,0x000306A4,0x00000007,20110908
> +-# I,0x000306A5,0x00000009,20111110
> +-# I,0x000306A6,0x00000004,20111114
> +-# I,0x000306A8,0x00000010,20120220
> +-# I,0x000306A9,0x00000021,20190213
> +-# I,0x000306C0,0xFFFF0013,20111110
> +-# I,0x000306C1,0xFFFF0014,20120725
> +-# I,0x000306C2,0xFFFF0006,20121017
> +-# I,0x000306C3,0x00000028,20191112
> +-# I,0x000306D1,0xFFFF0009,20131015
> +-# I,0x000306D2,0xFFFF0009,20131219
> +-# I,0x000306D3,0xE3121338,20140825
> +-# I,0x000306D4,0x0000002F,20191112
> +-# I,0x000306E0,0xE920080F,20121113
> +-# I,0x000306E2,0xE9220827,20
This message was truncated.
Hilton Chain wrote on 12 Nov 2022 13:14
[PATCH v3] gnu: Add spectre-meltdown-checker.
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)(address . 59053@debbugs.gnu.org)
y76edu8cqu3.wl-hako@ultrarare.space
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
v2 -> v3:
1. Use curl as the default downloader (it seems that wget doesn't work out of
the box for TLS?).
2. Remove instead of commenting.
3. Remove the builtin firmware database via a snippet.
4. Adjust the position of the "return 2" statement. As for its purpose, it's
there to stop the version checking function, as later steps assume a valid
firmware database. As for the value, a return value of is_latest_known_ucode()
other than 0 or 1 is considered "unknown" in the final output.

gnu/local.mk | 3 +
gnu/packages/linux.scm | 58 +
...ker-remove-builtin-firmware-database.patch | 113 +
...cker-stage-commands-for-substitution.patch | 1947 +++++++++++++++++
...n-checker-support-guix-system-kernel.patch | 26 +
5 files changed, 2147 insertions(+)
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index e3e02314bb..46b299d0d6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1857,6 +1857,9 @@ dist_patch_DATA = \
%D%/packages/patches/syslinux-strip-gnu-property.patch \
%D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \
%D%/packages/patches/snappy-add-inline-for-GCC.patch \
+ %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \
+ %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch \
+ %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
%D%/packages/patches/sphinxbase-fix-doxygen.patch \
%D%/packages/patches/spice-vdagent-glib-2.68.patch \
%D%/packages/patches/sssd-optional-systemd.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index fea33dfa0b..b15899baf6 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9595,3 +9595,61 @@ (define-public edac-utils
error detection and correction (EDAC).")
(home-page "https://github.com/grondo/edac-utils")
(license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+ (package
+ (name "spectre-meltdown-checker")
+ (version "0.45")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (patches
+ (search-patches
+ ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+ "spectre-meltdown-checker-support-guix-system-kernel.patch"
+ ;; NOTE: Update these patches when updating.
+ "spectre-meltdown-checker-stage-commands-for-substitution.patch"
+ "spectre-meltdown-checker-remove-builtin-firmware-database.patch"))
+ ;; Remove builtin firmware database.
+ (modules '((guix build utils)))
+ (snippet '(substitute* "spectre-meltdown-checker.sh"
+ (("^# [AI],.*") "")))
+ (sha256
+ (base32
+ "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+ (build-system copy-build-system)
+ (arguments
+ (list #:install-plan
+ #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'fixpath
+ (lambda* (#:key inputs #:allow-other-keys)
+ (substitute* "spectre-meltdown-checker.sh"
+ (("@sysctl@") (search-input-file inputs "/sbin/sysctl"))
+ (("@([a-z0-9]*)@" _ command _)
+ (search-input-file
+ inputs (string-append "/bin/" command)))))))))
+ (inputs
+ (list binutils
+ coreutils
+ grep
+ kmod
+ lz4
+ lzop
+ perl
+ procps
+ sharutils
+ util-linux
+ which
+ zstd))
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (synopsis "CPU vulnerability / mitigation checker")
+ (description
+ "This package provides a shell script to assess your system's resilience
+against the several transient execution CVEs that were published since early
+2018, and give you guidance as to how to mitigate them.")
+ (license license:gpl3)))
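Review bot: the snippet `(("^# [AI],.*") "")` deletes the entries but not the `# %%% MCEDB v...` delimiter line or the comment block above it, and since `substitute*` works line by line the match cannot consume the newline, so each of the ~450 removed entries becomes an empty line at the end of the installed script. That is harmless at runtime (`read_mcedb` only prints what follows the delimiter, and the blank fields never match a `^I,0x...` or `^A,0x...` key), but a comment saying so, or extending the regexp to the `# %%% MCEDB` line as well, would save the next updater from wondering whether the snippet worked. The `;; Remove builtin firmware database.` comment should also mention that the snippet runs after the patches, so `spectre-meltdown-checker-remove-builtin-firmware-database.patch` still has to apply against the unmodified script.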
diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
new file mode 100644
index 0000000000..400d8d3a07
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
@@ -0,0 +1,113 @@
+From e2cc68814cf658638946e069406ef6a6032ab318 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 12 Nov 2022 19:49:36 +0800
+Subject: [PATCH 2/2] Remove references to the builtin firmware database.
+
+---
+ spectre-meltdown-checker.sh | 43 +++++++++++--------------------------
+ 1 file changed, 12 insertions(+), 31 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 82cf1b6..5104599 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -95,7 +95,6 @@ show_usage()
+ --cpu [#,all] interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
+ --update-fwdb update our local copy of the CPU microcodes versions database (using the awesome
+ MCExtractor project and the Intel firmwares GitHub repository)
+- --update-builtin-fwdb same as --update-fwdb but update builtin DB inside the script itself
+ --dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script
+
+ Return codes:
+@@ -853,10 +852,10 @@ update_fwdb()
+ mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX)"
+ mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+ _info_nol "Fetching MCE.db from the MCExtractor project... "
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
++ if command -v curl >/dev/null 2>&1; then
+ curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
++ elif command -v wget >/dev/null 2>&1; then
++ wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+ elif command -v fetch >/dev/null 2>&1; then
+ fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+ else
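Review bot: with this reordering `curl` becomes the preferred downloader, yet `curl` is neither staged as `@curl@` nor listed in the package's `inputs` (the `command -v` probes also run against the bare names), so `--update-fwdb` depends on whatever the user happens to have on PATH rather than on a declared dependency. Either add `curl` to `inputs` and stage it like the other commands, or state the runtime requirement in the description.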
+@@ -874,10 +873,10 @@ update_fwdb()
+ intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+ _info_nol "Fetching Intel firmwares... "
+ ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
++ if command -v curl >/dev/null 2>&1; then
+ curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
++ elif command -v wget >/dev/null 2>&1; then
++ wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+ elif command -v fetch >/dev/null 2>&1; then
+ fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+ else
+@@ -968,14 +967,6 @@ update_fwdb()
+ sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | @grep@ -v '^# .,0x00000000,';
+ } > "$mcedb_cache"
+ echo DONE "(version $dbversion)"
+-
+- if [ "$1" = builtin ]; then
+- newfile=$(@mktemp@ -t smc-builtin-XXXXXX)
+- @awk@ '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+- @awk@ '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+- @cat@ "$newfile" > "$0"
+- @rm@ -f "$newfile"
+- fi
+ }
+
+ parse_opt_file()
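Review bot: `sqlite3` on the first context line of this hunk is the one external tool in `update_fwdb` still invoked by bare name while everything around it has been staged (`@grep@` on the same line), and it is not in the package's `inputs` either, so `--update-fwdb` fails on a system without sqlite3 on PATH. Stage it as `@sqlite3@` and add `sqlite` to `inputs`, or document that `--update-fwdb` needs it.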
+@@ -1070,9 +1061,6 @@ while [ -n "${1:-}" ]; do
+ elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then
+ update_fwdb
+ exit $?
+- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
+- update_fwdb builtin
+- exit $?
+ elif [ "$1" = "--dump-mock-data" ]; then
+ opt_mock=1
+ shift
+@@ -2033,21 +2021,11 @@ is_xen_domU()
+ fi
+ }
+
+-builtin_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ # we have a local cache file, but it might be older than the builtin version we have
+ local_dbversion=$( @awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+- # sort -V sorts by version number
+- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | @sort@ -V | @head@ -n1)
+- if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+- mcedb_source="$mcedb_cache"
+- mcedb_info="local firmwares DB $local_dbversion"
+- fi
+-fi
+-# if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db
+-if [ -z "${mcedb_source:-}" ]; then
+- mcedb_source="$0"
+- mcedb_info="builtin firmwares DB $builtin_dbversion"
++ mcedb_source="$mcedb_cache"
++ mcedb_info="local firmwares DB $local_dbversion"
+ fi
+ read_mcedb()
+ {
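Review bot: the surviving context comment `# we have a local cache file, but it might be older than the builtin version we have` is now wrong, since the builtin version and the `sort -V` comparison it describes are removed in this hunk; reword it (for example `# use the local cache file if we have one`) so the next reader does not look for a comparison that no longer exists. A one-line comment that `mcedb_source` deliberately stays unset when no readable cache exists would also help, because the guard added in `is_latest_known_ucode` below relies on exactly that.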
+@@ -2063,7 +2041,10 @@ is_latest_known_ucode()
+ return 2
+ fi
+ ucode_latest="latest microcode version for your CPU model is unknown"
+- if is_intel; then
++ if [ -z "$mcedb_source" ]; then
++ # When $mcedb_source is not set, skip version checking and report unknown.
++ return 2
++ elif is_intel; then
+ cpu_brand_prefix=I
+ elif is_amd; then
+ cpu_brand_prefix=A
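Review bot: `[ -z "$mcedb_source" ]` should be `[ -z "${mcedb_source:-}" ]`, the form the removed fallback (`if [ -z "${mcedb_source:-}" ]; then` in the previous hunk) and the rest of the script use for possibly-unset variables; if the script is ever run with `set -u`, the bare reference aborts with an unbound-variable error before the guard can return 2. The placement itself is right: the check now precedes the brand detection and the `read_mcedb` loop, so a missing database reports "unknown" instead of running awk on an empty file name.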
+--
+2.38.1
+
diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
new file mode 100644
index 0000000000..a2f13e4195
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
@@ -0,0 +1,1947 @@
+From 4dc8ae01aec5a8a2aa2afc015603261d514620ae Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Fri, 11 Nov 2022 18:49:50 +0800
+Subject: [PATCH 1/2] Stage commands for later substitution.
+
+awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find, getent,
+grep, gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm,
+nproc, objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat,
+strings, sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, which,
+whoami, xargs.
+---
+ spectre-meltdown-checker.sh | 648 ++++++++++++++++++------------------
+ 1 file changed, 324 insertions(+), 324 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 30f760c..82cf1b6 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -19,33 +19,33 @@ trap '_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT
+ exit_cleanup()
+ {
+ # cleanup the temp decompressed config & kernel image
+- [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
+- [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp"
+- [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2"
+- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm -f "$mcedb_tmp"
+- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm -rf "$intel_tmp"
+- [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
+- [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null
+- [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
+- [ "${insmod_msr:-}" = 1 ] && rmmod msr 2>/dev/null
++ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && @rm@ -f "$dumped_config"
++ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && @rm@ -f "$kerneltmp"
++ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && @rm@ -f "$kerneltmp2"
++ [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && @rm@ -f "$mcedb_tmp"
++ [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && @rm@ -rf "$intel_tmp"
++ [ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug 2>/dev/null
++ [ "${mounted_procfs:-}" = 1 ] && @umount@ "$procfs" 2>/dev/null
++ [ "${insmod_cpuid:-}" = 1 ] && @rmmod@ cpuid 2>/dev/null
++ [ "${insmod_msr:-}" = 1 ] && @rmmod@ msr 2>/dev/null
+ [ "${kldload_cpuctl:-}" = 1 ] && kldunload cpuctl 2>/dev/null
+ [ "${kldload_vmm:-}" = 1 ] && kldunload vmm 2>/dev/null
+ }
+
+ # if we were git clone'd, adjust VERSION
+-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then
+- describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null)
+- [ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e s/^v//)
++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null 2>&1; then
++ describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty 2>/dev/null)
++ [ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e s/^v//)
+ fi
+
+ show_usage()
+ {
+ # shellcheck disable=SC2086
+- cat <<EOF
++ @cat@ <<EOF
+ Usage:
+- Live mode (auto): $(basename $0) [options]
+- Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
+- Offline mode: $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
++ Live mode (auto): $(@basename@ $0) [options]
++ Live mode (manual): $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
++ Offline mode: $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
+
+ Modes:
+ Two modes are available.
+@@ -110,7 +110,7 @@ EOF
+
+ show_disclaimer()
+ {
+- cat <<EOF
++ @cat@ <<EOF
+ Disclaimer:
+
+ This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the
+@@ -138,7 +138,7 @@ This tool has been released in the hope that it'll be useful, but don't use it t
+ EOF
+ }
+
+-os=$(uname -s)
++os=$(@uname@ -s)
+
+ # parse options
+ opt_kernel=''
+@@ -207,7 +207,7 @@ __echo()
+ _interpret_chars='-e'
+ fi
+ _ctrlchar=$($echo_cmd $_interpret_chars "\033")
+- _msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
++ _msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
+ fi
+ if [ "$echo_cmd_type" = printf ]; then
+ if [ "$opt" = "-n" ]; then
+@@ -383,7 +383,7 @@ is_cpu_affected()
+ # https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not affected
+ # https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown affected
+ # model name : Pentium(R) Dual-Core CPU E5200 @ 2.50GHz
+- if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
++ if echo "$cpu_friendly_name" | @grep@ -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
+ variant1=vuln
+ [ -z "$variant2" ] && variant2=immune
+ variant3=vuln
+@@ -486,7 +486,7 @@ is_cpu_affected()
+ i=$(( i + 1 ))
+ # do NOT quote $cpu_arch_list below
+ # shellcheck disable=SC2086
+- cpuarch=$(echo $cpu_arch_list | awk '{ print $'$i' }')
++ cpuarch=$(echo $cpu_arch_list | @awk@ '{ print $'$i' }')
+ _debug "checking cpu$i: <$cpupart> <$cpuarch>"
+ # some kernels report AArch64 instead of 8
+ [ "$cpuarch" = "AArch64" ] && cpuarch=8
+@@ -497,49 +497,49 @@ is_cpu_affected()
+ # part ? ? c08 c09 c0d c0f c0e d07 d08 d09 d0a d0b d0c d0d
+ # arch 7? 7? 7 7 7 7 7 8 8 8 8 8 8 8
+ #
+- # Whitelist identified non-affected processors, use vulnerability information from
++ # Whitelist identified non-affected processors, use vulnerability information from
+ # https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability
+ # Partnumbers can be found here:
+ # https://github.com/gcc-mirror/gcc/blob/master/gcc/config/arm/arm-cpus.in
+ #
+ # Maintain cumulative check of vulnerabilities -
+ # if at least one of the cpu is affected, then the system is affected
+- if [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
++ if [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc08 -e 0xc09 -e 0xc0d -e 0xc0e; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ [ -z "$variant3a" ] && variant3a=immune
+ [ -z "$variant4" ] && variant4=immune
+ _debug "checking cpu$i: armv7 A8/A9/A12/A17 non affected to variants 3, 3a & 4"
+- elif [ "$cpuarch" = 7 ] && echo "$cpupart" | grep -q -w -e 0xc0f; then
++ elif [ "$cpuarch" = 7 ] && echo "$cpupart" | @grep@ -q -w -e 0xc0f; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ variant3a=vuln
+ [ -z "$variant4" ] && variant4=immune
+ _debug "checking cpu$i: armv7 A15 non affected to variants 3 & 4"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd07 -e 0xd08; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd07 -e 0xd08; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ variant3a=vuln
+ variant4=vuln
+ _debug "checking cpu$i: armv8 A57/A72 non affected to variants 3"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd09; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd09; then
+ variant1=vuln
+ variant2=vuln
+ [ -z "$variant3" ] && variant3=immune
+ [ -z "$variant3a" ] && variant3a=immune
+ variant4=vuln
+ _debug "checking cpu$i: armv8 A73 non affected to variants 3 & 3a"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0a; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0a; then
+ variant1=vuln
+ variant2=vuln
+ variant3=vuln
+ [ -z "$variant3a" ] && variant3a=immune
+ variant4=vuln
+ _debug "checking cpu$i: armv8 A75 non affected to variant 3a"
+- elif [ "$cpuarch" = 8 ] && echo "$cpupart" | grep -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
++ elif [ "$cpuarch" = 8 ] && echo "$cpupart" | @grep@ -q -w -e 0xd0b -e 0xd0c -e 0xd0d; then
+ variant1=vuln
+ [ -z "$variant2" ] && variant2=immune
+ [ -z "$variant3" ] && variant3=immune
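Review bot: the pair of lines around `# Whitelist identified non-affected processors, use vulnerability information from` differ only in whitespace and stage no command, so they do not belong in a patch whose purpose is to mark commands for substitution; drop that `-`/`+` pair from the hunk so it touches only the `@grep@` call sites, otherwise the change has to be carried through every future rebase for no benefit.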
+@@ -820,7 +820,7 @@ is_cpu_ssb_free()
+ if [ "$cpu_family" = "18" ] || \
+ [ "$cpu_family" = "17" ] || \
+ [ "$cpu_family" = "16" ] || \
+- [ "$cpu_family" = "15" ]; then
++ [ "$cpu_family" = "15" ]; then
+ return 0
+ fi
+ fi
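Review bot: `[ "$cpu_family" = "15" ]; then` is changed only in whitespace here and no command is staged in this hunk; remove it from the patch for the same reason as the other whitespace-only hunk, keeping the diff limited to `@command@` placeholders.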
+@@ -837,7 +837,7 @@ show_header()
+ _info
+ }
+
+-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
++[ -z "$HOME" ] && HOME="$(@getent@ passwd "$(@whoami@)" | @cut@ -d: -f6)"
+ mcedb_cache="$HOME/.mcedb"
+ update_fwdb()
+ {
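Review bot: `@getent@` in `HOME="$(@getent@ passwd "$(@whoami@)" | @cut@ -d: -f6)"` is provided by glibc's `bin/` directory, not by coreutils or any of the other tool packages, so confirm that the `@...@` placeholder substitution actually resolves it at build time (glibc as an input) or leave `getent` unstaged; an unresolved `@getent@` would only show up at runtime, as a command-not-found when `$HOME` happens to be empty.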
+@@ -846,11 +846,11 @@ update_fwdb()
+ set -e
+
+ if [ -r "$mcedb_cache" ]; then
+- previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
++ previous_dbversion=$(@awk@ '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+ fi
+
+ # first, download the MCE.db from the excellent platomav's MCExtractor project
+- mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
++ mcedb_tmp="$(@mktemp@ -t smc-mcedb-XXXXXX
This message was truncated.
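Review bot: the staged `@mktemp@ -t smc-mcedb-XXXXXX` belongs to `update_fwdb`, the downloader that the later "remove builtin firmware database" patch deletes entirely; if that patch is applied first, this hunk (and the `@getent@`/`@whoami@`/`@cut@` one above it) no longer applies and should be dropped from the staging patch rather than regenerated.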
Liliana Marie Prikler wrote on 12 Nov 2022 13:28
(name . Hilton Chain)(address . hako@ultrarare.space)(address . 59053@debbugs.gnu.org)
cf3096650d54da99f849780dac120062e8dbc9c5.camel@gmail.com
On Saturday, 12 Nov 2022 at 20:14 +0800, Hilton Chain wrote:
> 1. Use curl as default downloader (It seems that wget doesn't work
> out of the box for TLS?).
Uhm, what exactly is the checker downloading that it needs wget or curl
for?
Hilton Chain wrote on 12 Nov 2022 13:50
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)(address . 59053@debbugs.gnu.org)
y76k040pca6.wl-hako@ultrarare.space
On Sat, 12 Nov 2022 20:28:58 +0800,
Liliana Marie Prikler wrote:
> Uhm, what exactly is the checker downloading that it needs wget or curl
> for?
With option "--update-fwdb", the checker fetches source files and builds the firmware database.
Liliana Marie Prikler wrote on 12 Nov 2022 14:40
(name . Hilton Chain)(address . hako@ultrarare.space)(address . 59053@debbugs.gnu.org)
60647514a548fc2589c1816ca8fef94fa20a7b94.camel@gmail.com
On Saturday, 12 Nov 2022 at 20:50 +0800, Hilton Chain wrote:
> On Sat, 12 Nov 2022 20:28:58 +0800,
> Liliana Marie Prikler wrote:
> > Uhm, what exactly is the checker downloading that it needs wget or
> > curl for?
> With option "--update-fwdb", the checker fetches source files and
> builds the firmware database.
You mean proprietary firmware?
Hilton Chain wrote on 12 Nov 2022 16:15
[PATCH v4] gnu: Add spectre-meltdown-checker.
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)(address . 59053@debbugs.gnu.org)
y76v8nkdx15.wl-hako@ultrarare.space
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
v3 -> v4:
1. Remove downloading function.
2. Add option for supplying a local database.

gnu/local.mk | 3 +
gnu/packages/linux.scm | 54 +
...ker-remove-builtin-firmware-database.patch | 243 +++
...cker-stage-commands-for-substitution.patch | 1849 +++++++++++++++++
...n-checker-support-guix-system-kernel.patch | 26 +
5 files changed, 2175 insertions(+)
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index e3e02314bb..46b299d0d6 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1857,6 +1857,9 @@ dist_patch_DATA = \
%D%/packages/patches/syslinux-strip-gnu-property.patch \
%D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \
%D%/packages/patches/snappy-add-inline-for-GCC.patch \
+ %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \
+ %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch \
+ %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
%D%/packages/patches/sphinxbase-fix-doxygen.patch \
%D%/packages/patches/spice-vdagent-glib-2.68.patch \
%D%/packages/patches/sssd-optional-systemd.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index fea33dfa0b..1807fd5655 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9595,3 +9595,57 @@ (define-public edac-utils
error detection and correction (EDAC).")
(home-page "https://github.com/grondo/edac-utils")
(license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+ (package
+ (name "spectre-meltdown-checker")
+ (version "0.45")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (patches
+ (search-patches
+ ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+ "spectre-meltdown-checker-support-guix-system-kernel.patch"
+ ;; NOTE: Update these patches when updating.
+ "spectre-meltdown-checker-remove-builtin-firmware-database.patch"
+ "spectre-meltdown-checker-stage-commands-for-substitution.patch"))
+ ;; Remove builtin firmware database.
+ (modules '((guix build utils)))
+ (snippet '(substitute* "spectre-meltdown-checker.sh"
+ (("^# [AI],.*") "")))
+ (sha256
+ (base32
+ "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+ (build-system copy-build-system)
+ (arguments
+ (list #:install-plan
+ #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'fixpath
+ (lambda* (#:key inputs #:allow-other-keys)
+ (substitute* "spectre-meltdown-checker.sh"
+ (("@sysctl@") (search-input-file inputs "/sbin/sysctl"))
+ (("@([a-z0-9]*)@" _ command _)
+ (search-input-file
+ inputs (string-append "/bin/" command)))))))))
+ (inputs
+ (list kmod
+ lz4
+ lzop
+ perl
+ procps
+ sharutils
+ util-linux
+ zstd))
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (synopsis "CPU vulnerability / mitigation checker")
+ (description
+ "This package provides a shell script to assess your system's resilience
+against the several transient execution CVEs that were published since early
+2018, and give you guidance as to how to mitigate them.")
+ (license license:gpl3)))
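Review bot: most of the commands the staging patch replaces (`uname`, `grep`, `sed`, `awk`, `nm`, `objdump`, `readelf`, `strings`, `find`, `xargs`, `gunzip`, `bunzip2`, `unxz`, `base64`, `od`, `stat`, ...) come from packages that are not in `inputs` (kmod, lz4, lzop, perl, procps, sharutils, util-linux, zstd); `(search-input-file inputs (string-append "/bin/" command))` only succeeds because coreutils, grep, sed, gawk, findutils, binutils, gzip, bzip2 and xz are implicit build-system inputs, and in a cross build those are native-side packages that are not in `inputs` at all, so `fixpath` would fail. List them explicitly in `inputs` so the substituted paths always point at target packages and the runtime dependencies are visible. Two smaller points on the same phase: in `(("@([a-z0-9]*)@" _ command _)` the trailing `_` names a second group the regexp does not have, `(_ command)` is enough, and `*` also matches a bare `@@`; `"@([a-z0-9]+)@"` is safer. On the `;; NOTE: Update these patches when updating.` comment: keep it only if it says what to regenerate (the two Guix-local patches, not the upstream PR 441 one), otherwise it adds nothing.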
diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
new file mode 100644
index 0000000000..888bb0c2b1
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
@@ -0,0 +1,243 @@
+From a3a9b7ca93071393e6bfd999fedd737009718aab Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 12 Nov 2022 22:45:24 +0800
+Subject: [PATCH 1/2] Remove builtin firmware database.
+
+1. Remove downloading function.
+2. Add option for supplying a local database.
+---
+ spectre-meltdown-checker.sh | 180 +++---------------------------------
+ 1 file changed, 15 insertions(+), 165 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 30f760c..ce46970 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -22,8 +22,6 @@ exit_cleanup()
+ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
+ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp"
+ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2"
+- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm -f "$mcedb_tmp"
+- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm -rf "$intel_tmp"
+ [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
+ [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null
+ [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
+@@ -93,9 +91,7 @@ show_usage()
+ --vmm [auto,yes,no] override the detection of the presence of a hypervisor, default: auto
+ --allow-msr-write allow probing for write-only MSRs, this might produce kernel logs or be blocked by your system
+ --cpu [#,all] interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
+- --update-fwdb update our local copy of the CPU microcodes versions database (using the awesome
+- MCExtractor project and the Intel firmwares GitHub repository)
+- --update-builtin-fwdb same as --update-fwdb but update builtin DB inside the script itself
++ --with-fwdb FILE supply the CPU microcodes versions database
+ --dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script
+
+ Return codes:
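Review bot: the `--with-fwdb FILE` help text should state what format FILE must have, because the code that used to produce it is being removed in this same patch: a file starting with a `# %%% MCEDB v<version>` header followed by `# I,0x<cpuid>,0x<version>,<yyyymmdd>` and `# A,...` lines, which is exactly what the deleted `update_fwdb` wrote to `$mcedb_cache`. Either document that here or point at how to build such a file; also either mention the `--with-mcedb` alias the option parser accepts or drop the alias.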
+@@ -837,147 +833,6 @@ show_header()
+ _info
+ }
+
+-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
+-mcedb_cache="$HOME/.mcedb"
+-update_fwdb()
+-{
+- show_header
+-
+- set -e
+-
+- if [ -r "$mcedb_cache" ]; then
+- previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+- fi
+-
+- # first, download the MCE.db from the excellent platomav's MCExtractor project
+- mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
+- mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+- _info_nol "Fetching MCE.db from the MCExtractor project... "
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
+- curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+- elif command -v fetch >/dev/null 2>&1; then
+- fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+- else
+- echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
+- return 1
+- fi
+- if [ "$ret" != 0 ]; then
+- echo ERROR "error $ret while downloading MCE.db"
+- return $ret
+- fi
+- echo DONE
+-
+- # second, get the Intel firmwares from GitHub
+- intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
+- intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+- _info_nol "Fetching Intel firmwares... "
+- ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
+- curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+- elif command -v fetch >/dev/null 2>&1; then
+- fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+- else
+- echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
+- return 1
+- fi
+- if [ "$ret" != 0 ]; then
+- echo ERROR "error $ret while downloading Intel firmwares"
+- return $ret
+- fi
+- echo DONE
+-
+- # now extract MCEdb contents using sqlite
+- _info_nol "Extracting MCEdb data... "
+- if ! command -v sqlite3 >/dev/null 2>&1; then
+- echo ERROR "please install the \`sqlite3\` program"
+- return 1
+- fi
+- mcedb_revision=$(sqlite3 "$mcedb_tmp" "select revision from MCE")
+- if [ -z "$mcedb_revision" ]; then
+- echo ERROR "downloaded file seems invalid"
+- return 1
+- fi
+- sqlite3 "$mcedb_tmp" "alter table Intel add column origin text"
+- sqlite3 "$mcedb_tmp" "update Intel set origin='mce'"
+-
+- echo OK "MCExtractor database revision $mcedb_revision"
+-
+- # parse Intel firmwares to get their versions
+- _info_nol "Integrating Intel firmwares data to db... "
+- if ! command -v unzip >/dev/null 2>&1; then
+- echo ERROR "please install the \`unzip\` program"
+- return 1
+- fi
+- ( cd "$intel_tmp" && unzip fw.zip >/dev/null; )
+- if ! [ -d "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" ]; then
+- echo ERROR "expected the 'intel-ucode' folder in the downloaded zip file"
+- return 1
+- fi
+-
+- if ! command -v iucode_tool >/dev/null 2>&1; then
+- if ! command -v iucode-tool >/dev/null 2>&1; then
+- echo ERROR "please install the \`iucode-tool\` program"
+- return 1
+- else
+- iucode_tool="iucode-tool"
+- fi
+- else
+- iucode_tool="iucode_tool"
+- fi
+- # 079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev 0x0217, size 5120
+- # 078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev 0x0107, size 5120
+- $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
+- do
+- _line=$( echo "$_line" | tr -d ',')
+- _cpuid=$( echo "$_line" | awk '{print $3}')
+- _cpuid=$(( _cpuid ))
+- _cpuid=$(printf "0x%08X" "$_cpuid")
+- _date=$( echo "$_line" | awk '{print $6}' | tr -d '-')
+- _version=$(echo "$_line" | awk '{print $8}')
+- _version=$(( _version ))
+- _version=$(printf "0x%08X" "$_version")
+- _sqlstm="$(printf "INSERT INTO Intel (origin,cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")"
+- sqlite3 "$mcedb_tmp" "$_sqlstm"
+- done
+- _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
+- if [ -n "$_intel_timestamp" ]; then
+- # use this date, it matches the last commit date
+- _intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp")
+- else
+- echo "Falling back to the latest microcode date"
+- _intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT yyyymmdd from Intel WHERE origin = 'intel' ORDER BY yyyymmdd DESC LIMIT 1;")
+- fi
+- echo DONE "(version $_intel_latest_date)"
+-
+- dbversion="$mcedb_revision+i$_intel_latest_date"
+-
+- if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [ "$previous_dbversion" = "v$dbversion" ]; then
+- echo "We already have this version locally, no update needed"
+- return 0
+- fi
+-
+- _info_nol "Building local database... "
+- {
+- echo "# Spectre & Meltdown Checker";
+- echo "# %%% MCEDB v$dbversion";
+- sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+- sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+- } > "$mcedb_cache"
+- echo DONE "(version $dbversion)"
+-
+- if [ "$1" = builtin ]; then
+- newfile=$(mktemp -t smc-builtin-XXXXXX)
+- awk '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+- awk '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+- cat "$newfile" > "$0"
+- rm -f "$newfile"
+- fi
+-}
+-
+ parse_opt_file()
+ {
+ # parse_opt_file option_name option_value
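Review bot: deleting `mcedb_cache="$HOME/.mcedb"` (together with the `$HOME` fallback) without a replacement leaves `mcedb_cache` unset unless `--with-fwdb` is given, so the later `[ -r "$mcedb_cache" ]` tests an empty string and a `~/.mcedb` a user built before this change is silently ignored. Either keep `mcedb_cache="${HOME:-}/.mcedb"` as the default that `--with-fwdb` overrides, or initialise `mcedb_cache=''` explicitly where the assignment was and say in the usage text that no firmware database is consulted unless one is supplied.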
+@@ -1067,12 +922,15 @@ while [ -n "${1:-}" ]; do
+ # deprecated, kept for compatibility
+ opt_explain=0
+ shift
+- elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then
+- update_fwdb
+- exit $?
+- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
+- update_fwdb builtin
+- exit $?
++ elif [ "$1" = "--with-fwdb" ] || [ "$1" = "--with-mcedb" ]; then
++ opt_fwdb=$2
++ if [ -f "$opt_fwdb" ]; then
++ mcedb_cache=$2
++ else
++ echo "$0: error: --with-fwdb should be a file, got '$opt_fwdb'" >&2
++ exit 255
++ fi
++ shift 2
+ elif [ "$1" = "--dump-mock-data" ]; then
+ opt_mock=1
+ shift
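Review bot: the `--with-fwdb` branch reimplements the file check that the script's own `parse_opt_file` helper (`# parse_opt_file option_name option_value`, visible in the previous hunk) already provides for `--kernel`, `--config` and `--map`, with a different error message and exit code; use the helper so the messages and return codes stay consistent. Also guard the argument with `${2:-}`: when `--with-fwdb` is the last word on the command line, `opt_fwdb=$2` expands to nothing and `shift 2` then fails, and `[ -f "$opt_fwdb" ]` does not check readability, which is what `[ -r "$mcedb_cache" ]` later requires.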
+@@ -2033,21 +1891,11 @@ is_xen_domU()
+ fi
+ }
+
+-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ # we have a local cache file, but it might be older than the builtin version we have
+ local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+- # sort -V sorts by version number
+- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | sort -V | head -n1)
+- if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+- mcedb_source="$mcedb_cache"
+- mcedb_info="local firmwares DB $local_dbversion"
+- fi
+-fi
+-# if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db
+-if [ -z "${mcedb_source:-}" ]; then
+- mcedb_source="$0"
+- mcedb_info="builtin firmwares DB $builtin_dbversion"
++ mcedb_source="$mcedb_cache"
++ mcedb_info="local firmwares DB $local_dbversion"
+ fi
+ read_mcedb()
+ {
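Review bot: the comment `# we have a local cache file, but it might be older than the builtin version we have` is now wrong, since the builtin database and the `sort -V` comparison against it are gone; update it. And because the `mcedb_source="$0"` fallback is removed and nothing else assigns the variable, add `mcedb_source=''` before this `if` so the later `[ -z "$mcedb_source" ]` test in `is_latest_known_ucode` inspects a defined value instead of relying on an unset variable expanding to empty.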
+@@ -2063,7 +1911,9 @@ is_latest_known_ucode()
+ return 2
+ fi
+ ucode_latest="latest microcode version for your CPU model is unknown"
+- if is_intel; then
++ if [ -z "$mcedb_source" ]; then
++ return 2
++ elif is_intel; then
+ cpu_brand_prefix=I
+ elif is_amd; then
+ cpu_brand_prefix=A
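Review bot: when `mcedb_source` is empty the function returns 2 with `ucode_latest` still set to `latest microcode version for your CPU model is unknown`, which tells the user the CPU is unknown when the real cause is that no database was supplied; set a message such as `no firmware database supplied, use --with-fwdb FILE` just before that `return 2` so the report explains the missing data.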
+--
+2.38.1
+
diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
new file mode 100644
index 0000000000..a8e7531f32
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-substitution.patch
@@ -0,0 +1,1849 @@
+From 1d79c223d5dc114f63da2c5061d2c713d8a05687 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Fri, 11 Nov 2022 18:49:50 +0800
+Subject: [PATCH 2/2] Stage commands for later substitution.
+
+awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find, grep,
+gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm, nproc,
+objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat, strings,
+sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, xargs.
+---
+ spectre-meltdown-checker.sh | 606 ++++++++++++++++++------------------
+ 1 file changed, 303 insertions(+), 303 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index ce46970..4889ebb 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -19,31 +19,31 @@ trap '_warn "interrupted, cleaning up..."; exit_cleanup; exit 1' INT
+ exit_cleanup()
+ {
+ # cleanup the temp decompressed config & kernel image
+- [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
+- [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp"
+- [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2"
+- [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
+- [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null
+- [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
+- [ "${insmod_msr:-}" = 1 ] && rmmod msr 2>/dev/null
++ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && @rm@ -f "$dumped_config"
++ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && @rm@ -f "$kerneltmp"
++ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && @rm@ -f "$kerneltmp2"
++ [ "${mounted_debugfs:-}" = 1 ] && @umount@ /sys/kernel/debug 2>/dev/null
++ [ "${mounted_procfs:-}" = 1 ] && @umount@ "$procfs" 2>/dev/null
++ [ "${insmod_cpuid:-}" = 1 ] && @rmmod@ cpuid 2>/dev/null
++ [ "${insmod_msr:-}" = 1 ] && @rmmod@ msr 2>/dev/null
+ [ "${kldload_cpuctl:-}" = 1 ] && kldunload cpuctl 2>/dev/null
+ [ "${kldload_vmm:-}" = 1 ] && kldunload vmm 2>/dev/null
+ }
+
+ # if we were git clone'd, adjust VERSION
+-if [ -d "$(dirname "$0")/.git" ] && command -v git >/dev/null 2>&1; then
+- describe=$(git -C "$(dirname "$0")" describe --tags --dirty 2>/dev/null)
+- [ -n "$describe" ] && VERSION=$(echo "$describe" | sed -e s/^v//)
++if [ -d "$(@dirname@ "$0")/.git" ] && command -v git >/dev/null 2>&1; then
++ describe=$(git -C "$(@dirname@ "$0")" describe --tags --dirty 2>/dev/null)
++ [ -n "$describe" ] && VERSION=$(echo "$describe" | @sed@ -e s/^v//)
+ fi
+
+ show_usage()
+ {
+ # shellcheck disable=SC2086
+- cat <<EOF
++ @cat@ <<EOF
+ Usage:
+- Live mode (auto): $(basename $0) [options]
+- Live mode (manual): $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
+- Offline mode: $(basename $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
++ Live mode (auto): $(@basename@ $0) [options]
++ Live mode (manual): $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]> --live
++ Offline mode: $(@basename@ $0) [options] <[--kernel <kimage>] [--config <kconfig>] [--map <mapfile>]>
+
+ Modes:
+ Two modes are available.
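Review bot: rewriting every call site to `@rm@`, `@umount@`, `@rmmod@`, `@sed@`, `@cat@`, `@basename@` and so on yields an 1849-line patch touching 606 script lines that must be regenerated at each upstream release, which the `;; NOTE: Update these patches when updating.` comment in the package already concedes. The same result is reachable without touching the script: leave the commands bare and wrap the installed script so `PATH` is prefixed with the `bin` directories of kmod, util-linux, procps, coreutils and the other tool packages (or substitute only the handful of commands outside coreutils). Leaving `git` and `kldunload` bare while the adjacent `dirname` and `sed` are staged is harmless here (`command -v git` guards the former, the latter is FreeBSD-only) but illustrates how per-command patching cannot be applied uniformly.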
+@@ -106,7 +106,7 @@ EOF
+
+ show_disclaimer()
+ {
+- cat <<EOF
++ @cat@ <<EOF
+ Disclaimer:
+
+ This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the
+@@ -134,7 +134,7 @@ This tool has been released in the hope that it'll be useful, but don't use it t
+ EOF
+ }
+
+-os=$(uname -s)
++os=$(@uname@ -s)
+
+ # parse options
+ opt_kernel=''
+@@ -203,7 +203,7 @@ __echo()
+ _interpret_chars='-e'
+ fi
+ _ctrlchar=$($echo_cmd $_interpret_chars "\033")
+- _msg=$($echo_cmd $_interpret_chars "$_msg" | sed -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
++ _msg=$($echo_cmd $_interpret_chars "$_msg" | @sed@ -r "s/$_ctrlchar\[([0-9][0-9]?(;[0-9][0-9]?)?)?m//g")
+ fi
+ if [ "$echo_cmd_type" = printf ]; then
+ if [ "$opt" = "-n" ]; then
+@@ -379,7 +379,7 @@ is_cpu_affected()
+ # https://github.com/crozone/SpectrePoC/issues/1 ^F E5200 => spectre 2 not affected
+ # https://github.com/paboldin/meltdown-exploit/issues/19 ^F E5200 => meltdown affected
+ # model name : Pentium(R) Dual-Core CPU E5200 @ 2.50GHz
+- if echo "$cpu_friendly_name" | grep -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
++ if echo "$cpu_friendly_name" | @grep@ -qE 'Pentium\(R\) Dual-Core[[:space:]]+CPU[[:space:]]+E[0-9]{4}K?'; then
+ variant1=vuln
+ [ -z "$varian
This message was truncated.
Liliana Marie Prikler wrote on 12 Nov 2022 17:58
(name . Hilton Chain)(address . hako@ultrarare.space)(address . 59053@debbugs.gnu.org)
3e3c90ad73311a445a3b06c7c8afb42dcf0af1b1.camel@gmail.com
On Saturday, 12 Nov 2022 at 23:15 +0800, Hilton Chain wrote:
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-stage-commands-for-
> substitution.patch:
> New file.
> * gnu/local.mk (dist_patch_DATA): Add patches.
> ---
> v3 -> v4:
> 1. Remove downloading function.
> 2. Add option for supplying a local database.
>
>  gnu/local.mk                                  |    3 +
>  gnu/packages/linux.scm                        |   54 +
>  ...ker-remove-builtin-firmware-database.patch |  243 +++
>  ...cker-stage-commands-for-substitution.patch | 1849
> +++++++++++++++++
>  ...n-checker-support-guix-system-kernel.patch |   26 +
>  5 files changed, 2175 insertions(+)
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> remove-builtin-firmware-database.patch
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> stage-commands-for-substitution.patch
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index e3e02314bb..46b299d0d6 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1857,6 +1857,9 @@ dist_patch_DATA
> =                                         \
>    %D%/packages/patches/syslinux-strip-gnu-property.patch       \
>    %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch      \
>    %D%/packages/patches/snappy-add-inline-for-GCC.patch         \
> +  %D%/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch \
> +  %D%/packages/patches/spectre-meltdown-checker-stage-commands-for-
> substitution.patch \
> +  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
>    %D%/packages/patches/sphinxbase-fix-doxygen.patch            \
>    %D%/packages/patches/spice-vdagent-glib-2.68.patch           \
>    %D%/packages/patches/sssd-optional-systemd.patch             \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index fea33dfa0b..1807fd5655 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9595,3 +9595,57 @@ (define-public edac-utils
>  error detection and correction (EDAC).")
>      (home-page "https://github.com/grondo/edac-utils")
>      (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> +  (package
> +    (name "spectre-meltdown-checker")
> +    (version "0.45")
> +    (source (origin
> +              (method git-fetch)
> +              (uri (git-reference
> +                    (url
> "https://github.com/speed47/spectre-meltdown-checker")
> +                    (commit (string-append "v" version))))
> +              (file-name (git-file-name name version))
> +              (patches
> +               (search-patches
> +                ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> +                "spectre-meltdown-checker-support-guix-system-
> kernel.patch"
> +                ;; NOTE: Update these patches when updating.
> +                "spectre-meltdown-checker-remove-builtin-firmware-
> database.patch"
Is this comment still needed?
> +                "spectre-meltdown-checker-stage-commands-for-
> substitution.patch"))
> +              ;; Remove builtin firmware database.
> +              (modules '((guix build utils)))
> +              (snippet '(substitute* "spectre-meltdown-checker.sh"
> +                          (("^# [AI],.*") "")))
> +              (sha256
> +               (base32
> +               
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> +    (build-system copy-build-system)
> +    (arguments
> +     (list #:install-plan
> +           #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> +           #:phases
> +           #~(modify-phases %standard-phases
> +               (add-after 'unpack 'fixpath
> +                 (lambda* (#:key inputs #:allow-other-keys)
> +                   (substitute* "spectre-meltdown-checker.sh"
> +                     (("@sysctl@") (search-input-file inputs
> "/sbin/sysctl"))
> +                     (("@([a-z0-9]*)@" _ command _)
> +                      (search-input-file
> +                       inputs (string-append "/bin/"
> command)))))))))
> +    (inputs
> +     (list kmod
> +           lz4
> +           lzop
> +           perl
> +           procps
> +           sharutils
> +           util-linux
> +           zstd))
> +    (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> +    (synopsis "CPU vulnerability / mitigation checker")
> +    (description
> +     "This package provides a shell script to assess your system's
> resilience
> +against the several transient execution CVEs that were published
> since early
> +2018, and give you guidance as to how to mitigate them.")
> +    (license license:gpl3)))
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-
> builtin-firmware-database.patch b/gnu/packages/patches/spectre-
> meltdown-checker-remove-builtin-firmware-database.patch
> new file mode 100644
> index 0000000000..888bb0c2b1
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch
> @@ -0,0 +1,243 @@
> +From a3a9b7ca93071393e6bfd999fedd737009718aab Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Sat, 12 Nov 2022 22:45:24 +0800
> +Subject: [PATCH 1/2] Remove builtin firmware database.
> +
> +1. Remove downloading function.
> +2. Add option for supplying a local database.
> +---
> + spectre-meltdown-checker.sh | 180 +++------------------------------
> ---
> + 1 file changed, 15 insertions(+), 165 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 30f760c..ce46970 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -22,8 +22,6 @@ exit_cleanup()
> +       [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm
> -f "$dumped_config"
> +       [ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && rm
> -f "$kerneltmp"
> +       [ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] && rm
> -f "$kerneltmp2"
> +-      [ -n "${mcedb_tmp:-}"     ] && [ -f "$mcedb_tmp"     ] && rm
> -f "$mcedb_tmp"
> +-      [ -n "${intel_tmp:-}"     ] && [ -d "$intel_tmp"     ] && rm
> -rf "$intel_tmp"
> +       [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug
> 2>/dev/null
> +       [ "${mounted_procfs:-}"  = 1 ] && umount "$procfs"
> 2>/dev/null
> +       [ "${insmod_cpuid:-}"    = 1 ] && rmmod cpuid 2>/dev/null
> +@@ -93,9 +91,7 @@ show_usage()
> +               --vmm [auto,yes,no]     override the detection of the
> presence of a hypervisor, default: auto
> +               --allow-msr-write       allow probing for write-only
> MSRs, this might produce kernel logs or be blocked by your system
> +               --cpu [#,all]           interact with CPUID and MSR
> of CPU core number #, or all (default: CPU core 0)
> +-              --update-fwdb           update our local copy of the
> CPU microcodes versions database (using the awesome
> +-                                      MCExtractor project and the
> Intel firmwares GitHub repository)
> +-              --update-builtin-fwdb   same as --update-fwdb but
> update builtin DB inside the script itself
> ++              --with-fwdb FILE        supply the CPU microcodes
> versions database
> +               --dump-mock-data        used to mimick a CPU on an
> other system, mainly used to help debugging this script
> +
> +       Return codes:
> +@@ -837,147 +833,6 @@ show_header()
> +       _info
> + }
> +
> +-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
> +-mcedb_cache="$HOME/.mcedb"
> +-update_fwdb()
> +-{
> +-      show_header
> +-
> +-      set -e
> +-
> +-      if [ -r "$mcedb_cache" ]; then
> +-              previous_dbversion=$(awk '/^# %%% MCEDB / { print $4
> }' "$mcedb_cache")
> +-      fi
> +-
> +-      # first, download the MCE.db from the excellent platomav's
> MCExtractor project
> +-      mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
> +-
>       mcedb_url='https://github.com/platomav/MCExtractor/raw/master/M
> CE.db'
> +-      _info_nol "Fetching MCE.db from the MCExtractor project... "
> +-      if command -v wget >/dev/null 2>&1; then
> +-              wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
> +-      elif command -v curl >/dev/null 2>&1; then
> +-              curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
> +-      elif command -v fetch >/dev/null 2>&1; then
> +-              fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
> +-      else
> +-              echo ERROR "please install one of \`wget\`, \`curl\`
> of \`fetch\` programs"
> +-              return 1
> +-      fi
> +-      if [ "$ret" != 0 ]; then
> +-              echo ERROR "error $ret while downloading MCE.db"
> +-              return $ret
> +-      fi
> +-      echo DONE
> +-
> +-      # second, get the Intel firmwares from GitHub
> +-      intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
> +-
>       intel_url="https://github.com/intel/Intel-Linux-Processor-Micro
> code-Data-Files/archive/main.zip"
> +-      _info_nol "Fetching Intel firmwares... "
> +-      ##
> https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
> +-      if command -v wget >/dev/null 2>&1; then
> +-              wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
> +-      elif command -v curl >/dev/null 2>&1; then
> +-              curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
> +-      elif command -v fetch >/dev/null 2>&1; then
> +-              fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
> +-      else
> +-              echo ERROR "please install one of \`wget\`, \`curl\`
> of \`fetch\` programs"
> +-              return 1
> +-      fi
> +-      if [ "$ret" != 0 ]; then
> +-              echo ERROR "error $ret while downloading Intel
> firmwares"
> +-              return $ret
> +-      fi
> +-      echo DONE
> +-
> +-      # now extract MCEdb contents using sqlite
> +-      _info_nol "Extracting MCEdb data... "
> +-      if ! command -v sqlite3 >/dev/null 2>&1; then
> +-              echo ERROR "please install the \`sqlite3\` program"
> +-              return 1
> +-      fi
> +-      mcedb_revision=$(sqlite3 "$mcedb_tmp" "select revision from
> MCE")
> +-      if [ -z "$mcedb_revision" ]; then
> +-              echo ERROR "downloaded file seems invalid"
> +-              return 1
> +-      fi
> +-      sqlite3 "$mcedb_tmp" "alter table Intel add column origin
> text"
> +-      sqlite3 "$mcedb_tmp" "update Intel set origin='mce'"
> +-
> +-      echo OK "MCExtractor database revision $mcedb_revision"
> +-
> +-      # parse Intel firmwares to get their versions
> +-      _info_nol "Integrating Intel firmwares data to db... "
> +-      if ! command -v unzip >/dev/null 2>&1; then
> +-              echo ERROR "please install the \`unzip\` program"
> +-              return 1
> +-      fi
> +-      ( cd "$intel_tmp" && unzip fw.zip >/dev/null; )
> +-      if ! [ -d "$intel_tmp/Intel-Linux-Processor-Microcode-Data-
> Files-main/intel-ucode" ]; then
> +-              echo ERROR "expected the 'intel-ucode' folder in the
> downloaded zip file"
> +-              return 1
> +-      fi
> +-
> +-      if ! command -v iucode_tool >/dev/null 2>&1; then
> +-              if ! command -v iucode-tool >/dev/null 2>&1; then
> +-                      echo ERROR "please install the \`iucode-
> tool\` program"
> +-                      return 1
> +-              else
> +-                      iucode_tool="iucode-tool"
> +-              fi
> +-      else
> +-              iucode_tool="iucode_tool"
> +-      fi
> +-      #  079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev
> 0x0217, size 5120
> +-      #  078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev
> 0x0107, size 5120
> +-      $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-
> Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
> +-      do
> +-              _line=$(   echo "$_line" | tr -d ',')
> +-              _cpuid=$(  echo "$_line" | awk '{print $3}')
> +-              _cpuid=$(( _cpuid ))
> +-              _cpuid=$(printf "0x%08X" "$_cpuid")
> +-              _date=$(   echo "$_line" | awk '{print $6}' | tr -d
> '-')
> +-              _version=$(echo "$_line" | awk '{print $8}')
> +-              _version=$(( _version ))
> +-              _version=$(printf "0x%08X" "$_version")
> +-              _sqlstm="$(printf "INSERT INTO Intel
> (origin,cpuid,version,yyyymmdd) VALUES
> (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")"
> "$(printf "%08X" "$_version")" "$_date")"
> +-              sqlite3 "$mcedb_tmp" "$_sqlstm"
> +-      done
> +-      _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-
> Processor-Microcode-Data-Files-main/license" 2>/dev/null)
> +-      if [ -n "$_intel_timestamp" ]; then
> +-              # use this date, it matches the last commit date
> +-              _intel_latest_date=$(date +%Y%m%d -d
> @"$_intel_timestamp")
> +-      else
> +-              echo "Falling back to the latest microcode date"
> +-              _intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT
> yyyymmdd from Intel WHERE origin = 'intel' ORDER BY yyyymmdd DESC
> LIMIT 1;")
> +-      fi
> +-      echo DONE "(version $_intel_latest_date)"
> +-
> +-      dbversion="$mcedb_revision+i$_intel_latest_date"
> +-
> +-      if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [
> "$previous_dbversion" = "v$dbversion" ]; then
> +-              echo "We already have this version locally, no update
> needed"
> +-              return 0
> +-      fi
> +-
> +-      _info_nol "Building local database... "
> +-      {
> +-              echo "# Spectre & Meltdown Checker";
> +-              echo "# %%% MCEDB v$dbversion";
> +-              sqlite3 "$mcedb_tmp" "SELECT '#
> I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel
> AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND
> t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid
> ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
> +-              sqlite3 "$mcedb_tmp" "SELECT '#
> A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD  
> AS t1 LEFT OUTER JOIN AMD   AS t2 ON t2.cpuid=t1.cpuid AND
> t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid
> ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
> +-      } > "$mcedb_cache"
> +-      echo DONE "(version $dbversion)"
> +-
> +-      if [ "$1" = builtin ]; then
> +-              newfile=$(mktemp -t smc-builtin-XXXXXX)
> +-              awk '/^# %%% MCEDB / { exit }; { print }' "$0" >
> "$newfile"
> +-              awk '{ if (NR>1) { print } }' "$mcedb_cache" >>
> "$newfile"
> +-              cat "$newfile" > "$0"
> +-              rm -f "$newfile"
> +-      fi
> +-}
> +-
> + parse_opt_file()
> + {
> +       # parse_opt_file option_name option_value
> +@@ -1067,12 +922,15 @@ while [ -n "${1:-}" ]; do
> +               # deprecated, kept for compatibility
> +               opt_explain=0
> +               shift
> +-      elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb"
> ]; then
> +-              update_fwdb
> +-              exit $?
> +-      elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--
> update-builtin-mcedb" ]; then
> +-              update_fwdb builtin
> +-              exit $?
> ++      elif [ "$1" = "--with-fwdb" ] || [ "$1" = "--with-mcedb" ];
> then
> ++              opt_fwdb=$2
> ++              if [ -f "$opt_fwdb" ]; then
> ++                      mcedb_cache=$2
> ++              else
> ++                      echo "$0: error: --with-fwdb should be a
> file, got '$opt_fwdb'" >&2
> ++                      exit 255
> ++              fi
> ++              shift 2
> +       elif [ "$1" = "--dump-mock-data" ]; then
> +               opt_mock=1
> +               shift
> +@@ -2033,21 +1891,11 @@ is_xen_domU()
> +       fi
> + }
> +
> +-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
> + if [ -r "$mcedb_cache" ]; then
> +       # we have a local cache file, but it might be older than the
> builtin version we have
> +       local_dbversion=$(  awk '/^# %%% MCEDB / { print $4 }'
> "$mcedb_cache")
> +-      # sort -V sorts by version number
> +-      older_dbversion=$(printf "%b\n%b" "$local_dbversion"
> "$builtin_dbversion" | sort -V | head -n1)
> +-      if [ "$older_dbversion" = "$builtin_dbversion" ]; then
> +-              mcedb_source="$mcedb_cache"
> +-              mcedb_info="local firmwares DB $local_dbversion"
> +-      fi
> +-fi
> +-# if mcedb_source is not set, either we don't have a local cached
> db, or it is older than the builtin db
> +-if [ -z "${mcedb_source:-}" ]; then
> +-      mcedb_source="$0"
> +-      mcedb_info="builtin firmwares DB $builtin_dbversion"
> ++      mcedb_source="$mcedb_cache"
> ++      mcedb_info="local firmwares DB $local_dbversion"
> + fi
> + read_mcedb()
> + {
> +@@ -2063,7 +1911,9 @@ is_latest_known_ucode()
> +               return 2
> +       fi
> +       ucode_latest="latest microcode version for your CPU model is
> unknown"
> +-      if is_intel; then
> ++      if [ -z "$mcedb_source" ]; then
> ++              return 2
> ++      elif is_intel; then
> +               cpu_brand_prefix=I
> +       elif is_amd; then
> +               cpu_brand_prefix=A
> +--
> +2.38.1
> +
LGTM.
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-stage-
> commands-for-substitution.patch b/gnu/packages/patches/spectre-
> meltdown-checker-stage-commands-for-substitution.patch
> new file mode 100644
> index 0000000000..a8e7531f32
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-stage-commands-
> for-substitution.patch
> @@ -0,0 +1,1849 @@
> +From 1d79c223d5dc114f63da2c5061d2c713d8a05687 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Fri, 11 Nov 2022 18:49:50 +0800
> +Subject: [PATCH 2/2] Stage commands for later substitution.
> +
> +awk, base64, basename, bunzip2, cat, cut, dd, dirname, dmesg, find,
> grep,
> +gunzip, gzip, head, id, lz4, lzop, mktemp, modprobe, mount, nm,
> nproc,
> +objdump, od, perl, pgrep, readelf, rm, rmmod, sed, sort, stat,
> strings,
> +sysctl, tr, umount, uname, unlzma, unxz, unzstd, uuencode, xargs.
> +---
I think it'd be better to provide a little more information in the patch
note, e.g. "The following commands are taken from the environment and
thus need to be substituted:
- awk
- base64
- basename
- ...
The following are shell built-ins and can remain as is
- command
- echo
- ..."

By the way, I feel like it'd be an improvement to crank down on the
number of context lines or translate this into an equivalent
substitute*, i.e.
  (substitute* "spectre-meltdown-checker.sh"
    (("\\<(awk|base64|...)\\>" all cmd)
     (find-command inputs cmd))
    (("\\<(gzip|gunzip|...)\\>" all cmd)
     (find-command inputs cmd))
    ...)

where
  (define* (find-command inputs cmd #:optional (bin "bin"))
    (search-input-file inputs (string-append bin "/" cmd)))
> + spectre-meltdown-checker.sh | 606 ++++++++++++++++++---------------
> ---
> + 1 file changed, 303 insertions(+), 303 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index ce46970..4889ebb 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -19,31 +19,31 @@ trap '_warn "interrupted, cleaning up...";
> exit_cleanup; exit 1' INT
> + exit_cleanup()
> + {
> +       # cleanup the temp decompressed config & kernel image
> +-      [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm
> -f "$dumped_config"
> +-      [ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && rm
> -f "$kerneltmp"
Hilton Chain wrote on 13 Nov 2022 14:09
[PATCH v5] gnu: Add spectre-meltdown-checker.
(name . Liliana Marie Prikler)(address . liliana.prikler@gmail.com)(address . 59053@debbugs.gnu.org)
y76a64v2e84.wl-hako@ultrarare.space
* gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
* gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch:
New file.
* gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch:
New file.
* gnu/local.mk (dist_patch_DATA): Add patches.
---
v4 -> v5: No longer an extra patch for substitution.

gnu/local.mk | 2 +
gnu/packages/linux.scm | 130 ++++++++++
...ker-remove-builtin-firmware-database.patch | 243 ++++++++++++++++++
...n-checker-support-guix-system-kernel.patch | 26 ++
4 files changed, 401 insertions(+)
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
create mode 100644 gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index e3e02314bb..1e85790983 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1857,6 +1857,8 @@ dist_patch_DATA = \
%D%/packages/patches/syslinux-strip-gnu-property.patch \
%D%/packages/patches/snappy-add-O2-flag-in-CmakeLists.txt.patch \
%D%/packages/patches/snappy-add-inline-for-GCC.patch \
+ %D%/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch \
+ %D%/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch \
%D%/packages/patches/sphinxbase-fix-doxygen.patch \
%D%/packages/patches/spice-vdagent-glib-2.68.patch \
%D%/packages/patches/sssd-optional-systemd.patch \
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index fea33dfa0b..03b7ce46b0 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -9595,3 +9595,133 @@ (define-public edac-utils
error detection and correction (EDAC).")
(home-page "https://github.com/grondo/edac-utils")
(license license:gpl2+)))
+
+(define-public spectre-meltdown-checker
+ (package
+ (name "spectre-meltdown-checker")
+ (version "0.45")
+ (source (origin
+ (method git-fetch)
+ (uri (git-reference
+ (url "https://github.com/speed47/spectre-meltdown-checker")
+ (commit (string-append "v" version))))
+ (file-name (git-file-name name version))
+ (patches
+ (search-patches
+ "spectre-meltdown-checker-remove-builtin-firmware-database.patch"
+ ;; https://github.com/speed47/spectre-meltdown-checker/pull/441
+ "spectre-meltdown-checker-support-guix-system-kernel.patch"))
+ ;; Remove builtin firmware database.
+ (modules '((guix build utils)))
+ (snippet '(substitute* "spectre-meltdown-checker.sh"
+ (("^# [AI],.*") "")))
+ (sha256
+ (base32
+ "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
+ (build-system copy-build-system)
+ (arguments
+ (list
+ #:install-plan
+ #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-checker"))
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'unpack 'fixpath
+ (lambda* (#:key inputs #:allow-other-keys)
+ (define* (find-command inputs cmd #:optional (bin "bin")
+ #:key (prefix "") (suffix ""))
+ (string-append
+ prefix (search-input-file inputs (string-append bin "/" cmd))
+ suffix))
+ (substitute* "spectre-meltdown-checker.sh"
+ ;; ${opt_arch_prefix}CMD
+ (((string-append
+ "\\$\\{opt_arch_prefix\\}"
+ "\\<(nm|objdump|readelf|strings)\\>") all cmd)
+ (find-command inputs cmd))
+
+ ;; dd
+ (("(dd)( if=)" all cmd suffix)
+ (find-command inputs cmd #:suffix suffix))
+
+ ;; Commands safe to substitute directly.
+ (((string-append "\\<(" (string-join
+ (list "awk"
+ "basename"
+ "dirname"
+ "bunzip2"
+ "gunzip"
+ "gzip"
+ "lz4"
+ "lzop"
+ "modprobe"
+ "pgrep"
+ "rmmod"
+ "umount"
+ "unlzma"
+ "unxz"
+ "unzstd"
+ "uuencode")
+ "|")
+ ")\\>") all cmd)
+ (find-command inputs cmd))
+
+ ;; Search by suffix.
+ ;; CMD -
+ ;; CMD ^
+ (((string-append "\\<(" (string-join
+ (list "base64"
+ "cut"
+ "grep"
+ "head"
+ "id"
+ "mount"
+ "mktemp"
+ "od"
+ "perl"
+ "rm"
+ "uname"
+ "xargs")
+ "|")
+ ")\\>( [-^])") all cmd suffix)
+ (find-command inputs cmd #:suffix suffix))
+ ;; CMD |
+ (("(dmesg)( \\|)" all cmd suffix)
+ (find-command inputs cmd #:suffix suffix))
+
+ ;; Then prefix
+ ;; | CMD
+ (("(\\| )\\<(grep|sed|sort|stat|tr)\\>" all prefix cmd)
+ (find-command inputs cmd #:prefix prefix))
+ ;; $(CMD
+ (("(\\$\\( *)(sysctl)" all prefix cmd)
+ (find-command inputs cmd "sbin" #:prefix prefix))
+ (("(\\$\\()\\<(cat|find|grep|mount|nproc|stat|tr)\\>" all prefix cmd)
+ (find-command inputs cmd #:prefix prefix))
+ ;; if CMD
+ (("(if )(sysctl)" all prefix cmd)
+ (find-command inputs cmd "sbin" #:prefix prefix))
+ ;; command -v CMD
+ (("(command -v) \"*\\<(base64|nproc|perl|printf)\\>\"*" all prefix cmd)
+ (find-command inputs cmd #:prefix prefix))
+
+ ;; Cats are mysterious...
+ ;; cat <<EOF
+ (("(cat)( <<EOF)" all cmd suffix)
+ (find-command inputs cmd #:suffix suffix))
+ ;; cat "$
+ (("(cat)(\"\\$)" all cmd suffix)
+ (find-command inputs cmd #:suffix suffix))
+ ;; 'cat'
+ (("(')(cat)(')" all prefix cmd suffix)
+ (find-command inputs cmd #:prefix prefix #:suffix suffix))
+ ;; "cat"
+ (("(\")(cat)(\")" all prefix cmd suffix)
+ (find-command inputs cmd #:prefix prefix #:suffix suffix))))))))
+ (inputs (list kmod lz4 lzop perl procps sharutils util-linux zstd))
+ (home-page "https://github.com/speed47/spectre-meltdown-checker")
+ (synopsis "CPU vulnerability / mitigation checker")
+ (description
+ "This package provides a shell script to assess your system's resilience
+against the several transient execution CVEs that were published since early
+2018, and give you guidance as to how to mitigate them.")
+ (license license:gpl3)))
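Review bot: the "Commands safe to substitute directly" rule (`\\<(awk|basename|...|uuencode)\\>`) has no surrounding context, so it also rewrites those words wherever they occur as plain text in the script, for instance inside `#` comments or in messages the script prints, and each hit becomes a long store path. A command that no input provides does fail the build loudly, because `find-command` goes through `search-input-file`, but a wrong match inside a comment or message string is silent. Suggest ending the `fixpath` phase with a check that no `/gnu/store/` path landed on a comment line, or at least diffing the substituted script once against the unpacked source before merging.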
diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
new file mode 100644
index 0000000000..809763cf4f
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-firmware-database.patch
@@ -0,0 +1,243 @@
+From 340b08737e552c3c186863d76d123808d853a159 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 12 Nov 2022 22:45:24 +0800
+Subject: [PATCH] Remove builtin firmware database.
+
+1. Remove downloading function.
+2. Add option for supplying a local database.
+---
+ spectre-meltdown-checker.sh | 180 +++---------------------------------
+ 1 file changed, 15 insertions(+), 165 deletions(-)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 30f760c..ce46970 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -22,8 +22,6 @@ exit_cleanup()
+ [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm -f "$dumped_config"
+ [ -n "${kerneltmp:-}" ] && [ -f "$kerneltmp" ] && rm -f "$kerneltmp"
+ [ -n "${kerneltmp2:-}" ] && [ -f "$kerneltmp2" ] && rm -f "$kerneltmp2"
+- [ -n "${mcedb_tmp:-}" ] && [ -f "$mcedb_tmp" ] && rm -f "$mcedb_tmp"
+- [ -n "${intel_tmp:-}" ] && [ -d "$intel_tmp" ] && rm -rf "$intel_tmp"
+ [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug 2>/dev/null
+ [ "${mounted_procfs:-}" = 1 ] && umount "$procfs" 2>/dev/null
+ [ "${insmod_cpuid:-}" = 1 ] && rmmod cpuid 2>/dev/null
+@@ -93,9 +91,7 @@ show_usage()
+ --vmm [auto,yes,no] override the detection of the presence of a hypervisor, default: auto
+ --allow-msr-write allow probing for write-only MSRs, this might produce kernel logs or be blocked by your system
+ --cpu [#,all] interact with CPUID and MSR of CPU core number #, or all (default: CPU core 0)
+- --update-fwdb update our local copy of the CPU microcodes versions database (using the awesome
+- MCExtractor project and the Intel firmwares GitHub repository)
+- --update-builtin-fwdb same as --update-fwdb but update builtin DB inside the script itself
++ --with-fwdb FILE supply the CPU microcodes versions database
+ --dump-mock-data used to mimick a CPU on an other system, mainly used to help debugging this script
+
+ Return codes:
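Review bot: the new `--with-fwdb FILE` help line does not say what FILE must contain or where to get one, whereas the removed `--update-fwdb` text at least named its sources (MCExtractor and the Intel firmware repository). Because the package snippet also strips the builtin database, a user who runs the packaged script without this option gets the "latest microcode version for your CPU model is unknown" result for every CPU. Suggest wording such as `--with-fwdb FILE        use FILE as the CPU microcode versions database (same format as the former builtin DB: a "# %%% MCEDB" header followed by "# I,..."/"# A,..." lines)`.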
+@@ -837,147 +833,6 @@ show_header()
+ _info
+ }
+
+-[ -z "$HOME" ] && HOME="$(getent passwd "$(whoami)" | cut -d: -f6)"
+-mcedb_cache="$HOME/.mcedb"
+-update_fwdb()
+-{
+- show_header
+-
+- set -e
+-
+- if [ -r "$mcedb_cache" ]; then
+- previous_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+- fi
+-
+- # first, download the MCE.db from the excellent platomav's MCExtractor project
+- mcedb_tmp="$(mktemp -t smc-mcedb-XXXXXX)"
+- mcedb_url='https://github.com/platomav/MCExtractor/raw/master/MCE.db'
+- _info_nol "Fetching MCE.db from the MCExtractor project... "
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$mcedb_url" -O "$mcedb_tmp"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
+- curl -sL "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+- elif command -v fetch >/dev/null 2>&1; then
+- fetch -q "$mcedb_url" -o "$mcedb_tmp"; ret=$?
+- else
+- echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
+- return 1
+- fi
+- if [ "$ret" != 0 ]; then
+- echo ERROR "error $ret while downloading MCE.db"
+- return $ret
+- fi
+- echo DONE
+-
+- # second, get the Intel firmwares from GitHub
+- intel_tmp="$(mktemp -d -t smc-intelfw-XXXXXX)"
+- intel_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/main.zip"
+- _info_nol "Fetching Intel firmwares... "
+- ## https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+- if command -v wget >/dev/null 2>&1; then
+- wget -q "$intel_url" -O "$intel_tmp/fw.zip"; ret=$?
+- elif command -v curl >/dev/null 2>&1; then
+- curl -sL "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+- elif command -v fetch >/dev/null 2>&1; then
+- fetch -q "$intel_url" -o "$intel_tmp/fw.zip"; ret=$?
+- else
+- echo ERROR "please install one of \`wget\`, \`curl\` of \`fetch\` programs"
+- return 1
+- fi
+- if [ "$ret" != 0 ]; then
+- echo ERROR "error $ret while downloading Intel firmwares"
+- return $ret
+- fi
+- echo DONE
+-
+- # now extract MCEdb contents using sqlite
+- _info_nol "Extracting MCEdb data... "
+- if ! command -v sqlite3 >/dev/null 2>&1; then
+- echo ERROR "please install the \`sqlite3\` program"
+- return 1
+- fi
+- mcedb_revision=$(sqlite3 "$mcedb_tmp" "select revision from MCE")
+- if [ -z "$mcedb_revision" ]; then
+- echo ERROR "downloaded file seems invalid"
+- return 1
+- fi
+- sqlite3 "$mcedb_tmp" "alter table Intel add column origin text"
+- sqlite3 "$mcedb_tmp" "update Intel set origin='mce'"
+-
+- echo OK "MCExtractor database revision $mcedb_revision"
+-
+- # parse Intel firmwares to get their versions
+- _info_nol "Integrating Intel firmwares data to db... "
+- if ! command -v unzip >/dev/null 2>&1; then
+- echo ERROR "please install the \`unzip\` program"
+- return 1
+- fi
+- ( cd "$intel_tmp" && unzip fw.zip >/dev/null; )
+- if ! [ -d "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" ]; then
+- echo ERROR "expected the 'intel-ucode' folder in the downloaded zip file"
+- return 1
+- fi
+-
+- if ! command -v iucode_tool >/dev/null 2>&1; then
+- if ! command -v iucode-tool >/dev/null 2>&1; then
+- echo ERROR "please install the \`iucode-tool\` program"
+- return 1
+- else
+- iucode_tool="iucode-tool"
+- fi
+- else
+- iucode_tool="iucode_tool"
+- fi
+- # 079/001: sig 0x000106c2, pf_mask 0x01, 2009-04-10, rev 0x0217, size 5120
+- # 078/004: sig 0x000106ca, pf_mask 0x10, 2009-08-25, rev 0x0107, size 5120
+- $iucode_tool -l "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/intel-ucode" | grep -wF sig | while read -r _line
+- do
+- _line=$( echo "$_line" | tr -d ',')
+- _cpuid=$( echo "$_line" | awk '{print $3}')
+- _cpuid=$(( _cpuid ))
+- _cpuid=$(printf "0x%08X" "$_cpuid")
+- _date=$( echo "$_line" | awk '{print $6}' | tr -d '-')
+- _version=$(echo "$_line" | awk '{print $8}')
+- _version=$(( _version ))
+- _version=$(printf "0x%08X" "$_version")
+- _sqlstm="$(printf "INSERT INTO Intel (origin,cpuid,version,yyyymmdd) VALUES (\"%s\",\"%s\",\"%s\",\"%s\");" "intel" "$(printf "%08X" "$_cpuid")" "$(printf "%08X" "$_version")" "$_date")"
+- sqlite3 "$mcedb_tmp" "$_sqlstm"
+- done
+- _intel_timestamp=$(stat -c %Y "$intel_tmp/Intel-Linux-Processor-Microcode-Data-Files-main/license" 2>/dev/null)
+- if [ -n "$_intel_timestamp" ]; then
+- # use this date, it matches the last commit date
+- _intel_latest_date=$(date +%Y%m%d -d @"$_intel_timestamp")
+- else
+- echo "Falling back to the latest microcode date"
+- _intel_latest_date=$(sqlite3 "$mcedb_tmp" "SELECT yyyymmdd from Intel WHERE origin = 'intel' ORDER BY yyyymmdd DESC LIMIT 1;")
+- fi
+- echo DONE "(version $_intel_latest_date)"
+-
+- dbversion="$mcedb_revision+i$_intel_latest_date"
+-
+- if [ "$1" != builtin ] && [ -n "$previous_dbversion" ] && [ "$previous_dbversion" = "v$dbversion" ]; then
+- echo "We already have this version locally, no update needed"
+- return 0
+- fi
+-
+- _info_nol "Building local database... "
+- {
+- echo "# Spectre & Meltdown Checker";
+- echo "# %%% MCEDB v$dbversion";
+- sqlite3 "$mcedb_tmp" "SELECT '# I,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM Intel AS t1 LEFT OUTER JOIN Intel AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+- sqlite3 "$mcedb_tmp" "SELECT '# A,0x'||t1.cpuid||',0x'||MAX(t1.version)||','||t1.yyyymmdd FROM AMD AS t1 LEFT OUTER JOIN AMD AS t2 ON t2.cpuid=t1.cpuid AND t2.yyyymmdd > t1.yyyymmdd WHERE t2.yyyymmdd IS NULL GROUP BY t1.cpuid ORDER BY t1.cpuid ASC;" | grep -v '^# .,0x00000000,';
+- } > "$mcedb_cache"
+- echo DONE "(version $dbversion)"
+-
+- if [ "$1" = builtin ]; then
+- newfile=$(mktemp -t smc-builtin-XXXXXX)
+- awk '/^# %%% MCEDB / { exit }; { print }' "$0" > "$newfile"
+- awk '{ if (NR>1) { print } }' "$mcedb_cache" >> "$newfile"
+- cat "$newfile" > "$0"
+- rm -f "$newfile"
+- fi
+-}
+-
+ parse_opt_file()
+ {
+ # parse_opt_file option_name option_value
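Review bot: the patch description ("Remove downloading function") undersells what this hunk drops. Besides the runtime fetches of MCE.db and the Intel firmware zip, it also removes the `builtin` mode that rewrote the running script in place (`cat "$newfile" > "$0"`), which could not work on a read-only store item anyway, and the `$HOME/.mcedb` default cache path. Naming all three in the commit message would make it clear that no network access and no self-modification remain in the packaged script.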
+@@ -1067,12 +922,15 @@ while [ -n "${1:-}" ]; do
+ # deprecated, kept for compatibility
+ opt_explain=0
+ shift
+- elif [ "$1" = "--update-fwdb" ] || [ "$1" = "--update-mcedb" ]; then
+- update_fwdb
+- exit $?
+- elif [ "$1" = "--update-builtin-fwdb" ] || [ "$1" = "--update-builtin-mcedb" ]; then
+- update_fwdb builtin
+- exit $?
++ elif [ "$1" = "--with-fwdb" ] || [ "$1" = "--with-mcedb" ]; then
++ opt_fwdb=$2
++ if [ -f "$opt_fwdb" ]; then
++ mcedb_cache=$2
++ else
++ echo "$0: error: --with-fwdb should be a file, got '$opt_fwdb'" >&2
++ exit 255
++ fi
++ shift 2
+ elif [ "$1" = "--dump-mock-data" ]; then
+ opt_mock=1
+ shift
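Review bot: `opt_fwdb=$2` reads the option value before checking that one was given, so `--with-fwdb` as the last argument produces the misleading error `--with-fwdb should be a file, got ''` (or an unbound-variable abort if the script runs under `set -u`). Suggest `[ -n "${2:-}" ] || { echo "$0: error: --with-fwdb requires a FILE" >&2; exit 255; }` before the test, `-r` instead of `-f` since the file is read later via `[ -r "$mcedb_cache" ]`, and `mcedb_cache=$opt_fwdb` rather than repeating `$2`.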
+@@ -2033,21 +1891,11 @@ is_xen_domU()
+ fi
+ }
+
+-builtin_dbversion=$(awk '/^# %%% MCEDB / { print $4 }' "$0")
+ if [ -r "$mcedb_cache" ]; then
+ # we have a local cache file, but it might be older than the builtin version we have
+ local_dbversion=$( awk '/^# %%% MCEDB / { print $4 }' "$mcedb_cache")
+- # sort -V sorts by version number
+- older_dbversion=$(printf "%b\n%b" "$local_dbversion" "$builtin_dbversion" | sort -V | head -n1)
+- if [ "$older_dbversion" = "$builtin_dbversion" ]; then
+- mcedb_source="$mcedb_cache"
+- mcedb_info="local firmwares DB $local_dbversion"
+- fi
+-fi
+-# if mcedb_source is not set, either we don't have a local cached db, or it is older than the builtin db
+-if [ -z "${mcedb_source:-}" ]; then
+- mcedb_source="$0"
+- mcedb_info="builtin firmwares DB $builtin_dbversion"
++ mcedb_source="$mcedb_cache"
++ mcedb_info="local firmwares DB $local_dbversion"
+ fi
+ read_mcedb()
+ {
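Review bot: `mcedb_cache` is no longer initialised anywhere: its definition `mcedb_cache="$HOME/.mcedb"` is removed in an earlier hunk and it is now only assigned when `--with-fwdb` is passed, so `[ -r "$mcedb_cache" ]` here tests an unset variable in the default case, and `mcedb_source` and `mcedb_info` then stay unset as well. The removed code expanded `${mcedb_source:-}` for exactly this situation; suggest `mcedb_cache=${mcedb_cache:-}` and `mcedb_source=` defaults before this block, and updating the retained comment "but it might be older than the builtin version we have", which no longer applies now that there is no builtin version.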
+@@ -2063,7 +1911,9 @@ is_latest_known_ucode()
+ return 2
+ fi
+ ucode_latest="latest microcode version for your CPU model is unknown"
+- if is_intel; then
++ if [ -z "$mcedb_source" ]; then
++ return 2
++ elif is_intel; then
+ cpu_brand_prefix=I
+ elif is_amd; then
+ cpu_brand_prefix=A
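Review bot: `[ -z "$mcedb_source" ]` drops the `:-` default the removed code used for this variable, and returning 2 here makes "no database supplied" indistinguishable from "CPU not in the database": both surface as the `ucode_latest` "unknown" text. Suggest `[ -z "${mcedb_source:-}" ]` and setting `ucode_latest` to a message that points at `--with-fwdb` before returning, so the operator can tell that the check was skipped rather than that it found nothing.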
+--
+2.38.1
+
diff --git a/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
new file mode 100644
index 0000000000..afec52b418
--- /dev/null
+++ b/gnu/packages/patches/spectre-meltdown-checker-support-guix-system-kernel.patch
@@ -0,0 +1,26 @@
+From 5b757d930ec0cf102b03fb9817d17e06c72e74b3 Mon Sep 17 00:00:00 2001
+From: Hilton Chain <hako@ultrarare.space>
+Date: Sat, 5 Nov 2022 23:22:31 +0800
+Subject: [PATCH] Add support for Guix System kernel.
+
+---
+ spectre-meltdown-checker.sh | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh
+index 248a444..855a090 100755
+--- a/spectre-meltdown-checker.sh
++++ b/spectre-meltdown-checker.sh
+@@ -2251,6 +2251,8 @@ if [ "$opt_live" = 1 ]; then
+ [ -e "/boot/kernel-genkernel-$(uname -m)-$(uname -r)" ] && opt_kernel="/boot/kernel-genkernel-$(uname -m)-$(uname -r)"
+ # NixOS:
+ [ -e "/run/booted-system/kernel" ] && opt_kernel="/run/booted-system/kernel"
++ # Guix System:
++ [ -e "/run/booted-system/kernel/bzImage" ] && opt_kernel="/run/booted-system/kernel/bzImage"
+ # systemd kernel-install:
+ [ -e "/etc/machine-id" ] && [ -e "/boot/$(cat /etc/machine-id)/$(uname -r)/linux" ] && opt_kernel="/boot/$(cat /etc/machine-id)/$(uname -r)/linux"
+ # Clear Linux:
+
+base-commit: a6c943d38f315f339697ec26e7374a09b88f2183
+--
+2.38.0
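Review bot: the ordering of the new Guix System test relative to the NixOS one is load-bearing and deserves a comment. On Guix System `/run/booted-system/kernel` is a directory (the added line itself looks for `bzImage` inside it), so the preceding NixOS test `[ -e "/run/booted-system/kernel" ]` also succeeds and sets `opt_kernel` to that directory, which the Guix line then overrides. Either note in the `# Guix System:` comment that this line must stay below the NixOS one, or tighten the NixOS test to `[ -f ... ]`, so a future reordering does not silently hand the script a directory as the kernel image. Also, `bzImage` is the x86 image name only; if the package is meant to work on other architectures, their image file names need handling too.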

base-commit: 80d10fa413cf43439f9ab94b6f69fe68811156da
--
Liliana Marie Prikler wrote on 13 Nov 2022 23:02
(name . Hilton Chain)(address . hako@ultrarare.space)(address . 59053-done@debbugs.gnu.org)
ac1b13e0eb9516094b3fb543d91265e6fd48154f.camel@gmail.com
On Sunday, 13.11.2022 at 21:09 +0800, Hilton Chain wrote:
> * gnu/packages/linux.scm (spectre-meltdown-checker): New variable.
> * gnu/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch:
> New file.
> * gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch:
> New file.
> * gnu/local.mk (dist_patch_DATA): Add patches.
I renamed the patches for the ChangeLog, slightly rewrote their
explanations, ...

>  gnu/local.mk                                  |   2 +
>  gnu/packages/linux.scm                        | 130 ++++++++++
>  ...ker-remove-builtin-firmware-database.patch | 243
> ++++++++++++++++++
>  ...n-checker-support-guix-system-kernel.patch |  26 ++
>  4 files changed, 401 insertions(+)
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> remove-builtin-firmware-database.patch
>  create mode 100644 gnu/packages/patches/spectre-meltdown-checker-
> support-guix-system-kernel.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index e3e02314bb..1e85790983 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -1857,6 +1857,8 @@ dist_patch_DATA
> =                                         \
>    %D%/packages/patches/syslinux-strip-gnu-property.patch       \
>    %D%/packages/patches/snappy-add-O2-flag-in-
> CmakeLists.txt.patch      \
>    %D%/packages/patches/snappy-add-inline-for-GCC.patch         \
> +  %D%/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch \
> +  %D%/packages/patches/spectre-meltdown-checker-support-guix-system-
> kernel.patch \
>    %D%/packages/patches/sphinxbase-fix-doxygen.patch            \
>    %D%/packages/patches/spice-vdagent-glib-2.68.patch           \
>    %D%/packages/patches/sssd-optional-systemd.patch             \
> diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
> index fea33dfa0b..03b7ce46b0 100644
> --- a/gnu/packages/linux.scm
> +++ b/gnu/packages/linux.scm
> @@ -9595,3 +9595,133 @@ (define-public edac-utils
>  error detection and correction (EDAC).")
>      (home-page "https://github.com/grondo/edac-utils")
>      (license license:gpl2+)))
> +
> +(define-public spectre-meltdown-checker
> +  (package
> +    (name "spectre-meltdown-checker")
> +    (version "0.45")
> +    (source (origin
> +              (method git-fetch)
> +              (uri (git-reference
> +                    (url
> "https://github.com/speed47/spectre-meltdown-checker")
> +                    (commit (string-append "v" version))))
> +              (file-name (git-file-name name version))
> +              (patches
> +               (search-patches
> +                "spectre-meltdown-checker-remove-builtin-firmware-
> database.patch"
> +                ;;
> https://github.com/speed47/spectre-meltdown-checker/pull/441
> +                "spectre-meltdown-checker-support-guix-system-
> kernel.patch"))
> +              ;; Remove builtin firmware database.
> +              (modules '((guix build utils)))
> +              (snippet '(substitute* "spectre-meltdown-checker.sh"
> +                          (("^# [AI],.*") "")))
> +              (sha256
> +               (base32
> +               
> "1xx8h5791lhc2xw0dcbzjkklzvlxwxkjzh8di4g8divfy24fqsn8"))))
> +    (build-system copy-build-system)
> +    (arguments
> +     (list
> +      #:install-plan
> +      #~'(("spectre-meltdown-checker.sh" "bin/spectre-meltdown-
> checker"))
> +      #:phases
> +      #~(modify-phases %standard-phases
> +          (add-after 'unpack 'fixpath
> +            (lambda* (#:key inputs #:allow-other-keys)
> +              (define* (find-command inputs cmd #:optional (bin
> "bin")
> +                                     #:key (prefix "") (suffix ""))
> +                (string-append
> +                 prefix (search-input-file inputs (string-append bin
> "/" cmd))
> +                 suffix))
> +              (substitute* "spectre-meltdown-checker.sh"
> +                ;; ${opt_arch_prefix}CMD
> +                (((string-append
> +                   "\\$\\{opt_arch_prefix\\}"
> +                   "\\<(nm|objdump|readelf|strings)\\>") all cmd)
> +                 (find-command inputs cmd))
> +
> +                ;; dd
> +                (("(dd)( if=)" all cmd suffix)
> +                 (find-command inputs cmd #:suffix suffix))
> +
> +                ;; Commands safe to substitute directly.
> +                (((string-append "\\<(" (string-join
> +                                         (list "awk"
> +                                               "basename"
> +                                               "dirname"
> +                                               "bunzip2"
> +                                               "gunzip"
> +                                               "gzip"
> +                                               "lz4"
> +                                               "lzop"
> +                                               "modprobe"
> +                                               "pgrep"
> +                                               "rmmod"
> +                                               "umount"
> +                                               "unlzma"
> +                                               "unxz"
> +                                               "unzstd"
> +                                               "uuencode")
> +                                         "|")
> +                                 ")\\>") all cmd)
replaced these "clever" tricks with dumber ones,
> +                 (find-command inputs cmd))
> +
> +                ;; Search by suffix.
> +                ;; CMD -
> +                ;; CMD ^
> +                (((string-append "\\<(" (string-join
> +                                         (list "base64"
> +                                               "cut"
> +                                               "grep"
> +                                               "head"
> +                                               "id"
> +                                               "mount"
> +                                               "mktemp"
> +                                               "od"
> +                                               "perl"
> +                                               "rm"
> +                                               "uname"
> +                                               "xargs")
> +                                         "|")
> +                                 ")\\>( [-^])") all cmd suffix)
> +                 (find-command inputs cmd #:suffix suffix))
> +                ;; CMD |
> +                (("(dmesg)( \\|)" all cmd suffix)
> +                 (find-command inputs cmd #:suffix suffix))
> +
> +                ;; Then prefix
> +                ;; | CMD
> +                (("(\\| )\\<(grep|sed|sort|stat|tr)\\>" all prefix
> cmd)
> +                 (find-command inputs cmd #:prefix prefix))
> +                ;; $(CMD
> +                (("(\\$\\( *)(sysctl)" all prefix cmd)
> +                 (find-command inputs cmd "sbin" #:prefix prefix))
> +               
> (("(\\$\\()\\<(cat|find|grep|mount|nproc|stat|tr)\\>" all prefix cmd)
> +                 (find-command inputs cmd #:prefix prefix))
> +                ;; if CMD
> +                (("(if )(sysctl)" all prefix cmd)
> +                 (find-command inputs cmd "sbin" #:prefix prefix))
> +                ;; command -v CMD
> +                (("(command -v)
> \"*\\<(base64|nproc|perl|printf)\\>\"*" all prefix cmd)
> +                 (find-command inputs cmd #:prefix prefix))
> +
> +                ;; Cats are mysterious...
> +                ;; cat <<EOF
> +                (("(cat)( <<EOF)" all cmd suffix)
> +                 (find-command inputs cmd #:suffix suffix))
> +                ;; cat "$
> +                (("(cat)(\"\\$)" all cmd suffix)
> +                 (find-command inputs cmd #:suffix suffix))
> +                ;; 'cat'
> +                (("(')(cat)(')" all prefix cmd suffix)
> +                 (find-command inputs cmd #:prefix prefix #:suffix
> suffix))
> +                ;; "cat"
> +                (("(\")(cat)(\")" all prefix cmd suffix)
> +                 (find-command inputs cmd #:prefix prefix #:suffix
> suffix))))))))
> +    (inputs (list kmod lz4 lzop perl procps sharutils util-linux
> zstd))
> +    (home-page
> "https://github.com/speed47/spectre-meltdown-checker")
> +    (synopsis "CPU vulnerability / mitigation checker")
> +    (description
> +     "This package provides a shell script to assess your system's
> resilience
> +against the several transient execution CVEs that were published
> since early
> +2018, and give you guidance as to how to mitigate them.")
> +    (license license:gpl3)))
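Review bot: the `fixpath` phase rewrites `nm`, `objdump`, `readelf`, `strings`, `awk`, `grep`, `sed`, `sort`, `gzip`, `gunzip`, `bunzip2`, `unxz`, `xargs`, `find`, `cat` and the other coreutils commands to absolute store paths, yet none of binutils, gawk, grep, sed, gzip, bzip2, xz, findutils or coreutils is listed in `inputs` (only `kmod lz4 lzop perl procps sharutils util-linux zstd`); `search-input-file` only resolves them through the build system's implicit inputs. Declare them explicitly so the runtime dependencies are visible in the package and the phase does not depend on what the build system happens to add. Two smaller points: the word-boundary patterns such as `"\\<(" (string-join (list "awk" ...) "|") ")\\>"` also match occurrences of those words inside comments and user-facing messages in the script, so the substituted script is worth a read for mangled strings; and the `sysctl` substitutions pass `"sbin"` while everything else uses `bin`, which is right for procps but deserves a one-line comment explaining why.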
> diff --git a/gnu/packages/patches/spectre-meltdown-checker-remove-
> builtin-firmware-database.patch b/gnu/packages/patches/spectre-
> meltdown-checker-remove-builtin-firmware-database.patch
> new file mode 100644
> index 0000000000..809763cf4f
> --- /dev/null
> +++ b/gnu/packages/patches/spectre-meltdown-checker-remove-builtin-
> firmware-database.patch
> @@ -0,0 +1,243 @@
> +From 340b08737e552c3c186863d76d123808d853a159 Mon Sep 17 00:00:00
> 2001
> +From: Hilton Chain <hako@ultrarare.space>
> +Date: Sat, 12 Nov 2022 22:45:24 +0800
> +Subject: [PATCH] Remove builtin firmware database.
> +
> +1. Remove downloading function.
> +2. Add option for supplying a local database.
> +---
> + spectre-meltdown-checker.sh | 180 +++------------------------------
> ---
> + 1 file changed, 15 insertions(+), 165 deletions(-)
> +
> +diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-
> checker.sh
> +index 30f760c..ce46970 100755
> +--- a/spectre-meltdown-checker.sh
> ++++ b/spectre-meltdown-checker.sh
> +@@ -22,8 +22,6 @@ exit_cleanup()
> +       [ -n "${dumped_config:-}" ] && [ -f "$dumped_config" ] && rm
> -f "$dumped_config"
> +       [ -n "${kerneltmp:-}"     ] && [ -f "$kerneltmp"     ] && rm
> -f "$kerneltmp"
> +       [ -n "${kerneltmp2:-}"    ] && [ -f "$kerneltmp2"    ] && rm
> -f "$kerneltmp2"
> +-      [ -n "${mcedb_tmp:-}"     ] && [ -f "$mcedb_tmp"     ] && rm
> -f "$mcedb_tmp"
> +-      [ -n "${intel_tmp:-}"     ] && [ -d "$intel_tmp"     ] && rm
> -rf "$intel_tmp"
> +       [ "${mounted_debugfs:-}" = 1 ] && umount /sys/kernel/debug
> 2>/dev/null
> +       [ "${mounted_procfs:-}"  = 1 ] && umount "$procfs"
> 2>/dev/null
> +       [ "${insmod_cpuid:-}"    = 1 ] && rmmod cpuid 2>/dev/null
> +@@ -93,9 +91,7 @@ show_usage()
> +               --vmm [auto,yes,no]     override the detection of the
> presence of a hypervisor, default: auto
> +               --allow-msr-write       allow probing for write-only
> MSRs, this might produce kernel logs or be blocked by your system
> +               --cpu [#,all]           interact with CPUID and MSR
> of CPU core number #, or all (default: CPU core 0)
> +-              --update-fwdb           update our local copy of the
> CPU microcodes versions database (using the awesome
> +-                                      MCExtractor project and the
> Intel firmwares GitHub repository)
> +-              --update-builtin-fwdb   same as --update-fwdb but
> update builtin DB inside the script itself
> ++              --with-fwdb FILE        supply the CPU microcodes
> versions database
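Review bot: the usage text for the new `--with-fwdb FILE` option replaces the two `--update-fwdb` lines but does not say what happens when no database is supplied; since the builtin database is gone and the earlier version of this patch in the thread makes `is_latest_known_ucode()` return 2 when `mcedb_source` is empty, the help line should state that the "latest microcode" check is skipped unless FILE is given, and what format FILE is expected to have (the `# %%% MCEDB` header the script reads with `awk`). The option parsing that turns FILE into `mcedb_cache` is outside the quoted part; it should reject a missing or unreadable FILE up front rather than letting the header read silently yield an empty `local_dbversion`.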
and added a note regarding the (lack of) freedom for proprietary
microcode.

I also added your name and email to the authors of linux.scm, since
this was a very non-trivial package.

Cheers
Closed