v26.21.040
...
master
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
f2d871acff | ||
|
|
83ebe2f75f | ||
|
|
a05f8aab34 |
4
.github/workflows/autoupdate.yml
vendored
4
.github/workflows/autoupdate.yml
vendored
@@ -5,6 +5,9 @@ on:
|
|||||||
schedule:
|
schedule:
|
||||||
- cron: '42 9 * * *'
|
- cron: '42 9 * * *'
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
pull-requests: write
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
autoupdate:
|
autoupdate:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
@@ -25,7 +28,6 @@ jobs:
|
|||||||
if: steps.diff.outputs.nbdiff != '0'
|
if: steps.diff.outputs.nbdiff != '0'
|
||||||
uses: peter-evans/create-pull-request@v7
|
uses: peter-evans/create-pull-request@v7
|
||||||
with:
|
with:
|
||||||
token: ${{ secrets.SMC_PR_PAT }}
|
|
||||||
branch: autoupdate-fwdb
|
branch: autoupdate-fwdb
|
||||||
commit-message: "update: fwdb from ${{ steps.diff.outputs.change }}, ${{ steps.diff.outputs.nbdiff }} microcode changes"
|
commit-message: "update: fwdb from ${{ steps.diff.outputs.change }}, ${{ steps.diff.outputs.nbdiff }} microcode changes"
|
||||||
title: "[Auto] Update fwdb from ${{ steps.diff.outputs.change }}"
|
title: "[Auto] Update fwdb from ${{ steps.diff.outputs.change }}"
|
||||||
|
|||||||
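Review bot: With the `permissions:` block added in the first hunk, every permission not listed drops to `none`, so the job's GITHUB_TOKEN — which is presumably what create-pull-request falls back to once the `token: ${{ secrets.SMC_PR_PAT }}` line is removed in the second hunk — carries no `contents: write` and will likely be unable to push the `autoupdate-fwdb` branch; confirm on a run, and if so extend the block to `permissions:` / `  contents: write` / `  pull-requests: write`. Replacing a long-lived PAT with a scoped GITHUB_TOKEN is the right least-privilege move. One consequence worth recording on the `permissions:` block is that pull requests opened with GITHUB_TOKEN do not trigger other workflows, so the build.yml checks will not run on the auto-update PR; a comment such as `# GITHUB_TOKEN-created PRs do not trigger other workflows (e.g. build.yml); review them manually or use an app token` would make the trade-off explicit for the next maintainer.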
111
.github/workflows/build.yml
vendored
Normal file
111
.github/workflows/build.yml
vendored
Normal file
@@ -0,0 +1,111 @@
|
|||||||
|
name: build
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
branches:
|
||||||
|
- test
|
||||||
|
- source
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
build:
|
||||||
|
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v6
|
||||||
|
with:
|
||||||
|
persist-credentials: true
|
||||||
|
- name: install prerequisites
|
||||||
|
run: sudo apt-get update && sudo apt-get install -y shellcheck shfmt jq sqlite3 iucode-tool make
|
||||||
|
- name: build and check
|
||||||
|
run: |
|
||||||
|
make build fmt-check shellcheck
|
||||||
|
mv spectre-meltdown-checker.sh dist/
|
||||||
|
- name: check direct execution
|
||||||
|
run: |
|
||||||
|
expected=$(cat .github/workflows/expected_cve_count)
|
||||||
|
cd dist
|
||||||
|
nb=$(sudo ./spectre-meltdown-checker.sh --batch json | jq '.[]|.CVE' | wc -l)
|
||||||
|
if [ "$nb" -ne "$expected" ]; then
|
||||||
|
echo "Invalid number of CVEs reported: $nb instead of $expected"
|
||||||
|
exit 1
|
||||||
|
else
|
||||||
|
echo "OK $nb CVEs reported"
|
||||||
|
fi
|
||||||
|
- name: check docker compose run execution
|
||||||
|
run: |
|
||||||
|
expected=$(cat .github/workflows/expected_cve_count)
|
||||||
|
cd dist
|
||||||
|
docker compose build
|
||||||
|
nb=$(docker compose run --rm spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
|
||||||
|
if [ "$nb" -ne "$expected" ]; then
|
||||||
|
echo "Invalid number of CVEs reported: $nb instead of $expected"
|
||||||
|
exit 1
|
||||||
|
else
|
||||||
|
echo "OK $nb CVEs reported"
|
||||||
|
fi
|
||||||
|
- name: check docker run execution
|
||||||
|
run: |
|
||||||
|
expected=$(cat .github/workflows/expected_cve_count)
|
||||||
|
cd dist
|
||||||
|
docker build -t spectre-meltdown-checker .
|
||||||
|
nb=$(docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/modules:/lib/modules:ro spectre-meltdown-checker --batch json | jq '.[]|.CVE' | wc -l)
|
||||||
|
if [ "$nb" -ne "$expected" ]; then
|
||||||
|
echo "Invalid number of CVEs reported: $nb instead of $expected"
|
||||||
|
exit 1
|
||||||
|
else
|
||||||
|
echo "OK $nb CVEs reported"
|
||||||
|
fi
|
||||||
|
- name: check fwdb update (separated)
|
||||||
|
run: |
|
||||||
|
cd dist
|
||||||
|
nbtmp1=$(find /tmp 2>/dev/null | wc -l)
|
||||||
|
./spectre-meltdown-checker.sh --update-fwdb; ret=$?
|
||||||
|
if [ "$ret" != 0 ]; then
|
||||||
|
echo "Non-zero return value: $ret"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
nbtmp2=$(find /tmp 2>/dev/null | wc -l)
|
||||||
|
if [ "$nbtmp1" != "$nbtmp2" ]; then
|
||||||
|
echo "Left temporary files!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
if ! [ -e ~/.mcedb ]; then
|
||||||
|
echo "No .mcedb file found after updating fwdb"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
- name: check fwdb update (builtin)
|
||||||
|
run: |
|
||||||
|
cd dist
|
||||||
|
nbtmp1=$(find /tmp 2>/dev/null | wc -l)
|
||||||
|
./spectre-meltdown-checker.sh --update-builtin-fwdb; ret=$?
|
||||||
|
if [ "$ret" != 0 ]; then
|
||||||
|
echo "Non-zero return value: $ret"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
nbtmp2=$(find /tmp 2>/dev/null | wc -l)
|
||||||
|
if [ "$nbtmp1" != "$nbtmp2" ]; then
|
||||||
|
echo "Left temporary files!"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
- name: create a pull request to ${{ github.ref_name }}-build
|
||||||
|
run: |
|
||||||
|
tmpdir=$(mktemp -d)
|
||||||
|
mv ./dist/* .github $tmpdir/
|
||||||
|
rm -rf ./dist
|
||||||
|
git fetch origin ${{ github.ref_name }}-build
|
||||||
|
git checkout -f ${{ github.ref_name }}-build
|
||||||
|
mv $tmpdir/* .
|
||||||
|
mkdir -p .github
|
||||||
|
rsync -vaP --delete $tmpdir/.github/ .github/
|
||||||
|
git add --all
|
||||||
|
echo =#=#= DIFF CACHED
|
||||||
|
git diff --cached
|
||||||
|
echo =#=#= STATUS
|
||||||
|
git status
|
||||||
|
echo =#=#= COMMIT
|
||||||
|
git config --global user.name "github-actions[bot]"
|
||||||
|
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
|
||||||
|
git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b'
|
||||||
|
git log ${{ github.ref }} -1 --format=format:'%s%n%n built from commit %H%n dated %ai%n by %an (%ae)%n%n %b' | git commit -F -
|
||||||
|
git push
|
||||||
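Review bot: The workflow declares no `permissions:` block, so the final `git push` to `${{ github.ref_name }}-build` relies on the repository's default GITHUB_TOKEN scope, and `persist-credentials: true` on the checkout step leaves that token in `.git/config` for every later step, including the `make`, `sudo` and docker steps; adding `permissions:` / `  contents: write` at the workflow level pins the token to the one scope the push needs and stops the job depending on repository settings. The step name `create a pull request to ${{ github.ref_name }}-build` is misleading, since the `run:` block commits and pushes directly to that branch with no pull request involved; `- name: push build output to ${{ github.ref_name }}-build` describes what it does. A short comment above the `git checkout -f` line noting that `github.ref_name` can only be `test` or `source` here (the `on: push: branches:` filter) would document why interpolating it into shell is acceptable in this workflow.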
1
.github/workflows/expected_cve_count
vendored
Normal file
1
.github/workflows/expected_cve_count
vendored
Normal file
@@ -0,0 +1 @@
|
|||||||
|
21
|
||||||
33
.github/workflows/stale.yml
vendored
Normal file
33
.github/workflows/stale.yml
vendored
Normal file
@@ -0,0 +1,33 @@
|
|||||||
|
name: 'Manage stale issues and PRs'
|
||||||
|
|
||||||
|
on:
|
||||||
|
schedule:
|
||||||
|
- cron: '37 7 * * *'
|
||||||
|
workflow_dispatch:
|
||||||
|
inputs:
|
||||||
|
action:
|
||||||
|
description: "dry-run"
|
||||||
|
required: true
|
||||||
|
default: "dryrun"
|
||||||
|
type: choice
|
||||||
|
options:
|
||||||
|
- dryrun
|
||||||
|
- apply
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
issues: write
|
||||||
|
pull-requests: write
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
stale:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/stale@v10
|
||||||
|
with:
|
||||||
|
any-of-labels: 'needs-more-info,answered'
|
||||||
|
labels-to-remove-when-unstale: 'needs-more-info,answered'
|
||||||
|
days-before-stale: 30
|
||||||
|
days-before-close: 7
|
||||||
|
stale-issue-label: stale
|
||||||
|
remove-stale-when-updated: true
|
||||||
|
debug-only: ${{ case(inputs.action == 'apply', false, true) }}
|
||||||
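Review bot: `debug-only: ${{ case(inputs.action == 'apply', false, true) }}` on the last line looks wrong on two counts. `case()` is not a function I can find in the GitHub Actions expression syntax, so the expression may fail to evaluate at all — confirm against a run; the same intent without it is `debug-only: ${{ inputs.action != 'apply' }}`. More importantly, `inputs` is only populated for `workflow_dispatch`, so on the `schedule` trigger `inputs.action` is empty and the daily run evaluates to a dry run, never labelling or closing anything; if the cron is meant to apply, use `debug-only: ${{ github.event_name == 'workflow_dispatch' && inputs.action != 'apply' }}`. A one-line comment above `debug-only:` stating that the scheduled run applies and manual dispatch defaults to dry-run would keep this from regressing.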
@@ -13,7 +13,7 @@
|
|||||||
#
|
#
|
||||||
# Stephane Lesimple
|
# Stephane Lesimple
|
||||||
#
|
#
|
||||||
VERSION='26.21.0401891'
|
VERSION='26.21.0402701'
|
||||||
|
|
||||||
# --- Common paths and basedirs ---
|
# --- Common paths and basedirs ---
|
||||||
readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities"
|
readonly VULN_SYSFS_BASE="/sys/devices/system/cpu/vulnerabilities"
|
||||||
@@ -3329,7 +3329,7 @@ pr_info
|
|||||||
# Sets: ret_sys_interface_check_fullmsg
|
# Sets: ret_sys_interface_check_fullmsg
|
||||||
# Returns: 0 if file matched, 1 otherwise
|
# Returns: 0 if file matched, 1 otherwise
|
||||||
sys_interface_check() {
|
sys_interface_check() {
|
||||||
local file regex mode msg mockvarname
|
local file regex mode mockvarname
|
||||||
file="$1"
|
file="$1"
|
||||||
regex="${2:-}"
|
regex="${2:-}"
|
||||||
mode="${3:-}"
|
mode="${3:-}"
|
||||||
|
|||||||