Spectre V1 scanner #4106
lunarthegrey
Jul 19, 2018
This is not an issue or bug report. Should be posted in the community forum or subreddit.
https://groups.google.com/forum/#!forum/qubes-users
https://www.reddit.com/r/Qubes/
adrelanos
Jul 19, 2018
Member
The feature request here is "use Spectre V1 scanner to scan all of Qubes code".
lunarthegrey
Jul 19, 2018
@adrelanos Gotcha. Original post didn't hint at that. Thanks for explaining.
esote
Jul 19, 2018
@adrelanos While this should definitely be pursued for all Qubes binaries, unfortunately Qubes does use quite a few Python scripts, which this tool wouldn't be helpful with. So in this way, we wouldn't be able to "scan all of Qubes code" -- just scan Qubes' binaries.
andrewdavidwong added the enhancement and C: other labels on Jul 20, 2018
andrewdavidwong added this to the Ongoing milestone on Jul 20, 2018
esote
Jul 23, 2018
I've investigated this tool further. It seems fairly self-explanatory. I had to download binutils, and edit the makefile to compile it correctly. The tool is very fast (scanned all binaries in /usr/bin in 47 seconds).
In order to scan binaries, you have to use --binary because by default it expects them in ELF format.
From scanning vmlinuz* and /usr/bin/* binaries (inside a DispVM) it showed no problems, which is a good sign.
This tool does not seem finalized:
"it is not sufficient to just install the binutils package or the binutils-devel package, as the scanner uses header files that are internal to the binutils sources. This requirement is an artifact of how the scanner evolved and it will be removed one day."
— Original Red Hat article: SPECTRE Variant 1 scanner tool
As well, it seems the only place to download the source code is provided by a person's web home page:
https://people.redhat.com/~nickc/Spectre_Scanner/scanner.tar.xz
@marmarek How useful do you see this tool being? Right now, to me, it seems more like a tool for users to verify their installation's security. I don't see a good place for it, until it becomes an actual package provided from Fedora's repositories (or others).
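Added example, not part of any comment in this thread and not code from the scanner: one way to sort candidate files into the cases the comment above distinguishes, namely ELF files (the scanner's default input), non-ELF images that would need --binary, and scripts that a binary scanner cannot help with. The function names and sample files are constructed for illustration, and the scanner itself is not invoked.

```python
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
MACHINES = {3: "x86", 62: "x86_64", 183: "aarch64"}  # e_machine values from the ELF spec

def classify(path):
    """Return (kind, detail): kind is 'elf', 'script' or 'raw'."""
    with open(path, "rb") as fh:
        head = fh.read(128)
    if head[:4] == ELF_MAGIC and len(head) >= 20:
        # e_ident[5]: 1 = little-endian, 2 = big-endian; e_machine sits at offset 18.
        order = ">" if head[5] == 2 else "<"
        (machine,) = struct.unpack_from(order + "H", head, 18)
        return "elf", MACHINES.get(machine, "machine %d" % machine)
    if head[:2] == b"#!":
        # Interpreter line, e.g. "#!/usr/bin/python3": source text, not machine code.
        return "script", head[2:].split(b"\n", 1)[0].decode("ascii", "replace").strip()
    return "raw", "no ELF header"

def triage(directory):
    """Map each regular file in `directory` to its (kind, detail) pair."""
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and not os.path.islink(path):
            result[name] = classify(path)
    return result

def build_demo(directory):
    """Write constructed sample files (not real binaries) for the demonstration."""
    def elf_header(machine):
        ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, little-endian
        return ident + struct.pack("<HH", 2, machine) + bytes(44)
    samples = {
        "tool": elf_header(62),
        "helper.py": b"#!/usr/bin/python3\nprint('hi')\n",
        "vmlinuz-demo": b"constructed raw image" + bytes(43),  # stand-in, no ELF header
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp)
        for name, (kind, detail) in triage(tmp).items():
            print("%-14s %-6s %s" % (name, kind, detail))
```

Files reported as "raw" are the ones that would need the --binary option mentioned above; files reported as "script" are the Python-style sources that fall outside a binary scan.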
adrelanos commented Jul 19, 2018
Just leaving that here. Hopefully this is useful.
https://www.phoronix.com/scan.php?page=news_item&px=Red-Hat-Spectre-V1-Scanner