From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <a.zeidler@proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by lists.proxmox.com (Postfix) with ESMTPS id 9DEF0BB2A6
 for <pve-devel@lists.proxmox.com>; Fri, 22 Mar 2024 19:54:26 +0100 (CET)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
 by firstgate.proxmox.com (Proxmox) with ESMTP id 828E7AA60
 for <pve-devel@lists.proxmox.com>; Fri, 22 Mar 2024 19:54:26 +0100 (CET)
Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com
 [94.136.29.106])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits))
 (No client certificate requested)
 by firstgate.proxmox.com (Proxmox) with ESMTPS
 for <pve-devel@lists.proxmox.com>; Fri, 22 Mar 2024 19:54:25 +0100 (CET)
Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1])
 by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 873E341AC8
 for <pve-devel@lists.proxmox.com>; Fri, 22 Mar 2024 19:54:25 +0100 (CET)
Message-ID: <677c896378e7200a9204cebfbc39de25a5ce5bdb.camel@proxmox.com>
From: Alexander Zeidler <a.zeidler@proxmox.com>
To: Stoiko Ivanov <s.ivanov@proxmox.com>
Cc: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Date: Fri, 22 Mar 2024 19:54:24 +0100
In-Reply-To: <20240322174417.28cd4963@rosa.proxmox.com>
References: <20240322135933.164404-1-a.zeidler@proxmox.com>
 <20240322135933.164404-9-a.zeidler@proxmox.com>
 <20240322174417.28cd4963@rosa.proxmox.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.46.4-2 
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.105 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
 URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
 information. [report.pm]
Subject: Re: [pve-devel] [PATCH manager 9/9] report: add microcode info to
 better assess possible system impacts
X-BeenThere: pve-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox VE development discussion <pve-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pve-devel/>
List-Post: <mailto:pve-devel@lists.proxmox.com>
List-Help: <mailto:pve-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel>, 
 <mailto:pve-devel-request@lists.proxmox.com?subject=subscribe>
X-List-Received-Date: Fri, 22 Mar 2024 18:54:26 -0000

On Fri, 2024-03-22 at 17:44 +0100, Stoiko Ivanov wrote:
> On Fri, 22 Mar 2024 14:59:33 +0100
> Alexander Zeidler <a.zeidler@proxmox.com> wrote:
>=20
> > * list availability and installation status of `*microcode` packages
> > * grep for applied "Early OS Microcode Updates"
> > * grep for (un)patched CPU vulnerability messages
> >=20
> > Signed-off-by: Alexander Zeidler <a.zeidler@proxmox.com>
> > ---
> >  PVE/Report.pm | 2 ++
> >  1 file changed, 2 insertions(+)
> >=20
> > diff --git a/PVE/Report.pm b/PVE/Report.pm
> > index fe497b43..18c554ec 100644
> > --- a/PVE/Report.pm
> > +++ b/PVE/Report.pm
> > @@ -108,6 +108,8 @@ my $init_report_cmds =3D sub {
> >  		'dmidecode -t bios -q',
> >  		'dmidecode -t memory | grep -E "Capacity|Devices|Size|Manu|Part" | s=
ed -Ez "s/\n\t(M|P)[^:]*: (\S*)/\t\2/g" | sort',
> >  		'lscpu',
> > +		'apt list *microcode 2>/dev/null | column -tL',
> While `apt` works really well and its output hasn't changed since I
> started using it (wheezy or jessie) - I still want to mention it's output
> when piping:
> ```
> WARNING: apt does not have a stable CLI interface. Use with caution in
> scripts. ```
> potentially consider either using our code directly or switching to=20
> `dpkg -l`?
> (but as said `apt` has been pretty stable, and we simply dump the output =
-
> so probably the warning is not too relevant here)
Thank you! I have noticed the missing -a to list possible further package
versions for downgrading if needed. So `dpkg` and its verbose output would
not be an equal solution. However, since previous package versions can be
looked up in the Debian repo, the whole command may not be needed in the
first place.

Instead it may be better to include the current installed microcode version
in `pveversion` and use the

> > +		'dmesg | grep -i "microcode\|vuln"',

to see if microcode was loaded during this boot.

> >  		'lspci -nnk',
> >  	    ],
> >  	},
>=20