speed47 / spectre-meltdown-checker

Reptar, Downfall, Zenbleed, ZombieLoad, RIDL, Fallout, Foreshadow, Spectre, Meltdown vulnerability/mitigation checker for Linux & BSD

`--update-fwdb` & `--update-builtin-fwdb` fail when run from container #440

Closed srcshelton closed 1 year ago

srcshelton commented 2 years ago

Running from a container-image with podman:

+ podman run --privileged --rm --volume /boot:/boot:ro --volume /dev/cpu:/dev/cpu:ro --volume /lib/modules:/lib/modules:ro spectre-meltdown-checker --update-fwdb
Spectre and Meltdown mitigation detection tool v0.45

Fetching MCE.db from the MCExtractor project... DONE
Fetching Intel firmwares... DONE
Extracting MCEdb data... OK MCExtractor database revision 235
Integrating Intel firmwares data to db... DONE (version 20220804)
Building local database... DONE (version 235+i20220804)
$ echo $?
1
+ podman run --privileged --rm --volume /boot:/boot:ro --volume /dev/cpu:/dev/cpu:ro --volume /lib/modules:/lib/modules:ro spectre-meltdown-checker --update-builtin-fwdb
Spectre and Meltdown mitigation detection tool v0.45

Fetching MCE.db from the MCExtractor project... DONE
Fetching Intel firmwares... DONE
Extracting MCEdb data... OK MCExtractor database revision 235
Integrating Intel firmwares data to db... DONE (version 20220804)
Building local database... DONE (version 235+i20220804)
$ echo $?
1

… is there a filesystem location within the container to which a volume could be mounted in order to make these updates persistent?

speed47 commented 1 year ago

The return code you were seeing was most probably due to the behavior that was fixed by 60c71ccb7a47b8d42aa75c1a959d5ecc83bcf244 and not by the fact that you're running it using podman.

The --update-fwdb command does store the database in $HOME/.mcedb (with $HOME usually being /root), so you can mount this file in the container to have an updated version if you wish.
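The persistence speed47 describes, as an added shell example that is not part of the project or of this thread: it pre-creates the host copy of the database and bind-mounts it at the path the script uses. The image tag, /root as the container's $HOME, and the runtime's handling of a missing mount source are assumptions.

```shell
#!/bin/sh
# Added example, not from the spectre-meltdown-checker project: keep the
# --update-fwdb result across podman runs by bind-mounting $HOME/.mcedb.
set -eu

PODMAN="${PODMAN:-podman}"                    # override (e.g. PODMAN=echo) to dry-run
IMAGE="${IMAGE:-spectre-meltdown-checker}"    # assumed local image tag, as in the issue
CONTAINER_HOME="${CONTAINER_HOME:-/root}"     # assumed $HOME inside the image

# Pre-create the host copy. Assumption: if the bind-mount source is missing,
# the runtime creates a directory at that path, and the script then cannot
# write its database file there. Prints the host path it prepared.
ensure_host_db() {
    db="$1"
    mkdir -p "$(dirname "$db")"
    [ -f "$db" ] || : > "$db"
    printf '%s\n' "$db"
}

# Run the checker with the issue's read-only mounts plus a read-write mount
# of the database at the path the script reads and writes ($HOME/.mcedb).
# Extra arguments are passed through to the checker (e.g. --update-fwdb).
run_checker() {
    db="$1"; shift
    "$PODMAN" run --privileged --rm \
        --volume /boot:/boot:ro \
        --volume /dev/cpu:/dev/cpu:ro \
        --volume /lib/modules:/lib/modules:ro \
        --volume "$db:$CONTAINER_HOME/.mcedb" \
        "$IMAGE" "$@"
}

# Typical use: refresh the cached database once, then run the checks against it.
main() {
    db="$(ensure_host_db "${MCEDB:-$HOME/.mcedb}")"
    run_checker "$db" --update-fwdb
    run_checker "$db"
}

# Only run main when executed directly under this name, so the functions can be sourced.
if [ "${0##*/}" = "persist-mcedb.sh" ]; then
    main
fi
```

Save it as persist-mcedb.sh; set PODMAN=echo to see the exact command line without running a container.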