[pve-devel] [PATCH manager 9/9] report: add microcode info to better assess possible system impacts

Alexander Zeidler a.zeidler at proxmox.com
Fri Mar 22 19:54:24 CET 2024


On Fri, 2024-03-22 at 17:44 +0100, Stoiko Ivanov wrote:
> On Fri, 22 Mar 2024 14:59:33 +0100
> Alexander Zeidler <a.zeidler at proxmox.com> wrote:
> 
> > * list availability and installation status of `*microcode` packages
> > * grep for applied "Early OS Microcode Updates"
> > * grep for (un)patched CPU vulnerability messages
> > 
> > Signed-off-by: Alexander Zeidler <a.zeidler at proxmox.com>
> > ---
> >  PVE/Report.pm | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/PVE/Report.pm b/PVE/Report.pm
> > index fe497b43..18c554ec 100644
> > --- a/PVE/Report.pm
> > +++ b/PVE/Report.pm
> > @@ -108,6 +108,8 @@ my $init_report_cmds = sub {
> >  		'dmidecode -t bios -q',
> >  		'dmidecode -t memory | grep -E "Capacity|Devices|Size|Manu|Part" | sed -Ez "s/\n\t(M|P)[^:]*: (\S*)/\t\2/g" | sort',
> >  		'lscpu',
> > +		'apt list *microcode 2>/dev/null | column -tL',
> While `apt` works really well and its output hasn't changed since I
> started using it (wheezy or jessie) - I still want to mention its output
> when piping:
> ```
> WARNING: apt does not have a stable CLI interface. Use with caution in
> scripts.
> ```
> potentially consider either using our code directly or switching to 
> `dpkg -l`?
> (but as said `apt` has been pretty stable, and we simply dump the output -
> so probably the warning is not too relevant here)
Thank you! I have noticed the missing -a to list possible further package
versions for downgrading if needed. So `dpkg` and its verbose output would
not be an equal solution. However, since previous package versions can be
looked up in the Debian repo, the whole command may not be needed in the
first place.

Instead it may be better to include the currently installed microcode version
in `pveversion` and use the

> > +		'dmesg | grep -i "microcode\|vuln"',

to see if microcode was loaded during this boot.

> >  		'lspci -nnk',
> >  	    ],
> >  	},
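Review bot: On the added `apt list *microcode` line the glob is unquoted, and because the command string relies on a pipe and a redirect it is interpreted by a shell, so a file matching `*microcode` in the working directory would be expanded before apt ever sees the pattern; quoting it as `apt list "*microcode"` avoids that. The `2>/dev/null` on the same line silences the unstable-CLI warning but also any real apt error, which would leave an empty section in the report with no hint as to why. On the added `dmesg | grep -i "microcode\|vuln"` line, `\|` is a GNU extension to basic regex syntax, while the `dmidecode -t memory` line above already uses `grep -E`; `grep -Ei "microcode|vuln"` would be consistent with it.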
> 



