feat: add microcode support

nkraetzschmar · nkraetzschmar · commit a7b58dcf475a · 2024-07-02T20:29:55.000+02:00
diff --git a/hack/README.md b/hack/README.md
@@ -6,6 +6,7 @@ This directory includes scripts to run FeOS as the pid 1 process within a VM.
     make build-container
     make kernel
     make initramfs
+    make ucode
     make uki
 
     # create `vm-br0` bridge on your machine:
@@ -41,5 +42,3 @@ If you want to run FeOS within a [cloud-hypervisor](https://www.cloudhypervisor.
         --kernel target/kernel/vmlinuz \
         --initramfs target/initramfs.zst \
         --cmdline "`cat target/cmdline`"
-
-
diff --git a/hack/build-container/Dockerfile b/hack/build-container/Dockerfile
@@ -9,7 +9,9 @@ RUN apt-get update && apt-get upgrade -y && apt-get install -y \
     libprotobuf-dev \
     sbsigntool python3-pefile systemd-boot \
     musl-tools \
-    ca-certificates
+    ca-certificates \
+    iucode-tool \
+    libarchive-tools
 
 RUN cargo new xyz; cd xyz; cargo fetch; cd ..; rm -rf xyz
 RUN rustup component add clippy
diff --git a/hack/hack.mk b/hack/hack.mk
@@ -3,6 +3,7 @@ SHELL := /bin/bash
 include hack/build-container/make.mk
 include hack/kernel/make.mk
 include hack/initramfs/make.mk
+include hack/ucode/make.mk
 include hack/cloud-hypervisor/make.mk
 include hack/cloud-hypervisor-firmware/make.mk
 include hack/uki/make.mk
diff --git a/hack/ucode/make.mk b/hack/ucode/make.mk
@@ -0,0 +1,2 @@
+ucode:
+	docker run --rm -u $${UID} -v "`pwd`:/feos" feos-builder ./hack/ucode/mk-ucode
diff --git a/hack/ucode/mk-ucode b/hack/ucode/mk-ucode
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -exuo pipefail
+
+target_dir="$(realpath target)"
+
+on_exit() {
+	cd /
+	[ -z "${tmp_dir-}" ] || rm -rf "$tmp_dir"
+}
+
+trap on_exit EXIT
+
+tmp_dir="$(mktemp -d)"
+cd "$tmp_dir"
+
+git clone --depth 1 https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git intel-microcode
+git clone --depth 1 https://gitlab.com/kernel-firmware/linux-firmware.git linux-firmware
+
+mkdir -p kernel/x86/microcode
+iucode_tool --write-to=kernel/x86/microcode/GenuineIntel.bin intel-microcode/intel-ucode
+cat linux-firmware/amd-ucode/microcode_amd*.bin > kernel/x86/microcode/AuthenticAMD.bin
+
+bsdtar --uid 0 --gid 0 -cf - kernel | bsdtar -cf - --format=newc @- > "$target_dir/ucode.cpio"
diff --git a/hack/uki/make.mk b/hack/uki/make.mk
@@ -11,6 +11,7 @@ uki: keys
 	  --os-release @/feos/hack/uki/os-release.txt \
 	  --linux /feos/target/kernel/vmlinuz \
 	  --initrd /feos/target/initramfs.zst \
+	  --microcode /feos/target/ucode.cpio \
 	  --cmdline @/feos/target/cmdline \
 	  --secureboot-private-key /feos/keys/secureboot.key \
 	  --secureboot-certificate /feos/keys/secureboot.pem \

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+ucode:`
	`2`	+ docker run --rm -u $${UID} -v "`pwd`:/feos" feos-builder ./hack/ucode/mk-ucode