feat: add microcode support

nkraetzschmar · nkraetzschmar · commit d773513edc25 · 2024-06-28T00:05:18.000+02:00
diff --git a/hack/build-container/Dockerfile b/hack/build-container/Dockerfile
@@ -9,7 +9,9 @@ RUN apt-get update && apt-get upgrade -y && apt-get install -y \
     libprotobuf-dev \
     sbsigntool python3-pefile systemd-boot \
     musl-tools \
-    ca-certificates
+    ca-certificates \
+    iucode-tool \
+    libarchive-tools
 
 RUN cargo new xyz; cd xyz; cargo fetch; cd ..; rm -rf xyz
 RUN rustup component add clippy
diff --git a/hack/hack.mk b/hack/hack.mk
@@ -3,6 +3,7 @@ SHELL := /bin/bash
 include hack/build-container/make.mk
 include hack/kernel/make.mk
 include hack/initramfs/make.mk
+include hack/ucode/make.mk
 include hack/cloud-hypervisor/make.mk
 include hack/cloud-hypervisor-firmware/make.mk
 include hack/uki/make.mk
diff --git a/hack/ucode/make.mk b/hack/ucode/make.mk
@@ -0,0 +1,2 @@
+ucode:
+	docker run --rm -u $${UID} -v "`pwd`:/feos" feos-builder ./hack/ucode/mk-ucode
diff --git a/hack/ucode/mk-ucode b/hack/ucode/mk-ucode
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -exuo pipefail
+
+target_dir="$(realpath target)"
+
+on_exit() {
+	cd /
+	[ -z "${tmp_dir-}" ] || rm -rf "$tmp_dir"
+}
+
+trap on_exit EXIT
+
+tmp_dir="$(mktemp -d)"
+cd "$tmp_dir"
+
+git clone --depth 1 https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git intel-microcode
+git clone --depth 1 https://gitlab.com/kernel-firmware/linux-firmware.git linux-firmware
+
+mkdir -p kernel/x86/microcode
+iucode_tool --write-to=kernel/x86/microcode/GenuineIntel.bin intel-microcode/intel-ucode
+cat linux-firmware/amd-ucode/microcode_amd*.bin > kernel/x86/microcode/AuthenticAMD.bin
+
+bsdtar --uid 0 --gid 0 -cf - kernel | bsdtar -cf - --format=newc @- > "$target_dir/ucode.cpio"
diff --git a/hack/uki/make.mk b/hack/uki/make.mk
@@ -11,6 +11,7 @@ uki: keys
 	  --os-release @/feos/hack/uki/os-release.txt \
 	  --linux /feos/target/kernel/vmlinuz \
 	  --initrd /feos/target/initramfs.zst \
+	  --microcode /feos/target/ucode.cpio \
 	  --cmdline @/feos/target/cmdline \
 	  --secureboot-private-key /feos/keys/secureboot.key \
 	  --secureboot-certificate /feos/keys/secureboot.pem \

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+ucode:`
	`2`	+ docker run --rm -u $${UID} -v "`pwd`:/feos" feos-builder ./hack/ucode/mk-ucode