[gentoo-commits] repo/gentoo:master commit in: sys-firmware/intel-microcode/

["Thomas Deutschmann" <whissi@gentoo.org>]

commit:     5ce32fc8d76bf0b0cc0c569f998d4c1283cc178d
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Sun Jul 22 16:22:54 2018 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Sun Jul 22 16:25:16 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ce32fc8

sys-firmware/intel-microcode: bump

- Downgraded Microcodes:

  sig 0x000706a1, pf_mask 0x01, 2018-05-11, rev 0x0026 -> 2017-12-26, rev 0x0022

  "This MCU has been reverted to a previous version while Intel
  investigates a sighting related to this MCU. This error is currently
  under investigation and no workaround has been identified. Intel
  currently is recommending to stop deployment of version 0x26 and revert
  to the previous production version 0x22. Intel will provide an update on
  progress in 2 weeks." [Link 1]

- Updated Microcodes:

  sig 0x000106a5, pf_mask 0x03, 2018-01-24, rev 0x001c    -> 2018-05-11, rev 0x001d
  sig 0x000206c2, pf_mask 0x03, 2018-01-23, rev 0x001e    -> 2018-05-08, rev 0x001f
  sig 0x000206e6, pf_mask 0x04, 2018-01-18, rev 0x000c    -> 2018-05-15, rev 0x000d
  sig 0x000206f2, pf_mask 0x05, 2018-01-19, rev 0x003a    -> 2018-05-16, rev 0x003b
  sig 0x00050662, pf_mask 0x10, 2018-01-22, rev 0x0015    -> 2018-05-25, rev 0x0017
  sig 0x00050663, pf_mask 0x10, 2018-01-22, rev 0x7000012 -> 2018-04-20, rev 0x7000013
  sig 0x00050664, pf_mask 0x10, 2018-01-22, rev 0xf000011 -> 2018-04-20, rev 0xf000012
  sig 0x00050665, pf_mask 0x10, 2018-01-22, rev 0xe000009 -> 2018-04-20, rev 0xe00000a
  sig 0x00060663, pf_mask 0x80, 2018-01-25, rev 0x0016    -> 2018-04-17, rev 0x002a
  sig 0x000806eb, pf_mask 0xc0, 2018-02-11, rev 0x0084    -> 2018-05-30, rev 0x0098
  sig 0x000906ec, pf_mask 0x22, 2018-02-19, rev 0x0084    -> 2018-05-08, rev 0x0096

Link 1: https://www.intel.com/content/dam/www/public/us/en/documents/sa00115-microcode-update-guidance.pdf
Package-Manager: Portage-2.3.43, Repoman-2.3.10

 sys-firmware/intel-microcode/Manifest              |   1 +
 .../intel-microcode-20180721.ebuild                | 212 +++++++++++++++++++++
 2 files changed, 213 insertions(+)

diff --git a/sys-firmware/intel-microcode/Manifest b/sys-firmware/intel-microcode/Manifest
index a473005982d..0e5865d7bb8 100644
--- a/sys-firmware/intel-microcode/Manifest
+++ b/sys-firmware/intel-microcode/Manifest
@@ -1,2 +1,3 @@
 DIST intel-microcode-collection-20180630.tar.xz 4456400 BLAKE2B 493229bb8ce65c62b4a894a219bd89e677a5908a774e1104389335f88fe27479de8e117bbd3b1c5bd1d9e70ed0f1c79ddba684357138dbb559141d48d5a3c456 SHA512 66a1217514c43dcc308cc1e9e4737041c48cad85cd846a9adaabd5885197ffffca3fef71c43ccdaaf25d10df747a3c3e837d95ae332d53961579e4bb3c1f0bed
+DIST intel-microcode-collection-20180721.tar.xz 4460612 BLAKE2B a4af173f62d3f603812ed42751fd208bd9d6115b7a1349a978641c8a39824ffaf63e9b65c8bc14793664e68c69a4fcf4ea731b7f8b300bd750a04a4d3c991ec5 SHA512 2baebb2148a9c913723949b7fbde86808a0ad5e49faeb3a79fa2f3eb1f843777e74c049dc45a97b01485c8f091b87d779c626c7f20cc2940a1c422283d29abcf
 DIST microcode-20180703.tgz 1550181 BLAKE2B edf86dcc8dedeffd22a9b608cc11e5b043d36617ae6325e14326d402388f42ead29c8483a0312ab9ea2015604803cc07506d6f119b314b922639a71f9d65a39d SHA512 25af4158f97fba2fb88f05a44f42ed7d2415001ccc58f573d366f405ff198472517468f619628f4f6e5a371793c41ea8faf5a932d2362b2a51726bb5c84e0eed

diff --git a/sys-firmware/intel-microcode/intel-microcode-20180721.ebuild b/sys-firmware/intel-microcode/intel-microcode-20180721.ebuild
new file mode 100644
index 00000000000..c434e235786
--- /dev/null
+++ b/sys-firmware/intel-microcode/intel-microcode-20180721.ebuild
@@ -0,0 +1,212 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit linux-info toolchain-funcs mount-boot
+
+# Find updates by searching and clicking the first link (hopefully it's the one):
+# https://www.intel.com/content/www/us/en/search.html?keyword=Processor+Microcode+Data+File
+
+COLLECTION_SNAPSHOT="20180721"
+INTEL_SNAPSHOT="20180703"
+NUM="27945"
+DESCRIPTION="Intel IA32/IA64 microcode update data"
+HOMEPAGE="http://inertiawar.com/microcode/ https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=${NUM}"
+SRC_URI="https://downloadmirror.intel.com/${NUM}/eng/microcode-${INTEL_SNAPSHOT}.tgz
+	https://dev.gentoo.org/~whissi/dist/intel-microcode/intel-microcode-collection-${COLLECTION_SNAPSHOT}.tar.xz"
+
+LICENSE="intel-ucode"
+SLOT="0"
+KEYWORDS="-* ~amd64 ~x86"
+IUSE="hostonly initramfs +split-ucode vanilla"
+REQUIRED_USE="|| ( initramfs split-ucode )"
+
+DEPEND="sys-apps/iucode_tool"
+
+# !<sys-apps/microcode-ctl-1.17-r2 due to bug #268586
+RDEPEND="!<sys-apps/microcode-ctl-1.17-r2
+	hostonly? ( sys-apps/iucode_tool )"
+
+S=${WORKDIR}
+
+# Blacklist bad microcode here.
+# 0x000406f1 aka 06-4f-01 aka CPUID 406F1 require newer microcode loader
+MICROCODE_BLACKLIST_DEFAULT="-s !0x000406f1"
+MICROCODE_BLACKLIST="${MICROCODE_BLACKLIST:=${MICROCODE_BLACKLIST_DEFAULT}}"
+
+# In case we want to set some defaults ...
+MICROCODE_SIGNATURES_DEFAULT=""
+
+# Advanced users only:
+# merge with:
+# only current CPU: MICROCODE_SIGNATURES="-S"
+# only specific CPU: MICROCODE_SIGNATURES="-s 0x00000f4a -s 0x00010676"
+# exclude specific CPU: MICROCODE_SIGNATURES="-s !0x00000686"
+MICROCODE_SIGNATURES="${MICROCODE_SIGNATURES:=${MICROCODE_SIGNATURES_DEFAULT}}"
+
+pkg_pretend() {
+	if [[ "${MICROCODE_BLACKLIST}" != "${MICROCODE_BLACKLIST_DEFAULT}" ]]; then
+		ewarn "MICROCODE_BLACKLIST is set to \"${MICROCODE_BLACKLIST}\" instead of default \"${MICROCODE_BLACKLIST_DEFAULT}\". You are on your own!"
+	fi
+
+	if [[ "${MICROCODE_SIGNATURES}" != "${MICROCODE_SIGNATURES_DEFAULT}" ]]; then
+		ewarn "The user has opted in for advanced use:"
+		ewarn "MICROCODE_SIGNATURES is set to \"${MICROCODE_SIGNATURES}\" instead of default \"${MICROCODE_SIGNATURES_DEFAULT}\"!"
+	fi
+
+	use initramfs && mount-boot_pkg_pretend
+}
+
+src_prepare() {
+	default
+
+	# Prevent "invalid file format" errors from iucode_tool
+	rm -f "${S}"/intel-ucod*/list || die
+}
+
+src_install() {
+	# This will take ALL of the upstream microcode sources:
+	# - microcode.dat
+	# - intel-ucode/
+	# In some cases, they have not contained the same content (eg the directory has newer stuff).
+	MICROCODE_SRC=(
+		"${S}"/intel-ucode/
+		"${S}"/intel-ucode-with-caveats/
+	)
+
+	# Allow users who are scared about microcode updates not included in Intel's official
+	# microcode tarball to opt-out and comply with Intel marketing
+	if ! use vanilla; then
+		MICROCODE_SRC+=( "${S}"/intel-microcode-collection-${COLLECTION_SNAPSHOT} )
+	fi
+
+	opts=(
+		${MICROCODE_BLACKLIST}
+		${MICROCODE_SIGNATURES}
+		# be strict about what we are doing
+		--overwrite
+		--strict-checks
+		--no-ignore-broken
+		# we want to install latest version
+		--no-downgrade
+		# show everything we find
+		--list-all
+		# show what we selected
+		--list
+	)
+
+	# The earlyfw cpio needs to be in /boot because it must be loaded before
+	# rootfs is mounted.
+	use initramfs && dodir /boot && opts+=( --write-earlyfw="${ED%/}"/boot/intel-uc.img )
+	# split location (we use a temporary location so that we are able
+	# to re-run iucode_tool in pkg_preinst; use keepdir instead of dodir to carry
+	# this folder to pkg_preinst to avoid an error even if no microcode was selected):
+	keepdir /tmp/intel-ucode && opts+=( --write-firmware="${ED%/}"/tmp/intel-ucode )
+
+	iucode_tool \
+		"${opts[@]}" \
+		"${MICROCODE_SRC[@]}" \
+		|| die "iucode_tool ${opts[@]} ${MICROCODE_SRC[@]}"
+
+	dodoc releasenote
+}
+
+pkg_preinst() {
+	use initramfs && mount-boot_pkg_preinst
+
+	if use hostonly; then
+		einfo "Removing ucode(s) not supported by any currently available (=online) processor(s) due to USE=hostonly ..."
+		opts=(
+			--scan-system
+			# be strict about what we are doing
+			--overwrite
+			--strict-checks
+			--no-ignore-broken
+			# we want to install latest version
+			--no-downgrade
+			# show everything we find
+			--list-all
+			# show what we selected
+			--list
+		)
+
+		# The earlyfw cpio needs to be in /boot because it must be loaded before
+		# rootfs is mounted.
+		use initramfs && opts+=( --write-earlyfw="${ED%/}"/boot/intel-uc.img )
+		# split location:
+		use split-ucode && dodir /lib/firmware/intel-ucode && opts+=( --write-firmware="${ED%/}"/lib/firmware/intel-ucode )
+
+		iucode_tool \
+			"${opts[@]}" \
+			"${ED%/}"/tmp/intel-ucode \
+			|| die "iucode_tool ${opts[@]} ${ED%/}/tmp/intel-ucode"
+
+	else
+		if use split-ucode; then
+			# Temporary /tmp/intel-ucode will become final /lib/firmware/intel-ucode ...
+			dodir /lib/firmware
+			mv "${ED%/}/tmp/intel-ucode" "${ED%/}/lib/firmware" || die "Failed to install splitted ucodes!"
+		fi
+	fi
+
+	# Cleanup any temporary leftovers so that we don't merge any
+	# unneeded files on disk
+	rm -r "${ED%/}/tmp" || die "Failed to cleanup '${ED%/}/tmp'"
+}
+
+pkg_prerm() {
+	use initramfs && mount-boot_pkg_prerm
+}
+
+pkg_postrm() {
+	use initramfs && mount-boot_pkg_postrm
+}
+
+pkg_postinst() {
+	use initramfs && mount-boot_pkg_postinst
+
+	local _has_installed_something=
+	if use initramfs && [[ -s "${EROOT%/}/boot/intel-uc.img" ]]; then
+		_has_installed_something="yes"
+	elif use split-ucode; then
+		_has_installed_something=$(find "${EROOT%/}/lib/firmware/intel-ucode" -maxdepth 0 -not -empty -exec echo yes \;)
+	fi
+
+	if use hostonly && [[ -n "${_has_installed_something}" ]]; then
+		elog "You only installed ucode(s) for all currently available (=online)"
+		elog "processor(s). Remember to re-emerge this package whenever you"
+		elog "change the system's processor model."
+		elog ""
+	elif [[ -z "${_has_installed_something}" ]]; then
+		ewarn "WARNING:"
+		ewarn "No ucode was installed! You can ignore this warning if there"
+		ewarn "aren't any microcode updates available for your processor(s)."
+		ewarn "But if you use MICROCODE_SIGNATURES variable please double check"
+		ewarn "if you have an invalid select."
+		ewarn ""
+
+		if use hostonly; then
+			ewarn "Unset \"hostonly\" USE flag to install all available ucodes."
+			ewarn ""
+		fi
+	fi
+
+	# We cannot give detailed information if user is affected or not:
+	# If MICROCODE_BLACKLIST wasn't modified, user can still use MICROCODE_SIGNATURES
+	# to to force a specific, otherwise blacklisted, microcode. So we
+	# only show a generic warning based on running kernel version:
+	if kernel_is -lt 4 14 34; then
+		ewarn "${P} contains microcode updates which require"
+		ewarn "additional kernel patches which aren't yet included in kernel <4.14.34."
+		ewarn "Loading such a microcode through kernel interface from an unpatched kernel"
+		ewarn "can crash your system!"
+		ewarn ""
+		ewarn "Those microcodes are blacklisted per default. However, if you have altered"
+		ewarn "MICROCODE_BLACKLIST or MICROCODE_SIGNATURES, you maybe have unintentionally"
+		ewarn "re-enabled those microcodes...!"
+		ewarn ""
+		ewarn "Check \"${EROOT%/}/usr/share/doc/${PN}-*/releasenot*\" if your microcode update"
+		ewarn "requires additional kernel patches or not."
+	fi
+}