From 38ea3aa329bffa1933e2b5d82b50d9e098db3473 Mon Sep 17 00:00:00 2001 From: Simon Rettberg Date: Tue, 17 Sep 2024 15:15:44 +0200 Subject: builder: Add --all-microcode option This will add all known CPU microcodes for AMD and Intel from about the past decade. --- build-initramfs.sh | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) diff --git a/build-initramfs.sh b/build-initramfs.sh index 2bea05c4..e937e4e9 100755 --- a/build-initramfs.sh +++ b/build-initramfs.sh @@ -27,6 +27,8 @@ verbose='no' debug='no' cleanup='no' full_cleanup='no' +update=no +all_microcode=no declare -rg _repo_dir="${_root_dir}/systemd-init" declare -rg _dracut_dir="${_root_dir}/dracut" @@ -79,6 +81,11 @@ declare -A module_xmount=( declare -A override +perror() { + echo "ERROR: $*" + exit 1 +} + bootstrap() { for module in "core_repo" "core_dracut" "${!module_@}"; do declare -n _ref="$module" 
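Review bot: The new `perror` helper prints its message with a plain `echo`, so the error goes to stdout and can get lost when the builder's output is piped or captured. Sending it to stderr keeps diagnostics apart from normal progress output: `echo "ERROR: $*" >&2`. A short comment above the function saying that it terminates the current shell (`exit 1`) would also help, because the behaviour differs when it is called from inside a subshell.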
@@ -135,6 +142,46 @@ bootstrap() { done } +add_microcode() ( + local sdir mcdir + local cpio="$1" + local tmp="${cpio}.tmp" + + if ! [ -f "$cpio" ]; then + perror "No CPIO: $cpio - cannot add microcode" + fi + + mkdir /tmp/ucode + cd /tmp/ucode || exit 1 + + sdir="CPUMicrocodes-master" + if ! [ -d "CPUMicrocodes-master" ]; then + echo "Fetching microcodes..." + if curl -m 15 -L "https://github.com/platomav/CPUMicrocodes/archive/refs/heads/master.tar.gz" | tar xz \ + && [ -d "${sdir}" ]; then + : + elif git clone --depth 1 "https://github.com/platomav/CPUMicrocodes.git" "${sdir}"; then + : + else + perror "Cannot download microcode" + fi + fi + if ! [ -s "microcode.cpio" ]; then + echo "Building early cpio part..." + mcdir="kernel/x86/microcode" + mkdir -p "$mcdir" + cat "$sdir/"Intel/*_{2012..2035}-*-*_*.bin > "$mcdir/GenuineIntel.bin" + [ -s "$mcdir/GenuineIntel.bin" ] || perror "Intel microcode not found" + cat "$sdir/"AMD/*_{2012..2035}-*-*_*.bin > "$mcdir/AuthenticAMD.bin" + [ -s "$mcdir/AuthenticAMD.bin" ] || perror "AMD microcode not found" + find kernel | sort | cpio -o -H newc -R 0:0 > "microcode.cpio" + [ -s "microcode.cpio" ] || perror "Could not generate microcode CPIO" + fi + echo "Building combined initramfs..." + cat "microcode.cpio" "$cpio" > "$tmp" || perror "Cannot combine microcode with cpio" + mv -f "$tmp" "$cpio" || perror "Cannot replace original cpio" +) + handler_git() { if ! hash git 2>/dev/null; then echo "'git' binary not found, please install it and try again." @@ -310,6 +357,9 @@ parse_command_line() { fi override["$override_module"]+="$override_argument" ;; + --all-microcode) + all_microcode=yes + ;; -) shift dracut_parameter+=( "$@" ) @@ -526,6 +576,10 @@ main() { --force --no-hostonly ) + if [ "$all_microcode" = 'yes' ]; then + # We do it ourselves + dracut_parameter+=( "--no-early-microcode" ) + fi dracut_modules=( busybox dnbd3-rootfs 
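Review bot: The fixed working directory `/tmp/ucode` in `add_microcode` is reused without checking who created it, and the `[ -d "CPUMicrocodes-master" ]` and `[ -s "microcode.cpio" ]` shortcuts accept whatever is already there. On a shared build host another local account could therefore pre-seed the archive that gets prepended to the initramfs. Keeping the cache inside the builder's own tree avoids that, and also avoids the `mkdir` error on a second run: `mkdir -p "${_root_dir}/ucode"` followed by `cd "${_root_dir}/ucode" || exit 1` (assuming `_root_dir` is writable only by the build user). Separately, the download tracks the `master` branch of a third-party repository with no pinned commit or checksum, and without `pipefail` a truncated `curl` stream still passes the `[ -d "${sdir}" ]` test once `tar` has created the directory. Pinning to a reviewed commit and verifying the tarball hash before unpacking would make the result reproducible and limit exposure to an upstream change.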
@@ -569,6 +623,9 @@ main() {
 echo 'Building initramfs failed.'
 exit 1
 fi
+ if [ "$all_microcode" = 'yes' ]; then
+ add_microcode "$file_path"
+ fi
 # NOTE: dracut generate the initramfs with 0600 permissions
 chmod 0644 "${file_path}"
 }
-- 
cgit v1.2.3-55-g7522
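Review bot: The result of `add_microcode "$file_path"` is not checked. Because that function's body is a `( … )` subshell, the `exit 1` inside `perror` only ends the subshell, not the build. Unless `set -e` is active elsewhere in the script, a failed download or CPIO step falls through to `chmod` and the build reports success with an image that has no microcode at all, since `--no-early-microcode` was passed to dracut. Propagate the failure the same way the dracut call above does: `add_microcode "$file_path" || exit 1`. `main` begins and ends outside this hunk.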