[Buildroot] [PATCH 1/3] package/intel-microcode: install into images for early loading support

[Buildroot] [PATCH 1/3] package/intel-microcode: install into images for early loading support

[Peter Korsgaard]

Microcode based security mitigation (E.G.  MDS) requires that the microcode
gets loaded very early. This can be handled by one of:

- Concatenating (a subset of) the intel-microcode files and write to
  kernel/x86/microcode/GenuineIntel.bin in the initrd.  Requires that the
  (first) initrd is external from the kernel and NOT compressed.

- Build (a subset of) the intel-microcode files into the kernel using the
  CONFIG_EXTRA_FIRMWARE option.

Install the microcode files into images to support these use cases (E.G.
through a post-build script for the initrd, or by pointing
CONFIG_EXTRA_FIRMWARE_DIR to ${BR_BINARIES_DIR}, similar to how we include
the .cpio image inside the kernel).

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/intel-microcode/intel-microcode.mk | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/package/intel-microcode/intel-microcode.mk b/package/intel-microcode/intel-microcode.mk
index aa3b1f4dbb..43cdc3d0b8 100644
--- a/package/intel-microcode/intel-microcode.mk
+++ b/package/intel-microcode/intel-microcode.mk
@@ -9,6 +9,13 @@ INTEL_MICROCODE_SITE = $(call github,intel,Intel-Linux-Processor-Microcode-Data-
 INTEL_MICROCODE_LICENSE = PROPRIETARY
 INTEL_MICROCODE_LICENSE_FILES = license
 INTEL_MICROCODE_REDISTRIBUTE = NO
+INTEL_MICROCODE_INSTALL_IMAGES = YES
+
+define INTEL_MICROCODE_INSTALL_IMAGES_CMDS
+	mkdir -p $(BINARIES_DIR)/intel-ucode
+	$(INSTALL) -m 0644 -t $(BINARIES_DIR)/intel-ucode \
+		$(@D)/intel-ucode/*
+endef
 
 define INTEL_MICROCODE_INSTALL_TARGET_CMDS
 	mkdir -p $(TARGET_DIR)/lib/firmware/intel-ucode
-- 
2.11.0

[Buildroot] [PATCH 2/3] linux: build after intel-microcode if enabled for early loading support

[Peter Korsgaard]

To support building in (a subset of) the intel-microcode files into the
kernel using the CONFIG_EXTRA_FIRMWARE option, we need to ensure that the
microcode files are installed before the Linux kernel is built.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 linux/linux.mk | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/linux/linux.mk b/linux/linux.mk
index 51fd41fa15..dd182d06b2 100644
--- a/linux/linux.mk
+++ b/linux/linux.mk
@@ -64,7 +64,8 @@ LINUX_MAKE_ENV = \
 	BR_BINARIES_DIR=$(BINARIES_DIR)
 
 LINUX_INSTALL_IMAGES = YES
-LINUX_DEPENDENCIES = host-kmod
+LINUX_DEPENDENCIES = host-kmod \
+	$(if $(BR2_PACKAGE_INTEL_MICROCODE),intel-microcode)
 
 # Starting with 4.16, the generated kconfig paser code is no longer
 # shipped with the kernel sources, so we need flex and bison, but
-- 
2.11.0

[Buildroot] [PATCH 3/3] package/intel-microcode: make target installation optional

[Peter Korsgaard]

For early microcode loading, there is no need to install the individual
microcode files to /lib/firmware - So make that optional.

Let the option default to y for backwards compatibility, and select it from
iucode-tool as the init script relies on the /lib/firmware files.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/intel-microcode/Config.in          | 9 +++++++++
 package/intel-microcode/intel-microcode.mk | 4 ++++
 package/iucode-tool/Config.in              | 1 +
 3 files changed, 14 insertions(+)

diff --git a/package/intel-microcode/Config.in b/package/intel-microcode/Config.in
index 3f9199ec93..4a45aa1ef3 100644
--- a/package/intel-microcode/Config.in
+++ b/package/intel-microcode/Config.in
@@ -7,3 +7,12 @@ config BR2_PACKAGE_INTEL_MICROCODE
 	  proper kernel support are required to upload the microcode.
 
 	  https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
+
+config BR2_PACKAGE_INTEL_MICROCODE_INSTALL_TARGET
+	bool "install microcode files to /lib/firmware in target"
+	default y
+	depends on BR2_PACKAGE_INTEL_MICROCODE
+	help
+	  Select this option to have the microcode files installed to
+	  /lib/firmware/intel-ucode in the target root filesystem, in
+	  addition to the images directory.
diff --git a/package/intel-microcode/intel-microcode.mk b/package/intel-microcode/intel-microcode.mk
index 43cdc3d0b8..dacb619a14 100644
--- a/package/intel-microcode/intel-microcode.mk
+++ b/package/intel-microcode/intel-microcode.mk
@@ -17,10 +17,14 @@ define INTEL_MICROCODE_INSTALL_IMAGES_CMDS
 		$(@D)/intel-ucode/*
 endef
 
+ifeq ($(BR2_PACKAGE_INTEL_MICROCODE_INSTALL_TARGET),y)
 define INTEL_MICROCODE_INSTALL_TARGET_CMDS
 	mkdir -p $(TARGET_DIR)/lib/firmware/intel-ucode
 	$(INSTALL) -m 0644 -t $(TARGET_DIR)/lib/firmware/intel-ucode \
 		$(@D)/intel-ucode/*
 endef
+else
+INTEL_MICROCODE_INSTALL_TARGET = NO
+endif
 
 $(eval $(generic-package))
diff --git a/package/iucode-tool/Config.in b/package/iucode-tool/Config.in
index d81dabb196..f9f2521a42 100644
--- a/package/iucode-tool/Config.in
+++ b/package/iucode-tool/Config.in
@@ -2,6 +2,7 @@ config BR2_PACKAGE_IUCODE_TOOL
 	bool "iucode-tool"
 	depends on BR2_x86_64 || BR2_i386
 	select BR2_PACKAGE_INTEL_MICROCODE
+	select BR2_PACKAGE_INTEL_MICROCODE_INSTALL_TARGET
 	select BR2_PACKAGE_ARGP_STANDALONE \
 	       if BR2_TOOLCHAIN_USES_UCLIBC || BR2_TOOLCHAIN_USES_MUSL
 	help
-- 
2.11.0

[Buildroot] [PATCH 1/3] package/intel-microcode: install into images for early loading support

[Peter Korsgaard]

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Microcode based security mitigation (E.G.  MDS) requires that the microcode
 > gets loaded very early. This can be handled by one of:

 > - Concatenating (a subset of) the intel-microcode files and write to
 >   kernel/x86/microcode/GenuineIntel.bin in the initrd.  Requires that the
 >   (first) initrd is external from the kernel and NOT compressed.

 > - Build (a subset of) the intel-microcode files into the kernel using the
 >   CONFIG_EXTRA_FIRMWARE option.

 > Install the microcode files into images to support these use cases (E.G.
 > through a post-build script for the initrd, or by pointing
 > CONFIG_EXTRA_FIRMWARE_DIR to ${BR_BINARIES_DIR}, similar to how we include
 > the .cpio image inside the kernel).

As pointed out by Thomas on IRC, there may be licensing concerns when
embedding non-GPL firmware inside the kernel.

Committed after adding a note about that, thanks.

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 2/3] linux: build after intel-microcode if enabled for early loading support

[Peter Korsgaard]

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > To support building in (a subset of) the intel-microcode files into the
 > kernel using the CONFIG_EXTRA_FIRMWARE option, we need to ensure that the
 > microcode files are installed before the Linux kernel is built.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 3/3] package/intel-microcode: make target installation optional

[Peter Korsgaard]

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > For early microcode loading, there is no need to install the individual
 > microcode files to /lib/firmware - So make that optional.

 > Let the option default to y for backwards compatibility, and select it from
 > iucode-tool as the init script relies on the /lib/firmware files.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 1/3] package/intel-microcode: install into images for early loading support

[Peter Korsgaard]

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > Microcode based security mitigation (E.G.  MDS) requires that the microcode
 > gets loaded very early. This can be handled by one of:

 > - Concatenating (a subset of) the intel-microcode files and write to
 >   kernel/x86/microcode/GenuineIntel.bin in the initrd.  Requires that the
 >   (first) initrd is external from the kernel and NOT compressed.

 > - Build (a subset of) the intel-microcode files into the kernel using the
 >   CONFIG_EXTRA_FIRMWARE option.

 > Install the microcode files into images to support these use cases (E.G.
 > through a post-build script for the initrd, or by pointing
 > CONFIG_EXTRA_FIRMWARE_DIR to ${BR_BINARIES_DIR}, similar to how we include
 > the .cpio image inside the kernel).

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2019.02.x, thanks.

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 2/3] linux: build after intel-microcode if enabled for early loading support

[Peter Korsgaard]

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > To support building in (a subset of) the intel-microcode files into the
 > kernel using the CONFIG_EXTRA_FIRMWARE option, we need to ensure that the
 > microcode files are installed before the Linux kernel is built.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2019.02.x, thanks.

-- 
Bye, Peter Korsgaard

[Buildroot] [PATCH 3/3] package/intel-microcode: make target installation optional

[Peter Korsgaard]

>>>>> "Peter" == Peter Korsgaard <peter@korsgaard.com> writes:

 > For early microcode loading, there is no need to install the individual
 > microcode files to /lib/firmware - So make that optional.

 > Let the option default to y for backwards compatibility, and select it from
 > iucode-tool as the init script relies on the /lib/firmware files.

 > Signed-off-by: Peter Korsgaard <peter@korsgaard.com>

Committed to 2019.02.x, thanks.

-- 
Bye, Peter Korsgaard