[PATCH v4] scripts/x86/intel: Add a script to update the old microcode list

[PATCH v4] scripts/x86/intel: Add a script to update the old microcode list

[Sohil Mehta]

The kernel maintains a table of minimum expected microcode revisions for
Intel CPUs in intel-ucode-defs.h. Systems with microcode older than
these revisions are flagged with X86_BUG_OLD_MICROCODE.

The static list of microcode revisions needs to be updated periodically
in response to releases of the official microcode at:
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git.

Introduce a simple script to extract the revision information from the
microcode files and print it in the precise format expected by the
microcode header.

Maintaining the script in the kernel tree ensures a central location
that a submitter can use to generate the kernel-specific update. This
not only reduces the possibility of errors but also makes it easier to
validate the changes for reviewers and maintainers.

Typically, someone at Intel would see a new public release, wait for at
least three months to ensure the update is stable, run this script to
refresh the intel-ucode-defs.h file, and send a patch upstream to update
the mainline and stable versions.

Having a standard update script and a defined process minimizes the
ambiguity when refreshing the old microcode list. As always, there can
be exceptions to this process which should be supported with appropriate
justification.

Originally-by: Dave Hansen <dave.hansen@linux.intel.com>
Signed-off-by: Sohil Mehta <sohil.mehta@intel.com>
---
v4:
 - Add suggested timeline to the update process.
 - Include platform ID information based on Dave's series:
   https://lore.kernel.org/all/20260119195047.86E3C696@davehans-spike.ostc.intel.com/
   This patch should be applied after the bug-fix series has merged.

v3: https://lore.kernel.org/lkml/20250825171510.3332029-1-sohil.mehta@intel.com/
 - Include motivation for having the script in the kernel. (Boris)
 - Update instructions to clarify typical usage. (Boris)
---
 MAINTAINERS                        |   1 +
 scripts/update-intel-ucode-defs.py | 128 +++++++++++++++++++++++++++++
 2 files changed, 129 insertions(+)
 create mode 100755 scripts/update-intel-ucode-defs.py

diff --git a/MAINTAINERS b/MAINTAINERS
index 0d044a58cbfe..861c0c42c95d 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -28245,6 +28245,7 @@ S:	Maintained
 F:	Documentation/admin-guide/hw-vuln/
 F:	arch/x86/include/asm/nospec-branch.h
 F:	arch/x86/kernel/cpu/bugs.c
+F:	scripts/update-intel-ucode-defs.py
 
 X86 MCE INFRASTRUCTURE
 M:	Tony Luck <tony.luck@intel.com>
diff --git a/scripts/update-intel-ucode-defs.py b/scripts/update-intel-ucode-defs.py
new file mode 100755
index 000000000000..50ec47cea1c5
--- /dev/null
+++ b/scripts/update-intel-ucode-defs.py
@@ -0,0 +1,128 @@
+#!/usr/bin/python3
+# SPDX-License-Identifier: GPL-2.0
+import argparse
+import re
+import shutil
+import subprocess
+import sys
+import os
+
+script = os.path.relpath(__file__)
+
+DESCRIPTION = f"""
+For Intel CPUs, update the microcode revisions that determine
+X86_BUG_OLD_MICROCODE.
+
+This script is intended to be run in response to releases of the
+official Intel microcode GitHub repository:
+https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
+
+It takes the Intel microcode files as input and uses iucode-tool to
+extract the revision information. It prints the output in the format
+expected by intel-ucode-defs.h.
+
+Usage:
+    ./{script} /path/to/microcode/files > /path/to/intel-ucode-defs.h
+
+Typically, someone at Intel would see a new public release, wait for at
+least three months to ensure the update is stable, run this script to
+refresh the intel-ucode-defs.h file, and send a patch upstream to update
+the mainline and stable versions.
+
+As always, there can be exceptions to the above process which should be
+supported by appropriate justification.
+"""
+
+parser = argparse.ArgumentParser(description=DESCRIPTION,
+                                 formatter_class=argparse.RawDescriptionHelpFormatter)
+parser.add_argument('ucode_files', nargs='+', help='Path(s) to the microcode files')
+
+args = parser.parse_args()
+
+# Process the microcode files using iucode-tool
+if shutil.which("iucode-tool") is None:
+    print("Error: iucode-tool not found, please install it", file=sys.stderr)
+    sys.exit(1)
+
+cmd = ['iucode-tool', '--list-all' ]
+cmd.extend(args.ucode_files)
+
+process = subprocess.Popen(cmd, stdout=subprocess.PIPE, universal_newlines=True)
+process.wait()
+if process.returncode != 0:
+    print("Error: iucode-tool ran into an error, exiting", file=sys.stderr)
+    sys.exit(1)
+
+# Functions to extract family, model, and stepping
+def bits(val, bottom, top):
+    mask = (1 << (top + 1 - bottom)) - 1
+    mask = mask << bottom
+    return (val & mask) >> bottom
+
+def family(sig):
+    if bits(sig, 8, 11) == 0xf:
+        return bits(sig, 8, 11) + bits(sig, 20, 27)
+    return bits(sig, 8, 11)
+
+def model(sig):
+    return bits(sig, 4, 7)  | (bits(sig, 16, 19) << 4)
+
+def step(sig):
+    return bits(sig, 0, 3)
+
+# Parse the output of iucode-tool
+ucode_list = []
+for line in process.stdout:
+    if line.find(" sig ") == -1:
+        continue
+    sig = re.search('sig (0x[0-9a-fA-F]+)', line).group(1)
+    rev = re.search('rev (0x[0-9a-fA-F]+)', line).group(1)
+    pfm = re.search('pf_mask (0x[0-9a-fA-F]+)', line).group(1)
+    sig = int(sig, 16)
+    rev = int(rev, 16)
+    pfm = int(pfm, 16)
+    debug_rev = bits(rev, 31, 31)
+    if debug_rev != 0:
+        print("Error: Debug ucode file found, exiting", file=sys.stderr)
+        sys.exit(1)
+
+    ucrev = {}
+    ucrev['sig']       = sig
+    ucrev['platforms'] = pfm
+    ucrev['rev']       = rev
+    ucode_list.append(ucrev)
+
+# Remove duplicates, if any
+ucode_dict = {}
+for rev in ucode_list:
+    ucode_key = (rev['sig'], rev['platforms'])
+    existing = ucode_dict.get(ucode_key)
+    if existing is not None:
+        # If the existing one is newer, just move on:
+        if existing['rev'] > rev['rev']:
+            continue
+    ucode_dict[ucode_key] = rev
+
+# Prepare the microcode entries
+ucode_entries = []
+for ucode_key in ucode_dict:
+    rev = ucode_dict[ucode_key]
+    sig = rev['sig']
+    ucode_entries.append({
+        'family': family(sig),
+        'model': model(sig),
+        'steppings': 1 << step(sig),
+        'platforms': rev['platforms'],
+        'rev': rev['rev'],
+        'sig': sig
+    })
+
+if not ucode_entries:
+    print("Error: No valid microcode files found, exiting", file=sys.stderr)
+    sys.exit(1)
+
+# Sort and print the microcode entries
+ucode_entries.sort(key=lambda x: (x['family'], x['model'], x['steppings'], x['platforms']))
+for entry in ucode_entries:
+    print("{ .flags = X86_CPU_ID_FLAG_ENTRY_VALID, .vendor = X86_VENDOR_INTEL, .family = 0x%x,  .model = 0x%02x, .steppings = 0x%04x, .platform_mask = 0x%02x, .driver_data = 0x%x }," %
+          (entry['family'], entry['model'], entry['steppings'], entry['platforms'], entry['rev']))
-- 
2.43.0

Re: [PATCH v4] scripts/x86/intel: Add a script to update the old microcode list

[Andrew Cooper]

[-- Attachment #1: Type: text/plain, Size: 4350 bytes --]

On 30/01/2026 7:47 pm, Sohil Mehta wrote:
> diff --git a/scripts/update-intel-ucode-defs.py b/scripts/update-intel-ucode-defs.py
> new file mode 100755
> index 000000000000..50ec47cea1c5
> --- /dev/null
> +++ b/scripts/update-intel-ucode-defs.py
> @@ -0,0 +1,128 @@
> +#!/usr/bin/python3
> +# SPDX-License-Identifier: GPL-2.0
> +import argparse
> +import re
> +import shutil
> +import subprocess
> +import sys
> +import os
> +
> +script = os.path.relpath(__file__)
> +
> +DESCRIPTION = f"""
> +For Intel CPUs, update the microcode revisions that determine
> +X86_BUG_OLD_MICROCODE.
> +
> +This script is intended to be run in response to releases of the
> +official Intel microcode GitHub repository:
> +https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git
> +
> +It takes the Intel microcode files as input and uses iucode-tool to
> +extract the revision information. It prints the output in the format
> +expected by intel-ucode-defs.h.
> +
> +Usage:
> +    ./{script} /path/to/microcode/files > /path/to/intel-ucode-defs.h
> +
> +Typically, someone at Intel would see a new public release, wait for at
> +least three months to ensure the update is stable, run this script to
> +refresh the intel-ucode-defs.h file, and send a patch upstream to update
> +the mainline and stable versions.
> +
> +As always, there can be exceptions to the above process which should be
> +supported by appropriate justification.
> +"""
> +
> +parser = argparse.ArgumentParser(description=DESCRIPTION,
> +                                 formatter_class=argparse.RawDescriptionHelpFormatter)
> +parser.add_argument('ucode_files', nargs='+', help='Path(s) to the microcode files')
> +
> +args = parser.parse_args()
> +
> +# Process the microcode files using iucode-tool
> +if shutil.which("iucode-tool") is None:
> +    print("Error: iucode-tool not found, please install it", file=sys.stderr)
> +    sys.exit(1)
> +
> +cmd = ['iucode-tool', '--list-all' ]
> +cmd.extend(args.ucode_files)
> +
> +process = subprocess.Popen(cmd, stdout=subprocess.PIPE, universal_newlines=True)
> +process.wait()
> +if process.returncode != 0:
> +    print("Error: iucode-tool ran into an error, exiting", file=sys.stderr)
> +    sys.exit(1)
> +
> +# Functions to extract family, model, and stepping
> +def bits(val, bottom, top):
> +    mask = (1 << (top + 1 - bottom)) - 1
> +    mask = mask << bottom
> +    return (val & mask) >> bottom

return (val >> bottom) & mask


> +
> +def family(sig):
> +    if bits(sig, 8, 11) == 0xf:
> +        return bits(sig, 8, 11) + bits(sig, 20, 27)
> +    return bits(sig, 8, 11)
> +
> +def model(sig):
> +    return bits(sig, 4, 7)  | (bits(sig, 16, 19) << 4)
> +
> +def step(sig):
> +    return bits(sig, 0, 3)
> +
> +# Parse the output of iucode-tool
> +ucode_list = []
> +for line in process.stdout:
> +    if line.find(" sig ") == -1:
> +        continue
> +    sig = re.search('sig (0x[0-9a-fA-F]+)', line).group(1)
> +    rev = re.search('rev (0x[0-9a-fA-F]+)', line).group(1)
> +    pfm = re.search('pf_mask (0x[0-9a-fA-F]+)', line).group(1)
> +    sig = int(sig, 16)
> +    rev = int(rev, 16)
> +    pfm = int(pfm, 16)
> +    debug_rev = bits(rev, 31, 31)
> +    if debug_rev != 0:
> +        print("Error: Debug ucode file found, exiting", file=sys.stderr)
> +        sys.exit(1)
> +
> +    ucrev = {}
> +    ucrev['sig']       = sig
> +    ucrev['platforms'] = pfm
> +    ucrev['rev']       = rev
> +    ucode_list.append(ucrev)
> +
> +# Remove duplicates, if any
> +ucode_dict = {}
> +for rev in ucode_list:
> +    ucode_key = (rev['sig'], rev['platforms'])
> +    existing = ucode_dict.get(ucode_key)
> +    if existing is not None:
> +        # If the existing one is newer, just move on:
> +        if existing['rev'] > rev['rev']:
> +            continue
> +    ucode_dict[ucode_key] = rev
> +
> +# Prepare the microcode entries
> +ucode_entries = []
> +for ucode_key in ucode_dict:
> +    rev = ucode_dict[ucode_key]
> +    sig = rev['sig']
> +    ucode_entries.append({
> +        'family': family(sig),
> +        'model': model(sig),
> +        'steppings': 1 << step(sig),
> +        'platforms': rev['platforms'],
> +        'rev': rev['rev'],
> +        'sig': sig
> +    })

This is crying out for a small class, and for the use of set()

Try the attached version, which is rather more pythonic.

~Andrew

[-- Attachment #2: update-intel-ucode-defs.py --]
[-- Type: text/x-python, Size: 3703 bytes --]

#!/usr/bin/python3
# SPDX-License-Identifier: GPL-2.0
import argparse
import re
import shutil
import subprocess
import sys
import os

script = os.path.relpath(__file__)

DESCRIPTION = f"""
For Intel CPUs, update the microcode revisions that determine
X86_BUG_OLD_MICROCODE.

This script is intended to be run in response to releases of the
official Intel microcode GitHub repository:
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git

It takes the Intel microcode files as input and uses iucode-tool to
extract the revision information. It prints the output in the format
expected by intel-ucode-defs.h.

Usage:
    ./{script} /path/to/microcode/files > /path/to/intel-ucode-defs.h

Typically, someone at Intel would see a new public release, wait for at
least three months to ensure the update is stable, run this script to
refresh the intel-ucode-defs.h file, and send a patch upstream to update
the mainline and stable versions.

As always, there can be exceptions to the above process which should be
supported by appropriate justification.
"""

parser = argparse.ArgumentParser(description=DESCRIPTION,
                                 formatter_class=argparse.RawDescriptionHelpFormatter)
parser.add_argument('ucode_files', nargs='+', help='Path(s) to the microcode files')

args = parser.parse_args()

# Process the microcode files using iucode-tool
if shutil.which("iucode-tool") is None:
    print("Error: iucode-tool not found, please install it", file=sys.stderr)
    sys.exit(1)

cmd = ['iucode-tool', '--list-all' ]
cmd.extend(args.ucode_files)

process = subprocess.Popen(cmd, stdout=subprocess.PIPE, universal_newlines=True)
process.wait()
if process.returncode != 0:
    print("Error: iucode-tool ran into an error, exiting", file=sys.stderr)
    sys.exit(1)

# Functions to extract family, model, and stepping
def bits(val, bottom, top):
    mask = (1 << (top + 1 - bottom)) - 1
    return (val >> bottom) & mask

def family(sig):
    if bits(sig, 8, 11) == 0xf:
        return bits(sig, 8, 11) + bits(sig, 20, 27)
    return bits(sig, 8, 11)

def model(sig):
    return bits(sig, 4, 7)  | (bits(sig, 16, 19) << 4)

def step(sig):
    return bits(sig, 0, 3)

class Ucode:
    def __init__(self, sig, pfm, rev):
        self.sig = sig
        self.platforms = pfm
        self.rev = rev

        self.family = family(sig)
        self.model = model(sig)
        self.steppings = 1 << step(sig)

        self.key = (self.family, self.model, self.steppings, self.platforms)

    def __eq__(self, other):
        return self.key == other.key

    def __hash__(self):
        return hash(self.key)

    def __str__(self):
        return "{ .flags = X86_CPU_ID_FLAG_ENTRY_VALID, .vendor = X86_VENDOR_INTEL, .family = 0x%x,  .model = 0x%02x, .steppings = 0x%04x, .platform_mask = 0x%02x, .driver_data = 0x%x }," % \
            (self.family, self.model, self.steppings, self.platforms, self.rev)

ucodes = set()

# Parse the output of iucode-tool
for line in process.stdout:
    if line.find(" sig ") == -1:
        continue
    sig = re.search('sig (0x[0-9a-fA-F]+)', line).group(1)
    rev = re.search('rev (0x[0-9a-fA-F]+)', line).group(1)
    pfm = re.search('pf_mask (0x[0-9a-fA-F]+)', line).group(1)
    sig = int(sig, 16)
    rev = int(rev, 16)
    pfm = int(pfm, 16)
    debug_rev = bits(rev, 31, 31)
    if debug_rev != 0:
        print("Error: Debug ucode file found, exiting", file=sys.stderr)
        sys.exit(1)

    ucodes.add(Ucode(sig, pfm, rev))

if not ucodes:
    print("Error: No valid microcode files found, exiting", file=sys.stderr)
    sys.exit(1)

# Sort and print the microcode entries
for u in sorted(ucodes, key=lambda x: x.key):
    print(u)

Re: [PATCH v4] scripts/x86/intel: Add a script to update the old microcode list

[Sohil Mehta]

On 1/30/2026 2:00 PM, Andrew Cooper wrote:
> On 30/01/2026 7:47 pm, Sohil Mehta wrote:
>> +# Functions to extract family, model, and stepping
>> +def bits(val, bottom, top):
>> +    mask = (1 << (top + 1 - bottom)) - 1
>> +    mask = mask << bottom
>> +    return (val & mask) >> bottom
> 
> return (val >> bottom) & mask
> 

Yup, that is better. Saves an extra step/line.


>> +# Prepare the microcode entries
>> +ucode_entries = []
>> +for ucode_key in ucode_dict:
>> +    rev = ucode_dict[ucode_key]
>> +    sig = rev['sig']
>> +    ucode_entries.append({
>> +        'family': family(sig),
>> +        'model': model(sig),
>> +        'steppings': 1 << step(sig),
>> +        'platforms': rev['platforms'],
>> +        'rev': rev['rev'],
>> +        'sig': sig
>> +    })
> 
> This is crying out for a small class, and for the use of set()
> 

> Try the attached version, which is rather more pythonic.

Thank you for improving the script. It looks cleaner and "pythonic". It
works for my usage with unique ucode files in a single directory.

Dave probably has a use case where he passes multiple directories to the
script. IIUC, the new version just inserts a unique entry for every FMS
+ pf_mask and skips the repeats. But it doesn't necessarily use the
latest revision for the duplicates. We probably need an equivalent logic
for this:

    if existing is not None:
        # If the existing one is newer, just move on:
        if existing['rev'] > rev['rev']:
            continue

Dave, opinion?

Re: [PATCH v4] scripts/x86/intel: Add a script to update the old microcode list

[Dave Hansen]

On 1/30/26 15:09, Sohil Mehta wrote:
> Dave probably has a use case where he passes multiple directories to the
> script. IIUC, the new version just inserts a unique entry for every FMS
> + pf_mask and skips the repeats. But it doesn't necessarily use the
> latest revision for the duplicates. We probably need an equivalent logic
> for this:
> 
>     if existing is not None:
>         # If the existing one is newer, just move on:
>         if existing['rev'] > rev['rev']:
>             continue
> 
> Dave, opinion?

I can't think of a case where I wanted to use multiple directories for a
single run of the script. The only thing I tend to do is switch between
the distr-provided ucode in /lib/firmware and a local clone of the Intel
microcode git repo. So, one or the other, not both at once.

Re: [PATCH v4] scripts/x86/intel: Add a script to update the old microcode list

[Sohil Mehta]

On 2/2/2026 10:01 AM, Dave Hansen wrote:
>>     if existing is not None:
>>         # If the existing one is newer, just move on:
>>         if existing['rev'] > rev['rev']:
>>             continue
>>
>> Dave, opinion?
> 
> I can't think of a case where I wanted to use multiple directories for a
> single run of the script. The only thing I tend to do is switch between
> the distr-provided ucode in /lib/firmware and a local clone of the Intel
> microcode git repo. So, one or the other, not both at once.

Great, I think we can avoid the find duplicates logic in that case.

Re: [PATCH v4] scripts/x86/intel: Add a script to update the old microcode list

[Luck, Tony]

On Fri, Jan 30, 2026 at 11:47:53AM -0800, Sohil Mehta wrote:
> +cmd = ['iucode-tool', '--list-all' ]

On Fedora this is named with "_", not "-".

$ type iucode_tool
iucode_tool is hashed (/usr/bin/iucode_tool)

-Tony