The officially official Devuan Forum!

You are not logged in.

#1 2019-07-09 00:54:00

aut0exec
Member
Registered: 2018-11-21
Posts: 45  

Microcode updates built into a Kernel

Greetings again, back with another fun one! Still working on this custom setup and realized that the CPU microcode didn't contain any of the patches for those wonderful Meltdown, Spectre, and other bugs from the past year. So I set off to roll the processor microcode into the custom kernel (not using an initramfs and would prefer to apply the patch as soon as possible in the boot process still).

So some quick Gentoo and LFS research showed that baking in firmware into a custom kernel was pretty simple or so I though! So the necessary 4.9 kernel configuration parameters appear to be the following:

CONFIG_FW_LOADER=y
CONFIG_FIRMWARE_IN_KERNEL=y
CONFIG_EXTRA_FIRMWARE="Intel_ucode/xx-xx-xx"   - xx-xx-xx being the proper code for the Intel CPU
CONFIG_EXTRA_FIRMWARE_DIR="firmware"

CONFG_PREVENT_FIRMWARE_BUILD=y
## Not sure what this one does and can't seem to find a clear explanation of what it is for

So going forth with the configuration options above, I placed the Intel microcode into the directory kernel/firmware/Intel_ucode and then proceeded to build the kernel. Watching the build output I see the process pick up the microcode (three lines; there's a MK-FW, AS, and then an LD line referencing the Intel Microcode). However when I boot the kernel on the device the kernel doesn't appear to load the updated microcode but I do know that the microcode is the right one for the CPU as I can late load it and it'll work.

Anyone have an idea what I'm missing/doing wrong?

Relevant post on the topic:
1) https://wiki.gentoo.org/wiki/Intel_micr … -fs.2Fdisk
2) http://www.linuxfromscratch.org/blfs/vi … mware.html

Offline

#2 2019-07-09 16:13:10

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 295  
Website

Re: Microcode updates built into a Kernel

The Gentoo wiki says that CONFIG_EXTRA_FIRMWARE_DIR should be set to "/lib/firmware" and I think you need to add the actual firmware files to that directory.

If you can't get this working then you could try using the Arch Linux intel-ucode package — that includes a custom initramfs image that will load the µcode if it is added to grub.cfg like this:

   initrd /boot/intel-ucode.img

Just download the package, untar it and copy intel-ucode.img to /boot


Fabricando fit faber

Offline

#3 2019-07-10 00:26:39

aut0exec
Member
Registered: 2018-11-21
Posts: 45  

Re: Microcode updates built into a Kernel

Thanks HoaS, I did get it working today.

I was reading the CONFIG_EXTRA_FIRMWARE_DIR as a temporary place to hold firmware until it was compiled into the kernel but it seems that's not the purpose of that parameter. Seems that the configuration parameter simply states where within the root file-system the microcode resides and then the kernel loads it from that path on startup? I was naively assuming that the firmware was actually built into the kernel and then loaded from within the kernel itself rather than from an external source like initramfs or rootfs. Is that assessment correct?

Offline

#4 2019-07-10 17:56:48

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 295  
Website

Re: Microcode updates built into a Kernel

aut0exec wrote:

Seems that the configuration parameter simply states where within the root file-system the microcode resides and then the kernel loads it from that path on startup?

I think so, yes. But I'm no expert smile

It would make more sense not to have it baked in because live updates would not be possible if it was.


Fabricando fit faber

Offline

#5 2019-07-12 11:41:46

aut0exec
Member
Registered: 2018-11-21
Posts: 45  

Re: Microcode updates built into a Kernel

Head_on_a_Stick wrote:

It would make more sense not to have it baked in because live updates would not be possible if it was.

Hmm you don't think you'd still be able to late-load a newer one? Luckily for this, anytime there would be an update a new kernel would be rolled out anyways so late-load wouldn't really be needed!

Offline

Board footer