Received: from services.wan.fiasko-nw.net (services.wan.fiasko-nw.net [178.63.125.138])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 50037781A6A
	for <~alpine/devel@lists.alpinelinux.org>; Sun,  3 May 2020 21:34:23 +0000 (UTC)
Received: from [10.2.0.254]
	by services.wan.fiasko-nw.net with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
	(Exim 4.89)
	(envelope-from <thomas@fiasko-nw.net>)
	id 1jVMFa-0003je-HW
	for ~alpine/devel@lists.alpinelinux.org; Sun, 03 May 2020 23:34:23 +0200
To: ~alpine/devel@lists.alpinelinux.org
From: Thomas Liske <thomas@fiasko-nw.net>
Subject: mkimage.sh and cpu microcode updates
Message-ID: <5b2d3dd4-6bb2-a926-a808-c5fadbd79fe1@fiasko-nw.net>
Date: Sun, 3 May 2020 23:34:14 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.7.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-Spam-Score: -1.0
X-Spam_bar: -

Hi,

this is related to aports #11478 and !7493. I wonder how could I use CPU 
microcode updates on Alpine while using the diskless mode (directly from 
a usb stick without setup-bootable installation). As a result I think 
the situation should be improved.

For Intel and AMD CPUs it is required to use a early initrd to apply 
microcode updates. For Intel we have the intel-ucode package, for AMD it 
is missing (there are the linux-firmware-amd* packages containing the 
vanilla ucode updates, details see below).


*mkimage.sh*

I've created a small patch[1] for mkimage.sh to make it possible a image 
profile can add packages which provides additional files into boot and 
use that files as early initrd by chain loading them (like ArchLinux 
does with syslinux[2] and grub[3]).

[1] 
https://gitlab.alpinelinux.org/alpine/aports/-/commit/9b9e4b106ce96fe71e1c1deae11c7fcb61d78da5
[2] https://wiki.archlinux.org/index.php/Microcode#Syslinux
[3] https://wiki.archlinux.org/index.php/Microcode#GRUB

I think loading those early initrds should not be a problem on foreign 
CPUs (Intel CPU|ucode vs. AMD ucode|CPU).

Should microcode updates loaded by default, only in extended or only be 
advanced users building their own images using mkimage.sh?


*AMD*

There are the two related packages linux-firmware-amd and 
linux-firmware-amd-ucode for AMD CPU and APU (btw: they are packaged for 
all architectures but can only be used on x86 and x86_64).

This does *not* help for early boot ucode updates. I think we require a 
amd-ucode package simiular to the intel-ucode package. It should be 
possible since ArchLinux does it the same way[4].

[4] https://www.archlinux.org/packages/core/any/amd-ucode/

Both intel-ucode and amd-ucode packages should be added to the .iso 
images and can be chain loaded as early initrd or used for individual 
image profiles.


*Documentation*

It was hard for me to find any details how microcode updates are handled 
in alpine. I think it would be useful to have a site in the alpine wiki 
giving some hints on this topic for other users.



Regards,
Thomas