1. Forum
  2. Usenet
  3. LINUX.DEBIAN.SECURITY

  • Re: Intel Microcode updates

    From Henrique de Moraes Holschuh@21:1/5 to All on Sun Dec 8 01:20:01 2024
    Hello Elmar,

    I feel it is best to be very clear on this: I will *not* add automatic downloading of Intel microcode updates from unofficial place.

    The reasons are:

    1. License issues. Non-negotiable. And this has been covered in this half-a-decade-old thread that raised from the grave, so I won't expand on it.


    I won't add an "easy one-run/click download-and-update script" from Intel's official distribution either, because:

    2. Microcode updates often have dependencies on other firmware components.

    Although the simple version of it is already covered by intel-microcode's README, we now have THIS little piece which is by far the very best public description of the whole mess nowadays. Read it:
    https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/87#issuecomment-2455439665

    I will eventually get that information into the README, but it is low-priority.

    So, no automated updates without at least cursory inspection of their contents (and yes, it IS done, and yes, it takes a considerable amount of effort sometimes).

    All that said:

    3. You can add your own microcode data file easily enough to /usr/share/misc/intel-microcode* and the package will do the right thing, at least in initramfs mode. And this is all explained in README.Debian, although I suppose it could use an update that
    no longer mentions ".dat" files and tells user to just copy the correct file to /usr/share/misc/intel-microcode-whatever.bin or use iucode_tool -w /usr/share/misc/intel-microcode-whatever.bin, and then update the initramfs image.

    Failing that, you can just overwrite whatever is in /lib/firmware/intel-ucode (/usr/lib/firmware/intel-ucode in usr-merged systems) with new content. The iucode-tool package can help you with that, it is what the intel-microcode package uses internally.
    But see point (4) below.

    4. The intel-microcode *source* package has functionality to easily add extra microcode to it, if you need a .deb with your extra microcode inside, or need to package an older version of a specific microcode update, etc. The whole thing is described in
    debian/README.source in the intel-microcode Debian package source.

    You could just drop your core2 microcode update file inside the toplevel directory of an unpacked intel-microcode source package. Name that core2 microcode update file with a name that matches microcode-*.bin, and the intel-microcode build will pick it
    up and include into the resulting binary package when you "dpkg-buildpackage" it. (if this is too cryptic, please search for some introductory guide to building debian packages, it is really quite simple to download, unpack, and rebuild a debian package)
    .


    So, finally:

    Please feel free to write an automated download script for whatever unofficial sources you want, but hopefully it is now a bit more clear why that isn't something I am willing to add to the Debian package, and why my position on this has not changed in
    the last half-decade.

    --
    Henrique de Moraes Holschuh <hmh@debian.org>

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)