From a7b58dcf475ab2fa506a34e6729b544569519ee4 Mon Sep 17 00:00:00 2001
From: nkraetzschmar <9020053+nkraetzschmar@users.noreply.github.com>
Date: Fri, 28 Jun 2024 00:05:18 +0200
Subject: [PATCH 1/2] feat: add microcode support

---
 hack/README.md | 3 +--
 hack/build-container/Dockerfile | 4 +++-
 hack/hack.mk | 1 +
 hack/ucode/make.mk | 2 ++
 hack/ucode/mk-ucode | 24 ++++++++++++++++++++++++
 hack/uki/make.mk | 1 +
 6 files changed, 32 insertions(+), 3 deletions(-)
 create mode 100644 hack/ucode/make.mk
 create mode 100755 hack/ucode/mk-ucode

diff --git a/hack/README.md b/hack/README.md
index e68fe99..9b00e44 100644
--- a/hack/README.md
+++ b/hack/README.md
@@ -6,6 +6,7 @@ This directory includes scripts to run FeOS as the pid 1 process within a VM.
 make build-container
 make kernel
 make initramfs
+ make ucode
 make uki
 
 # create `vm-br0` bridge on your machine:
@@ -41,5 +42,3 @@ If you want to run FeOS within a [cloud-hypervisor](https://www.cloudhypervisor.
 --kernel target/kernel/vmlinuz \
 --initramfs target/initramfs.zst \
 --cmdline "`cat target/cmdline`"
-
-
diff --git a/hack/build-container/Dockerfile b/hack/build-container/Dockerfile
index 2785d91..65ff643 100644
--- a/hack/build-container/Dockerfile
+++ b/hack/build-container/Dockerfile
@@ -9,7 +9,9 @@ RUN apt-get update && apt-get upgrade -y && apt-get install -y \
 libprotobuf-dev \
 sbsigntool python3-pefile systemd-boot \
 musl-tools \
- ca-certificates
+ ca-certificates \
+ iucode-tool \
+ libarchive-tools
 
 RUN cargo new xyz; cd xyz; cargo fetch; cd ..; rm -rf xyz
 RUN rustup component add clippy
diff --git a/hack/hack.mk b/hack/hack.mk
index 8afa52d..9fa4286 100644
--- a/hack/hack.mk
+++ b/hack/hack.mk
@@ -3,6 +3,7 @@ SHELL := /bin/bash
 include hack/build-container/make.mk
 include hack/kernel/make.mk
 include hack/initramfs/make.mk
+include hack/ucode/make.mk
 include hack/cloud-hypervisor/make.mk
 include hack/cloud-hypervisor-firmware/make.mk
 include hack/uki/make.mk
diff --git a/hack/ucode/make.mk b/hack/ucode/make.mk
new file mode 100644
index 0000000..d9245e6
--- /dev/null
+++ b/hack/ucode/make.mk
@@ -0,0 +1,2 @@
+ucode:
+ docker run --rm -u $${UID} -v "`pwd`:/feos" feos-builder ./hack/ucode/mk-ucode
diff --git a/hack/ucode/mk-ucode b/hack/ucode/mk-ucode
new file mode 100755
index 0000000..4794ff7
--- /dev/null
+++ b/hack/ucode/mk-ucode
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -exuo pipefail
+
+target_dir="$(realpath target)"
+
+on_exit() {
+ cd /
+ [ -z "${tmp_dir-}" ] || rm -rf "$tmp_dir"
+}
+
+trap on_exit EXIT
+
+tmp_dir="$(mktemp -d)"
+cd "$tmp_dir"
+
+git clone --depth 1 https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files.git intel-microcode
+git clone --depth 1 https://gitlab.com/kernel-firmware/linux-firmware.git linux-firmware
+
+mkdir -p kernel/x86/microcode
+iucode_tool --write-to=kernel/x86/microcode/GenuineIntel.bin intel-microcode/intel-ucode
+cat linux-firmware/amd-ucode/microcode_amd*.bin > kernel/x86/microcode/AuthenticAMD.bin
+
+bsdtar --uid 0 --gid 0 -cf - kernel | bsdtar -cf - --format=newc @- > "$target_dir/ucode.cpio"
diff --git a/hack/uki/make.mk b/hack/uki/make.mk
index 0b353eb..e885a35 100644
--- a/hack/uki/make.mk
+++ b/hack/uki/make.mk
@@ -11,6 +11,7 @@ uki: keys
 --os-release @/feos/hack/uki/os-release.txt \
 --linux /feos/target/kernel/vmlinuz \
 --initrd /feos/target/initramfs.zst \
+ --microcode /feos/target/ucode.cpio \
 --cmdline @/feos/target/cmdline \
 --secureboot-private-key /feos/keys/secureboot.key \
 --secureboot-certificate /feos/keys/secureboot.pem \

From 307fc5e1a6a792b3f26dd1fe5e4a500fcc9dd59b Mon Sep 17 00:00:00 2001
From: nkraetzschmar <9020053+nkraetzschmar@users.noreply.github.com>
Date: Thu, 4 Jul 2024 16:42:38 +0200
Subject: [PATCH 2/2] fix: hack/ucode: create target directory if not exists

---
 hack/ucode/mk-ucode | 1 +
 1 file changed, 1 insertion(+)

diff --git a/hack/ucode/mk-ucode b/hack/ucode/mk-ucode
index 4794ff7..e5bfd6b 100755
--- a/hack/ucode/mk-ucode
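Review bot: The `ucode` rule in hack/ucode/make.mk names no file it produces and is not declared phony, so a file or directory called `ucode` in the directory make runs from would make `make ucode` report the target up to date and skip the build. Add `.PHONY: ucode` above the rule, unless hack.mk already declares its targets phony somewhere this patch does not show. A comment on the rule such as `# builds target/ucode.cpio (early-load microcode archive)` would also tell readers what the recipe leaves behind, since the output path is only visible inside mk-ucode.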
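Review bot: In hack/ucode/mk-ucode both `git clone --depth 1` calls take whatever the default branch of each upstream repository holds at build time, so the microcode that hack/uki/make.mk then embeds in the Secure Boot-signed image cannot be reproduced or audited from this repository. Pin each clone to a reviewed release by adding `--branch "<INTEL_UCODE_TAG>"` and `--branch "<LINUX_FIRMWARE_TAG>"` respectively (placeholders for tags the project has vetted), and log `git -C intel-microcode rev-parse HEAD` and the same for `linux-firmware` so the build output records what went in. Separately, the final pipeline writes straight to `$target_dir/ucode.cpio`, so a failed run can leave a truncated archive behind for a later `make uki`; writing to a temporary name in `$target_dir` and renaming it on success would avoid that.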
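Review bot: The new `--microcode /feos/target/ucode.cpio` argument in hack/uki/make.mk makes the `uki` recipe read a file that nothing in the rule's prerequisites (`uki: keys`, per the hunk header) produces, so `make uki` either fails when `make ucode` was never run or signs a stale archive left over from an earlier build. If the manual ordering listed in hack/README.md is intentional, a comment above the recipe such as `# requires target/ucode.cpio from 'make ucode'` would state that; otherwise add `ucode` to the prerequisite list. The rule starts above this hunk, so the command being invoked and any other prerequisites are not visible here.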
+++ b/hack/ucode/mk-ucode
@@ -2,6 +2,7 @@
 
 set -exuo pipefail
 
+mkdir -p target
 target_dir="$(realpath target)"
 
 on_exit() {