
Re: Intel Microcode updates

From "Henrique de Moraes Holschuh" <hmh@debian.org>
Newsgroups linux.debian.security
Subject Re: Intel Microcode updates
Date 2024-12-08 01:20 +0100
Message-ID <JRdbH-exaY-3@gated-at.bofh.it> (permalink)
References (1 earlier) <y7Eyd-52j-1@gated-at.bofh.it> <y7NBv-1L8-7@gated-at.bofh.it> <y7O4x-29Y-1@gated-at.bofh.it> <y8cTg-78-3@gated-at.bofh.it> <yak0h-3JW-19@gated-at.bofh.it>
Organization linux.* mail to news gateway



Hello Elmar,

I feel it is best to be very clear on this: I will *not* add automatic downloading of Intel microcode updates from an unofficial place.

The reasons are:

1. License issues. Non-negotiable. And this has been covered in this half-a-decade-old thread that rose from the grave, so I won't expand on it.


I won't add an "easy one-run/click download-and-update script" from Intel's official distribution either, because:

2. Microcode updates often have dependencies on other firmware components.

Although the simple version of it is already covered by intel-microcode's README, we now have THIS little piece which is by far the very best public description of the whole mess nowadays.  Read it:
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/87#issuecomment-2455439665

I will eventually get that information into the README, but it is low-priority.

So, no automated updates without at least cursory inspection of their contents (and yes, it IS done, and yes, it takes a considerable amount of effort sometimes).

All that said:

3. You can add your own microcode data file easily enough to /usr/share/misc/intel-microcode* and the package will do the right thing, at least in initramfs mode.  And this is all explained in README.Debian, although I suppose it could use an update that no longer mentions ".dat" files and tells the user to just copy the correct file to /usr/share/misc/intel-microcode-whatever.bin or use iucode_tool -w /usr/share/misc/intel-microcode-whatever.bin, and then update the initramfs image.

Failing that, you can just overwrite whatever is in /lib/firmware/intel-ucode (/usr/lib/firmware/intel-ucode in usr-merged systems) with new content.  The iucode-tool package can help you with that, it is what the intel-microcode package uses internally.  But see point (4) below.

4. The intel-microcode *source* package has functionality to easily add extra microcode to it, if you need a .deb with your extra microcode inside, or need to package an older version of a specific microcode update, etc.  The whole thing is described in debian/README.source in the intel-microcode Debian package source.

You could just drop your core2 microcode update file inside the top-level directory of an unpacked intel-microcode source package.  Name that core2 microcode update file with a name that matches microcode-*.bin, and the intel-microcode build will pick it up and include it in the resulting binary package when you "dpkg-buildpackage" it.  (If this is too cryptic, please search for some introductory guide to building Debian packages, it is really quite simple to download, unpack, and rebuild a Debian package.)


So, finally:

Please feel free to write an automated download script for whatever unofficial sources you want, but hopefully it is now a bit more clear why that isn't something I am willing to add to the Debian package, and why my position on this has not changed in the last half-decade.

-- 
  Henrique de Moraes Holschuh <hmh@debian.org>
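
One way to do a cursory structural inspection of a binary microcode file before copying it under /usr/share/misc, as an added example (not code from the post, from iucode_tool, or from the intel-microcode package). It assumes the publicly documented 48-byte Intel microcode update header; the function names and the sample blob are constructed for illustration.

```python
import struct

HEADER = struct.Struct("<9I12x")  # 48-byte little-endian header, 12 reserved bytes

def dword_sum(buf):
    """Sum of all 32-bit little-endian words, modulo 2**32."""
    return sum(struct.unpack(f"<{len(buf) // 4}I", buf)) & 0xFFFFFFFF

def inspect_microcode(blob):
    """Describe every update in a binary bundle; raise ValueError if malformed."""
    updates, off = [], 0
    while off < len(blob):
        if len(blob) - off < HEADER.size:
            raise ValueError(f"truncated header at offset {off}")
        (hdr_ver, rev, date, sig, _cksum, ldr_ver, pf_mask,
         data_size, total_size) = HEADER.unpack_from(blob, off)
        if hdr_ver != 1 or ldr_ver != 1:
            raise ValueError(f"not a microcode header at offset {off}")
        if data_size == 0:  # legacy encoding: 2000 data bytes, 2048 total
            data_size, total_size = 2000, 2048
        body = HEADER.size + data_size
        if (data_size % 4 or total_size % 1024 or total_size < body
                or off + total_size > len(blob)):
            raise ValueError(f"inconsistent sizes at offset {off}")
        # Header and data words must sum to zero modulo 2**32.
        if dword_sum(blob[off:off + body]) != 0:
            raise ValueError(f"checksum mismatch at offset {off}")
        updates.append({
            "offset": off,
            "signature": f"0x{sig:08x}",
            "pf_mask": f"0x{pf_mask:02x}",
            "revision": f"0x{rev:x}",
            # The date field is BCD, laid out as 0xMMDDYYYY.
            "date": f"{date & 0xFFFF:04x}-{date >> 24:02x}-{(date >> 16) & 0xFF:02x}",
            "size": total_size,
        })
        off += total_size
    return updates

def build_sample(sig=0x00012345, pf_mask=0x02, rev=0x1A, date=0x11122023):
    """Constructed input: valid header and checksum over an all-zero payload."""
    data = bytes(976)  # 48 + 976 = 1024, a multiple of 1024
    fields = [1, rev, date, sig, 0, 1, pf_mask, len(data), 1024]
    fields[4] = -dword_sum(HEADER.pack(*fields) + data) & 0xFFFFFFFF
    return HEADER.pack(*fields) + data

if __name__ == "__main__":
    for update in inspect_microcode(build_sample() + build_sample(rev=0x1B)):
        print(update)
```

The checksum only detects corruption or truncation; it does not authenticate the file and says nothing about the firmware dependencies described in point 2.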
