diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/package.use
index 09246476c9..3c0e1fee21 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/generic/package.use
@@ -8,3 +8,7 @@ sys-apps/coreutils	    selinux
 
 # Enable SELinux for runc
 app-emulation/runc          selinux
+
+# Only ship microcode currently distributed by Intel
+# See https://bugs.gentoo.org/654638#c11 by iucode-tool maintainer
+sys-firmware/intel-microcode vanilla
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-firmware/intel-microcode/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-firmware/intel-microcode/Manifest
index e4bbfa3cd9..78f1666053 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-firmware/intel-microcode/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-firmware/intel-microcode/Manifest
@@ -1 +1,2 @@
-DIST microcode-20180312.tgz 3789662 BLAKE2B e948d74833fe75b9bbdff1e4676f5d49a13bdd06aa6525c39be3448b822203947a5f55515484401ee0c96e8ade19ea580718949bed65883d983509661a16e637 SHA512 cc2cabf6d12c83b65eeb30fca7eb0b503e037dbee3d7ce9cb307b02ed8ac9426b2bafc2c1f1281dddff0945f8308f0d3cd320edea4596551354188d64760b854
+DIST intel-microcode-collection-20180616.tar.xz 4413444 BLAKE2B 4ba5371914f64c8a7261720512dff128f83cc25950a4bdf8d41e9eeb724c6d3150212b1a7f2ee966a2b9c835a2622ac885625fada497ec2bc0aa3c435a2968e8 SHA512 5c0cd4e764397f8c2593153256d573db8f57cce1fc062f5e687a108e5a430c7ed506f63d0d324ea2b88cc8bf8762d3fec507252ee9890c55bb9d3b5604151afe
+DIST microcode-20180425.tgz 1565473 BLAKE2B 70e0a56f0f5f720e00ab18d6553bc221147589e83df34fdc0c130c6f74a239e48355bfe1845b1de919ed1bce9ade7b7db298883eb3de1d53732a694b15d76f62 SHA512 6cea53cc0f486891fb9ddffc1e03e8e0a6d1d91df6bfda81250b2c60714e7b4111caa9df5afa7f13d8144e591550ef7eb4fd1e153fc67fc904afb83ccc2e3bb0
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-firmware/intel-microcode/intel-microcode-20180312-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-firmware/intel-microcode/intel-microcode-20180312-r1.ebuild
deleted file mode 100644
index 992dedccfa..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/sys-firmware/intel-microcode/intel-microcode-20180312-r1.ebuild
+++ /dev/null
@@ -1,95 +0,0 @@
-# Copyright 1999-2018 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-
-inherit toolchain-funcs mount-boot
-
-# Find updates by searching and clicking the first link (hopefully it's the one):
-# http://www.intel.com/content/www/us/en/search.html?keyword=Processor+Microcode+Data+File
-
-NUM="27591"
-DESCRIPTION="Intel IA32/IA64 microcode update data"
-HOMEPAGE="http://inertiawar.com/microcode/ https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=${NUM}"
-SRC_URI="https://downloadmirror.intel.com/${NUM}/eng/microcode-${PV}.tgz"
-
-LICENSE="intel-ucode"
-SLOT="0/${PVR}"
-KEYWORDS="-* amd64 x86"
-IUSE="initramfs +split-ucode"
-REQUIRED_USE="|| ( initramfs split-ucode )"
-
-DEPEND="sys-apps/iucode_tool"
-RDEPEND="!<sys-apps/microcode-ctl-1.17-r2" #268586
-
-S=${WORKDIR}
-
-# TODO: 
-# Blacklist bad microcode here.
-DEFAULT_MICROCODE_SIGNATURES=""
-
-# Advanced users only:
-# merge with:
-# only current CPU: MICROCODE_SIGNATURES="-S"
-# only specific CPU: MICROCODE_SIGNATURES="-s 0x00000f4a -s 0x00010676"
-# exclude specific CPU: MICROCODE_SIGNATURES="-s !0x00000686"
-MICROCODE_SIGNATURES="${MICROCODE_SIGNATURES:=${DEFAULT_MICROCODE_SIGNATURES}}"
-
-pkg_pretend() {
-	if [[ "${MICROCODE_SIGNATURES}" != "${DEFAULT_MICROCODE_SIGNATURES}" ]]; then
-		ewarn "MICROCODE_SIGNATURES is set!"
-		ewarn "The user has decided to install only a SUBSET of microcode."
-	fi
-	use initramfs && mount-boot_pkg_pretend
-}
-
-src_install() {
-	# This will take ALL of the upstream microcode sources:
-	# - microcode.dat
-	# - intel-ucode/
-	# In some cases, they have not contained the same content (eg the directory has newer stuff).
-	MICROCODE_SRC=(
-		"${S}"/microcode.dat
-		"${S}"/intel-ucode/
-	)
-	opts=(
-		${MICROCODE_SIGNATURES}
-		# be strict about what we are doing
-		--overwrite
-		--strict-checks
-		--no-ignore-broken
-		# show everything we find
-		--list-all
-		# show what we selected
-		--list
-	)
-
-	# The earlyfw cpio needs to be in /boot because it must be loaded before
-	# rootfs is mounted.
-	use initramfs && dodir /boot && opts+=( --write-earlyfw="${ED%/}"/boot/intel-uc.img )
-	# split location:
-	use split-ucode && dodir /lib/firmware/intel-ucode && opts+=( --write-firmware="${ED%/}"/lib/firmware/intel-ucode )
-
-	iucode_tool \
-		"${opts[@]}" \
-		"${MICROCODE_SRC[@]}" \
-		|| die "iucode_tool ${opts[@]} ${MICROCODE_SRC[@]}"
-
-	dodoc releasenote
-}
-
-pkg_preinst() {
-	use initramfs && mount-boot_pkg_preinst
-}
-
-pkg_prerm() {
-	use initramfs && mount-boot_pkg_prerm
-}
-
-pkg_postrm() {
-	use initramfs && mount-boot_pkg_postrm
-}
-
-pkg_postinst() {
-	use initramfs && mount-boot_pkg_postinst
-}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-firmware/intel-microcode/intel-microcode-20180616.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-firmware/intel-microcode/intel-microcode-20180616.ebuild
new file mode 100644
index 0000000000..f394ae70f2
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/sys-firmware/intel-microcode/intel-microcode-20180616.ebuild
@@ -0,0 +1,211 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit linux-info toolchain-funcs mount-boot
+
+# Find updates by searching and clicking the first link (hopefully it's the one):
+# http://www.intel.com/content/www/us/en/search.html?keyword=Processor+Microcode+Data+File
+
+COLLECTION_SNAPSHOT="20180616"
+INTEL_SNAPSHOT="20180425"
+NUM="27776"
+DESCRIPTION="Intel IA32/IA64 microcode update data"
+HOMEPAGE="http://inertiawar.com/microcode/ https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=${NUM}"
+SRC_URI="https://downloadmirror.intel.com/${NUM}/eng/microcode-${INTEL_SNAPSHOT}.tgz
+	https://dev.gentoo.org/~whissi/dist/intel-microcode/intel-microcode-collection-${COLLECTION_SNAPSHOT}.tar.xz"
+
+LICENSE="intel-ucode"
+SLOT="0/${PVR}"
+KEYWORDS="-* amd64 x86"
+IUSE="hostonly initramfs +split-ucode vanilla"
+REQUIRED_USE="|| ( initramfs split-ucode )"
+
+DEPEND="sys-apps/iucode_tool"
+
+# !<sys-apps/microcode-ctl-1.17-r2 due to bug #268586
+RDEPEND="!<sys-apps/microcode-ctl-1.17-r2
+	hostonly? ( sys-apps/iucode_tool )"
+
+S=${WORKDIR}
+
+# Blacklist bad microcode here.
+MICROCODE_BLACKLIST_DEFAULT=""
+MICROCODE_BLACKLIST="${MICROCODE_BLACKLIST:=${MICROCODE_BLACKLIST_DEFAULT}}"
+
+# In case we want to set some defaults ...
+MICROCODE_SIGNATURES_DEFAULT=""
+
+# Advanced users only:
+# merge with:
+# only current CPU: MICROCODE_SIGNATURES="-S"
+# only specific CPU: MICROCODE_SIGNATURES="-s 0x00000f4a -s 0x00010676"
+# exclude specific CPU: MICROCODE_SIGNATURES="-s !0x00000686"
+MICROCODE_SIGNATURES="${MICROCODE_SIGNATURES:=${MICROCODE_SIGNATURES_DEFAULT}}"
+
+pkg_pretend() {
+	if [[ "${MICROCODE_BLACKLIST}" != "${MICROCODE_BLACKLIST_DEFAULT}" ]]; then
+		ewarn "MICROCODE_BLACKLIST is set to \"${MICROCODE_BLACKLIST}\" instead of default \"${MICROCODE_BLACKLIST_DEFAULT}\". You are on your own!"
+	fi
+
+	if [[ "${MICROCODE_SIGNATURES}" != "${MICROCODE_SIGNATURES_DEFAULT}" ]]; then
+		ewarn "The user has opted in for advanced use:"
+		ewarn "MICROCODE_SIGNATURES is set to \"${MICROCODE_SIGNATURES}\" instead of default \"${MICROCODE_SIGNATURES_DEFAULT}\"!"
+	fi
+
+	use initramfs && mount-boot_pkg_pretend
+}
+
+src_prepare() {
+	default
+
+	# Prevent "invalid file format" errors from iucode_tool
+	rm -f "${S}"/intel-ucod*/list || die
+}
+
+src_install() {
+	# This will take ALL of the upstream microcode sources:
+	# - microcode.dat
+	# - intel-ucode/
+	# In some cases, they have not contained the same content (eg the directory has newer stuff).
+	MICROCODE_SRC=(
+		"${S}"/intel-ucode/
+		"${S}"/intel-ucode-with-caveats/
+	)
+
+	# Allow users who are scared about microcode updates not included in Intel's official
+	# microcode tarball to opt-out and comply with Intel marketing
+	if ! use vanilla; then
+		MICROCODE_SRC+=( "${S}"/intel-microcode-collection-${COLLECTION_SNAPSHOT} )
+	fi
+
+	opts=(
+		${MICROCODE_BLACKLIST}
+		${MICROCODE_SIGNATURES}
+		# be strict about what we are doing
+		--overwrite
+		--strict-checks
+		--no-ignore-broken
+		# we want to install latest version
+		--no-downgrade
+		# show everything we find
+		--list-all
+		# show what we selected
+		--list
+	)
+
+	# The earlyfw cpio needs to be in /boot because it must be loaded before
+	# rootfs is mounted.
+	use initramfs && dodir /boot && opts+=( --write-earlyfw="${ED%/}"/boot/intel-uc.img )
+	# split location (we use a temporary location so that we are able
+	# to re-run iucode_tool in pkg_preinst; use keepdir instead of dodir to carry
+	# this folder to pkg_preinst to avoid an error even if no microcode was selected):
+	keepdir /tmp/intel-ucode && opts+=( --write-firmware="${ED%/}"/tmp/intel-ucode )
+
+	iucode_tool \
+		"${opts[@]}" \
+		"${MICROCODE_SRC[@]}" \
+		|| die "iucode_tool ${opts[@]} ${MICROCODE_SRC[@]}"
+
+	dodoc releasenote
+}
+
+pkg_preinst() {
+	use initramfs && mount-boot_pkg_preinst
+
+	if use hostonly; then
+		einfo "Removing ucode(s) not supported by any currently available (=online) processor(s) due to USE=hostonly ..."
+		opts=(
+			--scan-system
+			# be strict about what we are doing
+			--overwrite
+			--strict-checks
+			--no-ignore-broken
+			# we want to install latest version
+			--no-downgrade
+			# show everything we find
+			--list-all
+			# show what we selected
+			--list
+		)
+
+		# The earlyfw cpio needs to be in /boot because it must be loaded before
+		# rootfs is mounted.
+		use initramfs && opts+=( --write-earlyfw="${ED%/}"/boot/intel-uc.img )
+		# split location:
+		use split-ucode && dodir /lib/firmware/intel-ucode && opts+=( --write-firmware="${ED%/}"/lib/firmware/intel-ucode )
+
+		iucode_tool \
+			"${opts[@]}" \
+			"${ED%/}"/tmp/intel-ucode \
+			|| die "iucode_tool ${opts[@]} ${ED%/}/tmp/intel-ucode"
+
+	else
+		if use split-ucode; then
+			# Temporary /tmp/intel-ucode will become final /lib/firmware/intel-ucode ...
+			dodir /lib/firmware
+			mv "${ED%/}/tmp/intel-ucode" "${ED%/}/lib/firmware" || die "Failed to install splitted ucodes!"
+		fi
+	fi
+
+	# Cleanup any temporary leftovers so that we don't merge any
+	# unneeded files on disk
+	rm -r "${ED%/}/tmp" || die "Failed to cleanup '${ED%/}/tmp'"
+}
+
+pkg_prerm() {
+	use initramfs && mount-boot_pkg_prerm
+}
+
+pkg_postrm() {
+	use initramfs && mount-boot_pkg_postrm
+}
+
+pkg_postinst() {
+	use initramfs && mount-boot_pkg_postinst
+
+	local _has_installed_something=
+	if use initramfs && [[ -s "${EROOT%/}/boot/intel-uc.img" ]]; then
+		_has_installed_something="yes"
+	elif use split-ucode; then
+		_has_installed_something=$(find "${EROOT%/}/lib/firmware/intel-ucode" -maxdepth 0 -not -empty -exec echo yes \;)
+	fi
+
+	if use hostonly && [[ -n "${_has_installed_something}" ]]; then
+		elog "You only installed ucode(s) for all currently available (=online)"
+		elog "processor(s). Remember to re-emerge this package whenever you"
+		elog "change the system's processor model."
+		elog ""
+	elif [[ -z "${_has_installed_something}" ]]; then
+		ewarn "WARNING:"
+		ewarn "No ucode was installed! You can ignore this warning if there"
+		ewarn "aren't any microcode updates available for your processor(s)."
+		ewarn "But if you use MICROCODE_SIGNATURES variable please double check"
+		ewarn "if you have an invalid select."
+		ewarn ""
+
+		if use hostonly; then
+			ewarn "Unset \"hostonly\" USE flag to install all available ucodes."
+			ewarn ""
+		fi
+	fi
+
+	# We cannot give detailed information if user is affected or not:
+	# If MICROCODE_BLACKLIST wasn't modified, user can still use MICROCODE_SIGNATURES
+	# to to force a specific, otherwise blacklisted, microcode. So we
+	# only show a generic warning based on running kernel version:
+	if kernel_is -lt 4 14 34; then
+		ewarn "${P} contains microcode updates which require"
+		ewarn "additional kernel patches which aren't yet included in kernel <4.14.34."
+		ewarn "Loading such a microcode through kernel interface from an unpatched kernel"
+		ewarn "can crash your system!"
+		ewarn ""
+		ewarn "Those microcodes are blacklisted per default. However, if you have altered"
+		ewarn "MICROCODE_BLACKLIST or MICROCODE_SIGNATURES, you maybe have unintentionally"
+		ewarn "re-enabled those microcodes...!"
+		ewarn ""
+		ewarn "Check \"${EROOT%/}/usr/share/doc/${PN}-*/releasenot*\" if your microcode update"
+		ewarn "requires additional kernel patches or not."
+	fi
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-firmware/intel-microcode/metadata.xml b/sdk_container/src/third_party/coreos-overlay/sys-firmware/intel-microcode/metadata.xml
index f8bcf6658d..6613dbb47e 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-firmware/intel-microcode/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/sys-firmware/intel-microcode/metadata.xml
@@ -7,7 +7,8 @@
 </maintainer>
 <use>
 	<flag name="initramfs">install a small initramfs for use with CONFIG_MICROCODE_EARLY</flag>
-	<flag name="monolithic">install the large text microcode.dat (used by older kernels via microcode_ctl)</flag>
+	<flag name="hostonly">only install ucode(s) supported by currently available (=online) processor(s)</flag>
 	<flag name="split-ucode">install the split binary ucode files (used by the kernel directly)</flag>
+	<flag name="vanilla">install only microcode updates from Intel's official microcode tarball</flag>
 </use>
 </pkgmetadata>
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest
index e7ec1e7bf7..d441b0e612 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest
@@ -1,2 +1 @@
-DIST linux-firmware-20180103.tar.gz 138263360 SHA256 07b46a7ec8fc7337d5e64598b2aa9220c30c6bc03930787dfd15b08326391981 SHA512 ed95205c075b47a2f30d9c96181ca0047de017abb1b5904f7c504a0afb8ea673c179980eb92d5690dd1a5cfb29815f224f384b4dcc472f80ddc90af3b2cbd4ce WHIRLPOOL 7a00ed9795b394f09cd50fdecf3417d585d42513f7210025425cf2234a6f359652a92558a67ec7169a6c47bc4adc67fa1974d710bc4263b8fe103d09998434e9
-DIST microcode_amd_fam17h.tar.gz 2204 SHA256 a09b9f9a799ed0124fc108783e4955f3dd3aa345a3424d3ac48acae4bf5b9499 SHA512 d3b52797a5968f8da76d39322780e61d04bab5d810b0b07d64e469fcd67998e4191b0e0a9ab7e4c27189941369ef1b2850bbbb1458fd9bbeb958c98f6e378510 WHIRLPOOL 227439fd174347fdc511d898baa366a05afd9246dc6fa52bb13438f9f059f32ada217bb31c47b3947e00141c3b8f2451833a8374e3f8753e26ce311b2114bda4
+DIST linux-firmware-20180606.tar.gz 152670671 BLAKE2B 7c4fb07451c1c459bd0bf8bec15e3bff41bdb64166decfd7776650c85f0b373c97dfa23330ebb7ddd4bc144bffb57751f3a94bb4a352e5f8ef1dd0b8a3679c81 SHA512 4eb02e11beffde5bf8daff45af78304881e01eb51004ff0758bfff3a4a4cb59f6a2e081b7a3c3e07734a29954f09fa6277f920c2bdab6aeb608065936861c650
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-20180103-r1.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-20180606.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-20180103-r1.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-20180606.ebuild
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild
index 3c90c83aeb..7fc1d1a36e 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild
@@ -15,10 +15,8 @@ if [[ ${PV} == 99999999* ]]; then
 	EGIT_REPO_URI="git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git"
 	KEYWORDS=""
 else
-	GIT_COMMIT="2eefafb2e9dcbafdf4b83d8c43fcd6b75fd4ac78"
-	SRC_URI="https://git.kernel.org/cgit/linux/kernel/git/firmware/linux-firmware.git/snapshot/linux-firmware-${GIT_COMMIT}.tar.gz -> linux-firmware-${PV}.tar.gz
-		mirror://gentoo/microcode_amd_fam17h.tar.gz
-		https://dev.gentoo.org/~whissi/dist/${PN}/microcode_amd_fam17h.tar.gz"
+	GIT_COMMIT="d1147327232ec4616a66ab898df84f9700c816c1"
+	SRC_URI="https://git.kernel.org/cgit/linux/kernel/git/firmware/linux-firmware.git/snapshot/linux-firmware-${GIT_COMMIT}.tar.gz -> linux-firmware-${PV}.tar.gz"
 	KEYWORDS="~alpha amd64 ~arm arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh ~sparc x86"
 fi
 
@@ -84,10 +82,6 @@ src_unpack() {
 }
 
 src_prepare() {
-	# Move the amd ucode as well. This can be dropped once gentoo drops it from
-	# their ebuild.
-	mv "${WORKDIR}"/microcode_amd_fam17h.bin "${S}"/amd-ucode || die
-
 	local kernel_mods="${ROOT}/lib/modules/${KV_FULL}"
 
 	# Fail if any firmware is missing.