sys-firmware/intel-microcode: Sync with Gentoo

It's from Gentoo commit 1bc27f5173298af323c44e4138d90faf4428845f.

sdk_container/src/third_party/portage-stable/sys-firmware/intel-microcode/Manifest

@@ -1,7 +1,9 @@
 DIST intel-microcode-collection-20240312.tar.xz 13484040 BLAKE2B 947f78698211b372472629e7fdf076021db97f156d812ec2a84c5ab3d5ee374e04191f7881c956c261c6a6a5935b2c779b837879677ee98d44cf8c753a4393b8 SHA512 de577f232035a92ce563475edb4572c6fa40a0a2ee8e76b858de1ca42f905d366d107bf02e4968127ad6fe150baf37e11ed93191e40c1c5913ba34fe77184c00
 DIST intel-microcode-collection-20240514.tar.xz 13421016 BLAKE2B 83b7d213709bf8c1ea1b62456974cf6a2087470d9e2456ef3de93569007cfa8c94021a21a9f3f7b638ffe4b2ad0f516deda04a1c630e54f35709e92a113a7683 SHA512 4cc364b19355f133dae0178f7d10b50abcc0e6e7919e646cfc756c8ff8dc1d6d0819abae6f5cb7f659f0466ee31196625cf022bb994f500ab08e93238a66d104
 DIST intel-microcode-collection-20240526.tar.xz 14673584 BLAKE2B 262f667ac46e190994e86f547c98ac776c73b1576c208fa32df96a2dd60af6cda9bd0b0367ca68bb6b85fd19f75913e73069d0064eb2b4c560068c3da50618c8 SHA512 4227c68ba60aea940b851f10d1006ee42b45d55425eb143210adeb363468238329d4a2720d117f5bdaeb9857ae29a6952a3df22769f4436638a9080ded6793ba
+DIST intel-microcode-collection-20240815.tar.xz 15458512 BLAKE2B 17b3719961a30d18aecb7b5094de5250e36a6eaa2f880a020ca38762d8a037b7e25f322cc1cbb3000a520007beb0d47d6b4f4940c47fac2082c9c2a3fa3be5d4 SHA512 6faddcac20184424bbe0488dce8df31479b89da9affb5c2f2d93f2bccc045d41105d5a10e3c56ba48cf27853a089334adac6e42a27c5fb63e86f0ed7c51bbc42
 DIST intel-ucode-sig_0x406e3-rev_0xd6.bin 101376 BLAKE2B 66d55867954d69dda1425febd93bb8c89f7aa836d504f8b5fee127f8505bcf2246f4fcc55cc245bc5e532528d60cca2eee278de7ab5174dc2862db7982a2b36f SHA512 248066b521bf512b5d8e4a8c7e921464ce52169c954d6e4ca580d8c172cd789519e22b4cf56c212e452b4191741f0202019f7061d322c9433b5af9ce5413b567
 DIST microcode-20240312.tar.gz 12825665 BLAKE2B 43c771becef0f6dbfd41bf78a9a3cc8f6679a43ea48765d0e7f555c138dca6e3db42a4d33f743d8d51f38b0b6aa69322bba0c00ae9f1ff4c533b52166ee54747 SHA512 f5f3dfb1706675060b00057b5f017c2cb4ac0df74727139185fd167ca67fc6c611e205b1caeded23b006e4d8d314f87537007e7bafba2c87373f6d960988c911
 DIST microcode-20240514.tar.gz 12870457 BLAKE2B 2a3a357ecf8d9f17fd20cd651386e5687fbbca8a3a323caf846e7c84d440241c3c99cadd00016642c8d11f297c1d2ab63c54ea062644839b74f84d66b04c703e SHA512 1c0f1707bf7db70d04e94a0728c0f61a1f9c25fead8c2c3716cafd20c976973cf636e411d12f81b34bf0076d7c7601c11b1bcd92a2e1be35d98003bb61ace569
 DIST microcode-20240531.tar.gz 12870497 BLAKE2B 6a2c5ee6b6f3543b28f3753b30812e360bad50776b4f81e32a832e2169f38c11f8d5108ce0a81ddcdf1ecf7557baf1fd62c053a365f39a33ded5fd5018580b1f SHA512 fb9d772491f279ebb691248e4a665da45c986ca7b4668ecf311c5fcb91a42400f7a5b35e8bfc31ceb1c9d598e753c817359900e3fa316d825f8ecec21ec63cfe
+DIST microcode-20240813.tar.gz 12879301 BLAKE2B f6a157de1f2c14e0e4d08ec71304451a52c7a0ffcfc79a1ebce7e8c16c7405587369c9cad994b8bdb0a987d4fe2769b2988948ffd9fe1e7f117eb624cf579b63 SHA512 ba1fa7d9bed7d90756ea959f5878afca0deacc9b1e932a936a15d74a411b7efb6103a4af75dc3731d9cbb2e464439ce9a7d448f75bc6f38b616907ff6dec6ee3

sdk_container/src/third_party/portage-stable/sys-firmware/intel-microcode/intel-microcode-20240813_p20240815.ebuild

@@ -0,0 +1,338 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit dist-kernel-utils linux-info mount-boot
+
+# Find updates by searching and clicking the first link (hopefully it's the one):
+# https://www.intel.com/content/www/us/en/search.html?keyword=Processor+Microcode+Data+File
+#
+#
+# Package Maintenance instructions:
+# 1. The ebuild is in the form of intel-microcode-<INTEL_SNAPSHOT>_p<COLLECTION_SNAPSHOT>.ebuild
+# 2. The INTEL_SNAPSHOT upstream is located at: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
+# 3. The COLLECTION_SNAPSHOT is created manually using the following steps:
+#   a. Clone the repository https://github.com/platomav/CPUMicrocodes
+#   b. Rename the Intel directory to intel-microcode-collection-<YYYYMMDD>
+#   c. From the CPUMicrocodes directory tar and xz compress the contents of intel-microcode-collection-<YYYYMMDD>:
+#      tar -cJf intel-microcode-collection-<YYYYMMDD>.tar.xz intel-microcode-collection-<YYYYMMDD>/
+#   d. This file can go in your devspace, add the URL to SRC_URI if it's not there
+#      https://dev.gentoo.org/~<dev nick>/dist/intel-microcode/intel-microcode-collection-${COLLECTION_SNAPSHOT}.tar.xz
+#
+# PV:
+# * the first date is upstream
+# * the second date is snapshot (use last commit date in repo) from intel-microcode-collection
+
+COLLECTION_SNAPSHOT="${PV##*_p}"
+INTEL_SNAPSHOT="${PV/_p*}"
+#NUM="28087"
+
+#https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=${NUM}
+#https://downloadmirror.intel.com/${NUM}/eng/microcode-${INTEL_SNAPSHOT}.tgz
+
+DESCRIPTION="Intel IA32/IA64 microcode update data"
+HOMEPAGE="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files https://github.com/platomav/CPUMicrocodes http://inertiawar.com/microcode/"
+SRC_URI="
+	https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-${INTEL_SNAPSHOT}.tar.gz
+	https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/437f382b1be4412b9d03e2bbdcda46d83d581242/intel-ucode/06-4e-03 -> intel-ucode-sig_0x406e3-rev_0xd6.bin
+	https://dev.gentoo.org/~mpagano/dist/intel-microcode/intel-microcode-collection-${COLLECTION_SNAPSHOT}.tar.xz
+	https://dev.gentoo.org/~sam/distfiles/${CATEGORY}/${PN}/intel-microcode-collection-${COLLECTION_SNAPSHOT}.tar.xz
+"
+S="${WORKDIR}"
+
+LICENSE="intel-ucode"
+SLOT="0"
+KEYWORDS="-* ~amd64 ~x86"
+IUSE="dist-kernel hostonly +initramfs +split-ucode vanilla"
+REQUIRED_USE="
+	|| ( initramfs split-ucode )
+	dist-kernel? ( split-ucode )
+"
+RESTRICT="binchecks strip"
+
+BDEPEND=">=sys-apps/iucode_tool-2.3"
+# !<sys-apps/microcode-ctl-1.17-r2 due to bug #268586
+RDEPEND="
+	dist-kernel? (
+		virtual/dist-kernel
+		initramfs? (
+			sys-apps/iucode_tool
+		)
+	)
+"
+IDEPEND="
+	hostonly? ( sys-apps/iucode_tool )
+	dist-kernel? (
+		initramfs? ( sys-kernel/installkernel )
+	)
+"
+
+# Blacklist bad microcode here.
+# 0x000406f1 aka 06-4f-01 aka CPUID 406F1 require newer microcode loader
+MICROCODE_BLACKLIST_DEFAULT="-s !0x000406f1"
+
+# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
+MICROCODE_BLACKLIST_DEFAULT+=" -s !0x000406e3,0xc0,eq:0x00dc"
+
+# https://bugs.gentoo.org/722768
+MICROCODE_BLACKLIST_DEFAULT+=" -s !0x000406e3,0xc0,eq:0x00da"
+
+# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/commit/49bb67f32a2e3e631ba1a9a73da1c52e1cac7fd9
+MICROCODE_BLACKLIST_DEFAULT+=" -s !0x000806c1,0x80,eq:0x0068"
+
+# In case we want to set some defaults ...
+MICROCODE_SIGNATURES_DEFAULT=""
+
+# Advanced users only!
+# Set MIRCOCODE_SIGNATURES to merge with:
+# only current CPU: MICROCODE_SIGNATURES="-S"
+# only specific CPU: MICROCODE_SIGNATURES="-s 0x00000f4a -s 0x00010676"
+# exclude specific CPU: MICROCODE_SIGNATURES="-s !0x00000686"
+
+pkg_pretend() {
+	if use initramfs; then
+		if use dist-kernel; then
+			# Check, but don't die because we can fix the problem and then
+			# emerge --config ... to re-run installation.
+			[[ -z ${ROOT} ]] && nonfatal mount-boot_check_status
+		else
+			mount-boot_pkg_pretend
+		fi
+	fi
+}
+
+src_prepare() {
+	default
+
+	if cd Intel-Linux-Processor-Microcode-Data* &>/dev/null; then
+		# new tarball format from GitHub
+		mv * ../ || die "Failed to move Intel-Linux-Processor-Microcode-Data*"
+		cd .. || die
+		rm -r Intel-Linux-Processor-Microcode-Data* || die
+	fi
+
+	mkdir intel-ucode-old || die
+	cp "${DISTDIR}"/intel-ucode-sig_0x406e3-rev_0xd6.bin "${S}"/intel-ucode-old/ || die
+
+	# Prevent "invalid file format" errors from iucode_tool
+	rm -f "${S}"/intel-ucod*/list || die
+
+	# https://gitlab.com/iucode-tool/iucode-tool/-/issues/4
+	rm "${S}"/intel-microcode-collection-${COLLECTION_SNAPSHOT}/cpu106C0_plat01_ver00000007_2007-08-24_PRD_923CDFA3.bin || die
+
+	# Remove non-microcode file from list
+	rm -f "${S}"/intel-microcode-collection-${COLLECTION_SNAPSHOT}/LICENSE || die
+	rm -f "${S}"/intel-ucode*/LICENSE || die
+}
+
+src_install() {
+	# This will take ALL of the upstream microcode sources:
+	# - microcode.dat
+	# - intel-ucode/
+	# In some cases, they have not contained the same content (eg the directory has newer stuff).
+	MICROCODE_SRC=(
+		"${S}"/intel-ucode/
+		"${S}"/intel-ucode-with-caveats/
+		"${S}"/intel-ucode-old/
+	)
+
+	# Allow users who are scared about microcode updates not included in Intel's official
+	# microcode tarball to opt-out and comply with Intel marketing
+	if ! use vanilla; then
+		MICROCODE_SRC+=( "${S}"/intel-microcode-collection-${COLLECTION_SNAPSHOT} )
+	fi
+
+	# These will carry into pkg_preinst via env saving.
+	: ${MICROCODE_BLACKLIST=${MICROCODE_BLACKLIST_DEFAULT}}
+	: ${MICROCODE_SIGNATURES=${MICROCODE_SIGNATUES_DEFAULT}}
+
+	opts=(
+		${MICROCODE_BLACKLIST}
+		${MICROCODE_SIGNATURES}
+		# be strict about what we are doing
+		--overwrite
+		--strict-checks
+		--no-ignore-broken
+		# we want to install latest version
+		--no-downgrade
+		# show everything we find
+		--list-all
+		# show what we selected
+		--list
+	)
+
+	# Instruct Dracut on whether or not we want the microcode in initramfs
+	# Use here 15 instead of 10, intel-microcode overwrites linux-firmware
+	(
+		insinto /usr/lib/dracut/dracut.conf.d
+		newins - 15-${PN}.conf <<<"early_microcode=$(usex initramfs)"
+	)
+	if use initramfs; then
+		# Install installkernel/kernel-install hooks for non-dracut initramfs
+		# generators that don't bundled the microcode
+		(
+			exeinto /usr/lib/kernel/preinst.d
+			doexe "${FILESDIR}/35-intel-microcode.install"
+			exeinto /usr/lib/kernel/install.d
+			doexe "${FILESDIR}/35-intel-microcode-systemd.install"
+		)
+	fi
+
+	# The earlyfw cpio needs to be in /boot because it must be loaded before
+	# rootfs is mounted.
+	if ! use dist-kernel && use initramfs; then
+		dodir /boot && opts+=( --write-earlyfw="${ED}/boot/intel-uc.img" )
+	fi
+
+	keepdir /lib/firmware/intel-ucode
+	opts+=( --write-firmware="${ED}/lib/firmware/intel-ucode" )
+
+	iucode_tool \
+		"${opts[@]}" \
+		"${MICROCODE_SRC[@]}" \
+		|| die "iucode_tool ${opts[@]} ${MICROCODE_SRC[@]}"
+
+	dodoc releasenote.md
+}
+
+pkg_preinst() {
+	if [[ ${MICROCODE_BLACKLIST} != ${MICROCODE_BLACKLIST_DEFAULT} ]]; then
+		ewarn "MICROCODE_BLACKLIST is set to \"${MICROCODE_BLACKLIST}\" instead of default \"${MICROCODE_BLACKLIST_DEFAULT}\". You are on your own!"
+	fi
+
+	if [[ ${MICROCODE_SIGNATURES} != ${MICROCODE_SIGNATURES_DEFAULT} ]]; then
+		ewarn "Package was created using advanced options:"
+		ewarn "MICROCODE_SIGNATURES is set to \"${MICROCODE_SIGNATURES}\" instead of default \"${MICROCODE_SIGNATURES_DEFAULT}\"!"
+	fi
+
+	# Make sure /boot is available if needed.
+	use initramfs && ! use dist-kernel && mount-boot_pkg_preinst
+
+	local _initramfs_file="${ED}/boot/intel-uc.img"
+
+	if use hostonly; then
+		# While this output looks redundant we do this check to detect
+		# rare cases where iucode_tool was unable to detect system's processor(s).
+		local _detected_processors=$(iucode_tool --scan-system 2>&1)
+		if [[ -z "${_detected_processors}" ]]; then
+			ewarn "Looks like iucode_tool was unable to detect any processor!"
+		else
+			einfo "Only installing ucode(s) for ${_detected_processors#iucode_tool: system has } due to USE=hostonly ..."
+		fi
+
+		opts=(
+			--scan-system
+			# be strict about what we are doing
+			--overwrite
+			--strict-checks
+			--no-ignore-broken
+			# we want to install latest version
+			--no-downgrade
+			# show everything we find
+			--list-all
+			# show what we selected
+			--list
+		)
+
+		# The earlyfw cpio needs to be in /boot because it must be loaded before
+		# rootfs is mounted.
+		if ! use dist-kernel && use initramfs; then
+			opts+=( --write-earlyfw=${_initramfs_file} )
+		fi
+
+		if use split-ucode; then
+			opts+=( --write-firmware="${ED}/lib/firmware/intel-ucode" )
+		fi
+
+		opts+=( "${ED}/lib/firmware/intel-ucode-temp" )
+
+		mv "${ED}"/lib/firmware/intel-ucode{,-temp} || die
+		keepdir /lib/firmware/intel-ucode
+
+		iucode_tool "${opts[@]}" || die "iucode_tool ${opts[@]}"
+
+		rm -r "${ED}"/lib/firmware/intel-ucode-temp || die
+
+	elif ! use split-ucode; then # hostonly disabled
+		rm -r "${ED}"/lib/firmware/intel-ucode || die
+	fi
+
+	# Because it is possible that this package will install not one single file
+	# due to user selection which is still somehow unexpected we add the following
+	# check to inform user so that the user has at least a chance to detect
+	# a problem/invalid select.
+	local _has_installed_something=
+	if use initramfs && [[ -s "${_initramfs_file}" ]]; then
+		_has_installed_something="yes"
+	elif use split-ucode; then
+		_has_installed_something=$(find "${ED}/lib/firmware/intel-ucode" -maxdepth 0 -not -empty -exec echo yes \;)
+	fi
+
+	if use hostonly && [[ -n "${_has_installed_something}" ]]; then
+		elog "You only installed ucode(s) for all currently available (=online)"
+		elog "processor(s). Remember to re-emerge this package whenever you"
+		elog "change the system's processor model."
+		elog ""
+	elif [[ -z "${_has_installed_something}" ]]; then
+		ewarn "WARNING:"
+		if [[ ${MICROCODE_SIGNATURES} != ${MICROCODE_SIGNATURES_DEFAULT} ]]; then
+			ewarn "No ucode was installed! Because you have created this package"
+			ewarn "using MICROCODE_SIGNATURES variable please double check if you"
+			ewarn "have an invalid select."
+			ewarn "It's rare but it is also possible that just no ucode update"
+			ewarn "is available for your processor(s). In this case it is safe"
+			ewarn "to ignore this warning."
+		else
+			ewarn "No ucode was installed! It's rare but it is also possible"
+			ewarn "that just no ucode update is available for your processor(s)."
+			ewarn "In this case it is safe to ignore this warning."
+		fi
+
+		ewarn ""
+
+		if use hostonly; then
+			ewarn "Unset \"hostonly\" USE flag to install all available ucodes."
+			ewarn ""
+		fi
+	fi
+}
+
+pkg_prerm() {
+	# Make sure /boot is mounted so that we can remove /boot/intel-uc.img!
+	use initramfs && ! use dist-kernel && mount-boot_pkg_prerm
+}
+
+pkg_postrm() {
+	# Don't forget to umount /boot if it was previously mounted by us.
+	use initramfs && ! use dist-kernel && mount-boot_pkg_postrm
+}
+
+pkg_postinst() {
+	if use initramfs; then
+		if use dist-kernel; then
+			[[ -z ${ROOT} ]] && dist-kernel_reinstall_initramfs "${KV_DIR}" "${KV_FULL}"
+		else
+			# Don't forget to umount /boot if it was previously mounted by us.
+			mount-boot_pkg_postinst
+		fi
+	fi
+
+	# We cannot give detailed information if user is affected or not:
+	# If MICROCODE_BLACKLIST wasn't modified, user can still use MICROCODE_SIGNATURES
+	# to to force a specific, otherwise blacklisted, microcode. So we
+	# only show a generic warning based on running kernel version:
+	if kernel_is -lt 4 14 34; then
+		ewarn "${P} contains microcode updates which require"
+		ewarn "additional kernel patches which aren't yet included in kernel <4.14.34."
+		ewarn "Loading such a microcode through kernel interface from an unpatched kernel"
+		ewarn "can crash your system!"
+		ewarn ""
+		ewarn "Those microcodes are blacklisted per default. However, if you have altered"
+		ewarn "MICROCODE_BLACKLIST or MICROCODE_SIGNATURES, you maybe have unintentionally"
+		ewarn "re-enabled those microcodes...!"
+		ewarn ""
+		ewarn "Check \"${EROOT}/usr/share/doc/${PN}-*/releasenot*\" if your microcode update"
+		ewarn "requires additional kernel patches or not."
+	fi
+}