From c0baf9bed41c77d8129e6ecd91a44c6e88a7a10f Mon Sep 17 00:00:00 2001
From: Kai Lueke <kailuke@microsoft.com>
Date: Mon, 20 Oct 2025 14:24:23 +0900
Subject: [PATCH] sys-firmware/intel-microcode: Use kernel built-in microcode

The Intel microcode wasn't applied anymore after it was reworked to be
in the initrd instead of being built-in as part of the kernel image.
This was due to how the kernel build system can't handle combined
initrds and skip the early cpio when compressing. The AMD microcode was
still built-in as part of the kernel image.
Let the kernel build system pick up the Intel microcode by installing it
to the firmware directory. Disable the inclusion of microcode in the
initrd. Also, we can drop the preservation of the early cpio when
generating the minimal initrd.

Signed-off-by: Kai Lueke <kailuke@microsoft.com>
---
 .../bugfixes/2025-10-20-microcode-updates.md     |  1 +
 .../profiles/coreos/base/package.use             |  5 +----
 .../coreos-kernel/coreos-kernel-6.12.51.ebuild   | 16 +++-------------
 3 files changed, 5 insertions(+), 17 deletions(-)
 create mode 100644 changelog/bugfixes/2025-10-20-microcode-updates.md

diff --git a/changelog/bugfixes/2025-10-20-microcode-updates.md b/changelog/bugfixes/2025-10-20-microcode-updates.md
new file mode 100644
index 0000000000..4d0b8cafc5
--- /dev/null
+++ b/changelog/bugfixes/2025-10-20-microcode-updates.md
@@ -0,0 +1 @@
+- Fixed Intel microcode updates which were broken in recent Alpha and Beta releases by switching back to built-in extra firmware instead of early cpio inclusion ([Flatcar#1909](https://github.com/flatcar/Flatcar/issues/1909))
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
index 8e35aecd7a..037ffd9faf 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use
@@ -157,13 +157,10 @@ sys-libs/libsemanage -python
 sys-fs/zfs minimal -rootfs
 
 # Do not tinker with /boot partition at installation time.
+sys-firmware/intel-microcode -initramfs
 sys-fs/zfs-kmod -initramfs
 sys-kernel/coreos-firmware -initramfs
 
-# Only needed for direct loading by the kernel, which is dangerous, and we
-# include all the microcode in the initrd anyway.
-sys-firmware/intel-microcode -split-ucode
-
 # For sys-auth/sssd
 net-dns/bind       gssapi
 net-dns/bind-tools gssapi
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.51.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.51.ebuild
index 8e50a61a5e..77094b324d 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.51.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-6.12.51.ebuild
@@ -96,20 +96,9 @@ src_compile() {
 	lsinitrd --kver SILENCEERROR --unpack "${S}"/build/bootengine.cpio || die
 	mksquashfs . "${S}"/build/bootengine.img -noappend -xattrs-exclude ^btrfs. || die
 	popd || die
+	# No early cpio, drop full initrd
+	> "${S}"/build/bootengine.cpio
 	# Create minimal initrd
-	if use amd64; then
-		mkdir "${S}"/build/early-cpio || die
-		pushd "${S}"/build/early-cpio || die
-		lsinitrd --kver SILENCEERROR --unpackearly "${S}"/build/bootengine.cpio || die
-		# Recreate to only contain the early cpio for microcode
-		find . -print0 | cpio --null --create --verbose --format=newc > "${S}"/build/bootengine.cpio || die
-		# Debug: List contents after recreation
-		cpio -t < "${S}"/build/bootengine.cpio
-		popd || die
-	else
-		# No early cpio, drop full initrd
-		> "${S}"/build/bootengine.cpio
-	fi
 	mkdir "${S}"/build/minimal || die
 	pushd "${S}"/build/minimal || die
 	mkdir -p {etc,dev,proc,sys,dev,usr/bin,usr/lib64,realinit,sysusr/usr} || die
@@ -141,6 +130,7 @@ src_compile() {
 	mknod ./dev/random c 1 8 || die
 	mknod ./dev/zero c 1 5 || die
 	# No compression because CONFIG_INITRAMFS_COMPRESSION_XZ should take care of it
+	# (Note: The kernel build system does not support prepending an uncompressed microcode early cpio here)
 	find . -print0 | cpio --null --create --verbose --format=newc >> "${S}"/build/bootengine.cpio || die
 	popd || die
 	kmake "$(kernel_target)"