sys-firmware/intel-microcode: Sync with Gentoo

It's from Gentoo commit c0221699cb3e36b5bd56031703940274ed2e28a0.

sdk_container/src/third_party/portage-stable/sys-firmware/intel-microcode/Manifest

@@ -4,6 +4,7 @@ DIST intel-microcode-collection-20220421.tar.xz 9442704 BLAKE2B 9c0d682d4ae07c6c
 DIST intel-microcode-collection-20220508.tar.xz 9444060 BLAKE2B 1737143f5227d95590f325f7205c04816d7791bebb27573dc30774fe5f40f74c1e0506d41774474a8b2495b0dc210528fac1362545d670a085c5c502aa903b24 SHA512 b9d7f2d5db0f625a219959f52822c8d6fba2e0bc682257a204c9b33cd19ed2101f5f661e7f2e2b98a8ad8d105fcb3309699d193469ee4d67d99ae188dc7034d9
 DIST intel-microcode-collection-20220809.tar.xz 9863700 BLAKE2B 266deba0890cc68de72dab28cb76b9aedd81258c2da1c1c00a19f927c73e9856c9dc6a18c08a768d1df2d5c5c3b21aab13446cdb4f84e13078ff2124859cdb00 SHA512 4c35e26d5887e9182dce5cf4cce46d4cfe8cab926e833396a645561adab775b8a5eac9a27f50a4c83887c50e56384917680a596eb02d50f1a14a56e8c163f4c2
 DIST intel-microcode-collection-20221102.tar.xz 11125112 BLAKE2B 6054a3278b694ee4b1d1a92ad586ce37cbbfbead1fc7100541f7b71fb0b9e0eb9fd9560a459f8ba861eb95595a89b79e8dbb8ef2e70ef6513245e206fecd3667 SHA512 76426f6f491a17302bc312cfd1d58849d42ffa8d454c05ab086f493de20cd24d328a7b05689493e1fa70c025097c61fd09fd765bc02485ba6efe81d0fac014cd
+DIST intel-microcode-collection-20230212.tar.xz 13213352 BLAKE2B b2548908632cc65e997186e7af60a35ba4a44edb88263f5018c1cc9619299816c6184352653076413b95fb914f799b765e4fa6a5c46513d1425bde353e4dcde2 SHA512 27f2aacbf409acb005f83f0f486b59128ebac4c8d6b1b329cff7e33b237a8d47e579c6afb064d7a9ff634ad652ae0c2b9bc9302e6269007e12bd4aa391075430
 DIST intel-ucode-sig_0x406e3-rev_0xd6.bin 101376 BLAKE2B 66d55867954d69dda1425febd93bb8c89f7aa836d504f8b5fee127f8505bcf2246f4fcc55cc245bc5e532528d60cca2eee278de7ab5174dc2862db7982a2b36f SHA512 248066b521bf512b5d8e4a8c7e921464ce52169c954d6e4ca580d8c172cd789519e22b4cf56c212e452b4191741f0202019f7061d322c9433b5af9ce5413b567
 DIST microcode-20210608.tar.gz 4782451 BLAKE2B 2eac43aaa7832365e428bf2de20797ef42293a53087545920d205bd3b11a3d8ca2afb33931af5d36b8f3a224b9c22ed89ff828acc8afdcfa1b8220884c55ae89 SHA512 61acd2e76aa019fa0002fbf56c503791080a937ff93d81e020f8f0cc089dc08928b4c7e9884f713b886e2f9d4a8409fea59e39f628ef534a588515e1c3fc861d
 DIST microcode-20220207.tar.gz 4590237 BLAKE2B 8c47a330794615b6684084976b6bb9e8800cd2869f81ecc33b28b54441b220a645502c0ade0cbd58e91879a652ff6bca181800004de477fc74033413ea4b1c8f SHA512 efa9f80815947cf2be371e7da7185634cbacefe779d1d6dfef0c15b78ccae7d2740ea6681b967a19dfbcc3014edce5bcdcdba87c9dea1f19d0415a03fca9e936
@@ -11,3 +12,4 @@ DIST microcode-20220419.tar.gz 4590171 BLAKE2B 69d296efad5329324a47640eace5d1a10
 DIST microcode-20220510.tar.gz 5912115 BLAKE2B 5f8c238b00970ddda132dbcf9059df759bb768e1eb2fe0b9912ffe69cf9a6104b32ea816e7574660ea74e3d08af1aa45cc46b5f38d0b315e6e466d8ca466f37d SHA512 00329ce62a6d9cc66fb8594d132ef67951086ab1250ceaf908d5a357753ed62557275f55c5eb7b3ad55d1fdd312b5d1a436b214cdcbf6e3e1a840c8bf6f4795d
 DIST microcode-20220809.tar.gz 5929894 BLAKE2B 3765995c88b67aff78fe8c4280b3293c60a2013f2b8c9ec155a2ef187af55a7e562c73a000e45828cf5309e2c1b644dac5849347130b1a98c831bdad117df437 SHA512 1c91df1cbba33953f4ad19cc53215cad843c61a08509596fad32a84b4f0012d9d29bce64b58eb405c345af7f646d5982e45227570ce3605780be6e8bf31a63e1
 DIST microcode-20221108.tar.gz 6436305 BLAKE2B e149e001656f45e8da9a83817a6f83fc6663edbfc8a98b27ab4f9d326f0999921aea03f1ea3628d35978ad5534e017f2d394d1d00d0c992aee54a539a582abf2 SHA512 d86bee1269d31d3028f0d2b7d4886795b96d8f1f9d5dbd5149c2dd4cec3b0319fd869f8138f283e2135ecb0bb6387cfd3c2ef1f597b4194a250ac4f2df7f15a4
+DIST microcode-20230214.tar.gz 12088391 BLAKE2B d98d054a8cfd66e3d0549d1e8f4a4745cad342d45f36a82d2f2f51fedc29635125fdad95ee4970069e134facc1ab3092b97837c6f8744ffedf220a5d3d022dd5 SHA512 6456cd6719923eeacb1f9d6d7372efd2bcd0de9e04350c722543ff41e45c7715ba52a2d330ad5818fbf44ea9df6b2ac482d6f8bd420b191427881dcfe3bd81e2

sdk_container/src/third_party/portage-stable/sys-firmware/intel-microcode/intel-microcode-20230214_p20230212.ebuild

@@ -0,0 +1,281 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit linux-info mount-boot
+
+# Find updates by searching and clicking the first link (hopefully it's the one):
+# https://www.intel.com/content/www/us/en/search.html?keyword=Processor+Microcode+Data+File
+
+COLLECTION_SNAPSHOT="${PV##*_p}"
+INTEL_SNAPSHOT="${PV/_p*}"
+#NUM="28087"
+#https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=${NUM}
+#https://downloadmirror.intel.com/${NUM}/eng/microcode-${INTEL_SNAPSHOT}.tgz
+DESCRIPTION="Intel IA32/IA64 microcode update data"
+HOMEPAGE="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files http://inertiawar.com/microcode/"
+SRC_URI="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/archive/microcode-${INTEL_SNAPSHOT}.tar.gz
+	https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/raw/437f382b1be4412b9d03e2bbdcda46d83d581242/intel-ucode/06-4e-03 -> intel-ucode-sig_0x406e3-rev_0xd6.bin
+	https://dev.gentoo.org/~mpagano/dist/intel-microcode/intel-microcode-collection-${COLLECTION_SNAPSHOT}.tar.xz
+	https://dev.gentoo.org/~sam/distfiles/${CATEGORY}/${PN}/intel-microcode-collection-${COLLECTION_SNAPSHOT}.tar.xz"
+
+LICENSE="intel-ucode"
+SLOT="0"
+KEYWORDS="-* ~amd64 ~x86"
+IUSE="hostonly initramfs +split-ucode vanilla"
+REQUIRED_USE="|| ( initramfs split-ucode )"
+
+BDEPEND=">=sys-apps/iucode_tool-2.3"
+
+# !<sys-apps/microcode-ctl-1.17-r2 due to bug #268586
+RDEPEND="hostonly? ( sys-apps/iucode_tool )"
+
+RESTRICT="binchecks strip"
+
+S=${WORKDIR}
+
+# Blacklist bad microcode here.
+# 0x000406f1 aka 06-4f-01 aka CPUID 406F1 require newer microcode loader
+MICROCODE_BLACKLIST_DEFAULT="-s !0x000406f1"
+
+# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/31
+MICROCODE_BLACKLIST_DEFAULT+=" -s !0x000406e3,0xc0,eq:0x00dc"
+
+# https://bugs.gentoo.org/722768
+MICROCODE_BLACKLIST_DEFAULT+=" -s !0x000406e3,0xc0,eq:0x00da"
+
+# https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/commit/49bb67f32a2e3e631ba1a9a73da1c52e1cac7fd9
+MICROCODE_BLACKLIST_DEFAULT+=" -s !0x000806c1,0x80,eq:0x0068"
+
+# In case we want to set some defaults ...
+MICROCODE_SIGNATURES_DEFAULT=""
+
+# Advanced users only!
+# Set MIRCOCODE_SIGNATURES to merge with:
+# only current CPU: MICROCODE_SIGNATURES="-S"
+# only specific CPU: MICROCODE_SIGNATURES="-s 0x00000f4a -s 0x00010676"
+# exclude specific CPU: MICROCODE_SIGNATURES="-s !0x00000686"
+
+# Package Maintenance instructions :
+# 1. The ebuild is in the form of intel-microcode-<INTEL_SNAPSHOT>_p<COLLECTION_SNAPSHOT>.ebuild
+# 2. The INTEL_SNAPSHOT upstream is located at: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
+# 3. The COLLECTION_SNAPSHOT is created manually using the following steps:
+#   a. Clone the repository https://github.com/platomav/CPUMicrocodes
+#   b. Rename the Intel directory to intel-microcode-collection-<YYYYMMDD>
+#   c. From the CPUMicrocodes directory tar and xz compress the contents of intel-microcode-collection-<YYYYMMDD>:
+#      tar -cJf intel-microcode-collection-<YYYYMMDD>.tar.xz intel-microcode-collection-<YYYYMMDD>/
+#   d. This file can go in your devspace, add the URL to SRC_URI if it's not there
+#      https://dev.gentoo.org/~<dev nick>/dist/intel-microcode/intel-microcode-collection-${COLLECTION_SNAPSHOT}.tar.xz
+
+pkg_pretend() {
+	use initramfs && mount-boot_pkg_pretend
+}
+
+src_prepare() {
+	default
+
+	if cd Intel-Linux-Processor-Microcode-Data* &>/dev/null; then
+		# new tarball format from GitHub
+		mv * ../ || die "Failed to move Intel-Linux-Processor-Microcode-Data*"
+		cd .. || die
+		rm -r Intel-Linux-Processor-Microcode-Data* || die
+	fi
+
+	mkdir intel-ucode-old || die
+	cp "${DISTDIR}"/intel-ucode-sig_0x406e3-rev_0xd6.bin "${S}"/intel-ucode-old/ || die
+
+	# Prevent "invalid file format" errors from iucode_tool
+	rm -f "${S}"/intel-ucod*/list || die
+
+	# https://gitlab.com/iucode-tool/iucode-tool/-/issues/4
+	rm "${S}"/intel-microcode-collection-${COLLECTION_SNAPSHOT}/cpu106C0_plat01_ver00000007_2007-08-24_PRD_923CDFA3.bin || die
+
+	# Remove non-microcode file from list
+	rm -f "${S}"/intel-microcode-collection-${COLLECTION_SNAPSHOT}/LICENSE || die
+	rm -f "${S}"/intel-ucode*/LICENSE || die
+}
+
+src_install() {
+	# This will take ALL of the upstream microcode sources:
+	# - microcode.dat
+	# - intel-ucode/
+	# In some cases, they have not contained the same content (eg the directory has newer stuff).
+	MICROCODE_SRC=(
+		"${S}"/intel-ucode/
+		"${S}"/intel-ucode-with-caveats/
+		"${S}"/intel-ucode-old/
+	)
+
+	# Allow users who are scared about microcode updates not included in Intel's official
+	# microcode tarball to opt-out and comply with Intel marketing
+	if ! use vanilla; then
+		MICROCODE_SRC+=( "${S}"/intel-microcode-collection-${COLLECTION_SNAPSHOT} )
+	fi
+
+	# These will carry into pkg_preinst via env saving.
+	: ${MICROCODE_BLACKLIST=${MICROCODE_BLACKLIST_DEFAULT}}
+	: ${MICROCODE_SIGNATURES=${MICROCODE_SIGNATUES_DEFAULT}}
+
+	opts=(
+		${MICROCODE_BLACKLIST}
+		${MICROCODE_SIGNATURES}
+		# be strict about what we are doing
+		--overwrite
+		--strict-checks
+		--no-ignore-broken
+		# we want to install latest version
+		--no-downgrade
+		# show everything we find
+		--list-all
+		# show what we selected
+		--list
+	)
+
+	# The earlyfw cpio needs to be in /boot because it must be loaded before
+	# rootfs is mounted.
+	use initramfs && dodir /boot && opts+=( --write-earlyfw="${ED}/boot/intel-uc.img" )
+
+	keepdir /lib/firmware/intel-ucode
+	opts+=( --write-firmware="${ED}/lib/firmware/intel-ucode" )
+
+	iucode_tool \
+		"${opts[@]}" \
+		"${MICROCODE_SRC[@]}" \
+		|| die "iucode_tool ${opts[@]} ${MICROCODE_SRC[@]}"
+
+	dodoc releasenote.md
+}
+
+pkg_preinst() {
+	if [[ ${MICROCODE_BLACKLIST} != ${MICROCODE_BLACKLIST_DEFAULT} ]]; then
+		ewarn "MICROCODE_BLACKLIST is set to \"${MICROCODE_BLACKLIST}\" instead of default \"${MICROCODE_BLACKLIST_DEFAULT}\". You are on your own!"
+	fi
+
+	if [[ ${MICROCODE_SIGNATURES} != ${MICROCODE_SIGNATURES_DEFAULT} ]]; then
+		ewarn "Package was created using advanced options:"
+		ewarn "MICROCODE_SIGNATURES is set to \"${MICROCODE_SIGNATURES}\" instead of default \"${MICROCODE_SIGNATURES_DEFAULT}\"!"
+	fi
+
+	# Make sure /boot is available if needed.
+	use initramfs && mount-boot_pkg_preinst
+
+	local _initramfs_file="${ED}/boot/intel-uc.img"
+
+	if use hostonly; then
+		# While this output looks redundant we do this check to detect
+		# rare cases where iucode_tool was unable to detect system's processor(s).
+		local _detected_processors=$(iucode_tool --scan-system 2>&1)
+		if [[ -z "${_detected_processors}" ]]; then
+			ewarn "Looks like iucode_tool was unable to detect any processor!"
+		else
+			einfo "Only installing ucode(s) for ${_detected_processors#iucode_tool: system has } due to USE=hostonly ..."
+		fi
+
+		opts=(
+			--scan-system
+			# be strict about what we are doing
+			--overwrite
+			--strict-checks
+			--no-ignore-broken
+			# we want to install latest version
+			--no-downgrade
+			# show everything we find
+			--list-all
+			# show what we selected
+			--list
+		)
+
+		# The earlyfw cpio needs to be in /boot because it must be loaded before
+		# rootfs is mounted.
+		use initramfs && opts+=( --write-earlyfw=${_initramfs_file} )
+
+		if use split-ucode; then
+			opts+=( --write-firmware="${ED}/lib/firmware/intel-ucode" )
+		fi
+
+		opts+=( "${ED}/lib/firmware/intel-ucode-temp" )
+
+		mv "${ED}"/lib/firmware/intel-ucode{,-temp} || die
+		keepdir /lib/firmware/intel-ucode
+
+		iucode_tool "${opts[@]}" || die "iucode_tool ${opts[@]}"
+
+		rm -r "${ED}"/lib/firmware/intel-ucode-temp || die
+
+	elif ! use split-ucode; then # hostonly disabled
+		rm -r "${ED}"/lib/firmware/intel-ucode || die
+	fi
+
+	# Because it is possible that this package will install not one single file
+	# due to user selection which is still somehow unexpected we add the following
+	# check to inform user so that the user has at least a chance to detect
+	# a problem/invalid select.
+	local _has_installed_something=
+	if use initramfs && [[ -s "${_initramfs_file}" ]]; then
+		_has_installed_something="yes"
+	elif use split-ucode; then
+		_has_installed_something=$(find "${ED}/lib/firmware/intel-ucode" -maxdepth 0 -not -empty -exec echo yes \;)
+	fi
+
+	if use hostonly && [[ -n "${_has_installed_something}" ]]; then
+		elog "You only installed ucode(s) for all currently available (=online)"
+		elog "processor(s). Remember to re-emerge this package whenever you"
+		elog "change the system's processor model."
+		elog ""
+	elif [[ -z "${_has_installed_something}" ]]; then
+		ewarn "WARNING:"
+		if [[ ${MICROCODE_SIGNATURES} != ${MICROCODE_SIGNATURES_DEFAULT} ]]; then
+			ewarn "No ucode was installed! Because you have created this package"
+			ewarn "using MICROCODE_SIGNATURES variable please double check if you"
+			ewarn "have an invalid select."
+			ewarn "It's rare but it is also possible that just no ucode update"
+			ewarn "is available for your processor(s). In this case it is safe"
+			ewarn "to ignore this warning."
+		else
+			ewarn "No ucode was installed! It's rare but it is also possible"
+			ewarn "that just no ucode update is available for your processor(s)."
+			ewarn "In this case it is safe to ignore this warning."
+		fi
+
+		ewarn ""
+
+		if use hostonly; then
+			ewarn "Unset \"hostonly\" USE flag to install all available ucodes."
+			ewarn ""
+		fi
+	fi
+}
+
+pkg_prerm() {
+	# Make sure /boot is mounted so that we can remove /boot/intel-uc.img!
+	use initramfs && mount-boot_pkg_prerm
+}
+
+pkg_postrm() {
+	# Don't forget to umount /boot if it was previously mounted by us.
+	use initramfs && mount-boot_pkg_postrm
+}
+
+pkg_postinst() {
+	# Don't forget to umount /boot if it was previously mounted by us.
+	use initramfs && mount-boot_pkg_postinst
+
+	# We cannot give detailed information if user is affected or not:
+	# If MICROCODE_BLACKLIST wasn't modified, user can still use MICROCODE_SIGNATURES
+	# to to force a specific, otherwise blacklisted, microcode. So we
+	# only show a generic warning based on running kernel version:
+	if kernel_is -lt 4 14 34; then
+		ewarn "${P} contains microcode updates which require"
+		ewarn "additional kernel patches which aren't yet included in kernel <4.14.34."
+		ewarn "Loading such a microcode through kernel interface from an unpatched kernel"
+		ewarn "can crash your system!"
+		ewarn ""
+		ewarn "Those microcodes are blacklisted per default. However, if you have altered"
+		ewarn "MICROCODE_BLACKLIST or MICROCODE_SIGNATURES, you maybe have unintentionally"
+		ewarn "re-enabled those microcodes...!"
+		ewarn ""
+		ewarn "Check \"${EROOT}/usr/share/doc/${PN}-*/releasenot*\" if your microcode update"
+		ewarn "requires additional kernel patches or not."
+	fi
+}

sdk_container/src/third_party/portage-stable/sys-firmware/intel-microcode/metadata.xml

@@ -6,10 +6,10 @@
 		<name>Gentoo Base System</name>
 	</maintainer>
 	<use>
-		<flag name="initramfs">install a small initramfs for use with CONFIG_MICROCODE_EARLY</flag>
-		<flag name="hostonly">only install ucode(s) supported by currently available (=online) processor(s)</flag>
-		<flag name="split-ucode">install the split binary ucode files (used by the kernel directly)</flag>
-		<flag name="vanilla">install only microcode updates from Intel's official microcode tarball</flag>
+		<flag name="initramfs">Install a small initramfs for use with CONFIG_MICROCODE_EARLY</flag>
+		<flag name="hostonly">Only install ucode(s) supported by currently available (=online) processor(s)</flag>
+		<flag name="split-ucode">Install the split binary ucode files (used by the kernel directly)</flag>
+		<flag name="vanilla">Only install microcode updates from Intel's official microcode tarball</flag>
 	</use>
 	<upstream>
 		<remote-id type="github">intel/Intel-Linux-Processor-Microcode-Data-Files</remote-id>