From 6670c6e2568d76fbae69dc1d18aa0f46a31fded8 Mon Sep 17 00:00:00 2001 From: Andrew Jeddeloh Date: Tue, 16 Jan 2018 16:17:53 -0800 Subject: [PATCH 1/6] sys-kernel/coreos-firmware: include amd microcode coreos-firmware currently ignores everything not needed by a module. Update it to not ignore files in the amd-ucode directory. --- .../coreos-firmware/coreos-firmware-99999999.ebuild | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild index 87241401f2..644854c2a5 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild @@ -104,6 +104,10 @@ src_prepare() { die "Missing firmware" fi + # AMD's microcode is shipped as part of coreos-firmware, but not a dependency to + # any module, so add it manually + use amd64 && find amd-ucode/ -type f -not -name "*.asc" >> "${T}/firmware-scan" + einfo "Pruning all unneeded firmware files..." sort -u "${T}/firmware-scan" > "${T}/firmware" find * -not -type d \ From 324a9526ea0e385c18dde087ffb236ff6cc52b48 Mon Sep 17 00:00:00 2001 From: Andrew Jeddeloh Date: Tue, 16 Jan 2018 16:35:18 -0800 Subject: [PATCH 2/6] sys-kernel/coreos-firmware: update to 20180103 --- .../coreos-overlay/sys-kernel/coreos-firmware/Manifest | 2 +- ...firmware-20170622.ebuild => coreos-firmware-20180103.ebuild} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/{coreos-firmware-20170622.ebuild => coreos-firmware-20180103.ebuild} (100%) 
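Review bot: In the `src_prepare()` hunk of coreos-firmware-99999999.ebuild, the added `use amd64 && find amd-ucode/ ... >> "${T}/firmware-scan"` has no failure handling. If `amd-ucode/` is missing or renamed in a later linux-firmware snapshot, `find` fails, the microcode is pruned with the other unneeded files, and the build still succeeds. Since a later patch in this series ships this microcode for Spectre mitigation, the omission should be a hard error: `if use amd64; then find amd-ucode/ -type f -not -name "*.asc" >> "${T}/firmware-scan" || die "amd-ucode missing"; fi`. The `.asc` detached signatures are excluded from the image, but nothing visible here verifies them, so integrity appears to rest on the Manifest hash of the tarball alone; the comment could say so. `src_prepare()` starts and ends outside the hunk.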
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest
index 41eeaa666b..6e3e1ae628 100644
--- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest
@@ -1 +1 @@
-DIST linux-firmware-20170622.tar.gz 104302528 SHA256 03d220c1747ed71b54b53ce04bfb178fe937ba585309b4a0b32eb351d709fcb0 SHA512 946b31666ef79a21e29a757340482dfdb70b43f7818ca47bf5e16fb6a79bb585822af014731b6c6034944dd37269ae948bbc23fc1f104bccfd7b7b405f41bbd5 WHIRLPOOL dedfef88d4ba7fdc9b5e7c07f6a04221d4d34256678e366f3182d4180d0e8de4071ded809d285c89aa0ab68bdf05cd9b9c0139084d9497df4d420e7e91ba48c8
+DIST linux-firmware-20180103.tar.gz 138263360 SHA256 07b46a7ec8fc7337d5e64598b2aa9220c30c6bc03930787dfd15b08326391981 SHA512 ed95205c075b47a2f30d9c96181ca0047de017abb1b5904f7c504a0afb8ea673c179980eb92d5690dd1a5cfb29815f224f384b4dcc472f80ddc90af3b2cbd4ce WHIRLPOOL 7a00ed9795b394f09cd50fdecf3417d585d42513f7210025425cf2234a6f359652a92558a67ec7169a6c47bc4adc67fa1974d710bc4263b8fe103d09998434e9
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-20170622.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-20180103.ebuild
similarity index 100%
rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-20170622.ebuild
rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-20180103.ebuild
From 34672dbe01c3c44b001616ef3103de7a4ae30fd5 Mon Sep 17 00:00:00 2001
From: Andrew Jeddeloh Date: Tue, 16 Jan 2018 17:05:33 -0800 Subject: [PATCH 3/6] sys-kernel/coreos-firmware: include new amd ucode Gentoo is shipping ucode not in linux-firmware for Spectre mitigation. We should do the same. Update the ebuild to include their sources as well. --- .../sys-kernel/coreos-firmware/Manifest | 1 + ...0103.ebuild => coreos-firmware-20180103-r1.ebuild} | 0 .../coreos-firmware/coreos-firmware-99999999.ebuild | 11 +++++++++-- 3 files changed, 10 insertions(+), 2 deletions(-) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/{coreos-firmware-20180103.ebuild => coreos-firmware-20180103-r1.ebuild} (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest index 6e3e1ae628..e7ec1e7bf7 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/Manifest @@ -1 +1,2 @@ DIST linux-firmware-20180103.tar.gz 138263360 SHA256 07b46a7ec8fc7337d5e64598b2aa9220c30c6bc03930787dfd15b08326391981 SHA512 ed95205c075b47a2f30d9c96181ca0047de017abb1b5904f7c504a0afb8ea673c179980eb92d5690dd1a5cfb29815f224f384b4dcc472f80ddc90af3b2cbd4ce WHIRLPOOL 7a00ed9795b394f09cd50fdecf3417d585d42513f7210025425cf2234a6f359652a92558a67ec7169a6c47bc4adc67fa1974d710bc4263b8fe103d09998434e9 +DIST microcode_amd_fam17h.tar.gz 2204 SHA256 a09b9f9a799ed0124fc108783e4955f3dd3aa345a3424d3ac48acae4bf5b9499 SHA512 d3b52797a5968f8da76d39322780e61d04bab5d810b0b07d64e469fcd67998e4191b0e0a9ab7e4c27189941369ef1b2850bbbb1458fd9bbeb958c98f6e378510 WHIRLPOOL 227439fd174347fdc511d898baa366a05afd9246dc6fa52bb13438f9f059f32ada217bb31c47b3947e00141c3b8f2451833a8374e3f8753e26ce311b2114bda4 
diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-20180103.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-20180103-r1.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-20180103.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-20180103-r1.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild index 644854c2a5..3c90c83aeb 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-firmware/coreos-firmware-99999999.ebuild @@ -15,8 +15,11 @@ if [[ ${PV} == 99999999* ]]; then EGIT_REPO_URI="git://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git" KEYWORDS="" else - SRC_URI="mirror://gentoo/linux-firmware-${PV}.tar.gz" - KEYWORDS="amd64 arm64" + GIT_COMMIT="2eefafb2e9dcbafdf4b83d8c43fcd6b75fd4ac78" + SRC_URI="https://git.kernel.org/cgit/linux/kernel/git/firmware/linux-firmware.git/snapshot/linux-firmware-${GIT_COMMIT}.tar.gz -> linux-firmware-${PV}.tar.gz + mirror://gentoo/microcode_amd_fam17h.tar.gz + https://dev.gentoo.org/~whissi/dist/${PN}/microcode_amd_fam17h.tar.gz" + KEYWORDS="~alpha amd64 ~arm arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh ~sparc x86" fi DESCRIPTION="Linux firmware files" @@ -81,6 +84,10 @@ src_unpack() { } src_prepare() { + # Move the amd ucode as well. This can be dropped once gentoo drops it from + # their ebuild. + mv "${WORKDIR}"/microcode_amd_fam17h.bin "${S}"/amd-ucode || die + local kernel_mods="${ROOT}/lib/modules/${KV_FULL}" # Fail if any firmware is missing. 
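Review bot: In the `SRC_URI` hunk of coreos-firmware-99999999.ebuild, `${PN}` in `https://dev.gentoo.org/~whissi/dist/${PN}/microcode_amd_fam17h.tar.gz` expands to this package's own name, `coreos-firmware`. The URL looks carried over from Gentoo's linux-firmware ebuild, so this fallback location may not exist and fetching would then depend on `mirror://gentoo` alone. Spelling the directory out, `https://dev.gentoo.org/~whissi/dist/linux-firmware/microcode_amd_fam17h.tar.gz`, avoids that. The distfile name is unversioned, so the Manifest hashes are the only thing pinning which microcode blob gets built in; a short comment recording where the file came from would help whoever next regenerates the Manifest. The widened `KEYWORDS` line also appears to be copied from Gentoo, while the removed line listed only `amd64 arm64`.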
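Review bot: In the `src_prepare()` hunk, the added `mv "${WORKDIR}"/microcode_amd_fam17h.bin "${S}"/amd-ucode || die` runs unconditionally, but the microcode tarball is in `SRC_URI` only on the release branch of the `if [[ ${PV} == 99999999* ]]` test. A live build of this ebuild would therefore die here. The line also assumes that `src_unpack()`, whose body is outside this hunk, extracts the second archive into `${WORKDIR}`. I would guard it and make the target unambiguous: `[[ ${PV} == 99999999* ]] || mv "${WORKDIR}"/microcode_amd_fam17h.bin "${S}"/amd-ucode/ || die`. The trailing slash makes `mv` fail rather than create a plain file named `amd-ucode` if the directory is ever absent.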
From e2158041dc104d9ffa02440919bf48602c0d6bdf Mon Sep 17 00:00:00 2001 From: Andrew Jeddeloh Date: Tue, 16 Jan 2018 17:22:15 -0800 Subject: [PATCH 4/6] sys-kernel/coreos-kernel: include microcode Include microcode via the CONFIG_EXTRA_FIRMWARE option since prepending a cpio archive to bootengine.cpio doesn't work (needs to be a seperate initrd). --- ...4.14.14.ebuild => coreos-kernel-4.14.14-r1.ebuild} | 11 +++++++++-- ....14.14.ebuild => coreos-modules-4.14.14-r1.ebuild} | 0 2 files changed, 9 insertions(+), 2 deletions(-) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/{coreos-kernel-4.14.14.ebuild => coreos-kernel-4.14.14-r1.ebuild} (84%) rename sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/{coreos-modules-4.14.14.ebuild => coreos-modules-4.14.14-r1.ebuild} (100%) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.14.14.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.14.14-r1.ebuild similarity index 84% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.14.14.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.14.14-r1.ebuild index abc3b4ff57..8e6f61c1ee 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.14.14.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-kernel/coreos-kernel-4.14.14-r1.ebuild @@ -26,10 +26,11 @@ DEPEND="${RDEPEND} sys-fs/e2fsprogs sys-fs/mdadm sys-fs/xfsprogs - >=sys-kernel/coreos-firmware-20160331-r1:= + >=sys-kernel/coreos-firmware-20180103-r1:= >=sys-kernel/bootengine-0.0.4:= sys-kernel/dracut - virtual/udev" + virtual/udev + amd64? ( sys-firmware/intel-microcode )" # We are bad, we want to get around the sandbox. So do the creation of the # cpio image in pkg_setup() where we are free to mount filesystems, chroot, 
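Review bot: The new `amd64? ( sys-firmware/intel-microcode )` atom in the `DEPEND` hunk of coreos-kernel has neither a version bound nor the `:=` operator that the neighbouring `coreos-firmware` and `bootengine` atoms carry. The `src_prepare()` hunk that follows builds these files into the kernel image through `CONFIG_EXTRA_FIRMWARE`, so the shipped microcode is fixed at kernel build time. If the slot operator is what triggers rebuilds in this tree, an image can keep stale microcode after the firmware package is updated. Consider `amd64? ( sys-firmware/intel-microcode:= )`, or add a comment that microcode bumps need a kernel revbump. The `DEPEND` string starts outside the hunk.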
@@ -60,6 +61,12 @@ src_prepare() { # Symlink to bootengine.cpio so we can stick with relative paths in .config ln -sv "${ROOT}"/usr/share/bootengine/bootengine.cpio build/ || die config_update 'CONFIG_INITRAMFS_SOURCE="bootengine.cpio"' + + # include all intel and amd microcode files, avoiding the signatures + local fw_dir="${ROOT}lib/firmware" + use amd64 && config_update "CONFIG_EXTRA_FIRMWARE=\"$(find ${fw_dir} -type f \ + \( -path ${fw_dir}'/intel-ucode/*' -o -path ${fw_dir}'/amd-ucode/*' \) -printf '%P ')\"" + use amd64 && config_update "CONFIG_EXTRA_FIRMWARE_DIR=\"${fw_dir}\"" } src_compile() { diff --git a/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.14.14.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.14.14-r1.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.14.14.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-kernel/coreos-modules/coreos-modules-4.14.14-r1.ebuild From ee51cb15933bafe5afec3316df9bd7d311ca59c4 Mon Sep 17 00:00:00 2001 From: Andrew Jeddeloh Date: Wed, 17 Jan 2018 10:38:47 -0800 Subject: [PATCH 5/6] coreos-devel/sdk-depends: add iucode_tool dep The intel-microcode ebuild is broken and attempts to use the host's copy of iucode_tool, so add it here so it can find it --- ...sdk-depends-0.0.1-r34.ebuild => sdk-depends-0.0.1-r35.ebuild} | 0 .../coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild | 1 + 2 files changed, 1 insertion(+) rename sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/{sdk-depends-0.0.1-r34.ebuild => sdk-depends-0.0.1-r35.ebuild} (100%) 
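Review bot: The comment in this `src_prepare()` hunk says the signatures are avoided, but the `find` has no `-not -name '*.asc'` test; it relies on whatever populated `${fw_dir}` having dropped them already. The command substitution also leaves `${fw_dir}` unquoted and its result is never checked, so a failed or empty scan yields `CONFIG_EXTRA_FIRMWARE=""` and a kernel that builds without any microcode. I would filter explicitly, quote the paths, and die on an empty result, as sketched below. `find` output order depends on the filesystem, so the generated config can also differ between otherwise identical builds.

```shell
	# … unchanged: bootengine.cpio symlink and CONFIG_INITRAMFS_SOURCE …
	local fw_dir="${ROOT}lib/firmware"
	if use amd64; then
		local ucode
		ucode=$(find "${fw_dir}" -type f -not -name '*.asc' \
			\( -path "${fw_dir}/intel-ucode/*" -o -path "${fw_dir}/amd-ucode/*" \) \
			-printf '%P ') || die "microcode scan failed"
		[[ -n ${ucode} ]] || die "no microcode found under ${fw_dir}"
		config_update "CONFIG_EXTRA_FIRMWARE=\"${ucode}\""
		config_update "CONFIG_EXTRA_FIRMWARE_DIR=\"${fw_dir}\""
	fi
```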
diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1-r34.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1-r35.ebuild similarity index 100% rename from sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1-r34.ebuild rename to sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1-r35.ebuild diff --git a/sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild b/sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild index 820934d3c0..899aec207e 100644 --- a/sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/coreos-devel/sdk-depends/sdk-depends-0.0.1.ebuild @@ -38,6 +38,7 @@ DEPEND=" net-misc/curl sys-apps/debianutils sys-apps/iproute2 + sys-apps/iucode_tool sys-apps/seismograph sys-boot/grub sys-boot/shim From 06de65aef04b396f4ccd295a856894f20e2f818c Mon Sep 17 00:00:00 2001 From: Andrew Jeddeloh Date: Wed, 17 Jan 2018 16:54:10 -0800 Subject: [PATCH 6/6] profiles/amd64: mask new intel ucode There are reports of instability with intel's new microcode. Hold off on updating until that clears. See: - https://bugzilla.redhat.com/show_bug.cgi?id=1532283#c15 - https://bugzilla.redhat.com/show_bug.cgi?id=1532216 --- .../coreos-overlay/profiles/coreos/amd64/package.mask | 1 + 1 file changed, 1 insertion(+) create mode 100644 sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.mask diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.mask b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.mask new file mode 100644 index 0000000000..b47d34eb4e --- /dev/null +++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/amd64/package.mask 
@@ -0,0 +1 @@
+>=sys-firmware/intel-microcode-20180100
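Review bot: The new package.mask entry has no comment, so the reason for the mask and the condition for lifting it exist only in the commit message. Because this holds back a security-relevant microcode update, I would put a header above the atom, e.g. `# Instability reports with Intel's new microcode; unmask once resolved (bugzilla.redhat.com 1532283, 1532216)`. With that in the file, the mask gets revisited instead of lingering after the upstream issue clears.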