sys-firmware/intel-microcode: add ucode image generator hooks

This creates a intel microcode image when installing the kernel and when
installkernel/kernel-install is configured to use an initramfs generator other
then dracut. Dracut bundles the microcode in the image it generates, many
other initramfs generators do not and we want these users to also get the
latest CPU microcode.

installkernel-gentoo.git has recently gained support for handling these ucode
images and passing them on to bootloaders and UKI generators.

Note that this should be here and not in installkernel-gentoo.git because we
only want to install this when the initramfs flag is enabled to avoid the
situation where users who don't want an ucode.img get one anyway.

Note that we don't have to worry about MICROCODE_SIGNATURES and
MICROCODE_BLAKCLIST since this selection is taken into account when installing
the microcode to /lib/firmware, at run-time when we read the files from there
we therefore automatically get only the files we want.

Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>

3 files changed, 106 insertions, 0 deletions

diff --git a/sys-firmware/intel-microcode/files/35-intel-microcode-systemd.install b/sys-firmware/intel-microcode/files/35-intel-microcode-systemd.install
new file mode 100644
index 000000000000..7ad7b8c49e83
--- /dev/null
+++ b/sys-firmware/intel-microcode/files/35-intel-microcode-systemd.install
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Copyright 2024 Gentoo Authors
+# This script is installed by sys-firmware/intel-microcode, it is executed by
+# systemd's kernel-install, NOT by the traditional installkernel. I.e. this
+# plugin is run when the systemd USE flag is enabled or
+# SYSTEMD_KERNEL_INSTALL=1 is set in the environment.
+
+COMMAND="${1}"
+
+if [[ ${COMMAND} != add ]]; then
+	exit 0
+fi
+
+if [[ ${KERNEL_INSTALL_INITRD_GENERATOR} == dracut ]]; then
+	# Dracut bundles microcode in its initramfs images
+	[[ ${KERNEL_INSTALL_VERBOSE} == 1 ]] && echo \
+		"initrd_generator=${KERNEL_INSTALL_INITRD_GENERATOR} bundles CPU microcode, nothing to do here."
+	exit 0
+fi
+
+# do nothing if somehow iucode_tool is not installed
+if ! command -v iucode_tool >/dev/null; then
+	[[ ${KERNEL_INSTALL_VERBOSE} == 1 ]] && echo \
+		"iucode_tool command not available"
+	exit 1
+fi
+
+# use same opts as intel-microcode.ebuild
+opts=(
+	--write-earlyfw="${KERNEL_INSTALL_STAGING_AREA}/microcode-intel"
+	--overwrite
+	--strict-checks
+	--no-ignore-broken
+	--no-downgrade
+)
+
+if [[ ${KERNEL_INSTALL_VERBOSE} == 1 ]]; then
+	echo "Generating Intel CPU Microcode early initramfs image..."
+	opts+=(
+		--list-all
+		--list
+	)
+fi
+
+iucode_tool /lib/firmware/intel-ucode "${opts[@]}" ||
+	{ echo "iucode_tool failed" && exit 1; }
diff --git a/sys-firmware/intel-microcode/files/35-intel-microcode.install b/sys-firmware/intel-microcode/files/35-intel-microcode.install
new file mode 100644
index 000000000000..d4e9ef19d56b
--- /dev/null
+++ b/sys-firmware/intel-microcode/files/35-intel-microcode.install
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+# Copyright 2024 Gentoo Authors
+# This script is installed by sys-firmware/intel-microcode, it is executed by
+# the traditional installkernel, NOT by systemd's kernel-install. I.e. this
+# plugin is run when the systemd USE flag is disabled or
+# SYSTEMD_KERNEL_INSTALL=0 is set in the environment.
+
+# familiar helpers, we intentionally don't use Gentoo functions.sh
+die() {
+	echo -e " ${NOCOLOR-\e[1;31m*\e[0m }${*}" >&2
+	exit 1
+}
+
+einfo() {
+	echo -e " ${NOCOLOR-\e[1;32m*\e[0m }${*}" >&2
+}
+
+main() {
+	# re-define for subst to work
+	[[ -n ${NOCOLOR+yes} ]] && NOCOLOR=
+
+	if [[ ${INSTALLKERNEL_INITRD_GENERATOR} == dracut ]]; then
+		# Dracut bundles microcode in its initramfs images
+		echo "initrd_generator=${INSTALLKERNEL_INITRD_GENERATOR} bundles CPU microcode, nothing to do here."
+		exit 0
+	fi
+
+	# do nothing if somehow iucode_tool is not installed
+	[[ -x $(command -v iucode_tool) ]] || die "iucode_tool command not available"
+
+	[[ ${EUID} -eq 0 ]] || die "Please run this script as root"
+
+	local opts=(
+		--write-earlyfw="/boot/intel-uc.img"
+		--overwrite
+		--strict-checks
+		--no-ignore-broken
+		--no-downgrade
+		--list-all
+		--list
+	)
+
+	einfo "Generating Intel CPU Microcode early initramfs image..."
+	iucode_tool /lib/firmware/intel-ucode "${opts[@]}" ||
+		die "iucode_tool failed"
+}
+
+main
diff --git a/sys-firmware/intel-microcode/intel-microcode-20240531_p20240526.ebuild b/sys-firmware/intel-microcode/intel-microcode-20240531_p20240526-r1.ebuild
index c33321a94497..6ad9cfa826b6 100644
--- a/sys-firmware/intel-microcode/intel-microcode-20240531_p20240526.ebuild
+++ b/sys-firmware/intel-microcode/intel-microcode-20240531_p20240526-r1.ebuild
@@ -152,6 +152,16 @@ src_install() {
 		insinto /usr/lib/dracut/dracut.conf.d
 		newins - 15-${PN}.conf <<<"early_microcode=$(usex initramfs)"
 	)
+	if use initramfs; then
+		# Install installkernel/kernel-install hooks for non-dracut initramfs
+		# generators that don't bundled the microcode
+		(
+			exeinto /usr/lib/kernel/preinst.d
+			doexe "${FILESDIR}/35-intel-microcode.install"
+			exeinto /usr/lib/kernel/install.d
+			doexe "${FILESDIR}/35-intel-microcode-systemd.install"
+		)
+	fi
 
 	# The earlyfw cpio needs to be in /boot because it must be loaded before
 	# rootfs is mounted.