nick133 · June 19, 2023 14:27
diff --git a/getucode.zsh b/getucode.zsh
 #!/bin/zsh
 #
 # Autodetect CPU signature, download corresponding Intel microcode
 # and cook initrd image from it
 #
 # https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/loading-microcode-os.html
 repo_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files"
 ucodes_url="$repo_url/raw/main/intel-ucode"
 release_url="$repo_url/blob/main/intel-ucode"
 fwimg="hostcpu-intel-ucode.img"

 get_release() {
    git log -1 --format=format:%s -- intel-ucode/$ucode | awk '{ print gensub(/[^0-9]/, "", "g", $1) }'
 }

 cd $(dirname $(realpath $0))

 echo -en "===> Decoding CPU Family-Model-Stepping: "
 ucode=$(lscpu | awk '/^CPU family:/ { printf "%.2x-", $3 } /^Model:/ { printf "%.2x-", $2 } /^Stepping:/ { printf "%.2x", $2 }')
 [[ -n "$ucode" ]] && echo $ucode || exit 1
 ucode_path="intel-repo/intel-ucode/$ucode"

 echo -en "===> Select microcode by scanning CPU signatures: "
 cpuid="$(iucode_tool -S 2>&1 | awk '{ print $NF }')"
 [[ -n "$cpuid" ]] && echo $cpuid || exit 2

 if [[ ! -d intel-repo/.git ]]; then
    echo "===> Fetching Intel git repository data.."
    mkdir intel-repo
    git clone --filter=blob:none --no-checkout --single-branch --branch main $repo_url intel-repo
    pushd intel-repo > /dev/null
    git checkout origin/main -- intel-ucode/$ucode
    remote_rel=$(get_release)
    popd > /dev/null
 else
    echo "===> Checking Intel repository for new microcode release.."
    pushd intel-repo > /dev/null
    local_rel="$(get_release)"
    git pull
    remote_rel="$(get_release)"
    popd > /dev/null

    if [[ "$local_rel" == "$remote_rel" && -f "$fwimg" ]]; then
        echo "Nothing to do, exiting.." && exit 3
    elif [[ "$local_rel" == "$remote_rel" && ! -f "$fwimg" ]]; then
        echo "Generated kernel initrd microcode image is missing, rebuilding.."
    else
        echo "===> Found new release: $remote_rel (installed: $local_rel)"
    fi
 fi

 echo -n "===> Comparing downloaded vs host microcode signatures: "
 scanid=$(iucode_tool -L $ucode_path | awk '/: sig 0x/ { sub(/,/, "", $3); print $3 }')
 if [[ "$scanid" == "$cpuid" ]]; then
    echo "MATCH (OK)"
 else
    echo "$cpuid != $scanid" && exit 4
 fi

 [[ -f "$fwimg" ]] && mv -f $fwimg $fwimg.bak
 iucode_tool --write-earlyfw=$fwimg $ucode_path
	#!/bin/zsh
	#
	# Autodetect CPU signature, download corresponding Intel microcode
	# and cook initrd image from it
	#
	# https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/loading-microcode-os.html
	repo_url="https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files"
	ucodes_url="$repo_url/raw/main/intel-ucode"
	release_url="$repo_url/blob/main/intel-ucode"
	fwimg="hostcpu-intel-ucode.img"

	get_release() {
	git log -1 --format=format:%s -- intel-ucode/$ucode \| awk '{ print gensub(/[^0-9]/, "", "g", $1) }'
	}

	cd $(dirname $(realpath $0))

	echo -en "===> Decoding CPU Family-Model-Stepping: "
	ucode=$(lscpu \| awk '/^CPU family:/ { printf "%.2x-", $3 } /^Model:/ { printf "%.2x-", $2 } /^Stepping:/ { printf "%.2x", $2 }')
	[[ -n "$ucode" ]] && echo $ucode \|\| exit 1
	ucode_path="intel-repo/intel-ucode/$ucode"

	echo -en "===> Select microcode by scanning CPU signatures: "
	cpuid="$(iucode_tool -S 2>&1 \| awk '{ print $NF }')"
	[[ -n "$cpuid" ]] && echo $cpuid \|\| exit 2

	if [[ ! -d intel-repo/.git ]]; then
	echo "===> Fetching Intel git repository data.."
	mkdir intel-repo
	git clone --filter=blob:none --no-checkout --single-branch --branch main $repo_url intel-repo
	pushd intel-repo > /dev/null
	git checkout origin/main -- intel-ucode/$ucode
	remote_rel=$(get_release)
	popd > /dev/null
	else
	echo "===> Checking Intel repository for new microcode release.."
	pushd intel-repo > /dev/null
	local_rel="$(get_release)"
	git pull
	remote_rel="$(get_release)"
	popd > /dev/null

	if [[ "$local_rel" == "$remote_rel" && -f "$fwimg" ]]; then
	echo "Nothing to do, exiting.." && exit 3
	elif [[ "$local_rel" == "$remote_rel" && ! -f "$fwimg" ]]; then
	echo "Generated kernel initrd microcode image is missing, rebuilding.."
	else
	echo "===> Found new release: $remote_rel (installed: $local_rel)"
	fi
	fi

	echo -n "===> Comparing downloaded vs host microcode signatures: "
	scanid=$(iucode_tool -L $ucode_path \| awk '/: sig 0x/ { sub(/,/, "", $3); print $3 }')
	if [[ "$scanid" == "$cpuid" ]]; then
	echo "MATCH (OK)"
	else
	echo "$cpuid != $scanid" && exit 4
	fi

	[[ -f "$fwimg" ]] && mv -f $fwimg $fwimg.bak
	iucode_tool --write-earlyfw=$fwimg $ucode_path