kgpe: move microcode blob out of ownerboot

The microcode blob is only needed for Opteron 63xx chips. I have a few of these, so I add the blob in a local overlay. If other people are interested in this I will publish the overlay. The 63xx chips are kind of rare and more expensive than the 62xx chips -- their only real benefit is lower power draw. I ended up receiving some by accident due to an incorrect eBay listing.
2 years ago · 218f2f8e83
parent 0eb193a149
commit 218f2f8e83
1 changed files with 10 additions and 22 deletions
--- a/src/platform/kgpe/default.nix
+++ b/src/platform/kgpe/default.nix
@ -1,9 +1,7 @@
 { lib ? import <nixpkgs/lib>
 , hostPlatform ? lib.systems.examples.gnu64
 }:
-let
-  update_microcode = true;
-in
+
 {
  inherit hostPlatform;

@ -29,23 +27,13 @@ in
      '';
    });

-    coreboot = let
-      # does include spectre mitigations (performance hit)
-      #linux-firmware = final.nixpkgsOnBuildForBuild.linux-firmware;
-      #path-within-linux-firmware = "lib/firmware/amd-ucode/microcode_amd_fam15h.bin";
+    # microcode updates are needed only for Opteron 63xx
+    #
+    # TODO: check processor type at boot time and refuse to boot
+    # insecure configurations? (63xx without microcode)
+    microcode-blob = null;

-      # does *not* include spectre mitigations (no performance hit)
-      linux-firmware = final.nixpkgsOnBuildForBuild.fetchgit {
-        # most recent update that does *not* include spectre
-        # mitigations; needed for 63xx processors due to an exploitable
-        # NMI defect in that series (only)
-        url = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git";
-        rev = "5f8ca0c1db6106a2d6d7e85eee778917ff03c3de";
-        branchName = "main";
-        #sparseCheckout = path-within-linux-firmware;
-        hash = "sha256-uwzz0z2+uPke8AVKb80Cy620efdRBSuwjfoIrQhepc8=";
-      };
-      path-within-linux-firmware = "amd-ucode/microcode_amd_fam15h.bin";
+    coreboot = let
    in
      final.lib.makeOverridable (prev.coreboot.override {
      iasl = final.iasl_20180531;
@ -55,14 +43,14 @@ in
      coreboot-toolchain = with final.coreboot-toolchain; [ x64 i386 ];
      linux-command-line = "console=ttyS1,115200n8";
    }).overrideAttrs (a: {
-      postConfigure = if update_microcode then ''
+      postConfigure = if final.microcode-blob != null then ''
        echo CONFIG_CPU_MICROCODE_MULTIPLE_FILES=y >> .config
      '' else ''
        echo CONFIG_CPU_MICROCODE_CBFS_NONE=y >> .config
      '';
-      preBuild = final.lib.optionalString update_microcode ''
+      preBuild = final.lib.optionalString (final.microcode-blob != null) ''
        mkdir -p 3rdparty/blobs/cpu/amd/family_15h/
-        ln -sfT ${linux-firmware}/${path-within-linux-firmware} \
+        ln -sfT ${final.microcode-blob} \
          3rdparty/blobs/cpu/amd/family_15h/microcode_amd_fam15h.bin
        mkdir -p 3rdparty/blobs/cpu/amd/family_10h-family_14h/
        touch 3rdparty/blobs/cpu/amd/family_10h-family_14h/microcode_amd.bin