Merge pull request #2858 from rn/ucode

Add the intel ucode cpio archive to the kernel package

kernel/Dockerfile

@@ -1,4 +1,4 @@
-FROM linuxkit/alpine:d307c8a386fa3f32cddda9409b9687e191cdd6f1 AS kernel-build
+FROM linuxkit/alpine:34518265c6cb63ff02074549cc5b64bef40c336f AS kernel-build
 RUN apk add \
     argp-standalone \
     automake \
@@ -157,6 +157,18 @@ RUN if [ "${KERNEL_SERIES}" != "4.4.x" ]; then \
        cp /build/perf/perf /out; \
      fi
 
+# Download Intel ucode and create a CPIO archive for it
+ENV UCODE_URL=https://downloadmirror.intel.com/27431/eng/microcode-20180108.tgz
+RUN set -e && \
+    if [ $(uname -m) == x86_64 ]; then \
+        cd /ucode && \
+        curl -sSL -o microcode.tar.gz ${UCODE_URL} && \
+        md5sum -c intel-ucode-md5sums && \
+        tar xf microcode.tar.gz && \
+        iucode_tool --normal-earlyfw --write-earlyfw=/out/intel-ucode.cpio ./intel-ucode && \
+        cp intel-ucode-license.txt /out; \
+    fi
+
 FROM scratch
 ENTRYPOINT []
 CMD []

kernel/README.md

@@ -1,23 +1 @@
-See [../docs/kernels.md](../docs/kernels.md) for more
-information on kernel builds.
-
-To build with various debug options enabled, build the kernel with
-`make DEBUG=1`. The options enabled are listed in `kernel_config.debug`.
-This allocates a significant amount of memory on boot and you may need to
-adjust the kernel config on some systems. Specifically:
-
-```diff
---- a/alpine/kernel/kernel_config
-+++ b/alpine/kernel/kernel_config
-@@ -415,8 +415,8 @@ CONFIG_DMI=y
- # CONFIG_CALGARY_IOMMU is not set
- CONFIG_SWIOTLB=y
- CONFIG_IOMMU_HELPER=y
--CONFIG_MAXSMP=y
--CONFIG_NR_CPUS=8192
-+CONFIG_MAXSMP=n
-+CONFIG_NR_CPUS=8
- # CONFIG_SCHED_SMT is not set
- CONFIG_SCHED_MC=y
- # CONFIG_PREEMPT_NONE is not set
-```
+See [../docs/kernels.md](../docs/kernels.md) for more information on kernel builds.

kernel/ucode/intel-ucode-license.txt

@@ -0,0 +1,219 @@
+The terms of the software license agreement included with any software you download will control your use of the software.
+
+INTEL SOFTWARE LICENSE AGREEMENT
+IMPORTANT - READ BEFORE COPYING, INSTALLING OR USING.
+
+Do not use or load this software and any associated materials (collectively,
+
+the "Software") until you have carefully read the following terms and
+
+conditions. By loading or using the Software, you agree to the terms of this
+
+Agreement. If you do not wish to so agree, do not install or use the Software.
+
+LICENSES: Please Note:
+
+- If you are a network administrator, the "Site License" below shall
+
+apply to you.
+
+- If you are an end user, the "Single User License" shall apply to you.
+
+- If you are an original equipment manufacturer (OEM), the "OEM License"
+
+shall apply to you.
+
+SITE LICENSE. You may copy the Software onto your organization's computers
+
+for your organization's use, and you may make a reasonable number of
+
+back-up copies of the Software, subject to these conditions:
+
+1. This Software is licensed for use only in conjunction with Intel
+
+component products. Use of the Software in conjunction with non-Intel
+
+component products is not licensed hereunder.
+
+2. You may not copy, modify, rent, sell, distribute or transfer any part
+
+of the Software except as provided in this Agreement, and you agree to
+
+prevent unauthorized copying of the Software.
+
+3. You may not reverse engineer, decompile, or disassemble the Software.
+
+4. You may not sublicense or permit simultaneous use of the Software by
+
+more than one user.
+
+5. The Software may include portions offered on terms in addition to those
+
+set out here, as set out in a license accompanying those portions.
+
+SINGLE USER LICENSE. You may copy the Software onto a single computer for
+
+your personal, noncommercial use, and you may make one back-up copy of the
+
+Software, subject to these conditions:
+
+1. This Software is licensed for use only in conjunction with Intel
+
+component products. Use of the Software in conjunction with non-Intel
+
+component products is not licensed hereunder.
+
+2. You may not copy, modify, rent, sell, distribute or transfer any part
+
+of the Software except as provided in this Agreement, and you agree to
+
+prevent unauthorized copying of the Software.
+
+3. You may not reverse engineer, decompile, or disassemble the Software.
+
+4. You may not sublicense or permit simultaneous use of the Software by
+
+more than one user.
+
+5. The Software may include portions offered on terms in addition to those
+
+set out here, as set out in a license accompanying those portions.
+
+OEM LICENSE: You may reproduce and distribute the Software only as an
+
+integral part of or incorporated in Your product or as a standalone
+
+Software maintenance update for existing end users of Your products,
+
+excluding any other standalone products, subject to these conditions:
+
+1. This Software is licensed for use only in conjunction with Intel
+
+component products. Use of the Software in conjunction with non-Intel
+
+component products is not licensed hereunder.
+
+2. You may not copy, modify, rent, sell, distribute or transfer any part
+
+of the Software except as provided in this Agreement, and you agree to
+
+prevent unauthorized copying of the Software.
+
+3. You may not reverse engineer, decompile, or disassemble the Software.
+
+4. You may only distribute the Software to your customers pursuant to a
+
+written license agreement. Such license agreement may be a "break-the-
+
+seal" license agreement. At a minimum such license shall safeguard
+
+Intel's ownership rights to the Software.
+
+5. The Software may include portions offered on terms in addition to those
+
+set out here, as set out in a license accompanying those portions.
+
+NO OTHER RIGHTS. No rights or licenses are granted by Intel to You, expressly
+
+or by implication, with respect to any proprietary information or patent,
+
+copyright, mask work, trademark, trade secret, or other intellectual property
+
+right owned or controlled by Intel, except as expressly provided in this
+
+Agreement.
+
+OWNERSHIP OF SOFTWARE AND COPYRIGHTS. Title to all copies of the Software
+
+remains with Intel or its suppliers. The Software is copyrighted and
+
+protected by the laws of the United States and other countries, and
+
+international treaty provisions. You may not remove any copyright notices
+
+from the Software. Intel may make changes to the Software, or to items
+
+referenced therein, at any time without notice, but is not obligated to
+
+support or update the Software. Except as otherwise expressly provided, Intel
+
+grants no express or implied right under Intel patents, copyrights,
+
+trademarks, or other intellectual property rights. You may transfer the
+
+Software only if the recipient agrees to be fully bound by these terms and if
+
+you retain no copies of the Software.
+
+LIMITED MEDIA WARRANTY. If the Software has been delivered by Intel on
+
+physical media, Intel warrants the media to be free from material physical
+
+defects for a period of ninety days after delivery by Intel. If such a defect
+
+is found, return the media to Intel for replacement or alternate delivery of
+
+the Software as Intel may select.
+
+EXCLUSION OF OTHER WARRANTIES. EXCEPT AS PROVIDED ABOVE, THE SOFTWARE IS
+
+PROVIDED "AS IS" WITHOUT ANY EXPRESS OR IMPLIED WARRANTY OF ANY KIND
+
+INCLUDING WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT, OR FITNESS FOR A
+
+PARTICULAR PURPOSE. Intel does not warrant or assume responsibility for the
+
+accuracy or completeness of any information, text, graphics, links or other
+
+items contained within the Software.
+
+LIMITATION OF LIABILITY. IN NO EVENT SHALL INTEL OR ITS SUPPLIERS BE LIABLE
+
+FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, LOST PROFITS,
+
+BUSINESS INTERRUPTION, OR LOST INFORMATION) ARISING OUT OF THE USE OF OR
+
+INABILITY TO USE THE SOFTWARE, EVEN IF INTEL HAS BEEN ADVISED OF THE
+
+POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS PROHIBIT EXCLUSION OR
+
+LIMITATION OF LIABILITY FOR IMPLIED WARRANTIES OR CONSEQUENTIAL OR INCIDENTAL
+
+DAMAGES, SO THE ABOVE LIMITATION MAY NOT APPLY TO YOU. YOU MAY ALSO HAVE
+
+OTHER LEGAL RIGHTS THAT VARY FROM JURISDICTION TO JURISDICTION.
+
+TERMINATION OF THIS AGREEMENT. Intel may terminate this Agreement at any time
+
+if you violate its terms. Upon termination, you will immediately destroy the
+
+Software or return all copies of the Software to Intel.
+
+APPLICABLE LAWS. Claims arising under this Agreement shall be governed by the
+
+laws of California, excluding its principles of conflict of laws and the
+
+United Nations Convention on Contracts for the Sale of Goods. You may not
+
+export the Software in violation of applicable export laws and regulations.
+
+Intel is not obligated under any other agreements unless they are in writing
+
+and signed by an authorized representative of Intel.
+
+GOVERNMENT RESTRICTED RIGHTS. The Software is provided with "RESTRICTED
+
+RIGHTS." Use, duplication, or disclosure by the Government is subject to
+
+restrictions as set forth in FAR52.227-14 and DFAR252.227-7013 et seq. or its
+
+successor. Use of the Software by the Government constitutes acknowledgment
+
+of Intel's proprietary rights therein. Contractor or Manufacturer is Intel
+
+2200 Mission College Blvd., Santa Clara, CA 95052.
+
+I accept the terms in the license agreement
+
+I do not accept the terms in the license agreement
+

kernel/ucode/intel-ucode-md5sums

@@ -0,0 +1 @@
+871df55f0ab010ee384dabfc424f2c12  microcode.tar.gz

tools/alpine/Dockerfile

@@ -53,6 +53,26 @@ RUN apk add --no-cache btrfs-progs-dev gcc libc-dev linux-headers make
 RUN cd $GOPATH/src/github.com/containerd/containerd && \
   make binaries EXTRA_FLAGS="-buildmode pie" EXTRA_LDFLAGS='-extldflags "-fno-PIC -static"' BUILD_TAGS="static_build"
 
+# Checkout and compile iucode-tool for Intel CPU microcode
+# On non-x86_64 create a dummy file to copy below.
+ENV IUCODE_REPO=https://gitlab.com/iucode-tool/iucode-tool
+ENV IUCODE_COMMIT=v2.2
+WORKDIR /
+ADD iucode-tool.patch /
+RUN set -e && \
+    mkdir /iucode_tool && \
+    if [ $(uname -m) = "x86_64" ]; then \
+        apk add --no-cache automake autoconf argp-standalone git gcc make musl-dev patch && \
+        git clone ${IUCODE_REPO} && \
+        cd /iucode-tool && \
+        git checkout ${IUCODE_COMMIT} && \
+        patch -p 1 < /iucode-tool.patch && \
+        ./autogen.sh && \
+        ./configure && \
+        make && \
+        cp iucode_tool /iucode_tool; \
+    fi
+
 FROM alpine:3.7
 
 COPY --from=mirror /etc/apk/repositories /etc/apk/repositories
@@ -62,6 +82,7 @@ COPY --from=mirror /mirror /mirror/
 COPY --from=mirror /go/bin /go/bin/
 COPY --from=mirror /Dockerfile /Dockerfile
 COPY --from=mirror /go/src/github.com/containerd/containerd /go/src/github.com/containerd/containerd/
+COPY --from=mirror /iucode_tool /usr/bin/
 
 RUN apk update && apk upgrade -a
 

tools/alpine/iucode-tool.patch

@@ -0,0 +1,12 @@
+diff --git a/iucode_tool.c b/iucode_tool.c
+index 460087c..8825ed6 100644
+--- a/iucode_tool.c
++++ b/iucode_tool.c
+@@ -31,6 +31,7 @@
+ #include <dirent.h>
+ #include <time.h>
+ #include <cpuid.h>
++#include <limits.h>
+ 
+ #include "intel_microcode.h"
+ 

tools/alpine/versions.aarch64

@@ -1,4 +1,4 @@
-# linuxkit/alpine:7dedd0ef748530ece641d931b6f77aa2992d90e5-arm64
+# linuxkit/alpine:5b74d32d7b79489e3b1ea483484e7df1a2fbe759-arm64
 # automatically generated list of installed packages
 abuild-3.1.0-r3
 alpine-baselayout-3.0.5-r2

tools/alpine/versions.x86_64

@@ -1,4 +1,4 @@
-# linuxkit/alpine:99dec12a5e8524b7a262c6bdfcea733191354883-amd64
+# linuxkit/alpine:34518265c6cb63ff02074549cc5b64bef40c336f-amd64
 # automatically generated list of installed packages
 abuild-3.1.0-r3
 alpine-baselayout-3.0.5-r2