Autodetects the host CPU signature, downloads the corresponding latest Intel microcode and cooks an initrd image from it
#!/bin/zsh
#
# Autodetect CPU signature, download corresponding Intel microcode
# and cook initrd image from it
#
# https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/secure-coding/loading-microcode-os.html
# Name of the early-firmware initrd image this script writes next to itself.
fwimg='hostcpu-intel-ucode.img'
# Upstream Intel microcode repository; it is cloned over HTTPS further down.
repo_url='https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files'
# Browser and raw-download views of the intel-ucode directory. Neither is
# referenced by the visible part of the script.
release_url="${repo_url}/blob/main/intel-ucode"
ucodes_url="${repo_url}/raw/main/intel-ucode"
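#######################################
# Print the release number of the newest commit that touched this CPU's
# microcode file. The callers in this script run it from inside intel-repo,
# because the pathspec is relative to the repository root.
# Globals:   ucode (read) - family-model-stepping file name
#            (constructed sample: 06-9e-0a)
# Outputs:   first word of the commit subject with every non-digit removed
#######################################
get_release() {
  # gsub() on $1 replaces the gawk-only gensub(), so the function also works
  # with mawk and BSD awk; the printed value is the same.
  git log -1 --format=format:%s -- "intel-ucode/${ucode}" \
    | awk '{ gsub(/[^0-9]/, "", $1); print $1 }'
}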
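# Work from the directory that holds this script so intel-repo/ and the image
# are created next to it. Stop if it cannot be entered: every later path is
# relative, so continuing would operate on whatever directory we started in.
script_dir=$(dirname -- "$(realpath -- "$0")") || exit 5
cd -- "$script_dir" || exit 5

echo -en "===> Decoding CPU Family-Model-Stepping: "
# LC_ALL=C keeps lscpu's field labels in English so the awk patterns match.
ucode=$(LC_ALL=C lscpu | awk '
  /^CPU family:/ { printf "%.2x-", $3 }
  /^Model:/      { printf "%.2x-", $2 }
  /^Stepping:/   { printf "%.2x", $2 }')
# The value is used below as a path component and as a git pathspec, so accept
# only the exact xx-xx-xx lower-case hex form. A partial decode is rejected
# here instead of producing a wrong path.
if [[ "$ucode" == [0-9a-f][0-9a-f]-[0-9a-f][0-9a-f]-[0-9a-f][0-9a-f] ]]; then
  printf '%s\n' "$ucode"
else
  printf '\nerror: could not decode family-model-stepping from lscpu\n' >&2
  exit 1
fi
ucode_path="intel-repo/intel-ucode/$ucode"

echo -en "===> Select microcode by scanning CPU signatures: "
# stderr is merged into the pipe, so an error message from iucode_tool would
# otherwise have its last word taken as the signature. Require a hex literal.
cpuid=$(iucode_tool -S 2>&1 | awk '{ print $NF }')
sig_re='^0x[0-9a-fA-F]+$'
if [[ "$cpuid" =~ $sig_re ]]; then
  printf '%s\n' "$cpuid"
else
  printf '\nerror: iucode_tool -S did not report a CPU signature\n' >&2
  exit 2
fi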
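# Bring the local copy of Intel's microcode repository up to date and decide
# whether the image has to be (re)built. Exit 3 means "already current";
# exit 5 means a git or filesystem step failed.
if [[ ! -d intel-repo/.git ]]; then
  echo "===> Fetching Intel git repository data.."
  mkdir -p intel-repo || exit 5
  # Blob-less clone without checkout: only the one microcode file requested
  # below is written to the working tree.
  git clone --filter=blob:none --no-checkout --single-branch --branch main \
    "$repo_url" intel-repo \
    || { echo "error: git clone failed" >&2; exit 5; }
  pushd intel-repo > /dev/null || exit 5
  # Fails when the repository has no file for this family-model-stepping.
  git checkout origin/main -- "intel-ucode/${ucode}" \
    || { echo "error: no microcode file intel-ucode/${ucode} in repository" >&2; exit 5; }
  remote_rel=$(get_release)
  popd > /dev/null || exit 5
else
  echo "===> Checking Intel repository for new microcode release.."
  pushd intel-repo > /dev/null || exit 5
  local_rel=$(get_release)
  # A failed pull must stop the run. Otherwise both release numbers compare
  # equal and the script reports "Nothing to do" while the microcode is stale.
  # NOTE(review): the initial clone uses --no-checkout, so the index holds only
  # one file; confirm that `git pull` fast-forwards cleanly in that state.
  git pull || { echo "error: git pull failed" >&2; exit 5; }
  remote_rel=$(get_release)
  popd > /dev/null || exit 5

  if [[ "$local_rel" != "$remote_rel" ]]; then
    echo "===> Found new release: $remote_rel (installed: $local_rel)"
  elif [[ -f "$fwimg" ]]; then
    echo "Nothing to do, exiting.."
    exit 3
  else
    echo "Generated kernel initrd microcode image is missing, rebuilding.."
  fi
fi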
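echo -n "===> Comparing downloaded vs host microcode signatures: "
# Compare the signature listed in the downloaded file with the host CPU's.
# This is a compatibility check only; it does not authenticate the file.
if [[ ! -f "$ucode_path" ]]; then
  printf '\nerror: microcode file %s is missing\n' "$ucode_path" >&2
  exit 4
fi
# NOTE(review): if the data file lists more than one entry, scanid holds
# several lines and the equality below fails; confirm against real
# `iucode_tool -L` output.
scanid=$(iucode_tool -L "$ucode_path" | awk '/: sig 0x/ { sub(/,/, "", $3); print $3 }')
if [[ "$scanid" == "$cpuid" ]]; then
  echo "MATCH (OK)"
else
  echo "$cpuid != $scanid"
  exit 4
fi

# Keep the previous image as .bak and put it back if the new one cannot be
# written, so a failed run never leaves the machine without an image file.
had_backup=0
if [[ -f "$fwimg" ]]; then
  mv -f -- "$fwimg" "$fwimg.bak" || exit 5
  had_backup=1
fi
iucode_tool --write-earlyfw="$fwimg" "$ucode_path" || {
  rc=$?
  echo "error: writing $fwimg failed" >&2
  if (( had_backup )); then
    mv -f -- "$fwimg.bak" "$fwimg"
  fi
  exit "$rc"
}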