sys-firmware/intel-microcode: Bump

Ebuild changes:
===============
- Based on Intel's microcode tarball from 2018-04-25.

- Added 210+ additional microcode updates (for production, no beta release!),
  which are signed by Intel and publicly available but are not distributed
  via Intel's microcode tarball for marketing/product phase out reasons.
  You can prevent the usage of these microcode updates and stick with
  content from Intel's official release tarball via new "vanilla"
  USE flag.

- Blacklisted microcode 0x000604f1 aka 06-4f-01 aka CPUID 406F1 which
  requires a newer microcode loader in kernel which is only available
  in kernel >=4.14.34.
  It is blacklisted because loading via older loader could crash the
  system. A news item with instructions will follow.

Closes: gentoo#8532
Bug: https://bugs.gentoo.org/654638
Package-Manager: Portage-2.3.38, Repoman-2.3.9

sys-firmware/intel-microcode/Manifest

@@ -1,3 +1,4 @@
+DIST intel-microcode-collection-20180426.tar.xz 4155132 BLAKE2B 222c48ba0123887b4ae299e0acc4696512dc1c7528f1b735dd79b2d2f0bf6d988d061e773fb3949b2ab9ddcb69e4224ddb431ccda1c4b329ca37e9409ca60380 SHA512 038d43cd698183baa14b14f1b05e76c93386568494b2621e49338cf3c02fd0e663284ca864a50b3df4188bde5669bf4794cdcf7f4a287dcd42efbb8717809990
 DIST microcode-20140430.tgz 785594 BLAKE2B e51a187ca99ad496804f117871b50693b03b50759c9dd23002149ff7fa4b74888c83e8e1fcf078a973dea82e6a9439de8415c56c902ed0163e55ceaaff0eaf23 SHA512 12954522629ce15c4b95c158b6288b3877a3d1f87bea838f8138e53987ef1b6c0edc7a8cbb802a981ccca178b70b4323907aafa7479c0c2fed4497f6fb7bbc1c
 DIST microcode-20140624.tgz 787237 BLAKE2B 1c2d8f39bf142570283e80f370f41c502ef04d24b4348ca4b44c881e3b1e54df72a88e09350d45a33d47d9955d84a80ae8a11e44561b1a8944a59f9326d4d81a SHA512 c774006aae639e7fae90bc1f5d8308b407e7cd3b7d0da6e35577560bf6201c2b15f7d7b6b0cd727c50be1e9d508b484b067856631fa2598498982109bff0e44c
 DIST microcode-20140913.tgz 830537 BLAKE2B 665c72fc3a3e1e13d9e58eba0ed202b30856532eee590006c02112df926b879985a97ba9a96b58a6aad0285bff95a3fbb27b22d533f958fe170887f0ab37eef1 SHA512 e179fe0001b1157cc95aee39185f51fd182d53c1bdb30bfc95bc3a70795c32012050f3a4adf06735a77d8ef9c703a330c6a2610b73b70f09f5760e31d39cb89c
@@ -13,3 +14,4 @@ DIST microcode-20171117_p20171215-r1.tgz 1477015 BLAKE2B 3911aed3bbbd350be69a99b
 DIST microcode-20171117_p20171215.tgz 1468587 BLAKE2B 58777a39f843ae880f7dd8971a9570dbfc176d69541bb9d3cdc948d7be71a7df2559265fb1c8a199bc7567bb5a60176ade1d2c36624d0193dbac98d82401d0dd SHA512 25db94dbf18b1fea9497ec1e61bb5349d7bc78b0578d8869546bc3ec579b96bee7cd62657e66ebd3d4616805e85d790ac7ee7c0fed70b5db30236ffd12b33293
 DIST microcode-20180108.tgz 3676678 BLAKE2B 197e0188e516a3071be9e2e7a6261d78208613db8b746c7df533ce37884197dbd06a4e6ab027cbddba38903f590130f2d974e46da8fbab0613561523653460ab SHA512 f4010d83353948df27beeb804ef11e4f019f63397a4936f9d139e2842f7944d1ae864b9376987eaffc7db5b97201d5de2f4c1d7cc6b0f545ae15ec53a61fce2b
 DIST microcode-20180312.tgz 3789662 BLAKE2B e948d74833fe75b9bbdff1e4676f5d49a13bdd06aa6525c39be3448b822203947a5f55515484401ee0c96e8ade19ea580718949bed65883d983509661a16e637 SHA512 cc2cabf6d12c83b65eeb30fca7eb0b503e037dbee3d7ce9cb307b02ed8ac9426b2bafc2c1f1281dddff0945f8308f0d3cd320edea4596551354188d64760b854
+DIST microcode-20180425.tgz 1565473 BLAKE2B 70e0a56f0f5f720e00ab18d6553bc221147589e83df34fdc0c130c6f74a239e48355bfe1845b1de919ed1bce9ade7b7db298883eb3de1d53732a694b15d76f62 SHA512 6cea53cc0f486891fb9ddffc1e03e8e0a6d1d91df6bfda81250b2c60714e7b4111caa9df5afa7f13d8144e591550ef7eb4fd1e153fc67fc904afb83ccc2e3bb0

sys-firmware/intel-microcode/intel-microcode-20180426.ebuild

@@ -0,0 +1,129 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="6"
+
+inherit linux-info toolchain-funcs mount-boot
+
+# Find updates by searching and clicking the first link (hopefully it's the one):
+# http://www.intel.com/content/www/us/en/search.html?keyword=Processor+Microcode+Data+File
+
+COLLECTION_SNAPSHOT="20180426"
+INTEL_SNAPSHOT="20180425"
+NUM="27776"
+DESCRIPTION="Intel IA32/IA64 microcode update data"
+HOMEPAGE="http://inertiawar.com/microcode/ https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=${NUM}"
+SRC_URI="https://downloadmirror.intel.com/${NUM}/eng/microcode-${INTEL_SNAPSHOT}.tgz
+	https://dev.gentoo.org/~whissi/dist/intel-microcode/intel-microcode-collection-${COLLECTION_SNAPSHOT}.tar.xz"
+
+LICENSE="intel-ucode"
+SLOT="0"
+KEYWORDS=""
+IUSE="initramfs +split-ucode vanilla"
+REQUIRED_USE="|| ( initramfs split-ucode )"
+
+DEPEND="sys-apps/iucode_tool"
+RDEPEND="!<sys-apps/microcode-ctl-1.17-r2" #268586
+
+S=${WORKDIR}
+
+# Blacklist bad microcode here.
+# 0x000604f1 aka 06-4f-01 aka CPUID 406F1 require newer microcode loader
+DEFAULT_MICROCODE_SIGNATURES="-s !0x000604f1"
+
+# Advanced users only:
+# merge with:
+# only current CPU: MICROCODE_SIGNATURES="-S"
+# only specific CPU: MICROCODE_SIGNATURES="-s 0x00000f4a -s 0x00010676"
+# exclude specific CPU: MICROCODE_SIGNATURES="-s !0x00000686"
+MICROCODE_SIGNATURES="${MICROCODE_SIGNATURES:=${DEFAULT_MICROCODE_SIGNATURES}}"
+
+pkg_pretend() {
+	if [[ "${MICROCODE_SIGNATURES}" != "${DEFAULT_MICROCODE_SIGNATURES}" ]]; then
+		ewarn "The user has opted in for advanced use:"
+		ewarn "MICROCODE_SIGNATURES is set to \"${MICROCODE_SIGNATURES}\" instead of default \"${DEFAULT_MICROCODE_SIGNATURES}\"!"
+	fi
+	use initramfs && mount-boot_pkg_pretend
+}
+
+src_prepare() {
+	default
+
+	# Prevent "invalid file format" errors from iucode_tool
+	rm -f "${S}"/intel-ucod*/list || die
+}
+
+src_install() {
+	# This will take ALL of the upstream microcode sources:
+	# - microcode.dat
+	# - intel-ucode/
+	# In some cases, they have not contained the same content (eg the directory has newer stuff).
+	MICROCODE_SRC=(
+		"${S}"/intel-ucode/
+		"${S}"/intel-ucode-with-caveats/
+	)
+
+	# Allow users who are scared about microcode updates not included in Intel's official
+	# microcode tarball to opt-out and comply with Intel marketing
+	if ! use vanilla; then
+		MICROCODE_SRC+=( "${S}"/intel-microcode-collection-${COLLECTION_SNAPSHOT} )
+	fi
+
+	opts=(
+		${MICROCODE_SIGNATURES}
+		# be strict about what we are doing
+		--overwrite
+		--strict-checks
+		--no-ignore-broken
+		# we want to install latest version
+		--no-downgrade
+		# show everything we find
+		--list-all
+		# show what we selected
+		--list
+	)
+
+	# The earlyfw cpio needs to be in /boot because it must be loaded before
+	# rootfs is mounted.
+	use initramfs && dodir /boot && opts+=( --write-earlyfw="${ED%/}"/boot/intel-uc.img )
+	# split location:
+	use split-ucode && dodir /lib/firmware/intel-ucode && opts+=( --write-firmware="${ED%/}"/lib/firmware/intel-ucode )
+
+	iucode_tool \
+		"${opts[@]}" \
+		"${MICROCODE_SRC[@]}" \
+		|| die "iucode_tool ${opts[@]} ${MICROCODE_SRC[@]}"
+
+	dodoc releasenote
+}
+
+pkg_preinst() {
+	use initramfs && mount-boot_pkg_preinst
+}
+
+pkg_prerm() {
+	use initramfs && mount-boot_pkg_prerm
+}
+
+pkg_postrm() {
+	use initramfs && mount-boot_pkg_postrm
+}
+
+pkg_postinst() {
+	use initramfs && mount-boot_pkg_postinst
+
+	if [[ "${MICROCODE_SIGNATURES}" != "${DEFAULT_MICROCODE_SIGNATURES}" ]]; then
+		if kernel_is -lt 4 14 34; then
+			ewarn "${P} contains microcode updates which require"
+			ewarn "additional kernel patches which aren't yet included in kernel <4.14.34."
+			ewarn "Loading such a microcode through kernel interface from an unpatched kernel"
+			ewarn "can crash your system!"
+			ewarn ""
+			ewarn "Those microcodes are blacklisted per default. However, you have altered"
+			ewarn "MICROCODE_SIGNATURES and maybe unintentionally re-enabled those microcodes."
+			ewarn ""
+			ewarn "Check ${EROOT%/}/usr/share/doc/${P}/releasenot* if your microcode update"
+			ewarn "requires additional kernel patches or not."
+		fi
+	fi
+}

sys-firmware/intel-microcode/metadata.xml

@@ -9,5 +9,6 @@
 	<flag name="initramfs">install a small initramfs for use with CONFIG_MICROCODE_EARLY</flag>
 	<flag name="monolithic">install the large text microcode.dat (used by older kernels via microcode_ctl)</flag>
 	<flag name="split-ucode">install the split binary ucode files (used by the kernel directly)</flag>
+	<flag name="vanilla">install only microcode updates from Intel's official microcode tarball</flag>
 </use>
 </pkgmetadata>