
Re: amd64-microcode, test



Thanks again, Emilio,

I have updated the package, uploaded it here [1] and attached a new
debdiff. Now I have some experience of backporting packages into older
releases.

[1] https://people.debian.org/~gladk/amd64-microcode_jessie/

Regards

Anton

On 3/13/20 10:39 AM, Emilio Pozuelo Monfort wrote:
> Well you used 3.20181128.1+deb8u1, which is higher than what is in buster. You
> should use ~ when backporting a version from a newer release.
> 
> Cheers,
> Emilio
> 
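Emilio's point about `~`, as an added example that is not part of the original message: a small Python reimplementation of Debian version ordering (the rules `dpkg --compare-versions` applies), run over the version strings from this thread. It assumes the newer release carries 3.20181128.1, the unstable entry being backported in the changelog below; the function names are made up for this illustration.

```python
import re


def _order(ch):
    """Sort weight of one character inside a non-digit run."""
    if ch == "~":
        return -1            # tilde sorts before everything, even end of string
    if ch.isalpha():
        return ord(ch)       # letters sort before other punctuation
    return ord(ch) + 256     # '+', '.', '-' and friends sort after letters


def _cmp_fragment(a, b):
    """Compare two upstream-version or revision strings; returns -1, 0 or 1."""
    while a or b:
        # 1. Compare the leading non-digit runs character by character.
        na = re.match(r"[^0-9]*", a).group()
        nb = re.match(r"[^0-9]*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for k in range(max(len(na), len(nb))):
            ca = _order(na[k]) if k < len(na) else 0   # 0 = digit or end
            cb = _order(nb[k]) if k < len(nb) else 0
            if ca != cb:
                return -1 if ca < cb else 1
        # 2. Compare the following digit runs numerically (empty counts as 0).
        da = re.match(r"[0-9]*", a).group()
        db = re.match(r"[0-9]*", b).group()
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or "0"), int(db or "0")
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def split_version(version):
    """Split [epoch:]upstream[-revision] into (epoch, upstream, revision)."""
    epoch, rest = "0", version
    if ":" in version:
        epoch, rest = version.split(":", 1)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:                       # native version, no Debian revision
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a sorts before, equal to or after b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def backport_version_ok(current, backport, newer_release):
    """True when current < backport < newer_release, i.e. the backport is an
    upgrade for the old release and the newer release still upgrades it."""
    return (compare_versions(current, backport) < 0
            and compare_versions(backport, newer_release) < 0)


if __name__ == "__main__":
    CURRENT = "2.20160316.1~deb8u1"   # version replaced by this debdiff
    NEWER = "3.20181128.1"            # assumed version in the newer release
    for candidate in ("3.20181128.1+deb8u1", "3.20181128.1~deb8u1"):
        verdict = "ok" if backport_version_ok(CURRENT, candidate, NEWER) else "sorts too high"
        print(candidate, verdict)
```

With the `+deb8u1` suffix the backport sorts above the newer release's version, so a later dist-upgrade would keep the old-release build installed; the `~deb8u1` suffix avoids that.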
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/amd64-microcode.default amd64-microcode-3.20181128.1~deb8u1/debian/amd64-microcode.default
--- amd64-microcode-2.20160316.1~deb8u1/debian/amd64-microcode.default	1970-01-01 01:00:00.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/amd64-microcode.default	2018-12-15 03:43:55.000000000 +0100
@@ -0,0 +1,13 @@
+# Configuration script for amd64-microcode version 3
+
+#
+# initramfs helper
+#
+
+#
+# Set this to "no" to disable automatic microcode updates on boot;
+# Set this to "early" to always install microcode updates to the early initramfs
+# Set this to "auto" to autodetect mode for current system (default);
+#
+#AMD64UCODE_INITRAMFS=auto
+
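Review bot: The comment block above `#AMD64UCODE_INITRAMFS=auto` documents only "no", "early" and "auto", yet the initramfs.hook changes in this same debdiff still accept `yes` and `1`, warn with "initramfs mode not supported, using early-initramfs mode", and carry on in early mode. The removed version 2 debian/default told users that "yes" would later alias to "early", so systems upgrading with `AMD64UCODE_INITRAMFS=yes` already set will see that warning; one extra comment line saying that "yes" is now treated as "early" would explain it. The three "Set this to" lines also end inconsistently (two with a semicolon, one without).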
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/amd64-microcode.dirs amd64-microcode-3.20181128.1~deb8u1/debian/amd64-microcode.dirs
--- amd64-microcode-2.20160316.1~deb8u1/debian/amd64-microcode.dirs	1970-01-01 01:00:00.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/amd64-microcode.dirs	2018-12-15 03:43:55.000000000 +0100
@@ -0,0 +1,3 @@
+etc/default
+etc/modprobe.d
+lib/firmware/amd-ucode
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/amd64-microcode.docs amd64-microcode-3.20181128.1~deb8u1/debian/amd64-microcode.docs
--- amd64-microcode-2.20160316.1~deb8u1/debian/amd64-microcode.docs	1970-01-01 01:00:00.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/amd64-microcode.docs	2018-12-15 03:43:55.000000000 +0100
@@ -0,0 +1,3 @@
+README
+microcode_amd.bin.README
+microcode_amd_fam*.README
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/amd64-microcode.install amd64-microcode-3.20181128.1~deb8u1/debian/amd64-microcode.install
--- amd64-microcode-2.20160316.1~deb8u1/debian/amd64-microcode.install	1970-01-01 01:00:00.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/amd64-microcode.install	2018-12-15 03:43:55.000000000 +0100
@@ -0,0 +1,2 @@
+microcode_amd.bin	/lib/firmware/amd-ucode
+microcode_amd_fam*.bin	/lib/firmware/amd-ucode
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/amd64-microcode.modprobe-blacklist amd64-microcode-3.20181128.1~deb8u1/debian/amd64-microcode.modprobe-blacklist
--- amd64-microcode-2.20160316.1~deb8u1/debian/amd64-microcode.modprobe-blacklist	1970-01-01 01:00:00.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/amd64-microcode.modprobe-blacklist	2018-12-15 03:43:55.000000000 +0100
@@ -0,0 +1,3 @@
+# The microcode module attempts to apply a microcode update when
+# it autoloads.  This is not always safe, so we block it by default.
+blacklist microcode
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/amd64-microcode.postinst amd64-microcode-3.20181128.1~deb8u1/debian/amd64-microcode.postinst
--- amd64-microcode-2.20160316.1~deb8u1/debian/amd64-microcode.postinst	1970-01-01 01:00:00.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/amd64-microcode.postinst	2018-12-15 03:43:55.000000000 +0100
@@ -0,0 +1,46 @@
+#!/bin/sh
+# postinst script for amd64-microcode
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postinst> `configure' <most-recently-configured-version>
+#        * <old-postinst> `abort-upgrade' <new version>
+#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
+#          <new-version>
+#        * <postinst> `abort-remove'
+#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
+#          <failed-install-package> <version> `removing'
+#          <conflicting-package> <version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+    configure)
+	# do it like udev and firmware-linux-*
+	if [ -x /usr/sbin/update-initramfs ] && [ -e /etc/initramfs-tools/initramfs.conf ] ; then
+	    update-initramfs -u && {
+		echo "amd64-microcode: microcode will be updated at next boot" >&2
+	    }
+	else
+	    echo "amd64-microcode: initramfs support missing" >&2
+	fi
+    ;;
+
+    abort-upgrade|abort-remove|abort-deconfigure)
+    ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
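Review bot: In the `configure` branch, `update-initramfs -u && { echo ...; }` runs `update-initramfs -u` as the non-final command of an AND list, so `set -e` does not abort when it fails: the script reports nothing itself and still reaches `exit 0`. The content is unchanged from the removed debian/postinst, so this is inherited rather than introduced, but since version 3 applies microcode only through the early initramfs, a failed rebuild leaves the system on the old microcode with no message from the package. Suggest an explicit failure message on stderr after the AND list (or letting the failure propagate) so the administrator can tell the two outcomes apart.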
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/amd64-microcode.postrm amd64-microcode-3.20181128.1~deb8u1/debian/amd64-microcode.postrm
--- amd64-microcode-2.20160316.1~deb8u1/debian/amd64-microcode.postrm	1970-01-01 01:00:00.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/amd64-microcode.postrm	2018-12-15 03:43:55.000000000 +0100
@@ -0,0 +1,42 @@
+#!/bin/sh
+# postrm script for amd64-microcode
+#
+# see: dh_installdeb(1)
+
+set -e
+
+# summary of how this script can be called:
+#        * <postrm> `remove'
+#        * <postrm> `purge'
+#        * <old-postrm> `upgrade' <new-version>
+#        * <new-postrm> `failed-upgrade' <old-version>
+#        * <new-postrm> `abort-install'
+#        * <new-postrm> `abort-install' <old-version>
+#        * <new-postrm> `abort-upgrade' <old-version>
+#        * <disappearer's-postrm> `disappear' <overwriter>
+#          <overwriter-version>
+# for details, see http://www.debian.org/doc/debian-policy/ or
+# the debian-policy package
+
+case "$1" in
+    purge|remove)
+	if [ -x /usr/sbin/update-initramfs -a -e /etc/initramfs-tools/initramfs.conf ] ; then
+	    update-initramfs -u
+	fi
+    ;;
+
+    upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+    ;;
+
+    *)
+        echo "postrm called with unknown argument \`$1'" >&2
+        exit 1
+    ;;
+esac
+
+# dh_installdeb will replace this with shell code automatically
+# generated by other debhelper scripts.
+
+#DEBHELPER#
+
+exit 0
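Review bot: The test in the `purge|remove` branch is written as `[ -x /usr/sbin/update-initramfs -a -e /etc/initramfs-tools/initramfs.conf ]`, while the postinst in this same package writes the identical check as two tests joined with `&&`. The `-a` operator of `test` is marked obsolescent in POSIX; using `[ -x ... ] && [ -e ... ]` here as well keeps the two maintainer scripts consistent.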
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/changelog amd64-microcode-3.20181128.1~deb8u1/debian/changelog
--- amd64-microcode-2.20160316.1~deb8u1/debian/changelog	2016-03-19 18:22:44.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/changelog	2020-03-12 20:29:09.000000000 +0100
@@ -1,8 +1,119 @@
-amd64-microcode (2.20160316.1~deb8u1) stable; urgency=critical
+amd64-microcode (3.20181128.1~deb8u1) jessie-security; urgency=high
 
-  * This is exactly the same release as 2.20160316.1
+  * Non-maintainer upload by the LTS Security Team.
+  * New upstream release.
+  * Add IBPB support for family 17h AMD processors (CVE-2017-5715)
+    (since version 3.20180515.1).
 
- -- Henrique de Moraes Holschuh <hmh@debian.org>  Sat, 19 Mar 2016 14:21:54 -0300
+ -- Anton Gladky <gladk@debian.org>  Thu, 12 Mar 2020 20:29:09 +0100
+
+amd64-microcode (3.20181128.1) unstable; urgency=medium
+
+  * New microcode update packages from AMD upstream:
+    + New Microcodes:
+      sig 0x00800f82, patch id 0x0800820b, 2018-06-20
+  * README: update for new release
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Sat, 15 Dec 2018 18:42:12 -0200
+
+amd64-microcode (3.20180524.1) unstable; urgency=high
+
+  * New microcode update packages from AMD upstream:
+    + Re-added Microcodes:
+      sig 0x00610f01, patch id 0x06001119, 2012-07-13
+  * This update avoids regressing sig 0x610f01 processors on systems with
+    outdated firmware by adding back exactly the same microcode patch that was
+    present before [for these processors].  It does not implement Spectre-v2
+    mitigation for these processors.
+  * README: update for new release
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Fri, 25 May 2018 15:38:22 -0300
+
+amd64-microcode (3.20180515.1) unstable; urgency=high
+
+  * New microcode update packages from AMD upstream:
+    + New Microcodes:
+      sig 0x00800f12, patch id 0x08001227, 2018-02-09
+    + Updated Microcodes:
+      sig 0x00600f12, patch id 0x0600063e, 2018-02-07
+      sig 0x00600f20, patch id 0x06000852, 2018-02-06
+    + Removed Microcodes:
+      sig 0x00610f01, patch id 0x06001119, 2012-07-13
+  * Adds Spectre v2 (CVE-2017-5715) microcode-based mitigation support,
+    plus other unspecified fixes/updates.
+  * README, debian/copyright: update for new release
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Sat, 19 May 2018 13:51:06 -0300
+
+amd64-microcode (3.20171205.2) unstable; urgency=medium
+
+  * debian/control: update Vcs-* fields for salsa.debian.org
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Fri, 04 May 2018 07:51:40 -0300
+
+amd64-microcode (3.20171205.1) unstable; urgency=high
+
+  * New microcode updates (closes: #886382):
+    sig 0x00800f12, patch id 0x08001213, 2017-12-05
+    Thanks to SuSE for distributing these ahead of AMD's official release!
+  * Add IBPB support for family 17h AMD processors (CVE-2017-5715)
+  * README: describe source for faml17h microcode update
+  * Upload to unstable to match IBPB microcode support on Intel in Debian
+    unstable.
+  * WARNING: requires at least kernel 4.15, 4.14.13, 4.9.76, 4.4.111 (or a
+    backport of commit f4e9b7af0cd58dd039a0fb2cd67d57cea4889abf
+    "x86/microcode/AMD: Add support for fam17h microcode loading") otherwise
+    it will not be applied to the processor.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Mon, 08 Jan 2018 12:19:57 -0200
+
+amd64-microcode (3.20160316.3) unstable; urgency=medium
+
+  * initramfs: Make the early initramfs reproducible (closes: #845194)
+  * rules: switch to simplified dh-based build (debhelper v9)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Tue, 29 Nov 2016 23:54:53 -0200
+
+amd64-microcode (3.20160316.2) unstable; urgency=medium
+
+  * NEWS.debian: fix minor typo
+  * debian/control, debian/compat: bump debhelper compat mode to 9
+  * debian/control: bump standards version to 3.9.8 (no changes needed)
+  * debian/: prefix binary-package control files with package name
+  * debian/control: recommend tiny-initramfs as an alternative to
+    initramfs-tools tiny-initramfs specifically supports early microcode
+    updates, so it is a viable alternative to initramfs-tools
+    (closes: #839882)
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Sun, 09 Oct 2016 15:43:16 -0300
+
+amd64-microcode (3.20160316.1) unstable; urgency=low
+
+  * Bump major version number to 3: early-initramfs support
+  * Support is now restricted to Linux kernel 3.14 and later.  For older
+    kernels, please use the version 2 (older) branch of the package.
+  * Implement early-initramfs mode, and remove normal mode
+    * debian/control: add versioned recommends for initramfs-tools and
+      dracut.  Note that dracut 044 is required for Linux 4.4 and later,
+      otherwise dracut 040 would be enough
+    * debian/default: add early mode, remove normal mode from comments
+    * initramfs hook: use cpio to generate an early-initramfs with
+      microcode for all processors, blacklist kernels older than 3.14,
+      and remove normal mode support.
+    * initramfs.init-premount: remove, not needed for early-initramfs
+    * debian/rules: don't install init-premount initramfs script.
+  * initramfs.hook: detect a missing microcode.ko and don't attempt to
+    force_load() it.  In verbose mode, log when the microcode driver is
+    modular.  For Linux 4.4 and later, skip the module loading logic
+    (closes: #809444)
+  * README.Debian: update for early initramfs support, and add information
+    on how to disable early updates using the dis_ucode_ldr kernel boot
+    parameter
+  * Support for x32 was enabled in debian/control for the 2.20160316.1
+    upload, but the changelog did not record this by mistake.  The missing
+    entry was retroactively added to debian/changelog by this upload
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>  Sun, 10 Apr 2016 16:31:23 -0300
 
 amd64-microcode (2.20160316.1) unstable; urgency=critical
 
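Review bot: The new top entry repeats "Add IBPB support for family 17h AMD processors (CVE-2017-5715)" but drops the WARNING attached to that item in the 3.20171205.1 entry further down: the fam17h microcode is only applied on kernel 4.15, 4.14.13, 4.9.76, 4.4.111 or later, or with a backport of commit f4e9b7af0cd58dd039a0fb2cd67d57cea4889abf. Administrators of the target release will mostly read the top entry and the advisory, so it should say which of that release's kernels meet the requirement, and that version 3 needs Linux 3.14 or later at all (per the 3.20160316.1 entry). It is also worth carrying up the 3.20180524.1 caveat that sig 0x610f01 processors get no Spectre-v2 mitigation from this package.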
@@ -28,6 +139,7 @@
     ring 0 code injection attack.
   * The erratum is timing-dependant, easily triggered by workloads that cause
     a high number of NMIs, such as running the "perf" tool.
+  * debian/control: enable buiding on x32 (closes: #777233)
 
  -- Henrique de Moraes Holschuh <hmh@debian.org>  Sat, 19 Mar 2016 14:02:44 -0300
 
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/compat amd64-microcode-3.20181128.1~deb8u1/debian/compat
--- amd64-microcode-2.20160316.1~deb8u1/debian/compat	2016-03-19 17:43:16.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/compat	2018-12-15 03:43:55.000000000 +0100
@@ -1 +1 @@
-7
+9
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/control amd64-microcode-3.20181128.1~deb8u1/debian/control
--- amd64-microcode-2.20160316.1~deb8u1/debian/control	2016-03-19 18:21:48.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/control	2018-12-15 03:43:55.000000000 +0100
@@ -3,14 +3,15 @@
 Priority: standard
 Maintainer: Henrique de Moraes Holschuh <hmh@debian.org>
 Uploaders: Giacomo Catenazzi <cate@debian.org>
-Build-Depends: debhelper (>= 7)
-Standards-Version: 3.9.6
-Vcs-Git: git://git.debian.org/users/hmh/amd64-microcode.git
-Vcs-Browser: http://git.debian.org/?p=users/hmh/amd64-microcode.git
+Build-Depends: debhelper (>= 9)
+Standards-Version: 3.9.8
+Vcs-Git: https://salsa.debian.org/hmh/amd64-microcode.git
+Vcs-Browser: https://salsa.debian.org/hmh/amd64-microcode
 XS-Autobuild: yes
 
 Package: amd64-microcode
 Architecture: i386 amd64 x32
+Recommends: initramfs-tools (>= 0.113~) | dracut (>= 044) | tiny-initramfs
 Depends: ${misc:Depends}
 Breaks: intel-microcode (<< 2)
 Description: Processor microcode firmware for AMD CPUs
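Review bot: The added `Recommends: initramfs-tools (>= 0.113~) | dracut (>= 044) | tiny-initramfs` line is taken over from unstable, and nothing in the new changelog entry says it was checked against the backport target. README.Debian in this debdiff states that updates are now applied only through an early initramfs, so if none of the three alternatives is satisfiable at the stated version in jessie, the package installs cleanly and never applies the microcode. Please confirm which alternatives exist in jessie at those versions and trim the line accordingly; the same applies to the kernel 3.14 minimum, which no package relationship expresses.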
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/copyright amd64-microcode-3.20181128.1~deb8u1/debian/copyright
--- amd64-microcode-2.20160316.1~deb8u1/debian/copyright	2016-03-19 17:43:16.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/copyright	2018-12-15 03:43:55.000000000 +0100
@@ -2,8 +2,9 @@
 Sun Jun 10 10:54:36 BRT 2012
 
 It was downloaded from http://www.amd64.org/support/microcode.html up to
-version 20120910 (now: http://www.amd64.org/microcode.html).  It was built from
-the linux-firmware git tree at  for version 20131007 onwards.
+version 20120910 (now: http://www.amd64.org/microcode.html).  For version
+20131007 onwards, it was built from the linux-firmware git repository at:
+https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/
 
 Debian only distributes the AMD64 microcode file in its unaltered form.
 
@@ -13,7 +14,7 @@
 
 Upstream Copyright: 
 
-    Copyright (C) 2010-2014 Advanced Micro Devices, Inc.,
+    Copyright (C) 2010-2018 Advanced Micro Devices, Inc.
     All rights reserved.
 
 Upstream License:
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/default amd64-microcode-3.20181128.1~deb8u1/debian/default
--- amd64-microcode-2.20160316.1~deb8u1/debian/default	2016-03-19 17:43:16.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/default	1970-01-01 01:00:00.000000000 +0100
@@ -1,16 +0,0 @@
-# Configuration script for amd64-microcode version 2
-
-#
-# initramfs helper
-#
-
-# Set this to "no" to disable automatic microcode updates on boot;
-# Set this to "yes" to always install microcode updates to the initramfs;
-# Set this to "auto" to use initramfs mode automatically (default);
-#
-# Note: "early" mode is not yet supported in amd64-microcode version 2.
-# It will be implemented in version 3, at which point "yes" will alias
-# to "early", and only "early microcode updates" will be supported.
-#
-#AMD64UCODE_INITRAMFS=auto
-
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/dirs amd64-microcode-3.20181128.1~deb8u1/debian/dirs
--- amd64-microcode-2.20160316.1~deb8u1/debian/dirs	2016-03-19 17:43:16.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/dirs	1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-etc/default
-etc/modprobe.d
-lib/firmware/amd-ucode
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/docs amd64-microcode-3.20181128.1~deb8u1/debian/docs
--- amd64-microcode-2.20160316.1~deb8u1/debian/docs	2016-03-19 17:43:16.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/docs	1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-README
-microcode_amd.bin.README
-microcode_amd_fam*.README
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/initramfs.hook amd64-microcode-3.20181128.1~deb8u1/debian/initramfs.hook
--- amd64-microcode-2.20160316.1~deb8u1/debian/initramfs.hook	2016-03-19 17:43:16.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/initramfs.hook	2018-12-15 03:43:55.000000000 +0100
@@ -1,11 +1,10 @@
 #!/bin/sh
 # amd64-microcode initramfs-tools hook script
-# Copyright (C) 2012-2014 Henrique de Moraes Holschuh <hmh@debian.org>
+# Copyright (C) 2012-2016 Henrique de Moraes Holschuh <hmh@debian.org>
 # Released under the GPL v2 or later license
 #
-# Generates a copy of the minimal microcode for the current system if
-# possible, and installs it in the initramfs.
-#
+# Generates a copy of the minimal microcode for all AMD processors
+# and installs it to the early initramfs
 
 PREREQ=""
 AMD64UCODE_CONFIG=/etc/default/amd64-microcode
@@ -26,10 +25,10 @@
 
 verbose()
 {
-	if [ "${verbose}" = "y" ] ; then
-		echo "amd64-microcode: $*"
-	fi
-	:
+    if [ "${verbose}" = "y" ] ; then
+        echo "I: amd64-microcode: $*"
+    fi
+    :
 }
 
 AUCODE_FW_DIR=/lib/firmware/amd-ucode
@@ -39,8 +38,8 @@
 [ -z "${AMD64UCODE_INITRAMFS}" ] && AMD64UCODE_INITRAMFS=no
 
 if [ ! -d "${AUCODE_FW_DIR}" ] ; then
-	verbose "no AMD64 processor microcode datafiles to install"
-	exit 0;
+    verbose "no AMD64 processor microcode datafiles to install"
+    exit 0
 fi
 
 case "${AMD64UCODE_INITRAMFS}" in
@@ -48,11 +47,11 @@
         verbose "disabled by ${AMD64UCODE_CONFIG}"
         exit 0
         ;;
-    early)
-	echo "W: amd64-microcode: early mode not supported, forcing late initramfs mode" >&2
-        AMD64UCODE_INITRAMFS=yes
+    auto|early)
         ;;
-    yes|1|auto)
+    yes|1)
+        echo "W: amd64-microcode: initramfs mode not supported, using early-initramfs mode" >&2
+        AMD64UCODE_INITRAMFS=early
         ;;
     *)
         echo "E: amd64-microcode: invalid AMD64UCODE_INITRAMFS, using automatic mode" >&2
@@ -60,39 +59,69 @@
 esac
 
 if [ "${AMD64UCODE_INITRAMFS}" = "auto" ] ; then
-        grep -q "^vendor_id[[:blank:]]*:[[:blank:]]*.*AuthenticAMD" /proc/cpuinfo || {
-                verbose "no AMD processors detected, nothing to do"
-                exit 0
-        }
+    grep -q "^vendor_id[[:blank:]]*:[[:blank:]]*.*AuthenticAMD" /proc/cpuinfo || {
+        verbose "no AMD processors detected, nothing to do"
+        exit 0
+    }
 fi
 
-# See Debian bug #716917.  Blacklist all non-LTS/non-Debian kernel versions
-# before kernel 3.4  Only known-bad kernel is 2.6.38.
-#
-# This doesn't blacklist early kernels in the LTS branches, we don't have enough
-# information at the initramfs-tools layer, due to the way Debian and Ubuntu version
-# kernel packages.
-
-if dpkg --compare-versions "${version}" le 3.4 && \
-     { dpkg --compare-versions "${version}" lt 2.6.32 || \
-      { dpkg --compare-versions "${version}" ge 2.6.33 && dpkg --compare-versions "${version}" lt 3.0 ; } || \
-      { dpkg --compare-versions "${version}" ge 3.1 && dpkg --compare-versions "${version}" lt 3.2 ; } || \
-      dpkg --compare-versions "${version}" ge 3.3 ; \
-     }; then
-	echo "E: amd64-microcode: unsupported kernel version!" >&2
-	exit 0
+# whitelist AMD early updates for kernels 3.14 and later
+if dpkg --compare-versions "${version}" lt 3.14 ; then
+    echo "E: amd64-microcode: unsupported kernel version!" >&2
+    exit 0
 fi
 
-verbose "installing all microcode datafiles for AMD64 processors"
+verbose "installing AMD64 microcode into the early initramfs..."
+
+# set during package build to the date from the package *version*
+CHANGELOG_TS=@CHANGELOG_TS@
+
+EFWD=$(mktemp -d "${TMPDIR:-/var/tmp}/mkinitramfs-EFW_XXXXXXXXXX") || {
+    echo "E: amd64-microcode: cannot create temporary directory" >&2
+    exit 1
+}
+# paranoia
+[ ! -d "${EFWD}" ] && {
+    echo "E: amd64-microcode: mktemp -d malfunction" >&2
+    exit 1
+}
 
-# Generate firmware dir
-mkdir -m 755 -p "${DESTDIR}${AUCODE_FW_DIR}" || true
-cp -fr "${AUCODE_FW_DIR}/." "${DESTDIR}${AUCODE_FW_DIR}/."
-
-if ! rmdir "${DESTDIR}${AUCODE_FW_DIR}" 2>/dev/null ; then
-	# The directory was not empty, so we have work to do
-	verbose "installing AMD64 processor microcode update support into initramfs..."
-	force_load microcode
+EFWE="${EFWD}/early-initramfs.cpio"
+
+EFWCD="${EFWD}/d/kernel/x86/microcode"
+EFWF="${EFWCD}/AuthenticAMD.bin"
+
+# note: to build a reproducible early initramfs, we force
+# the microcode component ordering inside the microcode
+# firmware file, as well as the timestamp and ordering of
+# all cpio members.
+mkdir -p "${EFWCD}" && \
+ find "${AUCODE_FW_DIR}/." -maxdepth 1 -type f -print0 | LC_ALL=C sort -z | xargs -0 -r cat 2>/dev/null >"${EFWF}" && \
+ find "${EFWD}" -print0 | xargs -0r touch --no-dereference --date="@${CHANGELOG_TS}" && { \
+    # --reproducible requires cpio >= 2.12
+    cpio --usage | grep -qs -- "--reproducible" && cpio_reproducible="--reproducible" || true
+ } && test -s "${EFWF}" && \
+ ( cd "${EFWD}/d" ; find . -print0 | LC_ALL=C sort -z | cpio --null $cpio_reproducible -R 0:0 -H newc -o --quiet > "${EFWE}" ) \
+&& prepend_earlyinitramfs "${EFWE}" || {
+    # something failed somewhere in that pipeline
+    [ -d "${EFWD}" ] && rm -fr "${EFWD}"
+    echo "E: amd64-microcode: failed to create or prepend the early initramfs to the initramfs" >&2
+    exit 0
+}
+
+[ -d "${EFWD}" ] && rm -fr "${EFWD}"
+
+# attempt to load microcode module to get proper logging.
+# microcode support cannot be made modular since Linux 4.4
+
+if dpkg --compare-versions "${version}" lt 4.4 ; then
+    manual_add_modules microcode && {
+        # force_load has broken semanthics when the .ko file is missing
+        find "${DESTDIR}/${MODULESDIR}" -type f -print | grep -qc '/microcode\.ko$' && {
+          verbose "modular microcode driver detected"
+          force_load microcode
+        }
+    }
 fi
 
 :
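Review bot: The failure branch of the long `mkdir -p "${EFWCD}" && ... && prepend_earlyinitramfs "${EFWE}" || { ... }` chain ends in `exit 0`, so any failure inside it (cat, touch, cpio, or prepend_earlyinitramfs itself) produces an initramfs without microcode while update-initramfs succeeds and the postinst still prints "microcode will be updated at next boot". One way into that branch is specific to a rebuild: `CHANGELOG_TS=@CHANGELOG_TS@` has to be substituted at package build time, and the debian/rules change that does so is not among the hunks shown here; left unsubstituted, `touch --no-dereference --date="@${CHANGELOG_TS}"` fails and the microcode is dropped. Please confirm that the hook in the built jessie package carries a numeric timestamp, and consider an EXIT trap for removing `${EFWD}` instead of the two explicit `rm -fr` calls, so the temporary directory is also cleaned up when the hook is interrupted. Minor: "semanthics" in the comment above `force_load microcode`, and `grep -qc` where `-q` alone is enough.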
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/initramfs.init-premount amd64-microcode-3.20181128.1~deb8u1/debian/initramfs.init-premount
--- amd64-microcode-2.20160316.1~deb8u1/debian/initramfs.init-premount	2016-03-19 17:43:16.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/initramfs.init-premount	1970-01-01 01:00:00.000000000 +0100
@@ -1,63 +0,0 @@
-#!/bin/sh
-# amd64-microcode initramfs-tools boot script
-# Copyright (C) 2012,2013 Henrique de Moraes Holschuh <hmh@debian.org>
-# Released under the GPL v2 or later license
-#
-# Triggers kernel firmware update requests for processor microcode
-# when required.
-#
-
-# dependencies: firmware loader, microcode kernel support (built-in/module)
-
-PREREQ=""
-
-prereqs()
-{
-   echo "$PREREQ"
-}
-
-case $1 in
-prereqs)
-   prereqs
-   exit 0
-   ;;
-esac
-
-# hack to strip spaces
-is_amd()
-{
-    [ "x$1" = "xvendor_id" ] && [ "x$2" = "xAuthenticAMD" ] && HAS_AMD=1
-}
-
-# Only continue if we do possibly have firmware to install
-[ -d /lib/firmware/amd-ucode ] || exit 0
-
-# module load will already have caused the microcode to be fetched
-{ while read -r module trash ; do [ "x$module" = "xmicrocode" ] && exit 0 ; done ; } < /proc/modules
-
-# don't run on non-AMD
-HAS_AMD=0
-{ while IFS=: read -r field value ; do is_amd $field $value ; done ; } < /proc/cpuinfo
-[ $HAS_AMD -eq 0 ] && exit 0;
-
-. /scripts/functions
-
-if [ -e /sys/devices/system/cpu/microcode/reload ] ; then
-    echo 1 > /sys/devices/system/cpu/microcode/reload || {
-	log_warning_msg "could not update the microcode of every processor"
-    }
-else
-    # Try all online processors, broken kernels need this,
-    # fixed kernels will accept it only on the BSP and update
-    # all processors anyway, and -EINVAL all others... but we
-    # don't know which one is the BSP, so we try all of them
-    # and hide errors, the kernel will log any real problem.
-
-    log_begin_msg "Requesting microcode update using per-core interface"
-    for i in /sys/devices/system/cpu/cpu[0-9]*/microcode/reload ; do
-	echo 1 2>/dev/null > "$i" || true
-    done
-    log_end_msg
-fi
-
-:
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/install amd64-microcode-3.20181128.1~deb8u1/debian/install
--- amd64-microcode-2.20160316.1~deb8u1/debian/install	2016-03-19 17:43:16.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/install	1970-01-01 01:00:00.000000000 +0100
@@ -1,2 +0,0 @@
-microcode_amd.bin	/lib/firmware/amd-ucode
-microcode_amd_fam*.bin	/lib/firmware/amd-ucode
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/modprobe-blacklist amd64-microcode-3.20181128.1~deb8u1/debian/modprobe-blacklist
--- amd64-microcode-2.20160316.1~deb8u1/debian/modprobe-blacklist	2016-03-19 17:43:16.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/modprobe-blacklist	1970-01-01 01:00:00.000000000 +0100
@@ -1,3 +0,0 @@
-# The microcode module attempts to apply a microcode update when
-# it autoloads.  This is not always safe, so we block it by default.
-blacklist microcode
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/NEWS amd64-microcode-3.20181128.1~deb8u1/debian/NEWS
--- amd64-microcode-2.20160316.1~deb8u1/debian/NEWS	2016-03-19 17:43:16.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/NEWS	2018-12-15 03:43:55.000000000 +0100
@@ -8,9 +8,10 @@
     issues caused by the AMD microcode update itself when done outside of
     the boot process.
 
-    However, updating only on boot works around a very elusive issue in the
-    the Linux kernel microcode update driver for AMD processors, which may
-    or may not have been fixed in the latest stable/long-term kernels.
+    However, updating only on boot works around a very elusive issue in
+    the Linux kernel microcode update driver for AMD processors, which
+    may or may not have been fixed in the latest stable/long-term
+    kernels.
 
     It is now possible to configure how the amd64-microcode package should
     behave through the /etc/default/amd64-microcode file.  By default, it
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/postinst amd64-microcode-3.20181128.1~deb8u1/debian/postinst
--- amd64-microcode-2.20160316.1~deb8u1/debian/postinst	2016-03-19 17:43:16.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/postinst	1970-01-01 01:00:00.000000000 +0100
@@ -1,46 +0,0 @@
-#!/bin/sh
-# postinst script for amd64-microcode
-#
-# see: dh_installdeb(1)
-
-set -e
-
-# summary of how this script can be called:
-#        * <postinst> `configure' <most-recently-configured-version>
-#        * <old-postinst> `abort-upgrade' <new version>
-#        * <conflictor's-postinst> `abort-remove' `in-favour' <package>
-#          <new-version>
-#        * <postinst> `abort-remove'
-#        * <deconfigured's-postinst> `abort-deconfigure' `in-favour'
-#          <failed-install-package> <version> `removing'
-#          <conflicting-package> <version>
-# for details, see http://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-
-case "$1" in
-    configure)
-	# do it like udev and firmware-linux-*
-	if [ -x /usr/sbin/update-initramfs ] && [ -e /etc/initramfs-tools/initramfs.conf ] ; then
-	    update-initramfs -u && {
-		echo "amd64-microcode: microcode will be updated at next boot" >&2
-	    }
-	else
-	    echo "amd64-microcode: initramfs support missing" >&2
-	fi
-    ;;
-
-    abort-upgrade|abort-remove|abort-deconfigure)
-    ;;
-
-    *)
-        echo "postinst called with unknown argument \`$1'" >&2
-        exit 1
-    ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/postrm amd64-microcode-3.20181128.1~deb8u1/debian/postrm
--- amd64-microcode-2.20160316.1~deb8u1/debian/postrm	2016-03-19 17:43:16.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/postrm	1970-01-01 01:00:00.000000000 +0100
@@ -1,42 +0,0 @@
-#!/bin/sh
-# postrm script for amd64-microcode
-#
-# see: dh_installdeb(1)
-
-set -e
-
-# summary of how this script can be called:
-#        * <postrm> `remove'
-#        * <postrm> `purge'
-#        * <old-postrm> `upgrade' <new-version>
-#        * <new-postrm> `failed-upgrade' <old-version>
-#        * <new-postrm> `abort-install'
-#        * <new-postrm> `abort-install' <old-version>
-#        * <new-postrm> `abort-upgrade' <old-version>
-#        * <disappearer's-postrm> `disappear' <overwriter>
-#          <overwriter-version>
-# for details, see http://www.debian.org/doc/debian-policy/ or
-# the debian-policy package
-
-case "$1" in
-    purge|remove)
-	if [ -x /usr/sbin/update-initramfs -a -e /etc/initramfs-tools/initramfs.conf ] ; then
-	    update-initramfs -u
-	fi
-    ;;
-
-    upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
-    ;;
-
-    *)
-        echo "postrm called with unknown argument \`$1'" >&2
-        exit 1
-    ;;
-esac
-
-# dh_installdeb will replace this with shell code automatically
-# generated by other debhelper scripts.
-
-#DEBHELPER#
-
-exit 0
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/README.Debian amd64-microcode-3.20181128.1~deb8u1/debian/README.Debian
--- amd64-microcode-2.20160316.1~deb8u1/debian/README.Debian	2016-03-19 17:43:16.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/README.Debian	2018-12-15 03:43:55.000000000 +0100
@@ -27,20 +27,74 @@
 outdated microcode, increasing the chances of incorrect system operation.
 
 Debian can apply microcode updates to the system processors during the
-operating system boot.  The following configurations are supported for
-the microcode driver:
+operating system boot automatically.  This requires the use of a suitably
+configured Linux kernel 3.14 or later, and an initramfs.
 
-1. When an initramfs image is used (Debian default), both modular and
-   built-in configs for the microcode driver will work, and microcode
-   will be updated by the initramfs.  You must run "update-initramfs -u"
-   when new microcode is manually installed to /lib/firmware (this will
-   be done automatically when new microcode is installed by a package
-   upgrade).
-
-2. When an initramfs image is not used, only the modular microcode
-   driver is supported.  If it doesn't autoload by itself in your kernel
-   version, you should add it to /etc/modules.  You must install either
-   the kmod or module-init-tools package, and the root filesystem with
-   /lib/firmware must be available when the modules are loaded.
 
- -- Henrique de Moraes Holschuh <hmh@debian.org>, 2012-07-09
+Installing microcode updates:
+
+For the Debian default kernel, it is enough to install the amd64-microcode
+package as well as the initramfs-tools package and the microcode update
+will be applied automatically at the next reboot.
+
+It is also possible to use "dracut" instead of initramfs-tools, but the
+support for early microcode updates must be enabled manually in
+dracut.conf (set the option "early_microcode=yes").  Force an update of
+the initramfs using dracut, and reboot.  Note that since Linux kernel 4.4,
+one must use dracut 044 or later.
+
+Applying the microcode updates without the use of an early initramfs is
+not automatically supported anymore, due to future safety concerns.
+However, the local administrator may trigger an immediate microcode update
+attempt at any time, at her own risk:
+
+  USING AN INITRAMFS+REBOOT IS SAFER.  DO THIS ONLY WHEN YOU KNOW BETTER:
+  as root:
+  echo 1 > /sys/devices/system/cpu/microcode/reload
+
+
+RECOVERY PROCEDURE:
+
+It is possible for a microcode update to not work well, or to not work at
+all on specific system models.  This is very rare when using the safe
+microcode update procedure described above and an up-to-date Linux kernel,
+but it has happened at least once.
+
+Should you experience problems because of the microcode update, you will
+have to bypass the microcode update process that happens during operating
+system startup (boot), and remove the amd64-microcode package until the
+underlying issue is fixed.
+
+To bypass the microcode update during system startup, you must instruct the
+boot loader (grub, lilo, etc) to pass the "dis_ucode_ldr" parameter
+(without the quotes) to the kernel.
+
+If your system uses grub (the default bootloader in Debian):
+
+  1. Access the grub menu during boot (press and hold the left "Shift"
+     key right after starting the system up if you don't see a grub menu
+     during boot);
+
+  2. Move the highlight/cursor to the kernel/boot option you want to
+     use, and press the "e" key to edit it;
+
+  3. Locate the line that starts with "linux" using the cursor
+     keys.  You must add the word "dis_ucode_ldr" (without the quotes) to
+     the end of that line;
+
+  4. Press "Ctrl+X" to start (boot) the system.  The microcode updates
+     will be skipped.
+
+After the system is running, remove or purge the amd64-microcode package.
+
+If removing/purging the package doesn't do it automatically for some
+reason, refresh the initramfs using the "update-initramfs -u" command (as
+the root user), and possibly "update-initramfs -u -k <kernel version>".
+
+"dracut" users, please refer to the dracut documentation on how to update
+the initramfs images for every installed kernel.
+
+Please report any issues caused by microcode updates to the mailing-list or
+to the Debian bug tracker.
+
+ -- Henrique de Moraes Holschuh <hmh@debian.org>, 2016-04-05
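Review bot: the removed item 2 (no initramfs, modular microcode driver loaded from /lib/firmware) gets no replacement other than "not automatically supported anymore, due to future safety concerns", so a system that boots without an initramfs will stop receiving microcode updates after this upgrade without being told. For an upload to a stable release, call that behaviour change out in a NEWS entry or the changelog, and state the concrete reason instead of "future safety concerns". The manual "echo 1 > /sys/devices/system/cpu/microcode/reload" step also gives the administrator no way to confirm the outcome; a sentence on checking the kernel log or the microcode field in /proc/cpuinfo before and after would help.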
diff -Nru amd64-microcode-2.20160316.1~deb8u1/debian/rules amd64-microcode-3.20181128.1~deb8u1/debian/rules
--- amd64-microcode-2.20160316.1~deb8u1/debian/rules	2016-03-19 17:43:16.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/debian/rules	2018-12-15 03:43:55.000000000 +0100
@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 # debian/rules for amd64-microcode
-# Copyright (C) 2012-2014 by Henrique de Moraes Holschuh
+# Copyright (C) 2012-2016 by Henrique de Moraes Holschuh
 # Published under the GNU GPL license version 2 or any later versions
 
 PACKAGE := amd64-microcode
@@ -13,52 +13,21 @@
 # Work around Debian bug #688794
 INITRAMFS_NAME := $(subst -,_,$(subst +,_,$(subst .,_,$(PACKAGE))))
 
-build-indep:
+# For reproducible builds...
+CHANGELOG_TS :=$(shell date -u +%s --date=$(shell dpkg-parsechangelog | sed -n -e "/^Version:/ {s/.*\.\([0-9]\{8\}\)\..*/\1/;p}"))
 
-build-arch:
+%:
+	dh $@
 
-build:
-
-clean:
-	dh_testdir
-	dh_testroot
-	dh_clean
-
-install:
+override_dh_auto_install:
 	dh_testdir
-	dh_testroot
-	dh_prep
-	dh_installdirs
 	dh_install
-
 	mkdir -p "$(PKGDIR)/usr/share/initramfs-tools/hooks"
-	install -m 755 "$(DEBDIR)/initramfs.hook" \
-		"$(PKGDIR)/usr/share/initramfs-tools/hooks/$(INITRAMFS_NAME)"
-	mkdir -p "$(PKGDIR)/usr/share/initramfs-tools/scripts/init-premount"
-	install -m 755 "$(DEBDIR)/initramfs.init-premount" \
-		"$(PKGDIR)/usr/share/initramfs-tools/scripts/init-premount/$(INITRAMFS_NAME)"
-
+	sed -e "s/@CHANGELOG_TS@/$(CHANGELOG_TS)/g" \
+	    <"$(DEBDIR)/initramfs.hook" \
+	    >"$(PKGDIR)/usr/share/initramfs-tools/hooks/$(INITRAMFS_NAME)"
+	chmod 755 "$(PKGDIR)/usr/share/initramfs-tools/hooks/$(INITRAMFS_NAME)"
 	# We have a /etc/default file, but no initscript
-	install -m 644 "$(DEBDIR)/default" "$(PKGDIR)/etc/default/$(PACKAGE)"
-
+	install -m 644 "$(DEBDIR)/$(PACKAGE).default" "$(PKGDIR)/etc/default/$(PACKAGE)"
 	# modprobe.d blacklist
-	install -m 644 "$(DEBDIR)/modprobe-blacklist" "$(PKGDIR)/etc/modprobe.d/$(PACKAGE)-blacklist.conf"
-
-binary: install
-	dh_testdir
-	dh_testroot
-	dh_installdocs
-	dh_installchangelogs
-	dh_lintian
-	dh_compress
-	dh_fixperms
-	dh_installdeb
-	dh_gencontrol
-	dh_md5sums
-	dh_builddeb
-
-binary-indep:
-
-binary-arch: binary
-
-.PHONY: build clean binary install binary-arch binary-indep
+	install -m 644 "$(DEBDIR)/$(PACKAGE).modprobe-blacklist" "$(PKGDIR)/etc/modprobe.d/$(PACKAGE)-blacklist.conf"
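Review bot: CHANGELOG_TS has no failure path. In the sed expression "/^Version:/ {s/.*\.\([0-9]\{8\}\)\..*/\1/;p}" the "p" runs whether or not the substitution matched, so for a version string without a ".YYYYMMDD." component date is handed "--date=Version:" plus a stray argument, $(shell ...) expands to nothing, and the hook is installed with @CHANGELOG_TS@ replaced by an empty string. Suggest quoting the --date argument and aborting the build when CHANGELOG_TS is empty. Two smaller points: override_dh_auto_install calls dh_install itself, which the "dh $@" sequence will run again afterwards, and the init-premount script is no longer installed, so please confirm that debian/initramfs.init-premount is dropped from the source as well.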
diff -Nru amd64-microcode-2.20160316.1~deb8u1/LICENSE.amd-ucode amd64-microcode-3.20181128.1~deb8u1/LICENSE.amd-ucode
--- amd64-microcode-2.20160316.1~deb8u1/LICENSE.amd-ucode	2016-02-28 23:49:29.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/LICENSE.amd-ucode	2018-05-19 18:45:14.000000000 +0200
@@ -1,4 +1,4 @@
-Copyright (C) 2010-2014 Advanced Micro Devices, Inc., All rights reserved.
+Copyright (C) 2010-2018 Advanced Micro Devices, Inc., All rights reserved.
 
 Permission is hereby granted by Advanced Micro Devices, Inc. ("AMD"),
 free of any license fees, to any person obtaining a copy of this
Binary files /tmp/zvUVwzDcZ7/amd64-microcode-2.20160316.1~deb8u1/microcode_amd_fam15h.bin and /tmp/1K7fAYenfb/amd64-microcode-3.20181128.1~deb8u1/microcode_amd_fam15h.bin differ
diff -Nru amd64-microcode-2.20160316.1~deb8u1/microcode_amd_fam15h.bin.asc amd64-microcode-3.20181128.1~deb8u1/microcode_amd_fam15h.bin.asc
--- amd64-microcode-2.20160316.1~deb8u1/microcode_amd_fam15h.bin.asc	2016-03-19 18:21:48.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/microcode_amd_fam15h.bin.asc	2018-12-15 03:36:28.000000000 +0100
@@ -1,11 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
-iQEcBAABAgAGBQJW6d1MAAoJEOS+UznzKK5zSxkH+gJLffKGRM9BHe0D0/fkb0Gs
-FZVp0eUNREOQoYwHJq9Ms1RebaZJkaUnd8SXCODJrqxDsxqUgunUtP6Qfh3Ru6fV
-n0wgFVISKSQVLDP+I/ANFbWA2KhV5e4LuLQp5cDSItv6916kmNlM5kxtJ5QBrNXu
-kr5bNReYgYTl7PSoCPuPfVILToG0ltZQMdKI1GImRCMVrYjGMbv8EyUC3r8ZbChG
-Lv6K0AsULA81lXBAW0JYlxu6cNv1MJ3mxttwCswaJNcd+Y11ZQA8r2sjJoWbNSlS
-nsDPLsUKE/RsW9MlMxiI2Jqo9PrZz923bu/cWMU1FPp+cJII0T7idWGUTVhQjc8=
-=MTxP
+iQEcBAABAgAGBQJbB09SAAoJEOS+UznzKK5z8kAIAK1In82D88fGFbhluAl13UFu
+rs8BhXKL2w7B2KAspBNTmYpIQnfvVDrZzn6t6nqssuJ4bnWH8sf0mC/w5dSQLG4M
+WdpDd+qkdkDGJFlbl3zkr14Q7ZCQPV44pT7BOF07VPflOeQQjRWug9cdyqRIfO4n
+XGR5wvBOJZ2BlriRkYagQHn6iB/UJWXodmTr8CRGIHTApQg6K0NPNvmbwa/W5Z9X
+bS6eniACMfFDH7NXG2uTpFiGa3DYbDyNZiZeM7Uv3BFxtAOGY8vTFghtRyk0qxAl
+o6d8fT6ozkTUxE40Lgb6MegDJPwJ+uDfB7jKVPnYsbDAp6K7L8k/7PQQQRJ69Pc=
+=k2EA
 -----END PGP SIGNATURE-----
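Review bot: the detached signature is replaced together with microcode_amd_fam15h.bin, but the debdiff only shows "Binary files ... differ", so nothing here lets a reviewer check that the two still belong together. Please confirm that the new microcode_amd_fam15h.bin.asc verifies against the shipped .bin with the AMD Microcode Signing Key whose fingerprint is recorded in README (FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73), and mention that check in the upload mail.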
Binary files /tmp/zvUVwzDcZ7/amd64-microcode-2.20160316.1~deb8u1/microcode_amd_fam17h.bin and /tmp/1K7fAYenfb/amd64-microcode-3.20181128.1~deb8u1/microcode_amd_fam17h.bin differ
diff -Nru amd64-microcode-2.20160316.1~deb8u1/microcode_amd_fam17h.bin.asc amd64-microcode-3.20181128.1~deb8u1/microcode_amd_fam17h.bin.asc
--- amd64-microcode-2.20160316.1~deb8u1/microcode_amd_fam17h.bin.asc	1970-01-01 01:00:00.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/microcode_amd_fam17h.bin.asc	2018-12-15 21:35:27.000000000 +0100
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEE15J9K0GJJtx9xI6sDKS4vABH4PkFAlv/CfcACgkQDKS4vABH
+4PksAhAAmfYROlv/xzR1iPxbxPLo9Cz9rv3iYwqAw8WD4Uum5KJHvkdyvofFWnPF
+FdH/wB3F6BniA/HxKHw4NoyhiKSqTcSl/RgKPwoSOFxBBUQQZdlkl1w5ta1mwiCu
+iSDP2+pdbjZmAKhH+GDkixZiECz8J9+oR8SM+VsWI6DopTIymc9mQaOSLV0iPJgX
+tc8wAw+X9LkpnfSuLGyzg/jHzHa9KWl4ki13ii6h46bdavxVHY39JTCa/Bg2wSXE
+zM3JFuJdRJJZrJaxcou/USa8l6lZS38x6OgThh3Rqf6O3vlJEpS4HSLB2yqJoDEj
+GUvoiJTiZLPXM7NT3/t+/lSk2bOHG6h0KqIUda41ZdtksWThgCs+WZmepyXn4StY
+sOyYMzBP2EqvHaA/FnYeezq5fCHVVLel7SggT8HZg9eYqQO+6rnOcXzuM39v1wm/
+GM+M4KYzLiHi9+1nVO2MByik21+QMc3EjTxEzyWd95+VzAT2kxxlkZ5cD8cTAfnB
+ysFNrd1jSBK5MeYBmjUkjTL9xy71rZjGWI61XU5G66h6Vu2XryCkBq/vA35rLnZB
+GBxq6ZpxdSAD96fdHEJuAaNX0ZvcWyNhvzJHe1dOPmeMHB/+gw1j1j4cUGNhkZ6C
+okTEcOKwmfOs8soZmkdJvoi/cwzVjy1nvZSkasQ8NfIhOgHZdMw=
+=FqUC
+-----END PGP SIGNATURE-----
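Review bot: the provenance of this new signature file is not clear from the package's own documentation. README in this same debdiff says the family 17h update "came from SuSE", while the linux-firmware commits it lists for family 17h name the AMD Microcode Signing Key (Key ID F328AE73). Please state which key signed microcode_amd_fam17h.bin.asc, confirm it verifies against the shipped microcode_amd_fam17h.bin, and correct the README paragraph if it is left over from an earlier source of the file.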
diff -Nru amd64-microcode-2.20160316.1~deb8u1/README amd64-microcode-3.20181128.1~deb8u1/README
--- amd64-microcode-2.20160316.1~deb8u1/README	2016-03-19 18:21:48.000000000 +0100
+++ amd64-microcode-3.20181128.1~deb8u1/README	2018-12-15 21:35:27.000000000 +0100
@@ -1,43 +1,116 @@
 This amd64-microcode release was based on the linux-firmware tree.
+The linux-firmware tree can be found in kernel.org.
 
-From: Sherry Hurwitz <sherry.hurwitz@amd.com>
-Subject: [PATCH 1/1] linux-firmware: Update AMD microcode patch firmware
-Date: 2016-03-17 06:56:11 GMT
+commit 8aa9e3e3886d49b8e1427c1084cbbe567ca2b6ca
+Author:     Allen, John <John.Allen@amd.com>
+AuthorDate: Thu Nov 29 18:39:16 2018 +0000
+Commit:     Josh Boyer <jwboyer@kernel.org>
+CommitDate: Fri Dec 14 08:05:34 2018 -0500
+
+    linux-firmware: Update AMD cpu microcode
+    
+    * Update AMD cpu microcode for processor family 17h
+    
+    Key Name        = AMD Microcode Signing Key (for signing microcode container files only)
+    Key ID          = F328AE73
+    Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73
+    
+    Signed-off-by: John Allen <john.allen@amd.com>
+    Signed-off-by: Josh Boyer <jwboyer@kernel.org>
 
-    linux-firmware: Update AMD microcode patch firmware
+commit 7518922bd5b98b137af7aaf3c836f5a498e91609
+Author: Sherry Hurwitz <sherry.hurwitz@amd.com>
+Date:   Thu May 24 20:57:59 2018 -0500
+
+    Update AMD cpu microcode for family 15h
+    
+    * Processor Revision ID 0x00610f01 was accidently not included in the previous
+      submitted microcode container file.
+    * Update the Version for family 15h microcode .bin file
+    
+    Key Name        = AMD Microcode Signing Key (for signing microcode container files only)
+    Key ID          = F328AE73
+    Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73
+    
+    Signed-off-by: Sherry Hurwitz <sherry.hurwitz@amd.com>
+    Signed-off-by: Josh Boyer <jwboyer@kernel.org>
+
+commit 77101513943ef198e2050667c87abf19e6cbb1d8
+Author: Sherry Hurwitz <sherry.hurwitz@amd.com>
+Date:   Wed May 16 18:10:48 2018 -0500
+
+    linux-firmware: Update AMD cpu microcode
+    
+    * Add AMD cpu microcode for processor family 17h
+    * Update AMD cpu microcode for processor family 15h
+    * Update the AMD cpu microcode license copyright
+    * Add a Version for both microcode family 15h and 17h
+    
+    Key Name        = AMD Microcode Signing Key (for signing microcode container files only)
+    Key ID          = F328AE73
+    Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73
+    
+    Signed-off-by: Sherry Hurwitz <sherry.hurwitz@amd.com>
+    Signed-off-by: Josh Boyer <jwboyer@kernel.org>
+
+commit 5f8ca0c1db6106a2d6d7e85eee778917ff03c3de
+Author: Sherry Hurwitz <sherry.hurwitz@amd.com>
+Date:   Thu Mar 17 01:56:11 2016 -0500
 
+    linux-firmware: Update AMD microcode patch firmware
+    
     For AMD Family 15h Processors to fix bugs in prior microcode patch
     file: amd-ucode/microcode_amd_fam15h.bin
     md5sum: 2384ef1d8ec8ca3930b62d82ea5a3813
-
+    
     Version: 2016_03_16
-
+    
     Signed-off-by: Sherry Hurwitz <sherry.hurwitz@amd.com>
+    Signed-off-by: Kyle McMartin <kyle@kernel.org>
 
 commit 8ac569dd3ca3ca685bd47ee86c1eeb6050864db3
 Author: Sherry Hurwitz <sherry.hurwitz@amd.com>
 Date:   Thu Nov 6 19:38:26 2014 -0600
 
     linux-firmware: Update AMD microcode patch firmware files
-
+    
     For AMD Family 15h Processors
     file:   amd-ucode/microcode_amd_family15h.bin
     md5sum: ee3f0f46936aa1788dc31ca3487e0ff3
-
+    
     For AMD Family 16h Processors
     file:   amd-ucode/microcode_amd_family16h.bin
     md5sum: 6a47a6393c52ddfc0b5b044efc076a77
-
+    
     Version: 2014_10_28
     Signed-off-by: Sherry Hurwitz <sherry.hurwitz@amd.com>
     Signed-off-by: Kyle McMartin <kyle@kernel.org>
 
-LICENSE.amd-ucode                      |    2 +-
-amd-ucode/microcode_amd_fam15h.bin     |binary
-amd-ucode/microcode_amd_fam15h.bin.asc |   16 ++++++++--------
-amd-ucode/microcode_amd_fam16h.bin     |binary
-amd-ucode/microcode_amd_fam16h.bin.asc |   11 +++++++++++
-6 files changed, 23 insertions(+), 10 deletions(-)
+commit 31f6b3076bab3c4b65f67fdb232f4579ed828b4f
+Author: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+Date:   Wed Jul 10 19:42:56 2013 -0500
+
+    linux-firmware: Add AMD microcode patch firmware files
+    
+    For AMD Families 10h ~ 14h Processors
+    file:   amd-ucode/microcode_amd.bin
+    md5sum: 55ae79b82cbfddcf7142058be3c9ec2d
+    
+    For AMD Family 15h Processors
+    file:   amd-ucode/microcode_amd_fam15h.bin
+    md5sum: 122ac7e56442c2b7c28eb26978b2d57c
+    
+    Version: 07_10_2013
+    
+    Signed-off-by: Sherry Hurwitz <sherry.hurwitz@amd.com>
+    Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
+    [bwh: Include version in WHENCE and GPG signatures as separate files]
+    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+
+The microcode update for family 17h came from SuSE, and depends on specific
+kernel support for family 17h to be applied.  It implements IBPB support
+for family 17h processors (Zen).  Microcode update support for family 17h
+should be present in Linux 4.15, 4.14.13, 4.9.76, 4.4.111, and later.
 
 AMD did not update the relevant microcode documentation (errata fixed,
 microcode patch levels, etc), so there is no documentation for the family 0x16
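Review bot: the added family 17h paragraph sets a higher kernel floor ("Linux 4.15, 4.14.13, 4.9.76, 4.4.111, and later") than the Debian-specific documentation earlier in this debdiff, which only asks for "Linux kernel 3.14 or later". For this backport, please check which kernels the target release actually ships and say in the changelog whether the family 17h microcode (and the IBPB support it implements) can be applied there at all; otherwise users may assume they are covered when the update is never loaded. The same paragraph's "came from SuSE" also sits awkwardly next to commits 77101513943ef198e2050667c87abf19e6cbb1d8 and 8aa9e3e3886d49b8e1427c1084cbbe567ca2b6ca listed above it, which add and update family 17h microcode from linux-firmware.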

Attachment: signature.asc
Description: OpenPGP digital signature

