authorAlyssa Ross <hi@alyssa.is>2022-05-10 08:42:24 +0000
committerAlyssa Ross <hi@alyssa.is>2022-05-10 09:33:12 +0000
commit579fd8d9df47f90ce684edda017bf5dc882f258c (patch)
tree50193af524e1aa1922eea82500643169932be6ea
parent8999676304dc81bb257ca28737b584b39c506954 (diff)
host/initramfs: install microcode
-rw-r--r--host/initramfs/Makefile5
-rw-r--r--host/initramfs/default.nix12
2 files changed, 15 insertions, 2 deletions
diff --git a/host/initramfs/Makefile b/host/initramfs/Makefile
index 6f8dac0..620b8be 100644
--- a/host/initramfs/Makefile
+++ b/host/initramfs/Makefile
@@ -11,8 +11,9 @@ CPIOFLAGS = --reproducible -R +0:+0 -H newc
 SCRIPTS = ../../scripts
 VERITYSETUP = veritysetup
 
-build/initramfs: build/local.cpio $(PACKAGES_CPIO)
-	cat build/local.cpio $(PACKAGES_CPIO) | gzip -9n > $@
+build/initramfs: $(MICROCODE) build/local.cpio $(PACKAGES_CPIO)
+	cat $(MICROCODE) > $@
+	cat build/local.cpio $(PACKAGES_CPIO) | gzip -9n >> $@
 
 # etc/init isn't included in ETC_FILES, because it gets installed to
 # the root.
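Review bot: When `MICROCODE` is empty, the new first recipe line `cat $(MICROCODE) > $@` has no file operand and reads standard input, so it only behaves when stdin happens to be empty or closed. The default.nix part of this commit sets the value to `null` off x86_64, so the variable is presumably empty there; whether the Makefile gives it a default is not visible in this hunk. Redirecting stdin makes that case explicit: `cat $(MICROCODE) </dev/null > $@`. Separately, the target is now written in two steps, so a failure in the `gzip` line leaves a microcode-only `build/initramfs` that looks up to date unless `.DELETE_ON_ERROR:` is set elsewhere in the file.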
diff --git a/host/initramfs/default.nix b/host/initramfs/default.nix
index f22f9c8..1ed54fd 100644
--- a/host/initramfs/default.nix
+++ b/host/initramfs/default.nix
@@ -8,6 +8,7 @@
 pkgs.callPackage (
 { lib, stdenv, makeModulesClosure, nixos, runCommand, writeReferencesToFile
 , pkgsStatic, busybox, cpio, cryptsetup, linux-firmware, lvm2
+, microcodeAmd, microcodeIntel
 }:
 
 let
@@ -63,6 +64,16 @@ let
     cp ${pkgsStatic.util-linuxMinimal}/bin/{findfs,lsblk} $out/bin
   '';
 
+  microcode = if stdenv.hostPlatform.isx86_64 then
+    runCommand "microcode.cpio" {
+      nativeBuildInputs = [ cpio ];
+    } ''
+      cpio -id < ${microcodeAmd}/amd-ucode.img
+      cpio -id < ${microcodeIntel}/intel-ucode.img
+      find kernel | cpio -oH newc -R +0:+0 --reproducible > $out
+    ''
+  else null;
+
   packagesCpio = runCommand "packages.cpio" {
     nativeBuildInputs = [ cpio ];
     storePaths = writeReferencesToFile packagesSysroot;
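Review bot: The archive written by `find kernel | cpio -oH newc -R +0:+0 --reproducible > $out` is probably not bit-for-bit reproducible. `--reproducible` only normalises device and inode numbers; member order still follows `find`'s directory traversal order, and the extracted files appear to carry extraction-time mtimes because `cpio -id` is run without `-m`. For an image whose hash is meant to be verified, I would extract with `cpio -idm < ${microcodeAmd}/amd-ucode.img` (likewise for Intel) and fix the order with `find kernel | LC_ALL=C sort | cpio -oH newc -R +0:+0 --reproducible > $out`. It would also help to add a comment above `microcode =` saying that the result is deliberately an uncompressed cpio that the Makefile places ahead of the gzip-compressed part of the initramfs.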
@@ -81,6 +92,7 @@ stdenv.mkDerivation {
     src = cleanSource ./.;
   };
 
+  MICROCODE = microcode;
   PACKAGES_CPIO = packagesCpio;
 
   nativeBuildInputs = [ cpio ];