add infrastructure for x86 CPU microcode updates

[jens-maus]

This PR adds the infrastructure to enable early application of CPU microcodes for the generic-x86_64 platform once the BR2_PACKAGE_INTEL_MICROCODE or BR2_PACKAGE_LINUX_FIRMWARE_AMD_UCODE options are enabled. Once enabled a kconfig fragment will be generated which will then dynamically add CONFIG_EXTRA_FIRMWARE option to the kernel config for embedding all microcode files accordingly. This should help to get CPU microcode fixes in place once HAos is directly installed on a x86-64 system using the generic-x86_64 platform images.

Summary by CodeRabbit

• New Features
  • Early CPU microcode updates for Intel and AMD are now bundled into the kernel, improving boot-time reliability and security on more x86_64 hardware.
  • Broader firmware coverage enabled for modern CPUs.
  • Reduced root filesystem size by excluding duplicate microcode files from the image.
  • Transparent to users: no configuration changes required; systems automatically benefit when supported CPUs are detected.

[coderabbitai]

📝 Walkthrough

Walkthrough

Enables Intel and AMD microcode packages in x86_64 defconfig, adds build logic to generate a kernel Kconfig fragment that embeds microcode when enabled, hooks it into the kernel pre-patch/config steps, and updates the rootfs script to remove microcode directories from the final image.

Changes

Cohort / File(s)	Summary
Defconfig updates buildroot-external/configs/generic_x86_64_defconfig	Enables BR2_PACKAGE_LINUX_FIRMWARE_AMD_UCODE=y and BR2_PACKAGE_INTEL_MICROCODE=y.
Kernel build microcode embedding buildroot-external/external.mk	Adds conditional generation of a microcode Kconfig fragment via a pre-patch hook when Intel/AMD microcode is enabled; registers fragment in LINUX_KCONFIG_FRAGMENT_FILES.
Rootfs cleanup buildroot-external/scripts/rootfs-layer.sh	Removes ${TARGET_DIR}/lib/firmware/intel-ucode and ${TARGET_DIR}/lib/firmware/amd-ucode during rootfs fix-up.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant BR as Buildroot
    participant EXT as external.mk
    participant LNX as Kernel Build
    participant RFS as rootfs-layer.sh

    BR->>EXT: Evaluate config (INTEL_MICROCODE / AMD_UCODE)
    alt Microcode enabled
        EXT->>EXT: Generate UCODE_FRAG (list firmware dirs/files)
        note over EXT: Registered via LINUX_PRE_PATCH_HOOKS
        EXT-->>LNX: Add fragment to LINUX_KCONFIG_FRAGMENT_FILES
    else
        EXT-->>LNX: No fragment added
    end

    rect rgba(230,240,255,0.5)
    LNX->>LNX: Apply Kconfig fragments
    LNX->>LNX: Build kernel (with embedded microcode if configured)
    end

    BR->>RFS: Run rootfs fix-up
    RFS->>RFS: Remove lib/firmware/intel-ucode, amd-ucode
    note over RFS: Ensures microcode not present in rootfs

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title accurately and concisely describes the primary change of the PR, which is adding infrastructure to support x86 CPU microcode updates in the build process; it clearly reflects the main objective without extraneous detail or ambiguity.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 92cb987 and a9531a5.

📒 Files selected for processing (3)

• buildroot-external/configs/generic_x86_64_defconfig (1 hunks)
• buildroot-external/external.mk (1 hunks)
• buildroot-external/scripts/rootfs-layer.sh (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

*/**(html|markdown|md)

⚙️ CodeRabbit configuration file

*/**(html|markdown|md): - For instructional content in documentation, use a direct and authoritative tone. Avoid expressions of politeness such as 'may' or 'please', and ensure the goal of the instruction is fronted.

• Apply the Microsoft Style Guide to ensure documentation maintains clarity and conciseness.
• In step-by-step instructions, front the location phrase in the instructional sentence.
• In step-by-step instructions, front the 'goal' in the instructional sentence.
• In step-by-step instructions, if in doubt what to front, front the 'goal' before the location phrase in the instructional sentence.
• do not hyphenate terms like 'top-right' or 'bottom-left' with 'corner'

*/**(html|markdown|md): - Use bold to mark UI strings.

• If "" are used to mark UI strings, replace them by bold.

• Be brief in your replies and don't add fluff like "thank you for..." and "Please let me know if"

• Use sentence-style capitalization also in headings.

do not comment on HTML used for icons

Avoid flagging inline HTML for embedding videos in future reviews for this repository.

Files:

• buildroot-external/external.mk

🔇 Additional comments (2)

buildroot-external/scripts/rootfs-layer.sh (1)

42-45: LGTM! Cleanup aligns with kernel embedding strategy.

The removal of microcode directories is correct since the microcode is now embedded into the kernel via CONFIG_EXTRA_FIRMWARE (as implemented in external.mk), making these firmware files in the rootfs redundant.

buildroot-external/configs/generic_x86_64_defconfig (1)

105-106: LGTM! Package enablement is correctly placed.

The AMD and Intel microcode packages are appropriately enabled and positioned after other firmware packages, following the existing configuration structure.

[jens-maus]

@sairon Any news of and when this PR might be integrated/merged? Would be great to get it potentially merged into 16.3!

[sairon]

@jens-maus I intentionally postponed it after the 16.3 beta cut to stage it for the 17.0 release. I will have a closer look later this week.

[jens-maus]

Thanks! Note, that I have this already integrated in two of my Buildroot projects and it works flawlessly so far! 😜

[sairon]

Besides the formal or factual issues commented below, I don't like this being added in external.mk - per Buildroot docs external.mk should serve to define package recipes, yet this is fundamentally changing the build results. Looking into the docs, infrastructure described in docs/manual/adding-packages-linux-kernel-spec-infra.adoc might be more appropriate but honestly I haven't thought it through yet.

Also, IMHO the in-situ generated config fragment isn't a nice pattern either. It might be better to use KCONFIG_SET_OPT along with LINUX_KCONFIG_FIXUP_CMDS instead.

[sairon]

This config option doesn't exist yet in 2025.02.x.

[home-assistant]

Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍

Learn more about our pull request process.

[jens-maus]

Thanks @sairon for your review. When I was first working on this PR I also thought if there might be a better idea than adding these things to buildroot-external/external.mk, however, that was currently the only possible and verbose way of adding the necessary modifications for dynamically generating such a kconfig fragement file on the fly before the linux kernel build which then uses it via CONFIG_EXTRA_FIRMWARE. But if you have another idea on how to dynamically inject the list of available microcodes located in BINARIES_DIR, feel free to put up a suggestion and I will try to work it out.

Regarding the missing BR2_PACKAGE_LINUX_FIRMWARE_AMD_UCODE in buildroot 2025.02.x, I indeed missed that because all of my other projects are already at 2025.08.x, of course ;-) But I can of course also remove it from the config file until you switch HAos to buildroot 2025.08.x. However, I would suggest to keep BR2_PACKAGE_LINUX_FIRMWARE_AMD_UCODE in the ifeq() in external.mk to have it ready for buildroot 2025.08.x and later.