[3ae81e1] | 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
|
---|
| 2 | <!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
---|
| 3 | "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
---|
| 4 | <!ENTITY % general-entities SYSTEM "../../general.ent">
|
---|
| 5 | %general-entities;
|
---|
| 6 | ]>
|
---|
| 7 |
|
---|
| 8 | <sect1 id="postlfs-firmware" xreflabel="About Firmware">
|
---|
| 9 | <?dbhtml filename="firmware.html"?>
|
---|
| 10 |
|
---|
| 11 |
|
---|
| 12 | <title>About Firmware</title>
|
---|
| 13 |
|
---|
| 14 | <indexterm zone="postlfs-firmware">
|
---|
| 15 | <primary sortas="e-lib-firmware">/lib/firmware</primary>
|
---|
| 16 | </indexterm>
|
---|
| 17 |
|
---|
[81a73ed8] | 18 | <para>
|
---|
| 19 | On some recent PCs it can be necessary, or desirable, to load firmware
|
---|
| 20 | to make them work at their best. There is a directory, <filename
|
---|
| 21 | class="directory">/lib/firmware</filename>, where the kernel or kernel
|
---|
| 22 | drivers look for firmware images.
|
---|
| 23 | </para>
|
---|
| 24 |
|
---|
| 25 | <para>
|
---|
| 26 | Currently, most firmware can be found at a <userinput>git</userinput>
|
---|
| 27 | repository: <ulink url=
|
---|
[cd29bc9] | 28 | "https://git.kernel.org/cgit/linux/kernel/git/firmware/linux-firmware.git/tree/"/>.
|
---|
[81a73ed8] | 29 | For convenience, the LFS Project has created a mirror, updated daily, where
|
---|
| 30 | these firmware files can be accessed via <userinput>wget</userinput> or a
|
---|
| 31 | web browser at <ulink url="&sources-anduin-http;/linux-firmware/"/>.
|
---|
| 32 | </para>
|
---|
| 33 |
|
---|
| 34 | <para>
|
---|
| 35 | To get the firmware, either point a browser to one of the above
|
---|
| 36 | repositories and then download the item(s) which you need, or install
|
---|
| 37 | <xref linkend="git"/> and clone that repository.
|
---|
| 38 | </para>
|
---|
| 39 |
|
---|
| 40 | <para>
|
---|
| 41 | For some other firmware, particularly for Intel microcode and certain
|
---|
| 42 | wifi devices, the needed firmware is not available in the above repository.
|
---|
| 43 | Some of this will be addressed below, but a search of the Internet for
|
---|
| 44 | needed firmware is sometimes necessary.
|
---|
| 45 | </para>
|
---|
| 46 |
|
---|
| 47 | <para>
|
---|
| 48 | Firmware files are conventionally referred to as blobs because you cannot
|
---|
| 49 | determine what they will do. Note that firmware is distributed under
|
---|
| 50 | various different licenses which do not permit disassembly or
|
---|
| 51 | reverse-engineering.
|
---|
| 52 | </para>
|
---|
| 53 |
|
---|
| 54 | <para>
|
---|
| 55 | Firmware for PCs falls into four categories:
|
---|
| 56 | </para>
|
---|
[3ae81e1] | 57 |
|
---|
| 58 | <itemizedlist spacing="compact">
|
---|
| 59 | <listitem>
|
---|
[81a73ed8] | 60 | <para>
|
---|
| 61 | Updates to the CPU to work around errata, usually referred to as
|
---|
| 62 | microcode.
|
---|
| 63 | </para>
|
---|
[3ae81e1] | 64 | </listitem>
|
---|
| 65 | <listitem>
|
---|
[81a73ed8] | 66 | <para>
|
---|
[3179c69] | 67 | Firmware for video controllers. On x86 machines this is required for
|
---|
| 68 | ATI devices (Radeon and AMDGPU chips) and may be useful for Intel (Skylake
|
---|
| 69 | and later) and Nvidia (Kepler and later) GPUs.
|
---|
| 70 | </para>
|
---|
| 71 |
|
---|
| 72 | <para>
|
---|
[b5da785b] | 73 | ATI Radeon and AMDGPU devices all require firmware to be able to use KMS
|
---|
[81a73ed8] | 74 | (kernel modesetting - the preferred option) as well as for Xorg. For
|
---|
[3179c69] | 75 | old radeon chips (before the R600), the firmware is still in the
|
---|
| 76 | kernel source.
|
---|
| 77 | </para>
|
---|
| 78 |
|
---|
| 79 | <para>
|
---|
| 80 | Intel integrated GPUs from Skylake onwards can use firmware for GuC
|
---|
| 81 | (the Graphics microcontroller), and also for the HuC (HEVC/H265
|
---|
| 82 | microcontroller which offloads to the GPU) and the DMC (Display
|
---|
| 83 | Microcontroller) to provide additional low-power states. The GuC and
|
---|
| 84 | HuC have had a chequered history in the kernel and updated firmware
|
---|
| 85 | may be disabled by default, depending on your kernel version. Further
|
---|
| 86 | details may be found at <ulink
|
---|
| 87 | url="https://01.org/linuxgraphics/downloads/firmware/">01.org</ulink>
|
---|
| 88 | and <ulink
|
---|
[14cec0f] | 89 | url="https://wiki.archlinux.org/index.php/intel_graphics">Arch
|
---|
[3179c69] | 90 | linux</ulink>.
|
---|
| 91 | </para>
|
---|
| 92 |
|
---|
| 93 | <para>
|
---|
| 94 | Nvidia GPUs from Kepler onwards require signed firmware, otherwise the
|
---|
| 95 | nouveau driver is unable to provide hardware acceleration. Nvidia has
|
---|
[083a8d7] | 96 | now released firmware up to Ampere (GeForce30 series) to linux-firmware.
|
---|
| 97 | Note that faster clocks than the default are not enabled
|
---|
[3179c69] | 98 | by the released firmware.
|
---|
[81a73ed8] | 99 | </para>
|
---|
[3ae81e1] | 100 | </listitem>
|
---|
| 101 | <listitem>
|
---|
[81a73ed8] | 102 | <para>
|
---|
| 103 | Firmware updates for wired network ports. Mostly they work even
|
---|
| 104 | without the updates, but probably they will work better with
|
---|
| 105 | the updated firmware. For some modern laptops, firmware for both
|
---|
| 106 | wired ethernet (e.g. rtl_nic) and also for bluetooth devices (e.g. qca)
|
---|
| 107 | is <emphasis>required</emphasis> before the wired network can be used.
|
---|
[89bdbf8] | 108 | </para>
|
---|
[3ae81e1] | 109 | </listitem>
|
---|
| 110 | <listitem>
|
---|
[81a73ed8] | 111 | <para>
|
---|
| 112 | Firmware for other devices, such as wifi. These devices are not
|
---|
| 113 | required for the PC to boot, but need the firmware before these devices
|
---|
| 114 | can be used.
|
---|
| 115 | </para>
|
---|
[3ae81e1] | 116 | </listitem>
|
---|
| 117 | </itemizedlist>
|
---|
| 118 |
|
---|
[81a73ed8] | 119 | <note>
|
---|
| 120 | <para>
|
---|
| 121 | Although not needed to load a firmware blob, the following
|
---|
| 122 | tools may be useful for determining, obtaining, or preparing the needed
|
---|
| 123 | firmware in order to load it into the system:
|
---|
| 124 | <xref linkend="cpio"/>,
|
---|
| 125 | <xref linkend="git"/>,
|
---|
| 126 | <xref linkend="pciutils"/>, and
|
---|
| 127 | <xref linkend="wget"/>
|
---|
| 128 | </para>
|
---|
| 129 | </note>
|
---|
[3ae81e1] | 130 |
|
---|
| 131 | <para condition="html" role="usernotes">User Notes:
|
---|
| 132 | <ulink url="&blfs-wiki;/aboutfirmware"/></para>
|
---|
| 133 |
|
---|
| 134 | <sect2 id="cpu-microcode">
|
---|
| 135 | <title>Microcode updates for CPUs</title>
|
---|
| 136 |
|
---|
[81a73ed8] | 137 | <para>
|
---|
| 138 | In general, microcode can be loaded by the BIOS or UEFI, and it might be
|
---|
| 139 | updated by upgrading to a newer version of those. On linux, you can also
|
---|
| 140 | load the microcode from the kernel if you are using an AMD family 10h or
|
---|
| 141 | later processor (first introduced late 2007), or an Intel processor from
|
---|
| 142 | 1998 and later (Pentium4, Core, etc), if updated microcode has been
|
---|
| 143 | released. These updates only last until the machine is powered off, so
|
---|
| 144 | they need to be applied on every boot.
|
---|
| 145 | </para>
|
---|
| 146 |
|
---|
| 147 | <para>
|
---|
[bd78d011] | 148 | Intel provide updates of their microcode for Skylake and later
|
---|
[83d1722c] | 149 | processors as new vulnerabilities come to light, and have in the past
|
---|
| 150 | provided updates for processors from SandyBridge onwards, although those
|
---|
| 151 | are no-longer supported for new fixes. New versions of AMD
|
---|
[81a73ed8] | 152 | firmware are rare and usually only apply to a few models, although
|
---|
[083a8d7] | 153 | motherboard manufacturers get AGESA (AMD Generic Encapsulated Software
|
---|
| 154 | Architecture) updates to change BIOS values, e.g. to support more memory
|
---|
[39eae8f1] | 155 | variants, new vulnerability fixes or newer CPUs.
|
---|
[81a73ed8] | 156 | </para>
|
---|
| 157 |
|
---|
| 158 | <para>
|
---|
[3b50f0de] | 159 | There were two ways of loading the microcode, described as 'early' and
|
---|
[81a73ed8] | 160 | 'late'. Early loading happens before userspace has been started, late
|
---|
[3b50f0de] | 161 | loading happens after userspace has started. However, late loading is
|
---|
| 162 | known to be problematic and not supported anymore (see the kernel commit
|
---|
| 163 | <ulink url="https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d23d33e">
|
---|
| 164 | x86/microcode: Taint and warn on late loading</ulink>.) Indeed, early
|
---|
| 165 | loading is needed to work around one particular erratum in early Intel
|
---|
| 166 | Haswell processors which had TSX enabled. (See <ulink url=
|
---|
[cd29bc9] | 167 | "https://www.anandtech.com/show/8376/intel-disables-tsx-instructions-erratum-found-in-haswell-haswelleep-broadwelly/">
|
---|
[81a73ed8] | 168 | Intel Disables TSX Instructions: Erratum Found in Haswell,
|
---|
[3b50f0de] | 169 | Haswell-E/EP, Broadwell-Y</ulink>.)
|
---|
| 170 | Without this update glibc can do the wrong thing in uncommon
|
---|
[8558044] | 171 | situations.
|
---|
[81a73ed8] | 172 | </para>
|
---|
| 173 |
|
---|
[083a8d7] | 174 | <para>
|
---|
| 175 | In previous versions of this book, late loading of microcode to see if
|
---|
| 176 | it gets applied was recommended, followed by using an initrd to force
|
---|
| 177 | early loading. But now that the contents of the Intel microcode tarball
|
---|
| 178 | is documented, and AMD microcode can be read by a Python script to
|
---|
| 179 | determine which machines it covers, there is no real reason to use late
|
---|
| 180 | loading.
|
---|
| 181 | </para>
|
---|
| 182 |
|
---|
[81a73ed8] | 183 | <para>
|
---|
[3b50f0de] | 184 | It might be still possible to manually force late loading of microcode.
|
---|
| 185 | But it may cause kernel malfunction and you should take the risk yourself.
|
---|
| 186 | You will need to reconfigure your kernel for either method. The
|
---|
| 187 | instructions here will show you how to create an initrd for early
|
---|
| 188 | loading. It is also possible to build the same microcode bin file into
|
---|
| 189 | the kernel, which allows early loading but requires the kernel to be
|
---|
| 190 | recompiled to update the microcode.
|
---|
[81a73ed8] | 191 | </para>
|
---|
| 192 |
|
---|
| 193 | <para>
|
---|
| 194 | To confirm what processor(s) you have (if more than one, they will be
|
---|
[083a8d7] | 195 | identical) look in /proc/cpuinfo. Determine the decimal values of the cpu
|
---|
| 196 | family, model and stepping by running the following command (it will also
|
---|
| 197 | report the current microcode version):
|
---|
| 198 | </para>
|
---|
| 199 |
|
---|
| 200 | <screen><userinput>head -n7 /proc/cpuinfo</userinput></screen>
|
---|
| 201 |
|
---|
| 202 | <para>
|
---|
[3b50f0de] | 203 | Convert the cpu family, model and stepping to pairs of hexadecimal
|
---|
| 204 | digits, and remember the value of the <quote>microcode</quote> field.
|
---|
[083a8d7] | 205 | You can now check if there is any microcode available.
|
---|
[81a73ed8] | 206 | </para>
|
---|
[3ae81e1] | 207 |
|
---|
[83d1722c] | 208 | <para>
|
---|
| 209 | If you are creating an initrd to update firmware for different machines,
|
---|
| 210 | as a distro would do, go down to 'Early loading of microcode' and cat all
|
---|
| 211 | the Intel blobs to GenuineIntel.bin or cat all the AMD blobs to
|
---|
| 212 | AuthenticAMD.bin. This creates a larger initrd - for all Intel machines in
|
---|
[083a8d7] | 213 | the 20200609 update the size was 3.0 MB compared to typically 24 KB for one
|
---|
[83d1722c] | 214 | machine.
|
---|
| 215 | </para>
|
---|
| 216 |
|
---|
[3ae81e1] | 217 | <sect3 id="intel-microcode">
|
---|
| 218 | <title>Intel Microcode for the CPU</title>
|
---|
[ba78ebe2] | 219 |
|
---|
[81a73ed8] | 220 | <para>
|
---|
| 221 | The first step is to get the most recent version of the Intel
|
---|
| 222 | microcode. This must be done by navigating to <ulink url=
|
---|
[3179c69] | 223 | 'https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/'/>
|
---|
[81a73ed8] | 224 | and downloading the latest file there. As of this writing the most
|
---|
[bfd2ba3c] | 225 | <!-- at one time, some skylakes had problems with a certain revision
|
---|
| 226 | secure version of the microcode, for those machines which can boot it, -->
|
---|
| 227 | secure version of the microcode
|
---|
[32bbead] | 228 | is microcode-20230214.<!-- If you have a Skylake machine, please read the
|
---|
[bd78d011] | 229 | Caution in the 'Early loading of microcode' section below.--> Extract this
|
---|
[81a73ed8] | 230 | file in the normal way, the microcode is in the <filename>intel-ucode
|
---|
| 231 | </filename> directory, containing various blobs with names in the form
|
---|
| 232 | XX-YY-ZZ. There are also various other files, and a releasenote.
|
---|
| 233 | </para>
|
---|
| 234 |
|
---|
| 235 | <para>
|
---|
| 236 | In the past, intel did not provide any details of which blobs had
|
---|
[3b50f0de] | 237 | changed versions, but now the releasenote details this. You can
|
---|
| 238 | compare the microcode version in <filename>/proc/cpuinfo</filename>
|
---|
| 239 | with the version for your CPU model in the releasenote to know if
|
---|
| 240 | there is an update.
|
---|
[81a73ed8] | 241 | </para>
|
---|
| 242 |
|
---|
| 243 | <para>
|
---|
| 244 | The recent firmware for older processors is provided to deal with
|
---|
| 245 | vulnerabilities which have now been made public, and for some of these
|
---|
| 246 | such as Microarchitectural Data Sampling (MDS) you might wish to
|
---|
| 247 | increase the protection by disabling hyperthreading, or alternatively
|
---|
| 248 | to disable the kernel's default mitigation because of its impact on
|
---|
| 249 | compile times. Please read the online documentation at <ulink url=
|
---|
| 250 | 'https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html'/>.
|
---|
| 251 | </para>
|
---|
| 252 |
|
---|
| 253 | <para>
|
---|
[3b50f0de] | 254 | For an Icelake mobile (described as Intel(R) Core(TM) i7-1065G7
|
---|
| 255 | CPU) the relevant values are cpu family 6, model 126, stepping 5 so
|
---|
| 256 | in this case the required identification is 06-7e-05. The
|
---|
[32bbead] | 257 | releasenote says the latest microcode for it is versioned 0xb8. If
|
---|
[3b50f0de] | 258 | the value of the <quote>microcode</quote> field in
|
---|
[32bbead] | 259 | <filename>/proc/cpuinfo</filename> is 0xb8 or greater, it indicates
|
---|
[3b50f0de] | 260 | the microcode update is already applied by the BIOS. Otherwise,
|
---|
| 261 | configure the kernel to support loading Intel microcode, and then
|
---|
| 262 | proceed to <xref linkend='early-microcode'/>:
|
---|
[81a73ed8] | 263 | </para>
|
---|
[3ae81e1] | 264 |
|
---|
[0576c595] | 265 | <screen><literal>General Setup --->
|
---|
[f39cf0d0] | 266 | [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support [CONFIG_BLK_DEV_INITRD]
|
---|
[0576c595] | 267 | Processor type and features --->
|
---|
[f39cf0d0] | 268 | [*] CPU microcode loading support [CONFIG_MICROCODE]
|
---|
| 269 | [*] Intel microcode loading support [CONFIG_MICROCODE_INTEL]</literal></screen>
|
---|
[0576c595] | 270 |
|
---|
[3ae81e1] | 271 | </sect3>
|
---|
| 272 |
|
---|
[bd78d011] | 273 | <sect3 id="amd-microcode">
|
---|
[3ae81e1] | 274 | <title>AMD Microcode for the CPU</title>
|
---|
| 275 |
|
---|
[81a73ed8] | 276 | <para>
|
---|
| 277 | Begin by downloading a container of firmware for your CPU family
|
---|
| 278 | from <ulink url=
|
---|
| 279 | '&sources-anduin-http;/linux-firmware/amd-ucode/'/>.
|
---|
| 280 | The family is always specified in hex. Families 10h to 14h (16 to 20)
|
---|
[083a8d7] | 281 | are in microcode_amd.bin. Families 15h, 16h, 17h (Zen, Zen+, Zen2) and
|
---|
[39eae8f1] | 282 | 19h (Zen3) have their own containers, but very few machines are likely to
|
---|
| 283 | get updated microcode. Instead, AMD provide an updated AGESA to the
|
---|
| 284 | motherboard makers, who may provide an updated BIOS using this.
|
---|
| 285 | There is a Python3 script at <ulink url=
|
---|
[083a8d7] | 286 | 'https://github.com/AMDESE/amd_ucode_info/blob/master/amd_ucode_info.py'/>.
|
---|
| 287 | Download that script and run it against the bin file to check which
|
---|
| 288 | processors have updates.
|
---|
| 289 | </para>
|
---|
| 290 |
|
---|
| 291 | <para>
|
---|
| 292 | For the very old Athlon(tm) II X2 in these examples the values were
|
---|
| 293 | cpu family 16, model 5, stepping 3 giving an identification of
|
---|
[3b50f0de] | 294 | Family=0x10 Model=0x05 Stepping=0x03. One line of the
|
---|
| 295 | <command>amd_ucode_info.py</command> script output describes the
|
---|
| 296 | microcode version for it:
|
---|
[083a8d7] | 297 | </para>
|
---|
| 298 |
|
---|
[3b50f0de] | 299 | <screen><computeroutput>Family=0x10 Model=0x05 Stepping=0x03: Patch=0x010000c8 Length=960 bytes</computeroutput></screen>
|
---|
[3ae81e1] | 300 |
|
---|
[81a73ed8] | 301 | <para>
|
---|
[3b50f0de] | 302 | If the value of the <quote>microcode</quote> field in
|
---|
| 303 | <filename>/proc/cpuinfo</filename> is 0x10000c8 or greater, it
|
---|
| 304 | indicates the BIOS has already applied the microcode update.
|
---|
[7dd1546] | 305 | Otherwise, configure the kernel to support loading AMD microcode,
|
---|
[3b50f0de] | 306 | and then proceed to <xref linkend='early-microcode'/>:
|
---|
[81a73ed8] | 307 | </para>
|
---|
[0576c595] | 308 |
|
---|
| 309 | <screen><literal>General Setup --->
|
---|
[f39cf0d0] | 310 | [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support [CONFIG_BLK_DEV_INITRD]
|
---|
[0576c595] | 311 | Processor type and features --->
|
---|
[f39cf0d0] | 312 | [*] CPU microcode loading support [CONFIG_MICROCODE]
|
---|
| 313 | [*] AMD microcode loading support [CONFIG_MICROCODE_AMD]</literal></screen>
|
---|
[3ae81e1] | 314 | </sect3>
|
---|
| 315 |
|
---|
| 316 | <sect3 id="early-microcode">
|
---|
| 317 | <title>Early loading of microcode</title>
|
---|
| 318 |
|
---|
[81a73ed8] | 319 | <para>
|
---|
| 320 | If you have established that updated microcode is available for
|
---|
| 321 | your system, it is time to prepare it for early loading. This requires
|
---|
| 322 | an additional package, <xref linkend='cpio'/> and the creation of an
|
---|
| 323 | initrd which will need to be added to grub.cfg.
|
---|
| 324 | </para>
|
---|
[3ae81e1] | 325 |
|
---|
[81a73ed8] | 326 | <para>
|
---|
| 327 | It does not matter where you prepare the initrd, and once it is
|
---|
| 328 | working you can apply the same initrd to later LFS systems or newer
|
---|
| 329 | kernels on this same machine, at least until any newer microcode is
|
---|
| 330 | released. Use the following commands:
|
---|
| 331 | </para>
|
---|
[3ae81e1] | 332 |
|
---|
| 333 | <screen><userinput>mkdir -p initrd/kernel/x86/microcode
|
---|
| 334 | cd initrd</userinput></screen>
|
---|
| 335 |
|
---|
[81a73ed8] | 336 | <para>
|
---|
| 337 | For an AMD machine, use the following command (replace
|
---|
| 338 | <MYCONTAINER> with the name of the container for your CPU's
|
---|
| 339 | family):
|
---|
| 340 | </para>
|
---|
[3ae81e1] | 341 |
|
---|
[ab0b034f] | 342 | <screen><userinput>cp -v ../<MYCONTAINER> kernel/x86/microcode/AuthenticAMD.bin</userinput></screen>
|
---|
[3ae81e1] | 343 |
|
---|
[81a73ed8] | 344 | <para>
|
---|
| 345 | Or for an Intel machine copy the appropriate blob using this command:
|
---|
| 346 | </para>
|
---|
[3ae81e1] | 347 |
|
---|
[ab0b034f] | 348 | <screen><userinput>cp -v ../intel-ucode/<XX-YY-ZZ> kernel/x86/microcode/GenuineIntel.bin</userinput></screen>
|
---|
[3ae81e1] | 349 |
|
---|
[bd78d011] | 350 | <!-- new version from 20201110 release onwards, assumed to work on all skylakes
|
---|
| 351 | But complaints about previous version took some days to appear, so keep as a comment for now.
|
---|
[fe2553a] | 352 | <caution>
|
---|
| 353 | <para>
|
---|
[3179c69] | 354 | On some Skylake machines with hex Model Number '4e' (78 decimal) the
|
---|
| 355 | upgrade to microcode version '0xdc' is reported to cause the machine to
|
---|
| 356 | hang in early boot, and the fix is to revert to version 0xd6 which was
|
---|
| 357 | first shipped in the 20191115 microcode release.
|
---|
[fe2553a] | 358 | </para>
|
---|
| 359 |
|
---|
| 360 | <para>
|
---|
[3179c69] | 361 | At least one model '5e' Skylake does boot successfully with version
|
---|
| 362 | 0xdc, but Intel has now shipped a 20200616 release which is intended for
|
---|
| 363 | distros which need an initrd that will boot on everyone's machine: it
|
---|
| 364 | reverts both Skylake variants ('4e' and '5e') to the old 0xd6.
|
---|
[fe2553a] | 365 | </para>
|
---|
| 366 |
|
---|
| 367 | <para>
|
---|
[3179c69] | 368 | For a Skylake which does not boot with 0xdc, reverting to 0xd6 will make
|
---|
| 369 | the machine usable, but without the SRBDS mitigations.
|
---|
[fe2553a] | 370 | </para>
|
---|
[bd78d011] | 371 | </caution>-->
|
---|
[fe2553a] | 372 |
|
---|
[81a73ed8] | 373 | <para>
|
---|
| 374 | Now prepare the initrd:
|
---|
| 375 | </para>
|
---|
[3ae81e1] | 376 |
|
---|
| 377 | <screen><userinput>find . | cpio -o -H newc > /boot/microcode.img</userinput></screen>
|
---|
| 378 |
|
---|
[81a73ed8] | 379 | <para>
|
---|
| 380 | You now need to add a new entry to /boot/grub/grub.cfg and
|
---|
| 381 | here you should add a new line after the linux line within the stanza.
|
---|
| 382 | If /boot is a separate mountpoint:
|
---|
| 383 | </para>
|
---|
[3ae81e1] | 384 |
|
---|
| 385 | <screen><userinput>initrd /microcode.img</userinput></screen>
|
---|
| 386 |
|
---|
[81a73ed8] | 387 | <para>
|
---|
| 388 | or this if it is not:
|
---|
| 389 | </para>
|
---|
[3ae81e1] | 390 |
|
---|
| 391 | <screen><userinput>initrd /boot/microcode.img</userinput></screen>
|
---|
| 392 |
|
---|
[81a73ed8] | 393 | <para>
|
---|
| 394 | If you are already booting with an initrd (see <xref
|
---|
[8558044] | 395 | linkend="initramfs"/>), you should run <command>mkinitramfs</command>
|
---|
[81a73ed8] | 396 | again after putting the appropriate blob or container into <filename
|
---|
[15a485c3] | 397 | class="directory">/lib/firmware</filename>. More precisely, put an
|
---|
| 398 | intel blob in a <filename
|
---|
| 399 | class="directory">/lib/firmware/intel-ucode</filename> directory
|
---|
| 400 | or an AMD container in a <filename
|
---|
| 401 | class="directory">/lib/firmware/amd-ucode</filename> directory before
|
---|
| 402 | running <command>mkinitramfs</command>.
|
---|
[81a73ed8] | 403 | Alternatively, you can have both initrd on the same line, such as
|
---|
| 404 | <userinput>initrd /microcode.img /other-initrd.img</userinput> (adapt
|
---|
| 405 | that as above if /boot is not a separate mountpoint).
|
---|
| 406 | </para>
|
---|
[a7c5f47] | 407 |
|
---|
[81a73ed8] | 408 | <para>
|
---|
[15a485c3] | 409 | You can now reboot with the added initrd, and then use the following
|
---|
[81a73ed8] | 410 | command to check that the early load worked:
|
---|
| 411 | </para>
|
---|
[3ae81e1] | 412 |
|
---|
[0576c595] | 413 | <screen><userinput>dmesg | grep -e 'microcode' -e 'Linux version' -e 'Command line'</userinput></screen>
|
---|
| 414 |
|
---|
[81a73ed8] | 415 | <para>
|
---|
[3b50f0de] | 416 | If you updated to address vulnerabilities, you can look at the
|
---|
| 417 | output of the <command>lscpu</command> command to see what is now
|
---|
| 418 | reported.
|
---|
[81a73ed8] | 419 | </para>
|
---|
[3c19265] | 420 |
|
---|
[81a73ed8] | 421 | <para>
|
---|
| 422 | The places and times where early loading happens are very different
|
---|
[3b50f0de] | 423 | in AMD and Intel machines. First, an example of an Intel (Icelake
|
---|
| 424 | mobile) with early loading:
|
---|
[81a73ed8] | 425 | </para>
|
---|
[b174fb1] | 426 |
|
---|
[32bbead] | 427 | <screen><literal>[ 0.000000] microcode: microcode updated early to revision 0xb8, date = 2022-08-31
|
---|
| 428 | [ 0.000000] Linux version 6.1.11 (xry111@stargazer) (gcc (GCC) 12.2.0, GNU ld (GNU Binutils) 2.40) #2 SMP PREEMPT_DYNAMIC Tue Feb 14 23:23:31 CST 2023
|
---|
| 429 | [ 0.000000] Command line: BOOT_IMAGE=/vmlinuz-6.1.11-lfs-11.3-rc1 root=PARTUUID=<replaceable><CLASSIFIED></replaceable> ro
|
---|
| 430 | [ 0.452924] microcode: sig=0x706e5, pf=0x80, revision=0xb8
|
---|
| 431 | [ 0.453197] microcode: Microcode Update Driver: v2.2.</literal></screen>
|
---|
[83d1722c] | 432 |
|
---|
[0576c595] | 433 |
|
---|
[81a73ed8] | 434 | <para>
|
---|
| 435 | A historic AMD example:
|
---|
| 436 | </para>
|
---|
[0576c595] | 437 |
|
---|
[c6d338e] | 438 | <screen><literal>[ 0.000000] Linux version 4.15.3 (ken@testserver) (gcc version 7.3.0 (GCC))
|
---|
| 439 | #2 SMP Sun Feb 18 02:32:03 GMT 2018
|
---|
| 440 | [ 0.000000] Command line: BOOT_IMAGE=/vmlinuz-4.15.3-sda5 root=/dev/sda5 ro
|
---|
| 441 | [ 0.307619] microcode: microcode updated early to new patch_level=0x010000c8
|
---|
| 442 | [ 0.307678] microcode: CPU0: patch_level=0x010000c8
|
---|
| 443 | [ 0.307723] microcode: CPU1: patch_level=0x010000c8
|
---|
| 444 | [ 0.307795] microcode: Microcode Update Driver: v2.2.</literal></screen>
|
---|
[3ae81e1] | 445 |
|
---|
| 446 | </sect3>
|
---|
| 447 |
|
---|
| 448 | </sect2>
|
---|
| 449 |
|
---|
[1cc5345] | 450 | <sect2 id="video-firmware">
|
---|
| 451 | <title>Firmware for Video Cards</title>
|
---|
| 452 |
|
---|
[81a73ed8] | 453 | <sect3 id="ati-video-firmware">
|
---|
| 454 | <title>Firmware for ATI video chips (R600 and later)</title>
|
---|
| 455 |
|
---|
| 456 | <para>
|
---|
| 457 | These instructions do NOT apply to old radeons before the R600
|
---|
| 458 | family. For those, the firmware is in the kernel's <filename
|
---|
| 459 | class='directory'>/lib/firmware/</filename> directory. Nor do they
|
---|
| 460 | apply if you intend to avoid a graphical setup such as Xorg and are
|
---|
| 461 | content to use the default 80x25 display rather than a framebuffer.
|
---|
| 462 | </para>
|
---|
| 463 |
|
---|
| 464 | <para>
|
---|
| 465 | Early radeon devices only needed a single 2K blob of firmware. Recent
|
---|
| 466 | devices need several different blobs, and some of them are much bigger.
|
---|
| 467 | The total size of the radeon firmware directory is over 500K —
|
---|
| 468 | on a large modern system you can probably spare the space, but it is
|
---|
| 469 | still redundant to install all the unused files each time you build
|
---|
| 470 | a system.
|
---|
| 471 | </para>
|
---|
| 472 |
|
---|
| 473 | <para>
|
---|
| 474 | A better approach is to install <xref linkend='pciutils'/> and then
|
---|
| 475 | use <userinput>lspci</userinput> to identify which VGA controller is
|
---|
| 476 | installed.
|
---|
| 477 | </para>
|
---|
| 478 |
|
---|
| 479 | <para>
|
---|
| 480 | With that information, check the RadeonFeature page of the Xorg wiki
|
---|
[cd29bc9] | 481 | for <ulink url="https://wiki.x.org/wiki/RadeonFeature/#index5h2">Decoder
|
---|
[81a73ed8] | 482 | ring for engineering vs marketing names</ulink> to identify the family
|
---|
| 483 | (you may need to know this for the Xorg driver in BLFS —
|
---|
| 484 | Southern Islands and Sea Islands use the radeonsi driver) and the
|
---|
| 485 | specific model.
|
---|
| 486 | </para>
|
---|
| 487 |
|
---|
| 488 | <para>
|
---|
| 489 | Now that you know which controller you are using, consult the
|
---|
| 490 | <ulink url="https://wiki.gentoo.org/wiki/Radeon#Firmware">
|
---|
| 491 | Radeon</ulink> page of the Gentoo wiki which has a table listing
|
---|
| 492 | the required firmware blobs for the various chipsets. Note that
|
---|
| 493 | Southern Islands and Sea Islands chips use different firmware for
|
---|
| 494 | kernel 3.17 and later compared to earlier kernels. Identify and
|
---|
| 495 | download the required blobs then install them:
|
---|
| 496 | </para>
|
---|
[3ae81e1] | 497 |
|
---|
| 498 | <screen><userinput>mkdir -pv /lib/firmware/radeon
|
---|
| 499 | cp -v <YOUR_BLOBS> /lib/firmware/radeon</userinput></screen>
|
---|
| 500 |
|
---|
[81a73ed8] | 501 | <para>
|
---|
| 502 | There are actually two ways of installing this firmware. BLFS, in the
|
---|
| 503 | 'Kernel Configuration for additional firmware' section part of the
|
---|
| 504 | <xref linkend="xorg-ati-driver"/> section gives an example of
|
---|
| 505 | compiling the firmware into the kernel - that is slightly faster to
|
---|
| 506 | load, but uses more kernel memory. Here we will use the alternative
|
---|
| 507 | method of making the radeon driver a module. In your kernel config
|
---|
| 508 | set the following:
|
---|
| 509 | </para>
|
---|
[3ae81e1] | 510 |
|
---|
| 511 | <screen><literal>Device Drivers --->
|
---|
| 512 | Graphics support --->
|
---|
| 513 | Direct Rendering Manager --->
|
---|
[f39cf0d0] | 514 | [*] Direct Rendering Manager (XFree86 ... support) [CONFIG_DRM]
|
---|
| 515 | [M] ATI Radeon [CONFIG_DRM_RADEON]</literal></screen>
|
---|
[3ae81e1] | 516 |
|
---|
[81a73ed8] | 517 | <para>
|
---|
| 518 | Loading several large blobs from /lib/firmware takes a noticeable
|
---|
| 519 | time, during which the screen will be blank. If you do not enable the
|
---|
| 520 | penguin framebuffer logo, or change the console size by using a bigger
|
---|
| 521 | font, that probably does not matter. If desired, you can slightly
|
---|
| 522 | reduce the time if you follow the alternate method of specifying 'y'
|
---|
| 523 | for CONFIG_DRM_RADEON covered in BLFS at the link above — you
|
---|
| 524 | must specify each needed radeon blob if you do that.
|
---|
| 525 | </para>
|
---|
[3ae81e1] | 526 |
|
---|
[81a73ed8] | 527 | </sect3>
|
---|
[1cc5345] | 528 |
|
---|
[83cc2cc3] | 529 | <sect3 id="amdgpu-video-firmware">
|
---|
| 530 | <title>Firmware for AMD/ATI amdgpu video chips</title>
|
---|
| 531 |
|
---|
| 532 | <para>
|
---|
| 533 | All video controllers using the amdgpu kernel driver require firmware,
|
---|
| 534 | whether you will be using the xorg amdgpu driver, the xserver's modesetting
|
---|
| 535 | driver, or just kernel modesetting to get a console framebuffer larger than
|
---|
| 536 | 80x25.
|
---|
| 537 | </para>
|
---|
| 538 |
|
---|
| 539 | <para>
|
---|
| 540 | Install <xref linkend="pciutils"/> and use that to check the model name
|
---|
| 541 | (look for 'VGA compatible controller:'). If you have an APU (Accelerated
|
---|
| 542 | Processing Unit, i.e. CPU and video on the same chip) that will probably
|
---|
| 543 | tell you the name. If you have a separate amdgpu video card you will need
|
---|
| 544 | to search to determine which name it uses (e.g. a card described as
|
---|
| 545 | Advanced Micro Devices, Inc. [AMD/ATI] Baffin [Radeon RX 550 640SP / RX
|
---|
| 546 | 560/560X] needs Polaris11 firmware. There is a table of "Family, Chipset
|
---|
| 547 | name, Product name and Firmware" at the end of the Kernel sections in
|
---|
[4e207bb] | 548 | <ulink url="https://wiki.gentoo.org/wiki/AMDGPU#Known_firmware_blobs">
|
---|
[83cc2cc3] | 549 | AMDGPU</ulink> page of the Gentoo wiki.
|
---|
| 550 | </para>
|
---|
| 551 |
|
---|
| 552 | <para>
|
---|
| 553 | Once you have identified the firmware name, install all the relevant
|
---|
| 554 | files for it. For example, the Baffin card mentioned above has 21 different
|
---|
| 555 | polaris11* files, APUs such as renoir and picasso have at least 12 files and
|
---|
| 556 | might gain more in future updates (e.g. the raven APU now has a 13th file,
|
---|
| 557 | raven_ta.bin).
|
---|
| 558 | </para>
|
---|
| 559 |
|
---|
| 560 | <screen><userinput>mkdir -pv /lib/firmware/amdgpu
|
---|
| 561 | cp -v <YOUR_BLOBS> /lib/firmware/amdgpu</userinput></screen>
|
---|
| 562 |
|
---|
| 563 | <para>
|
---|
| 564 | If disk space is not a problem, you could install all the current amdgpu
|
---|
| 565 | firmware files and not worry about exactly which chipset is installed.
|
---|
| 566 | </para>
|
---|
| 567 |
|
---|
| 568 | <para>
|
---|
[c2ee90d4] | 569 | Building the kernel amdgpu driver as a module is recommended.
|
---|
[83cc2cc3] | 570 | In your kernel .config set at least the following options and review
|
---|
[c2ee90d4] | 571 | the other AMDGPU options according to your target hardware,
|
---|
| 572 | for example "ACP (Audio Co-Processor) Configuration":
|
---|
[83cc2cc3] | 573 | </para>
|
---|
| 574 |
|
---|
| 575 | <screen><literal>Device Drivers --->
|
---|
| 576 | Graphics support --->
|
---|
| 577 | Direct Rendering Manager --->
|
---|
| 578 | [*] Direct Rendering Manager (XFree86 ... support) [CONFIG_DRM]
|
---|
| 579 | [M] AMD GPU [CONFIG_DRM_AMDGPU]
|
---|
| 580 | Display Engine Configuration --->
|
---|
| 581 | [*] AMD DC - Enable new display engine (NEW) [CONFIG_DRM_AMD_DC]</literal></screen>
|
---|
| 582 |
|
---|
| 583 | <para>
|
---|
| 584 | As written above at the end of the section on 'Firmware for ATI video
|
---|
| 585 | chips', loading large blobs from /lib/firmware can take a noticeable
|
---|
| 586 | time during which the screen will be blank. On a slow machine you might
|
---|
| 587 | wish to refer to the 'Kernel Configuration for additional firmware'
|
---|
| 588 | part of <xref linkend="xorg-amdgpu-driver"/> and compile all the
|
---|
| 589 | required modules into the kernel to reduce this time, at the cost of
|
---|
| 590 | using more kernel memory.
|
---|
| 591 | </para>
|
---|
| 592 |
|
---|
| 593 | </sect3>
|
---|
| 594 |
|
---|
[81a73ed8] | 595 | <sect3 id="nvidia-video-firmware">
|
---|
| 596 | <title>Firmware for Nvidia video chips</title>
|
---|
[1cc5345] | 597 |
|
---|
[81a73ed8] | 598 | <para>
|
---|
[083a8d7] | 599 | Nvidia has released basic signed firmware for recent graphics chips,
|
---|
| 600 | but significantly after the chips and its own binary drivers were first
|
---|
| 601 | available. For other chips it has been necessary to extract the firmware
|
---|
| 602 | from the binary driver.
|
---|
| 603 | </para>
|
---|
| 604 | <para>
|
---|
| 605 | For more exact information about which chips need extracted firmware, see
|
---|
[81a73ed8] | 606 | <ulink url=
|
---|
| 607 | "https://nouveau.freedesktop.org/wiki/VideoAcceleration/#firmware"/>.
|
---|
| 608 | </para>
|
---|
[8558044] | 609 |
|
---|
[81a73ed8] | 610 | <para>
|
---|
| 611 | First, the kernel Nvidia driver must be activated:
|
---|
| 612 | </para>
|
---|
[1cc5345] | 613 |
|
---|
| 614 | <screen><literal>Device Drivers --->
|
---|
| 615 | Graphics support --->
|
---|
| 616 | Direct Rendering Manager --->
|
---|
| 617 | <*> Direct Rendering Manager (XFree86 ... support) [CONFIG_DRM]
|
---|
[f39cf0d0] | 618 | <*/M> Nouveau (NVIDIA) cards [CONFIG_DRM_NOUVEAU]</literal></screen>
|
---|
[1cc5345] | 619 |
|
---|
[81a73ed8] | 620 | <para>
|
---|
[083a8d7] | 621 | If the necessary firmware is available in the
|
---|
| 622 | <filename class="directory">nvidia/</filename> directory of
|
---|
| 623 | linux-firmware, copy it to
|
---|
| 624 | <filename class="directory">/lib/firmware/nouveau</filename>.
|
---|
| 625 | </para>
|
---|
| 626 | <para>
|
---|
| 627 | If the firmware has not been made available in linux-firmware,
|
---|
| 628 | for the old chips mentioned in the nouveau wiki link above ensure you have
|
---|
| 629 | installed <xref linkend="python2"/> and run the following commands:
|
---|
[81a73ed8] | 630 | </para>
|
---|
[1cc5345] | 631 |
|
---|
[cd29bc9] | 632 | <!-- Someone please port this to Python 3. -->
|
---|
[1cc5345] | 633 | <screen><userinput>wget https://raw.github.com/imirkin/re-vp2/master/extract_firmware.py
|
---|
[cd29bc9] | 634 | wget https://us.download.nvidia.com/XFree86/Linux-x86/325.15/NVIDIA-Linux-x86-325.15.run
|
---|
[1cc5345] | 635 | sh NVIDIA-Linux-x86-325.15.run --extract-only
|
---|
[083a8d7] | 636 | python2 extract_firmware.py
|
---|
[1cc5345] | 637 | mkdir -p /lib/firmware/nouveau
|
---|
| 638 | cp -d nv* vuc-* /lib/firmware/nouveau/</userinput></screen>
|
---|
| 639 |
|
---|
[81a73ed8] | 640 | </sect3>
|
---|
[3ae81e1] | 641 | </sect2>
|
---|
| 642 |
|
---|
| 643 | <sect2 id="nic-firmware">
|
---|
| 644 | <title>Firmware for Network Interfaces</title>
|
---|
| 645 |
|
---|
[81a73ed8] | 646 | <para>
|
---|
| 647 | The kernel likes to load firmware for some network drivers, particularly
|
---|
| 648 | those from Realtek (the /lib/linux-firmware/rtl_nic/) directory, but
|
---|
| 649 | they generally appear to work without it. Therefore, you can boot the
|
---|
| 650 | kernel, check dmesg for messages about this missing firmware, and if
|
---|
| 651 | necessary download the firmware and put it in the specified directory in
|
---|
| 652 | <filename class="directory">/lib/firmware</filename> so that it will
|
---|
| 653 | be found on subsequent boots. Note that with current kernels this
|
---|
| 654 | works whether or not the driver is compiled in or built as a module,
|
---|
| 655 | there is no need to build this firmware into the kernel.
|
---|
| 656 | Here is an example where the R8169 driver has been compiled in but the
|
---|
| 657 | firmware was not made available. Once the firmware had been provided,
|
---|
| 658 | there was no mention of it on later boots.
|
---|
| 659 | </para>
|
---|
[3ae81e1] | 660 |
|
---|
| 661 | <screen><literal>dmesg | grep firmware | grep r8169
|
---|
| 662 | [ 7.018028] r8169 0000:01:00.0: Direct firmware load for rtl_nic/rtl8168g-2.fw failed with error -2
|
---|
| 663 | [ 7.018036] r8169 0000:01:00.0 eth0: unable to load firmware patch rtl_nic/rtl8168g-2.fw (-2)</literal></screen>
|
---|
| 664 |
|
---|
| 665 | </sect2>
|
---|
| 666 |
|
---|
[0f5515d] | 667 | <sect2 id="regulatory-db">
|
---|
| 668 | <title>Firmware for Regulatory Database of Wireless Devices</title>
|
---|
| 669 |
|
---|
| 670 | <para>
|
---|
| 671 | Different countries have different regulations on the radio spectrum
|
---|
| 672 | usage of wireless devices. You can install a firmware to make the
|
---|
| 673 | wireless devices obey local spectrum regulations, so you won't be
|
---|
| 674 | inquired by local authority or find your wireless NIC jamming the
|
---|
| 675 | frequencies of other devices (for example, remote controllers).
|
---|
| 676 | The regulatory database firmware can be downloaded from
|
---|
| 677 | <ulink url = 'https://kernel.org/pub/software/network/wireless-regdb/'/>.
|
---|
| 678 | To install it, simply extract <filename>regulatory.db</filename> and
|
---|
| 679 | <filename>regulatory.db.p7s</filename> from the tarball into
|
---|
| 680 | <filename class="directory">/lib/firmware</filename>. Note that either
|
---|
| 681 | the <option>cfg80211</option> driver needs to be selected as a module
|
---|
| 682 | for the <filename>regulatory.*</filename>
|
---|
| 683 | files to be loaded, or those files need to be included as firmware into
|
---|
| 684 | the kernel, as explained above in <xref linkend="video-firmware"/>.
|
---|
| 685 | </para>
|
---|
| 686 |
|
---|
| 687 | <para>
|
---|
| 688 | The access point (AP) would send a country code to your wireless NIC,
|
---|
| 689 | and <xref linkend='wpa_supplicant'/> would tell the kernel to load
|
---|
| 690 | the regulation of this country from
|
---|
| 691 | <filename>regulatory.db</filename>, and enforce it. Note that several AP
|
---|
| 692 | don't send this country code, so you may be locked to a rather
|
---|
| 693 | restricted usage (specially if you want to use your interface as an AP).
|
---|
| 694 | </para>
|
---|
| 695 | </sect2>
|
---|
| 696 |
|
---|
[3ae81e1] | 697 | <sect2 id="other-firmware">
|
---|
| 698 | <title>Firmware for Other Devices</title>
|
---|
| 699 |
|
---|
[81a73ed8] | 700 | <para>
|
---|
| 701 | Identifying the correct firmware will typically require you to install
|
---|
| 702 | <xref linkend='pciutils'/>, and then use <userinput>lspci</userinput>
|
---|
| 703 | to identify the device. You should then search online to check which
|
---|
| 704 | module it uses, which firmware, and where to obtain the firmware —
|
---|
| 705 | not all of it is in linux-firmware.
|
---|
| 706 | </para>
|
---|
| 707 |
|
---|
| 708 | <para>
|
---|
| 709 | If possible, you should begin by using a wired connection when you first
|
---|
| 710 | boot your LFS system. To use a wireless connection you will need to
|
---|
[0f5515d] | 711 | use a network tools such as <xref linkend="iw"/>,
|
---|
| 712 | <xref linkend='wireless_tools'/>, or <xref linkend='wpa_supplicant'/>.
|
---|
[c18f6acb] | 713 | </para>
|
---|
| 714 |
|
---|
[81a73ed8] | 715 | <para>
|
---|
| 716 | Firmware may also be needed for other devices such as some SCSI
|
---|
| 717 | controllers, bluetooth adaptors, or TV recorders. The same principles
|
---|
| 718 | apply.
|
---|
| 719 | </para>
|
---|
[3ae81e1] | 720 |
|
---|
| 721 | </sect2>
|
---|
| 722 |
|
---|
| 723 | </sect1>
|
---|