diff --git a/README b/README index ef55531..df1a223 100644 --- a/README +++ b/README @@ -11,6 +11,81 @@ amdtee/ currently includes firmware for the amd_pmf driver. latest commits in this release: +commit e637542fa8b9e0a88b0b2885072eea7df3737969 +Author: John Allen +Date: Thu Oct 30 17:23:31 2025 -0500 + + linux-firmware: Update AMD cpu microcode + + * Update AMD cpu microcode for processor family 1ah + + Key Name = AMD Microcode Signing Key (for signing microcode container files only) + Key ID = F328AE73 + Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73 + + Signed-off-by: John Allen + +commit ad91544767665e911386e62ecebaa969e2cfb1c0 +Author: John Allen +Date: Mon Oct 27 17:25:01 2025 -0500 + + linux-firmware: Update AMD cpu microcode + + * Update AMD cpu microcode for processor family 19h + + Key Name = AMD Microcode Signing Key (for signing microcode container files only) + Key ID = F328AE73 + Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73 + + Signed-off-by: John Allen + +commit 3a49a7356a8c83a33d0214edfc5d8fd835caa93a +Author: Andrew Cooper +Date: Tue Oct 21 14:20:56 2025 +0100 + + amd-ucode: Fix minimum revisions in README + + ... to match the minimum revisions stated in the binaries. + + Signed-off-by: Andrew Cooper + +commit 3768c184de68a85b9df6697e7f93a2f61de90a99 +Author: John Allen +Date: Tue Jul 29 10:21:29 2025 -0500 + + linux-firmware: Update AMD cpu microcode + + * Update AMD cpu microcode for processor family 19h + * Add AMD cpu microcode for processor family 1ah + + Key Name = AMD Microcode Signing Key (for signing microcode + container files only) + Key ID = F328AE73 + Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73 + + Signed-off-by: John Allen + +commit 331eac9144402d6cfa02ff3b2888a40bb9a7a01a +Author: John Allen +Date: Mon Jul 7 18:56:23 2025 +0000 + + linux-firmware: Update AMD cpu microcode + + * Update AMD cpu microcode for processor family 19h + + Key Name = AMD Microcode Signing Key (for signing microcode container files only) + Key ID = F328AE73 + Key Fingerprint = FC7C 6C50 5DAF CC14 7183 57CA E4BE 5339 F328 AE73 + + Signed-off-by: John Allen + Signed-off-by: Josh Boyer + +commit 86d528c261657497967cb2b2051374639e6ad476 +Author: Shyam Sundar S K +Date: Wed May 7 14:22:26 2025 +0000 + + amd_pmf: Update AMD PMF TA Firmware to v3.1 + commit 3660cb7665df91e664b240c19c560f138d74f483 Author: John Allen Date: Wed Feb 19 20:29:05 2025 +0000 diff --git a/WHENCE.amd b/WHENCE.amd new file mode 100644 index 0000000..ce093e0 --- /dev/null +++ b/WHENCE.amd @@ -0,0 +1,58 @@ + ********** + * WHENCE * + ********** + +This file attempts to document the origin and licensing information, +if known, for each piece of firmware distributed for use with the Linux +kernel. + +-------------------------------------------------------------------------- + +Driver: amd_pmf - AMD Platform Management Framework TA + +File: amdtee/773bd96f-b83f-4d52-b12dc529b13d8543.bin +Link: amdtee/amd_pmf_v3.bin -> 773bd96f-b83f-4d52-b12dc529b13d8543.bin +File: amdtee/f29bb3d9-bd66-5441-afb88acc2b2b60d6.bin +Link: amdtee/amd_pmf_v3_1.bin -> f29bb3d9-bd66-5441-afb88acc2b2b60d6.bin + +Licence: Redistributable. See LICENSE.amd_pmf for details. + +-------------------------------------------------------------------------- + +Driver: ccp - Platform Security Processor (PSP) device + +File: amd/amd_sev_fam17h_model0xh.sbin +Version: 2022-2-25 +File: amd/amd_sev_fam17h_model3xh.sbin +Version: 2024-8-20 +File: amd/amd_sev_fam19h_model0xh.sbin +Version: 2025-2-20 +File: amd/amd_sev_fam19h_model1xh.sbin +Version: 2025-2-20 +File: amd/amd_sev_fam19h_modelaxh.sbin +Version: 2025-2-20 +File: amd/amd_sev_fam1ah_model0xh.sbin +Version: 2025-2-20 + +License: Redistributable. See LICENSE.amd-sev for details + +-------------------------------------------------------------------------- + +Driver: microcode_amd - AMD CPU Microcode Update Driver for Linux + +RawFile: amd-ucode/microcode_amd.bin +Version: 2013-07-10 +RawFile: amd-ucode/microcode_amd_fam15h.bin +Version: 2018-05-24 +RawFile: amd-ucode/microcode_amd_fam16h.bin +Version: 2014-10-28 +RawFile: amd-ucode/microcode_amd_fam17h.bin +Version: 2024-11-21 +RawFile: amd-ucode/microcode_amd_fam19h.bin +Version: 2025-10-27 +RawFile: amd-ucode/microcode_amd_fam1ah.bin +Version: 2025-12-02 +File: amd-ucode/README + +License: Redistributable. See LICENSE.amd-ucode for details + diff --git a/amd-ucode/README b/amd-ucode/README index 138b24d..3bb5ce7 100644 --- a/amd-ucode/README +++ b/amd-ucode/README @@ -30,7 +30,6 @@ Microcode patches in microcode_amd_fam15h.bin: Microcode patches in microcode_amd_fam16h.bin: Family=0x16 Model=0x00 Stepping=0x01: Patch=0x0700010f Length=3458 bytes - Microcode patches in microcode_amd_fam17h.bin: Family=0x17 Model=0x71 Stepping=0x00: Patch=0x08701034 Length=3200 bytes Family=0x17 Model=0x01 Stepping=0x02: Patch=0x0800126f Length=3200 bytes @@ -42,23 +41,53 @@ Microcode patches in microcode_amd_fam17h.bin: Microcode patches in microcode_amd_fam19h.bin: Family=0x19 Model=0x01 Stepping=0x00: Patch=0x0a00107a Length=5568 bytes - Family=0x19 Model=0x7c Stepping=0x00: Patch=0x0a70c005 Length=5568 bytes - Family=0x19 Model=0x75 Stepping=0x02: Patch=0x0a705206 Length=5568 bytes - Family=0x19 Model=0x08 Stepping=0x02: Patch=0x0a00820c Length=5568 bytes - Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a101248 Length=5568 bytes - Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00215 Length=5568 bytes - Family=0x19 Model=0x44 Stepping=0x01: Patch=0x0a404107 Length=5568 bytes - Family=0x19 Model=0x78 Stepping=0x00: Patch=0x0a708007 Length=5568 bytes - Family=0x19 Model=0x21 Stepping=0x00: Patch=0x0a20102d Length=5568 bytes - Family=0x19 Model=0x74 Stepping=0x01: Patch=0x0a704107 Length=5568 bytes + Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d5 Length=5568 bytes + Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011de Length=5568 bytes + Minimum base ucode version for loading: 0x0a0011d9 Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001238 Length=5568 bytes + Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001247 Length=5568 bytes + Minimum base ucode version for loading: 0x0a001242 + Family=0x19 Model=0x08 Stepping=0x02: Patch=0x0a00820d Length=5568 bytes Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a101148 Length=5568 bytes - Family=0x19 Model=0x61 Stepping=0x02: Patch=0x0a601209 Length=5568 bytes - Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d5 Length=5568 bytes + Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a101158 Length=5568 bytes + Minimum base ucode version for loading: 0x0a101153 + Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a101248 Length=5568 bytes + Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a101253 Length=5568 bytes + Minimum base ucode version for loading: 0x0a10124e + Family=0x19 Model=0x18 Stepping=0x01: Patch=0x0a108109 Length=5568 bytes + Family=0x19 Model=0x21 Stepping=0x00: Patch=0x0a20102e Length=5568 bytes + Family=0x19 Model=0x21 Stepping=0x02: Patch=0x0a201211 Length=5568 bytes + Family=0x19 Model=0x44 Stepping=0x01: Patch=0x0a404108 Length=5568 bytes + Family=0x19 Model=0x50 Stepping=0x00: Patch=0x0a500012 Length=5568 bytes + Family=0x19 Model=0x61 Stepping=0x02: Patch=0x0a60120a Length=5568 bytes + Family=0x19 Model=0x74 Stepping=0x01: Patch=0x0a704108 Length=5568 bytes + Family=0x19 Model=0x75 Stepping=0x02: Patch=0x0a705208 Length=5568 bytes + Family=0x19 Model=0x78 Stepping=0x00: Patch=0x0a708008 Length=5568 bytes + Family=0x19 Model=0x7c Stepping=0x00: Patch=0x0a70c008 Length=5568 bytes Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116 Length=5568 bytes - Family=0x19 Model=0x18 Stepping=0x01: Patch=0x0a108108 Length=5568 bytes - Family=0x19 Model=0x50 Stepping=0x00: Patch=0x0a500011 Length=5568 bytes - Family=0x19 Model=0x21 Stepping=0x02: Patch=0x0a201210 Length=5568 bytes + Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00215 Length=5568 bytes + Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa0021c Length=5568 bytes + Minimum base ucode version for loading: 0x0aa00218 + +Microcode patches in microcode_amd_fam1ah.bin: + Family=0x1a Model=0x02 Stepping=0x01: Patch=0x0b002161 Length=14368 bytes + Minimum base ucode version for loading: 0x0b002140 + Family=0x1a Model=0x08 Stepping=0x01: Patch=0x0b008121 Length=14368 bytes + Minimum base ucode version for loading: 0x0b008112 + Family=0x1a Model=0x11 Stepping=0x00: Patch=0x0b101058 Length=14368 bytes + Minimum base ucode version for loading: 0x0b101040 + Family=0x1a Model=0x24 Stepping=0x00: Patch=0x0b204037 Length=14368 bytes + Minimum base ucode version for loading: 0x0b204032 + Family=0x1a Model=0x44 Stepping=0x00: Patch=0x0b404035 Length=14368 bytes + Minimum base ucode version for loading: 0x0b404032 + Family=0x1a Model=0x44 Stepping=0x01: Patch=0x0b404108 Length=14368 bytes + Minimum base ucode version for loading: 0x0b404102 + Family=0x1a Model=0x60 Stepping=0x00: Patch=0x0b600037 Length=14368 bytes + Minimum base ucode version for loading: 0x0b600032 + Family=0x1a Model=0x68 Stepping=0x00: Patch=0x0b608038 Length=14368 bytes + Minimum base ucode version for loading: 0x0b608032 + Family=0x1a Model=0x70 Stepping=0x00: Patch=0x0b700037 Length=14368 bytes + Minimum base ucode version for loading: 0x0b700032 NOTE: For Genoa (Family=0x19 Model=0x11) and Bergamo (Family=0x19 Model=0xa0), either AGESA version >= 1.0.0.8 OR a kernel with the following commit is @@ -77,3 +106,20 @@ the required minimum patch levels to address this problem: Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a10123e Family=0x19 Model=0xa0 Stepping=0x01: Patch=0x0aa00116 Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00212 + +NOTE: In order to not fully abandon machines affected by AMD-SB-7033 [1] that +have not received the BIOS update, the family 19h microcode container now +includes a second patch for these machines that brings the microcode to the +highest possible level without the microcode signing fix. While a BIOS update +is highly recommended to receive the latest security updates issued after the +microcode signing vulnerability, this will allow non-updated systems to at +least receive some microcode updates beyond the version provided by BIOS. + +The list of additional patches can be seen below: + Family=0x19 Model=0x01 Stepping=0x01: Patch=0x0a0011d5 Length=5568 bytes + Family=0x19 Model=0x01 Stepping=0x02: Patch=0x0a001238 Length=5568 bytes + Family=0x19 Model=0x11 Stepping=0x01: Patch=0x0a101148 Length=5568 bytes + Family=0x19 Model=0x11 Stepping=0x02: Patch=0x0a101248 Length=5568 bytes + Family=0x19 Model=0xa0 Stepping=0x02: Patch=0x0aa00215 Length=5568 bytes + +[1]: https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html diff --git a/amd-ucode/microcode_amd_fam19h.bin b/amd-ucode/microcode_amd_fam19h.bin index 7646010..41154d6 100644 Binary files a/amd-ucode/microcode_amd_fam19h.bin and b/amd-ucode/microcode_amd_fam19h.bin differ diff --git a/amd-ucode/microcode_amd_fam19h.bin.asc b/amd-ucode/microcode_amd_fam19h.bin.asc index 5f54185..2ce8866 100644 --- a/amd-ucode/microcode_amd_fam19h.bin.asc +++ b/amd-ucode/microcode_amd_fam19h.bin.asc @@ -1,11 +1,11 @@ -----BEGIN PGP SIGNATURE----- -iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmc/W4EACgkQ5L5TOfMo -rnPSAwf/UozBxuAEmSJMgUE3CVKyuvs0VpI1fvUpybW5Dqgz+6DLXtLJBFQLjLn1 -UlxhkHmiZ63QXazpu3QUBGUkUh5fpKDsn8P1XVRPTtOc4IMsWVlCh3RJwFpmQRqW -8h30WDwxRzIb0VvGg8bclLGH/t1dozagk87eYbq9sz8I/qV9P/kd/BFifNSqANOq -xQmb9oNFu3JuFHqNoLdR02dQ9T/l21TDoLQwjjyFwAY8B1JNQTjTlq6brfnOKICu -SRF3PMAS+EOwplGtgUXYhgYBHNikKM9Vk7Ua3DFxcMm1ZKhL3Z+O0OloLapLaR3x -HEivYRaVoKdVNZfl4rMsjyp7fnU07w== -=ex8u +iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmj4/hcACgkQ5L5TOfMo +rnN+pAgAqw2g0/vMt82S58O5q2Ec35xqEBabSaeQkI9T2tolQmlBx45ggT8eWitf +Wx4Oopq13lLvHNk7d7Isvi0nZ/+4yu7IoBNPqR1jkbgUOW1qmhkGK3PJROUphPGZ +r6GPd/sRW/ugDECO7fiheqop9OzGlOwMzovSJNUDvQL8MfRK9bKUNSPmmKYLeKzw +5cWtKKhC3AMxaCGiL4gJIXrT+SG+VxR3rMOiFLu2vYi5wJvYbutXX4GspjXPg9PV +HjE1cQt8pgGEVmGDD47yLNttAN1OVTxf4tBcJmc9svxmFrI6f3TKU99h+fzmH/Zj +1MGoWAW4FP8L4AEqjJkiUjof08hiVw== +=IB2l -----END PGP SIGNATURE----- diff --git a/amd-ucode/microcode_amd_fam1ah.bin b/amd-ucode/microcode_amd_fam1ah.bin new file mode 100644 index 0000000..74c9b68 Binary files /dev/null and b/amd-ucode/microcode_amd_fam1ah.bin differ diff --git a/amd-ucode/microcode_amd_fam1ah.bin.asc b/amd-ucode/microcode_amd_fam1ah.bin.asc new file mode 100644 index 0000000..975eebe --- /dev/null +++ b/amd-ucode/microcode_amd_fam1ah.bin.asc @@ -0,0 +1,11 @@ +-----BEGIN PGP SIGNATURE----- + +iQEzBAABCgAdFiEE/HxsUF2vzBRxg1fK5L5TOfMornMFAmkvhcIACgkQ5L5TOfMo +rnMHnQf/VMb4t4zk3y/XtMaff219LqrPsthI3z821nrv7L6Hg4Hy6bQRBH+7JkzF +p/+jdZkbkp2dKN05RqRTg/vL+jXK9IbmSZoacTjkVtaEwRLyiU3IQz+gWThuBqwj ++ptsAUf+YH7YHpwJ8Xb8KfY43YVMaOnDbsFcWrnxxzdkEfOEKNOwxJMJvpZtzKW0 +HoIxeHfNjIDmpFBGui0ojTxShpH1JNi/ujWHfyHqauIdO/HcHkLhtQIrBjXFDxeg +3UvS/uzwwu3/xhdzygyvBAoHOMSnrKByjfC6TeFrnPEhmfAiTV32qberDZr4LKAi +INUNC4I/DDDEG0nYqeJw1O2cdmTrdg== +=gKQm +-----END PGP SIGNATURE----- diff --git a/amdtee/amd_pmf_v3_1.bin b/amdtee/amd_pmf_v3_1.bin new file mode 120000 index 0000000..41a664e --- /dev/null +++ b/amdtee/amd_pmf_v3_1.bin @@ -0,0 +1 @@ +f29bb3d9-bd66-5441-afb88acc2b2b60d6.bin \ No newline at end of file diff --git a/amdtee/f29bb3d9-bd66-5441-afb88acc2b2b60d6.bin b/amdtee/f29bb3d9-bd66-5441-afb88acc2b2b60d6.bin new file mode 100644 index 0000000..5c41d32 Binary files /dev/null and b/amdtee/f29bb3d9-bd66-5441-afb88acc2b2b60d6.bin differ diff --git a/debian/NEWS b/debian/NEWS index 0780d06..53256ee 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,41 @@ +amd64-microcode (3.20251030.1) unstable; urgency=high + + This release ships microcode for family 0x1ah (Zen5) that cannot be + loaded by very outdated system firmware, due to the fix for the + "Entrysign" microcode signature issue (as described by AMD-SB-7033). + + This release ships two sets of microcode for family 0x19h (Zen3, + Zen3+, Zen4): + + * The most recent set of microcode updates, which will only work for + systems that had their system firmware (BIOS) properly updated to + address the Entrysign microcode signature vulnerability. + + * A second set of older microcode "updates", for systems with outdated + system firmware still vulnerable to the Entrysign vulnerability. + + As described by AMD: + "In order to not fully abandon machines affected by AMD-SB-7033 that + have not received the BIOS update, the family 19h microcode container + now includes a second patch for these machines that brings the microcode + to the highest possible level without the microcode signing fix. While a + BIOS update is highly recommended to receive the latest security updates + issued after the microcode signing vulnerability, this will allow + non-updated systems to at least receive some microcode updates beyond + the version provided by BIOS." + + Note that any such systems *will remain vulnerable* to Entrysign and + anything else that has been fixed by microcode updates since then. + + For more details, refer to AMD-SB-7033: + https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7033.html + + IMPORTANT NOTE: an updated Linux kernel with an updated AMD microcode + update driver is required in order to the "set of older microcode + updates" to be selected on systems with outdated firmware. + + -- Henrique de Moraes Holschuh Sat, 08 Nov 2025 19:20:02 -0300 + amd64-microcode (3.20230808.1) unstable; urgency=high This release requires *either* new-enough system firmware, *or* a diff --git a/debian/amd64-microcode.docs b/debian/amd64-microcode.docs index e845566..0e067fc 100644 --- a/debian/amd64-microcode.docs +++ b/debian/amd64-microcode.docs @@ -1 +1,3 @@ README +WHENCE.amd +LICENSE* diff --git a/debian/changelog b/debian/changelog index 0d70ff4..64ca680 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,52 @@ +amd64-microcode (3.20251202.1) unstable; urgency=medium + + * Update package data from linux-firmware 20251202 + * ATTENTION: regression risk if backported to stable or LTS. + The amd processor microcode updates in this release will not load on + systems with outdated BIOS vulnerable to "Entrysign" unless a number of + kernel patches are present. + * amd-tee: update AMD PMF TA Firmware to v3.1. + * amd-ucode: update with release 2025-12-02: + + SECURITY UPDATE (AMD-SB-7055 / CVE-2025-62626) + Fix RDSEED Failure on more AMD Zen 5 Processor models + (closes: #1120005) + * amd-ucode: update with release 2025-11-13: + + SECURITY UPDATE (AMD-SB-7055 / CVE-2025-62626) + Fix RDSEED Failure on more AMD Zen 5 Processor models + * amd-ucode: update with release 2025-10-30: + + SECURITY UPDATE (AMD-SB-7055 / CVE-2025-62626) + Fix RDSEED Failure on some AMD Zen 5 Processor models + + amd-ucode: update with release 2025-10-27: + * This is the final microcode release for systems that have not + been updated to fix vulnerability AMD-SB-7033 "Entrysign"). + * A kernel update is needed for the microcode driver to be able + to select the appropriate microcode updates for outdated system + firmware vulnerable to "Entrysign". + * On non-updated kernels, this will potentially *regress* the + microcode version on the running system back to the one in the + (outdated, unpatched-for-Entrysign) BIOS. + + amd-ucode: update with release 2025-07-29: + + SECURITY UPDATE (AMD-SB-7029: CVE-2024-36350, CVE-2024-36357): + Mitigate transient execution vulnerabilities in some AMD processors + which might allow an attacker to infer data from previous stores + (TSA-SQ) or data in the L1D cache (TSA-L1), potentially resulting in + the leakage of privileged information and sensitive information across + priviledged boundaries (closes: #1109035) + * NOTE: Requires kernel and hypervisor changes for the security + mitigations to be applied (issue VERW instruction at appropriate + times). + * initramfs: guard against copying non-microcode data into the + early-initramfs bundle, for the benefit of those that copy all files from + linux-firmware into /lib/firmware/*. Thanks to Eric Valette for tracking + it down (closes: #1101350) + * debian/control: recommend cpio (closes: #1110987) + * NEWS.Debian: update for post-Entrysign microcode updates + Document that kernel patches are needed to avoid regressing the microcode + release on vulnerable Zen2/3/4 systems (family 0x19), and also that these + systems will not receive any future microcode updates. + + -- Henrique de Moraes Holschuh Sat, 06 Dec 2025 12:04:29 -0300 + amd64-microcode (3.20250311.1) unstable; urgency=medium * Update package data from linux-firmware 20250311 diff --git a/debian/control b/debian/control index 735cea0..05cf5db 100644 --- a/debian/control +++ b/debian/control @@ -11,7 +11,7 @@ XS-Autobuild: yes Package: amd64-microcode Architecture: i386 amd64 x32 -Recommends: initramfs-tools (>= 0.113~) | dracut (>= 044) | tiny-initramfs +Recommends: initramfs-tools (>= 0.113~) | dracut (>= 044) | tiny-initramfs, cpio Depends: ${misc:Depends} Breaks: intel-microcode (<< 2) Description: Platform firmware and microcode for AMD CPUs and SoCs diff --git a/debian/initramfs.hook b/debian/initramfs.hook index 1f6b696..3e1ca36 100755 --- a/debian/initramfs.hook +++ b/debian/initramfs.hook @@ -96,7 +96,7 @@ EFWF="${EFWCD}/AuthenticAMD.bin" # firmware file, as well as the timestamp and ordering of # all cpio members. mkdir -p "${EFWCD}" && \ - find "${AUCODE_FW_DIR}/." -maxdepth 1 -type f -print0 | LC_ALL=C sort -z | xargs -0 -r cat 2>/dev/null >"${EFWF}" && \ + find "${AUCODE_FW_DIR}/." -maxdepth 1 -type f -name 'microcode_amd*.bin' -print0 | LC_ALL=C sort -z | xargs -0 -r cat 2>/dev/null >"${EFWF}" && \ find "${EFWD}" -print0 | xargs -0r touch --no-dereference --date="@${CHANGELOG_TS}" && { \ # --reproducible requires cpio >= 2.12 cpio --usage | grep -qs -- "--reproducible" && cpio_reproducible="--reproducible" || true