Please merge amd64-microcode 3.20220411.1 (main) from Debian unstable (non-free)

Since last release Debian began shipping AMD-SEV firmware with AMD-UCODE.

https://salsa.debian.org/hmh/amd64-microcode

The linux-firmware package installs amdgpu and amd-sev firmware, but removes amd-ucode firmware through debian/remove-firmware.list.

amd-sev requires kernel command mem_encrypt=on to function.

@superm1 could you please advise on how to proceed?

I could prepare a patch that excludes AMD-SEV from amd64-microcode, so that only linux-firmware contains it.

I don't believe that's true that you need mem_encrypt=on to function. If the BIOS advertises support and the kernel has the config option set it can automatically opt-in I thought.

Before making any decisions, I think it's best to talk to the maintainer in Debian to find out why they opted to ship the SEV firmware with the microcode package instead.

If they have a good argument for it, it's probably worthwhile mirroring what they do to avoid carrying a delta in amd64-microcode and linux-firmware in Ubuntu.

Appreciate your guidance @superm1!

Henrique, Debian's amd64-maintainer, said that AMD64 processor microcode and AMD SEV are packaged together as AMD's microcodes have caused regression in the past and are therefore easier to maintain without other firmwares. Indeed, the Ubuntu Security Team has needed to revert regressions caused by the microcode as well (LP: #1779092, LP: #1853614). Debian never packaged AMD SEV with other firmwares, so amd64-microcode was a logical package to add it to.

Additionally, users who need AMD SEV may need AMD64 microcode.

I will prepare this merge without deltas and prepare a patch to remove AMD SEV from linux-firmware.

Merge is ready for review: https://launchpad.net/~eslerm/+archive/ubuntu/share/+sourcepub/13861919/+listing-archive-extra

For linux-firmware, adding the following to debian/remove-firmware.list creates a deb file without AMD-SEV files:
```
# LP: #1983409
# Remove AMD-SEV which is now part of amd64-microcode
LICENSE.amd-sev
amd

```

Attached is the debdiff between Debian and the proposed package.

Attached is the debdiff between the old Ubuntu package and this proposed package.

> For linux-firmware, adding the following to debian/remove-firmware.list creates a deb file without AMD-SEV files:

Presumably amd64-microcode will also need some handholding with Conflicts/Replaces to make sure that it works on upgrade as it will probably upgrade before linux-firmware does, right?

The attachment "amd64-microcode_3.20220411.1-3.202204.11.1ubuntu1.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Moving files from linux-firmware to amd64-microcode is #10 from https://wiki.debian.org/PackageTransition, no?

So linux-firmware needs:
Depends: amd64-microcode (>=NEW_VERSION) [amd64]

and amd64-microcode needs:
Breaks: linux-firmware (<<NEW_VERSION)
Replaces: linux-firmware (<<NEW_VERSION)

I think...

Thank you @superm1 and @juergh! I have not made packages outside of security patches and I immensely appreciate the advice.

Since not everyone who needs linux-firmware wants amd64-micocode, I believe it should be #9: "Reorg: A and B existed; move some files from A to B; new A does not require new B".

So linux-firmware needs:
Depends: amd64-microcode (<<NEW_VERSION) [amd64]

and amd64-microcode needs:
Breaks: linux-firmware (<<NEW_VERSION)
Replaces: linux-firmware (<<NEW_VERSION)

Does that sound appropriate?

In the above comment I did not apply rule 9 to linux-firmware properly.

Since the next linux-firmware version number is unknown, the amd64-microcode relationship to linux-firmware will use earlier or equal to (<=) the current linux-firmware version https://www.debian.org/doc/debian-policy/ch-relationships.html

So linux-firmware needs:
Breaks: amd64-microcode (<< 3.20220411.1ubuntu1) [amd64]

and amd64-microcode needs:
Breaks: linux-firmware (<= 20220711.gitdfa29317-0ubuntu1)
Replaces: linux-firmware (<= 20220711.gitdfa29317-0ubuntu1)

Keeping replaces feels odd.

An updated merge is ready for review.
https://launchpad.net/~eslerm/+archive/ubuntu/share2/+sourcepub/13867943/+listing-archive-extra

This package has a d/control with:
```
Source: amd64-microcode
Section: non-free/admin
Priority: standard
Maintainer: Ubuntu Developers <email address hidden>
XSBC-Original-Maintainer: Henrique de Moraes Holschuh <email address hidden>
Uploaders: Giacomo Catenazzi <email address hidden>
Build-Depends: debhelper (>= 9)
Standards-Version: 3.9.8
Vcs-Git: https://salsa.debian.org/hmh/amd64-microcode.git
Vcs-Browser: https://salsa.debian.org/hmh/amd64-microcode
XS-Autobuild: yes

Package: amd64-microcode
Architecture: i386 amd64 x32
Recommends: initramfs-tools (>= 0.113~) | dracut (>= 044) | tiny-initramfs
Depends: ${misc:Depends}
Breaks: intel-microcode (<< 2), linux-firmware (<= 20220711.gitdfa29317-0ubuntu1)
Replaces: linux-firmware (<= 20220711.gitdfa29317-0ubuntu1)
Description: Processor microcode firmware for AMD CPUs
 This package contains microcode patches for all AMD AMD64
 processors. AMD releases microcode patches to correct
 processor behavior as documented in the respective processor
 revision guides. This package includes both AMD CPU microcode
 patches and AMD SEV firmware updates.
 .
 For Intel processors, please refer to the intel-microcode package.
```

@vorlon suggested to use "linux-firmware (<< 20220711.gitdfa29317-0~)" to make this SRU-proof for the future.

d/control now contains:
```
Breaks: intel-microcode (<< 2), linux-firmware (<< 20220711.gitdfa29317-0~)
Replaces: linux-firmware (<< 20220711.gitdfa29317-0~)
```

Please see the latest proposed merge:
https://launchpad.net/~eslerm/+archive/ubuntu/share3/+sourcepub/13868029/+listing-archive-extra

Please see the proposed diff for the next linux-firmware update:
https://launchpad.net/~eslerm/+archive/ubuntu/share/+sourcepub/13868068/+listing-archive-extra

I was not able to specify [amd64] in the Breaks line, since that broke build: "error: the Breaks field ... 'linux-firmware' is architecture all"

I am setting this to confirmed and assigning owning teams per https://wiki.ubuntu.com/UbuntuDevelopment/Merging

Please let me know if I assigned teams incorrectly or if I can do more work for this merge.

It doesn't look like the new amd64_microcode package contains the necessary Breaks/Replaces lines in the control file.

@juergh, the amd64-microcode in kinetic proposed could be fixed by using the control file in https://launchpad.net/~eslerm/+archive/ubuntu/share3/+sourcepub/13868029/+listing-archive-extra

sorry, the assigning of this bug to the Foundations Team led to this being treated as a request for the Foundations Team to do the merge, not to sponsor an upload - so the Breaks/Replaces were missed. amd64-microcode has been reuploaded now with this change.

the error message that I get with Kubuntu 22.10 and try to install amd64-microcode is:

The following packages will be upgraded:
  amd64-microcode
1 to upgrade, 0 to newly install, 0 to remove and 0 not to upgrade.
9 not fully installed or removed.
Need to get 0 B/120 kB of archives.
After this operation, 181 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Preparing to unpack .../amd64-microcode_3.20220411.1ubuntu2_amd64.deb ...
Unpacking amd64-microcode (3.20220411.1ubuntu1) over (3.20191218.1ubuntu2) ...
dpkg: error processing archive /var/cache/apt/archives/amd64-microcode_3.20220411.1ubuntu2_amd64.deb (--unpack):
 trying to overwrite '/lib/firmware/amd/amd_sev_fam17h_model0xh.sbin', which is also in package linux-firmware 20220711.gitdfa29317-0ubuntu1
Errors were encountered while processing:
 /var/cache/apt/archives/amd64-microcode_3.20220411.1ubuntu2_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

linux-firmware (20220711.gitdfa29317-0ubuntu1) kinetic; urgency=medium

marcin@msi:~/Pobrane/linux-firmware/amd$ md5sum *
704fd05f08ecfb3ecaab04d5557cf70e amd_sev_fam17h_model0xh.sbin
a28892b5e4ed93c56132035b63a1cf01 amd_sev_fam17h_model3xh.sbin
d3b65309d5b672b5e256028f79623e67 amd_sev_fam19h_model0xh.sbin

amd64-microcode (3.20220411.1ubuntu2) kinetic

marcin@msi:~/Pobrane/amd64-firmware/amd$ md5sum *
704fd05f08ecfb3ecaab04d5557cf70e amd_sev_fam17h_model0xh.sbin
a28892b5e4ed93c56132035b63a1cf01 amd_sev_fam17h_model3xh.sbin
d3b65309d5b672b5e256028f79623e67 amd_sev_fam19h_model0xh.sbin

they are the same files, what for do you duplicate them ?

ok, then the breaks/replaces versions are wrong, as these were done assuming that the current version of linux-firmware in kinetic had the necessary changes.

Juerg, you marked the linux-firmware task as fix committed - where is this committed?

It seems amd64-microcode still conflicts with the latest version of linux-firmware, even with the breaks line.
➜ sudo apt install amd64-microcode
agi='sudo apt install'
age='sudo apt'
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  firmware-sof-signed linux-headers-generic-hwe-22.04
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  linux-firmware
The following NEW packages will be installed:
  amd64-microcode
0 upgraded, 1 newly installed, 1 to remove and 0 not upgraded.
Need to get 0 B/120 kB of archives.
After this operation, 924 MB disk space will be freed.
Do you want to continue? [Y/n] n
Abort.
My linux-firmware package is in the version 20220819.git8413c63c-0ubuntu1, that is theoretically higher than the version mentioned in the breaks field.

The current version of linux-firmware (20220819.git8413c63c-0ubuntu1) contains a Breaks line with: `amd64-microcode (<= 3.20220411.1ubuntu1)`.

The linux-firmware patch proposed in comment 16 contains a Breaks line with: `amd64-microcode (<< 3.20220411.1~)`.

The patch in comment 16 works.

Using the Breaks line `amd64-microcode (<< 3.20220411.1~)` in the current version of linux-firmware (20220819.git8413c63c-0ubuntu1) I was able to install both linux-firmware and amd64-microcode in a fresh kinetic VM with:

sudo apt install linux-firmware
sudo apt --fix-broken install
sudo apt install linux-firmware

eslerm@sec-kinetic-amd64:~$ apt-cache policy linux-firmware
linux-firmware:
  Installed: 20220819.git8413c63c-0ubuntu3
  Candidate: 20220819.git8413c63c-0ubuntu3
  Version table:
 *** 20220819.git8413c63c-0ubuntu3 500
        500 http://192.168.122.1/debs/testing kinetic/ Packages
        100 /var/lib/dpkg/status
     20220819.git8413c63c-0ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu kinetic-proposed/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu kinetic-proposed/main i386 Packages
     20220711.gitdfa29317-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu kinetic/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu kinetic/main i386 Packages

eslerm@sec-kinetic-amd64:~$ apt-cache policy amd64-microcode
amd64-microcode:
  Installed: 3.20220411.1ubuntu2
  Candidate: 3.20220411.1ubuntu2
  Version table:
 *** 3.20220411.1ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu kinetic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     3.20191218.1ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu kinetic/main amd64 Packages

I was able to install both package with latest linux-firmware package:
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-===============-=============================-============-=========================================
ii amd64-microcode 3.20220411.1ubuntu2 amd64 Processor microcode firmware for AMD CPUs
ii linux-firmware 20220819.git8413c63c-0ubuntu2 all Firmware for Linux kernel drivers
(END)
It seems everything ok now.

\o/ woo!

Thanks everyone who helped get this into Kinetic before feature freeze!

A fresh install might work but an upgrade doesn't:

Unpacking amd64-microcode (3.20220411.1ubuntu2) over (3.20191218.1ubuntu2) ...
dpkg: error processing archive /tmp/apt-dpkg-install-XXY0Ti/112-amd64-microcode_3.20220411.1ubuntu2_amd64.deb (--unpack):
 trying to overwrite '/lib/firmware/amd/amd_sev_fam17h_model0xh.sbin', which is also in package linux-firmware 20220711.gitdfa29317-0ubuntu1
dpkg-deb: error: paste subprocess was killed by signal (Broken pipe)
dpkg: considering deconfiguration of amd64-microcode, which would be broken by installation of linux-firmware ...
dpkg: yes, will deconfigure amd64-microcode (broken by linux-firmware)

The breaks/replaces linux-firmware version in amd64-microcode is wrong, as vorlon pointed out. It should be (<< 20220819.git8413c63c-0~).

This debdiff fixes uprgades for me. Sample package in ppa:juergh/firmware.
https://launchpad.net/~juergh/+archive/ubuntu/firmware/+packages

For reference: kinetic linux-firmware https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux-firmware/log/?h=kinetic

Juerg, yes.

The Breaks line of comment 15 used the most recently available version (<< 20220711.gitdfa29317-0~).

This bug was fixed in the package linux-firmware - 20220819.git8413c63c-0ubuntu2

---------------
linux-firmware (20220819.git8413c63c-0ubuntu2) kinetic; urgency=medium

  * Miscellaneous Ubuntu changes
    - [Packaging] debian/control: Fix Breaks line

 -- Juerg Haefliger <email address hidden> Sat, 20 Aug 2022 14:13:38 +0200

This bug was fixed in the package amd64-microcode - 3.20220411.1ubuntu3

---------------
amd64-microcode (3.20220411.1ubuntu3) kinetic; urgency=medium

  * Bump the Breaks/Replaces on linux-firmware to match the version which
    actually drops the conflicting files. LP: #1983409.

 -- Steve Langasek <email address hidden> Tue, 23 Aug 2022 15:23:32 +0000