feat: add blacklisted Intel ucode detection

Some Intel microcodes are known to cause instabilities
such as random reboots. Intel advises to revert to a
previous version if a newer one that fixes those issues
is not available. Detect such known bad microcodes.

spectre-meltdown-checker.sh

@@ -625,6 +625,71 @@ is_coreos()
 	return 1
 }
 
+is_ucode_blacklisted()
+{
+	# if it's not an Intel, don't bother: it's not blacklisted
+	grep -q GenuineIntel /proc/cpuinfo || return 1
+	# it also needs to be family=6
+	grep -qE '^cpu family.+ 6$' /proc/cpuinfo || return 1
+	cpu_model=$(   grep '^model'    /proc/cpuinfo | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
+	cpu_stepping=$(grep '^stepping' /proc/cpuinfo | awk '{print $3}' | grep -E '^[0-9]+$' | head -1)
+	cpu_ucode=$(grep '^microcode' /proc/cpuinfo | awk '{print $3}' | head -1)
+	# now, check each known bad microcode
+	# source: http://lkml.iu.edu/hypermail/linux/kernel/1801.2/06349.html
+	INTEL_FAM6_KABYLAKE_DESKTOP=158
+	INTEL_FAM6_KABYLAKE_MOBILE=142
+	INTEL_FAM6_SKYLAKE_X=85
+	INTEL_FAM6_SKYLAKE_MOBILE=78
+	INTEL_FAM6_SKYLAKE_DESKTOP=94
+	INTEL_FAM6_BROADWELL_CORE=61
+	INTEL_FAM6_BROADWELL_GT3E=71
+	INTEL_FAM6_HASWELL_ULT=69
+	INTEL_FAM6_HASWELL_GT3E=70
+	INTEL_FAM6_HASWELL_CORE=60
+	INTEL_FAM6_IVYBRIDGE_X=62
+	INTEL_FAM6_HASWELL_X=63
+	INTEL_FAM6_BROADWELL_XEON_D=86
+	INTEL_FAM6_BROADWELL_GT3E=71
+	INTEL_FAM6_BROADWELL_X=79
+	# model,stepping,microcode
+	for tuple in \
+		$INTEL_FAM6_KABYLAKE_DESKTOP,0x0B,0x80      \
+		$INTEL_FAM6_KABYLAKE_MOBILE,0x0A,0x80       \
+		$INTEL_FAM6_KABYLAKE_MOBILE,0x09,0x80       \
+		$INTEL_FAM6_KABYLAKE_DESKTOP,0x09,0x80      \
+		$INTEL_FAM6_SKYLAKE_X,0x04,0x0200003C       \
+		$INTEL_FAM6_SKYLAKE_MOBILE,0x03,0x000000C2  \
+		$INTEL_FAM6_SKYLAKE_DESKTOP,0x03,0x000000C2 \
+		$INTEL_FAM6_BROADWELL_CORE,0x04,0x28        \
+		$INTEL_FAM6_BROADWELL_GT3E,0x01,0x0000001B  \
+		$INTEL_FAM6_HASWELL_ULT,0x01,0x21           \
+		$INTEL_FAM6_HASWELL_GT3E,0x01,0x18          \
+		$INTEL_FAM6_HASWELL_CORE,0x03,0x23          \
+		$INTEL_FAM6_IVYBRIDGE_X,0x04,0x42a          \
+		$INTEL_FAM6_HASWELL_X,0x02,0x3b             \
+		$INTEL_FAM6_HASWELL_X,0x04,0x10             \
+		$INTEL_FAM6_HASWELL_CORE,0x03,0x23          \
+		$INTEL_FAM6_BROADWELL_XEON_D,0x02,0x14      \
+		$INTEL_FAM6_BROADWELL_XEON_D,0x03,0x7000011 \
+		$INTEL_FAM6_BROADWELL_GT3E,0x01,0x0000001B  \
+		$INTEL_FAM6_BROADWELL_X,0x01,0x0b000025     \
+		$INTEL_FAM6_KABYLAKE_DESKTOP,0x09,0x80      \
+		$INTEL_FAM6_SKYLAKE_X,0x03,0x100013e        \
+		$INTEL_FAM6_SKYLAKE_X,0x04,0x200003c
+	do
+		model=$(echo $tuple | cut -d, -f1)
+		stepping=$(( $(echo $tuple | cut -d, -f2) ))
+		ucode=$(echo $tuple | cut -d, -f3)
+		if [ "$cpu_model" = "$model" ] && [ "$cpu_stepping" = "$stepping" ] && echo "$cpu_ucode" | grep -qi "^$ucode$"; then
+			_debug "is_ucode_blacklisted: we have a match! ($model/$stepping/$ucode)"
+			bad_ucode_found="Intel CPU Family 6 Model $model Stepping $stepping with microcode $ucode"
+			return 0
+		fi
+	done
+	_debug "is_ucode_blacklisted: no ($model/$stepping/$ucode)"
+	return 1
+}
+
 # check for mode selection inconsistency
 if [ "$opt_live_explicit" = 1 ]; then
 	if [ -n "$opt_kernel" -o -n "$opt_config" -o -n "$opt_map" ]; then
@@ -1029,6 +1094,19 @@ check_cpu()
 		pstatus blue NO
 	fi
 
+	_info_nol "  * CPU microcode is known to cause stability problems: "
+	if is_ucode_blacklisted; then
+		pstatus red YES "$bad_ucode_found"
+		_warn
+		_warn "The microcode your CPU is running on is known to cause instability problems,"
+		_warn "such as intempestive reboots or random crashes."
+		_warn "You are advised to either revert to a previous microcode version (that might not have"
+		_warn "the mitigations for Spectre), or upgrade to a newer one if available."
+		_warn
+	else
+		pstatus green NO
+	fi
+
 	_info     "* CPU vulnerability to the three speculative execution attacks variants"
 	for v in 1 2 3; do
 		_info_nol "  * Vulnerable to Variant $v: "