core178: insert urgent core update for new cpu vulnerability mitigations

this contain kernel-6.1.45, intel-microcode-20230808, linux-firmware-20230804 + fam19h patches and a fix
for early microcode load from initramdisk.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

config/rootfiles/core/178/filelists/files

@@ -0,0 +1 @@
+srv/web/ipfire/cgi-bin/vulnerabilities.cgi

config/rootfiles/core/178/filelists/linux-firmware-update

@@ -0,0 +1,66 @@
+lib/firmware/amdgpu/dcn_3_1_4_dmcub.bin
+lib/firmware/amdgpu/dcn_3_1_5_dmcub.bin
+lib/firmware/amdgpu/dcn_3_2_0_dmcub.bin
+lib/firmware/amdgpu/dcn_3_2_1_dmcub.bin
+lib/firmware/amdgpu/gc_11_0_3_imu.bin
+lib/firmware/amdgpu/gc_11_0_3_me.bin
+lib/firmware/amdgpu/gc_11_0_3_mec.bin
+lib/firmware/amdgpu/gc_11_0_3_mes1.bin
+lib/firmware/amdgpu/gc_11_0_3_mes_2.bin
+lib/firmware/amdgpu/gc_11_0_3_pfp.bin
+lib/firmware/amdgpu/gc_11_0_3_rlc.bin
+lib/firmware/amdgpu/green_sardine_vcn.bin
+lib/firmware/amdgpu/picasso_vcn.bin
+lib/firmware/amdgpu/psp_13_0_10_sos.bin
+lib/firmware/amdgpu/psp_13_0_10_ta.bin
+lib/firmware/amdgpu/raven2_vcn.bin
+lib/firmware/amdgpu/raven_vcn.bin
+lib/firmware/amdgpu/renoir_vcn.bin
+lib/firmware/amdgpu/sdma_6_0_3.bin
+lib/firmware/amdgpu/smu_13_0_10.bin
+lib/firmware/amdgpu/vcn_4_0_0.bin
+lib/firmware/amdgpu/yellow_carp_dmcub.bin
+lib/firmware/amd-ucode/microcode_amd_fam17h.bin
+lib/firmware/amd-ucode/microcode_amd_fam19h.bin
+lib/firmware/i915/adlp_dmc.bin
+lib/firmware/i915/dg2_guc_70.bin
+lib/firmware/i915/mtl_dmc.bin
+lib/firmware/i915/mtl_guc_70.bin
+lib/firmware/i915/mtl_huc_gsc.bin
+lib/firmware/intel/ibt-0040-0041.sfi
+lib/firmware/intel/ibt-0040-4150.sfi
+lib/firmware/intel/ibt-0041-0041.sfi
+lib/firmware/intel/ibt-1040-0041.sfi
+lib/firmware/intel/ibt-1040-4150.sfi
+lib/firmware/intel/ibt-19-0-0.sfi
+lib/firmware/intel/ibt-19-0-1.sfi
+lib/firmware/intel/ibt-19-0-4.sfi
+lib/firmware/intel/ibt-19-16-4.sfi
+lib/firmware/intel/ibt-19-240-1.sfi
+lib/firmware/intel/ibt-19-240-4.sfi
+lib/firmware/intel/ibt-19-32-0.sfi
+lib/firmware/intel/ibt-19-32-1.sfi
+lib/firmware/intel/ibt-19-32-4.sfi
+lib/firmware/intel/ibt-20-0-3.sfi
+lib/firmware/intel/ibt-20-1-3.sfi
+lib/firmware/intel/ibt-20-1-4.sfi
+lib/firmware/intel/ice/ddp-lag
+lib/firmware/iwlwifi-cc-a0-77.ucode
+lib/firmware/iwlwifi-Qu-b0-hr-b0-77.ucode
+lib/firmware/iwlwifi-Qu-b0-jf-b0-77.ucode
+lib/firmware/iwlwifi-Qu-c0-hr-b0-77.ucode
+lib/firmware/iwlwifi-Qu-c0-jf-b0-77.ucode
+lib/firmware/iwlwifi-QuZ-a0-hr-b0-77.ucode
+lib/firmware/iwlwifi-so-a0-gf4-a0-83.ucode
+lib/firmware/iwlwifi-so-a0-gf4-a0.pnvm
+lib/firmware/iwlwifi-so-a0-gf-a0-83.ucode
+lib/firmware/iwlwifi-so-a0-gf-a0.pnvm
+lib/firmware/iwlwifi-ty-a0-gf-a0-83.ucode
+lib/firmware/iwlwifi-ty-a0-gf-a0.pnvm
+lib/firmware/mediatek/BT_RAM_CODE_MT7922_1_1_hdr.bin
+lib/firmware/mediatek/mt8195/scp.img
+lib/firmware/mediatek/WIFI_MT7922_patch_mcu_1_1_hdr.bin
+lib/firmware/mediatek/WIFI_RAM_CODE_MT7922_1.bin
+lib/firmware/nxp/sr150_fw.bin
+lib/firmware/rtw89/rtw8851b_fw.bin
+lib/firmware/wfx/wfm_wf200_C0.sec

config/rootfiles/core/178/filelists/x86_64/intel-microcode

@@ -0,0 +1 @@
+../../../../common/x86_64/intel-microcode

config/rootfiles/core/178/update.sh

@@ -0,0 +1,149 @@
+#!/bin/bash
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 3 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2023 IPFire-Team <info@ipfire.org>.                        #
+#                                                                          #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+/usr/local/bin/backupctrl exclude >/dev/null 2>&1
+
+core=178
+
+exit_with_error() {
+    # Set last succesfull installed core.
+    echo $(($core-1)) > /opt/pakfire/db/core/mine
+    # force fsck at next boot, this may fix free space on xfs
+    touch /forcefsck
+    # don't start pakfire again at error
+    killall -KILL pak_update
+    /usr/bin/logger -p syslog.emerg -t ipfire \
+	"core-update-${core}: $1"
+    exit $2
+}
+
+
+# Remove old core updates from pakfire cache to save space...
+for (( i=1; i<=$core; i++ )); do
+	rm -f /var/cache/pakfire/core-upgrade-*-$i.ipfire
+done
+
+# Stop services
+/etc/rc.d/init.d/squid stop
+
+KVER="xxxKVERxxx"
+
+# Backup uEnv.txt if exist
+if [ -e /boot/uEnv.txt ]; then
+    cp -vf /boot/uEnv.txt /boot/uEnv.txt.org
+fi
+
+# Do some sanity checks prior to the kernel update
+case $(uname -r) in
+    *-ipfire*)
+	# Ok.
+	;;
+    *)
+	exit_with_error "ERROR cannot update. No IPFire Kernel." 1
+	;;
+esac
+
+# Check diskspace on root
+ROOTSPACE=$( df / -Pk | sed "s| * | |g" | cut -d" " -f4 | tail -n 1 )
+
+if [ $ROOTSPACE -lt 100000 ]; then
+    exit_with_error "ERROR cannot update because not enough free space on root." 2
+    exit 2
+fi
+
+# Remove the old kernel
+rm -rvf \
+	/boot/System.map-* \
+	/boot/config-* \
+	/boot/ipfirerd-* \
+	/boot/initramfs-* \
+	/boot/vmlinuz-* \
+	/boot/uImage-* \
+	/boot/zImage-* \
+	/boot/uInit-* \
+	/boot/dtb-* \
+	/lib/modules
+
+# Extract files
+extract_files
+
+# Remove files
+#rm -rvf \
+
+# update linker config
+ldconfig
+
+# Update Language cache
+/usr/local/bin/update-lang-cache
+
+# Filesytem cleanup
+/usr/local/bin/filesystem-cleanup
+
+# Start services
+/etc/init.d/sshd restart
+/etc/init.d/unbound reload
+if [ -f /var/ipfire/proxy/enable ]; then
+	/etc/init.d/squid start
+fi
+
+# Rebuild initial ramdisks
+dracut --regenerate-all --force
+KVER="xxxKVERxxx"
+case "$(uname -m)" in
+	aarch64)
+		mkimage -A arm64 -T ramdisk -C lzma -d /boot/initramfs-${KVER}-ipfire.img /boot/uInit-${KVER}-ipfire
+		# dont remove initramfs because grub need this to boot.
+		;;
+esac
+
+# remove lm_sensor config after collectd was started
+# to re-search sensors at next boot with updated kernel
+rm -f  /etc/sysconfig/lm_sensors
+
+# Upadate Kernel version in uEnv.txt
+if [ -e /boot/uEnv.txt ]; then
+    sed -i -e "s/KVER=.*/KVER=${KVER}/g" /boot/uEnv.txt
+fi
+
+# Call user update script (needed for some ARM boards)
+if [ -e /boot/pakfire-kernel-update ]; then
+    /boot/pakfire-kernel-update ${KVER}
+fi
+
+# This update needs a reboot...
+touch /var/run/need_reboot
+
+# Finish
+/etc/init.d/fireinfo start
+sendprofile
+
+# Update grub config to display new core version
+if [ -e /boot/grub/grub.cfg ]; then
+	grub-mkconfig -o /boot/grub/grub.cfg
+fi
+
+sync
+
+# Don't report the exitcode last command
+exit 0

config/rootfiles/oldcore/177/exclude

@@ -0,0 +1,35 @@
+boot/config.txt
+boot/grub/grub.cfg
+boot/grub/grubenv
+boot/uEnv.txt
+etc/alternatives
+etc/collectd.custom
+etc/default/grub
+etc/ipsec.conf
+etc/ipsec.secrets
+etc/ipsec.user.conf
+etc/ipsec.user.secrets
+etc/localtime
+etc/shadow
+etc/snort/snort.conf
+etc/ssl/openssl.cnf
+etc/sudoers
+etc/sysconfig/firewall.local
+etc/sysconfig/rc.local
+etc/udev/rules.d/30-persistent-network.rules
+srv/web/ipfire/html/proxy.pac
+var/ipfire/dma
+var/ipfire/time
+var/ipfire/firewall/locationblock
+var/ipfire/fwhosts/customlocationgrp
+var/ipfire/ovpn
+var/ipfire/urlfilter/blacklist
+var/ipfire/urlfilter/settings
+var/lib/alternatives
+var/lib/location/database.db
+var/lib/location/ipset
+var/log/cache
+var/log/dhcpcd.log
+var/log/messages
+var/state/dhcp/dhcpd.leases
+var/updatecache

config/rootfiles/oldcore/177/filelists/aarch64/linux

@@ -0,0 +1 @@
+../../../../common/aarch64/linux

config/rootfiles/oldcore/177/filelists/aarch64/u-boot-mkimage

@@ -0,0 +1 @@
+../../../../common/aarch64/u-boot-mkimage

config/rootfiles/oldcore/177/filelists/core-files

@@ -0,0 +1,5 @@
+etc/system-release
+etc/issue
+etc/os-release
+srv/web/ipfire/cgi-bin/credits.cgi
+var/ipfire/langs

config/rootfiles/oldcore/177/filelists/x86_64/linux

@@ -0,0 +1 @@
+../../../../common/x86_64/linux

make.sh

@@ -23,7 +23,7 @@ NAME="IPFire"							# Software name
 SNAME="ipfire"							# Short name
 # If you update the version don't forget to update backupiso and add it to core update
 VERSION="2.27"							# Version number
-CORE="177"							# Core Level (Filename)
+CORE="178"							# Core Level (Filename)
 SLOGAN="www.ipfire.org"						# Software slogan
 CONFIG_ROOT=/var/ipfire						# Configuration rootdir
 MAX_RETRIES=1							# prefetch/check loop