iucode-tool is a system administration tool to manipulate Intel® X86 and X86-64 processor microcode update collections. It is tailored to help Linux distros do Intel microcode update release management.
iucode-tool cannot change either the microcode itself (the opaque data that is sent unmodified to the system processor to perform the microcode update) or the microcode update container (a documented wrapper with metadata about the microcode update). It lets one create new collections of microcode update containers, by selecting which microcode update containers should be copied unmodified from the microcode data files published by Intel.
It can also display the contents of microcode update collections, in order to help the Linux distro maintainer keep track of the microcode updates available for each Intel processor, for release management purposes.
This release management is necessary to avoid microcode patch level regressions when updating the stable or long-term-service releases of a Linux distro. Intel removes microcode updates for very old end-of-line processors from the public distribution. When a Linux distro blindly propagates such updates to its stable branches, it potentially regresses the microcode for some of its users.
iucode-tool was initially written for internal use by the Debian GNU/Linux distro; however, it is maintained with clear separation between upstream code and Debian-specific details and packaging, so it is appropriate for use by any Linux distro.
The release tarballs for iucode-tool, as well as all git tags and git commits in the repository, are signed by subkeys of the maintainer's GnuPG main key (RSA, 4096 bits):
Key ID (full fingerprint) = 0xC467A717507BBAFED3C160920BD9E81139CB4807
General instructions about how to use GnuPG to validate signatures can be found in the GnuPG pages.
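Because releases are signed by subkeys, a verification script should compare the primary key fingerprint that gpg reports, not the signing subkey, against the fingerprint above. The following is an added example, not part of the iucode-tool project: the function names and sample status lines are constructed for illustration, the file names are supplied by the caller, and the maintainer's public key is assumed to be in the local keyring already.

```shell
#!/bin/sh
# Added example: accept a signature only if gpg reports it good AND it chains
# to the primary key fingerprint published on this page.
EXPECTED_FPR="C467A717507BBAFED3C160920BD9E81139CB4807"

# Reads `gpg --status-fd` lines on stdin; exit 0 only for a good, pinned signature.
# VALIDSIG fields: $3 = signing (sub)key fingerprint, $12 = primary key fingerprint.
status_is_pinned() {
    awk -v want="$EXPECTED_FPR" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good = 1 }   # not emitted for expired or revoked keys
        $2 == "VALIDSIG" && NF >= 12 && $12 == want { pinned = 1 }
        END { exit !(good && pinned) }
    '
}

# $1 = detached signature file, $2 = signed file (both chosen by the caller).
# Assumes the maintainer public key has already been imported.
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_is_pinned
}

# Constructed status output for illustration; both 40-digit values are made up.
SUBKEY="1111111111111111111111111111111111111111"
OTHER="2222222222222222222222222222222222222222"
valid_line() {
    echo "[GNUPG:] VALIDSIG $SUBKEY 2024-01-01 1704067200 0 4 0 1 10 00 $1"
}
SAMPLE_GOOD="[GNUPG:] GOODSIG 1111111111111111 Constructed Signer
$(valid_line "$EXPECTED_FPR")"
SAMPLE_OTHER_KEY="[GNUPG:] GOODSIG 1111111111111111 Constructed Signer
$(valid_line "$OTHER")"
SAMPLE_EXPIRED="[GNUPG:] EXPKEYSIG 1111111111111111 Constructed Signer
$(valid_line "$EXPECTED_FPR")"

# Run as: sh this-script <signature-file> <signed-file>
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2" && echo "signature OK, primary key matches"
fi
```

A cryptographically valid signature from any other key in the keyring is rejected, as is one made by an expired key, because both the GOODSIG status and the fingerprint match are required.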
External contributions as code change requests ("pull requests"), bug reports and feature requests are welcome. Please use the lightweight issue tracker, or directly email the maintainer.
iucode_tool is not particularly security-sensitive, but if you need to contact me about a security issue that should not be made public before a fix is deployed, you have two options:
Direct encrypted email (gnupg key id/fingerprint 0xC467A717507BBAFED3C160920BD9E81139CB4807);
Alternatively, please contact the Debian security team. They will forward the issue to me, and they can independently coordinate with vendor-sec and the other Linux distros as required.
Use by other Linux distributions
Downstream maintainers of Linux distributions that decide to use iucode-tool are asked to send an e-mail to the iucode-tool maintainer, introducing themselves, as there is no specific iucode-tool mailing list at this time.
Currently, iucode-tool is available* on several Linux distros, such as:
* iucode-tool might not be present in the stable releases of some of these distros yet.
Either the fully-featured Debian bug tracking system, or the lightweight GitLab issue tracker can be used to report bugs and request new features for iucode-tool.
When using the Debian bug tracking system for upstream iucode-tool bugs and feature requests, please tag such bug reports with the upstream tag. Distro-specific bugs should be tracked on the distro's bug tracking system.
The Debian bug tracking system (BTS) uses an e-mail based interface to submit and manipulate bug reports. Instructions are available at: Debian BTS.