CPU Microcode
Processor manufacturers release stability and security updates to the processor microcode. While microcode is usually updated through the BIOS, not all vendors will release timely updates for their firmware, and most users don't update their system firmware in a timely fashion (or at all) anyway. The Linux kernel is also able to apply these updates during boot. These updates provide bug fixes that can be critical to the stability of your system. Without these updates, you may experience spurious crashes or unexpected system halts that can be difficult to track down.
Users of CPUs belonging to the Intel Haswell and Broadwell processor families in particular must install these microcode updates to ensure system stability but all users should install microcode updates as a matter of course. Use the inxi command to determine which CPU/family your system has.
[terry@xxxxx ~]$ inxi -xC
CPU: Quad core Intel Core i7-2600K (-HT-MCP-) arch: Sandy Bridge rev.7 cache: 8192 KB
flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx) bmips: 27290
clock speeds: max: 3800 MHz 1: 1600 MHz 2: 1599 MHz 3: 1599 MHz 4: 1599 MHz 5: 1601 MHz 6: 2050 MHz
7: 1606 MHz 8: 1677 MHz
Microcode updates can only be performed on real hardware, not from inside a VirtualBox or VMware machine
Microcode updates are lost after hard-reset or power off and so must be reapplied at every boot and after the system wakes up from suspend to RAM or to disk. The procedure outlined below explains how to use the early microcode update driver in the kernel to apply microcode updates on each system boot.
Contents
Creating the early microcode file
This section details the procedures for creating the early microcode initrd image for the bootloader to pass to the kernel. The procedure is different depending on whether it is for an Intel or AMD processor.
Intel processors
The actual microcode update files are included in the kernel-firmware-extra package. This package should be installed and kept up-to-date as part of the the normal Synaptic update process
To enable the microcode update, users should install the iucode-tool package and then use the following command in a root terminal to generate an initrd image which can be loaded by the bootloader to update the microcode.
[root@xxxx x86_64]# iucode_tool -S --write-earlyfw=/boot/early_ucode.img /lib/firmware/intel-ucode/*
iucode_tool: system has processor(s) with signature 0x000206a7
iucode_tool: Writing selected microcodes to: /boot/early_ucode.img
This will need to be repeated whenever new microcode issued.
The iucode_tool will not overwrite the target file so you should delete the existing file before running the command again.
AMD processors
The actual microcode update files are included in the kernel-firmware package. This package should be installed and kept up-to-date as part of the the normal Synaptic update process
To enable the microcode update, users should install the aucode-tool package and then use the following command in a root terminal to generate an initrd image which can be loaded by the bootloader to update the microcode.
[root@xxxx x86_64]# aucode-tool
AuthenticAMD
CPU family: 23
Microcode file: microcode_amd_fam17h.bin
Writing early_ucode image to /boot/early_ucode.img
15 blocks
This will need to be repeated whenever new microcode issued.
Enabling Microcode Updates
Microcode is loaded by the bootloader by adding /boot/early_ucode.img as the first initrd in the bootloader config file. This is in addition to the normal initrd file.
For grub-legacy it can be added to the initrd line in the config file /boot/grub/menu.lst
title linux kernel (hd0,6)/boot/vmlinuz BOOT_IMAGE=linux root=UUID=e9f56fb4-2348-41ae-94d3-b92f0ee541c8 root (hd0,6) initrd /boot/early_ucode.img /boot/initrd.img
Users of grub2 just need to run update-grub2 to generate the new config file:
[root@xxxxx x86_64]# update-grub2 Generating grub configuration file ... Found theme: /boot/grub2/themes/pclinuxos/theme.txt Found linux image: /boot/vmlinuz-4.8.12-pclos1 Found initrd image: /boot/early_ucode.img /boot/initrd-4.8.12-pclos1.img
Notice how the early_ucode.img has been added to the initrd line. If all looks good then reboot the system
Verifying that microcode got updated on boot
Use dmesg to check that the update has been applied successfully
[terry@xxxxx ~]$ dmesg | grep microcode
[ 0.000000] microcode: microcode updated early to revision 0x29, date = 2013-06-12
[ 0.890510] microcode: sig=0x206a7, pf=0x2, revision=0x29
[ 0.890752] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
The first line shows that the update has been applied.
Other useful commands
To see what version of microcode is currently running on the CPU:
[terry@xxxxx ~]$ grep -m 1 microcode /proc/cpuinfo microcode : 0x2d
For Intel processors
To see latest version available in kernel-firmware-extra package for your processor, first find the processor signature:
[terry@xxxxx ~]$ iucode_tool -S
iucode_tool: system has processor(s) with signature 0x000206a7
then use that signature to grep for the latest version available:
[terry@xxxxx ~]$ iucode_tool -L /lib/firmware/intel-ucode/ | grep 0x000206a7 074/001: sig 0x000206a7, pf_mask 0x12, 2018-02-07, rev 0x002d, size 12288
