Microcode

CPU microcode is a form of firmware that controls the processor's internals. This document describes various ways to update a CPU's microcode in Gentoo.

In modern x86 processors, the microcode often handles execution of complex and highly specialized instructions. Parts of the microcode also act as firmware for the processor's embedded controllers, and it is even used to fix or to mitigate processor design/implementation errata/bugs. Given the complexity of modern processors, a CPU may have over a hundred such errata.

Microcode updates
Recent processors have the ability to patch their microcode via microcode updates. Active microcode updates are stored in volatile memory and thus have to be applied during each system boot.

The system firmware can perform a microcode update early in the boot process. This kind of microcode update is provided by the system manufacturer in the firmware, on x86 by the BIOS or UEFI. Since the system firmware can be upgraded like most firmware via a BIOS update, the shipped microcode version depends on the motherboard and/or system firmware vendor.

Only on x86, the kernel itself can also perform a microcode update from firmware binary blobs during boot. Common use cases are e.g. when the vendor of a system (or mainboard) does not supply firmware updates (BIOS updates, which include microcode updates) in a timely manner, when it is preferred to stay on an older version of the system firmware (BIOS, UEFI) for some reason, or when a system is out of warranty and does not receive further updates for the BIOS or its successor UEFI. In any case, the kernel microcode update facility allows patching the CPU's microcode, provided microcode firmware files are made available for the specific CPU by its manufacturer, Intel or AMD. When out of warranty (i.e. too old), Intel and AMD may also stop providing microcode updates for the specific CPU, resulting in newly discovered bugs no longer being fixed and security issues not fully mitigated.

Because Gentoo is about customization, there is a choice of ways to update a CPU's microcode. Please choose the workflow which best suits the affected system.

Kernel configuration
Ensure the correct package to provide microcode updates for the current processor is installed: and/or.

The only way to load this microcode into the CPU is through the kernel, so the necessary kernel options must be enabled. Depending on the make of the CPU installed on the system, choose AMD or Intel microcode loading support (it does not hurt to choose both):

Depending on the method used to supply the microcode firmware files, it will also be necessary to enable initrd support.

Microcode firmware blobs
It may be necessary to tell Portage to accept the relevant license before installing these packages:

Install (which includes, among others, AMD x86 microcode) and/or  (for Intel x86 microcode):

Dracut
Dracut is an initramfs infrastructure; it can be used to load microcode at boot.

Genkernel
Once the correct microcode packages and genkernel are installed, call with the   option:

To generate a new initramfs with microcode included, call:

Be sure to instruct the bootloader to load the newly generated initramfs.

It is recommended that be updated to contain the following code, in order to avoid passing   parameter each time on the command-line:

Manual initramfs creation (AMD)
Using this method, the microcode is built into (an additional) initrd. This way the microcode is kept separate from both the kernel and the main initramfs/initrd, and therefore can be updated without recompiling either.

In any case the system will require a reboot to apply updated microcode files.

Create the specified directory and into it. It might be a different dir than. The part is important.

Concatenate the AMD firmware files into a single file. The path and filename of the output file must not be altered.

Create a archive in  using  from :

The initrd/initramfs kernel option must be enabled. Genkernel may be used to automatically copy relevant microcode into the initrd. This also requires the  USE flag for the relevant  or  package.

Early microcode loading
For early microcode loading, microcode is provided as the first initramfs (aka initrd, in cpio format) to the kernel during boot. GRUB (both legacy and GRUB2) permits specifying multiple cpio images separated by spaces in the initrd command.

GRUB2 supports loading an early microcode. If the microcode file is named after one of the following:, , , , , or , it will be automatically detected when running. To declare a microcode file named differently, e.g. ucode.cpio, add this line to :

Regenerate the with:

The output above is similar to what should be seen, minus the initramfs if one is not used by the system, when microcode is loaded through GRUB.
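To confirm after the reboot that the update took effect on every core, the revision the kernel reports can be checked. The following is an added example, not part of the original article: it reads the `microcode` field of `/proc/cpuinfo` on x86, and the function names and sample revisions are illustrative assumptions.

```shell
#!/bin/sh
# Added example: check that every logical CPU reports the same microcode
# revision and that it is not older than an expected minimum.
# Function names and the sample revisions are constructed for illustration.

# List the distinct microcode revisions in a cpuinfo-format file.
ucode_revisions() {
    awk -F': *' '/^microcode[ \t]*:/ { print $2 }' "${1:-/proc/cpuinfo}" | sort -u
}

# Accept only 0x-prefixed hex so the value is safe to use in arithmetic.
is_hex_rev() {
    case "$1" in 0x?*) ;; *) return 1 ;; esac
    case "${1#0x}" in *[!0-9a-fA-F]*) return 1 ;; esac
}

# ucode_check MIN [FILE]
#   0 = one revision on all CPUs and it is >= MIN
#   1 = mixed revisions across CPUs (update not applied to every core)
#   2 = revision older than MIN (update not loaded, or stale blob)
#   3 = no usable value (no microcode field, e.g. non-x86, or bad MIN)
ucode_check() {
    min=$1
    is_hex_rev "$min" || return 3
    revs=$(ucode_revisions "${2:-/proc/cpuinfo}")
    [ -n "$revs" ] || return 3
    n=$(printf '%s\n' "$revs" | grep -c .)
    [ "$n" -eq 1 ] || return 1
    is_hex_rev "$revs" || return 3
    [ $(( $revs )) -ge $(( $min )) ] || return 2
    return 0
}

# Constructed two-CPU sample in /proc/cpuinfo layout, for offline testing.
# Usage: sample_cpuinfo REV_CPU0 REV_CPU1 > file
sample_cpuinfo() {
    printf 'processor\t: 0\nmodel name\t: Example CPU\nmicrocode\t: %s\n\n' "$1"
    printf 'processor\t: 1\nmodel name\t: Example CPU\nmicrocode\t: %s\n\n' "$2"
}

# On a live system: ucode_check 0x<expected-minimum> ; echo "status: $?"
```

A status of 1 or 2 after a reboot means the bootloader is not passing the microcode image, or the image does not contain a blob for this CPU.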

Late microcode loading
To manually instruct the kernel to reload the microcode, run:

Be sure to watch for any errors. This loading mechanism looks for microcode blobs in the location.

With kernel version 6.1, late microcode loading is no longer possible because it is now disabled by default. If needed, it must be enabled in the kernel configuration; doing so is not recommended.

Specifics


AMD specifics
AMD microcodes are bundled in the package. A more lengthy guide is found in the AMD microcode article.

Intel specifics
Intel microcodes are bundled in the package. Detailed instructions can be found in the Intel microcode article.

External resources

 * Reverse Engineering x86 Processor Microcode: paper describing microcode in common x86 processors.