Microcode

Resources

Article status

This article has some todo items:

Mention that recommended way to load microcode is using sys-firmware/intel-microcode[initramfs] or sys-kernel/linux-firmware[initramfs]

This document describes various ways how to update a CPU's microcode in Gentoo.

Introduction

The microcode is a form of firmware that controls the processor's internals. In modern x86 processors the microcode often handles execution of complex and highly specialized instructions. Parts of microcode also act as firmware for processor's embedded controllers. Furthermore, the microcode can be used to fix or mitigate processor design and implementation errata/bugs. Given the complexity of modern processors, a processor may have over one hundred of such errata^[1].

Recent processors have ability to patch their microcode via microcode updates. Microcode updates are stored in volatile memory and thus they have to be applied during each system boot.

A BIOS/EFI can perform a microcode update early in the boot process. This kind of microcode updates are provided by BIOS/EFI and thus their version depends on the installed BIOS/EFI version. BIOS/EFI firmware can be upgraded via a BIOS update but still, the shipped microcode version depends on motherboard/BIOS vendor.

The kernel itself can also perform a microcode update^[2] from given firmware binary blobs during boot. This way it is possible to patch the microcode with a newer microcode update than the one provided by the BIOS/EFI.

Note
Severity of processor errata patched by microcode updates varies. It ranges from an extremely rare system instability to data corruption or a severe hardware vulnerability^[3].

Because Gentoo is about choices there there is not one way to update a CPU's microcode. Please choose the workflow which best suits the affected system.

Preconditions

Ensure you have installed the package which is providing microcode updates for your processor. Install sys-kernel/linux-firmware and/or sys-firmware/intel-microcode:

root #emerge --ask sys-kernel/linux-firmware sys-firmware/intel-microcode

Any way to load microcode into the CPU must go through the kernel. Thus the respective options need to be enabled in the kernel configuration. Depending on the make of the CPU installed on the system, choose AMD or Intel microcode loading support (it does not hurt to choose both):

KERNEL Configuring a kernel to support microcode loading

Processor type and features --->
   [*] CPU microcode loading support
   [*]   Intel microcode loading support
   [*]   AMD microcode loading support

Dracut

root #dracut --early-microcode

FILE /etc/dracut.conf.d/microcode.conf

early_microcode="yes"

Genkernel

When using sys-kernel/genkernel, ensure the package containing microcode updates for the processor(s) have been installed (see below). Be sure to call genkernel with the --microcode option:

root #genkernel --microcode

To generate a new initramfs with microcode included, call:

root #genkernel --microcode initramfs

Be sure to instruct the bootloader to load the newly generated initramfs.

It is recommended genkernel.conf is updated to contains the following code:

FILE /etc/genkernel.conf

# Add in early microcode support: this sets the kernel options for early microcode loading
# Possible values: empty/"no", "all", "intel", "amd"
MICROCODE="all"

so that you don't need to remember to pass the --microcode parameter all the time.

Note
You need >=sys-kernel/genkernel-3.5.0.7 for microcode support.

The manual way

Early microcode loading

Basically you provide the microcode as the first initramfs (aka initrd, in cpio format) to the kernel during boot. Grub (both legacy and grub2) lets you specify multiple cpio images separated by space in the initrd command.

GRUB2 supports loading an early microcode. If the microcode file is named after one of the following: intel-uc.img, intel-ucode.img, amd-uc.img, amd-ucode.img, early_ucode.cpio, or microcode.cpio, it will be automatically detected when running grub-mkconfig. To declare a microcode file named differently, e.g. ucode.cpio, add this line to /etc/default/grub:

FILE /etc/default/grub

GRUB_EARLY_INITRD_LINUX_CUSTOM="ucode.cpio"

Regenerate the grub.cfg with:

root #grub-mkconfig -o /boot/grub/grub.cfg

Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.6.3-gentoo
Found initrd image: /boot/early_ucode.cpio /initramfs-genkernel-x86_64-4.6.3-gentoo
done

Note
This is similar to what you should see, minus the initramfs if you do not have one.

Late microcode loading

To manually instruct the kernel to reload microcodes, do

root #echo 1 > /sys/devices/system/cpu/microcode/reload

and watch dmesg for any errors. This loading mechanism looks for microcode blobs in /lib/firmware/{intel-ucode,amd-ucode}.

Note
You must run the command above after every reboot or firmware package update.

Specifics

AMD specifics

AMD microcodes are bundled in the sys-kernel/linux-firmware package. A more lengthy guide is found in the AMD microcode article.

Intel specifics

Intel microcodes are bundled in the sys-firmware/intel-microcode package. Detailed instructions can be found in the Intel microcode article.

External resources

Reverse Engineering x86 Processor Microcode Paper describing microcode in common x86 processors.

References

↑ 6th Generation Intel® Processor Family, Intel. Retrieved on October 24, 2018
↑ Fenghua Yu, Borislav Petkov, The Linux Microcode Loader, kernel.org. Retrieved on October 24, 2018
↑ Microcode Revision Guidance, Intel. Retrieved on October 24, 2018

[1] 6th Generation Intel® Processor Family, Intel. Retrieved on October 24, 2018

[2] Fenghua Yu, Borislav Petkov, The Linux Microcode Loader, kernel.org. Retrieved on October 24, 2018

[3] Microcode Revision Guidance, Intel. Retrieved on October 24, 2018

[1]

[2]

[3]