Microcode

Resources

Article status

This article has some todo items:

Mention that recommended way to load microcode is using sys-firmware/intel-microcode[initramfs] or sys-kernel/linux-firmware[initramfs]

CPU microcode is a form of firmware that controls the processor's internals. This document describes various ways to update a CPU's microcode in Gentoo.

In modern x86 processors, the microcode often handles execution of complex and highly specialized instructions. Parts of the microcode also act as firmware for the processor's embedded controllers, and it is even used to fix or to mitigate processor design/implementation errata/bugs. Given the complexity of modern processors, a CPU may have over a hundred such errata^[1].

Recent processors have the ability to patch their microcode via microcode updates. Active microcode updates are stored in volatile memory and thus have to be applied during each system boot.

A BIOS/EFI can perform a microcode update early in the boot process. This kind of microcode update is provided by BIOS/EFI and thus their version depends on the installed BIOS/EFI version. BIOS/EFI firmware can be upgraded via a BIOS update, but the shipped microcode version depends on motherboard/BIOS vendor.

The kernel itself can also perform a microcode update^[2] from firmware binary blobs, during boot. This way allows patching the microcode with a newer update than the one provided by the BIOS/EFI.

Note
Severity of processor errata patched by microcode updates varies. The issues concerned range from extremely rare system instabilities, to data corruption, or severe hardware vulnerabilities^[3].

Because Gentoo is about customization there is a choice of ways to update a CPU's microcode. Please choose the workflow which best suits the affected system.

Preconditions

Ensure the correct package to provide microcode updates for the current processor is installed: sys-kernel/linux-firmware and/or sys-firmware/intel-microcode.

It may be necessary to tell Portage to accept the relevant license before installing these packages:

root #echo "sys-kernel/linux-firmware @BINARY-REDISTRIBUTABLE" >> /etc/portage/package.license

Install sys-kernel/linux-firmware and/or sys-firmware/intel-microcode:

root #emerge --ask sys-kernel/linux-firmware sys-firmware/intel-microcode

The only way to load this microcode into the CPU is through the kernel, so the necessary kernel options must be enabled. Depending on the make of the CPU installed on the system, choose AMD or Intel microcode loading support (it does not hurt to choose both):

KERNEL Configuring a kernel to support microcode loading

Processor type and features --->
   [*] CPU microcode loading support
   [*]   Intel microcode loading support
   [*]   AMD microcode loading support

Dracut

Note
Todo: Explain instructions.

Dracut is an initramfs infrastructure, it can be used to load microcode at boot.

root #dracut --early-microcode

FILE /etc/dracut.conf.d/microcode.conf

early_microcode="yes"

Genkernel

Once the correct microcode packages and genkernel are installed, call genkernel with the --microcode option:

root #genkernel --microcode

To generate a new initramfs with microcode included, call:

root #genkernel --microcode initramfs

Be sure to instruct the bootloader to load the newly generated initramfs.

It is recommended that genkernel.conf be updated to contain the following code, in order to avoid passing --microcode parameter each time on the command-line:

FILE /etc/genkernel.conf

# Add in early microcode support: this sets the kernel options for early microcode loading
# Possible values: empty/"no", "all", "intel", "amd"
MICROCODE="all"

The manual way

Early microcode loading

For early microcode leading, microcode is provided as the first initramfs (aka initrd, in cpio format) to the kernel during boot. Grub (both legacy and grub2) permits specifying multiple cpio images separated by space in the initrd command.

GRUB2 supports loading an early microcode. If the microcode file is named after one of the following: intel-uc.img, intel-ucode.img, amd-uc.img, amd-ucode.img, early_ucode.cpio, or microcode.cpio, it will be automatically detected when running grub-mkconfig. To declare a microcode file named differently, e.g. ucode.cpio, add this line to /etc/default/grub:

FILE /etc/default/grub

GRUB_EARLY_INITRD_LINUX_CUSTOM="ucode.cpio"

Regenerate the grub.cfg with:

root #grub-mkconfig -o /boot/grub/grub.cfg

Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.6.3-gentoo
Found initrd image: /boot/early_ucode.cpio /initramfs-genkernel-x86_64-4.6.3-gentoo
done

The output above is similar to what should be seen, minus the initramfs if one is not used by the system, when microcode is loaded through GRUB.

Late microcode loading

To manually instruct the kernel to reload microcodes, do

root #echo 1 > /sys/devices/system/cpu/microcode/reload

and watch dmesg for any errors. This loading mechanism looks for microcode blobs in /lib/firmware/{intel-ucode,amd-ucode}.

Note
Run the command above after every reboot or firmware package update.

Specifics

AMD specifics

AMD microcodes are bundled in the sys-kernel/linux-firmware package. A more lengthy guide is found in the AMD microcode article.

Intel specifics

Intel microcodes are bundled in the sys-firmware/intel-microcode package. Detailed instructions can be found in the Intel microcode article.

External resources

Reverse Engineering x86 Processor Microcode Paper describing microcode in common x86 processors.

References

↑ 6th Generation Intel® Processor Family, Intel. Retrieved on October 24, 2018
↑ Fenghua Yu, Borislav Petkov, The Linux Microcode Loader, kernel.org. Retrieved on October 24, 2018
↑ Microcode Revision Guidance, Intel. Retrieved on October 24, 2018

[1] 6th Generation Intel® Processor Family, Intel. Retrieved on October 24, 2018

[2] Fenghua Yu, Borislav Petkov, The Linux Microcode Loader, kernel.org. Retrieved on October 24, 2018

[3] Microcode Revision Guidance, Intel. Retrieved on October 24, 2018

[1]

[2]

[3]