Microcode

Processor manufacturers release stability and security updates to the processor microcode. These updates provide bug fixes that can be critical to the stability of your system. Without them, you may experience spurious crashes or unexpected system halts that can be difficult to track down.

All users with an AMD or Intel CPU should install the microcode updates to ensure system stability.

Loading microcode

Microcode updates are usually shipped with the motherboard's firmware and applied during firmware initialization. Since OEMs might not release firmware updates in a timely fashion and old systems do not get new firmware updates at all, the ability to apply CPU microcode updates during boot was added to the Linux kernel. The Linux microcode loader supports three loading methods:

  1. Built-in microcode can be compiled into the kernel and then applied by the early loader.
  2. Early loading updates the microcode very early during boot, before the initramfs stage, and is preferred over late loading. This is mandatory for CPUs with severe hardware bugs, like the Intel Haswell and Broadwell processor families.
  3. Late loading (dangerous) updates the microcode after booting which could be too late since the CPU might have already tried to use a bugged instruction set. Even if already using early loading, late loading can still be used to apply a newer microcode update without needing to reboot.

To acquire updated microcode, depending on the processor, install one of the following packages:

Microcode built in the initramfs

One can prepend the microcode cpio into the initramfs. Some initramfs generators, like dracut (see dracut.conf(5) §DESCRIPTION), do this by default. This makes #Early loading and #Late loading unnecessary. However, Arch Linux defaults to using mkinitcpio to generate its initial ramdisk (initramfs), which does not support this. It does, however, support loading the microcode via a UEFI stub: see #Unified kernel images.

Early loading

If not compiled into the kernel, microcode must be loaded by the early loader. It can be passed to the loader as part of a unified kernel image, or as an initrd image by your boot loader.

Note that because of the wide variability in users' early-boot configuration, microcode updates may not be triggered automatically by Arch's default configuration.

Unified kernel images

See Unified kernel images for guidance on how to include microcode in single-file images.

Initrd images

Microcode updates must otherwise be enabled by adding /boot/amd-ucode.img or /boot/intel-ucode.img as the first initrd in the bootloader configuration file. This is before the normal initrd file. See below for instructions for common bootloaders.

In the following sections replace cpu_manufacturer with your CPU manufacturer, i.e. amd or intel.

Tip: For Arch Linux on a removable drive, which could be run on any of these processors, install both packages and add both microcode files as initrd to the boot loader configuration. Their order does not matter as long as they both are specified before the initramfs image.
Enabling early microcode loading in custom kernels

In order for early loading to work in custom kernels, "CPU microcode loading support" needs to be compiled into the kernel, not compiled as a module. This will enable the "Early load microcode" prompt which should be set to Y.

CONFIG_BLK_DEV_INITRD=Y
CONFIG_MICROCODE=y
CONFIG_MICROCODE_INTEL=Y
CONFIG_MICROCODE_AMD=y
GRUB

grub-mkconfig will automatically detect the microcode update and configure GRUB appropriately. After installing the microcode package, regenerate the GRUB configuration to activate loading the microcode update by running:

# grub-mkconfig -o /boot/grub/grub.cfg

Alternatively, users that manage their GRUB configuration file manually can add (or if is a separate partition) as follows:

Repeat it for each menu entry.

systemd-boot

Use the initrd option to load the microcode, before the initial ramdisk, as follows:

/boot/loader/entries/''entry''.conf
title   Arch Linux
linux   /vmlinuz-linux
'''initrd  /''cpu_manufacturer''-ucode.img'''
initrd  /initramfs-linux.img
...

The latest microcode must be available at boot time in your EFI system partition (ESP). The ESP must be mounted as in order to have the microcode updated every time amd-ucode or intel-ucode is updated. Otherwise, copy to your ESP at every update of the microcode package.

EFISTUB

Append two options:

initrd=\cpu_manufacturer-ucode.img initrd=\initramfs-linux.img
rEFInd

Edit boot options in and add (or initrd=cpu_manufacturer-ucode.img if is a separate partition) as the first initramfs. For example:

"Boot using default options"     "root=PARTUUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX rw add_efi_memmap initrd=boot\cpu_manufacturer-ucode.img initrd=boot\initramfs-%v.img"

Users employing manual stanzas in to define the kernels should simply add (or initrd=cpu_manufacturer-ucode.img if is a separate partition) as required to the options line, and not in the main part of the stanza. E.g.:

options  "root=PARTUUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX rw add_efi_memmap initrd=boot\cpu_manufacturer-ucode.img"
Syslinux

Multiple initrd's can be separated by commas in :

LABEL arch
    MENU LABEL Arch Linux
    LINUX ../vmlinuz-linux
    INITRD ../cpu_manufacturer-ucode.img,../initramfs-linux.img
...
LILO

LILO and potentially other old bootloaders do not support multiple initrd images. In that case, and will have to be merged into one image.

Warning: The merged image must be recreated after each kernel update!

To merge both images into one image named , the following command can be used:

# cat /boot/cpu_manufacturer-ucode.img /boot/initramfs-linux.img > /boot/initramfs-merged.img

Now, edit to load the new image.

...
initrd=/boot/initramfs-merged.img
...

And run as root:

# lilo

Late loading

Late loading of microcode updates happens after the system has booted. It uses files in and . On Linux 5.19+ late loading requires the kernel to be built with .

For AMD processors the microcode update files are provided by linux-firmware.

For Intel processors no package provides the microcode update files (FS#59841). To use late loading you need to manually extract from Intel's provided archive.

Enabling late microcode updates

Unlike early loading, late loading of microcode updates on Arch Linux are enabled by default using . After boot the file gets parsed by and CPU microcode gets updated.

To manually reload the microcode, e.g. after updating the microcode files in or , run:

# echo 1 > /sys/devices/system/cpu/microcode/reload

This allows to apply newer microcode updates without rebooting the system.

Disabling late microcode updates

For AMD systems the CPU microcode will get updated even if amd-ucode is not installed since the files in are provided by the linux-firmware package ().

For virtual machines and containers () it is not possible to update the CPU microcode, so you may want to disable microcode updates.

To disable the dangerous late microcode updates, override the tmpfile that is provided by linux-firmware. It can be done by creating a file with the same filename in :

# ln -s /dev/null /etc/tmpfiles.d/linux-firmware.conf

Verifying that microcode got updated on boot

Check the kernel messages with journalctl to see if the microcode has been updated:

# journalctl -k --grep=microcode

On Intel systems one should see something similar to the following on every boot, indicating that microcode is updated very early on:

microcode: microcode updated early to revision 0xde, date = 2020-05-18
microcode: sig=0x806ec, pf=0x80, revision=0xde
microcode: Microcode Update Driver: v2.2.

It is entirely possible, particularly with newer hardware, that there is no microcode update for the CPU. In that case, the output may look like this:

microcode: sig=0x806ec, pf=0x80, revision=0xde
microcode: Microcode Update Driver: v2.2.

On AMD systems using early loading the output would look something like this:

microcode: microcode updated early to new patch_level=0x0700010f
microcode: CPU0: patch_level=0x0700010f
microcode: CPU1: patch_level=0x0700010f
microcode: CPU2: patch_level=0x0700010f
microcode: CPU3: patch_level=0x0700010f
microcode: Microcode Update Driver: v2.2.

On AMD systems using late loading the output will show the version of the old microcode before reloading the microcode and the new one once it is reloaded. It would look something like this:

microcode: CPU0: patch_level=0x0700010b
microcode: CPU1: patch_level=0x0700010b
microcode: CPU2: patch_level=0x0700010b
microcode: CPU3: patch_level=0x0700010b
microcode: Microcode Update Driver: v2.2.
microcode: CPU2: new patch_level=0x0700010f
microcode: CPU0: new patch_level=0x0700010f
microcode: CPU1: new patch_level=0x0700010f
microcode: CPU3: new patch_level=0x0700010f
x86/CPU: CPU features have changed after loading microcode, but might not take effect.

Which CPUs accept microcode updates

Users may consult either Intel own website or Gentoo's wiki on AMD at the following links to see if a particular model is supported:

Detecting available microcode update

It is possible to find out if the contains a microcode image for the running CPU with iucode-tool.

  1. Install intel-ucode (changing initrd is not required for detection)
  2. Install iucode-tool
  3. Load the cpuid kernel module:
  4. Extract microcode image and search it for your cpuid:
  5. If an update is available, it should show up below selected microcodes
  6. The microcode might already be in your vendor bios and not show up loading in dmesg. Compare to the current microcode running
gollark: PotatOS may need major reworks soon™ as I found a somewhat wide ranging possible sandbox escape regarding provided APIs.
gollark: I mostly just rewrite stuff by components, it's much easier.
gollark: Why even rewrite then?
gollark: There's one known in-the-wild exploit, another alleged one, and one hypothetical one I thought of when working on some other components.
gollark: It might not, really, assuming I do most things the same.

See also

This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.