CPU Microcode

Processor manufacturers release stability and security updates to the processor microcode. While microcode is usually updated through the BIOS, not all vendors will release timely updates for their firmware, and most users don't update their system firmware in a timely fashion (or at all) anyway. The Linux kernel is also able to apply these updates during boot. These updates provide bug fixes that can be critical to the stability of your system. Without these updates, you may experience spurious crashes or unexpected system halts that can be difficult to track down.

Users of CPUs belonging to the Intel Haswell and Broadwell processor families in particular must install these microcode updates to ensure system stability but all Intel users should install microcode updates as a matter of course. Use the inxi command to determine which CPU/family your system has.

[terry@xxxxx ~]$ inxi -xC CPU:      Quad core Intel Core i7-2600K (-HT-MCP-) arch: Sandy Bridge rev.7  cache: 8192 KB            flags: (lm nx sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx) bmips: 27290 clock speeds: max: 3800 MHz 1: 1600 MHz 2: 1599 MHz 3: 1599 MHz 4: 1599 MHz 5: 1601 MHz 6: 2050 MHz 7: 1606 MHz 8: 1677 MHz

Microcode updates are lost after hard-reset or power off and so must be reapplied at every boot and after the system wakes up from suspend to RAM or to disk. The procedure outlined below explains how to use the early microcode update driver in the kernel to apply microcode updates on each system boot.

Installation
The actual microcode update files are included in the kernel-firmware-extra package. This package should be installed and kept up-to-date as part of the the normal Synaptic update process

To enable the microcode update, users should install iucode-tool package and then use the following command in a root terminal to generate an initrd image which can be loaded by the bootloader to update the microcode.

[root@xxxx x86_64]# iucode_tool -S --write-earlyfw=/boot/early_ucode.img /lib/firmware/intel-ucode/* iucode_tool: system has processor(s) with signature 0x000206a7 iucode_tool: Writing selected microcodes to: /boot/early_ucode.img

This will need to be repeated if new microcode issued. Note that iucode_tool will not overwrite the target file so you should delete the existing file before running the command again.

Enabling Microcode Updates
Microcode is loaded by the bootloader by adding /boot/early_ucode.img as the first initrd in the bootloader config file. This is in addition to the normal initrd file.

For grub-legacy it can be added to the initrd line in the config file /boot/grub/menu.lst

title linux kernel (hd0,6)/boot/vmlinuz BOOT_IMAGE=linux root=UUID=e9f56fb4-2348-41ae-94d3-b92f0ee541c8 root (hd0,6) initrd /boot/early_ucode.img /boot/initrd.img

Users of grub2 just need to run update-grub2 to generate the new config file:

[root@xxxxx x86_64]# update-grub2 Generating grub configuration file ... Found theme: /boot/grub2/themes/pclinuxos/theme.txt Found linux image: /boot/vmlinuz-4.8.12-pclos1 Found initrd image: /boot/early_ucode.img /boot/initrd-4.8.12-pclos1.img

Notice how the early_ucode.img has been added to the initrd line. If all looks good then reboot the system

Verifying that microcode got updated on boot
Use dmesg to check that the update has been applied successfully

[terry@xxxxx ~]$ dmesg | grep microcode [   0.000000] microcode: microcode updated early to revision 0x29, date = 2013-06-12 [   0.890510] microcode: sig=0x206a7, pf=0x2, revision=0x29 [   0.890752] microcode: Microcode Update Driver: v2.01 , Peter Oruba

The first line shows that the update has been applied.

Other useful commands
To see what version of microcode is currently running on the CPU:

[terry@xxxxx ~]$ grep -m 1 microcode /proc/cpuinfo microcode      : 0x2d

To see latest version available in kernel-firmware-extra package for your processor, first find the processor signature:

[terry@xxxxx ~]$ iucode_tool -S iucode_tool: system has processor(s) with signature 0x000206a7

then use that signature to grep for the latest version available:

[terry@xxxxx ~]$ iucode_tool -L /lib/firmware/intel-ucode/ | grep 0x000206a7 074/001: sig 0x000206a7, pf_mask 0x12, 2018-02-07,  rev 0x002d , size 12288