Intel microcode

From Gentoo Wiki
Jump to:navigation Jump to:search

This article describes the process of updating the microcode on Intel processors.

Installation

Kernel

The following kernel support is required to be built-in:

KERNEL Enable CONFIG_BLK_DEV_INITRD, CONFIG_MICROCODE, and CONFIG_MICROCODE_INTEL
General setup  --->
    [*] Initial RAM filesystem and RAM disk (initramfs/initrd) support
Processor type and features  --->
    <*> CPU microcode loading support
    [*]   Intel microcode loading support
Warning
Modules do not work for early microcode, so make sure microcode loading is built-in.
Important
Since kernel version 6.6, the microcode loading support is enabled by default, and the above configuration no longer exists:CONFIG_MICROCODE_INTEL was replaced with CONFIG_CPU_SUP_INTEL. [1]

Emerge

Install the microcode firmware package and the manipulation tool:

root #emerge --ask --noreplace sys-firmware/intel-microcode

Configuration

Note
If the initramfs USE flag is active the intel-microcode ebuild will automatically install a cpio archive of all microcode into /boot/intel-uc.img.

To manually generate the microcode cpio archive use iucode_tool:

root #iucode_tool -S --write-earlyfw=/boot/early_ucode.cpio /lib/firmware/intel-ucode/*
iucode_tool: system has processor(s) with signature 0x000306c3
iucode_tool: Writing selected microcodes to: /boot/early_ucode.cpio

Genkernel

If genkernel is used to generate the initrd then add the --microcode-initramfs option to have it prepend an early cpio with the Intel and AMD microcode inside. No modifications to the bootloader config are necessary below.

Syslinux

Multiple initrd files are separated by commas in the INITRD line. Set early_ucode.cpio to load first:

FILE /boot/syslinux.cfg
LABEL gentoo
    MENU LABEL Gentoo Linux 4.4.6
    LINUX /vmlinuz-4.4.6-gentoo
    INITRD /early_ucode.cpio,/initrd-4.4.6-gentoo.img

GRUB Legacy

Add the generated microcode to the kernel command-line as the first initrd. The root initramfs goes second separated by space. This step is necessary even if the system does not use an initrd image in order to boot. The microcode update merely leverages the initrd hooks:

FILE /boot/grub/grub.confExample GRUB Legacy configuration for microcode update
title Gentoo Linux 4.4.6
root (hd0,0)
kernel /boot/vmlinuz-4.4.6-gentoo root=/dev/sda3
initrd /boot/intel-uc.img /boot/initrd.img

GRUB

Starting with version 2.02-r1, GRUB supports loading an early microcode. If the microcode file is named after one of the following: intel-uc.img, intel-ucode.img, amd-uc.img, amd-ucode.img, early_ucode.cpio, or microcode.cpio, it will be automatically detected when running grub-mkconfig. To declare a microcode file named differently, e.g. ucode.cpio, add this line to /etc/default/grub:

FILE /etc/default/grub
GRUB_EARLY_INITRD_LINUX_CUSTOM="ucode.cpio"

Regenerate the grub.cfg with:

root #grub-mkconfig -o /boot/grub/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-4.6.3-gentoo
Found initrd image: /boot/early_ucode.cpio /initramfs-genkernel-x86_64-4.6.3-gentoo
done

Or, for earlier versions than 2.02-r1, edit grub.cfg directly to add the early_ucode.cpio as the first initrd:

FILE /boot/grub/grub.cfg
menuentry 'Gentoo Linux 4.14' {
  root=hd0,1
  linux /boot/linux-4.14.12 root=LABEL=ROOT rootfstype=ext4 ro
  initrd /boot/early_ucode.cpio /boot/initrd.img
}

Finally, reboot.

rEFInd

FILE /efi/EFI/refind/refind.conf
menuentry Linux {
  icon EFI/refind/icons/os_gentoo.png
  volume foo
  loader boot/vmlinuz
  options "initrd=boot/early_ucode.cpio initrd=boot/bootsplash-initramfs console=tty1 ro root=foo"
 
  submenuentry "Old Kernel" {
    loader boot/vmlinuz.old
  }
}

This example system has the EFI partition /dev/sda1 mounted to /efi. The Linux kernel and initrd files have been placed in /boot on the Linux rootfs.

If using the initrd keyword instead of the options keyword for specifying initrd, then try specifying multiple initrd files via separate initrd keywords, or migrate the declarations into options. Specifying multiple initrd via one initrd keyword fails on rEFInd. As always, make sure boot/early_code.cpio is the first initrd specified.

Review and edit the kernel cmdline options from the rEFInd bootloader. With the Gentoo OS entry highlighted, press F2 to access the menu entries, and press F2 again over the desired entry to review and edit. This is very useful for quick experimenting without need to edit refind.conf.

FILE /boot/refind_linux.conf
"Boot using default options"     "root=PARTUUID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX rw initrd=boot\intel-ucode.img initrd=boot\amd-ucode.img initrd=boot\initramfs-%v.img"

Finalize the configuration in /boot/refind_linux.conf. Keep in mind that rEFInd searches initramfs relatively partition, so if the /boot partition is separate, search it with "initrd=intel-ucode.img initrd=initramfs-%v.img" (because boot partition don't have /boot folder). Use backslashes \, or the kernel may not find the files. See refind.conf for keyword descriptions and The rEFInd Homepage for more on how to use rEFInd.

systemd-boot

Add the microcode as an argument to an initrd line. If an initrd line already exists, ensure the microcode entry occurs first. The path to the microcode should be absolute to the root of the ESP.

FILE /boot/EFI/loader/entries/example
title      Gentoo/Linux
version    4.13.13
options    root=/dev/sda1
linux      /4.13.13/linux
initrd     /4.13.13/intel_ucode
initrd     /4.13.13/initrd

For more information, see The Boot Loader Specification.

Xen (EFI)

Add a line to the xen.cfg with the ucode option. The path to the microcode is relative to the xen.efi binary. Ensure to write the microcode into the correct location (default is /boot/EFI/Gentoo) or copy it there.

FILE /boot/EFI/Gentoo/xen.cfg
[global]
default=gentoo
 
[gentoo]
kernel=vmlinuz-4.4.6-gentoo root=/dev/sda1
ramdisk=initrd-4.4.6-gentoo.img
ucode=early_ucode.cpio

For more information, see the Xen EFI documentation.

New method without initram-fs/disk (efistub compatible)

Warning
This will only work on a 64-bit kernel and will have no effect otherwise. 32-bit systems need to use an initramfs.
Note
This method should be preferable, especially for EFI-Stub systems (some motherboard firmware might have issues with parsing/passing custom boot command line options), since these changes are less likely to leave the system unbootable (and possibly unrepairable without an EFI compatible rescue disk which can be very tricky on headless machines) the way a broken firmware boot entry and/or incorrect initram-fs/disk would, while it also works on BIOS systems or EFI systems with custom bootloaders on disk.

Software

The sys-firmware/intel-microcode-20171117-r1 package has been rewritten to use iucode_tool to process microcode data files. Users can now use the MICROCODE_SIGNATURES variable to install only a subset of microcode data files.

To install microcode data files for the system processor(s):

FILE /etc/portage/make.conf
MICROCODE_SIGNATURES="-S"

To install microcode data files for a specific processor use MICROCODE_SIGNATURES="-s 0x000306c3", or MICROCODE_SIGNATURES="-s !0x000306c3" to exclude a specific processor. An empty or undefined MICROCODE_SIGNATURES variable will install all microcode data files.

Install the microcode data files:

root #emerge --ask sys-firmware/intel-microcode

The sys-firmware/intel-microcode-20171117-r1 installs iucode_tool which can be used to identify the processor signature(s).

user $iucode_tool -S
iucode_tool: system has processor(s) with signature 0x000306c3

To find the appropriate filename(s) for the listed signature(s) use:

user $iucode_tool -S -l /lib/firmware/intel-ucode/*
iucode_tool: system has processor(s) with signature 0x000306c3
[...]
microcode bundle 49: /lib/firmware/intel-ucode/06-3c-03
[...]
selected microcodes:
  049/001: sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528

The signature is found in microcode bundle 49, so the filename to use is /lib/firmware/intel-ucode/06-3c-03.

See also
See the intel ucode for Core i7-8650U forums post for an easier way to get the necessary microcode file.

Kernel

Enable and configure the CONFIG_MICROCODE, CONFIG_MICROCODE_INTEL, CONFIG_FIRMWARE_IN_KERNEL, CONFIG_EXTRA_FIRMWARE and CONFIG_EXTRA_FIRMWARE_DIR kernel options.

Warning
Every option must be set as built into the kernel, not as a kernel module.
KERNEL Enabling Microcode Loading Support
Processor type and features  --->
    <*> CPU microcode loading support
    [*]   Intel microcode loading support

Device Drivers  --->
  Generic Driver Options  --->
    Firmware Loader  --->
      -*-   Firmware loading facility 
      (intel-ucode/06-3c-03) Build named firmware blobs into the kernel binary 
      (/lib/firmware) Firmware blobs root directory
Note
The CONFIG_EXTRA_FIRMWARE and CONFIG_EXTRA_FIRMWARE_DIR options need to be set to the values identified by iucode_tool. In this example for an Intel i7-4790K processor, CONFIG_EXTRA_FIRMWARE is set to intel-ucode/06-3c-03 and CONFIG_EXTRA_FIRMWARE_DIR is set to /lib/firmware.
Note
The CONFIG_EXTRA_FIRMWARE option allows specifying multiple firmware files by listing them space-separated.

Rebuild and install the kernel as usual.

Verification

After the next reboot, the loaded microcode revision can be verified by running:

user $grep microcode /proc/cpuinfo
microcode	: 0x22
microcode	: 0x22

The dmesg output should include:

root #dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0x22, date = 2017-01-27
[    1.153262] microcode: sig=0x306c3, pf=0x2, revision=0x22
[    1.153815] microcode: Microcode Update Driver: v2.2.

Here is an example of a CPU with no available microcode updates (microcode already current) or the system was not configured to load them properly:

root #dmesg | grep microcode
[    1.196567] microcode: CPU0 sig=0x6fd, pf=0x80, revision=0xa3
[    1.196575] microcode: CPU1 sig=0x6fd, pf=0x80, revision=0xa3
[    1.196623] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba

Here is the same CPU but with microcode updates being applied successfully:

root #dmesg | grep microcode
[    0.000000] microcode: microcode updated early to revision 0xa4, date = 2010-10-02
[    1.207385] microcode: CPU0 sig=0x6fd, pf=0x80, revision=0xa4
[    1.207393] microcode: CPU1 sig=0x6fd, pf=0x80, revision=0xa4
[    1.207445] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
Note
If genkernel and legacy GRUB are used, the first line may be absent. Instead, check the microcode revision before and after the changes.
Note
Note how this is the very first step of the kernel logs now.
Important
It is possible the microcode has already been fully updated by your BIOS vendor. In that case the dmesg output does not contain the update log message.
Note
Be aware that injecting the microcode update directly into the motherboard firmware (which might sounds tempting) might result in CPU0 being updated but the rest of the CPUs (or CPU cores in a multi-core system) being left at their initial revision (which might cause more problems than running them all at the same initial version). And, since most stock motherboard firmware has some microcode updates (even in their initial release versions), it's probably a good enough reason for everybody to make sure their kernel tries to update all CPUs (and cores) to the same version (so, let this update driver running even if the kernel has the same version which is stored in the motherboard firmware). Injecting the microcode into the firmware might be desirable still (to make sure it's loaded for the boot CPU before the kernel is loaded and able to update the rest of the microcode).

See also

External resources

Important
The microcode-ctl utility has been deprecated as of version 1.28-r1 (Gentoo unstable)[2] and was removed from the Gentoo repository.

References

  1. https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e6bcfdd75d53390a67f67237f4eafc77d9772056
  2. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=719cc5ef240b766953ddbe1e7a6593f8091eed12 The microcode-ctl utility has been deprecated as of version 1.28-r1 (Gentoo unstable) and no longer contains the init script. It also does not work on certain CPUs such as Intel Haswells.