Intel microcode updates and what do they entail?

fufukauliza

fufukauliza

Hello,

a topic that I have never studied in depth and therefore I ask you for an explanation as simple as possible.
In one of the many FreeBSD installation tutorials I remember seeing it suggested to also set up the microcode update which I think is possible for both Intel and AMD CPUs.
I have an Intel processor and FreeBSD 13.1
What does this type of update entail, can there be risks and what is the best way to do it?
I found this link but I wanted to ask the community first and wait for your advice.

Update Intel Microcode on FreeBSD - Thomas-Krenn-Wiki-en

FreeBSD provides support for updating the microcode of a processor at startup or at runtime. In this article, we use a server running FreeBSD 12.0 to show how to check the Intel Microcode version and how to install newer microcode versions if necessary.
www.thomas-krenn.com

Thank you all.
 
SirDice said:
A modern x86 based CPU is actually a complete computer inside the chip. This type of update updates the microcode inside the CPU itself. It's like updating the "OS" of the CPU itself.

Microcode - Wikipedia

en.wikipedia.org en.wikipedia.org
Click to expand...
OK thanks.
What is the safest method you recommend for doing this?
Furthermore, if the update is not successful, what are the risks, can there be malfunctions?
Thanks again.
 
I think it's just pkg install devcpu-data-intel and follow whatever instructions. It's probably add a variable to /etc/rc.conf and reboot.
Code: 
2. The second method, which uses the RC script included in this port can
   be enabled by adding the following line to /etc/rc.conf:

   microcode_update_enable="YES"

   The microcode update is then applied upon reboot or when the microcode
   update service is run via:

   # service microcode_update start

   If the CPU requires a microcode update, a console message such as the
   following will appear:

   Updating CPU Microcode...
   %%DATADIR%%/m32306c3_00000022.fw: updating cpu /dev/cpuctl0 from rev 0x17 to rev 0x22... done.
   %%DATADIR%%/m32306c3_00000022.fw: updating cpu /dev/cpuctl2 from rev 0x17 to rev 0x22... done.
   %%DATADIR%%/m32306c3_00000022.fw: updating cpu /dev/cpuctl4 from rev 0x17 to rev 0x22... done.
   %%DATADIR%%/m32306c3_00000022.fw: updating cpu /dev/cpuctl6 from rev 0x17 to rev 0x22... done.
   Done.
 
mer said:
I think it's just pkg install devcpu-data-intel and follow whatever instructions. It's probably add a variable to /etc/rc.conf and reboot.
Code: 
2. The second method, which uses the RC script included in this port can
   be enabled by adding the following line to /etc/rc.conf:

   microcode_update_enable="YES"

   The microcode update is then applied upon reboot or when the microcode
   update service is run via:

   # service microcode_update start

   If the CPU requires a microcode update, a console message such as the
   following will appear:

   Updating CPU Microcode...
   %%DATADIR%%/m32306c3_00000022.fw: updating cpu /dev/cpuctl0 from rev 0x17 to rev 0x22... done.
   %%DATADIR%%/m32306c3_00000022.fw: updating cpu /dev/cpuctl2 from rev 0x17 to rev 0x22... done.
   %%DATADIR%%/m32306c3_00000022.fw: updating cpu /dev/cpuctl4 from rev 0x17 to rev 0x22... done.
   %%DATADIR%%/m32306c3_00000022.fw: updating cpu /dev/cpuctl6 from rev 0x17 to rev 0x22... done.
   Done.
Click to expand...

I installed the package for Intel but when I manually ran the service command microcode_update start it told me it couldn't find the service.
I then uninstalled the package for intel and with the generic one which also includes amd it worked and gave me the same message as the page:
Updating CPU Microcode ...
%% DATADIR %% / m32306c3_00000022.fw: updating cpu / dev / cpuctl0 from rev 0x17 to rev 0x22 ... done.


I checked my microcode both before and after and it stayed the same: 0x00000000000000f0

Am I wrong something sure or there are no updates for my CPU?

I think I got confused.

Thank you.
 
Sorry, my mistake about the packages. If you just installed the devcpu-data-intel you could do the lines in the boot loader, but the service comes in with the devcpu-data package.
If the microcode was the same before and after it means "no updates for your CPU in the current package".
 
Hello,
I enabled the microcode update via the boot loader.
Where can I find the logs of the process to know that it has done an update check?

Thank you.
 
fufukauliza said:
Hello,
I enabled the microcode update via the boot loader.
Where can I find the logs of the process to know that it has done an update check?
Click to expand...
Hello,
Mine is FreeBSD 14.3p5-RELEASE, with Intel(R) Xeon(R) E-2236 CPU.
I have done:
Code: 
pkg install cpu-microcode-intel
and edit /boot/loader.conf with:
Code: 
cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"
and the check:
Code: 
pkg install x86info
x86info -a | grep Microcode
will not work because there is no more the package named x86info.
I'm stuck on how to check too.

P/S:
My willing to update microcode is the Alpine Linux guest that running under bhyve says:
Code: 
[0.250047] Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
[0.251040] Spectre V2 : Mitigation: Retpolines
[0.252038] Spectre V2 : Spectre v2 / SpectreRSB: Filling RSB on context switch and VMEXIT
[0.253038] RETBleed: WARNING: Spectre v2 mitigation leaves CPU vulnerable to RETBleed attacks, data leaks possible!
[0.254037] RETBleed: Vulnerable
 
SirDice said:
A modern x86 based CPU is actually a complete computer inside the chip. This type of update updates the microcode inside the CPU itself. It's like updating the "OS" of the CPU itself.

Microcode - Wikipedia

en.wikipedia.org en.wikipedia.org
Click to expand...
Microcode has been a thing since the 1960's. All IBM 360s, except for the Model 44, used microcode. I also recall working at a site which had IBM 3033 processors (post IBM 370). The microcode was buggy so IBM produced microcode logic manuals documenting the logic of each machine instruction so that customers, like the company I worked for, could intelligently file CPU bug reports.
 
FreeBSD.vn said:
Hello,
Mine is FreeBSD 14.3p5-RELEASE, with Intel(R) Xeon(R) E-2236 CPU.
I have done:
Code: 
pkg install cpu-microcode-intel
and edit /boot/loader.conf with:
Code: 
cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"
and the check:
Code: 
pkg install x86info
x86info -a | grep Microcode
will not work because there is no more the package named x86info.
I'm stuck on how to check too.

P/S:
My willing to update microcode is the Alpine Linux guest that running under bhyve says:
Code: 
[0.250047] Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
[0.251040] Spectre V2 : Mitigation: Retpolines
[0.252038] Spectre V2 : Spectre v2 / SpectreRSB: Filling RSB on context switch and VMEXIT
[0.253038] RETBleed: WARNING: Spectre v2 mitigation leaves CPU vulnerable to RETBleed attacks, data leaks possible!
[0.254037] RETBleed: Vulnerable
Click to expand...
Have you restarted FreeBSD AFTER you installed sysutils/cpu-microcode-intel?
Does it have updates (newer than the one your BIOS / UEFI firmware has) for your CPU?

And sysutils/x86info is removed at Jun.30, 2025.
If your CPU microcode is actually updated, you can see something like below in dmesg(8) after boot.
Code: 
CPU microcode: updated from 0xf8 to 0xfa

Note that the example is for CPU: Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz (2200.00-MHz K8-class CPU), not Xeon.
 
FreeBSD.vn said:
My willing to update microcode is the Alpine Linux guest that running under bhyve says:
Code: 
[0.250047] Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
[0.251040] Spectre V2 : Mitigation: Retpolines
[0.252038] Spectre V2 : Spectre v2 / SpectreRSB: Filling RSB on context switch and VMEXIT
[0.253038] RETBleed: WARNING: Spectre v2 mitigation leaves CPU vulnerable to RETBleed attacks, data leaks possible!
[0.254037] RETBleed: Vulnerable
Click to expand...

It is not clear to me whether this complains about a lack of a mitigation in:
- the BIOS-loaded microcode
- microcode loaded by the FreeBSD kernel
- mitigation in the FreeBSD kernel
- mitigation in the VM's Linux kernel
 
cracauer@ said:
It is not clear to me whether this complains about a lack of a mitigation in:
- the BIOS-loaded microcode
- microcode loaded by the FreeBSD kernel
- mitigation in the FreeBSD kernel
- mitigation in the VM's Linux kernel
Click to expand...
It's not clear., but a vulnerable CPU could have a microcode update to mitigate? Or something missing from bhyve?
 
cracauer@ said:
No, some vulnerabilities don't have microcode fixes but need kernel workarounds instead.
Click to expand...
Some vulnerabilities can be mitigated via tunable and/or sysctls.
I have below in my /boot/loader.conf
Code: 
## Indirect Branch Restricted Speculation
## Set 0 to enable.
hw.ibrs_disable=0


## Select 0 to 3 for TAA mitigation mode.
##  0: No mitigation enabled.
##  1: Disable TSX via MSR.
##  2: Use VERW mitigation.
##  3: Automatically select the mitigation.
##
## Below are not selectable (report only)
##  4: Mitigation present in microcode.
##  5: TSX is not present.
machdep.mitigations.taa.enable=3

Maybe some more exists, though.

And some vulnerabilities could be mitigated via BIOS/UEFI firmware configurations (enable, disable or changing values), depends on their implementations.
No one-stop-for-everything exists, anyway.
 
dmesg from my Broadwell system


Code: 
CPU microcode: updated from 0xb00002e to 0xb000040
CPU: Intel(R) Xeon(R) CPU E5-2699 v4 @ 2.20GHz (2200.11-MHz K8-class CPU)
FreeBSD/SMP: Multiprocessor System Detected: 44 CPUs
 
fufukauliza said:
Furthermore, if the update is not successful, what are the risks, can there be malfunctions?
Thanks again.
Click to expand...
No it is a one time overlay. It does not affect anything on CPU. Merely how CPU interacts with software.
Nothing permanent. Just a software patch for CPU code.

Ideally your BIOS updates should fix some of this. Permanently.
At how much performance hit though...
 
You must log in or register to reply here.
Back
Top