Microcode updates not activated Why!?

  • Hello,

    This morning I looked at the loader.conf file and was surprised to see the following lines:

    # Microcode loading configuration

    cpu_microcode_load="NO" # Set this to YES to load and apply a
    # microcode update file during boot.
    cpu_microcode_name="/boot/firmware/ucode.bin" # Set this to the microcode
    # update file path.
    cpu_microcode_type="cpu_microcode" # Required for the kernel to find
    # the microcode update file.

    That is because cpu_microcode updates are/can be important, e.g. for security fixes, especially if the BIOS is not up to date (e.g. an older motherboard).
    So I wonder why microcode is not loaded. Is there a special reason for that!??


  • @louis2


    This setting should be handled gently.
    Please imagine the CPU microcode being updated uncontrollably at any time
    (there are a lot of manufacturers in the MOBO / CPU space).

    the feature is live, but gives you a choice?!
    (or rather to developers)

  • Note that e.g. Intel does not exactly have a good reputation when it comes to CPU security bugs .....

    And .... I am running an Intel CPU here. I would surely prefer to have as much patched as possible ....


  • @louis2

    Exactly 😉
    that is why I am using AMD Epyc 3151 (only for NGFW)

    CPU microcode comes from a BIOS update;
    surely this is taken into account when loading the kernel...

    or (by self)
    (I do not recommend until approved by the developers)

    I am also a maximalist, but also careful!

  • Hello,

    I just had a crash ..... and a crash dump ..... and guess what I saw in that crash dump ...

    <118>Welcome to pfSense 2.5.0-DEVELOPMENT...
    <118>savecore 126 - - reboot after panic: page fault
    <118>savecore 126 - - writing core to /var/crash/textdump.tar.0
    <118>...ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg /usr/local/lib/compat/pkg /usr/local/lib/ipsec /usr/local/lib/perl5/5.30/mach/CORE
    <118>32-bit compatibility ldconfig path:
    <118>>>> Removing vital flag from php73... done.
    <118>External config loader 1.0 is now starting...
    <118>Launching the init system ...Updating CPU Microcode...
    CPU: Intel(R) Pentium(R) CPU G4620 @ 3.70GHz (3696.18-MHz K8-class CPU)
    Origin="GenuineIntel" Id=0x906e9 Family=0x6 Model=0x9e Stepping=9



    So the simple answer is, ..... Netgate does update the microcode (just in another way).

    So glad I saw this!

    Thanks Netgate !!
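
The check the last post did by eye, written as a POSIX shell script. This is an added example, not part of the thread and not Netgate's or FreeBSD's code. It reads the `cpu_microcode_load` knob quoted in the first post and looks for the `Updating CPU Microcode...` line in a boot log. The function names and temp-file layout are assumptions, and the sample config and log are constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example: decide how (or whether) a microcode update is attempted, from a
# loader.conf-style file and a captured boot log. Function names are hypothetical.

# Print the effective value of a loader.conf variable (last assignment wins,
# quotes and trailing comments stripped); prints nothing if it is never set.
loader_value() {  # $1 = variable name, $2 = file
    sed -n "s/^[[:space:]]*$1=\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" "$2" | tail -n 1
}

# Succeeds if the boot log contains the init-time message seen in the thread.
log_shows_update() {  # $1 = boot log
    grep -q 'Updating CPU Microcode' "$1"
}

# Classify: "loader" (knob set to YES, file applied during boot), "init"
# (update attempted during system startup, as in the crash-dump log), or "none".
# The log message shows an attempt, not that the revision actually changed.
microcode_path() {  # $1 = loader.conf, $2 = boot log
    case "$(loader_value cpu_microcode_load "$1" | tr '[:lower:]' '[:upper:]')" in
        YES) echo loader ;;
        *)   if log_shows_update "$2"; then echo init; else echo none; fi ;;
    esac
}

# Extract the CPUID signature (the Id= field) so it can be matched against the
# vendor's microcode release notes.
cpu_signature() {  # $1 = boot log
    sed -n 's/.*Origin="[^"]*"[[:space:]]*Id=\(0x[0-9a-fA-F]*\).*/\1/p' "$1" | head -n 1
}

# Constructed sample input, built from the lines quoted in the thread.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/loader.conf" <<'EOF'
cpu_microcode_load="NO"   # Set this to YES to load and apply a
                          # microcode update file during boot.
cpu_microcode_name="/boot/firmware/ucode.bin"
EOF
cat > "$SAMPLE_DIR/boot.log" <<'EOF'
<118>Launching the init system ...Updating CPU Microcode...
CPU: Intel(R) Pentium(R) CPU G4620 @ 3.70GHz (3696.18-MHz K8-class CPU)
  Origin="GenuineIntel" Id=0x906e9 Family=0x6 Model=0x9e Stepping=9
EOF

echo "path: $(microcode_path "$SAMPLE_DIR/loader.conf" "$SAMPLE_DIR/boot.log")"
echo "cpu:  $(cpu_signature "$SAMPLE_DIR/boot.log")"
```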


