Microcode updates not activated Why!?



  • Hello,

    This morning I looked at the loader.conf file and was surprised to see the following lines

    Microcode loading configuration

    cpu_microcode_load="NO" # Set this to YES to load and apply a
    # microcode update file during boot.
    cpu_microcode_name="/boot/firmware/ucode.bin" # Set this to the microcode
    # update file path.
    cpu_microcode_type="cpu_microcode" # Required for the kernel to find
    # the microcode update file.

    That is because cpu_microcode updates are/can be important e.g. for security fixes. Especially if the BIOS is not up to date (e.g. older motherboard).
    So I wonder why microcode is not loaded. Is there a special reason for that !??

    Louis



  • @louis2

    hi,

    this setting should be handled gently
    Please imagine the CPU microcode being updated uncontrollably at any time
    (there are a lot of manufacturers in MOBO / CPU theme)

    the feature is live, but gives you a choice?!
    (or rather to developers)



  • Note that e.g. Intel does not exactly have a good reputation when it comes to CPU security bugs .....

    And .... I am running an Intel CPU here. I would surely prefer to have as much patched as possible ....

    Louis



  • @louis2

    Exactly 😉
    that is why I am using AMD Epyc 3151 (only for NGFW)

    CPU microcodes come from BIOS update
    surely this is taken into account when loading the kernel...

    or (by self)
    https://www.thomas-krenn.com/en/wiki/Update_Intel_Microcode_on_FreeBSD
    (I do not recommend until approved by the developers)

    I am also a maximalist, but also careful!



  • Hello,

    I just had a crash ..... and a crash dump ..... and guess what I saw in that crash dump ...

    <118>Welcome to pfSense 2.5.0-DEVELOPMENT...
    <118>
    <118>savecore 126 - - reboot after panic: page fault
    <118>savecore 126 - - writing core to /var/crash/textdump.tar.0
    <118>...ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg /usr/local/lib/compat/pkg /usr/local/lib/ipsec /usr/local/lib/perl5/5.30/mach/CORE
    <118>32-bit compatibility ldconfig path:
    <118>done.
    <118>>>> Removing vital flag from php73... done.
    <118>External config loader 1.0 is now starting...
    <118>Launching the init system ...Updating CPU Microcode...
    CPU: Intel(R) Pentium(R) CPU G4620 @ 3.70GHz (3696.18-MHz K8-class CPU)
    Origin="GenuineIntel" Id=0x906e9 Family=0x6 Model=0x9e Stepping=9
    Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>

    etc

    <118>Done.

    So the simple answer is, ..... NetGate does update the microcode (just in another way).

    So glad I saw this!

    Thanks Netgate !!

    Louis
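
The situation in the last post, where loader.conf says `cpu_microcode_load="NO"` while the boot messages still show "Updating CPU Microcode...", can be checked by looking at both places together. This is an added example, not part of the thread and not pfSense or FreeBSD code; the function names and the sample files are constructed, and the log match relies only on the string shown in the crash dump above.

```shell
#!/bin/sh
# Added example (not from the thread): report whether microcode is applied by
# the boot loader (loader.conf) or later during boot (boot messages).

# effective_loader_var VAR FILE...
# Print the last value assigned to VAR across loader.conf-style files,
# given in override order (later files win). Prints nothing if unset.
effective_loader_var() {
    var=$1; shift
    val=""
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Emit "=value" so a present-but-empty assignment is still detected.
        v=$(sed -n "s/^[[:space:]]*${var}=\"\([^\"]*\)\".*/=\1/p" "$f" | tail -n 1)
        if [ -n "$v" ]; then val=${v#=}; fi
    done
    printf '%s\n' "$val"
}

# microcode_status BOOTLOG CONF...
# loader=yes            -> cpu_microcode_load is YES in the effective config
# boot-time-update=yes  -> the boot messages contain "Updating CPU Microcode"
microcode_status() {
    log=$1; shift
    case $(effective_loader_var cpu_microcode_load "$@") in
        [Yy][Ee][Ss]) early=yes ;;
        *)            early=no ;;
    esac
    if grep -q 'Updating CPU Microcode' "$log"; then late=yes; else late=no; fi
    printf 'loader=%s boot-time-update=%s\n' "$early" "$late"
}

# Constructed sample input mirroring the lines quoted in this thread.
tmp=$(mktemp -d)
cat > "$tmp/loader.conf" <<'EOF'
cpu_microcode_load="NO" # Set this to YES to load and apply a
cpu_microcode_name="/boot/firmware/ucode.bin" # Set this to the microcode
cpu_microcode_type="cpu_microcode" # Required for the kernel to find
EOF
cat > "$tmp/boot.log" <<'EOF'
<118>External config loader 1.0 is now starting...
<118>Launching the init system ...Updating CPU Microcode...
<118>Done.
EOF
microcode_status "$tmp/boot.log" "$tmp/loader.conf"
rm -rf "$tmp"
```

On a live system the arguments would be a saved copy of the boot messages followed by the loader configuration files in override order (for example `/boot/defaults/loader.conf`, then `/boot/loader.conf`).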

