Netgate Discussion Forum

Microcode updates not activated Why!?

2.5 Development Snapshots (Retired)
  • louis2
    last edited by Jul 3, 2020, 10:00 AM

    Hello,

    This morning I looked at the loaded.conf file and was surprised to see the following lines

    Microcode loading configuration

    cpu_microcode_load="NO" # Set this to YES to load and apply a
    # microcode update file during boot.
    cpu_microcode_name="/boot/firmware/ucode.bin" # Set this to the microcode
    # update file path.
    cpu_microcode_type="cpu_microcode" # Required for the kernel to find
    # the microcode update file.

    That is because cpu_microcode updates are/can be important e.g. for security fixes. Especially if the BIOS is not up to date (e.g. older motherboard).
    So I wonder why microcode is not loaded. Is there a special reason for that !??

    Louis

    • DaddyGo @louis2
      last edited by Jul 3, 2020, 10:32 AM

      @louis2

      hi,

      this setting should be handled gently
      Pls., imagine that, the CPU microcodes being updated uncontrollably at any time
      (there are a lot of manufacturers in MOBO / CPU theme)

      the feature is live, but gives you a choice?!
      (or rather to developers)

      Cats bury it so they can't see it!
      (You know what I mean if you have a cat)

      • louis2
        last edited by Jul 3, 2020, 10:42 AM

        Note that e.g. Intel does not exactly have a good reputation when it comes to CPU security bugs .....

        And .... I am running an Intel CPU here. I would surely prefer to have as much patched as possible ....

        Louis

        • DaddyGo @louis2
          last edited by Jul 3, 2020, 11:03 AM

          @louis2

          Exactly 😉
          that is why I am using AMD Epyc 3151 (only for NGFW)

          CPU microcodes come from BIOS update
          surely this is taken into account when loading the kernel...

          or (by self)
          https://www.thomas-krenn.com/en/wiki/Update_Intel_Microcode_on_FreeBSD
          (I do not recommend until approved by the developers)

          I am also a maximalist, but also careful!

          Cats bury it so they can't see it!
          (You know what I mean if you have a cat)

          • louis2
            last edited by Jul 10, 2020, 7:30 PM

            Hello,

            I just had a crash ..... and a crash dump ..... and guess what I saw in that crash dump ...

            <118>Welcome to pfSense 2.5.0-DEVELOPMENT...
            <118>
            <118>savecore 126 - - reboot after panic: page fault
            <118>savecore 126 - - writing core to /var/crash/textdump.tar.0
            <118>...ELF ldconfig path: /lib /usr/lib /usr/lib/compat /usr/local/lib /usr/local/lib/compat/pkg /usr/local/lib/compat/pkg /usr/local/lib/ipsec /usr/local/lib/perl5/5.30/mach/CORE
            <118>32-bit compatibility ldconfig path:
            <118>done.
            <118>>>> Removing vital flag from php73... done.
            <118>External config loader 1.0 is now starting...
            <118>Launching the init system ...Updating CPU Microcode...
            CPU: Intel(R) Pentium(R) CPU G4620 @ 3.70GHz (3696.18-MHz K8-class CPU)
            Origin="GenuineIntel" Id=0x906e9 Family=0x6 Model=0x9e Stepping=9
            Features=0xbfebfbff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CLFLUSH,DTS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE>

            etc

            <118>Done.

            So the simple answer is, ..... NetGate does update the micro code (just in another way).

            So glad I saw this!

            Thanks Netgate !!

            Louis
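
As an added example (not part of the thread and not pfSense's or FreeBSD's own code): a small sh script that tells apart the two cases discussed above, microcode loaded by the boot loader via cpu_microcode_load versus microcode applied later during init, which is what the "Updating CPU Microcode..." boot message in the last post indicates. The function names, the temporary file names and the local override file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not pfSense or FreeBSD code): decide how, if at all, CPU
# microcode gets applied, from loader.conf-style files and a boot message log.

# Print the effective value of loader.conf variable $1 across the files that
# follow; a later file overrides an earlier one, as /boot/loader.conf does for
# /boot/defaults/loader.conf. Comment lines and trailing comments are ignored.
loader_conf_value() {
    var=$1; shift
    sed -n "s/^[[:space:]]*${var}=\"\([^\"]*\)\".*/\1/p" "$@" 2>/dev/null | tail -n 1
}

# Succeed if the boot log contains the init-time marker quoted in the thread.
microcode_updated_by_init() {
    grep -q 'Updating CPU Microcode\.\.\.' "$1"
}

# Print "loader", "init" or "none" for a boot log ($1) and the config files after it.
microcode_status() {
    log=$1; shift
    load=$(loader_conf_value cpu_microcode_load "$@" | tr '[:lower:]' '[:upper:]')
    if [ "$load" = "YES" ]; then echo loader
    elif microcode_updated_by_init "$log"; then echo init
    else echo none
    fi
}

# Constructed sample input: the defaults excerpt and boot lines quoted in the
# thread, plus a hypothetical local override file and a log without the marker.
tmp=$(mktemp -d)
cat > "$tmp/defaults.conf" <<'EOF'
cpu_microcode_load="NO" # Set this to YES to load and apply a
# microcode update file during boot.
cpu_microcode_name="/boot/firmware/ucode.bin" # Set this to the microcode
EOF
printf 'cpu_microcode_load="YES"\n' > "$tmp/local.conf"
cat > "$tmp/boot.log" <<'EOF'
<118>External config loader 1.0 is now starting...
<118>Launching the init system ...Updating CPU Microcode...
CPU: Intel(R) Pentium(R) CPU G4620 @ 3.70GHz (3696.18-MHz K8-class CPU)
EOF
printf '<118>Launching the init system ...\n' > "$tmp/quiet.log"

microcode_status "$tmp/boot.log" "$tmp/defaults.conf"   # the thread's situation
```

On a live system the same functions would be pointed at the real loader.conf files and at saved boot messages instead of the constructed samples.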

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.