CPU Microcode: Difference between revisions
m (→Verifying that the microcode image has loaded: Use HTML entities so the codeline template will behave) |
mNo edit summary |
||
(6 intermediate revisions by 2 users not shown) | |||
Line 6: | Line 6: | ||
== Obtaining microcode updates on Alpine == | == Obtaining microcode updates on Alpine == | ||
{{Warning| Certain Intel CPUs, such Intel Atom with PSE errata, and Intel Haswell + Broadwell with TSX errata, can only be fixed via BIOS or UEFI update (which includes microcode); if you are using one of these CPUs, please do not use the instructions below}} | |||
On Alpine Linux, CPU microcode is loaded early via initrd images, premade images are available from packages: | On Alpine Linux, CPU microcode is loaded early via initrd images, premade images are available from packages: | ||
Line 15: | Line 17: | ||
{{cmd|apk add {{pkg|intel-ucode}}}} | {{cmd|apk add {{pkg|intel-ucode}}}} | ||
If you are using syslinux or grub in a typical setup, the packages will automatically append your extlinux.conf or grub.conf file and merely a reboot will be required to run the new microcode. Users using UEFI's built-in boot manager will have to use efibootmgr to add a second initrd line. | If you are using syslinux or grub in a typical setup, the packages will automatically append your {{path|extlinux.conf}} or {{path|grub.conf}} file and merely a reboot will be required to run the new microcode. Users using UEFI's built-in boot manager will have to use efibootmgr to add a second initrd line. Likewise if you are using the limine bootoader will need to add a 2nd MODULE_PATH directive in {{path|limine.cfg}} pointing to the ucode file. | ||
== Verifying that the microcode image has loaded == | == Verifying that the microcode image has loaded == | ||
Line 22: | Line 24: | ||
If the microcode initrd image was loaded, the microcode update driver will print a signature and revision | If the microcode initrd image was loaded, the microcode update driver will print a signature and revision | ||
Example for Intel: | |||
<pre> | |||
[ 2.198775 ] microcode: sig=0x6fd, pf=0x80, revision=0xa4 | |||
</pre> | |||
Example for AMD: | |||
<pre> | |||
[ 11.442146] microcode: Current revision: 0x0a0011d5 | |||
[ 11.447027] microcode: Updated early from: 0x0a0011d3 | |||
</pre> | |||
{{Todo|Example needed for VIA CPUs, they seem to print slightly differently.}} | |||
== Check if CPU mitigation is working == | |||
This command not only shows if microcode is working, but other CPU vulnerabilities affected: | |||
{{cmd|cat /sys/devices/system/cpu/vulnerabilities/*}} | |||
[[Category:Security]] |
Latest revision as of 01:14, 30 December 2024
CPU microcode is a form of firmware that controls the processor's internals.
In modern processors, the microcode handles execution of complex and highly specialized instructions. Parts of the microcode also act as firmware for the processor's embedded controllers, and it is even used to fix or to mitigate processor design/implementation errata/bugs. Given the complexity of modern processors, a CPU may have over a hundred such errata.
Recently, microcode updates have become mandatory for security due to side-channel attacks against CPUs.
Obtaining microcode updates on Alpine
On Alpine Linux, CPU microcode is loaded early via initrd images, premade images are available from packages:
To obtain the microcode update package for AMD processors:
apk add amd-ucode
To obtain the microcode update package for Intel processors:
apk add intel-ucode
If you are using syslinux or grub in a typical setup, the packages will automatically append your extlinux.conf or grub.conf file and merely a reboot will be required to run the new microcode. Users using UEFI's built-in boot manager will have to use efibootmgr to add a second initrd line. Likewise if you are using the limine bootoader will need to add a 2nd MODULE_PATH directive in limine.cfg pointing to the ucode file.
Verifying that the microcode image has loaded
Run the command:
dmesg | grep microcode
If the microcode initrd image was loaded, the microcode update driver will print a signature and revision
Example for Intel:
[ 2.198775 ] microcode: sig=0x6fd, pf=0x80, revision=0xa4
Example for AMD:
[ 11.442146] microcode: Current revision: 0x0a0011d5 [ 11.447027] microcode: Updated early from: 0x0a0011d3
Check if CPU mitigation is working
This command not only shows if microcode is working, but other CPU vulnerabilities affected:
cat /sys/devices/system/cpu/vulnerabilities/*