Difference between revisions of "Microcode"

From ArchWiki
Jump to: navigation, search
(Undo revision 480787 by Frankenchokey (talk) - the rEFInd page uses paths including /boot/)
(Enabling early microcode updates: add tip about adding both microcode files)
 
(63 intermediate revisions by 16 users not shown)
Line 1: Line 1:
 
[[Category:CPU]]
 
[[Category:CPU]]
 +
[[Category:Security]]
 
[[de:Microcode]]
 
[[de:Microcode]]
 
[[es:Microcode]]
 
[[es:Microcode]]
Line 7: Line 8:
 
Processor manufacturers release stability and security updates to the processor [[Wikipedia:Microcode|microcode]]. While microcode can be updated through the BIOS, the Linux kernel is also able to apply these updates during boot. These updates provide bug fixes that can be critical to the stability of your system. Without these updates, you may experience spurious crashes or unexpected system halts that can be difficult to track down.
 
Processor manufacturers release stability and security updates to the processor [[Wikipedia:Microcode|microcode]]. While microcode can be updated through the BIOS, the Linux kernel is also able to apply these updates during boot. These updates provide bug fixes that can be critical to the stability of your system. Without these updates, you may experience spurious crashes or unexpected system halts that can be difficult to track down.
  
Users of CPUs belonging to the Intel Haswell and Broadwell processor families in particular must install these microcode updates to ensure system stability. But all Intel users should install the updates as a matter of course.
+
Users of CPUs belonging to the Intel Haswell and Broadwell processor families in particular must install these microcode updates to ensure system stability. But all users should install the updates as a matter of course.
  
 
== Installation ==
 
== Installation ==
  
For AMD processors the microcode updates are available in {{Pkg|linux-firmware}}, which is installed as part of the base system. No further action is needed.
+
For AMD processors, [[install]] the {{Pkg|amd-ucode}} package.
  
For Intel processors, [[install]] the {{Pkg|intel-ucode}} package, and continue reading.
+
For Intel processors, [[install]] the {{Pkg|intel-ucode}} package.
  
== Enabling Intel microcode updates ==
+
If your Arch installation is [[Installing Arch Linux on a USB key|on a removable drive]] that needs to have microcode for both manufacturer processors, install both of the packages.
  
Microcode must be loaded by the bootloader. Because of the wide variability in users' early-boot configuration, Intel microcode updates may not be triggered automatically by Arch's default configuration. Many AUR kernels have followed the path of the official Arch kernels in this regard.
+
== Enabling early microcode updates ==
  
These updates must be enabled by adding {{ic|/boot/intel-ucode.img}} as the '''first initrd in the bootloader config file'''. This is in addition to the normal initrd file. See below for instructions for common bootloaders.
+
Microcode must be loaded by the [[boot loader]]. Because of the wide variability in users' early-boot configuration, microcode updates may not be triggered automatically by Arch's default configuration. Many AUR kernels have followed the path of the official Arch [[kernels]] in this regard.
 +
 
 +
These updates must be enabled by adding {{ic|/boot/amd-ucode.img}} or {{ic|/boot/intel-ucode.img}} as the '''first initrd in the bootloader config file'''. This is in addition to the normal initrd file. See below for instructions for common bootloaders.
 +
 
 +
{{Note|In the following sections replace {{ic|''cpu_manufacturer''}} with your CPU manufacturer, i.e. {{ic|amd}} or {{ic|intel}}.}}
 +
 
 +
{{Tip|For [[Installing Arch Linux on a USB key|Arch Linux on a removable drive]] add both microcode files as {{ic|initrd}} to the boot loader configuration. Their order does not matter as long as they both are specified before the real initramfs image.}}
  
 
=== GRUB ===
 
=== GRUB ===
Line 25: Line 32:
 
==== Automatic method ====
 
==== Automatic method ====
  
''grub-mkconfig'' will automatically detect the microcode update and configure [[GRUB]] appropriately. After installing the {{Pkg|intel-ucode}} package, users are directed to regenerate the GRUB config to activate loading the microcode update by running:
+
''grub-mkconfig'' will automatically detect the microcode update and configure [[GRUB]] appropriately. After installing the microcode package, regenerate the GRUB config to activate loading the microcode update by running:
 +
 
 
  # grub-mkconfig -o /boot/grub/grub.cfg
 
  # grub-mkconfig -o /boot/grub/grub.cfg
  
 
==== Manual method ====
 
==== Manual method ====
  
Alternatively, users that manage their GRUB config file manually can add {{ic|/intel-ucode.img}} or {{ic|/boot/intel-ucode.img}} to {{ic|grub.cfg}} as follows:
+
Alternatively, users that manage their GRUB config file manually can add {{ic|/boot/''cpu_manufacturer''-ucode.img}} (or {{ic|/''cpu_manufacturer''-ucode.img}} if {{ic|/boot}} is a separate partition) as follows:
  
[...]
+
{{hc|/boot/grub/grub.cfg|
    echo 'Loading initial ramdisk ...'
+
...
    initrd /intel-ucode.img /initramfs-linux.img
+
echo 'Loading initial ramdisk'
[...]
+
initrd '''/boot/''cpu_manufacturer''-ucode.img''' /boot/initramfs-linux.img
 +
...
 +
}}
  
 
Repeat it for each menu entry.
 
Repeat it for each menu entry.
 
{{Warning|This file will automatically be overwritten by {{ic|/usr/bin/grub-mkconfig}} during certain updates negating the changes. It is strongly recommended to use the configuration directory in {{ic|/etc/grub.d/}} to manage your GRUB configuration needs.}}
 
  
 
=== systemd-boot ===
 
=== systemd-boot ===
  
Use the {{ic|initrd}} option twice in {{ic|/boot/loader/entries/''entry''.conf}}:
+
Use the {{ic|initrd}} option to load the microcode, before the initial ramdisk, as follows:
  
title  Arch Linux
+
{{hc|/boot/loader/entries/''entry''.conf|
linux  /vmlinuz-linux
+
title  Arch Linux
initrd  /intel-ucode.img
+
linux  /vmlinuz-linux
initrd  /initramfs-linux.img
+
'''initrd  /''cpu_manufacturer''-ucode.img'''
options ...
+
initrd  /initramfs-linux.img
 +
...
 +
}}
  
If you do not mount the ESP to {{ic|/boot}}, copy {{ic|/boot/intel-ucode.img}} to your [[EFI System Partition]].
+
The latest microcode {{ic|''cpu_manufacturer''-ucode.img}} must be available at boot time in your [[EFI system partition]] (ESP). The ESP must be mounted as {{ic|/boot}} in order to have the microcode updated every time {{Pkg|amd-ucode}} or {{Pkg|intel-ucode}} is updated. Otherwise, copy {{ic|/boot/''cpu_manufacturer''-ucode.img}} to your ESP at every update of the microcode package.
  
 
=== EFI boot stub / EFI handover ===
 
=== EFI boot stub / EFI handover ===
Line 57: Line 67:
 
Append two {{ic|1=initrd=}} options:
 
Append two {{ic|1=initrd=}} options:
  
{{bc|1=initrd=/intel-ucode.img initrd=/initramfs-linux.img}}
+
'''initrd=/''cpu_manufacturer''-ucode.img''' initrd=/initramfs-linux.img
  
 
{{Accuracy|What does this do, why isn't the above enough and why/how is it specific to this particular section?|section=Addition in EFI Boot stub}}
 
{{Accuracy|What does this do, why isn't the above enough and why/how is it specific to this particular section?|section=Addition in EFI Boot stub}}
Line 63: Line 73:
 
For kernels that have been generated as a single file containing all initrd, cmdline and kernel, first generate the initrd to integrate by creating a new one as follows:  
 
For kernels that have been generated as a single file containing all initrd, cmdline and kernel, first generate the initrd to integrate by creating a new one as follows:  
  
{{bc|1=cat /boot/intel-ucode.img /boot/initramfs-linux.img > my_new_initrd
+
{{bc|1=
 +
cat /boot/''cpu_manufacturer''-ucode.img /boot/initramfs-linux.img > my_new_initrd
 
objcopy ... --add-section .initrd=my_new_initrd  
 
objcopy ... --add-section .initrd=my_new_initrd  
 
}}
 
}}
Line 71: Line 82:
 
Edit boot options in {{ic|/boot/refind_linux.conf}} as per EFI boot stub above, example:
 
Edit boot options in {{ic|/boot/refind_linux.conf}} as per EFI boot stub above, example:
  
  "Boot with standard options" "rw root=UUID=(...) quiet initrd=/boot/intel-ucode.img initrd=/boot/initramfs-linux.img"
+
  "Boot with standard options" "rw root=UUID=(...) '''initrd=/boot/''cpu_manufacturer''-ucode.img''' initrd=/boot/initramfs-linux.img"
  
Users employing [[rEFInd#Manual_boot_stanzas|manual stanzas]] in {{ic|''esp''/EFI/refind/refind.conf}} to define the kernels should simply add {{ic|1=initrd=/intel-ucode.img}} or {{ic|/boot/intel-ucode.img}} as required to the options line, and not in the main part of the stanza.
+
Users employing [[rEFInd#Manual boot stanzas|manual stanzas]] in {{ic|''esp''/EFI/refind/refind.conf}} to define the kernels should simply add {{ic|1=initrd=/boot/''cpu_manufacturer''-ucode.img}} (or {{ic|/''cpu_manufacturer''-ucode.img}} if {{ic|/boot}} is a separate partition)  as required to the options line, and not in the main part of the stanza. E.g.:
 +
 
 +
options  "root=root=UUID=(...) rw add_efi_memmap '''initrd=/boot/''cpu_manufacturer''-ucode.img'''"
  
 
=== Syslinux ===
 
=== Syslinux ===
  
{{Note|There must be no spaces between the {{ic|intel-ucode}} and {{ic|initramfs-linux}} initrd files. The period signs also do not signify any shorthand or missing code; the {{ic|INITRD}} line must be exactly as illustrated below.}}
+
{{Note|There must be no spaces between the {{ic|''cpu_manufacturer''-ucode.img}} and {{ic|initramfs-linux.img}} initrd files. The {{ic|INITRD}} line must be exactly as illustrated below.}}
  
 
Multiple initrd's can be separated by commas in {{ic|/boot/syslinux/syslinux.cfg}}:
 
Multiple initrd's can be separated by commas in {{ic|/boot/syslinux/syslinux.cfg}}:
Line 84: Line 97:
 
     MENU LABEL Arch Linux
 
     MENU LABEL Arch Linux
 
     LINUX ../vmlinuz-linux
 
     LINUX ../vmlinuz-linux
     INITRD ../intel-ucode.img,../initramfs-linux.img
+
     INITRD '''../''cpu_manufacturer''-ucode.img''',../initramfs-linux.img
    APPEND ''<your kernel parameters>''
+
...
  
 
=== LILO ===
 
=== LILO ===
  
LILO and potentially other old bootloaders do not support multiple initrd images. In that case, {{ic|intel-ucode}} and {{ic|initramfs-linux}} will have to be merged into one image.
+
LILO and potentially other old bootloaders do not support multiple initrd images. In that case, {{ic|''cpu_manufacturer''-ucode.img}} and {{ic|initramfs-linux.img}} will have to be merged into one image.
 +
 
 
{{Warning|The merged image must be recreated after each kernel update!}}
 
{{Warning|The merged image must be recreated after each kernel update!}}
{{Note|The additional image, in this case {{ic|intel-ucode}} must not be compressed. Otherwise, the kernel might complain that it can only find garbage in the uncompressed image and fail to boot.}}
+
 
{{ic|intel-ucode.img}} should be a cpio archive, as in this case. It is advised to check whether the archive is compressed after each microcode update, as there is no guarantee that the image will stay non-compressed in the future.
+
{{Note|The order is important. The original image {{ic|initramfs-linux.img}} must be concatenated '''on top''' of the {{ic|''cpu_manufacturer''-ucode.img}} image.}}
In order to check whether {{ic|intel-ucode}} is compressed, you can use the {{ic|file}} command:
+
 
$ file /boot/intel-ucode.img
 
/boot/intel-ucode.img: ASCII cpio archive (SVR4 with no CRC)
 
{{Note|The order is important. The original image {{ic|initramfs-linux}} must be concatenated '''on top''' of the {{ic|intel-ucode}} image.}}
 
 
To merge both images into one image named {{ic|initramfs-merged.img}}, the following command can be used:
 
To merge both images into one image named {{ic|initramfs-merged.img}}, the following command can be used:
 
   
 
   
  # cat /boot/intel-ucode.img /boot/initramfs-linux.img > /boot/initramfs-merged.img
+
  # cat /boot/''cpu_manufacturer''-ucode.img /boot/initramfs-linux.img > /boot/initramfs-merged.img
  
 
Now, edit {{ic|/etc/lilo.conf}} to load the new image.
 
Now, edit {{ic|/etc/lilo.conf}} to load the new image.
  
  [...]
+
  ...
    initrd=/boot/initramfs-merged.img
+
initrd=/boot/initramfs-merged.img
  [...]
+
  ...
  
 
And run {{ic|lilo}} as root:
 
And run {{ic|lilo}} as root:
 
   
 
   
 
  # lilo
 
  # lilo
 +
 +
== Late microcode updates ==
 +
 +
Late loading of microcode updates happens after the system has booted. It uses files in {{ic|/usr/lib/firmware/amd-ucode/}} and {{ic|/usr/lib/firmware/intel-ucode/}}.
 +
 +
For AMD processors the microcode update files are provided by {{Pkg|linux-firmware}}.
 +
 +
For Intel processors no package provides the microcode update files ({{Bug|59841}}). To use late loading you need to manually extract {{ic|intel-ucode/}} from Intel's provided archive.
 +
 +
=== Enabling late microcode updates ===
 +
 +
Unlike early loading, late loading of microcode updates on Arch Linux are enabled by default using {{ic|/usr/lib/tmpfiles.d/linux-firmware.conf}}. After boot the file gets parsed by {{man|8|systemd-tmpfiles-setup.service}} and CPU microcode gets updated.
 +
 +
To manually update the microcode on a running system run:
 +
 +
# echo 1 > /sys/devices/system/cpu/microcode/reload
 +
 +
This allows to apply microcode updates after {{Pkg|linux-firmware}} has updated without rebooting the system. You can even automate it with a [[pacman hook]], e.g.:
 +
 +
{{hc|/etc/pacman.d/hooks/microcode_reload.hook|2=
 +
[Trigger]
 +
Operation = Install
 +
Operation = Upgrade
 +
Operation = Remove
 +
Type = File
 +
Target = usr/lib/firmware/amd-ucode/*
 +
 +
[Action]
 +
Description = Applying CPU microcode updates...
 +
When = PostTransaction
 +
Depends = sh
 +
Exec = /bin/sh -c 'echo 1 > /sys/devices/system/cpu/microcode/reload'
 +
}}
 +
 +
=== Disabling late microcode updates ===
 +
 +
For AMD systems the CPU microcode will get updated even if {{Pkg|amd-ucode}} in not installed since the files are provided by {{Pkg|linux-firmware}} ({{Bug|59840}}). To disable late loading you must override the [[tmpfile]] {{ic|/usr/lib/tmpfiles.d/linux-firmware.conf}}. It can be done by creating a file with the same filename in {{ic|/etc/tmpfiles.d/}}:
 +
 +
# ln -s /dev/null /etc/tmpfiles.d/linux-firmware.conf
  
 
== Verifying that microcode got updated on boot ==
 
== Verifying that microcode got updated on boot ==
  
Use {{ic|/usr/bin/dmesg}} to see if the microcode has been updated:
+
Use ''dmesg'' to see if the microcode has been updated:
  
 
  $ dmesg | grep microcode
 
  $ dmesg | grep microcode
  
On Intel systems one should see something similar to the following, indicating that microcode is updated early:
+
On Intel systems one should see something similar to the following on every boot, indicating that microcode is updated very early on:
  
 
  [    0.000000] CPU0 microcode updated early to revision 0x1b, date = 2014-05-29
 
  [    0.000000] CPU0 microcode updated early to revision 0x1b, date = 2014-05-29
Line 131: Line 181:
 
  [    0.507296] microcode: CPU6 sig=0x306a9, pf=0x2, revision=0x1b
 
  [    0.507296] microcode: CPU6 sig=0x306a9, pf=0x2, revision=0x1b
 
  [    0.507300] microcode: CPU7 sig=0x306a9, pf=0x2, revision=0x1b
 
  [    0.507300] microcode: CPU7 sig=0x306a9, pf=0x2, revision=0x1b
  [    0.507335] microcode: Microcode Update Driver: v2.00 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
+
  [    0.507335] microcode: Microcode Update Driver: v2.2.
 +
 
 +
{{Note|The date displayed does not correspond to the version of the {{Pkg|intel-ucode}} package installed. It does show the last time Intel updated the microcode that corresponds to the specific hardware being updated.}}
  
 
It is entirely possible, particularly with newer hardware, that there is no microcode update for the CPU. In that case, the output may look like this:
 
It is entirely possible, particularly with newer hardware, that there is no microcode update for the CPU. In that case, the output may look like this:
Line 139: Line 191:
 
  [    0.292906] microcode: CPU2 sig=0x306c3, pf=0x2, revision=0x1c
 
  [    0.292906] microcode: CPU2 sig=0x306c3, pf=0x2, revision=0x1c
 
  [    0.292912] microcode: CPU3 sig=0x306c3, pf=0x2, revision=0x1c
 
  [    0.292912] microcode: CPU3 sig=0x306c3, pf=0x2, revision=0x1c
  [    0.292956] microcode: Microcode Update Driver: v2.00 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
+
  [    0.292956] microcode: Microcode Update Driver: v2.2.
  
On AMD systems microcode is updated a bit later in the boot process, so the output would look something like this:
+
On AMD systems using early loading the output would look something like this:
  
  [    0.807879] microcode: CPU0: patch_level=0x01000098
+
  [    2.119089] microcode: microcode updated early to new patch_level=0x0700010f
  [    0.807888] microcode: CPU1: patch_level=0x01000098
+
[    2.119157] microcode: CPU0: patch_level=0x0700010f
  [    0.807983] microcode: Microcode Update Driver: v2.00 <tigran@aivazian.fsnet.co.uk>, Peter Oruba
+
  [    2.119171] microcode: CPU1: patch_level=0x0700010f
  [   16.150642] microcode: CPU0: new patch_level=0x010000c7
+
  [    2.119183] microcode: CPU2: patch_level=0x0700010f
  [   16.150682] microcode: CPU1: new patch_level=0x010000c7
+
  [   2.119189] microcode: CPU3: patch_level=0x0700010f
 +
  [   2.119269] microcode: Microcode Update Driver: v2.2.
  
{{Note|The date displayed does not correspond to the version of the {{Pkg|intel-ucode}} package installed. It does show the last time Intel updated the microcode that corresponds to the specific hardware being updated.}}
+
On AMD systems using late loading the output will show the version of the old microcode before reloading the microcode and the new one once it is reloaded. It would look something like this:
 +
 
 +
[    2.112919] microcode: CPU0: patch_level=0x0700010b
 +
[    2.112931] microcode: CPU1: patch_level=0x0700010b
 +
[    2.112940] microcode: CPU2: patch_level=0x0700010b
 +
[    2.112951] microcode: CPU3: patch_level=0x0700010b
 +
[    2.113043] microcode: Microcode Update Driver: v2.2.
 +
[    6.429109] microcode: CPU2: new patch_level=0x0700010f
 +
[    6.430416] microcode: CPU0: new patch_level=0x0700010f
 +
[    6.431722] microcode: CPU1: new patch_level=0x0700010f
 +
[    6.433029] microcode: CPU3: new patch_level=0x0700010f
 +
[    6.433073] x86/CPU: CPU features have changed after loading microcode, but might not take effect.
  
 
== Which CPUs accept microcode updates ==
 
== Which CPUs accept microcode updates ==
Line 156: Line 220:
  
 
* [http://www.amd64.org/microcode.html AMD's Operating System Research Center].
 
* [http://www.amd64.org/microcode.html AMD's Operating System Research Center].
* [https://downloadcenter.intel.com/download/26798/Linux-Processor-Microcode-Data-File Intel's download center].
+
* [https://downloadcenter.intel.com/SearchResult.aspx?lang=eng&keyword=processor%20microcode%20data%20file Intel's download center].
  
 
=== Detecting available microcode update ===
 
=== Detecting available microcode update ===
  
It is possible to find out if the {{ic|intel-ucode.img}} contains a microcode image for the running CPU with {{AUR|iucode-tool}}.
+
It is possible to find out if the {{ic|intel-ucode.img}} contains a microcode image for the running CPU with {{Pkg|iucode-tool}}.
  
* Install {{Pkg|intel-ucode}} (changing initrd is not required for detection)
+
# Install {{Pkg|intel-ucode}} (changing initrd is not required for detection)
* Install {{AUR|iucode-tool}} from the [[AUR]]
+
# Install {{Pkg|iucode-tool}}
* {{ic|# modprobe cpuid}}
+
# {{bc|# modprobe cpuid}}
* {{ic|<nowiki># bsdtar -Oxf /boot/intel-ucode.img | iucode_tool -tb -lS - </nowiki>}}
+
# Extract microcode image and search it for your cpuid:<br/>{{bc|# bsdtar -Oxf /boot/intel-ucode.img {{!}} iucode_tool -tb -lS -}}
:(extract microcode image and search it for your cpuid)
+
# If an update is available, it should show up below ''selected microcodes''
* If an update is available, it should show up below ''selected microcodes''
+
# The microcode might already be in your vendor bios and not show up loading in dmesg. Compare to the current microcode running {{ic|grep microcode /proc/cpuinfo}}
* The microcode might already be in your vendor bios and not show up loading in dmesg. Compare to the current microcode running {{ic|grep microcode /proc/cpuinfo}}
 
  
== Enabling Intel early microcode loading in custom kernels ==
+
== Enabling early microcode loading in custom kernels ==
  
In order for early loading to work in custom kernels, "CPU microcode loading support" needs to be compiled into the kernel, NOT compiled as a module. This will enable the "Early load microcode" prompt which should be set to "Y".
+
In order for early loading to work in custom kernels, "CPU microcode loading support" needs to be compiled into the kernel, '''not''' compiled as a module. This will enable the "Early load microcode" prompt which should be set to {{ic|Y}}.
  
 
  CONFIG_BLK_DEV_INITRD=Y
 
  CONFIG_BLK_DEV_INITRD=Y
 
  CONFIG_MICROCODE=y
 
  CONFIG_MICROCODE=y
 
  CONFIG_MICROCODE_INTEL=Y
 
  CONFIG_MICROCODE_INTEL=Y
 +
CONFIG_MICROCODE_AMD=y
  
 
== See also ==
 
== See also ==
  
* [https://flossexperiences.wordpress.com/2013/11/17/updating-microcodes/ Updating microcodes]
+
* [https://flossexperiences.wordpress.com/2013/11/17/updating-microcodes/ Updating microcodes – Experiences in the community]
* [http://inertiawar.com/microcode/ Notes on Intel Microcode updates]
+
* [http://inertiawar.com/microcode/ Notes on Intel Microcode updates – Ben Hawkes]
* [https://www.kernel.org/doc/Documentation/x86/early-microcode.txt Kernel early microcode]
+
* [https://www.kernel.org/doc/Documentation/x86/microcode.txt Kernel microcode loader – kernel documentation]
* [http://www.anandtech.com/show/8376/intel-disables-tsx-instructions-erratum-found-in-haswell-haswelleep-broadwelly Erratum found in Haswell/Broadwell]
+
* [http://www.anandtech.com/show/8376/intel-disables-tsx-instructions-erratum-found-in-haswell-haswelleep-broadwelly Erratum found in Haswell/Broadwell – AnandTech]
* [https://gitlab.com/iucode-tool/iucode-tool Technical details]
+
* [https://gitlab.com/iucode-tool/iucode-tool iucode-tool GitLab project]

Latest revision as of 15:17, 29 November 2018

Processor manufacturers release stability and security updates to the processor microcode. While microcode can be updated through the BIOS, the Linux kernel is also able to apply these updates during boot. These updates provide bug fixes that can be critical to the stability of your system. Without these updates, you may experience spurious crashes or unexpected system halts that can be difficult to track down.

Users of CPUs belonging to the Intel Haswell and Broadwell processor families in particular must install these microcode updates to ensure system stability. But all users should install the updates as a matter of course.

Installation

For AMD processors, install the amd-ucode package.

For Intel processors, install the intel-ucode package.

If your Arch installation is on a removable drive that needs to have microcode for both manufacturer processors, install both of the packages.

Enabling early microcode updates

Microcode must be loaded by the boot loader. Because of the wide variability in users' early-boot configuration, microcode updates may not be triggered automatically by Arch's default configuration. Many AUR kernels have followed the path of the official Arch kernels in this regard.

These updates must be enabled by adding /boot/amd-ucode.img or /boot/intel-ucode.img as the first initrd in the bootloader config file. This is in addition to the normal initrd file. See below for instructions for common bootloaders.

Note: In the following sections replace cpu_manufacturer with your CPU manufacturer, i.e. amd or intel.
Tip: For Arch Linux on a removable drive add both microcode files as initrd to the boot loader configuration. Their order does not matter as long as they both are specified before the real initramfs image.

GRUB

Automatic method

grub-mkconfig will automatically detect the microcode update and configure GRUB appropriately. After installing the microcode package, regenerate the GRUB config to activate loading the microcode update by running:

# grub-mkconfig -o /boot/grub/grub.cfg

Manual method

Alternatively, users that manage their GRUB config file manually can add /boot/cpu_manufacturer-ucode.img (or /cpu_manufacturer-ucode.img if /boot is a separate partition) as follows:

/boot/grub/grub.cfg
...
echo 'Loading initial ramdisk'
initrd	/boot/cpu_manufacturer-ucode.img /boot/initramfs-linux.img
...

Repeat it for each menu entry.

systemd-boot

Use the initrd option to load the microcode, before the initial ramdisk, as follows:

/boot/loader/entries/entry.conf
title   Arch Linux
linux   /vmlinuz-linux
initrd  /cpu_manufacturer-ucode.img
initrd  /initramfs-linux.img
...

The latest microcode cpu_manufacturer-ucode.img must be available at boot time in your EFI system partition (ESP). The ESP must be mounted as /boot in order to have the microcode updated every time amd-ucode or intel-ucode is updated. Otherwise, copy /boot/cpu_manufacturer-ucode.img to your ESP at every update of the microcode package.

EFI boot stub / EFI handover

Append two initrd= options:

initrd=/cpu_manufacturer-ucode.img initrd=/initramfs-linux.img

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: What does this do, why isn't the above enough and why/how is it specific to this particular section? (Discuss in Talk:Microcode#Addition in EFI Boot stub)

For kernels that have been generated as a single file containing all initrd, cmdline and kernel, first generate the initrd to integrate by creating a new one as follows:

cat /boot/cpu_manufacturer-ucode.img /boot/initramfs-linux.img > my_new_initrd
objcopy ... --add-section .initrd=my_new_initrd

rEFInd

Edit boot options in /boot/refind_linux.conf as per EFI boot stub above, example:

"Boot with standard options" "rw root=UUID=(...) initrd=/boot/cpu_manufacturer-ucode.img initrd=/boot/initramfs-linux.img"

Users employing manual stanzas in esp/EFI/refind/refind.conf to define the kernels should simply add initrd=/boot/cpu_manufacturer-ucode.img (or /cpu_manufacturer-ucode.img if /boot is a separate partition) as required to the options line, and not in the main part of the stanza. E.g.:

options  "root=root=UUID=(...) rw add_efi_memmap initrd=/boot/cpu_manufacturer-ucode.img"

Syslinux

Note: There must be no spaces between the cpu_manufacturer-ucode.img and initramfs-linux.img initrd files. The INITRD line must be exactly as illustrated below.

Multiple initrd's can be separated by commas in /boot/syslinux/syslinux.cfg:

LABEL arch
    MENU LABEL Arch Linux
    LINUX ../vmlinuz-linux
    INITRD ../cpu_manufacturer-ucode.img,../initramfs-linux.img
...

LILO

LILO and potentially other old bootloaders do not support multiple initrd images. In that case, cpu_manufacturer-ucode.img and initramfs-linux.img will have to be merged into one image.

Warning: The merged image must be recreated after each kernel update!
Note: The order is important. The original image initramfs-linux.img must be concatenated on top of the cpu_manufacturer-ucode.img image.

To merge both images into one image named initramfs-merged.img, the following command can be used:

# cat /boot/cpu_manufacturer-ucode.img /boot/initramfs-linux.img > /boot/initramfs-merged.img

Now, edit /etc/lilo.conf to load the new image.

...
initrd=/boot/initramfs-merged.img
...

And run lilo as root:

# lilo

Late microcode updates

Late loading of microcode updates happens after the system has booted. It uses files in /usr/lib/firmware/amd-ucode/ and /usr/lib/firmware/intel-ucode/.

For AMD processors the microcode update files are provided by linux-firmware.

For Intel processors no package provides the microcode update files (FS#59841). To use late loading you need to manually extract intel-ucode/ from Intel's provided archive.

Enabling late microcode updates

Unlike early loading, late loading of microcode updates on Arch Linux are enabled by default using /usr/lib/tmpfiles.d/linux-firmware.conf. After boot the file gets parsed by systemd-tmpfiles-setup.service(8) and CPU microcode gets updated.

To manually update the microcode on a running system run:

# echo 1 > /sys/devices/system/cpu/microcode/reload

This allows to apply microcode updates after linux-firmware has updated without rebooting the system. You can even automate it with a pacman hook, e.g.:

/etc/pacman.d/hooks/microcode_reload.hook
[Trigger]
Operation = Install
Operation = Upgrade
Operation = Remove
Type = File
Target = usr/lib/firmware/amd-ucode/*

[Action]
Description = Applying CPU microcode updates...
When = PostTransaction
Depends = sh
Exec = /bin/sh -c 'echo 1 > /sys/devices/system/cpu/microcode/reload'

Disabling late microcode updates

For AMD systems the CPU microcode will get updated even if amd-ucode in not installed since the files are provided by linux-firmware (FS#59840). To disable late loading you must override the tmpfile /usr/lib/tmpfiles.d/linux-firmware.conf. It can be done by creating a file with the same filename in /etc/tmpfiles.d/:

# ln -s /dev/null /etc/tmpfiles.d/linux-firmware.conf

Verifying that microcode got updated on boot

Use dmesg to see if the microcode has been updated:

$ dmesg | grep microcode

On Intel systems one should see something similar to the following on every boot, indicating that microcode is updated very early on:

[    0.000000] CPU0 microcode updated early to revision 0x1b, date = 2014-05-29
[    0.221951] CPU1 microcode updated early to revision 0x1b, date = 2014-05-29
[    0.242064] CPU2 microcode updated early to revision 0x1b, date = 2014-05-29
[    0.262349] CPU3 microcode updated early to revision 0x1b, date = 2014-05-29
[    0.507267] microcode: CPU0 sig=0x306a9, pf=0x2, revision=0x1b
[    0.507272] microcode: CPU1 sig=0x306a9, pf=0x2, revision=0x1b
[    0.507276] microcode: CPU2 sig=0x306a9, pf=0x2, revision=0x1b
[    0.507281] microcode: CPU3 sig=0x306a9, pf=0x2, revision=0x1b
[    0.507286] microcode: CPU4 sig=0x306a9, pf=0x2, revision=0x1b
[    0.507292] microcode: CPU5 sig=0x306a9, pf=0x2, revision=0x1b
[    0.507296] microcode: CPU6 sig=0x306a9, pf=0x2, revision=0x1b
[    0.507300] microcode: CPU7 sig=0x306a9, pf=0x2, revision=0x1b
[    0.507335] microcode: Microcode Update Driver: v2.2.
Note: The date displayed does not correspond to the version of the intel-ucode package installed. It does show the last time Intel updated the microcode that corresponds to the specific hardware being updated.

It is entirely possible, particularly with newer hardware, that there is no microcode update for the CPU. In that case, the output may look like this:

[    0.292893] microcode: CPU0 sig=0x306c3, pf=0x2, revision=0x1c
[    0.292899] microcode: CPU1 sig=0x306c3, pf=0x2, revision=0x1c
[    0.292906] microcode: CPU2 sig=0x306c3, pf=0x2, revision=0x1c
[    0.292912] microcode: CPU3 sig=0x306c3, pf=0x2, revision=0x1c
[    0.292956] microcode: Microcode Update Driver: v2.2.

On AMD systems using early loading the output would look something like this:

[    2.119089] microcode: microcode updated early to new patch_level=0x0700010f
[    2.119157] microcode: CPU0: patch_level=0x0700010f
[    2.119171] microcode: CPU1: patch_level=0x0700010f
[    2.119183] microcode: CPU2: patch_level=0x0700010f
[    2.119189] microcode: CPU3: patch_level=0x0700010f
[    2.119269] microcode: Microcode Update Driver: v2.2.

On AMD systems using late loading the output will show the version of the old microcode before reloading the microcode and the new one once it is reloaded. It would look something like this:

[    2.112919] microcode: CPU0: patch_level=0x0700010b
[    2.112931] microcode: CPU1: patch_level=0x0700010b
[    2.112940] microcode: CPU2: patch_level=0x0700010b
[    2.112951] microcode: CPU3: patch_level=0x0700010b
[    2.113043] microcode: Microcode Update Driver: v2.2.
[    6.429109] microcode: CPU2: new patch_level=0x0700010f
[    6.430416] microcode: CPU0: new patch_level=0x0700010f
[    6.431722] microcode: CPU1: new patch_level=0x0700010f
[    6.433029] microcode: CPU3: new patch_level=0x0700010f
[    6.433073] x86/CPU: CPU features have changed after loading microcode, but might not take effect.

Which CPUs accept microcode updates

Users may consult either Intel or AMD at the following links to see if a particular model is supported:

Detecting available microcode update

It is possible to find out if the intel-ucode.img contains a microcode image for the running CPU with iucode-tool.

  1. Install intel-ucode (changing initrd is not required for detection)
  2. Install iucode-tool
  3. # modprobe cpuid
  4. Extract microcode image and search it for your cpuid:
    # bsdtar -Oxf /boot/intel-ucode.img | iucode_tool -tb -lS -
  5. If an update is available, it should show up below selected microcodes
  6. The microcode might already be in your vendor bios and not show up loading in dmesg. Compare to the current microcode running grep microcode /proc/cpuinfo

Enabling early microcode loading in custom kernels

In order for early loading to work in custom kernels, "CPU microcode loading support" needs to be compiled into the kernel, not compiled as a module. This will enable the "Early load microcode" prompt which should be set to Y.

CONFIG_BLK_DEV_INITRD=Y
CONFIG_MICROCODE=y
CONFIG_MICROCODE_INTEL=Y
CONFIG_MICROCODE_AMD=y

See also