Update AMD/Intel microcode

Should I update my CPU microcode or not? How is it done? Is it necessary for amd64 architecture (AMD or Intel)? Is it dangerous? These questions are discussed in this blog post.


How do you install or update microcode firmware for Intel/AMD CPUs on Linux from the command line? And should you do it at all?

What are microcodes

Microcode is CPU firmware provided by AMD or Intel. The Linux kernel can update the CPU's firmware at boot time without a BIOS update. Processor microcode is stored in RAM, and the kernel updates the microcode during every boot. These microcode updates from AMD or Intel are needed to fix bugs or apply errata to avoid CPU bugs. This page shows how to install AMD or Intel microcode updates on Linux using the package manager or the processor microcode updates supplied by Intel.

The BIOS (or UEFI) updates the CPU microcode during boot. However, most of the time either the motherboard vendor won't issue frequent BIOS/UEFI updates, or the user won't install such updates. For these reasons, the system processor is likely to be running with outdated microcode on a vast number of systems.

Microcodes don't fix everything.

There are other issues that require more than just fixing the microcode, such as the old L1TF issue CVE-2018-3646. Please see this link.

What is the current status

To find out the current status of your microcode, run the following dmesg command as root or with sudo/doas: dmesg | grep microcode

If I want to Update

It is recommended that you check your system's vendor support site for BIOS/UEFI updates for your system and apply those. By ensuring the computer's BIOS/UEFI is up-to-date, you will reduce the chances of problems with the microcode update (which are very low, but not zero) and also fix other firmware bugs unrelated to microcode. Some computers offer this feature in the UEFI setup menu; others need an installed command to do it.

By default, the intel-microcode or amd64-microcode package may not be installed on your system. One reason is that it is a non-free package. Another reason is that it may potentially brick your box by rendering it unbootable. It rarely happens, but it has happened to me a few times.

Install the command

On Debian, it is not installed by default because it is a non-free-firmware package.

To install the microcode update packages from the latest point-release, enable contrib and non-free in /etc/apt/sources.list if they're not already enabled, for example:

# non-free-firmware
deb http://deb.debian.org/debian bookworm main non-free-firmware
deb http://security.debian.org/debian-security bookworm-security main non-free-firmware
deb http://deb.debian.org/debian bookworm-updates main non-free-firmware

Older versions use main contrib non-free

Another way is to use deb http://ftp.de.debian.org/debian bookworm main non-free-firmware and switch .de. to your country designation (us, uk, sv, fi ...) according to the Debian documentation.

# non-free-firmware
deb http://ftp.de.debian.org/debian bookworm main non-free-firmware

Then install by
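
As an added example (not from the original post), the script below picks the package for the CPU vendor listed in /proc/cpuinfo, shows the loaded revision, and prints the install command. The function names and the sample cpuinfo text are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): pick the Debian microcode package
# from the CPU vendor and show the revision currently loaded.
# Both lookups read /proc/cpuinfo by default; a path argument allows offline use.

# Print the package name matching the vendor_id field.
microcode_package() {
    vendor=$(awk -F': *' '/^vendor_id/ {print $2; exit}' "${1:-/proc/cpuinfo}")
    case "$vendor" in
        GenuineIntel) echo intel-microcode ;;
        AuthenticAMD) echo amd64-microcode ;;
        *) echo "no microcode package known for vendor: ${vendor:-unknown}" >&2
           return 1 ;;
    esac
}

# Print the microcode revision reported for the first logical CPU.
microcode_revision() {
    awk -F': *' '/^microcode/ {print $2; exit}' "${1:-/proc/cpuinfo}"
}

# Constructed sample input (not taken from a real machine).
sample_cpuinfo() {
    printf 'processor\t: 0\nvendor_id\t: AuthenticAMD\nmodel name\t: Sample CPU\nmicrocode\t: 0xa20120a\n'
}

# Print the install command for a cpuinfo file. Run the printed line as root,
# then reboot so the new microcode is loaded during the next boot.
install_command() {
    pkg=$(microcode_package "$1") || return 1
    echo "apt update && apt install $pkg"
}

# Demonstration on the constructed sample; call install_command with no
# argument to evaluate the running system instead.
tmp=$(mktemp)
sample_cpuinfo > "$tmp"
echo "revision: $(microcode_revision "$tmp")"
install_command "$tmp"
rm -f "$tmp"
```

After the reboot, compare the revision with the earlier dmesg | grep microcode output to confirm the update was applied.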


Working around boot problems caused by microcode updates

The full recovery procedure, including step-by-step instructions for Grub2, is described in the intel-microcode package's README.Debian file. The same procedure also works for amd64-microcode: just replace intel-microcode with amd64-microcode in the README.Debian instructions.


References

Microcode [1] Intel [2]


  1. Microcode ArchWiki, Wikipedia, Debian intel-microcode README, wiki

  2. Intel Microcode Update Points