intel-microcode for Debian -------------------------- Introduction: IntelĀ® 64 and IA-32 processors (x86_64 and i686 processors) are capable of field-upgrading their control program (microcode). These microcode updates correct processor errata, and are often important for safe, correct system operation. While most of the microcode updates fix problems that happen extremely rarely, there are enough updates fixing issues that would cause system lockup, memory corruption, or unpredictable system behavior, to warrant taking it seriously. Microcode updates are ephemeral: they will be lost after a processor hard reset or after the processor is powered off. They must be reapplied at every boot and after the system wakes up from suspend to RAM or disk. Updating the processor microcode is the responsibility of the system firmware (BIOS or EFI). However, not all vendors will release timely updates for their firmware when Intel releases updated microcode, and most users don't update their system firmware in a timely fashion (or at all) anyway. The end result is that, unless some other method of distributing microcode updates is in place, the processor in many systems will be running with outdated microcode, increasing the chances of incorrect system operation. Safely updating the system processor microcode: 1. install the initramfs-tools, iucode-tool and intel-microcode packages; 2. configure the system to use a initramfs created by initramfs-tools during boot (Debian kernels do this by default); NOTE: if you're compiling your own kernel, you must use Linux v3.10 or later, and you must make sure early microcode update support is compiled in (see below). 3. make sure the initramfs for the kernel you will use was updated (it should have been done automatically for the default boot kernel, at least for Debian kernels), using update-initramfs -u, and possibly update-initramfs -u -k 4. reboot. Triggering an immediate microcode update (without a reboot): **** WARNING **** **** WARNING **** **** WARNING **** **** WARNING **** This procedure used to be safe before microcode update 20140913. It is not safe anymore in the general case. While it is likely to continue to be safe for the Intel micro- architectures that preceded Haswell and Silvermont, this is not in any way assured. You have been warned. Do not do this unless you really know what you are doing. **** WARNING **** **** WARNING **** **** WARNING **** **** WARNING **** The microcode kernel module will attempt to apply a microcode update when loaded by "modprobe". If the module is already loaded or compiled-in, run this command (as root): echo -n 1 >/sys/devices/system/cpu/microcode/reload Alternatively, run the commands (as root): rmmod microcode ; modprobe microcode For kernels before Linux v3.6, refer to the iucode_tool(8) manpage. Microcode update details: Debian can apply microcode updates to the system processors during the operating system boot, with the help of the intel-microcode and iucode-tool packages. For safety reasons, this requires Linux v3.10 or above and the use of the "early microcode update" driver. This greatly reduces the chances of system malfunction due to any issues that are corrected by the microcode update. In some cases, early microcode updates will allow the kernel to sidestep the need to disable functionality, as an example, there's the "Atom PSE erratum". In other cases, it will be the only safe way to apply a microcode update. For example, the Intel TSX erratum in Intel Haswell processors, where applying the microcode update will crash anything that might be using Intel TSX at the time the microcode update is applied. The early microcode update requires both kernel support and that the iucode-tool package to be installed to work. It also requires the use of an initramfs built by "update-initramfs -u". The kernel must be compiled with kconfig options CONFIG_MICROCODE_EARLY=y and CONFIG_MICROCODE_INTEL_EARLY=y. For Linux v3.9 and earlier kernels, the early microcode update functionality is either not available, or buggy. These kernels are not supported anymore by this branch of the intel-microcode package, please use the 1.* branch of intel-microcode. When the iucode-tool package is installed, the initramfs helpers will attempt to restrict the number of microcodes added to the initramfs to the bare minimum. This behavior can be changed and fine-tuned through the /etc/default/intel-microcode file. Also, when iucode-tool is installed, microcode from files matching /usr/share/misc/intel-microcode* will be considered. This allows the easy use of microcode.dat files distributed directly by Intel. Be careful to not leave old files there, or you may end up using microcode that Intel stopped distributing on purpose for unknown reasons. Downloading new microcode data from Intel: A new version of the microcode bundle can be downloaded directly from Intel, either by navigating to the support section looking for downloads for your processor, or through one of these RSS feeds: http://feeds.downloadcenter.intel.com/rss/?p=483&lang=eng http://feeds.downloadcenter.intel.com/rss/?p=2371&lang=eng To manually install the downloaded microcode bundle, unpack the archive you got from Intel and copy the microcode-*.dat file from the archive to /usr/share/misc/intel-microcode.dat. You should make sure the microcode data file is owned by root, and that it can only be written to by root (e.g. mode 0644) for security reasons: chown root:root /usr/share/misc/intel-microcode.dat chmod 0644 /usr/share/misc/intel-microcode.dat After you install the updated intel-microcode.dat file, run as root: modprobe cpuid iucode_tool --scan-system --write-firmware /usr/share/misc/intel-microcode.dat update-initramfs -u * Note: Intel is a registered trademark of Intel Corporation. -- Henrique de Moraes Holschuh Tue, 09 Oct 2014 10:45:09 -0300