CPU Microcode

Processor microcode is akin to processor firmware. The kernel is able to update the processor's firmware without the need to update it via a BIOS update.

Processors from Intel and AMD may need updates to their microcode to operate correctly. These updates fix bugs/errata that can cause anything from incorrect processing, to code and data corruption, and system lockups.

It is very difficult to know for sure whether you need a microcode update or not, but it is not safe at all to just ignore them. You might not notice their effect and have precious data silently corrupted, or an important program silently misbehave. Or you could experience one of those unexplainable and infrequent software issues (such as kernel oops, application segfaults) or hardware issues (including sudden reboots and hangs).

Releases of new microcode updates are more frequent for young processors, but new microcode updates for older processors do happen.

The BIOS (or UEFI) updates the CPU microcode during boot. However, most of the time either the motherboard vendor won't issue frequent BIOS/UEFI updates, or the user won't install such updates. For these reasons, the system processor is likely to be running with outdated microcode on a vast number of systems.

Updating CPU microcode within Debian (Intel or AMD)

Note: before you install the microcode update packages in a computer for the first time, it is recommended that you check your system's vendor support site for BIOS/UEFI updates for your system and apply those. By ensuring the computer's BIOS/UEFI is up-to-date, you will reduce the chances of problems with the microcode update (which are very low, but not zero) and also fix other firmware bugs unrelated to microcode.

Please install the amd64-microcode package (for systems with AMD AMD64 processors), or the intel-microcode package (for systems with Intel processors). You will have to enable both contrib and non-free in /etc/apt/sources.list.

Microcode updates are only applied at boot, so you have to reboot to activate them. You will have to keep the packages installed as explained above: the microcode updates have to be reapplied at every boot.

Microcode update support for current and older Debian releases

Debian 7 "Wheezy" (oldoldstable)

Debian 7, codename "Wheezy", is no longer supported, and will no longer receive newer microcode updates barring exceptional circumstances.

Debian 8 "Jessie" (oldstable)

Debian 8, codename "Jessie", is supported, and will receive updates both through the jessie-backports-sloppy official backports repository (faster than point-releases), and through Debian oldstable point-releases.

To install the microcode update packages from the latest point-release, enable contrib and non-free in /etc/apt/sources.list if they're not already enabled, for example:

deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free
deb  http://deb.debian.org/debian jessie main contrib non-free
deb-src  http://deb.debian.org/debian jessie main contrib non-free

After modifying /etc/apt/sources.list, update the package lists in your package manager, and install the amd64-microcode package (AMD processors) or the intel-microcode package (Intel processors). For example:

apt-get update
apt-get install amd64-microcode

or

apt-get update
apt-get install intel-microcode

To enable and use jessie-backports or jessie-backports-sloppy, consult the official backports repository instructions.

Debian 9 "Stretch" (stable)

Debian 9, codename "Stretch", is supported, and will receive updates both through the stretch-backports official backports repository (faster than point-releases), and through Debian stable point-releases.

To install the microcode update packages from the latest point-release, enable contrib and non-free in /etc/apt/sources.list if they're not already enabled, for example:

deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://security.debian.org/ stretch/updates main contrib non-free
deb  http://deb.debian.org/debian stretch main contrib non-free
deb-src  http://deb.debian.org/debian stretch main contrib non-free

After modifying /etc/apt/sources.list, update the package lists in your package manager, and install the amd64-microcode package (AMD processors) or the intel-microcode package (Intel processors). For example:

apt-get update
apt-get install amd64-microcode

or

apt-get update
apt-get install intel-microcode

To enable and use stretch-backports, consult the official backports repository instructions.

Debian testing and Debian unstable

Ensure contrib and non-free are enabled in /etc/apt/sources.list, and install the packages.

Checking the microcode version of your CPU

You can check which version of the microcode your processors are running by looking for "microcode" lines in /proc/cpuinfo.

You can check if the kernel updated the microcode on boot by looking for "microcode updated early to" lines in the kernel log:

dmesg | grep "microcode updated early to"
journalctl -b -k | grep "microcode updated early to"
zgrep "microcode updated early to" /var/log/kern.log*

Working around boot problems caused by microcode updates

Very rarely, it is possible for a kernel or a microcode update bug to cause boot issues (hangs or resets at the very beginning of the boot process) on specific processor models.

For this reason, it is possible to pass a kernel command line parameter that skips the microcode update process entirely. The parameter to disable microcode loading is dis_ucode_ldr.

This dis_ucode_ldr parameter must be set in the boot loader, typically Grub2.

The full recovery procedure, including step-by-step instructions for Grub2, is described in the intel-microcode package's README.Debian file. The same procedure also works for amd64-microcode; just replace intel-microcode with amd64-microcode in the README.Debian instructions.
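
The two checks described above (the "microcode" lines in /proc/cpuinfo and the dis_ucode_ldr boot parameter) can be combined into one audit script. This is an added example, not part of the original page or of the Debian packages; the function names are hypothetical and the sample files are constructed so that it runs on any machine. Called without arguments, the functions read /proc/cpuinfo and /proc/cmdline.

```shell
#!/bin/sh
# Added example (not from the Debian wiki). Function names are hypothetical.

# Print "<count> <revision>" per distinct microcode revision found in a
# cpuinfo-format file (default /proc/cpuinfo).
ucode_revisions() {
    awk -F': *' '/^microcode[ \t]*:/ { n[$2]++ }
        END { for (r in n) print n[r], r }' "${1:-/proc/cpuinfo}" | sort -k2
}

# Succeed if the kernel command line (default /proc/cmdline) carries the
# dis_ucode_ldr parameter as a whole word, i.e. microcode loading is skipped.
ucode_loader_disabled() {
    tr ' ' '\n' < "${1:-/proc/cmdline}" | grep -qx 'dis_ucode_ldr'
}

# Print one status word: "disabled" (loader skipped at boot), "none" (no
# microcode lines present), "mixed" (logical CPUs report different
# revisions) or "consistent" (every logical CPU reports the same revision).
ucode_status() {
    if ucode_loader_disabled "$2"; then echo disabled; return; fi
    distinct=$(ucode_revisions "$1" | awk 'END { print NR }')
    case $distinct in
        0) echo none ;;
        1) echo consistent ;;
        *) echo mixed ;;
    esac
}

# Constructed sample data so the example runs anywhere.
tmp=$(mktemp -d)
printf 'processor\t: 0\nmicrocode\t: 0xf0\nprocessor\t: 1\nmicrocode\t: 0xf0\n' > "$tmp/ok"
printf 'processor\t: 0\nmicrocode\t: 0xf0\nprocessor\t: 1\nmicrocode\t: 0xea\n' > "$tmp/mixed"
echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet' > "$tmp/cmd_normal"
echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro dis_ucode_ldr' > "$tmp/cmd_skip"

echo "same revision everywhere: $(ucode_status "$tmp/ok" "$tmp/cmd_normal")"
echo "differing revisions:      $(ucode_status "$tmp/mixed" "$tmp/cmd_normal")"
echo "loader disabled at boot:  $(ucode_status "$tmp/ok" "$tmp/cmd_skip")"
```

A "disabled" result on a machine that is no longer being recovered means dis_ucode_ldr was left in the boot loader configuration and the installed microcode package is not being applied.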
