Translation(s): English - Fran├žais


CPU Microcode

Processor microcode is akin to processor firmware. The kernel is able to update the processor's firmware without the need to update it via a BIOS update. A microcode update is kept in volatile memory, thus the BIOS/UEFI or kernel updates the microcode during every boot.

Processors from Intel and AMD may need updates to their microcode to operate correctly. These updates fix bugs/errata that can cause anything from incorrect processing, to code and data corruption, and system lockups.

It is very difficult to know for sure whether you need a microcode update or not, but it is not safe at all to just ignore them. You might not notice their effect and have precious data silently corrupted, or an important program silently misbehave. Or you could experience one of those unexplainable and infrequent software issues (such as kernel oops, application segfaults) or hardware issues (including sudden reboots and hangs).

Releases of new microcode updates are more frequent on young processors, but the release of new microcode updates for older processors do happen.

The BIOS (or UEFI) updates the CPU microcode during boot, however most of the time either the motherboard vendor won't issue frequent BIOS/UEFI updates, or the user won't install such updates. For these reasons, the system processor is likely to be running with outdated microcode on a vast number of systems.

CPU microcode non-freeness

The CPU microcode update system is composed of software (kernel drivers, user-space utilities), and CPU-vendor-provided "opaque" update data.

The kernel drivers and user-space utilities related to CPU microcode updates are free software, compliant to the Debian Free Software Guidelines.

The CPU-vendor-provided "opaque" update data itself, however, is non-free, and its contents are unknown to Debian. This "opaque" data is sent as-is to the CPU for processing, but only when the kernel and user-space utilities deem it necessary to do so. This means the microcode update is not sent to the system processor unless it is actually needed.

For example, the system will never send microcode update data to the processor when the processor reports that its already running either the same version or a newer version of the microcode (because the UEFI/BIOS already updated it). It will also not send microcode update data that is not appropriate to that system processor.

Updating CPU microcode within Debian (Intel or AMD)

Note: before you install the microcode update packages in a computer for the first time, it is recommended that you check your system's vendor support site for BIOS/UEFI updates for your system and apply those. By ensuring the computer's BIOS/UEFI is up-to-date, you will reduce the chances of problems with the microcode update (which are very low, but not zero) and also fix other firmware bugs unrelated to microcode.

Please install the amd64-microcode package (for systems with AMD AMD64 processors), or the intel-microcode package (for systems with Intel processors). You will have to enable both contrib and non-free in /etc/apt/sources.list.

Microcode updates are only applied at boot, so you have to reboot to activate them. You will have to keep the packages installed as explained above: the microcode updates have to be reapplied at every boot.

Microcode update support for current and older Debian releases

Debian 7 "Wheezy" (oldoldstable)

Debian 7, codename "Wheezy", is no longer officially supported for microcode updates, and will no longer receive newer microcode updates.

Debian 8 "Jessie" (oldstable)

Debian 8, codename "Jessie", is supported, and will receive updates both through the jessie-backports-sloppy official backports repository (faster than point-releases), and through Debian oldstable point-releases.

To install the microcode update packages from the latest point-release, enable contrib and non-free in /etc/apt/sources.list if they're not already enabled, for example:

deb http://security.debian.org/ jessie/updates main contrib non-free
deb-src http://security.debian.org/ jessie/updates main contrib non-free
deb  http://deb.debian.org/debian jessie main contrib non-free
deb-src  http://deb.debian.org/debian jessie main contrib non-free

After modifying /etc/apt/sources.list, update the package lists in your package manager, and install package amd64-microcode (AMD processors), or intel-microcode package (Intel processors). For example:

apt-get update
apt-get install amd64-microcode

or

apt-get update
apt-get install intel-microcode

Debian 9 "Stretch" (stable)

Debian 9, codename "Stretch" is supported, and will receive updates both through the stretch-backports official backports repository (faster than point-releases), and through Debian stable point-releases.

To install the microcode update packages from the latest point-release, enable contrib and non-free in /etc/apt/sources.list if they're not already enabled, for example:

deb http://security.debian.org/ stretch/updates main contrib non-free
deb-src http://security.debian.org/ stretch/updates main contrib non-free
deb  http://deb.debian.org/debian stretch main contrib non-free
deb-src  http://deb.debian.org/debian stretch main contrib non-free

After modifying /etc/apt/sources.list, update the package lists in your package manager, and install package amd64-microcode (AMD processors), or intel-microcode package (Intel processors). For example:

apt-get update
apt-get install amd64-microcode

or

apt-get update
apt-get install intel-microcode

Debian testing and Debian unstable

Ensure contrib and non-free are enabled in /etc/apt/sources.list, and install the packages.

Microcode packages are first uploaded to non-free unstable, and after one or two weeks, if no issues are reported, are automatically migrated to non-free testing.

Getting microcode updates sooner using Debian backports

Stable point-releases and oldstable point-releases are done every 2-4 months. This can be a long time to wait for a microcode update that would fix an issue that afflicts your particular system.

An alternative is possible: microcode update packages are first uploaded to non-free unstable, and if no issues are reported, will eventually migrate into non-free testing. Backports of the packages in testing will then be uploaded to stable-backports (currently stretch-backports) and to oldstable-backports-sloppy (currently jessie-backports-sloppy).

Full instructions about enabling backported packages are available. Note that you need to explicitly install the package from backports. After the first install from backports, the system should remain updating microcode packages from backports until the next point release that supersedes them.

Examples (you must first enable fetching backported packages, do not forget that you also need contrib and non-free):

  apt-get install -t stable-backports amd64-microcode
  apt-get install -t stable-backports intel-microcode

or for oldstable-backports-sloppy:

  apt-get install -t oldstable-backports-sloppy amd64-microcode
  apt-get install -t oldstable-backports-sloppy intel-microcode

Checking the microcode version of your CPU

You can check which version of the microcode your processors are running by looking for "microcode" lines on /proc/cpuinfo.

You can check if the kernel updated the microcode on boot by looking for "microcode updated early to" lines in the kernel log:

dmesg | grep "microcode updated early to"
journalctl -b -k | grep "microcode updated early to"
zgrep "microcode updated early to" /var/log/kern.log*

Working around boot problems caused by microcode updates

Very rarely, it is possible for a kernel or a microcode update bug to cause boot issues (hangs or resets at the very beginning of the boot process) on specific processor models.

For this reason, it is possible to pass a kernel command line parameter that skips the microcode update process entirely. The parameter to disable microcode loading is dis_ucode_ldr.

This dis_ucode_ldr parameter must be set in the boot loader, typically Grub2.

The full recovery procedure, including step-by-step instructions for Grub2, is described in the intel-microcode package's README.Debian file. This same procedure also works for amd64-microcode, just replace intel-microcode with amd64-microcode in the README.Debian instructions.

References