Intel Microcode Updates in Linux

Topic

New Reply

I just received an Intel Microcode update in the Update Manager of my Linux Mint 19.1.  I’m seeing good things said about these coming from comments on the Windows Updates, so I’m assuming it’s safe to install the one I got on my 2007 Sony VAIO with an Intel Core Duo CPU?

Being 20 something in the 70's was so much better than being 70 something in the insane 20's

Reply | Quote

Replies

One of the things I’m wondering is whether this microcode update will cause a CPU performance hit.

Being 20 something in the 70's was so much better than being 70 something in the insane 20's

Reply | Quote

One of the reasons I switched to Linux as my primary OS/daily driver is the experience I had with Ubuntu 16.04 LTS and then later with 18.04 LTS, both on a circa 2009 HP laptop. As a test to see how easy it was to keep updated I installed EVERY update offered to me since August of 2016. Not a single problem (and at about 5 to 10 patches per week for four plus years, that’s a lot of patches). Among those patches have been a fair number of Intel microcode updates, especially back in 2017 (I think) when there was the huge scare about a couple Intel flaws that were going to doom the universe. I don’t remember the names of the flaws but it made international news. I never noticed any kind of performance hit on the HP laptop for any patch – microcode or not.

In the last year or so I’ve had Mint 19.2 Cinnamon running on an old Gateway netbook, an old Acer laptop and a relatively new (2016) Dell Inspiron (my daily driver). I’ve kept them all patched with every offered update, including a couple microcode patches, and never detected any kind of performance hit (or any other issue).

I got the same microcode update you did and plan to install it and all the other week’s patches tomorrow or Friday. Personally, I have no qualms about it, but if you want to wait, I’ll let you know how it turns out for me.

4 users thanked author for this post.

jburk07, OscarCP, Charlie, HiFlyer

Reply | Quote

I don’t think it will make any difference. The Core 2 Duo is old enough that Intel dropped plans to release Spectre/Meltdown updates back when they hit, and they probably still have not. I can check for you, though… just enter

dmesg | grep microcode

into the terminal, and if you tell me what it says for ‘sig=0x??????’, I can see if it is in the list of included microcodes. The intel-microcode package is pushed to all Intel CPUs, even if there is no updated microcode inside.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

3 users thanked author for this post.

jburk07, Charlie, HiFlyer

Reply | Quote

Here are the results Ascaris.  Sorry it took me so long, I had a very busy day.

dmesg | grep microcode

[ 0.000000] microcode: microcode updated early to revision 0xa4, date = 2010-10-02

[ 0.024000] MDS: Vulnerable: Clear CPU buffers attempted, no microcode

[ 2.198775] microcode: sig=0x6fd, pf=0x80, revision=0xa4

[ 2.198830] microcode: Microcode Update Driver: v2.2.

Being 20 something in the 70's was so much better than being 70 something in the insane 20's

Reply | Quote

Indeed, that is the newest microcode listed for your CPU, way back from 2010. This line describes your CPU (this is from the intel-microcode package log), and is the version provided:

sig 0x000006fd, pf mask 0x80, 2010-10-02, rev 0x00a4, size 4096

That matches what you reported exactly.

So you’re vulnerable to the exploits that require a microcode update, but you’re immune to the performance losses they may cause.  I have a computer from that era (2008 manufacturing date) when Spectre and Meltdown landed, and at first, Intel was planning to release microcodes for Core 2, but they changed their mind and didn’t. I didn’t worry about it much when I was using that PC as one of my main set (I use more than one each day).  I since bought my Swift, which took over the role of the Core 2 Duo laptop (about the same performance, but much lighter and several times longer battery life).

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

1 user thanked author for this post.

Charlie

Reply | Quote

Thanks very much Ascaris.  So I guess the question now is – do I need to install the microcode update I have waiting in Linux Mint Update Manager?  Will this update benefit me in any way or should I just disregard it?

Being 20 something in the 70's was so much better than being 70 something in the insane 20's

Reply | Quote

FWIW, I installed all the Mint 19.2 Cinnamon updates offered (12 for me) on my guinnea pig Gateway netbook with an Atom Intel processor. I didn’t check whether it needed the microcode, but it installed without issue and I can’t tell any difference in performance. All 11 other updates went in just fine as well.

I’ve got 2 more machines to update, probably tonight or tomorrow.

1 user thanked author for this post.

Charlie

Reply | Quote

You can install the microcode updates. When you boot Linux, the boot loader queries the CPU for its CPUID. If a newer microcode matching the CPUID is found, it is loaded into the CPU at boot time. If no new microcode for the CPUID is found, then nothing happens.

Windows 10 does the exact same thing as Linux. I can’t remember if Microsoft did the same thing for Windows 8. Microsoft decided not to do this for Windows 7. The only thing which Windows 7 got was Meltdown protection. No Spectre protection for Windows 7.

1 user thanked author for this post.

Charlie

Reply | Quote

If the PC’s/Laptop’s OEM decides to push out a firmware update then any older 7/8/8.1 machines will get that microcode update via the firmware method but only 10 and Linux get an OS pushed out microcode patch and older Windows OS have to have the user apply the microcode shim and that’s an involved process.

From my understanding of the Spectre/Meltdown fixes from Intel that may only go back as far as Sandy Bridge generation core i series processors but I may be wrong there and I do have one older Arrandale(Mobile Westmere) Intel core i3 series laptop that’s the first generation “Core i” series that Intel released. But I my 4, Ivy Bridge/Older, Laptops are running Linux Mint 20 and they all received that  Intel Microcode patch but that’s the usual for Linux as there is so much there that’s unrelated to Intel processors that still get patched anyways regardless.

I’d rather get any microcode patches via the OS and not be flashing the the firmware on my laptops unless needed as that’s a risky process if the firmware update get corrupted and the laptop bricked. Folks on PCs with Dual BIOSs and/or BIOS Flashback are more protected there on Motherboards that support that and folks able, in the case of BIOS flashback, to update the MB’s UEFI/BIOS without even needing to have a CPU socketed into the MB and that Frmware update done from a Thumb-drive/Flash-Stick.

Reply | Quote

? says:

i just installed the intel microcode patch:

“Upgraded the following packages:
intel-microcode (3.20201110.0ubuntu0.16.04.1) to 3.20201110.0ubuntu0.16.04.2”

however this machine has an AMD K8 processer:

amd64-microcode (3.20191021.1ubuntu0.16.04.1) to 3.20191021.1+really3.20180524.1~ubuntu0.16.04.2

but i don’t think it even loads (at boot)?

Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
Nov 12 07:17:19 ubuntu kernel: [    0.024474] Spectre V2 : Spectre mitigation: LFENCE not serializing, switching to generic retpoline
Nov 12 07:17:19 ubuntu kernel: [    0.024517] Spectre V2 : Mitigation: Full generic retpoline
Nov 12 07:17:19 ubuntu kernel: [    0.024519] Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch

and it still keeps on ticking…

Reply | Quote

Yes, my Intel PCs also have the AMD microcode packages from Ubuntu installed. They don’t do anything, of course, as none of the AMD microcodes are compatible with an Intel CPU. This happens because the Ubuntu kernel stacks list both AMD and Intel microcodes as dependencies, so they both get pulled in. They’re quite small, so the extra disk space used is negligible.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

Reply | Quote

Yep, it is loading at boot. Your AMD K8 CPU’s performance is affected very little. I bet that you don’t even notice the very small reduction in performance.

Reply | Quote

? says:

GTP, you are correct about the performance after adding the microcode patches on the old K8. the old girl can still whip my computation skills without even breaking a sweat. i was running a dell desktop with the first intel hyperthreader (a costa rican) p4 3.06 on windows up to 7 and even ubuntu 14, and 16 on usb like a dream and avoided the microcode fiasco(s) luckily.

here is a  current “top i” on ‘buntu 16.04 usb as i reply,

top – 18:18:42 up  1:10,  1 user,  load average: 0.31, 0.44, 0.32
Tasks: 178 total,   1 running, 177 sleeping,   0 stopped,   0 zombie
%Cpu(s):  1.2 us,  0.8 sy,  0.0 ni, 98.0 id,  0.0 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem :  3875060 total,  2748348 free,   522432 used,   604280 buff/cache
KiB Swap:        0 total,        0 free,        0 used.  2942660 avail Mem

PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
898 root      20   0  137624  53580  39896 S   1.7  1.4   1:49.90 Xorg
2307 ubuntu    20   0  477936 129244  99776 S   0.7  3.3   0:13.31 Web Content
2805 ubuntu    20   0  101312  30380  25824 S   0.7  0.8   0:01.96 gnome-term+
2825 ubuntu    20   0    8060   3356   2844 R   0.7  0.1   0:00.55 top
738 root      20   0  108644  15408  12776 S   0.3  0.4   0:20.16 NetworkMan+
1321 ubuntu    20   0  322800 165860  69288 S   0.3  4.3   0:49.94 compiz
1443 ubuntu    20   0  135856  31088  26628 S   0.3  0.8   0:18.30 nm-applet
2250 ubuntu    20   0  886584 256228 135860 S   0.3  6.6   1:50.83 firefox
2358 ubuntu    20   0  514420 124184  85536 S   0.3  3.2   0:08.88 WebExtensi+

Reply | Quote

At ? says,

I hope that you decide to join the forum since I like your writing style. I have a strong feeling that you would be helpful to others. You might as well jinks it up a bit by registering here on a Friday the 13th!

Best regards,

–GTP

 

Reply | Quote

? says:

GTP, thank you you are too kind. once, woody leonhard himself thanked me? for some inane comment i made and i almost fainted. i enjoy visiting here because of people like you.

i love working to get computers to divulge their inner secrets (inquiring minds, you know.) i am blown away absorbing the cumulative knowledge of so many great minds who share here all for the satisfaction of helping another fellow traveller. well, i’ve been in the warm sunshine for a moment so, now back to the bunker to work on some more glitchy zeros and ones…

Reply | Quote

? says:

thank you, Ascaris. this mitigation shenanigans that started a few years ago was yet another reason i shifted my computing from intel\windows toward amd\linux. i tried the “dmesg | grep microcode,” but that only seems to work on an intel processor (comes up blank.)

“grep -F -m 1 “cpu family” /proc/cpuinfo,” told me about the amd family 15, (cpu family    : 15) which is too long-in-the-tooth for the mitigations, and

“dmesg | grep -e ‘microcode’ -e ‘Linux version’ -e ‘Command line,’ gives: “([    0.000000] Linux version 4.4.0-194-generic (buildd@lcy01-amd64-015) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12) ) #226-Ubuntu SMP Wed Oct 21 10:20:20 UTC 2020 (Ubuntu 4.4.0-194.226-generic 4.4.236),” which means i dunno…

1 user thanked author for this post.

Ascaris

Reply | Quote

[Charlie]

Just tried to install the Intel Microcode update and it failed.  I suppose this old Sony computer is too old.  It didn’t go away so I’ll wait a bit.

Being 20 something in the 70's was so much better than being 70 something in the insane 20's

• This reply was modified 4 years, 6 months ago by Charlie.

Reply | Quote

? says:

hi Charlie,

this acer from the same era had 1 bios update offered shortly after it came into being and no microcode updates available that i’m aware of. ubuntu has pushed out several amd and intel patches over the last few years which are installed.  when booting this machine i get the “LFENCE not serializing, switching to generic retpoline,” line in the syslog. i found a linux mint blog that may help:

https://forums.linuxmint.com/viewtopic.php?t=326361

1 user thanked author for this post.

Charlie

Reply | Quote

? says:

just to kick the can all the way down the street from the mint blog i refered to above which explains Ascaris’ post #2311564 above in greater detail i ran terminal cmd “grep . /sys/devices/system/cpu/vulnerabilities/*,” and all the others to verify and got this result:

/sys/devices/system/cpu/vulnerabilities/itlb_multihit:Not affected
/sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
/sys/devices/system/cpu/vulnerabilities/mds:Not affected
/sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Not affected
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: kernel-off, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/srbds:Not affected
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected

so in summation, please don’t worry-be happy!

 

1 user thanked author for this post.

Charlie

Reply | Quote

Here’s what I got on my 2007 Sony VAIO with an Intel Core2 Duo:

/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable:

Clear CPU buffers attempted, no microcode; SMT disabled
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/srbds:Not affected
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected

Being 20 something in the 70's was so much better than being 70 something in the insane 20's

Reply | Quote

? says:

charlie, i don’t like the vulnerable part(s). i remember reading something about AMD not being as wide open as intel back when the story came out. maybe that is why your report differs on the KVM, mds, and specc_store_bypass? at any rate i don’t know if these vulnerabilities are actively being exploited and wrecking havoc. another reason i run linux live and usb sticks. wash rinse repeat and keep anything worth keeping in a safe place…

1 user thanked author for this post.

Charlie

Reply | Quote

I remember a lot of talk back when Spector & Meltdown were a big thing scaring everyone.  I remember it being said that it took a lot of time and effort for a hacker to use them.  Hacking into a CPU seems like a waist of time unless there’s something of great value on that particular computer.  Think I’ll just stay being happy.  

Being 20 something in the 70's was so much better than being 70 something in the insane 20's

Reply | Quote

Charlie wrote:

I remember it being said that it took a lot of time and effort for a hacker to use them. Hacking into a CPU seems like a waist of time unless there’s something of great value on that particular computer. Think I’ll just stay being happy.

I agree. It seems that the threat of random, drive-by exploitation of this by a rogue script on a compromised site is minimal, with the main risk being specific computers targeted by someone for the info therein.

The hoopla may have served a purpose, though, if it resulted in so many people getting the updates (or being perceived as getting them) that the baddies think it’s not worth their time to write malware that uses the side-channel attack method, or to give up on it sooner if it does not work at first. It’s not as if this is the only tool in the box, from their perspective.

Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

1 user thanked author for this post.

Charlie

Reply | Quote

If a computer gets a microcode update through Mint 19.2, and that computer is also capable of booting into Win 7, is the microcode automatically effective when a Win 7 boot occurs?

Reply | Quote

This is my interpretation:
If you download a firmware update from the MB mfg, and you flash the BIOS, it will affect anything that uses the BIOS (ie Mint and Win7). You are making changes to something used by both systems .

If you download microcode from Linux (do not flash the BIOS) it is applied by the Linux OS and shouldn’t affect the Win7 OS. If you download the microcode from MS  (do not flash the BIOS), it is applied by the Win OS and shouldn’t affect the Linux OS.

 

2 users thanked author for this post.

Ascaris, DrBonzo

Reply | Quote

? says:

you are correct (again) PK. volatile vs non-.

https://www.askwoody.com/forums/topic/dual-boot-linux-to-update-bios-on-win-7-pc/

and

https://forums.linuxmint.com/viewtopic.php?t=262777

1 user thanked author for this post.

Ascaris

Reply | Quote

For informational purposes – I updated my Linux Kernel to 4.15.0-123, and when that was done and after I rebooted, I tried the Intel Microcode update again.  This time it downloaded and installed!  I rebooted again and then ran another check to see if any vulnerabilities had been patched and they were not.  So I think I’ve done as much as I can do.

Being 20 something in the 70's was so much better than being 70 something in the insane 20's

Reply | Quote

? says:

thank you for the information on the kernel update + the now freshly installed intel microcode, Charlie. i’m running kernel 4.15.0-123 on 18.04lts and got the intel patch last wednesday. as Ascaris said on post #2312097 above “minimal threat,” so i’ll rest with that…

Reply | Quote

? says:

this just came down the synaptic chute for ubuntu 10.04 lts with kernel 4.15.0.144:

Commit Log for Wed Jun  9 10:11:25 2021
Upgraded the following packages:
intel-microcode (3.20210216.0ubuntu0.18.04.1) to 3.20210608.0ubuntu0.18.04.1

i use AMD for the cpu duties, however: i can stick the stick into any box (Intel, AMD, whatever)…

Reply | Quote

? says:

also:

Commit Log for Wed Jun  9 10:40:24 2021
Upgraded the following packages:
intel-microcode (3.20210216.0ubuntu0.20.04.1) to 3.20210608.0ubuntu0.20.04.1

20.04 lts w\ 5.4 and 5.8.0.55 kernels

Reply | Quote

The usual Intel Microcode updates for my 4 Intel based laptops, and even my all AMD laptop and AMD Mini PC got those Intel Microcode updates for Linux Mint 20.0(Kernel 5.4)/20.1(Edge ISO Linux kernel 5.8) but that’s always been the case for Linux where there’s a lot of stuff in the Kernel for all sorts of hardware besides Intel’s processor hardware. I also got the latest Linux firmware update as well for all those other controllers and such that have their own firmware that needs updating so that’s not unusual to see as well. Most of that Microcode or firmware that does not apply never gets loaded as at boot-up in the devices UEFI/Firmware there are tables that get set and enumerate what hardware is installed and then the Linux Kernel bring-up comes in with its set of Microcode/Firmware shims in the Kernel that can update things there if that’s not already been flashed on the UEFI/Firmware via a Motherboard OEM’s or Laptop OEM’s provided UEFI/Firmware update.

One nice thing about Linux, Windows 10 as well, is that there can be OS/Kernel provided Microcode or Firmware patches for Processors and controllers and no waiting for any MB/Laptop OEM’s to come out with the newer UEFI/Firmware update with the newer Processor microcode, other firmware  patches included and for some Laptop OEMs that firmware update may never come with any needed microcode/firmware update so the OS/Kernel provided automatic shim method is a nice feature that’s been in Linux but way only available in Windows 10 as for earlier Windows versions that Shim had to be hand plumbed in, if even available.

 

Reply | Quote

I got another Intel Microcode update in with all the other updates in my Linux Mint 19.1’s Update Manager.  The microcode update installed okay this time too.

Being 20 something in the 70's was so much better than being 70 something in the insane 20's

Reply | Quote