A microcode is nothing but CPU firmware provided by Intel or AMD. The Linux kernel can update the CPU’s firmware without the BIOS update at boot time. Processor microcode is stored in RAM and kernel update the microcode during every boot. These microcode updates from Intel/AMD needed to fix bugs or apply errata to avoid CPU bugs. This page shows how to install AMD or Intel microcode update using package manager or processor microcode updates supplied by Intel on Linux.
How to find out current status of microcode
Run the following command as root user:
# dmesg | grep microcode
Please note that it is entirely possible that there is no microcode update available for your CPU. In that case it will look as follows:
[ 0.952699] microcode: sig=0x306a9, pf=0x10, revision=0x1c [ 0.952773] microcode: Microcode Update Driver: v2.2.
How to install Intel microcode firmware on Linux using a package manager
Tool to transform and deploy CPU microcode update for x86/amd64 comes with Linux. The procedure to install AMD or Intel microcode firmware on Linux is as follows:
- Open the terminal app
- Debian/Ubuntu Linux user type: sudo apt install intel-microcode
- CentOS/RHEL Linux user type: sudo yum install microcode_ctl
The package names are as follows for popular Linux distros:
- microcode_ctl and linux-firmware – CentOS/RHEL microcode update package
- intel-microcode – Debian/Ubuntu and clones microcode update package for Intel CPUS
- amd64-microcode – Debian/Ubuntu and clones microcode firmware for AMD CPUs
- linux-firmware – Arch Linux microcode firmware for AMD CPUs (installed by default and no action is needed on your part)
- intel-ucode – Arch Linux microcode firmware for Intel CPUs
- microcode_ctl, linux-firmware and ucode-intel – Suse/OpenSUSE Linux microcode update package
Warning: In some cases, microcode update may cause boot issues such as server getting hang or resets automatically at the time of boot. The procedure worked for me, and I am an experienced sysadmin. I do not take responsibility for any hardware failures. Do it at your own risk.
Type the following apt command/apt-get command on a Debian/Ubuntu Linux for Intel CPU:
$ sudo apt-get install intel-microcode
You must reboot the box to activate micocode update:
$ sudo reboot
Verify it after reboot:
# dmesg | grep 'microcode'
[ 0.000000] microcode: microcode updated early to revision 0x1c, date = 2015-02-26 [ 1.604672] microcode: sig=0x306a9, pf=0x10, revision=0x1c [ 1.604976] microcode: Microcode Update Driver: v2.01 <email@example.com>, Peter Oruba
If you are using RHEL/CentOS try installing or updating the following two packages using yum command:
$ sudo yum install linux-firmware microcode_ctl
$ sudo reboot
$ sudo dmesg | grep 'microcode'
How to update/install microcode downloaded from Intel site
Only use the following method when recommended by your vendor otherwise stick to Linux packages as described above. Most Linux distro maintainer update microcode via the package manager. Package manager method is safe as tested by many users.
How to install Intel processor microcode blob for Linux (20180108 release)
Ok, first visit AMD or Intel site to grab the latest microcode firmware. In this example, I have a file named ~/Downloads/microcode-20180108.tgz (don’t forget to check for checksum) that suppose to help with meltdown/Spectre. First extract it using the tar command:
$ mkdir firmware
$ cd firmware
$ tar xvf ~/Downloads/microcode-20180108.tgz
$ ls -l
drwxr-xr-x 2 vivek vivek 4096 Jan 8 12:41 intel-ucode -rw-r--r-- 1 vivek vivek 4847056 Jan 8 12:39 microcode.dat -rw-r--r-- 1 vivek vivek 1907 Jan 9 07:03 releasenote
I tested the following instructions on a CentOS 7.x/RHEL 7.x/Debian 9.x and Ubuntu 17.10 only. Older kernel shipped with older distro might not work if you do not see /sys/devices/system/cpu/microcode/reload file. See discussion below. Please note that few customers getting of higher system reboots after applying firmware updates. Specifically, these systems are running Intel Broadwell and Haswell CPUs for both client and data center cpus used in server. Do not apply Intel firmware release 20180108 on Intel Broadwell and Haswell CPUs. If possible use package manager method.
Make sure /sys/devices/system/cpu/microcode/reload exits:
$ ls -l /sys/devices/system/cpu/microcode/reload
You must copy all files from intel-ucode to /lib/firmware/intel-ucode/ using the cp command:
$ sudo cp -v intel-ucode/* /lib/firmware/intel-ucode/
You just copied intel-ucode directory to /lib/firmware/. Write the reload interface to 1 to reload the microcode files:
# echo 1 > /sys/devices/system/cpu/microcode/reload
Update an existing initramfs so that next time it get loaded via kernel:
$ sudo update-initramfs -u
$ sudo reboot
Verifying that microcode got updated on boot or reloaded by echo command:
# dmesg | grep microcode
That is all. You have just updated firmware for your Intel CPU.
- How to patch Meltdown CPU Vulnerability CVE-2017-5754 on Linux
- How to patch Spectre Vulnerability CVE-2017-5753/CVE-2017-5715 on Linux
- How to check Linux for Spectre and Meltdown vulnerability
- How to install/update Intel microcode firmware on Linux
- How to patch Meltdown vulnerability on OpenBSD Unix
- How to patch Meltdown and Spectre vulnerabilities on FreeBSD