How to install/update Intel microcode firmware on Linux

in Categories , , , , last updated January 13, 2018

I am a new Linux sysadmin. How do I install or update microcode firmware for Intel/AMD CPUs on Linux using the command line option?

A microcode is nothing but CPU firmware provided by Intel or AMD. The Linux kernel can update the CPU’s firmware without the BIOS update at boot time. Processor microcode is stored in RAM and kernel update the microcode during every boot. These microcode updates from Intel/AMD needed to fix bugs or apply errata to avoid CPU bugs. This page shows how to install AMD or Intel microcode update using package manager or processor microcode updates supplied by Intel on Linux.

How to find out current status of microcode

Run the following command as root user:
# dmesg | grep microcode
Sample outputs:
Verify microcode update on a CentOS RHEL Fedora Ubuntu Debian Linux
Please note that it is entirely possible that there is no microcode update available for your CPU. In that case it will look as follows:

[    0.952699] microcode: sig=0x306a9, pf=0x10, revision=0x1c
[    0.952773] microcode: Microcode Update Driver: v2.2.

How to install Intel microcode firmware on Linux using a package manager

Tool to transform and deploy CPU microcode update for x86/amd64 comes with Linux. The procedure to install AMD or Intel microcode firmware on Linux is as follows:

  1. Open the terminal app
  2. Debian/Ubuntu Linux user type: sudo apt install intel-microcode
  3. CentOS/RHEL Linux user type: sudo yum install microcode_ctl

The package names are as follows for popular Linux distros:

  • microcode_ctl and linux-firmware – CentOS/RHEL microcode update package
  • intel-microcode – Debian/Ubuntu and clones microcode update package for Intel CPUS
  • amd64-microcode – Debian/Ubuntu and clones microcode firmware for AMD CPUs
  • linux-firmware – Arch Linux microcode firmware for AMD CPUs (installed by default and no action is needed on your part)
  • intel-ucode – Arch Linux microcode firmware for Intel CPUs
  • microcode_ctl, linux-firmware and ucode-intel – Suse/OpenSUSE Linux microcode update package

Warning: In some cases, microcode update may cause boot issues such as server getting hang or resets automatically at the time of boot. The procedure worked for me, and I am an experienced sysadmin. I do not take responsibility for any hardware failures. Do it at your own risk.

Examples

Type the following apt command/apt-get command on a Debian/Ubuntu Linux for Intel CPU:
$ sudo apt-get install intel-microcode
Sample outputs:
How to install Intel microcode firmware Linux
You must reboot the box to activate micocode update:
$ sudo reboot
Verify it after reboot:
# dmesg | grep 'microcode'
Sample outputs:

[    0.000000] microcode: microcode updated early to revision 0x1c, date = 2015-02-26
[    1.604672] microcode: sig=0x306a9, pf=0x10, revision=0x1c
[    1.604976] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>, Peter Oruba

If you are using RHEL/CentOS try installing or updating the following two packages using yum command:
$ sudo yum install linux-firmware microcode_ctl
$ sudo reboot
$ sudo dmesg | grep 'microcode'

How to update/install microcode downloaded from Intel site

Only use the following method when recommended by your vendor otherwise stick to Linux packages as described above. Most Linux distro maintainer update microcode via the package manager. Package manager method is safe as tested by many users.

How to install Intel processor microcode blob for Linux (20180108 release)

Ok, first visit AMD or Intel site to grab the latest microcode firmware. In this example, I have a file named ~/Downloads/microcode-20180108.tgz (don’t forget to check for checksum) that suppose to help with meltdown/Spectre. First extract it using the tar command:
$ mkdir firmware
$ cd firmware
$ tar xvf ~/Downloads/microcode-20180108.tgz
$ ls -l

Sample outputs:

drwxr-xr-x 2 vivek vivek    4096 Jan  8 12:41 intel-ucode
-rw-r--r-- 1 vivek vivek 4847056 Jan  8 12:39 microcode.dat
-rw-r--r-- 1 vivek vivek    1907 Jan  9 07:03 releasenote

I tested the following instructions on a CentOS 7.x/RHEL 7.x/Debian 9.x and Ubuntu 17.10 only. Older kernel shipped with older distro might not work if you do not see /sys/devices/system/cpu/microcode/reload file. See discussion below. Please note that few customers getting of higher system reboots after applying firmware updates. Specifically, these systems are running Intel Broadwell and Haswell CPUs for both client and data center cpus used in server. Do not apply Intel firmware release 20180108 on Intel Broadwell and Haswell CPUs. If possible use package manager method.

Make sure /sys/devices/system/cpu/microcode/reload exits:
$ ls -l /sys/devices/system/cpu/microcode/reload
You must copy all files from intel-ucode to /lib/firmware/intel-ucode/ using the cp command:
$ sudo cp -v intel-ucode/* /lib/firmware/intel-ucode/
You just copied intel-ucode directory to /lib/firmware/. Write the reload interface to 1 to reload the microcode files:
# echo 1 > /sys/devices/system/cpu/microcode/reload
Update an existing initramfs so that next time it get loaded via kernel:
$ sudo update-initramfs -u
$ sudo reboot

Verifying that microcode got updated on boot or reloaded by echo command:
# dmesg | grep microcode
That is all. You have just updated firmware for your Intel CPU.

References

This entry is 4 of 4 in the Processor/CPU Speculative Execution Patching on Linux Tutorial series. Keep reading the rest of the series:
  1. How to patch Meltdown CPU Vulnerability CVE-2017-5754 on Linux
  2. How to patch Spectre Vulnerability CVE-2017-5753/CVE-2017-5715 on Linux
  3. How to check Linux for Spectre and Meltdown vulnerability
  4. How to install/update Intel microcode firmware on Linux

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.

Share this on (or read 21 comments/add one below):

Notable Replies

  1. For Fedora Linux try:

    sudo dracut -fv
    sudo reboot
    

    Almost all sysadmin command must run as root user. I will update guide later.

  2. Method 1

    CentOS 6.x is older distro with older micocode format for kernel. What you need to do is run the following as root when you use firmware downloaded from Intel site:

    yum install microcode_ctl
    ### extract firmware downladed from the Intel site ###
    tar xvf microcode-20180108.tgz
    ### You will have a file named microcode.dat when extracted copy that one to /lib/firmware/ ###
    cp microcode.dat /lib/firmware/microcode.dat
    ### load firmware #
    /sbin/microcode_ctl -u
    ### Verify it ###  
    dmesg | grep microcode
    

    Another option (method 2)

    On older kernel such as yours is to to update the microcode.dat to the system, one need:

    1. Ensure the existence of /dev/cpu/microcode
    ls -l /dev/cpu/microcode
    
    1. If exists write microcode.dat to the file, e.g.
     dd if=microcode.dat of=/dev/cpu/microcode bs=1M
    
    1. Verify it
    dmesg | grep microcode
    

    I hope this helps. Let me know. Make sure you reboot the box and verify it with dmesg | grep microcode

  3. Hi I have Arch Linux installed, I have Intel i7 with the cpu incriminate, I looked in:

    /lib/firmware/intel-ucode/ and you do not find this directory. I found this directory: /lib/firmware/intel and the microcode is installed by giving:

    ls -l /sys/devices/system/cpu/microcode/reload
    --w ------- 1 root root 4096 13 Jan 10.08 /sys/devices/system/cpu/microcode/ reload
    

    How should I copy the microcode on an Arch Linux?
    Thanks for your help

  4. Microcode update not released by any distro or Intel yet for normal user. It is only released for big customers like Google Cloud/AWS and so on. At this time only Meltdown patched on all Linux distros. To patch Spectre v1 and v2 you need:

    • Kernel update
    • Microcode blob from Intel

    Everyone is waiting for it and there is nothing you can do to fix it. HTH.

  5. @Bayu_Permadi/@akandima

    Two issues

    • Not all CPUs is going to get microcode updates ASAP. Latest XEON that was purchase in Dec/2017. Got update. But older Intel i7/i5/i3/Pentium/Xeon may or many not see microcode update. That is upto Intel. They will release it slowly. You and I wait.
    • Intel released buggy update. It is so bad all distros and OEM (HP/Dell/Red Hat) are pulling out. microcode-20180108.tgz is no good. We all now waiting for next updated release. Only big vendors and data centre operator like Google/AWS getting correct updates and they had 6 months to fix mess. My advice either wait like everyone else (we don’t have choice here, do we now?) or move to AWS/Google cloud if security is that important.

    The warning from RHEL/CentOS for 20180108.tgz is scary too:

Continue the discussion www.nixcraft.com

16 more replies

Participants