Intel CPUs receive updates, including security relevant upgrades, through 2 channels:

The `intel-microcode` package can patch the microcode in the CPU at boot time, given the kernel is cooperating. This patch is ephemeral and will be lost after a processor hard-reset or power-off.

Yes. From the README.Debian.gz in the `intel-microcode` package:
While most of the microcode updates fix problems that happen extremely
rarely, they also fix high-profile, high-hitting issues
If one is available and deemed sufficiently stable from Debian's or Ubuntu's perspective, the `intel-microcode` package is updated and the new microcode is available after the next reboot.

Look for the revision in:
$ zgrep microcode /var/log/kern.log*
var/log/kern.log.1.gz:Dec 24 13:37:00 random_hostname kernel: microcode: sig=0x50657, pf=0x1, revision=0x5003303
var/log/kern.log.1.gz:Dec 24 13:37:00 random_hostname kernel: microcode: Microcode Update Driver: v2.2.
You can tell if your system has had its CPU microcode patched upon boot if you also get the following line:
var/log/kern.log.1.gz:Dec 24 13:37:00 random_hostname kernel: microcode: microcode updated early to revision $some_revision
The `intel-microcode` package is using a hook in the system's initrd. It will patch the CPU before booting the rest of the operating system.
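The log check described in this answer can be scripted so that it reports the loaded microcode revision and whether the early (initrd) update actually ran. The POSIX shell script below is an added example and is not part of the answer or of the `intel-microcode` package; the sample log lines embedded in it are constructed (hostname and revision are placeholders) and follow the message format shown above, and the `/proc/cpuinfo` and `zgrep` helpers are assumptions about a normal Debian/Ubuntu system that only run when the script is invoked with `--live`.

```shell
#!/bin/sh
# Added example: parse kernel "microcode:" log lines the way the answer suggests,
# and optionally cross-check against the live system.

# Constructed sample log lines (not captured from a real machine).
SAMPLE_LOG='Dec 24 13:37:00 random_hostname kernel: microcode: microcode updated early to revision 0x5003303
Dec 24 13:37:00 random_hostname kernel: microcode: sig=0x50657, pf=0x1, revision=0x5003303
Dec 24 13:37:00 random_hostname kernel: microcode: Microcode Update Driver: v2.2.'

# Print the revision the kernel reports as loaded (taken from the "sig=..., pf=..., revision=..." line).
# Prints nothing if no such line is present.
loaded_revision() {
    printf '%s\n' "$1" \
        | sed -n 's/.*microcode: sig=0x[0-9a-fA-F]*, pf=0x[0-9a-fA-F]*, revision=\(0x[0-9a-fA-F]*\).*/\1/p' \
        | head -n 1
}

# Return 0 if the log shows the microcode was patched early from the initrd, 1 otherwise.
early_update_applied() {
    printf '%s\n' "$1" | grep -q 'microcode: microcode updated early to revision'
}

# One-line verdict built from the two checks above.
summarize() {
    rev=$(loaded_revision "$1")
    if [ -z "$rev" ]; then
        echo "no microcode revision found in log"
    elif early_update_applied "$1"; then
        echo "early update applied, running revision $rev"
    else
        echo "running revision $rev (no early update recorded; firmware-supplied or not patched)"
    fi
}

# Live helpers (assumed layout: kernel logs under /var/log/kern.log*, microcode field in /proc/cpuinfo).
live_log() {
    zgrep -h microcode /var/log/kern.log* 2>/dev/null
}
cpuinfo_revision() {
    awk -F': ' '/^microcode/ {print $2; exit}' /proc/cpuinfo 2>/dev/null
}

if [ "${1:-}" = "--live" ]; then
    log=$(live_log)
    summarize "$log"
    echo "/proc/cpuinfo reports microcode revision: $(cpuinfo_revision)"
else
    summarize "$SAMPLE_LOG"
fi
```

Without arguments the script only evaluates the constructed sample; with `--live` it runs the same parsing over the real logs and prints the `/proc/cpuinfo` revision next to it, so a mismatch between the two (for example after the package was updated but before the next reboot) is easy to spot.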