Intel CPUs receive updates, including security-relevant fixes, through two channels:
- Firmware/UEFI BIOS updates can carry a newer microcode image, which the firmware loads into the CPU on every boot. This is the preferred and persistent way, but it depends on the board vendor actually shipping a firmware update.
- The intel-microcode package can load a newer microcode image at boot time, provided the kernel supports early microcode loading (the Debian and Ubuntu kernels do). The update only lives in the CPU's volatile memory: it is lost on a processor hard-reset or power-off and has to be reapplied on every boot, which is why it is done from the initrd.
Is it important to install microcode updates?
Yes. From the README.Debian.gz in the intel-microcode package:
While most of the microcode updates fix problems that happen extremely
rarely, they also fix high-profile, high-hitting issues
How do I install a microcode update?
If Intel has released one and Debian's or Ubuntu's maintainers consider it sufficiently stable, the intel-microcode package is updated; installing the new package version rebuilds the initrd, and the new microcode is applied from the next reboot on. Until that reboot the CPU keeps running the old revision. The package lives outside main (Debian's non-free-firmware, formerly non-free; Ubuntu's restricted component), so that component has to be enabled in your package sources.
Which microcode version am I running?
Look for the revision the microcode driver reports in the kernel log:
$ zgrep microcode /var/log/kern.log*
/var/log/kern.log.1.gz:Dec 24 13:37:00 random_hostname kernel: microcode: sig=0x50657, pf=0x1, revision=0x5003303
/var/log/kern.log.1.gz:Dec 24 13:37:00 random_hostname kernel: microcode: Microcode Update Driver: v2.2.
revision is the microcode revision currently loaded; sig is the CPU signature (family, model and stepping) and pf the platform flags, which together decide which microcode blob applies to this CPU. The same revision is shown per core in the microcode field of /proc/cpuinfo, and dmesg | grep microcode works on a running system without digging through rotated logs.
You can tell that the CPU microcode was actually patched at boot, rather than left at the revision the firmware supplied, if you also get a line like:
/var/log/kern.log.1.gz:Dec 24 13:37:00 random_hostname kernel: microcode: microcode updated early to revision $some_revision
The exact wording of these messages changes between kernel versions, so grep for microcode rather than for the full sentence.
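The check described above, as an added example that is not part of the original page or of the intel-microcode package: it pulls the loaded revision and the early-update line out of kernel log text, compares the microcode field of every core in /proc/cpuinfo, and reports a one-line verdict. The function names are this example's own, the two sample inputs are constructed in the formats quoted above (not captured from a real machine), and the sed patterns match the message wording quoted on this page, so they need adjusting for kernels that word the messages differently.

```shell
#!/bin/sh
# Added example (not from the original page): extract the microcode revision
# the kernel reported at boot, whether it came from an early update, and
# whether every core in /proc/cpuinfo reports the same revision.
# Function names are this example's own. Both samples below are constructed
# in the formats quoted on the page, not captured from a real machine.

SAMPLE_KERN_LOG='Dec 24 13:37:00 random_hostname kernel: microcode: sig=0x50657, pf=0x1, revision=0x5003303
Dec 24 13:37:00 random_hostname kernel: microcode: Microcode Update Driver: v2.2.
Dec 24 13:37:00 random_hostname kernel: microcode: microcode updated early to revision 0x5003303, date = 2021-11-03'

# Two cores, both on the same revision (real /proc/cpuinfo uses tabs before
# the colon; the parser below accepts tabs or spaces).
SAMPLE_CPUINFO='processor   : 0
vendor_id   : GenuineIntel
microcode   : 0x5003303
processor   : 1
vendor_id    : GenuineIntel
microcode   : 0x5003303'

# Revision the microcode driver reported (last "revision=" line in file $1).
# The pattern follows the message wording quoted on the page; newer kernels
# phrase these lines differently, so adjust it for your kernel.
log_microcode_revision() {
    sed -n 's/.*microcode: sig=.*revision=\(0x[0-9a-fA-F]*\).*/\1/p' "$1" | tail -n 1
}

# Revision applied by the early loader, or empty when no early update ran,
# i.e. the CPU is still on whatever revision the firmware supplied.
log_early_update_revision() {
    sed -n 's/.*microcode updated early to revision \(0x[0-9a-fA-F]*\).*/\1/p' "$1" | tail -n 1
}

# Distinct microcode revisions across all CPUs in cpuinfo file $1, one per
# line. More than one line means some cores missed the update.
cpuinfo_microcode_revisions() {
    awk -F: '$1 ~ /^microcode[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2 }' "$1" | sort -u
}

# One-line verdict from a kernel log ($1) and a cpuinfo file ($2):
#   early=<yes|no> revision=<rev|unknown> cores_agree=<yes|no>
microcode_status() {
    rev=$(log_microcode_revision "$1")
    early=$(log_early_update_revision "$1")
    distinct=$(cpuinfo_microcode_revisions "$2" | wc -l | tr -d ' ')
    if [ -n "$early" ]; then early_flag=yes; else early_flag=no; fi
    if [ "$distinct" -eq 1 ]; then agree=yes; else agree=no; fi
    printf 'early=%s revision=%s cores_agree=%s\n' "$early_flag" "${rev:-unknown}" "$agree"
}

# Demo on the constructed samples. On a live system feed it the real sources:
#   dmesg > /tmp/kmsg.txt && microcode_status /tmp/kmsg.txt /proc/cpuinfo
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_KERN_LOG" > "$tmp/kern.log"
printf '%s\n' "$SAMPLE_CPUINFO" > "$tmp/cpuinfo"
microcode_status "$tmp/kern.log" "$tmp/cpuinfo"
rm -rf "$tmp"
```

A missing early-update line with an intel-microcode package installed usually means the initrd was not rebuilt after the package came in, or the kernel was booted without it; a cores_agree=no result is worth a look, because every core should be on the same revision after an early update.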
Where and how exactly does the microcode update happen?
The intel-microcode package ships a hook for initramfs-tools. When the initrd is built, the hook prepends an uncompressed cpio archive containing the selected microcode blob, kernel/x86/microcode/GenuineIntel.bin, to the front of the initrd. The kernel's early microcode loader looks for exactly that archive at the start of the initrd very early in boot, before the other CPUs are brought up and long before userspace starts, and applies it to every CPU as it comes online. Because the blob lives in the initrd, a kernel booted with an initrd built before the package was installed, or booted without an initrd at all, runs on the firmware's revision only.
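The layout the early loader expects, as an added example that is neither the page's nor the intel-microcode package's own code: the kernel only finds the microcode if an uncompressed newc cpio archive (ASCII magic 070701) carrying kernel/x86/microcode/GenuineIntel.bin sits at the very start of the initrd, ahead of the compressed main archive. The script builds two constructed stand-in initrd files, one with and one without that early segment (the blob and the "compressed" tail are fake bytes, not real microcode), and checks for the segment by position rather than by a plain string search, so a blob that only appears after the first TRAILER!!! record does not count. Function names are this example's own.

```shell
#!/bin/sh
# Added example (not the page's or the intel-microcode package's own code):
# check that an initrd starts with the uncompressed early-microcode cpio the
# intel-microcode initramfs hook prepends. A blob inside the compressed main
# archive is invisible to the kernel's early loader, which only walks
# uncompressed cpio data at the head of the initrd.
# Function names are this example's own; the sample initrd files are
# constructed stand-ins, not real initrds.

EARLY_UCODE_PATH='kernel/x86/microcode/GenuineIntel.bin'

# Emit $1 NUL bytes (cpio pads headers and data to 4-byte boundaries).
pad_nul() {
    i=0
    while [ "$i" -lt "$1" ]; do printf '\000'; i=$((i + 1)); done
}

# Emit one newc cpio entry: 110-byte ASCII header, NUL-terminated name, data.
# Only filesize and namesize matter here; mode 33188 is a 0644 regular file.
cpio_newc_entry() {
    name=$1; data=$2
    namesize=$((${#name} + 1))
    datasize=${#data}
    printf '070701%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x%08x' \
        0 33188 0 0 1 0 "$datasize" 0 0 0 0 "$namesize" 0
    printf '%s\000' "$name"
    pad_nul $(( (4 - (110 + namesize) % 4) % 4 ))
    printf '%s' "$data"
    pad_nul $(( (4 - datasize % 4) % 4 ))
}

# Constructed initrd shaped like the hook's output: uncompressed early cpio
# (blob + TRAILER!!!), then a fake "compressed" main archive with gzip magic.
make_sample_initrd_with_ucode() {
    {
        cpio_newc_entry "$EARLY_UCODE_PATH" 'FAKE-MICROCODE-BLOB'
        cpio_newc_entry 'TRAILER!!!' ''
        printf '\037\213MAIN-INITRAMFS-WOULD-BE-GZIP-DATA'
    } > "$1"
}

# Constructed initrd with no early segment: starts directly with gzip magic.
make_sample_initrd_without_ucode() {
    printf '\037\213MAIN-INITRAMFS-WOULD-BE-GZIP-DATA' > "$1"
}

# Return 0 if $1 begins with an uncompressed newc cpio archive that lists the
# Intel early-microcode blob before its first TRAILER!!! record, else 1.
initrd_has_early_intel_ucode() {
    [ "$(head -c 6 "$1")" = "070701" ] || return 1
    ucode_off=$(grep -a -b -o "$EARLY_UCODE_PATH" "$1" | head -n 1 | cut -d: -f1)
    trailer_off=$(grep -a -b -o 'TRAILER!!!' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$ucode_off" ] && [ -n "$trailer_off" ] && [ "$ucode_off" -lt "$trailer_off" ]
}

# Demo on the constructed files. On a live Debian/Ubuntu system:
#   initrd_has_early_intel_ucode "/boot/initrd.img-$(uname -r)" && echo present
tmp=$(mktemp -d)
make_sample_initrd_with_ucode "$tmp/with.img"
make_sample_initrd_without_ucode "$tmp/without.img"
for f in "$tmp/with.img" "$tmp/without.img"; do
    if initrd_has_early_intel_ucode "$f"; then
        echo "$f: early Intel microcode present"
    else
        echo "$f: no early Intel microcode"
    fi
done
rm -rf "$tmp"
```

On a live system lsinitramfs on the running kernel's initrd shows the same thing: the early entries, including kernel/x86/microcode/GenuineIntel.bin, are listed first. If they are missing, run update-initramfs -u and reboot before expecting an "updated early" line in the kernel log.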