Intel Microcode Versions and Updates


Intel CPUs receive updates, including security-relevant fixes, through two channels:

  • Firmware/UEFI BIOS updates can update the microcode in the CPU. This is the preferred and persistent way.
  • The intel-microcode package can patch the microcode in the CPU at boot time, provided the kernel cooperates. This patch is ephemeral and is lost after a processor hard reset or power-off.

Is it important to install microcode updates?

Yes. From the README.Debian.gz in the intel-microcode package:

While most of the microcode updates fix problems that happen extremely
rarely, they also fix high-profile, high-hitting issues

How to install a microcode update?

If one is available and deemed sufficiently stable from Debian's or Ubuntu's perspective, the intel-microcode package is updated and the new microcode is available after the next reboot.

Which microcode version am I running?

Look for the revision in the kernel log:

$ zgrep microcode /var/log/kern.log*
/var/log/kern.log.1.gz:Dec 24 13:37:00 random_hostname kernel: microcode: sig=0x50657, pf=0x1, revision=0x5003303
/var/log/kern.log.1.gz:Dec 24 13:37:00 random_hostname kernel: microcode: Microcode Update Driver: v2.2.

You can tell that your system had its CPU microcode patched at boot if you also get the following line:

/var/log/kern.log.1.gz:Dec 24 13:37:00 random_hostname kernel: microcode: microcode updated early to revision $some_revision
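
A small check built on the two log lines shown above, as an added example that is not part of the original card: it extracts the running revision, notes whether the "updated early" line is present, and compares the revision against a minimum. The function names, the `MIN_REVISION` argument and the sample log are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: summarise the microcode lines from a kernel log.
# SAMPLE_LOG is constructed in the format shown above; hostname, date and
# revision values are illustrative only.
SAMPLE_LOG='Dec 24 13:37:00 random_hostname kernel: microcode: microcode updated early to revision 0x5003303
Dec 24 13:37:00 random_hostname kernel: microcode: sig=0x50657, pf=0x1, revision=0x5003303
Dec 24 13:37:00 random_hostname kernel: microcode: Microcode Update Driver: v2.2.'

HEX='0x[0-9a-fA-F][0-9a-fA-F]*'

# Print the last running revision reported on a "sig=..., revision=..." line.
running_revision() {
    sed -n "s/.*microcode: sig=.*revision=\($HEX\).*/\1/p" | tail -n 1
}

# Print the revision from the last "updated early" line, if there is one.
early_revision() {
    sed -n "s/.*microcode: microcode updated early to revision \($HEX\).*/\1/p" | tail -n 1
}

# Usage: <kernel log lines> | microcode_report MIN_REVISION
# MIN_REVISION is a hex value chosen by the operator (hypothetical policy input).
# Exit status: 0 = at or above minimum, 1 = below minimum, 2 = no revision found.
microcode_report() {
    min_rev=$1
    log=$(cat)
    rev=$(printf '%s\n' "$log" | running_revision)
    early=$(printf '%s\n' "$log" | early_revision)
    if [ -z "$rev" ]; then
        echo "unknown"
        return 2
    fi
    if [ -n "$early" ]; then src=patched-at-boot; else src=not-patched-at-boot; fi
    if [ $(($rev)) -lt $(($min_rev)) ]; then
        echo "outdated revision=$rev source=$src"
        return 1
    fi
    echo "ok revision=$rev source=$src"
}

# Run on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | microcode_report 0x5003303
```

On a real host, pipe the lines of a single boot into it, for example `zgrep -h microcode /var/log/kern.log | microcode_report 0x5003303`; across several rotated files the last matching line is not necessarily the newest.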

Where and how exactly does the microcode update happen?

The intel-microcode package uses a hook in the system's initrd. It patches the CPU before the rest of the operating system boots.

Emma Heinle
License
Source code in this card is licensed under the MIT License.