Discussion:
Is the CPU microcode updated?
(too old to reply)
Franco Martelli
2024-09-24 19:40:01 UTC
Permalink
Hi everyone,

In the latest Debian's minor update (12.7) it was updated the
"amd64-microcode" package, during the update process a message that it
said: "The cpu microcode will be updated at the next reboot" was showed.

The issue is that I'm running an homemade Kernel image that it had the
CONFIG_MICROCODE_AMD item disabled by me mistakenly, so I'm not sure
that the microcode of my CPU was updated. Of course I've rebuild and
installed a new kernel with that item enabled before rebooting.

I've read the lscpu's man-page but I didn't find anything about the CPU
microcode version, the following command shows:

$ cat /proc/cpuinfo | grep microcode | head -1
microcode : 0x6000822

the value returned is from an updated microcode? How can I verify that
the microcode was updated or not?

Thanks for any hints, kind regards
--
Franco Martelli
Jeffrey Walton
2024-09-24 23:00:01 UTC
Permalink
Post by Franco Martelli
Hi everyone,
In the latest Debian's minor update (12.7) it was updated the
"amd64-microcode" package, during the update process a message that it
said: "The cpu microcode will be updated at the next reboot" was showed.
The issue is that I'm running an homemade Kernel image that it had the
CONFIG_MICROCODE_AMD item disabled by me mistakenly, so I'm not sure
that the microcode of my CPU was updated. Of course I've rebuild and
installed a new kernel with that item enabled before rebooting.
I've read the lscpu's man-page but I didn't find anything about the CPU
$ cat /proc/cpuinfo | grep microcode | head -1
microcode : 0x6000822
the value returned is from an updated microcode? How can I verify that
the microcode was updated or not?
I think the microcode can be updated at three different times in the
boot sequence. See
<https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/microcode-update-guidance.html>.

Jeff
Franco Martelli
2024-09-25 15:10:01 UTC
Permalink
Post by Jeffrey Walton
I think the microcode can be updated at three different times in the
boot sequence. See
<https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/microcode-update-guidance.html>.
To check whether is the latest microcode installed I followed the
instructions at the "Debugging" section:

https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/microcode-update-guidance.html#inpage-nav-1-2

but I've a AMD CPU not an Intel one, I tried the command reported in
that section, then adjusting it for AMD microcode:

~$ od -t x4 /lib/firmware/amd-ucode/microcode_amd_fam15h.bin
0000000 00414d44 00000000 00000040 00600f20
0000020 00000000 00000000 00006020 00610f01
0000040 00000000 00000000 00006101 00600f12
0000060 00000000 00000000 00006012 00000000
0000100 00000000 00000000 00000000 00000001
0000120 00000a20 02072018 0600063e 00008002
0000140 00000000 00000000 00000000 00006012
0000160 00000000 9a6f0301 4818af19 bafc759b
0000200 6fd1c6b5 236d9140 c65e7559 fc6c6c9c
<snip>

I don't know how to interpret the output, maybe that command doesn't
apply for AMD microcode, any hints?
Thanks
--
Franco Martelli
Jörg-Volker Peetz
2024-09-25 13:00:01 UTC
Permalink
What is the output of

sudo dmesg | grep -E '(microcode|model)'

?
This should show information about your CPU model and if its microcode is
actually updated.

Regards,
Jörg.
Franco Martelli
2024-09-25 15:10:01 UTC
Permalink
Post by Jörg-Volker Peetz
What is the output of
sudo dmesg | grep -E '(microcode|model)'
?
This should show information about your CPU model and if its microcode
is actually updated.
Regards,
Jörg.
It returns:

~# dmesg | grep -E '(microcode|model)'
[ 0.131534] smpboot: CPU0: AMD FX(tm)-8350 Eight-Core Processor
(family: 0x15, model: 0x2, stepping: 0x0)
[ 0.470751] microcode: microcode updated early to new
patch_level=0x06000852
[ 0.470889] microcode: CPU0: patch_level=0x06000852
[ 0.470968] microcode: CPU1: patch_level=0x06000852
[ 0.471078] microcode: CPU2: patch_level=0x06000852
[ 0.471166] microcode: CPU3: patch_level=0x06000852
[ 0.471276] microcode: CPU4: patch_level=0x06000852
[ 0.471360] microcode: CPU5: patch_level=0x06000852
[ 0.471438] microcode: CPU6: patch_level=0x06000852
[ 0.471523] microcode: CPU7: patch_level=0x06000852
[ 0.471627] microcode: Microcode Update Driver: v2.2.

Is the CPU updated to the latest microcode?
Thanks
--
Franco Martelli
Dan Ritter
2024-09-25 16:40:01 UTC
Permalink
Post by Franco Martelli
Post by Jörg-Volker Peetz
What is the output of
sudo dmesg | grep -E '(microcode|model)'
?
This should show information about your CPU model and if its microcode
is actually updated.
Regards,
Jörg.
~# dmesg | grep -E '(microcode|model)'
0x15, model: 0x2, stepping: 0x0)
[ 0.470751] microcode: microcode updated early to new
patch_level=0x06000852
[ 0.470889] microcode: CPU0: patch_level=0x06000852
[ 0.470968] microcode: CPU1: patch_level=0x06000852
[ 0.471078] microcode: CPU2: patch_level=0x06000852
[ 0.471166] microcode: CPU3: patch_level=0x06000852
[ 0.471276] microcode: CPU4: patch_level=0x06000852
[ 0.471360] microcode: CPU5: patch_level=0x06000852
[ 0.471438] microcode: CPU6: patch_level=0x06000852
[ 0.471523] microcode: CPU7: patch_level=0x06000852
[ 0.471627] microcode: Microcode Update Driver: v2.2.
Is the CPU updated to the latest microcode?
Yes.

Resources I needed to find that out for you:
https://www.cpu-world.com/cgi-bin/CPUID.pl?CPUID=22328

and

https://github.com/platomav/CPUMicrocodes/blob/master/AMD/cpu00600F20_ver06000852_2018-02-06_893C1544.bin

-dsr-
Franco Martelli
2024-09-25 19:40:01 UTC
Permalink
Post by Dan Ritter
Post by Franco Martelli
Is the CPU updated to the latest microcode?
Yes.
https://www.cpu-world.com/cgi-bin/CPUID.pl?CPUID=22328
Thank you for the time you spent for me
Post by Dan Ritter
and
https://github.com/platomav/CPUMicrocodes/blob/master/AMD/cpu00600F20_ver06000852_2018-02-06_893C1544.bin
So the CPU's microcode currently installed is dated February 2018, am I
right?
What I'm looking for it was a procedure to discover if the CPU's
microcode is synced with that provided by "amd64-microcode" package.
Like that posted by Jeffrey Walton:

https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/best-practices/microcode-update-guidance.html#inpage-nav-1-2

But for AMD CPU, that post it was for Intel CPU.

If you haven't installed "amd64-microcode" package it contains:

~$ dpkg -L amd64-microcode
/.
/etc
/etc/default
/etc/default/amd64-microcode
/etc/modprobe.d
/etc/modprobe.d/amd64-microcode-blacklist.conf
/lib
/lib/firmware
/lib/firmware/amd
/lib/firmware/amd/amd_sev_fam17h_model0xh.sbin
/lib/firmware/amd/amd_sev_fam17h_model3xh.sbin
/lib/firmware/amd/amd_sev_fam19h_model0xh.sbin
/lib/firmware/amd/amd_sev_fam19h_model1xh.sbin
/lib/firmware/amd/amd_sev_fam19h_modelaxh.sbin
/lib/firmware/amd-ucode
/lib/firmware/amd-ucode/microcode_amd.bin
/lib/firmware/amd-ucode/microcode_amd_fam15h.bin
/lib/firmware/amd-ucode/microcode_amd_fam16h.bin
/lib/firmware/amd-ucode/microcode_amd_fam17h.bin
/lib/firmware/amd-ucode/microcode_amd_fam19h.bin
/lib/firmware/amdtee
/lib/firmware/amdtee/773bd96f-b83f-4d52-b12dc529b13d8543.bin
/usr
/usr/share
/usr/share/doc
/usr/share/doc/amd64-microcode
/usr/share/doc/amd64-microcode/NEWS.Debian.gz
/usr/share/doc/amd64-microcode/README.Debian
/usr/share/doc/amd64-microcode/README.gz
/usr/share/doc/amd64-microcode/changelog.gz
/usr/share/doc/amd64-microcode/copyright
/usr/share/initramfs-tools
/usr/share/initramfs-tools/hooks
/usr/share/initramfs-tools/hooks/amd64_microcode
/lib/firmware/amdtee/amd_pmf_v3.bin

The file that contains the microcode for my CPU is dated April 2022:

$ LANG=C ls -l /lib/firmware/amd-ucode/microcode_amd_fam15h.bin
-rw-r--r-- 1 root root 7876 Apr 15 2022
/lib/firmware/amd-ucode/microcode_amd_fam15h.bin

So why you are sure that the microcode dated 2018 is the latest?
Thanks again
--
Franco Martelli
Dan Ritter
2024-09-25 20:10:01 UTC
Permalink
Post by Franco Martelli
Post by Dan Ritter
Post by Franco Martelli
Is the CPU updated to the latest microcode?
Yes.
https://www.cpu-world.com/cgi-bin/CPUID.pl?CPUID=22328
Thank you for the time you spent for me
Post by Dan Ritter
and
https://github.com/platomav/CPUMicrocodes/blob/master/AMD/cpu00600F20_ver06000852_2018-02-06_893C1544.bin
So the CPU's microcode currently installed is dated February 2018, am I
right?
Correct. And it is not surprising, because AMD hasn't produced a
chip with that core since 2015.
Post by Franco Martelli
What I'm looking for it was a procedure to discover if the CPU's microcode
is synced with that provided by "amd64-microcode" package. Like that posted
Doesn't matter: it has the latest available from AMD, and either
amd64-microcode has the same version, or it has an earlier
version -- which is unlikely.

-dsr-
Michel Verdier
2024-09-26 08:40:01 UTC
Permalink
Post by Franco Martelli
$ LANG=C ls -l /lib/firmware/amd-ucode/microcode_amd_fam15h.bin
-rw-r--r-- 1 root root 7876 Apr 15 2022
/lib/firmware/amd-ucode/microcode_amd_fam15h.bin
Same for me. And :

# dpkg -l amd64-microcode
ii amd64-microcode 3.20240820.1~deb12u1 amd64 Platform firmware and microcode for AMD CPUs and SoCs

But I got :

# cat /proc/cpuinfo | grep microcode
microcode : 0xa601206
[x cpu nb]
Post by Franco Martelli
The issue is that I'm running an homemade Kernel image that it had the
CONFIG_MICROCODE_AMD item disabled by me mistakenly, so I'm not sure that the
microcode of my CPU was updated. Of course I've rebuild and installed a new
kernel with that item enabled before rebooting.
I also build my custom kernel. I use sources from 6.10.6-1~bpo12+1. I
have no CONFIG_MICROCODE_AMD but a CONFIG_MICROCODE set by
CONFIG_CPU_SUP_AMD. Which kernel version do you use ?
Franco Martelli
2024-09-26 13:40:02 UTC
Permalink
Post by Michel Verdier
Post by Franco Martelli
$ LANG=C ls -l /lib/firmware/amd-ucode/microcode_amd_fam15h.bin
-rw-r--r-- 1 root root 7876 Apr 15 2022
/lib/firmware/amd-ucode/microcode_amd_fam15h.bin
# dpkg -l amd64-microcode
ii amd64-microcode 3.20240820.1~deb12u1 amd64 Platform firmware and microcode for AMD CPUs and SoCs
I've the same package:

ii amd64-microcode 3.20240820.1~deb12u1 amd64 Platform firmware
and microcode for AMD CPUs and SoCs
Post by Michel Verdier
# cat /proc/cpuinfo | grep microcode
microcode : 0xa601206
[x cpu nb]
If you have the same CPU this is really unusual, likely you have a newer
CPU, I've a:

~$ grep "model name" /proc/cpuinfo | head -1
model name : AMD FX(tm)-8350 Eight-Core Processor
Post by Michel Verdier
Post by Franco Martelli
The issue is that I'm running an homemade Kernel image that it had the
CONFIG_MICROCODE_AMD item disabled by me mistakenly, so I'm not sure that the
microcode of my CPU was updated. Of course I've rebuild and installed a new
kernel with that item enabled before rebooting.
I also build my custom kernel. I use sources from 6.10.6-1~bpo12+1. I
have no CONFIG_MICROCODE_AMD but a CONFIG_MICROCODE set by
CONFIG_CPU_SUP_AMD. Which kernel version do you use ?
The one provided by Debian 12.7:

$ LANG=C dpkg -l linux-source-6.1
Desired=Unknown/Install/Remove/Purge/Hold
|
Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-================-============-============-=======================================================
ii linux-source-6.1 6.1.106-3 all Linux kernel source for
version 6.1 with Debian patches

Me too I've CONFIG_CPU_SUP_AMD but looking at the help page it doesn't
select anything.
--
Franco Martelli
Jörg-Volker Peetz
2024-09-26 13:00:02 UTC
Permalink
Hi Franco,
Post by Franco Martelli
Post by Jörg-Volker Peetz
What is the output of
sudo dmesg | grep -E '(microcode|model)'
?
This should show information about your CPU model and if its microcode is
actually updated.
Regards,
Jörg.
~# dmesg | grep -E '(microcode|model)'
0x15, model: 0x2, stepping: 0x0)
[    0.470751] microcode: microcode updated early to new patch_level=0x06000852
[    0.470889] microcode: CPU0: patch_level=0x06000852
<snip>

A new microcode for your CPU should be inside of

/usr/lib/firmware/amd-ucode/microcode_amd_fam15h.bin

since it says 'family: 0x15' in your output.
There is a little program on https://github.com/AMDESE/amd_ucode_info to look
into the microcode file. For the package amd64-microcode on Debian testing
version 3.20240820.1 it yields:

$ amd_ucode_info.py /usr/lib/firmware/amd-ucode/microcode_amd_fam15h.bin
Microcode patches in xx/usr/lib/firmware/amd-ucode/microcode_amd_fam15h.bin:
Family=0x15 Model=0x01 Stepping=0x02: Patch=0x0600063e Length=2592 bytes
Family=0x15 Model=0x02 Stepping=0x00: Patch=0x06000852 Length=2592 bytes
Family=0x15 Model=0x10 Stepping=0x01: Patch=0x06001119 Length=2592 bytes

So yes, your CPU microcode is up-to-date.

Regards,
Jörg.
Loading...