Apply CPU microcode updates for x86 devices
Intel and AMD provide CPU microcode updates that fix subtle CPU bugs and, more recently, are also required for various mitigations of CPU vulnerabilities (Spectre and related issues) to work. Normally these microcode updates are integrated into BIOS updates by the mainboard vendor. However, old "postmarket" devices often no longer receive BIOS updates, or the user simply does not install them. In that case the kernel cannot fully mitigate those vulnerabilities, because the mitigations it enables depend on microcode the CPU never received.
CPU microcode updates can also be applied by the kernel (see e.g. the explanations in the Arch Linux wiki: https://wiki.archlinux.org/title/Microcode). The most reliable approach is to load them very early during startup. For this, the microcode updates are packaged into a separate initrd that is loaded in addition to the main one supplied by the distro. In Alpine, this initrd is provided by the intel-ucode and amd-ucode packages.
Example usage with systemd-boot can be found on the pmOS wiki page for asus-me176c. device-asus-me176c has intel-ucode in depends, and the user is currently required to set up the systemd-boot configuration manually:
```
title postmarketOS
linux /vmlinuz-edge
initrd /intel-ucode.img
initrd /initramfs
options console=null
```
Note the extra initrd line with /intel-ucode.img.
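A practitioner will want to confirm that the extra initrd actually took effect rather than trusting the boot entry. The following POSIX shell script is an added example, not code from this issue, boot-deploy or pmaports: it checks that the kernel logged an early microcode update, that all cores report the same microcode revision, and that nothing under /sys/devices/system/cpu/vulnerabilities/ still reads "Vulnerable". The dmesg wording it matches on ("updated early") is an assumption based on the x86 microcode loader's log messages and may differ between kernel versions; the cpuinfo, dmesg and sysfs contents below are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the pmOS issue, boot-deploy or pmaports): verify after
# boot that the microcode initrd was applied and that no microcode-dependent
# mitigation is still missing.

# Print the distinct "microcode" revisions found in /proc/cpuinfo-style text on stdin.
# A properly early-loaded update gives exactly one revision across all cores.
ucode_revisions() {
    awk -F': *' '/^microcode[[:space:]]*:/ { print $2 }' | sort -u
}

# Exit 0 if dmesg-style text on stdin contains the early loader's success line.
# ASSUMPTION: both the Intel and AMD loaders include "updated early" in that
# message; older kernels word it differently, so adjust the pattern if needed.
ucode_updated_early() {
    grep -q 'microcode: .*updated early'
}

# Print the names of files under DIR whose status begins with "Vulnerable".
# On a live system DIR is /sys/devices/system/cpu/vulnerabilities.
vulnerable_entries() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $(cat "$f") in
            Vulnerable*) basename "$f" ;;
        esac
    done
}

# Combine the three checks; exit 0 only if everything looks right.
check_microcode_state() {
    cpuinfo=$1
    dmesg_text=$2
    vulndir=$3
    revs=$(printf '%s' "$cpuinfo" | ucode_revisions | awk 'END { print NR }')
    [ "$revs" -eq 1 ] || { echo "mixed or missing microcode revisions across cores"; return 1; }
    printf '%s' "$dmesg_text" | ucode_updated_early || { echo "no early microcode update logged"; return 1; }
    bad=$(vulnerable_entries "$vulndir")
    [ -z "$bad" ] || { echo "still vulnerable: $bad"; return 1; }
    echo "microcode loaded early, no unmitigated vulnerabilities reported"
}

# Constructed sample data standing in for /proc/cpuinfo and dmesg (not real captures).
SAMPLE_CPUINFO='processor	: 0
vendor_id	: GenuineIntel
microcode	: 0x838
processor	: 1
vendor_id	: GenuineIntel
microcode	: 0x838
'
SAMPLE_DMESG_GOOD='[    0.000000] microcode: updated early: 0x836 -> 0x838, date = 2019-04-23
[    0.123456] microcode: Microcode Update Driver: v2.2.
'
SAMPLE_DMESG_BAD='[    0.123456] microcode: Microcode Update Driver: v2.2.
'

# Build a fake vulnerabilities directory with constructed contents; $1 is the
# status text to place in the "mds" entry.
make_sample_vuln_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Not affected\n' > "$d/l1tf"
    printf '%s\n' "$1" > "$d/mds"
    echo "$d"
}

# Demonstration on the constructed samples. On a real device pass
# "$(cat /proc/cpuinfo)", "$(dmesg)" and /sys/devices/system/cpu/vulnerabilities instead.
good_dir=$(make_sample_vuln_dir 'Mitigation: Clear CPU buffers; SMT disabled')
bad_dir=$(make_sample_vuln_dir 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled')
check_microcode_state "$SAMPLE_CPUINFO" "$SAMPLE_DMESG_GOOD" "$good_dir" || true
check_microcode_state "$SAMPLE_CPUINFO" "$SAMPLE_DMESG_BAD" "$good_dir" || true
check_microcode_state "$SAMPLE_CPUINFO" "$SAMPLE_DMESG_GOOD" "$bad_dir" || true
rm -rf "$good_dir" "$bad_dir"
```

The third check is the one that matters for this issue: a device whose BIOS is outdated and whose boot entry lacks the microcode initrd will typically show a "Vulnerable ... no microcode" status for entries such as mds even though the kernel's mitigation code is present.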
It looks like asus-me176c is the only device port that automatically installs microcode updates at the moment. Ideally it should be installed on all x86 device ports, and in particular also the generic ones, to improve the boot/system reliability and security.
I noticed this while investigating using the systemd-boot support provided in boot-deploy for asus-me176c, in the context of !4446 (closed). From a quick look I didn't see an obvious way to make boot-deploy generate those extra initrd lines. So solving this issue would likely involve:
- Adding support for those extra initrd lines in boot-deploy
- Adjusting the generic x86 device ports to install and configure both intel-ucode and amd-ucode by default
- (Maybe) adjusting other x86 device ports to install the needed microcode updates by default
@craftyguy: I was wondering if you would be willing to investigate this further given that you're working on both the UEFI unification in !4446 (closed) and unifying the generic x86 device ports in !4554 (merged). I've started looking into the device specifics for asus-me176c, which needs this for parity with the current manual configuration, but I don't have enough time to investigate the necessary changes in boot-deploy/deviceinfo/... for the microcode stuff right now.