Microcode Update - only temporarily ?

[SvenTej]

Hey there,
I currently build up a testsystem with my "old" Intel XEON E3-1241 v3.

At startup the console states, that

L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.

I digged in a bit and checked the microcode version with

grep -E 'family|model|stepping|microcode' /proc/cpuinfo | head -

The output states it is 0x28

But if I boot wit PartedMagic and check the Haardware, the microcode is shown as 0x24

Where is my fault in thinking?
Is the update within PVE temporarily?
Any hints how I can update the MC to 0x28 permanently?

Regards
S.

 

[leesteken]

The microcode can indeed be updated temporarily during boot of the Linux kernel if the intel-microcode package is installed. If you want the latest version without depending on the installed kernel/firmware-package, you'll need a motherboard BIOS update (which loads the firmware before the operating system starts).

 

[Maximiliano]

Hello, please take a look at our documentation [1] for information on how to get microcode updates in Proxmox VE.

[1] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#sysadmin_firmware_cpu

 

[SvenTej]

Thanks to you 2,
As the MoBo manufacurer has no BIOS that is newer compared to the currently installed, I think the Linux kernel has to do the job.

So am I correct, that if

grep -E 'family|model|stepping|microcode' /proc/cpuinfo | head -

returns 0x28, the Linux kernel has installed a more recent microcode during runtime and I have nothing to do?

The documentation seems to describe, how to setup the update during runtime and as I have lines similar to this

# dmesg | grep microcode
[ 0.000000] microcode: microcode updated early to revision 0xf0, date = 2021-11-12
[ 0.896580] microcode: Microcode Update Driver: v2.2.

in the log, I should be fine, correct ?

 

[Sasha]

Guys, whould You clarify is this really necessary to install that microcode patch?
Last 10 years with proxmox I never think about it )))

WARN: The matching CPU microcode package 'intel-microcode' could not be found! Consider installing it to receive the latest security and bug fixes for your CPU.
Ensure you enable the 'non-free-firmware' component in the apt sources and run:
apt install intel-microcode

 

[packetmonkey]

Yes, this is how vulnerabilities in your CPU can be mitigated. Things like the Spectre / Meltdown and others since are addressed this way.

 

[Maximiliano]

Guys, whould You clarify is this really necessary to install that microcode patch?
Last 10 years with proxmox I never think about it )))

Hello, we recommend installing microcode updates but they are not required.

Since Proxmox VE 9 the non-free-firmware component is enabled by default and the microcode package comes installed as part of the installation, however older installations need to adapt to this (as part of the upgrade process, or when opting-in) by adding the repository and installing the package as described at our documentation [1].

[1] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_set_up_early_os_microcode_updates