Microcode Update - only temporary?

Sep 11, 2025
Hey there,
I am currently building a test system with my "old" Intel XEON E3-1241 v3.

At startup the console states that
L1TF CPU bug present and SMT on, data leak possible. See CVE-2018-3646 and https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html for details.

I dug in a bit and checked the microcode version with
grep -E 'family|model|stepping|microcode' /proc/cpuinfo | head -

The output states it is 0x28

But if I boot with PartedMagic and check the hardware, the microcode is shown as 0x24

Where is the flaw in my thinking?
Is the update within PVE temporary?
Any hints how I can update the MC to 0x28 permanently?

Regards
S.
 
The microcode can indeed be updated temporarily during boot of the Linux kernel if the intel-microcode package is installed. If you want the latest version without depending on the installed kernel/firmware-package, you'll need a motherboard BIOS update (which loads the firmware before the operating system starts).
 
Thanks to you 2,
As the MoBo manufacturer has no BIOS that is newer than the one currently installed, I think the Linux kernel has to do the job.

So am I correct, that if
grep -E 'family|model|stepping|microcode' /proc/cpuinfo | head -
returns 0x28, the Linux kernel has installed a more recent microcode during runtime and I have nothing to do?

The documentation seems to describe how to set up the update during runtime, and as I have lines similar to this
# dmesg | grep microcode
[ 0.000000] microcode: microcode updated early to revision 0xf0, date = 2021-11-12
[ 0.896580] microcode: Microcode Update Driver: v2.2.
in the log, I should be fine, correct?
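
The check discussed in the posts above, as an added example that is not part of the original thread: it compares the running revision from a cpuinfo-format file with the "updated early" line in a kernel log to tell whether the kernel or the firmware supplied the running microcode. The function names and the sample files are assumptions constructed for illustration, and only the log line format quoted in the post is parsed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): who supplied the running microcode?

# running_revision FILE: microcode revision of the first CPU in a cpuinfo-format file.
running_revision() {
    awk -F': *' '/^microcode/ { print $2; exit }' "$1"
}

# early_revision FILE: revision from the kernel's "updated early" log line,
# empty if the log has no such line. Other kernels may word this line differently.
early_revision() {
    sed -n 's/.*microcode updated early to revision \(0x[0-9a-fA-F]*\).*/\1/p' "$1" | head -n 1
}

# microcode_source CPUINFO DMESG: prints "kernel REV" when the kernel loaded the
# running revision at boot, "firmware REV" when no early-load line exists (the
# revision is the one the BIOS/UEFI applied), or "mismatch RUNNING EARLY".
microcode_source() {
    local running early
    running=$(running_revision "$1")
    early=$(early_revision "$2")
    if [ -z "$running" ]; then
        echo "unknown"; return 1
    fi
    if [ -z "$early" ]; then
        echo "firmware $running"
    elif [ $((running)) -eq $((early)) ]; then
        echo "kernel $running"
    else
        echo "mismatch $running $early"
    fi
}

# Constructed sample input: cpuinfo with the 0x28 revision reported in the post,
# a log line in the quoted format (the date is made up), and an empty log.
write_samples() {
    printf 'processor\t: 0\nmicrocode\t: 0x28\n' > "$1/cpuinfo"
    printf '[    0.000000] microcode: microcode updated early to revision 0x28, date = 2000-01-01\n' > "$1/dmesg"
    : > "$1/dmesg.none"
}

tmp=$(mktemp -d)
write_samples "$tmp"
microcode_source "$tmp/cpuinfo" "$tmp/dmesg"        # kernel 0x28
microcode_source "$tmp/cpuinfo" "$tmp/dmesg.none"   # firmware 0x28
rm -rf "$tmp"
```

On a live host, save the kernel log with `dmesg > /tmp/dmesg.txt` and call `microcode_source /proc/cpuinfo /tmp/dmesg.txt`.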
 
Guys, would you clarify whether it is really necessary to install that microcode patch?
In the last 10 years with Proxmox I never thought about it )))
WARN: The matching CPU microcode package 'intel-microcode' could not be found! Consider installing it to receive the latest security and bug fixes for your CPU.
Ensure you enable the 'non-free-firmware' component in the apt sources and run:
apt install intel-microcode
 
Yes, this is how vulnerabilities in your CPU can be mitigated. Things like the Spectre / Meltdown and others since are addressed this way.