Proxmox VE 8.0+ cpu microcode

[andy66]

Just a quick question: After updating / patchung the microcode, do we need to remove non-free-firmware from the sources again or can it be stay there?

 

[t.lamprecht]

Just a quick question: After updating / patchung the microcode, do we need to remove non-free-firmware from the sources again or can it be stay there?

It can stay there, as that way you continue to get future microcode updates through your normal package update flow.

 

[andy66]

It can stay there, as that way you continue to get future microcode updates through your normal package update flow.

Perfect, thank you for the quick response, appreciate that!

 

[JoshoSAI]

I'll chime in on this as I've just been updating my new PVE cluster (hosting Intel's 13th gen i9-13900 CPU) and 1 of the 3 nodes is unstable.
PVE installed version 8.2 came with kernel 6.8.4-2-pve.

I added the debian non-free-firmware repo to /etc/apt/sources.list (as explained above) then installed the following additional packages on my 3 new PVE nodes

apt update && \
apt install -y \
proxmox-secure-boot-support \
fwupd \
udisks2 \
udisks2-bcache \
udisks2-zram \
udisks2-lvm2 \
udisks2-btrfs \
intel-microcode && \
apt full-upgrade -y

After the above packages were installed, the following file was created. (also, not all the above packages were for upgrading the CPU microcode, but other firmware updates were required)
/etc/modprobe.d/intel-microcode-blacklist.conf

cat /etc/modprode.d/intel-microcode-blacklist.conf
# The microcode module attempts to apply a microcode update when
# it autoloads.  This is not always safe, so we block it by default.
blacklist microcode

The blacklist microcode line would, I believe, be inhibiting microcode "late" updates. The microcode for my Intel i9-13900 updated to version 0x123.

journalctl -k --grep=microcode
Aug 09 10:52:36 pve02 kernel: microcode: Current revision: 0x00000123
Aug 09 10:52:36 pve02 kernel: microcode: Updated early from: 0x0000011e

Point to note and slightly off-topic.
The recent Intel 13th and 14th gen CPU fix (MSI mobo's early release) is to apply Intel microcode 0x129. This "backs off" the CPU performance but stops the CPU's from failing with their voltage problem. Apparently CPU's in an already unstable state need to be replaced

 

[patch]

We will evaluate if it's practicable and workable to upload the microcode packages to our repositories too in the future, as that would be compatible with having the non-free-firmware repository added anyway.

The difference is what Proxmox Server Solutions GmbH is saying about what is most appropriate for most Proxmox installations.

• If most proxomox installations should have their processor microcode patched then Proxmox should have it in their repro or included in the default repros for Proxmox installations
• If routine Proxmox software testing is done with processor microcode fully patched then again Proxmox should have it in their repro or included in the default repros for Proxmox installations
• If neither of the above is the case then the microcode repro should NOT be in the default repro and users should ONLY add it at their own risk when as specific fault is encountered

It is not at all clear to me what Proxmox Server Solutions GmbH is say here

 

[Unspec]

Is it normal for microcode version to show as 0xf0 in Proxmox if the intel-microcode package doesn't actually have microcode that is newer than what is already on the MB?