What is correct way to install ... intel-microcode ?

In general, it is recommended, as often they patch security issues or the like - was somewhat the case with meltdown/spectre two years ago.

But, it can also make problems when getting fresh updates. Debian normally catches most of them and avoid releasing it to the repositories. Very old CPU models won't get any updates in the code itself.

If it does not make problems, I'd keep it installed.
 
  • Like
Reactions: chudak
In general, it is recommended, as often they patch security issues or the like - was somewhat the case with meltdown/spectre two years ago.

But, it can also make problems when getting fresh updates. Debian normally catches most of them and avoid releasing it to the repositories. Very old CPU models won't get any updates in the code itself.

If it does not make problems, I'd keep it installed.

Thanks!

I am a little confused, added repos as:

Code:
deb-src http://security.debian.org/ buster/updates main contrib non-free
deb  http://deb.debian.org/debian buster main contrib non-free
deb-src  http://deb.debian.org/debian buster main contrib non-free
deb http://deb.debian.org/debian buster-backports main

Installed intel-microcode

But running

Code:
root@pve:~# apt-get install -t stable-backports intel-microcode
Reading package lists... Done
E: The value 'stable-backports' is invalid for APT::Default-Release as such a release is not available in the sources

How do I test it ? Or its good as is ?
 
Code:
deb-src http://security.debian.org/ buster/updates main contrib non-free
deb  http://deb.debian.org/debian buster main contrib non-free
deb-src  http://deb.debian.org/debian buster main contrib non-free
deb http://deb.debian.org/debian buster-backports main

Change the deb-src to deb.
 
Done that and still @LnxBil

Code:
root@pve:~# apt-get install -t stable-backports intel-microcode --dry-run
Reading package lists... Done
W: Target Packages (main/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list:6 and /etc/apt/sources.list:10
W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:6 and /etc/apt/sources.list:10
W: Target Translations (main/i18n/Translation-en_US) is configured multiple times in /etc/apt/sources.list:6 and /etc/apt/sources.list:10
W: Target Translations (main/i18n/Translation-en) is configured multiple times in /etc/apt/sources.list:6 and /etc/apt/sources.list:10
W: Target Packages (contrib/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list:6 and /etc/apt/sources.list:10
W: Target Packages (contrib/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:6 and /etc/apt/sources.list:10
W: Target Translations (contrib/i18n/Translation-en_US) is configured multiple times in /etc/apt/sources.list:6 and /etc/apt/sources.list:10
W: Target Translations (contrib/i18n/Translation-en) is configured multiple times in /etc/apt/sources.list:6 and /etc/apt/sources.list:10
W: Target Packages (main/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list:11 and /etc/apt/sources.list:12
W: Target Packages (main/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:11 and /etc/apt/sources.list:12
W: Target Translations (main/i18n/Translation-en_US) is configured multiple times in /etc/apt/sources.list:11 and /etc/apt/sources.list:12
W: Target Translations (main/i18n/Translation-en) is configured multiple times in /etc/apt/sources.list:11 and /etc/apt/sources.list:12
W: Target Packages (contrib/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list:11 and /etc/apt/sources.list:12
W: Target Packages (contrib/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:11 and /etc/apt/sources.list:12
W: Target Translations (contrib/i18n/Translation-en_US) is configured multiple times in /etc/apt/sources.list:11 and /etc/apt/sources.list:12
W: Target Translations (contrib/i18n/Translation-en) is configured multiple times in /etc/apt/sources.list:11 and /etc/apt/sources.list:12
W: Target Packages (non-free/binary-amd64/Packages) is configured multiple times in /etc/apt/sources.list:11 and /etc/apt/sources.list:12
W: Target Packages (non-free/binary-all/Packages) is configured multiple times in /etc/apt/sources.list:11 and /etc/apt/sources.list:12
W: Target Translations (non-free/i18n/Translation-en_US) is configured multiple times in /etc/apt/sources.list:11 and /etc/apt/sources.list:12
W: Target Translations (non-free/i18n/Translation-en) is configured multiple times in /etc/apt/sources.list:11 and /etc/apt/sources.list:12
E: The value 'stable-backports' is invalid for APT::Default-Release as such a release is not available in the sources
 
the error message are clear to me.

=> fix you sources.list entries, all information is listed
 

you need contrib and non-free here:

deb http://deb.debian.org/debian buster-backports main contrib non-free

And as you configure buster-backports, you need to install from buster-backports (and not from stable-backports):

apt-get install -t buster-backports intel-microcode
 
  • Like
Reactions: Moxxorp and chudak

Updating CPU microcode within Debian (Intel or AMD)​


Note: before you install the microcode update packages in a computer for the first time, it is recommended that you check your system's vendor support site for BIOS/UEFI updates for your system and apply those. By ensuring the computer's BIOS/UEFI is up-to-date, you will reduce the chances of problems with the microcode update (which are very low, but not zero) and also fix other firmware bugs unrelated to microcode.

Please install the amd64-microcode package (for systems with AMD AMD64 processors), or the intel-microcode package (for systems with Intel processors). You will have to enable both contrib and non-free in /etc/apt/sources.list.

Microcode updates are only applied at boot, so you have to reboot to activate them. You will have to keep the packages installed as explained above: the microcode updates have to be reapplied at every boot.

Updated Microcode for Debian 11.0 version
# check your version at your HOST use Shell with Proxmox on each separate node to update. This method will work only if you have Debian 9 or newer:

Code:
cat /etc/os-release

For Debian 11.0 version

Code:
cd /
cd /etc/apt/
ls
nano sources.list

# copy and paste this code block for Debian 11 only (no more Buster) it's Bullseye:cool:
Source packages (#deb-src) are needed only if you want to compile some package yourself, or inspect the source code for a bug.

Code:
#Debian 11 - Official Sources List
deb http://security.debian.org/debian-security bullseye-security main contrib


#Debian 11 - Contrib & Non-Free
deb http://deb.debian.org/debian bullseye main contrib non-free
deb http://deb.debian.org/debian bullseye-updates main contrib non-free


#Debian 11 - PVE no-subscription NOT recommended for production use
deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription


#Add Backports
deb http://deb.debian.org/debian bullseye-backports main contrib non-free

CTRL
X
Y
Enter



# For INTEL CPU(s)
Note that you need to explicitly install the package from backports. After the first install from backports, the system should remain updating microcode packages from backports until the next point release that supersedes them.

Code:
apt-get update
Code:
apt-get install -t bullseye-backports intel-microcode
Code:
apt-get upgrade -t bullseye-backports intel-microcode

#Do you want to continue?
[Y/n] y

#Verify that the microcode was updated on boot or reloaded:
Code:
grep 'stepping\|model\|microcode' /proc/cpuinfo
OR
Code:
cat /proc/cpuinfo | grep microcode | sort | uniq
or
Code:
dmesg | grep microcode


#Check link below for latest microcode that Debian has up
Debian Package intel-microcode
DebianBullseye Microcode.png
#Upgrade again to see if Matches what Debian has listed Currently intel-microcode (3.20210608.2)

apt-get upgrade -t bullseye intel-microcode

#Check link below for latest microcode TRACKER that Debian has up
https://tracker.debian.org/pkg/intel-microcode
https://salsa.debian.org/hmh/intel-microcode
# check CPU Details
Code:
lscpu
#To check Log files
Code:
dmesg | grep "microcode updated early to"
journalctl -b -k | grep "microcode updated early to"
zgrep "microcode updated early to" /var/log/kern.log*

#After Booting check
Code:
dmesg | grep microcode
----------------------------------------------------------------------------------------------------------------------

After updating Microcode Run Spectre-Meltdown Checker​

https://github.com/speed47/spectre-meltdown-checker

---------------------------------------------------------------------------------------------------------------------
#We are using a temp directory "tmp" meaning install it all over again and again. Plus we are going to read the open source code!
Code:
cd /tmp
Code:
wget https://meltdown.ovh -O spectre-meltdown-checker.sh
Code:
nano spectre-meltdown-checker.sh
Code:
chmod +x spectre-meltdown-checker.sh
sudo ./spectre-meltdown-checker.sh
---------------------------------------------------------------------------------------------------------------------
Hope this helped you :)
12-toy-story-2.jpg
 
Last edited:

Updating CPU microcode within Debian (Intel or AMD)​


Note: before you install the microcode update packages in a computer for the first time, it is recommended that you check your system's vendor support site for BIOS/UEFI updates for your system and apply those. By ensuring the computer's BIOS/UEFI is up-to-date, you will reduce the chances of problems with the microcode update (which are very low, but not zero) and also fix other firmware bugs unrelated to microcode.

Please install the amd64-microcode package (for systems with AMD AMD64 processors), or the intel-microcode package (for systems with Intel processors). You will have to enable both contrib and non-free in /etc/apt/sources.list.

Microcode updates are only applied at boot, so you have to reboot to activate them. You will have to keep the packages installed as explained above: the microcode updates have to be reapplied at every boot.

Updated Microcode for Debian 11.0 version
# check your version at your HOST use Shell with Proxmox on each separate node to update. This method will work only if you have Debian 9 or newer:

Code:
cat /etc/os-release

For Debian 11.0 version

Code:
cd /
cd /etc/apt/
ls
nano sources.list

# copy and paste this code block for Debian 11 only (no more Buster) it's Bullseye:cool:
Source packages (#deb-src) are needed only if you want to compile some package yourself, or inspect the source code for a bug.

Code:
#Debian 11 - Official Sources List
deb http://security.debian.org/debian-security bullseye-security main contrib


#Debian 11 - Contrib & Non-Free
deb http://deb.debian.org/debian bullseye main contrib non-free
deb http://deb.debian.org/debian bullseye-updates main contrib non-free


#Debian 11 - PVE no-subscription NOT recommended for production use
deb http://download.proxmox.com/debian/pve bullseye pve-no-subscription


#Add Backports
deb http://deb.debian.org/debian bullseye-backports main contrib non-free

CTRL
X
Y
Enter



# For INTEL CPU(s)
Note that you need to explicitly install the package from backports. After the first install from backports, the system should remain updating microcode packages from backports until the next point release that supersedes them.

Code:
apt-get update
Code:
apt-get install -t bullseye-backports intel-microcode
Code:
apt-get upgrade -t bullseye-backports intel-microcode

#Do you want to continue?
[Y/n] y

#Verify that the microcode was updated on boot or reloaded:
Code:
grep 'stepping\|model\|microcode' /proc/cpuinfo
OR
Code:
cat /proc/cpuinfo | grep microcode | sort | uniq
or
Code:
dmesg | grep microcode


#Check link below for latest microcode that Debian has up
Debian Package intel-microcode
View attachment 29991
#Upgrade again to see if Matches what Debian has listed Currently intel-microcode (3.20210608.2)

apt-get upgrade -t bullseye intel-microcode

#Check link below for latest microcode TRACKER that Debian has up
https://tracker.debian.org/pkg/intel-microcode
https://salsa.debian.org/hmh/intel-microcode
# check CPU Details
Code:
lscpu
#To check Log files
Code:
dmesg | grep "microcode updated early to"
journalctl -b -k | grep "microcode updated early to"
zgrep "microcode updated early to" /var/log/kern.log*

#After Booting check
Code:
dmesg | grep microcode
----------------------------------------------------------------------------------------------------------------------

After updating Microcode Run Spectre-Meltdown Checker​

https://github.com/speed47/spectre-meltdown-checker

---------------------------------------------------------------------------------------------------------------------
#We are using a temp directory "tmp" meaning install it all over again and again. Plus we are going to read the open source code!
Code:
cd /tmp
Code:
wget https://meltdown.ovh -O spectre-meltdown-checker.sh
Code:
nano spectre-meltdown-checker.sh
Code:
chmod +x spectre-meltdown-checker.sh
sudo ./spectre-meltdown-checker.sh
---------------------------------------------------------------------------------------------------------------------
Hope this helped you :)
View attachment 30078
 
Why does it need to be upgraded via backports? I have upgraded it without having them. I am not questioning your knowledge, just trying to understand why. Thanks!
 
Why does it need to be upgraded via backports? I have upgraded it without having them. I am not questioning your knowledge, just trying to understand why. Thanks!
Debian does not update packages to newer versions (unless they are security or important bug fixes) for their releases. The firmware updates are seen totally new versions (because it is unclear what changes in each version) and are therefore destined for the backports repository.

PS: If there are any people here actually involved in the Debian project, please correct me if I misinterpreted Debian's stance on this,.
 
No, please do NOT enable the unstable repo!

I think it's okay to enable the unstable repo.

According to the toturial, packages except microcode packages from the Unstable repository have lower priority than packages from the stable repository.
Only microcode packages will install from unstable repo.

Code:
#/etc/apt/preferences.d/unstable-repo

# lower the priority
Package: *
Pin: release o=Debian,a=unstable
Pin-Priority: 10

# allow upgrading microcode
Package: intel-microcode
Pin: release o=Debian,a=unstable
Pin-Priority: 500
Package: amd64-microcode
Pin: release o=Debian,a=unstable
Pin-Priority: 500
 
Last edited:
I think it's okay to enable the unstable repo.
There is a reason why they call the repo unstable. This is only for experts and not a general recommendation.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!