[Howto] Create and use AMD microcodes with grub2 bootloader
aus9:
Warning: try at own risk
Introduction
ARM processor users can ignore this post as
--- Quote ---An Arm processor SNIP does not use digital microcode SNIP
--- End quote ---
https://www.zdnet.com/article/arm-processors-everything-you-need-to-know-now/
Bios updates are preferred over using early loading microcodes
Microcodes are useful if motherboard maker has no recent bios updates or
third party bios maker reluctant to provide updates or
you may be reluctant to flash bios as you may be concerned you might "brick" your motherboard.
Some motherboards can have dual bios setups YMMV
Kernel series 6.1 and higher no longer allow late loading of microcodes.
--- Quote ---With kernel version 6.1 a late microcode loading is not possible anymore because it is now disabled by default
--- End quote ---
https://wiki.gentoo.org/wiki/Microcode
Why else is it important to use early loading microcodes?
--- Quote ---Loading microcode early can fix CPU issues before they are observed during kernel boot time
--- End quote ---
https://www.kernel.org/doc/html/v5.18/x86/microcode.html
Contents
Post 2 create AMD all current microcodes
Post 3 create AMD microcode for your CPU family
Where possible I include a command and my output in a quote box. I use a quote box
to make certain links scrollable
Research current bios microcodes.
--- Code: ---grep microcode /proc/cpuinfo
--- End code ---
--- Quote ---grep microcode /proc/cpuinfo
microcode : 0x8108109
microcode : 0x8108109
microcode : 0x8108109
microcode : 0x8108109
--- End quote ---
The duplication of microcodes means 4 cores.
I also used
https://wiki.archlinux.org/title/microcode
Note that early loading microcodes reside in RAM so are lost on shutdown or reboot.
They can not update your bios firmware. But you can regain them by using the same bootloader menu.
If you are too lazy to have multiple boot loader menus, you could try
a live edit of bootloader to disable microcodes from *ucode image
--- Quote ---dis_ucode_ldr
--- End quote ---
Proof boot code worked can be seen by not giving any hits for
--- Code: ---dmesg | grep microcode
--- End code ---
Note that boot code needs underscores and fails with hyphens.
For those migrating from persistent file distros, we do not use
--- Code: ---sudo update-initramfs -u
--- End code ---
to embed microcodes into our core or rootfs
Research to see if you can use an early loading
microcode for your CPU
step 1
Identify your AMD cpu family
--- Code: ---grep -F -m 1 "cpu family" /proc/cpuinfo
--- End code ---
--- Quote ---cpu family :23
--- End quote ---
step 2
check link for possible matches
https://wiki.gentoo.org/wiki/AMD_microcode#Microcode_firmware_files
decimal 23 becomes 17 hexadecimal (=17h)
17h has 3 possible firmware but only one is Ryzen so...
step 3 if needed for 17h or 19h....one way to check
--- Code: ---tce-load -w -i inxi
inxi -Cxxx
--- End code ---
--- Quote ---inxi -Cxxx
CPU:
Info: quad core model: AMD Ryzen 3 3200G with Radeon Vega Graphics bits: 64
type: MCP smt: <unsupported> arch: Zen/Zen+ note: check rev: 1 cache:
--- End quote ---
step 4 If still unsure start a new forum post
I suggest you post inxi -Cxxx and inxi -Mxxx
--- Quote ---inxi -Mxxx
Machine:
Type: Desktop Mobo: Micro-Star model: B450 GAMING PLUS MAX (MS-7B86) v: 3.0
serial: <superuser required> BIOS: American Megatrends LLC. v: H.C0
date: 05/17/2021
--- End quote ---
You can not use early loading unless your current CPU falls under family
15h to 19h
aus9:
Create and use all available AMD microcodes
LIST1 may need more if members find my errors.
LIST2 will need new AMD families added at a later date.
Not sure why no family 18 at this stage. Maybe only for Windows 9? ;)
run command as a local user (not root) please
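--- Code: ---cat > ~/.local/bin/allamd.sh <<'EOF'
#!/bin/sh
# Build an early-loading AMD microcode image (amd-ucode.img) in /tmp.
# tce-load must not run as root, so drop to the Tiny Core user for it.
USER=`cat /etc/sysconfig/tcuser`
LIST1="file libarchive "
for Z in $LIST1
do
su -c "tce-load -w $Z" $USER
su -c "tce-load -i $Z" $USER
done
echo 'provides bsdcpio and file commands'
cd /tmp || exit 1
echo 'cleaning tmp of any microcodes and any old kernel dir'
rm -rf *amd*bin kernel
DIR=kernel/x86/microcode
mkdir -p $DIR
echo 'downloading git microcodes'
# /plain/ serves the raw file; /tree/ returns an HTML page describing it
URL=https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/amd-ucode
M=microcode_amd_fam
LIST2="15h 16h 17h 19h "
for Z in $LIST2
do
# --no-check-certificate turns off TLS verification of the download
su -c "wget -nc --no-check-certificate $URL/$M$Z.bin" $USER
done
# concatenate the downloaded containers (they are in /tmp, not in $DIR)
cat microcode_amd*.bin > $DIR/AuthenticAMD.bin
# pack that single path as a newc cpio archive owned by root
echo $DIR/AuthenticAMD.bin | bsdcpio -o -H newc -R 0:0 > amd-ucode.img
file amd-ucode.img
EOF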
--- End code ---
Make it executable
--- Code: ---chmod 755 ~/.local/bin/allamd.sh
--- End code ---
Now run it ( I have already downloaded and installed TCEs
to reduce lines of output)
--- Code: ---sudo allamd.sh
--- End code ---
--- Quote ---sudo allamd.sh
file is already downloaded.
file is already installed!
libarchive is already downloaded.
libarchive is already installed!
provides bsdcpio and file commands
cleaning tmp of any microcodes and any old kernel dir
downloading git microcodes
Connecting to git.kernel.org (145.40.73.55:443)
saving to 'microcode_amd_fam15h.bin'
microcode_amd_fam15h 100% |******************************************************************************| 56327 0:00:00 ETA
'microcode_amd_fam15h.bin' saved
Connecting to git.kernel.org (145.40.73.55:443)
saving to 'microcode_amd_fam16h.bin'
microcode_amd_fam16h 100% |******************************************************************************| 27188 0:00:00 ETA
'microcode_amd_fam16h.bin' saved
Connecting to git.kernel.org (145.40.73.55:443)
saving to 'microcode_amd_fam17h.bin'
microcode_amd_fam17h 100% |******************************************************************************| 68327 0:00:00 ETA
'microcode_amd_fam17h.bin' saved
Connecting to git.kernel.org (145.40.73.55:443)
saving to 'microcode_amd_fam19h.bin'
microcode_amd_fam19h 100% |******************************************************************************| 112k 0:00:00 ETA
'microcode_amd_fam19h.bin' saved
1 block
amd-ucode.img: ASCII cpio archive (SVR4 with no CRC)
--- End quote ---
Move /tmp/amd-ucode.img to your boot loader folder and adjust your boot loader menu
Copy current grub2 menuentry (or whatever you are using) and then edit copy with a renamed menuentry to show microcode.
At time of post, I am booting into alpha 14x. Grub2 does not need a boot dir, instead you can use grub dir so line might read
initrd /grub/amd-ucode.img /grub/rootfs64.gz /grub/modules64.gz
--- Quote ---menuentry "microcodes" {
set root=blah blah
linux blah blah
initrd /boot/amd-ucode.img /boot/rootfs64.gz /boot/modules64.gz
}
--- End quote ---
Full reboot and run
--- Code: ---dmesg | grep microcode
--- End code ---
--- Quote ---dmesg | grep microcode
microcode: CPU0: patch_level=0x08108109
microcode: CPU1: patch_level=0x08108109
microcode: CPU2: patch_level=0x08108109
microcode: CPU3: patch_level=0x08108109
microcode: Microcode Update Driver: v2.2
--- End quote ---
From Gentoo wiki, to explain why "updated" is missing in my output
--- Quote ---It is possible the microcode has already been fully updated by the system's firmware vendor.
In that case the dmesg output does not contain the update log message
--- End quote ---
You may have different dmesg results with examples as per arch wiki.
Future updates
For AMD, you can bookmark the URL in your favourite web browser
and check for log date changes.
If you plan to build a specific microcode see next post.
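Added example, not part of the original posts: a check to run on /tmp/amd-ucode.img before rebooting. It reads the first newc cpio entry and confirms that it is kernel/x86/microcode/AuthenticAMD.bin and that its payload starts with the AMD container magic 0x00414d44 (bytes "DMA\0" on disk), which catches an HTML page or a file list packed in place of firmware. The function names are made up for this example, and it assumes the image holds a single entry, as the script above builds it.

```sh
#!/bin/sh
# Added example: inspect the first entry of a newc cpio image.
# Returns 0 only if that entry is AuthenticAMD.bin and its payload
# starts with the AMD microcode container magic (44 4d 41 00).
WANT=kernel/x86/microcode/AuthenticAMD.bin

# hexfield FILE FIRST LAST -> decimal value of an 8-digit hex header field
hexfield() {
    h=$(dd if="$1" bs=1 count=110 2>/dev/null | cut -c"$2"-"$3")
    case $h in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    echo $((0x$h))
}

check_ucode_img() {
    img=$1
    # newc header: 6-byte magic "070701" followed by 13 fields, 110 bytes in all
    magic=$(dd if="$img" bs=1 count=6 2>/dev/null)
    [ "$magic" = 070701 ] || { echo "not a newc cpio archive"; return 1; }
    fsize=$(hexfield "$img" 55 62) || { echo "bad header"; return 1; }   # c_filesize
    nsize=$(hexfield "$img" 95 102) || { echo "bad header"; return 1; }  # c_namesize
    # entry name follows the header; namesize counts the trailing NUL
    name=$(dd if="$img" bs=1 skip=110 count=$((nsize - 1)) 2>/dev/null)
    [ "$name" = "$WANT" ] || { echo "first entry is '$name', not $WANT"; return 1; }
    [ "$fsize" -ge 4 ] || { echo "payload too small"; return 1; }
    off=$(( (110 + nsize + 3) / 4 * 4 ))   # payload starts 4-byte aligned
    sig=$(dd if="$img" bs=1 skip="$off" count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = 444d4100 ] || { echo "payload is not AMD microcode (starts $sig)"; return 1; }
    echo "ok: $fsize bytes of AMD microcode container"
}

# Run as: sh thisfile.sh /tmp/amd-ucode.img
if [ -n "$1" ]; then check_ucode_img "$1"; fi
```
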
aus9:
Create and use single AMD microcode
As per research, you already know your AMD family so just edit
the allamd.sh to name only your family, so for me LIST2="17h"
rename script to something you can recognise eg oneamd.sh
and then run it using sudo powers and move the amd-ucode.img to
boot dir etc
Not a lot of space is saved, but it's easier to bookmark only one git
log for one CPU family. eg for 17h...below url contains "log"
--- Quote ---https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/log/amd-ucode/microcode_amd_fam17h.bin
--- End quote ---
Good Luck
aus9:
Hi
on TC32 we do not have libarchive so adjust that to libarchive3 please.
2) Also I have only just read of "inception" malware for zen 3 or 4 CPUs
https://www.tomshardware.com/news/amd-inception-vulnerability-affects-zen-3-and-4
one way to check if you are affected if you have not kept your receipts/box etc is
--- Code: ---tce-load -i inxi
inxi -Cxxx
--- End code ---
my result in quote box
--- Quote ---inxi -Cxxx
CPU:
Info: quad core model: AMD Ryzen 3 3200G with Radeon Vega Graphics bits: 64
type: MCP smt: <unsupported> arch: Zen/Zen+ note: check rev: 1 cache:
L1: 384 KiB L2: 2 MiB L3: 4 MiB
SNIP
--- End quote ---
then go to
https://en.wikipedia.org/wiki/List_of_AMD_Ryzen_processors
and search for your string eg 3200G which tells me I have a ryzen+ which is older than a zen 3 or 4
thanks for reading