RetroBSD Net
Title: Update CPU Microcode on NetBSD
Authors: Paolo Vincenzo Olivo
Date:
Topics: NetBSD
Id: 57fd9

■ Preventing side-channel attacks

Following the public disclosure of Meltdown and Spectre-v{1,2} in early 2018, NetBSD almost immediately provided a simple way to update the firmware of x86(_64) Intel CPUs dynamically at boot, through the cpuctl(8) utility (<https://netbsd.gw.com/cgi-bin/man-cgi?cpuctl++NetBSD-current>); `cpuctl` loads the latest microcode definitions into volatile memory, with no need to constantly keep the BIOS/UEFI up to date (highly impractical). However, I'm under the impression that this passed largely unnoticed within the BSD community and that, as a result, many NetBSD users missed this simple yet important fix.

So, how do you update the Intel microcode on NetBSD? Easier done than said:

$ cd /usr/pkgsrc/sysutils/intel-microcode-netbsd && make install clean clean-depends
$ cp /usr/pkg/share/examples/rc.d/intel-microcode /etc/rc.d
$ echo microcode=YES >> /etc/rc.conf

At the next boot, on a dual-core Pentium like mine, the GENERIC kernel ring buffer will print:

cpu 0: ucode 0xa07->0xa0b
cpu 1: ucode 0xa07->0xa0b

You can also look up the current microcode revision of each core through *cpuctl(8)*:

#!/bin/sh
# number of cores, then query cpuctl identify for each of them
ncpu=$(sysctl -n hw.ncpu)

for cpu in $(jot - 0 $((ncpu - 1)) 1); do
    cpuctl identify "$cpu" | grep microcode || true
done

Which in my case returns:

cpu0: microcode version 0xa0b, platform ID 7
cpu1: microcode version 0xa0b, platform ID 7
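As an added example (not from the original post), the following POSIX sh script turns that per-core check into something a boot-time or monitoring job can act on: it reduces cpuctl identify output to core/revision pairs, finds the newest revision, and exits non-zero if any core lags behind it, which is what a partially applied update or a core the rc.d script missed would look like. The sample lines are constructed to match the output format quoted above; cpuctl_report assumes a real NetBSD host with sysctl(8) and cpuctl(8), and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the microcode revision
# of every core from cpuctl(8) output and flag any core that lags behind the
# newest revision seen. A core the update missed is easy to overlook in the
# kernel ring buffer; this turns it into a non-zero exit status instead.

# Constructed sample output, shaped like the "cpuctl identify" lines quoted
# in the post. In the first sample cpu1 is deliberately left at the old revision.
SAMPLE_MIXED='cpu0: microcode version 0xa0b, platform ID 7
cpu1: microcode version 0xa07, platform ID 7'

SAMPLE_OK='cpu0: microcode version 0xa0b, platform ID 7
cpu1: microcode version 0xa0b, platform ID 7'

# Reduce "cpuctl identify" output read on stdin to "cpuN 0xREV" pairs.
parse_ucode() {
    sed -n 's/^\(cpu[0-9][0-9]*\): microcode version \(0x[0-9a-fA-F]*\).*/\1 \2/p'
}

# Print the highest revision among the "cpuN 0xREV" pairs read on stdin.
# Shell arithmetic accepts 0x-prefixed constants, so the comparison is numeric.
newest_revision() {
    best=0
    while read -r cpu rev; do
        [ "$rev" ] || continue
        if [ "$((rev))" -gt "$((best))" ]; then best=$rev; fi
    done
    printf '%s\n' "$best"
}

# Read "cpuctl identify" output on stdin. Exit 0 when every core reports the
# newest revision, 1 otherwise (including when no microcode line is present),
# listing the cores that lag behind.
check_uniform() {
    pairs=$(parse_ucode)
    if [ -z "$pairs" ]; then
        printf 'no microcode version lines found in input\n'
        return 1
    fi
    newest=$(printf '%s\n' "$pairs" | newest_revision)
    lagging=$(printf '%s\n' "$pairs" | while read -r cpu rev; do
        [ "$rev" ] || continue
        if [ "$((rev))" -lt "$((newest))" ]; then printf '%s %s\n' "$cpu" "$rev"; fi
    done)
    if [ -n "$lagging" ]; then
        printf 'newest microcode revision is %s; lagging cores:\n%s\n' "$newest" "$lagging"
        return 1
    fi
    printf 'all cores report microcode revision %s\n' "$newest"
}

# On a real NetBSD host (assumes sysctl(8) and cpuctl(8)): gather every core's
# line, as the loop in the post does, and feed the result to the check.
cpuctl_report() {
    ncpu=$(sysctl -n hw.ncpu)
    cpu=0
    while [ "$cpu" -lt "$ncpu" ]; do
        cpuctl identify "$cpu" | grep microcode || true
        cpu=$((cpu + 1))
    done | check_uniform
}
```

Run `printf '%s\n' "$SAMPLE_MIXED" | check_uniform` to see the lagging core reported with exit status 1; on a NetBSD host, `cpuctl_report` does the same against live output, so it can sit behind the rc.d step or in a periodic job.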

■ What about AMD CPUs? Will it work on them?

Yes, but, as the *cpuctl(8)* man page specifies, you need to manually fetch and install the latest AMD firmware from the Linux kernel firmware repository: <https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd-ucode>. Place the file microcode_amd_famXXh.bin (where XX is the CPU family, starting with 15) inside either /libdata/firmware/x86/amd/ or /usr/pkg/libdata/firmware/x86/amd/, making sure, in the latter case, that /usr/pkg/libdata is included in the output of `sysctl hw.firmware.path`, as shown below:

hw.firmware.path = /libdata/firmware:/usr/libdata/firmware:/usr/pkg/libdata/firmware:/usr/pkg/libdata

Note: if using a cgd(4)-encrypted root, the firmware will naturally reside under /altroot, where the initial ramdisk actually mounts the decrypted filesystem before chrooting into it. Make sure to prepend /altroot to every directory in the firmware path. I think I'll cover this in a separate post.
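As an added example (not the post's own code), here is a small POSIX sh check for the AMD placement rules above: it builds the expected file name from the CPU family, expands hw.firmware.path into the directories searched for a given subdirectory (x86/amd here), optionally prefixed with /altroot, and reports the first directory that actually contains the file. The demo function builds the tree in a temporary directory instead of touching the real root; FIRMWARE_PATH is copied from the sysctl output quoted above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: check that an AMD microcode
# file sits in a directory the kernel will actually search, expanding
# hw.firmware.path the way the post describes and applying an optional
# /altroot prefix for cgd-encrypted roots.

# Constructed value, copied from the sysctl output quoted in the post.
FIRMWARE_PATH='/libdata/firmware:/usr/libdata/firmware:/usr/pkg/libdata/firmware:/usr/pkg/libdata'

# Expected file name for a CPU family given in decimal or 0x-prefixed hex,
# e.g. 0x17 or 23 -> microcode_amd_fam17h.bin (the famXXh pattern from the post).
amd_ucode_filename() {
    printf 'microcode_amd_fam%02xh.bin\n' "$(( $1 ))"
}

# Print, one per line, the directories searched for firmware: each entry of
# the colon-separated path $1, followed by subdirectory $2, with optional
# prefix $3 (e.g. /altroot) prepended to every entry.
firmware_dirs() {
    path=$1; sub=$2; prefix=${3:-}
    printf '%s\n' "$path" | tr ':' '\n' | while read -r dir; do
        [ "$dir" ] || continue
        printf '%s%s/%s\n' "$prefix" "$dir" "$sub"
    done
}

# Print the first searched directory that contains file $3 and return 0;
# return 1 if no directory has it. $1 = path, $2 = subdirectory, $4 = prefix.
find_firmware() {
    found=$(firmware_dirs "$1" "$2" "${4:-}" | while read -r dir; do
        if [ -f "$dir/$3" ]; then printf '%s\n' "$dir"; break; fi
    done)
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Offline demonstration of the /altroot caveat. A throwaway directory stands
# in for the real root, with the firmware placed under its altroot/ subtree
# the way a cgd-encrypted system lays it out. The file is found only when the
# altroot prefix is applied to the firmware path. Returns 0 on success.
demo_altroot() {
    root=$(mktemp -d) || return 1
    name=$(amd_ucode_filename 0x17)
    mkdir -p "$root/altroot/usr/pkg/libdata/firmware/x86/amd"
    : > "$root/altroot/usr/pkg/libdata/firmware/x86/amd/$name"

    # Unprefixed path (root stands in for "/"): nothing there, as expected.
    if find_firmware "$FIRMWARE_PATH" x86/amd "$name" "$root" >/dev/null; then
        rm -rf "$root"; return 1
    fi
    # With /altroot prepended to every directory the file is found.
    dir=$(find_firmware "$FIRMWARE_PATH" x86/amd "$name" "$root/altroot") || { rm -rf "$root"; return 1; }
    rm -rf "$root"
    [ "$dir" = "$root/altroot/usr/pkg/libdata/firmware/x86/amd" ]
}
```

On a real host, `find_firmware "$(sysctl -n hw.firmware.path)" x86/amd "$(amd_ucode_filename 0x17)"` (or with `/altroot` as the fourth argument on a cgd-encrypted root) tells you whether the file you dropped in place will be seen at all before you reboot to find out.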
