I am making this due to seeing many misinformed users that are engaging in dangerous practices.
Microcode updates should ALWAYS be installed unless you are an expert user and have repeatedly verified that your CPU doesn't require them and you are prepared for the risks, which include, for instance, on the Piledriver CPUs (Opteron 63xx/43xx and the G505S's laptop CPUs) a userland-to-root exploit, a broken IOMMU and a timer issue that means games and certain applications don't work properly.
Unfortunately x86 is stuck with non-owner-controlled, undocumented, proprietary microcode updates, and in the case of Intel they are encrypted for some reason - AFAIK only POWER has owner-controlled microcode.
Despite this it is still a good idea to install them - I do on my coreboot computers and thus I don't ruin my security for no good reason.
NOTE: For microcode embedding in coreboot to work you must check both the "generate microcode update from tree" option and the "use non-free blob repo" option - doing the first but not the second will result in a silent fail.
Regarding a NOTE from your last message:
For microcode embedding in coreboot to work you must check both the "generate microcode update from tree" option and the "use non-free blob repo" option - doing the first but not the second will result in a silent fail.
It works for KGPE-D16 but doesn't work for G505S and maybe some other AMD boards. Currently the only working way for those "other boards" to get the latest microcodes is to "xxd -i -c 8" a microcode binary and then put this array of hex values into their .c file containing a microcode (path like [1]).
Tired of doing this manually, yesterday I wrote these microcode updating scripts:
https://review.coreboot.org/c/coreboot/+/28425
AMD microcodes: scripts for applying the unofficial (not-merged-yet) updates
Put those 4 files into your freshly cloned coreboot directory, run ./get_ucode_patches.sh , ./check... and ./apply... , and your fresh coreboot now has the latest microcodes ;-)
But that's only for those "other boards" like G505S. To get the latest microcode for your KGPE-D16, you may also need to patch its microcode_amd_fam15h.bin with a new 2018 microcode, which sadly is not merged yet to either linux-firmware or coreboot.
[1] example of a path to .c file with microcode - ./coreboot/src/vendorcode/amd/agesa/f16kb/Proc/CPU/Family/0x16/KB/F16KbId7001MicrocodePatch.c
On Sat, Sep 1, 2018 at 10:41 PM Taiidan@gmx.com <Taiidan@gmx.com> wrote:
I am making this due to seeing many misinformed users that are engaging in dangerous practices.
Microcode updates should ALWAYS be installed unless you are an expert user and have repeatedly verified that your CPU doesn't require them and you are prepared for the risks, which include, for instance, on the Piledriver CPUs (Opteron 63xx/43xx and the G505S's laptop CPUs) a userland-to-root exploit, a broken IOMMU and a timer issue that means games and certain applications don't work properly.
Unfortunately x86 is stuck with non-owner-controlled, undocumented, proprietary microcode updates, and in the case of Intel they are encrypted for some reason - AFAIK only POWER has owner-controlled microcode.
Despite this it is still a good idea to install them - I do on my coreboot computers and thus I don't ruin my security for no good reason.
NOTE: For microcode embedding in coreboot to work you must check both the "generate microcode update from tree" option and the "use non-free blob repo" option - doing the first but not the second will result in a silent fail.
--
coreboot mailing list: coreboot@coreboot.org
https://mail.coreboot.org/mailman/listinfo/coreboot
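Added example, not part of the original messages and not the scripts from the linked review: a check that a hex array pasted by hand into a microcode .c file (the "xxd -i -c 8" workflow described in the reply) still matches the microcode binary byte for byte. The function names, the sample blob and the sample C text are constructed for illustration; it assumes the .c file's first brace-enclosed initializer is the microcode array.

```python
import re

def xxd_i_rows(blob: bytes, cols: int = 8) -> str:
    """Render bytes as the hex rows that `xxd -i -c 8` prints inside the braces."""
    rows = []
    for off in range(0, len(blob), cols):
        rows.append("  " + ", ".join(f"0x{b:02x}" for b in blob[off:off + cols]))
    return ",\n".join(rows)

def array_bytes(c_source: str) -> bytes:
    """Return the byte values of the first brace-enclosed initializer in C source."""
    # Drop comments first so braces or commas inside them cannot confuse the scan.
    text = re.sub(r"/\*.*?\*/", "", c_source, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    start = text.index("{")
    end = text.index("}", start)
    out = bytearray()
    for token in text[start + 1:end].split(","):
        token = token.strip()
        if not token:
            continue  # tolerate a trailing comma
        value = int(token, 0)  # ValueError if a non-numeric token was pasted in
        if not 0 <= value <= 0xFF:
            raise ValueError(f"not a byte value: {token}")
        out.append(value)
    return bytes(out)

def first_mismatch(blob: bytes, c_source: str):
    """None if the embedded array equals blob, else the offset of the first difference."""
    embedded = array_bytes(c_source)
    for offset, (want, got) in enumerate(zip(blob, embedded)):
        if want != got:
            return offset
    if len(blob) != len(embedded):
        return min(len(blob), len(embedded))  # one side is truncated here
    return None

# Constructed sample data: a 20-byte stand-in for a microcode binary and a
# stand-in .c file holding it as an array (not a real microcode patch).
SAMPLE_BLOB = bytes((7 * i + 3) & 0xFF for i in range(20))
SAMPLE_C = ("/* constructed stand-in for a microcode patch .c file */\n"
            "const unsigned char sample_patch[] = {\n"
            + xxd_i_rows(SAMPLE_BLOB) + "\n};\n")

if __name__ == "__main__":
    result = first_mismatch(SAMPLE_BLOB, SAMPLE_C)
    print("array matches binary" if result is None else f"mismatch at offset {result}")
```

For a real check, read the microcode binary with open(path, "rb") and the .c file as text, then pass both to first_mismatch before building.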