[coreboot] Microcode Updates PSA (New users please read)

Mike Banon mikebdp2 at gmail.com
Sat Sep 1 22:30:49 CEST 2018


Regarding a NOTE from your last message:
> For microcode embedding in coreboot to work you must check
> both the "generate microcode update from tree" option and the
> "use non-free blob repo" option -
> doing the first but not the second will result in a silent fail.
It works for KGPE-D16 but doesn't work for G505S and maybe some other
AMD boards. Currently the only working way for those "other boards" to
get the latest microcodes is to "xxd -i -c 8" a microcode binary and
then put this array of hex values into their .c file containing a
microcode (path like [1]). Tired of doing this manually, yesterday
I wrote these microcode updating scripts:
https://review.coreboot.org/c/coreboot/+/28425
AMD microcodes: scripts for applying the unofficial (not-merged-yet) updates
Put those 4 files into your freshly cloned coreboot directory,
run ./get_ucode_patches.sh, ./check... and ./apply...,
and your fresh coreboot now has the latest microcodes ;-)
But that's only for those "other boards" like G505S. To get the latest
microcode for your KGPE-D16, you may also need to patch its
microcode_amd_fam15h.bin with a new 2018 microcode which sadly is not
merged yet to either linux-firmware or coreboot.

[1] example of a path to .c file with microcode -
./coreboot/src/vendorcode/amd/agesa/f16kb/Proc/CPU/Family/0x16/KB/F16KbId7001MicrocodePatch.c

On Sat, Sep 1, 2018 at 10:41 PM Taiidan at gmx.com <Taiidan at gmx.com> wrote:
>
> I am making this due to seeing many misinformed users that are engaging
> in dangerous practices.
>
> Microcode updates should ALWAYS be installed unless you are an expert
> user and have repeatedly verified that your CPU doesn't require them and
> you are prepared for the risks which include for instance on the
> Piledriver CPUs (Opteron 63xx/43xx and the G505S's laptop CPUs) a
> userland to root exploit, a broken IOMMU and a timer issue that means
> games and certain applications don't work properly.
>
>
> Unfortunately x86 is stuck with non-owner-controlled undocumented
> proprietary microcode updates and in the case of Intel they are
> encrypted for some reason - AFAIK only POWER has owner-controlled microcode.
>
> Despite this it is still a good idea to install them - I do on my
> coreboot computers and thus I don't ruin my security for no good reason.
>
>
> NOTE:
> For microcode embedding in coreboot to work you must check both the
> "generate microcode update from tree" option and the "use non-free blob
> repo" option - doing the first but not the second will result in a
> silent fail.
> --
> coreboot mailing list: coreboot at coreboot.org
> https://mail.coreboot.org/mailman/listinfo/coreboot
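
The manual step described in the message above (dump a microcode binary with "xxd -i -c 8" and paste the array into the board's .c file) can be checked mechanically. This is an added example, not part of the original post or of the scripts in the linked review: it formats bytes in the same 8-per-row layout and verifies that a .c file's initializer decodes back to exactly the binary. The 20-byte blob and the array name are constructed, and it assumes the .c file holds a single brace-delimited initializer of hex byte values.

```python
import re

def to_c_array_body(blob: bytes, cols: int = 8) -> str:
    """Format bytes like `xxd -i -c 8` does for stdin: rows of '0xNN' values."""
    rows = ["  " + ", ".join(f"0x{b:02x}" for b in blob[i:i + cols])
            for i in range(0, len(blob), cols)]
    return ",\n".join(rows) + "\n"

def bytes_from_c_source(src: str) -> bytes:
    """Decode the first brace-delimited initializer in a C file back to bytes."""
    src = re.sub(r"/\*.*?\*/|//[^\n]*", "", src, flags=re.S)  # drop comments
    m = re.search(r"\{(.*?)\}", src, flags=re.S)
    if m is None:
        raise ValueError("no array initializer found")
    tokens = [t.strip() for t in m.group(1).split(",") if t.strip()]
    # int(..., 16) rejects non-hex tokens; bytes() rejects values above 0xff
    return bytes(int(t, 16) for t in tokens)

def verify_embedding(blob: bytes, src: str) -> str:
    """Compare a microcode binary with the array pasted into a .c file."""
    embedded = bytes_from_c_source(src)
    for off, (want, got) in enumerate(zip(blob, embedded)):
        if want != got:
            return f"mismatch at offset 0x{off:x}: binary 0x{want:02x}, source 0x{got:02x}"
    if len(blob) != len(embedded):
        return f"length differs: binary {len(blob)} bytes, source {len(embedded)} bytes"
    return "ok"

if __name__ == "__main__":
    blob = bytes(range(20))  # constructed stand-in, not a real microcode patch
    body = to_c_array_body(blob)
    # hypothetical array name; real files use the name the board code expects
    good = "/* constructed example */\nconst unsigned char ExamplePatch[] = {\n" + body + "};\n"
    bad = good.replace("0x05, ", "", 1)  # simulate a byte lost while pasting
    print(body, end="")
    print(verify_embedding(blob, good))
    print(verify_embedding(blob, bad))
```

Run against a real microcode binary and the edited .c file, anything other than "ok" means the array in the source tree is not the binary that was meant to be embedded.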


