Following the public disclosure of Meltdown and Spectre-v{1,2} in early 2018, NetBSD almost immediately provided a simple way to dynamically update x86(_64) Intel CPU firmware at boot, through the cpuctl(8) utility; cpuctl loads the latest microcode definitions into volatile memory, without any need to constantly keep the BIOS/UEFI up to date (highly impractical).
However, I'm under the impression that this passed largely unnoticed within the BSD community and that as a result, many NetBSD users missed this simple yet important fix.
So, how do you update the Intel microcode on NetBSD? Easier done than said:
$ cd /usr/pkgsrc/sysutils/intel-microcode-netbsd && make install clean clean-depends
$ cp /usr/pkg/share/examples/rc.d/intel-microcode /etc/rc.d
$ echo microcode=YES >> /etc/rc.conf
At next boot, on a dual-core Pentium like mine, the GENERIC kernel ring buffer will print:
cpu 0: ucode 0xa07->0xa0b
cpu 1: ucode 0xa07->0xa0b
You can also look up the current firmware definition of each core through cpuctl(8):
#!/bin/sh
# Print the microcode revision reported by each core.
ncpu=$(sysctl -n hw.ncpu)
for cpu in $(jot - 0 $((ncpu - 1)) 1); do
    cpuctl identify "$cpu" | grep microcode || true
done
Which in my case returns:
cpu0: microcode version 0xa0b, platform ID 7
cpu1: microcode version 0xa0b, platform ID 7
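To turn these two outputs into a pass/fail check after boot, the following added example (not part of the original post) parses the line formats shown above. The function names are hypothetical, the sample input is constructed from the output quoted here plus one constructed failure case, and it assumes the update was applied during the current boot.

```sh
#!/bin/sh
# Added example: post-boot check that the microcode update reached every core.
# Function names are hypothetical; line formats are the ones shown on this page.

# stdin: `cpuctl identify N` output for all cores.
# stdout: the distinct microcode revisions, one per line.
ucode_revisions() {
    sed -n 's/.*microcode version \(0x[0-9a-fA-F]*\).*/\1/p' | sort -u
}

# stdin: same as above. Succeeds only if every core reports the same revision.
ucode_consistent() {
    [ "$(ucode_revisions | wc -l | tr -d ' ')" -eq 1 ]
}

# stdin: kernel messages (dmesg). stdout: ids of cores whose
# "ucode 0xOLD->0xNEW" message shows an actual change (OLD differs from NEW).
ucode_updated_cores() {
    sed -n 's/.*cpu *\([0-9][0-9]*\): ucode \(0x[0-9a-fA-F]*\)->\(0x[0-9a-fA-F]*\).*/\1 \2 \3/p' |
        awk '($2 "") != ($3 "") { print $1 }'
}

# $1 = expected core count (sysctl -n hw.ncpu), $2 = dmesg text,
# $3 = cpuctl identify text. Prints a verdict; returns non-zero on failure.
verify_ucode() {
    updated=$(printf '%s\n' "$2" | ucode_updated_cores | sort -u | wc -l | tr -d ' ')
    if [ "$updated" -ne "$1" ]; then
        echo "FAIL: $updated of $1 cores logged a microcode update"; return 1
    fi
    if ! printf '%s\n' "$3" | ucode_consistent; then
        echo "FAIL: cores report different microcode revisions"; return 1
    fi
    echo "OK: $1 cores at $(printf '%s\n' "$3" | ucode_revisions)"
}

# Constructed sample input: the two-core output quoted on this page ...
GOOD_DMESG='cpu 0: ucode 0xa07->0xa0b
cpu 1: ucode 0xa07->0xa0b'
GOOD_IDENT='cpu0: microcode version 0xa0b, platform ID 7
cpu1: microcode version 0xa0b, platform ID 7'
# ... and a constructed failure case where cpu1 stayed on the old revision.
BAD_DMESG='cpu 0: ucode 0xa07->0xa0b'
BAD_IDENT='cpu0: microcode version 0xa0b, platform ID 7
cpu1: microcode version 0xa07, platform ID 7'

verify_ucode 2 "$GOOD_DMESG" "$GOOD_IDENT"
verify_ucode 2 "$BAD_DMESG" "$BAD_IDENT" || true
# Live use: pass "$(sysctl -n hw.ncpu)", "$(dmesg)" and the per-core loop output.
```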
What about AMD CPUs? Will it work on them?
Yes, but, as specified in the cpuctl(8) man page, you need to manually fetch and install the latest AMD firmware from the Linux kernel firmware repository: https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/amd-ucode
Place the file microcode_amd_famXXh.bin (where XX is the CPU family starting with 15 [hex]) inside either /libdata/firmware/x86/amd/ or /usr/pkg/libdata/firmware/x86/amd/ (if for any reason you don't want it on root), making sure, in the latter case, that the /usr/pkg/libdata directory is included in the output of sysctl hw.firmware.path, as shown below:
hw.firmware.path = /libdata/firmware:/usr/libdata/firmware:/usr/pkg/libdata/firmware:/usr/pkg/libdata