[CentOS-virt] how to update ucode with xen

Wed Sep 19 19:59:19 UTC 2018
Kevin Stange <kevin at steadfast.net>

On 9/19/18 1:27 PM, Christoph wrote:
> it is working thx a lot...
> 
> but it has included the GenuineIntel.bin only in actually used kernel...
> do I need to reinstall microcode_ctl every time I update the kernel?
> And second question, I guess I still need the ucode = scan as xen
> parameter right?

You won't need to reinstall microcode_ctl.  Once you create the file at
/etc/microcode_ctl/ucode_with_caveats/force, any time you update the
kernel or microcode_ctl, it will put the microcode into the initramfs
automatically.

You do need to keep ucode=scan on the Xen command line because that is
how it knows to scan the initramfs for the microcode.

> 
> Am 2018-09-19 20:08, schrieb Kevin Stange:
>> On 9/19/18 1:55 AM, Christoph wrote:
>>>
>>> Hi
>>>
>>> can someone tell me how to update the µcode of the cpu with xen?
>>>
>>> I have added the ucode=scan parameter to xen but it does not seem to
>>> work...
>>>
>>> the µcode version of my xeon is really old :/
>>>
>>> model name    : Intel(R) Xeon(R) CPU E3-1271 v3 @ 3.60GHz
>>> microcode    : 0x10
>>>
>>
>> There is a "caveat" in the current version of microcode_ctl which means
>> it doesn't automatically install the microcode into the initramfs if the
>> kernel isn't "known good" because of various issues with Linux kernel
>> patches being needed for certain microcode features.  There is a quick
>> way to get it to force the microcode into the initramfs of any kernel:
>>
>> mkdir -p /etc/microcode_ctl/ucode_with_caveats/
>> touch /etc/microcode_ctl/ucode_with_caveats/force
>>
>> This only works with the most recent version of microcode_ctl
>> (2.1-29.16.el7_5.x86_64).  If you do this, you can then run 'yum
>> reinstall microcode_ctl' and you should get the microcode in the
>> initramfs after it finishes.  Note that this will cause it to trust ALL
>> kernels and all microcode versions which might not always be a good
>> thing.  See this file for info:
>>
>> /usr/share/doc/microcode_ctl/README.caveats
>>
>> You can test that the initramfs has the microcode by running cpio:
>>
>> cpio -t < /boot/initramfs-4.9.112-32.el7.x86_64.img
>>
>> If there is a GenuineIntel.bin you should be good.  If you get spammed
>> with errors, then it isn't included.
> 


-- 
Kevin Stange
Chief Technology Officer
Steadfast | Managed Infrastructure, Datacenter and Cloud Services
800 S Wells, Suite 190 | Chicago, IL 60607
312.602.2689 X203 | Fax: 312.602.2688
kevin at steadfast.net | www.steadfast.net
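
Added example, not part of the original message: the cpio -t check in the thread works because early microcode is stored in an uncompressed cpio (newc) archive at the very start of the initramfs, ahead of the compressed main image. This Python code parses that leading archive and reports whether GenuineIntel.bin is present; the kernel/x86/microcode/ path follows the Linux early-microcode layout, and the sample byte strings are constructed for illustration.

```python
import sys

MAGIC = b"070701"  # cpio "newc" header magic
HDR_LEN = 110      # magic + 13 fields of 8 hex digits

def _pad4(n):
    return (n + 3) & ~3  # names and file data are 4-byte aligned

def list_early_cpio(data):
    """Entry names in the uncompressed newc archive at the start of data."""
    names, off = [], 0
    while data[off:off + 6] == MAGIC and len(data) >= off + HDR_LEN:
        f = [int(data[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        filesize, namesize = f[6], f[11]
        start = off + HDR_LEN
        name = data[start:start + namesize - 1].decode("ascii", "replace")
        if name == "TRAILER!!!":  # end-of-archive marker
            break
        names.append(name)
        off = _pad4(_pad4(start + namesize) + filesize)
    return names

def has_intel_microcode(data):
    """True if the leading archive carries an Intel microcode blob."""
    return any(n.endswith("GenuineIntel.bin") for n in list_early_cpio(data))

def _entry(name, payload=b""):
    """Build one newc entry (used only for the constructed samples)."""
    nm = name.encode() + b"\0"
    fields = [0, 0o100644, 0, 0, 1, 0, len(payload), 0, 0, 0, 0, len(nm), 0]
    blob = MAGIC + b"".join(b"%08X" % v for v in fields) + nm
    blob += b"\0" * (_pad4(len(blob)) - len(blob)) + payload
    return blob + b"\0" * (_pad4(len(blob)) - len(blob))

# Constructed samples: a gzip-magic stub stands in for the main initramfs.
GZIP_STUB = b"\x1f\x8b\x08\x00" + b"\0" * 16
WITH_UCODE = (_entry("kernel/x86/microcode/GenuineIntel.bin", b"\xAA" * 48)
              + _entry("TRAILER!!!") + GZIP_STUB)
WITHOUT_UCODE = GZIP_STUB  # no early cpio: ucode=scan finds nothing

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. a path under /boot
        with open(sys.argv[1], "rb") as fh:
            print(has_intel_microcode(fh.read()))
    else:
        print(has_intel_microcode(WITH_UCODE), has_intel_microcode(WITHOUT_UCODE))
```

Run it with an initramfs path as the only argument after each kernel or microcode_ctl update to confirm the blob is still where ucode=scan will look for it.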