Check CPU Microcode Version on Linux

Debian recently released an advisory warning about a hardware bug in the hyperthreading implementation of certain Intel Skylake/Kaby Lake CPUs. The bug can be mitigated by a microcode update, at least on some models. This article shows how to check a non-Debian system for the issue and how to verify that the right microcode is in place.

The console snippets below are from a Dell notebook with a Skylake CPU running Fedora 25. It turns out that Fedora, in contrast to Debian, installs some firmware packages by default, including the Intel microcode images (cf. microcode_ctl). Thus, a Fedora system on Skylake should already run the microcode version that includes the fix.

Check for certain CPU features - e.g. if hyperthreading is enabled:

$ grep '\<ht\>' /proc/cpuinfo -q && echo 1
1

Display CPU model, stepping and active microcode version:

$ grep 'stepping\|model\|microcode' /proc/cpuinfo
model       : 78
model name  : Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz
stepping    : 3
microcode   : 0xba
[..]

The advisory states that Skylake model 78, stepping 3 is affected and that microcode version 0xba includes the fix.

Investigate whether the microcode was loaded by the BIOS or by the kernel:

# journalctl --no-hostname -o short-monotonic --boot -0 \
  | sed -n '1,/PM: Preparing system for sleep/p' | grep 'microcode\|smp'
[    0.000000] microcode: microcode updated early to revision 0xba, \
                   date = 2017-04-09
[    0.000000] smpboot: Allowing 4 CPUs, 0 hotplug CPUs
[    0.040087] smpboot: Max logical packages: 2
[    0.056402] smpboot: CPU0: Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz \
                   (family: 0x6, model: 0x4e, stepping: 0x3)
[    0.056975] smp: Bringing up secondary CPUs ...
[    0.239023] smp: Brought up 1 node, 4 CPUs
[    0.239023] smpboot: Total of 4 processors activated (22476.05 BogoMIPS)
[    0.693589] microcode: sig=0x406e3, pf=0x80, revision=0xba
[    0.693671] microcode: Microcode Update Driver: v2.2.

That means the microcode image in the BIOS is older, so the kernel loaded a newer version (the microcode date also matches the one mentioned in the advisory).

After a BIOS update, check that the BIOS loads the microcode before kernel start:

# journalctl --no-hostname -o short-monotonic --boot -0 \
    | sed -n '1,/PM: Preparing system for sleep/p' | grep 'microcode\|smp'
[    0.000000] smpboot: Allowing 4 CPUs, 0 hotplug CPUs
[    0.039057] smpboot: Max logical packages: 2
[    0.054709] smpboot: CPU0: Intel(R) Core(TM) i7-6600U CPU @ 2.60GHz \
                   (family: 0x6, model: 0x4e, stepping: 0x3)
[    0.055000] smp: Bringing up secondary CPUs ...
[    0.235034] smp: Brought up 1 node, 4 CPUs
[    0.235034] smpboot: Total of 4 processors activated (22560.93 BogoMIPS)
[    0.711458] microcode: sig=0x406e3, pf=0x80, revision=0xba
[    0.711662] microcode: Microcode Update Driver: v2.2.

(There is no longer a "microcode updated early" message.)

Modern CPU microcode, such as that used by Intel CPUs, isn't persistent, i.e. it must be loaded at each boot, either by the BIOS or by the kernel. Apparently, it even has to be reloaded on resume after a suspend-to-RAM (cf. the kernel messages).
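
The two checks above (the /proc/cpuinfo comparison and the boot log inspection) can be scripted. The following is an added example, not part of the original article: it compares model, stepping and microcode revision against the advisory values quoted above (model 78, stepping 3, fix in 0xba) and classifies a boot log by the presence of the early-update message. The function names and the sample input are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the article. Function names are hypothetical.
# Advisory values as quoted in the article: model 78, stepping 3, fix in 0xba.
FIXED_REV=0xba

# cpu_field TEXT NAME: value of the first /proc/cpuinfo field called NAME
cpu_field() {
    printf '%s\n' "$1" | awk -F': *' -v name="$2" '
        { key = $1; sub(/[ \t]+$/, "", key) }
        key == name { print $2; exit }'
}

# microcode_status TEXT: prints not-affected, fixed or outdated
microcode_status() {
    model=$(cpu_field "$1" model)
    stepping=$(cpu_field "$1" stepping)
    rev=$(cpu_field "$1" microcode)
    if [ "$model" != 78 ] || [ "$stepping" != 3 ]; then
        echo not-affected
    elif [ $((${rev:-0})) -ge $(($FIXED_REV)) ]; then
        echo fixed
    else
        echo outdated
    fi
}

# microcode_loader: reads boot log lines on stdin. Prints "kernel" if the
# kernel applied an early update, otherwise "bios" (the article's reading:
# no early-update message means the BIOS image was already current).
microcode_loader() {
    if grep -q 'microcode: microcode updated early to revision'; then
        echo kernel
    else
        echo bios
    fi
}

# Constructed sample, mirroring the article's /proc/cpuinfo output
SAMPLE=$(printf 'model\t\t: 78\nstepping\t: 3\nmicrocode\t: 0xba\n')
microcode_status "$SAMPLE"

# On a live system (feed microcode_loader the journalctl pipeline shown above):
if [ -r /proc/cpuinfo ]; then microcode_status "$(cat /proc/cpuinfo)"; fi
```

A missing microcode field on an affected model is treated as revision 0 and reported as outdated.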