On January 8th Intel released new Linux Processor microcode data files that can be used to mitigate the Spectre and Meltdown vulnerabilities in Intel CPUs. Using microcode files, an operating system can fix known bugs in Intel CPUs without having to perform a BIOS update on the computer.

According to the Intel microcode download page, this release is available for 40 different versions of Linux and valid for 2,371 Intel processors all the way down to the 150 MHz Pentium Processor from 1995.

Update 1/11/18 10:45PM EST:

As pointed out in a comment to this article, this microcode release only fixes issues in certain processors. Below is the list of processors from the release notes that received updates.

Based on information found here and on Intel's site, the first column is processor model, the second column is the abbreviation from the release notes, and the third is the new revision numbers from the release notes. 

Another reader pointed out that the numbers in parentheses coincide with the CPU's family, model, and stepping. The format is (family-model-stepping:unknown) with the values being in hexadecimal. You can find the values associated with a particular processor by looking it up on cpu-world.com. We are still unsure what the value after the colon stands for.

For example, if you look up the Haswell processor that has an identifier of (06-3c-03:32) at cpu-world.com, you will see that the information on the site matches the identifier listed in the release notes.

| Processor Model | Abbreviated Model | Revision |
|---|---|---|
| IvyTown | IVT C0 (06-3e-04:ed) | 428->42a |
| Skylake | SKL-U/Y D0 (06-4e-03:c0) | ba->c2 |
| Broadwell | BDW-U/Y E/F (06-3d-04:c0) | 25->28 |
| Haswell | HSW-ULT Cx/Dx (06-45-01:72) | 20->21 |
| Crystal Well | Crystalwell Cx (06-46-01:32) | 17->18 |
| Broadwell | BDW-H E/G (06-47-01:22) | 17->1b |
| Haswell Xeon | HSX-EX E0 (06-3f-04:80) | 0f->10 |
| Skylake | SKL-H/S R0 (06-5e-03:36) | ba->c2 |
| Haswell | HSW Cx/Dx (06-3c-03:32) | 22->23 |
| Haswell Xeon | HSX C0 (06-3f-02:6f) | 3a->3b |
| Broadwell-DE Xeon | BDX-DE V0/V1 (06-56-02:10) | 0f->14 |
| Broadwell-DE Xeon | BDX-DE V2 (06-56-03:10) | 700000d->7000011 |
| Kaby Lake | KBL-U/Y H0 (06-8e-09:c0) | 62->80 |
| Kaby Lake | KBL Y0 / CFL D0 (06-8e-0a:c0) | 70->80 |
| Kaby Lake | KBL-H/S B0 (06-9e-09:2a) | 5e->80 |
| Coffee Lake | CFL U0 (06-9e-0a:22) | 70->80 |
| Coffee Lake | CFL B0 (06-9e-0b:02) | 72->80 |
| Skylake Xeon | SKX H0 (06-55-04:b7) | 2000035->200003c |
| Gemini Lake | GLK B0 (06-7a-01:01) | 1e->22 |

Windows users can also benefit from updated microcodes, but these need to be first tested by Microsoft and then released as an update. The last microcode update, other than hotfixes, was released in 2015. It is not currently known if Microsoft will be releasing the new microcodes in a future update.

Applying the new microcode data files to Linux

For Linux users, applying a new microcode data file is fairly easy as Linux distributions typically release them as an update when they become available. To install a new microcode update, the best method is to use the package manager that is included with your Linux distribution.

For Debian and Ubuntu distributions, you should use apt to install the intel-microcode packages. The package manager will also install any other dependencies needed such as iucode-tool. Red Hat and CentOS users can use yum and should search for microcode_ctl.

If you are unable to install an update through a package manager you can also install the microcodes manually. In modern Linux distributions this is typically done by copying the downloaded intel-ucode folder into the /lib/firmware folder and then running the echo 1 > /sys/devices/system/cpu/microcode/reload command. 

You can see an example of how NickAu, one of the BleepingComputer moderators, installed the updates manually in Ubuntu here.

Ubuntu using Microcode

The full instructions from the Intel microcode release can be found here:

-- Microcode update instructions --
This package contains Intel microcode files in two formats:
* microcode.dat
* intel-ucode directory 

microcode.dat is in a traditional text format. It is still used in some
Linux distributions. It can be updated to the system through the old microcode
update interface which is available in the kernel with
CONFIG_MICROCODE_OLD_INTERFACE=y.

To update the microcode.dat to the system, one needs to:
1. Ensure the existence of /dev/cpu/microcode
2. Write microcode.dat to the file, e.g.
  dd if=microcode.dat of=/dev/cpu/microcode bs=1M

intel-ucode directory contains binary microcode files named in
family-model-stepping pattern. The file is supported in most modern Linux
distributions. It's generally located in the /lib/firmware directory,
and can be updated through the microcode reload interface.

To update the intel-ucode package to the system, one needs to:
1. Ensure the existence of /sys/devices/system/cpu/microcode/reload
2. Copy intel-ucode directory to /lib/firmware, overwrite the files in
/lib/firmware/intel-ucode/
3. Write the reload interface to 1 to reload the microcode files, e.g.
  echo 1 > /sys/devices/system/cpu/microcode/reload
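
As an added example (not part of Intel's release notes or the original article), the shell functions below derive the family-model-stepping file name described earlier from /proc/cpuinfo-format text and check whether the running revision has reached an expected value, which is the check to run before and after the reload step. The function names and the constructed sample CPU data are assumptions for illustration; the expected revision 23 is the Haswell (06-3c-03) value from the table above.

```shell
#!/bin/sh
# Added example, not from Intel's release notes. Function names are hypothetical.

# Print family-model-stepping as two-digit lowercase hex for the first CPU in
# a cpuinfo-format file ($1): family 6, model 60, stepping 3 -> 06-3c-03.
cpu_signature() {
    awk -F'[ \t]*:[ \t]*' '
        $1 == "cpu family" && f == "" { f = $2 }
        $1 == "model"      && m == "" { m = $2 }
        $1 == "stepping"   && s == "" { s = $2 }
        END { if (f == "" || m == "" || s == "") exit 1
              printf "%02x-%02x-%02x\n", f, m, s }' "$1"
}

# Print the running microcode revision of the first CPU, e.g. 0x22.
running_revision() {
    awk -F'[ \t]*:[ \t]*' '$1 == "microcode" { print $2; exit }' "$1"
}

# $1 = cpuinfo file, $2 = intel-ucode directory, $3 = expected revision (hex).
# Returns 0 if up to date, 1 if a reload is still needed, 2 if undetermined.
check_microcode() {
    sig=$(cpu_signature "$1") || { echo "cannot parse $1"; return 2; }
    rev=$(running_revision "$1")
    [ -n "$rev" ] || { echo "$sig: no microcode line in $1"; return 2; }
    [ -f "$2/$sig" ] || { echo "$sig: no microcode file in $2"; return 2; }
    want=$((0x${3#0x}))
    if [ $(($rev)) -ge "$want" ]; then
        echo "$sig: running $rev, up to date"; return 0
    fi
    echo "$sig: running $rev, expected 0x${3#0x}, reload needed"; return 1
}

# Constructed sample: a Haswell (06-3c-03) still on revision 0x22, plus an
# empty placeholder where the real binary microcode file would be.
make_sample() {
    mkdir -p "$1/intel-ucode"
    printf 'processor\t: 0\ncpu family\t: 6\nmodel\t\t: 60\n' > "$1/cpuinfo"
    printf 'model name\t: Constructed sample CPU\n' >> "$1/cpuinfo"
    printf 'stepping\t: 3\nmicrocode\t: 0x22\n' >> "$1/cpuinfo"
    : > "$1/intel-ucode/06-3c-03"
}

tmp=$(mktemp -d)
make_sample "$tmp"
check_microcode "$tmp/cpuinfo" "$tmp/intel-ucode" 23 || true
rm -rf "$tmp"
# On a live system: check_microcode /proc/cpuinfo /lib/firmware/intel-ucode 23
```

Revisions are compared numerically, so a CPU already running a newer revision than the expected one is reported as up to date.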

 
