Intel ucode Plugin vs Package

Started by BrandyWine, May 26, 2026, 04:32:44 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
May 26, 2026, 04:32:44 AM Last Edit: May 26, 2026, 04:42:37 AM by BrandyWine
I have the latest 26.1.x_x version of community OPNsense installed, but I see I still have the OPNsense Intel ucode v1.1 Plugin installed, and also the ucode package "cpu-microcode-intel-20260227" and the "os-cpu-microcode-intel-1.1". Is the plugin even needed if the latest ucode is in the Intel package?

IIRC, long ago I though in some of the upgrade text it had mentioned something about the plugin being deprecated, or something like that.
Mini-pc N150 i226v x520, FREEDOM
May 26, 2026, 10:11:46 AM #1
Uninstalling the plugin will uninstall the corresponding microcode. The real question is whether you need the microcode or you can just fallback to the one included in freebsd/opnsense. At this point, with what we have seen over the last 12 months, I would just remove it, and if nothing significant happens, keep it that way.
May 26, 2026, 10:31:30 AM #2
Quote from: sopex on May 26, 2026, 10:11:46 AMAt this point, with what we have seen over the last 12 months, I would just remove it

Then you will run your CPU without any ucode updates (apart from ones that might be in your MB manufacturer's BIOS). The updates the FreeBSD/OPNsense plugin provides are not permanent but need to be applied at every boot.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
May 26, 2026, 11:02:34 AM #3
Quote from: Patrick M. Hausen on May 26, 2026, 10:31:30 AM
Quote from: sopex on May 26, 2026, 10:11:46 AMAt this point, with what we have seen over the last 12 months, I would just remove it

Then you will run your CPU without any ucode updates (apart from ones that might be in your MB manufacturer's BIOS). The updates the FreeBSD/OPNsense plugin provides are not permanent but need to be applied at every boot.

Yes, I totally agree with you.
May 26, 2026, 11:53:27 AM #4
IIUC...

The package (cpu-microcode-intel) gets installed by the plugin (os-cpu-microcode-intel) - no plugin, no package!

It appears that it's the x86info utility (also installed by the plugin) that reports itself as deprecated, not the (whole) plugin.
May 26, 2026, 12:03:23 PM #5
Quote from: dseven on May 26, 2026, 11:53:27 AMIt appears that it's the x86info utility (also installed by the plugin) that reports itself as deprecated, not the (whole) plugin.

Correct. People also tend to overlook the message below that text box:

QuoteOutput shown here for diagnostic purposes. There is no general need for manual system intervention.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
May 27, 2026, 06:44:55 AM #6
Quote from: dseven on May 26, 2026, 11:53:27 AMIIUC...

The package (cpu-microcode-intel) gets installed by the plugin (os-cpu-microcode-intel) - no plugin, no package!

It appears that it's the x86info utility (also installed by the plugin) that reports itself as deprecated, not the (whole) plugin.
cpu-microcode-intel is a pkg from the freeBSD repo.

os-cpu-microcode-intel-1.1 is a pkg from the OPNsense repo. I assume this 1.1 package comes from the install of the v1.1 plugin?

Did I get that right?

Mini-pc N150 i226v x520, FREEDOM
May 27, 2026, 09:02:28 AM #7
Yes to your question about the plugin. But OPNsense pulls all packages from the OPNsense repo. If you manually activate the FreeBSD repo, you have a high probability of messing up you installation. Simply don't do that.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
May 27, 2026, 06:40:48 PM #8
Quote from: Patrick M. Hausen on May 27, 2026, 09:02:28 AMYes to your question about the plugin. But OPNsense pulls all packages from the OPNsense repo. If you manually activate the FreeBSD repo, you have a high probability of messing up you installation. Simply don't do that.
Perhaps where it downloads from, but pkg info shows one from opnsense and the other from git.
Mini-pc N150 i226v x520, FREEDOM
May 27, 2026, 08:34:44 PM #9
Hmmm...

Code Select
root@opnsense:~ # pkg info cpu-microcode-intel
cpu-microcode-intel-20260227
Name           : cpu-microcode-intel
Version        : 20260227
Installed on   : Tue May 26 08:34:48 2026 UTC
Origin         : sysutils/cpu-microcode-intel
Architecture   : FreeBSD:14:*
Prefix         : /usr/local
Categories     : sysutils
Licenses       : EULA
Maintainer     : jrm@FreeBSD.org
WWW            : https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
Comment        : Intel CPU microcode updates
Options        :
        RC             : off
        SPLIT          : on
Annotations    :
        cpe            : cpe:2.3:o:intel:microcode:20260227:::::freebsd14:x64
        repo_type      : binary
        repository     : OPNsense
Flat size      : 30.2MiB
Description    :
This port uses the cpuctl(4) microcode update facility to keep your Intel
processor's firmware up-to-date.

Updating your microcode can help to mitigate certain potential security
vulnerabilities in CPUs as well as address certain functional issues that could,
for example, result in unpredictable system behavior such as hangs, crashes,
unexpected reboots, data errors, etc.
root@opnsense:~ #
Today at 01:46:35 AM #10
Quote from: dseven on May 27, 2026, 08:34:44 PMHmmm...

Code Select
root@opnsense:~ # pkg info cpu-microcode-intel
cpu-microcode-intel-20260227
Name           : cpu-microcode-intel
Version        : 20260227
Installed on   : Tue May 26 08:34:48 2026 UTC
Origin         : sysutils/cpu-microcode-intel
Architecture   : FreeBSD:14:*
Prefix         : /usr/local
Categories     : sysutils
Licenses       : EULA
Maintainer     : jrm@FreeBSD.org
WWW            : https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
Comment        : Intel CPU microcode updates
Options        :
        RC             : off
        SPLIT          : on
Annotations    :
        cpe            : cpe:2.3:o:intel:microcode:20260227:::::freebsd14:x64
        repo_type      : binary
        repository     : OPNsense
Flat size      : 30.2MiB
Description    :
This port uses the cpuctl(4) microcode update facility to keep your Intel
processor's firmware up-to-date.

Updating your microcode can help to mitigate certain potential security
vulnerabilities in CPUs as well as address certain functional issues that could,
for example, result in unpredictable system behavior such as hangs, crashes,
unexpected reboots, data errors, etc.
root@opnsense:~ #

Just a copy from one location to another.

If there's a new version from git then why not just copy that newer pkg to the opsnsene repo, and when the FW does an updates check it installs the newer ucode pkg. I cant see how the opnsense v1.1 package would have anything newer than what comes from the Intel pkg.

My only gripe with the Intel ucode pkg, most of that pkg remains static, they bundle a whole bunch of cpuid updates into one pkg, but not every cpuid gets an update, some ucode in the pkg is many years old. Thus if the pkg is marked new but it does not contain new ucode for your cpuid, then installing the pkg is 100% moot.

And then I also wonder, why are some cpuid's getting frequent ucode updates?
Mini-pc N150 i226v x520, FREEDOM
Today at 07:14:00 AM #11
OPNsense uses the FreeBSD ports system to build FreeBSD packages. Until the FreeBSD port maintainer updates the port the package stays the same.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
Today at 10:14:10 AM #12
Quote from: BrandyWine on Today at 01:46:35 AMIf there's a new version from git then why not just copy that newer pkg to the opsnsene repo, and when the FW does an updates check it installs the newer ucode pkg. I cant see how the opnsense v1.1 package would have anything newer than what comes from the Intel pkg.

What do you mean by "git"?

The "os-cpu-microcode-intel" package doesn't "have" anything. It's just the plugin to make the microcode work on an OPNsense installation - actually all it is is a script to effect microcode loading on boot, and a package dependency on cpu-microcode-intel, which contains the actual microcode.

(UUIC) the actual firmware comes from an OPNsense build of the FreeBSD "cpu-microcode-intel" port. That port (presumably) grabs the ("Linux") microcode files from the Intel repo and packages them for FreeBSD. That port was updated to use the 2026-05-12 version on that date (https://cgit.freebsd.org/ports/log/sysutils/cpu-microcode-intel). Coincidentally, OPNsense 26.1.8 was released on that same day. I'm guessing that a minor release of OPNsense triggers a build of the plugins. It looks like it may have "just missed" the microcode update this time. I'm guessing that when 26.1.9 gets released, the microcode package will update to (at least) 20260512_1. (can anyone confirm that his is the process?)
Print
Go Up Pages1
User actions