How to enable automatic microcode updates

[meyergru]

I've just installed that according to the guide, and if I understood correctly, it can be done in three steps:

1. From a shell: echo y | pkg install cpu-microcode

2. Use the web UI to create these two tuneables in /boot/loader.conf:

     cpu_microcode_load="YES"

     cpu_microcode_name="/boot/firmware/intel-ucode.bin"   -> for Intel CPUs

     or

     cpu_microcode_name="/boot/firmware/amd-ucode.bin"   -> for AMD CPUs

3. Reboot

Is that right?

Tia.

No.

I explained this in detail. You cannot load AMD microcode in the early stage.

Also, you mixed up /etc/rc.loader.conf and /boot/loader.conf, as well as the syntax of what must be in there.

Just follow the instructions.

[grimelog]

Wouldn't having this in a plugin improve the security of OPNsense?

I don't like having to venture into the repos of non-hardened BSD to install microcode updates. But, definitely running on bare metal those updates could have security and performance benefits. Is there any means of including this in an official plugin since we do not need this for VMs.

[meyergru]

There is no need for the FreeBSD repos as the Package is in OpnSense already.

Other than that, open a feature request on GitHub.

[alirx]

I'm totally new to opnsense and having trouble with step 2.

a)
b)

Which is the right way to do it? I don't understand how to point the values "cpu_microcode_load="YES"" and "cpu_microcode_name="/boot/firmware/intel-ucode.bin"" to "/boot/loader.conf" specifically. Just dont want to mess things up.

I'd appreciate some guidance.

[Patrick M. Hausen]

Tunable: cpu_microcode_load
Value: YES
Description: whatever

All without quotes, = signs or similar.

[olmari]

It looks like in the future AMD variant can also be "early loaded" according to recent cpu-microcode message on OpnSense 24.7_9:

1. Early loading.
   This method does not use the RC script included here.
   This is the preferred method, because it ensures that any CPU features
   added or removed by a microcode update are visible to the kernel by
   applying the update before the kernel performs CPU feature detection.

   To enable updates using early loading, add the following lines to
   /boot/loader.conf:

   cpu_microcode_load="YES"

   and the appropriate one of these lines:

   cpu_microcode_name="/boot/firmware/intel-ucode.bin"
   cpu_microcode_name="/boot/firmware/amd-ucode.bin"

   The microcode update will be loaded when the system is rebooted.

   AMD systems running FreeBSD prior to 2024-02-22 snapshot
   34467bd76 only support late loading.

Now I don't know what exact Frisbee version OpnSense currently happens to have, but definitely looks promising overall for the future <3

[meyergru]

Interesting find, but it does not apply to the current OpnSense version yet, since it is based on FreeBSD 14.1, released on 2023-06-04, so it does not include the neccessary changes (unless Franco includes the patches).

[olmari]

I do understand that, hencewhy such future prospecting wording :)

[franco]

The issue with https://cgit.freebsd.org/src/commit/?id=34467bd76 as I see it is that there is no intention of bringing it to older FreeBSD releases than what is to be 15.0 some day (no MFC annotation and not on stable/14).

It also doesn't cleanly apply to FreeBSD 14.1 as a single commit. This means there is no exposure on FreeBSD 14 and therefore also no intentional bugfixing if there are problems with it.

So I'm not saying this won't ever be in OPNsense based on FreeBSD 14, but I am saying it's not because we don't want it. ;)


Cheers,
Franco

[olmari]

Translation from franco's text:

This will be natural part of OPNsense when FreeBSD 15 major update hits OPNsense in the future.  8)

[franco]

Yes, but also have fun trying it out:

# opnsense-update -zkr 24.7-amd

It's on a separate branch and will stay there for a bit in any case.


Cheers,
Franco

[olmari]

Hmm, what's in there? or is there an place to see? =) I mean I'd love to take na peek before I commit to something, but in general I could ;D

Yes, but also have fun trying it out:

# opnsense-update -zkr 24.7-amd

It's on a separate branch and will stay there for a bit in any case.


Cheers,
Franco

[meyergru]

That kernel contains among other improvements the patches to enable early microcode loading for AMD processors. I cannot test it because my boxes all have Intel CPUs.

[olmari]

Yes, but also have fun trying it out:

# opnsense-update -zkr 24.7-amd

It's on a separate branch and will stay there for a bit in any case.


Cheers,
Franco

Allright, I am testing this with DEC2752, 24.7_9 as "base",

Code Select Expand

olmari@router:~ $ uname -a
FreeBSD router.huutoniemi 14.1-RELEASE-p2 FreeBSD 14.1-RELEASE-p2 amd_early-n267771-478b7ed2f02d SMP amd64


I put early loading into tunables, which produced these in /boot/loader.conf:

Code Select Expand

# dynamically generated tunables settings follow
cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/amd-ucode.bin"


/etc/rc.conf.d/cpu_microcode has the

Code Select Expand

microcode_update_enable="YES"

At least microcode still loads, No idea is it early or late stage =)

Code Select Expand

root@router:~ # kldload -q cpuctl; x86info -a | fgrep -i microcode
Microcode patch level: 0x810100b

[franco]

The branch is https://github.com/opnsense/src/tree/amd_early

Might be worth defanging the late loading code to verify the early load works now...


Cheeers,
Franco