Update Failed With This Error

Started by JDabbs, July 23, 2025, 09:14:11 PM

Quote from: tessus on July 25, 2025, 09:10:24 AM
Thanks @nbca2

This info certainly helps a lot. Thus I'll uninstall the microcode plugin before the upgrade and won't install it afterwards.

P.S.: I don't know how to mention a user in this forum.

Remember I'm not a tech guy, but a tech enthusiast.
I don't understand if microcode is necessary for system security.
I have the concept of the microcode update and why I installed it.
However, I don't know why it conflicts with this version of OPNsense and I don't know what it means by uninstalling the plugin (in addition to not having the CPU microcode updated).

Similar situation: hooked up a monitor and it appeared that the SSD was bad, stating when 25.7 was installed that it needed to recover clusters etc., then eventually would not boot. Uninstalled 25.7 and reinstalled 25.1.12 and no issues 2 days and counting. May try removing the Intel microcode later and trying to install 25.7 again; spent an entire day troubleshooting. I am running the Glovary Mini PC with N100 Alder Lake CPU.

Quote from: vk2him on July 24, 2025, 11:20:27 AM
My Protectli NUC upgraded with no issues - I have os-cpu-microcode-intel installed

What model do you have? I have a VP2420 and plan to upgrade during the weekend.
[HW]
Protectli VP2420
16GB RAM
240 GB SSD

[Versions]
OPNsense 25.7.1_1-amd64
FreeBSD 14.3-RELEASE-p1
OpenSSL 3.0.17

[Feature set]
Unbound DNS
Kea DHCPv4
Suricata IPS
Wireguard Client VPN

Thanks for your feedback. I don't have the microcode plugin installed, but reading these experiences, I will wait to see how this issue progresses. I'm also based on Intel, and I don't want to restore the installation at all.

I've got a Minisforum UN100D that's based on the N100 Intel processor that is normally headless, and a bit of a chore to hook up to monitor and keyboard, and it has the microcode plugin installed.

Based on this I think I'll wait to upgrade, and I'll monitor here for people's experience.

I appreciate the forum all the more, thank you.

There's a risk that we'll never know what the trigger is or that this "bug" will never be found/fixed (especially if it's a vendor issue).

FWIW, I had success on two Protectli units (a V1410 and a VP2410) both with the intel-microcode package installed prior to upgrade.  They both are running coreboot rather than the stock AMI UEFI, in case that makes a difference.
"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 256GB | 4x 2.5GbE (I226-V)
Site 2 |  J4125 | 8GB | 256GB | 4x 1GbE (I210)

Quote from: JDabbs on July 24, 2025, 11:45:01 AM
Uninstalled the os-cpu-microcode-intel microcode & rebooted to make sure it took effect.

Ran the upgrade to 25.7, device hung, power cycled it and it came up OK, so removing the microcode did improve the situation. Unfortunately I'm running this router headless so could not see any errors on screen - I have to take it out of the rack to attach a monitor to it.

I'm going to continue running it without the microcode installed and see how it goes. Following on from what Franco said earlier I will look if there is a BIOS update available; it's a small fanless PC so may need to do some research to find it.

PS big thank you to Franco for your extremely rapid and helpful suggestion, I love this community.

I highly recommend using a PIKVM for this type of situation.  I also run my servers headless but still need console from time to time.  Works flawlessly.
OPNsense 25.1.9 running on:
Dell Optiplex 3050
Intel I5-7600 @ 3.5Ghz (4 Cores)
Intel I350-T4 Nic
8G DDR4
256G SSD

Finally realized that I did not have os_cpu_microcode_intel installed on v25.1.12, so I installed it and checked for updates, installed v25.7 and it came up clean. Have rebooted three times to make sure and no issues.

When you install the microcode plugin, does it tell you that the code updates are not reliable or not fruitful (or something like that), and that you might want to rethink installing it?

Quote from: BrandyWine on July 27, 2025, 05:29:06 PM
When you install the microcode plugin, does it tell you that the code updates are not reliable or not fruitful (or something like that), and that you might want to rethink installing it?

It did indeed state that the microcode would no longer be supported nor updated. Decided to try it out anyway since I have had issues updating/clean install v25.7 since it was released.

I tried to update the backup router, a Topton with Intel J6413, also with the microcode plugin installed, also with AMI BIOS (but a different version/type from the Qotom one on my primary router); the upgrade got stuck with the same error.
I also tried to contact the vendor to upgrade the BIOS. Qotom answered, I've upgraded to the latest firmware, but the upgrade still gets stuck with the same error.

I'm considering removing the plugin and then upgrading to 25.7.

Is there a downside to running OPNsense without the microcode plugin installed (are there security risks)?
If the plugin will be deprecated, why bother about it?
Thanks

Quote from: nbca2 on July 27, 2025, 10:23:33 PM
If the plugin will be deprecated, why bother about it?

Who's claiming it is deprecated? Microcode updates are essential, IMHO.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

July 27, 2025, 10:48:29 PM #27 Last Edit: July 27, 2025, 10:50:21 PM by meyergru
I also fail to see where that is said. The info about os-microcode-intel and/or os-cpu-microcode-amd does not state anything to that extent.

And there are no security risks as long as you can manage to update the microcode via BIOS updates. But: Many systems out there may not be eligible for that, either because they are out of warranty (being old repurposed boxes) or their manufacturers do not support that in the first place (many Chinese boxes fall into that category).

IDK why some systems with that plugin failed on reboot after the update. FWIW, I did not have that problem on any of my 7 machines.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on July 27, 2025, 10:48:29 PM
I also fail to see where that is said. The info about os-microcode-intel and/or os-cpu-microcode-amd does not state anything to that extent.

And there are no security risks as long as you can manage to update the microcode via BIOS updates. But: Many systems out there may not be eligible for that, either because they are out of warranty (being old repurposed boxes) or their manufacturers do not support that in the first place (many Chinese boxes fall into that category).

IDK why some systems with that plugin failed on reboot after the update. FWIW, I did not have that problem on any of my 7 machines.


During the install of the plugin, in the 'Console Window', when it downloads, extracts and installs, there is a message that mentions deprecation. Sorry, I did not think about noting the details.

Here are the details:

Reloading firmware configuration
Flushing all caches...done.
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: No changes to trust store were made.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
=====
Message from cpu-microcode-rc-1.0_2:

--
This port includes an RC script, which is one of two methods to update
the CPU microcode on a FreeBSD system.

1. Early loading.
   This method does not use the RC script included here.
   This is the preferred method, because it ensures that any CPU features
   added or removed by a microcode update are visible to the kernel by
   applying the update before the kernel performs CPU feature detection.

   To enable updates using early loading, add the following lines to
   /boot/loader.conf:

   cpu_microcode_load="YES"

   and the appropriate one of these lines:

   cpu_microcode_name="/boot/firmware/intel-ucode.bin"
   cpu_microcode_name="/boot/firmware/amd-ucode.bin"

   The microcode update will be loaded when the system is rebooted.

   AMD systems running FreeBSD prior to 2024-02-22 snapshot
   34467bd76 only support late loading.


2. Late loading.
   This method, which does use the RC script included here, is enabled by
   adding the following line to /etc/rc.conf:

   microcode_update_enable="YES"

   The microcode update is then applied upon reboot or when the microcode
   update service is run via:

   # service microcode_update start

   If the CPU requires a microcode update, a console message such as the
   following will appear:

   Updating CPU Microcode...
   /usr/local/share/cpucontrol/m32306c3_00000022.fw: updating cpu /dev/cpuctl0 from rev 0x17 to rev 0x22... done.
   /usr/local/share/cpucontrol/m32306c3_00000022.fw: updating cpu /dev/cpuctl2 from rev 0x17 to rev 0x22... done.
   /usr/local/share/cpucontrol/m32306c3_00000022.fw: updating cpu /dev/cpuctl4 from rev 0x17 to rev 0x22... done.
   /usr/local/share/cpucontrol/m32306c3_00000022.fw: updating cpu /dev/cpuctl6 from rev 0x17 to rev 0x22... done.
   Done.

It is safe to enable both methods.
=====
Message from x86info-1.31.s03_1:

--
===>   NOTICE:

This port is deprecated; you may wish to reconsider installing it:

Abandoned upstream, fails to identify anything remotely new according to upstream issue reports.

It is scheduled to be removed on or after 2025-06-30.
=====
Message from cpu-microcode-amd-20241121:

--
Refer to the cpu-microcode-rc installation notes to enable AMD microcode
updates.
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***

And as you can see, the notice pertains only to the x86info package, which installs alongside the microcode update in order to be able to actually query which microcode is loaded, not to the microcode package itself.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
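
The cpu-microcode-rc message quoted in the thread names two loading methods and the settings that enable each; the check below reports which of them a box has configured. It is an added example, not part of any forum post or of OPNsense: the function names are hypothetical, the file paths and variable names are the ones from that message, and as a simplification only YES (any case) counts as enabled.

```shell
#!/bin/sh
# Added example: report which microcode loading methods are configured,
# using the variable names from the cpu-microcode-rc install message.

# Print the last value assigned to variable $1 in file $2.
# Handles key="value" and key=value; commented-out lines do not match.
conf_value() {
    [ -r "$2" ] || return 0
    sed -n "s/^[[:space:]]*$1=\"\{0,1\}\([^\"#[:space:]]*\)\"\{0,1\}.*/\1/p" "$2" |
        tail -n 1
}

# Simplification (assumption): only YES, in any letter case, means enabled.
is_yes() {
    case "$1" in
        [Yy][Ee][Ss]) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: microcode_status [loader.conf] [rc.conf]
# Prints: early=<yes|no> late=<yes|no> image=<path or ->
microcode_status() {
    loader=${1:-/boot/loader.conf}
    rc=${2:-/etc/rc.conf}
    early=no
    late=no
    load=$(conf_value cpu_microcode_load "$loader")
    image=$(conf_value cpu_microcode_name "$loader")
    enable=$(conf_value microcode_update_enable "$rc")
    # Early loading needs both the switch and an image path.
    if is_yes "$load" && [ -n "$image" ]; then
        early=yes
    fi
    # Late loading is the RC script, enabled from rc.conf.
    if is_yes "$enable"; then
        late=yes
    fi
    echo "early=$early late=$late image=${image:--}"
}

# Check the local system (or the two files given as arguments).
microcode_status "$@"
```

A result of `early=no late=no` means neither method from the message is enabled in those two files, so the CPU runs whatever microcode the BIOS loaded.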