25.7.11_1 os-cpu-microcode-amd

Started by MoonbeamFrame, January 17, 2026, 02:44:51 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
January 17, 2026, 02:44:51 PM Last Edit: January 17, 2026, 02:51:04 PM by MoonbeamFrame
I updated a firewall from 25.7.10 yesterday only to find the firewall would no longer boot.

Rebuilding from scratch to 25.7.11_1 and then re-installing plugins led to the same result.

Rebuilding and iterating through the plugins led to os-cpu-microcode-amd being the cause.

The hardware is a Minisforum Ryzen 9 9955HX MS-A2.
Today at 08:59:26 AM #1
Same problem here on business edition. There should be a way to blacklist the bad ones :/
Today at 09:41:26 AM #2
Are you using the same hardware?

Noting that my other Ryzen based firewalls had no problems with the same upgrade.
Today at 11:59:50 AM #3
Quote from: MoonbeamFrame on Today at 09:41:26 AMAre you using the same hardware?

Yes, same hardware.

I used this guide to fix it:

To resolve the boot loop caused by CPU microcode, you need to mount your ZFS boot environment from the USB stick and disable the loading instruction in the configuration file.

The reason "unloading" at the loader prompt often fails is that the microcode is frequently loaded as a specific firmware blob or environment variable set early in the boot process, which persists or gets re-read unless explicitly disabled in the configuration.

### Step-by-Step Recovery Guide

**1. Boot into the Live Environment**
Boot from your OPNsense or FreeBSD USB installer. When prompted, select **Shell** (or "Live CD" -> login as `root` / `opnsense` depending on the image).

**2. Import the ZFS Pool**
First, create a temporary mount point and import your pool. The pool is usually named `zroot`.

Code Select
mkdir -p /tmp/mnt
# List available pools to confirm the name
zpool import
# Import the pool with an alternate root (-R) to avoid mounting over the live system
# Use -f to force import since the pool was not exported cleanly
zpool import -f -R /tmp/mnt zroot

**3. Mount the Boot Environment**
OPNsense uses ZFS Boot Environments. The root file system is not at the top of the pool but in a dataset (usually `zroot/ROOT/default`). You must mount this specific dataset.

Code Select
# Identify the boot dataset (look for the 'bootfs' property)
zpool get bootfs zroot

# Mount the dataset identified above (e.g., zroot/ROOT/default)
zfs mount zroot/ROOT/default

**4. Disable Microcode Loading**
You need to edit `/boot/loader.conf`. In the mounted environment, this file is located at `/tmp/mnt/boot/loader.conf`.

Code Select
edit /tmp/mnt/boot/loader.conf
*(If you are uncomfortable with `vi`, try `ee` if available).*

Look for the following lines and either delete them or change `"YES"` to `"NO"`:

Code Select
cpu_microcode_load="YES"
**Check for local overrides:**
Sometimes plugins (like `os-cpu-microcode-intel`) write to a local file. Check if it exists and edit it as well:

Code Select
vi /tmp/mnt/boot/loader.conf.local
**5. Clean Up and Reboot**
Once the files are saved:

Code Select
# Unmount the dataset
zfs unmount zroot/ROOT/default

# Export the pool
zpool export zroot

# Reboot the system
reboot
Remove the USB stick. Your OPNsense server should now boot without loading the problematic microcode. Once booted, you can uninstall the microcode plugin (`os-cpu-microcode-intel` or similar) via the GUI to prevent it from re-enabling the setting during updates. [forum.opnsense](https://forum.opnsense.org/index.php?topic=14245.0)
Print
Go Up Pages1
User actions