Intel ucode Plugin vs Package

Started by BrandyWine, May 26, 2026, 04:32:44 AM

May 26, 2026, 04:32:44 AM Last Edit: May 26, 2026, 04:42:37 AM by BrandyWine
I have the latest 26.1.x_x version of community OPNsense installed, but I see I still have the OPNsense Intel ucode v1.1 Plugin installed, and also the ucode package "cpu-microcode-intel-20260227" and the "os-cpu-microcode-intel-1.1". Is the plugin even needed if the latest ucode is in the Intel package?

IIRC, long ago I thought in some of the upgrade text it had mentioned something about the plugin being deprecated, or something like that.
Mini-pc N150 i226v x520, FREEDOM

Uninstalling the plugin will uninstall the corresponding microcode. The real question is whether you need the microcode or you can just fall back to the one included in freebsd/opnsense. At this point, with what we have seen over the last 12 months, I would just remove it, and if nothing significant happens, keep it that way.

Quote from: sopex on May 26, 2026, 10:11:46 AM
At this point, with what we have seen over the last 12 months, I would just remove it

Then you will run your CPU without any ucode updates (apart from ones that might be in your MB manufacturer's BIOS). The updates the FreeBSD/OPNsense plugin provides are not permanent but need to be applied at every boot.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on May 26, 2026, 10:31:30 AM
Quote from: sopex on May 26, 2026, 10:11:46 AM
At this point, with what we have seen over the last 12 months, I would just remove it

Then you will run your CPU without any ucode updates (apart from ones that might be in your MB manufacturer's BIOS). The updates the FreeBSD/OPNsense plugin provides are not permanent but need to be applied at every boot.

Yes, I totally agree with you.

IIUC...

The package (cpu-microcode-intel) gets installed by the plugin (os-cpu-microcode-intel) - no plugin, no package!

It appears that it's the x86info utility (also installed by the plugin) that reports itself as deprecated, not the (whole) plugin.

Quote from: dseven on May 26, 2026, 11:53:27 AM
It appears that it's the x86info utility (also installed by the plugin) that reports itself as deprecated, not the (whole) plugin.

Correct. People also tend to overlook the message below that text box:

Quote:
Output shown here for diagnostic purposes. There is no general need for manual system intervention.
Deciso DEC750

Quote from: dseven on May 26, 2026, 11:53:27 AM
IIUC...

The package (cpu-microcode-intel) gets installed by the plugin (os-cpu-microcode-intel) - no plugin, no package!

It appears that it's the x86info utility (also installed by the plugin) that reports itself as deprecated, not the (whole) plugin.

cpu-microcode-intel is a pkg from the FreeBSD repo.

os-cpu-microcode-intel-1.1 is a pkg from the OPNsense repo. I assume this 1.1 package comes from the install of the v1.1 plugin?

Did I get that right?

Mini-pc N150 i226v x520, FREEDOM

Yes to your question about the plugin. But OPNsense pulls all packages from the OPNsense repo. If you manually activate the FreeBSD repo, you have a high probability of messing up your installation. Simply don't do that.
Deciso DEC750

Quote from: Patrick M. Hausen on May 27, 2026, 09:02:28 AM
Yes to your question about the plugin. But OPNsense pulls all packages from the OPNsense repo. If you manually activate the FreeBSD repo, you have a high probability of messing up your installation. Simply don't do that.

Perhaps where it downloads from, but pkg info shows one from opnsense and the other from git.
Mini-pc N150 i226v x520, FREEDOM

Hmmm...

root@opnsense:~ # pkg info cpu-microcode-intel
cpu-microcode-intel-20260227
Name           : cpu-microcode-intel
Version        : 20260227
Installed on   : Tue May 26 08:34:48 2026 UTC
Origin         : sysutils/cpu-microcode-intel
Architecture   : FreeBSD:14:*
Prefix         : /usr/local
Categories     : sysutils
Licenses       : EULA
Maintainer     : jrm@FreeBSD.org
WWW            : https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files
Comment        : Intel CPU microcode updates
Options        :
        RC             : off
        SPLIT          : on
Annotations    :
        cpe            : cpe:2.3:o:intel:microcode:20260227:::::freebsd14:x64
        repo_type      : binary
        repository     : OPNsense
Flat size      : 30.2MiB
Description    :
This port uses the cpuctl(4) microcode update facility to keep your Intel
processor's firmware up-to-date.

Updating your microcode can help to mitigate certain potential security
vulnerabilities in CPUs as well as address certain functional issues that could,
for example, result in unpredictable system behavior such as hangs, crashes,
unexpected reboots, data errors, etc.
root@opnsense:~ #

Quote from: dseven on May 27, 2026, 08:34:44 PM
Hmmm...


Just a copy from one location to another.

If there's a new version from git then why not just copy that newer pkg to the OPNsense repo, and when the FW does an update check it installs the newer ucode pkg. I can't see how the opnsense v1.1 package would have anything newer than what comes from the Intel pkg.

My only gripe with the Intel ucode pkg: most of that pkg remains static. They bundle a whole bunch of cpuid updates into one pkg, but not every cpuid gets an update; some ucode in the pkg is many years old. Thus if the pkg is marked new but it does not contain new ucode for your cpuid, then installing the pkg is 100% moot.

And then I also wonder, why are some cpuid's getting frequent ucode updates?
Mini-pc N150 i226v x520, FREEDOM
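
Added example, not part of any post in this thread: the point above about a package being moot when it carries no newer update for your CPUID can be checked by parsing the microcode update headers (48-byte layout per the Intel SDM) and comparing them with the running revision. The signatures, revisions and payloads below are constructed sample values; `cpu_sig`, `cpu_pf` and `running_rev` are assumed to be read from the running system, and the extended signature table is not handled.

```python
import struct

HDR = struct.Struct("<9I12x")  # 48-byte header: nine little-endian dwords + 12 reserved bytes

def dword_sum(buf):
    """Sum of all 32-bit words, modulo 2**32 (a valid update sums to zero)."""
    return sum(struct.unpack("<%dI" % (len(buf) // 4), buf)) & 0xFFFFFFFF

def iter_updates(blob):
    """Yield (fields, checksum_ok) for each update concatenated in one microcode file."""
    off = 0
    while off + HDR.size <= len(blob):
        hv, rev, date, sig, _ck, _lv, pf, dsz, tsz = HDR.unpack_from(blob, off)
        dsz = dsz or 2000                 # data size 0 means the legacy 2000-byte payload
        tsz = tsz or dsz + HDR.size       # total size 0 then means 2048 bytes
        if hv != 1 or tsz < HDR.size or tsz % 4 or off + tsz > len(blob):
            raise ValueError("malformed update at offset %d" % off)
        # The date field is BCD, laid out as mmddyyyy.
        iso = "%04x-%02x-%02x" % (date & 0xFFFF, date >> 24, (date >> 16) & 0xFF)
        yield {"sig": sig, "pf": pf, "rev": rev, "date": iso}, dword_sum(blob[off:off + tsz]) == 0
        off += tsz

def newer_update(blob, cpu_sig, cpu_pf, running_rev):
    """Newest checksum-valid update matching this CPU with rev > running_rev, else None."""
    best = None
    for f, ok in iter_updates(blob):
        match = f["sig"] == cpu_sig and (f["pf"] & cpu_pf or f["pf"] == cpu_pf == 0)
        if ok and match and f["rev"] > max(running_rev, best["rev"] if best else 0):
            best = f
    return best

def make_update(sig, pf, rev, date, payload=b"\xA5" * 32):
    """Constructed sample only: header plus dummy payload with a correct checksum."""
    tsz = HDR.size + len(payload)
    body = HDR.pack(1, rev, date, sig, 0, 1, pf, len(payload), tsz) + payload
    ck = (-dword_sum(body)) & 0xFFFFFFFF
    return HDR.pack(1, rev, date, sig, ck, 1, pf, len(payload), tsz) + payload

# Constructed file: two revisions for one made-up signature, one for another.
SAMPLE = (make_update(0x12345, 0x01, 0x10, 0x02272026)
          + make_update(0x12345, 0x01, 0x1C, 0x05122026)
          + make_update(0x54321, 0x80, 0x30, 0x05122026))

if __name__ == "__main__":
    print(newer_update(SAMPLE, cpu_sig=0x12345, cpu_pf=0x01, running_rev=0x10))
    print(newer_update(SAMPLE, cpu_sig=0x12345, cpu_pf=0x01, running_rev=0x1C))
```

A `None` result means the file holds nothing newer for that CPU, even if the package version string changed.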

OPNsense uses the FreeBSD ports system to build FreeBSD packages. Until the FreeBSD port maintainer updates the port the package stays the same.
Deciso DEC750

Quote from: BrandyWine on May 28, 2026, 01:46:35 AM
If there's a new version from git then why not just copy that newer pkg to the OPNsense repo, and when the FW does an update check it installs the newer ucode pkg. I can't see how the opnsense v1.1 package would have anything newer than what comes from the Intel pkg.

What do you mean by "git"?

The "os-cpu-microcode-intel" package doesn't "have" anything. It's just the plugin to make the microcode work on an OPNsense installation - actually all it is is a script to effect microcode loading on boot, and a package dependency on cpu-microcode-intel, which contains the actual microcode.

(IIUC) the actual firmware comes from an OPNsense build of the FreeBSD "cpu-microcode-intel" port. That port (presumably) grabs the ("Linux") microcode files from the Intel repo and packages them for FreeBSD. That port was updated to use the 2026-05-12 version on that date (https://cgit.freebsd.org/ports/log/sysutils/cpu-microcode-intel). Coincidentally, OPNsense 26.1.8 was released on that same day. I'm guessing that a minor release of OPNsense triggers a build of the plugins. It looks like it may have "just missed" the microcode update this time. I'm guessing that when 26.1.9 gets released, the microcode package will update to (at least) 20260512_1. (Can anyone confirm that this is the process?)

Why is a plugin needed to get the ucode.bin into loader? That makes no sense to me.
FreeBSD has the ucode packages, they are not specific to OPNsense, they are specific to the OS, so not much packaging to do for delivery.

Why not just include the latest Intel and AMD ucode pkg's in the OPNsense installer, then install and activate the appropriate package during install? From there the system can periodically check for a newer ucode package, and you can opt to install it from webui, w/o doing any opnsense upgrades.

This would 100% cure the issue mentioned, waiting for a 26.1.9_0 to get new plugin, which updates the associated pkg, which has dependency on an updated ucode pkg.

Just include a ucode pkg in installer, drop in the loader file, maintain the actual ucode package. No plugin needed.

We can right now just follow directions from the Intel pkg to activate the ucode, hence no need for plugin.



Mini-pc N150 i226v x520, FREEDOM

Because OPNsense provides installing and managing additional software from the UI via plugins?
Deciso DEC750