Updating microcode in Xen environments.
This document (7022546) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12
Situation
Updating microcode in bare-metal environments (e.g. in order to address “Spectre” type vulnerabilities) is accomplished by installing the appropriate microcode package and rebooting. However, in Xen environments, additional steps may be required.
Resolution
SLES12SP2 and newer Xen environments:
Beginning with SLES12SP2, Dom0 is a PVOPS based kernel (kernel-default), which has no interface for microcode updates while running as a Dom0. However, if the initrd contains an updated microcode, and Xen is made aware of its existence, the update will be applied during the Xen early boot process. Updates using this method require a host reboot after correctly adding the microcode to the initrd.
Installing a microcode update in SLES12SP2 and newer environments:
1. Determine current microcode level:
# grep -m1 microcode /proc/cpuinfo
microcode : 0x2000011
2. Install updated microcode package (ucode-intel, or ucode-amd).
3. Rebuild initrd using `mkinitrd`.
NOTE – The `lsinitrd` command can be used to verify the microcode is correctly inserted into the initrd.
# lsinitrd /boot/initrd-4.12.14-23-default
Image: /boot/initrd-4.12.14-23-default: 11M
================================================================
Early CPIO image
================================================================
drwxr-xr-x 1 root root 0 Jul 13 13:05 .
-rw-r--r-- 1 root root 2 Jul 13 13:05 early_cpio
drwxr-xr-x 1 root root 0 Jul 13 13:05 kernel
drwxr-xr-x 1 root root 0 Jul 13 13:05 kernel/x86
drwxr-xr-x 1 root root 0 Jul 13 13:05 kernel/x86/microcode
-rw-r--r-- 1 root root 31744 Jul 13 13:05 kernel/x86/microcode/GenuineIntel.bin
================================================================
4. Edit /etc/default/grub, and add “ucode=scan” to Xen hypervisor command line:
GRUB_CMDLINE_XEN_DEFAULT="vga=gfx-1024x768x16 crashkernel=202M\<4G ucode=scan"
5. Reboot.
6. Verify microcode is updated:
# grep -m1 microcode /proc/cpuinfo
microcode : 0x200004a
7. Verify new speculative mitigation features are available through `xl dmesg`.
# xl dmesg | grep Speculative -A5
(XEN) Speculative mitigation facilities:
(XEN) Hardware features: IBRS/IBPB STIBP SSBD
(XEN) Compiled-in support: INDIRECT_THUNK
(XEN) Xen settings: BTI-Thunk JMP, SPEC_CTRL: IBRS+ SSBD-, Other: IBPB
(XEN) Support for VMs: PV: MSR_SPEC_CTRL RSB, HVM: MSR_SPEC_CTRL RSB
(XEN) XPTI (64-bit PV only): Dom0 enabled, DomU enabled
Pre-SLES12SP1 Xen environments:
In SLES12SP1 and older (including SLES11), the Dom0 kernel (kernel-xen) is based on xenlinux. This environment can upgrade microcode from Dom0 at run-time. However, the CPU is not re-sampled after such an update, and therefore guests cannot use new features exposed by an online microcode update. To avoid this problem, microcode updates should be done using the following steps:
Installing a microcode update in SLES12SP1 and older environments:
1. Install updated microcode package (microcode_ctrl).
2. Determine correct microcode file:
# grep -E 'family|model|stepping' -m 3 /proc/cpuinfo
cpu family : 6
model : 62
model name : Intel(R) Xeon(R) CPU E7-4890 v2 @ 2.80GHz
stepping : 7
Intel microcode is named “[cpu family]-[model]-[stepping]”, using hexadecimal values. In the above output, this would be “06-3e-07”.
AMD microcode is named "microcode_amd_fam[NN]h.bin", where [NN] is the hexadecimal value of the CPU family. For example:
# grep -E 'cpu family|model name' -m 2 /proc/cpuinfo
cpu family : 23
model name : AMD EPYC 7601 32-Core Processor
For the AMD CPU above, the applicable microcode would be /lib/firmware/amd-ucode/microcode_amd_fam17h.bin.
3. Copy the microcode file from /lib/firmware/intel-ucode to /boot as GenuineIntel.bin. (For AMD environments, use /lib/firmware/amd-ucode and AuthenticAMD.bin.)
# cp /lib/firmware/intel-ucode/06-3e-07 /boot/GenuineIntel.bin
NOTE – For EFI boot environments, the microcode should be copied to the EFI boot partition and directory used in booting. This is typically /boot/efi/efi/SuSE.
4. Edit /etc/default/grub, and make the following 2 changes:
- Add the following module line in the Xen boot section, following the initrd module:
module /boot/GenuineIntel.bin
- Add “ucode=2” (where "2" is the "module" line number containing the GenuineIntel.bin string, starting from 0) to Xen hypervisor command line:
"kernel /boot/xen.gz vga=mode-0x317 ucode=2"
NOTE – For EFI boot environments, add the following line to the Xen EFI boot configuration (/boot/efi/efi/SuSE/xen.cfg) entries:
“ucode=GenuineIntel.bin”
5. Reboot.
6. Verify new speculative mitigation features are available through `xm dmesg`.
# xm dmesg | grep Speculative -A5
(XEN) Speculative mitigation facilities:
(XEN) Hardware features: IBRS/IBPB STIBP SSBD
(XEN) Xen settings: BTI-Thunk N/A, SPEC_CTRL: IBRS+ SSBD-, Other: IBPB
(XEN) Support for VMs: PV: MSR_SPEC_CTRL RSB, HVM: MSR_SPEC_CTRL RSB
(XEN) XPTI (64-bit PV only): Dom0 enabled, DomU enabled
NOTE: Multiple vendors may provide updated microcode. Ultimately, only the update which matches the running CPU (using hex cpuid comparison) will be applied during the update process.
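The two error-prone parts of the SLES12SP1 procedure are picking the right file in step 2 (hex family/model/stepping for Intel, hex family for AMD) and counting the "module" lines from 0 for ucode=N in step 4. The following POSIX shell script is an added example, not part of this TID, and works on constructed /proc/cpuinfo and grub-stanza text so it can be checked offline; on a real host the same functions can read `cat /proc/cpuinfo` and the Xen section of the grub configuration.

```shell
# Added example, not part of the SUSE TID: derive the vendor microcode file
# name (step 2) and the Xen "ucode=N" module index (step 4) from text.
# All sample inputs below are constructed, not captured from a real host.
INTEL_SAMPLE='vendor_id : GenuineIntel
cpu family : 6
model : 62
model name : Intel(R) Xeon(R) CPU E7-4890 v2 @ 2.80GHz
stepping : 7'

AMD_SAMPLE='vendor_id : AuthenticAMD
cpu family : 23'

# Constructed legacy-grub Xen stanza; Xen numbers "module" lines from 0.
GRUB_SAMPLE='title Xen -- SLES12 SP1
    root (hd0,0)
    kernel /boot/xen.gz vga=mode-0x317 ucode=2
    module /boot/vmlinuz-xen root=/dev/sda2
    module /boot/initrd-xen
    module /boot/GenuineIntel.bin'

# cpuinfo_field KEY: print the first value of KEY from cpuinfo text on stdin
cpuinfo_field() {
    awk -F':' -v key="$1" '$1 ~ ("^" key "[[:space:]]*$") {
        sub(/^[[:space:]]+/, "", $2); print $2; exit }'
}

# microcode_file: read cpuinfo text on stdin and print the file name under
# /lib/firmware (Intel: family-model-stepping as 2-digit hex; AMD: family hex)
microcode_file() {
    info=$(cat)
    vendor=$(printf '%s\n' "$info" | cpuinfo_field vendor_id)
    family=$(printf '%s\n' "$info" | cpuinfo_field 'cpu family')
    model=$(printf '%s\n' "$info" | cpuinfo_field model)
    stepping=$(printf '%s\n' "$info" | cpuinfo_field stepping)
    case "$vendor" in
        GenuineIntel) printf 'intel-ucode/%02x-%02x-%02x\n' "$family" "$model" "$stepping" ;;
        AuthenticAMD) printf 'amd-ucode/microcode_amd_fam%02xh.bin\n' "$family" ;;
        *) printf 'unsupported vendor: %s\n' "$vendor" >&2; return 1 ;;
    esac
}

# ucode_module_index: read a grub Xen stanza on stdin and print the 0-based
# index of the "module" line carrying the microcode blob (value for ucode=N)
ucode_module_index() {
    awk '$1 == "module" {
        if ($2 ~ /(GenuineIntel|AuthenticAMD)\.bin$/) { print n + 0; exit }
        n++ }'
}
```

The Intel sample yields intel-ucode/06-3e-07 and the AMD sample amd-ucode/microcode_amd_fam17h.bin, matching the naming rules above; the grub sample yields 2, which is the ucode=2 value shown in step 4.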
Additional Information
- https://wiki.xenproject.org/wiki/XenParavirtOps/microcode_update
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7022546
- Creation Date: 12-Jan-2018
- Modified Date: 03-Mar-2020
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com