Updating microcode in Xen environments.

This document (7022546) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 12

Situation

Updating microcode in bare-metal environments (e.g. in order to address “Spectre” type vulnerabilities) is accomplished by installing the appropriate microcode package and rebooting. However, in a Xen environment, additional steps may be required.

Resolution

SLES12SP2 and newer Xen environments:

Beginning with SLES12SP2, Dom0 is a PVOPS based kernel (kernel-default), which has no interface for microcode updates while running as a Dom0. However, if the initrd contains updated microcode, and Xen is made aware of its existence, the update will be applied during the Xen early boot process. Updates using this method require a host reboot after the microcode has been correctly added to the initrd.

Installing a microcode update in SLES12SP2 and newer environments:

1. Determine current microcode level:

      # grep -m1 microcode /proc/cpuinfo

      microcode : 0x2000011

2. Install updated microcode package (ucode-intel, or ucode-amd).

3. Rebuild initrd using `mkinitrd`.

     NOTE – The `lsinitrd` command can be used to verify the microcode is correctly inserted into the initrd.

     # lsinitrd /boot/initrd-4.12.14-23-default
     Image: /boot/initrd-4.12.14-23-default: 11M
     ================================================================
     Early CPIO image
     ================================================================
     drwxr-xr-x 1 root root 0 Jul 13 13:05 .
     -rw-r--r-- 1 root root 2 Jul 13 13:05 early_cpio
     drwxr-xr-x 1 root root 0 Jul 13 13:05 kernel
     drwxr-xr-x 1 root root 0 Jul 13 13:05 kernel/x86
     drwxr-xr-x 1 root root 0 Jul 13 13:05 kernel/x86/microcode
     -rw-r--r-- 1 root root 31744 Jul 13 13:05 kernel/x86/microcode/GenuineIntel.bin
     ================================================================

4. Edit /etc/default/grub, and add “ucode=scan” to Xen hypervisor command line:

      GRUB_CMDLINE_XEN_DEFAULT="vga=gfx-1024x768x16 crashkernel=202M\<4G ucode=scan"

5. Reboot.

6. Verify microcode is updated:

     # grep -m1 microcode /proc/cpuinfo

     microcode : 0x200004a

7. Verify new speculative mitigation features are available through `xl dmesg`.

     # xl dmesg | grep Speculative -A5
     (XEN) Speculative mitigation facilities:
     (XEN) Hardware features: IBRS/IBPB STIBP SSBD
     (XEN) Compiled-in support: INDIRECT_THUNK
     (XEN) Xen settings: BTI-Thunk JMP, SPEC_CTRL: IBRS+ SSBD-, Other: IBPB
     (XEN) Support for VMs: PV: MSR_SPEC_CTRL RSB, HVM: MSR_SPEC_CTRL RSB
     (XEN) XPTI (64-bit PV only): Dom0 enabled, DomU enabled

Pre-SLES12SP1 Xen environments:

In SLES12SP1 and older (including SLES11), the Dom0 kernel (kernel-xen) is based on xenlinux. This environment can upgrade microcode from Dom0 at run-time. However, the CPU is not re-sampled after such an update, and therefore guests cannot use new features exposed by an online microcode update. To avoid this problem, microcode updates should be done using the following steps:


Installing a microcode update in SLES12SP1 and older environments:

1. Install updated microcode package (microcode_ctrl).

2. Determine correct microcode file:

     # grep -E 'family|model|stepping' -m 3 /proc/cpuinfo
     cpu family : 6
     model : 62
     model name : Intel(R) Xeon(R) CPU E7-4890 v2 @ 2.80GHz
     stepping : 7

     Intel microcode is named “[cpu family]-[model]-[stepping]”, using hexadecimal values. In the above output, this would be “06-3e-07”.

     AMD microcode is named "microcode_amd_fam[NN]h.bin", where [NN] is the hexadecimal value of the CPU family. For example:

     # grep -E 'cpu family|model name' -m 2 /proc/cpuinfo
     cpu family : 23
     model name : AMD EPYC 7601 32-Core Processor
     For the AMD CPU above, the applicable microcode would be /lib/firmware/amd-ucode/microcode_amd_fam17h.bin.

3. Copy the microcode file from /lib/firmware/intel-ucode to /boot as GenuineIntel.bin. (For AMD environments, use /lib/firmware/amd-ucode and AuthenticAMD.bin.)

     # cp /lib/firmware/intel-ucode/06-3e-07 /boot/GenuineIntel.bin

NOTE – For EFI boot environments, the microcode should be copied to the EFI boot partition and directory used in booting. This is typically /boot/efi/efi/SuSE.

4. Edit /etc/default/grub, and make the following 2 changes:

     - Add the following module line in the Xen boot section, following the initrd module:

     module /boot/GenuineIntel.bin

      - Add “ucode=2” (where "2" is the "module" line number containing the GenuineIntel.bin string, starting from 0) to Xen hypervisor command line:

      "kernel /boot/xen.gz vga=mode-0x317 ucode=2"

NOTE – For EFI boot environments, add the following line to the Xen EFI boot configuration (/boot/efi/efi/SuSE/xen.cfg) entries:

      ucode=GenuineIntel.bin

5. Reboot.

6. Verify new speculative mitigation features are available through `xm dmesg`.

     # xm dmesg | grep Speculative -A5
     (XEN) Speculative mitigation facilities:
     (XEN) Hardware features: IBRS/IBPB STIBP SSBD
     (XEN) Xen settings: BTI-Thunk N/A, SPEC_CTRL: IBRS+ SSBD-, Other: IBPB
     (XEN) Support for VMs: PV: MSR_SPEC_CTRL RSB, HVM: MSR_SPEC_CTRL RSB
     (XEN) XPTI (64-bit PV only): Dom0 enabled, DomU enabled

NOTE: Multiple vendors may provide updated microcode. Ultimately, only the update which matches the running CPU (using a hex cpuid comparison) will be applied during the update process.
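The file-naming rule from step 2 of the SLES12SP1-and-older procedure, as an added example (not part of the SUSE TID): the script parses /proc/cpuinfo text, converts family/model/stepping to two-digit hex, and prints the vendor file that step 3 copies to /boot. The cpuinfo excerpts are constructed from the values shown above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the SUSE TID): derive the microcode file that step 2
# of the pre-SLES12SP1 procedure selects, from /proc/cpuinfo text.
#   Intel: /lib/firmware/intel-ucode/[family]-[model]-[stepping], two-digit hex
#   AMD:   /lib/firmware/amd-ucode/microcode_amd_fam[NN]h.bin, NN = family in hex

# Constructed /proc/cpuinfo excerpts used as sample input (values from the TID).
INTEL_CPUINFO='vendor_id : GenuineIntel
cpu family : 6
model : 62
model name : Intel(R) Xeon(R) CPU E7-4890 v2 @ 2.80GHz
stepping : 7'

AMD_CPUINFO='vendor_id : AuthenticAMD
cpu family : 23
model : 1
model name : AMD EPYC 7601 32-Core Processor
stepping : 2'

# cpuinfo_field TEXT KEY: print the value of the first "KEY : value" line.
# Keys are matched exactly, so "model" does not match "model name".
cpuinfo_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { k = substr($0, 1, index($0, ":") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = substr($0, index($0, ":") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# microcode_path TEXT: print the vendor microcode file to copy to /boot
# (as GenuineIntel.bin or AuthenticAMD.bin); returns non-zero for other vendors.
microcode_path() {
    vendor=$(cpuinfo_field "$1" vendor_id)
    family=$(cpuinfo_field "$1" "cpu family")
    model=$(cpuinfo_field "$1" model)
    stepping=$(cpuinfo_field "$1" stepping)
    case "$vendor" in
        GenuineIntel)
            printf '/lib/firmware/intel-ucode/%02x-%02x-%02x\n' \
                "$family" "$model" "$stepping" ;;
        AuthenticAMD)
            printf '/lib/firmware/amd-ucode/microcode_amd_fam%02xh.bin\n' "$family" ;;
        *)
            printf 'unsupported vendor_id: %s\n' "$vendor" >&2
            return 1 ;;
    esac
}

# On a real host: microcode_path "$(cat /proc/cpuinfo)"
```

The printed path is the source for the `cp` in step 3; after the reboot, compare the `microcode :` revision from /proc/cpuinfo against the value recorded before the update.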


Cause


Additional Information

External references :
- https://wiki.xenproject.org/wiki/XenParavirtOps/microcode_update

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7022546
  • Creation Date: 12-Jan-2018
  • Modified Date: 03-Mar-2020
  • SUSE Linux Enterprise Server
