SLES12SP2 and newer Xen environments:
Beginning with SLES12SP2, Dom0 is now a PVOPS based kernel (kernel-default), which has no interface for microcode updates while running as a Dom0. However, if the initrd contains an updated microcode, and Xen is made aware of its existence, the update will be applied during the Xen early boot process. Updates using this method require a host reboot after correctly adding the microcode to the initrd.
Installing a microcode update in SLES12SP2 and newer environments:
1. Determine current microcode level:
# grep -m1 microcode /proc/cpuinfo
microcode : 0x2000011
2. Install updated microcode package (ucode-intel, or ucode-amd).
3. Rebuild initrd using `mkinitrd`.
NOTE – The `lsinitrd` command can be used to verify the microcode is correctly inserted into the initrd.
# lsinitrd /boot/initrd-4.12.14-23-default
Image: /boot/initrd-4.12.14-23-default: 11M
================================================================
Early CPIO image
================================================================
drwxr-xr-x 1 root root 0 Jul 13 13:05 .
-rw-r--r-- 1 root root 2 Jul 13 13:05 early_cpio
drwxr-xr-x 1 root root 0 Jul 13 13:05 kernel
drwxr-xr-x 1 root root 0 Jul 13 13:05 kernel/x86
drwxr-xr-x 1 root root 0 Jul 13 13:05 kernel/x86/microcode
-rw-r--r-- 1 root root 31744 Jul 13 13:05 kernel/x86/microcode/GenuineIntel.bin
================================================================
4. Edit /etc/default/grub, and add "ucode=scan" to the Xen hypervisor command line:
GRUB_CMDLINE_XEN_DEFAULT="vga=gfx-1024x768x16 crashkernel=202M<4G ucode=scan"
5. Reboot.
6. Verify microcode is updated:
# grep -m1 microcode /proc/cpuinfo
microcode : 0x200004a
7. Verify new speculative mitigation features are available through `xl dmesg`.
# xl dmesg | grep Speculative -A5
(XEN) Speculative mitigation facilities:
(XEN) Hardware features: IBRS/IBPB STIBP SSBD
(XEN) Compiled-in support: INDIRECT_THUNK
(XEN) Xen settings: BTI-Thunk JMP, SPEC_CTRL: IBRS+ SSBD-, Other: IBPB
(XEN) Support for VMs: PV: MSR_SPEC_CTRL RSB, HVM: MSR_SPEC_CTRL RSB
(XEN) XPTI (64-bit PV only): Dom0 enabled, DomU enabled
Pre-SLES12SP1 Xen environments:
In SLES12SP1 and older (including SLES11), the Dom0 kernel (kernel-xen) is based on xenlinux. This environment can upgrade microcode from Dom0 at run-time. However, the CPU is not re-sampled after such an update, and therefore guests cannot use new features exposed with an online microcode update. To avoid this problem, microcode updates should be done using the following steps:
Installing a microcode update in SLES12SP1 and older environments:
1. Install updated microcode package (microcode_ctl).
2. Determine correct microcode file:
# grep -E 'family|model|stepping' -m 3 /proc/cpuinfo
cpu family : 6
model : 62
model name : Intel(R) Xeon(R) CPU E7-4890 v2 @ 2.80GHz
stepping : 7
Intel microcode is named "[cpu family]-[model]-[stepping]", using hexadecimal values. In the above output, this would be "06-3e-07".
AMD microcode is named "microcode_amd_fam[NN]h.bin", where [NN] is the hexadecimal value of the CPU family. For example:
# grep -E 'cpu family|model name' -m 2 /proc/cpuinfo
cpu family : 23
model name : AMD EPYC 7601 32-Core Processor
For the AMD CPU above, the applicable microcode would be /lib/firmware/amd-ucode/microcode_amd_fam17h.bin.
3. Copy the microcode file from /lib/firmware/intel-ucode to /boot as GenuineIntel.bin. (For AMD environments, use /lib/firmware/amd-ucode and AuthenticAMD.bin.)
# cp /lib/firmware/intel-ucode/06-3e-07 /boot/GenuineIntel.bin
NOTE – For EFI boot environments, the microcode should be copied to the EFI boot partition and directory used in booting. This is typically /boot/efi/efi/SuSE.
4. Edit /etc/default/grub, and make the following 2 changes:
– Add the following module line in the Xen boot section, following the initrd module:
module /boot/GenuineIntel.bin
– Add "ucode=2" (where "2" is the "module" line number containing the GenuineIntel.bin string, starting from 0) to the Xen hypervisor command line:
"kernel /boot/xen.gz vga=mode-0x317 ucode=2"
NOTE – For EFI boot environments, add the following line to the Xen EFI boot configuration (/boot/efi/efi/SuSE/xen.cfg) entries.
"ucode=GenuineIntel.bin"
5. Reboot.
6. Verify new speculative mitigation features are available through `xm dmesg`.
# xm dmesg | grep Speculative -A5
(XEN) Speculative mitigation facilities:
(XEN) Hardware features: IBRS/IBPB STIBP SSBD
(XEN) Xen settings: BTI-Thunk N/A, SPEC_CTRL: IBRS+ SSBD-, Other: IBPB
(XEN) Support for VMs: PV: MSR_SPEC_CTRL RSB, HVM: MSR_SPEC_CTRL RSB
(XEN) XPTI (64-bit PV only): Dom0 enabled, DomU enabled
NOTE: Multiple vendors may provide updated microcode. Ultimately, only the update which matches the running CPU (using hex cpuid comparison) will be applied during the update process.
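The two checks the procedures above do by hand, as an added example that is not part of the original document: deriving the vendor microcode file name from /proc/cpuinfo fields (step 2 of the pre-SLES12SP1 procedure, covering both the Intel family-model-stepping form and the AMD family form) and confirming that `lsinitrd` output lists the early-cpio microcode blob (step 3 of the SLES12SP2 procedure). The function names and the sample inputs are constructed for this example; both functions read stdin so they can be fed the live files as well.

```shell
#!/bin/sh
# Added example, not from the original document. Both helpers read stdin so
# they work on the constructed samples below and on live output, e.g.:
#   microcode_file < /proc/cpuinfo
#   lsinitrd /boot/initrd-$(uname -r) | initrd_has_microcode

# Print the firmware file for the first CPU in cpuinfo text on stdin.
# Intel: intel-ucode/FF-MM-SS (hex family, model, stepping, two digits each)
# AMD:   amd-ucode/microcode_amd_famNNh.bin (hex family); other vendors fail.
microcode_file() {
    awk -F'[[:blank:]]*:[[:blank:]]*' '
        $1 == "vendor_id"  && !v { v = $2 }
        $1 == "cpu family" && !f { f = $2 }
        $1 == "model"      && !m { m = $2 }
        $1 == "stepping"   && !s { s = $2 }
        END {
            if (v == "GenuineIntel")
                printf "/lib/firmware/intel-ucode/%02x-%02x-%02x\n", f, m, s
            else if (v == "AuthenticAMD")
                printf "/lib/firmware/amd-ucode/microcode_amd_fam%02xh.bin\n", f
            else
                exit 1
        }'
}

# Exit 0 and print the matching entry when lsinitrd output on stdin lists a
# vendor microcode blob in the early cpio section; exit 1 otherwise.
initrd_has_microcode() {
    grep -E 'kernel/x86/microcode/(GenuineIntel|AuthenticAMD)\.bin$'
}

# Constructed samples (values taken from the examples in the text).
INTEL_CPUINFO='vendor_id : GenuineIntel
cpu family : 6
model : 62
model name : Intel(R) Xeon(R) CPU E7-4890 v2 @ 2.80GHz
stepping : 7'
AMD_CPUINFO='vendor_id : AuthenticAMD
cpu family : 23
model name : AMD EPYC 7601 32-Core Processor'
LSINITRD_OUT='drwxr-xr-x 1 root root 0 Jul 13 13:05 kernel/x86/microcode
-rw-r--r-- 1 root root 31744 Jul 13 13:05 kernel/x86/microcode/GenuineIntel.bin'

printf '%s\n' "$INTEL_CPUINFO" | microcode_file     # 06-3e-07
printf '%s\n' "$AMD_CPUINFO"   | microcode_file     # microcode_amd_fam17h.bin
printf '%s\n' "$LSINITRD_OUT"  | initrd_has_microcode
```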