4/27/2018 Building Intel CPU Microcode Updates Directly into the Linux Kernel | DOTSLASHLINUX

Building Intel CPU Microcode Updates Directly into the Linux

Kernel

Facebook   Twitter   Google+   Reddit   LinkedIn

Firas Khalil Khana | 30/04/2017

DOTSLASHLINUX is proud to say that part of this article was added to the Gentoo Wiki 

To achieve our dream of booting the kernel without an initrd/initramfs we have to build our CPU’s
microcode updates directly into the linux kernel (removing any need for an initrd/initramfs). This is
doable, but due to lack of documentation on the process, one may find this thing hard to do. Yes, I
know, that’s why DOTSLASHLINUX was created xD. 

For those who’d like to know, I’m using Gentoo Linux. Any distro will be fine though, as long as you can
access your kernel’s source files. The version of the kernel’s source files that I’m using is 4.10.13.

1. Getting Ready

Fire up your favorite terminal emulator, navigate to your kernel’s source folder:

cd /usr/src/linux

Now make sure you have ncurses installed and type in:

make menuconfig

If you don’t have ncurses installed you can use: 

make gconfig if you had GTK installed

make xconfig if you had Qt installed

https://web.archive.org/web/20180226135957/https://www.dotslashlinux.com/post/building-intel-cpu-microcode-updates-directly-int… 1/9
4/27/2018 Building Intel CPU Microcode Updates Directly into the Linux Kernel | DOTSLASHLINUX

I personally prefer make menuconfig as it’s better maintained and can be accessed from your terminal
emulator or from a TTY. But as long as you can store your changes whenever you want, and go back
and forth with the configuration menus then you’re good to go. 

2. Enable CPU Microcode Loading Support

Navigate to Processor type and features and mark CONFIG_MICROCODE as built-in. You’ll receive two
options now “Blue vs Red” microcode loading support or should I
say CONFIG_MICROCODE_INTEL vs CONFIG_MICROCODE_AMD.

[∗] DMA memory allocation support

[∗] Symmetric multi-processing support
[ ] Enable MPS table
[ ] Intel Resource Director Technology Allocation support
[ ] Support for extended (non-PC) x86 platforms
[ ] Intel Low Power Subsystem Support
[ ] AMD ACPI2Platform devices support
< > Intel SoC IOSF Sideband support for SoC platforms
[ ] Single-depth WCHAN output
[ ] Linux guest support ----
Processor family (Core 2/newer Xeon) --->
[∗] Supported processor vendors --->
[∗] Enable DMI scanning
[ ] IBM Calgary IOMMU support
[ ] Enable Maximum number of SMP Processors and NUMA Nodes
(8) Maximum number of CPUs
[∗] SMT (Hyperthreading) scheduler support
[∗] Multi-core scheduler support
[∗] CPU core priorities scheduler support
Preemption Model (No Forced Preemption (Server)) --->
[ ] Reroute for broken boot IRQs
[∗] Machine Check / overheating reporting
[∗] Intel MCE features
< > Machine check injector support
Performance monitoring --->
[ ] Enable support for 16-bit segments
[∗] Enable vsyscall emulation
< > Dell i8k legacy laptop support
[∗] CPU microcode loading support
[∗] Intel microcode loading support
[ ] AMD microcode loading support
<∗> /dev/cpu/∗/msr - Model-specific register support
<∗> /dev/cpu/∗/cpuid - CPU information support
[∗] Numa Memory Allocation and Scheduler Support
[ ] Old style AMD Opteron NUMA detection
[∗] ACPI NUMA detection

https://web.archive.org/web/20180226135957/https://www.dotslashlinux.com/post/building-intel-cpu-microcode-updates-directly-int… 2/9
4/27/2018 Building Intel CPU Microcode Updates Directly into the Linux Kernel | DOTSLASHLINUX

[ ] NUMA emulation
(2) Maximum NUMA Nodes (as a power of 2)
Memory model (Sparse Memory) --->

3- Installing Intel CPU Microcode Updates

Gentoo Linux:

emerge --sync && emerge -av sys-firmware/intel-microcode

Void Linux:

xbps-install -Su && xbps-install -S intel-ucode

Arch Linux:

pacman -Syu intel-ucode

Now hold on, don’t follow your wiki’s guide on how to build microcode updates with an initrd/initramfs,
remember we’re not using an initrd/initramfs here. 

Instead, we’re going to check to see if /lib/firmware was populated with intel’s CPUs microcode update
files:

ls -l /lib/firmware

drwxr-xr-x 2 root root 4096 Apr 13 21:47 intel-ucode

Alright, looks like a new folder intel-ucode was created. Let’s see if it had the microcode update files:

ls -l /lib/firmware/intel-ucode

06-03-02 06-06-05 06-08-01 06-0a-01 06-0f-02 06-16-01 06-1c-02 06-26-01 06-3c-03

06-05-00 06-06-0a 06-08-03 06-0b-01 06-0f-06 06-17-06 06-1c-0a 06-2a-07 06-3d-04
06-05-01 06-06-0d 06-08-06 06-0b-04 06-0f-07 06-17-07 06-1d-01 06-2d-06 06-3e-04
06-05-02 06-07-01 06-08-0a 06-0d-06 06-0f-0a 06-17-0a 06-1e-05 06-2d-07 06-3e-06
06-05-03 06-07-02 06-09-05 06-0e-08 06-0f-0b 06-1a-04 06-25-02 06-2f-02 06-3e-07
06-06-00 06-07-03 06-0a-00 06-0e-0c 06-0f-0d 06-1a-05 06-25-05 06-3a-09 06-3f-02
https://web.archive.org/web/20180226135957/https://www.dotslashlinux.com/post/building-intel-cpu-microcode-updates-directly-int… 3/9
4/27/2018 Building Intel CPU Microcode Updates Directly into the Linux Kernel | DOTSLASHLINUX

Awesome, here are all of intel’s CPUs microcode update files! Now, we have to do some research to
figure out which file is the one to use for our cpu :D 

4- Choosing the Correct Microcode Update File

The file names here are somewhat related to the CPUID signature. The default way to get your CPUID
signature (as suggested by the Gentoo Wiki) is to install a tool called iucode_tool:

emerge --sync && emerge -av sys-apps/iucode_tool

iucode_tool is also available in Arch’s AUR. (This package isn’t available on Void Linux by the time this
article was written). 

Now run this:

iucode_tool -S

iucode_tool: system has processor(s) with signature 0x000306c3

As you can see my CPUID signature is  0x000306c3. If that didn’t work for you then don’t worry we
have other ways as well to get your CPUID signature. 

You can do your research and find your CPUID signature. For example, my CPU is a 4th Gen. Intel Core
i7 4700MQ, a little googling and I found this on cpu-world.com :

Another way to do this is to install cpuid:

emerge --sync && emerge -av sys-apps/cpuid

cpuid is also available in Arch’s AUR. (This package isn’t available on Void Linux by the time this article
was written). 

Now run:

https://web.archive.org/web/20180226135957/https://www.dotslashlinux.com/post/building-intel-cpu-microcode-updates-directly-int… 4/9
4/27/2018 Building Intel CPU Microcode Updates Directly into the Linux Kernel | DOTSLASHLINUX

cpuid | grep "processor serial number"

processor serial number = false

processor serial number: 0003-06C3-0000-0000-0000-0000
processor serial number = false
processor serial number: 0003-06C3-0000-0000-0000-0000
processor serial number = false
processor serial number: 0003-06C3-0000-0000-0000-0000
processor serial number = false
processor serial number: 0003-06C3-0000-0000-0000-0000
processor serial number = false
processor serial number: 0003-06C3-0000-0000-0000-0000
processor serial number = false
processor serial number: 0003-06C3-0000-0000-0000-0000
processor serial number = false
processor serial number: 0003-06C3-0000-0000-0000-0000
processor serial number = false
processor serial number: 0003-06C3-0000-0000-0000-0000

Notice how it says processor serial number:  0003-06C3-0000-0000-0000-0000. I’ve highlighted this
part 0003-06C3. 

Another way to do it, is to install dmidecode: 

Gentoo Linux:

emerge --sync && emerge -av sys-apps/dmidecode

Void Linux:

xbps-install -Su && xbps-install -S dmidecode

Arch Linux:

pacman -Syu dmidecode

Now run:

dmidecode | grep -w ID

https://web.archive.org/web/20180226135957/https://www.dotslashlinux.com/post/building-intel-cpu-microcode-updates-directly-int… 5/9
4/27/2018 Building Intel CPU Microcode Updates Directly into the Linux Kernel | DOTSLASHLINUX

ID: 0
ID: 1
ID: 2
ID: 3
ID: 4
ID: C3 06 03 00 FF FB EB BF

As you can see, (C, 3, 6, 0) are popping wherever I looked. You may simply choose to stop here if the
signature was pretty obvious to you and you could easily identify the correct microcode update file to
use (in my case I can easily tell that it’s 06-3c-03). 

Now we can use iucode_tool to identify the correct microcode update file (and with the magic of grep):

iucode_tool -L /lib/firmware/intel-ucode | grep 0x000306c3 -B 1

microcode bundle 26: /lib/firmware/intel-ucode/06-3c-03

026/001: sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528
026/002: sig 0x000306c3, pf_mask 0x32, 2017-01-27, rev 0x0022, size 22528

As you can clearly see my microcode update file in /lib/firmware/intel-ucode is 06-3c-03. 

5- Configuring the Linux Kernel to Build with the Correct Microcode

Update File

Woot.. The hard part is done, all we have to do right now is to tell the linux kernel the location of our
microcode update file so that it’ll be included in the kernel’s build process. 

Fire up your favorite terminal, and run:

cd /usr/src/linux

make menuconfig

Navigate to Device Drivers then to Generic Driver Options. 

Now
include CONFIG_FIRMWARE_IN_KERNEL,CONFIG_EXTRA_FIRMWAREand CONFIG_EXTRA_FIRMWARE_DIR as
shown below:

[ ] Support for uevent helper

-∗- Maintain a devtmpfs filesystem to mount at /dev
[∗] Automount devtmpfs at /dev, after the kernel mounted the rootfs

https://web.archive.org/web/20180226135957/https://www.dotslashlinux.com/post/building-intel-cpu-microcode-updates-directly-int… 6/9
4/27/2018 Building Intel CPU Microcode Updates Directly into the Linux Kernel | DOTSLASHLINUX

[∗] Select only drivers that don't need compile-time external firmware
[∗] Prevent firmware from being built
-∗- Userspace firmware loading support
[∗] Include in-kernel firmware blobs in kernel binary
(intel-ucode/06-3c-03) External firmware blobs to build into the kernel binary
(/lib/firmware) Firmware blobs root directory
[ ] Fallback user-helper invocation for firmware loading
[ ] Allow device coredump
[ ] Driver Core verbose debug messages
[ ] Managed device resources verbose debug messages
[ ] Test driver remove calls during probe (UNSTABLE)
< > Build kernel module to test asynchronous driver probing
[ ] Enable verbose DMA_FENCE_TRACE messages

Change: 

CONFIG_EXTRA_FIRMWARE to intel-ucode/YOUR_MICROCODE_UPDATE_FILE_NAME 

CONFIG_EXTRA_FIRMWARE_DIR to /lib/firmware 

Save your configuration file, compile your kernel and reboot. Microcode updates should be working
now without using an initrd. 

6- Verify that Microcode Updates are Working

This is quite simple, just run:

dmesg | grep microcode

[ 0.000000] microcode: microcode updated early to revision 0x22, date = 2017-01-27

[ 0.795219] microcode: sig=0x306c3, pf=0x10, revision=0x22
[ 0.795433] microcode: Microcode Update Driver: v2.01 <tigran@aivazian.fsnet.co.uk>,

As you can see, microcode updates are 100% working, final revision 0x22 is being used. 

Conclusion
If you followed our previous article Booting the Linux Kernel Without an initrd/initramfs, your boot folder
now should only have the kernel inside it, as it contains everything from your modules to your
microcode updates! 

8 Comments

https://web.archive.org/web/20180226135957/https://www.dotslashlinux.com/post/building-intel-cpu-microcode-updates-directly-int… 7/9
4/27/2018 Building Intel CPU Microcode Updates Directly into the Linux Kernel | DOTSLASHLINUX

atbd

03/06/2017

Hello, thank you for your articles, this one particularly! To be sure to not miss one, can you make them
available via rss ?

DOTSLASHLINUX

03/06/2017

@atbd, you’re most welcome! RSS feed is now available!

atbd

03/06/2017

By the way, I found a « method » to be sure about microcode signature: * install iucode_tool (available
on gentoo, i don’t know for others) * run  dmesg | grep microcode  & search for signature *
run iucode_tool -L /lib/firmware/intel-ucode/ and grep the signature found in your dmesg

DOTSLASHLINUX

03/06/2017

@atbd, I agree that should be the most obvious way to get the signature;however, on some
installations the output of “dmesg” may be a lot more that it can be truncated and the microcode
part won’t be shown, another thing is that the user may reduce the verbosity of dmesg so the
microcode updates won’t be shown.

The user might also be using a custom kernel build and has disabled “early microcode updates
support” from his/her kernel.

The point is to get the signature from more than one source to successfully choose your microcode
update file. Another way would be to choose all microcode update files and let the kernel pick the
right one for you. That might work but still the article was intended to make things easier for the
reader.

Thanks for your reply! Your suggestion is much appreciated!

rabbit

27/06/2017

Best article ever! Thank you a lot for your work! Great stuff!!!

DOTSLASHLINUX

https://web.archive.org/web/20180226135957/https://www.dotslashlinux.com/post/building-intel-cpu-microcode-updates-directly-int… 8/9
4/27/2018 Building Intel CPU Microcode Updates Directly into the Linux Kernel | DOTSLASHLINUX

27/06/2017

@rabbit, thanks a lot! Your feedback means a lot and it sure motivated me further more to
continue writing useful articles. Really glad that you found this one helpful. And I’m proud to say
that part of this article was added to the Gentoo wiki.

Joe

07/11/2017

Thanks for this.

But the folder intel-ucode does not exist on Arch Linux after installing the package. It just installs a .img
file in /boot which works with initrd only I guess!

Any tips appreciated!

DOTSLASHLINUX

10/11/2017

@Joe, Thanks and I’m sorry to hear that. Arch linux tends to build the microcode update files as an
image into the initramfs itself (which is the sane thing to do for a distribution targeting such a large
user base). You can still manually download the microcode update files from Intel’s website (a 2-
3MB microcode-date.tgz file) and extract it to ‘/lib/firmware’. Make sure that it’s owned by root:root
and it has 755 permissions.

Hope that helps! Let me know if you have any more questions!

Leave A Comment

Name

Your comment here.

Comments support Markdown.

Comments are being moderated to prevent spam so it may take a while

before your comment is posted.

Submit

Copyrights © 2017-2018 DOTSLASHLINUX | Licensed under CC BY 4.0

https://web.archive.org/web/20180226135957/https://www.dotslashlinux.com/post/building-intel-cpu-microcode-updates-directly-int… 9/9