Académique Documents
Professionnel Documents
Culture Documents
DOTSLASHLINUX is proud to say that part of this article was added to the Gentoo Wiki
To achieve our dream of booting the kernel without an initrd/initramfs we have to build our CPU’s
microcode updates directly into the linux kernel (removing any need for an initrd/initramfs). This is
doable, but due to lack of documentation on the process, one may find this thing hard to do. Yes, I
know, that’s why DOTSLASHLINUX was created xD.
For those who’d like to know, I’m using Gentoo Linux. Any distro will be fine though, as long as you can
access your kernel’s source files. The version of the kernel’s source files that I’m using is 4.10.13.
1. Getting Ready
Fire up your favorite terminal emulator, navigate to your kernel’s source folder:
cd /usr/src/linux
make menuconfig
https://web.archive.org/web/20180226135957/https://www.dotslashlinux.com/post/building-intel-cpu-microcode-updates-directly-int… 1/9
4/27/2018 Building Intel CPU Microcode Updates Directly into the Linux Kernel | DOTSLASHLINUX
I personally prefer make menuconfig as it’s better maintained and can be accessed from your terminal
emulator or from a TTY. But as long as you can store your changes whenever you want, and go back
and forth with the configuration menus then you’re good to go.
Navigate to Processor type and features and mark CONFIG_MICROCODE as built-in. You’ll receive two
options now “Blue vs Red” microcode loading support or should I
say CONFIG_MICROCODE_INTEL vs CONFIG_MICROCODE_AMD.
https://web.archive.org/web/20180226135957/https://www.dotslashlinux.com/post/building-intel-cpu-microcode-updates-directly-int… 2/9
4/27/2018 Building Intel CPU Microcode Updates Directly into the Linux Kernel | DOTSLASHLINUX
[ ] NUMA emulation
(2) Maximum NUMA Nodes (as a power of 2)
Memory model (Sparse Memory) --->
Gentoo Linux:
Void Linux:
Arch Linux:
Now hold on, don’t follow your wiki’s guide on how to build microcode updates with an initrd/initramfs,
remember we’re not using an initrd/initramfs here.
Instead, we’re going to check to see if /lib/firmware was populated with intel’s CPUs microcode update
files:
ls -l /lib/firmware
Alright, looks like a new folder intel-ucode was created. Let’s see if it had the microcode update files:
ls -l /lib/firmware/intel-ucode
Awesome, here are all of intel’s CPUs microcode update files! Now, we have to do some research to
figure out which file is the one to use for our cpu :D
The file names here are somewhat related to the CPUID signature. The default way to get your CPUID
signature (as suggested by the Gentoo Wiki) is to install a tool called iucode_tool:
iucode_tool is also available in Arch’s AUR. (This package isn’t available on Void Linux by the time this
article was written).
iucode_tool -S
As you can see my CPUID signature is 0x000306c3. If that didn’t work for you then don’t worry we
have other ways as well to get your CPUID signature.
You can do your research and find your CPUID signature. For example, my CPU is a 4th Gen. Intel Core
i7 4700MQ, a little googling and I found this on cpu-world.com :
cpuid is also available in Arch’s AUR. (This package isn’t available on Void Linux by the time this article
was written).
Now run:
https://web.archive.org/web/20180226135957/https://www.dotslashlinux.com/post/building-intel-cpu-microcode-updates-directly-int… 4/9
4/27/2018 Building Intel CPU Microcode Updates Directly into the Linux Kernel | DOTSLASHLINUX
Notice how it says processor serial number: 0003-06C3-0000-0000-0000-0000. I’ve highlighted this
part 0003-06C3.
Gentoo Linux:
Void Linux:
Arch Linux:
Now run:
dmidecode | grep -w ID
https://web.archive.org/web/20180226135957/https://www.dotslashlinux.com/post/building-intel-cpu-microcode-updates-directly-int… 5/9
4/27/2018 Building Intel CPU Microcode Updates Directly into the Linux Kernel | DOTSLASHLINUX
ID: 0
ID: 1
ID: 2
ID: 3
ID: 4
ID: C3 06 03 00 FF FB EB BF
As you can see, (C, 3, 6, 0) are popping wherever I looked. You may simply choose to stop here if the
signature was pretty obvious to you and you could easily identify the correct microcode update file to
use (in my case I can easily tell that it’s 06-3c-03).
Now we can use iucode_tool to identify the correct microcode update file (and with the magic of grep):
Woot.. The hard part is done, all we have to do right now is to tell the linux kernel the location of our
microcode update file so that it’ll be included in the kernel’s build process.
cd /usr/src/linux
make menuconfig
Now
include CONFIG_FIRMWARE_IN_KERNEL,CONFIG_EXTRA_FIRMWAREand CONFIG_EXTRA_FIRMWARE_DIR as
shown below:
https://web.archive.org/web/20180226135957/https://www.dotslashlinux.com/post/building-intel-cpu-microcode-updates-directly-int… 6/9
4/27/2018 Building Intel CPU Microcode Updates Directly into the Linux Kernel | DOTSLASHLINUX
[∗] Select only drivers that don't need compile-time external firmware
[∗] Prevent firmware from being built
-∗- Userspace firmware loading support
[∗] Include in-kernel firmware blobs in kernel binary
(intel-ucode/06-3c-03) External firmware blobs to build into the kernel binary
(/lib/firmware) Firmware blobs root directory
[ ] Fallback user-helper invocation for firmware loading
[ ] Allow device coredump
[ ] Driver Core verbose debug messages
[ ] Managed device resources verbose debug messages
[ ] Test driver remove calls during probe (UNSTABLE)
< > Build kernel module to test asynchronous driver probing
[ ] Enable verbose DMA_FENCE_TRACE messages
Change:
CONFIG_EXTRA_FIRMWARE to intel-ucode/YOUR_MICROCODE_UPDATE_FILE_NAME
CONFIG_EXTRA_FIRMWARE_DIR to /lib/firmware
Save your configuration file, compile your kernel and reboot. Microcode updates should be working
now without using an initrd.
As you can see, microcode updates are 100% working, final revision 0x22 is being used.
Conclusion
If you followed our previous article Booting the Linux Kernel Without an initrd/initramfs, your boot folder
now should only have the kernel inside it, as it contains everything from your modules to your
microcode updates!
8 Comments
https://web.archive.org/web/20180226135957/https://www.dotslashlinux.com/post/building-intel-cpu-microcode-updates-directly-int… 7/9
4/27/2018 Building Intel CPU Microcode Updates Directly into the Linux Kernel | DOTSLASHLINUX
atbd
03/06/2017
Hello, thank you for your articles, this one particularly! To be sure to not miss one, can you make them
available via rss ?
DOTSLASHLINUX
03/06/2017
atbd
03/06/2017
By the way, I found a « method » to be sure about microcode signature: * install iucode_tool (available
on gentoo, i don’t know for others) * run dmesg | grep microcode & search for signature *
run iucode_tool -L /lib/firmware/intel-ucode/ and grep the signature found in your dmesg
DOTSLASHLINUX
03/06/2017
@atbd, I agree that should be the most obvious way to get the signature;however, on some
installations the output of “dmesg” may be a lot more that it can be truncated and the microcode
part won’t be shown, another thing is that the user may reduce the verbosity of dmesg so the
microcode updates won’t be shown.
The user might also be using a custom kernel build and has disabled “early microcode updates
support” from his/her kernel.
The point is to get the signature from more than one source to successfully choose your microcode
update file. Another way would be to choose all microcode update files and let the kernel pick the
right one for you. That might work but still the article was intended to make things easier for the
reader.
rabbit
27/06/2017
Best article ever! Thank you a lot for your work! Great stuff!!!
DOTSLASHLINUX
https://web.archive.org/web/20180226135957/https://www.dotslashlinux.com/post/building-intel-cpu-microcode-updates-directly-int… 8/9
4/27/2018 Building Intel CPU Microcode Updates Directly into the Linux Kernel | DOTSLASHLINUX
27/06/2017
@rabbit, thanks a lot! Your feedback means a lot and it sure motivated me further more to
continue writing useful articles. Really glad that you found this one helpful. And I’m proud to say
that part of this article was added to the Gentoo wiki.
Joe
07/11/2017
But the folder intel-ucode does not exist on Arch Linux after installing the package. It just installs a .img
file in /boot which works with initrd only I guess!
DOTSLASHLINUX
10/11/2017
@Joe, Thanks and I’m sorry to hear that. Arch linux tends to build the microcode update files as an
image into the initramfs itself (which is the sane thing to do for a distribution targeting such a large
user base). You can still manually download the microcode update files from Intel’s website (a 2-
3MB microcode-date.tgz file) and extract it to ‘/lib/firmware’. Make sure that it’s owned by root:root
and it has 755 permissions.
Hope that helps! Let me know if you have any more questions!
Leave A Comment
Name
Submit
https://web.archive.org/web/20180226135957/https://www.dotslashlinux.com/post/building-intel-cpu-microcode-updates-directly-int… 9/9