Microcode

From Wikitech

All our servers (with the exception of some very old ones which are no longer supported by Intel) are expected to use mitigations for the following three Intel CPU vulnerability classes, which require microcode updates (some issues were fixed without needing additional microcode):

  • SSBD (cpu flag 'ssbd')
  • MDS/TAA (cpu flag 'md_clear')
  • L1TF (cpu flag 'flush_l1d')

There are two potential sources of error which might make microcode loading fail:

  • The server might have been freshly installed but never rebooted afterwards (maybe the reimage script, which reboots by default, didn't complete or wasn't used). This may lead to a situation where Puppet pulled in the microcode package, but it only takes effect with the next reboot. Simply reboot and see if it recovers.
  • If a reboot doesn't help, have a look at dmesg. We had a few cases where servers were upgraded from Linux 4.9 to 4.19 and the new kernel refused to load microcode due to some outdated system firmware (T235250), so the firmware/BIOS needs to be updated.
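One way to check for the three flags listed above before and after a reboot. This is an added example, not a script from Wikitech; the function names and the sample cpuinfo excerpt are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: CPU flags the page expects once microcode is loaded.
REQUIRED_FLAGS="ssbd md_clear flush_l1d"

# Read cpuinfo-format text on stdin; print required flags that are absent
# from the first "flags" line (empty output means all are present).
missing_flags() {
    present=$(awk -F': ' '/^flags/ { print $2; exit }')
    missing=""
    for flag in $REQUIRED_FLAGS; do
        case " $present " in
            *" $flag "*) ;;                  # whole-word match only
            *) missing="$missing $flag" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Print a verdict for stdin and return non-zero if any flag is missing.
check_microcode_flags() {
    missing=$(missing_flags)
    if [ -z "$missing" ]; then
        echo "OK: all of [$REQUIRED_FLAGS] present"
        return 0
    fi
    echo "MISSING: $missing (reboot first; if still missing, check: dmesg | grep -i microcode)"
    return 1
}

# Constructed sample: a host where only the SSBD flag is exposed.
sample_stale() { printf 'processor\t: 0\nflags\t\t: fpu vme ssbd ibrs\n'; }

# Demo on the constructed sample; on a real host use:
#   check_microcode_flags < /proc/cpuinfo
sample_stale | check_microcode_flags || true
```

The whole-word match matters because a similarly named flag such as `amd_ssbd` must not be counted as `ssbd`.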