Options for getting latest intel cpu microcode running in my librem 14

am i correct in understanding that if i want the cpu in my librem 14 to be running the latest intel microcode, i need to do one of the following two actions?:

  1. use the purism-supplied firmware updater at https://source.puri.sm/firmware/utility
  2. install the non-pureos debian package “intel-microcode”

is there any other option i am overlooking?

am i correct in understanding that option 1 needs to be repeated for every intel microcode update if i always want to be running the latest?

am i correct in understanding that option 2 (debian package) needs to load the updated cpu microcode after every reboot? or does it update some flash memory somewhere with permanent changes?

for option 2, is it sufficient to install the debian package? that is, does the package automatically take care of all details merely by being installed?

thanks for any helpful information you can provide!

long live free software and free hardware!

Hello,

You can simply update coreboot, see: https://puri.sm/projects/coreboot/

2 Likes

hi mladen! how does your suggestion differ from my option 1? my understanding is that they are the same, but i might be very confused about this.

Coreboot already includes the microcode. See: https://puri.sm/faq/what-is-the-difference-between-libreboot-and-my-librems-coreboot-firmware/

2 Likes

hi mladen. let me try to clarify what i was asking, because it seems my question must have been poorly worded. i was interested in knowing whether the methods i listed were all the known ways of getting my cpu running the latest microcode. are you saying that method 2 is not such a way, i.e., if i do that i won’t be running the latest microcode? are you also saying there is no method 3, i.e., method 1 is the one and only way to do it? also, have you considered the possibility that some people might prefer to run the latest microcode with a method that has less risk of bricking their machine? or are you saying that method 2 is more risky, i.e., more likely to brick a machine?

Now I have no idea what you are asking. If you want to update Intel microcode, simply update to the latest coreboot version, as it already contains the latest microcode from Intel.

2 Likes

There are 2 ways to update the Intel microcode: BLOB

  • We can update the Microcode by the Operating System, like the binary microcode.deb, but Purism can NOT include this microcode.deb because Intel Microcode is a dirty proprietary package.
    All Intel computers require microcode, either by the operating system or by the BIOS, for the CPU to work; in most cases the microcode works as a signature to start the CPU. If the microcode is new, it is updated into the CPU only one time and later only keeps the signature every time you turn on the machine.
    Intel CPUs should work without Microcode, but they violate the freedom of people who buy their Intel products; people should not buy Intel CPUs for this reason and others.
  • We can update the Intel Microcode by BIOS, like Coreboot, so Purism uses this way to update the Microcode, because in this way the Pure Operating System can be fully Free Software without including the Intel BLOB Microcode in Pure. If you want the latest new Microcode for the L14, you need to wait for the incoming Purism Coreboot 4.17, which is around the corner to be released.
    Also, you can manually update the Microcode any time on Coreboot.
    I would like to delete the whole ME on the BIOS to remove Microcode on the BIOS and OS too. I do not need it.

For sure but when people say “Intel CPU microcode”, as per the topic title, they are generally talking about the microcode that goes into the Intel x86_64 CPU, and not the firmware that is run by the Intel ME (believed to be an Intel x86 32-bit CPU).

That could be a question that is exceedingly difficult to answer, in that if someone is to say that those are the only ways then that is a claim of non-existence for any other way.

Regardless, I think you are being told that the recommended way is to update the boot firmware (which is a good idea anyway).

In the event that the CPU microcode is being updated in order to patch a serious vulnerability, some people would prefer to do it at the earliest possible time i.e. without booting the normal operating system - in case the exploit can be triggered before you ever get to perform the update.

It is generally not a good idea to pull in stuff from non-PureOS debian repositories. You can get yourself in a mess e.g. conflicting dependencies or e.g. duplicate packages.

I am just putting in extra info about Microcode because Microcode-Signatures is related to ME too.

1 Like
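Added example, not part of any post in this thread: a small checker for the question the thread circles around, namely which microcode revision the CPU is actually running and whether it came from the boot firmware (coreboot) or was loaded by the OS at boot. The function names are hypothetical, the sample data is constructed, and the kernel log wording it matches is an assumption that varies between kernel versions.

```python
import re

# Constructed sample inputs (not from the thread): two logical CPUs as
# /proc/cpuinfo lists them, and one kernel log line for each scenario.
SAMPLE_CPUINFO = (
    "processor\t: 0\nmodel name\t: Example CPU\nmicrocode\t: 0xf4\n\n"
    "processor\t: 1\nmodel name\t: Example CPU\nmicrocode\t: 0xf4\n"
)
SAMPLE_LOG_OS = "[    0.000000] microcode: microcode updated early to revision 0xf4, date = 2023-02-23\n"
SAMPLE_LOG_FW = "[    0.412345] microcode: Current revision: 0x000000f4\n"


def running_revisions(cpuinfo_text):
    """Map logical CPU number -> running microcode revision (/proc/cpuinfo text)."""
    revs, cpu = {}, None
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "processor":
            cpu = int(value)
        elif key == "microcode" and cpu is not None:
            revs[cpu] = int(value, 16)
    return revs


def report(cpuinfo_text, kernel_log):
    """Summarise the running revision(s) and where the running microcode came from."""
    revs = running_revisions(cpuinfo_text)
    if not re.search(r"microcode:", kernel_log):
        source = "unknown"        # no kernel log supplied, cannot tell
    elif re.search(r"microcode:.*updated early", kernel_log, re.I):
        source = "os-early-load"  # kernel applied a newer blob from the initramfs
    else:
        source = "firmware"       # kernel kept what the boot firmware had applied
    return {
        "revisions": sorted({hex(r) for r in revs.values()}),
        "consistent": len(set(revs.values())) == 1,  # every core on the same revision
        "source": source,
    }


if __name__ == "__main__":
    import sys
    # Usage: save the kernel log first (e.g. the output of dmesg) and pass its path.
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else ""
    print(report(open("/proc/cpuinfo").read(), log))
```

A result of `os-early-load` on every boot means the firmware carries an older revision than the OS package, because the OS-side load is applied to the CPU again at each boot rather than written to flash.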