Updating AMD microcode from Qubes OS

This guide will show you how to extract AMD microcode from mainboard firmware updates, and convert it into a binary format that can be loaded by Xen.

Using UEFI firmware updates is the recommended way to update AMD microcode, because they also include OEM updates and AGESA updates. Patching the microcode from the OS is a temporary solution that can be used until a stable UEFI firmware update has been released.

Qubes OS includes the amd-ucode-firmware package, which contains microcode released by AMD, but it is primarily used to deploy microcode for AMD’s enterprise line of CPUs.

It is possible to dump the microcode from consumer mainboard firmware updates and have Xen load the dump in the same way it loads the microcode from amd-ucode-firmware. The UEFI firmware applies its own microcode first; Xen then checks whether the microcode provided by the OS is newer, and only applies it if it is.

AMD CPU microcode signature verification vulnerability

A vulnerability was found in the method AMD uses to sign microcode, which could allow an attacker to load modified microcode.
The issue was fixed in AGESA 1.2.0.3C for Zen 5 and Zen 4, and in 1.2.0.E for earlier generations, so make sure you are running UEFI firmware with an updated AGESA.
The security update changed how microcode is verified: systems without the update cannot load microcode released after the AGESA update.

CPUID and current microcode version

You need to know your CPUID to find the correct microcode dump, and it can be useful to know which version of the microcode is currently being used.
In dom0, you can use cat /proc/cpuinfo | grep microcode to get the revision of the microcode currently in use.
On my system the CPUID is the first 4 bytes of the ID, in reverse order, but I don’t know if this is true for all CPUs.
In dom0, you can use sudo dmidecode -t 4 | grep ID to get the ID, which should give output similar to ID: 40 0F B4 00 FF FF FF FF, where the CPUID is 0x00B40F40.
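As an added example (not part of the original guide, and not a Qubes or MCExtractor tool), the following POSIX shell functions derive the CPUID from the family, model and stepping that dom0's /proc/cpuinfo prints, decode it from the dmidecode ID line, and check whether an extracted patch is newer than the revision currently running. The CPUID encoding is AMD's documented layout of CPUID leaf 1 EAX; the file name layout cpu<CPUID>_ver<VERSION>_<DATE>_<CHECKSUM>.bin is an assumption based on the CPUID_VERSION_DATE_CHECKSUM description in the extraction section.

```shell
#!/bin/sh
# Added example, not from the original guide.
#
# CPUID leaf 1 EAX layout on AMD: [27:20] extended family, [19:16] extended
# model, [11:8] base family, [7:4] base model, [3:0] stepping.
# /proc/cpuinfo prints the *display* family (base family + extended family;
# base family is 0xF on every modern AMD part) and the display model
# ((extended model << 4) | base model), so the encoding is reversed here.

# cpuid_from_fms FAMILY MODEL STEPPING   (decimal, as in /proc/cpuinfo)
cpuid_from_fms() {
    fam=$1
    model=$2
    step=$3
    if [ "$fam" -ge 15 ]; then
        base_fam=15; ext_fam=$((fam - 15))
    else
        base_fam=$fam; ext_fam=0
    fi
    ext_model=$((model >> 4))
    base_model=$((model & 15))
    printf '0x%08X\n' \
        $(( (ext_fam << 20) | (ext_model << 16) | (base_fam << 8) | (base_model << 4) | (step & 15) ))
}

# cpuid_from_dmi "ID: 40 0F B4 00 FF FF FF FF"
# dmidecode -t 4 prints the Processor ID as raw bytes: EAX, then EDX, of
# CPUID leaf 1, each little-endian, so the first four bytes reversed are the CPUID.
cpuid_from_dmi() {
    bytes=${1#*ID:}
    set -- $bytes
    printf '0x%s%s%s%s\n' "$4" "$3" "$2" "$1"
}

# cpuid_live: CPUID of the CPU dom0 is running on, read from /proc/cpuinfo
cpuid_live() {
    cpuid_from_fms \
        "$(awk '/^cpu family/ {print $NF; exit}' /proc/cpuinfo)" \
        "$(awk '/^model[[:space:]]*:/ {print $NF; exit}' /proc/cpuinfo)" \
        "$(awk '/^stepping/ {print $NF; exit}' /proc/cpuinfo)"
}

# ucode_rev_live: microcode revision dom0 reports, e.g. 0xb404022
ucode_rev_live() {
    awk '/^microcode/ {print $NF; exit}' /proc/cpuinfo
}

# mce_prefix CPUID: the prefix MCExtractor uses in Extracted/, e.g. cpu00B40F40
mce_prefix() {
    printf 'cpu%s\n' "${1#0x}"
}

# is_newer_patch FILENAME CURRENT_REV
# Assumed file name layout: cpu<CPUID>_ver<VERSION>_<DATE>_<CHECKSUM>.bin.
# Returns 0 when the patch version is higher than the running revision, which
# is the condition under which Xen will actually apply it.
is_newer_patch() {
    ver=${1#*_ver}
    ver=${ver%%_*}
    [ $((0x$ver)) -gt $(($2)) ]
}

# Usage in dom0:  sh cpuid.sh --live
if [ "${1:-}" = "--live" ]; then
    cpuid=$(cpuid_live)
    printf 'CPUID %s: look for %s* in Extracted/; running microcode %s\n' \
        "$cpuid" "$(mce_prefix "$cpuid")" "$(ucode_rev_live)"
fi
```

With the values from the guide (family 26, model 68, stepping 0) cpuid_from_fms prints 0x00B40F40, the same value cpuid_from_dmi recovers from the dmidecode line, and a file named cpu00B40F40_ver0B404023_... is reported as newer than a running revision of 0xb404022.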

Extracting the microcode

Clone the MCExtractor repo (https://github.com/platomav/MCExtractor, "Intel, AMD, VIA & Freescale Microcode Extraction Tool").
MCE has a few Python dependencies; install them in a venv with pip.
Download an OEM firmware update. It does not have to be for your mainboard, it just has to be for a mainboard that supports your CPU.
Run the MCE.py script on the firmware update to extract the microcode. It compares each patch against its database and tells you whether it matches the latest version known for that CPU.

$ python MCE.py <path to firmware>

The microcode dumps are written to the Extracted directory. The filename format is CPUID_VERSION_DATE_CHECKSUM; find the file that matches your CPUID. If the CPUID is 0x00B40F40, there should be a file whose name starts with cpu00B40F40.

Generate the microcode container

Clone the amd-ucodegen repo (https://github.com/AndyLavr/amd-ucodegen, "Tool to generate AMD microcode files").
Compile the C source with standard build tools (make), then use amd-ucodegen to wrap the dump in a microcode container:

$ ./amd-ucodegen <path to file extracted with MCE>

It should give you a file with a name similar to microcode_amd_famXXh.bin, where XXh is your CPU family in hex (the 0x00B40F40 example is family 0x1A).

Install the microcode

In dom0, check whether /lib/firmware/amd-ucode already contains a file with the same name as the one amd-ucodegen generated. If it does, make a backup before overwriting it with the new microcode.

Copy the generated file to /lib/firmware/amd-ucode, run sudo dracut -f to rebuild the initramfs so that it contains the new microcode, and reboot the system.

After the system has rebooted, you can use xl dmesg to check whether Xen loaded the microcode. If you get an error about the digest check failing, you need to add digest-check=off to the Xen ucode parameter (for example ucode=scan,digest-check=off). Xen's digest check compares AMD patches against a built-in list of known-good digests, so turning it off means Xen will accept a patch it does not know; only do this for a patch you extracted yourself from an official OEM firmware image.

When everything is working, xl dmesg should look similar to this:

(XEN) Microcode patch additional digest checks disabled
(XEN) BSP microcode revision: 0x0b404022
(XEN) microcode: CPU0 updated from revision 0xb404022 to 0xb404023, date = 2024-09-20
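The install and verification steps above, as an added example script (not part of the original guide, and not Qubes or Xen code): it stages the amd-ucodegen container into /lib/firmware/amd-ucode with a timestamped backup of anything it overwrites, rebuilds the initramfs, and after the reboot parses xl dmesg for the "updated from revision" line. The script name install-ucode.sh and the --verify flag are this example's own conventions; the log lines used in the usage note are the ones shown in the guide.

```shell
#!/bin/sh
# Added example, not from the original guide.
set -eu

FW_DIR=/lib/firmware/amd-ucode

# stage_ucode SRC [DESTDIR]: copy SRC into DESTDIR (default FW_DIR), first
# saving any existing file of the same name as <name>.bak.<timestamp>.
# Prints the path written.
stage_ucode() {
    src=$1
    dest=${2:-$FW_DIR}/$(basename "$src")
    if [ -e "$dest" ]; then
        cp -p "$dest" "$dest.bak.$(date +%Y%m%d%H%M%S)"
    fi
    install -m 0644 "$src" "$dest"
    printf '%s\n' "$dest"
}

# new_ucode_rev: reads `xl dmesg` output on stdin and prints the revision Xen
# reports in its "updated from revision X to Y" line. Returns 1 if there is no
# such line, i.e. Xen did not apply the patch (the firmware's copy was already
# as new, or the patch was rejected).
new_ucode_rev() {
    rev=$(sed -n 's/.*microcode: CPU0 updated from revision 0x[0-9a-f]* to \(0x[0-9a-f]*\),.*/\1/p' | head -n 1)
    [ -n "$rev" ] && printf '%s\n' "$rev"
}

# digest_check_disabled: true if the log shows Xen booted with digest-check=off
# (the line the guide shows once that option is set).
digest_check_disabled() {
    grep -q 'Microcode patch additional digest checks disabled'
}

# Full install, to be run as root in dom0:
#   sh install-ucode.sh microcode_amd_fam1ah.bin
main() {
    stage_ucode "$1"
    dracut -f      # rebuild the initramfs so the new container is embedded in it
    echo "Reboot, then run: xl dmesg | sh install-ucode.sh --verify"
}

case "${1:-}" in
    --verify)
        if rev=$(new_ucode_rev); then
            echo "microcode updated to $rev"
        else
            echo "no update applied; check xl dmesg for a digest-check failure" >&2
            exit 1
        fi ;;
    "") ;;           # no arguments: only define the functions
    *) main "$1" ;;
esac
```

With the xl dmesg output shown in the guide, new_ucode_rev prints 0xb404023 and digest_check_disabled succeeds; if --verify reports no update, look at xl dmesg for the digest-check error described above before considering digest-check=off.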