The sysutils/devcpu-data port can update Intel microcode.
The questions about adding this port are:
Should the rc.conf entry be enabled by default? (microcode_update_enable="YES")
Should there be an alert if the user disables the tunable?
Can we verify that it is smart enough not to downgrade to an older version of firmware? (cpucontrol(8))
#1 Updated by Alexander Motin over 1 year ago
- Status changed from Unscreened to Screened
At this point we do not have it enabled by default at all. We should probably update it and enable it at some point, as soon as vendors finalize their microcode updates after the recent security issues. I am just not sure we should hurry here, since I've heard that at least some of Intel's updates were not exactly successful. Let the dust settle a bit.
#2 Updated by Kris Moore over 1 year ago
- Target version changed from 11.1-U1 to 11.1-U2
Sounds like Alexander is right, some of the microcode updates may be getting fixed / refined over the next month or even more. We'll push this back a release to -U2. Meltdown really is still the highest priority here to bring in.
#9 Updated by Alexander Motin about 1 year ago
- Status changed from Blocked to In Progress
- Severity changed from New to Med High
- Reason for Blocked deleted (Dependant on a related task to be completed)
It seems we have updated Intel microcode in ports now. The only question is whether to enable updating during boot by default by setting the rc.conf variable. We should test it at least on our main types of systems.
On the 18th of May, the port was updated with the following message:
Use new tool committed by Ed Maste of the FreeBSD Foundation to process Intel microcode files into a format cpucontrol can process.
Which sounds to me like devcpu-data will still work. I think this issue should therefore be reopened.
- Status changed from In Progress to Ready for Testing
- Needs Merging changed from Yes to No
The latest microcode package, version 1.18, should be present in the next build. People who want to use it may set the microcode_update_enable="YES" rc.conf option. We will start general experiments in nightlies after 11.2-stable is branched or even released.
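The downgrade question in the ticket description comes down to comparing an update's revision with the revision already running. The sketch below is an added example, not code from cpucontrol(8) or the devcpu-data port: it parses the Intel microcode update header, verifies the checksum, and accepts only a matching update that is strictly newer. The function names and the sample signature, flag and revision values are constructed for illustration, and the running revision and platform ID bit are passed in as parameters instead of being read from the CPU.

```python
import struct

# 48-byte Intel microcode update header: nine little-endian dwords + 12 reserved bytes.
HEADER = struct.Struct("<9I12x")

def parse_header(blob):
    """Validate one update and return the fields needed for the apply decision."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    (hdr_ver, revision, _date, signature, _cksum, loader_rev,
     flags, data_size, total_size) = HEADER.unpack_from(blob)
    if hdr_ver != 1 or loader_rev != 1:
        raise ValueError("unsupported header or loader revision")
    # Zero sizes mean the legacy fixed layout: 2000 data bytes, 2048 in total.
    data_size = data_size or 2000
    total_size = total_size or data_size + HEADER.size
    if total_size % 4 or total_size < HEADER.size or total_size > len(blob):
        raise ValueError("bad total size")
    # All dwords of the update must sum to zero modulo 2**32.
    if sum(struct.unpack_from("<%dI" % (total_size // 4), blob)) & 0xFFFFFFFF:
        raise ValueError("checksum mismatch")
    return {"revision": revision, "signature": signature, "flags": flags}

def decide(blob, cpu_signature, platform_bit, running_revision):
    """Return 'apply' only for a matching update that is strictly newer."""
    hdr = parse_header(blob)
    # Simplification: the optional extended signature table is ignored.
    if hdr["signature"] != cpu_signature or not hdr["flags"] & (1 << platform_bit):
        return "skip: not for this CPU"
    if hdr["revision"] <= running_revision:
        return "skip: not newer than running revision"
    return "apply"

def build_sample(revision, signature, flags):
    """Constructed input: valid header, 2000 zero bytes of payload, fixed checksum."""
    body = HEADER.pack(1, revision, 0x01012000, signature, 0, 1, flags,
                       2000, 2048) + bytes(2000)
    total = sum(struct.unpack("<512I", body)) & 0xFFFFFFFF
    return body[:16] + struct.pack("<I", -total & 0xFFFFFFFF) + body[20:]

if __name__ == "__main__":
    sample = build_sample(0x24, 0x000306C3, 0x32)   # constructed values
    for running in (0x22, 0x24, 0x25):
        print(hex(running), decide(sample, 0x000306C3, 1, running))
```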