Upgrading and downgrading CPU microcode

Published on January 09, 2023

Introduction

As I often have to go through the process of downgrading CPU microcode to test and reproduce various speculative and transient-execution attacks, I am using this as an opportunity to document the process of checking what CPU microcode version is actually running, as well as how to downgrade/upgrade it from the operating system on both Linux and Microsoft Windows.

It is important to note that, in addition to the operating system loading CPU microcode, both the CPU and the BIOS/UEFI provide their own CPU microcode blobs. Since a microcode update can only be installed if its version is newer than what is currently running, the best we can do is downgrade to the version fused into the CPU or provided by the BIOS/UEFI, unless we resort to more drastic measures such as modifying the BIOS/UEFI or flashing an older version of the BIOS/UEFI firmware. Thus, in this case "downgrading" means reverting to the version provided by the BIOS/UEFI on the system by ensuring that the operating system does not load any newer CPU microcode upon booting.

If you just want to get your performance back, you may want to look at the instructions on how to disable the mitigations instead.

Linux

Disabling Mitigations

In /etc/default/grub, add mitigations=off to GRUB_CMDLINE_LINUX:

GRUB_CMDLINE_LINUX="mitigations=off"

Run sudo grub-mkconfig -o /boot/grub/grub.cfg and reboot.

If you want to re-enable the mitigations, remove mitigations=off and run grub-mkconfig again.

Checking the Version

Run cat /proc/cpuinfo. The line that starts with microcode indicates the microcode version that is currently running.

Programmatically, the microcode version that is currently running can be retrieved as follows on Intel CPUs:

  1. Write 0 to the IA32_BIOS_SIGN_ID (0x8B) MSR.
  2. Issue cpuid.
  3. Read the IA32_BIOS_SIGN_ID (0x8B) MSR. The upper 32 bits contain the microcode version.

This can be done through the msr kernel module.
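The three steps above, carried out through /dev/cpu/N/msr, as an added example that is not code from the original post. It assumes root privileges and that the cpuid kernel module is loaded alongside msr, so that the CPUID in step 2 executes on the same logical CPU as the MSR accesses; the function names are hypothetical.

```c
/* Added example (not from the original post). Requires root plus the msr
 * and cpuid kernel modules; use of the cpuid module is an assumption. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define IA32_BIOS_SIGN_ID 0x8B

/* Step 3: the revision is the upper 32 bits of the MSR value. */
uint32_t ucode_rev_from_msr(uint64_t sign_id)
{
    return (uint32_t)(sign_id >> 32);
}

/* Runs the three steps on logical CPU `cpu`.
 * Returns 0 and stores the revision in *rev, or -1 on any failure. */
int read_ucode_rev(int cpu, uint32_t *rev)
{
    char path[64];
    uint64_t val = 0;
    uint32_t regs[4]; /* EAX, EBX, ECX, EDX returned by CPUID */
    int msr_fd, cpuid_fd, ok;

    snprintf(path, sizeof(path), "/dev/cpu/%d/msr", cpu);
    msr_fd = open(path, O_RDWR);
    snprintf(path, sizeof(path), "/dev/cpu/%d/cpuid", cpu);
    cpuid_fd = open(path, O_RDONLY);

    /* Both drivers take the file offset as the MSR index / CPUID leaf and
     * perform the access on the CPU named in the path. */
    ok = msr_fd >= 0 && cpuid_fd >= 0
      && pwrite(msr_fd, &val, sizeof(val), IA32_BIOS_SIGN_ID) == (ssize_t)sizeof(val) /* 1 */
      && pread(cpuid_fd, regs, sizeof(regs), 1) == (ssize_t)sizeof(regs)              /* 2 */
      && pread(msr_fd, &val, sizeof(val), IA32_BIOS_SIGN_ID) == (ssize_t)sizeof(val); /* 3 */

    if (msr_fd >= 0) close(msr_fd);
    if (cpuid_fd >= 0) close(cpuid_fd);
    if (!ok) return -1;
    *rev = ucode_rev_from_msr(val);
    return 0;
}

int main(void)
{
    uint32_t rev;
    if (read_ucode_rev(0, &rev) != 0) return 1;
    printf("cpu0 microcode revision: 0x%x\n", rev);
    return 0;
}
```

If the kernel is in lockdown mode, the write in step 1 is rejected and the function returns -1.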

Downgrading

Run cat /proc/cpuinfo and check the lines that start with cpu family, model and stepping. Convert each decimal value to two-digit hexadecimal; the filename of your microcode blob is then something like 06-5e-03 (Intel Core i7-6700K).

Remove or rename the file for your CPU in /lib/firmware/intel-ucode. Then run update-initramfs -u to generate a new initramfs. The microcode is normally loaded by the Linux kernel during boot and the initramfs simply provides the microcode blobs for Linux to load.
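To avoid converting the values by hand, the following added example (not code from the original post) parses /proc/cpuinfo-style text and derives the blob filename together with the running revision. The struct, the function name and the sample input are constructed for illustration.

```c
/* Added example (not from the original post): derive the intel-ucode blob
 * name and the running revision from /proc/cpuinfo-style text. */
#include <stdio.h>
#include <string.h>

/* Constructed sample input; the microcode value is made up. */
static const char SAMPLE_CPUINFO[] =
    "processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\n"
    "model\t\t: 94\nmodel name\t: Intel(R) Core(TM) i7-6700K CPU @ 4.00GHz\n"
    "stepping\t: 3\nmicrocode\t: 0xf0\n\nprocessor\t: 1\n";

struct cpu_sig {
    unsigned family, model, stepping, microcode;
    char blob[32]; /* "ff-mm-ss" in lowercase hex, as used in intel-ucode/ */
};

/* Parses the first processor entry. Returns 0, or -1 if a field is missing. */
int parse_cpuinfo(const char *text, struct cpu_sig *sig)
{
    int seen = 0;

    for (const char *line = text; *line && *line != '\n'; ) {
        /* "model : %u" does not match the "model name" line. */
        if (sscanf(line, "cpu family : %u", &sig->family) == 1) seen |= 1;
        else if (sscanf(line, "model : %u", &sig->model) == 1) seen |= 2;
        else if (sscanf(line, "stepping : %u", &sig->stepping) == 1) seen |= 4;
        else if (sscanf(line, "microcode : %x", &sig->microcode) == 1) seen |= 8;
        const char *nl = strchr(line, '\n');
        if (!nl) break;
        line = nl + 1;
    }
    if (seen != 15) return -1;
    snprintf(sig->blob, sizeof(sig->blob), "%02x-%02x-%02x",
             sig->family, sig->model, sig->stepping);
    return 0;
}

int main(void)
{
    static char buf[1 << 16];
    struct cpu_sig sig;
    FILE *f = fopen("/proc/cpuinfo", "r");
    size_t n = f ? fread(buf, 1, sizeof(buf) - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    /* Fall back to the constructed sample when /proc/cpuinfo is unreadable. */
    if (parse_cpuinfo(n ? buf : SAMPLE_CPUINFO, &sig) != 0) return 1;
    printf("/lib/firmware/intel-ucode/%s (running 0x%x)\n", sig.blob, sig.microcode);
    return 0;
}
```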

Upgrading

Write the microcode blob to /lib/firmware/intel-ucode/06-5e-03 (replace with the correct family-model-stepping). Run echo 1 > /sys/devices/system/cpu/microcode/reload. You should now be running the new microcode version. To make this change "persistent", you can run update-initramfs -u to generate a new initramfs.

Microsoft Windows

Disabling Mitigations

To disable the mitigations on Microsoft Windows, you need to add the following two registry values:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If you want to enable the mitigations again, but leave Intel Hyper-Threading enabled, you can add the following registry values:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 72 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

If you also want to disable Intel Hyper-Threading, then you can add the following registry values:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 8246 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverrideMask /t REG_DWORD /d 3 /f

See also KB4072698: Windows Server and Azure Stack HCI guidance to protect against silicon-based microarchitectural and speculative execution side-channel vulnerabilities for more information.

Checking the Version

The Intel Processor Identification Utility is one tool that you can use to check the microcode version that is currently running.

Programmatically, the microcode version that is currently running can be retrieved as follows on Intel CPUs:

  1. Write 0 to the IA32_BIOS_SIGN_ID (0x8B) MSR.
  2. Issue cpuid.
  3. Read the IA32_BIOS_SIGN_ID (0x8B) MSR. The upper 32 bits contain the microcode version.

Downgrading

To downgrade the microcode, follow these steps to give yourself permission to change the filename of the DLLs:

  1. Open File Explorer.
  2. Navigate to C:\Windows\System32.
  3. Find mcupdate_GenuineIntel.dll or mcupdate_AuthenticAMD.dll.
  4. Right-click the DLL.
  5. Select Properties.
  6. In the Properties window, go to Advanced.
  7. Click Change next to Owner: TrustedInstaller.
  8. In the text area named Enter the object name to select, write your username.
  9. Press OK.
  10. In the Properties window, click the Add button.
  11. Next to Principal click on Select a principal.
  12. In the text area named Enter the object name to select, write your username.
  13. Press OK.
  14. Check the Full control permission.
  15. Press OK.
  16. Press OK.

If everything went well, you should now have the permission to change the filenames. Make sure the DLLs are not named mcupdate_GenuineIntel.dll and mcupdate_AuthenticAMD.dll. For instance, you can name them mcupdate_GenuineIntel.dll.bak and mcupdate_AuthenticAMD.dll.bak.

Reboot Microsoft Windows to ensure that the microcode does not get loaded. Note that CPU microcode cannot be downgraded at run-time. The CPU has old microcode fused into the CPU, and other stages of the boot process have the opportunity to upgrade the CPU microcode to something more recent. These stages are the BIOS/UEFI and the operating system.

To revert to the most recent version, you can simply change the filename back to the original name.

Note: Microsoft Windows may install new versions of these DLLs during an update. You will have to go through this process again in that case.

