Since I have hardware.cpu.amd.updateMicrocode set, I figured this would long have been fixed, so I guessed I needed a BIOS update or such, but after applying it that hasn’t fixed the problem.
I checked my cpuinfo:
tlater ~ $ grep 'model\|microcode' /proc/cpuinfo
model : 33
model name : AMD Ryzen 5 5600X 6-Core Processor
microcode : 0xa201025
The latest appears to be 0xaa00212.
This is a bit concerning: lots of NixOS systems will be vulnerable to that speculative execution bug, despite users believing they are mitigating it. Does anyone have any idea what’s going wrong?
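Added example, not part of the original thread: a small shell check that collapses the per-core `/proc/cpuinfo` entries into distinct model/microcode pairs and tests the running revision against a minimum. The function names and the sample file are constructed for illustration; the minimum must be the revision your vendor's advisory names for your CPU family, since revisions are only comparable within one family.

```shell
#!/bin/sh
# Added example: audit the running microcode revision from cpuinfo-format input.

# Print each distinct "model name | microcode" pair with the number of cores reporting it.
ucode_summary() {
    awk -F'[ \t]*:[ \t]*' '
        $1 == "model name" { name = $2 }
        $1 == "microcode"  { count[name " | " $2]++ }
        END { for (k in count) printf "%s | cores=%d\n", k, count[k] }
    ' "${1:-/proc/cpuinfo}" | sort
}

# ucode_at_least MIN [FILE]
# Returns 0 if every core is at revision >= MIN, 1 if any core is older,
# 2 if the input has no microcode field at all (e.g. some VMs).
ucode_at_least() {
    min=$(( $1 ))
    revs=$(awk -F'[ \t]*:[ \t]*' '$1 == "microcode" { print $2 }' \
        "${2:-/proc/cpuinfo}" | sort -u)
    [ -n "$revs" ] || return 2
    for r in $revs; do
        [ $(( $r )) -ge "$min" ] || return 1
    done
    return 0
}

# Constructed sample: two cores in /proc/cpuinfo layout, using the model name
# and revision quoted in the post above.
write_sample() {
    for cpu in 0 1; do
        printf 'processor\t: %s\nmodel\t\t: 33\n' "$cpu"
        printf 'model name\t: AMD Ryzen 5 5600X 6-Core Processor\n'
        printf 'microcode\t: 0xa201025\n\n'
    done > "$1"
}

# Demo on the constructed sample. The comparison value is just another revision
# quoted in this thread, used as a stand-in for a vendor-published minimum.
sample=$(mktemp)
write_sample "$sample"
ucode_summary "$sample"
ucode_at_least 0xa20120a "$sample" || echo "running microcode is older than 0xa20120a"
rm -f "$sample"
```

Run after a reboot: an early-loaded update from the initrd only shows up in `/proc/cpuinfo` once the kernel has applied it.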
model : 33
model name : AMD Ryzen 5 5600 6-Core Processor
microcode : 0xa20120a
That’s not it, I went trawling through nixpkgs, latest linux-firmware is backported since ~March this year. We’re currently on August 9 as the version number states, but at least my microcode version is 2 years (!) old.
I’ve since learned that linux-firmware contains different microcodes for a variety of AMD processor families. The nixpkgs package appears to bundle them all, but maybe one is missing? My next attempt was going to be grabbing a Debian/Arch/Gentoo package and forcing it into initrd manually to see if it’s a packaging error.
model : 33
model name : AMD Ryzen 9 5950X 16-Core Processor
microcode : 0xa20120a
BIOS is version 4802 (2023-07-14) for Asus Prime X570-PRO with change notes:
Update AGESA version to ComboV2PI 1.2.0.A
Mitigate the AMD potential security vulnerabilities for AMD Athlon™ processors and Ryzen™ processors
Improve system stability
NixOS version is NixOS 23.11.20230728.2a9d660 (tapir). I believe this is before the microcode updates were added? My interpretation of the command output is that perhaps the BIOS update applied the mitigations to my system?
That’s two years old, your microcode is just as outdated as mine.
Don’t know why the warning doesn’t show. Your kernel might be different from linuxPackages_latest? I switched to xanmod recently which doesn’t apparently.
However, my microcode has not been updated since 2021, and I’ve kept up with BIOS updates. Has there simply been no consumer-facing microcode update since? There clearly are other microcode numbers floating around, so I doubt it…
That would be why I don’t get the warning then. I am using the ZFS latestcompatiblelinux kernel, which is on an older version of Linux. And my NixOS revision would be before that warning would have been backported I believe.
If that’s true, well damn. Sucks to have an AMD processor. According to the documentation of the third party collection repo the motherboard vendors have some discretion as to whether to push the updates, in theory to ensure stability, but I’d not be surprised if Gigabyte just don’t bother.
I’ll wait until September and then see if I can contact support of either company to confirm this, and find out how AMD actually intends for users to upgrade their microcode. If it’s by BIOS update, and Gigabyte refuses to actually do so, guess I’ll add that unofficial workaround to nixos-hardware or something?
I checked the BIOS of my mainboard and found that the latest version from 2023-08-04 states “Update AGESA to ComboAM5 1.0.0.7b” which is of course older than the version AMD plans to push to OEMs (ComboAM5 1.0.8.0 (Target August 2023)). I wonder if AMD already published such a version. Personally I guess not.
I’ve confirmed since then that the updates are tied to BIOS updates. Check their support to see if they’ve published an updated BIOS since.
It’s a bit unfortunate since we’re effectively stuck with 0-days until hardware manufacturers manage to push updates months down the line, but that’s AMD’s update model.
fwupd also works on a bunch of vendors’ laptops these days, I’d imagine Framework publish updates with it - who knows if that includes BIOS though.
I’m late to the party, but for those who might come across this while searching, I’ve created a flake to fetch and apply AMD microcode updates for unsupported CPUs: ucodenix.
It has an option to automatically identify the CPU at build time. It’s not on by default, but it’s an impurity that I don’t think we can realistically accept upstream at all, even as an option. So that would have to be removed.
It’s based on this repo, which appears to be a crowdsourced collection of microcodes. This isn’t exactly something I would be encouraging typical users to use, especially given this warning in the repo:
It is generally advised to request and/or wait for your OEM/OS to release newer fixes. Latest is not always better or tested. Manufacturers and OS maintainers usually have some insider/confidential info from microcode vendors on what got changed/fixed at newer microcode releases so if they ship older microcodes, it could be that newer versions have not been thoroughly tested, have been retracted/downgraded by the microcode vendor or not contain anything important enough to warrant an update. The microcodes here are gathered and provided with the sole purpose of helping people who are out of other viable solutions. Thus, they can be extremely helpful to those who have major problems with their systems for which their manufacturer refuses to assist due to indifference and/or system age.
Great to have the option, but doesn’t exactly fit with upstream NixOS IMO.
I agree with the first point, but the current method serves as a temporary workaround until solutions enabling automatic identification of the CPU model ID without compromising build reproducibility are implemented.
Regarding the second point, the disclaimer in the repository is understandable. However, while accounting for the risk of regressions, I believe it’s more dangerous to rely on a microcode that is several years old with unpatched vulnerabilities or to update your BIOS just to obtain a recent microcode than to retrieve an update from that repository. These updates come from official sources and are tested for integrity.
That said, I’m perfectly fine with ucodenix being a flake for advanced users.