AMD CPU users - Updated Microcode for Vulnerabilities

Hi all, if you follow tech sites I'm sure you've heard about the new AMD CPU vulnerabilities. While we will be updating to the kernel with the fixes for this in the upcoming sync you should know that CPU vulnerabilities like this are usually fixed in BOTH the kernel code and the CPU microcode. Usually the kernel will check to see if the microcode of the CPU is new enough and if not will use a separate code path that works around the vulnerability somehow.

The kernel code path is almost always slower (sometimes significantly so) than if the issue was fixed in the microcode, so you always want to have the most updated microcode available so that the kernel doesn't need to do the more performance expensive fixes.

UNFORTUNATELY AMD has chosen not to distribute desktop and laptop CPU microcode in the linux-firmware package like they do for Epyc and Threadripper CPUs. They have instead opted to allow motherboard/laptop manufacturers distribute this themselves via BIOS updates.

Thus, if you care about the performance of your system and are not just completely disabling mitigations with mitigations=off then you should check your computer/motherboard manufacturer for the latest BIOS update and install that. Yes, this is annoying and also risky in that certain motherboard manufacturers like to wipe BIOS settings on updates which could render your system unbootable until you reconfigure the BIOS correctly. Note that this is all at your own risk, Solus developers/maintainers are not responsible for bricked hardware or unbootable systems. If this is Grandma's computer and you want to ensure that it keeps working stably it's probably best to just use the kernel mitigations and leave the BIOS alone (after all Grandma isn't likely to notice the performance hit).

Yes, this is ridiculous. AMD should distribute microcode for desktop/laptop class processors via linux-firmware. They distribute this microcode for those CPUs via Windows update (as far as I'm aware).

Yes, it is probably possible to extract the microcode from the BIOS update or from the Windows Update files and to place it in the correct place for it to be loaded by Linux so that a BIOS update isn't necessary. I don't know how to do that and doing so is neither advised nor supported on Solus (and may break your system/kill your dog).

No, Intel does the correct thing here and distributes microcode for ALL their CPUs via the intel-microcode package (as far as I can tell). If you're an Intel user you should receive the updated microcode and the kernel mitigations in the next sync, and your kernel will use the most performant mitigation possible.

Also, if you don't care about speculative execution vulnerabilities and/or need the maximum amount of performance from your system as possible you can run the following to disable ALL mitigations:

sudo mkdir -p /etc/kernel/cmdline.d
echo "mitigations=off" | sudo tee /etc/kernel/cmdline.d/99-i-dont-care-about-security-and-i-know-this-is-unsupported.conf
sudo clr-boot-manager update

And then reboot. If it works then cat /proc/cmdline will show mitigations=off in the output.