intel-microcode should be installed by default, when the CPU is GenuineIntel

Bug #1386257 reported by Dimitri John Ledkov
This bug affects 4 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu Kylin | Fix Released | Undecided | Aron Xu | |
| intel | Fix Released | Undecided | Dimitri John Ledkov | |
| amd64-microcode (Ubuntu) | Fix Released | Medium | Unassigned | |
| ubuntu-drivers-common (Ubuntu) | Fix Released | Medium | Dimitri John Ledkov | |
| ubuntu-meta (Ubuntu) | Fix Released | Medium | Dimitri John Ledkov | |
| ubuntukylin-meta (Ubuntu) | Fix Released | Medium | Aron Xu | |

Bug Description

intel-microcode should be installed by default on the bare-metal systems which are running on GenuineIntel CPUs, by the installers.

Similarly, other microcode packages for other CPU brands should be considered for inclusion (e.g. amd64-microcode).

I hope that ubuntu-drivers-common can gain the ability to detect CPU series and/or vendors, that packages that provide microcode similarly declare support for CPU series and/or vendors, and that the microcode packages are shipped on the CDs in the pool directory and installed onto the target machines as part of the installation.

This should help with rapid correction of bugs and behaviour of the CPUs in the field.

2017 update: amd64-microcode should also be seeded, as it is useful to have it autoinstallable. In recent years there have been critical CPU security vulnerabilities which got fixed with microcode updates.

Changed in ubuntu-drivers-common (Ubuntu):
milestone: none → ubuntu-15.04
assignee: nobody → Dimitri John Ledkov (xnox)
Changed in intel:
assignee: nobody → Dimitri John Ledkov (xnox)
Dimitri John Ledkov (xnox) wrote :
Changed in ubuntu-drivers-common (Ubuntu):
status: New → In Progress
affects: ubuntu-cdimage → ubuntu-seeds
Changed in ubuntu-seeds:
assignee: nobody → Dimitri John Ledkov (xnox)
affects: ubuntu-seeds → ubuntu-meta (Ubuntu)
Changed in ubuntu-meta (Ubuntu):
status: New → In Progress
Dimitri John Ledkov (xnox) wrote :
Felix Geyer (debfx) wrote :

I have strongly mixed feelings about installing intel-microcode by default.
Of course it's good to have the latest microcode bugfixes.
What worries me is that Intel provides no release notes at all.
They didn't even put up a warning for the update that disables the TSX instruction.
Removing an instruction while processes are already running is of course highly problematic, see bug #1370352.

Dimitri John Ledkov (xnox) wrote :

@debfx this is precisely why the intel microcode package should be consistently installed, and this is done in response to the TSX problem described before. A microcode update is the last resort that a vendor has to correct firmware bugs in the field. The microcode update removed the TSX instruction because the implementation turned out to have issues. But that was not sufficient alone, due to incorrect detection in the user-space code and the fact that microcode is not updated on most client systems. This is one of the corrective actions going forward to mitigate / contain similar types of problems in the future.

Henrique de Moraes Holschuh (hmh) wrote :

You will want the newer intel-microcode packages, then. This means a resync with Debian is highly advised.

Exactly due to the issue brought to the front by the Intel Haswell microcode update that disabled TSX, Debian has switched to enforcing that automated microcode updates be done only through the early initramfs. This, in fact, requires a reboot to apply the microcode update (just like a kernel update).

While I did blacklist the offending Haswell microcode updates in the Debian packages so that they will not be applied by accident using the late microcode driver (which results in an unusable system as described in #1370352), this kind of blacklisting is reactive, so the switch to early microcode updates is the only safe way forward right now.

Of course, it took ~10 years for the first Intel microcode update that had visible effects at the ISA level to show up, so it might be another 10 years before the next one...

Dimitri John Ledkov (xnox) wrote :

MIR has been approved and intel-microcode has been seeded onto the images; thus, whenever the next images are built, intel-microcode will be available from the package pool with the archive overrides done, but not yet automatically installed until after the ubuntu-drivers-common change also lands on the images.

Changed in ubuntu-meta (Ubuntu):
status: In Progress → Fix Released
Aron Xu (happyaron)
Changed in ubuntukylin-meta (Ubuntu):
status: New → Fix Committed
Amr Ibrahim (amribrahim1987) wrote :

What about amd-microcode?

Aron Xu (happyaron)
Changed in ubuntukylin-meta (Ubuntu):
status: Fix Committed → Fix Released
assignee: nobody → Aron Xu (happyaron)
Martin Pitt (pitti)
Changed in ubuntu-drivers-common (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-drivers-common - 1:0.4

---------------
ubuntu-drivers-common (1:0.4) vivid; urgency=medium

  [ Dimitri John Ledkov ]
  * Add cpu-microcode detect-plugin. (LP: #1386257)
 -- Martin Pitt <email address hidden> Thu, 19 Feb 2015 14:52:28 +0100
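
An added example, not the code of the cpu-microcode detect-plugin or of ubuntu-drivers-common: one way to map the `vendor_id` in `/proc/cpuinfo` to the microcode packages named in this report, skip virtual machines (the report asks for bare-metal systems only), and list the microcode revisions the cores are running. The function names, the use of the `hypervisor` CPU flag as the virtual-machine test, and the sample cpuinfo text are assumptions made for illustration.

```python
# Added example; not code from ubuntu-drivers-common.
VENDOR_PACKAGES = {                     # package names as used in this report
    "GenuineIntel": "intel-microcode",
    "AuthenticAMD": "amd64-microcode",
}

def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one dict per logical CPU."""
    cpus = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            cpus.append(fields)
    return cpus

def microcode_package(cpus):
    """Return the package for this CPU, or None for guests/unknown vendors."""
    first = cpus[0] if cpus else {}
    # Assumption: the 'hypervisor' CPU flag marks a virtual machine, where
    # the guest cannot load microcode, so no package is proposed.
    if "hypervisor" in first.get("flags", "").split():
        return None
    return VENDOR_PACKAGES.get(first.get("vendor_id"))

def microcode_revisions(cpus):
    """Set of running microcode revisions; more than one means cores differ."""
    return {c["microcode"] for c in cpus if "microcode" in c}

# Constructed sample input (not captured from a real machine).
SAMPLE_BARE_METAL = """\
processor\t: 0
vendor_id\t: GenuineIntel
microcode\t: 0x1c
flags\t\t: fpu vme sse2 rtm

processor\t: 1
vendor_id\t: GenuineIntel
microcode\t: 0x1a
flags\t\t: fpu vme sse2 rtm
"""
SAMPLE_GUEST = SAMPLE_BARE_METAL.replace("sse2", "sse2 hypervisor")

if __name__ == "__main__":
    cpus = parse_cpuinfo(SAMPLE_BARE_METAL)
    print(microcode_package(cpus), sorted(microcode_revisions(cpus)))
```

On a real system, pass the contents of `/proc/cpuinfo` to `parse_cpuinfo`; a revision set with more than one entry is worth investigating before and after a microcode update.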

Changed in ubuntu-drivers-common (Ubuntu):
status: Fix Committed → Fix Released
Aron Xu (happyaron)
Changed in ubuntukylin:
assignee: nobody → Aron Xu (happyaron)
milestone: none → vivid-beta2
status: New → Fix Released
jiaowen520li (jiaowen520li) wrote :

This bug has been fixed in UK15.04-0311-Daily-amd64.

Changed in intel:
status: New → Fix Released
description: updated
Changed in amd64-microcode (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in ubuntu-drivers-common (Ubuntu):
importance: Undecided → Medium
Changed in ubuntu-meta (Ubuntu):
importance: Undecided → Medium
Changed in ubuntukylin-meta (Ubuntu):
importance: Undecided → Medium
Amr Ibrahim (amribrahim1987) wrote :

I notice that the amd64-microcode package never gets updated in a stable Ubuntu release.

amd microcode is part of upstream linux-firmware. Is it also shipped inside the ubuntu linux-firmware package?

For example, this is the latest amd microcode commit upstream:
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/commit/?id=5f8ca0c1db6106a2d6d7e85eee778917ff03c3de

So my point is, is there a local policy to organize where the amd microcode is going to be shipped in Ubuntu? amd64-microcode or linux-firmware?

Amr Ibrahim (amribrahim1987) wrote :

Ping for amd64-microcode!

Tuomas Lähteenmäki (lahtis) wrote :

I'm updating to the latest intel-microcode (sudo apt-get update && sudo apt-get upgrade -y) and it also automatically installs amd-microcode on my laptop. Why? My laptop does not use amd-microcode. It uses only Intel. Why does it install it when updating my laptop? Is this a bug or what?

Tuomas Lähteenmäki (lahtis) wrote :

The same also happened to me. Updating the system, intel-microcode is installed on an AMD machine.
Updating an Intel laptop, AMD microcode is also installed on the Intel laptop. Is there no amendment here? What processor is used.

Tyler Hicks (tyhicks) wrote :

@amribrahim1987 you've probably noticed but we have released an amd64-microcode update recently:

  https://usn.ubuntu.com/3690-1/

Updates for AMD microcode will be provided in the amd64-microcode package and not in linux-firmware.

Tyler Hicks (tyhicks) wrote :

@lahtis deb packaging doesn't provide us the granularity to have the kernel packages specifically depend on intel-microcode packages on Intel x86 systems and amd64-microcode on AMD x86 systems. Instead, we have to depend on both packages. If you have an Intel processor, the AMD microcode is not used. If you have an AMD processor, the Intel microcode is not used.

The downside here is slightly increased storage requirements to store the unnecessary package on your device (and the bandwidth to download the updates). We apologize for the inconvenience but felt it was warranted in order to get updated microcode deployed to all users in order to address known vulnerabilities in processors.

Amr Ibrahim (amribrahim1987) wrote :

Then I guess this is fixed now.

Changed in amd64-microcode (Ubuntu):
status: Confirmed → Fix Released