Edit - Unix & Linux Stack Exchange

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

Rev

Required fields*

How to do AMD CPU microcode update (not BIOS update)?

Yesterday, I updated my UEFI/BIOS to the latest version (about 11 days old only).

Summary of my HW/OS:

# hostnamectl | grep -v ' ID'

 Static hostname: rog-g713pi
 Pretty hostname: ASUS ROG Strix G17 G713PI-LL044W
       Icon name: computer-laptop
         Chassis: laptop 💻
      Deployment: production
Operating System: Linux Mint 22.2
          Kernel: Linux 6.14.0-33-generic
    Architecture: x86-64
 Hardware Vendor: ASUSTeK COMPUTER INC.
  Hardware Model: ROG Strix G713PI_G713PI
Firmware Version: G713PI.336
   Firmware Date: Wed 2025-10-01
    Firmware Age: 1w 4d

Immediately after the BIOS update, I downloaded and ran a very popular script to intended to check CVEs mitigation status, if you wish, you can download it from GitHub here.

/root/spectre-meltdown-checker.sh --paranoid

with all-green result, no CVE can be exploited at this point according to the script.

But, since I ran it multiple times, and also with --update-builtin-fwdb option to update the CPU fw database, re-running it afterward, it says:

* CPU microcode is the latest known available version:  NO  (latest version is 0xa60120c dated 2024/11/10 according to local firmwares DB v344+i20250812+9d6d)

My laptop CPU in question is AMD Ryzen 9 7845HX, and I do have amd64-microcode package installed, as well as linux-firmware package.

The only lines mentioned in dmesg are these two:

# dmesg | grep microcode

[Sat Oct 11 21:03:36 2025] microcode: Current revision: 0x0a601209
[Sat Oct 11 21:03:36 2025] microcode: Updated early from: 0x0a601209

and

# grep microcode -m 1 /proc/cpuinfo

microcode   : 0xa601209

Since I never dealt with this, I want to ask if there possibly is some way to update CPU microcode without waiting for another newer BIOS, which may not come soon?

So, is there some mechanism to update CPU microcode manually? And if so, does it pose any risk?

Thank you.

Answer*

The `amd64-microcode` package hasn’t been updated to include the latest releases. To update your microcode to the latest cersions, you can replace the files in the package:

1. Clone the upstream repository:

   ```
   git clone https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git
   ```

1. Copy the appropriate files over those in the package:

   ```
   cd linux-firmware
   sudo cp -a amd amd-ucode amdtee /usr/lib/firmware/
   ```

1. Update the initramfs:

   ```
   sudo update-initramfs -u
   ```

1. Reboot.

The risk is the same as with any microcode update: it may introduce bugs. The updates published in this repository are provided by an AMD employee, so they should be fine (although recent commits from that employee are no longer signed); the updates themselves are signed by the manufacturer, but [the signing key has been extracted][1] so that’s no longer a guarantee, even [on Zen 5 CPUs][2]. See `/usr/share/doc/amd64-microcode/README.Debian` for instructions on recovering from microcode-related problems.

***

<sub>

**Recovery procedure**, in case the new microcode misbehaves, on Linux Mint 22.2 taken from:

```none
zcat /usr/share/doc/amd64-microcode/README.Debian.gz
```

1. Access the grub menu during boot (press and hold the left <kbd>Shift</kbd> key right after starting the system up if you don't see a grub menu during boot);

2. Move the highlight/cursor to the kernel/boot option you want to use, and press the <kbd>e</kbd> key to edit it;

3. Locate the line that starts with `linux` using the cursor keys. You must add the word **`dis_ucode_ldr`** to the end of that line;

4. Press <kbd>Ctrl</kbd>+<kbd>x</kbd> to boot the system. The microcode updates will be skipped.

</sub>


  [1]: https://bughunters.google.com/blog/5424842357473280/zen-and-the-art-of-microcode-hacking
  [2]: https://github.com/google/security-research/security/advisories/GHSA-4xq7-4mgh-gp6w

Edit Summary*

Cancel

1

The signing key for AMD Zen 1-4 cpus has leaked , meaning AMD CPUs between at least 2017-2022 are vulnerable to malicious microcode updates.

hanshenrik
– hanshenrik

2025-10-13 10:45:42 +00:00
Commented yesterday
1

actually seems Zen 5 is also affected, cpus up to 2025-03-04 seems to be affected: github.com/google/security-research/security/advisories/… - conflicting reports, some places say Zen 1-4, but the github advisory page also mention Zen 5 and "PI < 2025-03-04" 🤔

hanshenrik
– hanshenrik

2025-10-13 10:53:30 +00:00
Commented yesterday
Ah, good to know, thanks @hanshenrik!

Stephen Kitt
– Stephen Kitt

2025-10-13 10:57:30 +00:00
Commented yesterday
1

It's not that the signing key has been leaked; rather, there's a flaw in the signature verification procedure that lets an attacker create additional keypairs that will be accepted as valid.

Mark
– Mark

2025-10-14 01:13:20 +00:00
Commented 17 hours ago
@Mark Both, it seems. quote We were then able to recover the Zen 5 key on March 7, 2025 and reported this to AMD. We then jointly added Zen 5 to the list of affected products to our advisories on April 7, 2025.

hanshenrik
– hanshenrik

2025-10-14 08:58:41 +00:00
Commented 9 hours ago

Add a comment |

Correct minor typos or mistakes
Clarify meaning without changing it
Add related resources or links
Always respect the author’s intent
Don’t use edits to reply to the author

create code fences with backticks ` or tildes ~
```
like so
```
add language identifier to highlight code
```python
def function(foo):
print(foo)
```
put returns between paragraphs
for linebreak add 2 spaces at end
_italic_ or **bold**
indent code by 4 spaces
backtick escapes `like _so_`
quote by placing > at start of line
to make links (use https whenever possible)

<https://example.com>

[example](https://example.com)

<a href="https://example.com">example</a>

formatting help »
answering help »