Asked
Modified today
Viewed 1k times
9

Yesterday, I updated my UEFI/BIOS to the latest version (about 11 days old only).

Summary of my HW/OS:

# hostnamectl | grep -v ' ID'

 Static hostname: rog-g713pi
 Pretty hostname: ASUS ROG Strix G17 G713PI-LL044W
       Icon name: computer-laptop
         Chassis: laptop 💻
      Deployment: production
Operating System: Linux Mint 22.2
          Kernel: Linux 6.14.0-33-generic
    Architecture: x86-64
 Hardware Vendor: ASUSTeK COMPUTER INC.
  Hardware Model: ROG Strix G713PI_G713PI
Firmware Version: G713PI.336
   Firmware Date: Wed 2025-10-01
    Firmware Age: 1w 4d

Immediately after the BIOS update, I downloaded and ran a very popular script intended to check CVE mitigation status; if you wish, you can download it from GitHub here.

/root/spectre-meltdown-checker.sh --paranoid

with all-green result, no CVE can be exploited at this point according to the script.

But, since I ran it multiple times, and also with the --update-builtin-fwdb option to update the CPU firmware database, re-running it afterward, it says:

* CPU microcode is the latest known available version:  NO  (latest version is 0xa60120c dated 2024/11/10 according to local firmwares DB v344+i20250812+9d6d)

My laptop CPU in question is AMD Ryzen 9 7845HX, and I do have amd64-microcode package installed, as well as linux-firmware package.

The only lines mentioned in dmesg are these two:

# dmesg | grep microcode

[Sat Oct 11 21:03:36 2025] microcode: Current revision: 0x0a601209
[Sat Oct 11 21:03:36 2025] microcode: Updated early from: 0x0a601209

and

# grep microcode -m 1 /proc/cpuinfo

microcode   : 0xa601209

Since I never dealt with this, I want to ask if there possibly is some way to update CPU microcode without waiting for another newer BIOS, which may not come soon?

So, is there some mechanism to update CPU microcode manually? And if so, does it pose any risk?

Thank you.

3
  • Vlastimil, I wanted to check — you commented at first that the solution below didn’t show the updated microcode version in the kernel logs; has that changed?
    – Stephen Kitt, 2025-10-13 12:19:59 +00:00
  • @StephenKitt No, it has not, and I have work now, I hope all is ok even though it did not update to later version of microcode, or not?
    – Vlastimil Burián, 2025-10-13 12:47:05 +00:00
  • It’s unlikely you’ll run into problems in practice. I am curious why the microcode isn’t updated though…
    – Stephen Kitt, 2025-10-13 13:20:51 +00:00

1 Answer

15

The amd64-microcode package hasn’t been updated to include the latest releases. To update your microcode to the latest versions, you can replace the files in the package:

  1. Clone the upstream repository:

    git clone https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git
    
  2. Copy the appropriate files over those in the package:

    cd linux-firmware
    sudo cp -a amd amd-ucode amdtee /usr/lib/firmware/
    
  3. Update the initramfs:

    sudo update-initramfs -u
    
  4. Reboot.

The risk is the same as with any microcode update: it may introduce bugs. The updates published in this repository are provided by an AMD employee, so they should be fine (although recent commits from that employee are no longer signed); the updates themselves are signed by the manufacturer, but the signing key has been extracted so that’s no longer a guarantee, even on Zen 5 CPUs. See /usr/share/doc/amd64-microcode/README.Debian for instructions on recovering from microcode-related problems.


Recovery procedure, in case the new microcode misbehaves, on Linux Mint 22.2, taken from:

    zcat /usr/share/doc/amd64-microcode/README.Debian.gz

  1. Access the grub menu during boot (press and hold the left Shift key right after starting the system up if you don't see a grub menu during boot);

  2. Move the highlight/cursor to the kernel/boot option you want to use, and press the e key to edit it;

  3. Locate the line that starts with linux using the cursor keys. You must add the word dis_ucode_ldr to the end of that line;

  4. Press Ctrl+x to boot the system. The microcode updates will be skipped.

5
  • 1
    The signing key for AMD Zen 1-4 cpus has leaked, meaning AMD CPUs between at least 2017-2022 are vulnerable to malicious microcode updates.
    – hanshenrik, 2025-10-13 10:45:42 +00:00
  • 1
    actually seems Zen 5 is also affected, cpus up to 2025-03-04 seems to be affected: github.com/google/security-research/security/advisories/… - conflicting reports, some places say Zen 1-4, but the github advisory page also mention Zen 5 and "PI < 2025-03-04" 🤔
    – hanshenrik, 2025-10-13 10:53:30 +00:00
  • Ah, good to know, thanks @hanshenrik!
    – Stephen Kitt, 2025-10-13 10:57:30 +00:00
  • 1
    It's not that the signing key has been leaked; rather, there's a flaw in the signature verification procedure that lets an attacker create additional keypairs that will be accepted as valid.
    – Mark, 2025-10-14 01:13:20 +00:00
  • @Mark Both, it seems. Quote: "We were then able to recover the Zen 5 key on March 7, 2025 and reported this to AMD. We then jointly added Zen 5 to the list of affected products to our advisories on April 7, 2025."
    – hanshenrik, 2025-10-14 08:58:41 +00:00
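Before copying a fresh linux-firmware checkout over the packaged files, it is worth knowing whether the container you are about to install actually carries a newer patch for your CPU, and why dmesg would still print the old revision afterwards (the kernel only applies a patch whose ID is strictly greater than the running one and whose ID decodes to the CPU's own signature). The following script is an added example, written for this page; it is not part of the original question or answer, nor code from linux-firmware or the amd64-microcode package. It parses the AMD container layout (magic "DMA\0", a zero-terminated equivalence table section, then one section per patch with a 64-byte header) as documented by the kernel's arch/x86/kernel/cpu/microcode/amd.c, and decodes Zen-era patch IDs with the bit layout of the kernel's zen_patch_rev union, which is why 0x0a601209 and 0x0a60120c both map to family 19h, model 61h, stepping 2 (family 25, model 97, stepping 2 in /proc/cpuinfo terms). The sample container, its equivalence IDs and its build dates are constructed test data, and the path to microcode_amd_fam19h.bin is an assumption about where the distribution installs the file.

```python
"""Inspect an AMD microcode container and decide whether it carries a newer
patch for a given CPU than the revision the kernel reports as loaded.

Added example, not from the original post, linux-firmware or amd64-microcode.
Layout follows the kernel's arch/x86/kernel/cpu/microcode/amd.c; the sample
container built below is constructed test data, not a real AMD blob."""
import os
import struct
from dataclasses import dataclass

UCODE_MAGIC = 0x00414D44        # container starts with "DMA\0" (little-endian u32)
SECTION_EQUIV_TABLE = 0x0       # struct equiv_cpu_entry[], zero-terminated
SECTION_PATCH = 0x1             # struct microcode_header_amd followed by the patch body
PATCH_HEADER_LEN = 64
EQUIV_ENTRY_LEN = 16
FAM19H_PATH = "/usr/lib/firmware/amd-ucode/microcode_amd_fam19h.bin"  # assumed install path


@dataclass
class Patch:
    patch_id: int          # the "microcode" revision dmesg and /proc/cpuinfo show
    processor_rev_id: int  # equivalence id the patch header targets
    data_code: int         # build date as packed decimal, e.g. 0x20241110
    size: int


def cpuid_signature(family: int, model: int, stepping: int) -> int:
    """CPUID(1).EAX from the decimal family/model/stepping printed by /proc/cpuinfo."""
    if family < 0xF:
        raise ValueError("only the extended-family encoding (family >= 0xF) is handled")
    return (((family - 0xF) << 20) | ((model >> 4) << 16) | (0xF << 8)
            | ((model & 0xF) << 4) | (stepping & 0xF))


def patch_id_to_signature(patch_id: int) -> int:
    """Zen-era patch levels embed their target CPU (kernel's union zen_patch_rev):
    [31:24] ext family, [23:20] ext model, [15:12] model, [11:8] stepping, [7:0] revision."""
    ext_fam, ext_model = (patch_id >> 24) & 0xFF, (patch_id >> 20) & 0xF
    model, stepping = (patch_id >> 12) & 0xF, (patch_id >> 8) & 0xF
    return (ext_fam << 20) | (ext_model << 16) | (0xF << 8) | (model << 4) | stepping


def parse_container(data: bytes):
    """Return ({cpuid_signature: equiv_id}, [Patch, ...]). Several containers glued
    back to back, as in an early-load initrd, are walked as one."""
    equiv, patches, off = {}, [], 0
    while off + 4 <= len(data):
        if struct.unpack_from("<I", data, off)[0] != UCODE_MAGIC:
            raise ValueError(f"bad container magic at offset {off:#x}")
        off += 4
        while off + 8 <= len(data) and struct.unpack_from("<I", data, off)[0] != UCODE_MAGIC:
            sec_type, sec_size = struct.unpack_from("<II", data, off)
            body = data[off + 8:off + 8 + sec_size]
            if len(body) != sec_size:
                raise ValueError("truncated section")
            if sec_type == SECTION_EQUIV_TABLE:
                for i in range(0, sec_size - EQUIV_ENTRY_LEN + 1, EQUIV_ENTRY_LEN):
                    installed_cpu, _mask, _cmp, equiv_cpu, _res = struct.unpack_from("<IIIHH", body, i)
                    if installed_cpu == 0:      # zero entry terminates the table
                        break
                    equiv[installed_cpu] = equiv_cpu
            elif sec_type == SECTION_PATCH:
                if sec_size < PATCH_HEADER_LEN:
                    raise ValueError("patch section shorter than its header")
                date, pid, _did, _dlen, _init, _csum, _nb, _sb, prev = struct.unpack_from("<IIHBBIIIH", body)
                patches.append(Patch(pid, prev, date, sec_size))
            else:
                raise ValueError(f"unknown section type {sec_type:#x}")
            off += 8 + sec_size
    return equiv, patches


def newest_patch_for(patches, signature: int, current_rev: int):
    """What the kernel would apply on a Zen CPU: a patch whose ID decodes to this
    CPU's signature and is strictly newer than the revision already running."""
    matching = [p for p in patches
                if patch_id_to_signature(p.patch_id) == signature and p.patch_id > current_rev]
    return max(matching, key=lambda p: p.patch_id, default=None)


def build_sample_container() -> bytes:
    """Constructed container: real header layout, zero-filled bodies, made-up dates/equiv ids."""
    def section(sec_type: int, body: bytes) -> bytes:
        return struct.pack("<II", sec_type, len(body)) + body

    def patch(pid: int, prev: int, date: int) -> bytes:
        hdr = struct.pack("<IIHBBIIIH", date, pid, 0, 0, 0, 0, 0, 0, prev)
        return section(SECTION_PATCH, hdr.ljust(PATCH_HEADER_LEN, b"\0") + b"\0" * 0x80)

    table = struct.pack("<IIIHH", 0x00A60F12, 0, 0, 0xA612, 0) + b"\0" * EQUIV_ENTRY_LEN
    return (struct.pack("<I", UCODE_MAGIC) + section(SECTION_EQUIV_TABLE, table)
            + patch(0x0A601209, 0xA612, 0x20240101)   # level the question's laptop runs
            + patch(0x0A60120C, 0xA612, 0x20241110)   # newer level the checker script reports
            + patch(0x0A704104, 0xA714, 0x20240101))  # same family, other model: must be ignored


def report(container: bytes, family: int, model: int, stepping: int, current_rev: int) -> str:
    sig = cpuid_signature(family, model, stepping)
    _equiv, patches = parse_container(container)
    best = newest_patch_for(patches, sig, current_rev)
    if best is None:
        return f"cpu {sig:#010x}: no patch newer than {current_rev:#010x} in container"
    return f"cpu {sig:#010x}: would load {best.patch_id:#010x} (built {best.data_code:#x}) over {current_rev:#010x}"


if __name__ == "__main__":
    print(report(build_sample_container(), 25, 97, 2, 0x0A601209))
    if os.path.exists(FAM19H_PATH):      # on a real Zen 4 machine, check the installed file too
        with open(FAM19H_PATH, "rb") as f:
            print(report(f.read(), 25, 97, 2, 0x0A601209))
```

Run it against the file in your linux-firmware checkout before step 2 of the answer and again against /usr/lib/firmware after the copy: if the checkout's container reports "would load 0x0a60120c" but the running kernel still prints "Current revision: 0x0a601209" after the reboot, the initramfs (or the early-load cpio the kernel actually scans) is the place to look, not the firmware directory. The family-major check is deliberately strict: a patch for another model in the same family is never a candidate, exactly as the kernel's matching behaves.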
