deadsimple BSD Security Advisories and Announcements

FreeBSD Errata Notice FreeBSD-EN-21:06.microcode

Hash: SHA512

FreeBSD-EN-21:06.microcode                                      Errata Notice
                                                          The FreeBSD Project

Topic:          Boot-time microcode loading causes a boot hang

Category:       core
Module:         x86
Announced:      2021-02-24
Affects:        FreeBSD 12.2
Corrected:      2021-02-19 20:57:34 UTC (stable/12, 12.2-STABLE)
                2021-02-24 01:43:50 UTC (releng/12.2, 12.2-RELEASE-p4)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit

I.   Background

CPU microcode updates may include security fixes or mitigations.  The
boot-time microcode loader applies CPU microcode as early in the boot process
as possible, minimizing the amount of code executed without updated

Microcode updates for many different CPU types are concatenated into one file
and loaded by the boot loader.  After the kernel has determined the correct
update to apply, it frees the memory containing unused microcode updates,
keeping only the update for the CPU on which the kernel is running.

II.  Problem Description

An interaction between the code which frees the unused portions of the
microcode file and the rest of the system can cause boot hangs.

III. Impact

The kernel may hang during boot if boot-time microcode updates are configured.

IV.  Workaround

Systems not configured to load microcode at boot-time are unaffected.
Boot-time microcode loading is currently only supported with Intel CPUs.

On systems that are configured to load microcode at boot-time, setting the
"debug.ucode.release" loader tunable to 0 will prevent the microcode update
file from being freed, working around the problem.

V.   Solution

Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

Perform one of the following:

1) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch
# fetch
# gpg --verify microcode.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:> and reboot the

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r369310
releng/12.2/                                                      r369355
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://

Or visit the following URL, replacing NNNNNN with the revision number:


VII. References

The latest revision of this advisory is available at

_______________________________________________ mailing list
To unsubscribe, send any mail to ""