Please update microcode for 06-5e-03 #100

Open
alkisg opened this issue Apr 30, 2025 · 6 comments

alkisg commented Apr 30, 2025

Hi, using the latest microcode, I'm still vulnerable to GDS.
Here is my CPU and microcode information:

root@gpmd:~# grep -r Vulnerable /sys/devices/system/cpu/vulnerabilities/
/sys/devices/system/cpu/vulnerabilities/gather_data_sampling:Vulnerable: No microcode

root@gpmd:~# dmesg
[    0.194670] smpboot: CPU0: Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz (family: 0x6, model: 0x5e, stepping: 0x3)
[    0.155725] GDS: Vulnerable: No microcode
[    0.791740] microcode: Current revision: 0x000000f0
[    0.791752] microcode: Updated early from: 0x00000033

root@gpmd:~# dpkg -l intel-microcode
ii  intel-microcode 3.20250211.1 amd64        Processor microcode firmware for Intel CPUs

root@gpmd:~# iucode-tool -l /lib/firmware/intel-ucode/06-5e-03.initramfs
microcode bundle 1: /lib/firmware/intel-ucode/06-5e-03.initramfs
selected microcodes:
  001/001: sig 0x000506e3, pf_mask 0x36, 2021-11-12, rev 0x00f0, size 109568

@alexmurray

This is a bug in the Debian package - it explicitly blacklists this microcode file (hence the .initramfs suffix).

alkisg commented Apr 30, 2025

Thank you! Although, if I'm reading the dmesg output above correctly, it says that:

  • BIOS had revision 0x00000033
  • And the initramfs successfully updated it to 0x000000f0

While in apt changelog intel-microcode, I see:

ucode-blacklist: do not late-load 0x406e3 and 0x506e3.
When the BIOS microcode is older than revision 0x7f (and perhaps in some
other cases as well), the latest microcode updates for 0x406e3 and
0x506e3 must be applied using the early update method. Otherwise, the
system might hang. Also: there must not be any other intermediate
microcode update attempts [other than the one done by the BIOS itself],
either. It must go from the BIOS microcode update directly to the
latest microcode update.

I.e. they blacklist the late-loading, not the initramfs loading, which is successful as dmesg reports.
Right?

alkisg commented May 4, 2025

I've booted that server with the latest Fedora 42 live CD; the same problem happens there. I.e. it doesn't appear to be a bug with the Debian packaging.
I've also done the latest motherboard firmware updates, which got the UEFI/BIOS Intel microcode revision from 0x00000033 to 0x000000d6, to no avail.
Here is the latest troubleshooting information, from the Fedora live CD:

root@gpmd:~# grep -r Vulnerable /sys/devices/system/cpu/vulnerabilities/
/sys/devices/system/cpu/vulnerabilities/gather_data_sampling:Vulnerable: No microcode

root@gpmd:~# dmesg
[    0.184848] GDS: Vulnerable: No microcode
[    0.225478] smpboot: CPU0: Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz (family: 0x6, model: 0x5e, stepping: 0x3)
[    0.775377] microcode: Current revision: 0x000000f0
[    0.775379] microcode: Updated early from: 0x000000d6

root@gpmd:~# rpm -qf /lib/firmware/intel-ucode
microcode_ctl-2.1-69.fc42.x86_64

root@gpmd:~# uname -a
Linux localhost-live 6.14.0-63.fc42.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Mar 24 19:53:37 UTC 2025 x86_64 GNU/Linux

root@gpmd:~# grep PRETTY_NAME /etc/os-release
PRETTY_NAME="Fedora Linux 42 (Workstation Edition)"

hmh commented May 6, 2025

Well, the Intel CPU microcode guide recommends revision 0xf6 for signature 0x506e3, but that revision is not available for public distribution for some reason. The latest available is revision 0xf0.

Maybe Intel can either publish it in a future release, or tell us why (most likely reason: requires full firmware update)?

https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/processors-affected-consolidated-product-cpu-model.html
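
Added example, not part of the original thread or of Intel's repository: a Python triage that separates "the early update never happened" from "the early update worked but the running revision is below the reference", which is the distinction the comments above arrive at. The `RECOMMENDED_REV` table and the state labels are assumptions of this example; the sample input is the dmesg and sysfs output posted in the issue.

```python
import re

# Reference revision per CPUID signature. The single entry comes from this
# thread (0xf6 recommended for 0x506e3); the table itself is an assumption
# of this example, not an Intel-provided data set.
RECOMMENDED_REV = {0x506E3: 0xF6}

# Sample input: dmesg lines and sysfs value as posted in the issue (Fedora boot).
SAMPLE_DMESG = """\
[    0.184848] GDS: Vulnerable: No microcode
[    0.225478] smpboot: CPU0: Intel(R) Core(TM) i5-6400 CPU @ 2.70GHz (family: 0x6, model: 0x5e, stepping: 0x3)
[    0.775377] microcode: Current revision: 0x000000f0
[    0.775379] microcode: Updated early from: 0x000000d6
"""
SAMPLE_GDS = "Vulnerable: No microcode"


def cpu_signature(family, model, stepping):
    """CPUID signature for families below 0xf, e.g. 6/0x5e/3 -> 0x506e3."""
    return ((model >> 4) << 16) | (family << 8) | ((model & 0xF) << 4) | stepping


def parse_dmesg(text):
    """Pull signature, running revision and pre-update revision out of dmesg."""
    def hexval(pattern):
        m = re.search(pattern, text)
        return int(m.group(1), 16) if m else None
    fms = re.search(r"family: (0x[0-9a-f]+), model: (0x[0-9a-f]+), "
                    r"stepping: (0x[0-9a-f]+)", text)
    return {
        "sig": cpu_signature(*(int(g, 16) for g in fms.groups())) if fms else None,
        "current": hexval(r"microcode: Current revision: (0x[0-9a-f]+)"),
        "early_from": hexval(r"microcode: Updated early from: (0x[0-9a-f]+)"),
    }


def triage(dmesg_text, gds_status):
    """Say why gather_data_sampling reports 'No microcode', if it does."""
    info = parse_dmesg(dmesg_text)
    if "No microcode" not in gds_status:
        return "not-flagged", info
    want = RECOMMENDED_REV.get(info["sig"])
    if info["current"] is None or want is None:
        return "insufficient-data", info
    if info["current"] >= want:
        return "revision-meets-reference", info
    # Early loading worked when early_from is set; the revision is just too old.
    return ("loaded-but-below-reference" if info["early_from"] is not None
            else "no-early-update"), info
```

On a live system, pass the output of `dmesg` and the contents of `/sys/devices/system/cpu/vulnerabilities/gather_data_sampling`; for the sample input, `triage(SAMPLE_DMESG, SAMPLE_GDS)` returns the state `loaded-but-below-reference`.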

whpenner commented May 6, 2025

@hmh: Checking...

whpenner commented May 8, 2025

This product has reached its End of Servicing Update (ESU) date. See our Support webpage for further information. For OEM customers interested in extended updates beyond ESU, contact your Intel representative for details. For end users, to determine if your system is supported beyond ESU, contact your system manufacturer for details.
