I have a quad-core intel machine having i5-7400 CPU @ 3.00GHz .
Recently, Intel introduced a new bunch of updates for machines affected by the spectre vulnerabilities.
One can see the changelog.gz of the newest update at Debian paste. I have just shared the latest update.
Now when I run the following command -
$ sudo iucode_tool -tb -lS /lib/firmware/intel-ucode/*
I get a list of all the bundles and am able to confirm that the firmware was updated by checking the pf_mask hexcodes, dates, revision number and filesize in bytes.
My issue or question is: should I leave the modifications as I have put or comment them out again in /etc/default/microcode ?
$ cat /etc/default/intel-microcode
# Configuration script for intel-microcode version 3
#
# initramfs helper
#
# Set this to "no" to disable automatic microcode updates on boot;
# Set this to "auto" to use early initramfs mode automatically (default);
# Set this to "early" to always attempt to create an early initramfs;
IUCODE_TOOL_INITRAMFS=auto
# Set this to "yes" (default) to use "iucode_tool --scan-system" to reduce
# the initramfs size bloat, by detecting which Intel processors are active
# in this system, and installing only their microcodes.
#
# Set this to "no" to either include all microcodes, or only the microcodes
# selected through the use of IUCODE_TOOL_EXTRA_OPTIONS below.
#
# WARNING: including all microcodes will increase initramfs size greatly.
# This can cause boot issues if the initramfs is already large.
IUCODE_TOOL_SCANCPUS=yes
# Extra options to pass to iucode_tool, useful to forbid or to
# force the inclusion of microcode for specific processor signatures.
# See iucode_tool(8) for details.
#IUCODE_TOOL_EXTRA_OPTIONS=""
Looking forward to know what is the best way. I did also consult the wiki page for the same and it seemed to have some interesting details -
$ zgrep "microcode updated early to" /var/log/kern.log*
/var/log/kern.log:Nov 14 02:59:32 debian kernel: [    0.000000] microcode: microcode updated early to revision xxxx, date = 2019-04-01
/var/log/kern.log:Nov 15 10:16:23 debian kernel: [    0.000000] microcode: microcode updated early to revision xxxx, date = 2019-08-14
I did find that there were a couple of updates to intel-microcode and I have the latest update -
$ apt-cache policy intel-microcode
intel-microcode:
  Installed: 3.20191112.1
  Candidate: 3.20191112.1
  Version table:
 *** 3.20191112.1 900
        900 http://cdn-fastly.deb.debian.org/debian testing/non-free amd64 Packages
        100 http://cdn-fastly.deb.debian.org/debian unstable/non-free amd64 Packages
        100 /var/lib/dpkg/status
What seems to be interesting from the kernel log is that the revision hex code/version changed drastically from the version before.
