Update Intel Microcode via plugin under OPNsense

From Thomas-Krenn-Wiki
Jump to navigation Jump to search

OPNsense offers the possibility to update the Microcode of a processor via plugin. In this article, we show you how to install this plugin to update the Intel Microcode based on a LES network 6L v4 with OPNsense 25.1. These instructions apply analogously for AMD systems. There are also instructions on how to update the AMD Microcode via plugin under OPNsense.

Example setup

In this example, we use the following setup:

  • LES network 6L v4 with BIOS Version 5.27 and Intel Core i5-1235U
  • OPNsense 25.1.7_4 (FreeBSD 14.2-RELEASE-p3)

Installation of x86info

In order to read the microcode information, you must install the package x86info via console (or SSH shell): 

root@OPNsense:~ # pkg install x86info
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        libpci: 3.13.0
        pciids: 20250415
        x86info: 1.31.s03_1

Number of packages to be installed: 3

The process will require 2 MiB more space.
392 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/3] Fetching x86info-1.31.s03_1.pkg: 100%   66 KiB  67.9kB/s    00:01
[2/3] Fetching pciids-20250415.pkg: 100%  256 KiB 262.2kB/s    00:01
[3/3] Fetching libpci-3.13.0.pkg: 100%   70 KiB  71.2kB/s    00:01
Checking integrity... done (0 conflicting)
[1/3] Installing pciids-20250415...
[1/3] Extracting pciids-20250415: 100%
[2/3] Installing libpci-3.13.0...
[2/3] Extracting libpci-3.13.0: 100%
[3/3] Installing x86info-1.31.s03_1...
[3/3] Extracting x86info-1.31.s03_1: 100%

Microcode patch level query

Now, you can query the Microcode patch level: 

root@Intel-Firewall:~ # kldload cpuctl
root@Intel-Firewall:~ # x86info -a |grep -i Microcode
Microcode version: 0x0000000000000426

Activation of Intel-CPU Microcode plugin

The Microcode plugin can be installed via OPNsense webinterface.

  • In the OPNsense webinterface, go to System → Firmware → Plugins.
    In the OPNsense webinterface, go to System → Firmware → Plugins.
  • In this list, search for the plugin os-cpu-microcode-intel and click on the plus-button for the installation.
    In this list, search for the plugin os-cpu-microcode-intel and click on the plus-button for the installation.
  • The plugin is installed. Restart the system to use the Microcode update if available.
    The plugin is installed. Restart the system to use the Microcode update if available.

Restart

After activating the plug-in and restarting, the system will be updated at startup if a new microcode for the CPUID is available: 

root@OPNsense:~ # dmesg | grep -i micro
CPU microcode: no matching update found


Author: Thomas Niedermeier

Thomas Niedermeier working in the product management team at Thomas-Krenn, completed his bachelor's degree in business informatics at the Deggendorf University of Applied Sciences. Since 2013 Thomas is employed at Thomas-Krenn and takes care of OPNsense firewalls, the Thomas-Krenn-Wiki and firmware security updates.


Related articles

Adjustment of OPNsense keyboard layout in the command line
Show article
Low Energy Systems (LES) Firewall Server
Show article
OPNsense disable IPv6
Show article