Almost two years ago I wrote an FAQ post on CPU Microcode updates with ESXi 5.x. This still gets a lot of hits, but - although the general information about Microcodes still applies - the ESXi related information needs an update, because things have changed with ESXi 6.0.
So what's new and different now?
The following information is largely based on a recent VMware blog post by Tim Mann, a VMkernel developer - I highly recommend reading it. Since I already wrote about this topic with regard to ESXi 5.0 I will only summarize what changed in 6.0:
- CPU Microcode updates are now applied in a very early boot phase during VMkernel and CPU initialization. That is needed, because some updates cannot be safely applied when the CPU is already doing actual work.
- The vmkmicrocode utility is no longer available - so there is no way to apply or check a Microcode update during runtime.
- The Microcode patches are now contained in a separate VIB package (cpu-microcode) that can be updated independently from the base ESXi system.
- The update files use a new binary blob format. In his blog post Tim provides a way to convert published update files into this format.
To update the CPU Microcode files on an ESXi 6.0 system run the following commands in an ESXi shell:
esxcli software acceptance set --level=CommunitySupported esxcli network firewall ruleset set -e true -r httpClient esxcli software vib install -n cpu-microcode -d https://vibsdepot.v-front.deA reboot is needed to apply the updated files. I tested the current version (7.0.0) of my package on both an Intel and AMD system, and it worked fine in both cases, but please remember: It includes all published CPU Microcode updates of Intel and AMD as of today, not only the ones that VMware has approved and included in ESXi. So use it at your own risk, it is definitely not supported by VMware! On the other hand you might need an updated CPU Microcode that neither VMware has included in ESXi nor your system vendor in an updated BIOS version - to fix a bug like in this example -, then this package is for you!
For ESXi 5.x use the package cpu5-microcode (instead of cpu-microcode). Apart from that the same commands and comments apply.
If you want to check what Microcode version your CPU has built in and if and to what version it was updated by ESXi then you can use the vsish shell tool. Look at the nodes (0, 1, ... representing each CPU core, resp. thread in case of Hyperthreading) in /hardware/cpu/cpuList. This works for both ESXi 5.x and 6.0. The relevant information is near the end and you can extract it like this:
vsish -e cat /hardware/cpu/cpuList/0 | grep microcode -A 2
This will list the information for the first core of the first CPU. Use /1, /2 etc. (instead of /0) for the remaining cores, but they should really all list the same information. On one of my whiteboxes using an Intel Core i7-4770 processor the command produces e.g. the following output:
Number of microcode updates:1
gunzip -cd /var/log/boot.gz | grep MicrocodeUpdate
This post first appeared on the VMware Front Experience Blog and was written by Andreas Peetz. Follow him on Twitter to keep up to date with what he posts.