[PATCH] x86/microcode/intel: Panic on partial microcode update

From: Chang S. Bae

Date: Tue Jun 30 2026 - 15:39:45 EST


The MSR IA32_MCU_STATUS, if available, may report a partial update status
on a microcode update. This indicates that only a subset of microcode
components was updated successfully while other parts of updates failed,
which in turn leaves the system in an undefined and (potentially)
unreliable state.

Panic when such a fatal condition is reported, since the system can no
longer be trusted to make forward progress safely.

Signed-off-by: Chang S. Bae <chang.seok.bae@xxxxxxxxx>
---
This patch was once considered bundled with another feature enabling
(uniform). But it can stand on its own as a reliability improvement.

The status is possible on newer CPUs. While validation is expected to
prevent these error conditions in normal deployments, handling them
explicitly protects systems against an otherwise undefined state.

Considered refactoring the enumeration code was obvious enough to fold
into a signle patch here. Otherwise, next revision may separate it out.
---
arch/x86/include/asm/msr-index.h | 4 +++
arch/x86/kernel/cpu/microcode/intel.c | 35 +++++++++++++++++++++++++--
2 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
index 18c4be75e927..7273d340470d 100644
--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
@@ -977,6 +977,10 @@
#define MSR_IA32_MCU_ENUMERATION 0x0000007b
#define MCU_STAGING BIT(4)

+#define MSR_IA32_MCU_STATUS 0x0000007c
+#define MCU_PARTIAL_UPDATE BIT(0)
+#define AUTH_FAIL_ON_MCU_COMPONENT BIT(1)
+
#define MSR_IA32_UCODE_REV 0x0000008b

/* Intel SGX Launch Enclave Public Key Hash MSRs */
diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
index f4a444e6114d..0b474a7c6986 100644
--- a/arch/x86/kernel/cpu/microcode/intel.c
+++ b/arch/x86/kernel/cpu/microcode/intel.c
@@ -76,6 +76,9 @@ static struct microcode_intel *ucode_patch_late __read_mostly;
/* last level cache size per core */
static unsigned int llc_size_per_core __ro_after_init;

+/* CPU capability for update status and staging support */
+static bool cpu_has_mcu __ro_after_init;
+
/* microcode format is extended from prescott processors */
struct extended_signature {
unsigned int sig;
@@ -702,6 +705,16 @@ static enum ucode_state __apply_microcode(struct ucode_cpu_info *uci,
/* write microcode via MSR 0x79 */
native_wrmsrq(MSR_IA32_UCODE_WRITE, (unsigned long)mc->bits);

+ /* Check if the update put the system in an unreliable state */
+ if (cpu_has_mcu) {
+ u64 status = native_rdmsrq(MSR_IA32_MCU_STATUS);
+
+ if (status & (MCU_PARTIAL_UPDATE | AUTH_FAIL_ON_MCU_COMPONENT)) {
+ pr_emerg("Partial update: MSR_IA32_MCU_STATUS=0x%llx\n", status);
+ nmi_panic(NULL, "Microcode load: fatal status from partial update");
+ }
+ }
+
rev = intel_get_microcode_revision();
if (rev != mc->hdr.rev)
return UCODE_ERROR;
@@ -779,11 +792,30 @@ static int __init save_builtin_microcode(void)
}
early_initcall(save_builtin_microcode);

+#define CPUID_EDX_ARCH_CAP BIT(29)
+
+static __init bool mcu_capable(void)
+{
+ if (native_cpuid_eax(0) < 7)
+ return false;
+
+ if (!(native_cpuid_edx(7) & CPUID_EDX_ARCH_CAP))
+ return false;
+
+ if (!(native_rdmsrq(MSR_IA32_ARCH_CAPABILITIES) & ARCH_CAP_MCU_ENUM))
+ return false;
+
+ return true;
+}
+
/* Load microcode on BSP from initrd or builtin blobs */
void __init load_ucode_intel_bsp(struct early_load_data *ed)
{
struct ucode_cpu_info uci;

+ /* Indicate early enough to cover the early-loading path */
+ cpu_has_mcu = mcu_capable();
+
uci.mc = get_microcode_blob(&uci, false);
ed->old_rev = uci.cpu_sig.rev;

@@ -1023,8 +1055,7 @@ static __init bool staging_available(void)
{
u64 val;

- val = x86_read_arch_cap_msr();
- if (!(val & ARCH_CAP_MCU_ENUM))
+ if (!cpu_has_mcu)
return false;

rdmsrq(MSR_IA32_MCU_ENUMERATION, val);
--
2.51.0