On 2023-07-25, Johannes Thyssen Tishman <li...@thyssentishman.com> wrote:
> Hi,
> I have a vps running OpenBSD 7.3 STABLE amd64 and I have a cronjob that runs
> once a day to install new errata patches (if available) and reboot after
> patching. With the last errata patches (amd firmware, wscons) I realized (too
> late) that I should've followed the steps described on the errata file before
> the system was rebooted. Luckily (I suppose) the server was able to boot, so I
> ran fw_update and installboot and rebooted again. Now even though everything
> seems to be running just fine, I wanted to make sure by asking here:
> 1. Could there be negative consequences of not running fw_update or
> installboot before reboot?

It means that you don't get the microcode updates, if any are available
for your cpu.

> 2. If no, is it still bad practice to run 'syspatch && reboot' as a cronjob?

It depends whether you want to review patches before installing them, for
example to assess whether they're applicable to you, or the potential risk of
them breaking something. For some machines I do use automatic updates (usually
when there are multiple machines running a service so it doesn't matter if one
is down for a bit), for others it would be more of a problem if it didn't
come back up nicely afterwards and there I'd prefer to run it by hand.

> 3. fw_update did not install anything. Is this a consequence of the early
> reboot? Or is this perhaps the reason why the system was able to boot after
> the patch?

For this recent erratum,

1) syspatch needs to be run to pick up the fw_update change (so that
it knows to pick up the new amd-firmware package for AMD cpus), and so
the new boot loaders with the AMD microcode loader are installed to

2) you must have an AMD CPU in order for that to match in fw_update anyway
(matching the usual CPU identifier strings used by AMD on their processors).

3) the 'live' boot loader must be updated from /usr/mdec files via

> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: QEMU Virtual CPU version 2.5+, 2844.97 MHz, 06-06-03
> cpu0: 

regardless of whether the physical CPU on your VM host is an affected AMD,
this string won't match what fw_update is looking for, so the microcode
"firmware" package won't be installed anyway.

(also for the case of a VM, microcode loading would be done by the VM host
not the guest)
