QuickTip: Disable cpu-microcode from loading on ESXi

Just a random quick tip for labs: disabling the cpu-microcode boot module trades CPU-level security fixes for somewhat better CPU power efficiency. By default, ESXi loads the cpu-microcode module shipped with the installation at boot, provided it is applicable to the CPU and newer than the microcode the BIOS/UEFI firmware has already applied. The module is typically refreshed with regular ESXi updates. This behaviour can be disabled, but keep in mind that microcode updates carry the CPU vendor's fixes for hardware vulnerabilities, so a host without them runs whatever revision the firmware ships.

The VIB as installed looks like this:

[root@esxi01:~] vmware -vl
VMware ESXi 8.0.3 build-24674464
VMware ESXi 8.0 Update 3

[root@esxi01:~] esxcli software vib list | grep microcode
cpu-microcode                  8.0.3-0.70.24674464                   VMware  VMwareCertified   2025-04-29    host

If some of that performance is to be regained, at the severe cost of security, the cpu-microcode VIB could be removed from the installation. However, that is tedious in the long run, as it will be reinstalled with every update. Hence preventing the module from loading in the first place is the better way.

To check the current settings (which are also the defaults as of 8.0 U3). Configured is the value that will be used at the next boot, Runtime the value currently in effect:

[root@esxi01:~] esxcli system settings kernel list -o microcodeUpdate
Name             Type  Configured  Runtime  Default  Description
---------------  ----  ----------  -------  -------  -----------
microcodeUpdate  Bool  TRUE        FALSE    TRUE     Update microcode from boot module if available

[root@esxi01:~] esxcli system settings kernel list -o microcodeUpdateForce
Name                  Type  Configured  Runtime  Default  Description
--------------------  ----  ----------  -------  -------  -----------
microcodeUpdateForce  Bool  FALSE       FALSE    FALSE    Disable check that microcode update is newer than installed microcode and that both are released versions

To disable it (only microcodeUpdate needs changing; microcodeUpdateForce is already FALSE by default and is set here just to be explicit):

esxcli system settings kernel set -s microcodeUpdate -v FALSE
esxcli system settings kernel set -s microcodeUpdateForce -v FALSE

Kernel settings are boot options, so the change only takes effect at the next reboot.

After a reboot it will look like:

[root@esxi01:~] esxcli system settings kernel list -o microcodeUpdate
Name             Type  Configured  Runtime  Default  Description
---------------  ----  ----------  -------  -------  -----------
microcodeUpdate  Bool  FALSE       FALSE    TRUE     Update microcode from boot module if available

During boot, it can then also be seen that the module's microcode is no longer applied:

[root@esxi01:~] zcat /var/log/boot.gz | grep -i microcode
TSC: 393954 cpu0:1)BootConfig: 783: microcodeUpdate = FALSE (0)
TSC: 395993 cpu0:1)BootConfig: 783: microcodeUpdateForce = FALSE (0)
TSC: 398297 cpu0:1)BootConfig: 783: skipMicrocodeCompatCheck = FALSE (0)
0:00:00:00.000 cpu0:1)MicrocodeUpdate: 117: Early microcode patching disabled by boot option
0:00:00:00.000 cpu0:1)MicrocodeUpdate: 257: Microcode Update Signature (MSR 0x8b): 0x0b00003e; Platform ID (MSR 0x17): 0x0
0:00:00:05.570 cpu0:2097152)VMK init (95/192): MicrocodeUpdate_LateCleanup
0:00:00:05.571 cpu0:2097152)SysInitTable: 113: Finished sysInit step: MicrocodeUpdate_LateCleanup in 1023 us.

In this case the microcode provided by the BIOS/UEFI firmware stays in use. The MSR 0x8b value in the boot log is the microcode revision actually in effect; comparing it against a boot log taken with the default setting shows which revision has been given up.
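As an added example (not from the original post), here is a small POSIX sh helper set that makes the two checks of this procedure scriptable: whether the configured value has become the runtime value yet (kernel settings only change at the next boot), and which microcode revision the boot log reports as being in effect. The function names and the sample tables and log lines are this example's own, constructed from the listings above; on a real host, pipe in the esxcli and zcat output instead.

```shell
#!/bin/sh
# Added example, not from the original post: helper checks for the
# microcodeUpdate procedure. The sample esxcli tables and boot-log lines
# below are constructed from the listings in the post; on a real host
# feed in the output of
#   esxcli system settings kernel list -o microcodeUpdate
#   zcat /var/log/boot.gz
# The function names are this example's own, not esxcli commands.

# kernel_field TABLE NAME COL: print column COL (3=Configured, 4=Runtime,
# 5=Default) of the row for setting NAME from an esxcli kernel-settings table.
kernel_field() {
    printf '%s\n' "$1" | awk -v name="$2" -v col="$3" '$1 == name { print $col }'
}

# reboot_pending TABLE NAME: succeed when the configured value differs from
# the runtime value, i.e. the setting was changed but the host has not
# rebooted yet (kernel settings are boot options). Unknown settings fail.
reboot_pending() {
    conf=$(kernel_field "$1" "$2" 3)
    run=$(kernel_field "$1" "$2" 4)
    [ -n "$conf" ] && [ "$conf" != "$run" ]
}

# microcode_revision LOG: print the microcode revision in effect after boot,
# taken from the "Microcode Update Signature (MSR 0x8b)" line.
microcode_revision() {
    printf '%s\n' "$1" \
      | sed -n 's/.*Microcode Update Signature (MSR 0x8b): \(0x[0-9a-fA-F]*\).*/\1/p' \
      | head -n 1
}

# early_patch_disabled LOG: succeed when the boot log confirms the module's
# microcode was skipped because of the boot option.
early_patch_disabled() {
    printf '%s\n' "$1" | grep -q 'Early microcode patching disabled by boot option'
}

# Constructed sample: right after "esxcli ... set -s microcodeUpdate -v FALSE"
# on a host that booted with the default (TRUE), before rebooting.
SAMPLE_PENDING='Name             Type  Configured  Runtime  Default  Description
---------------  ----  ----------  -------  -------  -----------
microcodeUpdate  Bool  FALSE       TRUE     TRUE     Update microcode from boot module if available'

# Constructed sample: the same host after the reboot.
SAMPLE_APPLIED='Name             Type  Configured  Runtime  Default  Description
---------------  ----  ----------  -------  -------  -----------
microcodeUpdate  Bool  FALSE       FALSE    TRUE     Update microcode from boot module if available'

# Constructed sample boot-log excerpt (same shape as the boot.gz lines above).
SAMPLE_BOOTLOG='0:00:00:00.000 cpu0:1)MicrocodeUpdate: 117: Early microcode patching disabled by boot option
0:00:00:00.000 cpu0:1)MicrocodeUpdate: 257: Microcode Update Signature (MSR 0x8b): 0x0b00003e; Platform ID (MSR 0x17): 0x0'

if reboot_pending "$SAMPLE_PENDING" microcodeUpdate; then
    echo "microcodeUpdate: configured value differs from runtime, reboot required"
fi
if ! reboot_pending "$SAMPLE_APPLIED" microcodeUpdate; then
    echo "microcodeUpdate: configured value is in effect"
fi
if early_patch_disabled "$SAMPLE_BOOTLOG"; then
    echo "boot log: module microcode skipped, firmware revision $(microcode_revision "$SAMPLE_BOOTLOG") in use"
fi
```

Run the revision check once with the default setting and once after the change; if the second value is lower than the first, the VIB had been superseding the firmware's microcode and that is the revision you are now running without.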

Patrik Kernstock

May I introduce myself? I am Patrik Kernstock, 25 years old, perfectionist, born in Austria and living in Cork, Ireland. Me explained in short: tech and security enthusiast, series and movie junkie. Interested in Linux, container stuff and many software solutions by Microsoft, Veeam and VMware.
