On 2023-07-25, Johannes Thyssen Tishman <li...@thyssentishman.com> wrote:
> Hi,
>
> I have a vps running OpenBSD 7.3 STABLE amd64 and I have a cronjob that runs
> once a day to install new errata patches (if available) and reboot after
> patching. With the last errata patches (amd firmware, wscons) I realized (too
> late) that I should've followed the steps described on the errata file before
> the system was rebooted. Luckily (I suppose) the server was able to boot, so I
> ran fw_update and installboot and rebooted again. Now even though everything
> seems to be running just fine, I wanted to make sure by asking here:
>
> 1. Could there be negative consequences of not running fw_update or installboot
> before reboot?

It means that you don't get the microcode updates, if any are available
for your cpu.

> 2. If no, is it still bad practice to run 'syspatch && reboot' as a cronjob?

It depends whether you want to review patches before installing them,
for example to assess whether they're applicable to you, or the
potential risk of them breaking something.

For some machines I do use automatic updates (usually when there are
multiple machines running a service so it doesn't matter if one is
down for a bit), for others it would be more of a problem if it didn't
come back up nicely afterwards and there I'd prefer to run it by hand.

> 3. fw_update did not install anything. Is this a consequence of the early
> reboot? Or is this perhaps the reason why the system was able to boot after the
> patch?

For this recent erratum,

1) syspatch needs to be run to pick up the fw_update change (so that
it knows to pick up the new amd-firmware package for AMD cpus), and
so the new boot loaders with the AMD microcode loader are installed
to /usr/mdec.

2) you must have an AMD CPU in order for that to match in fw_update
anyway (matching the usual CPU identifier strings used by AMD on their
processors).

3) the 'live' boot loader must be updated from /usr/mdec files via
installboot.

> cpu0 at mainbus0: apid 0 (boot processor)
> cpu0: QEMU Virtual CPU version 2.5+, 2844.97 MHz, 06-06-03
> cpu0: FPU,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,CX16,x2APIC,HV,NXE,LONG,LAHF

Regardless of whether the physical CPU on your VM host is an affected
AMD, this string won't match what fw_update is looking for, so the
microcode "firmware" package won't be installed anyway.

(Also, for the case of a VM, microcode loading would be done by the VM
host, not the guest.)
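
The order described in the reply above (syspatch, then fw_update, then installboot, and only then a reboot) written as an unattended job that refuses to reboot when any step fails. This is an added example, not code from the thread or from the OpenBSD project. Assumptions: the `ROOT_DISK` and `DMESG_BOOT` variables, the function names, and the `^cpu0: AMD` test, which only stands in for fw_update's own matching; other errata may call for different steps.

```shell
#!/bin/sh
# Added example (not from the thread). ROOT_DISK, DMESG_BOOT and the
# function names are assumptions made for this sketch.
ROOT_DISK=${ROOT_DISK:-sd0}                    # assumed boot disk, adjust per host
DMESG_BOOT=${DMESG_BOOT:-/var/run/dmesg.boot}  # boot-time dmesg on OpenBSD

# True if the boot dmesg reports an AMD identifier for cpu0.
# Assumption: this prefix test stands in for fw_update's own matching.
cpu0_is_amd() {
    grep -q '^cpu0: AMD' "$1"
}

# Apply patches, then stage firmware and boot loader. Never reboots.
# Returns 0 = staged, 2 = nothing pending, 1 = a step failed.
patch_and_stage() {
    pending=$(syspatch -c) || return 1     # -c lists patches not yet installed
    [ -n "$pending" ] || return 2
    syspatch || return 1                   # this erratum puts new loaders in /usr/mdec
    fw_update || return 1                  # adds firmware only when the hardware matches
    installboot "$ROOT_DISK" || return 1   # copy the /usr/mdec loaders to the live disk
    return 0
}

main() {
    cpu0_is_amd "$DMESG_BOOT" ||
        echo "cpu0 is not reported as AMD: expect no amd-firmware from fw_update"
    rc=0
    patch_and_stage || rc=$?
    case $rc in
        0) reboot ;;
        2) echo "no patches pending" ;;
        *) echo "patching or staging failed; not rebooting" >&2; return 1 ;;
    esac
}

# Run only when asked, so the file can also be sourced for testing.
if [ "${1:-}" = "--run" ]; then
    main
fi
```
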