Don’t install latest intel-microcode on Ubuntu

Ubuntu shipped an updated package for intel-microcode on Thursday 29th March to mitigate Spectre:

intel-microcode (3.20180312.0~ubuntu17.10.1) artful-security; urgency=medium * SECURITY UPDATE: New upstream microcode data file 20180312 to provide IBRS/IBPB/STIBP microcode support for Spectre variant 2 mitigation

Unfortunately, it blocked the boot process on my PC with logs like : NMI watchdog: Watchdog detected hard LOCKUP on cpu 0 …repeating for each CPU.

There’s a bug report open on LaunchPad.

Workaround

1a. Boot the system with a previous kernel which uses the previous microcode or 1b. Boot with the dis_ucode_ldr kernel boot parameter to temporary disable loading the Intel microcode (see https://wiki.ubuntu.com/Kernel/KernelBootParameters)

2. Install the previous version of the package from Ubuntu repo

wget https://launchpad.net/ubuntu/+archive/primary/+files/intel-microcode_3.20170707.1_amd64.deb
sudo dpkg -i intel-microcode_3.20170707.1_amd64.deb

3. Hold the package

sudo apt-mark hold intel-microcode

… and wait for a bugfix :-)