(In reply to Fabian Vogt from comment #3)
> (In reply to Nikolay Borisov from comment #2)
> > The timing of those printk's can't be trusted. The early microcode patcher
> > is being run right after the kernel has been loaded from
> >
> > > x86_64_start_kernel -> load_ucode_bsp
> >
> > While the mitigation related code gets executed from:
> >
> > > arch_cpu_finalize_init -> cpu_select_mitigations -> ssb_select_mitigation
> >
> > And the default (if seccomp is not compiled) is to use the prctl bypass. So
> > the only worrying thing here would be the ibpb-related warn about using
> > microcode that fixes the rstack vulnerability.
> >
> > According to the AMD security bulletin
> > https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7005.html
> >
> > the required microcode for AMD MILAN (which this Epyc seems to be) is:
> >
> > Milan B0 – 0x0A001079
> > Milan B1 – 0x0A0011CF or 0x0A0011D1
>
> Which is installed:
>
> CPU0: patch_level=0x0a0011d1

Indeed, I guess it's possible that the document is wrong. Is there a newer firmware that could be installed?