On Saturday, 13 July 2019 23:03:11 BST Mick wrote:

> Unlike my old Intel which lights up like a christmas tree with "Vulnerable,
> no microcode found" because Intel has thrown its users to the kerb, both
> AMDs show "Not Vulnerable" and for some of the vulnerabilities it reports:
> 
> (your CPU vendor reported your CPU model as not vulnerable)

This last line made me think a bit more.  Scratching around I see there are 
separate patch files with AMD microcode updates offered for the various CPU 
families.  My simplistic assumption so far has been *all* CPUs of a certain 
family will apply the corresponding patch file microcode update, either via a 
new UEFI/BIOS firmware, or via the OS.

Clearly this is not so.  If I remove 'amd-ucode/microcode_amd_fam15h.bin' from 
my kernel firmware directive completely, or add amd-ucode/ patch files for 
every family, or even try to manually reload the microcode:

echo 1 > /sys/devices/system/cpu/microcode/reload

there is no change in dmesg.  Clearly my CPU does not load any microcode 
update, other than what might be already available in the old UEFI MoBo 
firmware and this is loaded before the OS starts booting.

Then I came across this old message regarding Piledriver CPUs:

https://lists.debian.org/debian-security/2016/03/msg00084.html

The post refers to model 2 of cpu family 21.  Not all models in the same 
family, only model 2.  So I am thinking although patch files are named per CPU 
family, whether they are applicable and applied as an update to the CPU is 
probably determined by the particular CPU *model*.  Logically, errata in 
previous CPU revisions may have been fixed in later models of the same family 
and therefore such microcode updates would not be needed.  When offered by the 
OS the CPU won't select to have them applied.

This explains why my AMD models, which are later revisions of the same 15h 
family do not apply any microcode updates - they don't need them.

Please share if you know differently and thank you all for your responses.
-- 
Regards,

Mick