diff --git a/src/platform/kgpe/default.nix b/src/platform/kgpe/default.nix index 6644282..13d2001 100644 --- a/src/platform/kgpe/default.nix +++ b/src/platform/kgpe/default.nix @@ -1,9 +1,7 @@ { lib ? import , hostPlatform ? lib.systems.examples.gnu64 }: -let - update_microcode = true; -in + { inherit hostPlatform; @@ -29,23 +27,13 @@ in ''; }); - coreboot = let - # does include spectre mitigations (performance hit) - #linux-firmware = final.nixpkgsOnBuildForBuild.linux-firmware; - #path-within-linux-firmware = "lib/firmware/amd-ucode/microcode_amd_fam15h.bin"; + # microcode updates are needed only for Opteron 63xx + # + # TODO: check processor type at boot time and refuse to boot + # insecure configurations? (63xx without microcode) + microcode-blob = null; - # does *not* include spectre mitigations (no performance hit) - linux-firmware = final.nixpkgsOnBuildForBuild.fetchgit { - # most recent update that does *not* include spectre - # mitigations; needed for 63xx processors due to an exploitable - # NMI defect in that series (only) - url = "https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git"; - rev = "5f8ca0c1db6106a2d6d7e85eee778917ff03c3de"; - branchName = "main"; - #sparseCheckout = path-within-linux-firmware; - hash = "sha256-uwzz0z2+uPke8AVKb80Cy620efdRBSuwjfoIrQhepc8="; - }; - path-within-linux-firmware = "amd-ucode/microcode_amd_fam15h.bin"; + coreboot = let in final.lib.makeOverridable (prev.coreboot.override { iasl = final.iasl_20180531; 
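Review bot: With `microcode-blob = null;` as the default, an image for a 63xx board is built without the microcode update unless someone overrides the attribute, and the new comment no longer records why that matters. The removed lines gave the reason (an exploitable NMI defect in the 63xx series only) and pinned the blob by linux-firmware rev and sha256; neither survives here. Until the TODO's boot-time check exists, I would extend the comment to something like `# 63xx only: exploitable NMI defect without the update; set this to the path of a hash-pinned microcode_amd_fam15h.bin`. The `coreboot = let in` that remains has no bindings and can become plain `coreboot =`; the expression continues past the end of the hunk.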
@@ -55,14 +43,14 @@ in coreboot-toolchain = with final.coreboot-toolchain; [ x64 i386 ]; linux-command-line = "console=ttyS1,115200n8"; }).overrideAttrs (a: { - postConfigure = if update_microcode then '' + postConfigure = if final.microcode-blob != null then '' echo CONFIG_CPU_MICROCODE_MULTIPLE_FILES=y >> .config '' else '' echo CONFIG_CPU_MICROCODE_CBFS_NONE=y >> .config ''; - preBuild = final.lib.optionalString update_microcode '' + preBuild = final.lib.optionalString (final.microcode-blob != null) '' mkdir -p 3rdparty/blobs/cpu/amd/family_15h/ - ln -sfT ${linux-firmware}/${path-within-linux-firmware} \ + ln -sfT ${final.microcode-blob} \ 3rdparty/blobs/cpu/amd/family_15h/microcode_amd_fam15h.bin mkdir -p 3rdparty/blobs/cpu/amd/family_10h-family_14h/ touch 3rdparty/blobs/cpu/amd/family_10h-family_14h/microcode_amd.bin
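Review bot: Nothing checks that `final.microcode-blob` names a regular file before `ln -sfT` links it into `3rdparty/blobs/cpu/amd/family_15h/`, so a value in the old shape (the linux-firmware directory) or a wrong path yields a directory or dangling symlink, and the mistake surfaces, if at all, later in the coreboot build. A guard ahead of the link, `test -f ${final.microcode-blob} || { echo "microcode-blob is not a regular file" >&2; exit 1; }`, fails the build at the point of the mistake. The `final.microcode-blob != null` test is now written twice, in `postConfigure` and in `preBuild`; binding it to one name would keep the two from drifting apart, which could select `CONFIG_CPU_MICROCODE_MULTIPLE_FILES` without the file in place. The `preBuild` string continues past the end of the hunk.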