Hi,

Marco d'Itri <m...@linux.it> (2023-05-22):
> When bookworm is installed on a virtualized system, the non-free-firmware
> component will be enabled even if this is not needed: firmwares cannot be
> loaded on virtualized systems because guests usually lack direct access to
> the hardware.

For the record: non-free-firmware can be enabled because (1) the kernel logs
firmware requests, (2) available hardware matches modalias information,
(3) CPU matches one with microcode.

(1) and (2) definitely make sense in a virtualized system as well: you can
have whatever passthrough configuration to access hardware from the host,
e.g. some USB Wi-Fi adapter (that's how I've tested many changes before
switching to baremetal for final tests).

I'm willing to consider tweaking (3), making it conditional.

> As discussed on IRC with kibi, this is caused by hw-detect trying to
> install the microcode packages. This is the relevant code:
>
> https://salsa.debian.org/installer-team/hw-detect/-/blob/master/hw-detect.post-base-installer.d/50install-firmware#L51
> https://salsa.debian.org/installer-team/hw-detect/-/blob/master/hw-detect.finish-install.d/08hw-detect
>
> microcode packages should not be installed on virtualized systems because
> guests never have the privileges required to update the CPU microcode.
> Otherwise guests could influence the whole system and possibly undermine
> its security.

Is that true for absolutely all virtualization systems detected by the file
linked to above? Your latest message on IRC suggests we might have to pick
and choose?

> […] xen/hyperv dom0 is technically a VM but requires microcode

This issue doesn't seem as clear-cut as it seemed when you first raised it.
Since it's filed at severity normal I think I'll stick to my initial
assessment which was: adjust hw-detect during the Trixie release cycle, and
consider cherry-picks for Bookworm, once we get a better picture.

Cheers,
-- 
Cyril Brulebois (k...@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
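The "make (3) conditional" idea discussed in the message above, as an added example that is not hw-detect's code and is not part of the thread: a POSIX sh decision function that picks the microcode package for the CPU vendor, skips it when the kernel reports running under a hypervisor, but still installs it on a Xen dom0. It assumes (not stated on the page) that Linux lists "hypervisor" in the "flags" line of /proc/cpuinfo for guests and for Xen dom0 alike, and that /sys/hypervisor/properties/capabilities contains the word "control_d" only on a Xen dom0. The /proc/cpuinfo and capabilities contents are passed in as text and the samples are constructed inline, so it runs offline. A Hyper-V root partition is not recognised by this check and would be treated as a plain guest; that is exactly the "pick and choose" gap the message raises.

```sh
#!/bin/sh
# Added example (not hw-detect's code): should a CPU microcode package be
# installed? Guests get "none"; bare metal and Xen dom0 get the vendor package.
#
# Assumptions (not from the page):
#  - "hypervisor" appears in the "flags" line of /proc/cpuinfo under a
#    hypervisor, including on Xen dom0.
#  - /sys/hypervisor/properties/capabilities contains the word "control_d"
#    only on a Xen dom0.
#  - A Hyper-V root partition is not detected and is treated as a guest.

# Print the package to install, or "none".
#   $1: text of /proc/cpuinfo
#   $2: text of /sys/hypervisor/properties/capabilities ("" if the file is absent)
microcode_package() {
    cpuinfo=$1
    xen_caps=$2

    # First vendor_id line is enough: all CPUs in a socket share a vendor.
    vendor=$(printf '%s\n' "$cpuinfo" \
        | sed -n 's/^vendor_id[[:space:]]*:[[:space:]]*//p' | head -n 1)
    case $vendor in
        GenuineIntel) pkg=intel-microcode ;;
        AuthenticAMD) pkg=amd64-microcode ;;
        *)            echo none; return 0 ;;
    esac

    flags=$(printf '%s\n' "$cpuinfo" \
        | sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' | head -n 1)
    case " $flags " in
        *" hypervisor "*)
            # Running under a hypervisor: only a Xen dom0 controls the
            # hardware and can load microcode; any other guest gets "none".
            case " $xen_caps " in
                *" control_d "*) echo "$pkg" ;;
                *)               echo none ;;
            esac
            ;;
        *)
            # No hypervisor flag: bare metal, install the vendor package.
            echo "$pkg"
            ;;
    esac
}

# Constructed sample inputs (trimmed /proc/cpuinfo excerpts, not real captures).
CPUINFO_BAREMETAL='processor : 0
vendor_id : GenuineIntel
flags : fpu vme de pse tsc msr sse sse2 ht'

CPUINFO_UNDER_HV='processor : 0
vendor_id : AuthenticAMD
flags : fpu vme de pse tsc msr sse sse2 hypervisor'

CPUINFO_UNKNOWN='processor : 0
vendor_id : SomeOtherVendor
flags : fpu vme'

# Constructed capabilities line in the shape a Xen dom0 exposes.
XEN_DOM0_CAPS='control_d xen-3.0-x86_64 hvm-3.0-x86_64'

echo "bare metal:       $(microcode_package "$CPUINFO_BAREMETAL" "")"
echo "guest under HV:   $(microcode_package "$CPUINFO_UNDER_HV" "")"
echo "Xen dom0:         $(microcode_package "$CPUINFO_UNDER_HV" "$XEN_DOM0_CAPS")"
echo "unknown vendor:   $(microcode_package "$CPUINFO_UNKNOWN" "")"
```

On a real system the caller would pass "$(cat /proc/cpuinfo)" and "$(cat /sys/hypervisor/properties/capabilities 2>/dev/null)". The word-boundary matching via `case " $x " in *" word "*)` is deliberate: a plain substring test would match "control_d" inside an unrelated token, and "hypervisor" could appear in other cpuinfo lines.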