
Bug#1036523: should not enable non-free-firmware on virtualized systems



Hi,

Marco d'Itri <md@linux.it> (2023-05-22):
> When bookworm is installed on a virtualized system, the non-free-firmware
> component will be enabled even if this is not needed: firmwares cannot be
> loaded on virtualized systems because guests usually lack direct access to
> the hardware.

For the record: non-free-firmware can be enabled because (1) the kernel logs
firmware requests, (2) available hardware matches modalias information, (3)
CPU matches one with microcode.

(1) and (2) definitely make sense in a virtualized system as well: you can
have whatever passthrough configuration to access hardware from the host,
e.g. some USB Wi-Fi adapter (that's how I've tested many changes before
switching to baremetal for final tests).

I'm willing to consider tweaking (3), making it conditional.

> As discussed on IRC with kibi, this is caused by hw-detect trying to
> install the microcode packages. This is the relevant code:
> 
> https://salsa.debian.org/installer-team/hw-detect/-/blob/master/hw-detect.post-base-installer.d/50install-firmware#L51
> https://salsa.debian.org/installer-team/hw-detect/-/blob/master/hw-detect.finish-install.d/08hw-detect
> 
> microcode packages should not be installed on virtualized systems because
> guests never have the privileges required to update the CPU microcode.
> Otherwise guests could influence the whole system and possibly undermine 
> its security.

Is that true for absolutely all virtualization systems detected by the file
linked to above? Your latest message on IRC suggests we might have to pick
and choose?

> […] xen/hyperv dom0 is technically a VM but requires microcode

This issue doesn't seem as clear-cut as it seemed when you first raised it.
Since it's filed at severity normal I think I'll stick to my initial
assessment which was: adjust hw-detect during the Trixie release cycle, and
consider cherry-picks for Bookworm, once we get a better picture.


Cheers,
-- 
Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant
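The thread above argues that condition (3), "CPU matches one with microcode", should be made conditional on the platform, while noting that Xen (and Hyper-V) dom0 is technically a VM yet is exactly the system that must load microcode. The following is an added example of that "pick and choose" decision, written for this page; it is not hw-detect's own code. It assumes the platform is identified from `systemd-detect-virt` output and that a Xen dom0 is recognised by the `control_d` entry in `/proc/xen/capabilities`; a Hyper-V root partition is not distinguished from an ordinary Hyper-V guest here, which is one of the cases the thread leaves open.

```shell
#!/bin/sh
# Added example, not hw-detect's code: decide whether installing CPU microcode
# packages makes sense for the platform we are running on. The decision logic
# takes its inputs as arguments so it can be exercised with constructed values;
# detect_and_decide() reads the real values from the running system.
#
# Assumptions (not from the bug report):
#   - systemd-detect-virt prints "none" on bare metal, otherwise a type such
#     as "kvm", "xen", "microsoft", "vmware".
#   - /proc/xen/capabilities contains "control_d" only on a Xen dom0.
#   - Hyper-V root partitions are treated like any other Hyper-V guest.

# should_install_microcode VIRT_TYPE XEN_CAPABILITIES
#   VIRT_TYPE        what systemd-detect-virt printed ("none" on bare metal)
#   XEN_CAPABILITIES contents of /proc/xen/capabilities ("" if the file is absent)
# Prints "yes" or "no" and returns 0 or 1 respectively.
should_install_microcode() {
    virt="$1"
    xencaps="$2"
    case "$virt" in
        none|"")
            # Bare metal: the kernel can apply microcode updates itself.
            echo yes; return 0 ;;
        xen)
            # Xen dom0 is a VM in name only; it is the one that loads microcode.
            # Any other Xen domain cannot, so the packages are useless there.
            case "$xencaps" in
                *control_d*) echo yes; return 0 ;;
                *)           echo no;  return 1 ;;
            esac ;;
        *)
            # kvm, vmware, microsoft, ...: a guest cannot update microcode,
            # so skip the packages rather than enable a component for nothing.
            echo no; return 1 ;;
    esac
}

# Gather the two inputs from the running system, tolerating missing tools.
detect_and_decide() {
    virt=""
    if command -v systemd-detect-virt >/dev/null 2>&1; then
        # systemd-detect-virt exits non-zero when it prints "none".
        virt=$(systemd-detect-virt 2>/dev/null) || [ -n "$virt" ] || virt=none
    else
        virt=none
    fi
    xencaps=""
    if [ -r /proc/xen/capabilities ]; then
        xencaps=$(cat /proc/xen/capabilities)
    fi
    should_install_microcode "$virt" "$xencaps"
}

# Run the real detection when executed directly; "no" is a normal outcome,
# so do not let its return status abort a caller running under set -e.
detect_and_decide || :
```

On a KVM or VMware guest this prints `no`, on bare metal `yes`, and on a Xen dom0 `yes` only because of the capabilities check; that last branch is the kind of exception the thread says a blanket "skip microcode on virtualized systems" rule would get wrong.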
