On May 22, Cyril Brulebois <kibi@debian.org> wrote:

> For the record: non-free-firmware can be enabled because (1) the kernel logs
> firmware requests, (2) available hardware matches modalias information, (3)
> CPU matches one with microcode.
>
> (1) and (2) definitely make sense in a virtualized system as well: you can
> have whatever passthrough configuration to access hardware from the host,
> e.g. some USB Wi-Fi adapter (that's how I've tested many changes before
> switching to baremetal for final tests).

Fair enough: if somebody is exposing the hardware devices to the guest OS
then they can surely deal with the consequences.

> > microcode packages should not be installed on virtualized systems because
> > guests never have the privileges required to update the CPU microcode.
> > Otherwise guests could influence the whole system and possibly undermine
> > its security.
> Is that true for absolutely all virtualization systems detected by the file
> linked to above? Your latest message on IRC suggests we might have to pick
> and choose?

Did it? I am not aware of any scenario in which it would make sense for a
hypervisor to allow guests to change the CPU microcode.

I am not familiar with Hyper-V, but from what I remember from my Xen times
the dom0 is for most practical purposes the host, not a guest, so I am not
sure that it is useful at all to report it to d-i as a virtualized
environment.

--
ciao,
Marco