
Bug#1036523: should not enable non-free-firmware on virtualized systems



On May 22, Cyril Brulebois <kibi@debian.org> wrote:

> For the record: non-free-firmware can be enabled because (1) the kernel logs
> firmware requests, (2) available hardware matches modalias information, (3)
> CPU matches one with microcode.
> 
> (1) and (2) definitely make sense in a virtualized system as well: you can
> have whatever passthrough configuration to access hardware from the host,
> e.g. some USB Wi-Fi adapter (that's how I've tested many changes before
> switching to baremetal for final tests).
Fair enough: if somebody is exposing the hardware devices to the guest 
OS then they can surely deal with the consequences.

> > microcode packages should not be installed on virtualized systems because
> > guests never have the privileges required to update the CPU microcode.
> > Otherwise guests could influence the whole system and possibly undermine 
> > its security.
> Is that true for absolutely all virtualization systems detected by the file
> linked to above? Your latest message on IRC suggests we might have to pick
> and choose?
Did it? I am not aware of any scenario in which it would make sense for 
a hypervisor to allow guests to change the CPU microcode.

I am not familiar with HyperV, but from what I remember from my Xen 
times the dom0 is for most practical purposes the host, not a guest, so 
I am not sure that it is useful at all to report it to d-i as 
a virtualized environment.

-- 
ciao,
Marco
