Bug#1036523: should not install CPU microcode on virtualized systems

To: Cyril Brulebois <kibi@debian.org>
Cc: 1036523@bugs.debian.org, "Marco d'Itri" <md@linux.it>
Subject: Bug#1036523: should not install CPU microcode on virtualized systems
From: Daniel Lewart <lewart3@gmail.com>
Date: Fri, 27 Dec 2024 05:10:00 -0600
Message-id: <[🔎] CALE_k2FbC0sd3_gH3BTfAhfkqgcLYq6SirVx_DfeBqfJ6SJZ+Q@mail.gmail.com>
Reply-to: Daniel Lewart <lewart3@gmail.com>, 1036523@bugs.debian.org
In-reply-to: <[🔎] 20241225073211.a24hmk4xpl7fyau6@mraw.org>
References: <[🔎] CALE_k2Hfhk5FqtGqnrdUhxU=EeL79XtSu1cjD0J0C1EpR4AJ4w@mail.gmail.com> <[🔎] 20241225073211.a24hmk4xpl7fyau6@mraw.org> <ZGqbuTX9jEqibqnh@bongo.bofh.it>

On Wed, Dec 25, 2024 at 1:32 AM Cyril Brulebois <kibi@debian.org> wrote:
>
> Daniel Lewart <lewart3@gmail.com> (2024-12-24):
> > I hope this can be resolved for Trixie.
> >
> > Patch attached.  Tested with QEMU.
>
> Thanks, but that doesn't look appropriate: this disables not just CPU
> microcode but also modalias-based firmware lookup entirely…

Revised patch attached.

Thank you!
Daniel Lewart
Urbana, Illinois

diff -ru a/hw-detect.post-base-installer.d/50install-firmware b/hw-detect.post-base-installer.d/50install-firmware
--- a/hw-detect.post-base-installer.d/50install-firmware	2023-05-09 15:01:46.000000000 -0500
+++ b/hw-detect.post-base-installer.d/50install-firmware	2024-12-27 00:00:00.000000000 -0600
@@ -48,20 +48,25 @@
 	fi
 done
 
-# Check whether microcode packages are desirable, based on CPU vendor.
-# Only detect and queue installation: they aren't needed in the
-# installer context, and they cannot be deployed via `dpkg -i` by the
-# install-firmware hook due their dependencies; let the finish-install
-# hook handle them instead. Note the component hardcoding.
-printf "GenuineIntel intel-microcode\nAuthenticAMD amd64-microcode\n" | while read vendor pkg; do
-	if grep -qs "^vendor_id.*$vendor$" /proc/cpuinfo; then
-		log "queuing $pkg installation ($vendor)"
-		echo $pkg >> /tmp/microcode.list
-		mkdir -p /var/cache/firmware
-		echo non-free-firmware >> /var/cache/firmware/components
-		echo "$pkg non-free-firmware cpu" >> /var/log/firmware-summary
-	fi
-done
+if chroot /target systemd-detect-virt --quiet; then
+	virt=$(chroot /target systemd-detect-virt)
+	log "detected virtualization '$virt', CPU microcode packages not installed"
+else
+	# Check whether microcode packages are desirable, based on CPU vendor.
+	# Only detect and queue installation: they aren't needed in the
+	# installer context, and they cannot be deployed via `dpkg -i` by the
+	# install-firmware hook due their dependencies; let the finish-install
+	# hook handle them instead. Note the component hardcoding.
+	printf "GenuineIntel intel-microcode\nAuthenticAMD amd64-microcode\n" | while read vendor pkg; do
+		if grep -qs "^vendor_id.*$vendor$" /proc/cpuinfo; then
+			log "queuing $pkg installation ($vendor)"
+			echo $pkg >> /tmp/microcode.list
+			mkdir -p /var/cache/firmware
+			echo non-free-firmware >> /var/cache/firmware/components
+			echo "$pkg non-free-firmware cpu" >> /var/log/firmware-summary
+		fi
+	done
+fi
 
 # enable components based on firmware packages that were installed:
 if [ -d /var/cache/firmware ]; then

Reply to:

References:
- Bug#1036523: should not install CPU microcode on virtualized systems
  - From: Daniel Lewart <lewart3@gmail.com>
- Bug#1036523: should not install CPU microcode on virtualized systems
  - From: Cyril Brulebois <kibi@debian.org>

Prev by Date: Re: Bug#885563: vte: Do not release with forky
Next by Date: Bug#1037256: debian-installer: GUI font for Japanese was incorrectly rendered
Previous by thread: Bug#1036523: should not install CPU microcode on virtualized systems
Next by thread: Bug#1036589: hw-detect: Investigate expanding virtualization detection
Index(es):
- Date
- Thread