From 1d65c7279ce469ef89a60653ac966b9e388f02ab Mon Sep 17 00:00:00 2001 From: Luflosi Date: Mon, 13 Mar 2023 20:04:21 +0100 Subject: [PATCH] nixos-generate-config: update microcode only on bare metal Guest operating systems inside VMs or containers can't update the host CPU's microcode for obvious security reasons, so setting the `hardware.cpu.*.updateMicrocode` options is pointless. --- .../installer/tools/nixos-generate-config.pl | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/nixos/modules/installer/tools/nixos-generate-config.pl b/nixos/modules/installer/tools/nixos-generate-config.pl index 212b2b3cd23a..db530533e428 100644 --- a/nixos/modules/installer/tools/nixos-generate-config.pl +++ b/nixos/modules/installer/tools/nixos-generate-config.pl @@ -127,9 +127,6 @@ if (-e "/sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors") { push @kernelModules, "kvm-intel" if hasCPUFeature "vmx"; push @kernelModules, "kvm-amd" if hasCPUFeature "svm"; -push @attrs, "hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;" if cpuManufacturer "AuthenticAMD"; -push @attrs, "hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;" if cpuManufacturer "GenuineIntel"; - # Look at the PCI devices and add necessary modules. Note that most # modules are auto-detected so we don't need to list them here. 
@@ -324,11 +321,15 @@ if ($virt eq "systemd-nspawn") { } -# Provide firmware for devices that are not detected by this script, -# unless we're in a VM/container. -push @imports, "(modulesPath + \"/installer/scan/not-detected.nix\")" - if $virt eq "none"; +# Check if we're on bare metal, not in a VM/container. +if ($virt eq "none") { + # Provide firmware for devices that are not detected by this script. + push @imports, "(modulesPath + \"/installer/scan/not-detected.nix\")"; + # Update the microcode. + push @attrs, "hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;" if cpuManufacturer "AuthenticAMD"; + push @attrs, "hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;" if cpuManufacturer "GenuineIntel"; +} # For a device name like /dev/sda1, find a more stable path like # /dev/disk/by-uuid/X or /dev/disk/by-label/Y.
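Review bot: The new `# Update the microcode.` comment inside the `if ($virt eq "none")` block loses the rationale that the commit message gives, and the next maintainer who sees microcode options missing on a guest will not know it is deliberate; I would write it as `# Microcode can only be loaded by the host kernel; a guest in a VM or container cannot update the host CPU, so only set these on bare metal.` Note that `$virt` is computed outside this hunk, so its failure mode matters for the new gate: if virtualization detection ever yields something other than "none" on real hardware (for example when the detection helper is unavailable), both not-detected.nix and the microcode defaults would now be silently dropped rather than just the firmware import as before — worth confirming against the code that sets `$virt`. Since the options are pushed with `lib.mkDefault`, users who need the previous behaviour can still opt in explicitly, which might be worth a sentence in the same comment.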