nixos-generate-config: update microcode only on bare metal

Guest operating systems inside VMs or containers can't update the host CPU's microcode for obvious security reasons, so setting the `hardware.cpu.*.updateMicrocode` options is pointless.
This commit is contained in:
Luflosi 2023-03-13 20:04:21 +01:00
parent cf76717a10
commit 1d65c7279c
No known key found for this signature in database
GPG key ID: 4E41E29EDCC345D0

View file

@ -127,9 +127,6 @@ if (-e "/sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors") {
push @kernelModules, "kvm-intel" if hasCPUFeature "vmx";
push @kernelModules, "kvm-amd" if hasCPUFeature "svm";
push @attrs, "hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;" if cpuManufacturer "AuthenticAMD";
push @attrs, "hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;" if cpuManufacturer "GenuineIntel";
# Look at the PCI devices and add necessary modules. Note that most
# modules are auto-detected so we don't need to list them here.
@ -324,11 +321,15 @@ if ($virt eq "systemd-nspawn") {
}
# Provide firmware for devices that are not detected by this script,
# unless we're in a VM/container.
push @imports, "(modulesPath + \"/installer/scan/not-detected.nix\")"
if $virt eq "none";
# Check if we're on bare metal, not in a VM/container.
if ($virt eq "none") {
# Provide firmware for devices that are not detected by this script.
push @imports, "(modulesPath + \"/installer/scan/not-detected.nix\")";
# Update the microcode.
push @attrs, "hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;" if cpuManufacturer "AuthenticAMD";
push @attrs, "hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;" if cpuManufacturer "GenuineIntel";
}
# For a device name like /dev/sda1, find a more stable path like
# /dev/disk/by-uuid/X or /dev/disk/by-label/Y.