mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-03 12:23:02 +00:00
nixos-generate-config: update microcode only on bare metal
Guest operating systems inside VMs or containers can't update the host CPU's microcode for obvious security reasons, so setting the `hardware.cpu.*.updateMicrocode` options is pointless.
This commit is contained in:
parent
cf76717a10
commit
1d65c7279c
@ -127,9 +127,6 @@ if (-e "/sys/devices/system/cpu/cpu0/cpufreq/scaling_available_governors") {
|
||||
push @kernelModules, "kvm-intel" if hasCPUFeature "vmx";
|
||||
push @kernelModules, "kvm-amd" if hasCPUFeature "svm";
|
||||
|
||||
push @attrs, "hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;" if cpuManufacturer "AuthenticAMD";
|
||||
push @attrs, "hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;" if cpuManufacturer "GenuineIntel";
|
||||
|
||||
|
||||
# Look at the PCI devices and add necessary modules. Note that most
|
||||
# modules are auto-detected so we don't need to list them here.
|
||||
@ -324,11 +321,15 @@ if ($virt eq "systemd-nspawn") {
|
||||
}
|
||||
|
||||
|
||||
# Provide firmware for devices that are not detected by this script,
|
||||
# unless we're in a VM/container.
|
||||
push @imports, "(modulesPath + \"/installer/scan/not-detected.nix\")"
|
||||
if $virt eq "none";
|
||||
# Check if we're on bare metal, not in a VM/container.
|
||||
if ($virt eq "none") {
|
||||
# Provide firmware for devices that are not detected by this script.
|
||||
push @imports, "(modulesPath + \"/installer/scan/not-detected.nix\")";
|
||||
|
||||
# Update the microcode.
|
||||
push @attrs, "hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;" if cpuManufacturer "AuthenticAMD";
|
||||
push @attrs, "hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;" if cpuManufacturer "GenuineIntel";
|
||||
}
|
||||
|
||||
# For a device name like /dev/sda1, find a more stable path like
|
||||
# /dev/disk/by-uuid/X or /dev/disk/by-label/Y.
|
||||
|
Loading…
Reference in New Issue
Block a user