Hello,
See, e.g., https://pve.proxmox.com/wiki/Firmware_Updates
I'm running PVE 8.x, pinned to the 6.5.13 kernel on one machine and using the latest 6.8.x kernel on the other.
I've got a couple of questions. I'm running two nodes in a homelab/home server environment. One is a Ryzen 3700X, and one is an HP Elite Mini G9 600. Both are running systemd-boot without Secure Boot enabled.
Both systems still get motherboard firmware/UEFI updates, but rarely, so I'd like to keep up to date with threat mitigations and other firmware updates. That said, I'm conscious that these features aren't enabled by default, and I'm not sure why. My guess is the default chooses stability (e.g., by not updating firmware that's known to be stable) and max performance (by not grabbing microcode that might degrade performance via security mitigations).
However, as I plan to self-host at least some public-facing services, I'm concerned about closing any potential attack vectors I can. I'm not doing high performance compute or gaming at ultra settings. (The newest GPU I have available to me is a Tesla P4 (similar to a GTX 1080) in the Ryzen machine. The HP machine has an iGPU, and that's it.)
- What are the potential negative implications of installing fwupd? I'm assuming that it can be configured to notify me of available updates instead of installing them automatically. Using it purely as a notifier and optional updater seems safe enough.
- Likewise, are there any reasons not to install the Intel and AMD microcode packages? I'm wary because they're not default, but like I said I believe that's to allow for user choice re: security vs. performance.
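A read-only way to see where a node stands on microcode and mitigations before deciding either question, added here as an example that is not part of the original post. It assumes a Debian-based Proxmox node with sh and awk; dpkg-query and fwupdmgr are only queried if present, and nothing is installed or applied.

```shell
#!/bin/sh
# Added example, not from the original post: a read-only audit of the
# microcode and CPU-mitigation state on a Debian/Proxmox node, plus a
# list-only fwupd query. Nothing here installs or changes anything.

# Print the running microcode revision from /proc/cpuinfo text
# (first "microcode" line, or nothing if absent).
microcode_rev() {
    printf '%s\n' "$1" | awk -F': ' '/^microcode/ { print $2; exit }'
}

# Count "name:status" lines whose status begins with "Vulnerable",
# as read from /sys/devices/system/cpu/vulnerabilities/*. A non-zero
# count is the signal that newer microcode or kernel mitigations matter.
count_vulnerable() {
    printf '%s\n' "$1" | grep -c '^[^:]*: *Vulnerable' || true
}

# Gather the live data. dpkg-query and fwupdmgr are Debian/fwupd tools;
# both are only queried, never used to install anything.
audit_host() {
    rev=$(microcode_rev "$(cat /proc/cpuinfo 2>/dev/null)")
    echo "running microcode revision: ${rev:-unknown}"
    vulns=$(for f in /sys/devices/system/cpu/vulnerabilities/*; do
                [ -r "$f" ] && echo "$(basename "$f"):$(cat "$f")"
            done)
    printf '%s\n' "$vulns"
    echo "entries reported Vulnerable: $(count_vulnerable "$vulns")"
    for pkg in intel-microcode amd64-microcode; do
        if dpkg-query -W -f='${Status}\n' "$pkg" 2>/dev/null | grep -q 'install ok installed'; then
            echo "$pkg: installed"
        else
            echo "$pkg: not installed"
        fi
    done
    # "fwupdmgr get-updates" only lists pending firmware; applying it is a
    # separate, explicit "fwupdmgr update" that this script never runs.
    if command -v fwupdmgr >/dev/null 2>&1; then
        fwupdmgr get-updates
    else
        echo "fwupdmgr not installed"
    fi
}

# Run the audit only when invoked as: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    audit_host
fi
```

Run it as `sh audit.sh --audit` on each node; a "Vulnerable" count above zero, or a microcode package shown as not installed on a CPU whose vendor ships updates, is the concrete signal that the microcode package closes a gap rather than just costing performance.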