madaidan via Whonix Forum:
If the kernel doesn’t properly detect if the CPU is vulnerable or not then the patches won’t be applied.
How likely is that? Happening already? Would spectre-meltdown-checker catch that?
This is especially problematic for people who use KVM as their hypervisor as it spoofs the host’s CPU model so the kernel in a VM has no way to know that the CPU is vulnerable, thus the patches won’t be applied.
HulaHoop changed Whonix KVM to host-passthrough:
https://github.com/Whonix/whonix-libvirt/blob/master/usr/share/whonix-libvirt/xml/Whonix-Gateway.xml
<cpu mode='host-passthrough'/>
Was discussed somewhere here also:
Also, some people may not want to install proprietary software. This is even worse for people using OSes like Parabola, PureOS or any other OS trying to be completely free as it won’t allow the user to install microcode updates.
I find this unreasonable. They do run proprietary software anyhow, perhaps without knowing. Either they're running the unpatched nonfree pre-installed CPU microcode and Intel AMT or AMD PSP, or they're running the patched nonfree equivalents. Of these two evils, the patched nonfree equivalents are better.
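A concrete way to check both halves of the host-passthrough point above (what the libvirt domain XML sets, and what the guest kernel itself reports under /sys/devices/system/cpu/vulnerabilities/), as an added example that is not part of the thread and not Whonix's own code. The XML fragment and the vulnerability lines embedded in it are constructed samples; the real sysfs directory is read only when it exists, so the script also runs on a machine without it.

```shell
#!/bin/sh
# Added example, not code from the thread or from Whonix. Two small checks
# around the host-passthrough discussion:
#  1. cpu_mode: extract the mode attribute of <cpu mode='...'/> from a
#     libvirt domain XML read on stdin (the XML below is a constructed
#     stand-in, not the Whonix-Gateway.xml file).
#  2. list_unmitigated / count_unmitigated: take the guest kernel's own
#     verdict, one "name: status" line per sysfs file, and report entries
#     still marked "Vulnerable". A VM on host-model/spoofed CPU may show
#     "Not affected" for flaws the host CPU really has; host-passthrough
#     lets the guest kernel see the real CPU and apply mitigations.

# Constructed libvirt fragment using host-model rather than passthrough.
SAMPLE_XML="<domain type='kvm'>
  <name>example-vm</name>
  <cpu mode='host-model'/>
</domain>"

# Constructed sample lines in the sysfs "name: status" shape.
SAMPLE_VULNS='meltdown: Mitigation: PTI
spectre_v1: Mitigation: usercopy/swapgs barriers and __user pointer sanitization
spectre_v2: Vulnerable
l1tf: Not affected
mds: Mitigation: Clear CPU buffers; SMT Host state unknown'

# cpu_mode: print the mode attribute of the first <cpu mode='...'> element
# on stdin; prints nothing when no such element is present.
cpu_mode() {
    sed -n "s/.*<cpu mode='\([^']*\)'.*/\1/p" | head -n 1
}

# read_vulns: emit "name: status" lines from sysfs when the directory is
# present (Linux), otherwise fall back to the constructed sample.
read_vulns() {
    dir=/sys/devices/system/cpu/vulnerabilities
    if [ -d "$dir" ]; then
        for f in "$dir"/*; do
            printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
        done
    else
        printf '%s\n' "$SAMPLE_VULNS"
    fi
}

# list_unmitigated: names of stdin entries whose status starts with
# "Vulnerable" (the kernel's wording for an unmitigated flaw).
list_unmitigated() {
    sed -n 's/^\([^:]*\): Vulnerable.*/\1/p'
}

# count_unmitigated: number of such entries; prints 0 and succeeds when
# there are none, so it is safe under "set -e".
count_unmitigated() {
    list_unmitigated | wc -l | tr -d ' '
}

main() {
    printf 'cpu mode in sample XML: %s\n' "$(printf '%s\n' "$SAMPLE_XML" | cpu_mode)"
    n=$(read_vulns | count_unmitigated)
    printf 'entries the kernel reports as Vulnerable: %s\n' "$n"
    read_vulns | list_unmitigated | sed 's/^/  /'
}

main
```

Run it inside the guest: with the constructed sample it reports one unmitigated entry (spectre_v2); against a live sysfs tree it prints whatever the guest kernel actually believes, which is the number to compare between host-model and host-passthrough configurations.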