Instead of risking making my system unbootable, I found an old hard drive, disconnected all currently used drives and installed Leap 15.0 on it (formatting it and deliberately not installing kernel-firmware). The result:
All hardware works fine. I don’t see any special errors or warnings in dmesg or journalctl. Also /lib/firmware contains only 2 files:
$ l /lib/firmware/
total 12
drwxr-xr-x 1 root root 60 Jun 7 2018 ./
drwxr-xr-x 1 root root 78 Mar 11 11:36 ../
-rw-r--r-- 1 root root 4196 Feb 13 15:16 regulatory.db
-rw-r--r-- 1 root root 1182 Feb 13 15:16 regulatory.db.p7s
Then I mounted the old hard drives too and I was able to access them without issues (still using the freshly installed Leap).
I also ran the following test (and that shows a difference):
On the system without kernel-firmware:
# find /sys/devices/system/cpu/vulnerabilities/* -print -exec cat {} \;
/sys/devices/system/cpu/vulnerabilities/l1tf
Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
/sys/devices/system/cpu/vulnerabilities/meltdown
Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1
Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2
Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
When booting the regular system, which has kernel-firmware:
# find /sys/devices/system/cpu/vulnerabilities/* -print -exec cat {} \;
/sys/devices/system/cpu/vulnerabilities/l1tf
Mitigation: PTE Inversion; VMX: EPT disabled
/sys/devices/system/cpu/vulnerabilities/meltdown
Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1
Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2
Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling
I don’t know if that matters, but on the latter system there are additional kernel command line parameters which are not present on the first one:
elevator=deadline mem=33554428k kvm-intel.ept=0
I couldn’t think of any other tests for comparison, so please let me know if you can suggest any.
For this particular comparison: I have no idea what “STIBP: disabled” means and why it is present only on the first system. I also wonder what would be the way to have the full set of mitigations on it (which seems to be through BIOS/UEFI update as Intel recommends).
I also have not built the “Libre kernel” from source as per question 3 in the OP. I don’t know if it is necessary, i.e. whether the kernel-default package contains blobs or whether they are completely isolated in kernel-firmware. If anyone can share info about it that would be helpful, as I don’t know where else to ask.
BTW, I wonder why kernel-firmware is not in the Non-OSS repo. It is obviously not open source.
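As an added example (not part of the original post), a small Python script that parses the two `find ... -print -exec cat` listings from the post, reports which sysfs files still say plain "Vulnerable", and shows exactly which mitigation flags differ between the boot without kernel-firmware and the one with it. The two listings are embedded as constructed input copied from the post; the parser assumes the alternating path/status layout that find command prints.

```python
import re
PREFIX = "/sys/devices/system/cpu/vulnerabilities/"

# Constructed sample input: the two listings quoted in the post,
# as printed by `find .../vulnerabilities/* -print -exec cat {} \;`.
WITHOUT_FIRMWARE = """\
/sys/devices/system/cpu/vulnerabilities/l1tf
Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
/sys/devices/system/cpu/vulnerabilities/meltdown
Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1
Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2
Mitigation: Full generic retpoline, STIBP: disabled, RSB filling
"""
WITH_FIRMWARE = """\
/sys/devices/system/cpu/vulnerabilities/l1tf
Mitigation: PTE Inversion; VMX: EPT disabled
/sys/devices/system/cpu/vulnerabilities/meltdown
Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass
Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1
Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2
Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling
"""

def parse_listing(text):
    """Map file name -> status line; assumes alternating path/status lines as that find prints."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return {p[len(PREFIX):]: s for p, s in zip(lines[::2], lines[1::2])}

def flags(status):
    """Split 'Mitigation: a, b; c' into {'a', 'b', 'c'}; other statuses stay whole."""
    if not status.startswith("Mitigation:"):
        return {status} if status else set()
    return {p.strip() for p in re.split(r"[,;]", status[11:]) if p.strip()}

def vulnerable(status):
    """Files reporting plain 'Vulnerable', i.e. no mitigation active at all."""
    return sorted(n for n, s in status.items() if s == "Vulnerable")

def compare(before, after):
    """Per changed file: (flags present only before, flags present only after)."""
    pairs = {n: (flags(before.get(n, "")), flags(after.get(n, ""))) for n in set(before) | set(after)}
    return {n: (a - b, b - a) for n, (a, b) in sorted(pairs.items()) if a != b}
```

On a live system, feed `compare()` the output of that find command captured before and after a microcode or BIOS update to see which flags the update actually changed.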