v0.3.0 bare-metal: detect-vm.sh writes multi-line HYPERVISOR= when systemd-detect-virt exits non-zero #32

@Moonwolf711

Summary

/usr/libexec/secure-ai/detect-vm.sh writes a multi-line HYPERVISOR= value into /var/lib/secure-ai/vm.env on bare-metal hardware, and the consuming service then fails with none: command not found because the env file gets sourced by a shell.

Environment

  • SecAI_OS v0.3.0
  • Bare metal (no virtualization)

Reproduction

  1. Boot v0.3.0 ISO on a bare-metal machine.
  2. Watch first-boot wizard fail. Or, post-install:
    sudo /usr/libexec/secure-ai/detect-vm.sh
    cat /var/lib/secure-ai/vm.env
    
  3. Note HYPERVISOR= is multi-line and contains the literal word none plus error fragments.

Root cause

systemd-detect-virt on bare metal prints none\n to stdout and exits with code 1. The script uses something like:

HYPERVISOR=$(systemd-detect-virt) || HYPERVISOR=none

Because systemd-detect-virt succeeded at producing output but exited non-zero, the || branch also runs, appending another none and any stderr fragments. The resulting HYPERVISOR value is multi-line, which then writes to vm.env as:

HYPERVISOR=none
none

When sourced by a downstream shell (. /var/lib/secure-ai/vm.env), the second line becomes a command lookup → none: command not found.

Suggested fix

# tolerate the non-zero exit code that systemd-detect-virt returns on bare metal:
H=$(systemd-detect-virt 2>/dev/null) || true
HYPERVISOR="${H:-none}"

Or simply:

HYPERVISOR=$(systemd-detect-virt 2>/dev/null || true)
HYPERVISOR="${HYPERVISOR:-none}"

And always quote the value when writing the env file:

printf 'HYPERVISOR=%s\n' "$HYPERVISOR" >> /var/lib/secure-ai/vm.env

My local workaround

Replaced the script with a stub writing a known-good vm.env:

IS_VM=false
HYPERVISOR=none
GPU_PASSTHROUGH=true
VM_WARNINGS=
VM_GPU_ENABLED=false

Same root cause hits detect-tee.sh (filed separately).

🤖 Generated with claude-flow
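
An added example, not part of the original issue and not SecAI_OS code: because vm.env is sourced by a shell, any line that is not an assignment is executed as a command, so the writer can reduce the detector output to one allowlisted token and the consumer can validate the file before sourcing it. The function names `sanitize_hypervisor`, `env_file_is_safe` and `write_vm_env` are hypothetical, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not the project's detect-vm.sh.

# Reduce raw detector output to one allowlisted token; anything else -> none.
sanitize_hypervisor() {
    v=$(printf '%s\n' "$1" | head -n 1)
    case "$v" in
        ''|*[!A-Za-z0-9_-]*) v=none ;;
    esac
    printf '%s\n' "$v"
}

# Succeed only if every line is KEY=VALUE with a conservative character set,
# so a stray line can never be run as a command when the file is sourced.
env_file_is_safe() {
    [ -r "$1" ] || return 1
    if grep -Evq '^[A-Z_][A-Z0-9_]*=[A-Za-z0-9_.,:/-]*$' "$1"; then
        return 1
    fi
    return 0
}

# $1 = target env file, $2 = raw detector output.
# Write to a temp file, validate, then rename into place.
write_vm_env() {
    tmp="$1.tmp.$$"
    printf 'HYPERVISOR=%s\n' "$(sanitize_hypervisor "$2")" > "$tmp"
    if env_file_is_safe "$tmp"; then
        mv "$tmp" "$1"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Demo on constructed data in a scratch directory.
d=$(mktemp -d)
printf 'HYPERVISOR=none\nnone\n' > "$d/bad.env"   # the two-line file from the report
env_file_is_safe "$d/bad.env" || echo "bad.env rejected, not sourcing it"
write_vm_env "$d/vm.env" "$(printf 'none\nnone')" && cat "$d/vm.env"
rm -rf "$d"
```

A consumer would call `env_file_is_safe /var/lib/secure-ai/vm.env` and only then source the file, failing closed otherwise.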
