Blacklisting a lot of modules in dom0?

I noticed in Qubes 4.0 and Qubes 4.1 that I need to blacklist many modules to get rid of a lot of dmesg errors in dom0.
Why are they available, and some even activated, in dom0?
I think some of them should never be active in dom0, but they are!
On a fresh install on my ThinkPad P1 Gen 2, for instance, I noticed through dmesg logs that modules were activated by default that caused errors.

So my modprobe.d/blacklist.conf looks like this atm to get rid of some of these errors:
"
blacklist btusb
blacklist btintel
blacklist btrtl
blacklist btbcm
blacklist iwlwifi
blacklist cfg80211
blacklist bluetooth
"
Again: all of these modules were active on a fresh install on my ThinkPad P1 Gen 2 with an AX200 wifi module.

Pretty sure if I dig deeper I will find some more to disable…
The security implications are not that bad, if I am right, since all of the hardware is operating mostly in different sys VMs.
Wouldn't it be way better to strip the dom0 kernel of all modules that make, for example, wireless communication possible?
This would also be good to not distract “non technical users” when they discover dmesg logs.
I know I can use the Qubes builder to build my own Qubes with exactly the modules I need, but I think some of them should never appear in dom0 anyway and should get stripped out of dom0.
Or am I missing something else, or did I mess something up? :smiley:

3 Likes

I only have cfg80211 and associated ath modules, on thinkpads.
As you say, not a problem since the hardware is associated with qubes.
I doubt that “non technical users” will discover this at all.
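
Added example, not written by either poster and not Qubes project code: a `blacklist` line in modprobe.d only stops alias-based autoloading, so a blacklisted module can still be loaded as a dependency of another driver. This Python script compares modprobe.d entries with `/proc/modules` and reports blacklisted modules that are loaded anyway and which modules use them. The sample file contents are constructed, and treating `install <module> /bin/false` as a hard block is a common convention assumed here.

```python
# Added example: both samples below are constructed, not taken from the thread.
SAMPLE_CONF = """\
blacklist btusb
blacklist bluetooth
blacklist iwlwifi
blacklist cfg80211
install btusb /bin/false
"""

SAMPLE_PROC_MODULES = """\
ath9k 131072 0 - Live 0x0000000000000000
mac80211 1249280 1 ath9k, Live 0x0000000000000000
cfg80211 1036288 2 ath9k,mac80211, Live 0x0000000000000000
e1000e 315392 0 - Live 0x0000000000000000
"""

NOOP_COMMANDS = {"/bin/false", "/bin/true", "/usr/bin/false", "/usr/bin/true"}

def parse_modprobe_conf(text):
    """Return (blacklisted, hard_blocked) sets; '-' and '_' are equivalent in names."""
    blacklisted, hard_blocked = set(), set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "blacklist":
            blacklisted.add(fields[1].replace("-", "_"))
        elif len(fields) >= 3 and fields[0] == "install" and fields[2] in NOOP_COMMANDS:
            hard_blocked.add(fields[1].replace("-", "_"))
    return blacklisted, hard_blocked

def parse_proc_modules(text):
    """Map each loaded module to the modules that currently use it (4th field)."""
    loaded = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            users = [] if fields[3] == "-" else [u for u in fields[3].split(",") if u]
            loaded[fields[0].replace("-", "_")] = users
    return loaded

def audit(conf_text, proc_text):
    """List (module, users, hard_blocked) for blacklisted modules that are loaded."""
    blacklisted, hard_blocked = parse_modprobe_conf(conf_text)
    loaded = parse_proc_modules(proc_text)
    return [(m, loaded[m], m in hard_blocked) for m in sorted(blacklisted & set(loaded))]

if __name__ == "__main__":
    for mod, users, blocked in audit(SAMPLE_CONF, SAMPLE_PROC_MODULES):
        print(f"{mod}: loaded despite blacklist; used by {users or 'nothing'}; "
              f"install-blocked={blocked}")
```

To audit a real dom0, pass the concatenated contents of `/etc/modprobe.d/*.conf` and the contents of `/proc/modules` to `audit()` in place of the samples.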