1. 1

    There should be a live stream of the event via gotowebinar.

    1. 2

      very cool :)

      1. 3

        I saw once again someone mention online that we shouldn’t trust FBI or whoever due to Snowden leaks. I was telling people about surveillance long before the Snowden leaks. The word was ECHELON. It showed anyone worried about NSA or Five Eyes needed high-assurance security at least at links between networks or end-to-end crypto if possible. They got busted out by Europeans in a report but strangely not much happened. Always wondered about that.

        The leaked file in the article shows NSA bragging about how Congress tricked the European investigators into chilling out about it. Then, Five Eyes just kept using the tech on them and everyone else from there. Quite a weak ending to one of the biggest leaks in that part of history. At this point, it’s reasonable for Europeans to treat anything U.S. supplied as untrustworthy plus encrypt and harden everything they can. Most of that advice they should’ve been already following, though. They also have the talent and money to build high-assurance or just security-focused components they need.

        1. 2

          You might be interested in this talk from a few years ago from the reporter

        1. 1

          What is the use case for these?

          1. 2

            In this case, the stock device would allow you to bypass a pin locked machine. What interested me is that there is a port as standard to use a second ROM chip which means you could try coreboot on an Apple system without much change.

          1. 3

            Nice write-up! I went through this about 8 months ago with my x230. I also replaced the Wifi chip with the same Atheros one mentioned in the article, removed bluetooth, and made similar privacy/FOSS-friendly modifications. It’s a great feeling running a system with nearly 100% free software. Only proprietary bits are the skeleton ME, and whatever is in the SSD I installed.

            One trick if your external SPI programmer cannot supply enough current to power the chips on the x230 (e.g. my odroid-c0 failed to do so) is to enable WOL in the lenovo bios before you overwrite it with coreboot. Then you can plug in an ethernet cable, remove battery/AC power from laptop, and get a nice stable power supply to the SPI chips.

            1. 2

              That’s the method I used, just in the process of extracting bits from the dumped BIOS atm.
              The results from me_cleaner were impressive :)
              -rw-r--r-- 1 root root 5.0M Jan 1 01:08 flashregion_2_intel_me.bin
              -rw-r--r-- 1 root root 96K Jan 1 01:24 me_shrinked.bin

              1. 2

                Done, now to write up my post.

                1. 1

                  Congrats! It’s always a little stressful blowing away the BIOS on a system with your own :P

            1. 1

              I don’t fully understand this.

              What exactly does “thread context” mean in this case?

              1. 3

                Specifically not interrupt context. Meaning execution can be suspended and resumed while waiting for other things to complete.

                1. 1

                  Thanks for replying.

                  When are we in kernel-space but not because of an interrupt?

                  Why wouldn’t one want a “thread waiting around all the time”? Why is using a “job” resource better than a thread?

                  1. 3

                    You can be running in the kernel to handle a system call from userspace.

                    Classically, you would have lots of kernel threads. I’ve got a reaper, a swapper, an acpi thread, a usb thread, another usb thread, a sensors, a i915, a i915-hangcheck, and so on. But it’s a bit of clutter.

                    More pragmatically, the guts of all these threads tends to be very similar, a short loop sleeping and processing a list when something appears. Easier to just use a common API.

                    As a particular use case, in OpenBSD, you push the volume down key, so we want to lower the volume. But you don’t know the state of the audio system. And it’s bad to block and wait until audio is ready to adjust. So you add a task, which will run a little bit later, but allows the keyboard code to keep running.

                    1. 1

                      Ok. I think I understand this now.

                      So the ACPI handler or whatever recognises the media key, and kicks off the job.

                      The scheduler schedules the threadpool, and noting it’s got a ready job runs it. Timer ISR fires and scheduler treats it just like any other (kernel) thread.

                      It’s “better” than a thread because it doesn’t show up in the process list, and you have less code (since you don’t have to emulate unix inside the unix kernel).

                      That about right?

                      1. 0

                        “More pragmatically, the guts of all these threads tends to be very similar, a short loop sleeping and processing a list when something appears. Easier to just use a common API.”

                        Y’all are inching closer and closer to microkernel architecture. They just do that with everything in the system. :) Plus some optimizations…

                        1. 2

                          Though hopefully not all of it in ring 0.

                          1. 1

                            That’s exactly what Apple did. ;)

                  2. 0

                    In the scope of a thread

                  1. 1

                    In older releases of ntpd, you were warned to choose your NTP servers carefully. e.g. see the manual from NeXTSTEP 3.3

                    1. 1

                      I’m interested in this but haven’t used it. Anybody have any experience actually using coreboot?

                      1. 3

                        If you’re running a BSD, then it seems like you might want to stay away.

                        1. 3

                          https://mail.coreboot.org/pipermail/coreboot/2018-December/088044.html indicates that NetBSD doesn’t have that issue.

                          The problem is less in the “project’s origins” as alluded by Bryan, but in the testing that people do: the ThinkPad support is community provided, and apparently most people working on coreboot-on-Thinkpads use Linux.

                          If somebody wants to get to the root of that issue, they can expect a supportive developer community, but coreboot is very much focused on developers, not consumers.

                        2. 3

                          I’m running coreboot on all my PCs:

                          • PCengines APU2 with OpenBSD
                          • ThinkPad X200 with OpenBSD
                          • ASUS KGPE-D16 with dualboot Gentoo / HardenedBSD
                          • ASUS KGPE-D16 with HardenedBSD

                          I also ran in the past ASUS F2A85-M with dualboot Gentoo / FreeBSD and ASROCK E350M1 with dualboot FreeBSD / 9front.

                          My wife has ThinkPad X230 with Ubuntu.

                          Generally, coreboot has its quirks but once you work it around, it works. If you have some questions, feel free to ask.

                          1. 2

                            Yes, reflashed my ThinkPad x60s some years ago now, had success on dfly, free, open, NetBSD. Reflashed it with a new build a couple of weeks ago, no issues under NetBSD. Helped someone with an x220 to reflash it a couple of years back and there were no issues on OpenBSD at the time. No idea if there have been any regressions. Currently waiting for a SOIC-8 clip so I can reflash my x230. I use the SeaBIOS payload on the x60s and x220 image I put together, the x230 will likely be the same but I may try tianocore as well. Don’t care for grub.

                            1. 1

                              I “used” it to boot FreeBSD (with non-upstreamed tegra210 patches) on the Nintendo Switch :D (ultimately not that interesting since the only connection to the outside world was a janky UART.. nothing showed up on XHCI when plugging in stuff via a USB-C-to-A adapter)

                              A bit disappointed that there’s no framebuffer support for tegra210 in coreboot. (I thought Google would care to get display as early as possible on the Pixel C, but looks like they trust Linux to always start booting very quickly.)

                              Coreboot also supports the Rockchip RK3399 — because chromebooks — so I’d like to see coreboot on the ROCKPro64, but unlike the Chromebooks, this board has DDR4 memory instead of DDR3, so there’s no memory training code (I wonder if it’s possible to attach the blob?)

                              Also, I wonder if it’s possible to get an RK3399 Chromebook and just replace the depthcharge payload with TianoCore EDK2… (or at least U-Boot, that should work for sure)

                            1. 2

                              So when is your first n64 piece of software or game coming out?

                              1. 4

                                Apologies for the misleading title, I’m not the author. We were discussing SGI related matters and I wondered if you could one up the Linux on N64 by extending the support for NetBSD/sgimips to support the Ultra64 dev kit for a laugh. It’s the title of the forum post I came about on.

                              1. 1

                                It’s great that this has successfully found info leaks. That said, it feels like a somewhat simplistic solution. Set taint bytes, see if those bytes show up anywhere. Maybe the code complexity of the kernel prevents things like symbolic execution from being feasible.

                                This strategy works at runtime, and doesn’t require source. But, we have source.. could shadow memory based strategies be used? What about compile-time data dependency analysis - with marked variables, and a known list of functions which return data to userland, a walk of the control flow graph might be able to uncover issues (maybe that ‘known list’ assumption is too strong?).

                                It’s possible that these other strategies are infeasible for reasons I’m unaware of - thoughts?

                                1. 3

                                  It’s not that hard to start at copyout and scan backwards. Anything not provably zeroed is probably a leak. (I assert without evidence.)
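The taint-byte approach discussed above (fill fresh kernel memory with a marker, then watch what copyout hands to user space for that marker), modelled in user-space C. This is an added example, not code from the thread or from NetBSD; the tainting allocator, the two handlers and the 0xA5 marker are constructed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TAINT 0xA5       /* constructed marker byte, chosen to be rare in real data */
#define REPLY_LEN 64
#define MIN_RUN 4        /* consecutive TAINT bytes needed before flagging a leak */

/* Stand-in for a tainting kernel allocator: fresh memory is all TAINT bytes. */
static void *kmalloc_tainted(size_t len)
{
    void *p = malloc(len);
    if (p)
        memset(p, TAINT, len);
    return p;
}

/* Stand-in for copyout(): copies len bytes to the "user" buffer, then scans
 * them for runs of at least min_run TAINT bytes and returns how many such
 * bytes crossed the boundary. The run threshold keeps a legitimate lone 0xA5
 * in real data from being reported as a leak. */
static size_t copyout_checked(void *udst, const void *ksrc, size_t len, size_t min_run)
{
    const uint8_t *s = ksrc;
    size_t leaked = 0, run = 0;

    memcpy(udst, ksrc, len);
    for (size_t i = 0; i < len; i++) {
        if (s[i] == TAINT) {
            run++;
            continue;
        }
        if (run >= min_run)
            leaked += run;
        run = 0;
    }
    if (run >= min_run)
        leaked += run;
    return leaked;
}

/* Model syscall handler with the classic bug: it writes only the string into
 * a fixed-size reply buffer but copies the whole buffer out. Returns the
 * number of taint bytes the checker saw leave. */
static size_t leaky_handler(const char *name)
{
    uint8_t ubuf[REPLY_LEN];
    char *reply = kmalloc_tainted(REPLY_LEN);
    size_t n = strlen(name) + 1;
    size_t leaked;

    if (!reply)
        exit(1);
    if (n > REPLY_LEN)
        n = REPLY_LEN;
    memcpy(reply, name, n);                 /* bytes n..REPLY_LEN-1 stay as allocated */
    leaked = copyout_checked(ubuf, reply, REPLY_LEN, MIN_RUN);
    free(reply);
    return leaked;
}

/* Same handler after the fix: the buffer is zeroed before use, so nothing the
 * handler did not deliberately write can reach user space. */
static size_t fixed_handler(const char *name)
{
    uint8_t ubuf[REPLY_LEN];
    char *reply = kmalloc_tainted(REPLY_LEN);
    size_t n = strlen(name) + 1;
    size_t leaked;

    if (!reply)
        exit(1);
    memset(reply, 0, REPLY_LEN);            /* the fix: no stale bytes survive */
    if (n > REPLY_LEN)
        n = REPLY_LEN;
    memcpy(reply, name, n);
    leaked = copyout_checked(ubuf, reply, REPLY_LEN, MIN_RUN);
    free(reply);
    return leaked;
}

int main(void)
{
    printf("leaky handler: %zu tainted bytes copied out\n", leaky_handler("netbsd-box"));
    printf("fixed handler: %zu tainted bytes copied out\n", fixed_handler("netbsd-box"));
    return 0;
}
```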

                                  1. 1

                                    Take this with a huge pinch of salt (I didn’t work on it and I don’t know about the intent and decisions made) but I’m guessing it’s about making it easier to find issues at runtime so it fits in as part of a bigger picture of functionality. Extending your toolchain is not an easy task and that work mounts up as you look at multi platform support. You are likely to get an answer from people who worked on the project if you asked on the relevant list :)

                                  1. 1

                                    Interesting, I’d never heard that there was something called dmesgd. But doesn’t this presentation somehow give the impression that “NetBSD is only worth using for retrocomputing”?

                                    1. 2

                                      Nice :) I put it through google translate and my response in english is that surely the work others are doing on risc-v, x86 hypervisor and arm support contradicts that.

                                    1. 4

                                      “Its replacement was a 2-way SMT-2 IBM POWER6 p520 Express running AIX 6.1 TL.mumble with some hand-rolled patches, and this system still runs floodgap.com and gopher.floodgap.com today.”

                                      I linked to floodgap in a gopher thread. Had no idea it ran on AIX. Pretty rare in the wild.

                                      1. 7

                                        When you get locked into a serious computer collection, the tendency is to push it as far as you can :D

                                        1. 2

                                          Floodgap admin, got an invite here. Yes, it runs AIX. In fact, floodgap.com has run AIX for its entire 18+ year existence (previously it was an Apple Network Server 500).

                                          However, ASMI and CUoD are getting annoying, and IBM locks APARs and system updates away nowadays unless you pay them for $ervice contract$, so this probably will be the last AIX incarnation when this POWER6 gets too old to be effective.

                                        1. 16

                                          Seems good to me. Every couple months is probably about all that could be useful for our smallish community.

                                          And speaking more broadly about the job tag: it exists for businesses to promote job opportunities, and them posting openings is not spam. If you don’t want to see them, you should filter them out, not flag them for mod attention.

                                          1. 2

                                            It could definitely be useful…provided we do a good job purging users that are just posting job opportunities. Recruiters and headhunters and people trying to hire will flock in to clog up threads.

                                            I really don’t think it’d benefit the community to have people joining just to shill and hire for their disruptive world-changing cryptocurrency for managing volume Plan9 licenses for cat flea collars.

                                            1. 4

                                              If someone’s entire involvement with Lobsters is to post links to their stuff (jobs or otherwise), sooner or later they get a nudge from a mod (timing based mostly on flagging/complaints) that we’d appreciate them actually joining and interacting with the community instead of treating it as a link dump. Most have, one or two have expressed indignation at the suggestion that treating Lobsters as a marketing channel (and inviting coworkers as their accounts have been flagged so hard they can’t submit stories) is inappropriate behavior and left.

                                              1. 2

                                                It’s evidently clear you are completely out of touch with how Plan 9 can be a driving force for disruptive change ;)

                                            1. 1

                                              Neat, I guess the next step is running the whole of plan9?

                                              1. 1

                                                I think HarveyOS is working on this, no?

                                                1. 4

                                                  In my opinion and with limited experience, HarveyOS’ team is attempting to port gcc and(?) llvm/clang to Plan 9. I don’t see the value in doing that other than importing lots of bloat to a relatively clean base system.

                                                  1. 1

                                                    Ah, good point. I forgot they were doing that.

                                                    1. 1

                                                      One man’s bloat is another man’s livelihood.

                                                1. 2

                                                  Hard to take this as a decent selling point.

                                                  • example: timing delay loop (for gcc):
                                                  for (int i = 0; i < 1000000; i++)
                                                    asm volatile ("" ::: "memory");
                                                  
                                                  • same thing for Plan 9 compiler:
                                                  for (int i = 0; i < 1000000; i++);
                                                  

                                                  Never, ever write timing loops this way. Never. Even on embedded devices (unless you have absolutely no hardware support). This is just terrible code (and it should be removed).

                                                  1. 1

                                                    The quote on the following slide is related

                                                    1. 4

                                                      What every such criticism of gcc, llvm, etc. I’ve ever seen on this topic fails to acknowledge is that this only happens with optimizations enabled – which they are not by default. By passing -O2 on the command line, you are explicitly opting in to (somewhat aggressive) optimizations.

                                                      If you want “generate the code I meant”…maybe don’t do that?

                                                      $ cat loop.c
                                                      void spin(void)
                                                      {
                                                      	int i;
                                                      	for (i = 0; i < 10000; i++);
                                                      }
                                                      $ gcc -c -o loop.o loop.c
                                                      $ objdump -d loop.o
                                                      
                                                      loop.o:     file format elf64-x86-64
                                                      
                                                      
                                                      Disassembly of section .text:
                                                      
                                                      0000000000000000 <spin>:
                                                         0:   55                      push   %rbp
                                                         1:   48 89 e5                mov    %rsp,%rbp
                                                         4:   c7 45 fc 00 00 00 00    movl   $0x0,-0x4(%rbp)
                                                         b:   eb 04                   jmp    11 <spin+0x11>
                                                         d:   83 45 fc 01             addl   $0x1,-0x4(%rbp)
                                                        11:   81 7d fc 0f 27 00 00    cmpl   $0x270f,-0x4(%rbp)
                                                        18:   7e f3                   jle    d <spin+0xd>
                                                        1a:   90                      nop
                                                        1b:   5d                      pop    %rbp
                                                        1c:   c3                      retq   
                                                      $  gcc --version | head -n1
                                                      gcc (GCC) 8.2.0
                                                      

                                                      If anyone has cases where -O0 (the default) does “surprising”/undesirable things, I’d be curious to hear about them, but I’ve never seen one cited…

                                                      1. 2

                                                        The actual example in the slide is insignificant, what Richard was trying to convey was that you can reason about the output fairly consistently, you are not resorting to fighting your optimising compiler. This is a distraction for what you were intending to work on & having that consistency fits in as a part of a bigger picture. Think less cognitive load rather than sweet, tight, optimised loops.

                                                        The talk was recorded but I’m not sure when that will be published.

                                                  1. 1

                                                    Oh my goodness, lander. That was great!

                                                    1. 1

                                                      It was a sad day when the demo disk for lander broke at junior school.

                                                    1. 3

                                                      This looks interesting. Of course it’s a shame it’s based on Intel, but:

                                                      • PCI-e
                                                      • SATA
                                                      • 2 x gigabit ethernet
                                                      • x86
                                                      • VT-x + VT-d
                                                      • 32 GB ram
                                                      • 4 okay-ish cores

                                                      At first glance this looks like the first SBC that actually will be usable for stuff like routers, virtualization host/hypervisor (in a cluster for example) or a simple linux desktop stuck to the back of a monitor. Price will be important though, since you also need to get memory while a lot of other SBC’s have memory on the PCB.

                                                      1. 8

                                                        The fact that it’s based on Intel is, imho, a good thing .. I’ve got a drawer full of SBCs that started out with lots of promise - ultimate power, great battery life, etc - but are sitting there unused because the vendors failed to keep the kernel promises.

                                                        That’ll be less likely to happen with an Intel-based SBC, imho.

                                                        1. 4

                                                          Most ARM SoCs are decently supported by mainline operating systems. Which boards do you have and what would you like to use them for?

                                                          1. 2

                                                            Which ARM SoCs do you have that are supported on mainline? I’ve had nothing but all kinds of issues with ARM. I tried using an overpriced SolidRun as a router and ran into nothing but issues and terrible support.

                                                            I wrote another post on seeing these issues in Android devices. ARM is not a platform. It’s just random shit soldered to random pins. At least Microsoft phones had ARM + UEFI. I mean we have device trees, but they’re usually broken to hell too and most phone vendors don’t use them.

                                                            Is the particular device in this post a 3rd party x86 clone? Is it free of Management Engine or other 3rd party controllers? I realize all x86 stuff has non-free binary blobs everywhere, whereas you can get a lot of totally free ARM chips/boards, but long term support is often an issue. With x86+UEFI or even classic BIOS, you can run mainline Linux on them for years to come. There are even forks of Linux for older unsupported 386 chips if you really want to buy a ton of old 386 stock and use them in embedded applications. ARM is a clusterfuck by comparison.

                                                            1. 3

                                                              Rockchip RK3399/RK3328, Allwinner H3/H5/A64, Nvidia Tegra X1, the Broadcom junk that’s in the RPi…

                                                              I run FreeBSD (actually I worked on RK3399 support), so there’s no non-mainline :) but for Linux, Rockchip is actually mainlining their official drivers, and for Allwinner it’s the community.

                                                              Of course the cheap embedded boards aren’t as good as the high end server stuff (ThunderX/2/Centriq/eMAG/…), but there is a lot of support.

                                                              1. 2

                                                                OLIMEX has some interesting hardware and according to SUNXI Buying guide “Currently, Olimex is the only company creating Allwinner based OSHW, and Olimex actively contributes to the sunxi project.”.

                                                                For some cheaper but less open options (I use an orange pi zero as a home media server/nas/cups/whatever) armbian provides quite decent support.

                                                              2. 2

                                                                I bought the original PINE64 and found the OS support to be pretty terrible, even today it feels like it’s all been hacked together by guests in China rather than the manufacturer doing much about it.

                                                                1. 1

                                                                  It’s very well supported in FreeBSD.

                                                                  For Linux, just don’t go to the vendor, ever. Check Arch Linux ARM and Armbian. (Apparently Ethernet support was merged into mainline as late as 4.15, but it’s there now)

                                                              3. 4

                                                                I think the parent was implying AMD would have fewer microcode updates and more trustworthiness due to better QA than Intel. Likely inspired by Meltdown/Spectre vulnerabilities. Also, AMD has been in the low-power, SoC game for some time. I don’t know if you’ll get lots of problems out of them that you wouldn’t out of Intel. It would surprise me a bit. I remember Soekris was using AMD Geodes.

                                                                Oh shit:

                                                                “Due to declining sales, limited resources available to design new products, and increased competition from Asia, Soekris Engineering, Inc. has suspended operations in the USA as of today.”

                                                                Glanced at their page to see product updates. Got sadder news than I was looking for.

                                                                1. 5

                                                                  I don’t know much about the Soekris boards, but pcengines.ch sells surprisingly affordable AMD Jaguar-based boards for embedded and network applications. I’m using one for my OPNSense firewall and have been perfectly happy with it.

                                                                  1. 1

                                                                    Thanks for the tip!

                                                                    1. 3

                                                                      From corebooting my ALIX2C3 I recall the geode microcode has another issue in that it’s reliant on legacy tooling to build so you are encouraged to just use the blob (tooling is either DOS based or related to visual studio, can’t recall).

                                                                2. 2

                                                                  If I remember properly HardKernel had everything for their C2 platform mainlined so you could use modern kernels without having to use a vendor specific one.

                                                                3. 2

                                                                  it’s a shame it’s based on Intel […] Price will be important though

                                                                  I too immediately thought “why not Ryzen?” but, price is actually the reason they went with Intel, according to the blog post that’s linked here. Excerpt:

                                                                  2017 December, we considered AMD Ryzen 5 2500U 3.5GHz mobile processor. The performance was very impressive, but the price of the CPU was also very impressive. Fortunately, Intel also announced the Gemini Lake processors. It was slower than Ryzen but much faster than Intel Apollo Lake, and the price was reasonable.

                                                                  Looks like the board will be considerably cheaper due to the Intel chip.

                                                                1. 5

                                                                  I bought an ODROID a while back, great specs. Dang thing wouldn’t boot (something in the post-bootstrap process, as near as I could tell), and the only support channel was through the forum; docs were in the form of a single magazine-styled PDF. I spent a bit with that, then decided I didn’t really want to be playing embedded engineer via debugging a board and probing physical connections and gave it & all my raspberry pis away.

                                                                  1. 3

                                                                    Recently I found out that official Fedora releases >= 28 just work on the Raspberry Pi 3B+ I got. Both in 32 bit (armhf) and 64 bit (aarch64). This is so great! No need to fiddle with anything, just install and go! It is a bit slow at times due to the crappy SD-card, but well :-)

                                                                    Update: I use the minimal install without desktop. GNOME 3 does not really work.

                                                                    1. 2

                                                                      The 3+ will boot directly from USB, you’ll do much better with a USB SSD instead if you’re actually using a Pi for desktop-style use cases.

                                                                      (you can also put a tiny bootloader on an sd card for the older Pis & achieve the same goal, but the 3+ dispenses with that altogether.)

                                                                    2. 1

                                                                      They certainly have their own style of booting, not sure if this applies to all of their arm boards but you would dd a u-boot image to a specific offset on your SD card and off you go.

                                                                      1. 1

                                                                        Interesting. I wish they had released a complete technical readout in their docs.

                                                                        I decided that as I was using the SBC systems to be low-key servers, I’d just boot up nodes in the cloud - spending hours debugging finicky proprietary-design systems was not a good use of my spare time. Then I went off and wrote some code and felt good.

                                                                    1. 6

                                                                      Pre-Linux era it was a Delphi application on Windows speaking to PostgreSQL.