Threads for nwildner

    1. 4

      Since your original secure boot posts I have released a version of sbctl which should make secure boot enrollment and signing easier than it is these days.

      Keytool.efi shouldn’t be needed with either sbkeysync (what sbctl uses) or efi-updatevar. bootctl is also getting secure boot key enrollment soon as well.

      Hopefully securing the boot chain should be easier with systemd-cryptenroll and easier access to secure boot tooling :) I was working on a similar blog post to showcase the implementation of Unified kernel images in mkinitcpio I have been working on along with the aforementioned tools.

      1. 1

        Hi Foxboron. Nice, I starred your repository. Meanwhile, I was developing a dracut uefi hook for Arch Linux that is simple enough to only back up the main unified image and recreate a new one. Just for personal use so far.

        I was initially driven by that old thread about mkinitcpio being deprecated, but now I’m using dracut because of the early network modules and the possibility to further integrate with tang+clevis, and use something like an RPi at home as tang server for auto disk decryption.

        1. 2

          Nice, thanks :)

          I also have started on some UEFI stub implementation for mkinitcpio which is going to make things easier on that end as well.

          I don’t think clevis is necessarily going to be a thing much longer if the usability of the systemd tooling improves (at least on systemd distros).

    2. 2

      “Hey dad, you’ve printed a 3D version of the save button”…

    3. 2

      But there are also some functional differences between a bonded interface and a team. For example, a team supports LACP load-balancing

      I use bond interfaces for LACP with “mode 4” while loading the module for Dynamic Link Aggregation (802.3ad).

      Maybe team interfaces implement better algorithms, more features and management flexibility, but it’s been a while (maybe 10 years or more) that I use bond interfaces, and if you correctly create a port-channel/EtherChannel/BridgeAggregation (depends on switch brand naming) at the switch side it’s a no-brainer to have an active-active link with fast link recovery.

      So, what is the functional “LACP load-balance” that teamd has that bond does not when it comes to 802.3ad?

    4. 3

      “Cool Bear’s hot tip” is the best feature of this blog. Quite refreshing to the mind to get a pill of some concept that you forgot and you need at that time to keep reading it :)

    5. 34

      I haven’t bought a new dev machine in … eight years. Reconditioned, ex-corporate, Lenovo ThinkPads are where it’s at for me.

      Currently I’m running a W540 - high-res screen, 16GiB RAM (up to 32GiB), 500GiB SSD dual-booting Ubuntu (for play) and FreeBSD (for work). Cost me AUD$400 less the SSD. Prior to that, for several years, I was running FreeBSD on an X220 that I purchased for around AUD$300.

      My three children run Ubuntu on ThinkPad X250s. Having identical hardware and OSs makes management easy. Also purchased refurbed ex-corporate; most recently an 8GiB / 128GiB X250 for AUD$345 including shipping. Lightning fast with Ubuntu, and they can do all their kid stuff: Minecraft, Starbound, Spotify, Wesnoth, DOSBox (for retro games), etc.

      I might break the habit, though, with my next dev machine. Since the COVID-19 pandemic I’m looking at buying a new desktop (or maybe rackmount?) system and just using a laptop as a client when I’m not at my desk. If I do, though, it’ll be another refurbished X-series.

      1. 6

        My three children run Ubuntu on ThinkPad X250s

        Wow, you really spoil your kids; mine are on a T410 and T420. =) Works great for Minecraft, TIC-80, and SNES/Playstation emulation, and they don’t have to use a chiclet keyboard. The kid with the T420 has to put up with a 16:9 aspect ratio, but … life is never perfect.

        1. 5

          They used to run older X-series (our eldest, for example, had my old X220). But I standardised on current-generation power adaptors and docking stations for convenience (so we can share equipment). One of the reasons I’m looking at the X-series again for myself after the W is that the W requires 170W power adaptors o_O

          Our family tradition is that, when you turn three, you get your big boy / big girl’s bed, and you get your first ThinkPad with Ubuntu.

          1. 2

            Standardizing on power adapters is also part of why I won’t buy the newer ones with the chonky rectangles. I must have ten or twelve of the barrel jack adapters in various places around the house. =)

            1. 2

              You can get barrel -> rectangle adaptors I believe. If you don’t have docking stations to consider, that might be an option.

              The only reason I upgraded from my old X220 to a W540 is that I was doing a lot of work on trains at the time, and the 768px screen was a bit of a liability.

              I’m seriously tempted to switch back to an X200. They’re old, now, but I still think they represent the pinnacle of X-series design: old IBM-style ThinkPad keyboard, ThinkLight, no trackpad (only TrackPoint). Would make a fine client for a desktop / server, especially with a newer screen panel and CoreBoot.

              1. 1

                I’m seriously tempted to switch back to an X200.

                I used to have an X200 and I’d suggest considering the X301 instead; full-size classic keyboard, just as light, same 1440x900 resolution but slightly larger, and the palm rest is done with rubberized carbon fiber instead of plastic. Back in the day it also had a bonus of having two battery bays, but sadly these days you can’t buy a battery for the second bay unless you want to take a chance on a cheap one that will likely balloon up and crack your chassis from the inside. The main downside is that it requires a special 1.8-inch SSD.

                1. 3

                  Ooh, thanks for letting me know - that looks perfect. Found this article while Googling the 301, too:

      2. 4

        I haven’t bought a new dev machine in … eight years.

        I typically buy a new desktop computer every 5 years, so I try to find a sweet spot in terms of good components that’ll be sufficiently performant for that long and allow for a bit of upgradability (usually a new GPU a few years in).

        I’m presently at 7 years on this machine. CPUs haven’t gotten majorly faster compared to previous cycles, so I’ve found it difficult to justify the expense for only a 2-3x speedup. The Ryzens look like they might be worth it though.

        1. 5

          Ryzen is absolutely worth it. The increase in core count is amazing for certain workloads (including compiling, if you’re into that).

          1. 1

            My main work use of more cores would be benchmarking to optimise some multi-core locking, as I’m limited to the 4 real cores I currently have. Might also be of use for gaming, while a few other applications are running.

          2. 1

            I’m generally a fan of re-use but I totally agree. Not every workload or work pattern needs a monster machine, but I think many of us who do software environment on the regular could probably benefit from one.

            One question I’ve been pondering though is “Does my LAPTOP need to be something beefy?”

            I’ve been experimenting along these lines with my PineBook Pro for the last few months and for me and my use cases thus far the answer is a resounding no.

            I have my monster beast machine on my desktop, but for a laptop I am loving something that’s light and very energy efficient. It does 90% of what I need 90% of the time, and that’s plenty enough for me for a laptop :)

            1. 3

              Oooh! What’s your experience of the PineBook Pro been? I’m tossing up between one of those and a refurbished X-series ThinkPad as a next machine. My main sticking point is the lack of FreeBSD support; I’ve only recently switched back from Ubuntu as my work OS, and would hate to have to switch back again.

              1. 2

                Hiya! Expect to see a write-up posted here from me today or tomorrow, but real quick:

                I know there is a FreeBSD port underway but… RealTalk - if you plan to actually USE the laptop for productive work you should either A) suck it up and plan to use the already specially tuned Manjaro or Debian Linux images OR B) plan some sincere time for kernel hacking and tuning. The Pinebook Pro has a ‘big/little’ CPU combo that’s not something you see in the X86 world. If your kernel isn’t tuned specifically for that, performance will be utter crap.

                1. 3

                  Thanks :) Yeah I’d assumed (a) - which isn’t a deal-breaker mind you, especially if I’m using it essentially as a client for a FreeBSD desktop / server.

            2. 2

              I agree, I did a significant amount of development on a Lenovo IdeaPad with a super light wm and vim. I didn’t need anything more for what I was working on. Now my day job is a different story… I regularly make all 12 cores hurt.

      3. 4

        I too look for reconditioned ex-corporate Lenovo ThinkPads and have been using an i7 X230 for a while. I was so impressed with it that on the day after it arrived I ordered another from the same re-conditioner, except I asked them to add the maximum RAM it would support and a bigger SSD so I could use it in a professional capacity.

        The only reason I might upgrade now is to a machine that plays Minecraft as I find that game a great relaxing exercise akin to colouring or reading a book.

        If you don’t mind a quick question: Would you say a X250 would suffice, or should I be looking at something newer?

        1. 2

          The X250 is just fine for Minecraft - in fact it played perfectly well on my old X220. It’d make a perfectly acceptable development system, actually, unless you were doing a lot of work with containers at which point 16GiB might become an issue.

      4. 1

        Where do you buy used in Australia?

      5. 1

        I haven’t bought a new dev machine in … eight years

        My main machine is over 10 years old, though I recently added RAM and a new gfx card.

      6. 1

        Amazing story. During the last 12 months me and my wife got used laptops.

        We got 2 laptops (a Lenovo Ideapad and an Acer Nitro/VX series), mine with a better processor but hers with a way better GPU (she does some rendering for her work/jobs), and we paid as much as 2/3 of what we would pay on her notebook alone. Both already equipped with 240GB SSDs and 1TB HDs.

        Also, I had an FX-9370 on my desk and that thing was power hungry. Sold it to a friend for a modest price because he wanted to play old games and do some console emulation.

    6. 2

      Excellent. I’m trying to put my hands on such a board but import taxes in Brazil make it prohibitively expensive to import it :(

      I wonder if in the near future we will have “RPi FPGA hats” or any hardware of this kind, creating a hybrid environment where FPGAs are used as a replacement for “emulation cores” while the rest of the board manages all the eyecandy stuff.

      1. 2

        From what I understand, that’s not too far off from how the MiSTer actually works. The DE-10 Nano board has an ARM core in addition to the FPGA, and the ARM core handles a lot of the management tasks. With the MiSTer, it even runs Linux, if memory serves me.

        1. 3

          Yup, it provides a simple UI for those browsing videogames, but it’s rudimentary if you compare with more complete solutions like EmulationStation provided by retrogaming distros like Batocera, Recalbox, Retropie, etc.

    7. 24

      I really disagree with the statement “linux users are expected to figure things out on their own”. Linux users deserve documentation just as much as anyone else.

      1. 15

        I think the author was not deliberately saying that Linux users don’t need manpages. He is a macOS user and it seems that he misses some knowledge on Linux-specific config files, keyring configuration, daemon starting, or that those were not part of his tutorial.

        By leaving the part “or maybe try apt install spotifyd spotify-tui followed by sudo systemctl start spotifyd and see if that works ¯\_(ツ)_/¯” out of your quoted line you are creating a misrepresentation of him/his opinions.

        It’s not that hard to access the spotifyd repository to find Linux specific instructions.

      2. 7

        Not only Linux users deserve documentation, Linux users have way more useful documentation than Windows or MacOS users.

    8. 3

      Open-source operating systems will be the ones that will preserve computer history through emulation or translation layers. And man, it’s great to turn on your laptop and play some old stuff :)

    9. 1

      But by and large, hardware and firmware providers still aren’t spending enough resources to build defenses needed for products to effectively withstand attacks. Secure boot, because it only protects the boot process during run time, isn’t the answer. And security companies are only now starting to design scanning for mainstream users.

      Maybe I’m missing something but, Secure Boot would block any non-signed EFI binary from starting, and that summed up with a firmware password and fastboot/“don’t boot USB” should be enough to NOT execute that suspicious EFI file.

      Yeah, UEFI isn’t a security panacea, but you can’t criticize Secure Boot as a “standalone component” of all the infrastructure that is part of UEFI. It’s like saying that locks don’t work on shōji doors (Japanese room dividers).

      But I have to agree that not all users are aware of firmware passwords and boot options at all. And thank god my current UEFI provider isn’t AMI :)

        1. 1

          Same way you can easily keep your firmware updated… and also MS16-094 and MS16-100.

          Some Linux laptops (mine included) running fwupd will have these key countermeasures as a dbx.

    10. 4

      Lenovo simply makes the best Laptops and now I don’t need to order one without an operating system anymore :D

      1. 1

        What makes them “best”?

        1. 2

          One aspect that makes ThinkPads better is that they tend to be maintainable for the long term. A friend of mine has an XPS15 that’s barely two years old with a bulging battery and Dell no longer manufactures or sells batteries for this model, and the third-party battery he bought refuses to charge because it’s “non-authentic”, leaving him with a dysfunctional 2-year-old €1000 laptop; just because of a comparatively small issue like this.

          Other aspects are probably a bit more subjective; personally I like the discrete trackpad buttons (I really dislike the integrated ones so many have), that I can open the screen at a large angle (my old XPS13 didn’t tilt back far enough in some conditions), that there are little “gaps” between the function keys to make them easier to use without looking, that I can disable the power LED, and some other small details. These may sound like small issues, but I really missed them when I used the company-issued XPS. Good design is all about small details like this.

          I’ve also never had a ThinkPad that didn’t run Linux flawlessly out of the box without any mucking about. I think the “X1 carbon” models are a bit trickier in some cases though; I’ve only had X and T series.

          1. 1

            They sometimes don’t run flawlessly on day 1, but as the safest choice you have a near 100% chance that everything works a few months after it comes out.

        2. 1

          In general I’m happier with the Lenovos I’ve used than with those from any other vendor, but here are some things I really like:

          • Great Linux support
          • They are really robust. Sometimes I’ve had to work on a racetrack in the rain with the laptop and never had any issues. Also I’ve met so many people who had “ancient” Lenovos working with them every day.
          • The dedicated middle mouse button.
          • Some (like my personal one) have great extensibility, so you can add another harddrive or more memory or change the battery.
          • The great keyboard.

          Hope that helps :) More than anything it is probably the robustness, which I really like. There are other laptops with better battery life or displays.

      2. 1

        If you buy one with Linux installed, maybe you’ll have good support. If you buy one with Windows, you are on your own.

        I have a Lenovo ideapad 320-15IKB and they are pretty complacent about:

        I hope that this Fedora/Lenovo partnership will push Lenovo into making their laptop ecosystem more Linux friendly. But I have little hope that this will affect their laptops that are already being used.

    11. 2

      Fantastic article. It certainly goes against the common wisdom that discrete GPUs are more power hungry. But for low power GPUs in lower end laptops, it makes sense.

      Find out why while using specific softwares pulseaudio gets crazy and it spikes with 4W of Power Estimated usage.

      This is bananas. How long and how often are these spikes? What’s the total power usage per hour of PA with these spikes included? I’m not going to actually do anything useful with the data, I’m just curious.

      1. 2

        Fantastic article. It certainly goes against the common wisdom that discrete GPUs are more power hungry. But for low power GPUs in lower end laptops, it makes sense.

        Yeah. I feel that is almost the same as when people say “hey, my simplephone has a 5000 mAh battery”, but it comes with a SNES processor, so it spends lots of CPU cycles to actually get things done, while a high-end phone with a 2800 mAh battery will drain way less battery when you do a fair comparison (daily usage, 4G, no gaming…).

        This is bananas. How long and how often are these spikes? What’s the total power usage per hour of PA with these spikes included? I’m not going to actually do anything useful with the data, I’m just curious.

        I’ve noticed that those spikes happen whenever I use headphones with a P3 connector while doing video streaming or gaming. Those energy drain behaviors persist for about 15 seconds (sudo powertop -t 1) and after that the situation becomes normal again. USB-C headphones are natural drainers and I’m avoiding them (you can see the module sustaining a high energy drain during all the headphone usage).

        I’ll try to disable my sound_hda_intel energy saving settings on laptop mode tools and see if this is the reason for such behavior.

    12. 2

      There are plenty of forum entries on the internet reporting that Win10 will screw up your dual-boot scheme after a sneaky update, no matter if UEFI or BIOS…

      Best way to avoid this is to install both OSs on different disks using UEFI, and relying on motherboard efi entries, or using the good old “hit f11/12/8” to select boot device :)

    13. 5

      CTWM is an X11 Window Manager. It was created by Claude Lecommandeur Claude.Lecommandeur@Epfl.Ch in 1992 as a fork of the TWM window manager.

      Thanks for sharing. I knew ctwm existed, but didn’t know that it was forked in 1992 :)

      Besides all the available “tiling” options that we have around while using any open-source OS, ctwm seems to be a safe default for those that need a minimum desktop with auto-generated menu entries to easily access basic software after an install.

      1. 2

        Your comment is a good summary of “why” anyone should be interested in a WM originally written in ’92. It is an interesting piece of software to try out.

        1. 1

          I usually just use twm if I’m just installing a quick X windows system. It’s still totally fine for managing terminal windows, which is basically all I use X for, anyway.

    14. 2

      Nice post!

      Deploy tpm2 boot policies to create a Security Violation if boot options are changed

      I did that, and while it was nice for security there were numerous practical problems: selecting PCRs to use; if you use too few then the benefit disappears, if you use too many (e.g. taking into account the currently booting kernel) you may need to input recovery keys frequently (e.g. Arch updates kernels every week or so).

      Additionally, the TPM chip that I used (Dell XPS 13) randomly failed.

      Ultimately I just scrapped the solution but may return to it with some adjustments.

      Create a fake windows installation partition before your root luks partition

      Yep. Especially interesting is having the boot partition on a USB drive and setting up boot to boot to Windows if the USB drive is absent.

      1. 3

        Predicting the future kernel checksum value isn’t so hard, you just do the PE/COFF checksumming on the kernel.

        It’s documented as part of the Microsoft Authenticode spec,

        Grawity has written a tool that helps you do all of this to seal TPM secrets against:

        I have an implementation of PE/COFF checksumming in my Go UEFI library:
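The PE image hashing the comment above refers to, as an added example that is not part of this thread and not code from the Go UEFI library or grawity’s tool mentioned there: a Python implementation of the image-hash procedure from Microsoft’s Authenticode PE specification. It skips the optional header’s CheckSum field and the certificate-table data directory entry, hashes the headers up to SizeOfHeaders, then each section’s raw data in file order, and leaves out the attribute certificate table, which is what makes the digest of an unsigned image equal to the digest of the same image after signing. The function names and the minimal PE32+ image produced by `build_sample_pe` are constructed for this example, not taken from any real binary.

```python
import hashlib
import struct

# Field offsets inside the PE optional header (identical for PE32 and PE32+
# up to the data directories), per the PE/COFF specification.
OPT_SIZE_OF_HEADERS = 60
OPT_CHECKSUM = 64
CERT_TABLE_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY


def pe_layout(data):
    """Locate the fields the Authenticode image hash skips or iterates over.

    Returns (checksum_off, cert_entry_off, size_of_headers, sections, cert_size),
    where sections is a list of (PointerToRawData, SizeOfRawData) sorted by
    file offset with zero-size sections dropped, as the spec requires.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]   # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]   # COFF SizeOfOptionalHeader
    opt = pe + 24                                           # optional header start
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32
        datadir = opt + 96
    elif magic == 0x20B:        # PE32+
        datadir = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_headers = struct.unpack_from("<I", data, opt + OPT_SIZE_OF_HEADERS)[0]
    cert_entry = datadir + CERT_TABLE_INDEX * 8
    _cert_off, cert_size = struct.unpack_from("<II", data, cert_entry)
    sections = []
    first = opt + size_opt                                  # section table start
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, first + i * 40 + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    sections.sort()
    return opt + OPT_CHECKSUM, cert_entry, size_of_headers, sections, cert_size


def authenticode_hash(data, algo="sha256"):
    """Hex digest of a PE image computed the way the Authenticode PE spec describes."""
    checksum_off, cert_entry, size_of_headers, sections, cert_size = pe_layout(data)
    h = hashlib.new(algo)
    h.update(data[:checksum_off])                    # headers up to CheckSum ...
    h.update(data[checksum_off + 4:cert_entry])      # ... skipping the 4-byte CheckSum ...
    h.update(data[cert_entry + 8:size_of_headers])   # ... and the 8-byte cert table entry
    hashed = size_of_headers
    for raw_ptr, raw_size in sections:               # raw section data, in file order
        h.update(data[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    # Anything after the sections is hashed as well, except the attribute
    # certificate table (the signature block) at the end of the file.
    trailing = len(data) - cert_size - hashed
    if trailing > 0:
        h.update(data[hashed:hashed + trailing])
    return h.hexdigest()


def build_sample_pe(section_payload=b"\x90" * 16, cert_table=b""):
    """Construct a minimal, non-executable PE32+ image with one section (sample data)."""
    size_of_headers, section_size = 512, 512
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                   # e_lfanew -> PE header at 64
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", opt, OPT_SIZE_OF_HEADERS, size_of_headers)
    struct.pack_into("<I", opt, OPT_CHECKSUM, 0xDEADBEEF)   # arbitrary; must not affect the hash
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    if cert_table:                                          # cert table appended after the section
        struct.pack_into("<II", opt, 112 + CERT_TABLE_INDEX * 8,
                         size_of_headers + section_size, len(cert_table))
    section = struct.pack("<8sIIIIIIHHI", b".text", 16, 0x1000, section_size,
                          size_of_headers, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(size_of_headers, b"\0")
    return headers + section_payload.ljust(section_size, b"\0") + cert_table


if __name__ == "__main__":
    unsigned = build_sample_pe()
    signed = build_sample_pe(cert_table=b"\xaa" * 64)        # stands in for a signature block
    print("unsigned:", authenticode_hash(unsigned))
    print("signed:  ", authenticode_hash(signed))
```

Run it on a real EFI binary with `authenticode_hash(open(path, "rb").read())`; because the signature block and the CheckSum field are excluded, the value computed on a freshly built kernel image is the same value the image will have after sbctl or sbsign has signed it, which is what lets you predict it before installing the update.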

        1. 1

          Great, thanks for clearing the matter up.

          Is this something that actually works? Are you using it? Why it’s not in extra/community? :)

          1. 2

            Is this something that actually works?

            I think it works! I believe grawity has been trying to use it.

            Are you using it?

            I’m not. I have been largely focusing on fixing my secure boot stuff and look more into the TPM stuff when I’m happy with secure boot.

            Why it’s not in extra/community? :)

            I’d probably consider it experimental honestly. Use at own risk instead of a solution.

      2. 1

        Ultimately I just scrapped the solution but may return to it with some adjustments.

        Good to know. I’ve read online about TPM enforcement being a pain-in-the-arse due to non-standard PCR definitions done by specific manufacturers, but I didn’t know that it was worse because of these random failures.

    15. 25

      “The Linux usage on our cloud has surpassed Windows.” The proportion of Linux workloads looks set to increase with the trend towards Kubernetes, which is primarily a Linux technology. Linux already runs well on Hyper-V with a Windows root partition, but making this a complete Linux stack may improve performance.

      This “let’s admit that a Linux full stack will improve performance” coming from Microsoft is pure gold.

    16. 4

      Portability and Usability is always a nice thing to have. A Lightweight IRC client is also awesome.

      “Do one thing and do it well” — Emphasis was placed on building simple, short, clear, modular, and extensible code that can be easily maintained and repurposed (per the Unix philosophy).

      And here we go again. The vague “Do one thing and do it well” mantra is used in another project slogan.

      The same way people tend to put all binaries from one project inside the same bucket and say “you know, this thing isn’t Unix Philosophy compliant” because it isn’t doing “one thing well”, the “one thing” is a totally abstract concept.

      iproute2 (especially the ip command) is a pretty good example here: it does “one thing well”, that is, network management. But it does not fit the same mantra if we further expand what iproute can do: assign IP addresses, show/manage L2 related info, manage routes, policy routing, network namespaces, tunnels, etc. It does it well, but it isn’t only one thing.

      1. 15

        The « Do one thing well » concept is good per se. You don’t want your mail client to connect to IRC, or let you edit videos.

        This must not be used as a cool way to say « lack of features ». Because this is the case here. I gave it a quick try, and it’s like a bad reimplementation of suckless’ sic(1).

        There is no channel management, no prompt, no screen clearing, … Every log gets printed to stdout (with a hilight on nicknames), and you type your stuff in the middle of this giant IRC log. So the only thing it does well is to connect you to an IRC server. As @c-cube said, it doesn’t support TLS either, so I don’t consider it as a valid IRC client.

        On the other side of the “one thing well” spectrum, there is catgirl.

        1. 1

          Agree with the part that this is not meant to be used with software that lacks basic features (oh, you need to patch the source code to configure a simple behavior on your tiling window manager).

          But also, people tend to use the “One thing well” to justify feature creep on software that is more than one binary, or, like iproute, does more than one thing well.

      2. 7

        It looks like a nice little client, it’s impressive what you can fit in < 400loc. However, it doesn’t seem to support TLS, which to me means it’s literally unusable as a daily driver. The same criterion (TLS support as a sign of maturity) more or less applies to IRC bot libraries.

    17. 1

      Coincidentally, this link talks about Tasklets and today a story was published at LWN on how a patchset improving them triggered a discussion about removing tasklets from the Linux kernel entirely…

      Tasklets offer a deferred-execution method in the Linux kernel; they have been available since the 2.3 development series. They allow interrupt handlers to schedule further work to be executed as soon as possible after the handler itself. The tasklet API has its shortcomings, but it has stayed in place while other deferred-execution methods, including workqueues, have been introduced. Recently, Kees Cook posted a security-inspired patch set (also including work from Romain Perrier) to improve the tasklet API. This change is uncontroversial, but it provoked a discussion that might lead to the removal of the tasklet API in the (not so distant) future.

      1. 2

        Yeah I went looking as a result of that LWN post.

    18. 2

      :s/Why putting/Why only putting/g

      There. Fixed that clickbait-ish title for ya.

    19. 0

      would have been nice to use RFC example IP range instead of the public IPs used in the examples.

      1. 2

        maybe this example is trying to reinforce Dynamically Addressed Peers, and using RFC IPs only would not take as much attention of the reader as using, or…