diff --git a/.codespellrc b/.codespellrc new file mode 100644 index 00000000..e5cef60e --- /dev/null +++ b/.codespellrc @@ -0,0 +1,2 @@ +[codespell] +skip = *.svg,*.pl.md,themes/3mbed/assets/*.js diff --git a/.conform.yaml b/.conform.yaml new file mode 100644 index 00000000..f96e4e09 --- /dev/null +++ b/.conform.yaml @@ -0,0 +1,16 @@ +--- +policies: + - type: commit + spec: + header: + length: 80 + imperative: false + invalidLastCharacters: . + body: + required: false + dco: true + gpg: + required: true + spellcheck: + locale: US + maximumOfOneCommit: false diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 66732f17..03ac86ba 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,3 +1,4 @@ +--- name: Build news-and-ideas on: push: @@ -68,4 +69,3 @@ jobs: FTP_PASSWORD: ${{ secrets.FTP_PASSWORD }} FTP_DOMAIN: ${{ secrets.FTP_DOMAIN }} run: cd ${GITHUB_WORKSPACE}/scripts && bash deploy.sh - diff --git a/.github/workflows/seo.yml b/.github/workflows/seo.yml new file mode 100644 index 00000000..740203f2 --- /dev/null +++ b/.github/workflows/seo.yml @@ -0,0 +1,104 @@ +--- +name: SEO CI +on: + push: + branches: + - master + pull_request: + branches: + - master + - develop + +jobs: + linkChecker: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - name: Link Checker + id: lychee + uses: lycheeverse/lychee-action@v1.8.0 + with: + fail: true + args: | + --max-concurrency 20 --max-redirects 10 -a 403,429,500,502,503,999 . + + seo_spy_orphan_pages: + runs-on: ubuntu-latest + name: Check orphan pages + steps: + - name: Checkout repo + uses: actions/checkout@v3 + with: + submodules: true + + - name: Checkout SEO Spy + uses: actions/checkout@v3 + with: + repository: 3mdeb/seo-spy + path: seo-spy + + - uses: actions/setup-python@v3 + with: + python-version: '3.9' + + - name: Install Dependencies + run: | + python -m pip install --upgrade pip + pip install -r seo-spy/requirements.txt + + - name: Setup Hugo + uses: peaceiris/actions-hugo@v2 + with: + extended: true + + - name: Serve site + run: | + npm install postcss-cli + hugo -s blog/ + hugo serve -s blog/ -b http://localhost:1313 --bind=0.0.0.0 & + + - name: Check orphan pages + uses: 3mdeb/seo-spy-action@main + with: + domain: 'http://localhost:1313' + + seo_spy_canonical_links: + runs-on: ubuntu-latest + name: Check canonical links + steps: + - name: Checkout repo + uses: actions/checkout@v3 + with: + submodules: true + + - name: Checkout SEO Spy + uses: actions/checkout@v3 + with: + repository: 3mdeb/seo-spy + path: seo-spy + + - uses: actions/setup-python@v3 + with: + python-version: '3.9' + + - name: Install Dependencies + run: | + python -m pip install --upgrade pip + pip install -r seo-spy/requirements.txt + + - name: Setup Hugo + uses: peaceiris/actions-hugo@v2 + with: + extended: true + + - name: Serve site + run: | + npm install postcss-cli + hugo -s blog/ + hugo serve -s blog/ -b http://localhost:1313 --bind=0.0.0.0 & + + - name: Check canonical links + uses: 3mdeb/seo-spy-action@main + with: + domain: 'http://localhost:1313' + args: '-c' diff --git a/.lycheeignore b/.lycheeignore new file mode 100644 index 00000000..fd239054 --- /dev/null +++ b/.lycheeignore @@ -0,0 +1,8 @@ +.Permalink +themes/3mdeb/layouts +account1@server.com +https://www.embedded-world.de/ +https://www.paypal.com/cgi-bin/webscr +https://www.aliexpress.com +https://twitter.com +localhost:1313 diff --git a/.markdown.yaml b/.markdown.yaml new file mode 100644 index 00000000..5597263b --- /dev/null +++ b/.markdown.yaml @@ -0,0 +1,41 @@ +--- +# MD013/line-length - Line length +MD013: + # Number of characters for code blocks + code_block_line_length: 400 + tables: false + + +# MD041/first-line-heading/first-line-h1 - First line in a file should be a top-level heading +MD041: + # Heading level + level: 1 + # RegExp for matching title in front matter + front_matter_title: "^\\s*title\\s*[:=]" + +# MD042/no-empty-links - No empty links +MD042: true + +# MD046/code-block-style - Code block style +# MD046: Rule temporarily disabled, it prevents new tabs from being formatted +# correctly - eg. docs/unified/novacustom/overview.md:9 +# Block style +# style: "fenced" + +# MD047/single-trailing-newline - Files should end with a single newline character +MD047: true + +# MD048/code-fence-style - Code fence style +MD048: + # Code fence style + style: "backtick" + +# MD049/emphasis-style - Emphasis style should be consistent +MD049: + # Emphasis style should be consistent + style: "underscore" + +# MD050/strong-style - Strong style should be consistent +MD050: + # Strong style should be consistent + style: "asterisk" diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 00000000..9cd74f61 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,61 @@ +# See https://pre-commit.com/hooks.html for more hooks +--- +repos: + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: check-added-large-files + - id: check-merge-conflict + - id: check-symlinks + - id: detect-private-key + - id: end-of-file-fixer + - id: trailing-whitespace + - id: mixed-line-ending + + - repo: https://github.com/adrienverge/yamllint + rev: v1.32.0 + hooks: + - id: yamllint + args: [-c=.yamllint] + + - repo: https://github.com/igorshubovych/markdownlint-cli + rev: v0.35.0 + hooks: + - id: markdownlint + args: [-c.markdown.yaml] + - id: markdownlint-fix + args: [-c.markdown.yaml] + + - repo: https://github.com/talos-systems/conform + rev: v0.1.0-alpha.27 + hooks: + - id: conform + stages: + - commit-msg + + - repo: https://github.com/codespell-project/codespell + rev: v2.2.4 + hooks: + - id: codespell + args: [ + -L, + 'ser,exite,lew,isplay,erro,hart,hve,som,gir,\ + synopsys,uests,datas,synopsys,tung,ot,hda,parm' + ] + + - repo: local + hooks: + - id: double_slashes_url_external + name: Check double slashes in external URLs + entry: https?:\/\/[^\s]*(? Important note: The author needs to verify the content using +> [Grammarly](#grammarly---a-must-have-for-content-verification) before +> requesting review. Ask your supervisor for the premium account access -### Table of contents +## Table of contents - [Deployment status](#deployment-status) - [Usage](#usage) - * [Add new post](#add-new-post) - + [Categories and tags](#categories-and-tags) - * [Local preview](#local-preview) - * [Deployment on https://beta.3mdeb.com](#deployment-on-https---beta3mdebcom) - * [Deployment on `production` blog](#deployment-on--production--blog) - * [Add new profile page](#add-new-profile-page) + - [Add new post](#add-new-post) + - [Categories](#categories) + - [Tags](#tags) + - [Local preview](#local-preview) + - [Deployment on https://beta.3mdeb.com](#deployment-on-beta-blog) + - [Deployment on `production` blog](#deployment-on-production-blog) + - [Add new profile page](#add-new-profile-page) - [Good practices](#good-practices) - * [Grammarly](#grammarly) - * [Markdown](#markdown) - * [Single or multiple authors](#single-or-multiple-authors) - * [SEO best known methods](#seo-best-known-methods) + - [Grammarly](#grammarly---a-must-have-for-content-verification) + - [Markdown](#markdown) + - [Single or multiple authors](#single-or-multiple-authors) + - [SEO best known methods](#seo-best-known-methods) @@ -47,13 +50,14 @@ To add new post to our blog, first prepare local repository: 1. Edit post: `vim blog/content/post/.md` Some valuable information: -* Familiarize yourself with [good practices](#good-practices) section. -* Use [Markdown](#Markdown) to write your blog post. -* You can use [local preview](#local-preview) -* Finished blog post should get reviewed - please create Github Pull Request to + +- Familiarize yourself with [good practices](#good-practices) section. +- Use [Markdown](#markdown) to write your blog post. +- You can use [local preview](#local-preview) +- Finished blog post should get reviewed - please create Github Pull Request to `develop` branch as described [here](#deployment) -* If deployment to beta doesn't show any issues please ask maintainer for sync - to [master](#deployment). +- If deployment to beta doesn't show any issues please ask maintainer for sync + to [master](#deployment). #### Categories @@ -70,8 +74,8 @@ We have several categories you can choose from: #### Tags Basically, we have a huge pool of tags available. Before creating a new tag, -check the currently [available tags](https://blog.3mdeb.com/tags/). If there -is no tag that properly describes your blog, create a **one** new tag. +check the currently [available tags](https://blog.3mdeb.com/tags/). If there is +no tag that properly describes your blog, create a **one** new tag. ### Local preview @@ -79,10 +83,13 @@ is no tag that properly describes your blog, create a **one** new tag. 1. Generated files can be found in `blog/public` There is possibility to check whether new post is well formatted: + 1. Run local server: `./scripts/local-preview.sh` 1. Go to [http://localhost:1313/](http://localhost:1313/) to view the changes. -### Deployment on https://beta.3mdeb.com +## Deployment + +### Deployment on beta blog 1. Push commits with your blog post to your branch. There are no strict rules for branch naming. It should refer to the post title. @@ -92,16 +99,16 @@ There is possibility to check whether new post is well formatted: 1. Once your Pull Request gets merged to `develop`, the blog should be automatically deployed to the [beta](https://beta.blog.3mdeb.com). You can check the deploy job status on the - [travis-ci.com](https://travis-ci.com/3mdeb/news-and-ideas) + [github action](https://github.com/3mdeb/news-and-ideas/actions/workflows/build.yml) ### Deployment on `production` blog -When the blog's status in [beta](https://beta.blog.3mdeb.com) is acceptable, -we can deploy to [production](https://blog.3dmeb.com). To do that, simply -create the Pull Request from `develop` to `master`. Once it gets merged, the -same version of blog should be deployed to -[production](https://blog.3mdeb.com). You can check the deploy job status on the -[travis-ci.com](https://travis-ci.com/3mdeb/news-and-ideas) +When the blog's status in [beta](https://beta.blog.3mdeb.com) is acceptable, we +can deploy to [production](https://blog.3mdeb.com). To do that, simply create +the Pull Request from `develop` to `master`. Once it gets merged, the same +version of blog should be deployed to [production](https://blog.3mdeb.com). You +can check the deploy job status on the +[github action](https://github.com/3mdeb/news-and-ideas/actions/workflows/build.yml) ### Add new profile page @@ -109,23 +116,82 @@ Employees and post authors profile pages are now implemented to our Hugo blog. To add new profile page, follow steps below: 1. Add `_index.md` file to `blog/content/authors/name-surname/` with the content -about the author (look at other profile pages for template). + about the author (look at other profile pages for template). 1. Add `name.surname.json` file to `blog/data/authors/` with the content about -the author for the post footer (look for other .json files for template) + the author for the post footer (look for other .json files for template) 1. Add `name.surname.png` image to `blog/static/authors/` for profile image. 1. After rebuilding the site (locally), new profile should be visible in the -authors list page: http://localhost:1313/authors/ + authors list page: ## Good practices +### Broken links checker + +Currently we are using [lychee](https://github.com/lycheeverse/lychee) a fast, +async, stream-based link checker written in Rust. The automatic check is +triggered on each push to the master pull request. + +You can also run it locally using a docker image: + +```bash +$ docker run --init -it --rm -w $(pwd) -v $(pwd):$(pwd) lycheeverse/lychee + --max-redirects 10 -a 403,429,500,502,503,999 . +``` + +### Relative links + +Please avoid using relative like: + +```md +[contact](../../pages/contact/) +``` + +Instead, use absolute links: + +```md +[contact](https://www.dasharo.com/pages/contact/) +``` + +### pre-commit hooks + +- [Install pre-commit](https://pre-commit.com/index.html#install), if you + followed [local build](#local-preview) procedure `pre-commit` should be + installed + +- [Install go](https://go.dev/doc/install) + +- Install hooks into repo: + +```shell +pre-commit install --hook-type commit-msg +``` + +- Enjoy automatic checks on each `git commit` action! + +- (Optional) Run hooks on all files (for example, when adding new hooks or + configuring existing ones): + +```shell +pre-commit run --all-files +``` + +#### To skip verification + +In some cases, it may be needed to skip `pre-commit` tests. To do that, please +use: + +```shell +git commit --no-verify +``` + ### Grammarly - a must have for content verification Grammarly is a great, free tool for all bloggers and anyone who needs to write -documentation in English. -It will let you know if you skipped a coma or made a typo, as well, as it will -check advanced grammar mistakes, too. Bear in mind, that the free version has -its limits, so you need to keep an eye on it at all times and still, you are -the one who distinguishes when to use a/an or the, as it only suggests changes. +documentation in English. It will let you know if you skipped a coma or made a +typo, as well, as it will check advanced grammar mistakes, too. Bear in mind, +that the free version has its limits, so you need to keep an eye on it at all +times and still, you are the one who distinguishes when to use a/an or the, as +it only suggests changes. Two versions of Grammarly are available: a plugin for Chrome/Chromium or online application. You need to create an account (it's for free) to be able to use @@ -133,8 +199,8 @@ Grammarly. Visit the website [Grammarly](https://app.grammarly.com/) and create an account. ->It is a MUST-HAVE application for anyone who writes posts or documentation, so -feel obliged to use it. +> It is a MUST-HAVE application for anyone who writes posts or documentation, so +> feel obliged to use it. ### Markdown @@ -145,44 +211,45 @@ It is awesome because it is short and clear. However, here are some most important commands: - #, ##, ###, ####, #####, ###### - headers (just like in HTML `

` -etc.) + etc.) - `- some text` - it is simply a list item for an unordered list. - `
  • ` in -HTML + HTML - `1. some text` - an ordered list. Number does not matter, it will be ordered -automatically. + automatically. - `[Visible text](URL)` - a link -- ` - inline code. Can be used as an inline quote -- ` x3 - block of code. You can write, next to it (connected) a programming -language. Supported aliases for language highlighting are listed -[here](https://gohugo.io/content-management/syntax-highlighting/#list-of-chroma-highlighting-languages) +- \` - inline code. Can be used as an inline quote +- \` x3 - block of code. You can write, next to it (connected) a programming + language. Supported aliases for language highlighting are listed + [here](https://gohugo.io/content-management/syntax-highlighting/#list-of-chroma-highlighting-languages) If your post includes any images, they must be located in `blog/static/img` directory. To link them in file written in Markdown, use the format below: -``` +```bash ![alt text](/img/image_name.jpg) ``` **Remember about newlines before markdown tables, lists, quotes (>) and blocks of text (\`\`\`).** -I hope this will help. To see more, visit [Markdown Cheatsheet](https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet) +I hope this will help. To see more, visit +[Markdown Cheatsheet](https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet) ->You can write attach inline HTML into Markdown and it will work! ->`Some text` +> You can write attach inline HTML into Markdown and it will work! +> `Some text` ### Single or multiple authors In general, author meta-field MUST be strictly formatted (lowercase, non-polish letters): -``` +```bash author: name.surname ``` If post has multiple authors, author meta-field MUST be formatted as below: -``` +```bash author: - name.surname - name.surname @@ -190,25 +257,26 @@ author: ### SEO best known methods -* Meta description - each post should have single-sentence description with +- Meta description - each post should have single-sentence description with proper keywords (try to add as many keywords as possible) -> previously set in the Yoast SEO plugin [TBD - how to set them now] -* Tags selection - use proper tags (good examples are tags for articles of our - competition and results from the Google first site) +> previously set in the Yoast SEO plugin \[TBD - how to set them now\] + +- Tags selection - use proper tags (good examples are tags for articles of our + competition and results from the Google first site) -* Graphic/image title - description with keywords related to whole article. All -images uploaded to WordPress should be edited in terms of SEO (WP-admin panel in -the `Media` tab). It is required to complete the `Caption` field and add tags -with `Meta Tag manager` -> `Add Meta Tag` (at the bottom). +- Graphic/image title - description with keywords related to whole article. All + images uploaded to WordPress should be edited in terms of SEO (WP-admin panel + in the `Media` tab). It is required to complete the `Caption` field and add + tags with `Meta Tag manager` -> `Add Meta Tag` (at the bottom). ### Creating titles - Emotional Marketing Value Headline Analyzer The free tool, which analyze headline to determine the Emotional Marketing Value -(EMV) score. Headline is analyzed and scored based on the total number -of EMV words it has in relation to the total number of words it contains. This -will determine the EMV score of headline. Most professional copywriters' -headlines will have 30%-40% EMV Words in their headlines, while the most gifted +(EMV) score. Headline is analyzed and scored based on the total number of EMV +words it has in relation to the total number of words it contains. This will +determine the EMV score of headline. Most professional copywriters' headlines +will have 30%-40% EMV Words in their headlines, while the most gifted copywriters will have 50%-75% EMV words in headlines. diff --git a/blog/archetypes/default.md b/blog/archetypes/default.md index 00e77bd7..26f317f3 100644 --- a/blog/archetypes/default.md +++ b/blog/archetypes/default.md @@ -3,4 +3,3 @@ title: "{{ replace .Name "-" " " | title }}" date: {{ .Date }} draft: true --- - diff --git a/blog/content/authors/anastazja-lapanova/_index.md b/blog/content/authors/anastazja-lapanova/_index.md index bc497a17..bd01f8cf 100644 --- a/blog/content/authors/anastazja-lapanova/_index.md +++ b/blog/content/authors/anastazja-lapanova/_index.md @@ -1,4 +1,5 @@ --- +title: "Anastazja Lapanova" name: "Anastazja Lapanova" identifier: anastazja.lapanova photo: "/authors/anastazja.lapanova.png" @@ -7,6 +8,7 @@ twitter: "" linkedin: "" github: "" --- + Service and people oriented person. Second year student of criminology and a member of the Scientific Club of Forensics and Forensic Medicine - Dispecto. My goal is looking for solutions of security as much in cyberspace as in typical diff --git a/blog/content/authors/andrzej-pawlowicz/_index.md b/blog/content/authors/andrzej-pawlowicz/_index.md index 3f98b271..e823dbc4 100644 --- a/blog/content/authors/andrzej-pawlowicz/_index.md +++ b/blog/content/authors/andrzej-pawlowicz/_index.md @@ -1,4 +1,5 @@ --- +title: "Andrzej Pawłowicz" name: "Andrzej Pawłowicz" identifier: andrzej.pawlowicz photo: "/authors/andrzej.pawlowicz.png" diff --git a/blog/content/authors/arkadiusz-cichocki/_index.md b/blog/content/authors/arkadiusz-cichocki/_index.md index 060a5bb9..98971cd1 100644 --- a/blog/content/authors/arkadiusz-cichocki/_index.md +++ b/blog/content/authors/arkadiusz-cichocki/_index.md @@ -1,4 +1,5 @@ --- +title: "Arkadiusz Cichocki" name: "Arkadiusz Cichocki" identifier: arkadiusz.cichocki photo: "/authors/arkadiusz.cichocki.png" diff --git a/blog/content/authors/artur-kowalski/_index.md b/blog/content/authors/artur-kowalski/_index.md index 09956b24..e687ef1f 100644 --- a/blog/content/authors/artur-kowalski/_index.md +++ b/blog/content/authors/artur-kowalski/_index.md @@ -1,12 +1,14 @@ --- +title: "Artur Kowalski" name: "Artur Kowalski" identifier: artur.kowalski photo: "/authors/artur.kowalski.jpg" facebook: "" twitter: "" linkedin: "" -github: "https://github.com/arturkow2000" +github: "https://github.com/arturkow2" --- + Junior embedded developer at 3mdeb. Interested in low-level development ranging from microcontroller programming to hypervisor and kernel development. In free -time working on various personal open-source projects. \ No newline at end of file +time working on various personal open-source projects. diff --git a/blog/content/authors/artur-raglis/_index.md b/blog/content/authors/artur-raglis/_index.md index 5e88c13a..62138536 100644 --- a/blog/content/authors/artur-raglis/_index.md +++ b/blog/content/authors/artur-raglis/_index.md @@ -1,4 +1,5 @@ --- +title: "Artur Raglis" name: "Artur Raglis" identifier: artur.raglis photo: "/authors/artur.raglis.png" diff --git a/blog/content/authors/bartek-lew/_index.md b/blog/content/authors/bartek-lew/_index.md index ee55d0d0..2fc7258d 100644 --- a/blog/content/authors/bartek-lew/_index.md +++ b/blog/content/authors/bartek-lew/_index.md @@ -1,4 +1,5 @@ --- +title: "Bartek Lew" name: "Bartek Lew" identifier: bartek.lew photo: "/authors/bartek.lew.png" diff --git a/blog/content/authors/bartek-pastudzki/_index.md b/blog/content/authors/bartek-pastudzki/_index.md index bfe289a3..5eb1ccec 100644 --- a/blog/content/authors/bartek-pastudzki/_index.md +++ b/blog/content/authors/bartek-pastudzki/_index.md @@ -1,4 +1,5 @@ --- +title: "Bartek Pastudzki" name: "Bartek Pastudzki" identifier: bartek.pastudzki photo: "/authors/bartek.pastudzki.png" diff --git a/blog/content/authors/cezary-sobczak/_index.md b/blog/content/authors/cezary-sobczak/_index.md index 44bb14f1..95c45817 100644 --- a/blog/content/authors/cezary-sobczak/_index.md +++ b/blog/content/authors/cezary-sobczak/_index.md @@ -1,4 +1,5 @@ --- +title: "Cezary Sobczak" name: "Cezary Sobczak" identifier: cezary.sobczak photo: "/authors/cezary.sobczak.png" @@ -8,7 +9,7 @@ linkedin: "https://www.linkedin.com/in/cezary-sobczak" github: "https://github.com/Cezarus27" --- -Junior embedded systems developer at 3mdeb. -He require a lot from himself and want to extend his knowledge. He's now focused on +Junior embedded systems developer at 3mdeb. He require a lot from himself +and want to extend his knowledge. He's now focused on Linux embedded systems but also is interested in the modern automotive industry and microcontroller programming. diff --git a/blog/content/authors/daniel-konopski/_index.md b/blog/content/authors/daniel-konopski/_index.md index c8d82aa5..70647a24 100644 --- a/blog/content/authors/daniel-konopski/_index.md +++ b/blog/content/authors/daniel-konopski/_index.md @@ -1,4 +1,5 @@ --- +title: "Daniel Konopski" name: "Daniel Konopski" identifier: daniel.konopski photo: "/authors/daniel.konopski.png" diff --git a/blog/content/authors/dawid-zebacki/_index.md b/blog/content/authors/dawid-zebacki/_index.md index 3d7c32e0..99d12488 100644 --- a/blog/content/authors/dawid-zebacki/_index.md +++ b/blog/content/authors/dawid-zebacki/_index.md @@ -1,13 +1,14 @@ --- -name: "Dawid Zębacki" -identifier: dawid.zebacki -photo: "/authors/dawid.zebacki.png" +title: "Artur Kowalski" +name: "Artur Kowalski" +identifier: artur.kowalski +photo: "/authors/artur.kowalski.jpg" facebook: "" twitter: "" -linkedin: "https://www.linkedin.com/in/dawidzebacki" -github: "https://github.com/dawidzebacki" +linkedin: "" +github: "https://github.com/arturkow2" --- -Junior Web Engineer at 3mdeb - Embedded Systems Consulting. -Passionate about web development and Javascript lover. He follows the motto: -'Choose a job you love, and you will never have to work a day in your life.' +Junior Web Engineer at 3mdeb - Embedded Systems Consulting. Passionate about web +development and Javascript lover. He follows the motto: 'Choose a job you love, +and you will never have to work a day in your life.' diff --git a/blog/content/authors/ewa-krol/_index.md b/blog/content/authors/ewa-krol/_index.md index 13ed6a1b..0c8c530c 100644 --- a/blog/content/authors/ewa-krol/_index.md +++ b/blog/content/authors/ewa-krol/_index.md @@ -1,4 +1,5 @@ --- +title: "Ewa Król" name: "Ewa Król" identifier: ewa.krol photo: "/authors/ewa.krol.png" @@ -7,4 +8,5 @@ twitter: "" linkedin: "" github: "" --- + Bio - in progress diff --git a/blog/content/authors/igor-bagnucki/_index.md b/blog/content/authors/igor-bagnucki/_index.md index 3e585936..50ba6a4d 100644 --- a/blog/content/authors/igor-bagnucki/_index.md +++ b/blog/content/authors/igor-bagnucki/_index.md @@ -1,4 +1,5 @@ --- +title: "Igor Bagnucki" name: "Igor Bagnucki" identifier: igor.bagnucki photo: "/authors/igor.bagnucki.png" diff --git a/blog/content/authors/jakub-lecki/_index.md b/blog/content/authors/jakub-lecki/_index.md index 353a661d..72d5ddd7 100644 --- a/blog/content/authors/jakub-lecki/_index.md +++ b/blog/content/authors/jakub-lecki/_index.md @@ -1,4 +1,5 @@ --- +title: "Jakub Łęcki" name: "Jakub Łęcki" identifier: jakub.lecki photo: "/authors/jakub.lecki.png" @@ -9,5 +10,5 @@ github: "https://github.com/leckijakub" contribution: --- -Junior Embedded Systems Developer at 3mdeb. -Enthusiast of Linux, C, hardware and automotive. \ No newline at end of file +Junior Embedded Systems Developer at 3mdeb. Enthusiast of Linux, C, hardware and +automotive. diff --git a/blog/content/authors/kamil-wcislo/_index.md b/blog/content/authors/kamil-wcislo/_index.md index 435f9a1e..247c2752 100644 --- a/blog/content/authors/kamil-wcislo/_index.md +++ b/blog/content/authors/kamil-wcislo/_index.md @@ -1,4 +1,5 @@ --- +title: "Kamil Wcisło" name: "Kamil Wcisło" identifier: kamil.wcislo photo: "/authors/kamil.wcislo.png" diff --git a/blog/content/authors/kamila-banecka/_index.md b/blog/content/authors/kamila-banecka/_index.md index 9799ffe4..58794f91 100644 --- a/blog/content/authors/kamila-banecka/_index.md +++ b/blog/content/authors/kamila-banecka/_index.md @@ -1,4 +1,5 @@ --- +title: "Kamila Banecka" name: "Kamila Banecka" identifier: kamila.banecka photo: "/authors/kamila.banecka.jpg" @@ -8,4 +9,4 @@ linkedin: "" github: "" --- Junior firmware tester and a linguist. Eager to acquire new language skills of -both programming and natural sources. Huge fan of Natural Language Processing. +both programming and natural sources. Huge fan of Natural Language Processing. diff --git a/blog/content/authors/krystian-hebel/_index.md b/blog/content/authors/krystian-hebel/_index.md index 65f6359a..a7ca0bee 100644 --- a/blog/content/authors/krystian-hebel/_index.md +++ b/blog/content/authors/krystian-hebel/_index.md @@ -1,4 +1,5 @@ --- +title: "Krystian Hebel" name: "Krystian Hebel" identifier: krystian.hebel photo: "/authors/krystian.hebel.png" diff --git a/blog/content/authors/lukasz-laguna/_index.md b/blog/content/authors/lukasz-laguna/_index.md index 2b5da985..576c108e 100644 --- a/blog/content/authors/lukasz-laguna/_index.md +++ b/blog/content/authors/lukasz-laguna/_index.md @@ -1,4 +1,5 @@ --- +title: "Łukasz Łaguna" name: "Łukasz Łaguna" identifier: lukasz.laguna photo: "/authors/lukasz.laguna.png" diff --git a/blog/content/authors/lukasz-matysiewicz/_index.md b/blog/content/authors/lukasz-matysiewicz/_index.md index 2d384631..2bbd7a74 100644 --- a/blog/content/authors/lukasz-matysiewicz/_index.md +++ b/blog/content/authors/lukasz-matysiewicz/_index.md @@ -1,4 +1,5 @@ --- +title: "Łukasz Matysiewicz" name: "Łukasz Matysiewicz" identifier: lukasz.matysiewicz photo: "/authors/lukasz.matysiewicz.png" @@ -7,6 +8,6 @@ twitter: "" linkedin: "" github: "https://github.com/lukasz-matysiewicz" --- -Content & Graphics Designer. His resposibility is Visual concept of marketing +Content & Graphics Designer. His responsibility is Visual concept of marketing items, website, blog, shop and Company key visual. His goal is to provide Visual side on same level as Company hardware development which mean nearly perfect. diff --git a/blog/content/authors/lukasz-wcislo/_index.md b/blog/content/authors/lukasz-wcislo/_index.md index 4a276e84..da789944 100644 --- a/blog/content/authors/lukasz-wcislo/_index.md +++ b/blog/content/authors/lukasz-wcislo/_index.md @@ -1,4 +1,5 @@ --- +title: "Łukasz Wcisło" name: "Łukasz Wcisło" identifier: lukasz.wcislo photo: "/authors/lukasz.wcislo.png" diff --git a/blog/content/authors/maciej-pijanowski/_index.md b/blog/content/authors/maciej-pijanowski/_index.md index 2a087334..2c4b3f8a 100644 --- a/blog/content/authors/maciej-pijanowski/_index.md +++ b/blog/content/authors/maciej-pijanowski/_index.md @@ -1,4 +1,5 @@ --- +title: "Maciej Pijanowski" name: "Maciej Pijanowski" identifier: maciej.pijanowski photo: "/authors/maciej.pijanowski.png" diff --git a/blog/content/authors/maciej-rucinski/_index.md b/blog/content/authors/maciej-rucinski/_index.md index a5ed2eae..4922cc29 100644 --- a/blog/content/authors/maciej-rucinski/_index.md +++ b/blog/content/authors/maciej-rucinski/_index.md @@ -1,4 +1,5 @@ --- +title: "Maciej Ruciński" name: "Maciej Ruciński" identifier: maciej.rucinski photo: "/authors/maciej.rucinski.png" diff --git a/blog/content/authors/malwina-mika/_index.md b/blog/content/authors/malwina-mika/_index.md index f9d9a329..f9421a72 100644 --- a/blog/content/authors/malwina-mika/_index.md +++ b/blog/content/authors/malwina-mika/_index.md @@ -1,4 +1,5 @@ --- +title: "Malwina Mika" name: "Malwina Mika" identifier: malwina.mika photo: "/authors/malwina.mika.jpg" @@ -7,5 +8,8 @@ twitter: "" linkedin: "" github: "" --- -Junior Web Developer at 3mdeb. Responsible for writing well-designed, testable, efficient code, based on the best software development practices. -On a daily basis, busy with creating a page layouts / user interfaces, using standard HTML / CSS practices. + +Junior Web Developer at 3mdeb. Responsible for writing well-designed, testable, +efficient code, based on the best software development practices. +On a daily basis, busy with creating a page layouts / user interfaces, +using standard HTML / CSS practices. diff --git a/blog/content/authors/marek-kasiewicz/_index.md b/blog/content/authors/marek-kasiewicz/_index.md index fe2da23f..838817ff 100644 --- a/blog/content/authors/marek-kasiewicz/_index.md +++ b/blog/content/authors/marek-kasiewicz/_index.md @@ -1,4 +1,5 @@ --- +title: "Marek Kasiewicz" name: "Marek Kasiewicz" identifier: marek.kasiewicz photo: "/authors/marek.kasiewicz.png" diff --git a/blog/content/authors/marta-szelecka/_index.md b/blog/content/authors/marta-szelecka/_index.md index c02841dc..25f3fbd2 100644 --- a/blog/content/authors/marta-szelecka/_index.md +++ b/blog/content/authors/marta-szelecka/_index.md @@ -1,4 +1,5 @@ --- +title: "Marta Szelecka" name: "Marta Szelecka" identifier: marta.szelecka photo: "/authors/marta.szelecka.png" diff --git a/blog/content/authors/mateusz-grzelak/_index.md b/blog/content/authors/mateusz-grzelak/_index.md index e720de1f..a3bf91d4 100644 --- a/blog/content/authors/mateusz-grzelak/_index.md +++ b/blog/content/authors/mateusz-grzelak/_index.md @@ -1,4 +1,5 @@ --- +title: "Mateusz Grzelak" name: "Mateusz Grzelak" identifier: mateusz.grzelak photo: "/authors/mateusz.grzelak.png" diff --git a/blog/content/authors/michal-bullmann/_index.md b/blog/content/authors/michal-bullmann/_index.md index 3404c545..3a812af4 100644 --- a/blog/content/authors/michal-bullmann/_index.md +++ b/blog/content/authors/michal-bullmann/_index.md @@ -1,4 +1,5 @@ --- +title: "Michał Bullmann" name: "Michał Bullmann" identifier: michal.bullmann photo: "/authors/michal.bullmann.png" diff --git a/blog/content/authors/michal-kopec/_index.md b/blog/content/authors/michal-kopec/_index.md index aa91dc38..adaa6100 100644 --- a/blog/content/authors/michal-kopec/_index.md +++ b/blog/content/authors/michal-kopec/_index.md @@ -1,4 +1,5 @@ --- +title: "Michał Kopeć" name: "Michał Kopeć" identifier: michal.kopec photo: "/authors/no-image.png" diff --git a/blog/content/authors/michal-kotyla/_index.md b/blog/content/authors/michal-kotyla/_index.md index 6295328c..7234598c 100644 --- a/blog/content/authors/michal-kotyla/_index.md +++ b/blog/content/authors/michal-kotyla/_index.md @@ -1,4 +1,5 @@ --- +title: "Michał Kotyla" name: "Michał Kotyla" identifier: michal.kotyla photo: "/authors/michal.kotyla.jpg" @@ -9,4 +10,4 @@ github: "https://github.com/kotylamichal" --- Embedded Linux Developer at 3mdeb. Interested in a wide spectrum of embedded -systems and computer architecture. \ No newline at end of file +systems and computer architecture. diff --git a/blog/content/authors/michal-zygowski/_index.md b/blog/content/authors/michal-zygowski/_index.md index ab8701f9..63d30bd6 100644 --- a/blog/content/authors/michal-zygowski/_index.md +++ b/blog/content/authors/michal-zygowski/_index.md @@ -1,4 +1,5 @@ --- +title: "Michał Żygowski" name: "Michał Żygowski" identifier: michal.zygowski photo: "/authors/michal.zygowski.png" diff --git a/blog/content/authors/mike-banon/_index.md b/blog/content/authors/mike-banon/_index.md index 36043ac8..e56af11b 100644 --- a/blog/content/authors/mike-banon/_index.md +++ b/blog/content/authors/mike-banon/_index.md @@ -1,4 +1,5 @@ --- +title: "Mike Banon" name: "Mike Banon" identifier: mike.banon photo: "/authors/mike.banon.png" diff --git a/blog/content/authors/norbert-kaminski/_index.md b/blog/content/authors/norbert-kaminski/_index.md index dd8a80fb..d3bb4ae4 100644 --- a/blog/content/authors/norbert-kaminski/_index.md +++ b/blog/content/authors/norbert-kaminski/_index.md @@ -1,4 +1,5 @@ --- +title: "Norbert Kamiński" name: "Norbert Kamiński" identifier: norbert.kaminski photo: "/authors/norbert.kaminski.png" diff --git a/blog/content/authors/pawel-zaborny/_index.md b/blog/content/authors/pawel-zaborny/_index.md index 74826dc8..e10edf30 100644 --- a/blog/content/authors/pawel-zaborny/_index.md +++ b/blog/content/authors/pawel-zaborny/_index.md @@ -1,4 +1,5 @@ --- +title: "Paweł Zaborny" name: "Paweł Zaborny" identifier: pawel.zaborny photo: @@ -9,4 +10,6 @@ github: "https://github.com/pawelzaborny" contribution: --- -Junior Embedded Systems Engineer at 3mdeb. Gaining his experience on AI usage in medicine working on segmentation and forecasting algorithms. Interested in computer vision, statistics, and embedded systems. +Junior Embedded Systems Engineer at 3mdeb. Gaining his experience on AI usage +in medicine working on segmentation and forecasting algorithms. Interested in +computer vision, statistics, and embedded systems. diff --git a/blog/content/authors/piotr-kleinschmidt/_index.md b/blog/content/authors/piotr-kleinschmidt/_index.md index 1ce6ef87..a18bd28a 100644 --- a/blog/content/authors/piotr-kleinschmidt/_index.md +++ b/blog/content/authors/piotr-kleinschmidt/_index.md @@ -1,4 +1,5 @@ --- +title: "Piotr Kleinschmidt" name: "Piotr Kleinschmidt" identifier: piotr.kleinschmidt photo: "/authors/piotr.kleinschmidt.png" @@ -7,6 +8,7 @@ twitter: "" linkedin: "" github: "https://github.com/piotr-kleins" --- + Junior Firmware Engineer interested mostly in the embedded world and automatics. Likes when things work his way, but if there is an issue to debug and analysis - he faces it. diff --git a/blog/content/authors/piotr-konkol/_index.md b/blog/content/authors/piotr-konkol/_index.md index c5b0d196..607bb736 100644 --- a/blog/content/authors/piotr-konkol/_index.md +++ b/blog/content/authors/piotr-konkol/_index.md @@ -1,4 +1,5 @@ --- +title: "Piotr Konkol" name: "Piotr Konkol" identifier: piotr.konkol photo: "/authors/piotr.konkol.jpg" diff --git a/blog/content/authors/piotr-krol/_index.md b/blog/content/authors/piotr-krol/_index.md index 1a30fbce..c4e6f896 100644 --- a/blog/content/authors/piotr-krol/_index.md +++ b/blog/content/authors/piotr-krol/_index.md @@ -1,4 +1,5 @@ --- +title: "Piotr Król" name: "Piotr Król" identifier: piotr.krol photo: "/authors/piotr.krol.jpg" diff --git a/blog/content/authors/piotr-nowoslawski/_index.md b/blog/content/authors/piotr-nowoslawski/_index.md index 3d3ae64d..6d973b0c 100644 --- a/blog/content/authors/piotr-nowoslawski/_index.md +++ b/blog/content/authors/piotr-nowoslawski/_index.md @@ -1,4 +1,5 @@ --- +title: "Piotr Nowosławski" name: "Piotr Nowosławski" identifier: piotr.nowoslawski photo: "/authors/piotr.nowoslawski.png" @@ -9,4 +10,5 @@ github: "" --- Junior Web Engineer at 3mdeb - Embedded Systems Consulting. -I like JavaScript and its entire ecosystem. I am mainly interested in front-end technologies because appearance is what matters. +I like JavaScript and its entire ecosystem. I am mainly interested in front-end +technologies because appearance is what matters. diff --git a/blog/content/authors/rafal-janicki/_index.md b/blog/content/authors/rafal-janicki/_index.md index 9ef69777..1d7a7c75 100644 --- a/blog/content/authors/rafal-janicki/_index.md +++ b/blog/content/authors/rafal-janicki/_index.md @@ -1,4 +1,5 @@ --- +title: "Rafał Janicki" name: "Rafał Janicki" identifier: rafal.janicki photo: "/authors/rafal.janicki.png" diff --git a/blog/content/authors/stanislaw-bieniek/_index.md b/blog/content/authors/stanislaw-bieniek/_index.md index abb010b2..9aa298d6 100644 --- a/blog/content/authors/stanislaw-bieniek/_index.md +++ b/blog/content/authors/stanislaw-bieniek/_index.md @@ -1,4 +1,5 @@ --- +title: "Stanisław Bieniek" name: "Stanisław Bieniek" identifier: stanislaw.bieniek photo: "/authors/stanislaw.bieniek.png" @@ -7,4 +8,5 @@ twitter: "" linkedin: "" github: "https://github.com/Stanislaw-bnk" --- + Bio - in progress diff --git a/blog/content/authors/tomasz-zyjewski/_index.md b/blog/content/authors/tomasz-zyjewski/_index.md index c79f8198..76732150 100644 --- a/blog/content/authors/tomasz-zyjewski/_index.md +++ b/blog/content/authors/tomasz-zyjewski/_index.md @@ -1,4 +1,5 @@ --- +title: "Tomasz Żyjewski" name: "Tomasz Żyjewski" identifier: tomasz.zyjewski photo: "/authors/tomasz.zyjewski.png" diff --git a/blog/content/authors/wojciech-niewiadomski/_index.md b/blog/content/authors/wojciech-niewiadomski/_index.md index 93859945..01a96a4d 100644 --- a/blog/content/authors/wojciech-niewiadomski/_index.md +++ b/blog/content/authors/wojciech-niewiadomski/_index.md @@ -1,4 +1,5 @@ --- +title: "Wojciech Niewiadomski" name: "Wojciech Niewiadomski" identifier: wojciech.niewiadomski photo: "/authors/wojciech.niewiadomski.png" @@ -8,5 +9,5 @@ linkedin: "" github: "" --- -Junior embedded systems developer at 3mdeb. -Open source enthusiast currently focused on Linux embedded systems. +Junior embedded systems developer at 3mdeb. Open source enthusiast currently +focused on Linux embedded systems. diff --git a/blog/content/post/2012-01-06-flashrom-and-shuttle-av18e2.md b/blog/content/post/2012-01-06-flashrom-and-shuttle-av18e2.md index 6fa5e707..4fad5852 100644 --- a/blog/content/post/2012-01-06-flashrom-and-shuttle-av18e2.md +++ b/blog/content/post/2012-01-06-flashrom-and-shuttle-av18e2.md @@ -12,6 +12,7 @@ tags: categories: - Firmware --- + During Christmas break I found an old unused motherboard in my home, right away I thought that it maybe useful as learning environment for coreboot. First you need to do with this kind of board is to check if it is possible to flash its @@ -23,32 +24,40 @@ programmer or other memory chip for your board containing a working BIOS. For my [Shuttle board][4] I checked if the Winbond W49F002U chip on it is supported by flashrom. Fortunately it was. After that I read my BIOS by: - flashrom -Vr bios_bckp.bin +```bash +flashrom -Vr bios_bckp.bin +``` And write it by: - flashrom -Vw bios_bckp.bin +```bash +flashrom -Vw bios_bckp.bin +``` At the end I've got VERIFIED message but when I look carefully inside the log there was something like this: - Erasing and writing flash chip... Trying erase function 0... 0x000000-0x01ffff:S, 0x020000-0x037fff:S, - 0x038000-0x039fff:S, 0x03a000-0x03bfff:S, 0x03c000-0x03ffff:S Erase/write done. Verifying flash... VERIFIED. +```bash +Erasing and writing flash chip... Trying erase function 0... 0x000000-0x01ffff:S, 0x020000-0x037fff:S, +0x038000-0x039fff:S, 0x03a000-0x03bfff:S, 0x03c000-0x03ffff:S Erase/write done. Verifying flash... VERIFIED. +``` -This means that these addresses have not been overwritten but skipped, becuse +This means that these addresses have not been overwritten but skipped, because the fact that the data which were to be overridden were identical with what we wanted to write. So if we found such output to properly verify flashrom we need to clear our memory and write it again with BIOS backup. Correct output should look like this: - Erasing and writing flash chip... Trying erase function 0... 0x000000-0x01ffff:W, 0x020000-0x037fff:W, - 0x038000-0x039fff:W, 0x03a000-0x03bfff:W, 0x03c000-0x03ffff:W Erase/write done. Verifying flash... VERIFIED. +```bash +Erasing and writing flash chip... Trying erase function 0... 0x000000-0x01ffff:W, 0x020000-0x037fff:W, +0x038000-0x039fff:W, 0x03a000-0x03bfff:W, 0x03c000-0x03ffff:W Erase/write done. Verifying flash... VERIFIED. +``` Next post I will try to familiarize you with the process of debugging coreboot using [QEMU][5]. - [1]: http://www.flashrom.org/ - [2]: http://www.flashrom.org/Supported_hardware - [3]: http://www.flashrom.org/Board_Testing_HOWTO - [4]: http://www.shuttle.eu/_archive/older/de/av18.htm - [5]: http://wiki.qemu.org/Main_Page +[1]: http://www.flashrom.org/ +[2]: https://web.archive.org/web/20220717151028/https://www.flashrom.org/Supported_hardware +[3]: https://web.archive.org/web/20230512204152/https://www.flashrom.org/Board_Testing_HOWTO +[4]: http://www.shuttle.eu/_archive/older/de/av18.htm +[5]: http://wiki.qemu.org/Main_Page diff --git a/blog/content/post/2012-01-06-how-to-begin-with-coreboot.md b/blog/content/post/2012-01-06-how-to-begin-with-coreboot.md index f703b596..00a0eed8 100644 --- a/blog/content/post/2012-01-06-how-to-begin-with-coreboot.md +++ b/blog/content/post/2012-01-06-how-to-begin-with-coreboot.md @@ -12,6 +12,7 @@ tags: categories: - Firmware --- + About a month ago I started my adventure with coreboot. As [coreboot home][1] page says "coreboot is a Free Software project aimed at replacing the proprietary BIOS (firmware) found in most computers". Although I read the @@ -21,23 +22,23 @@ decided to write a series of posts described my actions associated with this interesting project. At the beginning I would recommend some interesting sources of information on coreboot: -*  - If you're impatient and want to start as - soon as possible -* [Coreboot videos][2] - One of the easiest ways to obtain general information - about the project -* [Start to understand][3] - I found this page by accident while googling - materials, thanks to its author I understood basics and found out what's next -* [Documentation][4] - Many different types of documents, a large proportion - of them are not applying to the latest version of coreboot v4, however, - still has a educational value. +-  - If you're impatient and want to start as soon + as possible +- [Coreboot videos][2] - One of the easiest ways to obtain general information + about the project +- [Start to understand][3] - I found this page by accident while googling + materials, thanks to its author I understood basics and found out what's next +- [Documentation][4] - Many different types of documents, a large proportion of + them are not applying to the latest version of coreboot v4, however, still has + a educational value. After reviewing the above materials, you should understand the basics of -coreboot. In the [next post][5] I will describe [flashrom][6] application and -my experience with one of the old motherboard. +coreboot. In the [next post][5] I will describe [flashrom][6] application and my +experience with one of the old motherboard. - [1]: http://www.coreboot.org/ - [2]: http://www.coreboot.org/Screenshots#Videos - [3]: http://lennartb.home.xs4all.nl/coreboot/coreboot.html - [4]: http://www.coreboot.org/Documentation - [5]: /2012/01/06/flashrom-and-shuttle-av18e2/ - [6]: http://flashrom.org/ +[1]: http://www.coreboot.org/ +[2]: http://www.coreboot.org/Screenshots#Videos +[3]: http://lennartb.home.xs4all.nl/coreboot/coreboot.html +[4]: http://www.coreboot.org/Documentation +[5]: /2012/01/06/flashrom-and-shuttle-av18e2/ +[6]: http://flashrom.org/ diff --git a/blog/content/post/2012-01-06-tmux-as-screen-replacement-and-productivity-accelerator.md b/blog/content/post/2012-01-06-tmux-as-screen-replacement-and-productivity-accelerator.md index b40bee6f..7b226805 100644 --- a/blog/content/post/2012-01-06-tmux-as-screen-replacement-and-productivity-accelerator.md +++ b/blog/content/post/2012-01-06-tmux-as-screen-replacement-and-productivity-accelerator.md @@ -14,6 +14,7 @@ tags: categories: - Miscellaneous --- + As I wrote in [previous post][1] I switched from GNU screen to [tmux][2]. I use it for a few moths and have to said that I'm really impressed by simplicity, performance and community support in this project. In this post I want to @@ -26,26 +27,28 @@ Debian contain `tmux` package but for stable and testing release it is pretty old version. Personally I use `unstable` version where `tmux` was delivered in `1.7~svn2819-1` version. - sudo apt-get install tmux +```bash +sudo apt-get install tmux +``` To start session simply type `tmux`. Tmux uses `C-b`/ `Ctrl-b` as a prefix for commands. If you switch from GNU screen then at the beginning you can experience some annoying situations but after few days everything should back to normal. Most used keybiddings: -* `C-b c` - create new window -* `C-b ,` - rename current window -* `C-b n` - next window -* `C-b p` - previous window -* `C-b l` - last window -* `C-b d` - disconnect -* `C-b k` - kill current window -* `C-b K` - kill tmux server -* `C-b [` - enter copy mode -* `C-b ]` - paste last copied buffer -* `C-b :` - tmux command line -* `C-b w` - windows list -* `C-b ?` - help +- `C-b c` - create new window +- `C-b ,` - rename current window +- `C-b n` - next window +- `C-b p` - previous window +- `C-b l` - last window +- `C-b d` - disconnect +- `C-b k` - kill current window +- `C-b K` - kill tmux server +- `C-b [` - enter copy mode +- `C-b ]` - paste last copied buffer +- `C-b :` - tmux command line +- `C-b w` - windows list +- `C-b ?` - help Full list can be found [here][3]. @@ -55,90 +58,96 @@ Tmux keeps its configuration in `$HOME/.tmux.conf`. My configuration mixes some tmux examples with code that I found in the net. This file can be found on my github repository [here][4]. First section contain some general configuration: - # confirm before killing a window or the server - bind-key k confirm kill-window - bind-key K confirm kill-server +```bash +# confirm before killing a window or the server +bind-key k confirm kill-window +bind-key K confirm kill-server - # toggle statusbar - bind-key b set-option status +# toggle statusbar +bind-key b set-option status - # ctrl+left/right cycles thru windows - bind-key -n C-right next - bind-key -n C-left prev +# ctrl+left/right cycles thru windows +bind-key -n C-right next +bind-key -n C-left prev - # scrollback buffer n lines - set -g history-limit 10000 +# scrollback buffer n lines +set -g history-limit 10000 - # listen for activity on all windows - set -g bell-action any +# listen for activity on all windows +set -g bell-action any - # on-screen time for display-panes in ms - set -g display-panes-time 2000 +# on-screen time for display-panes in ms +set -g display-panes-time 2000 - # start window indexing at one instead of zero - set -g base-index 1 +# start window indexing at one instead of zero +set -g base-index 1 - # enable wm window titles - set -g set-titles on +# enable wm window titles +set -g set-titles on - # wm window title string (uses statusbar variables) - set -g set-titles-string "tmux.#I.#W" +# wm window title string (uses statusbar variables) +set -g set-titles-string "tmux.#I.#W" - # statusbar - set -g display-time 2000 +# statusbar +set -g display-time 2000 +``` After that I have implemented [solarized][5] colors (dark theme): - ### COLOUR (Solarized dark) +```bash +### COLOUR (Solarized dark) - # default statusbar colors - set-option -g status-bg black #base02 - set-option -g status-fg yellow #yellow - set-option -g status-attr default +# default statusbar colors +set-option -g status-bg black #base02 +set-option -g status-fg yellow #yellow +set-option -g status-attr default - # default window title colors - set-window-option -g window-status-fg brightblue #base0 - set-window-option -g window-status-bg default - #set-window-option -g window-status-attr dim +# default window title colors +set-window-option -g window-status-fg brightblue #base0 +set-window-option -g window-status-bg default +#set-window-option -g window-status-attr dim - # active window title colors - set-window-option -g window-status-current-fg brightred #orange - set-window-option -g window-status-current-bg default - #set-window-option -g window-status-current-attr bright +# active window title colors +set-window-option -g window-status-current-fg brightred #orange +set-window-option -g window-status-current-bg default +#set-window-option -g window-status-current-attr bright - # use vi-like keys - setw -g mode-keys vi +# use vi-like keys +setw -g mode-keys vi - # pane border - set-option -g pane-border-fg black #base02 - set-option -g pane-active-border-fg brightgreen #base01 +# pane border +set-option -g pane-border-fg black #base02 +set-option -g pane-active-border-fg brightgreen #base01 - # message text - set-option -g message-bg black #base02 - set-option -g message-fg brightred #orange +# message text +set-option -g message-bg black #base02 +set-option -g message-fg brightred #orange - # pane number display - set-option -g display-panes-active-colour blue #blue - set-option -g display-panes-colour brightred #orange +# pane number display +set-option -g display-panes-active-colour blue #blue +set-option -g display-panes-colour brightred #orange +``` To make solarized colors work on my setup was quite challenging, because there are many things to set (vim, terminal, putty etc.). If you need any advice I can write something about this. Right now it is beyond the scope of this post. At the end of my tmux configuration I've some fancy status bar: - # clock - set-window-option -g clock-mode-colour green #green +```bash +# clock +set-window-option -g clock-mode-colour green #green - # center align the window list - set -g status-justify centre +# center align the window list +set -g status-justify centre - # show some useful stats but only when tmux is started - # outside of Xorg, otherwise dwm statusbar shows these already - set -g status-right "" - set -g status-left "" - if '[ -z "$DISPLAY" ]' 'set -g status-left "[#[fg=green] #H ][#[default]]"' - if '[ -z "$DISPLAY" ]' 'set -g status-right "[ #[fg=magenta]#(cat /proc/loadavg | cut -d " " -f 1,2,3)#[default] ][ #[fg=cyan,bright]%a %Y-%m-%d %H:%M #[default]]"' - if '[ -z "$DISPLAY" ]' 'set -g status-right-length 50' +# show some useful stats but only when tmux is started +# outside of Xorg, otherwise dwm statusbar shows these already +set -g status-right "" +set -g status-left "" +if '[ -z "$DISPLAY" ]' 'set -g status-left "[#[fg=green] #H ][#[default]]"' +if '[ -z "$DISPLAY" ]' 'set -g status-right "[ #[fg=magenta]#(cat /proc/loadavg | cut -d " " -f 1,2,3)#[default] ][ #[fg=cyan,bright]%a %Y-%m-%d %H:%M #[default]]"' +if '[ -z "$DISPLAY" ]' 'set -g status-right-length 50' +``` I think that mostly this is self explanatory. This how it look in work: @@ -150,8 +159,8 @@ I spend some time to realize what is the best way of managing windows and panes in tmux. Especially I was interested in setting some windows at tmux startup. Finally I found [tmuxinator][7] small but useful project delivered through `gem` system. Follow tmuxinator page to set it up correctly. If you want to see my -primitive configuration it is also available on my github in [werkspace -project][4]. +primitive configuration it is also available on my github in +[werkspace project][4]. ### Window logging @@ -160,7 +169,9 @@ to write a blog post :) ? There is a universal method for piping all console output to our program of choice. For example run command like this (command mode available under `C-b :`): - pipe-pane -o 'cat >> ~/tmuxcast.#h.#T' +```bash +pipe-pane -o 'cat >> ~/tmuxcast.#h.#T' +``` This will give you file with logged session output (all curses windows, editor windows and so on). Curses output can be unreadable because of control escape @@ -169,11 +180,11 @@ hope hints were useful. Please share this content if think its valuable. Comment if you think id needs improvements. Thank you for reading. P.S. I should probably create a footer with last paragraph :) - [1]: /2013/03/19/debian-switching-to-unstable - [2]: http://tmux.sourceforge.net - [3]: http://www.openbsd.org/cgi-bin/man.cgi?query=tmux&sektion=1#KEY+BINDINGS - [4]: https://github.com/pietrushnic/workspace/blob/master/dotfiles/tmux.conf - [5]: http://ethanschoonover.com/solarized - [6]: /img/tmux-screen.png - [7]: https://github.com/aziz/tmuxinator - [8]: http://0xfeedface.org/blog/lattera/2012-03-19/using-tmux-screencasting-tool +[1]: /2013/03/19/debian-switching-to-unstable +[2]: http://tmux.sourceforge.net +[3]: http://www.openbsd.org/cgi-bin/man.cgi?query=tmux&sektion=1#KEY+BINDINGS +[4]: https://github.com/pietrushnic/workspace/blob/master/dotfiles/tmux.conf +[5]: http://ethanschoonover.com/solarized +[6]: /img/tmux-screen.png +[7]: https://github.com/aziz/tmuxinator +[8]: http://0xfeedface.org/blog/lattera/2012-03-19/using-tmux-screencasting-tool diff --git a/blog/content/post/2012-01-15-uefi-from-linux-enthusiast-perspective.md b/blog/content/post/2012-01-15-uefi-from-linux-enthusiast-perspective.md index 90761dfe..c2c31d1b 100644 --- a/blog/content/post/2012-01-15-uefi-from-linux-enthusiast-perspective.md +++ b/blog/content/post/2012-01-15-uefi-from-linux-enthusiast-perspective.md @@ -12,6 +12,7 @@ tags: categories: - Miscellaneous --- + Another interesting topic with which I am dealing with recently is the [UEFI][1]. As we read on wikipedia: "The Unified Extensible Firmware Interface (UEFI) is a specification that defines a software interface between an operating @@ -25,10 +26,10 @@ an inappropriate manner. Therefore, I regularly read [LWN][3] RSS feeds, and it seems that on the horizon you can see already the first ideas on how to use UEFI to limit freedom. You can -read about it in this article: ["SFLC: Microsoft confirms UEFI fears, locks down -ARM devices"][4]. Personally, I really do not like it, because I believe that -everyone who buys the equipment has the right to exploit its capabilities in -such a manner it deems appropriate. +read about it in this article: +["SFLC: Microsoft confirms UEFI fears, locks down ARM devices"][4]. Personally, +I really do not like it, because I believe that everyone who buys the equipment +has the right to exploit its capabilities in such a manner it deems appropriate. Of course, as usual, I change the subject. I wanted to write about the project [TianoCore][5], which is an open source implementation of UEFI implemented by @@ -37,9 +38,9 @@ use the system to gather strength and resources, and then start fighting. So in the next post I will try to describe my first experience with [EDKII][6] in emulated environment of QEMU. - [1]: http://www.uefi.org/home/ - [2]: http://kerneltrap.org/node/6884 - [3]: http://lwn.net/ - [4]: http://lwn.net/Articles/475359/ - [5]: http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=Welcome - [6]: http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=EDK2 +[1]: http://www.uefi.org/home/ +[2]: http://kerneltrap.org/node/6884 +[3]: http://lwn.net/ +[4]: http://lwn.net/Articles/475359/ +[5]: http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=Welcome +[6]: http://sourceforge.net/apps/mediawiki/tianocore/index.php?title=EDK2 diff --git a/blog/content/post/2012-02-05-first-steps-to-improve-work-productivity-in-linux-environment.md b/blog/content/post/2012-02-05-first-steps-to-improve-work-productivity-in-linux-environment.md index abbb0ce8..0b10b6b6 100644 --- a/blog/content/post/2012-02-05-first-steps-to-improve-work-productivity-in-linux-environment.md +++ b/blog/content/post/2012-02-05-first-steps-to-improve-work-productivity-in-linux-environment.md @@ -12,17 +12,18 @@ tags: categories: - Miscellaneous --- + The problem encountered on several occasions over several months. Now it is time to deal with it. -How did this happen? As always, resources were not sufficient, -and if we can not increase the amount of resources we must strive to optimize -their use.In this case, it was about time. While reading my last acquisition, -once again I faced the problem of re-configure Linux account. Every time when I -need new account for some reasons I need to configure some things manually. Most -things are simple enough, we copy configuration files from the already existing -user directory, and voila. Of course Murphy's law works, and something goes -wrong. Sometimes we need to create a new account with just a few of the tools +How did this happen? As always, resources were not sufficient, and if we can not +increase the amount of resources we must strive to optimize their use.In this +case, it was about time. While reading my last acquisition, once again I faced +the problem of re-configure Linux account. Every time when I need new account +for some reasons I need to configure some things manually. Most things are +simple enough, we copy configuration files from the already existing user +directory, and voila. Of course Murphy's law works, and something goes wrong. +Sometimes we need to create a new account with just a few of the tools configured as in other existing accounts. So we have a problem, however, reflecting on the solution, my mind was deepened @@ -43,10 +44,10 @@ controlling of its flow, and this led me to [mind mapping][3] technique. AFAIK presentation. Below I attach my first mind map in FreeMind, this is of course beta version. -![][5] +![img][5] - [1]: https://github.com/ - [2]: https://github.com/ztlevi/dotty - [3]: http://en.wikipedia.org/wiki/Mind_map - [4]: http://freemind.sourceforge.net/wiki/index.php/Main_Page - [5]: /img/improve_productivity.png +[1]: https://github.com/ +[2]: https://github.com/ztlevi/dotty +[3]: http://en.wikipedia.org/wiki/Mind_map +[4]: http://freemind.sourceforge.net/wiki/index.php/Main_Page +[5]: /img/improve_productivity.png diff --git a/blog/content/post/2012-02-06-arbtt-as-productivity-improver-for-linux-enviroment.md b/blog/content/post/2012-02-06-arbtt-as-productivity-improver-for-linux-enviroment.md index 41aa13c4..05f44eff 100644 --- a/blog/content/post/2012-02-06-arbtt-as-productivity-improver-for-linux-enviroment.md +++ b/blog/content/post/2012-02-06-arbtt-as-productivity-improver-for-linux-enviroment.md @@ -1,6 +1,6 @@ --- ID: 62675 -title: arbtt as productivity improver for Linux enviroment +title: arbtt as productivity improver for Linux environment author: piotr.krol post_excerpt: "" layout: post @@ -18,9 +18,9 @@ As I mentioned in previous I work a lot on improving my productivity. After FreeMind it is time for [arbtt](http://darcs.nomeata.de/arbtt/doc/users_guide/). This is small tool which tracks active windows during your work. It is delivered with distro that -I'm currently using (Debian wheezy). So all I had to do was: +I'm currently using (Debian wheezy). So all I had to do was: -``` +```bash sudo apt-get install arbtt ``` @@ -32,35 +32,35 @@ In this way, I found the first problem, namely, it is hard to find a website, which correctly explains how to execute command during startup on Debian with GNOME environment. After few tries I realize that I should focus on GNOME autostart mechanism. This led me to create little file in -`$HOME/.config/autostart` which looks like that: +`$HOME/.config/autostart` which looks like that: -``` +```bash [Desktop Entry] Type=Application Encoding=UTF-8 Name=The Automatic Rule-Base Time Tracker Exec=arbtt-capture Terminal=false ``` So I had configured arbtt and it starts to capture data about my work. To display this data in friendly manner arbtt-stat should be used. Application complains if $HOME/.arbtt/categorize.cfg wasn't configured for it appropriate. -Detailed documentation about this file can be found on arbtt [configuration -page](http://darcs.nomeata.de/arbtt/doc/users_guide/configuration.html). The -process of writing this file should be iterative, starting point for me was: +Detailed documentation about this file can be found on arbtt +[configuration page](http://darcs.nomeata.de/arbtt/doc/users_guide/configuration.html). +The process of writing this file should be iterative, starting point for me was: -* This defines some aliases, to make the reports look nicer: +- This defines some aliases, to make the reports look nicer: -``` +```bash aliases ( "sun-awt-X11-XFramePeer" -> "java" ) ``` -* A rule that probably everybody wants. Being inactive for over a minute causes -this sample to be ignored by default. +- A rule that probably everybody wants. Being inactive for over a minute causes + this sample to be ignored by default. -``` +```bash $idle > 60 ==> tag inactive, current window $program == "sun-awt-X11-XFramePeer" && current window ($title =~ /(.+)\s-\sFreeMind/) ==> tag program:FreeMind-$1, current window $program == "gnome-terminal" && current window ($title =~ /(.+)/) ==> tag term:$1, ``` -* Simple rule that just tags the current program +- Simple rule that just tags the current program -``` +```bash tag program:$current.program, ``` @@ -68,7 +68,7 @@ I'd like to know what web pages in google-chrome I'm working in. So I do not tag necessarily by the active window title, but the title that contains the specific string. -``` +```bash current window $program == "google-chrome" && any window ($program == "google-chrome" && $title =~ /(.+)\s-\sGoogle\sChrome/) ==> tag www:$1, ``` @@ -77,9 +77,9 @@ correctly it was still a big problem to solve - how to combine arbtt with gnome-terminal and screen. The first one requires only a correctly set the window's name. Although the synchronization of the terminal window's name with a window inside the screen was not a trivial task (primarily on the mass of broken -tutorials that can be found on the web). Finally my .screenrc looks like that: +tutorials that can be found on the web). Finally my .screenrc looks like that: -``` +```bash termcapinfo xterm\* 'hs:ts=\E]0;:fs=\007:ds=\E]0;\007' defhstatus "[screen] ^Et" hardstatus off # Set the scrollback length: defscrollback 10000 @@ -88,14 +88,10 @@ startup\_message off # Display a caption string below, appearing like tabs and # displaying the window number and application name (by default). caption always caption string "%{= kG}[ %{G}%H %{g}][%= %{= kw}%?%-Lw%?%{r}(%{W}%n\*%f%t%?(%u)%?%{r})%{w}%?%+Lw%?%?%= %{g}][%{B} %m-%d %{W}%c %{g}]" #"%{= kb}[ %=%{w}%?%-Lw%?%{b}(%{W}%n\*%f %t%?(%u)%?%{b})%{w}%?%+Lw%?%?%= %{b}][%{B} %H %{W}%l %{b}][%{B} %d.%m.%Y %{W}%0c %{b}]" #"%{bw}[%H] [%?%-Lw%?%{wb}%n\*%f%t%{bw}%?%+Lw%?]%=%{bw} [%1`] [%c:%s] [%l]" # "%{kw}%-w%{wr}%n %t%{-}%+w" defhstatus ``` + set terminal title and caption keeps data about my open windows in screen. Every time I open new window or change current one terminal title is updated. For now that's all. In the future I wanted to write how to synchronize the title of the window in the screen with vim editor to include information about the currently edited file. - - - [1]: http://pietrushnic.blogspot.com/2012/02/first-steps-to-improve-work.html - [2]: http://darcs.nomeata.de/arbtt/doc/users_guide/ - [3]: http://darcs.nomeata.de/arbtt/doc/users_guide/configuration.html diff --git a/blog/content/post/2012-02-15-set-irssi-under-debian-to-use-freenode-server.md b/blog/content/post/2012-02-15-set-irssi-under-debian-to-use-freenode-server.md index 891a7d42..58a8403c 100644 --- a/blog/content/post/2012-02-15-set-irssi-under-debian-to-use-freenode-server.md +++ b/blog/content/post/2012-02-15-set-irssi-under-debian-to-use-freenode-server.md @@ -12,44 +12,64 @@ tags: categories: - Miscellaneous --- -Very short manual on how to set up irssi to work with freenode servers. -Fist, install irssi: - sudo apt-get install irssi +Very short manual on how to set up irssi to work with freenode servers. First, +install irssi: -Run: +```bash +sudo apt-get install irssi +``` - irssi +Run: -For freenode write: +```bash +irssi +``` - /connect holmes.freenode.net +For freenode write: -Send register command for your {nickname} and add information about your {e-mail}: +```bash +/connect holmes.freenode.net +``` - /msg nickserv register {nickname} {e-mail} +Send register command for your {nickname} and add information about your +{e-mail}: + +```bash +/msg nickserv register {nickname} {e-mail} +``` Copy and paste line, which you get from freenode registration server to your -mailbox, to irssi. After that add freenode network: +mailbox, to irssi. After that add freenode network: - /network add freenode +```bash +/network add freenode +``` -Add what should be automaticali send to server after connecting, remeber to +Add what should be automaticali send to server after connecting, remember to correctly write your {nickname} and {password}, password will be stored in plain -text: +text: - /network add -autosendcmd '^nick {nickname};/msg nickserv identify {password}' freenode +```bash +/network add -autosendcmd '^nick {nickname};/msg nickserv identify {password}' freenode +``` -Auto-connect everytime when irssi will be run: +Auto-connect every time when irssi will be run: - /server ADD -auto -network freenode holmes.freenode.net 6667 +```bash +/server ADD -auto -network freenode holmes.freenode.net 6667 +``` -Channel autologin: +Channel autologin: - /channel ADD -auto #debian freenode +```bash +/channel ADD -auto #debian freenode +``` -After all we should save settings: +After all we should save settings: - /save +```bash +/save +``` -That's all, enjoy! +That's all, enjoy! diff --git a/blog/content/post/2012-02-19-improve-productivity-by-tracking-work-environment-with-git-preparation.md b/blog/content/post/2012-02-19-improve-productivity-by-tracking-work-environment-with-git-preparation.md index ae106d81..f644e05f 100644 --- a/blog/content/post/2012-02-19-improve-productivity-by-tracking-work-environment-with-git-preparation.md +++ b/blog/content/post/2012-02-19-improve-productivity-by-tracking-work-environment-with-git-preparation.md @@ -13,32 +13,39 @@ tags: categories: - Miscellaneous --- + *Update*: My repository is available [here][1]. - Below is first post from series in which I want to describe my experience - gained in attempt to enhance my productivity by using git to control the - contents of some files in my home directory.  +Below is first post from series in which I want to describe my experience gained +in attempt to enhance my productivity by using git to control the contents of +some files in my home directory. - The first step to improve the productivity is good organization of working - environment. It happens very often that I work on multiple machines both - physical and virtual. Therefore I need a good mechanism to share knowledge, - experience, code, configuration and many other things. Configuration described - below is only an example that actually fits my way of working. First of all - simple concept of directory structure is needed. Let's start with: +The first step to improve the productivity is good organization of working +environment. It happens very often that I work on multiple machines both +physical and virtual. Therefore I need a good mechanism to share knowledge, +experience, code, configuration and many other things. Configuration described +below is only an example that actually fits my way of working. First of all +simple concept of directory structure is needed. Let's start with: - mkdir -p $HOME/workspace/blog;mkdir -p $HOME/workspace/dotfiles - cd workspace +```bash +mkdir -p $HOME/workspace/blog;mkdir -p $HOME/workspace/dotfiles +cd workspace +``` Write some files (i.e. for your blog) with your favourite editor, initialize repository and prepare first commit - git init - git add .;git commit -m "Initial commit for environment tracking" +```bash +git init +git add .;git commit -m "Initial commit for environment tracking" +``` To avoid information about untracked vim swp files add $HOME/workspace/.gitignore with following content: - .gitignore - *.swp +```bash +.gitignore +*.swp +``` - [1]: https://github.com/pietrushnic/workspace.git +[1]: https://github.com/pietrushnic/workspace.git diff --git a/blog/content/post/2012-02-20-hostname-generator.md b/blog/content/post/2012-02-20-hostname-generator.md index c72058b3..631e81dd 100644 --- a/blog/content/post/2012-02-20-hostname-generator.md +++ b/blog/content/post/2012-02-20-hostname-generator.md @@ -13,6 +13,7 @@ tags: categories: - Miscellaneous --- + Many times happened that I spend time, during the installation of the new system, whether it be a virtual physical machine, wondering about it's hostname. One day I asked myself the trouble searching for host name generator. @@ -23,4 +24,4 @@ fantasy is "Characters from Tolkien". Although the category name does not reflect the truth, because in addition also includes a set of known sites in middlearth and more. So I recommend: - + diff --git a/blog/content/post/2012-02-20-improve-productivity-by-tracking-work-environment-with-git-vim.md b/blog/content/post/2012-02-20-improve-productivity-by-tracking-work-environment-with-git-vim.md index 17110c83..839477b2 100644 --- a/blog/content/post/2012-02-20-improve-productivity-by-tracking-work-environment-with-git-vim.md +++ b/blog/content/post/2012-02-20-improve-productivity-by-tracking-work-environment-with-git-vim.md @@ -17,15 +17,17 @@ tags: categories: - Miscellaneous --- + In this post I try to describe my vim configuration procedure and how it is connected with git. The whole concept is based on keeping all the configuration files in a separate directory. These files are connected using symbolic links in -places where system or application requires it (eg `$HOME/.vimrc -> -/home/jdoe/workspace/dotfiles/vimrc`). So first let's create local directory for -vim: - - cd ~/workspace/dotfiles;mkdir vim +places where system or application requires it (eg +`$HOME/.vimrc -> /home/jdoe/workspace/dotfiles/vimrc`). So first let's create +local directory for vim: +```bash +cd ~/workspace/dotfiles;mkdir vim +``` ### Pathogen @@ -34,50 +36,63 @@ accessible through github. Pathogen is a vim script to manage all vim plugins with ease. Below line add pathogen as submodule to our workspace repository created in [previous post][1]: - git submodule add https://github.com/tpope/vim-pathogen.git dotfiles/vim/pathogen +```bash +git submodule add https://github.com/tpope/vim-pathogen.git dotfiles/vim/pathogen +``` Initialize repository and update it: - git submodule init && git submodule update +```bash +git submodule init && git submodule update +``` Create additional directories need to complete pathogen installation, change directory to autoload: - cd dotfiles/vim;mkdir {autoload,bundle};cd autoload +```bash +cd dotfiles/vim;mkdir {autoload,bundle};cd autoload +``` In autoload directory pathogen should be installed, bundle directory is a place for all plugins installed in future. Finally we need to link vim script from pathogen submodule to current directory ( `dotfiles/vim/autoload`): - ln -s ../pathogen/autoload/pathogen.vim . +```bash +ln -s ../pathogen/autoload/pathogen.vim . +``` Directory structure should look like below: - pietrushnic@eriador:~/workspace/dotfiles$ tree . - ??? vim - ??? autoload - ?   ??? pathogen.vim -> ../pathogen/autoload/pathogen.vim - ??? bundle - ??? pathogen - ??? autoload - ?   ??? pathogen.vim - ??? README.markdown +```bash +pietrushnic@eriador:~/workspace/dotfiles$ tree . +??? vim +??? autoload +?   ??? pathogen.vim -> ../pathogen/autoload/pathogen.vim +??? bundle +??? pathogen +??? autoload +?   ??? pathogen.vim +??? README.markdown +``` At the end of pathogen installation few lines to `$HOME/.vimrc` should be added. Of course following rules about dotfiles management `.vimrc` should be created as separate file in `~/workspace/dotfiles` and linked to `$HOME/.vimrc`. - touch vimrc;ln -s $PWD/vimrc $HOME/.vimrc +```bash +touch vimrc;ln -s $PWD/vimrc $HOME/.vimrc +``` Add below lines to `$HOME/.vimrc`: - call pathogen#infect() - call pathogen#runtime_append_all_bundles() - call pathogen#helptags() - syntax on - filetype plugin - indent on - +```bash +call pathogen#infect() +call pathogen#runtime_append_all_bundles() +call pathogen#helptags() +syntax on +filetype plugin +indent on +``` ### Fuzzyfinder @@ -85,22 +100,28 @@ This is second plugin without which I cannot work. It speeds up searching though files, directories and tags. Has multiple useful features. RTFM if you want knew them. I will be also added as a git submodule: - git submodule add https://github.com/vim-scripts/FuzzyFinder.git dotfiles/vim/bundle/fuzzyfinder +```bash +git submodule add https://github.com/vim-scripts/FuzzyFinder.git dotfiles/vim/bundle/fuzzyfinder +``` Additional plugin is needed to correctly install fuzzyfinder: - git submodule add https://github.com/vim-scripts/L9.git dotfiles/vim/bundle/l9 +```bash +git submodule add https://github.com/vim-scripts/L9.git dotfiles/vim/bundle/l9 +``` Initialize and update submodules: - git submodule init && git submodule update +```bash +git submodule init && git submodule update +``` Configuration I suggest to configure fuzzyfinder with accordance to example -provided in help.  +provided in help. -* Run vim and type :h fuf@en -* Choose tag fuf-vimrc-example and press Ctrl-].  -* Mark whole keybindings copy and paste to `~/.vimrc` +- Run vim and type :h fuf@en. +- Choose tag fuf-vimrc-example and press Ctrl-\]. +- Mark whole keybindings copy and paste to `~/.vimrc` Right now I think it is enough with vim configuration. Of course I use plenty of other plugins but I don't have to time to describe my them all (maybe in future @@ -110,18 +131,17 @@ try to use git add -p interface, suggesting after linux code style - each comm should contain separate logical part of the changes, personally I add prefix to my commits (eg . vim, git, etc.) to ease deal with git log. Notes: -* vim helpfiles generates tags files, which should be ignored by git, so I -recommend to create .gitignore in every module with blow content: +- vim helpfiles generates tags files, which should be ignored by git, so I + recommend to create .gitignore in every module with blow content: - .gitignore - tags* + .gitignore tags\* -* by default fuzzyfinder operate on unfriendly color palette espessicaly when -using it through putty, highlighted pattern could be changed by added below -lines to .vimrc (9 = black) +- by default fuzzyfinder operate on unfriendly color palette espessicaly when + using it through putty, highlighted pattern could be changed by added below + lines to .vimrc (9 = black) -``` +```bash " fuzzy-finder - fix colors highlight PmenuSel ctermbg=9 ``` - [1]: /2012/02/19/improve-productivity-by-tracking-work/ +[1]: /2012/02/19/improve-productivity-by-tracking-work/ diff --git a/blog/content/post/2012-03-12-debugging-coreboot-in-qemu-environment-part-1.md b/blog/content/post/2012-03-12-debugging-coreboot-in-qemu-environment-part-1.md index 4f403172..7f9395e2 100644 --- a/blog/content/post/2012-03-12-debugging-coreboot-in-qemu-environment-part-1.md +++ b/blog/content/post/2012-03-12-debugging-coreboot-in-qemu-environment-part-1.md @@ -13,30 +13,42 @@ tags: categories: - Firmware --- -First of all I use testing version of Debian - wheezy. Clone coreboot repository: - git clone http://review.coreboot.org/p/coreboot - cd coreboot; make menuconfig +First of all I use testing version of Debian - wheezy. Clone coreboot +repository: + +```bash +git clone http://review.coreboot.org/p/coreboot +cd coreboot; make menuconfig +``` Configure FILO as apayload and use its latest version: - Payload -> Add a payload -> FILO Payload -> FILO version -> HEAD +```bash +Payload -> Add a payload -> FILO Payload -> FILO version -> HEAD +``` Add verbose debugging messages: - Debugging -> Check PIRQ table consistency Debugging -> Output verbose malloc debug messages - Debugging -> Output verbose ACPI debug messages Debugging -> Enable debug messages for option ROM execution - Debugging -> Built-in low-level shell Debugging -> Trace function calls +```bash +Debugging -> Check PIRQ table consistency Debugging -> Output verbose malloc debug messages +Debugging -> Output verbose ACPI debug messages Debugging -> Enable debug messages for option ROM execution +Debugging -> Built-in low-level shell Debugging -> Trace function calls +``` Try to build: - make +```bash +make +``` If everything builds correctly you can process. Sometimes there is need to use cross compiler. To build one: - cd util/crossgcc - ./buildgcc +```bash +cd util/crossgcc +./buildgcc +``` To explore `coreboot` code effectively I suggest to create tags and cscope database for `coreboot`. In my personal workspace I've got process that I go @@ -44,11 +56,12 @@ through before I start work (if you use my workspace configuration which is available [@github][1] you can follow below steps directly, if not adjust to your environment): -1. run vim ;) -2. `:cd /path/to/code` -3. `s` (fuzzyfinder -> bookmark dir) -4. `si` (fuzzyfinder -> change dir) -5. `sr` (run ctags to generate tags and cscope to build symbol database - `ctags -R;cscope -R -q -b -v`) +1. run vim ;) +1. `:cd /path/to/code` +1. `s` (fuzzyfinder -> bookmark dir) +1. `si` (fuzzyfinder -> change dir) +1. `sr` (run ctags to generate tags and cscope to build symbol database - + `ctags -R;cscope -R -q -b -v`) After steps above we can start work with code. Run vim in `coreboot` directory. Type: `:e src/cpu/x86/16bit/reset16.inc` Put cursor over `protected_start` and @@ -56,4 +69,4 @@ press `Ctrl-]`. If everything goes ok you should jump to `build/mainboard/emulation/qemu-x86/bootblock.s` line 537. In second article we dive into first phase of `coreboot` execution in emulated environment. - [1]: https://github.com/pietrushnic/workspace +[1]: https://github.com/pietrushnic/workspace diff --git a/blog/content/post/2012-03-14-quick-build-of-arm-unknown-linux-gnueabi-with-crosstool-ng.md b/blog/content/post/2012-03-14-quick-build-of-arm-unknown-linux-gnueabi-with-crosstool-ng.md index 0b88dd65..f0a43d9c 100644 --- a/blog/content/post/2012-03-14-quick-build-of-arm-unknown-linux-gnueabi-with-crosstool-ng.md +++ b/blog/content/post/2012-03-14-quick-build-of-arm-unknown-linux-gnueabi-with-crosstool-ng.md @@ -16,6 +16,7 @@ categories: - OS Dev - App Dev --- + You might be surprised at how much you have to make to correctly build `arm-unknown-linux-gnueabi` config based toolchain with [crosstool-ng][1]. As you can see examples of many open source projects, the man's work is a rare @@ -25,20 +26,24 @@ operation you can come across many problems. Although I am not afraid of problems and effectively try to fight them and of course sharing the results of my work. My build system parameters: `Debian GNU/Linux wheezy/sid 3.2.0-2-amd64` -* Clone crosstools-ng (you need mercurial) +- Clone crosstools-ng (you need mercurial) -
    hg clone http://crosstool-ng.org/hg/crosstool-ng
-
    +```bash +hg clone http://crosstool-ng.org/hg/crosstool-ng +``` -* Create temporary directory and run +- Create temporary directory and run -
    ct-ng arm-unknown-linux-eabi #choose latest kernel (for me it was 3.2.9)
-
    +```bash +ct-ng arm-unknown-linux-eabi #choose latest kernel (for me it was 3.2.9) +``` -* We probably want to change directory to which all stuff will be build (default is `$HOME/x-tools`): +- We probably want to change directory to which all stuff will be build (default + is `$HOME/x-tools`): -
    ct-ng menuconfig
-
    +```bash +ct-ng menuconfig +``` And go to: @@ -46,24 +51,30 @@ And go to: Change it according to your needs. Exit end save configuration. -* Build (number after dot depend on how many command we want to run -simultaneously): `ct-ng build.4` It can take a lot of time. On my machine with -5k BogoMips it takes over 1h. +- Build (number after dot depend on how many command we want to run + simultaneously): `ct-ng build.4` It can take a lot of time. On my machine with + 5k BogoMips it takes over 1h. -### Problems that you can encounter: +### Problems that you can encounter -* `gcj` - latest changeset `2916:6f758ed4c0b9` have trouble finding `gcj` binary, which it show using following message: +- `gcj` - latest changeset `2916:6f758ed4c0b9` have trouble finding `gcj` + binary, which it show using following message: - [ERROR] Missing: 'x86_64-unknown-linux-gnu-gcj' or 'x86_64-unknown-linux-gnu-gcj' or 'gcj' : either needed! - To workaround this install + \[ERROR\] Missing: 'x86_64-unknown-linux-gnu-gcj' or + 'x86_64-unknown-linux-gnu-gcj' or 'gcj' : either needed! To workaround this + install `gcj` and link binary like this: - sudo ln -s /usr/bin/gcj-4.6 /usr/bin/gcj +```bash +sudo ln -s /usr/bin/gcj-4.6 /usr/bin/gcj +``` -* `duma` - mentioned changeset also has problem with url to D.U.M.A library, apply below changes to workaround problems: +- `duma` - mentioned changeset also has problem with url to D.U.M.A library, + apply below changes to workaround problems: -
    --- a/scripts/build/debug/200-duma.sh Mon Mar 12 21:19:26 2012 +0100
+```diff
+--- a/scripts/build/debug/200-duma.sh Mon Mar 12 21:19:26 2012 +0100
 +++ b/scripts/build/debug/200-duma.sh Wed Mar 14 20:02:22 2012 +0100
 @@ -4,7 +4,7 @@ # Downloading an non-existing file from sourceforge will give you an
  # HTML file containing an error message, instead of returning a 404.
@@ -72,23 +83,25 @@ simultaneously): `ct-ng build.4` It can take a lot of time. On my machine with
 + CT_GetFile "duma_${CT_DUMA_VERSION}" .tar.gz http://downloads.sourceforge.net/project/duma/duma/2.5.15
  # Downloading from sourceforge may leave garbage, cleanup
  CT_DoExecLog ALL rm -f "${CT_TARBALLS_DIR}/showfiles.php"* }
-
    +``` -* `mawk` - if mawk return syntax error like this: +- `mawk` - if mawk return syntax error like this: - mawk: scripts/gen-sorted.awk: line 19: regular expression compile failed (bad - class -- [], [^] or [) + mawk: scripts/gen-sorted.awk: line 19: regular expression compile failed (bad + class -- \[\], \[^\] or \[) It could be fixed in two ways. First is to change `line 19` in `/path/to/tmp/dir/.build/src/glibc-2.9/scripts/gen-sorted.awk` Is: - sub(//[^/]+$/, "", subdir); - Should be: +```bash +sub(//[^/]+$/, "", subdir); + Should be: - sub(//[^/]+$/, "", subdir); +sub(//[^/]+$/, "", subdir); +``` Or simply by installing gawk, reconfigure and recompile `crosstools-ng`. This -was my first post related to linux embedded enviroment. Hope it will be more. +was my first post related to linux embedded environment. Hope it will be more. Enjoy! - [1]: http://crosstool-ng.org/ +[1]: http://crosstool-ng.org/ diff --git a/blog/content/post/2012-03-14-splitting-my-personal-repository.md b/blog/content/post/2012-03-14-splitting-my-personal-repository.md index e25403b3..a6682400 100644 --- a/blog/content/post/2012-03-14-splitting-my-personal-repository.md +++ b/blog/content/post/2012-03-14-splitting-my-personal-repository.md @@ -12,6 +12,7 @@ tags: categories: - Miscellaneous --- + After writing a few posts in which my workspace scripts could be useful, I realized that I should split blog works from the scripts that can be useful to others. From now materials related to the blog I will track in a separate diff --git a/blog/content/post/2012-03-20-building-arm-toolchain-part-1-libs-and-binutils.md b/blog/content/post/2012-03-20-building-arm-toolchain-part-1-libs-and-binutils.md index e9eae6f0..7b5593c4 100644 --- a/blog/content/post/2012-03-20-building-arm-toolchain-part-1-libs-and-binutils.md +++ b/blog/content/post/2012-03-20-building-arm-toolchain-part-1-libs-and-binutils.md @@ -23,33 +23,33 @@ public license, and using them in as the newest version as it is possible. What is toolchain? (according to wikipedia): > In software, a toolchain is the set of programming tools that are used to -create a product (typically another computer program or system of programs). The -tools may be used in a chain, so that the output of each tool becomes the input -for the next, but the term is used widely to refer to any set of linked -development tools. +> create a product (typically another computer program or system of programs). +> The tools may be used in a chain, so that the output of each tool becomes the +> input for the next, but the term is used widely to refer to any set of linked +> development tools. ### Requirements -* Cross compiler, I create one using crosstool-ng and describe this process in  +- Cross compiler, I create one using crosstool-ng and describe this process in [previous post][1]. I will use `arm-unknown-linux-gnueabi` as entry point compiler. -* `$TARGET` is defined as my destination directory: +- `$TARGET` is defined as my destination directory: ```bash -export TARGET=/home/pietrushnic/sandbox/toolchain +export TARGET=/home/pietrushnic/sandbox/toolchain ``` ### Procedure #### Kernel header files -* Clone linux git repository +- Clone linux git repository ```bash git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ``` -* Install headers $TARGET is home of our toolchain +- Install headers $TARGET is home of our toolchain ```bash make ARCH=arm INSTALL_HDR_PATH=$TARGET/usr headers_install @@ -57,94 +57,112 @@ make ARCH=arm INSTALL_HDR_PATH=$TARGET/usr headers_install #### Libraries (gmp, mpfr, mpc) -* GMP (*GNU Multiple Precision Arithmetic Library*) - changeset used: +- GMP (_GNU Multiple Precision Arithmetic Library_) - changeset used: 14765:0acae62fa162 - - As I said before. I use "latest greatest" ;P version, and for gmp we can reach - it using: + - As I said before. I use "latest greatest" ;P version, and for gmp we can + reach it using: + ```bash hg clone http://gmplib.org:8000/gmp ``` - - create configuration files +- create configuration files + ```bash ./.bootstrap ``` - - configure +- configure + ```bash ./configure --prefix=$TARGET/arm-x-tools --enable-shared=n --enable-static ``` - - compile +- compile + ```bash make && make check && make install ``` +
    -* MPFR (*GNU Multiple Precision Floating-Point Reliably*) - version: r8103 +- MPFR (_GNU Multiple Precision Floating-Point Reliably_) - version: r8103 - get latest version + ```bash svn checkout svn://scm.gforge.inria.fr/svn/mpfr/trunk mpfr ``` - - create configuration file +- create configuration file + ```bash autoreconf -i ``` - - configure +- configure + ```bash ./configure --prefix=$TARGET/arm-x-tools --enable-thread-safe --with-gmp=$TARGET/arm-x-tools --disable-shared --enable-static ``` - - compile +- compile + ```bash make && make install ``` +
    -* MPC (*Multiple Precision Complex*)- version: r1146 +- MPC (_Multiple Precision Complex_)- version: r1146 - checkout svn + ```bash svn checkout svn://scm.gforge.inria.fr/svnroot/mpc/trunk mpc ``` - - create configuration file +- create configuration file + ```bash autoreconf -i ``` - - configure +- configure + ```bash ./configure --prefix=$TARGET/arm-x-tools --with-gmp=$TARGET/arm-x-tools --with-mpfr=$TARGET/arm-x-tools --disable-shared --enable-static ``` - - compile +- compile + ```bash make && make install ``` -* Binutils - collection of a GNU binary tools: +- Binutils - collection of a GNU binary tools: - checkout version from anonymous cvs + ```bash cvs -z 9 -d :pserver:anoncvs@sourceware.org:/cvs/src ``` - - login create directory for checkout +- login create directory for checkout + ```bash mkdir binutils ``` - - checkout sources +- checkout sources + ```bash cvs -z 9 -d :pserver:anoncvs@sourceware.org:/cvs/src co binutils ``` - - configure +- configure + ```bash LDFLAGS="-Wl,-rpath -Wl,$TARGET/arm-x-tools/lib" ./configure --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu @@ -154,7 +172,8 @@ LDFLAGS="-Wl,-rpath -Wl,$TARGET/arm-x-tools/lib" ./configure --with-mpc=$TARGET/arm-x-tools --with-sysroot=$TARGET ``` - - compile +- compile + ```bash make configure-host make diff --git a/blog/content/post/2012-04-06-how-to-download-videos-from-videos-linux-com.md b/blog/content/post/2012-04-06-how-to-download-videos-from-videos-linux-com.md index 1a9c9627..1d2061b7 100644 --- a/blog/content/post/2012-04-06-how-to-download-videos-from-videos-linux-com.md +++ b/blog/content/post/2012-04-06-how-to-download-videos-from-videos-linux-com.md @@ -19,17 +19,15 @@ network as on the Linux Foundation page. It is unfortunate that linux.com site does not have the possibility of direct downloading video files. But there is a workaround. Follow below tutorial: -* Go to page with video - for [example](http://video.linux.com/videos/to-provide-a-long-term-stable-linux-for-industry) -* Click play on the video and if you using Chrome browser right click on player -window and inspect this element. Result should look like that: +- Go to page with video - for + [example](https://web.archive.org/web/20160404115528/http://video.linux.com/videos/to-provide-a-long-term-stable-linux-for-industry) +- Click play on the video and if you using Chrome browser right click on player + window and inspect this element. Result should look like that: -![](/img/chrome-inspect1.png) +![img](/img/chrome-inspect1.png) -* Expand div tag marked in red on screenshot above. If video was start you -should see video tag which contain two links to video files mp4 and webm. Screen -shot below shows hot it should look like: - -![](http://3.bp.blogspot.com/-waLmSIB4LAI/T39VlAF5P7I/AAAAAAAAAEo/7 9bUg5p-sw/s400/Untitled1.png) +- Expand div tag marked in red on screenshot above. If video was start you + should see video tag which contain two links to video files mp4 and webm. These links are only temporary, so if you want to use them do it as soon as possible. The sad part of all is that the organization intended to promote one diff --git a/blog/content/post/2012-04-12-building-arm-toolchain-part-2-gcc-and-eglibc.md b/blog/content/post/2012-04-12-building-arm-toolchain-part-2-gcc-and-eglibc.md index aa72db84..601068f2 100644 --- a/blog/content/post/2012-04-12-building-arm-toolchain-part-2-gcc-and-eglibc.md +++ b/blog/content/post/2012-04-12-building-arm-toolchain-part-2-gcc-and-eglibc.md @@ -14,9 +14,8 @@ categories: - OS Dev - App Dev --- - Unfortunately after few tries of cross compiling eglibc using different source -for instructions I alway end with hard to solve issues. Luckily, in the sources +for instructions I always end with hard to solve issues. Luckily, in the sources of eglibc I noticed instructions for cross-compiling written long time ago by Jim Blandy(I know i should start [here][1]). Lot of thanks to him for it. Below I describe my experience which I gained during eglibc cross compilation for @@ -25,10 +24,10 @@ some constants that I used in previous works. See [this post.][2] Eglibc library and the compiler itself is built with many various parameters this post is not the place to explain their meaning, please RTFM. -Checkout eglibc from svn (as alwyas I try to use a latest sources possible). +Checkout eglibc from svn (as always I try to use a latest sources possible). Version used r17815: -``` +```bash svn co http://www.eglibc.org/svn/trunk eglibc ``` @@ -73,9 +72,9 @@ mkdir -p $TARGET/usr/lib make csu/subdir_lib cp csu/crt1.o csu/crti.o csu/crtn.o $TARGET/usr/lib ``` -To produce libgcc_s.so we need libc.so, but only need its dummy version -because we'll never use it. It doesn't matter what we will point as a libc.so -we use /dev/null as C file. +To produce libgcc_s.so we need libc.so, but only need its dummy version because +we'll never use it. It doesn't matter what we will point as a libc.so we use +/dev/null as C file. ```bash arm-unknown-linux-gnueabi-gcc -nostdlib -nostartfiles -shared -x c /dev/null -o @@ -184,7 +183,7 @@ arm-unknown-linux-gnueabi-strip --strip-debug $TARGET/lib/* $TARGET/usr/lib/* At the end simple test to find out if basic functionality works: -```c +```bashc cat > hello.c << EOF > #include > int @@ -202,7 +201,7 @@ Try to cross compile C file: $TARGET/arm-x-tools/bin/arm-unknown-linux-gnueabi-gcc -Wall hello.c -o hello ``` -```c++ +```bashc++ cat > c++-hello.cc < #include > int @@ -219,7 +218,8 @@ Try to cross compile C++ file: $TARGET/arm-x-tools/bin/arm-unknown-linux-gnueabi-g++ -Wall c++-hello.cc -o c++-hello ``` -Displays the information contained in the ELF header and in the file's segment headers: +Displays the information contained in the ELF header and in the file's segment +headers: ```bash $TARGET/arm-x-tools/bin/arm-unknown-linux-gnueabi-readelf -hl hello $TARGET/arm-x-tools/bin/arm-unknown-linux-gnueabi-readelf -hl c++-hello @@ -228,7 +228,8 @@ $TARGET/arm-x-tools/bin/arm-unknown-linux-gnueabi-readelf -hl hello $TARGET/arm- Result should look like that: ```bash -ELF Header: Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 Class: ELF32 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: EXEC (Executable file) Machine: ARM (...) Flags: 0x5000002, has entry point, Version5 EABI (...) Program Headers: (...) INTERP 0x000134 0x00008134 0x00008134 0x00013 0x00013 R 0x1 [Requesting program interpreter: /lib/ld-linux.so.3] LOAD 0x000000 0x00008000 0x00008000 0x004b8 0x004b8 R E 0x8000 (...) \``\` +ELF Header: Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 Class: ELF32 Data: 2's complement, little endian Version: 1 (current) OS/ABI: UNIX - System V ABI Version: 0 Type: EXEC (Executable file) Machine: ARM (...) Flags: 0x5000002, has entry point, Version5 EABI (...) Program Headers: (...) INTERP 0x000134 0x00008134 0x00008134 0x00013 0x00013 R 0x1 +[Requesting program interpreter: /lib/ld-linux.so.3] LOAD 0x000000 0x00008000 0x00008000 0x004b8 0x004b8 R E 0x8000 (...) \``\` ``` ```bash @@ -237,7 +238,7 @@ $TARGET/arm-x-tools/bin/arm-unknown-linux-gnueabi-readelf -d $TARGET/lib/libgcc_ Result should look like that: -``` +```bash (...) Tag Type Name/Value 0x00000001 (NEEDED) Shared library: [libc.so.6] @@ -248,6 +249,6 @@ Tag Type Name/Value I hope you find above manual useful. If you need more detailed descriptions it can be found [here][3]. - [1]: http://www.eglibc.org/cgi-bin/viewvc.cgi/trunk/libc/EGLIBC.cross-building?revision=2037&view=markup - [2]: /2012/03/20/building-arm-toolchain-part-1-libs-and - [3]: http://www.eglibc.org/cgi-bin/viewvc.cgi/trunk/libc/EGLIBC.cross-building?view=markup +[1]: http://www.eglibc.org/cgi-bin/viewvc.cgi/trunk/libc/EGLIBC.cross-building?revision=2037&view=markup +[2]: /2012/03/20/building-arm-toolchain-part-1-libs-and +[3]: http://www.eglibc.org/cgi-bin/viewvc.cgi/trunk/libc/EGLIBC.cross-building?view=markup diff --git a/blog/content/post/2012-04-18-debugging-coreboot-in-qemu-environment-part-2.md b/blog/content/post/2012-04-18-debugging-coreboot-in-qemu-environment-part-2.md index 837bcefe..9faecae7 100644 --- a/blog/content/post/2012-04-18-debugging-coreboot-in-qemu-environment-part-2.md +++ b/blog/content/post/2012-04-18-debugging-coreboot-in-qemu-environment-part-2.md @@ -17,64 +17,66 @@ tags: categories: - Firmware --- + In [previous post][1] `coreboot` was configured and installed. Here we try to establish good debugging environment for it. To create a good emulated environment to debug, research and learn `coreboot` few tricks are required. First of all we need to know how to run our emulated environment (qemu). What I mean by that? -* load coreboot image (-bios option), -* freeze CPU at startup (-S), -* get appropriate feedback about virtual machine state (-d in_asm,cpu), -* set up remote gdb server to run qemu step by step (-s). So finally we get: +- load coreboot image (-bios option), +- freeze CPU at startup (-S), +- get appropriate feedback about virtual machine state (-d in_asm,cpu), +- set up remote gdb server to run qemu step by step (-s). So finally we get: -``` +```bash qemu -bios src/coreboot/build/coreboot.rom -s -S -d in_asm,cpu -nographic ``` We don't need graphics so it also could be disable (-nographic). Run above command and prepare debugging environment as described below. -* load bootblock file in gdb: +- load bootblock file in gdb: -``` +```bash file path/to/coreboot/build/bootblock.elf ``` -* use objdump to find out at what address .text, .bss and .data sections are: +- use objdump to find out at what address .text, .bss and .data sections are: -``` +```bash objdump -h src/coreboot/build/coreboot_ram|grep -E "text|bss|.data" ``` my output looks like that: -``` +```bash 0 .text 00010810 00100000 00100000 00001000 2**2 3 .data 000004d8 001174e8 001174e8 000184e8 2**2 4 .bss 0000080c 001179c0 001179c0 000189c0 2**3 ``` -* use above addresses to load symbols from `coreboot_ram` file in gdb: +- use above addresses to load symbols from `coreboot_ram` file in gdb: -``` +```bash add-symbol-file src/coreboot/build/coreboot_ram 0x00100000 -s .data 0x001174e8 -s .bss 0x001179c0 ``` -* In another terminal or screen window +- In another terminal or screen window -``` +```bash vim /tmp/qemu.log ``` (use :e to reload qemu.log file after every instruction), in this file we will get information about all registers of virtual machine -* target remote :1234 +- target remote :1234 -* Run next instruction (ni command in gdb) and refresh qemu.log, if you get something like: +- Run next instruction (ni command in gdb) and refresh qemu.log, if you get + something like: -``` +```bash EAX=00000000 EBX=00000000 ECX=00000000 EDX=00000633 ESI=00000000 EDI=00000000 EBP=00000000 ESP=00000000 EIP=0000fff0 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0 @@ -95,4 +97,4 @@ get information about all registers of virtual machine it means that your debugging environment was set correctly. - [1]: /2012/03/12/debugging-coreboot-in-qemu-enviroment +[1]: /2012/03/12/debugging-coreboot-in-qemu-enviroment diff --git a/blog/content/post/2012-04-21-vim-as-a-blogger-editor.md b/blog/content/post/2012-04-21-vim-as-a-blogger-editor.md index da4ab613..a65690ef 100644 --- a/blog/content/post/2012-04-21-vim-as-a-blogger-editor.md +++ b/blog/content/post/2012-04-21-vim-as-a-blogger-editor.md @@ -18,43 +18,61 @@ interfacing with Google's Blogger. Below I will use my workspace git [repository](https://github.com/pietrushnic/workspace). To use this plugin we need pretty new ruby >= 1.9.2 and gems nokogiri and net-https-wrapper. Let's install latest possible ruby for Debian, before that make sure you have latest -updates: +updates: - sudo apt-get update sudo apt-get upgrade sudo apt-get dist-upgrade +```bash +sudo apt-get update sudo apt-get upgrade sudo apt-get dist-upgrade +``` -And ruby: +And ruby: - sudo apt-get install ruby1.9.3 +```bash +sudo apt-get install ruby1.9.3 +``` -Before we install gems , we need to resolve some dependencies: +Before we install gems , we need to resolve some dependencies: - sudo apt-get install libxml2-dev libxslt1-dev +```bash +sudo apt-get install libxml2-dev libxslt1-dev +``` -Latest nokogiri 1.5.2 have some issues, so we need to use 1.5.0 which is stable: +Latest nokogiri 1.5.2 have some issues, so we need to use 1.5.0 which is stable: - sudo gem install nokogiri --version 1.5.0 +```bash +sudo gem install nokogiri --version 1.5.0 +``` -And the wrapper for https: +And the wrapper for https: - sudo gem install net-https-wrapper +```bash +sudo gem install net-https-wrapper +``` -Finally also pandoc will be neded to display web pages in vim: +Finally also pandoc will be needed to display web pages in vim: - sudo apt-get install pandoc +```bash +sudo apt-get install pandoc +``` Right now we are able to run vim with blogger support. First we need to -configure vim, add below lines to your $HOME/.vimrc file: +configure vim, add below lines to your $HOME/.vimrc file: - let g:blogger\_blogid = 'your\_blogid\_here' let g:blogger\_email = 'your\_email\_here' let g:blogger\_pass = 'your\_blogger\_password\_here' +```bash +let g:blogger\_blogid = 'your\_blogid\_here' let g:blogger\_email = 'your\_email\_here' let g:blogger\_pass = 'your\_blogger\_password\_here' +``` -Run vim and try to list your blogger posts by typing: +Run vim and try to list your blogger posts by typing: - :e blogger:list +```bash +:e blogger:list +``` If list of you see all your posts than it seems that plugin works good. Finally -check writing feature. Create file with some text and type: +check writing feature. Create file with some text and type: - :w blogger:create +```bash +:w blogger:create +``` -Few things doesn't work as it should. Meybe I will find enough time to fix it. +Few things doesn't work as it should. Maybe I will find enough time to fix it. This article was created by using blogger.vim script. diff --git a/blog/content/post/2012-05-13-mutt-tutorial-part-1-setup-imap-account.md b/blog/content/post/2012-05-13-mutt-tutorial-part-1-setup-imap-account.md index 516c1ca4..e2bbf412 100644 --- a/blog/content/post/2012-05-13-mutt-tutorial-part-1-setup-imap-account.md +++ b/blog/content/post/2012-05-13-mutt-tutorial-part-1-setup-imap-account.md @@ -16,25 +16,25 @@ categories: Mutt is one of those programs that make people call you a linux geek, nerd or a snob. This is because using TUI or command line tools in world of fancy GUI for -most people is wierd. What's so great about mutt? I probably still have not +most people is weird. What's so great about mutt? I probably still have not found much of its advantages, but at first glance we can notice a few things. -First, it keeps Unix convention of small programs for specific task ["Make each -program to one thing well"][1] or [KISS][2]. This means that mutt is only -[MUA][3], which is used to retrieve e-mails and for other tasks you need to use -another application. However, due to the philosophy most applications are well -suited to each other and usually everything works good. So you can easily +First, it keeps Unix convention of small programs for specific task +["Make each program to one thing well"][1] or [KISS][2]. This means that mutt is +only [MUA][3], which is used to retrieve e-mails and for other tasks you need to +use another application. However, due to the philosophy most applications are +well suited to each other and usually everything works good. So you can easily combine it with Vim as the mail editor, abook as a address book, urlview as a browser launcher for html and graphics elements and so on. Third, it has support for IMAP which gives very nice usage model for most of e-mail account providers. -Fourth, is used by such notables as Greg Kroah-Hartman and as [kernel -documentation suggest][4] by other kernel developers. So lets start to discover -mutt. Below I will discuss some basic features that until now (few days of using -mutt) I found useful. +Fourth, is used by such notables as Greg Kroah-Hartman and as +[kernel documentation suggest][4] by other kernel developers. So lets start to +discover mutt. Below I will discuss some basic features that until now (few days +of using mutt) I found useful. -Big kudos to Shinobu for [this][5] post it helps me a lot. So first of all -we need support for multiple accounts. In my case I have 4 accounts. Three of -them got working IMAP access. 4th provider screw up something and access to IMAP +Big kudos to Shinobu for [this][5] post it helps me a lot. So first of all we +need support for multiple accounts. In my case I have 4 accounts. Three of them +got working IMAP access. 4th provider screw up something and access to IMAP server doesn't work so I need to workaround this with one of the Gmail features. At the beginning we create `$HOME/.muttrc` file: @@ -58,7 +58,7 @@ mailboxes = +INBOX = set spoolfile = +INBOX folder-hook imaps://@/ " set folder = imaps://@/ - spoolfile = +INBOX + spoolfile = +INBOX postponed = +[Gmail]/Drafts record = +[Gmail]/'Sent Mail' from = ' ' @@ -67,24 +67,24 @@ folder-hook imaps://@/ " smtp_pass = unset important variables ``` -* `` - for foo.bar@gmail.com it will be foo.bar -* `` - this information you can get from your e-mail +- `` - for it will be foo.bar +- `` - this information you can get from your e-mail provider help pages or from the settings of web e-mail client, for Gmail it is imap.gmail.com -* `` - your e-mail address -* `` - your e-mail password, later we will discuss how to store +- `` - your e-mail address +- `` - your e-mail password, later we will discuss how to store this more secure than plain text :) -* `` - any folder (for gmail account also filters) you have on you +- `` - any folder (for gmail account also filters) you have on you IMAP account, so for gmail account it could be Drafts, Starred, Important or others. -* `` - your real name or nick anything you want to show in from field -* `` - could be the same as `` -* `` - your SMTP server address, for gmail users it will be +- `` - your real name or nick anything you want to show in from field +- `` - could be the same as `` +- `` - your SMTP server address, for gmail users it will be smtp.gmail.com -If your e-mail provider have only pop3 access and you have gmail account you -can use one of gmail account features to make your pop3 account visible as a -IMAP folder. +If your e-mail provider have only pop3 access and you have gmail account you can +use one of gmail account features to make your pop3 account visible as a IMAP +folder. To do this got to Settings -> Accounts and Import and in the section "Check mail from other accounts" add your POP3 account. After that make sure to label your @@ -94,8 +94,8 @@ if your label in Label tab have "Show in IMAP" marked, if yes everything was set correctly. To use this label in mutt simply add another `` to mailboxes line. - [1]: http://www.faqs.org/docs/artu/ch01s06.html - [2]: http://en.wikipedia.org/wiki/KISS_principle - [3]: http://en.wikipedia.org/wiki/Mail_user_agent - [4]: http://www.mjmwired.net/kernel/Documentation/email-clients.txt - [5]: http://zuttobenkyou.wordpress.com/2010/11/05/mutt-multiple-gmail-imap-setup/ +[1]: http://www.faqs.org/docs/artu/ch01s06.html +[2]: http://en.wikipedia.org/wiki/KISS_principle +[3]: http://en.wikipedia.org/wiki/Mail_user_agent +[4]: http://www.mjmwired.net/kernel/Documentation/email-clients.txt +[5]: http://zuttobenkyou.wordpress.com/2010/11/05/mutt-multiple-gmail-imap-setup/ diff --git a/blog/content/post/2012-05-13-mutt-tutorial-part-2-secure-login.md b/blog/content/post/2012-05-13-mutt-tutorial-part-2-secure-login.md index 0c6c8988..c777320c 100644 --- a/blog/content/post/2012-05-13-mutt-tutorial-part-2-secure-login.md +++ b/blog/content/post/2012-05-13-mutt-tutorial-part-2-secure-login.md @@ -14,19 +14,22 @@ tags: categories: - Miscellaneous --- + This is second post of mutt tutorial series. As in the [previous post][1] for -below information I need to thank Kousik for posts about [gpg][2] and [using it -with mutt][3]. But probably the most important to simplify this method was Fau -comment [here][4]. So going to the point of secure login for mutt we need gpg. -First of all we need to install it by simply: +below information I need to thank Kousik for posts about [gpg][2] and +[using it with mutt][3]. But probably the most important to simplify this method +was Fau comment [here][4]. So going to the point of secure login for mutt we +need gpg. First of all we need to install it by simply: -
    sudo apt-get install gpg
-
    +```bash +sudo apt-get install gpg +``` After that we generate our keys by: -
    gpg --gen-key
-
    +```bash +gpg --gen-key +``` I choose all default answers. So first is key type: `'RSA and RSA'`. Second - `keysize: 2048`. Third - time for key expiration: `'0 = key does not expire'`. @@ -38,48 +41,53 @@ can encrypt file with passwords. Best way to do this is to write some script that will be sourced by mutt after decryption. For storing passwords I create directory in my `$HOME`: -
    mkdir $HOME/.passwd
-
    +```bash +mkdir $HOME/.passwd +``` Inside this directory I create text file with the script, which look like below: -
    vim $HOME/.passwd/mutt.txt
+```bash
+vim $HOME/.passwd/mutt.txt
 set my_isp1 = "password1"
 set my_isp2 = "password2"
 set my_isp3 = "password3"
-
    +``` This script of course mean to set value of variable name `my_isp{1,2,3}` to some password string. Remember to use `my_` prefix because this is the way that user variables should be defined in mutt scripts. After writing this file we need to encrypt it. -
    gpg -e -o mutt.gpg mutt.txt
-
    +```bash +gpg -e -o mutt.gpg mutt.txt +``` Now we should delete txt file. To use our newly created encrypted password script we need to add some lines to `$HOME/.muttrc`. So `vim $HOME/.muttrc`. Line that we need before sourcing encrypted scripts is declaration of variables in the script: -
    set my_isp1 = ""
+```bash
+set my_isp1 = ""
 set my_isp2 = ""
 set my_isp3 = ""
-
    +``` After this line we can source and decrypt out file with the passwords: -
    source "gpg --textmode -d ~/.passwd/mutt.gpg |"
-
    +```bash +source "gpg --textmode -d ~/.passwd/mutt.gpg |" +``` -At the end wee need to replace all out plain text passwords (`smtp_pass` and +At the end we need to replace all out plain text passwords (`smtp_pass` and `imap_pass` variables) with variables defined in out encrypted file. This settings will cause that mutt during start will run gpg to ask about password to decrypt password script file. In the [next post][5] I will discuss mutt with sidebar and how to open html files from inside mutt. - [1]: /2012/05/13/mutt-tutorial-part-1-setup-imap-account - [2]: http://nixtricks.wordpress.com/2009/10/04/introduction-to-encryption-of-files-using-gpg/ - [3]: http://nixtricks.wordpress.com/2010/05/05/mutt-configure-mutt-to-receive-email-via-imap-and-send-via-smtp/ - [4]: http://nixtricks.wordpress.com/2010/05/20/mutt-multiple-email-accounts-using-hooks/#comment-162 - [5]: /2012/05/13/mutt-tutorial-part-3-sidebar-urls-in-e/ +[1]: /2012/05/13/mutt-tutorial-part-1-setup-imap-account +[2]: http://nixtricks.wordpress.com/2009/10/04/introduction-to-encryption-of-files-using-gpg/ +[3]: http://nixtricks.wordpress.com/2010/05/05/mutt-configure-mutt-to-receive-email-via-imap-and-send-via-smtp/ +[4]: http://nixtricks.wordpress.com/2010/05/20/mutt-multiple-email-accounts-using-hooks/#comment-162 +[5]: /2012/05/13/mutt-tutorial-part-3-sidebar-urls-in-e/ diff --git a/blog/content/post/2012-05-13-mutt-tutorial-part-3-sidebar-urls-in-e-mails.md b/blog/content/post/2012-05-13-mutt-tutorial-part-3-sidebar-urls-in-e-mails.md index 573a48d9..de969265 100644 --- a/blog/content/post/2012-05-13-mutt-tutorial-part-3-sidebar-urls-in-e-mails.md +++ b/blog/content/post/2012-05-13-mutt-tutorial-part-3-sidebar-urls-in-e-mails.md @@ -14,6 +14,7 @@ tags: categories: - Miscellaneous --- + Information in this post came from [lunar linux page][1]. Kudos to its author. In this post I want to discuss two topics: sidebar and how to open urls form inside mutt. Sidebar is mutt feature delivered in mutt-patched package in @@ -22,17 +23,19 @@ find list of folders defined in the `$HOME/.muttrc` file, second window is a known old window with the list of posts. Mutt window with sidebar looks like on the picture below: -![][2] +![img][2] To use side bar we need to install mutt-patched packed in Debian: -
    sudo apt-get install mutt-patched
-
    +```bash +sudo apt-get install mutt-patched +``` To make side bar more accessible I use default settings from lunar linux page. Add below lines to `$HOME/.muttrc`: -
    set sidebar_width = 30
+```bash
+set sidebar_width = 30
 set sidebar_visible = yes
 color sidebar_new yellow default
 bind index CP sidebar-prev
@@ -41,7 +44,7 @@ bind index CO sidebar-open
 bind pager CP sidebar-prev
 bind pager CN sidebar-next
 bind pager CO sidebar-open
-
    +``` First line sets width of side bar it depends on how long are your folder names. Second line makes sidebar by default visible. Third makes folders with new @@ -50,24 +53,27 @@ C is not Ctrl but uppercase 'c' key. Second topic I want to discuss is how to open urls from inside e-mails. To do this we can use tip from [mutt site][3]. As it said we need urlview application: -
    sudo apt-get install urlview
-
    +```bash +sudo apt-get install urlview +``` To correctly configure this tool you need to create `$HOME/.urlview` file. So: -
    vim $HOME/.urlview
-
    +```bash +vim $HOME/.urlview +``` In this file we define two things. First will be regular expression which match urls and second will be command line to run when regexp was matched. File looks like below: -
    REGEXP (((https?|ftp|gopher)://|(mailto|file|news):)[^? "]+|(www|web|w3).[-a-z0-9.]+)[^? .,;":] COMMAND chromium %s
-
    +```bash +REGEXP (((https?|ftp|gopher)://|(mailto|file|news):)[^? "]+|(www|web|w3).[-a-z0-9.]+)[^? .,;":] COMMAND chromium %s +``` Chromium is my browser of choice but you can use firefox, lynx or anything you want. - [1]: http://www.lunar-linux.org/mutt-sidebar/ - [2]: /img/mutt-screenshot.png - [3]: http://www.mutt.org/doc/manual/#urlview \ No newline at end of file +[1]: http://www.lunar-linux.org/mutt-sidebar/ +[2]: /img/mutt-screenshot.png +[3]: http://www.mutt.org/doc/manual/#urlview diff --git a/blog/content/post/2012-05-13-mutt-tutorial-part-4-html-mails-address-book-and-other-useful-features.md b/blog/content/post/2012-05-13-mutt-tutorial-part-4-html-mails-address-book-and-other-useful-features.md index c45788cb..fc4f58cc 100644 --- a/blog/content/post/2012-05-13-mutt-tutorial-part-4-html-mails-address-book-and-other-useful-features.md +++ b/blog/content/post/2012-05-13-mutt-tutorial-part-4-html-mails-address-book-and-other-useful-features.md @@ -14,26 +14,36 @@ tags: categories: - Miscellaneous --- + How mutt can handle mails in html format ? Takling about html mail handling is -talking about handling any type of [Multipurpose Internet Mail Extensions](http://en.wikipedia.org/wiki/MIME). -Mutt supports handling for all MIME types in one place for all programs. This -place is `.mailcap` file. Googling a little bit I found below mailcap file -configuration (kudos to [Bart Nagel](http://trembits.blogspot.com/2011/12/viewing-html-in-mutt.html)). -``` +talking about handling any type of +[Multipurpose Internet Mail Extensions](http://en.wikipedia.org/wiki/MIME). Mutt +supports handling for all MIME types in one place for all programs. This place +is `.mailcap` file. Googling a little bit I found below mailcap file +configuration (kudos to +[Bart Nagel](http://trembits.blogspot.com/2011/12/viewing-html-in-mutt.html)). + +```bash text/html; pandoc -f html -t markdown; copiousoutput; description=HTML Text; test=type pandoc >/dev/null text/html;lynx -stdin -dump -force\_html -width 70; copiousoutput; description=HTML Text; test=type lynx >/dev/null text/html; w3m -dump -T text/html -cols 70; copiousoutput; description=HTML Text; test=type w3m >/dev/null text/html; html2text -width 70; copiousoutput; description=HTML Text; test=type html2text >/dev/null ``` + Of course we need to install all applications to make mailcap work correct: + ```bash sudo apt-get install pandoc lynx w3m html2text ``` + To bring address book functionality to mutt we need abook application: + ```bash sudo apt-get install abook ``` + Also few new line in `$HOME/.muttrc` will be needed: + ```bash # add alias file for addresses set alias_file=~/.mutt/alias source ~/.mutt/alias @@ -42,13 +52,14 @@ set query_command= "abook --mutt-query '%s'" macro index,pager A " abook --add-email-quiet" "add the sender address to abook" ``` + Adding new address simply create entry in alias file. During adding new alias abook asks about alias name, e-mail address, personal name and confirmation for -given data. Some this fields could be filled automatically by interaction +given data. Some this fields could be filled automatically by interaction between abook and mutt. Of course file `$HOME/.mutt/alias` have to exist before -running mutt: -touch `$HOME/.mutt/alias` To access saved aliases simply click button in -cc, to or bcc filed. There is few more options that I found useful. To find it -please go to my [workspace](https://github.com/pietrushnic/workspace) scripts at -github. Also if you have any issues with the configuration or comments please -let me know by commenting below the post. +running mutt: touch `$HOME/.mutt/alias` To access saved aliases simply click +button in cc, to or bcc filed. There is few more options that I found +useful. To find it please go to my +[workspace](https://github.com/pietrushnic/workspace) scripts at github. Also if +you have any issues with the configuration or comments please let me know by +commenting below the post. diff --git a/blog/content/post/2012-11-18-prepare-for-ruby-on-rails-on-debian-wheezy.md b/blog/content/post/2012-11-18-prepare-for-ruby-on-rails-on-debian-wheezy.md index 6c2fc9db..8c676fe5 100644 --- a/blog/content/post/2012-11-18-prepare-for-ruby-on-rails-on-debian-wheezy.md +++ b/blog/content/post/2012-11-18-prepare-for-ruby-on-rails-on-debian-wheezy.md @@ -13,23 +13,27 @@ tags: categories: - App Dev --- + I start to learn Ruby on Rails. As always when you learn new programming language toolchain is required. In this tutorial I will try to go through toolchain preparation for my Debian wheezy. Of course I based on Vim as my editor of choice. Second requirement will be using some parts of toolchain in -latest greatest version. +latest greatest version. -As a beginner point for learning Ruby on Rails I choose [this tutorial](http://ruby.railstutorial.org/ruby-on-rails-tutorial-book). -I will try to use their methods of setting environment adding my comments where -it is needed. Also will resolve Debian and Vim specific issues. So let's begin. +As a beginner point for learning Ruby on Rails I choose +[this tutorial](http://ruby.railstutorial.org/ruby-on-rails-tutorial-book). I +will try to use their methods of setting environment adding my comments where it +is needed. Also will resolve Debian and Vim specific issues. So let's begin. -After quick look at RoR tutorial I have to switch to [this site](http://blog.sudobits.com/2012/05/02/how-to-install-ruby-on-rails-in-ubuntu-12-04-lts/) +After quick look at RoR tutorial I have to switch to +[this site](http://blog.sudobits.com/2012/05/02/how-to-install-ruby-on-rails-in-ubuntu-12-04-lts/) for installation for Ubuntu 12.04 LTS. But instructions don't work as expected for my Debian. So after quick: ```bash sudo apt-get install git curl ``` + I realized that I need proxy for curl and not only temporary but permanent. I added below line to my `$HOME/.curlrc:` @@ -50,7 +54,8 @@ source ~/.rvm/scripts/rvm ``` Output which I get was: -``` + +```bash pietrushnic@lothlann:~/src/node$ rvm requirements Requirements for Linux "Debian GNU/Linux wheezy/sid" NOTE: 'ruby' represents Matz's Ruby Interpreter (MRI) (1.8.X, 1.9.X) @@ -90,17 +95,21 @@ subversion pkg-config Next thing we need is Node.js because this code of JavaScript runtime is under active development (latest version is 0.8.14 and Debian provided for sid 0.6.19) -we use its latest greatest version from git repository. +we use its latest greatest version from git repository. ```bash git clone https://github.com/joyent/node.git ``` + Following by: + ```bash cd node;./configure;make;make test ``` + In my configuration only one test failed test-tls-server-verify: -``` + +```bash Running 'Allow both authed and unauthed connections with CA1' throw new assert.AssertionError({ ^ @@ -114,13 +123,14 @@ Running 'Allow both authed and unauthed connections with CA1' ``` - This is known issue probably we have to wait for update of OpenSSL library in -wheezy. Ignore this problem and install node.js: +wheezy. Ignore this problem and install node.js: + ```bash sudo make install ``` -Because of RoR tutorial requirements we install version 1.9.3: + +Because of RoR tutorial requirements we install version 1.9.3: ```bash rvm get head && rvm reload rvm install 1.9.3 @@ -129,7 +139,7 @@ rvm get head && rvm reload rvm install 1.9.3 Next thing will be adding vim-ruby for our favorite editor Vim. I organize my dotfiles using git. I also use pathogen to control Vim plugins (as described [here](http://pietrushnic.blogspot.com/2012/02/improve-productivity-by-tracking-work_20.html)), -so : +so : ```bash cd workspace @@ -141,5 +151,5 @@ git commit -m "vim-rails submodule added" Finally we have ready to use Ruby on Rails development environment based on Vim. I suggest to take a look at this -[movie](https://www.youtube.com/watch?v=30P8DSNOZuU) and after that dive into +[movie](https://www.youtube.com/watch?v=30P8DSNOZuU) and after that dive into [tutorial](http://ruby.railstutorial.org/). diff --git a/blog/content/post/2012-11-18-sqlite3-gem-not-supported-on-heroku.md b/blog/content/post/2012-11-18-sqlite3-gem-not-supported-on-heroku.md index cac13903..34dd7881 100644 --- a/blog/content/post/2012-11-18-sqlite3-gem-not-supported-on-heroku.md +++ b/blog/content/post/2012-11-18-sqlite3-gem-not-supported-on-heroku.md @@ -13,39 +13,44 @@ tags: categories: - App Dev --- -When I tried to deploy second part of [RoR tutorial][1] to Heroku I get this error: - - An error occurred while installing sqlite3 (1.3.5), and Bundler cannot continue. - Make sure that `gem install sqlite3 -v '1.3.5'` succeeds before bundling. - ! - ! Failed to install gems via Bundler. - ! - ! Detected sqlite3 gem which is not supported on Heroku. - ! http://devcenter.heroku.com/articles/how-do-i-use-sqlite3-for-development - ! - ! Heroku push rejected, failed to compile Ruby/rails app - To git@heroku.com:thawing-beyond-7283.git - ! [remote rejected] master -> master (pre-receive hook declined) - error: failed to push some refs to 'git@heroku.com:thawing-beyond-7283.git' - -I searched a little bit about this error and find [this][2] stackoverflow post. + +When I tried to deploy second part of [RoR tutorial][1] to Heroku I get this +error: + +```bash +An error occurred while installing sqlite3 (1.3.5), and Bundler cannot continue. +Make sure that `gem install sqlite3 -v '1.3.5'` succeeds before bundling. +! +! Failed to install gems via Bundler. +! +! Detected sqlite3 gem which is not supported on Heroku. +! http://devcenter.heroku.com/articles/how-do-i-use-sqlite3-for-development +! +! Heroku push rejected, failed to compile Ruby/rails app +To git@heroku.com:thawing-beyond-7283.git +! [remote rejected] master -> master (pre-receive hook declined) +error: failed to push some refs to 'git@heroku.com:thawing-beyond-7283.git' +``` + +I searched a little bit about this error and find [this][2] stackoverflow post. But when I look more carefully on the Gemfile syntax I found a mistake. I used simply: -
    gem 'sqlite3', '1.3.5'
-
    +```bashruby +gem 'sqlite3', '1.3.5' +``` But I should have: -
    group :development do
+```bashrubygroup :development do
   gem 'sqlite3', '1.3.5'
 end
 group :production do
   gem 'pg', '0.12.2'
 end
-
    +``` As RoR tutorial states. - [1]: http://ruby.railstutorial.org/chapters/a-demo-app#top - [2]: http://stackoverflow.com/questions/3747002/heroku-rails-3-and-sqlite3 +[1]: https://web.archive.org/web/20130218224540/http://ruby.railstutorial.org/chapters/a-demo-app +[2]: http://stackoverflow.com/questions/3747002/heroku-rails-3-and-sqlite3 diff --git a/blog/content/post/2013-01-15-short-hint-for-all-those-who-use-vim-and-pathogen.md b/blog/content/post/2013-01-15-short-hint-for-all-those-who-use-vim-and-pathogen.md index 068e11ef..0c7278e5 100644 --- a/blog/content/post/2013-01-15-short-hint-for-all-those-who-use-vim-and-pathogen.md +++ b/blog/content/post/2013-01-15-short-hint-for-all-those-who-use-vim-and-pathogen.md @@ -17,26 +17,33 @@ tags: categories: - Miscellaneous --- -Today, after updating my workspace to latest version I encounter below error during vim running: - Error detected while processing function pathogen#runtime_append_all_bundles: - line 1: - E121: Undefined variable: source_path - E116: Invalid arguments for function string(source_path).') to pathogen#incubate('.string(source_path.'/{}').')') - E116: Invalid arguments for function 4_warn - Press ENTER or type command to continue +Today, after updating my workspace to latest version I encounter below error +during vim running: + +```bash +Error detected while processing function pathogen#runtime_append_all_bundles: +line 1: +E121: Undefined variable: source_path +E116: Invalid arguments for function string(source_path).') to pathogen#incubate('.string(source_path.'/{}').')') +E116: Invalid arguments for function 4_warn +Press ENTER or type command to continue +``` Quick look on pathogen runtime_append_all_bundles function and I found: -
    call s:warn('Change pathogen#runtime_append_all_bundles('.string(a:1).') to pathogen#incubate('.string(a:1.'/{}').')')
-
    +```bash +call s:warn('Change pathogen#runtime_append_all_bundles('.string(a:1).') to pathogen#incubate('.string(a:1.'/{}').')') +``` So simply replacing: -
    call pathogen#runtime_append_all_bundles()
-
    +```bash +call pathogen#runtime_append_all_bundles() +``` with: -
    call pathogen#incubate() in $HOME/.vimrc fix the problem.
-
    +```bash +call pathogen#incubate() in $HOME/.vimrc fix the problem. +``` diff --git a/blog/content/post/2013-03-19-tmux-multiplexer-and-vi-like-keys-in-copy-mode.md b/blog/content/post/2013-03-19-tmux-multiplexer-and-vi-like-keys-in-copy-mode.md index d6a8ab02..9d0018cd 100644 --- a/blog/content/post/2013-03-19-tmux-multiplexer-and-vi-like-keys-in-copy-mode.md +++ b/blog/content/post/2013-03-19-tmux-multiplexer-and-vi-like-keys-in-copy-mode.md @@ -13,6 +13,7 @@ tags: categories: - Miscellaneous --- + So I tried to write second post for my new blog but to effectively work using terminal I need terminal multiplexer. I switched to tmux from screen because I reach point that I can't do some things in it in easy way and performance was @@ -20,15 +21,16 @@ poor. Also activity of tmux developers is better than for gnu screen. I also experienced annoy buffer crashing especially after come back from lock mode or cmatrix much but after reading few articles about alternative for screen I switched to tmux. It seems that in wheezy(testing) version of tmux is outdated -(1.6.2). Last tag on tmux [sourceforge repo][1] is 1.7 and there is almost 300 +(1.6.2). Last tag on tmux [github repo][1] is 1.7 and there is almost 300 additional commits on top of the master branch. Debian unstable contain version 1.7.2 it is pretty new. Awesome thing in tmux is emacs/vi keybiding for copy-mode. It really helps with writing technical articles about linux stuff with this console outputs and logs excerpts. To enable copy-mode in vi like way put to `$HOME/.tmux.conf`: -
    # use vi-like keys
+```bash
+# use vi-like keys
 setw -g mode-keys vi
-
    +``` - [1]: http://sourceforge.net/p/tmux/tmux-code/?source=navbar +[1]: https://github.com/tmux/tmux diff --git a/blog/content/post/2013-03-30-music-for-programming.md b/blog/content/post/2013-03-30-music-for-programming.md index 6f439e81..b0a45b83 100644 --- a/blog/content/post/2013-03-30-music-for-programming.md +++ b/blog/content/post/2013-03-30-music-for-programming.md @@ -13,29 +13,59 @@ tags: categories: - Miscellaneous --- + Of course this is strongly associated with personal taste but I will write my experience. -1. - really great radio station, choose your genre or artist and it will lead you through all variety of this type. unfortunately if you are fan of Iron Maiden, Blind Guardian, prog rock or irish folk you will be bored after 2 hours or less. Sadly not available in Poland {% emoji disappointed %} - maybe some proxy will work but I wasn't able to find one. -2. [kohina/demo scene][1] - very good radio for long night coding sessions. I'm not big fan of demo scene but I appreciate what guys do and did. And somtimes you will hit Super Mario or Contra theme. -3. [post rock/math rock][2] - if you like any variety of prog rock you probably know [ProgArchives][3]. It is really hard to find good prog rock radio where classics are well mixed with newcomers. I really like to listen guys like [God Is An Astronaut][2], [Explosions In The Sky][4], [This Will Destroy You][5], [65daysofstatic][6], [Red Sparowes][7] or even [Mogwai][8] or [Sigur Ros][9]. Very good for programming if you drink cofee/tea {% emoji smile %} -4. movie soundtracks - This one I use when really need to concentrate especially when working daylight hours. What's best here most of people will agree that [Ennio Moricone][10], [Vangelis][11] and [Hans Zimmer][12] are famous one and most recognizable for my generation. -5. [breakbeat][13] - this one reminds me some stories about mythical cyberpunk hackers, its usually noisy and help me isolate from environment and concentrate on my work. I will said that if you like freaked electronics than you can try this. -6. [dnb][14] - if breakbeat is to hard for you try this {% emoji smile %}. This music tune me in channel of rhythmical work. -7. When googling this topic I found [this site][15] it was worth to check. Some links are broken. Most of those playlists have too low tempo for me. I can also suggest some Irish Folk influenced stuff if don't have "The End is near" wallpaper on your desktop {% emoji smile %} There was a time when I was listen a lot of psybient, but it is really hard to find good psychodelic ambient radio and this music is for me more like movie soundtracks I cannot listen it at night. Hope it will give some kind of direction. Let me know what you listen when coding. Maybe I will discover new universe. +1. - really great radio station, choose your genre or artist + and it will lead you through all variety of this type. unfortunately if you + are fan of Iron Maiden, Blind Guardian, prog rock or irish folk you will be + bored after 2 hours or less. Sadly not available in Poland {% emoji + disappointed %} + +- maybe some proxy will work but I wasn't able to find one. + +1. [kohina/demo scene][1] - very good radio for long night coding sessions. I'm + not big fan of demo scene but I appreciate what guys do and did. And + sometimes you will hit Super Mario or Contra theme. +1. [post rock/math rock][2] - if you like any variety of prog rock you probably + know [ProgArchives][3]. It is really hard to find good prog rock radio where + classics are well mixed with newcomers. I really like to listen guys like + [God Is An Astronaut][2], [Explosions In The Sky][4], + [This Will Destroy You][5], [65daysofstatic][6], [Red Sparowes][7] or even + [Mogwai][8] or [Sigur Ros][9]. Very good for programming if you drink + cofee/tea {% emoji smile %} +1. movie soundtracks - This one I use when really need to concentrate especially + when working daylight hours. What's best here most of people will agree that + [Ennio Moricone][10], [Vangelis][11] and [Hans Zimmer][12] are famous one and + most recognizable for my generation. +1. [breakbeat][13] - this one reminds me some stories about mythical cyberpunk + hackers, its usually noisy and help me isolate from environment and + concentrate on my work. I will said that if you like freaked electronics than + you can try this. +1. [dnb][14] - if breakbeat is to hard for you try this {% emoji smile %}. This + music tune me in channel of rhythmical work. +1. When googling this topic I found [this site][15] it was worth to check. Some + links are broken. Most of those playlists have too low tempo for me. I can + also suggest some Irish Folk influenced stuff if don't have "The End is near" + wallpaper on your desktop {% emoji smile %} There was a time when I was + listen a lot of psybient, but it is really hard to find good psychodelic + ambient radio and this music is for me more like movie soundtracks I cannot + listen it at night. Hope it will give some kind of direction. Let me know + what you listen when coding. Maybe I will discover new universe. - [1]: http://www.kohina.com/ - [2]: http://www.progarchives.com/subgenre.asp?style=32 - [3]: http://www.progarchives.com/ - [4]: http://www.explosionsinthesky.com/ - [5]: http://twdy.tumblr.com/ - [6]: http://www.65daysofstatic.com/ - [7]: http://www.redsparowes.com/News.aspx - [8]: http://mogwai.sandbag.uk.com/lesrevenants/ - [9]: http://www.sigur-ros.co.uk/ - [10]: https://www.enniomorricone.org/ - [11]: http://elsew.com/ - [12]: http://www.hans-zimmer.com/ - [13]: http://nsbradio.co.uk/content/ - [14]: http://www.shoutcast.com/Internet-Radio/drum%20and%20base - [15]: http://musicforprogramming.net/ +[1]: http://www.kohina.com/ +[2]: http://www.progarchives.com/subgenre.asp?style=32 +[3]: http://www.progarchives.com/ +[4]: http://www.explosionsinthesky.com/ +[5]: http://twdy.tumblr.com/ +[6]: http://www.65daysofstatic.com/ +[7]: https://web.archive.org/web/20120717094255/http://www.redsparowes.com/News.aspx +[8]: https://web.archive.org/web/20130716145845/http://mogwai.sandbag.uk.com/lesrevenants/ +[9]: http://www.sigur-ros.co.uk/ +[10]: https://www.enniomorricone.org/ +[11]: http://elsew.com/ +[12]: http://www.hans-zimmer.com/ +[13]: http://nsbradio.co.uk/content/ +[14]: http://www.shoutcast.com/Internet-Radio/drum%20and%20base +[15]: http://musicforprogramming.net/ diff --git a/blog/content/post/2013-04-03-yet-another-quick-build-of-arm-unknown-linux-gnueabi.md b/blog/content/post/2013-04-03-yet-another-quick-build-of-arm-unknown-linux-gnueabi.md index e8acce73..796306bf 100644 --- a/blog/content/post/2013-04-03-yet-another-quick-build-of-arm-unknown-linux-gnueabi.md +++ b/blog/content/post/2013-04-03-yet-another-quick-build-of-arm-unknown-linux-gnueabi.md @@ -16,20 +16,24 @@ categories: - OS Dev - App Dev --- -So I decide to check what is going on with [crosstool-ng][1] and refresh my [old -post][2] about building `arm-unknown-linux-gnueabi` toolchain. Last post was -pretty popular, so definitely this is direction I should follow :). I will not -repeat myself, so if you encounter any problems please check last post, section -with known problems in crosstool-ng `doc/` directory or RTFM. Let's begin: + +So I decide to check what is going on with [crosstool-ng][1] and refresh my +[old post][2] about building `arm-unknown-linux-gnueabi` toolchain. Last post +was pretty popular, so definitely this is direction I should follow :). I will +not repeat myself, so if you encounter any problems please check last post, +section with known problems in crosstool-ng `doc/` directory or RTFM. Let's +begin: ### Get the latest crosstool-ng As usual I'm trying to use latest version possible. Following the crosstool-ng page: - hg clone http://crosstool-ng.org/hg/crosstool-ng - cd crosstool-ng - ./bootstrap +```bash +hg clone http://crosstool-ng.org/hg/crosstool-ng +cd crosstool-ng +./bootstrap +``` At the time of writing this article my changeset was `3200:0fc56e62cecf` 16 Mar 2013, two weeks old. @@ -40,22 +44,27 @@ I prefer to use local directory for `ct-ng` in case it will change in feature I will not need to mess with `/usr` subsystem. Simply tryin' to keep it clean when I can. - mkdir $HOME/ct-ng - ./configure --prefix=$HOME/ct-ng - make - make install +```bash +mkdir $HOME/ct-ng +./configure --prefix=$HOME/ct-ng +make +make install +``` No problems on my up to date Debian wheezy. You will probably want to add `$HOME/ct-ng` to your `PATH` - export PATH="$HOME/ct-ng/bin:${PATH}" +```bash +export PATH="$HOME/ct-ng/bin:${PATH}" +``` Add bash completion as it is advised in message at the end of compilation process. My `.bashrc` automatically sources `$HOME/.bash_completion` so there is a place for local code completion. - cat ct-ng.comp >> $HOME/.bash_completion - +```bash +cat ct-ng.comp >> $HOME/.bash_completion +``` ### Build sample toolchain @@ -64,9 +73,11 @@ If `ct-ng` bash completion was correctly added, than you can explore it by `` or simply `ct-ng list-samples`. Let's try to build `arm-unknown-linux-gnueabi`: - mkdir -p $HOME/embedded/arm-unknown-linux-gnueabi - cd $HOME/embedded/arm-unknown-linux-gnueabi - ct-ng arm-unknown-linux-gnueabi +```bash +mkdir -p $HOME/embedded/arm-unknown-linux-gnueabi +cd $HOME/embedded/arm-unknown-linux-gnueabi +ct-ng arm-unknown-linux-gnueabi +``` Before you start build consider some debugging options to make build process easier to continue when problems encountered. @@ -77,24 +88,32 @@ crosstool-ng contain interesting mechanism of saving finished phases of toolchain. This helps when for some reason our build process failed. To enable this feature simply enter menuconfig: - ct-ng menuconfig +```bash +ct-ng menuconfig +``` -Mark option `Paths and mix options -> Debug crosstool-NG -> Save intermediate -steps` as enabled. If something goes wrong you can check what last state was by: +Mark option +`Paths and mix options -> Debug crosstool-NG -> Save intermediate steps` as +enabled. If something goes wrong you can check what last state was by: - ls -lt .build/arm-unknown-linux-gnueabi/state +```bash +ls -lt .build/arm-unknown-linux-gnueabi/state +``` Directory on top with the latest modification date is now your first state where you should restart after fail. To restart build in given point: - ct-ng + #assuming that is where we fail last time +```bash +ct-ng + #assuming that is where we fail last time +``` Ordered list of possible states can be retrieved by `ct-ng list-steps`. ### Start build - ct-ng build.4 - +```bash +ct-ng build.4 +``` `4` is the number of concurrent jobs and depends on your setup performance. Building process takes a while so make coffee or anything else to drink :). @@ -107,34 +126,37 @@ I encounter few different problems than during [previous building][2]. Signature looks like that: - [ERROR] configure: error: expat is missing or unusable - [ERROR] make[3]: *** [configure-gdb] Error 1 - [ERROR] make[2]: *** [all] Error 2 +```bash +[ERROR] configure: error: expat is missing or unusable +[ERROR] make[3]: *** [configure-gdb] Error 1 +[ERROR] make[2]: *** [all] Error 2 +``` Simply install `libexpat`: sudo apt-get install libexpat1-dev - #### gcj internal error Few times I encountered something like this: - [ERROR] gcj: internal compiler error: Killed (program jc1) - [ERROR] make[5]: *** [ecjx] Error 4 - [ERROR] make[4]: *** [all-recursive] Error 1 - [ERROR] make[3]: *** [all-target-libjava] Error 2 - [ERROR] make[2]: *** [all] Error 2 +```bash +[ERROR] gcj: internal compiler error: Killed (program jc1) +[ERROR] make[5]: *** [ecjx] Error 4 +[ERROR] make[4]: *** [all-recursive] Error 1 +[ERROR] make[3]: *** [all-target-libjava] Error 2 +[ERROR] make[2]: *** [all] Error 2 +``` The reason is that `oom_kiler` takes care about `gcj`. It means that you run out of memory during compilation Java related code. I experience that when trying to build toolchain with 512MB of RAM :) So this was short reminder. I work on new post about creating virtual embedded development environment based on [qemu][3]. I was inspired by [this article][4]. Hope this article was useful. If you have -any comments or difficulties please comment below. If think this post was useful - -share. +any comments or difficulties please comment below. If think this post was useful +\- share. - [1]: http://crosstool-ng.org - [2]: /2012/03/14/quick-build-of-arm-unknown-linux - [3]: http://wiki.qemu.org/Main_Page - [4]: http://www.elinux.org/Virtual_Development_Board +[1]: http://crosstool-ng.org +[2]: /2012/03/14/quick-build-of-arm-unknown-linux +[3]: http://wiki.qemu.org/Main_Page +[4]: http://www.elinux.org/Virtual_Development_Board diff --git a/blog/content/post/2013-05-15-thunderbird-to-mutt-migration-tips-tricks.md b/blog/content/post/2013-05-15-thunderbird-to-mutt-migration-tips-tricks.md index 5beb1c3f..053663d2 100644 --- a/blog/content/post/2013-05-15-thunderbird-to-mutt-migration-tips-tricks.md +++ b/blog/content/post/2013-05-15-thunderbird-to-mutt-migration-tips-tricks.md @@ -13,6 +13,7 @@ tags: categories: - Miscellaneous --- + ### Preface I migrate with my working environment to laptop. My workstation going older and @@ -23,24 +24,23 @@ changed OS to Ubuntu and mail client to Thunderbird. I have to admit that both choices were mistake and I want to came back to Debian and Mutt. This post is about throwing out Thunderbird and a logical continuation of Mutt -tutorial (part [1][1], [2][2], [3][3] and [4][4]). So what was wrong with -Thunderbrid? - -* Not clear configuration settings - for example I tried to wrap word at 80th -character, default value was set to 72 but it seems not work anyway. I try to -use few googled hints but nothing works. -* Setting up Thunderbird to work as a community developer tool was not so -obvious. -* Junk messages was marked but default filter show everything so for some IMAP -boxes I get lot of spam and had hard time to find anything out there. -* Conversation mode should be easily toggled. -* GUI slow switching between different modes. -* Lack of my editor of choice. If I decide to use GUI tool for some reason I -require from it to be intuitive and most of my options should be available at -few clicks. Probably most of my problems I could solve by giving enough effort -to google it but if I have to choose hard to configure MUA I will probably be in -favor of terminal tool like Mutt. So right now I'm back with Mutt and -determination to adjust Mutt to my work flow. +tutorial (part [1], [2], [3] and [4]). So what was wrong with Thunderbrid? + +- Not clear configuration settings - for example I tried to wrap word at 80th + character, default value was set to 72 but it seems not work anyway. I try to + use few googled hints but nothing works. +- Setting up Thunderbird to work as a community developer tool was not so + obvious. +- Junk messages was marked but default filter show everything so for some IMAP + boxes I get lot of spam and had hard time to find anything out there. +- Conversation mode should be easily toggled. +- GUI slow switching between different modes. +- Lack of my editor of choice. If I decide to use GUI tool for some reason I + require from it to be intuitive and most of my options should be available at + few clicks. Probably most of my problems I could solve by giving enough effort + to google it but if I have to choose hard to configure MUA I will probably be + in favor of terminal tool like Mutt. So right now I'm back with Mutt and + determination to adjust Mutt to my work flow. ### Git and undelete old configuration @@ -49,27 +49,27 @@ muttrc in my workspace git repository. So first goolge query returned what needed I found [this][5] stackoverflow post. I reverted muttrc and other related files deletion. -### Short informations +### Short information -* In Ubuntu there is no `gpg` package, to get encryption you can use `gpgsm`. -* If your e-mail account provider require user name with `@` (at sign), then -you can pass it in mutt using below pattern: +- In Ubuntu there is no `gpg` package, to get encryption you can use `gpgsm`. +- If your e-mail account provider require user name with `@` (at sign), then you + can pass it in mutt using below pattern: -``` +```bash set folder = imaps://[login]@[imap_server]/ # i.e. imaps://foo@bar.pl@imap.srv.pl/ ``` -* You can debug Mutt using `-d 5` parameter, this option creates -`$HOME/.muttdebug0` file with verbose output, debug option can be changed in -range 1-5. -* Use latest-greatest version compiled from source instead version provided by -distribution repository. It can help you get rid of problems like `tls_socket_read -(Decryption has failed.)`. -* Some accounts will not work with authenticating method presented in my -previous post about gpg ([mutt tutorial part 2][2]). To workaround this you can -use different format of folder variable: - -``` +- You can debug Mutt using `-d 5` parameter, this option creates + `$HOME/.muttdebug0` file with verbose output, debug option can be changed in + range 1-5. +- Use latest-greatest version compiled from source instead version provided by + distribution repository. It can help you get rid of problems like + `tls_socket_read (Decryption has failed.)`. +- Some accounts will not work with authenticating method presented in my + previous post about gpg ([mutt tutorial part 2][2]). To workaround this you + can use different format of folder variable: + +```bash set folder = imaps://[login]:[passwd_var]@[imap_server]/ # i.e. imaps://foo:$my_bar_passwd@bar.pl@imap.srv.pl/ ``` @@ -78,23 +78,28 @@ use different format of folder variable: If you looking for latest Mutt version consider compiling mutt by yourself. First, download sources: - hg clone http://dev.mutt.org/hg/mutt#HEAD - hg update -C HEAD - hg pull -u +```bash +hg clone http://dev.mutt.org/hg/mutt#HEAD +hg update -C HEAD +hg pull -u +``` There are lot of options to prepare Mutt compilation, but right now I can suggest this parameters: - cd mutt - ./prepare --with-ssl --enable-debug --enable-imap --enable-smtp --enable-pop - -enable-hcache --with-gss --with-gnutls --with-sasl - make && sudo make install +```bash +cd mutt +./prepare --with-ssl --enable-debug --enable-imap --enable-smtp --enable-pop +-enable-hcache --with-gss --with-gnutls --with-sasl +make && sudo make install +``` If make will complain about `gssapi/gssapi.h: No such file or directory` then you need to install `libkrb5-dev`: - sudo apt-get install libkrb5-dev - +```bash +sudo apt-get install libkrb5-dev +``` ### Summary @@ -102,8 +107,8 @@ That's all in this post but I'm sure that there will be next in this topic. I hope to improve my whole workflow and write few posts about improving productivity using open source tools. - [1]: /2012/05/13/mutt-tutorial-part-1-setup-imap-account - [2]: /2012/05/13/mutt-tutorial-part-2-secure-login - [3]: /2012/05/13/mutt-tutorial-part-3-sidebar-urls-in-e - [4]: /2012/05/13/mutt-tutorial-part-4-html-mails-address - [5]: http://stackoverflow.com/questions/953481/restore-a-deleted-file-in-a-git-repo +[1]: /2012/05/13/mutt-tutorial-part-1-setup-imap-account +[2]: /2012/05/13/mutt-tutorial-part-2-secure-login +[3]: /2012/05/13/mutt-tutorial-part-3-sidebar-urls-in-e +[4]: /2012/05/13/mutt-tutorial-part-4-html-mails-address +[5]: http://stackoverflow.com/questions/953481/restore-a-deleted-file-in-a-git-repo diff --git a/blog/content/post/2013-05-16-workflow-imporovement-with-open-source-tools-part-1.md b/blog/content/post/2013-05-16-workflow-imporovement-with-open-source-tools-part-1.md index 2df2f31a..854c0f26 100644 --- a/blog/content/post/2013-05-16-workflow-imporovement-with-open-source-tools-part-1.md +++ b/blog/content/post/2013-05-16-workflow-imporovement-with-open-source-tools-part-1.md @@ -1,6 +1,6 @@ --- ID: 62856 -title: 'Workflow imporovement with Open Source tools - part 1' +title: 'Workflow improvement with Open Source tools - part 1' author: piotr.krol post_excerpt: "" layout: post @@ -14,6 +14,7 @@ tags: categories: - Miscellaneous --- + ### Introduction I want to start a series of articles to describe how I improve my workflow with @@ -40,8 +41,9 @@ To enable solarized colorscheme in mutt simply download one of scheme files from `mutt-colors-solarized-dark-16.muttrc`. Copy this file for example to `$HOME/.mutt` and source it in muttrc file: - source $HOME/.mutt/mutt-colors-solarized-dark-16.muttrc - +```bash +source $HOME/.mutt/mutt-colors-solarized-dark-16.muttrc +``` #### Width of From column @@ -49,9 +51,10 @@ Usually from field in today's emails is longer than 19 characters. If this happens mutt by default will not display whole string. To change this behavior you can manipulate -`index_format` variable. I set mine to 30: {% raw %} - set index_format="%4C %Z %{%b %d} %-30.30L (%4l) %s" - {% endraw %} +```bash +`index_format` variable. I set mine to 30: {% raw %} set index_format="%4C %Z +%{%b %d} %-30.30L (%4l) %s" {% endraw %} +``` #### Sidebar @@ -65,85 +68,95 @@ This is probably best program to synchronize your emails with local storage. It also has feature that allow synchronization between different IMAP servers but I'm not using it. Few things are crucial when using `offlineimap`: -* probably easiest way to keep passwords secret is using python hooks for -gnome-keyring, detailed description how to integrate it with `offlineimap` is -[here][4]. Debian name of `gnome-python2-gnomekeyring` is different: `python-gnomekeyring`. -* Use meaningful `localfolders` because you will use it in `mutt` configuration +- probably easiest way to keep passwords secret is using python hooks for + gnome-keyring, detailed description how to integrate it with `offlineimap` is + [here][4]. Debian name of `gnome-python2-gnomekeyring` is different: + `python-gnomekeyring`. +- Use meaningful `localfolders` because you will use it in `mutt` configuration Typical configuration of `$HOME/.offlineimaprc`: - [mbnames] - enabled = yes - filename = ~/.mutt/muttrc.mailboxes - header = "mailboxes " - peritem = "+%(accountname)s/%(foldername)s" - sep = " " - footer = "n" - - [general] - metadata = ~/.offlineimap - maxsyncaccounts = 5 - maxconnections = 2 - accounts = account1, account2 - status_backend = sqlite - pythonfile = ~/.mutt/offlineimap.py - - [Account account1] - autorefresh = 3 - localrepository = acc1_local - remoterepository = acc1_remote - - [Repository acc1_local] - type = Maildir - localfolders = ~/.mail/account1 - - [Repository acc2_remote] - type = Gmail - remoteusereval = get_username("account1") - remotepasseval = get_password("account1") - sslcacertfile = /etc/ssl/certs/ca-certificates.crt - - [Account account2] - autorefresh = 3 - localrepository = acc2_local - remoterepository = acc2_remote - - [Repository acc2_local] - type = Maildir - localfolders = ~/.mail/account2 - - [Repository acc2_remote] - type = Gmail - remoteusereval = get_username("account2") - remotepasseval = get_password("account2") - sslcacertfile = /etc/ssl/certs/ca-certificates.crt +```bash +[mbnames] +enabled = yes +filename = ~/.mutt/muttrc.mailboxes +header = "mailboxes " +peritem = "+%(accountname)s/%(foldername)s" +sep = " " +footer = "n" + +[general] +metadata = ~/.offlineimap +maxsyncaccounts = 5 +maxconnections = 2 +accounts = account1, account2 +status_backend = sqlite +pythonfile = ~/.mutt/offlineimap.py + +[Account account1] +autorefresh = 3 +localrepository = acc1_local +remoterepository = acc1_remote + +[Repository acc1_local] +type = Maildir +localfolders = ~/.mail/account1 + +[Repository acc2_remote] +type = Gmail +remoteusereval = get_username("account1") +remotepasseval = get_password("account1") +sslcacertfile = /etc/ssl/certs/ca-certificates.crt + +[Account account2] +autorefresh = 3 +localrepository = acc2_local +remoterepository = acc2_remote + +[Repository acc2_local] +type = Maildir +localfolders = ~/.mail/account2 + +[Repository acc2_remote] +type = Gmail +remoteusereval = get_username("account2") +remotepasseval = get_password("account2") +sslcacertfile = /etc/ssl/certs/ca-certificates.crt +``` What this means by section: -* `[mbnames]` - automatically create mailboxes folders according to your configuration on IMAP server -* `[general]` - most important things here are self explanatory accounts variable and `max{syncaccounts,connections}`, first said how many accounts should be synchronized and second how many simultaneous connections should be used -* `[Account *]` - contain sync refresh time in minutes (`autorefresh`) and link to local and remote repository definitions (`localrepository` and `remoterepository`) -* `[Repository *]` - for local folder and its type and for remote gnome-keyring configuration +- `[mbnames]` - automatically create mailboxes folders according to your + configuration on IMAP server +- `[general]` - most important things here are self explanatory accounts + variable and `max{syncaccounts,connections}`, first said how many accounts + should be synchronized and second how many simultaneous connections should be + used +- `[Account *]` - contain sync refresh time in minutes (`autorefresh`) and link + to local and remote repository definitions (`localrepository` and + `remoterepository`) +- `[Repository *]` - for local folder and its type and for remote gnome-keyring + configuration #### Multiple account configuration To simplify multiple accounts configuration I added two things: -* separated account files configuration - in my case placed in `$HOME/.mutt/accounts` - - set postponed = +account1@server.com/Drafts - set spoolfile = +account1@server.com/INBOX - set record = +account1@server.com/Sent - set from = 'account1@server.com' - set realname = 'My Name' - set smtp_url = smtps://acc1@smtp.server.com:587 - set smtp_pass = $my_pass - set signature = "~/.mutt/signature.example" +- separated account files configuration - in my case placed in + `$HOME/.mutt/accounts` + ```bash + set postponed = <+account1@server.com>/Drafts set spoolfile = + <+account1@server.com>/INBOX set record = <+account1@server.com>/Sent set from + = '' set realname = 'My Name' set smtp_url = + smtps://acc1@smtp.server.com:587 set smtp_pass = $my_pass set signature = + "~/.mutt/signature.example" + ``` -* folder hooks for particular account - it cause automatic loading of configurations when folder was changed (in `$HOME/muttrc`): +- folder hooks for particular account - it cause automatic loading of + configurations when folder was changed (in `$HOME/muttrc`): - folder-hook 'account1@server.com' 'source $HOME/.mutt/accounts/account1' + folder-hook '' 'source $HOME/.mutt/accounts/account1' #### Separate mailing list file @@ -153,11 +166,11 @@ manually created IMAP folders and Gmail filters to move mails from mailing list to this folders. On the mutt side I use `subscribe` command to indicate that particular mail id is a mailing list. -### Personal informations +### Personal improvement -Some informations in my configuration files shouldn't be available for all. I +Some improvement in my configuration files shouldn't be available for all. I mean my email account configuration, my todo list, passwords and things like -that. To store this informations I use additional private git repository and use +that. To store this improvement I use additional private git repository and use it as a submodule for my workspace configuration. I wrote post about keeping configuration using git [here][5] and [here][6]. @@ -176,11 +189,11 @@ I have few ongoing projects like `blog`, `productivity` and `ideas`. In addition I use few flags like `ideas`, `finish`, `enhancement`, `fix` or `bug`. So when I connect project and flag I get few categories like: -* `blog ideas` for new articles ideas -* `blog finish` for articles that should be finished ASAP -* `blog bug/fix` for articles that have to be changed for some reason -* `productivity bug/fix` for productivity tools configuration improvements -* `productivity ideas` for new improvements +- `blog ideas` for new articles ideas +- `blog finish` for articles that should be finished ASAP +- `blog bug/fix` for articles that have to be changed for some reason +- `productivity bug/fix` for productivity tools configuration improvements +- `productivity ideas` for new improvements ### Summary @@ -188,9 +201,9 @@ I think this is enough for first post from this series. Hope it was helpful. If yes then please share, if no then comment what I should improve. Thanks for reading. - [1]: http://ethanschoonover.com/solarized - [2]: https://github.com/sigurdga/gnome-terminal-colors-solarized - [3]: https://github.com/altercation/mutt-colors-solarized - [4]: http://www.clasohm.com/blog/one-entry?entry_id=90957 - [5]: /2012/02/19/improve-productivity-by-tracking-work - [6]: /2012/02/20/improve-productivity-by-tracking-work_20 +[1]: http://ethanschoonover.com/solarized +[2]: https://github.com/sigurdga/gnome-terminal-colors-solarized +[3]: https://github.com/altercation/mutt-colors-solarized +[4]: https://web.archive.org/web/20110722113402/http://www.clasohm.com/blog/one-entry?entry_id=90957 +[5]: /2012/02/19/improve-productivity-by-tracking-work +[6]: /2012/02/20/improve-productivity-by-tracking-work_20 diff --git a/blog/content/post/2013-06-07-0x0-intro-to-virtual-development-board-building.md b/blog/content/post/2013-06-07-0x0-intro-to-virtual-development-board-building.md index a67fad1e..a9470632 100644 --- a/blog/content/post/2013-06-07-0x0-intro-to-virtual-development-board-building.md +++ b/blog/content/post/2013-06-07-0x0-intro-to-virtual-development-board-building.md @@ -15,12 +15,6 @@ tags: categories: - Firmware --- -* [Preface][1] -* [First question: How to start ?][2] -* [Virtual Development Board - table of contents][3] -* [Kudos][4] - - ### Preface @@ -32,7 +26,6 @@ only a gadgets :) ). This is all embedded. Another thing is that wages of experienced embedded developers are really high. This environment is very interesting. A lot to learn, a lot to do, so why not get your hands dirty? - ### First question: How to start? To do real embedded development, to learn the most, you simply buy hardware like @@ -48,39 +41,36 @@ environment based on virtualized/emulated solution, to check basic features, speed up testing, development and deployment. That's why we see so active development of software like Qemu/KVM. - ### Virtual Development Board - table of contents I realize that it is achievable and I will learn a lot trying to implement this -idea. Finally I was convinced reading [this][5] two years old article on -[eLinux.org][6]. I decide to divide this article on few parts because IMHO it +idea. Finally I was convinced reading [this][1] two years old article on +[eLinux.org][2]. I decide to divide this article on few parts because IMHO it was to big to read it at once. Also people interesting in particular topic won't have to scrolling `>2k` words post. List of all articles in this series: -1. [Qemu as an environment for embedded board emulation][7] -2. [Toolchain for Virtual Development Board][8] -3. [Embedded board bootloader][9] -4. [Linux kernel for embedded system][10] -5. [Qemu network configuration and tftp for Virtual Development Board][11] -6. [Root file system for embedded system][12] +1. [Qemu as an environment for embedded board emulation][3] +1. [Toolchain for Virtual Development Board][4] +1. [Embedded board bootloader][5] +1. [Linux kernel for embedded system][6] +1. [Qemu network configuration and tftp for Virtual Development Board][7] +1. [Root file system for embedded system][8] - ### Kudos -At the and of this intro I want to give big kudos to all those hackers without whom creating this article would not be possible. Thanks for sharing your knowledge. Every time when I use knowledge that found by googling I'm trying to stick link for further reading. +At the and of this intro I want to give big kudos to all those hackers without +whom creating this article would not be possible. Thanks for sharing your +knowledge. Every time when I use knowledge that found by googling I'm trying to +stick link for further reading. -####[*Enjoy!*][13]#### +#### [_Enjoy!_][9] - [1]: /2013/06/07/intro-to-virtual-development-board-building/#preface - [2]: /2013/06/07/intro-to-virtual-development-board-building/#first-question - [3]: /2013/06/07/intro-to-virtual-development-board-building/#virtual-development-board - [4]: /2013/06/07/intro-to-virtual-development-board-building/#kudos - [5]: http://www.elinux.org/Virtual_Development_Board - [6]: http://www.elinux.org - [7]: /2013/06/07/qemu-as-an-environment-for-embedded-board-emulation/ - [8]: /2013/06/07/toolchain-for-virtual-development-board/ - [9]: /2013/06/07/embedded-board-bootloader/ - [10]: /2013/06/07/linux-kernel-for-embedded-system/ - [11]: /2013/06/07/qemu-network-configuration-and-tftp-for-virtual-development-board/ - [12]: /2013/06/07/root-file-system-for-embedded-system/ - [13]: /2013/06/07/qemu-as-an-environment-for-embedded-board-emulation +[1]: http://www.elinux.org/Virtual_Development_Board +[2]: http://www.elinux.org +[3]: /2013/06/07/qemu-as-an-environment-for-embedded-board-emulation/ +[4]: /2013/06/07/toolchain-for-virtual-development-board/ +[5]: /2013/06/07/embedded-board-bootloader/ +[6]: /2013/06/07/linux-kernel-for-embedded-system/ +[7]: /2013/06/07/qemu-network-configuration-and-tftp-for-virtual-development-board/ +[8]: /2013/06/07/root-file-system-for-embedded-system/ +[9]: /2013/06/07/qemu-as-an-environment-for-embedded-board-emulation diff --git a/blog/content/post/2013-06-07-0x1-qemu-as-an-environment-for-embedded-board-emulation.md b/blog/content/post/2013-06-07-0x1-qemu-as-an-environment-for-embedded-board-emulation.md index 72b9777f..db7c7ad1 100644 --- a/blog/content/post/2013-06-07-0x1-qemu-as-an-environment-for-embedded-board-emulation.md +++ b/blog/content/post/2013-06-07-0x1-qemu-as-an-environment-for-embedded-board-emulation.md @@ -15,55 +15,63 @@ categories: - OS Dev - App Dev --- -## Table of contents ## -* [Introduction](/2013/06/07/qemu-as-an-environment-for-embedded-board-emulation/#intro) -* [Compilation](/2013/06/07/qemu-as-an-environment-for-embedded-board-emulation/#compilation) -* [Kudos](/2013/06/07/qemu-as-an-environment-for-embedded-board-emulation/#kudos) +## Table of contents - -### Introduction ### +- [Introduction](/2013/06/07/qemu-as-an-environment-for-embedded-board-emulation/#intro) +- [Compilation](/2013/06/07/qemu-as-an-environment-for-embedded-board-emulation/#compilation) +- [Kudos](/2013/06/07/qemu-as-an-environment-for-embedded-board-emulation/#kudos) + +### Introduction QEMU is a CPU emulator using dynamic binary translation to convert guest CPU instructions into host CPU -instructions[[1]](http://infoscience.epfl.ch/record/149975/files/x86-llvm-translator-chipounov_2.pdf). +instructions[\[1\]](http://infoscience.epfl.ch/record/149975/files/x86-llvm-translator-chipounov_2.pdf). It supports many architectures from x86, through ARM and MIPS, to MicroBlaze. According to compilation configuration target list QEMU targets 26 different -softmmu types. Only for ARM it supports 33 machines (like ARM Versatile/PB +softmmu types. Only for ARM it supports 33 machines (like ARM Versatile/PB (ARM926EJ-S) or Samsung NURI board (Exynos4210)) and 28 CPUs (with cortex-a9 and pxa270). It gives access to network, storage, video, usb, serial and other peripheral, also user defined. It is developed under GNU GPL, so everybody are free to make modifications, improve and extend it. This properties makes QEMU very good candidate for virtual board emulator. - -### Compilation ### +### Compilation + Let's start creating our Virtual Development Board. As usually I will use latest greatest version from git: + ```bash git clone http://git.qemu.org/git/qemu.git ``` -Compile it and install. Right now I will use only `arm-softmmu` target because it -will emulate whole arm system for me. ARM right now dominated big part of + +Compile it and install. Right now I will use only `arm-softmmu` target because +it will emulate whole arm system for me. ARM right now dominated big part of embedded market but we will see if situation won't change in feature. + ```bash cd qemu ./configure --target-list=arm-softmmu make make install ``` -During configuration process you can encounter lack of `pixman`, just accept qemu -offer to initialize it as a submodule. -``` + +During configuration process you can encounter lack of `pixman`, just accept +qemu offer to initialize it as a submodule. + +```bash git submodule update --init pixman make # restart compilation process make install ``` + If compilation ends without problem than our first component is ready to use. Right now we can emulate our ARM based board with many types of CPUs. List of all available can be retrieved by running command `qemu-system-arm -cpu ?`, list -of emulated machines by `-M ?`. Now, let's talk about [toolchains](/2013/06/07/toolchain-for-virtual-development-board). +of emulated machines by `-M ?`. Now, let's talk about +[toolchains](/2013/06/07/toolchain-for-virtual-development-board). + +### Kudos - -### Kudos ### -[1] [Dynamically Translating x86 to LLVM using QEMU](http://infoscience.epfl.ch/record/149975/files/x86-llvm-translator-chipounov_2.pdf) +\[1\] +[Dynamically Translating x86 to LLVM using QEMU](http://infoscience.epfl.ch/record/149975/files/x86-llvm-translator-chipounov_2.pdf) diff --git a/blog/content/post/2013-06-07-0x2-toolchain-for-virtual-development-board.md b/blog/content/post/2013-06-07-0x2-toolchain-for-virtual-development-board.md index 01639774..7c2d6a38 100644 --- a/blog/content/post/2013-06-07-0x2-toolchain-for-virtual-development-board.md +++ b/blog/content/post/2013-06-07-0x2-toolchain-for-virtual-development-board.md @@ -16,72 +16,67 @@ categories: - OS Dev - App Dev --- -## Table of contents ## -* [Introduction](/2013/06/07/toolchain-for-virtual-development-board/#intro) -* [What is toolchain ?](/2013/06/07/toolchain-for-virtual-development-board/#what-is-toolchain) -* [Why we need cross-toolchain ?](/2013/06/07/toolchain-for-virtual-development-board/#why-we-need-cross-toolchain) -* [How to create toolchain ?](/2013/06/07/toolchain-for-virtual-development-board/#how-to-create-toolchain) -* [Emdebian path](/2013/06/07/toolchain-for-virtual-development-board/#emdebian-path) -* [Summary](/2013/06/07/toolchain-for-virtual-development-board/#summary) -* [Kudos](/2013/06/07/toolchain-for-virtual-development-board/#kudos) - - -### Introduction ### +### Introduction This is probably the most complicated topic of all related to embedded development but we need to deal with it at the beginning. I read a lot about toolchains but still don't know enough to explain details. I think that best -answers are in crosstool-ng [documentation](http://crosstool-ng.org/hg/crosstool-ng/file/0fc56e62cecf/docs). +answers are in crosstool-ng +[documentation](http://crosstool-ng.org/hg/crosstool-ng/file/0fc56e62cecf/docs). - -### What is toolchain ? ### +### What is toolchain ? _Toolchain_ as the name said is a set of tools chained together, so output of -one tool is the input for different tool. This is well known concept in -Linux (eg. pipes). In embedded environment toolchain is called cross-toolchain or +one tool is the input for different tool. This is well known concept in Linux +(eg. pipes). In embedded environment toolchain is called cross-toolchain or cross-compiler, because usually it compiles on one architecture and generate -code for another (eg. it compiles on x86 and generate code for arm)[[1]](http://elinux.org/Toolchains). +code for another +[eg. it compiles on x86 and generate code for arm](http://elinux.org/Toolchains). - -### Why we need cross-toolchain ? ### +### Why we need cross-toolchain ? -I suspect that your laptop/PC is not based on ARM processor, most probably it based on -x86 architecture so you cannot simply compile code and run it in our +I suspect that your laptop/PC is not based on ARM processor, most probably it +based on x86 architecture so you cannot simply compile code and run it in our virtual-arm-based environment. To prepare operating system and tools for it we need cross-toolchain. - -### How to create toolchain ? ### +### How to create toolchain ? Process of creating cross-toolchain from scratch is not easy and takes some time. There are few other ways to get toolchain, than creating it from scratch. -First we can use prebuilt toolchain providers like: `CodeSourcery`, `Linaro`, `DENX -EDLK` or `Emdebian`. Second we can create toolchain using special building system like: `Buildroot`, `Crosstool-NG` -or `Bitbake`. I will not deal with preparing toolchain in this series -because procedure for creating it takes pretty long. So we have two options: +First we can use prebuilt toolchain providers like: `CodeSourcery`, `Linaro`, +`DENX EDLK` or `Emdebian`. Second we can create toolchain using special building +system like: `Buildroot`, `Crosstool-NG` or `Bitbake`. I will not deal with +preparing toolchain in this series because procedure for creating it takes +pretty long. So we have two options: -* read my article about [Crosstool-NG arm-unknown-linux-gnueabi](/2013/04/03/yet-another-quick-build-of-arm-unknown-linux-gnueabi) -* or install toolchain ready to use like [Emdebian](http://www.emdebian.org/) +- read my article about + [Crosstool-NG arm-unknown-linux-gnueabi](/2013/04/03/yet-another-quick-build-of-arm-unknown-linux-gnueabi) +- or install toolchain ready to use like [Emdebian](http://www.emdebian.org/) - -#### Emdebian path #### +#### Emdebian path Add below lines to you `/etc/apt/sources.list`: + ```bash deb http://ftp.uk.debian.org/emdebian/toolchains unstable main ``` + Install Emdebian keys, update and install cross-compiler with all related packages: + ```bash sudo apt-get install emdebian-archive-keyring sudo apt-get update sudo apt-get install gcc-4.7-arm-linux-gnueabi ``` -##### Dependency problems during installation ##### +##### Dependency problems during installation + If above attempt to install cross-compiler ends with: -``` + +```bash pietrushnic@eglarest:~/src$ sudo apt-get install gcc-4.7-arm-linux-gnueabi Reading package lists... Done Building dependency tree @@ -97,57 +92,66 @@ The following packages have unmet dependencies: is not going to be installed E: Unable to correct problems, you have held broken packages. ``` + This means that Debian ustable cross-compiler is not available for you configuration. You can read more about that -[here](http://lists.debian.org/debian-embedded/2011/05/msg00029.html). -To fix that issue simply change emdebian toochain repository to testing in +[here](http://lists.debian.org/debian-embedded/2011/05/msg00029.html). To fix +that issue simply change emdebian toochain repository to testing in `/etc/apt/source.list`: -``` + +```bash deb http://ftp.uk.debian.org/emdebian/toolchains testing main ``` -##### Emdebian toolchain configuration ##### +##### Emdebian toolchain configuration + Check where `arm-linux-eabi-gcc-4.7` was installed: + ```bash whereis arm-linux-gnueabi-gcc-4.7 arm-linux-gnueabi-gcc-4: /usr/bin/arm-linux-gnueabi-gcc-4.7 /usr/bin/X11/arm-linux-gnueabi-gcc-4.7 ``` -It is not linked to `arm-linux-gnueabi-gcc`, so we cannot give its prefix as `CROSS_COMPILE` -variable value, which is needed for bootloader and kernel compilation. We have to link -it to `arm-linux-gnueabi-gcc`: + +It is not linked to `arm-linux-gnueabi-gcc`, so we cannot give its prefix as +`CROSS_COMPILE` variable value, which is needed for bootloader and kernel +compilation. We have to link it to `arm-linux-gnueabi-gcc`: + ```bash sudo ln -s /usr/bin/arm-linux-gnueabi-gcc-4.7 /usr/bin/arm-linux-gnueabi-gcc ``` Toolchain is ready to use. -_Note_: I tried `CodeSourcery` toolchain `arm-2012.09-64-arm-none-linux-gnueabi.bin`, -but it contain `binutils` defect that not allow correctly build kernel. If you see -something like this in log: -``` +_Note_: I tried `CodeSourcery` toolchain +`arm-2012.09-64-arm-none-linux-gnueabi.bin`, but it contain `binutils` defect +that not allow correctly build kernel. If you see something like this in log: + +```bash Error: selected processor does not support ARM mode `ldralt lr,[r1],#4' ``` -That means you experience same thing, please use `Emdebian` or `Crosstool-NG` toolchain. + +That means you experience same thing, please use `Emdebian` or `Crosstool-NG` +toolchain. _Note 2_: If you're `Ubuntu` user I have to suggest experiments with toolchain build by your own, because I get really hard times trying to go through this tutorial with Ubuntu/Linaro cross compiler provided in repository. Finally I -used [this](/2013/04/03/yet-another-quick-build-of-arm-unknown-linux-gnueabi) -to push things forward. U-boot compiled with Ubuntu/Linaro toolchain had problem +used [this](/2013/04/03/yet-another-quick-build-of-arm-unknown-linux-gnueabi) to +push things forward. U-boot compiled with Ubuntu/Linaro toolchain had problem with `__udivsi3` instruction. This cause loop in initialization process. - -### Summary ### +### Summary + If you take effort of creating toolchain using `Crosstool-NG` than -congratulations. But for simplifying whole [__Virtual Development Board__](/2013/06/07/intro-to-virtual-development-board-building) +congratulations. But for simplifying whole +[**Virtual Development Board**](/2013/06/07/intro-to-virtual-development-board-building) series I will use `Emdebian` toolchain in further posts. Of course you can use -your brand new `Crosstool-NG` toolchain by simply remember that tools prefixes are -different. `Emdebian` uses `arm-linux-gnueabi-` and `Crosstool-NG` was created with -`arm-unknown-linux-gnueabi-`. Replace one with another every time when needed. -In [next post](/2013/06/07/embedded-board-bootloader) we will deal with -bootloader. +your brand new `Crosstool-NG` toolchain by simply remember that tools prefixes +are different. `Emdebian` uses `arm-linux-gnueabi-` and `Crosstool-NG` was +created with `arm-unknown-linux-gnueabi-`. Replace one with another every time +when needed. In [next post](/2013/06/07/embedded-board-bootloader) we will deal +with bootloader. - -### Kudos ### +### Kudos -[1] [Toolchains](http://elinux.org/Toolchains) +- [Toolchains](http://elinux.org/Toolchains) diff --git a/blog/content/post/2013-06-07-0x3-embedded-board-bootloader.md b/blog/content/post/2013-06-07-0x3-embedded-board-bootloader.md index 5b297ff4..afcc6333 100644 --- a/blog/content/post/2013-06-07-0x3-embedded-board-bootloader.md +++ b/blog/content/post/2013-06-07-0x3-embedded-board-bootloader.md @@ -16,18 +16,9 @@ tags: categories: - Firmware --- -## Table of contents ## - -* [What is bootloader ?](/2013/06/07/embedded-board-bootloader/#what-is-bootloader) -* [Why we need bootloader ?](/2013/06/07/embedded-board-bootloader/#why-we-need-bootloader) -* [Which bootloader ?](/2013/06/07/embedded-board-bootloader/#which-bootloader) -* [What is versatilepb ?](/2013/06/07/embedded-board-bootloader/#what-is-versatilepb) -* [Compilation](/2013/06/07/embedded-board-bootloader/#compilation) -* [Where to go from here ?](/2013/06/07/embedded-board-bootloader/#where-to-go-from-here) -* [Kudos](/2013/06/07/embedded-board-bootloader/#kudos) - - -### What is bootloader ? ### + +### What is bootloader ? + It is a program written to bring up more complex code (eg. kernel). On very simple system it can even not exist. Bootloader should prepare all @@ -35,24 +26,27 @@ required hardware that kernel or different operating software will need at its start point. It is hard to create cross platform bootloader because of variety of system requirements. - -### Why we need bootloader ? ### +### Why we need bootloader ? + The true is that we don't :) because we can simply pass kernel and initramfs as -parameters to QEMU, but it is not common practice for real development environment. -Usually bootloader is stripped in production environment where boot time is -crucial. Second thing, bootloader is useful to learn how real development -environment for embedded system works. From other side using bootloader we can -create single binary file that contain bootable embedded system, so we can run -it without giving multiple arguments at QEMU startup. I will try to keep in mind -idea about being as close to real development environment as possible. - - -### Which bootloader ? ### +parameters to QEMU, but it is not common practice for real development +environment. Usually bootloader is stripped in production environment where boot +time is crucial. Second thing, bootloader is useful to learn how real +development environment for embedded system works. From other side using +bootloader we can create single binary file that contain bootable embedded +system, so we can run it without giving multiple arguments at QEMU startup. I +will try to keep in mind idea about being as close to real development +environment as possible. + +### Which bootloader ? + There are many approaches to this problem. The most popular today is -[U-Boot](http://www.denx.de/wiki/U-Boot) but there are alternatives like [The Barebox Bootloader](http://www.barebox.org/). -I will try to get to know them better in future. Right now I will use U-Boot as -Virtual Development Board bootloader to make the edit-compile-download-test cycle -similar to real world situation. So get the code: +[U-Boot](http://www.denx.de/wiki/U-Boot) but there are alternatives like +[The Barebox Bootloader](http://www.barebox.org/). I will try to get to know +them better in future. Right now I will use U-Boot as Virtual Development Board +bootloader to make the edit-compile-download-test cycle similar to real world +situation. So get the code: + ```bash git clone http://git.denx.de/u-boot.git ``` @@ -62,28 +56,29 @@ cpu will be some ARM but what exactly ? It depends on configuration we will use. In most scenarios presented in Internet the `versatilepb` was used. We can also think about running different boards. -What pros U-Boot gives us in the light of previous question `Why we need -bootloader ?`: +What pros U-Boot gives us in the light of previous question +`Why we need bootloader ?`: -* simplified process of porting kernel, because low level stuff is handled by -U-Boot -* simplified testing environment in easy way you can grab different version of +- simplified process of porting kernel, because low level stuff is handled by + U-Boot +- simplified testing environment in easy way you can grab different version of kernel with different version of initrd and test it +### What is versatilepb ? - -### What is versatilepb ? ### -According to [this page](http://www.arm.com/products/tools/development-boards/versatile/index.php) -versatile is highly modular, feature-rich range of development board. `pb` -means `Platform Baseboard` integrated, standalone development system with fixed -CPU. But this is only corporate babble :) +According to +[this page](http://www.arm.com/products/tools/development-boards/versatile/index.php) +versatile is highly modular, feature-rich range of development board. `pb` means +`Platform Baseboard` integrated, standalone development system with fixed CPU. +But this is only corporate babble :) QEMU shows `versatilepb` as Versatile/PB ([ARM926EJ-S](http://www.arm.com/products/processors/classic/arm9/arm926.php)). - -### Compilation ### +### Compilation + For `Emdebian` cross-toolchain: + ```bash cd u-boot make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- versatilepb_config @@ -91,22 +86,31 @@ make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- ``` _Note_: If you wonder what is the convention for cross-toolchain prefix: -``` + +```bash [arch]-[vendor]-[os]-[abi] ``` + `Emdebian` striped vendor probably to keep name short, but for example -`Corsstool-NG` follow convetion and calls toolchain like +`Corsstool-NG` follow convention and calls toolchain like `arm-unknown-linux-gnueabi-`. - -### Where to go from here ? ### -[Next step](/2013/06/07/linux-kernel-for-embedded-system) will be kernel compilation for our virtual `versatilepb` board. +### Where to go from here ? + +[Next step](/2013/06/07/linux-kernel-for-embedded-system) will be kernel +compilation for our virtual `versatilepb` board. + +### Kudos + +\[1\] +[Introduction to Das U-Boot, the universal open source bootloader](http://www.linuxfordevices.com/c/a/Linux-For-Devices-Articles/Introduction-to-Das-UBoot-the-universal-open-source-bootloader/) + +\[2\] [U-Boot](http://www.denx.de/wiki/U-Boot) + +\[3\] +[U-boot for the multi-boot support](http://forum.xda-developers.com/showthread.php?t=2201146) - -### Kudos ### +\[4\] +[Booting Linux with U-Boot on QEMU ARM](http://balau82.wordpress.com/2010/04/12/booting-linux-with-u-boot-on-qemu-arm/) -[1] [Introduction to Das U-Boot, the universal open source bootloader](http://www.linuxfordevices.com/c/a/Linux-For-Devices-Articles/Introduction-to-Das-UBoot-the-universal-open-source-bootloader/)
    -[2] [U-Boot](http://www.denx.de/wiki/U-Boot)
    -[3] [U-boot for the multi-boot support](http://forum.xda-developers.com/showthread.php?t=2201146)
    -[4] [Booting Linux with U-Boot on QEMU ARM](http://balau82.wordpress.com/2010/04/12/booting-linux-with-u-boot-on-qemu-arm/)
    -[5] [Bootloader](http://wiki.osdev.org/Bootloader)
    +\[5\] [Bootloader](http://wiki.osdev.org/Bootloader) diff --git a/blog/content/post/2013-06-07-0x4-linux-kernel-for-embedded-system.md b/blog/content/post/2013-06-07-0x4-linux-kernel-for-embedded-system.md index a7935067..d5d9dd19 100644 --- a/blog/content/post/2013-06-07-0x4-linux-kernel-for-embedded-system.md +++ b/blog/content/post/2013-06-07-0x4-linux-kernel-for-embedded-system.md @@ -15,29 +15,24 @@ tags: categories: - OS Dev --- -## Table of contents ## -* [A little history](/2013/06/07/linux-kernel-for-embedded-system/#a-little-history) -* [Get linux and build it](/2013/06/07/linux-kernel-for-embedded-system/#get-linux-and-build-it) -* [Kudos](/2013/06/07/linux-kernel-for-embedded-system/#kudos) +### A little history - -### A little history ### -Thinking about embedded linux probably leads to first try of porting linux to +Thinking about embedded linux probably leads to first try of porting linux to different architecture. I did google research (I know I should probably read mailing list archive) and found that there were few attempt to port linux to different platform. There is no clear information about which port of linux was -first. This is probably because many hackers didn't report their effort. Arguably -earliest out-of-tree version was probably for Acron A5000 (arm), Motorola 68000 -(m68k) around Spring/Summer of 1994. I found also notes about SPARC port in -1993. Some sources also tells story about 1993 Amiga and Atari port. But first -port that get in to official linux tree was DEC Alpha.[[1]](http://digital-domain.net/lug/unix-linux-history.html)[[2]](http://www.arm.linux.org.uk/docs/history.php) +first. This is probably because many hackers didn't report their effort. +Arguably earliest out-of-tree version was probably for Acron A5000 (arm), +Motorola 68000 (m68k) around Spring/Summer of 1994. I found also notes about +SPARC port in 1993. Some sources also tells story about 1993 Amiga and Atari +port. But first port that get in to official linux tree was DEC +Alpha. So linux is already 22 years old and first port start when it was 2-3 years old, so we can assume it is mature enough to support most of non-x86 architectures. - -### Get linux and build it ### +### Get linux and build it To deal with our _embedded_ board we need operating system or some kind of software that will allow us to use board features. Right now to boot system we @@ -45,11 +40,14 @@ need at least kernel. So we have to prepare kernel for board of choice `versatilepb`. Let's start with cloning Linux repository: -``` + +```bash git clone https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git ``` + and configure kernel for `versatilepb`. -``` + +```bash cd linux make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- versatile_defconfig ``` @@ -58,63 +56,78 @@ It looks some feature is disabled in `versatile_defconfig`. I mean `CONFIG_AEABI`. It specifies file format, data types, register usage and other things. The main difference between EABI and ABI is that privileged instructions are allowed in application code. More about EABI -[here](http://en.wikipedia.org/wiki/Application_binary_interface#EABI). -To enable this option run: -``` +[here](http://en.wikipedia.org/wiki/Application_binary_interface#EABI). To +enable this option run: + +```bash make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- menuconfig ``` + and go to: -``` + +```bash Kernel Features -> Use the ARM EABI to compile the kernel ``` + We will also need DHCP and NFS support (CONFIG_IP_PNP_DHCP and CONFIG_ROOT_NFS). First is `IP: DHCP support` and can be found under: -``` + +```bash -> Networking support (NET [=y]) -> Networking options -> TCP/IP networking (INET [=y]) -> IP: kernel level autoconfiguration (IP_PNP [=y]) ``` + Second is : -``` + +```bash -> File systems - -> Network File Systems (NETWORK_FILESYSTEMS [=y]) + -> Network File Systems (NETWORK_FILESYSTEMS [=y]) ``` + let's build image with U-Boot support. -``` + +```bash make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- uImage ``` + We have kernel. How we can provide this kernel to our development environment ? -As I discuss in [previous post](/2013/06/07/embedded-board-bootloader) we -can use bare-metal qemu, but not with uImage kernel. This is special U-Boot -kernel, so easiest way will be using it with bootloader. We will figure out how -to do this in [next section](/2013/06/07/qemu-network-configuration-and-tftp-for-virtual-development-board) +As I discuss in [previous post](/2013/06/07/embedded-board-bootloader) we can +use bare-metal qemu, but not with uImage kernel. This is special U-Boot kernel, +so easiest way will be using it with bootloader. We will figure out how to do +this in +[next section](/2013/06/07/qemu-network-configuration-and-tftp-for-virtual-development-board) about tftp and qemu network configuration. -__TODO__: add picture of configuration in intro - vdb, link it here -Target configuration will consist on providing kernel through tftp server using U-Boot. Also -want to use NFS root filesystem to boot our small distro. As it is in real +**TODO**: add picture of configuration in intro - vdb, link it here Target +configuration will consist on providing kernel through tftp server using U-Boot. +Also want to use NFS root filesystem to boot our small distro. As it is in real development environment. _NOTE_: During compilation process you can encounter error like this: -``` + +```bash (...) UIMAGE arch/arm/boot/uImage "mkimage" command not found - U-Boot images will not be built make[1]: *** [arch/arm/boot/uImage] Error 1 make: *** [uImage] Error 2 ``` + Of course it means that we need mkimage to create U-Boot image, so: -``` + +```bash sudo apt-get install uboot-mkimage ``` + _Update_: in Debian jessie/sid this package was replaced by `u-boot-tools`. -We have to use uImage special build because load and execute address differes +We have to use uImage special build because load and execute address differs from board to board. If we will use vmlinux image then addresses should be manually modified. So using uImage is easiest - -### Kudos ### -[1] [UNIX/Linux History](http://digital-domain.net/lug/unix-linux-history.html)
    -[2] [The History of ARM Linux](http://www.arm.linux.org.uk/docs/history.php) +### Kudos + +* [UNIX/Linux History](http://digital-domain.net/lug/unix-linux-history.html) +* [The History of ARM Linux](http://www.arm.linux.org.uk/docs/history.php) diff --git a/blog/content/post/2013-06-07-0x5-qemu-network-configuration-and-tftp-for-virtual-development-board.md b/blog/content/post/2013-06-07-0x5-qemu-network-configuration-and-tftp-for-virtual-development-board.md index 3ca44852..d5b3ee1f 100644 --- a/blog/content/post/2013-06-07-0x5-qemu-network-configuration-and-tftp-for-virtual-development-board.md +++ b/blog/content/post/2013-06-07-0x5-qemu-network-configuration-and-tftp-for-virtual-development-board.md @@ -16,78 +16,84 @@ categories: - OS Dev - App Dev --- -## Table of contents ## -* [Introduction](/2013/06/07/qemu-network-configuration-and-tftp-for-virtual-development-board/#intro) -* [Setup tftpd](/2013/06/07/qemu-network-configuration-and-tftp-for-virtual-development-board/#setup-tftpd) -* [QEMU networking](/2013/06/07/qemu-network-configuration-and-tftp-for-virtual-development-board/#qemu-networking) -* [Verify all components of Virtual Development Platform](/2013/06/07/qemu-network-configuration-and-tftp-for-virtual-development-board/#verify-qemu-with-tftp) -* [What next ?](/2013/06/07/qemu-network-configuration-and-tftp-for-virtual-development-board/#what-next) +### Introduction +This was not trivial task to me. As usual `google is your friend` and `RTFM` +works. First we will set tftp which we use to download modified kernel for +U-Boot. Second I will show how to setup bridged network for QEMU needs and +finally we will perform some basic test of our setup. Let's go. - -### Introduction ### -This was not trivial task to me. As usual `google is your friend` and `RTFM` works. -First we will set tftp which we use to download modified kernel for U-Boot. -Second I will show how to setup bridged network for QEMU needs and finally we -will perform some basic test of our setup. Let's go. +### Setup tftpd - -### Setup tftpd ### First install: + ```bash sudo apt-get install tftpd tftp ``` + Make sure that `/srv/tftp` is writable for your user. If directory doesn't exist create it and give needed privileges. If you want to change some server options -edit `/etc/inetd.conf`. Copy or link our kernel to tftp server -directory. +edit `/etc/inetd.conf`. Copy or link our kernel to tftp server directory. + ```bash cd /path/to/kernel/arch/arm/boot ln -s $PWD/uImage /srv/tftp/uImage ``` + Verify if everything works correctly: + ```bash cd # go to home or any other directory different than arch/arm/boot tftp 127.0.0.1 # connect to localhost tftp server get uImage # get kernel file q # quit tftp ``` + Check if kernel file is in current directory. If yes than you tftp server is configured correctly, if not then google or ask me a question in comments -section. -_Note_: For Ubuntu follow instructions from +section. _Note_: For Ubuntu follow instructions from [here](http://www.davidsudjiman.info/2006/03/27/installing-and-setting-tftpd-in-ubuntu/). - -### QEMU networking ### -_Update_: For Ubuntu users please read [this section](/2013/06/07/qemu-network-configuration-and-tftp-for-virtual-development-board/#ubuntu-issues) +### QEMU networking + +_Update_: For Ubuntu users please read +[this section](/2013/06/07/qemu-network-configuration-and-tftp-for-virtual-development-board/#ubuntu-issues) I mixed [this](http://toast.djw.org.uk/qemu.html) BKM and few other resources that I found in the net. Setting up network depend a lot on your configuration. I will briefly describe my situation. It is quite possible that this won't fit yours. -I've `eth0` with ip `10.0.2.15`. What I want to do is create another interface `tap0` and -bridge `br0` that will connect `eth0` and `tap0`. To do this I need few things: +I've `eth0` with ip `10.0.2.15`. What I want to do is create another interface +`tap0` and bridge `br0` that will connect `eth0` and `tap0`. To do this I need +few things: -* `brctl` is provided in Debian by `bridge-utils` -``` +- `brctl` is provided in Debian by `bridge-utils` + +```bash sudo apt-get install bridge-utils ``` -* check if TUN module was installed -``` + +- check if TUN module was installed + +```bash grep CONFIG_TUN= /boot/config-`uname -r` ``` + you should get `y` or `m`, if it is `m` than `modprobe tun`: -``` + +```bash sudo modprobe tun ``` -* create tun device -``` + +- create tun device + +```bash sudo mknod /dev/net/tun c 10 200 ``` -* update `/etc/network/interfaces`: + +- update `/etc/network/interfaces`: ```bash # This file describes the network interfaces available on your system @@ -110,7 +116,8 @@ bridge_stp off allow-hotplug eth0 # comment this iface eth0 inet dhcp # and this ``` -* use `/etc/qemu-ifup` script to bring up your network: + +- use `/etc/qemu-ifup` script to bring up your network: ```bash #!/bin/sh @@ -124,73 +131,91 @@ sleep 2 ``` Give executable permissions for this file: -``` + +```bash sudo chmod +x /etc/qemu-ifup ``` Restart networking services locally: -``` + +```bash sudo service networking restart ``` This should prepare you environment for tftp booting in qemu. - -#### Ubuntu issues #### +#### Ubuntu issues + I had experienced few problems with my Ubuntu 12.04. -* First thing was defect that cause looping u-boot during emulation in +- First thing was defect that cause looping u-boot during emulation in qemu-system-arm. I checked latest qemu and version delivered in distro repository but qemu wasn't issue. I tried debug problem with gdb and qemu `-s -S` switches and find out that u-boot crashes at `__udivsi3` instruction in `serial_init`. I tried to google this issue but found only one comment - about this on [Balau blog](http://balau82.wordpress.com/2010/04/12/booting-linux-with-u-boot-on-qemu-arm/): - {% blockquote [Grant Likely]%} - For anyone trying to reproduce this, at least on a recent Ubuntu host, you may need to pass “-cpu all” or “-cpu cortex-a8″ to qemu. The libgcc that gets linked to u-boot appears to be compiled with thumb2 instructions which are not implemented in the Versatile cpu. I don’t get any u-boot console output without this flag, and using gdb I can see that the cpu takes an exception during `__udivsi3()` called from serial_init(). - {% endblockquote %} - Problem is at least 2-years old and still occurs. Unfortunately Grant's tricks - didn't help. I move to toolchain built by my own and problem was fixed. So the - moral of the story is: DO NOT USE TOOLCHAIN PROVIDED BY UBUNTU at least in - 12.04. - -* Second thing also involve a lot of debugging time and when I found workaround + about this on + [Balau blog](http://balau82.wordpress.com/2010/04/12/booting-linux-with-u-boot-on-qemu-arm/): + {% blockquote \[Grant Likely\]%} For anyone trying to reproduce this, at least + on a recent Ubuntu host, you may need to pass “-cpu all” or “-cpu cortex-a8″ + to qemu. The libgcc that gets linked to u-boot appears to be compiled with + thumb2 instructions which are not implemented in the Versatile cpu. I don’t + get any u-boot console output without this flag, and using gdb I can see that + the cpu takes an exception during `__udivsi3()` called from serial_init(). {% + endblockquote %} Problem is at least 2-years old and still occurs. + Unfortunately Grant's tricks didn't help. I move to toolchain built by my own + and problem was fixed. So the moral of the story is: DO NOT USE TOOLCHAIN + PROVIDED BY UBUNTU at least in 12.04. + +- Second thing also involve a lot of debugging time and when I found workaround it was accidentally. I saw that using procedure correct for Debian on Ubuntu I was unable to obtain any packet inside U-Boot. Network traffic analysis show that U-Boot correctly send DHCP discovery and server reply with DHCP offer, - but bootloader behaves like no packet was received. Static configuration also + but bootloader behaves like no packet was received. Static configuration also didn't work. Finally I get to information how to capture traffic from inside of emulated setup (parameter `-net dump,file=/path/to/file.pcap` do the thing). Surprisingly for some reason adding dump param fix problem and U-Boot received DHCP Offer and ACK. I will try to narrow down this problem for - further reading please take a look [qemu](http://lists.nongnu.org/archive/html/qemu-discuss/2013-05/msg00013.html) - and [u-boot]() mailing list thread. + further reading please take a look + [qemu](http://lists.nongnu.org/archive/html/qemu-discuss/2013-05/msg00013.html) + and u-boot mailing list thread. - -#### Verify all components of Virtual Development Platform #### +#### Verify all components of Virtual Development Platform -So right now we should have built [kernel uImage](/2013/06/07/linux-kernel-for-embedded-system), [U-Boot image](/2013/06/07/embedded-board-bootloader), -[configured qemu network](/2013/06/07/qemu-network-configuration-and-tftp-for-virtual-development-board/#qemu-networking) and [tftp server](/2013/06/07/qemu-network-configuration-and-tftp-for-virtual-development-board/#setup-tftpd). With all this components we can -verify if our kernel booting on emulated `versatilepb`. +So right now we should have built +[kernel uImage](/2013/06/07/linux-kernel-for-embedded-system), +[U-Boot image](/2013/06/07/embedded-board-bootloader), +[configured qemu network](/2013/06/07/qemu-network-configuration-and-tftp-for-virtual-development-board/#qemu-networking) +and +[tftp server](/2013/06/07/qemu-network-configuration-and-tftp-for-virtual-development-board/#setup-tftpd). +With all this components we can verify if our kernel booting on emulated +`versatilepb`. Run your qemu with network using U-Boot image as a kernel. + ```bash sudo qemu-system-arm -kernel /path/to/u-boot/u-boot -net nic,vlan=0 -net tap,vlan=0,ifname=tap0,script=/etc/qemu-ifup -nographic -M versatilepb ``` + _NOTE_: We want to use u-boot file instead of u-boot.bin. First is ELF binary image and second is raw binary. Raw binary image can be used with `-bios` -parameter for qemu. If you try to give raw binary as a kernel parameter it will result with error: -``` +parameter for qemu. If you try to give raw binary as a kernel parameter it will +result with error: + +```bash qemu: fatal: Trying to execute code outside RAM or ROM at 0x08000000 ``` + _NOTE 2_: We have to specify `versatilepb` machine. If we forget it we will get error: -``` + +```bash qemu: hardware error: integratorcm_read: Unimplemented offset 0x1e0000 ``` Right now we have u-boot booted. Let's set ip addresses to boot uImage from our tftp server. For verification needs we don't want to `autoload` downloaded image, so we disable this through environment variable. + ```bash setenv autoload no dhcp @@ -198,12 +223,14 @@ setenv serverip 192.168.1.2 setenv bootfile uImage tftpboot ``` + Set addresses according to your configuration. For some reason I was unable to use u-boot `dhcp` feature. It assign me address that exist in the network. We can take a close look on out downloaded image with `iminfo` command. `tftpboot` and `iminfo` should looks like that: -``` + +```bash VersatilePB # tftpboot SMC91111: PHY auto-negotiate timed out SMC91111: MAC 52:54:00:12:34:56 @@ -241,11 +268,14 @@ filesystem. _NOTE 3_: If you want to see anything after booting this image with `bootm` you have to pass to kernel additional boot argument with serial device that should be used as a console. Before `bootm` set: -``` + +```bash setenv bootargs console=ttyAMA0 ``` + You should get something similar to below log: -``` + +```bash (...) eth0: SMC91C11xFD (rev 1) at c89c8000 IRQ 57 [nowait] eth0: Ethernet addr: 52:54:00:12:34:56 @@ -265,9 +295,10 @@ Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0) [] (kernel_init_freeable+0x168/0x1ac) from [] (kernel_init+0x8/0xe4) [] (kernel_init+0x8/0xe4) from [] (ret_from_fork+0x14/0x24) ``` + This is expected result. - -### What next ?### +### What next ? + We happily built basic virtual development, what we need right now is some [initial filesystem](/2013/06/07/root-file-system-for-embedded-system). diff --git a/blog/content/post/2013-06-07-0x6-root-file-system-for-embedded-system.md b/blog/content/post/2013-06-07-0x6-root-file-system-for-embedded-system.md index 2024153a..6893fdc5 100644 --- a/blog/content/post/2013-06-07-0x6-root-file-system-for-embedded-system.md +++ b/blog/content/post/2013-06-07-0x6-root-file-system-for-embedded-system.md @@ -14,87 +14,96 @@ tags: categories: - OS Dev --- -## Table of contents ## - -* [Introduction](/2013/06/07/root-file-system-for-embedded-system/#intro) -* [Get and build BusyBox](/2013/06/07/root-file-system-for-embedded-system/#get-bb) -* [Fast and simple](/2013/06/07/root-file-system-for-embedded-system/#fast-and-simple) -* [Setting up kernel through NFS](/2013/06/07/root-file-system-for-embedded-system/#setting-up-kernel-through-nfs) -* [Verify Configuration](/2013/06/07/root-file-system-for-embedded-system/#verify-configuration) -* [Embedded filesystem tuning](/2013/06/07/root-file-system-for-embedded-system/#embedded-filesystem-tuning) -* [Summary](/2013/06/07/root-file-system-for-embedded-system/#summary) - - -### Introduction ### + +### Introduction + To make our embedded linux work as virtual development platform we need some environment after booting. There is many approaches to get working root file -system but I will use the easiest one as an exercise. I don't want to create full -embedded distribution (this is good plan for future works). Right now I will be -happy with simple initramfs based on [BusyBox](http://busybox.net/). +system but I will use the easiest one as an exercise. I don't want to create +full embedded distribution (this is good plan for future works). Right now I +will be happy with simple initramfs based on [BusyBox](https://web.archive.org/web/20230722072606/https://busybox.net/). For all interested in creating own root filesystem there are few places where -you can find informations: +you can find information: + +- [Embedded Linux: Small Root Filesystems](http://lwn.net/Articles/210046/) +- [ramfs-rootfs-initramfs](https://www.kernel.org/doc/Documentation/filesystems/ramfs-rootfs-initramfs.txt) +- [Creating a Root File System for Linux on OMAP35x](https://web.archive.org/web/20120225203705/http://processors.wiki.ti.com/index.php/Creating_a_Root_File_System_for_Linux_on_OMAP35x) -* [Embedded Linux: Small Root Filesystems](http://lwn.net/Articles/210046/) -* [ramfs-rootfs-initramfs](https://www.kernel.org/doc/Documentation/filesystems/ramfs-rootfs-initramfs.txt) -* [Creating a Root File System for Linux on OMAP35x](http://processors.wiki.ti.com/index.php/Creating_a_Root_File_System_for_Linux_on_OMAP35x) +### Get and build BusyBox - -### Get and build BusyBox ### Clone git repository: -``` + +```bash git clone git://git.busybox.net/busybox ``` - -### Fast and simple ### +### Fast and simple + Of course make sure to use correct toolchain. I made few notes about -Ubuntu/Linaro toolchain in [previous post](/2013/06/07/qemu-network-configuration-and-tftp-for-virtual-development-board/#ubuntu-issues) -``` +Ubuntu/Linaro toolchain in +[previous post](/2013/06/07/qemu-network-configuration-and-tftp-for-virtual-development-board/#ubuntu-issues) + +```bash make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- menuconfig ``` -Mark `Busybox Settings -> Build Options -> Build BusyBox as a static binary (no -shared libs)` option. Exit and save. -``` + +Mark +`Busybox Settings -> Build Options -> Build BusyBox as a static binary` +option. Exit and save. + +```bash make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- install cd _install/ ``` - -### Setting up kernel through NFS ### + +### Setting up kernel through NFS + [Previously](/2013/06/07/linux-kernel-for-embedded-system) we prepared U-Boot -kenernel image with DHCP and rootfs which we want to expose over NFS. First lets start with NFS -configuration: -``` +kenernel image with DHCP and rootfs which we want to expose over NFS. First lets +start with NFS configuration: + +```bash sudo apt-get install nfs-kernel-server ``` + I use simple `/etc/exports` configuration: -``` + +```bash /srv/homes 192.168.1.0/255.255.255.0(rw,sync,no_subtree_check,no_root_squash) ``` + Make sure that `/srv/homes` exist, if no than create it. After editing nfs configuration file we have to restart NFS server: -``` + +```bash sudo service nfs-kernel-server restart ``` - -### Verify configuration ### -I assume that you go through all previous articles in this series. -To verify configuration we have to copy whole BusyBox `_install` directory to -known nfs location: -``` + +### Verify configuration + +I assume that you go through all previous articles in this series. To verify +configuration we have to copy whole BusyBox `_install` directory to known nfs +location: + +```bash mkdir /srv/homes/rootfs sudo chmod 777 /srv/homes/rootfs cd /srv/homes/rootfs cp -R /path/to/busybox/_install/* . ``` + Now we can try our Virtual Development Board: -``` + +```bash sudo qemu-system-arm -kernel src/u-boot/u-boot -net nic,vlan=0 -net \ tap,vlan=0,ifname=tap0,script=/etc/qemu-ifup -nographic -M versatilepb ``` + After U-Boot booting: -``` + +```bash VersatilePB # setenv autload no VersatilePB # dhcp MC91111: PHY auto-negotiate timed out @@ -105,8 +114,10 @@ VersatilePB # setenv serverip 192.168.1.24 VersatilePB # setenv bootfile uImage VersatilePB # tftp ``` + Note that `192.168.1.24` should be replaced with correct address of TFTP server. -``` + +```bash VersatilePB # tftp SMC91111: PHY auto-negotiate timed out SMC91111: MAC 52:54:00:12:34:56 @@ -124,30 +135,37 @@ Loading: ################################################################# done Bytes transferred = 1917944 (1d43f8 hex) ``` + Right now we will set boot arguments for our kernel: -``` + +```bash setenv bootargs 'root=/dev/nfs mem=128M ip=dhcp netdev=25,0,0xf1010000,0xf1010010,eth0 nfsroot=192.168.1.20:/srv/homes/rootfs console=ttyAMA0' ``` + What does it mean: -* `root=/dev/nfs` - following -[kernel.org](https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt): -{% blockquote %} -This is necessary to enable the pseudo-NFS-device. Note that it's not a real device but just a synonym to tell the kernel to use NFS instead of a real device. -{% endblockquote %} -* `mem=128M ip=dhcp` - self-explaining -* `netdev=25,0,0xf1010000,0xf1010010,eth0` - network device configuration -(`Format: ,,,,`), this was provided by -default `U-Boot` bootargs -* `nfsroot=192.168.1.20:/srv/homes/rootfs` - NFS server ip and path to rootfs -* `console=ttyAMA0` - very importanat if you want to see anything in `-nographic` mode +- `root=/dev/nfs` - following + [kernel.org](https://www.kernel.org/doc/Documentation/filesystems/nfs/nfsroot.txt): + {% blockquote %} This is necessary to enable the pseudo-NFS-device. Note that + it's not a real device but just a synonym to tell the kernel to use NFS + instead of a real device. {% endblockquote %} +- `mem=128M ip=dhcp` - self-explaining +- `netdev=25,0,0xf1010000,0xf1010010,eth0` - network device configuration + (`Format: ,,,,`), this was provided by + default `U-Boot` bootargs +- `nfsroot=192.168.1.20:/srv/homes/rootfs` - NFS server ip and path to rootfs +- `console=ttyAMA0` - very importanat if you want to see anything in + `-nographic` mode After setting bootargs we can boot our Virtual Development Board: -``` + +```bash bootm ``` + As you can see that's not all, our current configuration end with: -``` + +```bash (...) Sending DHCP requests .input: AT Raw Set 2 keyboard as /devices/fpga:06/serio0/input/input0 @@ -174,19 +192,23 @@ can't open /dev/tty4: No such file or directory can't open /dev/tty2: No such file or directory can't open /dev/tty3: No such file or directory ``` -try to open ttys loop. This is because of default behavior of `BusyBox` when `inittab` -was not found. - -### Embedded filesystem tuning ### +try to open ttys loop. This is because of default behavior of `BusyBox` when +`inittab` was not found. + +### Embedded filesystem tuning + To override above behavior we have to create `/etc/inittab` file: -``` + +```bash cd /srv/homes/rootfs mkdir etc vim etc/inittab ``` + Our `inittab` is very simple: -``` + +```bash ::sysinit:/etc/init.d/rcS ::askfirst:/bin/ash ::ctrlaltdel:/sbin/reboot @@ -194,22 +216,31 @@ Our `inittab` is very simple: ::shutdown:/bin/umount -a -r ::restart:/sbin/init ``` -If you want to learn more about inittab - `man inittab` .We need improve out filesystem with few directories: -``` + +If you want to learn more about inittab - `man inittab` .We need improve out +filesystem with few directories: + +```bash mkdir sys proc etc/init.d ``` + In `/etc/init.d/rcS` we will mount sysfs and procfs: + ```bash #! /bin/sh mount -t proc proc /proc mount -t sysfs sysfs /sys ``` + Give executable permission to `rcS` script: -``` + +```bash chmod +x etc/init.d/rcS ``` + We also have to create `dev` directory with `ttyAMA0` block device: -``` + +```bash mkdir dev sudo mknod dev/ttyAMA0 c 204 64 sudo mknod dev/null c 1 3 @@ -217,9 +248,8 @@ sudo mknod dev/console c 5 1 ``` Right now we should be able to boot our Virtual Development Board. Let's try -again: -{% raw %} -``` + +```bash pietrushnic@eglarest:~$ sudo qemu-system-arm -m 256M -kernel src/u-boot/u-boot -net nic,vlan=0 -net tap,vlan=0,ifname=tap0,script=/etc/qemu-ifup -nographic -M versatilepb -net dump,file=/tmp/dump.pcap Executing /etc/qemu-ifup Bringing up tap0 for bridged mode... @@ -254,12 +284,12 @@ TFTP from server 192.168.1.24; our IP address is 192.168.1.13 Filename 'uImage'. Load address: 0x7fc0 Loading: *############T ##################################################### - ################################################################# - ################################################################# - ################################################################# - ################################################################# - ################################################## - 0 Bytes/s + ################################################################# + ################################################################# + ################################################################# + ################################################################# + ################################################## + 0 Bytes/s done Bytes transferred = 1917944 (1d43f8 hex) VersatilePB # bootm @@ -368,14 +398,14 @@ Please press Enter to activate this console. /bin/ash: can't access tty; job control turned off / # ``` -{% endraw %} - -### Summary ### +### Summary + This setup need few minor tweaks like adding U-Boot environment variables -storage to not enter it every time or removing annoying message `can't access -tty(...)`. I'm done for now, its time to take care about other challenges. I -hope that I will back to this issues in near future. If you like this series -please share it, if somethings wrong please comment I will try to help if can. +storage to not enter it every time or removing annoying message +`can't access tty(...)`. I'm done for now, its time to take care about other +challenges. I hope that I will back to this issues in near future. If you like +this series please share it, if somethings wrong please comment I will try to +help if can. [How to set up a NFS root filesystem for embedded Linux development](http://bec-systems.com/site/418/how-to-set-up-a-nfs-rootfs) diff --git a/blog/content/post/2013-07-30-improve-productivity-with-goolge-history-using-bookmarks-and-chrome-extensions.md b/blog/content/post/2013-07-30-improve-productivity-with-goolge-history-using-bookmarks-and-chrome-extensions.md index 9a7092f6..99de6f18 100644 --- a/blog/content/post/2013-07-30-improve-productivity-with-goolge-history-using-bookmarks-and-chrome-extensions.md +++ b/blog/content/post/2013-07-30-improve-productivity-with-goolge-history-using-bookmarks-and-chrome-extensions.md @@ -10,25 +10,28 @@ tags: - productivity categories: - Miscellaneous + --- -

    + The idea of this post is very simple (as usually) and I wonder why I didn't thought about it earlier. The point is to use history of your Google queries to improve productivity. Most of things that we google can be replaced for example by browser -extensions, bookmarks or rss feeds. Thats how we can gain few additional free seconds on -each google-type-click cycle. -

    +extensions, bookmarks or rss feeds. That's how we can gain few additional free +seconds on each google-type-click cycle. ## Statistics Depending on different factors we spend a lot of time in browser. I cannot find -statistics for desktops but for mobile [Flurry](http://blog.flurry.com/bid/95723/Flurry-Five-Year-Report-It-s-an-App-World-The-Just-Web-Lives-in-It) -researches are probably relevant enough. Simplifying this statistics and assuming that desktop market -is similar (it is probably to big simplification for some of you but IMHO it is -good for reflections on this blog): +statistics for desktops but for mobile +[Flurry](https://web.archive.org/web/20130404111802/http://blog.flurry.com/bid/95723/Flurry-Five-Year-Report-It-s-an-App-World-The-Just-Web-Lives-in-It) +researches are probably relevant enough. Simplifying this statistics and +assuming that desktop market is similar (it is probably to big simplification +for some of you but IMHO it is good for reflections on this blog): - access Facebook, social networks (+18%, +6%) -- play some games ([lets say 30%](http://allthingsd.com/20130325/a-look-ahead-at-gdc-its-mobile-vs-consoles-in-fight-for-game-developers-attention/) of our 32% from Flurry report +13%) +- play some games + ([lets say 30%](http://allthingsd.com/20130325/a-look-ahead-at-gdc-its-mobile-vs-consoles-in-fight-for-game-developers-attention/) + of our 32% from Flurry report +13%) - web browsing time (+20%) - entertain - read news @@ -36,42 +39,48 @@ good for reflections on this blog): We have at least 60 percent of our time in web browser. That's explain Google's ideas about ChromOS and competition on browser market. Of course if take look a -this in short therm it look ridiculous but in long term it may be true. Even if this estimation -not match your behavior than ask yourself what percentage of time spent in -browser proves that improving productivity using google queries data does not -make sense ? Especially when doing this will not consume lot of your time. +this in short therm it look ridiculous but in long term it may be true. Even if +this estimation not match your behavior than ask yourself what percentage of +time spent in browser proves that improving productivity using google queries +data does not make sense ? Especially when doing this will not consume lot of +your time. **EDIT 07.2019**: Lately [BroadbandSearch.net](https://www.broadbandsearch.net) -did a really comprehensive piece analyzing [mobile vs. desktop usage](https://www.broadbandsearch.net/blog/mobile-desktop-internet-usage-statistics#post-navigation-1) +did a really comprehensive piece analyzing +[mobile vs. desktop usage](https://www.broadbandsearch.net/blog/mobile-desktop-internet-usage-statistics#post-navigation-1) in comparison to previous years. You should definitely check it out. ## Productivity improvements based on my google history + Below I will show how I improve my productivity using top queries and top sites from [google history](https://history.google.com/history/). These are my results that I found after choosing `Show more trends`: ### Top queries -1. `ztm gdańsk` - public transportation in my home town -2. `usdpln` - Polish Zloty to US Dollar rate -3. `rozkład jazdy pkp` - Polish state railways schedule -4. `intc` - Intel Corporation stocks rate -5. `radio polska stacja` - Polish Internet radio station +1. `ztm gdańsk` - public transportation in my home town +1. `usdpln` - Polish Zloty to US Dollar rate +1. `rozkład jazdy pkp` - Polish state railways schedule +1. `intc` - Intel Corporation stocks rate +1. `radio polska stacja` - Polish Internet radio station -First of all I was surprised that I googled these things so many times. Especially -for point 5 :). To improve my daily routine with these data I use following -applications: +First of all I was surprised that I googled these things so many times. +Especially for point 5 :). To improve my daily routine with these data I use +following applications: + +### Public transportation -### Public transporation I used well known Polish application for public transpiration in biggest cities + - [jakdojade.pl](http://jakdojade.pl/). If you register on their page they give -you possibility to save travel directions, so I used it to save my common -destinations. Of course I put it on my bookmark bar as it is one of the most -used links. + you possibility to save travel directions, so I used it to save my common + destinations. Of course I put it on my bookmark bar as it is one of the most + used links. ### Currency ratio -After thinking a while I realize that few requirements have to be met for me. -I need below fields: + +After thinking a while I realize that few requirements have to be met for me. I +need below fields: - USD/PLN rate - EUR/PLN rate @@ -80,19 +89,23 @@ I need below fields: Unfortunately I was unhappy with choice presented on Chrome extension site because I find that it is not easy to met my expectations - this is probably -market niche to explore. For today I choose [Currency Converter](https://chrome.google.com/webstore/detail/currency-converter/lncdobdbibdgoiohgnflmjajfphcnakg). +market niche to explore. For today I choose +[Currency Converter](https://chrome.google.com/webstore/detail/chrome-currency-converter/anbfhidldjknonaihbalghlebaijealk). It has pretty good rate 4.5 star/444 opinions. One thing I don't like is that I -cannot set every field as I wish. Ratio always relate to recent changed position. -I also cannot display stock rate. That's why I will have to use one another -extension. +cannot set every field as I wish. Ratio always relate to recent changed +position. I also cannot display stock rate. That's why I will have to use one +another extension. ### Railways schedule + Right now there is nothing I can do for this one than adding to bookmark bar as a recently visited site. ### Stocks ticker + There are plenty of extensions for Chrome and not a lot of really good one. I -found [Stock Tracker](https://chrome.google.com/webstore/detail/stock-tracker/gphdmnilpmjaioploikmbpgkjfbagidf) +found +[Stock Tracker](https://chrome.google.com/webstore/detail/finance-toolbar-real-time/cichbngoomgnobmmjpagmbkimbamigie) useful because it shows price in the icon on toolbar. But it is not free from small bugs, for example INTC price is 4 digit with dot (00.00) and inadequate font size selection causing that last digit is visible only in half, which cause @@ -100,34 +113,38 @@ it hard to read. Good thing is that after pushing extension button on toolbar I get stock chart and can see the trend. ### Top sites + 1. `stackoverflow.com` -2. `en.wikipedia.org` -3. `github.com` -4. `www.chessgames.com` -5. `pl.wikipedia.org` +1. `en.wikipedia.org` +1. `github.com` +1. `www.chessgames.com` +1. `pl.wikipedia.org` Probably most of this pages are well known for you. What we can do with this information ? For -[wiki](https://chrome.google.com/webstore/detail/lookup-companion-for-wiki/dhgpkiiipkgmckicafkhcihkcldbdeej) and [stackoverflow](https://chrome.google.com/webstore/detail/search-stackoverflow/gmdolelhfhbldobljhbhdgljbajhfilj) there are extensions that help get search engine of -those sites. I found that usually google +stockoverflow works better than this -extension but it is worth a try. Wiki works without any problem and only our -habits can stop us by using it. +[wiki](https://chrome-stats.com/d/dhgpkiiipkgmckicafkhcihkcldbdeej/download) +and +[stackoverflow](https://chrome.google.com/webstore/detail/stackoverflow-search-tool/hnjcboogacdbabimdiblilojlldfkhlm) +there are extensions that help get search engine of those sites. I found that +usually google +stockoverflow works better than this extension but it is worth a +try. Wiki works without any problem and only our habits can stop us by using it. I use a lot of [chess.com](http://www.chess.com) what I found useful with this -is [Chess.com Notifier](https://chrome.google.com/webstore/detail/chesscom-notifier/khihkgdcfbjdnfgalkjnimbmofnhhpho) -it change color when some pending move in my games. Unfortunately I get to -[www.chessgames.com](http://www.chessgames.com) though google looking for -particular position in game - right now I can't find easy way to improve this -other than paying for access to good database with defined interface or using my -own database. +is +Chess.com Notifier it change color when some pending move in my games. +Unfortunately I get to [www.chessgames.com](http://www.chessgames.com) though +google looking for particular position in game - right now I can't find easy +way to improve this other than paying for access to good database with defined +interface or using my own database. I'm sure that you have some clues how to improve your productivity using Google -history or you will find application for suggested plugins. Anyway, I whish you +history or you will find application for suggested plugins. Anyway, I wish you good luck. ## At the end - the hard thing + Switching our behaviors to something different is really hard thing. If we always go to google and type well know query and trying to switch to something new like replacing this behavior with clicking link or running extension could diff --git a/blog/content/post/2014-05-16-linux-debian-wheezy-on-lenovo-y510p.md b/blog/content/post/2014-05-16-linux-debian-wheezy-on-lenovo-y510p.md index 98d9b041..be0de230 100644 --- a/blog/content/post/2014-05-16-linux-debian-wheezy-on-lenovo-y510p.md +++ b/blog/content/post/2014-05-16-linux-debian-wheezy-on-lenovo-y510p.md @@ -13,20 +13,25 @@ tags: categories: - OS Dev --- -After long analysis I decide to buy new laptop. I had about $1000 -(or 3000PLN) and most important things to me were: -* i7 CPU - because of performance (of course at least 4700 series) -* SSD - again performance -* 17.3” - working space -* no OS/FreeDos/Linux - I will not pay additional fee to M$ for system that I won’t use -* Full HD resolution -* at least 8GB RAM -* non-glare display +After long analysis I decide to buy new laptop. I had about $1000 (or 3000PLN) +and most important things to me were: + +- i7 CPU - because of performance (of course at least 4700 series) +- SSD - again performance +- 17.3” - working space +- no OS/FreeDos/Linux - I will not pay additional fee to M$ for system that I + won’t use +- Full HD resolution +- at least 8GB RAM +- non-glare display First I realize that my budget is to small for such a hardware. Second as always -we have to deal with trade-offs, so you cannot have everything. In final round I had two candidates [Acer Aspire V7-772G](http://www.notebookcheck.net/Review-Acer-Aspire-V3-772G-747A321-Notebook.93916.0.html) -and [Lenovo IdeaPad y510p](http://www.notebookcheck.net/Review-Lenovo-IdeaPad-Y510p-Notebook.97470.0.html). +we have to deal with trade-offs, so you cannot have everything. In final round I +had two candidates +[Acer Aspire V7-772G](http://www.notebookcheck.net/Review-Acer-Aspire-V3-772G-747A321-Notebook.93916.0.html) +and +[Lenovo IdeaPad y510p](http://www.notebookcheck.net/Review-Lenovo-IdeaPad-Y510p-Notebook.97470.0.html). I resign from using 17.3" display because most of them in my budget range were glare and without Full HD support. After reading Newegg reviews about both @@ -34,6 +39,7 @@ laptops I choose Lenovo. It is better brand with better design (ie. metal lid), other parameters, except RAM expansion possibilities, are the same. ## First boot + Today I have it on my desk and trying to install Debian Wheezy. I put Debian netinst in drive and get wonderful UEFI message :) @@ -43,8 +49,8 @@ I figure out that I have to disable my last days favourite feature from M$ - namely Secure Boot. I was surprised when I realized that there is no hot key to enter UEFI Setup. Instead of hot key Lenovo decide to put small button (called Novo Button) on the side of laptop near power socket. Quite interesting idea -when taking into consideration that InsydeH20 Setup Utility doesn’t provide -much of functions, so we end with entering setup maybe dozen of times during laptop +when taking into consideration that InsydeH20 Setup Utility doesn’t provide much +of functions, so we end with entering setup maybe dozen of times during laptop lifetime. Also I think it can improve boot time a little bit because UEFI don’t have to poll for user input during hot key pushing time window. @@ -53,11 +59,12 @@ have to poll for user input during hot key pushing time window. So to disable this `feature-that-name-should-be-doomed` you have to enter Setup using Novo Button and switch to Security tab. At first glance you can find option called `Scure Boot` set to `[Enabled]`. Description of this option said -`Enabl or Disable Secure Boot support`. Don’t be naive this button won’t do -what you want. To disable this devil work you have to push enter on `Reset to Seupt Mode` -option, which cleans keys database. Don't panic your database of -vendor keys will not disappear you can restore it anytime you want using -`Restore Factory Keys`. BTW I didn't found any information about it in `User Manual`. +`Enabl or Disable Secure Boot support`. Don’t be naive this button won’t do what +you want. To disable this devil work you have to push enter on +`Reset to Seupt Mode` option, which cleans keys database. Don't panic your +database of vendor keys will not disappear you can restore it anytime you want +using `Restore Factory Keys`. BTW I didn't found any information about it in +`User Manual`. {% img center /assets/images/uefi-security.jpg 640 400 'image' 'images' %} @@ -70,22 +77,24 @@ on-board LAN card.So I installed my Debian over wireless Intel card. Wheezy use Atheros QCA8171. Note that there is possibility to load new driver from pendrive during -installation. But best way would using netinst with Jessie or Sid. You can get it [here](http://www.debian.org/devel/debian-installer/). -I with to knew that before I started to fight with stable version. +installation. But best way would using netinst with Jessie or Sid. You can get +it [here](http://www.debian.org/devel/debian-installer/). I with to knew that +before I started to fight with stable version. ## Xorg crash After all above I booted my favourite distro and it welcomes me with blinking cursor and Xorg crashed because of: -``` + +```bash (EE) VESA(0): V_BIOS address 0x0 out of range (EE) Screen(s) found, but none have a usable configuration ``` -During long an unequal battle, which was full of google hits. I figured out -that best way to improve awful situation in Debian stable for y510p is to -upgrade to Sid (unstable). Of course I messed up this because I tried move from -stable to unstable skipping testing. +During long an unequal battle, which was full of google hits. I figured out that +best way to improve awful situation in Debian stable for y510p is to upgrade to +Sid (unstable). Of course I messed up this because I tried move from stable to +unstable skipping testing. I found on Debian pages that upgrade to `unstable` should be performed through `testing` version. This mistake cost me time, because I have to install OS @@ -96,21 +105,21 @@ second time after breaking my Gnome installation. Upgrade to latest kernel version helps a lot but there are still many things to do. Right now I'm using Intel integrated graphics. It would be great to enable second card GT755M and try Optimus technology. Especially when I would like to -rest from coding and try to relax playing Heroes Of Newearth. I also think -about running CUDA on my setup. Next thing for me will be testing vitalization +rest from coding and try to relax playing Heroes Of Newearth. I also think about +running CUDA on my setup. Next thing for me will be testing vitalization performance. If I will find reliable method to enable GT 755M on Debian I will let you know. -I compiled edk2 and linux kernel. I see big difference in performance and -that's most important thing to me. +I compiled edk2 and linux kernel. I see big difference in performance and that's +most important thing to me. -Some of you will say that Linux is a piece of $!#@, but for me this is very -good opportunity to verify my skills and contribute to community. During my -research about y510p I found also complains from Windows users that not all -works smoothly (Optimus), so there are also cons on the other side. Finally if -you won't deal with problems simply use Mint or Ubuntu there is much better -support there. By the way I think that I'm immune to problems with my operating -system ;) +Some of you will say that Linux is a piece of $!#@, but for me this is very good +opportunity to verify my skills and contribute to community. During my research +about y510p I found also complains from Windows users that not all works +smoothly (Optimus), so there are also cons on the other side. Finally if you +won't deal with problems simply use Mint or Ubuntu there is much better support +there. By the way I think that I'm immune to problems with my operating system +;) {% img center /assets/images/lenovo-y510p.jpg 640 400 'image' 'images' %} diff --git a/blog/content/post/2014-08-07-coreboot-for-qemu-armv7-vexpress-a9-emulated-mainboard.md b/blog/content/post/2014-08-07-coreboot-for-qemu-armv7-vexpress-a9-emulated-mainboard.md index b44d5015..4db041bd 100644 --- a/blog/content/post/2014-08-07-coreboot-for-qemu-armv7-vexpress-a9-emulated-mainboard.md +++ b/blog/content/post/2014-08-07-coreboot-for-qemu-armv7-vexpress-a9-emulated-mainboard.md @@ -13,17 +13,19 @@ tags: categories: - Firmware --- + Recently I came back to look into coreboot. Mainly because low level is fun and skills related to firmware (even coreboot) starting get attention on freelance -portals ([first odesk job](http://bit.ly/1sBSybZ), [second odesk job](http://bit.ly/1sBSR6F)). - I was surprised that under the wings of Google -coreboot team start to support ARM (BTW ARM programming is IMHO next great -skill to learn). So I cloned latest, code compiled QEMU armv7 mainboard model and -tried to kick it in latest qemu-system-arm. Unfortunately it didn't boot. Below -you can find my TL;DR debugging story. +portals ([first odesk job](http://bit.ly/1sBSybZ), +[second odesk job](http://bit.ly/1sBSR6F)). I was surprised that under the wings +of Google coreboot team start to support ARM (BTW ARM programming is IMHO next +great skill to learn). So I cloned latest, code compiled QEMU armv7 mainboard +model and tried to kick it in latest qemu-system-arm. Unfortunately it didn't +boot. Below you can find my TL;DR debugging story. ## coreboot qemu-armv7 mainboard compilation - very quick steps -``` + +```bash git clone http://review.coreboot.org/p/coreboot cd coreboot git submodule update --init --checkout @@ -34,12 +36,14 @@ Set: `Mainboard -> Mainboard model -> QEMU armv7 (vexpress-a9)` NOTE: To prevent annoying warning about XML when running gdb from coreboot crossgcc utilities: -``` + +```bash warning: Can not parse XML target description; XML support was disabled at compile time ``` + `libexpat1-dev` should be installed. -``` +```bash sudo apt-get install libexpat1-dev cd util/crossgcc ./buildgcc -y -j 8 -p armv7 -G @@ -51,7 +55,8 @@ make will use 8 parallel jobs. ## qemu-system-arm compilation - very quick steps -``` + +```bash git clone git://git.qemu.org/qemu.git cd qemu git submodule update --init --checkout @@ -62,21 +67,24 @@ sudo make install ## Debugging hint Use good gdbinit, so with every instruction executed gdb will automatically -provide most useful informations. IMHO good choice is `fG!` gdbinit shared on +provide most useful information. IMHO good choice is `fG!` gdbinit shared on [github](https://github.com/gdbinit/Gdbinit). It contain support for ARM and x86. To switch to ARM mode inside gdb simple use `arm` command. Output looks pretty awesome: -![](/img/gdbinit.png) +![img](/img/gdbinit.png) ## Noob dead end Command for running qemu that I found in early qemu-armv7 commit log: -``` + +```bash qemu-system-arm -M vexpress-a9 -m 1024M -nographic -kernel build/coreboot.rom ``` + It ends with qemu error: -``` + +```bash qemu: fatal: Trying to execute code outside RAM or ROM at 0x04000000 R00=00000002 R01=00000000 R02=00000000 R03=00000000 @@ -88,11 +96,14 @@ PSR=600000d3 -ZC- A svc32 ``` At the beginning I thought that it is a mistake so I tried: -``` + +```bash qemu-system-arm -M vexpress-a9 -m 1024M -nographic -bios build/coreboot.rom ``` + What ends with: -``` + +```bash qemu: fatal: Trying to execute code outside RAM or ROM at 0xfffffffe R00=00000002 R01=ffffffff R02=ffffffff R03=ffffffff @@ -108,7 +119,7 @@ address of current instruction (like EIP in x86). Stepping through assembler instructions using cross-compiled debugger (`util/crossgcc/xgcc/bin/armv7-a-eabi-gdb`) points to: -``` +```bash 0x6001024f: ldmia.w sp!, {r2, r3, r4, r5, r6, r7, r9, r10, r11, pc} ``` @@ -116,7 +127,7 @@ Stepping through assembler instructions using cross-compiled debugger goes to 0x0 and then run instruction from zeroed memory, which in ARM instructions means: -``` +```bash andeq r0, r0, r0 ``` @@ -126,27 +137,29 @@ registers in coreboot and qemu code. ## Bisection -I knew that at some point qemu worked with coreboot. I tried few versions and -it leads me to some commit between `v2.1.0-rc1` and `v2.1.0-rc0`. For `-kernel` +I knew that at some point qemu worked with coreboot. I tried few versions and it +leads me to some commit between `v2.1.0-rc1` and `v2.1.0-rc0`. For `-kernel` switch I was able to narrow down problem to one commit that change `VE_NORFLASHALIAS` option for vexpress-a9 to 0 ([6ec1588](http://git.qemu.org/?p=qemu.git;a=commit;h=6ec1588e09770ac7e9c60194faff6101111fc7f0)). It looks like for vexpress-a9 qemu place kernel at 0x60000000 (vexpress.highmem), which is aliased to range 0x0-0x3ffffff. `VE_NORFLASHALIAS=0` cause mapping of vexpress.flash0 to the same region as -kernel and because flash (`-bios`) was not added we have empty space (all -zeros) what gives `andeq r0, r0, r0`. +kernel and because flash (`-bios`) was not added we have empty space (all zeros) +what gives `andeq r0, r0, r0`. Right now I have working version of coreboot but only with `-kernel` and `VE_NORFLASHALIAS=-1` set in hw/arm/vexpress.c. The main questions are: -* what is the correct memory map for qemu-armv7 and how coreboot should be mapped ? -* what's going on with coreboot or qemu that I can't go through bootblock ? +- what is the correct memory map for qemu-armv7 and how coreboot should be + mapped ? +- what's going on with coreboot or qemu that I can't go through bootblock ? ## Debugging I tried to debug coreboot executed from flash: -``` + +```bash qemu-system-arm -M vexpress-a9 -m 1024M -nographic -bios build/coreboot.rom -s -S ``` @@ -159,7 +172,7 @@ coreboot side we have bootblock, romstage, ramstage and payload. qemu-armv7 booting procedure start from `_rom` section which contain hardcoded jump to `reset` procedure. After that go through few methods like on below flow: -``` +```bash _rom |-> reset |-> init_stack_loop @@ -171,11 +184,11 @@ _rom |-> dcache_foreach ``` -At the end of `dcache_foreach` we experience failure because `ldmia` -instruction tries to restore registers from stack, which should be stored at -the beginning of `dcache_foreach`, by: +At the end of `dcache_foreach` we experience failure because `ldmia` instruction +tries to restore registers from stack, which should be stored at the beginning +of `dcache_foreach`, by: -``` +```bash stmdb sp!, {r0, r1, r4, r5, r6, r7, r9, sl, fp, lr} ``` @@ -184,15 +197,15 @@ Unfortunately for some reason stack doesn't contain any reasonable values (all ### Obvious things are not so obvious -As I point above everything seems to be related with memory map for -vexpress-a9. I wrote question to qemu developers mailing list describing all -the problems. You can read it +As I point above everything seems to be related with memory map for vexpress-a9. +I wrote question to qemu developers mailing list describing all the problems. +You can read it [here](http://lists.nongnu.org/archive/html/qemu-devel/2014-08/msg02599.html). -So the answer is that ARM Versatile Express boards in general have two -different memory maps. First is legacy with RAM in low memory and second is -modern with flash in low memory instead of RAM. Since qemu `v2.1.0` modern -memory map was used. That's why I saw change in behavior. Obviously flash in -qemu is read only, so no matter what pushing on stack didn't work. +So the answer is that ARM Versatile Express boards in general have two different +memory maps. First is legacy with RAM in low memory and second is modern with +flash in low memory instead of RAM. Since qemu `v2.1.0` modern memory map was +used. That's why I saw change in behavior. Obviously flash in qemu is read only, +so no matter what pushing on stack didn't work. ### coreboot stack location fix @@ -200,7 +213,7 @@ I though that fix would be easy. One thing that I have to do is change stack address. The question is where to place the stack ? So I took a look at qemu memory map: -``` +```bash (qemu) info mtree (...) 0000000040000000-0000000043ffffff (prio 0, R-): vexpress.flash0 @@ -214,19 +227,20 @@ memory map: SRAM is temporary storage where I decide to put stack. The change in coreboot looks like below: -```c src/mainboard/emulation/qemu-armv7/Kconfig +```bashc src/mainboard/emulation/qemu-armv7/Kconfig config STACK_TOP - hex - default 0x4803ff00 + hex + default 0x4803ff00 config STACK_BOTTOM - hex - default 0x48000000 + hex + default 0x48000000 config STACK_SIZE - hex - default 0x0003ff00 + hex + default 0x0003ff00 ``` + I changed STACK_TOP and STACK_BOTTOM. Unfortunately still I was unable to boot coreboot on vexpress-a9. Situation @@ -235,35 +249,35 @@ to/from, but next problem occurs in `init_default_cbfs_media`. ### init_default_cbfs_media problem -As CBFS specification explains: -{% blockquote Jordan Crouse http://review.coreboot.org/gitweb?p=coreboot.git;a=blob;f=documentation/cbfs.txt;h=7ecc9014a1cb2e0a86bbbf514e17f6b0360b9c0c;hb=HEAD %} -CBFS is a scheme for managing independent chunks of data in a system ROM. -{% endblockquote %} +As CBFS specification explains: {% blockquote Jordan Crouse + +%} CBFS is a scheme for managing independent chunks of data in a system ROM. {% +endblockquote %} Default CBFS media initialization for qemu-armv7 leads to `init_emu_rom_cbfs_media` that fills `cbfs_media` structures with function pointers that help to operate on CBFS. -```c src/mainboard/emulation/qemu-armv7/media.c +```bashc src/mainboard/emulation/qemu-armv7/media.c int init_emu_rom_cbfs_media(struct cbfs_media *media) { - media->open = emu_rom_open; - media->close = emu_rom_close; - media->map = emu_rom_map; - media->unmap = emu_rom_unmap; - media->read = emu_rom_read; - return 0; + media->open = emu_rom_open; + media->close = emu_rom_close; + media->map = emu_rom_map; + media->unmap = emu_rom_unmap; + media->read = emu_rom_read; + return 0; } ``` The problem was that pointers were relative to bootblock base address -`0x00010000` and `-bios` option maps coreboot.rom from address `0x0`. This -leads to change in bootblock base address to `0x0`: +`0x00010000` and `-bios` option maps coreboot.rom from address `0x0`. This leads +to change in bootblock base address to `0x0`: -```c src/mainboard/emulation/qemu-armv7/Kconfig +```bashc src/mainboard/emulation/qemu-armv7/Kconfig config BOOTBLOCK_BASE - hex - default 0x00000000 + hex + default 0x00000000 ``` This solve other issue not mentioned till now. I didn't know why I can't load @@ -271,19 +285,21 @@ symbols for bootblock using `add-symbol-file` in gdb. Of course reason was bootblock didn't start at 0x0 but at 0x10000. Since this moment I could debug bootblock using lines of C code, by simply: -```text +```bashtext gdb$ add-symbol-file build/cbfs/fallback/bootblock.debug 0x0 ``` It was not the end because another error popped up: -``` + +```bash Bad ram pointer 0x3b8 ``` ### memcpy during CBFS decompression Problem was with storing registers `stmia` during memcpy. Backtrace: -``` + +```bash #0 memcpy () at src/arch/armv7/memcpy.S:64 #1 0x000015b2 in cbfs_decompress (algo=, src=, dst=, len=0x3310) at src/lib/cbfs_core.c:227 #2 0x00001702 in cbfs_load_stage (media=media@entry=0x0 <_start>, name=name@entry=0x2260 "fallback/romstage") at src/lib/cbfs.c:137 @@ -296,10 +312,10 @@ Address is passed from upper layers - `cbfs_get_file_content`. During debugging I realize that this address means `ROMSTAGE_BASE`. So I changed `ROMSTAGE_BASE` to somewhere in SRAM. -```c src/mainboard/emulation/qemu-armv7/Kconfig +```bashc src/mainboard/emulation/qemu-armv7/Kconfig config ROMSTAGE_BASE - hex - default 0x48040000 + hex + default 0x48040000 ``` What I saw when trying to boot coreboot with this fix was wonderful log proved @@ -310,8 +326,8 @@ that coreboot boots without problems. Above debugging session was all about memory map. It was really fun to experience all those issues because I had to understand lot of ARM assembly instructions, track memory, read the spec, read coreboot and qemu code. It gave -me a lot of good experience. If you have any questions or comments please let -me know. And finally what is most important it was next thing done on my list. +me a lot of good experience. If you have any questions or comments please let me +know. And finally what is most important it was next thing done on my list. I think next challenge could be experiment with Linux kernel booting. Coreboot can boot kernel directly or through payload with bootloader. diff --git a/blog/content/post/2014-08-18-linux-rpi-and-usb-over-ip.md b/blog/content/post/2014-08-18-linux-rpi-and-usb-over-ip.md index ed13e89e..f90b401a 100644 --- a/blog/content/post/2014-08-18-linux-rpi-and-usb-over-ip.md +++ b/blog/content/post/2014-08-18-linux-rpi-and-usb-over-ip.md @@ -15,10 +15,12 @@ tags: categories: - Firmware --- -Trying to google 'USB over IP' doesn't give much except some business web pages that give -you it as a service. This brings some information about potential on the -market IMHO. Main idea is well presented on open source project page for [usbip](http://usbip.sourceforge.net/). -I really recommend to read [USB/IP - a Peripheral Bus Extension for Device Sharing over IP Network](https://www.usenix.org/legacy/events/usenix05/tech/freenix/hirofuchi.html) + +Trying to google 'USB over IP' doesn't give much except some business web pages +that give you it as a service. This brings some information about potential on +the market IMHO. Main idea is well presented on open source project page for +[usbip](http://usbip.sourceforge.net/). I really recommend to read +[USB/IP - a Peripheral Bus Extension for Device Sharing over IP Network](https://www.usenix.org/legacy/events/usenix05/tech/freenix/hirofuchi.html) technical paper it describe briefly technical details and capability. In short USB over IP is a sharing system aim to expose USB devices from server @@ -31,30 +33,31 @@ stubbed device on client side and also send and receive data to/from server. We can say that stub-VHCI pair working as intermediate layer in USB stack, giving ability to connect over the netowork. `usbip` project provided both Linux and Windows version. In mid of 2008 `usbip` was introduced to Linux kernel and -matured a while in staging directory. Few days ago I read -[this](http://thread.gmane.org/gmane.linux.kernel/1763771) were Greg KH mention -that if it will be possible he will include `usbip` in `3.17-rc2`. +matured a while in staging directory. Few days ago I read thread where +Greg KH mention that if it will be possible he will include `usbip` in +`3.17-rc2`. As you can expect the biggest problem with USB over IP is how to handle 480Mbit/s (USB2.0) or more over TCP/IP payload. The answer is it can't. Recommended use case for `usbip` is LAN environment with low latency. Of course you can try to use it over long distance but you will get best effort, which -varies according to device and application profile. Author of the idea -(Takahiro Hirofuchi) tested his solution and created some models for queue -management for different devices - you can read about it in technical paper. -Below I present Kingston USB stick test in function of delay. +varies according to device and application profile. Author of the idea (Takahiro +Hirofuchi) tested his solution and created some models for queue management for +different devices - you can read about it in technical paper. Below I present +Kingston USB stick test in function of delay. -## Seting up usbip +## Setting up usbip -What I tried to do was setting up my Rasberry Pi and connect it through my home -LAN to share USB device (Kingston DataTraveler). My configuration looks like that: +What I tried to do was setting up my Raspberry Pi and connect it through my home +LAN to share USB device (Kingston DataTraveler). My configuration looks like +that: -![](/img/usbip-rate.png) +![img](/img/usbip-rate.png) First I installed latest [Raspbian](http://www.raspberrypi.org/downloads/). Assuming SD card is `/dev/sdb`: -``` +```bash sudo dd bs=4M if=2014-06-20-wheezy-raspbian.img of=/dev/sdb ``` @@ -68,13 +71,13 @@ network inside RPi. learning purposes, `usbip-core.ko` and `usbip-host.ko` modules are not compiled in the kernel. What you can see when trying to run `usbipd`: -``` +```bash usbipd: error: please load usbip-core.ko and usbip-host.ko! ``` Let's see if support for USBIP is in kernel: -``` +```bash pi@raspberrypi /boot $ zcat /proc/config.gz |grep USBIP # CONFIG_USBIP_CORE is not set ``` @@ -84,7 +87,7 @@ like 5-6, 10 and even 22. It depends on many factors. But we should not bother and try to cross compile RPi on development machine. I will use my Y510P laptop with i7 4700MQ 2.4GHz (4 cores). -``` +```bash git clone https://github.com/raspberrypi/tools tools-rpi git clone --depth=1 https://github.com/raspberrypi/linux linux-rpi export PATH=${PWD}/tools-rpi/arm-bcm2708/gcc-linaro-arm-linux-gnueabihf-raspbian-x64/bin:${PATH} @@ -93,14 +96,15 @@ make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- bcmrpi_defconfig make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- menuconfig ``` -I compiled kernel on `3.12.y` branch. Go to `Device Drivers -> Staging drivers -> -USB/IP support`. I choose to compile usbip-core as loadable module. `Device Drivers-> -Staging drivers -> USB/IP support -> Host driver` also is needed it -compiles usbip-host module. Optionally `Debug messages for USB/IP` can be set -if you want to see kernel debug messages from driver. After saving changes to -config file we can start compilation: +I compiled kernel on `3.12.y` branch. Go to +`Device Drivers -> Staging drivers -> USB/IP support`. I choose to compile +usbip-core as loadable module. +`Device Drivers-> Staging drivers -> USB/IP support -> Host driver` also is +needed it compiles usbip-host module. Optionally `Debug messages for USB/IP` can +be set if you want to see kernel debug messages from driver. After saving +changes to config file we can start compilation: -``` +```bash make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- -j8 ``` @@ -108,7 +112,7 @@ After finishing compilation we can move our image to SD card. First mount your SD card (it won't automatically) and run compile modules with correct install path. -``` +```bash make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- INSTALL_MOD_PATH=/media/sdb2 modules sudo make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- INSTALL_MOD_PATH=/media/sdb2 modules_install sudo cp /media/sdb1/kernel.img /media/sdb1/kernel-backup.img @@ -124,7 +128,7 @@ loaded. Now on RPi we can load modules needed for `usbipd` and run it: -``` +```bash sudo modprobe usbip-core sudo modprobe usbip-host sudo usbipd -D @@ -132,13 +136,13 @@ sudo usbipd -D To what USB devices are connected to our system we can use: -``` +```bash usbip list -l ``` This will show output similar to this: -``` +```bash Local USB devices ================= - busid 1-1 (0424:9514) @@ -155,7 +159,7 @@ Local USB devices busid is for device that you want to share compare device id and vendor id with output of `lsusb`. To bind device to `usbip-host.ko` we should use: -``` +```bash pi@raspberrypi ~ $ sudo usbip --debug bind -b 1-1.2 usbip: debug: /build/linux-tools-TqR1ks/linux-tools-3.2.17/drivers/staging/usbip/userspace/src/usbip.c:134:[run_command] running command: `bind' usbip: debug: /build/linux-tools-TqR1ks/linux-tools-3.2.17/drivers/staging/usbip/userspace/src/usbip_bind.c:162:[unbind_other] 1-1.2:1.0 -> usb-storage @@ -166,22 +170,22 @@ bind device on busid 1-1.2: complete As you can see communication to `usbip-host` module is through writing into sysfs file. -*NOTE* : if you will try to bind device without root privileges or when modules +_NOTE_ : if you will try to bind device without root privileges or when modules are not loaded you will get errors like below: -``` + +```bash pi@raspberrypi ~ $ usbip bind -b 1-1.2 usbip: error: could not unbind driver from device on busid 1-1.2 pi@raspberrypi ~ $ sudo usbip bind -b 1-1.2 usbip: error: unable to bind device on 1-1.2 ``` - ### usbip - client side -Our device should wait for communication. Let's go to client side of our LAN -and try to check if we can use our USB device. To check if device is available: +Our device should wait for communication. Let's go to client side of our LAN and +try to check if we can use our USB device. To check if device is available: -``` +```bash [22:29:37] pietrushnic:~ $ sudo usbip list -r 192.168.1.3 Exportable USB devices ====================== @@ -195,7 +199,7 @@ Exportable USB devices Where `192.168.1.3` is an IP of RPi. Everything seems to be ok. So let's try to attach it and do some test: -``` +```bash [22:31:11] pietrushnic:~ $ sudo usbip attach -r 192.168.1.3 -b 1-1.2 usbip: error: open vhci_driver usbip: error: query @@ -204,25 +208,29 @@ usbip: error: query Oops, looks like we don't have driver for client side. Let's see if it is compiled in my kernel as module: -``` +```bash grep USBIP /boot/config-`uname -r` CONFIG_USBIP_CORE=m CONFIG_USBIP_VHCI_HCD=m CONFIG_USBIP_HOST=m # CONFIG_USBIP_DEBUG is not set ``` + Great so we can load `vhci-hcd`: -``` +```bash sudo modprobe vhci-hcd ``` + And attach pendriver from RPi. What we have to use is IP address and bus id. -``` + +```bash sudo usbip attach -r 192.168.1.3 -b 1-1.2 ``` In dmesg we can find information about our device. -``` + +```bash [ 676.126820] usbip_core: module is from the staging directory, the quality is unknown, you have been warned. [ 676.127246] usbip_core: USB/IP Core v1.0.0 [ 676.127964] vhci_hcd: module is from the staging directory, the quality is unknown, you have been warned. @@ -267,7 +275,7 @@ In dmesg we can find information about our device. [ 695.941214] sd 6:0:0:0: [sdb] Attached SCSI removable disk ``` -Device show correct informations in `lsusb` output and `/proc/partitions`. +Device show correct information in `lsusb` output and `/proc/partitions`. ## Testing usbip @@ -276,18 +284,20 @@ important factor for `usbip` performance is latency. Simplest method to emulate WAN delays is `tc` from `iproute2` package. It is available by as default tool in Raspbian: -``` +```bash sudo tc qdisc add dev eth0 root netem delay 100ms #add device and set delay sudo tc qdisc change dev eth0 root netem delay 10ms #change delay ``` To test read speed I used `dd` by simply: -``` +```bash sudo dd if=/dev/sdb of=/dev/null bs=1M count=5 ``` + So I tried few values with my Kingston pendrive: -``` + +```bash 0ms : 1.7 MB/s 10ms : 968 kB/s 20ms : 652 kB/s @@ -304,25 +314,26 @@ So I tried few values with my Kingston pendrive: And something from `gnuplot` noob: -![](/img/usbip-rate.png) +![img](/img/usbip-rate.png) ### Cleanup Before we can disconnect device from RPi we have do few things. First detach port to which remote device was connected. Which port ? -``` +```bash sudo usbip port ``` Next detach device you want to disconnect: -``` +```bash sudo usbip detach -p 0 ``` Finally on RPi you can unbind device: -``` + +```bash sudo usbip unbind -b 1-1.2 ``` @@ -333,31 +344,32 @@ Now device can be removed. With various results I tried other devices. ### Android phone + I also tried to connect my Samsung GT-I9070. Unfortunately without luck: -``` +```bash hub 5-0:1.0: Cannot enable port 1. Maybe the USB cable is bad? hub 5-0:1.0: unable to enumerate USB device on port 1 ``` -I think it could be related with fact that my smartphone expose multiple -devices over one USB connection. What can be observed on `usbip` list: +I think it could be related with fact that my smartphone expose multiple devices +over one USB connection. What can be observed on `usbip` list: -``` +```bash - busid 1-1.2 (04e8:6860) 1-1.2:1.0 -> unknown 1-1.2:1.1 -> cdc_acm 1-1.2:1.2 -> cdc_acm ``` -I see this as opportunity to debug, understand -and fix the driver. + +I see this as opportunity to debug, understand and fix the driver. ### Arduino There was no problem with Arduino. I was even able to program it successfully. Unfortunately to big delay (in my case 300ms) cause software errors: -``` +```bash Binary sketch size: 1,056 bytes (of a 30,720 byte maximum) avrdude: stk500_getparm(): (a) protocol error, expect=0x14, resp=0x14 diff --git a/blog/content/post/2014-08-23-how-to-fix-backlight-issue-on-ideapad-y510p.md b/blog/content/post/2014-08-23-how-to-fix-backlight-issue-on-ideapad-y510p.md index 73b7babd..d056ebcf 100644 --- a/blog/content/post/2014-08-23-how-to-fix-backlight-issue-on-ideapad-y510p.md +++ b/blog/content/post/2014-08-23-how-to-fix-backlight-issue-on-ideapad-y510p.md @@ -13,16 +13,18 @@ tags: categories: - OS Dev --- + Today I decide to switch to latest kernel (`3.17-rc1`) on my IdeaPad y510p. I -hit only one annoying problem until now - after booting my main screen was dimmed. I -tried all instructions from top google hits for all possible configurations of -keywords `linux`, `y510p`, `backlight issue`, etc. +hit only one annoying problem until now - after booting my main screen was +dimmed. I tried all instructions from top google hits for all possible +configurations of keywords `linux`, `y510p`, `backlight issue`, etc. -Especially I tried all methods from [Arch Wiki](https://wiki.archlinux.org/index.php/Intel_graphics#Backlight_is_not_adjustable). +Especially I tried all methods from +[Arch Wiki](https://wiki.archlinux.org/index.php/Intel_graphics#Backlight_is_not_adjustable). Finally I found solution, by greping `modinfo` for my Intel graphics card: -``` +```bash [23:55:24] pietrushnic:~ $ sudo modinfo i915|grep backlight parm: invert_brightness:Invert backlight brightness (-1 force normal, \ 0 machine defaults, 1 force inversion), please report PCI device ID, subsystem \ @@ -33,7 +35,7 @@ machine needs it. It will then be included in an upcoming module version. (int) So simple modification in `/etc/default/grub` by adding kernel parameter to `GRUB_CMDLINE_LINUX_DEFAULT` fix the issue: -``` +```bash # If you change this file, run 'update-grub' afterwards to update # /boot/grub/grub.cfg. # For full documentation of the options in this file, see: @@ -49,7 +51,7 @@ GRUB_CMDLINE_LINUX="" After that: -``` +```bash sudo update-grub ``` diff --git a/blog/content/post/2014-09-20-virtualbox-dkms-fix-alloc_netdev-problems-when-compiling-with-3-17-0-rcx-headers.md b/blog/content/post/2014-09-20-virtualbox-dkms-fix-alloc_netdev-problems-when-compiling-with-3-17-0-rcx-headers.md index ef7b98b4..04fc604c 100644 --- a/blog/content/post/2014-09-20-virtualbox-dkms-fix-alloc_netdev-problems-when-compiling-with-3-17-0-rcx-headers.md +++ b/blog/content/post/2014-09-20-virtualbox-dkms-fix-alloc_netdev-problems-when-compiling-with-3-17-0-rcx-headers.md @@ -15,15 +15,16 @@ tags: categories: - App Dev --- -Intro ------ + +## Intro Because of my bug hunting approach of using latest kernel I experienced problem -with compiling VirtualBox modules with `3.17.0-rc5` version on my Debian Jessie. Issue is well -known and described for examples [here](https://bugs.launchpad.net/ubuntu/+source/virtualbox/+bug/1358157). +with compiling VirtualBox modules with `3.17.0-rc5` version on my Debian Jessie. +Issue is well known and described for examples +[here](https://bugs.launchpad.net/ubuntu/+source/virtualbox/+bug/1358157). Problem manifest itself with: -``` +```bash ------------------------------ Deleting module version: 4.3.14 completely from the DKMS tree. @@ -38,9 +39,10 @@ Job for virtualbox.service failed. See 'systemctl status virtualbox.service' and invoke-rc.d: initscript virtualbox, action "restart" failed. ``` -during `virtualbox-dkms` package installation or reconfiguration. In `make.log` you will find compilation error: +during `virtualbox-dkms` package installation or reconfiguration. In `make.log` +you will find compilation error: -``` +```bash CC [M] /var/lib/dkms/virtualbox/4.3.14/build/vboxnetadp/linux/VBoxNetAdp-linux.o /var/lib/dkms/virtualbox/4.3.14/build/vboxnetadp/linux/VBoxNetAdp-linux.c: In function ‘vboxNetAdpOsCreate’: /var/lib/dkms/virtualbox/4.3.14/build/vboxnetadp/linux/VBoxNetAdp-linux.c:186:48: error: macro "alloc_netdev" requires 4 arguments, but only 3 given @@ -66,20 +68,20 @@ make: Leaving directory '/usr/src/linux-headers-3.17.0-rc5+' For sure we have to wait for some time before new version of kernel and VirtualBox will catch up each other in Debian. -Fix source code of Debian package ----------------------------- +## Fix source code of Debian package Let's get get virtualbox package source, fix issues rebuild package and install -in the system. Patch to apply can be found [here](https://forums.virtualbox.org/viewtopic.php?p=296650#p296650). +in the system. Patch to apply can be found +[here](https://forums.virtualbox.org/viewtopic.php?p=296650#p296650). -``` +```bash apt-get source virtualbox-dkms cd virtualbox-4.3.14-dfsg ``` Now we can patch the sources with: -```diff +```bashdiff diff --git a/src/VBox/HostDrivers/VBoxNetAdp/linux/VBoxNetAdp-linux.c b/src/VBox/HostDrivers/VBoxNetAdp/linux/VBoxNetAdp-linux.c index c6b21a9cc199..9ccce6f32218 100644 --- a/src/VBox/HostDrivers/VBoxNetAdp/linux/VBoxNetAdp-linux.c @@ -133,28 +135,28 @@ index 21e124bda039..2a046a3b254a 100644 pHdrEx->pVmArea = pVmArea; ``` -Assuming you save above code in `my_patch` file and you are in `virtualbox` -dpkg source directory: +Assuming you save above code in `my_patch` file and you are in `virtualbox` dpkg +source directory: -```sh +```bashsh patch -p1 < my_patch ``` Install packages required to build: -``` +```bash sudo apt-get build-dep virtualbox ``` And build with: -```sh +```bashsh dpkg-buildpackage -uc -b ``` In result we should get all `virtualbox` packages. We need only `dkms`: -``` +```bash sudo dpkg -i ../virtualbox-dkms_4.3.14-dfsg-1_all.deb (Reading database ... 432638 files and directories currently installed.) diff --git a/blog/content/post/2014-10-15-raspberry-pi-kernel-repository-aggregating-patches-for-linux-mainline.md b/blog/content/post/2014-10-15-raspberry-pi-kernel-repository-aggregating-patches-for-linux-mainline.md index 1bb176b5..ec34e565 100644 --- a/blog/content/post/2014-10-15-raspberry-pi-kernel-repository-aggregating-patches-for-linux-mainline.md +++ b/blog/content/post/2014-10-15-raspberry-pi-kernel-repository-aggregating-patches-for-linux-mainline.md @@ -14,21 +14,21 @@ tags: categories: - OS Dev --- -Since several months I'm trying to find my way to embedded Linux programming. -My hardware set was very limited I had only one board that can be called -"embedded" and it was Raspberry Pi. Because I am more interested in firmware/OS -level then hardware I tried to figure out what is going on with RPi kernel. -After taking brief review of -[raspberrypi/linux](https://github.com/raspberrypi/linux) GitHub repository I -realized that close to my heart is upstreaming effort. So with noob attitude I -contacted RPi Upstreaming wiki page author ([notro](https://github.com/notro)) -and we started to create some foundation. - -_Disclaimer: These are for testing purposes and considered unstable. Use at your own risk._ -_Edit: 20/10/2014:_ minor typo, clone instructions moved to "How to use it ?" section - -What we have now ? ------------------- + +Since several months I'm trying to find my way to embedded Linux programming. My +hardware set was very limited I had only one board that can be called "embedded" +and it was Raspberry Pi. Because I am more interested in firmware/OS level then +hardware I tried to figure out what is going on with RPi kernel. After taking +brief review of [raspberrypi/linux](https://github.com/raspberrypi/linux) GitHub +repository I realized that close to my heart is upstreaming effort. So with noob +attitude I contacted RPi Upstreaming wiki page author +([notro](https://github.com/notro)) and we started to create some foundation. + +_Disclaimer: These are for testing purposes and considered unstable. Use at your +own risk._ _Edit: 20/10/2014:_ minor typo, clone instructions moved to "How to +use it ?" section + +## What we have now ? We created set of repositories to handle upstreaming process. @@ -36,44 +36,42 @@ First there is [rpi-dt-linux](https://github.com/pietrushnic/rpi-dt-linux.git) it is Linux kernel based on [linux-stable](https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/) with patches on top of every branch. This repository aims to aggregate all -patches required for Raspberry Pi support in upstream kernel. `rpi-dt-linux` -use `bcm2835_defconfig` with device tree support. We want to introduce every -driver that supports device tree. Right now a lot of stuff is missing, but I -will dive into it later. +patches required for Raspberry Pi support in upstream kernel. `rpi-dt-linux` use +`bcm2835_defconfig` with device tree support. We want to introduce every driver +that supports device tree. Right now a lot of stuff is missing, but I will dive +into it later. After consulting with [popcornmix](https://github.com/raspberrypi/linux/issues/698) we decide to -rebase all patches to keep them on top of every branch. This of course mean -that repository will be broken, but patches will be more visible in history. +rebase all patches to keep them on top of every branch. This of course mean that +repository will be broken, but patches will be more visible in history. -Second [rpi-dt-firmware](https://github.com/pietrushnic/rpi-dt-firmware) is ready -to use firmware files for Raspberry Pi with already built modules and kernel. -If you are familiar with [Hexxeh](https://github.com/Hexxeh) +Second [rpi-dt-firmware](https://github.com/pietrushnic/rpi-dt-firmware) is +ready to use firmware files for Raspberry Pi with already built modules and +kernel. If you are familiar with [Hexxeh](https://github.com/Hexxeh) [rpi-update](https://github.com/Hexxeh/rpi-update) and his repository [rpi-firmware](https://github.com/Hexxeh/rpi-firmware) this should not be anything new for you. -Third [rpi-bcm2835](https://github.com/notro/rpi-bcm2835) which simplifies -build and release process of `rpi-dt-linux`. +Third [rpi-bcm2835](https://github.com/notro/rpi-bcm2835) which simplifies build +and release process of `rpi-dt-linux`. -How to use it ? ---------------- +## How to use it ? ## User If you simply want to try new kernel on your RPi then install `rpi-update`, by: -``` +```bash sudo apt-get install rpi-update ``` on Raspbian or follow instruction from [Readme.md](https://github.com/Hexxeh/rpi-update) for other distributions. - To install latest release of `rpi-dt-firmware` use `rpi-update` on RPi: -``` +```bash sudo REPO_URI=https://github.com/pietrushnic/rpi-dt-firmware rpi-update ``` @@ -83,22 +81,21 @@ After update simply reboot your Pi and enjoy our upstream kernel :). If you want to play with the code I have few hints that can help. - First please clone `rpi-dt-linux` and `rpi-bcm2835` mentioned above. -``` +```bash git clone https://github.com/pietrushnic/rpi-dt-linux.git git clone https://github.com/notro/rpi-bcm2835.git ``` Then install [rpi-build](https://github.com/notro/rpi-build) following -instructions on [wiki](https://github.com/notro/rpi-build/wiki). Then you can -do few things: +instructions on [wiki](https://github.com/notro/rpi-build/wiki). Then you can do +few things: Build `rpi-dt-linux` locally. This will download latest snapshot of `rpi-dt-linux` and other dependencies like `u-boot` and cross-compiler. -``` +```bash cd path/to/rpi-bcm2835 rpi-build rpi-dt-linux clean build ``` @@ -106,44 +103,41 @@ rpi-build rpi-dt-linux clean build You can install already built kernel on your machine over ssh (replace `` with your Pi IP address): -``` +```bash rpi-build rpi-dt-linux install SSHIP= ``` If you want to use your own kernel repository just use `rpi-bcm2835` with local path: -``` +```bash RPI_DT_LINUX_LOCAL=../../rpi-dt-linux rpi-build rpi-dt-linux clean build ``` -NOTE: that additional level of `../` was added because rpi-build creates -workdir which is reference directory for it. +NOTE: that additional level of `../` was added because rpi-build creates workdir +which is reference directory for it. It is also possible to release your own firmware repository. To help with process there are two commands: -``` +```bash FW_REPO=/home/pietrushnic/src/rpi-dt-firmware FW_BRANCH=master rpi-build rpi-dt-linux commit FW_REPO=/home/pietrushnic/src/rpi-dt-firmware FW_BRANCH=master rpi-build rpi-dt-linux push ``` Obviously `FW_REPO` is a directory with firmware git repository. - -Changelog ---------- +## Changelog At the point of writing this post there were 3 releases of `rpi-dt-firmware`. We -applied v10 of [mailbox API](http://lwn.net/Articles/607424/) and Lubomir -Rintel `bcm2835-mbox`, `bcm2835-cpufreq` and `bcm2835-thermal` drivers from his +applied v10 of [mailbox API](http://lwn.net/Articles/607424/) and Lubomir Rintel +`bcm2835-mbox`, `bcm2835-cpufreq` and `bcm2835-thermal` drivers from his [repository](https://github.com/hackerspace/rpi-linux/commits/lr-raspberry-pi-new-mailbox). All updates are published in [README.md](https://github.com/pietrushnic/rpi-dt-firmware/blob/master/README.md) with every release. -Summary -------- +## Summary Of course we are happy with every contribution small and big, critique and process improvement hints. Let us know what you think about this effort. diff --git a/blog/content/post/2015-01-24-power-on-of-esp-12-esp8266.md b/blog/content/post/2015-01-24-power-on-of-esp-12-esp8266.md index e033db0f..da5cabc6 100644 --- a/blog/content/post/2015-01-24-power-on-of-esp-12-esp8266.md +++ b/blog/content/post/2015-01-24-power-on-of-esp-12-esp8266.md @@ -14,6 +14,7 @@ categories: - Firmware - IoT --- + ESP8266 is a SoC made by [Espressif](https://espressif.com). For last couple of months this chip is a rockstar of [HackADay](http://hackaday.com/) and makers community around the Internet. Mostly because of WiFi modules built based on it @@ -22,8 +23,8 @@ potential to be standalone MCU with WiFi capability for wide range of applications. In quantity you can get ESP-01 for $2.7 (for 1kpcs). Of course there is no free lunch. Documentation is weak (this is no TI), but [community](http://www.esp8266.com/) doing it's best to change this state. -Native interface of AT commands is also not the friendliest way of -communicating by beginners. But also for that market found solution - namely +Native interface of AT commands is also not the friendliest way of communicating +by beginners. But also for that market found solution - namely [NodeMCU](https://github.com/nodemcu/nodemcu-firmware). A while ago I bought ESP-01 and experiment a little bit with it. I quickly @@ -40,11 +41,11 @@ Because this board came in SMD package I found that [ElectroDragon](http://www.electrodragon.com/) provides also adapter to solder module and easily expose pins. -![](/img/esp-12-adapter.jpg) +![img](/img/esp-12-adapter.jpg) After applying my soldering-fu I get rewarding result. -![](/img/esp-12-soldered.jpg) +![img](/img/esp-12-soldered.jpg) ## Wiring @@ -53,15 +54,15 @@ ideally to prototype board. There is only one problem that adapter width put pins into first and last column of the standard 10 column (A-J) breadboard. Which give no ability to connect parallel wires, which was my initial idea. Because I didn't have u shape solderless jumpers to make connection clean I -splitted old Ethernet cable and get this: +split old Ethernet cable and get this: -![](/img/u-shape-jumpers.jpg) +![img](/img/u-shape-jumpers.jpg) -![](/img/esp-12-breadboard.jpg) +![img](/img/esp-12-breadboard.jpg) -Check connections couple of time to make sure that everything works fine. As -USB UART I used FT232RL based module. Current provided by USB UART module can -be insufficient that's why I used lab DC power supply. +Check connections couple of time to make sure that everything works fine. As USB +UART I used FT232RL based module. Current provided by USB UART module can be +insufficient that's why I used lab DC power supply. NOTE: Both ESP-12 and USB UART should be connected to the same GND. @@ -69,29 +70,28 @@ NOTE: Both ESP-12 and USB UART should be connected to the same GND. It wasn't simple. First I tried minicom with 115200 UART speed: -``` +```bash minicom -b 115200 -o -D /dev/ttyUSB0 ``` This module display bootloader messages at 115200. After booting it switches to -9600. If you booted and can't communicate but blue LED blinking when you type -this may indicate that you need reset try `AT+RST`. You -should get something like this: +9600\. If you booted and can't communicate but blue LED blinking when you type +this may indicate that you need reset try `AT+RST`. You should +get something like this: -![](/img/esp-12-minicom-1.png) +![img](/img/esp-12-minicom-1.png) There are lot of other commands like `AT+GMR` which give you firmware version. More commands you can find [here](http://wiki.iteadstudio.com/ESP8266_Serial_WIFI_Module#AT_Commands). Not -every firmware support all commands. To use more robust firmware you can -compile latest version of AT command or even modify it according to your needs. -Some instructions can be found -[here](https://github.com/esp8266/esp8266-wiki/wiki). +every firmware support all commands. To use more robust firmware you can compile +latest version of AT command or even modify it according to your needs. Some +instructions can be found [here](https://github.com/esp8266/esp8266-wiki/wiki). ## Summary -I think that ESP8266 has great potential to make pressure on market and -squeeze better solutions. There is a lot of interesting things going on around -ESP like MQTT implementation of firmware or recently released FreeRTOS SDK -from Espressif. I hope to write more about ESP-12 in future. If you think this -post was useful please leave a comment or share with friends. +I think that ESP8266 has great potential to make pressure on market and squeeze +better solutions. There is a lot of interesting things going on around ESP like +MQTT implementation of firmware or recently released FreeRTOS SDK from +Espressif. I hope to write more about ESP-12 in future. If you think this post +was useful please leave a comment or share with friends. diff --git a/blog/content/post/2015-01-25-esp-12-update-to-sdk-v0-9-5-and-at-v0-21-0-0-noobs-tutorial.md b/blog/content/post/2015-01-25-esp-12-update-to-sdk-v0-9-5-and-at-v0-21-0-0-noobs-tutorial.md index ed5adeaf..6143d62a 100644 --- a/blog/content/post/2015-01-25-esp-12-update-to-sdk-v0-9-5-and-at-v0-21-0-0-noobs-tutorial.md +++ b/blog/content/post/2015-01-25-esp-12-update-to-sdk-v0-9-5-and-at-v0-21-0-0-noobs-tutorial.md @@ -14,11 +14,13 @@ categories: - Firmware - IoT --- + January 23th Espressif published new ESP IOT SDK on their forum -[v0.9.5](http://bbs.espressif.com/viewtopic.php?f=5&t=154). My ESP-12 came with -with pretty old version so I decide to update it to latest one: +[v0.9.5](https://web.archive.org/web/20180103003322/http://bbs.espressif.com/viewtopic.php?f=5&t=154). +My ESP-12 came with with pretty old version so I decide to update it to +latest one: -``` +```bash AT+RST OK @@ -33,16 +35,17 @@ OK ## ESP-12 firmware update pin configuration -![](/img/esp-12-update.jpg) +![img](/img/esp-12-update.jpg) As picture presents in addition to normal operation we have to pull down GPIO0 and pull up GPIO2. ## Upgrade using binaries from Espressif -To upgrade you can use binaries that where delivered in zip packaged and python [esptool](). Run following commands: +To upgrade you can use binaries that where delivered in zip packaged and python +[esptool](https://github.com/espressif/esptool). Run following commands: -``` +```bash git clone git@github.com:themadinventor/esptool.git wget --content-disposition "http://bbs.espressif.com/download/file.php?id=189" unzip esp_iot_sdk_v0.9.5_15_01_23.zip @@ -55,7 +58,7 @@ from forum and finally we ran `esptool`. If you will get something like this: -``` +```bash Connecting... Traceback (most recent call last): File "../../esptool/esptool.py", line 408, in @@ -70,7 +73,7 @@ You can work around this by toggling power to the module right before executing Successful flashing looks like this: -``` +```bash [1:00:21] pietrushnic:bin $ ../../esptool/esptool.py write_flash 0x00000 boot_v1.2.bin 0x01000 at/user1.512.new.bin 0x3e000 blank.bin 0x7e000 blank.bin Connecting... Erasing flash... @@ -88,7 +91,7 @@ Leaving... After disconnecting GPIO0 and GPIO2 you can boot new firmware. Results should look like this: -``` +```bash AT+RST OK @@ -134,12 +137,13 @@ created by [ESP8266 Community Forum](http://www.esp8266.com/) published in `esp-open-sdk` at the moment of writing this post didn't support `v0.9.5` SDK, but adding this support was pretty straight forward and can be found on my -github for of the [repo](https://github.com/pietrushnic/esp-open-sdk.git). -There is also [pending PR](https://github.com/pfalcon/esp-open-sdk/pull/18) that hopefully will be merged. +github for of the [repo](https://github.com/pietrushnic/esp-open-sdk.git). There +is also [pending PR](https://github.com/pfalcon/esp-open-sdk/pull/18) that +hopefully will be merged. Procedure is straight forward to follow: -``` +```bash git clone git@github.com:pietrushnic/esp-open-sdk.git #or use https with https://github.com/pietrushnic/esp-open-sdk.git cd esp-open-sdk git co v0.9.5-support @@ -149,31 +153,32 @@ make `sed` command will cause using `0.9.5` string as `VENDOR_SDK` for default build. -On my i7-4700 single threaded compilation takes ~20min. BTW I'm trying to -figure out why I cannot use multiple jobs +On my i7-4700 single threaded compilation takes ~20min. BTW I'm trying to figure +out why I cannot use multiple jobs [here](https://github.com/pfalcon/esp-open-sdk/issues/19). Final message should contain something like: -``` +```bash export PATH=/home/pietrushnic/tmp/esp-open-sdk/xtensa-lx106-elf/bin:$PATH ``` Just execute this command in your shell. If you missed that message run `make` -again it should skip all already compiled parts and display final message -again. +again it should skip all already compiled parts and display final message again. ## Toolchain usage To use toolchain with example code from `v0.9.5` SDK you can simply: -``` +```bash cd esp_iot_sdk_v0.9.5 ``` -Use package like it was presented in "Upgrade using binaries from Espressif" section. Trying to compile exmaples in `esp-open-sdk` will give you error like this: +Use package like it was presented in "Upgrade using binaries from Espressif" +section. Trying to compile examples in `esp-open-sdk` will give you error like +this: -``` +```bash ../../Makefile:154: warning: overriding recipe for target 'clean' ../Makefile:258: warning: ignoring old recipe for target 'clean' You cloned without --recursive, fetching submodules for you. @@ -186,14 +191,15 @@ make: *** [crosstool-NG/ct-ng] Error 2 When inside `esp_iot_sdk_v0.9.5`: -``` +```bash cp -r examples/at . make COMPILE=gcc ``` -Ommiting `COMPILE=gcc` will result in error caused by using differen compiler name: +Omitting `COMPILE=gcc` will result in error caused by using different compiler +name: -``` +```bash make[1]: Entering directory '/home/pietrushnic/src/espressif/esp_iot_sdk_v0.9.5/at/user' DEPEND: xt-xcc -M -Os -g -O2 -Wpointer-arith -Wundef -Werror -Wl,-EL -fno-inline-functions -nostdlib -mlongcalls -mtext-section-literals -DICACHE_FLASH -I include -I ./ -I ../../include/ets -I ../include -I ../../include -I ../../include/eagle user_main.c /bin/sh: 2: xt-xcc: not found @@ -208,7 +214,7 @@ make: *** [.subdirs] Error 2 Correct output looks like this: -``` +```bash make[1]: Entering directory '/home/pietrushnic/src/espressif/esp_iot_sdk_v0.9.5/at/user' DEPEND: xtensa-lx106-elf-gcc -M -Os -g -O2 -Wpointer-arith -Wundef -Werror -Wl,-EL -fno-inline-functions -nostdlib -mlongcalls -mtext-section-literals -DICACHE_FLASH -I include -I ./ -I ../../include/ets -I ../include -I ../../include -I ../../include/eagle user_main.c xtensa-lx106-elf-gcc -Os -g -O2 -Wpointer-arith -Wundef -Werror -Wl,-EL -fno-inline-functions -nostdlib -mlongcalls -mtext-section-literals -DICACHE_FLASH -I include -I ./ -I ../../include/ets -I ../include -I ../../include -I ../../include/eagle -o .output/eagle/debug/obj/user_main.o -c user_main.c @@ -219,7 +225,7 @@ xtensa-lx106-elf-gcc -L../lib -nostdlib -T../ld/eagle.app.v6.ld -Wl,--no-check- !!! No boot needed. -Generate eagle.flash.bin and eagle.irom0text.bin successully in folder bin. +Generate eagle.flash.bin and eagle.irom0text.bin successfully in folder bin. eagle.flash.bin-------->0x00000 eagle.irom0text.bin---->0x40000 !!! @@ -228,7 +234,7 @@ eagle.irom0text.bin---->0x40000 Now `../bin` directory contain `eagle.flash.bin` and `eagle.irom0text.bin`, which you can use to flash your ESP8266 using `esptool`: -``` +```bash ../../esptool/esptool.py write_flash 0x00000 eagle.flash.bin 0x40000 eagle.irom0text.bin ``` diff --git a/blog/content/post/2015-09-01-setup-for-linux-kernel-development-on-cubietruck.md b/blog/content/post/2015-09-01-setup-for-linux-kernel-development-on-cubietruck.md index 80696f9a..7c29c4bc 100644 --- a/blog/content/post/2015-09-01-setup-for-linux-kernel-development-on-cubietruck.md +++ b/blog/content/post/2015-09-01-setup-for-linux-kernel-development-on-cubietruck.md @@ -14,58 +14,47 @@ tags: categories: - OS Dev --- + During last couple of months I see quite big interest in building products on [A20](http://linux-sunxi.org/A20) SoC. This chip can be bought for 6USD in quantity. Most important features are: -* Dual-Core ARM Cortex-A7 (ARMv7) -* Mali-400 MP2 -* HDMI, VGA and LCD -* MMC and NAND -* OTG and 2 Host ports +- Dual-Core ARM Cortex-A7 (ARMv7) +- Mali-400 MP2 +- HDMI, VGA and LCD +- MMC and NAND +- OTG and 2 Host ports Tracking media related to low-end mobile market IMHO the hottest SoCs are Allwinner A20 and Rockchip RK3288. -A20 ship with dozen development boards like Cubieboard or pcDuino series, -Banana Pi, MarsBoard or Hummingbird. About a year ago I choose to buy -Cubietruck and this led to couple interesting projects from porting +A20 ship with dozen development boards like Cubieboard or pcDuino series, Banana +Pi, MarsBoard or Hummingbird. About a year ago I choose to buy Cubietruck and +this led to couple interesting projects from porting [USBSniffer](http://elinux.org/BeagleBoard/GSoC/2010_Projects/USBSniffer) to writing bare-metal bootloader based on U-boot code. Below setup is not -complicated but contain many pieces and looking for correct procedure for each one -is headache. Especially I felt that when I did it once couple months ago and -was not able to recover my setup without over a day of googling. Because I -of that I decided to write this post and leave notes for me and -others who want bootstrap Cubietruck setup. - -Some configs and scripts can be found on [github repo](https://github.com/pietrushnic/ct-dev-setup). +complicated but contain many pieces and looking for correct procedure for each +one is headache. Especially I felt that when I did it once couple months ago and +was not able to recover my setup without over a day of googling. Because I of +that I decided to write this post and leave notes for me and others who want +bootstrap Cubietruck setup. -![](/img/ct-dev.jpg) +Some configs and scripts can be found on +[github repo](https://github.com/pietrushnic/ct-dev-setup). -## Table of contents - -* [General approach](#general) -* [Quick TFTP setup](#tftp) -* [Quick NFS setup](#nfs) -* [Toolchain](#toolchain) -* [U-Boot](#uboot) -* [Linux kernel](#linux) -* [Rootfs](#rootfs) -* [Let's put it all together](#sdcard) -* [Known issues](#issues) +![img](/img/ct-dev.jpg) ## Prerequisites -* Linux development workstation (I use Debian stretch/sid) -* USB to TTL serial adapter - best would be with original FT232RL, but Chinese +- Linux development workstation (I use Debian stretch/sid) +- USB to TTL serial adapter - best would be with original FT232RL, but Chinese substitutes also works -* microSD card -* Ethernet cable - to connect your CT to router -* good power supply 5V/2.5A - USB should also work when taking care about power +- microSD card +- Ethernet cable - to connect your CT to router +- good power supply 5V/2.5A - USB should also work when taking care about power budget of whole setup -* HDMI or VGA monitor - nice to have +- HDMI or VGA monitor - nice to have - ## General approach Bootloader (U-Boot) obtain IP address dynamically then using hard coded @@ -80,91 +69,89 @@ kernel I toggle config on tftp server. Below I put together various pieces spread across network to have it in one place. - ## Quick TFTP setup -``` +```bash sudo apt-get install tftpd-hpa ``` To check if TFTP listen: -``` +```bash [23:12:39] pietrushnic:~ $ netstat -an|grep :69 udp 0 0 0.0.0.0:69 0.0.0.0:* ``` -It would be useful to have separate directory if in future setup will be enhanced for other boards: +It would be useful to have separate directory if in future setup will be +enhanced for other boards: -``` +```bash sudo mkdir -p /srv/tftp/ct/{ml,sunxi} ``` - ## Quick NFS setup -``` +```bash sudo apt-get install nfs-kernel-server sudo mkdir /srv/nfs sudo vim /etc/exports ``` Add line like this: -``` + +```bash /srv/nfs *(rw,sync,no_root_squash,no_subtree_check) ``` Create direcrtory for root filesystems: -``` +```bash sudo mkdir -p /srv/nfs/ct ``` Restart NFS: -``` +```bash sudo service nfs-kernel-server restart ``` - ## Toolchain I'm using Linaro toolchain based on GCC4.9 you can download package [here](http://releases.linaro.org/components/toolchain/binaries/4.9-2016.02/arm-linux-gnueabihf/). -``` +```bash tar xf gcc-linaro-4.9-2015.05-x86_64_arm-linux-gnueabihf.tar.xz export PATH=${PATH}:${PWD}/gcc-linaro-4.9-2015.05-x86_64_arm-linux-gnueabihf/bin/ ``` To verify this step you can try: -``` -[23:24:01] pietrushnic:~ $ arm-linux-gnueabihf-gcc +```bash +[23:24:01] pietrushnic:~ $ arm-linux-gnueabihf-gcc arm-linux-gnueabihf-gcc: fatal error: no input files compilation terminated. ``` - ## U-Boot (2015.10-rc2) -``` +```bash git clone git://git.denx.de/u-boot.git cd u-boot make CROSS_COMPILE=arm-linux-gnueabihf- Cubietruck_defconfig make CROSS_COMPILE=arm-linux-gnueabihf- menuconfig ``` -To boot `sunxi-3.4` setting `ARM architecture -> Enable workarounds for booting -old kernels` is required. +To boot `sunxi-3.4` setting +`ARM architecture -> Enable workarounds for booting old kernels` is required. -``` +```bash make CROSS_COMPILE=arm-linux-gnueabihf- -j$(nproc) ``` Log like this: -``` +```bash [23:42:38] pietrushnic:u-boot git:(master) $ make CROSS_COMPILE=arm-linux-gnueabihf- -j8 make: arm-linux-gnueabihf-gcc: Command not found /bin/sh: 1: arm-linux-gnueabihf-gcc: not found @@ -188,14 +175,14 @@ scripts/Makefile.autoconf:75: recipe for target 'spl/include/autoconf.mk' failed make[1]: *** [spl/include/autoconf.mk] Error 1 make: *** No rule to make target 'include/config/auto.conf', needed by 'include/config/uboot.release'. Stop. ``` + means that you incorrectly set [toolchain](#toolchain). - ## Linux kernel ### sunxi-3.4 kernel -``` +```bash git clone -b sunxi-3.4 --depth 1 https://github.com/linux-sunxi/linux-sunxi.git cd linux-sunxi make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- sun7i_defconfig @@ -204,7 +191,7 @@ make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- sun7i_defconfig Ethernet driver have to be built-in, because when included as module do not start early enough to mount rootfs over NFS. -``` +```bash sed -i 's:CONFIG_SUNXI_GMAC=m:CONFIG_SUNXI_GMAC=y:g' .config make -j$(nproc) ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- uImage modules make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- INSTALL_MOD_PATH=output modules_install @@ -213,7 +200,7 @@ cd .. #### script.bin -``` +```bash git clone git://github.com/linux-sunxi/sunxi-tools.git git clone git://github.com/linux-sunxi/sunxi-boards.git cd sunxi-tools @@ -223,7 +210,7 @@ cd sunxi-boards vim sys_config/a20/cubietruck.fex ``` -``` +```bash diff --git a/sys_config/a20/cubietruck.fex b/sys_config/a20/cubietruck.fex index 7f8ec02911d6..d86dc5cb23a0 100644 --- a/sys_config/a20/cubietruck.fex @@ -236,35 +223,36 @@ index 7f8ec02911d6..d86dc5cb23a0 100644 +MAC = "FEEDDEADBEEF" ``` -To generate MAC you can use [this tool](http://www.miniwebtool.com/mac-address-generator/) or you can give your -Cubietruck MAC if you know it. One way to figure it out is flash only U-boot and run +To generate MAC you can use +[this tool](http://www.miniwebtool.com/mac-address-generator/) or you can give +your Cubietruck MAC if you know it. One way to figure it out is flash only +U-boot and run -``` +```bash printenv ethaddr ``` To generate `script.bin`: -``` +```bash ../sunxi-tools/fex2bin sys_config/a20/cubietruck.fex script.bin ``` ### Mainline kernel (sunxi-next 387a2c191af6 4.2.0-rc4) -``` +```bash git clone git://github.com/mripard/linux.git -b sunxi-next cd linux make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- sunxi_defconfig make -j$(nproc) ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- zImage dtbs make ARCH=arm CROSS_COMPILE=arm-linux-gnueabihf- INSTALL_MOD_PATH=output modules modules_install -``` - - +```bash ## Rootfs -Based on [Olimex guide](https://olimex.wordpress.com/2014/07/21/how-to-create-bare-minimum-debian-wheezy-rootfs-from-scratch/). +Based on +[Olimex guide](https://olimex.wordpress.com/2014/07/21/how-to-create-bare-minimum-debian-wheezy-rootfs-from-scratch/). -``` +```bash sudo apt-get install qemu-user-static targetdir=rootfs distro=wheezy @@ -288,7 +276,7 @@ dpkg-reconfigure locales In this place I prefer to use en_US.UTF-8 as a _lingua franca_ of Linux world. Next we will install couple of tools that are almost always useful. -``` +```bash apt-get install openssh-server ntpdate git vim passwd cat <> /etc/network/interfaces @@ -306,19 +294,17 @@ sudo rm $targetdir/usr/bin/qemu-arm-static At this point it is good to make a backup copy. Time consuming but with very small output: -``` +```bash sudo XZ_OPT=-9 tar cJf rootfs.tar.xz rootfs ``` - - ## Let's put it all together ### Prepare SD card Assuming your SD card is on `/dev/sdc` -``` +```bash sudo umount /dev/sdc1 #umount any automatically mounted partitions card=/dev/sdc sudo dd if=/dev/zero of=${card} bs=1M count=1 #clean partition table @@ -326,7 +312,7 @@ sudo dd if=/dev/zero of=${card} bs=1M count=1 #clean partition table Partitioning: -``` +```bash cat << EOT | sudo sfdisk ${card} 2048,1024,c EOT @@ -334,13 +320,13 @@ EOT Flash U-Boot image: -``` +```bash sudo dd if=u-boot-sunxi-with-spl.bin of=${card} bs=1024 seek=8 ``` Format and mount boot partition: -``` +```bash sudo mkfs.vfat ${card}1 sudo mount ${card}1 /mnt ``` @@ -349,7 +335,7 @@ Below script add flexibility to booting process by allowing user to replace on server `boot.scr`. This makes Cubietruck able to dual boot `sunxi-3.4` and `mainline` kernel. Please replace `` with your TFTP address. -``` +```bash cat < boot.cmd # this file should be placed on boot SD card partition setenv serverip @@ -362,7 +348,7 @@ EOT Make U-Boot readable image: -``` +```bash mkimage -C none -A arm -T script -d boot.cmd boot.scr sudo cp boot.scr /mnt sudo umount /mnt @@ -373,23 +359,23 @@ Now you can put your SD card into Cubietruck. ### Prepare NFS and TFTP content Copy kernel and files required to boot: -``` + +```bash sudo cp linux-sunxi/arch/arm/boot/zImage /srv/tftp/ct/sunxi sudo cp sunxi-boards/script.bin /srv/tftp/ct/sunxi sudo cp linux/arch/arm/boot/zImage /srv/tftp/ct/ml sudo cp linux/arch/arm/boot/dts/sun7i-a20-cubietruck.dtb /srv/tftp/ct/ml ``` - Copy filesystem to NFS server directory: -``` +```bash sudo cp -r rootfs /srv/nfs/ct ``` Copy modules: -``` +```bash sudo cp -r linux-sunxi/output/lib /srv/nfs/ct/rootfs sudo cp -r linux/output/lib /srv/nfs/ct/rootfs ``` @@ -397,7 +383,8 @@ sudo cp -r linux/output/lib /srv/nfs/ct/rootfs #### Create U-Boot scripts for sunxi and mainline Sunxi script will look like this: -``` + +```bash cat < boot.cmd.sunxi setenv bootm_boot_mode sec tftp 0x43000000 ct/sunxi/script.bin @@ -413,13 +400,14 @@ EOT Make U-Boot readable image: -``` +```bash mkimage -C none -A arm -T script -d boot.cmd.sunxi boot.scr.sunxi sudo cp boot.scr.sunxi /srv/tftp/ct/sunxi ``` Mainline script will look like this: -``` + +```bash cat < boot.cmd.ml tftp 0x46000000 ct/ml/zImage tftp 0x49000000 ct/ml/sun7i-a20-cubietruck.dtb @@ -433,20 +421,20 @@ EOT Make U-Boot readable image: -``` +```bash mkimage -C none -A arm -T script -d boot.cmd.ml boot.scr.ml sudo cp boot.scr.ml /srv/tftp/ct/ml ``` - ## Known issues ### TFTP error: 'Unsupported option(s) requested' (8) -This problem was discussed [here](http://lists.denx.de/pipermail/u-boot/2015-August/225129.html). -You can fix it by changing TFTP `TIMEOUT`: +This problem was discussed +[here](http://lists.denx.de/pipermail/u-boot/2015-August/225129.html). You can +fix it by changing TFTP `TIMEOUT`: -``` +```bash diff --git a/net/tftp.c b/net/tftp.c index 18ce84c20214..33fe4e47a616 100644 --- a/net/tftp.c @@ -468,13 +456,13 @@ Recompile U-boot and flash it on SD card again. You can boot to `sunxi-3.4` kernel by simply: -``` +```bash sudo cp /srv/tftp/ct/sunxi/boot.scr.sunxi /srv/tftp/ct/boot.scr ``` And switch to mainline kernel using: -``` +```bash sudo cp /srv/tftp/ct/ml/boot.scr.ml /srv/tftp/ct/boot.scr ``` diff --git a/blog/content/post/2015-09-16-building-android-4-2-livesuit-image-for-cubietruck-allwinner-a20.md b/blog/content/post/2015-09-16-building-android-4-2-livesuit-image-for-cubietruck-allwinner-a20.md index 0fa70be1..059f9f71 100644 --- a/blog/content/post/2015-09-16-building-android-4-2-livesuit-image-for-cubietruck-allwinner-a20.md +++ b/blog/content/post/2015-09-16-building-android-4-2-livesuit-image-for-cubietruck-allwinner-a20.md @@ -14,6 +14,7 @@ tags: categories: - OS Dev --- + Treating A20 boards like outdated piece of HW by vendors makes building Android for Cubietruck not trivial task. Finding documentation, mailing list or blog post that clearly describe steps is almost impossible. Most of links to SDK are @@ -30,19 +31,21 @@ cubietech sever. > Edit 19.06.2023: There is no possibility to download this repo nowadays. -Based on other [instruction](http://docs.cubieboard.org/tutorials/ct1/installation/cb3_a20-compiling_android_image_for_cubietruck) that I hit previously (but download link was broken) I run build process: +Based on other +[instruction](http://docs.cubieboard.org/tutorials/ct1/installation/cb3_a20-compiling_android_image_for_cubietruck) +that I hit previously (but download link was broken) I run build process: -``` +```bash cd lichee ./build.sh -p sun7i_android ``` ## Lichee compilation error -World would be too beautiful if everything would work right out of the box, so -I hit this very informative build error: +World would be too beautiful if everything would work right out of the box, so I +hit this very informative build error: -``` +```bash make: Entering directory '/home/pietrushnic/storage/wdc/projects/3mdeb/cubietruck/cubietruck_android/a20-android4.2_lichee/linux-3.4/modules/mali' /home/pietrushnic/projects/3mdeb/cubietruck/cubietruck_android/a20-android4.2_lichee/linux-3.4 make -C DX910-SW-99002-r3p2-01rel2/driver/src/devicedrv/ump CONFIG=ca8-virtex820-m400-1 BUILD=release KDIR=/home/pietrushnic/projects/3mdeb/cubietruck/cubietruck_android/a20-android4.2_lichee/linux-3.4 @@ -72,7 +75,7 @@ thinking much about fix I just changed incorrectly generated define to driver version string. This string will be presented in UMP modinfo. Patch which fix above looks like that: -``` +```bashdiff diff --git a/linux-3.4/modules/mali/DX910-SW-99002-r3p2-01rel2/driver/src/devicedrv/ump/Kbuild b/linux-3.4/modules/mali/DX910-SW-99002-r3p2-01rel2/driver/src/devicedrv/ump/Kbuild index 042745d0c757..608a7ba97f95 100755 --- a/linux-3.4/modules/mali/DX910-SW-99002-r3p2-01rel2/driver/src/devicedrv/ump/Kbuild @@ -95,7 +98,7 @@ index 042745d0c757..608a7ba97f95 100755 After above change repeated build command finish without errors. -``` +```bash ./build.sh -p sun7i_android ``` @@ -103,17 +106,16 @@ After above change repeated build command finish without errors. I assume you directory layout looks like this: -``` +```bash . ├── a20-android4.2_android └── lichee ``` -Go to Android directory and source environment setup script. Android do not -like shells other then bash, so change you shell if you using something -different: +Go to Android directory and source environment setup script. Android do not like +shells other then bash, so change you shell if you using something different: -``` +```bash cd a20-android4.2_android bash source build/envsetup.sh @@ -122,7 +124,7 @@ lunch You will get menu which will look like this: -``` +```bash You're building on Linux Lunch menu... pick a combo: @@ -152,7 +154,7 @@ Lunch menu... pick a combo: Of course our target is `sugar_cubietruck-eng`, so type `16`. Then copy kernel and modules using `extract-bsp` function and start build: -``` +```bash extract-bsp make -j$(nproc) ``` @@ -162,7 +164,7 @@ make -j$(nproc) Android expects make in version 3.81 or 3.82 and recent distros (like my Debian stretch/sid) have make>=4.0. Problem signature looks like this: -``` +```bash build/core/main.mk:45: ******************************************************************************** build/core/main.mk:46: * You are using version 4.0 of make. build/core/main.mk:47: * Android can only be built by versions 3.81 and 3.82. @@ -173,7 +175,7 @@ build/core/main.mk:50: *** stopping. Stop. You can workaround this problem using below patch: -``` +```bash diff --git a/build/core/main.mk b/build/core/main.mk index 87488f452a9d..ce366bee6ced 100644 --- a/build/core/main.mk @@ -194,14 +196,14 @@ index 87488f452a9d..ce366bee6ced 100644 endif -endif - # Absolute path of the present working direcotry. + # Absolute path of the present working directory. ``` ### Java SE 1.6 required If your distro is not prepared you can hit something like this: -``` +```bash ************************************************************ You are attempting to build with the incorrect version of java. @@ -216,21 +218,22 @@ Please follow the machine setup instructions at To fix this issues add this repo to your `/etc/apt/sources.list` -``` +```bash deb http://ppa.launchpad.net/webupd8team/java/ubuntu precise main deb-src http://ppa.launchpad.net/webupd8team/java/ubuntu precise main ``` Then update and install required Java SDK. -``` +```bash sudo apt-get update sudo apt-get install sun-java6-jdk ``` -You also may need to update alternatives if Java SE 1.6 was installed previously: +You also may need to update alternatives if Java SE 1.6 was installed +previously: -``` +```bash sudo update-alternatives --config java #correct is /usr/lib/jvm/java-6-oracle/jre/bin/java sudo update-alternatives --config javac #correct is /usr/lib/jvm/java-6-oracle/bin/javac ``` @@ -239,7 +242,7 @@ sudo update-alternatives --config javac #correct is /usr/lib/jvm/java-6-oracle/b If you will hit some weird compiler errors like this: -``` +```bash In file included from /usr/include/endian.h:60:0, from /home/pietrushnic/storage/wdc/projects/3mdeb/cubietruck/cubietruck_android/a20-android4.2_android/prebuilts/gcc/linux-x86/host/i686-linux-glibc2.7-4.6/bin/../sysroot/usr/include/sys/types.h:217, from cts/suite/audio_quality/lib/src/FileUtil.cpp:18: @@ -256,19 +259,20 @@ In file included from frameworks/native/include/utils/RefBase.h:24:0, This mean that you have missing dependencies. On Debian you can fix this with: -``` +```bash sudo apt-get install bison g++-multilib git gperf libxml2-utils make python-networkx zip xsltproc ``` After all above fixes running make again should build the image: -``` +```bash make -j$(nproc) ``` -It took some time, so you can go for coffee. Final messaged for passed build should look like this: +It took some time, so you can go for coffee. Final messaged for passed build +should look like this: -``` +```bash Running: simg2img out/target/product/sugar-cubietruck/obj/PACKAGING/systemimage_intermediates/system.img out/target/product/sugar-cubietruck/obj/PACKAGING/systemimage_intermediates/unsparse_system.img Running: e2fsck -f -n out/target/product/sugar-cubietruck/obj/PACKAGING/systemimage_intermediates/unsparse_system.img e2fsck 1.41.14 (22-Dec-2010) @@ -284,13 +288,13 @@ out/target/product/sugar-cubietruck/system.img+out/target/product/sugar-cubietru ### Pack image -``` +```bash pack ``` In output it will tell you where your image is: -``` +```bash ----------image is at---------- /home/pietrushnic/storage/wdc/projects/3mdeb/cubietruck/cubietruck_android/lichee/tools/pack/sun7i_android_sugar-cubietruck.img @@ -301,18 +305,19 @@ pack finish ## Image installation -Image can be installed using LiveSuit. Flashing instructions can be found on [sunxi wiki](http://linux-sunxi.org/LiveSuit). +Image can be installed using LiveSuit. Flashing instructions can be found on +[sunxi wiki](http://linux-sunxi.org/LiveSuit). ## Summary -![](/img/ct-android-1.jpg) +![img](/img/ct-android-1.jpg) -As you can see Android boots to initial screen and it looks like we have -working prcedure for building Cubietech Android SDK. This gives good ground for -future experimentation. +As you can see Android boots to initial screen and it looks like we have working +prcedure for building Cubietech Android SDK. This gives good ground for future +experimentation. Hopefully above instructions works for you and will not outdate soon. If you -found any problems/errors please let me know in comment. I you think content -can be useful to others please share. +found any problems/errors please let me know in comment. I you think content can +be useful to others please share. Thanks for reading. diff --git a/blog/content/post/2015-10-27-linux-rpi-and-usb-over-ip-updated.md b/blog/content/post/2015-10-27-linux-rpi-and-usb-over-ip-updated.md index d6636743..5af5972e 100644 --- a/blog/content/post/2015-10-27-linux-rpi-and-usb-over-ip-updated.md +++ b/blog/content/post/2015-10-27-linux-rpi-and-usb-over-ip-updated.md @@ -16,10 +16,11 @@ tags: categories: - OS Dev --- + Because of increasing interesting in USB over IP topic I decided to refresh my -[old post](2014/08/18/linux-rpi-and-usb-over-ip/). I will focus on doing the -same thing with more recent version of Raspabian. If you need more information -please read my previous post. +[old post](https://blog.3mdeb.com/2014/2014-08-18-linux-rpi-and-usb-over-ip/). +I will focus on doing the same thing with more recent version of Raspabian. +If you need more information please read my previous post. ## Setup SD card @@ -27,27 +28,27 @@ First get recent version of [Raspbian](https://www.raspberrypi.org/downloads/raspbian/), then unzip and dd it to SD card: -``` +```bash sudo dd bs=4M if=2015-09-24-raspbian-jessie.img of=/dev/sdc ``` -If you are impatient and want to know what happen in background you can use -this method of tracking dd progress: +If you are impatient and want to know what happen in background you can use this +method of tracking dd progress: -``` +```bash sudo sh -c "while true; do killall -USR1 dd; sleep 1; done" ``` Before removing card we have to be sure that all data were wrote to card: -``` +```bash sync ``` If this operation takes time you can watch progress work writeback and dirty kilobytes using: -``` +```bash watch grep -e Dirty: -e Writeback: /proc/meminfo ``` @@ -58,7 +59,7 @@ When sync will finish you can remove SD card and sanity check booting on RPi. After booting you should be able to ssh to your RPi and check if USBIP was compiled in your kernel. -``` +```bash pi@raspberrypi ~ $ sudo modprobe configs pi@raspberrypi ~ $ zcat /proc/config.gz |grep USBIP CONFIG_USBIP_CORE=m @@ -75,21 +76,21 @@ recent Raspbian. Unfortunately `usbip` user space tools are not available from scratch and have to be installed: -``` +```bash sudo apt-get install usbip ``` Then you can run server: -``` +```bash pi@raspberrypi ~ $ sudo modprobe usbip-core pi@raspberrypi ~ $ sudo modprobe usbip-host pi@raspberrypi ~ $ sudo usbipd -D ``` -Without connecting anything we get only internal Ethernet device when listing: +Without connecting anything we get only internal Ethernet device when listing: -``` +```bash pi@raspberrypi ~ $ usbip list -l - busid 1-1.1 (0424:ec00) Standard Microsystems Corp. : SMSC9512/9514 Fast Ethernet Adapter (0424:ec00) @@ -97,7 +98,7 @@ pi@raspberrypi ~ $ usbip list -l Let's put some memory stick and check again: -``` +```bash pi@raspberrypi ~ $ usbip list -l - busid 1-1.1 (0424:ec00) Standard Microsystems Corp. : SMSC9512/9514 Fast Ethernet Adapter (0424:ec00) @@ -108,7 +109,7 @@ pi@raspberrypi ~ $ usbip list -l Good `usbip` see our storage device. Let's try to bind it: -``` +```bash pi@raspberrypi ~ $ sudo usbip --debug bind -b 1-1.2 usbip: debug: /build/linux-tools-06nnfo/linux-tools-3.16/drivers/staging/usbip/userspace/src/usbip.c:141:[run_command] running command: `bind' usbip: info: bind device on busid 1-1.2: complete @@ -119,7 +120,7 @@ usbip: info: bind device on busid 1-1.2: complete Let's check if device was correctly exposed by server on RPi. Of course we need `usbip` package installed. -``` +```bash [13:28:50] pietrushnic:~ $ sudo usbip list -r 192.168.0.105 Exportable USB devices ====================== @@ -129,12 +130,12 @@ Exportable USB devices : (Defined at Interface level) (00/00/00) ``` -Information is even more accurate then on RPi. Of course `192.168.0.105` have -to be replaced with you IP address. +Information is even more accurate then on RPi. Of course `192.168.0.105` have to +be replaced with you IP address. Quickly check if client support correct modules: -``` +```bash [13:18:36] pietrushnic:~ $ grep USBIP /boot/config-`uname -r` CONFIG_USBIP_CORE=m CONFIG_USBIP_VHCI_HCD=m @@ -144,17 +145,17 @@ CONFIG_USBIP_HOST=m Everything looks ok. Let's load hos module: -``` +```bash sudo modprobe vhci-hcd ``` Now we can attach remote storage: -``` +```bash sudo usbip attach -r 192.168.0.105 -b 1-1.3 ``` -``` +```bash [13:29:15] pietrushnic:~ $ sudo fdisk -l /dev/sdd GPT PMBR size mismatch (13695 != 3911615) will be corrected by w(rite). Disk /dev/sdd: 1.9 GiB, 2002747392 bytes, 3911616 sectors @@ -173,7 +174,7 @@ EFI shellia32.efi shellx64.efi shellx64-refind-signed.efi Let's left some signs: -``` +```bash [13:30:55] pietrushnic:~ $ sudo sh -c "echo DEADBEEF > tmp/foobar" [13:31:08] pietrushnic:~ $ cat tmp/foobar DEADBEEF @@ -181,7 +182,7 @@ DEADBEEF Detach and see if we will see this file on server side: -``` +```bash [13:33:31] pietrushnic:~ $ sudo usbip port Imported USB devices ==================== @@ -194,14 +195,14 @@ Port 00: at High Speed(480Mbps) First let's unbind: -``` +```bash pi@raspberrypi ~ $ sudo usbip unbind -b 1-1.3 usbip: info: unbind device on busid 1-1.3: complete ``` Then mount partition on which we placed out test file: -``` +```bash pi@raspberrypi ~ $ sudo mount /dev/sda1 tmp/ pi@raspberrypi ~ $ cat tmp/foobar DEADBEEF @@ -217,8 +218,8 @@ topics: - passing frames for RS232 to USB converter using `usbip` - A20-OLinuXino-MICRO/Cubietruck and `usbip` -If you any other preference or topics that would like to see on this blog -please let me know in comments. If you think this post can be useful for others -please share. +If you any other preference or topics that would like to see on this blog please +let me know in comments. If you think this post can be useful for others please +share. Thanks for reading. diff --git a/blog/content/post/2015-11-21-uefi-application-development-in-ovmf.md b/blog/content/post/2015-11-21-uefi-application-development-in-ovmf.md index 842fe66b..baa167b1 100644 --- a/blog/content/post/2015-11-21-uefi-application-development-in-ovmf.md +++ b/blog/content/post/2015-11-21-uefi-application-development-in-ovmf.md @@ -13,28 +13,30 @@ tags: categories: - Firmware --- + OVMF (_Open Virtual Machine Firmware_) is a project that aim is to enable UEFI -support in various virutal machines. According to +support in various virtual machines. According to [whitepaper](http://www.linux-kvm.org/downloads/lersek/ovmf-whitepaper-c770f8c.txt) -various projects have interest in supporting OVFM ie. VirtualBox, Xen, BHyVe -and of course QEMU. Why someone may be interested in OVMF ? +various projects have interest in supporting OVFM ie. VirtualBox, Xen, BHyVe and +of course QEMU. Why someone may be interested in OVMF ? -* IMHO the most important reason is that OVMF give ability to develop UEFI +- IMHO the most important reason is that OVMF give ability to develop UEFI applications without using real hardware. This speeds up development cycle by - giving ability to start before hardware prototype arrive. There are also - cases when hardware is available only remotely, dealing with remote setup is - usually annoying, so part of development can be performed locally. + giving ability to start before hardware prototype arrive. There are also cases + when hardware is available only remotely, dealing with remote setup is usually + annoying, so part of development can be performed locally. -* It also improve testing and debugging, because we have full control over +- It also improve testing and debugging, because we have full control over execution environment internals. Error injection and corner case analysis can be ineffective in real world. OVMF and qemu open debugging to new levels. -* It enables training and learning environment. Not every one can obtain UEFI - PC and mess with it when there is risk of destroying sth. +- It enables training and learning environment. Not every one can obtain UEFI PC + and mess with it when there is risk of destroying sth. -* Many other reason like ability to test/develop UEFI support for various OSes, +- Many other reason like ability to test/develop UEFI support for various OSes, simplified debugging, lack of dependencies on legacy address space and - devices. This and other interesting reasons can be found in [Laszlo Ersek whitepaper](http://www.linux-kvm.org/downloads/lersek/ovmf-whitepaper-c770f8c.txt) + devices. This and other interesting reasons can be found in + [Laszlo Ersek whitepaper](http://www.linux-kvm.org/downloads/lersek/ovmf-whitepaper-c770f8c.txt) What I want to show below is procedure for setting up development environment for UEFI applications and show how to compile and deploy `Hello World` @@ -44,7 +46,7 @@ application in that environment. Let's use upstream version of QEMU: -``` +```bash git clone https://github.com/qemu/qemu.git cd qemu git submodule init @@ -55,10 +57,10 @@ make -j$(nproc) ### Prepare application image -Of course size depends on you application requirements. Usually 128MB is way -too much. +Of course size depends on you application requirements. Usually 128MB is way too +much. -``` +```bash dd if=/dev/zero of=app.disk bs=1 count=1 seek=$(( (128 * 1024 * 1024) - 1)) sudo mkfs.vfat app.disk cd .. @@ -68,7 +70,7 @@ cd .. First build UEFI firmware with shell: -``` +```bash git clone https://github.com/tianocore/edk2.git cd edk2 nice OvmfPkg/build.sh -a X64 -n $(nproc) @@ -81,14 +83,14 @@ but let's start with classical `Hello World`. Source code can be found in `MdeModulePkg/Application/HelloWorld`. This module is built in `MdeModulePkg` because of that we can built it as follows: -``` +```bash source edksetup.sh build -a X64 -p MdeModulePkg/MdeModulePkg.dsc -t GCC49 -n$(nproc) ``` Let's put it into `app.disk`: -``` +```bash mkdir mnt_app cp ../qemu/app.disk . sudo mount app.disk mnt_app @@ -98,22 +100,23 @@ sudo umount mnt_app ## OVMF configuration -When we develop UEFI application best way would be to run OVMF to UEFI Shell -for test purposes. This is not default option. How to change boot order so we -every time will lend in shell ? +When we develop UEFI application best way would be to run OVMF to UEFI Shell for +test purposes. This is not default option. How to change boot order so we every +time will lend in shell ? On booting screen hit ``. -![](/img/tiano_boot.png) +![img](/img/tiano_boot.png) You should be in main menu of UEFI setup: -![](/img/uefi_setup.png) +![img](/img/uefi_setup.png) Go through `Boot Maintenance Manager -> Boot Options -> Change Boot Order`, -select `Change Boot Order` and hit ``. Then using `+/-` keys move `EFI Internal Shell` to the top. +select `Change Boot Order` and hit ``. Then using `+/-` keys move +`EFI Internal Shell` to the top. -![](/img/boot_order.png) +![img](/img/boot_order.png) Do not forget to save configuration with ``. @@ -124,27 +127,27 @@ To boot OVMF I'm using Laszlo's slightly modified script which can be found After booting to UEFI Shell we should look something like this: -![](/img/uefi_shell.png) +![img](/img/uefi_shell.png) Note `FS0:` in mapping table list - this is our `app.disk`. Type: -``` +```bash fs0: HelloWorld.efi ``` Result should look like this: -![](/img/hello_world.png) +![img](/img/hello_world.png) NOTE: If your result is different then make sure to check last lines of `app.ovmf.log` it can give you some hints. ## Summary -Hopefully at least part of above article was useful somehow. There are many -ways to extend this sample presentation. In example application delivery can be +Hopefully at least part of above article was useful somehow. There are many ways +to extend this sample presentation. In example application delivery can be achieved by network transfer. If you have any question or need UEFI support please do not bother to ping me in comments or using any other medium. diff --git a/blog/content/post/2015-12-08-using-platformio-with-ti-msp430-lunchpads.md b/blog/content/post/2015-12-08-using-platformio-with-ti-msp430-lunchpads.md index b5495700..26ee3f95 100644 --- a/blog/content/post/2015-12-08-using-platformio-with-ti-msp430-lunchpads.md +++ b/blog/content/post/2015-12-08-using-platformio-with-ti-msp430-lunchpads.md @@ -13,14 +13,16 @@ tags: categories: - Firmware - IoT + --- + [PlatformIO](http://platformio.org/) is very interesting project that aim to solve very important problem of configuring deployment environment for embedded systems. IMHO good approach is to focus on modularity (various IDE can be used, even Vim) and simplicity (in best case 2 command should be enough to deploy first code). -Recent years we have explosion of bootstraping applications (ie.vagrant, +Recent years we have explosion of bootstrapping applications (ie.vagrant, puppet). Most of them seems to follow git-like command line interface and getting a lot of attention from programmers community. PlatformIO is promising project for all Embedded Software developers who in the era of IoT came from @@ -30,7 +32,7 @@ It take some time to try PlatformIO using real hardware. Luckily on my desk there are 2 supported boards gathering dust, which I would like to try in this post. -![](/img/msp430.jpg) +![img](/img/msp430.jpg) `MSP-EXP430F5529LP` on the left and `MSP-EXP430FR5969` on the right. @@ -40,16 +42,17 @@ I highly recommend using [virtualenv](https://virtualenv.readthedocs.org/en/latest/) for any custom python application. -At the beginning I simply follow [Getting Started](http://platformio.org/#!/get-started) page. +At the beginning I simply follow +[Getting Started](http://platformio.org/#!/get-started) page. -``` +```bash pip install -U pip setuptools pip install -U platformio ``` What configuration I should use for my boards ? -``` +```bash [13:38:34] pietrushnic:msp430 $ platformio boards|grep 5969 lpmsp430fr5969 msp430fr5969 8Mhz 64Kb 1Kb TI LaunchPad w/ msp430fr5969 [13:38:41] pietrushnic:msp430 $ platformio boards|grep 5529 @@ -60,23 +63,24 @@ lpmsp430f5529_25 msp430f5529 25Mhz 128Kb 1Kb TI LaunchPad w/ ms So it looks like `5529` have 2 flavours. According to `Energia` 16MHz option is for backward compatibility. Let's use recent 25MHz config. -``` +```bash mkdir msp430 cd msp430 platformio init --board=lpmsp430fr5969 --board=lpmsp430f5529_25 ``` PlatformIO first ask if we want auto-uploading successfully built project, so I -answered y. Then inform about creating some directories and -`platformio.ini` file. After confirming toolchain, downloading starts. +answered y. Then inform about creating some directories and `platformio.ini` +file. After confirming toolchain, downloading starts. ## Problems with MSP430F5529LP ### Lack of main.cpp -If you run PlatformIO without any source code in `src` directory you will get error message like this: +If you run PlatformIO without any source code in `src` directory you will get +error message like this: -``` +```bash .pioenvs/lpmsp430f5529_25/libFrameworkEnergia.a(main.o): In function `main': /home/pietrushnic/projects/3mdeb/msp430/.pioenvs/lpmsp430f5529_25/FrameworkEnergia/main.cpp:7: undefined reference to `setup' /home/pietrushnic/projects/3mdeb/msp430/.pioenvs/lpmsp430f5529_25/FrameworkEnergia/main.cpp:10: undefined reference to `loop' @@ -84,7 +88,9 @@ collect2: ld returned 1 exit status scons: *** [.pioenvs/lpmsp430f5529_25/firmware.elf] Error 1 ``` -Of course adding main.cpp to src directory fix this issue. As sample code you may use [MSP430F55xx_1.c](http://dev.ti.com/tirex/api/download?file=mspware%2Fmspware__2.30.00.49%2Fexamples%2Fdevices%2FMSP430F5xx_6xx%2FMSP430F55xx_Code_Examples%2FC%2FMSP430F55xx_1.c&source=content) +Of course adding main.cpp to src directory fix this issue. As sample code you +may use +[MSP430F55xx_1.c](https://web.archive.org/web/20160406191606/http://dev.ti.com/tirex/api/download?file=mspware%2Fmspware__2.30.00.49%2Fexamples%2Fdevices%2FMSP430F5xx_6xx%2FMSP430F55xx_Code_Examples%2FC%2FMSP430F55xx_1.c&source=content) ### libmsp430.so: cannot open shared object file @@ -94,14 +100,14 @@ installed by PlatformIO in Running: -``` +```bash export LD_LIBRARY_PATH=$HOME/.platformio/packages/toolchain-timsp430/bin/ ``` before calling `platformio` fix problem. For some users even better would be to make `libmsp430.so` accessible system wide: -``` +```bash sudo cp $HOME/.platformio/packages/toolchain-timsp430/bin/libmsp430.so /usr/lib ``` @@ -109,7 +115,7 @@ sudo cp $HOME/.platformio/packages/toolchain-timsp430/bin/libmsp430.so /usr/lib If you didn't use your MSP430 for a while there can be problem like this: -``` +```bash $HOME/.platformio/packages/tool-mspdebug/mspdebug tilib --force-reset "prog .pioenvs/lpmsp430f5529_25/firmware.hex" MSPDebug version 0.20 - debugging tool for MSP430 MCUs Copyright (C) 2009-2012 Daniel Beer @@ -128,26 +134,27 @@ scons: *** [upload] Error 255 Fix for that according to error log should be like this: -``` +```bash $HOME/.platformio/packages/tool-mspdebug/mspdebug tilib --allow-fw-update ``` -But this can cause additional problems that I reported -[here](https://e2e.ti.com/support/development_tools/code_composer_studio/f/81/p/456610/1710377#1710377). -I finally managed to fix problem using hints from [Agla Blog](http://www.aglaglobal.com/content/recover-broken-fet-msp430f5529-launchpad-after-ccs-crashes-during-firmware-update). +But this can cause additional problems that I reported. +I finally managed to fix problem using hints from +[Agla Blog](https://web.archive.org/web/20160317070223/http://www.aglaglobal.com/content/recover-broken-fet-msp430f5529-launchpad-after-ccs-crashes-during-firmware-update). Because `gcc-msp430` was removed from Debian Sid we have to use compiler delivered by `platformio` to test blinky example from Agla blog: -``` +```bash $HOME/.platformio/packages/toolchain-timsp430/bin/msp430-gcc -mmcu=msp430f5529 -mdisable-watchdog blink.c ``` ## Problems with MSP430FR5969 -I experienced very similar problems with `FR5969`. Unfortunately above procedure led me to: +I experienced very similar problems with `FR5969`. Unfortunately above procedure +led me to: -``` +```bash MSPDebug version 0.23 - debugging tool for MSP430 MCUs Copyright (C) 2009-2015 Daniel Beer This is free software; see the source for copying conditions. There is NO @@ -172,7 +179,7 @@ This probably means that default `libmsp430.so`, downloaded probably from `Energia` project, doesn't support `FR5969`. So I tried build `libmsp430.so` by myself: -``` +```bash sudo apt-get install libboost-system-dev libboost-filesystem-dev git clone https://github.com/pietrushnic/MSPDebugStack_OS_Package.git -b libmsp430-fr5969 git clone https://github.com/signal11/hidapi.git @@ -189,7 +196,7 @@ sudo cp libmsp430.so /usr/lib This improved situation, but give: -``` +```bash MSPDebug version 0.23 - debugging tool for MSP430 MCUs Copyright (C) 2009-2015 Daniel Beer This is free software; see the source for copying conditions. There is NO @@ -237,10 +244,10 @@ debugger prompt, what means that process finished correctly and we can access ### MSP430F5529LP Please download -[MSP430F55xx_1.c](http://dev.ti.com/tirex/api/download?file=mspware%2Fmspware__2.30.00.49%2Fexamples%2Fdevices%2FMSP430F5xx_6xx%2FMSP430F55xx_Code_Examples%2FC%2FMSP430F55xx_1.c&source=content) +[MSP430F55xx_1.c](https://web.archive.org/web/20160711051506/http://dev.ti.com/tirex/api/download?file=mspware%2Fmspware__2.30.00.49%2Fexamples%2Fdevices%2FMSP430F5xx_6xx%2FMSP430F55xx_Code_Examples%2FC%2FMSP430F55xx_1.c&source=content) and save it as `src/main.c`. Then run: -``` +```bash platformio run -e lpmsp430f5529_25 ``` @@ -249,10 +256,10 @@ If you see blinking red `P1.0 LED1` then everything works as expected. ### MSP430FR5969 Please download -[msp430fr59xx_1.c](http://dev.ti.com/tirex/api/download?file=mspware%2Fmspware__2.30.00.49%2Fexamples%2Fdevices%2FMSP430FR5xx_6xx%2FMSP430FR596x_MSP430FR595x_MSP430FR594x_MSP430FR586x_MSP430FR585x_MSP430FR584x_Code_Examples%2FC%2Fmsp430fr59xx_1.c&source=content) +[msp430fr59xx_1.c](https://web.archive.org/web/20160712215420/http://dev.ti.com/tirex/api/download?file=mspware%2Fmspware__2.30.00.49%2Fexamples%2Fdevices%2FMSP430FR5xx_6xx%2FMSP430FR596x_MSP430FR595x_MSP430FR594x_MSP430FR586x_MSP430FR585x_MSP430FR584x_Code_Examples%2FC%2Fmsp430fr59xx_1.c&source=content) and save it as `src/main.c`. Then run: -``` +```bash platformio run -e lpmsp430fr5969 ``` diff --git a/blog/content/post/2015-12-30-emulate-rapberry-pi-2-in-qemu.md b/blog/content/post/2015-12-30-emulate-rapberry-pi-2-in-qemu.md index 9bbae35d..e5b8b79f 100644 --- a/blog/content/post/2015-12-30-emulate-rapberry-pi-2-in-qemu.md +++ b/blog/content/post/2015-12-30-emulate-rapberry-pi-2-in-qemu.md @@ -15,20 +15,24 @@ categories: - OS Dev - App Dev --- + In the process of planning system testing for one of my clients I found that -someone from Microsoft published patches with [BCM2836 support](https://lists.gnu.org/archive/html/qemu-arm/2015-12/msg00078.html) to -QEMU mailing list. I thought it is very interesting, because if it is possible -to setup emulated Raspberry Pi many use cases can be tested faster and in more -automatic way. For example checking how application behave when running on more -then one device at once, testing massive deployment process, stress testing and -finally speed up debug-fix-test process. +someone from Microsoft published patches with +[BCM2836 support](https://lists.gnu.org/archive/html/qemu-arm/2015-12/msg00078.html) +to QEMU mailing list. I thought it is very interesting, because if it is +possible to setup emulated Raspberry Pi many use cases can be tested faster and +in more automatic way. For example checking how application behave when running +on more then one device at once, testing massive deployment process, stress +testing and finally speed up debug-fix-test process. So it looks like making RPi 2 working in emulated environment can add a lot of -value to some products. In email Andrew mention [github repo](https://github.com/0xabu/qemu), which I would like to try in this post +value to some products. In email Andrew mention +[github repo](https://github.com/0xabu/qemu), which I would like to try in this +post ## Get QEMU and compile -``` +```bash git clone https://github.com/0xabu/qemu.git -b raspi git submodule update --init dtc ./configure @@ -43,7 +47,7 @@ that we have to extract those pieces from existing Raspbian image. ### Get kernel and device tree -``` +```bash wget http://downloads.raspberrypi.org/raspbian/images/raspbian-2015-11-24/2015-11-21-raspbian-jessie.zip unzip 2015-11-21-raspbian-jessie.zip [23:35:23] pietrushnic:rpi2_qemu $ sudo /sbin/fdisk -lu 2015-11-21-raspbian-jessie.img @@ -62,7 +66,7 @@ Device Boot Start End Sectors Size Id Type Check start of `W95 FAT32 (LBA)` partition. It is `8192`. Sector size is `512`. So calculate offset in bytes `8192 * 512 = 4194304`. -``` +```bash mkdir tmp sudo mount -o loop,offset=4194304 2015-11-21-raspbian-jessie.img tmp mkdir 2015-11-21-raspbian-boot @@ -72,7 +76,7 @@ cp tmp/bcm2709-rpi-2-b.dtb 2015-11-21-raspbian-boot Then if you try to boot `2015-11-21` Rapbian with `0xabu` code: -``` +```bash qemu-system-arm -M raspi2 -kernel 2015-11-21-raspbian-boot/kernel7.img \ -sd 2015-11-21-raspbian-jessie.img \ -append "rw earlyprintk loglevel=8 console=ttyAMA0,115200 dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2" \ @@ -81,7 +85,7 @@ qemu-system-arm -M raspi2 -kernel 2015-11-21-raspbian-boot/kernel7.img \ You will experience kernel crash: -``` +```bash (...) [ 6.021989] Freeing unused kernel memory: 420K (80779000 - 807e2000) [ 7.366232] random: systemd urandom read with 7 bits of entropy available @@ -106,32 +110,31 @@ To avoid this crash you have to comment `/etc/ld.so.preload`. ### Changing ld.so.preload -First calculate offset in bytes to Raspbian root filesystem partition. -According to fdisk output above partition starts with sector `131072`, so offset -would be `512*131072=67108864`. +First calculate offset in bytes to Raspbian root filesystem partition. According +to fdisk output above partition starts with sector `131072`, so offset would be +`512*131072=67108864`. -``` +```bash sudo mount -o loop,offset=67108864 2015-11-21-raspbian-jessie.img tmp ``` Use your favourite editor to change `tmp/etc/ld.so.preload`. Note that you have to edit as superuser. Content of file should looks like this: -``` +```bash #/usr/lib/arm-linux-gnueabihf/libarmmem.so ``` Sync and umount partition: -``` +```bash sync sudo umount tmp ``` ### Final booting - -``` +```bash qemu-system-arm -M raspi2 -kernel 2015-11-21-raspbian-boot/kernel7.img \ -sd 2015-11-21-raspbian-jessie.img \ -append "rw earlyprintk loglevel=8 console=ttyAMA0,115200 dwc_otg.lpm_enable=0 root=/dev/mmcblk0p2" \ diff --git a/blog/content/post/2016-03-12-netcat-how-to-transfer-files-without-scp-or-ftp.md b/blog/content/post/2016-03-12-netcat-how-to-transfer-files-without-scp-or-ftp.md index 36299c71..8eefc2d2 100644 --- a/blog/content/post/2016-03-12-netcat-how-to-transfer-files-without-scp-or-ftp.md +++ b/blog/content/post/2016-03-12-netcat-how-to-transfer-files-without-scp-or-ftp.md @@ -13,19 +13,20 @@ tags: categories: - App Dev --- + One of my recent customers provided me hardware with custom Linux system. Distribution used on this hardware was very limited there was no developers tools, file transfer applications (like scp, ftp or even tftp) or communication clients like ssh. I had to deploy some firmware files to the system without -modifying it. This was i386 machine. Of course I could compile something and -add this software using usb stick or other stoarge, but what if I would not -have direct access to hardware ? Also for development and testing purposes it -would be much easier to use network transfer, then running with usb stick. +modifying it. This was i386 machine. Of course I could compile something and add +this software using usb stick or other stoarge, but what if I would not have +direct access to hardware ? Also for development and testing purposes it would +be much easier to use network transfer, then running with usb stick. When looking for answer I found [this](http://stackoverflow.com/questions/17797758/using-nc-to-transfer-large-file). -I heard before about netcat, but more in context of debugging then using it as file -transfer application. Luckily `nc` as very small tool is in almost all +I heard before about netcat, but more in context of debugging then using it as +file transfer application. Luckily `nc` as very small tool is in almost all distributions and it was also available in my small custom distro. ## File transfer with netcat @@ -35,7 +36,7 @@ transfer files. What have to be done is setting receiving side ie.: -``` +```bash nc -l -p 2020 > my_file.bin ``` @@ -44,16 +45,16 @@ and redirect content of incoming packages to `my_file.bin`. On sender side we pipe `my_file.bin` to nc like that: -``` +```bash cat my_file.bin | nc 2020 ``` -Which cause `nc` to create TCP connection to `` on port `2020` -and send everything it gets on standard input. +Which cause `nc` to create TCP connection to `` on port `2020` and +send everything it gets on standard input. ## Known flaws From what I saw sometimes `nc` doesn't end at `EOF` and just hang waiting for next data, which never come. In that case I just break with `Ctrl-C` on both -ends. Then check if all stuff was transfered correctly by verifying MD5 sum on +ends. Then check if all stuff was transferred correctly by verifying MD5 sum on sender and receiver side. In most cases files pass this integrity test. diff --git a/blog/content/post/2016-03-12-pxe-server-with-raspberry-pi-1.md b/blog/content/post/2016-03-12-pxe-server-with-raspberry-pi-1.md index c80616b2..5bf6ee40 100644 --- a/blog/content/post/2016-03-12-pxe-server-with-raspberry-pi-1.md +++ b/blog/content/post/2016-03-12-pxe-server-with-raspberry-pi-1.md @@ -14,19 +14,20 @@ tags: categories: - App Dev --- -Recent days we get the announcement about releasing Raspberry Pi 3. Those of -you who play with embedded systems or just try to make things probably still -got good old Raspberry Pi (1). Because during time old platforms loose value as + +Recent days we get the announcement about releasing Raspberry Pi 3. Those of you +who play with embedded systems or just try to make things probably still got +good old Raspberry Pi (1). Because during time old platforms loose value as potential candidate for new projects I decided to sacrifice my old RPi and make test server from it. -One of my customer required testing his software against PXE server with -various configurations. I realized that using my home network with my TP-Link -router I have no way to create such configuration on server machine I usually -use. I would need to connect directly to server and with one Ethernet port this -was not the solution for me. My other platforms like A20 boards, Odroid or RPi2 -are occupied by some projects. I recall that I have old RPi that can be used -for that purpose. +One of my customer required testing his software against PXE server with various +configurations. I realized that using my home network with my TP-Link router I +have no way to create such configuration on server machine I usually use. I +would need to connect directly to server and with one Ethernet port this was not +the solution for me. My other platforms like A20 boards, Odroid or RPi2 are +occupied by some projects. I recall that I have old RPi that can be used for +that purpose. Configuration described below is very limited because it test just PXE booting, there is no outside world connection. This connection can be added by adding @@ -34,28 +35,27 @@ wifi dongle to Raspberry Pi and modifying iptables and routing. ## Prerequisites -* download recent Raspberry Pi +- download recent Raspberry Pi [image](https://www.raspberrypi.org/downloads/raspbian/) and flash it to SD card. I used Raspbian Jessie Lite. -* if you don't have free keyboard and HDMI monitor use UART to connect serial - console - you can use [this post](http://elinux.org/RPi_Serial_Connection), - if you don't konw how to connect it -* flash recent iPXE to your hardware or use what is already provided by vendor +- if you don't have free keyboard and HDMI monitor use UART to connect serial + console - you can use [this post](http://elinux.org/RPi_Serial_Connection), if + you don't know how to connect it +- flash recent iPXE to your hardware or use what is already provided by vendor ## Raspbian Jessie Lite - initial setup - ### Setup TFTP Install server TFTP: -``` +```bash sudo apt-get install tftpd-hpa ``` Change configuration according to your needs. My looks like that: -``` +```bash # /etc/default/tftpd-hpa TFTP_USERNAME="tftp" @@ -67,13 +67,13 @@ TFTP_OPTIONS="" Download netboot files for Debian, which we will use for testing purposes: -``` +```bash wget http://ftp.nl.debian.org/debian/dists/jessie/main/installer-i386/current/images/netboot/netboot.tar.gz ``` Unpack netboot package in `/srv/tftp`: -``` +```bash cd /srv/tftp sudo tar xvf /path/to/netboot.tar.gz ``` @@ -82,15 +82,14 @@ sudo tar xvf /path/to/netboot.tar.gz Install udhcpd and remove conflicting packages: -``` +```bash sudo apt-get install udhcpd sudo apt-get remove isc-dhcp-client ``` - At the end of `/etc/udhcpd.conf` add: -``` +```bash siaddr 192.168.0.1 boot_file /srv/tftp/pxelinux.0 opt dns 192.168.0.1 192.168.10.10 @@ -104,14 +103,14 @@ option lease 864000 You can also assign client MAC to given IP address by adding: -``` +```bash #static_lease 00:60:08:11:CE:4E 192.168.0.54 static_lease ``` Comment `DHCPD_ENABLE` in `/etc/default/udhcpd`: -``` +```bash # Comment the following line to enable # DHCPD_ENABLED="no" @@ -125,7 +124,7 @@ DHCPD_OPTS="-S" Change `eth0` configuration to static IP: -``` +```bash auto eth0 iface eth0 inet static address 192.168.0.1 @@ -138,11 +137,12 @@ Then reboot device and connect your PXE client device. ## Testing PXE server When device boot press `Ctrl-B` to enter iPXE shell. If you cannot enter shell -please replace iPXE with recent version using [this instructions](https://www.coreboot.org/IPXE). +please replace iPXE with recent version using +[this instructions](https://www.coreboot.org/IPXE). Entering iPXE you should see something like that: -``` +```bash iPXE (http://ipxe.org) 00:00.0 C100 PCI2.10 PnP PMMpmm call arg1=1 pmm call arg1=0 +DFF490B0pmm call arg1=1 @@ -157,12 +157,12 @@ iPXE initialising devices...ok iPXE 1.0.0+ (e303) -- Open Source Network Boot Firmware -- http://ipxe.org Features: DNS FTP HTTP HTTPS iSCSI NFS SLAM TFTP VLAN AoE ELF MBOOT NBI PXE SDI bzImage COMBOOT Menu PXEXT -iPXE> +iPXE> ``` First let's configure interface: -``` +```bash iPXE> ifconf net0 Configuring (net0 00:0d:b9:3f:9e:58)............... ok iPXE> dhcp net0 @@ -171,7 +171,7 @@ Configuring (net0 00:0d:b9:3f:9e:58)............... ok And boot Debian installer: -``` +```bash iPXE> autoboot net0: 00:0d:b9:3f:9e:58 using i210-2 on PCI01:00.0 (open) [Link:up, TX:20 TXE:0 RX:8 RXE:2] @@ -198,13 +198,13 @@ PXELINUX 6.03 PXE 20150819 Copyright (C) 1994-2014 H. Peter Anvin et al+-------- | | | | | | -+---------------------------------------+Press ENTER to boot or TAB to edit a menu entry ++---------------------------------------+Press ENTER to boot or TAB to edit a menu entry ``` ## Summary It took me some time to put this information together an correctly run this server, so for future reference and for those confused with udhcpd and other -tools configuration this post should be useful. Thanks for reading and as -always please share if you think this post is valuable. If anything is not -clear or I messed something please let me know in comments. +tools configuration this post should be useful. Thanks for reading and as always +please share if you think this post is valuable. If anything is not clear or I +messed something please let me know in comments. diff --git a/blog/content/post/2016-03-26-pc-engines-apu2-netboot-debian-installation.md b/blog/content/post/2016-03-26-pc-engines-apu2-netboot-debian-installation.md index 9cf65ea3..9f936121 100644 --- a/blog/content/post/2016-03-26-pc-engines-apu2-netboot-debian-installation.md +++ b/blog/content/post/2016-03-26-pc-engines-apu2-netboot-debian-installation.md @@ -18,19 +18,21 @@ tags: categories: - OS Dev --- -In [previous post](2016/03/12/pxe-server-with-raspberry-pi-1/) I described how -to setup PXE server and boot Debian installer using it. I mentioned that -provided setup is limited and some extensive configuration is needed to make it -useful for real world example. Since that time I learned that there is -[chain command](http://ipxe.org/cmd/chain) in iPXE, which give ability to use arbitrary TFTP server -as boot file source. + +In [previous post](https://blog.3mdeb.com/2016/2016-03-12-pxe-server-with-raspberry-pi-1/) +I described how to setup PXE server and boot Debian installer using it. +I mentioned that provided setup is limited and some extensive configuration +is needed to make it useful for real world example. Since that time I learned +that there is [chain command](http://ipxe.org/cmd/chain) in iPXE, which give +ability to use arbitrary TFTP server as boot file source. ## Using RPi PXE server -For example by changing my test network topology from [previous post](2016/03/12/pxe-server-with-raspberry-pi-1/) +For example by changing my test network topology from +[previous post](https://blog.3mdeb.com/2016/2016-03-12-pxe-server-with-raspberry-pi-1/) to something like that: -![](/img/pxe_srv_apu2.png) +![img](/img/pxe_srv_apu2.png) In short Raspberry Pi contain our PXE server configured in previous post. TL-MR3420 is our DHCP server and PC Engines APU2A4 is our target box where we @@ -39,14 +41,14 @@ want to install Debian. We need to change `eth0` configuration, so our PXE server will get IP automatically from DHCP: -``` +```bash auto eth0 iface eth0 inet dhcp ``` Also disable `udhcpd`: -``` +```bash sudo update-rc.d udhcpd disable ``` @@ -57,7 +59,7 @@ Then reboot PXE server. First enter iPXE on APU2 board by pressing `` during boot. You should see something like that: -``` +```bash iPXE (http://ipxe.org) 00:00.0 C100 PCI2.10 PnP PMMpmm call arg1=1 pmm call arg1=0 +DFF490B0pmm call arg1=1 @@ -77,14 +79,14 @@ iPXE> Then obtain DHCP address: -``` +```bash iPXE> dhcp net0 Configuring (net0 00:0d:b9:3f:9e:58)............... ok ``` Now we can boot over the network using RPi PXE server: -``` +```bash iPXE> set filename /srv/tftp/pxelinux.0 iPXE> set next-server 192.168.0.100 iPXE> chain tftp://${next-server}/${filename} @@ -93,12 +95,11 @@ iPXE> chain tftp://${next-server}/${filename} Note that `192.168.0.100` is RPi PXE server and `/srv/tftp/pxelinux.0` is path on RPi exposed through TFTP configuration. - ## Debian installer modification Hit `Tab` in the main installer window: -``` +```bash +---------------------------------------+ | Debian GNU/Linux installer boot menu | |---------------------------------------| @@ -121,13 +122,13 @@ Hit `Tab` in the main installer window: Change boot command line to print output to serial: -``` +```bash > debian-installer/i386/linux vga=788 initrd=debian-installer/i386/initrd.gz --- console=ttyS0,115200 earlyprint=serial,ttyS0,115200 ``` Then hit `Enter`. You will see complains about video mode like this: -``` +```bash Press to see video modes available, to continue, or wait 30 sec ``` @@ -137,8 +138,8 @@ running installer. ## Debian installation This is typical installation except it happen over serial. As a storage I used -16GB USB stick with guided partitioning. At the end I also installed GRUB on -USB stick MBR. +16GB USB stick with guided partitioning. At the end I also installed GRUB on USB +stick MBR. Be patient if serial console will be blank for some time it happen when installing over network. @@ -146,7 +147,7 @@ installing over network. After reboot you should be able to choose USB stick from boot menu (F10) and your Debian on APU2 should be ready: -``` +```bash Debian GNU/Linux 8 Maedhros ttyS0 Maedhros login: pietrushnic @@ -167,9 +168,9 @@ pietrushnic@Maedhros:~$ Now when you have Debian installed on your system you can think about various improvements. For example: -* Xen installation -* Putting together automated installation using PXE server -* Setup NFS and TFTP for Linux kernel development and testing +- Xen installation +- Putting together automated installation using PXE server +- Setup NFS and TFTP for Linux kernel development and testing I hope this post was useful. If you think that it can be improved please comment. Thanks for reading. diff --git a/blog/content/post/2016-05-19-powering-on-lemaker-hikey-armv8.md b/blog/content/post/2016-05-19-powering-on-lemaker-hikey-armv8.md index bceab962..1f4b6dab 100644 --- a/blog/content/post/2016-05-19-powering-on-lemaker-hikey-armv8.md +++ b/blog/content/post/2016-05-19-powering-on-lemaker-hikey-armv8.md @@ -15,6 +15,7 @@ tags: categories: - Firmware --- + Embedded Systems Consultants have chance to live in interesting times. ARM expansion touch server market and UEFI coming to non-x86 platforms. Firmware gaining its importance and because handling real development is harder and @@ -24,40 +25,42 @@ features in recent SoCs. Couple weeks ago I decided to recover my knowledge about UEFI and take a look how it is implemented for architecture that have its momentum - namely ARM in -its 8 version (ARMv8). Short review of technology reveal universe that should -be studied by every aspiring Embedded Systems adept. +its 8 version (ARMv8). Short review of technology reveal universe that should be +studied by every aspiring Embedded Systems adept. ## Choosing ARMv8 dev board First problem was to choose development board. Probably simpler solution is to -use platforms like [Raspberry Pi 3](https://www.raspberrypi.org/magpi/raspberry-pi-3-specs-benchmarks/) which -features Broadcom Cortex-A53 or very interesting alternative like -[PINE64](https://www.pine64.com/product#intro) with Allwinner flavour. +use platforms like +[Raspberry Pi 3](https://www.raspberrypi.org/magpi/raspberry-pi-3-specs-benchmarks/) +which features Broadcom Cortex-A53 or very interesting alternative like +[PINE64](https://www.pine64.com) with Allwinner flavour. Of course rush on this market bring other players like Amlogic with -[Odroic-C2](http://www.hardkernel.com/main/products/prdt_info.php?g_code=G145457216438). +[Odroic-C2](https://web.archive.org/web/20160310025120/http://www.hardkernel.com/main/products/prdt_info.php?g_code=G145457216438). It is worth to mention that adaptation of new architecture is very slow. It was announced in 2012. First real product was released by Apple (iPhone S5), but despite various commercial products, since 2012 not much appeared on low end -development board market, which is probably main area for makers and -prototyping shops. Things start to change last year. +development board market, which is probably main area for makers and prototyping +shops. Things start to change last year. -I have RPi3 on my desk but playing with its low level side is not encouraging because of -limitation Broadcom put on releasing any information about BCM2837. My goal was -to work on UEFI and [ARM trusted firmware](https://github.com/ARM-software/arm-trusted-firmware) -the only board except expensive ARM reference platforms that seems to work with -UEFI was LeMaker HiKey. +I have RPi3 on my desk but playing with its low level side is not encouraging +because of limitation Broadcom put on releasing any information about BCM2837. +My goal was to work on UEFI and +[ARM trusted firmware](https://github.com/ARM-software/arm-trusted-firmware) the +only board except expensive ARM reference platforms that seems to work with UEFI +was LeMaker HiKey. ### Why 96boards ? -* this is open specification - IIRC this is first of its kind and it is high +- this is open specification - IIRC this is first of its kind and it is high chance to be widely accepted -* its driven by Linaro, which in my opinion do a lot of great work for whole +- its driven by Linaro, which in my opinion do a lot of great work for whole community -* its standardized way with big players behind, so knowing it and having in +- its standardized way with big players behind, so knowing it and having in portfolio cannot damage Embedded Systems Consultant career -* IMO this approach in long term will have better return on investment, - then custom quick shots made by not-so-community-friendly vendors +- IMO this approach in long term will have better return on investment, then + custom quick shots made by not-so-community-friendly vendors ## Power supply @@ -66,30 +69,33 @@ voltage range, but this is for sure not standard in makers/hackers community. I have ton of 5V/2A power supplies in stock, also for 5V I can use my active USB hub or even PC port for not power hungry devices. -Reasoning behind this choice can be found [here](https://www.96boards.org/products/accessories/power/). +Reasoning behind this choice can be found +[here](https://www.96boards.org/products/accessories/power/). Finally to not add more USD to my ARMv8 development environment I used my Zhaoxin DC power supply and unused plug from universal power supply. ## 1.8V UART -My second surprise was that board use 1.8V level for UART. Cables for that -level are built with FT230XS or similar chips, which cost ~3USD. To my suprise -cable that work with 1.8V UART level cost 30USD. There are 2 separated UART -pins to connect on HiKey. One for low level bootloader development and one for -Linux kernel development. So I would need to cables. Board cost 75USD, so you -paying almost the same price for cables. It was not acceptable for me. +My second surprise was that board use 1.8V level for UART. Cables for that level +are built with FT230XS or similar chips, which cost ~3USD. To my surprise cable +that work with 1.8V UART level cost 30USD. There are 2 separated UART pins to +connect on HiKey. One for low level bootloader development and one for Linux +kernel development. So I would need to cables. Board cost 75USD, so you paying +almost the same price for cables. It was not acceptable for me. -Linaro developers seems to use [this](https://www.seeedstudio.com/96Boards-UART-p-2525.html) -which is out of stock for 5 months! +Linaro developers seems to use +[this](https://www.seeedstudio.com/96Boards-UART-p-2525.html) which is out of +stock for 5 months! -While searching for alternatives I found [this TI converter on SparkFun page](https://www.sparkfun.com/products/11771). +While searching for alternatives I found +[this TI converter on SparkFun page](https://www.sparkfun.com/products/11771). Luckily availability of various SparkFun distributors made delivery possible in less then 48h. After wiring up with TXB0104 everything seems to work ok. -![](/img/hikey_setup.jpg) +![img](/img/hikey_setup.jpg) Note that board use 2 UARTs. `UART0` for bootloader development. This is connector with not typical pitch (2.0mm) and `UART3` as debug port for Linux @@ -106,26 +112,25 @@ forward with that budget solution. Board is pre-installed with Debian, so +1 for choice. It boots smooth and you can also see bootloader logs. -![](/img/hikey_screen.png) +![img](/img/hikey_screen.png) On top there is bootloader on bottom booted Debian. Bootloader logs came from [OP-TEE Trusted OS](https://github.com/OP-TEE/optee_os), - ## Summary Setting up hardware to boot and having some debug output is initial step to start development. Once this point is passed I can start to deal with UEFI -and(or) ARM Trusted Firmware (ATF). It is important to note that documentation on -[GitHub](https://github.com/96boards/documentation) and in +and(or) ARM Trusted Firmware (ATF). It is important to note that documentation +on [GitHub](https://github.com/96boards/documentation) and in [Hardware User Manual](https://www.96boards.org/documentation/consumer/hikey/hikey620/hardware-docs/hardware-user-manual.md.html) is very good and huge kudos should go to Linaro people for putting so much effort into that. Things that I would like to write about in future posts: -* UEFI setup for HiKey -* UEFI capabilities and limitation -* ATF development +- UEFI setup for HiKey +- UEFI capabilities and limitation +- ATF development As always please share if you think content maybe valuable to other. diff --git a/blog/content/post/2016-07-05-directory-scheme-for-multiple-projects.md b/blog/content/post/2016-07-05-directory-scheme-for-multiple-projects.md index 3cfb5cf0..2b400ca4 100644 --- a/blog/content/post/2016-07-05-directory-scheme-for-multiple-projects.md +++ b/blog/content/post/2016-07-05-directory-scheme-for-multiple-projects.md @@ -12,32 +12,30 @@ tags: categories: - Miscellaneous --- -How to keep clean organization while working on multiple projects ? -------------------------------------------------------------------- + +## How to keep clean organization while working on multiple projects ? Answer to this question depends on workflow and nature of projects itself. -Below I would like to present my approach to manage sanity while having -multiple projects going simultaneously. This would be Embedded Systems -Consultant view and will mostly show directory organization, but I think it can -be adopted to other programmers workflow. +Below I would like to present my approach to manage sanity while having multiple +projects going simultaneously. This would be Embedded Systems Consultant view +and will mostly show directory organization, but I think it can be adopted to +other programmers workflow. -Directory organization ----------------------- +## Directory organization -Usually I have up to 10 projects from external customer running and ~3 -internal. Obviously better organization minimize overhead related to searching -and wondering where to put recently obtained file. During last 3 years I -collected over 60 projects for 45 customers. +Usually I have up to 10 projects from external customer running and ~3 internal. +Obviously better organization minimize overhead related to searching and +wondering where to put recently obtained file. During last 3 years I collected +over 60 projects for 45 customers. -Based on that experience I created directory structure that work pretty good -for above numbers. Scheme looks like this: +Based on that experience I created directory structure that work pretty good for +above numbers. Scheme looks like this: -``` +```bash ${HOME}/projects////{logs,images,releases,src} ``` - ## Customer/year order One flaw that this setup has is for project that last more then year. I don't @@ -67,31 +65,30 @@ Usually prototype projects doesn't have marketing name, but project can be called by SoC/CPU/dev board + main feature ie. `a20_camera`, `bbb_canbus_reader` etc. -What most embedded projects needs ? ------------------------------------ +## What most embedded projects needs ? After couple years I found that couple thing are typically needed: -* `logs` - this directory is used most of the times, I tend to run `minicom` in +- `logs` - this directory is used most of the times, I tend to run `minicom` in it with enabled logging, you never know when you will need information form this directory, naming convention for log files is something I still struggle -* `images` - this is directory for OS images, typically I have here SD card +- `images` - this is directory for OS images, typically I have here SD card images and ISO images of distros used in project, sometimes you may end up keeping multiple instance of the same OS in various projects, but with 1TB disc this should not be big concern, you can always search for duplicates, knowing where your OS is and avoiding downloading it again can save some time -* `releases` - this directory contain all releases, developers usually use work +- `releases` - this directory contain all releases, developers usually use work in progress code, but customer receive release version of deliverables and usually will report bugs against particular release version -* `src` - this directory keep all source code related to project, those are +- `src` - this directory keep all source code related to project, those are mostly git repositories cloned inside directory Sample directory structure may look like that: -``` +```bash . └── projects ├── 2015 @@ -120,8 +117,7 @@ Sample directory structure may look like that: └── src ``` -Summary -------- +## Summary I hope this concept is somehow useful for you. I want to keep above information for self reference, because I was asked couple times how to organize multiple diff --git a/blog/content/post/2016-07-25-fwts-on-armv8-platform-hikey-lemaker-version-from-scratch.md b/blog/content/post/2016-07-25-fwts-on-armv8-platform-hikey-lemaker-version-from-scratch.md index 267ce677..6f40d798 100644 --- a/blog/content/post/2016-07-25-fwts-on-armv8-platform-hikey-lemaker-version-from-scratch.md +++ b/blog/content/post/2016-07-25-fwts-on-armv8-platform-hikey-lemaker-version-from-scratch.md @@ -16,17 +16,21 @@ tags: categories: - Firmware --- + This is second post from series about LeMaker version of HiKey board from -96boards Customer Edition family. [Previous](2016/05/19/powering-on-96boards-compatible-lemaker-hikey-armv8-for-uefi-development/) +96boards Customer Edition family. +[Previous](https://blog.3mdeb.com/2016/2016-05-19-powering-on-lemaker-hikey-armv8/) post focused on describing hardware part. In this post I would like to show how to setup firmware development and testing environment. -This post highly rely on [96boards documentation](https://github.com/96boards/documentation/wiki/HiKeyUEFI), -so kudos to 96boards and LeMaker for providing lot of information for developers. +This post highly rely on +[96boards documentation](https://github.com/96boards/documentation/wiki/HiKeyUEFI), +so kudos to 96boards and LeMaker for providing lot of information for +developers. ## Obtain pre-compiled binaries -``` +```bash wget https://builds.96boards.org/snapshots/hikey/linaro/uefi/latest/l-loader.bin wget https://builds.96boards.org/snapshots/hikey/linaro/uefi/latest/fip.bin wget https://builds.96boards.org/snapshots/hikey/linaro/uefi/latest/ptable-linux-8g.img @@ -38,20 +42,21 @@ gunzip *.img.gz Clone eMMC flashing tool: -``` +```bash git clone https://github.com/96boards/burn-boot.git ``` -Follow [flashing instructions](https://github.com/96boards/documentation/wiki/HiKeyUEFI#flash-binaries-to-emmc-). +Follow +[flashing instructions](https://github.com/96boards/documentation/wiki/HiKeyUEFI#flash-binaries-to-emmc-). For Debian-based systems you may need: -``` +```bash sudo apt-get install python-serial android-tools-fastboot ``` On my Debian I see in `dmesg`: -``` +```bash [21174.122832] usb 3-2.2: USB disconnect, device number 15 [21343.166870] usb 3-2.1.1: new full-speed USB device number 17 using xhci_hcd [21343.268348] usb 3-2.1.1: New USB device found, idVendor=12d1, idProduct=3609 @@ -64,7 +69,7 @@ On my Debian I see in `dmesg`: Correct command and UART log should look similar to this: -``` +```bash [17:11:36] pietrushnic:images $ sudo python ../src/burn-boot/hisi-idt.py --img1=l-loader.bin -d /dev/ttyUSB2 +----------------------+ (' Serial: ', '/dev/ttyUSB2') @@ -76,7 +81,7 @@ Correct command and UART log should look similar to this: Done ``` -``` +```bash usb reset intr reset device done. start enum. @@ -109,7 +114,7 @@ If above steps finish without the problems, then you know working procedure for flashing all required components. Now let's proceed with fast boot and flashing remaining components: -``` +```bash sudo fastboot flash ptable ptable-linux-8g.img sudo fastboot flash fastboot fip.bin sudo fastboot flash nvme nvme.img @@ -119,7 +124,7 @@ sudo fastboot flash system hikey-jessie_developer_20160225-410.emmc.img Output should look like this: -``` +```bash $ sudo fastboot flash ptable ptable-linux-8g.img target reported max download size of 268435456 bytes sending 'ptable' (17 KB)... @@ -181,10 +186,11 @@ Remove Boot Select jumper (link 3-4) and power on platform. ### System configuration -Wireless network can be easily configured using [this instructions](https://github.com/96boards/documentation/wiki/HiKeyGettingStarted#wireless-network). +Wireless network can be easily configured using +[this instructions](https://github.com/96boards/documentation/wiki/HiKeyGettingStarted#wireless-network). It is also required to setup DNS in `/etc/resolv.conf` ie.: -``` +```bash nameserver 8.8.8.8 ``` @@ -192,16 +198,16 @@ nameserver 8.8.8.8 There was time when I asked myself what I can do ? Where to start ? Good way to analyze system compatibility (and find bugs) from firmware perspective is -[FirmwareTestSuit](https://wiki.ubuntu.com/FirmwareTestSuite/). It can be -cloned using: +[FirmwareTestSuit](https://wiki.ubuntu.com/FirmwareTestSuite/). It can be cloned +using: -``` +```bash git clone git://kernel.ubuntu.com/hwe/fwts.git ``` To compile: -``` +```bash apt-get update apt-get install autoconf automake libglib2.0-dev libtool libpcre3-dev libjson0-dev flex bison dkms autoreconf -ivf @@ -211,7 +217,7 @@ make -j$(nproc) To run: -``` +```bash ./src/fwts ``` @@ -219,7 +225,7 @@ At point of writing this post only 13 tests passed. Most of testes (243) were aborted since no support for given feature was detected. This results show that there is plenty to do before getting well-supported firmware on HiKey. -``` +```bash Test |Pass |Fail |Abort|Warn |Skip |Info | ---------------+-----+-----+-----+-----+-----+-----+ acpiinfo | | | | | | 2| @@ -293,12 +299,12 @@ Total: | 13| 2| 248| 0| 11| 5| ## Summary -As presented above HiKey developement process is not so simple. Using -precompiled binaries is very useful for presentation purposes, but adding -features to EDK2 will requires recompilation some of mentioned components. -Documentation is not easy to search as well as forum, key probablem is that it -needs more order, because various information (sometimes unrelated) are spread -actoss directories and repositories. +As presented above HiKey development process is not so simple. Using precompiled +binaries is very useful for presentation purposes, but adding features to EDK2 +will requires recompilation some of mentioned components. Documentation is not +easy to search as well as forum, key probablem is that it needs more order, +because various information (sometimes unrelated) are spread actoss directories +and repositories. Nevertheless hacking ARMv8 firmware may be fun and there huge undiscovered area to explore. Key question is what valid use cases may lead to extensive firmware diff --git a/blog/content/post/2016-10-20-samg55-oled1-xplained-pro-hello-world.md b/blog/content/post/2016-10-20-samg55-oled1-xplained-pro-hello-world.md index 4f1ebcbb..e09e3d44 100644 --- a/blog/content/post/2016-10-20-samg55-oled1-xplained-pro-hello-world.md +++ b/blog/content/post/2016-10-20-samg55-oled1-xplained-pro-hello-world.md @@ -15,61 +15,59 @@ categories: - Firmware - IoT --- -AMG55 - recognition in the field ---------------------------------- + +## AMG55 - recognition in the field If you are considering working on SAMG55 Xplained Pro board here you will find some basic know-how to quickly get you started. -#### What you will need? +### What you will need? In this example I will be using SAMG55 Xplained Pro with OLED1 extension board, -and Atmel Studio 7.0 with Data Visualizer addon, wich requires Windows to work. +and Atmel Studio 7.0 with Data Visualizer addon, which requires Windows to work. This however should be similar for other board with EDBG debugger. -![](https://3mdeb.com/wp-content/uploads/2017/07/IMG_0805.jpg) +![img](/img/sam_g55_xpro.png) -### Word of explanation +## Word of explanation Before we start taking any action: - * `EDBG` - on board debugger, that will simplify debugging process, - and allow us to easily program chip without any external tools. - * `ASF` - Atmel Studio Framework, used for downloading and installing - useful stuff, like libraries and APIs for specific extensions. +- `EDBG` - on board debugger, that will simplify debugging process, and allow us + to easily program chip without any external tools. +- `ASF` - Atmel Studio Framework, used for downloading and installing useful + stuff, like libraries and APIs for specific extensions. ### Getting started To get to know the code, and typical project setup check out example projects, you can find there samples for many boards, their extensions and their usages. -e.g. getting MAC address from WIPC1500 or finding avalaible AP using same -board. +e.g. getting MAC address from WIPC1500 or finding available AP using same board. -Adding Support for extensions ------------------------------ +## Adding Support for extensions Get some extension to work with your code may be tricky, and not always will work out of the box. Let's follow the process of enabling OLED1 Xplained Pro on -SAMG55 Xplained Pro, using ASF Wizard. As a starting point, im going to use -example project `Getting-Started Application on SAM - SAMG55` wich gives us +SAMG55 Xplained Pro, using ASF Wizard. As a starting point, im going to use +example project `Getting-Started Application on SAM - SAMG55` which gives us simple code that will blink on-board led (LED0). This action however can be disabled using on-board button (SW0). Our goal is to print on OLED1 display -whether function is currently on, or off. To do that, we will need to add -OLED1 libraries first. You could add them by hand, but there is a tool that -will do that for you. Open ASF Wizard, and find there +whether function is currently on, or off. To do that, we will need to add OLED1 +libraries first. You could add them by hand, but there is a tool that will do +that for you. Open ASF Wizard, and find there -``` +```bash SSD1306 OLED controller (component) ``` select it, and apply changes. -![](/img/Capture.png) +![img](/img/Capture.png) - Now your Solution Explorer got few more files. You may add simple chunk of -code in the main function: +Now your Solution Explorer got few more files. You may add simple chunk of code +in the main function: -``` +```bash ssd1306_init(); ssd1306_display_on(); ssd1306_clear(); @@ -78,11 +76,11 @@ ssd1306_set_page_address(2); ssd1306_write_text("Hello World"); ``` -But this will not work yet, you sill need to do some configuration. Both files +But this will not work yet, you sill need to do some configuration. Both files to change you can find in `config/` folder first one is `conf_board.h` In there you have to add these lines: -``` +```bash #define BOARD_FLEXCOM_SPI FLEXCOM5 #define CONF_BOARD_OLED_UG_2832HSWEG04 #define CONF_BOARD_SPI @@ -91,7 +89,7 @@ you have to add these lines: Second one is `conf_ssd1306.h` In which you have to change: -``` +```bash # define SSD1306_SPI SPI5 # define SSD1306_DC_PIN UG_2832HSWEG04_DATA_CMD_GPIO # define SSD1306_RES_PIN UG_2832HSWEG04_RESET_GPIO @@ -100,16 +98,16 @@ Second one is `conf_ssd1306.h` In which you have to change: Note, that these values are there twice, one time in `if`, that check whether your board is XMEGA_C3_XPLAINED or XMEGA_E5_XPLAINED, if it is, then change -these values. For every other board, values can be found at the end of the -file. In the same place you will find comment explaining their meaning. -comment. After these changes, all you have to do is connect the board, using -microUSB and connecting it to EDBG USB port, wait for Atmel Studio to find -board, select tool `EDBG`, interface `SWD` and program the chip. After short -amount of time, you will see "Hello World" on display, and blinking led. To -make it show whether function is active or inactive, change last while loop in -main.c to something like this - -``` +these values. For every other board, values can be found at the end of the file. +In the same place you will find comment explaining their meaning. comment. After +these changes, all you have to do is connect the board, using microUSB and +connecting it to EDBG USB port, wait for Atmel Studio to find board, select tool +`EDBG`, interface `SWD` and program the chip. After short amount of time, you +will see "Hello World" on display, and blinking led. To make it show whether +function is active or inactive, change last while loop in main.c to something +like this + +```bash while (1) { if (g_b_led0_active) { ioport_toggle_pin_level(LED0_GPIO); @@ -129,36 +127,34 @@ while (1) { ``` You might have noticed that `printf("1 ");`, and was wondering where you can -find it's output? Serial console can be opened using Data Visualizer wich is in -tools menu (if you have it installed), on the left side of it is -`configuration` option, that will open panel, with several options to chose -terminal can be opened selecting `External Connection` and `Serial Port`. -Before connecting, remember to change baudrate to `115200`. Now you are all -set up, and ready to code. +find it's output? Serial console can be opened using Data Visualizer which is in +tools menu (if you have it installed), on the left side of it is `configuration` +option, that will open panel, with several options to chose terminal can be +opened selecting `External Connection` and `Serial Port`. Before connecting, +remember to change baudrate to `115200`. Now you are all set up, and ready to +code. -Sources -------- +## Sources SAMG55 Xplained Pro documentation -* [Data Gateway Interface](http://www.atmel.com/Images/Atmel-32223-Data-Gateway-Interface_UserGuide.pdf) -* [DGILIB for DGI](http://www.atmel.com/Images/Atmel-42771-DGILib_UserGuide.pdf) -* [EDBG](http://www.atmel.com/Images/Atmel-42096-Microcontrollers-Embedded-Debugger_User-Guide.pdf) -* [SAMG55 Xplained Pro](http://www.atmel.com/Images/Atmel-42389-SAM-G55-Xplained-Pro_User-Guide.pdf) -* [SAMG55 Xplained Pro Datasheet](http://www.atmel.com/Images/Atmel-11289-32-bit-Cortex-M4-Microcontroller-SAM-G55_Datasheet.pdf) -* [SAMG55 Xplained Pro Datasheet summary](http://www.atmel.com/Images/Atmel-11289-32-bit-Cortex-M4-Microcontroller-SAM-G55_Summary-Datasheet.pdf) -* [All SAMG55 Documents](http://www.atmel.com/devices/ATSAMG55.aspx?tab=documents) +- [Data Gateway Interface](http://www.atmel.com/Images/Atmel-32223-Data-Gateway-Interface_UserGuide.pdf) +- [DGILIB for DGI](http://www.atmel.com/Images/Atmel-42771-DGILib_UserGuide.pdf) +- [EDBG](http://www.atmel.com/Images/Atmel-42096-Microcontrollers-Embedded-Debugger_User-Guide.pdf) +- [SAMG55 Xplained Pro](http://www.atmel.com/Images/Atmel-42389-SAM-G55-Xplained-Pro_User-Guide.pdf) +- [SAMG55 Xplained Pro Datasheet](http://www.atmel.com/Images/Atmel-11289-32-bit-Cortex-M4-Microcontroller-SAM-G55_Datasheet.pdf) +- [SAMG55 Xplained Pro Datasheet summary](http://www.atmel.com/Images/Atmel-11289-32-bit-Cortex-M4-Microcontroller-SAM-G55_Summary-Datasheet.pdf) +- [All SAMG55 Documents](http://www.atmel.com/devices/ATSAMG55.aspx?tab=documents) OLED1 Xplained Pro Documentation -* [OLED1 Xplained Pro](http://www.atmel.com/Images/Atmel-42077-OLED1-Xplained-Pro_User-Guide.pdf) -* [SSD1306 controller API](http://asf.atmel.com/docs/latest/samg/html/group__ssd1306__oled__controller__group.html) +- [OLED1 Xplained Pro](http://www.atmel.com/Images/Atmel-42077-OLED1-Xplained-Pro_User-Guide.pdf) +- [SSD1306 controller API](https://web.archive.org/web/20180826215225/http://asf.atmel.com/docs/latest/samg/html/group__ssd1306__oled__controller__group.html) -Summary -------- +## Summary -![](/img/helloworld_0.jpg) +![img](/img/helloworld_0.jpg) As you can see, starting with `Atmel SAMG55 Xplained Pro` can be easy. I hope -that provided information are easy to read, and useful. If they are not, -please leave a comment. Thanks for reading. +that provided information are easy to read, and useful. If they are not, please +leave a comment. Thanks for reading. diff --git a/blog/content/post/2016-11-01-chromium-gstreamer-backed-for-i-mx6-research.md b/blog/content/post/2016-11-01-chromium-gstreamer-backed-for-i-mx6-research.md index e6f59b0e..049e19f0 100644 --- a/blog/content/post/2016-11-01-chromium-gstreamer-backed-for-i-mx6-research.md +++ b/blog/content/post/2016-11-01-chromium-gstreamer-backed-for-i-mx6-research.md @@ -14,29 +14,29 @@ tags: categories: - App Dev --- -Recently I work on i.MX6 based project that requires video hardware -decoding in web browser (best case in [QtWebEngine](https://wiki.qt.io/QtWebEngine), which is entire Chromium -platform in Qt). + +Recently I work on i.MX6 based project that requires video hardware decoding in +web browser (best case in [QtWebEngine](https://wiki.qt.io/QtWebEngine), which +is entire Chromium platform in Qt). ### Chromium After some research it appears that Chromium is not interested in providing external support for GStreamer-backed video hardware decoding. Truly going -through all discussion related to this topic was very dissapointing. Typically +through all discussion related to this topic was very disappointing. Typically Chromium developers just close thread when discussion started to be noisy and -there mass of complaining people raised. If you want to go through that path -you can read: +there mass of complaining people raised. If you want to go through that path you +can read: -* [Enable VAVDA by default on Linux for VA-API-assisted HW video decode](https://bugs.chromium.org/p/chromium/issues/detail?id=137247) -* [Call vaInitialize() at PreSandbox stage](https://codereview.chromium.org/15955009/) -* [Remove additional protection of kDisableAcceleratedVideoDecode in bpf_gpu_policy_linux.cc. (Closed)](https://codereview.chromium.org/176883018/) -* [Use GStreamer as a media backend](https://bugs.chromium.org/p/chromium/issues/detail?id=32861) -* [Feature Request: Making Gstreamer and FFMPEG coexist in chromium.(atleast in chromium linux)](https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/fV_v6fH8nwE) +- [Enable VAVDA by default on Linux for VA-API-assisted HW video decode](https://bugs.chromium.org/p/chromium/issues/detail?id=137247) +- [Call vaInitialize() at PreSandbox stage](https://codereview.chromium.org/15955009/) +- [Remove additional protection of kDisableAcceleratedVideoDecode in bpf_gpu_policy_linux.cc. (Closed)](https://codereview.chromium.org/176883018/) +- [Use GStreamer as a media backend](https://bugs.chromium.org/p/chromium/issues/detail?id=32861) +- [Feature Request: Making Gstreamer and FFMPEG coexist in chromium.(at least in chromium linux)](https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/fV_v6fH8nwE) -In short Chromium developers are concerned about security and portability -issues with their browser. Something more have to be behind the scenes, because -this explanation was proved to not be consistent across various Chromium -features. +In short Chromium developers are concerned about security and portability issues +with their browser. Something more have to be behind the scenes, because this +explanation was proved to not be consistent across various Chromium features. As side note for some x86/x86_64 platforms it is possible to enable video hardware decoding. I'm not sure where is the list of available platforms but @@ -49,25 +49,26 @@ show how to enable that experimental support. On my platform with GeForce GTX This lead me to check what is going on on Firefox side and results were better, but recently GStreamer backend was disabled because of bugs that it leads to. -* [(gstreamer) meta Gstreamer support has problems](https://bugzilla.mozilla.org/show_bug.cgi?id=GStreamer) -* [(Linux) Gstreamer support removed](http://forums.mozillazine.org/viewtopic.php?f=7&t=3003683) +- [(gstreamer) meta Gstreamer support has problems](https://bugzilla.mozilla.org/show_bug.cgi?id=GStreamer) +- [(Linux) Gstreamer support removed](http://forums.mozillazine.org/viewtopic.php?f=7&t=3003683) ### Chromium GStreamer backend Despite all above problems surprisingly Samsung came with solution (at least at -first glance). Company published [Chromium GStreamer Backend](https://github.com/Samsung/ChromiumGStreamerBackend) project, which -doesn't seem to have big community, but recent commits are from September, so -1.5 month old. There 2 main contributors both from Samsung. +first glance). Company published +[Chromium GStreamer Backend](https://github.com/Samsung/ChromiumGStreamerBackend) +project, which doesn't seem to have big community, but recent commits are from +September, so 1.5 month old. There 2 main contributors both from Samsung. ## How I gave up and pivot to other solution I tried to approach Chromium building from scratch as described in Samsung documentation. Unfortunately it consumed a lot of effort. Hardware requirements are ridiculous (>16GB RAM and 100GB storage). Then it happened that procedures -are for Ubuntu and do not align great with Debian (especially Sid). On the -other hand I broke my system so many time that I'm very resistant to any -additional system modification - at this point I'm really in favour of -separating environment using Docker. +are for Ubuntu and do not align great with Debian (especially Sid). On the other +hand I broke my system so many time that I'm very resistant to any additional +system modification - at this point I'm really in favour of separating +environment using Docker. So after realizing how complex Chromium is I reconsidered approach and decided that I have to focus on making GStreamer video hardware acceleration work diff --git a/blog/content/post/2016-11-23-starting-with-nucleo-f411re-and-mbed-os-for-command-line-enthusiasts.md b/blog/content/post/2016-11-23-starting-with-nucleo-f411re-and-mbed-os-for-command-line-enthusiasts.md index 30e0e283..6ae38cb1 100644 --- a/blog/content/post/2016-11-23-starting-with-nucleo-f411re-and-mbed-os-for-command-line-enthusiasts.md +++ b/blog/content/post/2016-11-23-starting-with-nucleo-f411re-and-mbed-os-for-command-line-enthusiasts.md @@ -15,39 +15,40 @@ categories: - Firmware - IoT --- + When I first time read about mbed OS I was really sceptical, especially idea of -having web browser as my IDE and compiler in the cloud seems to be very scary -to me. ARM engineers proved to provide high quality products, but this was not +having web browser as my IDE and compiler in the cloud seems to be very scary to +me. ARM engineers proved to provide high quality products, but this was not enough to me. Then I heard very good words about mbed OS IDE from Jack Ganssle, this was still not enough. Finally customers started to ask about this RTOS and I had to look deeper. There are other well known OSes, but most of them have issues: -* FreeRTOS - probably most popular, GPL license with exceptions and -restrictions, doesn't have drivers provided this is mostly filled by MCU vendor -in SDK. This can lead to problems ie. lack of well supported DTLS library or -specific communication protocol. It often happen that MCU vendors doesn't -maintain community, so code base grows internally and is not revealed. +- FreeRTOS - probably most popular, GPL license with exceptions and + restrictions, doesn't have drivers provided this is mostly filled by MCU + vendor in SDK. This can lead to problems ie. lack of well supported DTLS + library or specific communication protocol. It often happen that MCU vendors + doesn't maintain community, so code base grows internally and is not revealed. -* RIoT - well known and popular, LGPL 2.1 license what is typically problematic -when your work affect system core. Contain lot of features, but number of -supported platforms is limited. Targeted at academics and hobbyists. +- RIoT - well known and popular, LGPL 2.1 license what is typically problematic + when your work affect system core. Contain lot of features, but number of + supported platforms is limited. Targeted at academics and hobbyists. -* Zephyr - great initiative backed by Linaro, Linux Foundation, -Qualcomm/NXP/Freescale and Intel. License Apache 2.0, which IMO is much better -for embedded then (L)GPL. Unluckily this is brand new and support is very -limited. For sure porting new platform to Zephyr can be great fun and -principles are very good, but support is very limited and it will take time to -make it mature enough to seriously consider in commercial product. +- Zephyr - great initiative backed by Linaro, Linux Foundation, + Qualcomm/NXP/Freescale and Intel. License Apache 2.0, which IMO is much better + for embedded then (L)GPL. Unluckily this is brand new and support is very + limited. For sure porting new platform to Zephyr can be great fun and + principles are very good, but support is very limited and it will take time to + make it mature enough to seriously consider in commercial product. -* mbed OS - this one looks really great. Apache 2.0. Tons of drivers, clean -environment, huge, good-looking and well written documentation. Wide range of -hardware is already supported and it came from designed of most popular core in -the world. Community is big but it is still not so vibrant as ie. RIoT. +- mbed OS - this one looks really great. Apache 2.0. Tons of drivers, clean + environment, huge, good-looking and well written documentation. Wide range of + hardware is already supported and it came from designed of most popular core + in the world. Community is big but it is still not so vibrant as ie. RIoT. -Below I want to present Linux user experience from my first contact with mbed -OS on Nucleo-F411RE platform. +Below I want to present Linux user experience from my first contact with mbed OS +on Nucleo-F411RE platform. {% img center /assets/images/nucleo-F411RE.jpg 640 400 'image' 'images' %} @@ -55,32 +56,32 @@ OS on Nucleo-F411RE platform. I have to say that at first glance whole system is very well documented with great look and feel. [Main site](https://www.mbed.com/en/) requires 2 clicks to -be in correct place for Embedded System Engineer. In general we have 3 main -path when we choose developer tools: Online IDE, mbed CLI and 3rd party. Last -covers blasting variety of IDEs including Makefile and Eclipse CDT based GCC -support. +be in correct place for Embedded System Engineer. In general we have 3 main path +when we choose developer tools: Online IDE, mbed CLI and 3rd party. Last covers +blasting variety of IDEs including Makefile and Eclipse CDT based GCC support. Things that are annoying during first contact we web page: -* way to contribute documentation is not clear -* there is no description how to render documentation locally -* can't upload avatar on forum - no information what format and resolution is +- way to contribute documentation is not clear +- there is no description how to render documentation locally +- can't upload avatar on forum - no information what format and resolution is supported -But those are less interesting things. Going back to development environment -for me 2 options where interesting mbed CLI and plain Makefile. +But those are less interesting things. Going back to development environment for +me 2 options where interesting mbed CLI and plain Makefile. ## mbed CLI I already have setup vitrualenv for Python 2.7: -``` +```bash pip install mbed-cli ``` First thing to like in `mbed-cli` is that it was implemented in Python. Of course this is very subjective since I'm familiar with Python, but it good to -know that I can hack something that doesn't work for me. Is is [Open Source](https://github.com/ARMmbed/mbed-cli). +know that I can hack something that doesn't work for me. Is is +[Open Source](https://github.com/ARMmbed/mbed-cli). I also like the idea of mimicking git subcommands. More information about mbed CLI can be found in @@ -88,14 +89,14 @@ CLI can be found in It is also great that mbed CLI tries to manage whole program dependencies in structured way, so no more hassle with external libraries versioning and trying -to keep sanity when you have to clone your development workspace. Of course -this have to be checked on battlefield, since documentation promise may be not +to keep sanity when you have to clone your development workspace. Of course this +have to be checked on battlefield, since documentation promise may be not enough. So first thing that hit me when trying to move forward was this message: -``` -$ mbed new mbed-os-program +```bash +$ mbed new mbed-os-program [mbed] Creating new program "mbed-os-program" (git) [mbed] Adding library "mbed-os" from "https://github.com/ARMmbed/mbed-os" at branch latest [mbed] Updating reference "mbed-os" -> "https://github.com/ARMmbed/mbed-os/#d5de476f74dd4de27012eb74ede078f6330dfc3f" @@ -110,7 +111,7 @@ $ mbed new mbed-os-program This appeared to be some problem with my distro: -``` +```bash (...) ext/_yaml.c:4:20: fatal error: Python.h: No such file or directory #include "Python.h" @@ -121,30 +122,31 @@ This appeared to be some problem with my distro: This indicate lack of `python2.7-dev` package, so: -``` +```bash sudo aptitude update && sudo aptitude dist-upgrade sudo aptitude install python2.7-dev ``` -After verifying that you can create program, let's try to get well known -hello world for embedded: +After verifying that you can create program, let's try to get well known hello +world for embedded: -``` +```bash mbed import https://github.com/ARMmbed/mbed-os-example-blinky ``` ## Toolchain -To compile example we need toolchain. The easiest way would be to get distro package: +To compile example we need toolchain. The easiest way would be to get distro +package: -```console +```bash sudo apt-get install gcc-arm-none-eabi ``` Now you should set toolchain configuration, if you won't error like this may pop-up: -```console +```bash $ mbed compile -t GCC_ARM -m NUCLEO_F411RE Building project mbed-os-example-blinky (NUCLEO_F411RE, GCC_ARM) Scan: . @@ -176,14 +178,14 @@ compilation terminated. Toolchain configuration is needed: -```console +```bash mbed config --global GCC_ARM_PATH "/usr/bin" ``` But then we get another problem: -```console -$ mbed compile -t GCC_ARM -m NUCLEO_F411RE +```bash +$ mbed compile -t GCC_ARM -m NUCLEO_F411RE Building project mbed-os-example-blinky (NUCLEO_F411RE, GCC_ARM) Scan: . Scan: FEATURE_BLE @@ -216,22 +218,23 @@ compilation terminated. I'm not sure what is the reason but I expect lack of `g++-arm-none-eabi` but it is not provided by Debian at this point. So its time to switch to toolchain -downloaded directly from [GNU ARM Embedded Toolchain page](https://launchpad.net/gcc-arm-embedded). +downloaded directly from +[GNU ARM Embedded Toolchain page](https://launchpad.net/gcc-arm-embedded). -```console +```bash wget https://launchpadlibrarian.net/287101520/gcc-arm-none-eabi-5_4-2016q3-20160926-linux.tar.bz2 tar xvf gcc-arm-none-eabi-5_4-2016q3-20160926-linux.tar.bz2 ``` Then change your global mbed configuration: -```console +```bash mbed config --global GCC_ARM_PATH "/path/to/gcc-arm-none-eabi-5_4-2016q3/bin" ``` Now compilation works without problems: -```console +```bash $ mbed compile -t GCC_ARM -m NUCLEO_F411RE Building project mbed-os-example-blinky (NUCLEO_F411RE, GCC_ARM) Scan: . @@ -292,11 +295,11 @@ So we have binary now we would like to deploy it to target. ## Test real hardware -To test build binary on Nucleo-F411RE the only thing is to connect board -through mini USB and copy build result to mounted directory. In my case it was -something like this: +To test build binary on Nucleo-F411RE the only thing is to connect board through +mini USB and copy build result to mounted directory. In my case it was something +like this: -```console +```bash cp BUILD/NUCLEO_F411RE/GCC_ARM/mbed-os-example-blinky.bin /media/pietrushnic/NODE_F411RE/ ``` @@ -306,7 +309,7 @@ This is pretty weird interface for programming, but simplified to the maximum. Modify your `main.cpp` with something like: -```c +```bashc #include "mbed.h" DigitalOut led1(LED1); @@ -326,10 +329,10 @@ int main() { } ``` -Recompile and copy result as it was described above. To connect to device -please check your dmesg: +Recompile and copy result as it was described above. To connect to device please +check your dmesg: -```console +```bash $ dmesg|grep tty [ 0.000000] console [tty0] enabled [ 0.935792] 00:05: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A @@ -342,16 +345,15 @@ $ dmesg|grep tty This means that your Nucleo registered `/dev/ttyAMA0` device and to connect you can use `minicom`: -```console +```bash minicom -b 9600 -o -D /dev/ttyACM0 ``` -Summary -------- +## Summary I hope this tutorial add something or help resolving some issue that you may struggle with. As you can see mbed is not perfect, but it looks like it may -serve as great replacement for previous environments ie. custom IDE from -various vendors. What would be useful to verify is for sure OpenOCD with STLink -to see if whole development stack is ready to use under Linux. In next post I -will try to start work with Atmel SAM G55 and mbed OS. +serve as great replacement for previous environments ie. custom IDE from various +vendors. What would be useful to verify is for sure OpenOCD with STLink to see +if whole development stack is ready to use under Linux. In next post I will try +to start work with Atmel SAM G55 and mbed OS. diff --git a/blog/content/post/2016-11-24-failure-of-ecc508a-crypto-coprocessor-initial-triage-with-sam-g55-xplained-pro-evaluation-kit.md b/blog/content/post/2016-11-24-failure-of-ecc508a-crypto-coprocessor-initial-triage-with-sam-g55-xplained-pro-evaluation-kit.md index 39141d67..df741ed5 100644 --- a/blog/content/post/2016-11-24-failure-of-ecc508a-crypto-coprocessor-initial-triage-with-sam-g55-xplained-pro-evaluation-kit.md +++ b/blog/content/post/2016-11-24-failure-of-ecc508a-crypto-coprocessor-initial-triage-with-sam-g55-xplained-pro-evaluation-kit.md @@ -16,6 +16,7 @@ categories: - Security - IoT --- + Some time ago (around August 2016) embedded community media were hit with hype around simplified flow for AWS IoT provisioning ([1](http://www.embedded.com/electronics-products/electronic-product-reviews/safety-and-security/4442551/Crypto-chip-simplifies-AWS-IoT-security), @@ -23,23 +24,23 @@ around simplified flow for AWS IoT provisioning [3](http://www.embedded.com/electronics-news/4423245/Microchip-goes-to-the-Cloud-for-IoT-design)). I'm personally very interested in all categories related to those news: -* IoT - is 3mdeb business core and despite this term was largely abused these +- IoT - is 3mdeb business core and despite this term was largely abused these days, we just love to build connected embedded devices. Building this kind of devices is inherently related with firmware deployment, provisioning and update problems. -* AWS - truly it is had to find similar level of quality and feature-richness - and because I was lucky to invest my time and work with grandfather of AWS - IoT (namely 2lemetry ThingFabric) I naturally try to follow this trend and - make sure 3mdeb customers use best in class product in IoT cloud segment. To +- AWS - truly it is had to find similar level of quality and feature-richness + and because I was lucky to invest my time and work with grandfather of AWS IoT + (namely 2lemetry ThingFabric) I naturally try to follow this trend and make + sure 3mdeb customers use best in class product in IoT cloud segment. To provide that service we try to be on track with all news related to AWS IoT. -* Security - there will be not so much work for Embedded System Consultants if +- Security - there will be not so much work for Embedded System Consultants if IoT will be rejected because of security issues. I'm sure I don't have to convince anyone about important of security. Key is to see typical flow that we face in technology (especially in security area): -``` +```bash mathematics -> proof of concept software -> mature software -> @@ -47,24 +48,25 @@ hardware acceleration -> hardware implementation ``` - AWS IoT cryptography is not trivial and doing it right is even more complex. - Using crypt chips like ECC508A should simplify whole workflow. +AWS IoT cryptography is not trivial and doing it right is even more complex. +Using crypt chips like ECC508A should simplify whole workflow. -Initial idea for this blog post was to triage ECC508A with some Linux or mbed -OS enabled platform. Atmel SAM G55 seem to have support in mbed OS +Initial idea for this blog post was to triage ECC508A with some Linux or mbed OS +enabled platform. Atmel SAM G55 seem to have support in mbed OS [here](https://github.com/ARMmbed/target-atmel-samg55j19-gcc), but diving into [CryptoAuthentication](http://www.atmel.com/products/security-ics/cryptoauthentication/default.aspx) with development stack that I'm not sure work fine is not best choice. That's -why I had to try stuff on Windows 10 and then after understanding things -better I move to something more convenient. +why I had to try stuff on Windows 10 and then after understanding things better +I move to something more convenient. -I mostly relied on [ATECC508A Node Authentication Example Using Asymmetric PKI](http://www.atmel.com/applications/iot/aws-zero-touch-secure-provisioning-platform/default.aspx?tab=documents) +I mostly relied on +[ATECC508A Node Authentication Example Using Asymmetric PKI](http://www.atmel.com/applications/iot/aws-zero-touch-secure-provisioning-platform/default.aspx?tab=documents) Application Note. What we need to start is: -* [Atmel Studio](http://www.atmel.com/tools/atmelstudio.aspx#download) -* [AT88CKECC-AWS-XSTK](http://www.atmel.com/tools/at88ckecc-aws-xstk.aspx) +- [Atmel Studio](http://www.atmel.com/tools/atmelstudio.aspx#download) +- [AT88CKECC-AWS-XSTK](http://www.atmel.com/tools/at88ckecc-aws-xstk.aspx) ## Atmel Studio @@ -96,19 +98,20 @@ Then you have window with info `Please select your project`, so choose work out of the box. One of problems that I faced was described -[here](http://asf.atmel.com/bugzilla/show_bug.cgi?id=3715) this is just -incorrect `OPTIMIZE_HIGH` macro. After fixing that both examples compile fine. +[here](https://web.archive.org/web/20170724192734/asf.atmel.com/bugzilla/show_bug.cgi?id=3715) +this is just incorrect `OPTIMIZE_HIGH` macro. After fixing that both examples +compile fine. I realized that Atmel Studio use older ASF (3.28.1) then what is available (3.32.0), but upgrading ASF leads to upgrading whole project and take time. After upgrade you get report if everything went fine for your 2k files. -The problem with `node-auth-basic` is that it is not prepared for SAM G55. -Whole code in `AT88CKECC-AWS-XSTK` documents target SAM D21. So you have to -change target device and this is possible only after update. To change device -enter `node-auth-basic` project properties and got to `Device` tab, then use -`Change Device` find `SAMG` family and use `SAMG55J19`. Please note that SAM -G55 devices are not visible if not change `Show devices` to `All Parts`. Result +The problem with `node-auth-basic` is that it is not prepared for SAM G55. Whole +code in `AT88CKECC-AWS-XSTK` documents target SAM D21. So you have to change +target device and this is possible only after update. To change device enter +`node-auth-basic` project properties and got to `Device` tab, then use +`Change Device` find `SAMG` family and use `SAMG55J19`. Please note that SAM G55 +devices are not visible if not change `Show devices` to `All Parts`. Result should look like this: {% img center /assets/images/atmel_studio_01.png 640 400 'image' 'images' %} @@ -118,14 +121,14 @@ Studio. Now we get more compilation errors: -``` +```bash Error sam/sleepmgr.h: No such file or directory node-auth-basic \ C:\(...)\cryptoauth-node-auth-basic\node-auth-basic\src\ASF\common\services\sleepmgr\sleepmgr.h 53 ``` -With above problem I started to think I'm getting really useless expertise. -The issue was pretty clear - we compile for SAMG not for SAMD and we need -different header. +With above problem I started to think I'm getting really useless expertise. The +issue was pretty clear - we compile for SAMG not for SAMD and we need different +header. ### ASF installation madness @@ -133,11 +136,11 @@ Moreover when I tried to reinstall ASF I had to register on Atmel page which complained on LastPass and identify my location as Russian Federation (despite I'm in Poland). Of course Atmel Studio open Edge to login me into their website. This whole IDE sucks and do a lot of damage to Atmel - how I can recommend them -after all that hassle ? Then after going through password/login Windows 10 detect -that something is wrong with Atmel Studio and decided that it have to be +after all that hassle ? Then after going through password/login Windows 10 +detect that something is wrong with Atmel Studio and decided that it have to be restarted. What I finally started installation I get this: -``` +```bash 2016-11-26 23:46:10 - Microsoft VSIX Installer 2016-11-26 23:46:10 - ------------------------------------------- 2016-11-26 23:46:10 - Initializing Install... @@ -176,28 +179,29 @@ restarted. What I finally started installation I get this: This should be enough to throw it away. Of course I have ~500MB on disk, but this is not enough. I assume that MS way in Windows 10 of providing information -to user is throwing exceptions or this was method of handling lack of free -space in Atmel Studio. +to user is throwing exceptions or this was method of handling lack of free space +in Atmel Studio. ## I gave up Couple more things that I found: -* There is no easy way to convert examples for ECC508A to make them work with - SAMG55 as those examples are mostly created for SAMD21. Clearly Atmel do a - lot noise about 250USD kit for which you don't have examples. -* CryptoAuthentication library doesn't have HAL for SAMG55 -* Atmel engagement in process of supporting community is poor, what can be - found here - [1](https://community.atmel.com/forum/provisioning-and-accessing-atecc508a),[2](https://community.atmel.com/forum/atecc508a-i2c-input-capacitance-ci) -* Full datasheet is available only under NDA +- There is no easy way to convert examples for ECC508A to make them work with + SAMG55 as those examples are mostly created for SAMD21. Clearly Atmel do a lot + noise about 250USD kit for which you don't have examples. +- CryptoAuthentication library doesn't have HAL for SAMG55 +- Atmel engagement in process of supporting community is poor, what can be found + here + [1](https://web.archive.org/web/20200812204110/https://community.atmel.com/forum/provisioning-and-accessing-atecc508a), + [2](https://web.archive.org/web/20200812213157/https://community.atmel.com/forum/atecc508a-i2c-input-capacitance-ci) +- Full datasheet is available only under NDA ## Summary I waste lot of time to figure out that evaluation of well advertised product is terribly difficult. I'm sure that lack of knowledge of Atmel ecosystem probably -added to my problems. I also didn't bother to contact community, which is -not fair to judge from my side. +added to my problems. I also didn't bother to contact community, which is not +fair to judge from my side. Key idea behind this triage was to check ECC508A in environment suggested by manufacturer. It happens that manufacturer didn't prepare infrastructure and @@ -207,6 +211,6 @@ board. Luckily during whole this process I found [cryptoauth-openssl-engine](https://github.com/AtmelCSO/cryptoauth-openssl-engine) Github repository. Which I will evaluate in next posts. -If you will struggle with similar problems and pass through some mentioned -above or you successfully triaged `ECC508A` on `AT88CKECC-AWS-XSTK` please let -me know. Other comments as always welcome. +If you will struggle with similar problems and pass through some mentioned above +or you successfully triaged `ECC508A` on `AT88CKECC-AWS-XSTK` please let me +know. Other comments as always welcome. diff --git a/blog/content/post/2017-01-14-zephyr-initial-triage-on-nucleo-64-stm32f411re.md b/blog/content/post/2017-01-14-zephyr-initial-triage-on-nucleo-64-stm32f411re.md index 01aaf49a..3384fe0b 100644 --- a/blog/content/post/2017-01-14-zephyr-initial-triage-on-nucleo-64-stm32f411re.md +++ b/blog/content/post/2017-01-14-zephyr-initial-triage-on-nucleo-64-stm32f411re.md @@ -17,7 +17,9 @@ categories: - Firmware - IoT --- -As I mention in [previous post](2016/11/23/starting-with-mdeb-os-for-linux-and-command-line-enthusiast) + +As I mention in +[previous post](https://blog.3mdeb.com/2016/2016-11-23-starting-with-nucleo-f411re-and-mbed-os-for-command-line-enthusiasts/) [Zephyr RTOS](https://www.zephyrproject.org/) is an interesting initiative started by Intel, NXP and couple other strong organizations. With so well founded background future for this RTOS should look bright and I think it will @@ -27,31 +29,33 @@ Because of that it is worth to dig little bit deeper in this RTOS and see what problems we faced when trying to develop for some well known development board. I choose STM32 F411RE mainly because it start to gather dust and some customers ask about it recently. As always I will present perspective of Linux enthusiast -trying to use Debian Linux and command line for development as I did for [mbed OS](2016/11/23/starting-with-mdeb-os-for-linux-and-command-line-enthusiast). +trying to use Debian Linux and command line for development as I did for +[mbed OS](https://blog.3mdeb.com/2016/2016-11-23-starting-with-nucleo-f411re-and-mbed-os-for-command-line-enthusiasts/). ## Let's start -To not repeat documentation here please first follow [Getting Started Guide](https://www.zephyrproject.org/doc/doc/getting_started/installation_linux.html). +To not repeat documentation here please first follow +[Getting Started Guide](https://docs.zephyrproject.org/latest/develop/getting_started/index.html). After setting up environment and running Hello World example we are good to go with trying Nucleo-64 STM32F411RE. This is pretty new thing, so you will need recent `arm` branch: -``` +```bash git fetch origin arm git checkout arm ``` Then `make help` should show `f411re`: -``` +```bash $ make help|grep f411 make BOARD=nucleo_f411re - Build for nucleo_f411re ``` Let's try to compile that (please note that I'm still in `hello_world` project): -``` +```bash $ make BOARD=nucleo_f411re (...) AR libzephyr.a @@ -64,7 +68,7 @@ $ make BOARD=nucleo_f411re To flash binaries OpenOCD was needed: -``` +```bash git clone git://git.code.sf.net/p/openocd/code openocd-code cd openocd-code ./bootstrap @@ -77,11 +81,11 @@ It would be great to have mbed way of flashing Nucleo-64 board. Using OpenOCD I get libusb access error: -``` +```bash $ make BOARD=nucleo_f411re flash -make[1]: Entering directory '/home/pietrushnic/storage/wdc/projects/2016/acme/zephyr_support/src/zephyr-project' -make[2]: Entering directory '/home/pietrushnic/storage/wdc/projects/2016/acme/zephyr_support/src/zephyr-project/samples/hello_world/outdir/nucleo_f411re' - Using /home/pietrushnic/storage/wdc/projects/2016/acme/zephyr_support/src/zephyr-project as source for kernel +make[1]: Entering directory 'zephyr_support/src/zephyr-project' +make[2]: Entering directory 'zephyr_support/src/zephyr-project/samples/hello_world/outdir/nucleo_f411re' + Using zephyr_support/src/zephyr-project as source for kernel GEN ./Makefile CHK include/generated/version.h CHK misc/generated/configs.c @@ -93,7 +97,8 @@ Open On-Chip Debugger 0.9.0-dirty (2016-08-02-16:04) Licensed under GNU GPL v2 For bug reports, read http://openocd.org/doc/doxygen/bugs.html -Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD +Info : The selected transport took over low-level target control. + The results might differ compared to plain JTAG/SWD adapter speed: 2000 kHz adapter_nsrst_delay: 100 none separate @@ -111,23 +116,23 @@ Done flashing I added additional udev rules from OpenOCD project: -``` +```bash sudo cp contrib/99-openocd.rules /etc/udev/rules.d ``` And added my username to `plugdev` group: -``` +```bash sudo usermod -aG plugdev $USER ``` The result was: -``` +```bash [0:39:48] pietrushnic:hello_world git:(arm) $ make BOARD=nucleo_f411re flash -make[1]: Entering directory '/home/pietrushnic/storage/wdc/projects/2016/acme/zephyr_support/src/zephyr-project' -make[2]: Entering directory '/home/pietrushnic/storage/wdc/projects/2016/acme/zephyr_support/src/zephyr-project/samples/hello_world/outdir/nucleo_f411re' - Using /home/pietrushnic/storage/wdc/projects/2016/acme/zephyr_support/src/zephyr-project as source for kernel +make[1]: Entering directory 'zephyr_support/src/zephyr-project' +make[2]: Entering directory 'zephyr_support/src/zephyr-project/samples/hello_world/outdir/nucleo_f411re' + Using zephyr_support/src/zephyr-project as source for kernel GEN ./Makefile CHK include/generated/version.h CHK misc/generated/configs.c @@ -139,7 +144,8 @@ Open On-Chip Debugger 0.9.0-dirty (2016-08-02-16:04) Licensed under GNU GPL v2 For bug reports, read http://openocd.org/doc/doxygen/bugs.html -Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD +Info : The selected transport took over low-level target control. + The results might differ compared to plain JTAG/SWD adapter speed: 2000 kHz adapter_nsrst_delay: 100 none separate @@ -163,27 +169,29 @@ Info : flash size = 512kbytes target state: halted target halted due to breakpoint, current mode: Thread xPSR: 0x61000000 pc: 0x20000042 msp: 0x20000750 -wrote 16384 bytes from file /home/pietrushnic/storage/wdc/projects/2016/acme/zephyr_support/src/zephyr-project/samples/hello_world/outdir/nucleo_f411re/zephyr.bin in 0.727563s (21.991 KiB/s) +wrote 16384 bytes from file zephyr_support/src/zephyr-project/samples/hello_world/outdir/nucleo_f411re/zephyr.bin + in 0.727563s (21.991 KiB/s) target state: halted target halted due to debug-request, current mode: Thread xPSR: 0x01000000 pc: 0x0800203c msp: 0x20000750 verified 12876 bytes in 0.118510s (106.103 KiB/s) shutdown command invoked Done flashing -make[2]: Leaving directory '/home/pietrushnic/storage/wdc/projects/2016/acme/zephyr_support/src/zephyr-project/samples/hello_world/outdir/nucleo_f411re' -make[1]: Leaving directory '/home/pietrushnic/storage/wdc/projects/2016/acme/zephyr_support/src/zephyr-project' +make[2]: Leaving directory 'zephyr_support/src/zephyr-project/samples/hello_world/outdir/nucleo_f411re' +make[1]: Leaving directory 'zephyr_support/src/zephyr-project' ``` ## Hello world verification Unfortunately I was not able to verify if `hello_world` example works at first -time. I posted my experience on [mailing list](https://lists.zephyrproject.org/g/devel/message/4287) -and after couple days I received information that there was bug in clock -initialisation and fix was pushed to gerrit. +time. I posted my experience on +[mailing list](https://lists.zephyrproject.org/g/devel/message/4287) and after +couple days I received information that there was bug in clock initialisation +and fix was pushed to gerrit. So I tried one more time: -``` +```bash git checkout master git fetch origin git branch -D arm @@ -198,10 +206,10 @@ just pulling it cause lot of conflicts. After correctly building I flashed binary to board: -``` -make[1]: Entering directory '/home/pietrushnic/storage/wdc/projects/2016/acme/zephyr_support/src/zephyr-project' -make[2]: Entering directory '/home/pietrushnic/storage/wdc/projects/2016/acme/zephyr_support/src/zephyr-project/samples/hello_world/outdir/nucleo_f411re' - Using /home/pietrushnic/storage/wdc/projects/2016/acme/zephyr_support/src/zephyr-project as source for kernel +```bash +make[1]: Entering directory 'zephyr_support/src/zephyr-project' +make[2]: Entering directory 'zephyr_support/src/zephyr-project/samples/hello_world/outdir/nucleo_f411re' + Using zephyr_support/src/zephyr-project as source for kernel GEN ./Makefile CHK include/generated/version.h CHK misc/generated/configs.c @@ -212,7 +220,8 @@ Open On-Chip Debugger 0.9.0-dirty (2016-08-02-16:04) Licensed under GNU GPL v2 For bug reports, read http://openocd.org/doc/doxygen/bugs.html -Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD +Info : The selected transport took over low-level target control. The results + might differ compared to plain JTAG/SWD adapter speed: 2000 kHz adapter_nsrst_delay: 100 none separate @@ -236,27 +245,29 @@ Info : flash size = 512kbytes target state: halted target halted due to breakpoint, current mode: Thread xPSR: 0x61000000 pc: 0x20000042 msp: 0x20000750 -wrote 16384 bytes from file /home/pietrushnic/storage/wdc/projects/2016/acme/zephyr_support/src/zephyr-project/samples/hello_world/outdir/nucleo_f411re/zephyr.bin in 0.663081s (24.130 KiB/s) +wrote 16384 bytes from file + zephyr_support/src/zephyr-project/samples/hello_world/outdir/nucleo_f411re/zephyr.bin + in 0.663081s (24.130 KiB/s) target state: halted target halted due to debug-request, current mode: Thread xPSR: 0x01000000 pc: 0x08001c84 msp: 0x20000750 verified 11900 bytes in 0.109678s (105.956 KiB/s) shutdown command invoked Done flashing -make[2]: Leaving directory '/home/pietrushnic/storage/wdc/projects/2016/acme/zephyr_support/src/zephyr-project/samples/hello_world/outdir/nucleo_f411re' -make[1]: Leaving directory '/home/pietrushnic/storage/wdc/projects/2016/acme/zephyr_support/src/zephyr-project' +make[2]: Leaving directory 'zephyr_support/src/zephyr-project/samples/hello_world/outdir/nucleo_f411re' +make[1]: Leaving directory 'zephyr_support/src/zephyr-project' ``` Log looks the same as previously, but this time on `/dev/ttyACM0` I found some output by using `minicom`: -``` +```bash minicom -b 115200 -o -D /dev/ttyACM0 ``` Result was: -``` +```bash ***** BOOTING ZEPHYR OS v1.6.99 - BUILD: Jan 14 2017 22:03:14 ***** Hello World! arm ``` @@ -265,9 +276,9 @@ The same method worked with `basic/blinky` example. ## Summary -This was short introduction, which took couple weeks to publish. I will -continue Zephyr research and as initial project I choose to add i2c driver for -F411RE development board. +This was short introduction, which took couple weeks to publish. I will continue +Zephyr research and as initial project I choose to add i2c driver for F411RE +development board. Overall Zephyr looks very promising with lot of documentation. Community could me more responsive, because at this point I think it is pushed more by diff --git a/blog/content/post/2017-01-22-nrf51822-programming-with-openocd-under-linux.md b/blog/content/post/2017-01-22-nrf51822-programming-with-openocd-under-linux.md index 9d0d8ca9..07985273 100644 --- a/blog/content/post/2017-01-22-nrf51822-programming-with-openocd-under-linux.md +++ b/blog/content/post/2017-01-22-nrf51822-programming-with-openocd-under-linux.md @@ -15,26 +15,27 @@ categories: - Firmware - IoT --- + Some time ago we bought [BLE400 from Waveshare] as probably one of the cheapest option to enter nRF51822 market. As our readers know, we prefer to use the Linux -environment for embedded systems development. Because of that, we're following the -guide for using Waveshare nRF51822 Eval Kit: [icarus-sensors]. -Kudos due to great post that helped us enter nRF51822 and mbed OS land under Linux. +environment for embedded systems development. Because of that, we're following +the guide for using Waveshare nRF51822 Eval Kit: [icarus-sensors]. Kudos due to +great post that helped us enter nRF51822 and mbed OS land under Linux. BLE400 is pretty cheap, because it hasn't got integrated debugger/programmer. -Key is to realize, that you can use BLE400 eval kit and STM32 development -board ie. Discovery or any Nucleo (only for its stlink integrated -debugger/programmer), which are also cheap. Of course other boards or -standalone ST-Link could be used. +Key is to realize, that you can use BLE400 eval kit and STM32 development board +ie. Discovery or any Nucleo (only for its stlink integrated +debugger/programmer), which are also cheap. Of course other boards or standalone +ST-Link could be used. ## Hardware connections -On the Nucleo board both jumpers from `CN2` connector should be removed. -Thanks to this ST-LINK could be used in stand-alone mode. +On the Nucleo board both jumpers from `CN2` connector should be removed. Thanks +to this ST-LINK could be used in stand-alone mode. Connection should be made this way: -``` +```bash Nucleo CN2 connector BLE400 SWD connector -----------------+ +------------------ VCC (pin 1) |-x | . @@ -46,7 +47,7 @@ SWO (pin 6) |-x | . -----------------+ +------------------ ``` -![][3] +![img][3] Both boards should be connected to host's USB ports. USB port on BLE400 is used for power supply and debug UART connection (`cp210x` converter should be @@ -57,12 +58,13 @@ detected and `ttyUSBx` exposed). No `stlink` tools are needed. Only OpenOCD. OpenOCD version we're using: -``` + +```bash $ openocd -v Open On-Chip Debugger 0.9.0 (2016-04-27-23:18) Licensed under GNU GPL v2 For bug reports, read - http://openocd.org/doc/doxygen/bugs.html + http://openocd.org/doc/doxygen/bugs.html ``` ### Enable user access to Debugger @@ -70,17 +72,16 @@ For bug reports, read First we need to check, that our debugger is detected. There should be line like this: -``` +```bash $ lsusb ... Bus 003 Device 015: ID 0483:3748 STMicroelectronics ST-LINK/V2 ... ``` -Note the `ID's: 0483:3748`. Create rule in -`/etc/udev/rules.d` (as `root`): +Note the `ID's: 0483:3748`. Create rule in `/etc/udev/rules.d` (as `root`): -``` +```bash $ cat > /etc/udev/rules.d/95-usb-stlink-v2.rules << EOF SUBSYSTEM=="usb", ATTR{idVendor}=="0483", ATTR{idProduct}=="3748", GROUP="users", MODE="0666" EOF @@ -88,26 +89,25 @@ EOF Reload `udev` rules (as `root`): -``` -$ udevadm control --reload -$ udevadm trigger +```bash +udevadm control --reload +udevadm trigger ``` Reconnect the st-link. After that, debugger should be accessible by user. ### Test the OpenOCD connection -Run this command to connect the debugger to the target system (attaching -example output). `cfg` files location depend on your setup, if you compiled -OpenOCD from source those files should be in -`/usr/local/share/openocd/scripts`: +Run this command to connect the debugger to the target system (attaching example +output). `cfg` files location depend on your setup, if you compiled OpenOCD from +source those files should be in `/usr/local/share/openocd/scripts`: -``` +```bash $ openocd -f interface/stlink-v2.cfg -f target/nrf51.cfg Open On-Chip Debugger 0.9.0 (2016-04-27-23:18) Licensed under GNU GPL v2 For bug reports, read - http://openocd.org/doc/doxygen/bugs.html + http://openocd.org/doc/doxygen/bugs.html Info : auto-selecting first available session transport "hla_swd". To override use 'transport select '. Info : The selected transport took over low-level target control. The results might differ compared to plain JTAG/SWD adapter speed: 1000 kHz @@ -122,7 +122,7 @@ Info : nrf51.cpu: hardware has 4 breakpoints, 2 watchpoints If you see error like this: -``` +```bash censed under GNU GPL v2 For bug reports, read http://openocd.org/doc/doxygen/bugs.html @@ -139,7 +139,7 @@ in procedure 'ocd_bouncer' This means you may have `STLink v2.1`, so your command should look like this: -``` +```bash $ openocd -f interface/stlink-v2-1.cfg -f target/nrf51.cfg Open On-Chip Debugger 0.10.0-dev-00395-g674141e8a7a6 (2016-10-20-15:01) Licensed under GNU GPL v2 @@ -158,10 +158,10 @@ Error: target voltage may be too low for reliable debugging Info : nrf51.cpu: hardware has 4 breakpoints, 2 watchpoints ``` -After that `OpenOCD` is waiting for incoming telnet connections on port *4444*. +After that `OpenOCD` is waiting for incoming telnet connections on port _4444_. This sample connection, to check everything is ok: -``` +```bash $ telnet 127.0.0.1 4444 Trying 127.0.0.1... Connected to 127.0.0.1. @@ -221,7 +221,7 @@ After downloading and uncompressing the SDK. We can find the `blinky` example in `examples/peripheral/blinky/hex/blinky_pca10028.hex`. Now we can try to program it: -``` +```bash $ telnet 127.0.0.1 4444 Trying 127.0.0.1... Connected to 127.0.0.1. @@ -252,7 +252,7 @@ Connection closed by foreign host. During that procedure you may face this problem: -``` +```bash > program /path/to/work/nrf51/sdk/examples/peripheral/blinky/hex/blinky_pca10028.hex nrf51.cpu: target state: halted target halted due to debug-request, current mode: Thread @@ -276,7 +276,7 @@ After that, `LED3` and `LED4` should start blinking on the target board. I've created this script to simplify the flashing operation: -``` +```bash #!/bin/bash if [ $# -lt 1 ]; then @@ -307,10 +307,9 @@ OpenOCD. Whole workflow can be scripted to match your needs. With this knowledge, we can start to deploy mbed OS and Zephyr, which both have great support for Linux through command line interface. -[BLE400 from Waveshare]: http://www.waveshare.com/nrf51822-eval-kit.htm +[3]: /img/nrf51822_stlink.jpg +[ble400 from waveshare]: http://www.waveshare.com/nrf51822-eval-kit.htm +[compatibility matrix]: http://infocenter.nordicsemi.com/index.jsp?topic=%2Fcom.nordic.infocenter.nrf51%2Fdita%2Fnrf51%2Fcompatibility_matrix%2FnRF51422_nRF51822_ic_rev_sdk_sd_comp_matrix.html&cp=3_0_4 [icarus-sensors]: http://icarus-sensors.github.io/general/starting-with-nRF51822.html [revision table]: http://infocenter.nordicsemi.com/index.jsp?topic=%2Fcom.nordic.infocenter.nrf51%2Fdita%2Fnrf51%2Fcompatibility_matrix%2FnRF51822_ic_revision_overview.html&cp=3_0_1 -[compatibility matrix]: http://infocenter.nordicsemi.com/index.jsp?topic=%2Fcom.nordic.infocenter.nrf51%2Fdita%2Fnrf51%2Fcompatibility_matrix%2FnRF51422_nRF51822_ic_rev_sdk_sd_comp_matrix.html&cp=3_0_4 -[SDK v.12.1.0]: https://developer.nordicsemi.com/nRF5_SDK/nRF5_SDK_v12.x.x/nRF5_SDK_12.1.0_0d23e2a.zip - - [3]: /img/nrf51822_stlink.jpg +[sdk v.12.1.0]: https://developer.nordicsemi.com/nRF5_SDK/nRF5_SDK_v12.x.x/nRF5_SDK_12.1.0_0d23e2a.zip diff --git a/blog/content/post/2017-03-10-nerves-project-triage-on-beaglebone-black.md b/blog/content/post/2017-03-10-nerves-project-triage-on-beaglebone-black.md index f2cea501..dc125a12 100644 --- a/blog/content/post/2017-03-10-nerves-project-triage-on-beaglebone-black.md +++ b/blog/content/post/2017-03-10-nerves-project-triage-on-beaglebone-black.md @@ -16,30 +16,32 @@ categories: - Firmware - OS Dev --- -Recently one of my customers brought to my attention [Nerves](http://nerves-project.org). -It aims to simplify use of Elixir (functional language leveraging Erlang VM) in -embedded systems. This system has couple interesting features that are worth of -research and blog post. + +Recently one of my customers brought to my attention +[Nerves](http://nerves-project.org). It aims to simplify use of Elixir +(functional language leveraging Erlang VM) in embedded systems. This system has +couple interesting features that are worth of research and blog post. First is booting directly to application which is running in BEAM (Erlang VM). -Nerves project replace systemd process with programming language virtual -machine running application code. Concept is very interesting and I wonder if -someone tried to use that with other VMs ie. JVM. +Nerves project replace systemd process with programming language virtual machine +running application code. Concept is very interesting and I wonder if someone +tried to use that with other VMs ie. JVM. Second Nerves seems to utilize dual image update procedure. In my opinion any development of modern embedded system should start with update system. Any design that you can to your system update arsenal will be useful. -Third, Nerves use Buildroot as build system, which will I'm familiar with. -Using popular build systems means simplified support for huge set of platforms -(at point of writing this article Buildroot have 142 config files). +Third, Nerves use Buildroot as build system, which will I'm familiar with. Using +popular build systems means simplified support for huge set of platforms (at +point of writing this article Buildroot have 142 config files). ## Let's start with documentation -If you don't want to go through all [installation steps](https://hexdocs.pm/nerves/installation.html) -and you use Debian testing, you can run: +If you don't want to go through all +[installation steps](https://hexdocs.pm/nerves/installation.html) and you use +Debian testing, you can run: -``` +```bash sudo apt-get install erlang elixir ssh-askpass squashfs-tools \ git g++ libssl-dev libncurses5-dev bc m4 make unzip cmake ``` @@ -48,7 +50,7 @@ git g++ libssl-dev libncurses5-dev bc m4 make unzip cmake Checking exact Erlang version for non Erlang developers is trivial: -``` +```bash $ erl -eval '{ok, Version} = file:read_file(filename:join([code:root_dir(), \ "releases", erlang:system_info(otp_release), "OTP_VERSION"])), \ io:fwrite(Version), halt().' -noshell @@ -59,7 +61,7 @@ io:fwrite(Version), halt().' -noshell Checking Elixir version: -``` +```bash $ elixir --version Erlang/OTP 19 [erts-8.2.1] [source] [64-bit] [smp:4:4] [async-threads:10] [kernel-poll:false] @@ -68,7 +70,7 @@ Elixir 1.3.3 Unfortunately Nerves Project requires at least `1.4.0`, what can be solved by: -``` +```bash sudo apt-get remove elixir wget https://packages.erlang-solutions.com/erlang/elixir/FLAVOUR_2_download/elixir_1.4.1-1\~debian\~jessie_all.deb sudo dpkg -i elixir_1.4.1-1~debian~jessie_all.deb @@ -79,9 +81,10 @@ Elixir 1.4.1 ``` ### fwup + `fwup` have to be installed from `deb` package: -``` +```bash wget https://github.com/fhunleth/fwup/releases/download/v0.13.0/fwup_0.13.0_amd64.deb sudo dpkg -i fwup_0.13.0_amd64.deb ``` @@ -95,7 +98,7 @@ Maybe it would be worth to consider comparison of `fwup` and `swupdate` ? ### nerves_bootstrap -``` +```bash mix local.hex mix local.rebar mix archive.install https://github.com/nerves-project/archives/raw/master/nerves_bootstrap.ez @@ -103,7 +106,7 @@ mix archive.install https://github.com/nerves-project/archives/raw/master/nerves ## hello_nerves for BeagleBone Black -``` +```bash mix nerves.new hello_nerves export MIX_TARGET=bbb cd hello_nerves @@ -113,13 +116,13 @@ mix firmware ### Flashing to SD card -``` +```bash mix firmware.burn -d /dev/sdX ``` ### booting -``` +```bash U-Boot SPL 2016.03 (Mar 07 2017 - 18:34:42) Trying to boot from MMC reading args @@ -182,58 +185,59 @@ continuously. It looks like developers configured Linux kernel `bootargs` used by U-Boot to run `elrinit` as init process. `erlinit` is relatively simple application that can parse configuration file and do some basic system initialization. Depending -on needs this may be considered quite weird approach. Of course adding -`systemd` is not best approach for all solutions. For sure having custom init -binary remove need for complex init system and makes updates much smaller. Also -this solution targets dedicated embedded systems that whole purpose is running -Elixir application. +on needs this may be considered quite weird approach. Of course adding `systemd` +is not best approach for all solutions. For sure having custom init binary +remove need for complex init system and makes updates much smaller. Also this +solution targets dedicated embedded systems that whole purpose is running Elixir +application. Using custom init binary also limit attack vector to small amount of code. In -typical build from Buildroot or Yocto final image contain quite a lot of -process run by default. Nerves limit that to one that is needed for very -specific use case that can be fully handled by Elixir application. Of course -still some hardware setup is needed. In that case only Linux kernel or Elixir -application can be attacked. +typical build from Buildroot or Yocto final image contain quite a lot of process +run by default. Nerves limit that to one that is needed for very specific use +case that can be fully handled by Elixir application. Of course still some +hardware setup is needed. In that case only Linux kernel or Elixir application +can be attacked. As one of my associate mention this is very similar approach to `Busybox` although here we replace shell with Elixir interpreter, but idea is similar to have one application that is entry point to the system. -From performance perspective this is also good solution since there a no -daemons working in background that consuming resources. Lack of additional -processes means that all server type of work have to be written in Elixir. +From performance perspective this is also good solution since there a no daemons +working in background that consuming resources. Lack of additional processes +means that all server type of work have to be written in Elixir. -It would be very interesting to see how this approach can work for other VMs -and if there are real world use cases for that. +It would be very interesting to see how this approach can work for other VMs and +if there are real world use cases for that. ## erlinit & erlexec `erlinit` is MIT licensed `/sbin/init` replacement. In general it: -* setup pseudo-filesystems like `/dev`, `/proc` and `/sys` -* setup serial console -* register signal hendlers (`SIGPWR`, `SIGUSR1`, `SIGTERM`, `SIGUSR2`) -* forks into cleanup process and new that start `erlexec` +- setup pseudo-filesystems like `/dev`, `/proc` and `/sys` +- setup serial console +- register signal hendlers (`SIGPWR`, `SIGUSR1`, `SIGTERM`, `SIGUSR2`) +- forks into cleanup process and new that start `erlexec` `elrexec` is mix of C++ and Erlang that aim to control OS processes from Erlang application. -Source code can be found on Github: [erlinit](https://github.com/nerves-project/erlinit) and [erlexec](https://github.com/saleyn/erlexec). - +Source code can be found on Github: +[erlinit](https://github.com/nerves-project/erlinit) and +[erlexec](https://github.com/saleyn/erlexec). ## Note about building natively Recently I'm huge fan of containers and way this technology can be utilized by -embedded software developers. Installing all dependencies in your environment -is painful and can cause problems if you do not pay attention. Containers give -you ability to separate tools for each project. In that way you create one +embedded software developers. Installing all dependencies in your environment is +painful and can cause problems if you do not pay attention. Containers give you +ability to separate tools for each project. In that way you create one `Dockerfile` for whole development environment and then share it with your peers. I believe Nerves Project shall share containers to build system images -instead of maintaining documentation explaining how to setup development -for lot of various environments. +instead of maintaining documentation explaining how to setup development for lot +of various environments. -For example steps for Debian required more of jumping between pages and -googling then it was worth since correct set of packages solve issue. +For example steps for Debian required more of jumping between pages and googling +then it was worth since correct set of packages solve issue. ## Summary diff --git a/blog/content/post/2017-03-18-openocd-and-development-environment-for-zephyr-on-nxp-frdm-k64f.md b/blog/content/post/2017-03-18-openocd-and-development-environment-for-zephyr-on-nxp-frdm-k64f.md index e673c70b..fb484013 100644 --- a/blog/content/post/2017-03-18-openocd-and-development-environment-for-zephyr-on-nxp-frdm-k64f.md +++ b/blog/content/post/2017-03-18-openocd-and-development-environment-for-zephyr-on-nxp-frdm-k64f.md @@ -16,6 +16,7 @@ categories: - Firmware - IoT --- + In this post I would like to describe process of setting up NXP FRDM-K64F development environment under Linux and start Zephyr development using it. @@ -26,21 +27,22 @@ about using 802.15.4 communication by attaching TI CC2520, which was presented Typical wireless stack starts with 802.15.4, then 6LoWPAN adaptation and then IPv6, which carries application protocols. 6LoWPAN compress IPv6 so it can fit BLE and 802.15.4 and it is dedicated for embedded systems with very limited -stack. Using IPv6 is very important for IoT market because scalability, -security and simplified application implementation in comparison to custom -stack also it can provide known protocols like UDP on transport layer. +stack. Using IPv6 is very important for IoT market because scalability, security +and simplified application implementation in comparison to custom stack also it +can provide known protocols like UDP on transport layer. -I tried to evaluate Zephyr networking stack for further use in customer applications. -But having even greatest idea for project requires development environment and -ability to debug your target platform that's why I wrote this tutorial. +I tried to evaluate Zephyr networking stack for further use in customer +applications. But having even greatest idea for project requires development +environment and ability to debug your target platform that's why I wrote this +tutorial. ## NXP FRDM-K64F setup -![](/img/frdm-k64f.jpg) +![img](/img/frdm-k64f.jpg) I started with initial triage if my NXP FRDM-K64F board works: -``` +```bash git clone https://gerrit.zephyrproject.org/r/zephyr && cd zephyr && git checkout tags/v1.7.0 cd zephyr git checkout net @@ -52,15 +54,15 @@ cp outdir/frdm_k64f/zephyr.bin /media/pietrushnic/MBED/ On `/dev/ttyACM0` I get: -``` +```bash **** BOOTING ZEPHYR OS v1.7.99 - BUILD: Mar 18 2017 14:14:37 ***** | -Hello World! arm +Hello World! arm ``` -So it works great out of the box. Unfortunately it is not possible to flash +So it works great out of the box. Unfortunately it is not possible to flash using typical Zephyr OS command: -``` +```bash [15:16:13] pietrushnic:hello_world git:(k64f-ethernet) $ make BOARD=frdm_k64f flash make[1]: Entering directory '/home/pietrushnic/storage/wdc/projects/2017/acme/src/zephyr' make[2]: Entering directory '/home/pietrushnic/storage/wdc/projects/2017/acme/src/zephyr/samples/hello_world/outdir/frdm_k64f' @@ -87,25 +89,26 @@ Error: unable to find CMSIS-DAP device Done flashing ``` -NXP FRDM-K64F have problems with debugger firmware and that's why OpenOCD -refuse to cooperate. Recent CMSIS-DAP firmware can be installed by using [this guide](https://developer.mbed.org/handbook/Firmware-FRDM-K64F) -although it has speed and debugging limitation about which you can read [here](https://mcuoneclipse.com/2014/04/27/segger-j-link-firmware-for-opensdav2/). +NXP FRDM-K64F have problems with debugger firmware and that's why OpenOCD refuse +to cooperate. Recent CMSIS-DAP firmware can be installed by using +[this guide](https://developer.mbed.org/handbook/Firmware-FRDM-K64F) although it +has speed and debugging limitation about which you can read +[here](https://mcuoneclipse.com/2014/04/27/segger-j-link-firmware-for-opensdav2/). -I followed [this post](http://jany.st/tag/frdm-k64f.html) to build recent -version of OpenOCD from source. +I followed [this post](https://web.archive.org/web/20161019220638/http://jany.st/tag/frdm-k64f.html) +to build recent version of OpenOCD from source. Custom OpenOCD can be provided to Zephyr `make` system, by using `OPENOCD` variable, so: -``` +```bash OPENOCD=/usr/local/bin/openocd make BOARD=frdm_k64f flash OPENOCD=/usr/local/bin/openocd make BOARD=frdm_k64f debug ``` -Both worked fine for me. I realized that I use `0.8.2` Zephyr SDK, so this -could be possible issue, but it happen not. Neither OpenOCD provided in `0.8.2` -nor `0.9` Zephyr SDK worked for me. - +Both worked fine for me. I realized that I use `0.8.2` Zephyr SDK, so this could +be possible issue, but it happen not. Neither OpenOCD provided in `0.8.2` nor +`0.9` Zephyr SDK worked for me. ### Zephyr SDK upgrade @@ -113,7 +116,7 @@ For those curious how to upgrade Zephyr SDK below commands should help. To get location of SDK: -``` +```bash $ source zephyr-env.sh $ echo $ZEPHYR_SDK_INSTALL_DIR /home/pietrushnic/projects/2016/acme/zephyr_support/src/sdk @@ -121,7 +124,7 @@ $ echo $ZEPHYR_SDK_INSTALL_DIR To upgrade: -``` +```bash $ wget https://nexus.zephyrproject.org/content/repositories/releases/org/zephyrproject/zephyr-sdk/0.9/zephyr-sdk-0.9-setup.run $ chmod +x zephyr-sdk-0.9-setup.run $ ./zephyr-sdk-0.9-setup.run @@ -148,17 +151,17 @@ Success installing SDK. SDK is ready to be used. Because SDK provided OpenOCD didn't worked for me I started to use one compiled by myself. -`zperf` is network traffic generator included in sample applications of -Zephyr. It supports K64F, so it was great place to start with networking. +`zperf` is network traffic generator included in sample applications of Zephyr. +It supports K64F, so it was great place to start with networking. -``` +```bash cd $ZEPHYR_BASE/samples/net/zperf OPENOCD=/usr/local/bin/openocd make BOARD=frdm_k64f flash ``` On terminal I saw: -``` +```bash zperf> [zperf_init] Setting IP address 2001:db8::1 [zperf_init] Setting destination IP address 2001:db8::2 @@ -166,15 +169,16 @@ zperf> [zperf_init] Setting destination IP address 192.0.2.2 ``` -Testing scenarios are described [here](https://www.zephyrproject.org/doc/samples/net/zperf/README.html?highlight=zperf). -Unfortunately basic test hangs, what could be great to those who want to help -in Zephyr development. I tried to debug that problem. +Testing scenarios are described +[here](https://www.zephyrproject.org/doc/samples/net/zperf/README.html?highlight=zperf). +Unfortunately basic test hangs, what could be great to those who want to help in +Zephyr development. I tried to debug that problem. ## Debugging problems To debug zpref application I used tui mode of gdb: -``` +```bash OPENOCD=/usr/local/bin/openocd TUI="--tui" make BOARD=frdm_k64f debug ``` @@ -183,11 +187,14 @@ Please note that before debugging you have to flash application to your target. Unfortunately debugging didn't worked for me out of the box. I struggle with various problems trying different configuration. My main goal was to have pure OpenOCD+GDB environment. It happen very problematic with breakpoints triggering -exception handlers and GDB initially stopping in weird location (ie. idle thread). +exception handlers and GDB initially stopping in weird location (ie. idle +thread). -I [asked](https://lists.zephyrproject.org/pipermail/zephyr-devel/2017-March/007352.html) +I +[asked](https://lists.zephyrproject.org/pipermail/zephyr-devel/2017-March/007352.html) on mailing list question about narrowing down this issue. Moving forward with -limited debugging functionality would be harder, but not impossible - `print is your friend`. +limited debugging functionality would be harder, but not impossible - +`print is your friend`. NXP employee replies on mailing list were far from being satisfying. Main suggestion was to use KDS IDE. @@ -196,7 +203,7 @@ suggestion was to use KDS IDE. In general there were two issues I faced: -``` +```bash Error: 123323 44739 target.c:2898 target_wait_state(): timed out (>40000) while waiting for target halted (...) Error: 123917 44934 armv7m.c:723 armv7m_checksum_memory(): error executing cortex_m crc algorithm (retval=-302) @@ -227,21 +234,22 @@ it a try. It is obvious that each vendor will force its solution. I don't like idea of bloated Eclipse-based IDEs forced on us by big guys. It looks like all of semiconductors go that way TI, STM, NXP - this is terrible for -industry. We loosing flexibility, features start to be hidden in hundreds of +industry. We losing flexibility, features start to be hidden in hundreds of menus and lot of Linux enthusiast have to deal memory consuming blobs. Not mention Atmel, which is even worst going Visual Studio path and making whole ecosystem terrible to work with. -Of course there is no way to validate such big ecosystem, so it have to be buggy. +Of course there is no way to validate such big ecosystem, so it have to be +buggy. I know they want to attract junior developers with "simple" and good looking -interface, but number of option hidden and quality of documentation lead -experts to rebel against this choice. Learning junior developers how custom, -vendor Eclipse works is useless for true skill set needed. It makes people -learn where options are in menu, but not how those options really work and what -is necessary to enable those. We wrapping everything to make its simple, but it -turns us into users that don't really know how system works and if anything -will happen different then usual we will have problems figuring out the way. +interface, but number of option hidden and quality of documentation lead experts +to rebel against this choice. Learning junior developers how custom, vendor +Eclipse works is useless for true skill set needed. It makes people learn where +options are in menu, but not how those options really work and what is necessary +to enable those. We wrapping everything to make its simple, but it turns us into +users that don't really know how system works and if anything will happen +different then usual we will have problems figuring out the way. Portability of projects created in Eclipse-based IDEs is far from being useful. Tracking configuration files to give working development environment to other @@ -249,16 +257,16 @@ team members is also impossible. Finally each developer have different configuration and if something doesn't work there is no easy way to figure out what is going on. Support is slow and configuration completely not portable. -Best choice for me would be well working command line tool and build system. -All those components should be wrapped in portable containers. We were -successful in building such development environment for embedded Linux using -either Poky or Buildroot. Why not to go mbedCLI way ? +Best choice for me would be well working command line tool and build system. All +those components should be wrapped in portable containers. We were successful in +building such development environment for embedded Linux using either Poky or +Buildroot. Why not to go mbedCLI way ? Luckily KDS is available in DEB package, but it couldn't be smaller then 691MB. -I have to allow this big bugged environment to hook into my system and I'm really -unhappy with that. +I have to allow this big bugged environment to hook into my system and I'm +really unhappy with that. -``` +```bash [1:31:54] pietrushnic:Downloads $ sudo dpkg -i kinetis-design-studio_3.2.0-1_amd64.deb [sudo] password for pietrushnic: Selecting previously unselected package kinetis-design-studio. @@ -284,7 +292,7 @@ Processing triggers for mime-support (3.60) ... Then this: -![](/img/kds_error.png) +![img](/img/kds_error.png) It was very clear information. Maybe adding path log would be also useful ? Finally problem was in lack of disk space. @@ -292,30 +300,33 @@ Finally problem was in lack of disk space. ### KDS OpenOCD Interestingly OpenOCD in KDS behave little bit different then upstream. There -were still problems with halt and crc errors. Unfortunately flashing is -terribly slow (0.900 KiB/s). NXP seems to use old OpenOCD `Open On-Chip Debugger 0.8.0-dev (2015-01-09-16:23)` It doesn't seem that OpenOCD and -CMSIS-DAP can provide reasonable experience for embedded systems developer. +were still problems with halt and crc errors. Unfortunately flashing is terribly +slow (0.900 KiB/s). NXP seems to use old OpenOCD +`Open On-Chip Debugger 0.8.0-dev (2015-01-09-16:23)` It doesn't seem that +OpenOCD and CMSIS-DAP can provide reasonable experience for embedded systems +developer. ## What works ? -After all above tests it happen that the only solution that seem to work -without weird errors is Segger Jlink V2 firmware with Segger software provided -in KDS. +After all above tests it happen that the only solution that seem to work without +weird errors is Segger Jlink V2 firmware with Segger software provided in KDS. To configure working configuration you need correct firmware which can be -downloaded on [OpenSDA bootloader and application](http://www.nxp.com/products/software-and-tools/run-time-software/kinetis-software-and-tools/ides-for-kinetis-mcus/opensda-serial-and-debug-adapter:OPENSDA?tid=vanOpenSDA#FRDM-K64F) +downloaded on +[OpenSDA bootloader and application](http://www.nxp.com/products/software-and-tools/run-time-software/kinetis-software-and-tools/ides-for-kinetis-mcus/opensda-serial-and-debug-adapter:OPENSDA?tid=vanOpenSDA#FRDM-K64F) website. After updating firmware you can follow with further steps. ### Flashing with Segger To flash you can use `JLinkExe` inside Zephyr application: -``` +```bash /opt/Freescale/KDS_v3/segger/JLinkExe -if swd -device MK64FN1M0VLL12 -speed 1000 -CommanderScript ~/tmp/zephyr.jlink ``` Where `~/tmp/zephyr.jlink` -``` + +```bash h loadbin outdir/frdm_k64f/zephyr.bin 0x0 q @@ -325,7 +336,7 @@ q Then you can use `JLinkGDBServer` for debugging purposes: -``` +```bash /opt/Freescale/KDS_v3/segger/JLinkGDBServer -if swd -device MK64FN1M0VLL12 \ -endian little -speed 1000 -port 2331 -swoport 2332 -telnetport 2333 -vd \ -ir -localhostonly 1 -singlerun -strict -timeout 0 @@ -333,7 +344,7 @@ Then you can use `JLinkGDBServer` for debugging purposes: Output should look like that: -``` +```bash SEGGER J-Link GDB Server V5.10n Command Line Version JLinkARM.dll V5.10n (DLL compiled Feb 19 2016 18:45:10) @@ -372,24 +383,24 @@ Connecting to target...Connected to target Waiting for GDB connection... ``` -To debug application you can use debugger provided wit Zephyr SDK that you used +To debug application you can use debugger provided with Zephyr SDK that you used to compile application. -``` +```bash cgdb -d $ZEPHYR_SDK_INSTALL_DIR/sysroots/x86_64-pokysdk-linux/usr/bin/arm-zephyr-eabi/arm-zephyr-eabi-gdb \ outdir/frdm_k64f/zephyr.elf ``` Then you have to connect to `JLinkGDBServer`: -``` +```bash target remote :2331 load ``` For `zperf` same application output should look like that: -``` +```bash GNU gdb (GDB) 7.11.0.20160511-git Copyright (C) 2016 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later @@ -427,26 +438,28 @@ Transfer rate: 25524 KB/sec, 2613 bytes/write. If you need to reset remote side use: -``` +```bash monitor reset ``` -It happens that `load` piece was also missing part for `CMSIS-DAP`. This -command gives GDB access to program symbols when using remote debugging. +It happens that `load` piece was also missing part for `CMSIS-DAP`. This command +gives GDB access to program symbols when using remote debugging. ## Summary In terms of speed there is no comparison between Segger and CMSIS-DAP. First gave me speed of ~50MB/s second ~2MB/s. Unfortunately Segger have to be externally installed with KDS or from binaries provided by Segger. Zephyr also -would require some modification to support that solution. CMSIS-DAP has a lot -of weird errors, which can confuse user. There is no information if those -errors affect firmware anyhow, but professional developers don't want to wonder -if their tools work correctly, because there is plenty of other tasks to worry +would require some modification to support that solution. CMSIS-DAP has a lot of +weird errors, which can confuse user. There is no information if those errors +affect firmware anyhow, but professional developers don't want to wonder if +their tools work correctly, because there is plenty of other tasks to worry about. CMSIS-DAP is very slow OpenOCD from KDS version is 20x slower then upstream OpenOCD, but advantage of this is that it works out of the box with Zephyr what can be good for people starting. -If you struggle with development on FRDM-K64F or have some issues with Zephyr -we would be glad help. You can easily contact us via [socialmedia](https://twitter.com/3mdeb_com) or through email -`contact3mdebcom`. Please share this post if you feel it has valuable information. +If you struggle with development on FRDM-K64F or have some issues with Zephyr we +would be glad help. You can easily contact us via +[socialmedia](https://twitter.com/3mdeb_com) or through email +`contact3mdebcom`. Please share this post if you feel it has valuable +information. diff --git a/blog/content/post/2017-05-12-installing-openwrt-on-apu3-platform.md b/blog/content/post/2017-05-12-installing-openwrt-on-apu3-platform.md index 5fda5c79..32c135ef 100644 --- a/blog/content/post/2017-05-12-installing-openwrt-on-apu3-platform.md +++ b/blog/content/post/2017-05-12-installing-openwrt-on-apu3-platform.md @@ -16,48 +16,48 @@ categories: - Firmware - OS Dev --- -This guide should be considered as a simple walk-through for using APU3 -platform in some generic use-cases. I'm trying to explain how to work with -the device and use it in a generic manner. There is a part about the coreboot -firmware, which could be used as a reference of how to start customizing it -for own purposes. + +This guide should be considered as a simple walk-through for using APU3 platform +in some generic use-cases. I'm trying to explain how to work with the device and +use it in a generic manner. There is a part about the coreboot firmware, which +could be used as a reference of how to start customizing it for own purposes. ## Configuring the hardware At first, let's figure out some basic requirements for our new device: 1. It will be wireless router with some advenced functionality provided by - OpenWRT. -2. In order for it to be wireless, we need to add WiFi network adapters. -3. I want it to be dual-band simultaneous connection, so we will need 2 separate - WiFi adapters. -4. Operating system will be placed on µSD card. -5. There will be an additional storage in the form of mSata disk. + OpenWRT. +1. In order for it to be wireless, we need to add WiFi network adapters. +1. I want it to be dual-band simultaneous connection, so we will need 2 separate + WiFi adapters. +1. Operating system will be placed on µSD card. +1. There will be an additional storage in the form of mSata disk. APU3 has 3 mPcie slots. Unfortunately it supports PCI express only on slot `mPCIe 1`, so WiFi card has to use it. For the second WiFi card, we could use `mPCIe 2` slot, but we would need USB only type, which are rare. Instead I'm -using some cheap Ralink RT5370 based USB dongle WiFi adapter. -`mPCIe 3` slot will be used for mSata drive. +using some cheap Ralink RT5370 based USB dongle WiFi adapter. `mPCIe 3` slot +will be used for mSata drive. -![][1] +![img][1] For the OS drive, I'll use some generic µSD card with adapter. -`mPCIe 2` slot could be used in future for GSM modem or some other kind of -USB device in the form of mPcie card. +`mPCIe 2` slot could be used in future for GSM modem or some other kind of USB +device in the form of mPcie card. ## Getting the sources We will use latest stable version which is Chaos Calmer, in order to be -compatible with upstream packages. Thanks to that we can just use the `opkg` -to download new version of packages from the main OpenWRT's repositories. +compatible with upstream packages. Thanks to that we can just use the `opkg` to +download new version of packages from the main OpenWRT's repositories. The sources we need are located on [github](https://github.com/openwrt/openwrt). Let's clone the needed version: -```sh +```bashsh $ git clone -b chaos_calmer https://github.com/openwrt/openwrt.git Cloning into 'openwrt'... remote: Counting objects: 360802, done. @@ -71,46 +71,46 @@ Resolving deltas: 100% (241401/241401), done. To build our first image we first need to configure the OpenWRT: -```sh -$ cd openwrt -$ make menuconfig +```bashsh +cd openwrt +make menuconfig ``` Our target is APU system, which has AMD x86_64 CPU. So let's use generic settings: -* Target System > x86 -* Subtarget > x86_64 +- Target System > x86 +- Subtarget > x86_64 ... and then `Exit` and `make`. -After compilation our image is in `bin/x86` dir. We need a SD card to burn -the image and boot the system on the target platform. On my host system, card -is present under the device file `/dev/sde`. +After compilation our image is in `bin/x86` dir. We need a SD card to burn the +image and boot the system on the target platform. On my host system, card is +present under the device file `/dev/sde`. > Warning! Carefully check the device the card is present on your system. This -> is potentially dangerous operation and can lead to lost data, when used -> wrong device! +> is potentially dangerous operation and can lead to lost data, when used wrong +> device! -```sh +```bashsh cd bin/x86 sudo dd if=openwrt-x86-64-combined-ext4.img of=/dev/sde bs=4M ``` ## First boot -> Default username after first boot is `root` and no password. -> Password should be set using `passwd`. +> Default username after first boot is `root` and no password. Password should +> be set using `passwd`. To make the first boot we need some kind of serial adapter (USB to RS232) and null-modem cable. There is a RS232 port on the back of the APU board. We need to connect it there. -To make the connection, I'm using `screen`, but other kind could be used -(e.g. `minicom`). Default parameters for COM port are 115200 8N1. This is the -command I'm using: +To make the connection, I'm using `screen`, but other kind could be used (e.g. +`minicom`). Default parameters for COM port are 115200 8N1. This is the command +I'm using: -```sh +```bashsh screen /dev/ttyUSB0 115200 ``` @@ -118,9 +118,9 @@ Immediately after powering the device, the coreboot welcome string should be seen and one could enter simple boot menu. Default configuration should be ok and SD card will have priority over different devices (it can be changed). -First OpenWRT boot will most propably hang on this string: +First OpenWRT boot will most probably hang on this string: -``` +```bash ... [ 2.424534] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this. [ 2.437154] 8021q: 802.1Q VLAN Support v1.8 @@ -136,7 +136,8 @@ First OpenWRT boot will most propably hang on this string: [ 2.950313] Switched to clocksource tsc ``` -Problem lies here: `[ 2.455798] Waiting for root device PARTUUID=6c097903-02...` +Problem lies here: +`[ 2.455798] Waiting for root device PARTUUID=6c097903-02...` ## SDHCI controller issue @@ -144,15 +145,16 @@ After short investigation it appears, that we don't have support for the SDHCI controller on APU board, so we need to enable it. We need to modify the kernel configuration, so we use this command: -```sh +```bashsh make kernel_menuconfig ``` + In the config we need to select those drivers: -* Device Drivers > MMC/SD/SDIO card support: - * MMC block device driver - * Secure Digital Host Controller Interface support - * SDHCI support on PCI bus +- Device Drivers > MMC/SD/SDIO card support: + - MMC block device driver + - Secure Digital Host Controller Interface support + - SDHCI support on PCI bus Now the system should boot without problems. @@ -163,19 +165,19 @@ nor wifi). When trying `ifconfig -a` we can see only the `lo` interface. Let's install some additional packages, which should help us investigate -* Base system > busybox > Customize busybox options > Linux System Utilities: - * lspci - * lsusb -* Base system > wireless-tools +- Base system > busybox > Customize busybox options > Linux System Utilities: + - lspci + - lsusb +- Base system > wireless-tools When the image is built and system is booted on target we can use `lspci -k` to -check which devices have kernel modules assigned to them and which don't. -This `lspci` flavour is pretty poor, compared to usual one, supplied with main -Linux distributions, but should be enough for our uses. +check which devices have kernel modules assigned to them and which don't. This +`lspci` flavour is pretty poor, compared to usual one, supplied with main Linux +distributions, but should be enough for our uses. Among others, we can find these devices (VID:DID), which look interesting: -``` +```bash 01:00.0 Class 0200: 8086:1539 02:00.0 Class 0200: 8086:1539 03:00.0 Class 0200: 8086:1539 @@ -185,47 +187,50 @@ Among others, we can find these devices (VID:DID), which look interesting: According to [this page](http://pci-ids.ucw.cz/read/PC/) we're looking for these devices: -* `8086:1539` - this is Intel Ethernet controller (I211 Gigabit Network Connection) -* `168c:003c` - this is Atheros QCA986x/988x 802.11ac Wireless Network Adapter +- `8086:1539` - this is Intel Ethernet controller (I211 Gigabit Network + Connection) +- `168c:003c` - this is Atheros QCA986x/988x 802.11ac Wireless Network Adapter We need to find drivers for those. It seems, that Intel is using `CONFIG_IGB` -kernel option for its driver. Module for Atheros card is in OpenWRT. -Let's deal first with ethernet controllers: +kernel option for its driver. Module for Atheros card is in OpenWRT. Let's deal +first with ethernet controllers: -```sh +```bashsh make kernel_menuconfig ``` Need to mark this driver: -* Device Drivers > Network device support > Ethernet driver support: - * Intel(R) 82575/82576 PCI-Express Gigabit Ethernet support +- Device Drivers > Network device support > Ethernet driver support: + - Intel(R) 82575/82576 PCI-Express Gigabit Ethernet support As for the rest: -```sh +```bashsh make menuconfig ``` First let's mark the driver for our wireless card: -* Kernel modules > Wireless Drivers: - * kmod-ath10k + +- Kernel modules > Wireless Drivers: + - kmod-ath10k And also some packages we'll need to set up the access-point: -* Network: - * hostapd - * wpa_supplicant -Unfortunately, during my build I got and error. After rerunning `make V=s` -it appears that kernel hasn't got the full configuration it wants. I managed -get by this problem checking this option in `make kernel_menuconfig`: +- Network: + - hostapd + - wpa_supplicant -* Power management and ACPI options: - * ACPI (Advanced Configuration and Power Interface) Support +Unfortunately, during my build I got and error. After rerunning `make V=s` it +appears that kernel hasn't got the full configuration it wants. I managed get by +this problem checking this option in `make kernel_menuconfig`: + +- Power management and ACPI options: + - ACPI (Advanced Configuration and Power Interface) Support After successful build and boot. I got: -```sh +```bashsh root@OpenWrt:/# ifconfig -a br-lan Link encap:Ethernet HWaddr 00:0D:B9:44:11:B8 inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0 @@ -295,7 +300,7 @@ has static address, which happens to be the same as the default one in OpenWRT. Here's short example how to change it: -```sh +```bashsh root@OpenWrt:/# uci show network network.loopback=interface network.loopback.ifname='lo' @@ -324,7 +329,7 @@ root@OpenWrt:/# /etc/init.d/network restart We also want to enable the AP using the wifi adapter: -```sh +```bashsh root@OpenWrt:~# uci set wireless.radio0.disabled=0 root@OpenWrt:~# uci set wireless.@wifi-iface[0].encryption='psk2+aes' root@OpenWrt:~# uci set wireless.@wifi-iface[0].key='key123' @@ -338,22 +343,22 @@ After a while you can establish a connection with SSID `YourSSID` and password ## Second wireless interface -The second adapter is connected to the USB port on the back of the device. -It's some cheap Ralink RT5370 based chip, which are popular and in nice -form factor (small footprint and removable antenna). +The second adapter is connected to the USB port on the back of the device. It's +some cheap Ralink RT5370 based chip, which are popular and in nice form factor +(small footprint and removable antenna). -![][4] +![img][4] Using the `lsusb` it's detected like that: -``` +```bash Bus 001 Device 002: ID 148f:5370 ``` In order to enable it, we need additional kernel module, which is available in OpenWRT: -* Kernel modules > Wireless Drivers > kmod-rt2800-usb +- Kernel modules > Wireless Drivers > kmod-rt2800-usb After building and booting the new image, interface should be available by checking `ifconfig -a`. @@ -361,65 +366,65 @@ checking `ifconfig -a`. Unfortunately we don't have the new interface in OpenWRT's configuration system. Right now the `/etc/config/wireless` file looks like that: -``` +```bash config wifi-device 'radio0' - option type 'mac80211' - option hwmode '11a' - option path 'pci0000:00/0000:00:02.5/0000:04:00.0' - option htmode 'VHT80' - option disabled '0' - option channel '36' + option type 'mac80211' + option hwmode '11a' + option path 'pci0000:00/0000:00:02.5/0000:04:00.0' + option htmode 'VHT80' + option disabled '0' + option channel '36' config wifi-iface - option device 'radio0' - option network 'lan' - option mode 'ap' - option ssid 'YourSSID' - option encryption 'psk2+aes' - option key 'key123' + option device 'radio0' + option network 'lan' + option mode 'ap' + option ssid 'YourSSID' + option encryption 'psk2+aes' + option key 'key123' ``` In order to add new device, I found that it's easiest to generate generic one, -with all interfaces detected and add the new one to the file. We can do it -this way: +with all interfaces detected and add the new one to the file. We can do it this +way: -```sh +```bashsh root@OpenWrt:~# wifi detect config wifi-device radio0 - option type mac80211 - option channel 36 - option hwmode 11a - option path 'pci0000:00/0000:00:02.5/0000:04:00.0' - option htmode VHT80 - option disabled 1 + option type mac80211 + option channel 36 + option hwmode 11a + option path 'pci0000:00/0000:00:02.5/0000:04:00.0' + option htmode VHT80 + option disabled 1 config wifi-iface - option device radio0 - option network lan - option mode ap - option ssid OpenWrt - option encryption none + option device radio0 + option network lan + option mode ap + option ssid OpenWrt + option encryption none config wifi-device radio1 - option type mac80211 - option channel 11 - option hwmode 11g - option path 'pci0000:00/0000:00:10.0/usb1/1-2/1-2:1.0' - option htmode HT20 - option disabled 1 + option type mac80211 + option channel 11 + option hwmode 11g + option path 'pci0000:00/0000:00:10.0/usb1/1-2/1-2:1.0' + option htmode HT20 + option disabled 1 config wifi-iface - option device radio1 - option network lan - option mode ap - option ssid OpenWrt - option encryption none + option device radio1 + option network lan + option mode ap + option ssid OpenWrt + option encryption none ``` There is an additional section with the new adapter (`radio1` and `wifi-iface` -for `radio1`). We can copy this section to `/etc/config/wireless` and change -the options we need. After that, we can run `wifi` command to accept the -settings and enable all radios. +for `radio1`). We can copy this section to `/etc/config/wireless` and change the +options we need. After that, we can run `wifi` command to accept the settings +and enable all radios. ## Some bandwidth results @@ -429,7 +434,7 @@ Here are some results I've got when done some tests using `iperf3`. #### VHT80 mode -``` +```bash ----------------------------------------------------------- Server listening on 5201 ----------------------------------------------------------- @@ -455,7 +460,7 @@ Accepted connection from 192.168.1.121, port 60530 #### HT40 mode -``` +```bash ----------------------------------------------------------- Server listening on 5201 ----------------------------------------------------------- @@ -483,7 +488,7 @@ Accepted connection from 192.168.1.121, port 60220 #### HT20 mode -``` +```bash ----------------------------------------------------------- Server listening on 5201 ----------------------------------------------------------- @@ -509,7 +514,7 @@ Accepted connection from 192.168.1.121, port 60032 ## Completed setup -![][5] +![img][5] ## Summary @@ -520,8 +525,6 @@ you solve your issues. If you are in need of a professional support, we are always open for new challenges, so do not hesitate to drop us an email at `contact@3mdeb.com` - [1]: /img/apu3_overall.jpg - [2]: https://github.com/openwrt/openwrt - [3]: http://pci-ids.ucw.cz/read/PC/ - [4]: /img/apu3_wifi_adapter.jpg - [5]: /img/apu3_complete.jpg +[1]: /img/apu3_overall.jpg +[4]: /img/apu3_wifi_adapter.jpg +[5]: /img/apu3_complete.jpg diff --git a/blog/content/post/2017-05-21-swupdate-for-feature-rich-iot-applications.md b/blog/content/post/2017-05-21-swupdate-for-feature-rich-iot-applications.md index 30ff62b3..3c8901ed 100644 --- a/blog/content/post/2017-05-21-swupdate-for-feature-rich-iot-applications.md +++ b/blog/content/post/2017-05-21-swupdate-for-feature-rich-iot-applications.md @@ -13,15 +13,16 @@ tags: categories: - App Dev --- + When you work with embedded systems long enough, sooner or later you realize that some sort of update mechanism is required. This is especially true when more complex systems, running with an operating system, are taken into account. -Nowadays [Linux is being picked increasingly] as operating system for embedded +Nowadays [Linux is being picked increasingly] as operating system for embedded IoT devices. In following post we will focus on those in particular. In fact, from my experience update mechanism is vital part of many embedded -applications. When project is aimed to be maintained in a long run, it is one -of the first features being developed. +applications. When project is aimed to be maintained in a long run, it is one of +the first features being developed. ## Update IoT device vs update on desktop @@ -36,24 +37,24 @@ time consuming in a long term. ## Our vision of update system In most of our project where software is concerned, we are heading towards -[double copy] approach. The main idea is to have two separate rootfs -partitions, which always leaves us with at least one copy of correct software. -Core of developed update systems is usually similar to the one presented on the -graph below. +[double copy] approach. The main idea is to have two separate rootfs partitions, +which always leaves us with at least one copy of correct software. Core of +developed update systems is usually similar to the one presented on the graph +below. -![][3] +![img][3] ## What is SWUpdate? -[SWUpdate] is application designed for updating embedded Linux devices. -It is strongly focused on reliability of each update. Every update should be +[SWUpdate] is application designed for updating embedded Linux devices. It is +strongly focused on reliability of each update. Every update should be consistent and atomic. Major goal is to make it completely power-cut safe. Power-off in any phase of an update should not brick the device and we always should end up having fully-functional system. ## Purpose of this post -My goal is not to rewrite [SWUpdate documentation] here. Instead, I plan to +My goal is not to rewrite [SWUpdate documentation] here. Instead, I plan to point out it's interesting features and present the way how it is being used in `3mdeb`. This is why I will often leave a link to related chapter in [SWUpdate documentation] for more information. @@ -76,7 +77,7 @@ flags in each section. `SWUpdate` supports dual image approach by providing [software collections] in `sw-description` file. Such simple collection inside can be written as: -``` +```bash software = { version = "1.0.0"; @@ -105,32 +106,33 @@ software = ``` As you can see below, there are two software modes to choose from: -* `stable,mmcblk0p2` will install rootfs image into `/dev/mmcblk0p2` partition -* `stable,mmcblk0p3` will install rootfs image into `/dev/mmcblk0p3` partition + +- `stable,mmcblk0p2` will install rootfs image into `/dev/mmcblk0p2` partition +- `stable,mmcblk0p3` will install rootfs image into `/dev/mmcblk0p3` partition Selection of given mode is made by using `-e` command line switch, e.g.: -``` +```bash swupdate -e "stable,mmcblk0p2" -i example.swu-image.swu ``` In double copy approach we are using software collections mainly to point to -target partition on which update will be performed. File (image) name is -usually the same in both. +target partition on which update will be performed. File (image) name is usually +the same in both. ### Hardware compatibility -It can be used to exclude the risk of installing software on the wrong -platform. `sw-descrption` should contain list of compatible hardware revisions: +It can be used to exclude the risk of installing software on the wrong platform. +`sw-descrption` should contain list of compatible hardware revisions: -``` +```bash hardware-compatibility = [ "1.0.1", "1.0.0", "1.0.2" ]; ``` -Hardware revision is saved in file (by default `/etc/hwrevision`) -using following format: +Hardware revision is saved in file (by default `/etc/hwrevision`) using +following format: -``` +```bash board_name board_revision ``` @@ -153,36 +155,36 @@ images. Download support is provided by [curl] library. In current SWUpdate implementation it supports fetching from `http(s)` or `ftp`. However [curl] -supports many other protocols. In fact, at the moment we are using SWUpdate -with fetching from `sftp` server with no source code modification. In this -case, private key (`id_dsa`) must be located in `$HOME/.ssh` path as explained -in curl documentation regarding [CURLOPT_SSH_PUBLIC_KEYFILE]. This behavior -could be documented in SWUpdate documentation or even another command line -parameter added for key location. This could be in scope of further -contribution into the project. +supports many other protocols. In fact, at the moment we are using SWUpdate with +fetching from `sftp` server with no source code modification. In this case, +private key (`id_dsa`) must be located in `$HOME/.ssh` path as explained in curl +documentation regarding [CURLOPT_SSH_PUBLIC_KEYFILE]. This behavior could be +documented in SWUpdate documentation or even another command line parameter +added for key location. This could be in scope of further contribution into the +project. To download image from given URL, following command line parameters should be passed: -``` +```bash swupdate -d "-u http://example.com/mysoftware.swu" ``` > Note that there's been syntax change a while ago. In previous releases (for -> example in the one present in Yocto krogoth release, which is still in use) -> it was just: `swupdate -d http://example.com/mysoftware.swu` +> example in the one present in Yocto krogoth release, which is still in use) it +> was just: `swupdate -d http://example.com/mysoftware.swu` ### Compressed images One of the concerns while using whole rootfs image update approach may be the size of single update image. SWUpdate offers handling of [gzip] compressed -images as well. From my experience, size of such compressed images is not -grater than 50 - 100 MB, depending on complexity of given application. With -today's network speed is not that much as long as there is no serious -connection restrictions. When delivering compressed image, `copressed` flag -must be set in corresponding `sw-description` section. It may look like below: +images as well. From my experience, size of such compressed images is not grater +than 50 - 100 MB, depending on complexity of given application. With today's +network speed is not that much as long as there is no serious connection +restrictions. When delivering compressed image, `copressed` flag must be set in +corresponding `sw-description` section. It may look like below: -``` +```bash images: ( { filename = "rootfs-image-name.img.gz"; @@ -204,7 +206,7 @@ especially desired when RAM amount is not enough to store whole rootfs image. This can be enabled by setting `installed-directly` flag in given `image` section. In this case it would look like this: -``` +```bash images: ( { filename = "rootfs-image-name.img.gz"; @@ -215,20 +217,20 @@ images: ( ); ``` -By default, temporary copy is done by `SWUpdate` to check for image -correctness. I feel that with dual copy approach it is not really necessary as -if anything goes wrong we are always left with working software and ready to -perform update again. This is why we tend to use this feature pretty often. +By default, temporary copy is done by `SWUpdate` to check for image correctness. +I feel that with dual copy approach it is not really necessary as if anything +goes wrong we are always left with working software and ready to perform update +again. This is why we tend to use this feature pretty often. ### GRUB support -When developing application for embedded system there can be a problem with -not enough of hardware platforms for testing. Testing on host can also be -faster and more efficient. When using [Virtualbox], even update system could be -tested. The issue was that, it usually uses [GRUB] as a bootloader and -`SWUpdate` was supporting `U-Boot` only. With little effort we managed to add -basic support for GRUB environment update in `SWUpdate` project and this -feature [has been recently upstreamed]. +When developing application for embedded system there can be a problem with not +enough of hardware platforms for testing. Testing on host can also be faster and +more efficient. When using [Virtualbox], even update system could be tested. The +issue was that, it usually uses [GRUB] as a bootloader and `SWUpdate` was +supporting `U-Boot` only. With little effort we managed to add basic support for +GRUB environment update in `SWUpdate` project and this feature +[has been recently upstreamed]. ## Complete example @@ -239,7 +241,7 @@ projects) for actual update system. Below example fits for any embedded device running Linux with U-Boot as bootloader. In my case [Hummingboard] from Solidrun was used. -![][17] +![img][17] ### Rootfs image @@ -247,13 +249,13 @@ Of course you need a rootfs image to perform update with it. It can be prepared in may ways. For test purpose, you can even perform `dd` command to obtain raw image from SD card. An example command would be: -``` +```bash sudo dd if=/dev/mmcblk0 of=rootfs-image.img bs=16M ``` However, preferred method would be to use [Yocto] build system. Along with [meta-swupdate] it allows for automated building of rootfs image, as well as -`.swu` containter image in one run. In this case, `krogoth` revision of `Yocto` +`.swu` container image in one run. In this case, `krogoth` revision of `Yocto` was used. ### U-Boot boot script @@ -263,7 +265,7 @@ has finished successfully. In case of `U-Boot` we can tell which partition to use as rootfs when booting. With below script we will boot into newly updated software once. -``` +```bash # if fback is not defined yet, boot from 2 partition as default if test x${fback} != x; then boot_part=${fback} @@ -288,10 +290,10 @@ bootz 0x10800000 - 0x13000000 When booted into newly updated partition, some sort of sanity checks can be made. If passed, new software is marked as default by setting `fback` environment variable to point to this partition. We can modify bootloader -environment using SWU image with just `sw-description` file. Below is an -example of such: +environment using SWU image with just `sw-description` file. Below is an example +of such: -``` +```bash software = { version = "1.0.0"; @@ -325,7 +327,7 @@ software = Below is an example `sw-description` file including features mentioned above: -``` +```bash software = { version = "1.0.0"; @@ -382,17 +384,16 @@ software = #### Yocto based -* Follow with setup from [building with Yocto] section -* Create recipe for SWU image, e.g. `recipes-extended/images/test-swu-image.bb`. +- Follow with setup from [building with Yocto] section +- Create recipe for SWU image, e.g. `recipes-extended/images/test-swu-image.bb`. It could be based on [bbb-swu-image] recipe from `meta-swupdate` repository. `sw-desciption` file should end up in `images/test-swu-image` directory. If another files (such as scripts) should as well be part of compound SWU image, - they should also go there. - Assuming that `hummingboard` is our machine name in Yocto, such recipe could - look like below: + they should also go there. Assuming that `hummingboard` is our machine name in + Yocto, such recipe could look like below: -``` -# Copyright (C) 2015 Unknown User +```bash +# Copyright (C) 2015 Unknown User # Released under the MIT license (see COPYING.MIT for the terms) DESCRIPTION = "Example Compound image for Hummingboard" @@ -424,9 +425,9 @@ SWUPDATE_IMAGES_FSTYPES[core-image-full-cmdline] = ".ext4" COMPATIBLE = "hummingboard" ``` -* SWU image can be build with following command: +- SWU image can be build with following command: -``` +```bash bitbake test-swu-image ``` @@ -443,68 +444,62 @@ Refer to [building a single image] section from SWUpdate documentation. Assuming SWU image is already uploaded and current partition is `/dev/mmcblk0p2`: -``` +```bash swupdate -d http://example.com/mysoftware.swu -e "stable,mmcblk0p3" ``` ## Conclusion -I have only shortly described features that we commonly use. These are of -course not all that are available. You can find out more in the [list of -supported features]. Definitely worth to mention would be: +I have only shortly described features that we commonly use. These are of course +not all that are available. You can find out more in the +[list of supported features]. Definitely worth to mention would be: -* [suricatta daemon mode] with HawkBit backend -* [update from verified source] -* [encrypted images] -* [checking software version] +- [suricatta daemon mode] with HawkBit backend +- [update from verified source] +- [encrypted images] +- [checking software version] `SWUpdate` provides really powerful and reliable update mechanism. It's job is only to download and reliably perform update according to metadata written into `sw-description` file. The rest such as picking right software from collection, getting current and available partitions, preparing bootloader scripts etc. is -up to user. It may be overwhelming at first, but it is the reason why -`SWUpdate` can be so flexible. You can pick features from (still growing) list -to design update system that is perfect for your needs. `SWUpdate` will only -assure that it is safe and reliable. +up to user. It may be overwhelming at first, but it is the reason why `SWUpdate` +can be so flexible. You can pick features from (still growing) list to design +update system that is perfect for your needs. `SWUpdate` will only assure that +it is safe and reliable. ## Summary We hope that content of this blog post was entertaining and useful for you. If -you have any comments or questions do not bother to drop us a note below. If -you feel this blog post contains something useful please share with the others. -As 3mdeb we are always ready to give you professional support. Just let us know -by sending an email to `contact@3mdeb.com`. +you have any comments or questions do not bother to drop us a note below. If you +feel this blog post contains something useful please share with the others. As +3mdeb we are always ready to give you professional support. Just let us know by +sending an email to `contact@3mdeb.com`. -[Linux is being picked increasingly]: https://www.arrow.com/en/research-and-events/articles/iot-operating-systems -[SWUpdate]: https://github.com/sbabic/swupdate -[double copy]: https://sbabic.github.io/swupdate/overview.html#double-copy-with-fall-back -[SWUpdate documentation]: hhttps://sbabic.github.io/swupdate/swupdate.html#swupdate-software-update-for-embedded-system -[cpio]: https://en.wikipedia.org/wiki/Cpio -[sw-description]: https://sbabic.github.io/swupdate/sw-description.html#swupdate-syntax-and-tags-with-the-default-parser -[software collections]: https://sbabic.github.io/swupdate/swupdate.html?highlight=collection#software-collections -[hardware compatibility]: https://sbabic.github.io/swupdate/sw-description.html?highlight=compatibility#hardware-compatibility +[3]: /img/update_flow-1.png +[17]: /img/hb2_gate.jpg +[bbb-swu-image]: https://github.com/sbabic/meta-swupdate/blob/krogoth/recipes-extended/images/bbb-swu-image.bb [board specific settings]: https://sbabic.github.io/swupdate/sw-description.html?highlight=compatibility#board-specific-settings -[gzip]: http://www.gzip.org/ -[streaming feature]: https://sbabic.github.io/swupdate/swupdate.html#images-fully-streamed -[swupdate.cfg]: https://github.com/sbabic/swupdate/blob/master/examples/configuration/swupdate.cfg +[building a single image]: https://sbabic.github.io/swupdate/swupdate.html#building-a-single-image +[building with yocto]: https://sbabic.github.io/swupdate/swupdate.html#building-with-yocto +[checking software version]: https://sbabic.github.io/swupdate/sw-description.html#checking-version-of-installed-software [curl]: https://curl.haxx.se/ -[command line parameters]: https://sbabic.github.io/swupdate/swupdate.html#command-line-parameters -[CURLOPT_SSH_PUBLIC_KEYFILE]: https://curl.haxx.se/libcurl/c/CURLOPT_SSH_PUBLIC_KEYFILE.html -[2017.04 release]: https://groups.google.com/forum/#!topic/swupdate/R_R9yXzeGO4 -[GRUB]: https://www.gnu.org/software/grub/ -[Virtualbox]: https://www.virtualbox.org/ +[curlopt_ssh_public_keyfile]: https://curl.haxx.se/libcurl/c/CURLOPT_SSH_PUBLIC_KEYFILE.html +[double copy]: https://sbabic.github.io/swupdate/overview.html#double-copy-with-fall-back +[encrypted images]: https://sbabic.github.io/swupdate/encrypted_images.html#symmetrically-encrypted-update-images +[grub]: https://www.gnu.org/software/grub/ +[gzip]: http://www.gzip.org/ [has been recently upstreamed]: https://github.com/sbabic/swupdate/commit/830692a5e6ad40d6382557f2b9a4dcc74227afcc -[Hummingboard]: https://www.solid-run.com/freescale-imx6-family/hummingboard/ -[Yocto]: http://www.yoctoproject.org/docs/2.1/yocto-project-qs/yocto-project-qs.html -[meta-swupdate]: https://github.com/sbabic/meta-swupdate -[building a single image]: https://sbabic.github.io/swupdate/swupdate.html#building-a-single-image -[building with Yocto]: https://sbabic.github.io/swupdate/swupdate.html#building-with-yocto -[bbb-swu-image]: https://github.com/sbabic/meta-swupdate/blob/krogoth/recipes-extended/images/bbb-swu-image.bb +[hummingboard]: https://www.solid-run.com/freescale-imx6-family/hummingboard/ +[linux is being picked increasingly]: https://www.arrow.com/en/research-and-events/articles/iot-operating-systems [list of supported features]: https://sbabic.github.io/swupdate/swupdate.html#list-of-supported-features +[meta-swupdate]: https://github.com/sbabic/meta-swupdate +[software collections]: https://sbabic.github.io/swupdate/swupdate.html?highlight=collection#software-collections +[streaming feature]: https://sbabic.github.io/swupdate/swupdate.html#images-fully-streamed [suricatta daemon mode]: https://sbabic.github.io/swupdate/suricatta.html +[sw-description]: https://sbabic.github.io/swupdate/sw-description.html#swupdate-syntax-and-tags-with-the-default-parser +[swupdate]: https://github.com/sbabic/swupdate +[swupdate documentation]: hhttps://sbabic.github.io/swupdate/swupdate.html#swupdate-software-update-for-embedded-system [update from verified source]: https://sbabic.github.io/swupdate/signed_images.html#update-images-from-verified-source -[encrypted images]: https://sbabic.github.io/swupdate/encrypted_images.html#symmetrically-encrypted-update-images -[checking software version]: https://sbabic.github.io/swupdate/sw-description.html#checking-version-of-installed-software - - [3]: /img/update_flow-1.png - [17]: /img/hb2_gate.jpg +[virtualbox]: https://www.virtualbox.org/ +[yocto]: http://www.yoctoproject.org/docs/2.1/yocto-project-qs/yocto-project-qs.html diff --git a/blog/content/post/2017-06-14-how-to-use-ansible-via-python.md b/blog/content/post/2017-06-14-how-to-use-ansible-via-python.md index 6181d5b1..a006e102 100644 --- a/blog/content/post/2017-06-14-how-to-use-ansible-via-python.md +++ b/blog/content/post/2017-06-14-how-to-use-ansible-via-python.md @@ -14,7 +14,8 @@ categories: - App Dev --- -***Ansible is designed around the way people work and the way people work together*** +***Ansible is designed around the way people work and the way people work +together*** ## What is Ansible @@ -25,8 +26,8 @@ and many other IT operations. It is easy to deploy due to using no agents and no additional custom security infrastructure. We can define own configuration management in simple YAML language, which is named ansible-playbook. YAML is easier to read and write by humans than other common data formats like XML or -JSON. Futhermore, most programming languages contain libraries which operate and -work YAML. +JSON. Furthermore, most programming languages contain libraries which operate +and work YAML. ## Inventory @@ -37,7 +38,8 @@ important to specify a roster to keep For this example, the format is an `INI-like` and is saved in `/etc/ansible/hosts`. -
    mail.example.com
+```toml
+mail.example.com
 
 [webservers]
 foo.example.com
@@ -47,7 +49,7 @@ bar.example.com
 one.example.com
 two.example.com
 three.example.com
-
    +``` ## Ansible Playbook @@ -58,7 +60,8 @@ formatted in YAML language. Ansible playbook consists of `plays`, which contain `hosts` we would like to manage, and `tasks` we want to perform. -
    ---
+```yaml
+---
 - hosts: webservers
   vars:
     http_port: 80
@@ -76,17 +79,17 @@ perform.
   handlers:
     - name: restart apache
       service: name=httpd state=restarted
-
    +``` ### Ansible for Embedded Linux -> Note: This paragraph is relevant to Yocto build system There is possibility -to need build image with custom Linux-based system for embedded with Ansible, -using complete development environment, with tools, metadata and documentation, -named Yocto. In addition, we would like to run ansible-playbook via python. It -seems to be hard to implement. Nothing more simple! It is needed to add recipe -to image with ansible from [Python Ansible package][2] #### Additional -information For more information go to +> Note: This paragraph is relevant to Yocto build system There is possibility to +> need build image with custom Linux-based system for embedded with Ansible, +> using complete development environment, with tools, metadata and +> documentation, named Yocto. In addition, we would like to run ansible-playbook +> via python. It seems to be hard to implement. Nothing more simple! It is +> needed to add recipe to image with ansible from [Python Ansible package][2] +> \#### Additional information For more information go to [Ansible Documentation][3] @@ -97,17 +100,20 @@ python level, there is possibility to control nodes, write various plugins, extend Ansible to respond to various python events and plug in inventory data from external data sources. -> Note: There is a permament structure to build python program which operates -> ansible commands: First of all we have to import some modules needed to run +> Note: There is a permanent structure to build python program which operates +> ansible commands: First of all we have to import some modules needed to run > ansible in python. - -> * Let's describe some of them: - * `json` module to convert output to json format - * `ansible` module to manage e.g. inventory or plays - * `TaskQueueManager` is responsible for loading the play strategy plugin, which dispatches the Play's tasks to hosts - * `CallbackBase` module - base ansible callback class, that does nothing here, but new callbacks, which inherits from CallbackBase class and override methods, can execute custom actions - -
    import json
+>
+> - Let's describe some of them: \*`json` module to convert output to json
+>   format _`ansible` module to manage e.g. inventory or plays
+>   \*`TaskQueueManager` is responsible for loading the play strategy plugin,
+>   which dispatches the Play's tasks to hosts_ `CallbackBase` module - base
+>   ansible callback class, that does nothing here, but new callbacks, which
+>   inherits from CallbackBase class and override methods, can execute custom
+>   actions
+
+```python
+import json
 from collections import namedtuple
 from ansible.parsing.dataloader import DataLoader
 from ansible.vars import VariableManager
@@ -115,42 +121,53 @@ from ansible.inventory import Inventory
 from ansible.playbook.play import Play
 from ansible.executor.task_queue_manager import TaskQueueManager
 from ansible.plugins.callback import CallbackBase
-
    +``` -* ResultCallback which inherits from `CallbackBase` and manage the output of +- ResultCallback which inherits from `CallbackBase` and manage the output of ansible. We can create and modify own methods to regulate the behaviour of the ansbile in python controller. -
    class ResultCallback(CallbackBase):
+```python
+class ResultCallback(CallbackBase):
 
   def v2_runner_on_ok(self, result, **kwargs):
     host = result._host
     print json.dumps({host.name: result._result}, indent=4)
-
    +``` -> Note: we can override more methods. All specification can be found in [CallbackBase][4] +> Note: we can override more methods. All specification can be found in +> [CallbackBase][4] -* Next step is to initialize needed objects. Options class to replace Ansible OptParser. Since we're not calling it via CLI, we need something to provide options. +- Next step is to initialize needed objects. Options class to replace Ansible + OptParser. Since we're not calling it via CLI, we need something to provide + options. -
    Options = namedtuple('Options', ['connection', 'module_path', 'forks', 'become', 'become_method', 'become_user', 'check'])
+```python
+Options = namedtuple('Options', ['connection', 'module_path', 'forks', 'become', 'become_method', 'become_user', 'check'])
 variable_manager = VariableManager()
 loader = DataLoader()
 options = Options(connection='local', module_path='/path/to/mymodules', forks=100, become=None, become_method=None, become_user=None, check=False)
 passwords = dict(vault_pass='secret')
-
    +``` -* Instantiate our `ResultCallback` for handling results as they come in +- Instantiate our `ResultCallback` for handling results as they come in -
    results_callback = ResultCallback()
-
    +```python +results_callback = ResultCallback() +``` -* Then the script creates a VariableManager object, which is responsible for adding in all variables from the various sources, and keeping variable precedence consistent. Then create play with tasks - basic jobs we want to handle by ansible. +- Then the script creates a VariableManager object, which is responsible for + adding in all variables from the various sources, and keeping variable + precedence consistent. Then create play with tasks - basic jobs we want to + handle by ansible. -
    inventory = Inventory(loader=loader, variable_manager=variable_manager, host_list='localhost')
+```python
+inventory = Inventory(loader=loader, variable_manager=variable_manager, host_list='localhost')
 variable_manager.set_inventory(inventory)
-
    +``` -
    play_source =  dict(
+```python
+play_source =  dict(
         name = "Ansible Play",
         hosts = 'localhost',
         gather_facts = 'no',
@@ -160,11 +177,16 @@ variable_manager.set_inventory(inventory)
          ]
     )
 play = Play().load(play_source, variable_manager=variable_manager, loader=loader)
-
    +``` -* Actually run it, using the `Runner` object for collecting needed data and running the Ansible Playbook executor. The actual execution of the playbook is in a run method, so we can call it when we need to. The `__init__` method just sets everything up for us. This should run your roles against your hosts! It will still output the usual data to Stderr/Stdout. +- Actually run it, using the `Runner` object for collecting needed data and + running the Ansible Playbook executor. The actual execution of the playbook is + in a run method, so we can call it when we need to. The `__init__` method just + sets everything up for us. This should run your roles against your hosts! It + will still output the usual data to Stderr/Stdout. -
    tqm = None
+```python
+tqm = None
 try:
     tqm = TaskQueueManager(
               inventory=inventory,
@@ -178,7 +200,7 @@ try:
 finally:
     if tqm is not None:
         tqm.cleanup()
-
    +``` ## Conclusion @@ -195,7 +217,6 @@ parties. We are always open for leveraging Ansible and Python in IoT and embedded environment. If you have project that can benefit from those IT automation do not hesitate to drop us email `contact3mdeb.com`. - [1]: http://cub.nobleprog.com/sites/hitramx/files/styles/height50_scale/public/category_image/cursos-de-ansible-en-mexico.png?itok=xPUrGNrA - [2]: https://github.com/OverC/meta-overc/blob/2acca936fe1b4eb35c4c4aa7909160ff51b9213d/meta-cube/recipes-devtools/python/python3-ansible_2.3.1.0.bb - [3]: http://docs.ansible.com/ansible/ - [4]: https://github.com/ansible/ansible/blob/devel/lib/ansible/plugins/callback/__init__.py +[2]: https://github.com/OverC/meta-overc/blob/2acca936fe1b4eb35c4c4aa7909160ff51b9213d/meta-cube/recipes-devtools/python/python3-ansible_2.3.1.0.bb +[3]: http://docs.ansible.com/ansible/ +[4]: https://github.com/ansible/ansible/blob/devel/lib/ansible/plugins/callback/__init__.py diff --git a/blog/content/post/2017-08-01-how-to-handle-a-dht22-sensor-using-arm-mbed-os.md b/blog/content/post/2017-08-01-how-to-handle-a-dht22-sensor-using-arm-mbed-os.md index 9b3a6017..a4fd7b6e 100644 --- a/blog/content/post/2017-08-01-how-to-handle-a-dht22-sensor-using-arm-mbed-os.md +++ b/blog/content/post/2017-08-01-how-to-handle-a-dht22-sensor-using-arm-mbed-os.md @@ -14,18 +14,18 @@ categories: - Firmware - IoT --- + Recently I have encountered with temperature and humidity measurements using DHT22 sensor. I was developing a driver source code in ARM mbed OS SDK on particular STM32 NUCLEO L432KC platform. Thorough analysis of DHT22 [documentation](https://cdn-shop.adafruit.com/datasheets/Digital+humidity+and+temperature+sensor+AM2302.pdf) led me to the following questions: - - Is it possible to accurately measure voltage-level durations during read -process? + process? - What duration time values should be considered as timeout or/and error? - Should I weaken the time restrictions in order to avoid random delays in -voltage level transitions be considered as failure? + voltage level transitions be considered as failure? For ARM mbed OS documentation please refer to [mbed API documentation](https://developer.mbed.org/users/screamer/code/mbed/docs/tip/) @@ -43,39 +43,40 @@ a timer is enabled to measure voltage level duration. The DHT22 sensor is connected as proposed in section 5 of DHT22 [documentation](https://cdn-shop.adafruit.com/datasheets/Digital+humidity+and+temperature+sensor+AM2302.pdf), -but I used a 4.7kOhm pull-up resistor between data line and VDD, because -10kOhm resistor was producing too much noise. I also added a 100nF capacitor -between GND and VDD for wave filtering. - +but I used a 4.7kOhm pull-up resistor between data line and VDD, because 10kOhm +resistor was producing too much noise. I also added a 100nF capacitor between +GND and VDD for wave filtering. ### Read process Each read operation can be divided into main 2 steps: + 1. Host start signal and sensor response -2. Pure data transfer +1. Pure data transfer #### Start signal and sensor response Initially the data line should be in high state (high voltage), in this particular case it is 3.3V. High state on the data line is considered as idle. To begin transmission the host must pull the data line down for at least 1 -milisecond, it is called a start signal. Then host should pull it up and wait +millisecond, it is called a start signal. Then host should pull it up and wait for sensor response. The response should be acquired after 20-40 microseconds. Procedure described above can be basically carried out like that: -```c +```bashc /* Define the data line pin first and a timer*/ DigitalInOut dht_data(DATA_PIN); Timer timer; -dht_data.output(); //sets the pin in output mode +dht_data.output(); //sets the pin in output mode dht_data.write(0); wait_ms(2); timer.reset(); dht_data.write(1); timer.start(); ``` + **Important** Notice that timer's state is set to 0 before the line is pulled up and then started. @@ -83,7 +84,7 @@ Now is the time for sensor's response. After 20-40 microseconds the sensor should pull the line down for 80 microseconds and then pull it up again for 80 microseconds. To detect it, a do-while loop can be used: -```c +```bashc do { n = timer.read_us(); @@ -132,6 +133,7 @@ if(n != 80) { return DHT_RESPONSE_ERROR; } ``` + At this point we can deliberate about the `TIMEOUT` value and the time restrictions provided in the `if` expressions. 100 microseconds seems to be reasonable value for `TIMEOUT`, because there is no voltage level duration @@ -148,7 +150,7 @@ monitor the sensor's data line. The result occurred to be little surprising. The data line waveform I captured is showed below. The sampling frequency was set to 12MHz. -![][3] +![img][3] The sensor pulled the line down after ca. 22 microseconds, which is appropriate. But then the voltage level durations differ slightly, they are 1.5 microseconds @@ -162,12 +164,13 @@ shorter wiring, voltage level durations were much more repeatable and closer to the sensor's read protocol. So the time restrictions should be provided as follows: -```c +```bashc if((n < 70) || (n > 100)) { timer.stop(); return DHT_RESPONSE_ERROR; } ``` + #### Data transfer After sent response, the sensor is transmitting 40 bits of data containing @@ -176,13 +179,13 @@ measured temperature, humidity and a checksum. Each bit transfer begins with a microseconds or 70 microseconds. The duration of high voltage level determines the bit value: -* 26-68 microseconds - logic '0' -* 70 microseconds - logic '1' +- 26-68 microseconds - logic '0' +- 70 microseconds - logic '1' -Most significant bit goes first. -Reading and storing entire data can be done like this: +Most significant bit goes first. Reading and storing entire data can be done +like this: -```c +```bashc for(int i = 0; i < N_BYTES; i++) { for (int b = 0; b < N_BITS; b++) { do { @@ -218,12 +221,13 @@ for(int i = 0; i < N_BYTES; i++) { } } ``` + As expected, the time restrictions provided in `if` expressions lead to returning `DHT_READ_BIT_ERROR`. The reason is the same as mentioned previously in [Start signal and sensor response](#start-signal-and-sensor-response). Checking the waveform of data line leads to following results: -![][5] +![img][5] Picture above shows a fragment of data bits transfer. The voltage level durations are clearly going beyond the acceptable scope. For example, the 64.42 @@ -235,9 +239,9 @@ high voltage duration lasts properly long - 26 microseconds. To ensure reading all bytes without returning an error, I have adjusted the time restrictions in `if` expressions with following values: -```c +```bashc if((n < 45) || (n > 70)) { - timer.stop(); + timer.stop(); return DHT_READ_BIT_ERROR; } @@ -253,14 +257,14 @@ if((n > 15) && (n < 35)) { ``` ->I also have included possible timer inaccuracy to ensure transmission without -error returning. +> I also have included possible timer inaccuracy to ensure transmission without +> error returning. After these changes I was finally able to gather correct measurements repeatedly without failure. To end the transmission, the data line should be pulled up by the host to leave it in an idle state. -```c +```bashc timer.stop(); dht_data.output(); // switch back to output mode dht_data.write(1); @@ -269,7 +273,6 @@ dht_data.write(1); It is also necessary to implement an interval mechanism to prevent polling the sensor sooner than 2 seconds since last poll. - ## Summary Above steps gave me ability to take temperature and humidity measurements by @@ -278,8 +281,8 @@ DHT22. This particular sensor has its pros as well as cons. Its advantage certainly is simplicity in hardware design. Only a pull up resistor, filtering capacitor and 3 wire connections are needed. -Its disadvantage is specially designed 1-Wire bus communication. It prevents -the usage of common Maxim/Dallas 1-Wire bus standard and forces the developer to +Its disadvantage is specially designed 1-Wire bus communication. It prevents the +usage of common Maxim/Dallas 1-Wire bus standard and forces the developer to implement software driver for handling data reading. Although it is not that difficult, many other problems can occur. As I proved, timing issues are the source of accidental misinterpretation of data and developer confusion. @@ -301,17 +304,13 @@ investigate these issues. Hope that this article will help further developers implementing DHT22 sensors in their projects. We are always open for discussion about issues you faced during embedded system -development, so please do not hesitate to leave comment below. DHT22 is just -one case where do-not-trust-datasheet and read-between-lines rules apply. +development, so please do not hesitate to leave comment below. DHT22 is just one +case where do-not-trust-datasheet and read-between-lines rules apply. Malfunction and unexpected behaviour is bread and butter for us. Small problem in prototype may be huge on mass market. If you think we provide valuable information please share this post, also if you are interested in commercial level support we are always open for new challenges. There are many ways to contact us, but easiest would be to drop us email `contact3mdebcom`. - - [1]: https://cdn-shop.adafruit.com/datasheets/Digital+humidity+and+temperature+sensor+AM2302.pdf - [2]: https://developer.mbed.org/users/screamer/code/mbed/docs/tip/ - [3]: /img/dht22-response.png - [4]: #start-signal-and-sensor-response - [5]: /img/dht22-datatransfer.png +[3]: /img/dht22-response.png +[5]: /img/dht22-datatransfer.png diff --git a/blog/content/post/2017-11-02-pc-engines-apu2-python-robot-framework-validation-automation.md b/blog/content/post/2017-11-02-pc-engines-apu2-python-robot-framework-validation-automation.md index 09751f5a..eb3249a4 100644 --- a/blog/content/post/2017-11-02-pc-engines-apu2-python-robot-framework-validation-automation.md +++ b/blog/content/post/2017-11-02-pc-engines-apu2-python-robot-framework-validation-automation.md @@ -15,6 +15,7 @@ tags: categories: - Firmware --- + Recently we attended [ECC2017][1] conference. One of topics that we considered was a system for development and validation automation. Unfortunately this talk was not accepted, but we present some research below and plan to provide more @@ -36,7 +37,8 @@ It gives ability to leverage enormous amount of Python libraries and has integrated most important ones. I decided to start with installation in virtualenv: -
    [23:00:11]
+```bash
+[23:00:11]
 pietrushnic:storage $ virtualenv robot-venv
 Running virtualenv with interpreter /usr/bin/python2
 New python executable in /home/pietrushnic/storage/robot-venv/bin/python2
@@ -53,43 +55,48 @@ Building wheels for collected packages: robotframework
 Successfully built robotframework
 Installing collected packages: robotframework
 Successfully installed robotframework-3.0.2
-
    +``` Verification: -
    (robot-venv) [23:00:46] pietrushnic:storage $ robot --version
+```bash
+(robot-venv) [23:00:46] pietrushnic:storage $ robot --version
 Robot Framework 3.0.2 (Python 2.7.13 on linux2)
-
    +``` ## Quick start guide - sudo apt-get install docutils - git clone https://github.com/robotframework/QuickStartGuide.git - cd QuickStartGuide - robot QuickStart.rst +```bash +sudo apt-get install docutils +git clone https://github.com/robotframework/QuickStartGuide.git +cd QuickStartGuide +robot QuickStart.rst +``` Output should look like this: - ============================================================================== - QuickStart - ============================================================================== - User can create an account and log in | PASS | - ------------------------------------------------------------------------------ - User cannot log in with bad password | PASS | - ------------------------------------------------------------------------------ - User can change password | PASS | - ------------------------------------------------------------------------------ - Invalid password | PASS | - ------------------------------------------------------------------------------ - User status is stored in database | PASS | - ------------------------------------------------------------------------------ - QuickStart | PASS | - 5 critical tests, 5 passed, 0 failed - 5 tests total, 5 passed, 0 failed - ============================================================================== - Output: /home/pietrushnic/storage/wdc/projects/2017/pcengines/apu/src/QuickStartGuide/output.xml - Log: /home/pietrushnic/storage/wdc/projects/2017/pcengines/apu/src/QuickStartGuide/log.html - Report: /home/pietrushnic/storage/wdc/projects/2017/pcengines/apu/src/QuickStartGuide/report.html +```bash +============================================================================== +QuickStart +============================================================================== +User can create an account and log in | PASS | +------------------------------------------------------------------------------ +User cannot log in with bad password | PASS | +------------------------------------------------------------------------------ +User can change password | PASS | +------------------------------------------------------------------------------ +Invalid password | PASS | +------------------------------------------------------------------------------ +User status is stored in database | PASS | +------------------------------------------------------------------------------ +QuickStart | PASS | +5 critical tests, 5 passed, 0 failed +5 tests total, 5 passed, 0 failed +============================================================================== +Output: /home/pietrushnic/storage/wdc/projects/2017/pcengines/apu/src/QuickStartGuide/output.xml +Log: /home/pietrushnic/storage/wdc/projects/2017/pcengines/apu/src/QuickStartGuide/log.html +Report: /home/pietrushnic/storage/wdc/projects/2017/pcengines/apu/src/QuickStartGuide/report.html +``` What is great about that? Output is clean and can be easily understood. In addition it generates log and report. Both generated files are clean and @@ -99,56 +106,63 @@ eye-catching. My typical output on minicom during boot was: - PC Engines apu2 - coreboot build 07/18/2017 - BIOS version - 4080 MB ECC DRAM +```bash +PC Engines apu2 +coreboot build 07/18/2017 +BIOS version +4080 MB ECC DRAM - SeaBIOS (version rel-1.10.2.1) - Press F10 key now for boot menu, N for PXE boot +SeaBIOS (version rel-1.10.2.1) +Press F10 key now for boot menu, N for PXE boot +``` After `N for PXE boot` show script should send `N` or `n` what should send me to `iPXE>` prompt. Initially I thought about using [robotframework-seriallibrary][2], but limitation led me to search for different solution. `robotframework-seriallibrary` was designed to handle single byte communication not serial output streams from operating system. For example -`read_until` function check for termination character, instead of matching +`read_until` function check for termination character, instead of matching string pattern, what was expected during iPXE testing. `ser2net` and `telnet` solution was suggested on [mailing list][3] and eventually was much better choice for my use case. - sudo apt-get install ser2net +```bash +sudo apt-get install ser2net +``` Quick test with config file `ser2net_apu.cfg` - 13542:telnet:600:/dev/ttyUSB0:115200 8DATABITS NONE 1STOPBIT +```bash +13542:telnet:600:/dev/ttyUSB0:115200 8DATABITS NONE 1STOPBIT +``` To prove that `ser2net` works correctly: - [0:19:39] pietrushnic:pcengines $ telnet localhost 13542 - Trying ::1... - Connected to localhost. - Escape character is '^]'. - PC Engines apu2 - coreboot build 07/18/2017 - BIOS version - 4080 MB ECC DRAM - +```bash +[0:19:39] pietrushnic:pcengines $ telnet localhost 13542 +Trying ::1... +Connected to localhost. +Escape character is '^]'. +PC Engines apu2 +coreboot build 07/18/2017 +BIOS version +4080 MB ECC DRAM - telnet> q - Connection closed. +telnet> q +Connection closed. +``` ### Telnet module for Robot Framework After playing some time I got to point when I can enter iPXE command prompt. My test looks pretty simple: -
    
-*** settings ***
+```bash
+***settings***
 Library    Telnet
 
-*** Test Cases ***
+***Test Cases***
 Enter PXE with 'n'
     Open Connection    localhost    port=13542
     Set Encoding    errors=strict
@@ -162,16 +176,17 @@ Enter PXE with 'n'
     Read Until    autoboot
     Write Bare    n
     Read Until    iPXE>
-
    +``` Most complex part was related to pushing arrow keys through terminal. Magic is in `x1b[A` what triggers escape sequence matching arrow up key on keyboard. Other keys are: - x1b[B - down key - x1b[C - right key - x1b[D - left key - +```bash +x1b[B - down key +x1b[C - right key +x1b[D - left key +``` ## Debugging pxelinux booting @@ -179,10 +194,11 @@ Serial console handling in Robot Framework is not trivial task. Especially, if You are doing it first time. What I learned is that below parameters are critical to correct understand what is going on behind the scene: -* enable debug log by using `-b ` parameter -* set debug level `-L ` Command for running framework should look like that: +- enable debug log by using `-b ` parameter +- set debug level `-L ` Command for running framework should look like + that: -``` +```bash robot -b debug.log -L TRACE ``` @@ -208,59 +224,63 @@ that I decided to create bigger booting menu, based on netboot package, for various systems so You can see little bit different structure in future. To setup PXE server easy way please follow: - git clone https://github.com/3mdeb/pxe-server.git - cd pxe-server - git clone https://github.com/3mdeb/netboot.git - NETBOOT_DIR=./netboot ./init.sh +```bash +git clone https://github.com/3mdeb/pxe-server.git +cd pxe-server +git clone https://github.com/3mdeb/netboot.git +NETBOOT_DIR=./netboot ./init.sh +``` At point of writing this blog post support was very limited and menu had just Debian i386 installer. ### Full Robot Framework script -Below is my full script. Please note that I'm using custom method `Write Bare -Slow`. This is because of flaw related to slow iPXE input. To use this code You -can utilize our fork of [robotframework][5]. - - *** settings *** - Library Telnet - - *** Test Cases *** - Enter iPXE shell - # provide ser2net port where serial was redirected - Open Connection localhost port=%{S2N_PORT} - Set Encoding errors=strict - Set Timeout 30 - # find string indicating network booting is enabled - Read Until N for PXE boot - # use n/N to enter network boot menu - Write Bare n - Read Until Booting from ROM - Read Until autoboot - # move arrow up to choose iPXE shell position - # https://github.com/pcengines/apu2-documentation/blob/master/ipxe/menu.ipxe - Write Bare x1b[A - Read Until autoboot - # press enter - Write Bare \n - # make sure we are inside iPXE shell - Read Until iPXE> x1b[?25h - - Download and boot pxelinux - # request IP address - Write Bare Slow dhcp net0n - Read Until ok - Read Until iPXE> - # provide pxelinux filename on PXE server - Write Bare Slow set filename pxelinux.0\n - Read Until iPXE> - # provide PXE server IP address - Write Bare Slow set next-server %{PXE_SRV_IP}\n - Read Until iPXE> - # download and boot pxelinux - Write Bare Slow chain tftp://${next-server}/${filename}\n - Read Until PXE server boot menu - Close Connection +Below is my full script. Please note that I'm using custom method +`Write Bare Slow`. This is because of flaw related to slow iPXE input. To use +this code You can utilize our fork of [robotframework][5]. + +```bash +***settings*** +Library Telnet + +***Test Cases*** +Enter iPXE shell + # provide ser2net port where serial was redirected + Open Connection localhost port=%{S2N_PORT} + Set Encoding errors=strict + Set Timeout 30 + # find string indicating network booting is enabled + Read Until N for PXE boot + # use n/N to enter network boot menu + Write Bare n + Read Until Booting from ROM + Read Until autoboot + # move arrow up to choose iPXE shell position + # https://github.com/pcengines/apu2-documentation/blob/master/ipxe/menu.ipxe + Write Bare x1b[A + Read Until autoboot + # press enter + Write Bare \n + # make sure we are inside iPXE shell + Read Until iPXE> x1b[?25h + +Download and boot pxelinux + # request IP address + Write Bare Slow dhcp net0n + Read Until ok + Read Until iPXE> + # provide pxelinux filename on PXE server + Write Bare Slow set filename pxelinux.0\n + Read Until iPXE> + # provide PXE server IP address + Write Bare Slow set next-server %{PXE_SRV_IP}\n + Read Until iPXE> + # download and boot pxelinux + Write Bare Slow chain tftp://${next-server}/${filename}\n + Read Until PXE server boot menu + Close Connection +``` Configuration for `ser2net` port and PXE server IP address are passed through environment variables. @@ -269,36 +289,45 @@ environment variables. Assuming Your PXE server works fine You can run: - git clone https://github.com/pcengines/apu-test-suite.git - cd apu-test-suite - sudo ser2net -c ser2net_apu.cfg +```bash +git clone https://github.com/pcengines/apu-test-suite.git +cd apu-test-suite +sudo ser2net -c ser2net_apu.cfg +``` Then please change port and IP address accordingly: - S2N_PORT=13542 PXE_SRV_IP= robot -b debug.log -L TRACE pxe_boot.robot +```bash +S2N_PORT=13542 PXE_SRV_IP= robot -b debug.log -L TRACE pxe_boot.robot +``` - Please note that port is hardcoded in ser2net_apu.cfg. Output in +\ Please note that port is hardcoded in ser2net_apu.cfg. Output in terminal should look like this: - ============================================================================== - Pxe Boot - ============================================================================== - Enter iPXE shell | PASS | - ------------------------------------------------------------------------------ - Download and boot pxelinux | PASS | - ------------------------------------------------------------------------------ - Pxe Boot | PASS | - 2 critical tests, 2 passed, 0 failed - 2 tests total, 2 passed, 0 failed - ============================================================================== - Debug: /home/pietrushnic/storage/wdc/projects/2017/pcengines/apu/src/apu-test-suite/debug.log - Output: /home/pietrushnic/storage/wdc/projects/2017/pcengines/apu/src/apu-test-suite/output.xml - Log: /home/pietrushnic/storage/wdc/projects/2017/pcengines/apu/src/apu-test-suite/log.html - Report: /home/pietrushnic/storage/wdc/projects/2017/pcengines/apu/src/apu-test-suite/report.html - -This means PXE boot menu is already in Your telnet, to connect to it simply type: - - telnet localhost 13542 +```bash +============================================================================== +Pxe Boot +============================================================================== +Enter iPXE shell | PASS | +------------------------------------------------------------------------------ +Download and boot pxelinux | PASS | +------------------------------------------------------------------------------ +Pxe Boot | PASS | +2 critical tests, 2 passed, 0 failed +2 tests total, 2 passed, 0 failed +============================================================================== +Debug: /home/pietrushnic/storage/wdc/projects/2017/pcengines/apu/src/apu-test-suite/debug.log +Output: /home/pietrushnic/storage/wdc/projects/2017/pcengines/apu/src/apu-test-suite/output.xml +Log: /home/pietrushnic/storage/wdc/projects/2017/pcengines/apu/src/apu-test-suite/log.html +Report: /home/pietrushnic/storage/wdc/projects/2017/pcengines/apu/src/apu-test-suite/report.html +``` + +This means PXE boot menu is already in Your telnet, to connect to it simply +type: + +```bash +telnet localhost 13542 +``` After refreshing Your screen with `-L` You should see boot menu: @@ -329,10 +358,10 @@ If you are interested in further reading about Python, check out post which includes a series of questions on key features and capabilities of the Python language. - [1]: https://ecc2017.coreboot.org/ - [2]: https://github.com/whosaysni/robotframework-seriallibrary - [3]: https://groups.google.com/d/msg/robotframework-users/r0xvLtGNgno/TI0suLOlNL4J - [4]: https://groups.google.com/d/msg/robotframework-users/5Mf2rKns13s/XQbalZ_DAQAJ - [5]: https://github.com/3mdeb/robotframework - [6]: /img/pxe_server_menu.png - [7]: /img/ipxe_test_log.png +[1]: https://web.archive.org/web/20180411102847/https://ecc2017.coreboot.org/ +[2]: https://github.com/whosaysni/robotframework-seriallibrary +[3]: https://groups.google.com/d/msg/robotframework-users/r0xvLtGNgno/TI0suLOlNL4J +[4]: https://groups.google.com/d/msg/robotframework-users/5Mf2rKns13s/XQbalZ_DAQAJ +[5]: https://github.com/3mdeb/robotframework +[6]: /img/pxe_server_menu.png +[7]: /img/ipxe_test_log.png diff --git a/blog/content/post/2017-11-03-uefiedk-ii-corebootpayloadpkg-on-pc-engines-apu2.md b/blog/content/post/2017-11-03-uefiedk-ii-corebootpayloadpkg-on-pc-engines-apu2.md index 9605e2cd..334e32a7 100644 --- a/blog/content/post/2017-11-03-uefiedk-ii-corebootpayloadpkg-on-pc-engines-apu2.md +++ b/blog/content/post/2017-11-03-uefiedk-ii-corebootpayloadpkg-on-pc-engines-apu2.md @@ -15,30 +15,33 @@ tags: categories: - Firmware --- + Recently we were reached by person interested in running CoreOS on apu2. CoreOS is a very interesting system from security point of view. It was created to support containers and scalability out of the box. Unfortunately it requires firmware supporting GPT. At that point I was not sure if I can utilize GRUB GPT support on apu2, but this led to other questions: -* Is it possible to boot UEFI-aware OS on PC Engines apux boards? -* What level of security can I get with UEFI-aware OS in comparison to coreboot? +- Is it possible to boot UEFI-aware OS on PC Engines apux boards? +- What level of security can I get with UEFI-aware OS in comparison to coreboot? Those questions were much more interesting to firmware developer, because of that we decided to triage [coreboot UEFI payload][1] on PC Engines apu2 -platform. For interested ones in that topic I recommend to take look at [video -from coreboot conference 2016][2]. All my modifications of edk2 for the article -below can be found in [3mdeb edk2 fork][3] For those interested in UEFI-aware OS -booting this blog post can be useful, but I also plan to write something -straightforward that can be used and read by APUx platform users. +platform. For interested ones in that topic I recommend to take look at +[video from coreboot conference 2016][2]. All my modifications of edk2 for the +article below can be found in [3mdeb edk2 fork][3] For those interested in +UEFI-aware OS booting this blog post can be useful, but I also plan to write +something straightforward that can be used and read by APUx platform users. **NOTE**: this blog post wait so long for publishing that coreboot community provided and improved support for tianocore payload. It can be chosen from `menuconfig` and adds some coreboot specific patches that improve overall support. Please use option: -
    Payload -> Add a payload -> Tianocore
-coreboot payload package
    +```bash +Payload -> Add a payload -> Tianocore +coreboot payload package +``` Manual method still can be useful to try vanilla edk2 and hack with it. @@ -48,22 +51,30 @@ Let's start with building apu2 mainline. First follow [this instruction][4] and build mainline version of coreboot. Meanwhile you can take care of EDK2 CorebootPkg build: - git clone https://github.com/tianocore/edk2.git - cd edk2 - source edksetup.sh +```bash +git clone https://github.com/tianocore/edk2.git +cd edk2 +source edksetup.sh +``` -On my Debian testing I had to explicitly change compilers to `gcc-5` and `g++-5`: +On my Debian testing I had to explicitly change compilers to `gcc-5` and +`g++-5`: - sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-5 10 - sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-5 10 +```bash +sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-5 10 +sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-5 10 +``` Otherwise build fails. After that I was able to build `UEFIPAYLOAD.fd`: - make -c BaseTools - build -a IA32 -p CorebootPayloadPkg/CorebootPayloadPkgIa32.dsc -b DEBUG -t GCC5 +```bash +make -c BaseTools +build -a IA32 -p CorebootPayloadPkg/CorebootPayloadPkgIa32.dsc -b DEBUG -t GCC5 +``` -Build result is located in `Build/CorebootPayloadPkgIA32/DEBUG_GCC5/FV/UEFIPAYLOAD.fd`. -Following [build and integration instructions][5] I added build result as +Build result is located in +`Build/CorebootPayloadPkgIA32/DEBUG_GCC5/FV/UEFIPAYLOAD.fd`. Following +[build and integration instructions][5] I added build result as `An ELF executable payload`. ![uefi_payload][6] @@ -76,7 +87,8 @@ It is important to deselect secondary payloads like `memtest86+` and For all interested in EDK2 code development I strongly advise to follow [Laszlo's guide][7]. In case of apu2 useful script may be: -
    #!/bin/bash
+```bash
+#!/bin/bash
 build -a IA32 -p CorebootPayloadPkg/CorebootPayloadPkgIa32.dsc -b DEBUG -t GCC5
 cp Build/CorebootPayloadPkgIA32/DEBUG_GCC5/FV/UEFIPAYLOAD.fd ../apu2_fw_rel/apu2/coreboot/
 cd ../apu2_fw_rel
@@ -84,7 +96,7 @@ cd ../apu2_fw_rel
 read -n 1 -s -p "Press any key to continue with flashing recent build ..."
 ./apu2/apu2-documentation/scripts/apu2_fw_rel.sh flash-ml root@192.168.0.105
 cd ../edk2
-
    +``` ## Hacking UEFI payload to boot on apu2 @@ -93,16 +105,18 @@ cd ../edk2 First problem I faced was assert in `CbSupportDxe.c` related to adding 1MB memory for LAPIC. Reservation happens in CbSupportDxe entry point. - Loading driver at 0x000CFC25000 EntryPoint=0x000CFC2595B CbSupportDxe.efi - InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF CFC42190 - ProtectUefiImageCommon - 0xCFC42928 - - 0x00000000CFC25000 - 0x0000000000002580 - PROGRESS CODE: V03040002 I0 - Failed to add memory space :0xFEE00000 0x100000 +```bash +Loading driver at 0x000CFC25000 EntryPoint=0x000CFC2595B CbSupportDxe.efi +InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF CFC42190 +ProtectUefiImageCommon - 0xCFC42928 + - 0x00000000CFC25000 - 0x0000000000002580 +PROGRESS CODE: V03040002 I0 +Failed to add memory space :0xFEE00000 0x100000 - ASSERT_EFI_ERROR (Status = Access Denied) +ASSERT_EFI_ERROR (Status = Access Denied) - DXE_ASSERT!: [CbSupportDxe] /home/pietrushnic/storage/wdc/projects/2017/pcengines/apu/src/edk2/CorebootModulePkg/CbSupportDxe/CbSupportDxe.c (57): !EFI_ERROR (Status) +DXE_ASSERT!: [CbSupportDxe] /home/pietrushnic/storage/wdc/projects/2017/pcengines/apu/src/edk2/CorebootModulePkg/CbSupportDxe/CbSupportDxe.c (57): !EFI_ERROR (Status) +``` Interestingly CbSupportDxe seems to not have problem with finding GUID HOB, which is right after asserting reservation. It also passes installation of ACPI @@ -113,65 +127,69 @@ what will happen. Next problem happens during initialization of RTC: - Loading driver at 0x000CFE50000 EntryPoint=0x000CFE507DB PcRtc.efi - InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF CFC2AE90 - ProtectUefiImageCommon - 0xCFC2AB28 - - 0x00000000CFE50000 - 0x0000000000003980 - PROGRESS CODE: V03040002 I0 - ASSERT_EFI_ERROR (Status = Device Error) +```bash +Loading driver at 0x000CFE50000 EntryPoint=0x000CFE507DB PcRtc.efi +InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF CFC2AE90 +ProtectUefiImageCommon - 0xCFC2AB28 + - 0x00000000CFE50000 - 0x0000000000003980 + PROGRESS CODE: V03040002 I0 + ASSERT_EFI_ERROR (Status = Device Error) - DXE_ASSERT!: [PcRtc] /home/pietrushnic/storage/wdc/projects/2017/pcengines/apu/src/edk2/PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcRtcEntry.c (143): !EFI_ERROR (Status) + DXE_ASSERT!: [PcRtc] /home/pietrushnic/storage/wdc/projects/2017/pcengines/apu/src/edk2/PcAtChipsetPkg/PcatRealTimeClockRuntimeDxe/PcRtcEntry.c (143): !EFI_ERROR (Status) +``` Unfortunately Real Time Clock is required architecture protocol and cannot be -omitted. First problem with this code was an incorrect state of `Valid RAM and -Time` (`VRT`) bit in RTC Date Alarm register (aka Register D). By checking AMD -Bios and Kernel Developer's Guide (BKDG) I was not able to find issue with RTC. -Reading all registers was done correctly and register layout seemed to be -standardized for RTC devices. I faced one very strange situation after leaving -apu2 for a night. First boot passed through above assert and finished booting -much further (in BDS). This was very suspicious like timing or HW initialization -issue. Final log looked like that: - - [Bds]=============Begin Load Options Dumping ...============= - Driver Options: - SysPrep Options: - Boot Options: - Boot0000: UiApp 0x0109 - Boot0001: UEFI Shell 0x0001 - PlatformRecovery Options: - PlatformRecovery0000: Default PlatformRecovery 0x0001 - [Bds]=============End Load Options Dumping============= - [Bds]BdsWait ...Zzzzzzzzzzzz... - [Bds]BdsWait(3)..Zzzz... - [Bds]BdsWait(2)..Zzzz... - [Bds]BdsWait(1)..Zzzz... - [Bds]Exit the waiting! - PROGRESS CODE: V03051007 I0 - [Bds]Stop Hotkey Service! - [Bds]UnregisterKeyNotify: 000C/0000 Success - [Bds]UnregisterKeyNotify: 0002/0000 Success - [Bds]UnregisterKeyNotify: 0000/000D Success - Enable SCI bit at 0x804 before boot - PROGRESS CODE: V03051001 I0 - Memory Previous Current Next - Type Pages Pages Pages - ====== ======== ======== ======== - 09 00000008 00000000 00000008 - 0A 00000004 00000000 00000004 - 00 00000004 00000001 00000004 - 06 000000C0 0000002E 000000C0 - 05 00000080 0000001A 00000080 - [Bds]Booting UEFI Shell - [Bds] Expand MemoryMapped(0xB,0x830000,0xC0FFFF)/FvFile(C57AD6B7-0515-40A8-9D21-551652854E37) -> MemoryMapped(0xB,0x830000,0xC0FFFF)/FvFile(C57AD6B7-0515-40A8-9D21-551652854E37) - PROGRESS CODE: V03058000 I0 - InstallProtocolInterface: 5B1B31A1-9562-11D2-8E3F-00A0C969723B CF954D28 - Loading driver at 0x000CF6B8000 EntryPoint=0x000CF718BC1 - InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF CF96E590 - ProtectUefiImageCommon - 0xCF954D28 - - 0x00000000CF6B8000 - 0x00000000000A6FA0 - PROGRESS CODE: V03058001 I0 - InstallProtocolInterface: 47C7B221-C42A-11D2-8E57-00A0C969723B CF6BCA38 - InstallProtocolInterface: 47C7B223-C42A-11D2-8E57-00A0C969723B CF945410 +omitted. First problem with this code was an incorrect state of +`Valid RAM and Time` (`VRT`) bit in RTC Date Alarm register (aka Register D). By +checking AMD Bios and Kernel Developer's Guide (BKDG) I was not able to find +issue with RTC. Reading all registers was done correctly and register layout +seemed to be standardized for RTC devices. I faced one very strange situation +after leaving apu2 for a night. First boot passed through above assert and +finished booting much further (in BDS). This was very suspicious like timing or +HW initialization issue. Final log looked like that: + +```bash +[Bds]=============Begin Load Options Dumping ...============= + Driver Options: + SysPrep Options: + Boot Options: + Boot0000: UiApp 0x0109 + Boot0001: UEFI Shell 0x0001 + PlatformRecovery Options: + PlatformRecovery0000: Default PlatformRecovery 0x0001 +[Bds]=============End Load Options Dumping============= +[Bds]BdsWait ...Zzzzzzzzzzzz... +[Bds]BdsWait(3)..Zzzz... +[Bds]BdsWait(2)..Zzzz... +[Bds]BdsWait(1)..Zzzz... +[Bds]Exit the waiting! +PROGRESS CODE: V03051007 I0 +[Bds]Stop Hotkey Service! +[Bds]UnregisterKeyNotify: 000C/0000 Success +[Bds]UnregisterKeyNotify: 0002/0000 Success +[Bds]UnregisterKeyNotify: 0000/000D Success +Enable SCI bit at 0x804 before boot +PROGRESS CODE: V03051001 I0 +Memory Previous Current Next + Type Pages Pages Pages +====== ======== ======== ======== + 09 00000008 00000000 00000008 + 0A 00000004 00000000 00000004 + 00 00000004 00000001 00000004 + 06 000000C0 0000002E 000000C0 + 05 00000080 0000001A 00000080 +[Bds]Booting UEFI Shell +[Bds] Expand MemoryMapped(0xB,0x830000,0xC0FFFF)/FvFile(C57AD6B7-0515-40A8-9D21-551652854E37) -> MemoryMapped(0xB,0x830000,0xC0FFFF)/FvFile(C57AD6B7-0515-40A8-9D21-551652854E37) +PROGRESS CODE: V03058000 I0 +InstallProtocolInterface: 5B1B31A1-9562-11D2-8E3F-00A0C969723B CF954D28 +Loading driver at 0x000CF6B8000 EntryPoint=0x000CF718BC1 +InstallProtocolInterface: BC62157E-3E33-4FEC-9920-2D3B36D750DF CF96E590 +ProtectUefiImageCommon - 0xCF954D28 + - 0x00000000CF6B8000 - 0x00000000000A6FA0 +PROGRESS CODE: V03058001 I0 +InstallProtocolInterface: 47C7B221-C42A-11D2-8E57-00A0C969723B CF6BCA38 +InstallProtocolInterface: 47C7B223-C42A-11D2-8E57-00A0C969723B CF945410 +``` In debug logs there was nothing suspicious. Apparently register D of RTC returned correct value in `VRT` register. Finally it turned out that `VRT` was @@ -184,23 +202,26 @@ assert. I fixed that problem by removing initialization from `PcRtcInit`. One of other behaviors worth to note was unexpected coreboot reset after applying power: - PCEngines apu2 - coreboot build 06/30/2017 - BIOS version v4.5.8 - PCEngines apu2 - coreboot build 06/30/2017 - BIOS version v4.5.8 - 4080 MB ECC DRAM - - PROGRESS CODE: V03020003 I0 - Loading PEIM at 0x000008143C0 EntryPoint=0x00000814600 CbSupportPeim.efi - PROGRESS CODE: V03020002 I0 +```bash +PCEngines apu2 +coreboot build 06/30/2017 +BIOS version v4.5.8 +PCEngines apu2 +coreboot build 06/30/2017 +BIOS version v4.5.8 +4080 MB ECC DRAM +PROGRESS CODE: V03020003 I0 +Loading PEIM at 0x000008143C0 EntryPoint=0x00000814600 CbSupportPeim.efi +PROGRESS CODE: V03020002 I0 +``` -## Booting to UEFI Shell on apu2 I had "freeze" after: +## Booting to UEFI Shell on apu2 I had "freeze" after - InstallProtocolInterface: 47C7B221-C42A-11D2-8E57-00A0C969723B CF6BCA38 - InstallProtocolInterface: 47C7B223-C42A-11D2-8E57-00A0C969723B CF945410 +```bash +InstallProtocolInterface: 47C7B221-C42A-11D2-8E57-00A0C969723B CF6BCA38 +InstallProtocolInterface: 47C7B223-C42A-11D2-8E57-00A0C969723B CF945410 +``` First is `gEfiShellEnvironment2Guid` and second `gEfiShellInterfaceGuid`, so I decided to take a look where those GUIDs are used and hook there to see what may @@ -208,9 +229,11 @@ be wrong. After poking around I realized that those came from binary included in repository. What is included can be modified by changing `SHELL_TYPE` variable. When using `BUILD_SHELL` I see little bit different output: - InstallProtocolInterface: 387477C2-69C7-11D2-8E39-00A0C969723B CF8DEBA0 - InstallProtocolInterface: 752F3136-4E16-4FDC-A22A-E5F46812F4CA CF8DDF98 - InstallProtocolInterface: 6302D008-7F9B-4F30-87AC-60C9FEF5DA4E CF5D9800 +```bash +InstallProtocolInterface: 387477C2-69C7-11D2-8E39-00A0C969723B CF8DEBA0 +InstallProtocolInterface: 752F3136-4E16-4FDC-A22A-E5F46812F4CA CF8DDF98 +InstallProtocolInterface: 6302D008-7F9B-4F30-87AC-60C9FEF5DA4E CF5D9800 +``` Control is passed in BDS code by calling `StartImage`. For some reason I couldn't print my logs to `debug by printk`. I verified that I'm in correct code @@ -218,23 +241,27 @@ by placing assert, code was interrupted in correct place but not serial log. Trying to change `DebugLib` and provide correct `SerialIoLib` led to reboot. I fixed that by removing `DebugLib` from libraries section in Ia32X64 DSC: - diff --git a/CorebootPayloadPkg/CorebootPayloadPkgIa32X64.dsc b/CorebootPayloadPkg/CorebootPayloadPkgIa32X64.dsc - index 27aba9f59cc9..262ba2b345af 100644 - --- a/CorebootPayloadPkg/CorebootPayloadPkgIa32X64.dsc - +++ b/CorebootPayloadPkg/CorebootPayloadPkgIa32X64.dsc - @@ -565,7 +565,6 @@ [Components.X64] - #------------------------------ - - - - DebugLib|MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf - DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf - FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf - HandleParsingLib|ShellPkg/Library/UefiHandleParsingLib/UefiHandleParsingLib.inf +```bash +diff --git a/CorebootPayloadPkg/CorebootPayloadPkgIa32X64.dsc b/CorebootPayloadPkg/CorebootPayloadPkgIa32X64.dsc +index 27aba9f59cc9..262ba2b345af 100644 +--- a/CorebootPayloadPkg/CorebootPayloadPkgIa32X64.dsc ++++ b/CorebootPayloadPkg/CorebootPayloadPkgIa32X64.dsc +@@ -565,7 +565,6 @@ [Components.X64] + #------------------------------ + + +- DebugLib|MdePkg/Library/UefiDebugLibConOut/UefiDebugLibConOut.inf + DevicePathLib|MdePkg/Library/UefiDevicePathLib/UefiDevicePathLib.inf + FileHandleLib|MdePkg/Library/UefiFileHandleLib/UefiFileHandleLib.inf + HandleParsingLib|ShellPkg/Library/UefiHandleParsingLib/UefiHandleParsingLib.inf +``` However this showed me hang in `DoShellPrompt` on function code: - ShellInfoObject.NewEfiShellProtocol->ReadFile(...) - I could not see the prompt and type any input commands. +```bash +ShellInfoObject.NewEfiShellProtocol->ReadFile(...) + I could not see the prompt and type any input commands. +``` ### Explaining ConIn, ConOut and ErrOut @@ -250,10 +277,10 @@ available during boot phase before firmware calls ExitBootServices and after that during system runtime. Those variables can be changed, but change takes effect after boot. -So in short those variables define where we can find input, -output and std error device. As described in [mailing thread][8] serial port can -be reached through `SerialPortLib` API and it worked for me during boot phase. -Precisely what worked for me was `BaseSerialPortLib16550`. +So in short those variables define where we can find input, output and std error +device. As described in mailing thread serial port can be reached through +`SerialPortLib` API and it worked for me during boot phase. Precisely what +worked for me was `BaseSerialPortLib16550`. I assume methods in this library are not available in runtime and that's why switching to Shell caused no output. Second method is through @@ -261,11 +288,12 @@ switching to Shell caused no output. Second method is through but in short it is required to add device path of UART to mentioned global variables so those can be used. My understanding of stack is: - |- ShellPkg/Application/Shell/Shell.inf - |- MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf - |- MdeModulePkg/Universal/SerialDxe/SerialDxe.inf - |->SerialPortLib|CorebootModulePkg/Library/BaseSerialPortLib16550/BaseSerialPortLib16550.inf - +```bash +|- ShellPkg/Application/Shell/Shell.inf +|- MdeModulePkg/Universal/Console/TerminalDxe/TerminalDxe.inf +|- MdeModulePkg/Universal/SerialDxe/SerialDxe.inf +|->SerialPortLib|CorebootModulePkg/Library/BaseSerialPortLib16550/BaseSerialPortLib16550.inf +``` `BaseSerialPortLib16550` works on I/O and MMIO level to initialize and provide read/write capability for 16550 compatible UART device. This lib is utilized by @@ -300,11 +328,10 @@ you are interested in enabling UEFI-aware operating system on your platform that already support coreboot do not hesitate to contact us. If you have any other questions or comments post those below. - [1]: https://github.com/tianocore/tianocore.github.io/wiki/Coreboot_UEFI_payload - [2]: https://youtu.be/I08NHJLu6Us?list=PLiWdJ1SEk1_AfMNC6nD_BvUVCIsHq6f0u - [3]: https://github.com/3mdeb/edk2/tree/apu2-uefi - [4]: https://github.com/pcengines/release_manifests - [5]: https://raw.githubusercontent.com/tianocore/edk2/master/CorebootPayloadPkg/BuildAndIntegrationInstructions.txt - [6]: /img/uefi_payload.jpeg - [7]: https://github.com/tianocore/tianocore.github.io/wiki/Laszlo's-unkempt-git-guide-for-edk2-contributors-and-maintainers - [8]: https://lists.01.org/pipermail/edk2-devel/2017-July/012352.html +[1]: https://github.com/tianocore/tianocore.github.io/wiki/Coreboot_UEFI_payload +[2]: https://youtu.be/I08NHJLu6Us?list=PLiWdJ1SEk1_AfMNC6nD_BvUVCIsHq6f0u +[3]: https://github.com/3mdeb/edk2/tree/apu2-uefi +[4]: https://github.com/pcengines/release_manifests +[5]: https://github.com/tianocore/edk2/blob/master/UefiPayloadPkg/BuildAndIntegrationInstructions.txt +[6]: /img/uefi_payload.jpeg +[7]: https://github.com/tianocore/tianocore.github.io/wiki/Laszlo's-unkempt-git-guide-for-edk2-contributors-and-maintainers diff --git a/blog/content/post/2017-11-20-flashing-minnowboard-turbot-with-raspberry-pi-zero-w.md b/blog/content/post/2017-11-20-flashing-minnowboard-turbot-with-raspberry-pi-zero-w.md index efc9ad1d..3b666b1b 100644 --- a/blog/content/post/2017-11-20-flashing-minnowboard-turbot-with-raspberry-pi-zero-w.md +++ b/blog/content/post/2017-11-20-flashing-minnowboard-turbot-with-raspberry-pi-zero-w.md @@ -15,22 +15,24 @@ tags: - BayTrail categories: - Firmware + --- + Recently we started preparation of coreboot training for one of our customers. Our platform of choice for that training is MinnowBoard Turbot. There are couple reasons for that: -* During training we can show recent firmware trends - despite we don't like -blobs (FSP, AGESA, PSP, ME etc.) and bloated designs (UEFI) we cannot escape -reality and have to show customers how to deal with those components. -MinnowBoard Turbot use couple of them, but also supports coreboot. -* We can present recent Intel SoC features - MinnowBoard Turbot Dual-Core has -Intel Atom E3826 which has support for VT-x, TXE, PCU (Platform Control Unit), -JTAG and other features that can be very interesting from firmware engineer -point of view. -* We can use the platform which is used as a reference design for various -products - it looks like market for BayTrail (and newer Intel platforms) is -quite big and there are many companies that develop solutions based on it. +- During training we can show recent firmware trends - despite we don't like + blobs (FSP, AGESA, PSP, ME etc.) and bloated designs (UEFI) we cannot escape + reality and have to show customers how to deal with those components. + MinnowBoard Turbot use couple of them, but also supports coreboot. +- We can present recent Intel SoC features - MinnowBoard Turbot Dual-Core has + Intel Atom E3826 which has support for VT-x, TXE, PCU (Platform Control Unit), + JTAG and other features that can be very interesting from firmware engineer + point of view. +- We can use the platform which is used as a reference design for various + products - it looks like market for BayTrail (and newer Intel platforms) is + quite big and there are many companies that develop solutions based on it. MinnowBoard was also used in UEFI security related trainings in which we are really interested in. Key problem with presentation and workshop preparation was @@ -55,25 +57,31 @@ card and boot system. I am using USB to TTY converter so serial console configuration was needed. To do that modify `config.txt` on boot partition of Raspbian with below entry and the end of file: - # Enable UART - enable_uart=1 +```bash +# Enable UART +enable_uart=1 +``` Next you have to setup WiFi. Easiest way is through modification of [wpa_supplicant.conf][2]. Please note that `wpa_supplicant` is not started automatically without additional configuration, so it is good to add below configuration to `/etc/network/interfaces`: - allow-hotplug wlan0 - iface wlan0 inet dhcp - wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf - iface default inet dhcp +```bash +allow-hotplug wlan0 +iface wlan0 inet dhcp +wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf +iface default inet dhcp +``` After reboot your WiFi should be connected. ## Flashrom installation - sudo apt update - sudo apt install flashrom +```bash +sudo apt update +sudo apt install flashrom +``` ## Electrical considerations @@ -83,12 +91,12 @@ MinnowBoard Turbot B uses `Winbond Electronics W25Q64BVSSIG` flash chip. This chip requires power supply voltage range 2.7V - 3.6V. The energy needed to power this memory may come from the internal power circuit of MinnowBoard Turbot B or by connecting the voltage to the pin 1 of J1 MinnowBoard header. In each of -these cases the current flowing from the power source flows through the `NXP -Semiconductors BAT754C` Schottky barrier diode, which causes 0.6V voltage drop. -Therefore, it is necessary to supply a voltage of at least 3.3V to properly -supply the memory chip. `Winbond Electronics W25Q64BVSSIG` has `WP` and `HOLD` -input pins. The first of them activates write protect state. The second one -pauses device even if it is selected by SPI `CS` pin. `WP` and `HOLD` are +these cases the current flowing from the power source flows through the +`NXP Semiconductors BAT754C` Schottky barrier diode, which causes 0.6V voltage +drop. Therefore, it is necessary to supply a voltage of at least 3.3V to +properly supply the memory chip. `Winbond Electronics W25Q64BVSSIG` has `WP` and +`HOLD` input pins. The first of them activates write protect state. The second +one pauses device even if it is selected by SPI `CS` pin. `WP` and `HOLD` are activated by a low logical state. Both inputs are pulled-up to the power line. Therefore, when 3.3V is applied to the 1 pin of J1 header write protect and pause states are disabled due to the presence of a high logical state on `WP` @@ -97,17 +105,17 @@ bus using external device. If J1 header pin 1 not connected, voltage present on power supply line may be floating. It may cause problems to read and write data to the `W25Q64BVSSIG` memory chip. MinnowBoard Turbot B external SPI bus operates on voltages in the range 0V - 3.3V, although the SOC used in Turbot B -requires a voltage not exceeding 1.8 V. It happens because `NXP Semiconductors -NTB0104` dual supply translating transceiver mediates between the SPI buses. -This device changes voltage levels to the right values for each bus. `NTB0104` -chip has `OE` input, which corresponds to whether the signals are transmitted on -the 1.8 V side. For a high logical state signals are transmitted, for a low -logical state not. `OE` input is connected to J1 header 8 pin of MinnowBoard -Turbot B and it is pulled up to 1.8V power supply line. Therefore, when we want -to make sure that the bus is isolated from SOC, it is advisable to short pin 8 -with ground. Then we communicate on SPI bus only with the `Winbond Electronics -W25Q64BVSSIG` memory chip. During tests we figured out that this is not -necessary to get correct results. +requires a voltage not exceeding 1.8 V. It happens because +`NXP Semiconductors NTB0104` dual supply translating transceiver mediates +between the SPI buses. This device changes voltage levels to the right values +for each bus. `NTB0104` chip has `OE` input, which corresponds to whether the +signals are transmitted on the 1.8 V side. For a high logical state signals are +transmitted, for a low logical state not. `OE` input is connected to J1 header 8 +pin of MinnowBoard Turbot B and it is pulled up to 1.8V power supply line. +Therefore, when we want to make sure that the bus is isolated from SOC, it is +advisable to short pin 8 with ground. Then we communicate on SPI bus only with +the `Winbond Electronics W25Q64BVSSIG` memory chip. During tests we figured out +that this is not necessary to get correct results. ## Wiring @@ -125,73 +133,82 @@ table and above picture: | Pin 21 - SPI MISO | Pin 5 - DDP_MISO | orange | | Pin 19 - SPI MOSI | Pin 6 - DDP_MOSI | yellow | -# Running flashrom read +## Running flashrom read - flashrom -p linux_spi:dev=/dev/spidev0.0 -r mb.rom +```bash +flashrom -p linux_spi:dev=/dev/spidev0.0 -r mb.rom +``` It is good practice to read couple times and confirm that we reading the same binary. We faced some problems when `HOLD#` and `WP#` were not pulled-up. After reading, `binwalk` can be used to look inside binary: - sudo apt-get install binwalk - binwalk mb.rom - DECIMAL HEXADECIMAL DESCRIPTION - -------------------------------------------------------------------------------- - 5308536 0x510078 LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 8974464 bytes - 7471424 0x720140 Microsoft executable, portable (PE) - 7502023 0x7278C7 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit - 7510080 0x729840 Microsoft executable, portable (PE) - 7517504 0x72B540 Microsoft executable, portable (PE) - 7526432 0x72D820 Microsoft executable, portable (PE) - 7549216 0x733120 Microsoft executable, portable (PE) - 7559072 0x7357A0 Microsoft executable, portable (PE) - 7565216 0x736FA0 Microsoft executable, portable (PE) - 7570208 0x738320 Microsoft executable, portable (PE) - 7584832 0x73BC40 Microsoft executable, portable (PE) - 7594656 0x73E2A0 Microsoft executable, portable (PE) - 7600832 0x73FAC0 Microsoft executable, portable (PE) - 7607552 0x741500 Microsoft executable, portable (PE) - 7625128 0x7459A8 SHA256 hash constants, little endian - 7626944 0x7460C0 Microsoft executable, portable (PE) - 7649728 0x74B9C0 Microsoft executable, portable (PE) - 7930144 0x790120 Microsoft executable, portable (PE) - 7956000 0x796620 Microsoft executable, portable (PE) - 7966183 0x798DE7 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit - 7966624 0x798FA0 Microsoft executable, portable (PE) - 7972640 0x79A720 Microsoft executable, portable (PE) - 7982592 0x79CE00 Microsoft executable, portable (PE) - 7995808 0x7A01A0 Microsoft executable, portable (PE) - 8008992 0x7A3520 Microsoft executable, portable (PE) - 8016288 0x7A51A0 Microsoft executable, portable (PE) - 8021920 0x7A67A0 Microsoft executable, portable (PE) - 8029472 0x7A8520 Microsoft executable, portable (PE) - 8042016 0x7AB620 Microsoft executable, portable (PE) - 8060320 0x7AFDA0 Microsoft executable, portable (PE) - 8075424 0x7B38A0 Microsoft executable, portable (PE) - 8135476 0x7C2334 Microsoft executable, portable (PE) - 8382584 0x7FE878 Microsoft executable, portable (PE) - -If you want to get back to recent MinnowBoard firmware you can find it [here][5]. +```bash +sudo apt-get install binwalk +binwalk mb.rom +DECIMAL HEXADECIMAL DESCRIPTION +-------------------------------------------------------------------------------- +5308536 0x510078 LZMA compressed data, properties: 0x5D, dictionary size: 16777216 bytes, uncompressed size: 8974464 bytes +7471424 0x720140 Microsoft executable, portable (PE) +7502023 0x7278C7 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit +7510080 0x729840 Microsoft executable, portable (PE) +7517504 0x72B540 Microsoft executable, portable (PE) +7526432 0x72D820 Microsoft executable, portable (PE) +7549216 0x733120 Microsoft executable, portable (PE) +7559072 0x7357A0 Microsoft executable, portable (PE) +7565216 0x736FA0 Microsoft executable, portable (PE) +7570208 0x738320 Microsoft executable, portable (PE) +7584832 0x73BC40 Microsoft executable, portable (PE) +7594656 0x73E2A0 Microsoft executable, portable (PE) +7600832 0x73FAC0 Microsoft executable, portable (PE) +7607552 0x741500 Microsoft executable, portable (PE) +7625128 0x7459A8 SHA256 hash constants, little endian +7626944 0x7460C0 Microsoft executable, portable (PE) +7649728 0x74B9C0 Microsoft executable, portable (PE) +7930144 0x790120 Microsoft executable, portable (PE) +7956000 0x796620 Microsoft executable, portable (PE) +7966183 0x798DE7 mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit +7966624 0x798FA0 Microsoft executable, portable (PE) +7972640 0x79A720 Microsoft executable, portable (PE) +7982592 0x79CE00 Microsoft executable, portable (PE) +7995808 0x7A01A0 Microsoft executable, portable (PE) +8008992 0x7A3520 Microsoft executable, portable (PE) +8016288 0x7A51A0 Microsoft executable, portable (PE) +8021920 0x7A67A0 Microsoft executable, portable (PE) +8029472 0x7A8520 Microsoft executable, portable (PE) +8042016 0x7AB620 Microsoft executable, portable (PE) +8060320 0x7AFDA0 Microsoft executable, portable (PE) +8075424 0x7B38A0 Microsoft executable, portable (PE) +8135476 0x7C2334 Microsoft executable, portable (PE) +8382584 0x7FE878 Microsoft executable, portable (PE) +``` + +If you want to get back to recent MinnowBoard firmware you can find it +[here][5]. ## Flashing coreboot binary Easy way to bake coreboot binary on your workstation is using our `coreboot-trainings-sdk` container: - docker pull 3mdeb/coreboot-trainings-sdk:1.50 - git clone https://review.coreboot.org/coreboot - cd coreboot - git submodule update --init --checkout - cd .. - docker run --rm -it -v $PWD/coreboot:/home/coreboot/coreboot - coreboot/coreboot-sdk:1.50 /bin/bash - cd ~/coreboot - make menuconfig +```bash +docker pull 3mdeb/coreboot-trainings-sdk:1.50 +git clone https://review.coreboot.org/coreboot +cd coreboot +git submodule update --init --checkout +cd .. +docker run --rm -it -v $PWD/coreboot:/home/coreboot/coreboot +coreboot/coreboot-sdk:1.50 /bin/bash +cd ~/coreboot +make menuconfig +``` Choose mainboard vendor (Intel) and model (Minnow Max), then go to Chipset and choose `Use Intel Firmware Support Pakcage`. - make -j$(nproc) +```bash +make -j$(nproc) +``` ### Get flash layout @@ -200,16 +217,18 @@ GbE. Those binaries should be already flashed on SPI. To avoid overwriting those parameters you should use flashrom feature and point it to area you want to replace. - $ cd util/ifdtool - $ make - $ ./ifdtool -f layout path/to/mb.rom - File /home/pietrushnic/tmp/mb.rom is 8388608 bytes - Wrote layout to layout - $ cat layout - 00000000:00000fff fd - 00400000:007fffff bios - 00001000:003fffff me - 00000000:00000fff gbe +```bash +$ cd util/ifdtool +$ make +$ ./ifdtool -f layout path/to/mb.rom +File /home/pietrushnic/tmp/mb.rom is 8388608 bytes +Wrote layout to layout +$ cat layout +00000000:00000fff fd +00400000:007fffff bios +00001000:003fffff me +00000000:00000fff gbe +``` From above we know that bios region, in which `coreboot.rom` should be flashed, has range `00400000:007fffff`. @@ -218,41 +237,44 @@ has range `00400000:007fffff`. Then copy `coreboot/build/coreboot.rom` to Raspberry Pi and flash: - echo 00400000:007fffff cb > 8mb.layout - flashrom -p linux_spi:dev=/dev/spidev0.0 -l 8mb.layout -i cb -w coreboot.rom +```bash +echo 00400000:007fffff cb > 8mb.layout +flashrom -p linux_spi:dev=/dev/spidev0.0 -l 8mb.layout -i cb -w coreboot.rom +``` Disconnect wires after flashing. After powering on MinnowBoard Turbot you should see serial output: - (...) - Searching bootorder for: /pci@i0cf8/pci-bridge@1c,2/*@0 - - Press ESC for boot menu. - - Searching bootorder for: HALT - Space available for UMB: c1000-ee800, f6940-f70d0 - Returned 262144 bytes of ZoneHigh - e820 map has 17 items: - 0: 0000000000000000 - 000000000009fc00 = 1 RAM - 1: 000000000009fc00 - 00000000000a0000 = 2 RESERVED - 2: 00000000000f0000 - 0000000000100000 = 2 RESERVED - 3: 0000000000100000 - 0000000020000000 = 1 RAM - 4: 0000000020000000 - 0000000020100000 = 2 RESERVED - 5: 0000000020100000 - 000000007ad9e000 = 1 RAM - 6: 000000007ad9e000 - 0000000080000000 = 2 RESERVED - 7: 00000000e0000000 - 00000000f0000000 = 2 RESERVED - 8: 00000000feb00000 - 00000000fec01000 = 2 RESERVED - 9: 00000000fed01000 - 00000000fed02000 = 2 RESERVED - 10: 00000000fed03000 - 00000000fed04000 = 2 RESERVED - 11: 00000000fed05000 - 00000000fed06000 = 2 RESERVED - 12: 00000000fed08000 - 00000000fed09000 = 2 RESERVED - 13: 00000000fed0c000 - 00000000fed10000 = 2 RESERVED - 14: 00000000fed1c000 - 00000000fed1d000 = 2 RESERVED - 15: 00000000fee00000 - 00000000fee01000 = 2 RESERVED - 16: 00000000fef00000 - 00000000ff000000 = 2 RESERVED - enter handle_19: - NULL - +```bash +(...) +Searching bootorder for: /pci@i0cf8/pci-bridge@1c,2/*@0 + +Press ESC for boot menu. + +Searching bootorder for: HALT +Space available for UMB: c1000-ee800, f6940-f70d0 +Returned 262144 bytes of ZoneHigh +e820 map has 17 items: + 0: 0000000000000000 - 000000000009fc00 = 1 RAM + 1: 000000000009fc00 - 00000000000a0000 = 2 RESERVED + 2: 00000000000f0000 - 0000000000100000 = 2 RESERVED + 3: 0000000000100000 - 0000000020000000 = 1 RAM + 4: 0000000020000000 - 0000000020100000 = 2 RESERVED + 5: 0000000020100000 - 000000007ad9e000 = 1 RAM + 6: 000000007ad9e000 - 0000000080000000 = 2 RESERVED + 7: 00000000e0000000 - 00000000f0000000 = 2 RESERVED + 8: 00000000feb00000 - 00000000fec01000 = 2 RESERVED + 9: 00000000fed01000 - 00000000fed02000 = 2 RESERVED + 10: 00000000fed03000 - 00000000fed04000 = 2 RESERVED + 11: 00000000fed05000 - 00000000fed06000 = 2 RESERVED + 12: 00000000fed08000 - 00000000fed09000 = 2 RESERVED + 13: 00000000fed0c000 - 00000000fed10000 = 2 RESERVED + 14: 00000000fed1c000 - 00000000fed1d000 = 2 RESERVED + 15: 00000000fee00000 - 00000000fee01000 = 2 RESERVED + 16: 00000000fef00000 - 00000000ff000000 = 2 RESERVED +enter handle_19: + NULL +``` ## Speed up flashing procedure @@ -262,24 +284,27 @@ Typical flashing time without that parameter is ~6min and it seems that default SPI speed is set to 512kHz, so changing it matters a lot. From my experiments 32MHz works without problems. - $ time flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=32000 - -l 8mb.layout -i cb -w coreboot.rom +```bash +$ time flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=32000 +-l 8mb.layout -i cb -w coreboot.rom - flashrom v0.9.9-r1954 on Linux 4.9.41+ (armv6l) - flashrom is free software, get the source code at https://flashrom.org +flashrom v0.9.9-r1954 on Linux 4.9.41+ (armv6l) +flashrom is free software, get the source code at https://flashrom.org - Using region: "cb". - Calibrating delay loop... OK. - Found Winbond flash chip "W25Q64.V" (8192 kB, SPI) on linux_spi. - Reading old flash chip contents... done. - Erasing and writing flash chip... Erase/write done. - Verifying flash... VERIFIED. +Using region: "cb". +Calibrating delay loop... OK. +Found Winbond flash chip "W25Q64.V" (8192 kB, SPI) on linux_spi. +Reading old flash chip contents... done. +Erasing and writing flash chip... Erase/write done. +Verifying flash... VERIFIED. - real 0m22.940s - user 0m8.090s - sys 0m6.470s +real 0m22.940s +user 0m8.090s +sys 0m6.470s +``` -This is impressive improvement and knowledge about this feature is not so common. +This is impressive improvement and knowledge about this feature is not so +common. ## Recovery procedure @@ -287,9 +312,10 @@ If for some reason you will overwrite different regions then needed and you end up with not bootable platform you can write stock firmware and reflash coreboot again. For example: - $ flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=32000 -w MNW2MAX1.X64.0097.D01.1709211100.bin - $ flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=32000 -l 8mb.layout -i cb -w coreboot.rom - +```bash +flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=32000 -w MNW2MAX1.X64.0097.D01.1709211100.bin +flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=32000 -l 8mb.layout -i cb -w coreboot.rom +``` ## Stability issues @@ -306,8 +332,8 @@ needed that post to refresh knowledge for beginners as well as for internal usage. It's good to have all instructions in one place. If you have any comments please feel free to contact us. - [1]: https://www.raspberrypi.org/downloads/raspbian/ - [2]: https://core-electronics.com.au/tutorials/raspberry-pi-zerow-headless-wifi-setup.html - [3]: /img/mb_spi_schem.png - [4]: /img/rpizw_mb_wiring.jpg - [5]: https://firmware.intel.com/projects/minnowboard-max +[1]: https://www.raspberrypi.org/downloads/raspbian/ +[2]: https://core-electronics.com.au/tutorials/raspberry-pi-zerow-headless-wifi-setup.html +[3]: /img/mb_spi_schem.png +[4]: /img/rpizw_mb_wiring.jpg +[5]: https://firmware.intel.com/projects/minnowboard-max diff --git a/blog/content/post/2017-12-05-ssh-reverse-tunnel-for-pxe-nfs-and-dhcp-setup-on-qubesos.md b/blog/content/post/2017-12-05-ssh-reverse-tunnel-for-pxe-nfs-and-dhcp-setup-on-qubesos.md index 311b105e..e27392f4 100644 --- a/blog/content/post/2017-12-05-ssh-reverse-tunnel-for-pxe-nfs-and-dhcp-setup-on-qubesos.md +++ b/blog/content/post/2017-12-05-ssh-reverse-tunnel-for-pxe-nfs-and-dhcp-setup-on-qubesos.md @@ -13,6 +13,7 @@ tags: - QubesOS categories: - OS Dev + --- At some point I stuck in the forest with WiFi connection and no physical access @@ -39,140 +40,157 @@ alternative with `proxychains`, which I will describe later in this article. Let's start with putting together DHCP server: - git clone https://github.com/3mdeb/dhcp-server.git - cd dhcp-server - Please change your network interface in +```bash +git clone https://github.com/3mdeb/dhcp-server.git +cd dhcp-server + Please change your network interface in +``` `start.sh` it doesn't match. Currently set is `eno1` what may be good for Ubuntu users. The only port that we have to forward for DHCP is 67. -### sys-net setup My routing table look like that: - - default via 192.168.8.1 dev wls6 proto static metric 600 - 10.137.0.6 dev vif27.0 scope link metric 32725 - 172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown - 192.168.8.0/24 dev wls6 proto kernel scope link src 192.168.8.111 metric 600 +### sys-net setup My routing table look like that +```bash +default via 192.168.8.1 dev wls6 proto static metric 600 +10.137.0.6 dev vif27.0 scope link metric 32725 +172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown +192.168.8.0/24 dev wls6 proto kernel scope link src 192.168.8.111 metric 600 +``` `wls6` is my wireless interface. apu2 is connected over Ethernet cable using `ens5` interface. Let's assign static IP to it: - sudo ip addr add 192.168.42.1/24 dev ens5 - Routing was added automatically: +```bash +sudo ip addr add 192.168.42.1/24 dev ens5 + Routing was added automatically: - default via 192.168.8.1 dev wls6 proto static metric 600 - 10.137.0.6 dev vif27.0 scope link metric 32725 - 172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown - 192.168.8.0/24 dev wls6 proto kernel scope link src 192.168.8.111 metric 600 - 192.168.42.0/24 dev ens5 proto kernel scope link src 192.168.42.1 +default via 192.168.8.1 dev wls6 proto static metric 600 +10.137.0.6 dev vif27.0 scope link metric 32725 +172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown +192.168.8.0/24 dev wls6 proto kernel scope link src 192.168.8.111 metric 600 +192.168.42.0/24 dev ens5 proto kernel scope link src 192.168.42.1 +``` After trying to correctly setup `iptables` in Qubes OS to forward traffic to vm where DHCP and PXE/NFS containers were started I decided to give up. It would be much easier to correctly setup `sys-net` for my development needs then spending hours on figuring out what is wrong with my IP tables. - git clone https://github.com/3mdeb/dhcp-server.git - cd dhcp-server - Adjust your +```bash +git clone https://github.com/3mdeb/dhcp-server.git +cd dhcp-server + Adjust your +``` `dhcp.conf` and `start.sh` to network configuration. In my case it was modified like below: - diff --git a/start.sh b/start.sh - index fb257be..6de7283 100755 - --- a/start.sh - +++ b/start.sh - @@ -14,6 +14,6 @@ docker run --rm --name dhcpserver --privileged --net=host - -p 67:67/udp -p 67:67/tcp - -v ${PWD}/data:/data - -t -i 3mdeb/dhcp-server /bin/bash -c - - "bash /entrypoint.sh eno1;/bin/bash" - + "bash /entrypoint.sh ens5;/bin/bash" - and - - diff --git a/data/dhcpd.conf b/data/dhcpd.conf - index 961aef58068d..788d80577c1d 100644 - --- a/data/dhcpd.conf - +++ b/data/dhcpd.conf - @@ -1,4 +1,4 @@ - -subnet 192.168.0.0 netmask 255.255.255.0 { - +subnet 192.168.42.0 netmask 255.255.255.0 { - - allow booting; - allow bootp; - @@ -7,29 +7,33 @@ subnet 192.168.0.0 netmask 255.255.255.0 { - - option domain-name "3mdeb.com"; - option subnet-mask 255.255.255.0; - - option broadcast-address 192.168.0.255; - + option broadcast-address 192.168.42.255; - option domain-name-servers 0.0.0.0; - - option routers 192.168.0.1; - + option routers 192.168.42.1; - - # Group the PXE bootable hosts together - group { - # PXE-specific configuration directives... - - next-server 192.168.0.109; - - filename "pxelinux.0"; - - option root-path "/srv/nfs/freebsd"; - + # next-server 192.168.42.109; - + # filename "pxelinux.0"; - + # option root-path "/srv/nfs/freebsd"; - # You need an entry like this for every host - # unless you're using dynamic addresses - host router { - hardware ethernet 00:02:72:41:35:87; - - fixed-address 192.168.0.1; - + fixed-address 192.168.42.1; - } - host pxeserver { - hardware ethernet B8:CA:3A:A2:1B:3E; - - fixed-address 192.168.0.109; - + fixed-address 192.168.42.109; - } - host apu2 { - hardware ethernet 00:0D:B9:43:3F:BC; - - fixed-address 192.168.0.101; - + fixed-address 192.168.42.101; - + } - + host dhcp-server { - + hardware ethernet C8:5B:76:D0:FD:62; - + fixed-address 192.168.42.1; - } - } - } +```bash +diff --git a/start.sh b/start.sh +index fb257be..6de7283 100755 +--- a/start.sh ++++ b/start.sh +@@ -14,6 +14,6 @@ docker run --rm --name dhcpserver --privileged --net=host + -p 67:67/udp -p 67:67/tcp + -v ${PWD}/data:/data + -t -i 3mdeb/dhcp-server /bin/bash -c +- "bash /entrypoint.sh eno1;/bin/bash" ++ "bash /entrypoint.sh ens5;/bin/bash" + and + +diff --git a/data/dhcpd.conf b/data/dhcpd.conf +index 961aef58068d..788d80577c1d 100644 +--- a/data/dhcpd.conf ++++ b/data/dhcpd.conf +@@ -1,4 +1,4 @@ +-subnet 192.168.0.0 netmask 255.255.255.0 { ++subnet 192.168.42.0 netmask 255.255.255.0 { + + allow booting; + allow bootp; +@@ -7,29 +7,33 @@ subnet 192.168.0.0 netmask 255.255.255.0 { + + option domain-name "3mdeb.com"; + option subnet-mask 255.255.255.0; +- option broadcast-address 192.168.0.255; ++ option broadcast-address 192.168.42.255; + option domain-name-servers 0.0.0.0; +- option routers 192.168.0.1; ++ option routers 192.168.42.1; + + # Group the PXE bootable hosts together + group { + # PXE-specific configuration directives... +- next-server 192.168.0.109; +- filename "pxelinux.0"; +- option root-path "/srv/nfs/freebsd"; ++ # next-server 192.168.42.109; ++ # filename "pxelinux.0"; ++ # option root-path "/srv/nfs/freebsd"; + # You need an entry like this for every host + # unless you're using dynamic addresses + host router { + hardware ethernet 00:02:72:41:35:87; +- fixed-address 192.168.0.1; ++ fixed-address 192.168.42.1; + } + host pxeserver { + hardware ethernet B8:CA:3A:A2:1B:3E; +- fixed-address 192.168.0.109; ++ fixed-address 192.168.42.109; + } + host apu2 { + hardware ethernet 00:0D:B9:43:3F:BC; +- fixed-address 192.168.0.101; ++ fixed-address 192.168.42.101; ++ } ++ host dhcp-server { ++ hardware ethernet C8:5B:76:D0:FD:62; ++ fixed-address 192.168.42.1; + } + } + } +``` On apu2 I booted to iPXE. I'm using `v4.6.3`. - iPXE> dhcp net0 - Configuring (net0 00:0d:b9:43:3f:bc).................. ok - PXE> show net0/ip - net0.dhcp/ip:ipv4 = 192.168.42.101 +```bash +iPXE> dhcp net0 +Configuring (net0 00:0d:b9:43:3f:bc).................. ok +PXE> show net0/ip +net0.dhcp/ip:ipv4 = 192.168.42.101 +``` Please note that MAC of my apu2 was already added to `dhcp.conf`. From that place I can go to run my PXE and NFS container. ## PXE and NFS server - git clone https://github.com/3mdeb/pxe-server.git - cd pxe-server - NFS_SRV_IP=192.168.42.1 ./init.sh - ./start.sh +```bash +git clone https://github.com/3mdeb/pxe-server.git +cd pxe-server +NFS_SRV_IP=192.168.42.1 ./init.sh +./start.sh +``` On iPXE side: - chain https://192.168.42.1:8000/menu.ipxe +```bash +chain https://192.168.42.1:8000/menu.ipxe +``` This gives couple options during boot: - ---------------- iPXE boot menu ---------------- - ipxe shell - Debian stable netboot - TODO:Debian stable netinst - TODO:Debian testing netinst - TODO:Debian testing netinst (UEFI-aware) - TODO:Voyage +```bash +---------------- iPXE boot menu ---------------- +ipxe shell +Debian stable netboot +TODO:Debian stable netinst +TODO:Debian testing netinst +TODO:Debian testing netinst (UEFI-aware) +TODO:Voyage +``` Probably more will be available overtime. @@ -190,27 +208,33 @@ from apu2. The solution came with this [stackoverflow answer][2]. What we doing here is setting up SOCKS proxy and reverse SSH tunnel for apu2 traffic. On sys-net I did: - sudo passwd user #provide password - ssh -f -N -D 54321 localhost - ssh root@192.168.42.101 -R 6666:localhost:54321 +```bash +sudo passwd user #provide password +ssh -f -N -D 54321 localhost +ssh root@192.168.42.101 -R 6666:localhost:54321 +``` Then on apu2: - root@apu2:~# proxychains apt-get update - ProxyChains-3.1 (http://proxychains.sf.net) - 0% [Working]|DNS-request| ftp.pl.debian.org - |S-chain|-<>-127.0.0.1:6666-<><>-4.2.2.2:53-<><>-OK - |DNS-response| ftp.pl.debian.org is 153.19.251.221 - |S-chain|-<>-127.0.0.1:6666-<><>-153.19.251.221:80-<><>-OK - Ign:1 http://ftp.pl.debian.org/debian stable InRelease - Hit:2 http://ftp.pl.debian.org/debian stable Release - Reading package lists... Done +```bash +root@apu2:~# proxychains apt-get update +ProxyChains-3.1 (http://proxychains.sf.net) +0% [Working]|DNS-request| ftp.pl.debian.org +|S-chain|-<>-127.0.0.1:6666-<><>-4.2.2.2:53-<><>-OK +|DNS-response| ftp.pl.debian.org is 153.19.251.221 +|S-chain|-<>-127.0.0.1:6666-<><>-153.19.251.221:80-<><>-OK +Ign:1 http://ftp.pl.debian.org/debian stable InRelease +Hit:2 http://ftp.pl.debian.org/debian stable Release +Reading package lists... Done +``` Please note that if, for some reason connection on sys-net will break then you will have problem resolving DNS. To fix that you have to remove incorrect default gateway. This have to be automated somehow on sys-net: - sudo ip r del default via 192.168.42.1 +```bash +sudo ip r del default via 192.168.42.1 +``` ## What we can do now? @@ -226,5 +250,5 @@ enabling support or you are interested in freeing your hardware setup, please do not hesitate to contact us. If you know how to reliably setup `iptables` in above situation we would be glad to test it. - [1]: /img/qubes-apu2-setup.png - [2]: https://serverfault.com/a/361806/68013 +[1]: /img/qubes-apu2-setup.png +[2]: https://serverfault.com/a/361806/68013 diff --git a/blog/content/post/2018-01-18-robot-framework-using-request-library-for-control-rpi-gpios.md b/blog/content/post/2018-01-18-robot-framework-using-request-library-for-control-rpi-gpios.md index 43c182da..dc7af4ec 100644 --- a/blog/content/post/2018-01-18-robot-framework-using-request-library-for-control-rpi-gpios.md +++ b/blog/content/post/2018-01-18-robot-framework-using-request-library-for-control-rpi-gpios.md @@ -9,9 +9,13 @@ published: true date: 2018-01-18 14:31:00 archives: "2018" --- -Requests library is one of the most popular libraries implemented for Robot Framework. It is very important for testing distributed applications, so this is the first library I got to know in the Robot Framework. -To test `Request` library we can install Pi-GPIO-Server on Raspberry Pi. The server is able to control the state of input and output of GPIOs using REST API. +Requests library is one of the most popular libraries implemented for Robot +Framework. It is very important for testing distributed applications, so this is +the first library I got to know in the Robot Framework. + +To test `Request` library we can install Pi-GPIO-Server on Raspberry Pi. The +server is able to control the state of input and output of GPIOs using REST API. The project is available on the link: [Project weekend - GPIO Server][1] @@ -24,36 +28,45 @@ In the REST API we used following methods: - Put - Patch -To control GPIOs on the RPI we need only `Get` and `Patch` methods, other methods are used in the same way - `Options` is used for exceptions. +To control GPIOs on the RPI we need only `Get` and `Patch` methods, other +methods are used in the same way - `Options` is used for exceptions. -I assume you have already installed Robot Framework. If the response is "NO", I would encourage you to read the [Installation paragraph][2] It is official documentation for Robot Framework. Next, we can install requests libraries. `Collections` library is a standard built-in library. Use below commands to install libs. +I assume you have already installed Robot Framework. If the response is "NO", I +would encourage you to read the [Installation paragraph][2] It is official +documentation for Robot Framework. Next, we can install requests libraries. +`Collections` library is a standard built-in library. Use below commands to +install libs. -``` +```bash apt-get install python-pip pip install -U requests pip install -U robotframework-requests Now we can prepare RPI image. Install ``` -`RASPBIAN STRETCH WITH DESKTOP` from [download link][3]. It is a very good solution because we can control also GPIOs using buttons. +`RASPBIAN STRETCH WITH DESKTOP` from [download link][3]. It is a very good +solution because we can control also GPIOs using buttons. -![](/img/web_browser_control.png) +![img](/img/web_browser_control.png) -I hope that instruction of installation process is sufficient, so I will not duplicate the description. Take a few minutes to prepare the pin configuration and restart gpio server: +I hope that instruction of installation process is sufficient, so I will not +duplicate the description. Take a few minutes to prepare the pin configuration +and restart gpio server: -``` +```bash sudo service gpio-server restart ``` For running server go to Pi-GPIO-Server and type: -``` +```bash python pi_gpio_server.py ``` -Now, we can start writing code for GPIO control using REST API and Robot Framework. +Now, we can start writing code for GPIO control using REST API and Robot +Framework. -``` +```bash *** Settings *** *** Variables *** @@ -63,32 +76,40 @@ Now, we can start writing code for GPIO control using REST API and Robot Framewo *** Keywords *** ``` -Run RPi and check for its IP address. We will use IP for connection with API server. My RPI has IP: 192.168.0.46. The documentation says that server runs on `5000` port. So we can prepare URL variable. On `Variables` section type: +Run RPi and check for its IP address. We will use IP for connection with API +server. My RPI has IP: 192.168.0.46. The documentation says that server runs on +`5000` port. So we can prepare URL variable. On `Variables` section type: -``` +```bash ${URL} http://192.168.0.46:5000 ``` Let's run the first test -`Get signals`. Firstly we should create a session for request control in Robot Framework. To create the session we use the keyword `Create session` with parameters `alias`, `URL` and optional `verify`. [How to create session][5] +`Get signals`. Firstly we should create a session for request control in Robot +Framework. To create the session we use the keyword `Create session` with +parameters `alias`, `URL` and optional `verify`. [How to create session][5] -``` +```bash *** Test Cases *** Get signal Create Session gpio_server ${URL} verify=True ``` -We will use `alias` for all keywords which work on URL. All sessions should be closed using the keyword `Delete All Sessions`. Next, we need a header, which should be sent with the request. One of the methods for creating header looks like: +We will use `alias` for all keywords which work on URL. All sessions should be +closed using the keyword `Delete All Sessions`. Next, we need a header, which +should be sent with the request. One of the methods for creating header looks +like: -``` +```bash Create Dictionary Content-Type=application/json Accept=application/json ``` -A good trick is assigning headers to the variable. To check the value of GPIO, special GET method is prepared. [Documentation][6] tells: +A good trick is assigning headers to the variable. To check the value of GPIO, +special GET method is prepared. [Documentation][6] tells: -``` +```bash Read a single pin GET: /api/v1/pin/:num @@ -96,15 +117,17 @@ GET: /api/v1/pin/:num Let's implement it in another way: -``` +```bash ${pin}= Get Request gpio_server /api/v1/pin/18 ${headers} ``` -As I said, `alias` is very important because it defines on which session we send requests. For observing results Robot Framework has special keyword. Its name is `Log`. +As I said, `alias` is very important because it defines on which session we send +requests. For observing results Robot Framework has special keyword. Its name is +`Log`. Whole test look like this: -``` +```bash *** Settings *** Library RequestsLibrary Library Collections @@ -126,7 +149,7 @@ Delete All Sessions To get all signals you can only type hyperlink without the pin number. Example: -``` +```bash Get signals Create Session gpio_server ${URL} verify=True ${headers}= Create Dictionary Content-Type=application/json Accept=application/json @@ -136,15 +159,16 @@ Log ${pinout.json()} That was the easier part of our script. -To set a high or low state for GPIOs you should use `patch` method. The first step is creating a dictionary with value to send. It is not difficult: +To set a high or low state for GPIOs you should use `patch` method. The first +step is creating a dictionary with value to send. It is not difficult: -``` +```bash ${message}= Create Dictionary value 0 ``` `Patch` request requires message data to send. -``` +```bash Set 0 signals Create Session gpio_server ${URL} verify=True ${headers}= Create Dictionary Content-Type=application/json Accept=application/json @@ -154,11 +178,12 @@ Log ${pin.json()} Delete All Sessions ``` -We can use the same test to set the high state on GPIO. As an indicator, I used LED diodes and resistors in series connection. +We can use the same test to set the high state on GPIO. As an indicator, I used +LED diodes and resistors in series connection. The full version of my code: -``` +```bash *** Settings *** Library RequestsLibrary Library Collections @@ -197,17 +222,22 @@ ${pinout}= Get Request gpio_server /api/v1/pin ${headers} Log ${pinout.json()} ``` -This code is not in perfect form, but it's not the subject of this article. So polishing is left to the reader. RF generates very readable reports after all tests are done. +This code is not in perfect form, but it's not the subject of this article. So +polishing is left to the reader. RF generates very readable reports after all +tests are done. Reports look like this: +![img](/img/report.png) -![](/img/report.png) - -You can see that Robot Framework is very easy to use environment for testing REST API. All methods (e.g. POST and Patch) are the same in use. If you need help with implementing tests you can ask me or chat with users on Slack -`requests` channel on the robot-framework group. I help new users, whenever I can, and also sometimes I'm the one looking for help. +You can see that Robot Framework is very easy to use environment for testing +REST API. All methods (e.g. POST and Patch) are the same in use. If you need +help with implementing tests you can ask me or chat with users on Slack +-`requests` channel on the robot-framework group. I help new users, whenever I +can, and also sometimes I'm the one looking for help. - [1]: https://github.com/projectweekend/Pi-GPIO-Server - [2]: http://robotframework.org/robotframework/latest/RobotFrameworkUserGuide.html#installation-instructions - [3]: https://www.raspberrypi.org/downloads/ - [5]: https://marketsquare.github.io/robotframework-requests/doc/RequestsLibrary.html#Create%20Custom%20Session - [6]: https://github.com/projectweekend/Pi-GPIO-Server#read-a-single-pin +[1]: https://github.com/projectweekend/Pi-GPIO-Server +[2]: http://robotframework.org/robotframework/latest/RobotFrameworkUserGuide.html#installation-instructions +[3]: https://www.raspberrypi.org/downloads/ +[5]: https://marketsquare.github.io/robotframework-requests/doc/RequestsLibrary.html#Create%20Custom%20Session +[6]: https://github.com/projectweekend/Pi-GPIO-Server#read-a-single-pin diff --git a/blog/content/post/2018-03-20-flashing-emmc-on-hummingboard-edge-using-fastboot-part-1.md b/blog/content/post/2018-03-20-flashing-emmc-on-hummingboard-edge-using-fastboot-part-1.md index 7ff24b94..8f1c3d24 100644 --- a/blog/content/post/2018-03-20-flashing-emmc-on-hummingboard-edge-using-fastboot-part-1.md +++ b/blog/content/post/2018-03-20-flashing-emmc-on-hummingboard-edge-using-fastboot-part-1.md @@ -17,7 +17,8 @@ categories: - Firmware - App Dev --- -# Introduction + +## Introduction Flashing an eMMC of produced board is one of the crucial manufacturing procedures. This post series presents how one can take advantage of i.MX6 @@ -27,7 +28,7 @@ to use process. Target reference platform is [Hummingboard Edge](https://www.digikey.ch/htmldatasheets/production/1923179/0/0/1/srmx6sowt1d512e008e00ch.html). -# General concept +## General concept The general concept is inspired by [this great bootlin (former FreeElectrons) post:](https://bootlin.com/blog/factory-flashing-with-u-boot-and-fastboot-on-freescale-i-mx6/) @@ -36,13 +37,13 @@ Edge, so decided to share my experience. The general flow looks like: -* Load `U-Boot` to DDR using Serial Download Protocol -* `U-Boot` enters fastboot mode -* Pull in the image via fastboot protocol +- Load `U-Boot` to DDR using Serial Download Protocol +- `U-Boot` enters fastboot mode +- Pull in the image via fastboot protocol In the first post, we will focus on loading `U-Boot` to DDR using SDP. -# Hardware preparation +## Hardware preparation Before we start, we need to prepare hardware first. HB Edge has USBOTG signals connected to the upper back USB-A connector: @@ -52,17 +53,16 @@ connected to the upper back USB-A connector: To utilize it we should prepare cable as suggested by the [SolidRun wiki](https://wiki.solid-run.com/doku.php?id=products:imx6:microsom:imx6-fuse) -They suggest cutting two USB cables in half to create USB-A male-male cable. -To make things easier we can buy one of those directly. An example of such is +They suggest cutting two USB cables in half to create USB-A male-male cable. To +make things easier we can buy one of those directly. An example of such is [this one](https://www.amazon.com/UGREEN-Transfer-Enclosures-Printers-Cameras/dp/B00P0E394U/ref=sr_1_1?s=pc&ie=UTF8&qid=1516106592&sr=1-1&refinements=p_n_feature_eight_browse-bin%3A15562492011) We still need one more rework: -* Remove the main insulation from the middle of the cable, -* Cut the power wire (usually the read one), -* Solder it back with additional series resistance. SolidRun suggest to use - 1-10 Ohms. I am using 2x10 Ohm resistors in parallel which gives me around 5 - Ohms. +- Remove the main insulation from the middle of the cable, +- Cut the power wire (usually the read one), +- Solder it back with additional series resistance. SolidRun suggest to use 1-10 + Ohms. I am using 2x10 Ohm resistors in parallel which gives me around 5 Ohms. Resistors soldered on prototype board: @@ -78,26 +78,26 @@ on HB Edge board). Now we should check whether the cable was prepared correctly. If it is, the USB device should be detected as Freescale SoC in Recovery Mode: -``` +```bash Bus 002 Device 002: ID 15a2:0061 Freescale Semiconductor, Inc. i.MX 6Solo/6DualLite SystemOnChip in RecoveryMode ``` It may be convenient to set up an `udev` rule right away, so we can have access to device as a user later: -``` +```bash echo 'SUBSYSTEM =="usb", ATTRS{idVendor}=="15a2", ATTRS{idProduct}=="0061" , MODE="0666"' | sudo tee /etc/udev/rules.d/51-fsl-flashing.rules ``` -# imx-usb-loader +## imx-usb-loader This is an open-source alternative to NXP `mfgtool`, which allows sending binaries over UART or USB. Getting `imx_usb_loader`: -``` +```bash sudo apt-get install libusb-dev libusb-1.0 git clone git@github.com:boundarydevices/imx_usb_loader.git cd imx_usb_loader @@ -119,7 +119,7 @@ release. I'm using the most recent v2018.01. Following additional configuration options have to be selected to enable SDP support in U-Boot: -``` +```bash CONFIG_SPL_USB_HOST_SUPPORT=y CONFIG_SPL_USB_GADGET_SUPPORT=y CONFIG_SPL_USB_SDP_SUPPORT=y @@ -128,18 +128,19 @@ CONFIG_USB_GADGET_DOWNLOAD=y CONFIG_USB_FUNCTION_SDP=y ``` -## Load SPL and u-boot.img separately +### Load SPL and u-boot.img separately -* Copy `SPL` and `u-boot.img` output files to the root directory of the -`imx_usb_loader` tool -* Send `SPL` via USB: -``` +- Copy `SPL` and `u-boot.img` output files to the root directory of the + `imx_usb_loader` tool +- Send `SPL` via USB: + +```bash ./imx_usb SPL ``` output: -``` +```bash config file <.//imx_usb.conf> vid=0x066f pid=0x3780 file_name=mx23_usb_work.conf vid=0x15a2 pid=0x004f file_name=mx28_usb_work.conf @@ -183,9 +184,9 @@ succeeded (status 0x88888888) jumping to 0x00907400 ``` -* HB serial console output will show: +- HB serial console output will show: -``` +```bash U-Boot SPL 2018.01-00001-gceb4ce4f78fb-dirty (Jan 16 2018 - 15:04:11) Trying to boot from USB SDP SDP: initialize... @@ -197,26 +198,26 @@ the USB device seen by host PC will change. In my case it changed from: -``` +```bash Bus 003 Device 013: ID 15a2:0061 Freescale Semiconductor, Inc. i.MX 6Solo/6DualLite SystemOnChip in RecoveryMode ``` to: -``` +```bash Bus 003 Device 014: ID 0000:0fff ``` -It does not look like a proper USB device VID / PID pair. -Even if we set those in `imx_usb.conf`: +It does not look like a proper USB device VID / PID pair. Even if we set those +in `imx_usb.conf`: -``` +```bash echo '0x0000:0x0fff, mx6_usb_sdp_spl.conf' >> imx_usb.conf ``` We are getting following error message from the tool: -``` +```bash vid/pid cannot be 0: mx6_usb_sdp_spl.conf [0x0000:0x0fff, mx6_usb_sdp_spl.conf ] @@ -228,14 +229,14 @@ The states that those values should be set by configuration options: `CONFIG_G_DNL_(VENDOR|PRODUCT)_NUM` and it should default to: -``` +```bash 0x1b67:0x4fff, mx6_usb_sdp_spl.conf ``` -Grepping `U-Boot` sources shows only a few of those options in some of the -board config files: +Grepping `U-Boot` sources shows only a few of those options in some of the board +config files: -``` +```bash ./configs/chromebook_minnie_defconfig:CONFIG_G_DNL_VENDOR_NUM=0x2207 ./configs/fennec-rk3288_defconfig:CONFIG_G_DNL_VENDOR_NUM=0x2207 ./configs/rock2_defconfig:CONFIG_G_DNL_VENDOR_NUM=0x2207 @@ -253,22 +254,22 @@ board config files: Quick search through configuration options shows that gadget USB VID / PID is set through following options: -``` +```bash config USB_GADGET_VENDOR_NUM - hex "Vendor ID of the USB device" - default 0x1f3a if ARCH_SUNXI - default 0x0 - help - Vendor ID of the USB device emulated, reported to the host device. - This is usually the board or SoC vendor's, unless you've registered - for one. + hex "Vendor ID of the USB device" + default 0x1f3a if ARCH_SUNXI + default 0x0 + help + Vendor ID of the USB device emulated, reported to the host device. + This is usually the board or SoC vendor's, unless you've registered + for one. config USB_GADGET_PRODUCT_NUM - hex "Product ID of the USB device" - default 0x1010 if ARCH_SUNXI - default 0x0 - help - Product ID of the USB device emulated, reported to the host device. + hex "Product ID of the USB device" + default 0x1010 if ARCH_SUNXI + default 0x0 + help + Product ID of the USB device emulated, reported to the host device. ``` The strange thing to me is that PID defaults to 0x0, while in my case it is @@ -276,15 +277,16 @@ detected as `0x0000:0x0fff`. Setting those to the ones as described in the documentation: -``` +```bash CONFIG_USB_GADGET_VENDOR_NUM=0x1b67 CONFIG_USB_GADGET_PRODUCT_NUM=0x4fff ``` Gives us following results: -* `lsusb` output gives following output: -``` +- `lsusb` output gives following output: + +```bash Bus 003 Device 010: ID 1b67:5ffe ``` @@ -297,22 +299,22 @@ and above information applies there as well. In this case, we are able to flash `u-boot.img` via SDP. -On more thing to do before flashing `u-boot.img` is to add VID / PID pair -to `imx_usb` config: +On more thing to do before flashing `u-boot.img` is to add VID / PID pair to +`imx_usb` config: -``` +```bash echo '0x1b67:0x5ffe, mx6_usb_sdp_spl.conf' >> imx_usb.conf ``` Now we can download `SPL` and `u-boot.img` with command below: -``` +```bash ./imx_usb SPL && sleep 1 && ./imx_usb u-boot.img ``` output of `u-boot.img` booting: -``` +```bash U-Boot SPL 2018.01-00272-g0434429f989d (Jan 18 2018 - 12:56:59) Trying to boot from USB SDP SDP: initialize... @@ -368,7 +370,7 @@ FEC Waiting for PHY auto negotiation to complete. The interesting thing is that whenever we enter `U-Boot` prompt and enter `SDP` mode: -``` +```bash => sdp sdp - Serial Downloader Protocol @@ -383,28 +385,28 @@ SDP: handle requests... The USB PID seen by my host PC changes to the one set in the configuration: -``` +```bash Bus 003 Device 025: ID 1b67:4fff ``` -## Load SPL and u-boot.img in one run +### Load SPL and u-boot.img in one run It is possible to download both `SPL` and `u-boot.img` with one `imx_usb` command execution. To do that, we need to create configuration files with following content: -* `imx_usb.conf`: +- `imx_usb.conf`: -``` +```bash cat << EOF > imx_usb.conf #vid:pid, config_file 0x15a2:0x0061, mx6_usb_rom.conf, 0x1b67:0x5ffe, mx6_usb_sdp_spl.conf EOF ``` -* `mx6_usb_rom.conf` +- `mx6_usb_rom.conf` -``` +```bash cat << EOF > mx6_usb_rom.conf mx6_qsb hid,1024,0x910000,0x10000000,1G,0x00900000,0x40000 @@ -412,9 +414,9 @@ SPL:jump header2 EOF ``` -* `mx6_usb_sdp_spl.conf`: +- `mx6_usb_sdp_spl.conf`: -``` +```bash cat << EOF > mx6_usb_sdp_spl.conf mx6_spl_sdp hid,uboot_header,1024,0x10000000,1G,0x00907000,0x31000 @@ -427,7 +429,7 @@ Above configuration files are also present in With such configuration in place, calling `./imx_usb` gives following output: -``` +```bash config file <.//imx_usb.conf> vid=0x15a2 pid=0x0061 file_name=mx6_usb_rom.conf -> vid=0x1b67 pid=0x5ffe file_name=mx6_usb_sdp_spl.conf @@ -479,15 +481,15 @@ and the board boots with `U-Boot` as shown previously. ## Summary -* `imx_usb_loader` is really handy tool for downloading binaries (especially - the bootloader) directly into memory. -* I've run into some strange behavior of `U-Boot` USB Gadget device `PID`. I +- `imx_usb_loader` is really handy tool for downloading binaries (especially the + bootloader) directly into memory. +- I've run into some strange behavior of `U-Boot` USB Gadget device `PID`. I will try to track down what really happens in the code there. -* I've run into some outdated `U-Boot` documentation. I can try updating it. -* Configuration files for `imx_usb_loader` can be found at +- I've run into some outdated `U-Boot` documentation. I can try updating it. +- Configuration files for `imx_usb_loader` can be found at [3mdeb fork](https://github.com/3mdeb/imx_usb_loader/commit/f720ad599c2b1f4e7d90f7e5c5378e97172db185) -* Final configuration of `U-Boot` target for Hummingboard Edge which adds `SDP` +- Final configuration of `U-Boot` target for Hummingboard Edge which adds `SDP` support can be found on [3mdeb fork](https://github.com/3mdeb/u-boot/commit/5f34b679439978f7eeb29a2f52b9c81a68766b82) -* I am going to present next steps towards our goal in an upcoming post from +- I am going to present next steps towards our goal in an upcoming post from this series. diff --git a/blog/content/post/2018-03-23-minnowboard-turbot-remote-firmware-flashing-with-remote-testing-environment.md b/blog/content/post/2018-03-23-minnowboard-turbot-remote-firmware-flashing-with-remote-testing-environment.md index eebe7c2b..cc88c630 100644 --- a/blog/content/post/2018-03-23-minnowboard-turbot-remote-firmware-flashing-with-remote-testing-environment.md +++ b/blog/content/post/2018-03-23-minnowboard-turbot-remote-firmware-flashing-with-remote-testing-environment.md @@ -18,45 +18,43 @@ categories: --- -# Minnowboard Turbot remote firmware flashing with RTE (Remote Testing Environment) +## Minnowboard Turbot remote firmware flashing with RTE (Remote Testing Environment) ## Introduction Work related to a hardware carries some restrictions which don't occur when -working only with a software. One of them is a limited number of devices. -This one may cause a problem with a accessibility to the platform. The limited -number of users could slow development and testing. What is more work with -a hardware requires a minimal knowledge of the theory of circuits and signals -to eliminate platform damage by a user. Hardware can be expensive too. - -Remote Testing Environment project was made to resolve mentioned problems. -The result of work is shown below: -![](/img/rte1-1.jpg) -![](/img/rte2-1.jpg) - -That platform makes possible to work on a hardware remotely. -RTE connected to the tested device can provide some more advantages like: - -* Possibility to built testing system only once and place it in separated -and secure place. -* Advantage described above allows to keep order and eliminate time wasting -for items search and connect. -* Reduced number of hardware requirements for the user. Now he needs only a -computer with a network connection and installed tools. +working only with a software. One of them is a limited number of devices. This +one may cause a problem with a accessibility to the platform. The limited number +of users could slow development and testing. What is more work with a hardware +requires a minimal knowledge of the theory of circuits and signals to eliminate +platform damage by a user. Hardware can be expensive too. + +Remote Testing Environment project was made to resolve mentioned problems. The +result of work is shown below: ![img](/img/rte1-1.jpg) ![img](/img/rte2-1.jpg) + +That platform makes possible to work on a hardware remotely. RTE connected to +the tested device can provide some more advantages like: + +- Possibility to built testing system only once and place it in separated and + secure place. +- Advantage described above allows to keep order and eliminate time wasting for + items search and connect. +- Reduced number of hardware requirements for the user. Now he needs only a + computer with a network connection and installed tools. Selected RTE functionality: -* SPI with a header, -* I2C with a header, -* RS232, -* OC buffer outputs header, -* GPIO, -* USB, -* built-in relay with DC Jack 2.5/5.5 mm connectors to DUT power supply control. +- SPI with a header, +- I2C with a header, +- RS232, +- OC buffer outputs header, +- GPIO, +- USB, +- built-in relay with DC Jack 2.5/5.5 mm connectors to DUT power supply control. Remote Testing Environment is open source hardware project based on the CERN -license. You can download schematic files from [here](https://github.com/3mdeb/rte-schematics) -and use it for your own. Enjoy! +license. You can download schematic files from +[here](https://github.com/3mdeb/rte-schematics) and use it for your own. Enjoy! ## RTE + Minnowboard Turbot @@ -65,16 +63,16 @@ the RTE. ### Connection -![](/img/rte-mwb-1.jpg) +![img](/img/rte-mwb-1.jpg) -* Power supply +- Power supply 5 V power supply for Minnowboard Turbot was connected to the RTE `J12` -connector. Then, DC Jack - DC Jack wire was connected to the `J13` of RTE and -to the `J9` of Minnowboard. That configuration allows controlling power supply +connector. Then, DC Jack - DC Jack wire was connected to the `J13` of RTE and to +the `J9` of Minnowboard. That configuration allows controlling power supply remotely. -* SPI +- SPI | Minnowboard J1 | Color | RTE | |:--------------:|:-------------:|:------------------------:| @@ -87,7 +85,7 @@ remotely. | 7 | - | NC | | 8 | - | NC | -* UART debug +- UART debug | Minnowboard J4 | Color | UART-USB converter | |:--------------:|:-------------:|:------------------:| @@ -98,28 +96,26 @@ remotely. | 5 | yellow | RX | | 6 | - | NC | - There was one but important problem with the built system. Memory flashing was realized correctly, but Minnowboard doesn't boot. The source of the problem was `CS#` signal. It was set to `0`, so memory was always enabled, but it was not enough. Minnowboard still doesn't boot. So I decided to use an oscilloscope. That analysis showed me that Minnowboard Turbot doesn't set memory chip's `CS#` -input to `0` all the time. It changes over the time. Mostly `CS#` is set -to `0`, but periodically it's being set to `1`. +input to `0` all the time. It changes over the time. Mostly `CS#` is set to `0`, +but periodically it's being set to `1`. Time analysis of the `CS#` states seemed to be too time-consuming and trying -correct control of the `CS#` lines too inflexible in the event of changes. -I needed to reduce the impact of the `CS#` RTE output to make it a Minnowboard -Turbot took precedence in choosing the state of the `CS#` line. -I decided to use 1.2 kΩ resistor between RTE `CS#` output and Minnowboard -Turbot `CS#` input and this was a good idea. +correct control of the `CS#` lines too inflexible in the event of changes. I +needed to reduce the impact of the `CS#` RTE output to make it a Minnowboard +Turbot took precedence in choosing the state of the `CS#` line. I decided to use +1.2 kΩ resistor between RTE `CS#` output and Minnowboard Turbot `CS#` input and +this was a good idea. -After resolving `CS#` problem, flashing procedure is very simple. -It amounts to: +After resolving `CS#` problem, flashing procedure is very simple. It amounts to: 1. Turn off the Minnowboard platform power supply. -2. Flash Minnowboard ROM memory via SPI. -3. Turn on Minnowboard platform power supply. +1. Flash Minnowboard ROM memory via SPI. +1. Turn on Minnowboard platform power supply. And it's that all. @@ -131,9 +127,9 @@ I used 2 version of firmware to test presented Remote Testing Environment: [MNW2MAX1.X64.0097.D01.1709211100.bin](https://firmware.intel.com/sites/default/files/MinnowBoard_MAX-Rel_0_97-Firmware.Images.zip). - Code of flashing script (`flash_mw.sh`): -```sh + +```bashsh #!/bin/bash # turn off Minnowboard platform power supply @@ -150,9 +146,10 @@ sleep 1 echo 1 > /sys/class/gpio/gpio199/value ``` -To verify correctness of firmware flashing executed by RTE I saved -UEFI Shell logs received before flashing process: -``` +To verify correctness of firmware flashing executed by RTE I saved UEFI Shell +logs received before flashing process: + +```bash UEFI Interactive Shell v2.187477C2-69C7-11D2-8E39-00A0C969723B 767BCCA0 EDK IIlProtocolInterface: 752F3136-4E16-4FDC-A22A-E5F46812F4CA 767BDC58 UEFI v2.50 (EDK II, 0x00010000)008-7F9B-4F30-87AC-60C9FEF5DA4E 77D637C0 @@ -161,19 +158,22 @@ Press ESC in 1 seconds to skip startup.nsh or any other key to continue.MnpSyncS Shell> ``` -Then I saved flashing in RTE `/root/` directory and executed it. -Syntax is following: -```sh +Then I saved flashing in RTE `/root/` directory and executed it. Syntax is +following: + +```bashsh ./flash_mw.sh ``` -```sh +```bashsh sudo chmod a+x flash_mw.sh ./flash_mw.sh MNW2MAX1.X64.0097.D01.1709211100.bin ``` -Minnowboard Turbot was turned off, flashed and later turned on. -UEFI Shell prompt which I received after Minnowboard Turbot firmware flash: -``` + +Minnowboard Turbot was turned off, flashed and later turned on. UEFI Shell +prompt which I received after Minnowboard Turbot firmware flash: + +```bash UEFI Interactive Shell v2.287477C2-69C7-11D2-8E39-00A0C969723B 76D720A0 EDK IIlProtocolInterface: 752F3136-4E16-4FDC-A22A-E5F46812F4CA 76D71F18 UEFI v2.60 (EDK II, 0x00010000)008-7F9B-4F30-87AC-60C9FEF5DA4E 7823DCE0 @@ -183,62 +183,68 @@ Shell> ``` As you can see, firmware flashing process carried out by RTE finished -successfully. Minnowboard Turbot boots correctly to the UEFI Shell. -Firmware version was updated. Before flashing was `UEFI v2.50 ` after -is `UEFI v2.60`. +successfully. Minnowboard Turbot boots correctly to the UEFI Shell. Firmware +version was updated. Before flashing was `UEFI v2.50` after is `UEFI v2.60`. ## Firmware flashing tests After successfully Minnowboard Turbot firmware flashing and correctly platform booting I decided to go one step ahead and write flashing and booting tests -using Robot Framework. RTE can be controlled using SSH and has redirected -serial port via telnet, so tests can be launched on any computer with installed +using Robot Framework. RTE can be controlled using SSH and has redirected serial +port via telnet, so tests can be launched on any computer with installed required software. The test which I wrote, copies the firmware file to RTE and flashes Minnowboard Turbot via SPI using `flashrom`. Robot Framework ensures logs what is really useful in the validation process. Test start script syntax: -```sh + +```bashsh ./start.sh ``` + IP of RTE which I used: -``` + +```bash = 192.168.3.156 ``` The entire test launch procedure is shown below. Create and run virtual environment for test: -```sh + +```bashsh virtualenv robot-venv cd robot-venv source local/bin/activate ``` Install Robot Framework in the virtual environment: -```sh + +```bashsh pip install robotframework pip install --upgrade robotframework-sshlibrary ``` Get test files from our repository: -```sh + +```bashsh git clone https://github.com/3mdeb/minnowboard-rte.git ``` And launch test. Remember to give the correct directory to ROM file which you want to use: -```sh + +```bashsh cd minnowboard-rte ./start.sh 192.168.3.156 MNW2MAX1.X64.0097.D01.1709211100.bin ``` ### Results -``` +```bash (robot-venv) acihy@acihy:~/projects/rte/robot-venv/minnowboard-rte$ ./start.sh 192.168.3.156 MNW2MAX1.X64.0097.D01.1709211100.bin ============================================================================== -Rom Flash +Rom Flash ============================================================================== FLASH1.1 Minnowboard ROM flash test | PASS | ------------------------------------------------------------------------------ @@ -253,39 +259,38 @@ Output: /home/acihy/projects/rte/robot-venv/minnowboard-rte/output.xml Log: /home/acihy/projects/rte/robot-venv/minnowboard-rte/log.html Report: /home/acihy/projects/rte/robot-venv/minnowboard-rte/report.html ``` -Test logs in HTML file: -![](/img/test-rte-mwb-log.png) + +Test logs in HTML file: ![img](/img/test-rte-mwb-log.png) It means that Minnowboard Turbot firmware flashing process ran correctly and -then platform booted to the UEFI Shell. Test finished with a success, -everything works. +then platform booted to the UEFI Shell. Test finished with a success, everything +works. ## Other platforms -Minnowboard Turbot is not the only platform which we connected with RTE. -We built a remote testing system with PC Engines APU platforms too. -That solution resolved a problem with constantly moving platforms. -Before RTE usage, every activity related to PC Engines APUs was linked -with platform and power supply searching, connecting wires, finding a place -on a table for a system under test. After we connected PC Engines platforms -with RTE there is not necessary to do that anymore. We placed every -RTE + PC Engines APU system in our laboratory. Now we can develop firmware -and test platforms without constantly leaving the computer. Trust me, it's -very comfortable. +Minnowboard Turbot is not the only platform which we connected with RTE. We +built a remote testing system with PC Engines APU platforms too. That solution +resolved a problem with constantly moving platforms. Before RTE usage, every +activity related to PC Engines APUs was linked with platform and power supply +searching, connecting wires, finding a place on a table for a system under test. +After we connected PC Engines platforms with RTE there is not necessary to do +that anymore. We placed every RTE + PC Engines APU system in our laboratory. Now +we can develop firmware and test platforms without constantly leaving the +computer. Trust me, it's very comfortable. ## Conclusion Remote work with hardware could be just as comfortable as work with only -software without losing most of the functionality. All you have to do is -to build earlier a system for a platform which you want to test. Our RTE proved +software without losing most of the functionality. All you have to do is to +build earlier a system for a platform which you want to test. Our RTE proved that it is possible. I hope that the solution presented in this article convinced you too. -This solution allows to work remotely but it isn't the only advantage. -The next one is to automatize tasks performed by humans. Tedious and repetitive -activities can be done by machine e.g. RTE. Automation can save employees time. -Every saved time is valuable and can help to increase profits. +This solution allows to work remotely but it isn't the only advantage. The next +one is to automate tasks performed by humans. Tedious and repetitive activities +can be done by machine e.g. RTE. Automation can save employees time. Every saved +time is valuable and can help to increase profits. -The number of platforms connected to RTE in our laboratory still increases. -I am convinced that this will not change in the near future. I will write it -again, it's comfortable. +The number of platforms connected to RTE in our laboratory still increases. I am +convinced that this will not change in the near future. I will write it again, +it's comfortable. diff --git a/blog/content/post/2018-04-03-EDK2-based-firmware-on-MinnowBoard.md b/blog/content/post/2018-04-03-EDK2-based-firmware-on-MinnowBoard.md index 4d0af30c..6c4b1e74 100644 --- a/blog/content/post/2018-04-03-EDK2-based-firmware-on-MinnowBoard.md +++ b/blog/content/post/2018-04-03-EDK2-based-firmware-on-MinnowBoard.md @@ -11,30 +11,29 @@ tags: - minnowboard categories: - firmware + --- -Building EDK2 based firmware for MinnowBoard -============================================ +## Building EDK2 based firmware for MinnowBoard -There are some options to build firmware for MinnowBoard, a Bay Trail based -SBC (Single Board Computer) from Intel. We prefer usually coreboot as simplest -and fastest, open source solution, but sometimes we want to have UEFI -interface. +There are some options to build firmware for MinnowBoard, a Bay Trail based SBC +(Single Board Computer) from Intel. We prefer usually coreboot as simplest and +fastest, open source solution, but sometimes we want to have UEFI interface. UEFI itself doesn't cover whole boot procedure, so its open source reference -implementation, EDK2 is not enough to build firmware for hardware plafrorm, -we need to provide PI (Platform Initialization) phase implementation. In EDK2 +implementation, EDK2 is not enough to build firmware for hardware plafrorm, we +need to provide PI (Platform Initialization) phase implementation. In EDK2 repository we can find only implementation for virtualization (OVMF), this -option is covered in [this article](https://3mdeb.com/firmware/uefi-application-development-in-ovmf/#.WsOfOkuxVuE). +option is covered in +[this article](https://3mdeb.com/firmware/uefi-application-development-in-ovmf/#.WsOfOkuxVuE). coreboot could be used to provide PI phase, but this procedure is mostly covered -in [article on building coreboot for MinnowBoard](#Umiescic_link_tutaj), only we -need to choose Tianocore payload. In this article we cover building UEFI +in [article on building coreboot for MinnowBoard](/2018/2018-04-17-building-coreboot-on-minnowboard-turbot/), +only we need to choose Tianocore payload. In this article we cover building UEFI firmware using binary objects from Intel. Whole procedure can be done using following script: - -``` +```bash #!/bin/sh -xe if [[ "$1" == "init" ]]; then @@ -58,14 +57,14 @@ docker run --rm -it -w /home/edk2 -v $PWD/edk2:/home/edk2/edk2 \ in edk2-platforms repository we find open-source part of PI for various platforms including MinnowBoard. However we need also some closed code from -Intel's site, which contains IP (Intelectual Property). Finaly we have to -fetch OpenSSL, which is another dependecy. +Intel's site, which contains IP (Intellectual Property). Finally we have to +fetch OpenSSL, which is another dependency. When all those components are ready, we can build. We use dedicated docker images to avoid toolchain compatibility problems. So running docker we mount `edk2` (main repository), `edk2-platforms` and cache directory to respective -mount points in the image (build script assume that they are all located in -the same directory). So we enter `edk2-platforms/Vlv2TbltDevicePkg/` and run +mount points in the image (build script assume that they are all located in the +same directory). So we enter `edk2-platforms/Vlv2TbltDevicePkg/` and run `source Build_IFWI.sh MNW2 Debug` (for DEBUG version). If build is successfully complete, we can find the image in `edk2-platforms/Vlv2TbltDevicePkg/Stitch/MNW2MAX_X64_D_0097_01_GCC.bin`. diff --git a/blog/content/post/2018-04-17-building-coreboot-on-minnowboard-turbot.md b/blog/content/post/2018-04-17-building-coreboot-on-minnowboard-turbot.md index 978ce17f..08ed5c12 100644 --- a/blog/content/post/2018-04-17-building-coreboot-on-minnowboard-turbot.md +++ b/blog/content/post/2018-04-17-building-coreboot-on-minnowboard-turbot.md @@ -14,25 +14,23 @@ categories: - firmware --- - Building coreboot on well supported platform such as Bay Trail is quite -straightforward task, however we need to remember about some things in -order to have coreboot working. First of all we need to provide up-to-date -microcode and FSP (Firmware Support Package), which are not included in -coreboot source tree and coreboot build system won't complain about it. -Second thing is that Bay Trail has TXE firmware on the same ROM as boot firmware -so we have to make sure that we won't corrupt it because it would brick the -platform. Except those we have standard procedure, we need to get a toolchain. - -Microcode ---------- - -Newest microcode can be found on https://cloud.3mdeb.com/index.php/s/0z5R4zMp605s7WK/download -We have to provide it because it's a condition for warranty for CPU. -It is provided as Intel-syntax assembly file with microcode as though -it was ordinary data: - -```asm +straightforward task, however we need to remember about some things in order to +have coreboot working. First of all we need to provide up-to-date microcode and +FSP (Firmware Support Package), which are not included in coreboot source tree +and coreboot build system won't complain about it. Second thing is that Bay +Trail has TXE firmware on the same ROM as boot firmware so we have to make sure +that we won't corrupt it because it would brick the platform. Except those we +have standard procedure, we need to get a toolchain. + +## Microcode + +Newest microcode can be found on + We have to +provide it because it's a condition for warranty for CPU. It is provided as +Intel-syntax assembly file with microcode as though it was ordinary data: + +```bashasm dd 000000001h ; Header Version dd 000000321h ; Patch ID dd 001142014h ; DATE @@ -54,7 +52,7 @@ dd 000000321h details of it's structure are confidential. However for coreboot we need to provide it as comma separated list of values in C-style format, like this: -```C +```bashC 0x000000001, 0x00000021d, 0x008122013, @@ -71,7 +69,7 @@ provide it as comma separated list of values in C-style format, like this: 0x0000000a1, ``` -We can easly download and convert it using simple script: +We can easily download and convert it using simple script: ```bash wget 'http://intel.ly/2yStb2e' -O MM-firmware.zip @@ -85,42 +83,40 @@ done cp *.h ../../../ ``` -FSP (Firmware Support Package) ---- +## FSP (Firmware Support Package) FSP is binary package from Intel dedicated to firmware developers containing most important platform initialization (including IP). However there is non-FSP version of coreboot for Bay Trail however it won't work without MRC (Memory -Reference Code) which is confidential (available for trusted vendors) so we won't -cover this option. +Reference Code) which is confidential (available for trusted vendors) so we +won't cover this option. -Intel sites redirect to https://github.com/IntelFsp/FSP (branch BayTrail) where -you can find it. We are interested mostly in BayTrailFspBinPkg/FspBin/BayTrailFSP.fd -which is file we have to provide to coreboot. FSP can be configured using BCT -(Binary Configuration Tools), which is optional — needed to enable Secure boot -and FastBoot. The tool is available only as Windows application, but works well -using Wine too. +Intel sites redirect to (branch BayTrail) +where you can find it. We are interested mostly in +BayTrailFspBinPkg/FspBin/BayTrailFSP.fd which is file we have to provide to +coreboot. FSP can be configured using BCT (Binary Configuration Tools), which is +optional — needed to enable Secure boot and FastBoot. The tool is available only +as Windows application, but works well using Wine too. In the same package you can find VgaBIOS which can be used too if you want to use graphic card: BayTrailFspBinPkg/Vbios/Vga.dat -ME region ---------- +## ME region Despite the name, ME region contains TXE firmware, as mentioned, we must not -corrupt it. The simplest way to avoid that is to read ROM layout from -original firmware image. In `utils/ifdtool` of coreboot source tree we can -find program for reading layout from ROM image. The image can be taken from -firmware package or read using flashrom, using SPI interface: +corrupt it. The simplest way to avoid that is to read ROM layout from original +firmware image. In `utils/ifdtool` of coreboot source tree we can find program +for reading layout from ROM image. The image can be taken from firmware package +or read using flashrom, using SPI interface: -```sh +```bashsh sudo flashrom -p dediprog -r minnow.rom ``` Note that you may need to adjust `-p` option according to used SPI programmer. Use `-p internal` if you use MinnowBoard's internal programmer. -```sh +```bashsh ~/code/coreboot> cd util/ifdtool/ ~/code/coreboot/util/ifdtool> make ~/code/coreboot/util/ifdtool> ./ifdtool -f ../../mb.layout minnow.rom @@ -135,73 +131,72 @@ Wrote layout to ../../mb.layout While flashing coreboot we should inform flashrom only to write `bios` region -```sh +```bashsh sudo flashrom -l mb.layout -i bios -p dediprog -w build/coreboot.rom ``` Be careful because this layout may vary between versions, so we should check it -for each version separately. For mass reproduction it could be usefull to read +for each version separately. For mass reproduction it could be useful to read original firmware, apply coreboot on that image and flash it as a whole on each device. In case of using wrong layout resulting in bricked platform flash stock firmware (or backup), reread layout and flash coreboot again. -Toolchain ---------- +## Toolchain coreboot needs specific versions of toolchain components, we have to take care of this. Makefile has rule for building toolchain: -```sh +```bashsh # make sure, we have all dependencies: apt-get install git build-essential gnat flex bison libncurses5-dev wget zlib1g-dev make crossgcc-i386 ``` -Despite the fact that that we usualy want to boot 64-bit OS, coreboot code is -compiled for 32-bit. Moreover we have noticed that there's problem with libpayload -on 64-bit toolchain. +Despite the fact that that we usually want to boot 64-bit OS, coreboot code is +compiled for 32-bit. Moreover we have noticed that there's problem with +libpayload on 64-bit toolchain. -However this procedure may be problematic. It may take much time on older machine -and compilation may fail on some GCC versions. It's much easier to use docker, -there is dedicated docker image with toolchain for coreboot: +However this procedure may be problematic. It may take much time on older +machine and compilation may fail on some GCC versions. It's much easier to use +docker, there is dedicated docker image with toolchain for coreboot: -``` +```bash sudo docker pull coreboot/coreboot-sdk:1.50 ``` -If you don't have intalled docker, please folow official guide: -https://docs.docker.com/install/ +If you don't have installed docker, please follow official guide: + There is also our image with additional FSP package (under default path): `3mdeb/coreboot-trainings-sdk:latest`. To run shell in docker environment: -```sh +```bashsh docker run -u root -it -v $PWD:/home/coreboot/coreboot --rm \ coreboot/coreboot-sdk:1.50 /bin/bash ``` -NOTE: remember that it works as root, so you may want to change owner of new files -after build. This command must be ran in coreboot direcotory (there is `$PWD` in -mount parameter `-v`). -Configuration -------------- +NOTE: remember that it works as root, so you may want to change owner of new +files after build. This command must be ran in coreboot directory (there is +`$PWD` in mount parameter `-v`). + +## Configuration coreboot is configured using `make menuconfig` similar to Linux Kernel (needs ncurses library). First in `Mainboard` menu we set platform: -``` +```bash Mainboard vendor (Intel) ---> Mainboard model (Minnow Max) ---> ``` Except of this we have to configure microcode and enable FSP in `Chipset` menu: -``` +```bash Include CPU microcode in CBFS (Include external microcode header files) ---> (M0130673321.h M0130679901.h M023067221D.h) List of space separated microcode header @@ -211,7 +206,7 @@ Include CPU microcode in CBFS (Include external microcode header files) ---> If we want to use VgaBIOS, we can configure it in `Devices`: -``` +```bash [*] Add a VGA BIOS image (../intel/cpu/baytrail/vbios/Vga.dat) VGA BIOS path and filename (NEW) ``` @@ -220,26 +215,24 @@ On x86 by default, coreboot chooses `SeaBIOS` as a payload so that it provides legacy BIOS interface. You may want to use one of other options: GRUB (well known, robust Open Source boot loader), Tianocore (UEFI), etc. -This is minimal configuration for MinnowBoard. However you probably want -to decrease log level (defualt 8:SPEW is much too verbose) in `Console` -menu: +This is minimal configuration for MinnowBoard. However you probably want to +decrease log level (default 8:SPEW is much too verbose) in `Console` menu: -``` +```bash Default console log level (5: NOTICE) ---> ``` -Build & Flash -------------- +## Build & Flash When configuration is complete, we can save it and run: -``` +```bash make ``` If everything goes well, output should end like this: -``` +```bash CBFSPRINT coreboot.rom Name Offset Type Size Comp @@ -265,40 +258,37 @@ Built intel/minnowmax (Minnow Max) So we can flash it. If you are using docker image, remember that it doesn't contain `flashrom` so you have to do that outside container: -``` +```bash sudo flashrom -l mb.layout -i bios -p dediprog -w build/coreboot.rom ``` -Conclusion ----------- +## Conclusion This procedure is pretty straightforward, but in practice turns out to cause -much trouble at first time. It also covers only most basic options. We are -open to help if you have problem with that. Also if you don't want to do that -we provide such a service. +much trouble at first time. It also covers only most basic options. We are open +to help if you have problem with that. Also if you don't want to do that we +provide such a service. -Building EDK2 based firmware for MinnowBoard -============================================ +## Building EDK2 based firmware for MinnowBoard -There are some options to build firmware for MinnowBoard, a Bay-Trail-based -SBC (Single Board Computer) from Intel. We usually prefer coreboot as simplest -and fastest, open source solution, but sometimes we want to have UEFI -interface. +There are some options to build firmware for MinnowBoard, a Bay-Trail-based SBC +(Single Board Computer) from Intel. We usually prefer coreboot as simplest and +fastest, open source solution, but sometimes we want to have UEFI interface. UEFI itself doesn't cover whole boot procedure, so its open source reference implementation, EDK2 is not enough to build firmware for hardware plafrorms so we need to provide PI (Platform Initialization) phase implementation. In EDK2 repository we can find only implementation for virtualization (OVMF), this -option is covered in [this article](https://3mdeb.com/firmware/uefi-application-development-in-ovmf/#.WsOfOkuxVuE). +option is covered in +[this article](https://3mdeb.com/firmware/uefi-application-development-in-ovmf/#.WsOfOkuxVuE). coreboot could be used to provide PI phase, but this procedure is mostly covered -in [the article on building coreboot for MinnowBoard](#Umiescic_link_tutaj), but we -need to choose Tianocore payload. In this article we cover building UEFI +in the article on building coreboot for MinnowBoard, but +we need to choose Tianocore payload. In this article we cover building UEFI firmware using binary objects from Intel. Whole procedure can be done using following script: - -``` +```bash #!/bin/sh -xe if [[ "$1" == "init" ]]; then @@ -322,14 +312,14 @@ docker run --rm -it -w /home/edk2 -v $PWD/edk2:/home/edk2/edk2 \ in edk2-platforms repository we find open-source part of PI for various platforms including MinnowBoard. However, we need also some closed code from -Intel's site, which contains IP (Intelectual Property). Finally we have to -fetch OpenSSL, which is another dependecy. +Intel's site, which contains IP (Intellectual Property). Finally we have to +fetch OpenSSL, which is another dependency. When all those components are ready, we can build. We use dedicated docker images to avoid toolchain compatibility problems. So running docker we mount `edk2` (main repository), `edk2-platforms` and cache directory to respective -mount points in the image (build script assume that they are all located in -the same directory). So we enter `edk2-platforms/Vlv2TbltDevicePkg/` and run -`source Build_IFWI.sh MNW2 Debug` (for DEBUG version). If the build is successfully -complete, we can find the image in +mount points in the image (build script assume that they are all located in the +same directory). So we enter `edk2-platforms/Vlv2TbltDevicePkg/` and run +`source Build_IFWI.sh MNW2 Debug` (for DEBUG version). If the build is +successfully complete, we can find the image in `edk2-platforms/Vlv2TbltDevicePkg/Stitch/MNW2MAX_X64_D_0097_01_GCC.bin`. diff --git a/blog/content/post/2018-04-27-the-art-of-disassembly.md b/blog/content/post/2018-04-27-the-art-of-disassembly.md index 7b8e9388..97ac88dc 100644 --- a/blog/content/post/2018-04-27-the-art-of-disassembly.md +++ b/blog/content/post/2018-04-27-the-art-of-disassembly.md @@ -13,174 +13,141 @@ categories: - programming --- -Probably there was never a programming language that would -fascinate me as much as assembly. In fact, it was my second -"real language" (after Pascal/Delphi and DOS batch) and the -first one I would really understand. Of course, the internals of -protected mode initialization was too much for 15-year-old -and I finally moved to C and *nix shell. Anyway, I always -liked the feeling that I know what I'm really doing but more -complex languages are needed nowadays. - -Having tried almost any popular language out there I enjoy -getting to very foundations of software and working with -disassembly every now and then. Reverse engineering and low -level debugging are pretty obvious applications for -disassembly, but having worked with it a little bit more -I came to the conclusion that power of working on that level is -much more. - -# What can we get? - -I've noticed that with good knowledge of environment we are -working with and right tools assembly code might be much -handier than getting through spaghetti code. There are -two reasons for that. - -The first reason is that when we've got binary, we've got -everything explicitly specified inconsistent address space. -While working with multi-platform code (like coreboot, Linux -kernel or EDK2) it's sometimes hard to tell which -implementation of the same function would be actually used, -because it's decided inbuilt system, based on distributed -configuration. In disassembly, we usually have only code -actually used and every reference is quite clear. - -Of course, in most cases, we have some sort of external code — -dynamic libraries, system calls, UEFI services. They are -external for a reason though. Also, their meaning is clearly -specified so we may treat those calls as the black box. Another -time we may use it to reason where data come in and out. - -The second reason is that assembly language is very simple. That's -why it's very hard to code in, but also very easy to interpret -automatically. One line per instruction. Most of the instructions -follow the same pattern — one operand read-only, the other -is modified according to it. It took me some 350 LOC in AWK -to take disassembly and tell for a jumpless piece of code how -data in registers and memory changes. Where possible, actual -values appear, where value depends on initial value, the complete -transformation is recorded. Of course, it's only prototype and -more advanced instructions are not yet supported, but it's -already promising. With proper jump support, we could reduce -multiple control switches into a minimal set of transformations -for given goal, even separate it from the rest of code. -However far it would go, doing a similar thing with higher -level language seems many times more complex. +Probably there was never a programming language that would fascinate me as much +as assembly. In fact, it was my second "real language" (after Pascal/Delphi and +DOS batch) and the first one I would really understand. Of course, the internals +of protected mode initialization was too much for 15-year-old and I finally +moved to C and \*nix shell. Anyway, I always liked the feeling that I know what +I'm really doing but more complex languages are needed nowadays. + +Having tried almost any popular language out there I enjoy getting to very +foundations of software and working with disassembly every now and then. Reverse +engineering and low level debugging are pretty obvious applications for +disassembly, but having worked with it a little bit more I came to the +conclusion that power of working on that level is much more. + +## What can we get? + +I've noticed that with good knowledge of environment we are working with and +right tools assembly code might be much handier than getting through spaghetti +code. There are two reasons for that. + +The first reason is that when we've got binary, we've got everything explicitly +specified inconsistent address space. While working with multi-platform code +(like coreboot, Linux kernel or EDK2) it's sometimes hard to tell which +implementation of the same function would be actually used, because it's decided +inbuilt system, based on distributed configuration. In disassembly, we usually +have only code actually used and every reference is quite clear. + +Of course, in most cases, we have some sort of external code — dynamic +libraries, system calls, UEFI services. They are external for a reason though. +Also, their meaning is clearly specified so we may treat those calls as the +black box. Another time we may use it to reason where data come in and out. + +The second reason is that assembly language is very simple. That's why it's very +hard to code in, but also very easy to interpret automatically. One line per +instruction. Most of the instructions follow the same pattern — one operand +read-only, the other is modified according to it. It took me some 350 LOC in AWK +to take disassembly and tell for a jumpless piece of code how data in registers +and memory changes. Where possible, actual values appear, where value depends on +initial value, the complete transformation is recorded. Of course, it's only +prototype and more advanced instructions are not yet supported, but it's already +promising. With proper jump support, we could reduce multiple control switches +into a minimal set of transformations for given goal, even separate it from the +rest of code. However far it would go, doing a similar thing with higher level +language seems many times more complex. For fuller and more reliable and efficient implementation -Capstone-Keystone-Unicorn tools could be used. We may also -consider QEMU (which allows us to dump all ongoing operations -and changing state) and GDB integration. When something -simpler is needed we may consider `mprotect()` Linux call -for runtime code rebuilding and analysis. Recently I have -found another very interesting project: [The Witchcraft -Compiler Collection](https://github.com/endrazine/wcc). - -Before you continue, you should know very basics of x86 assembly -language, which you can find in [another blog post](TODO:address here). - -# Binary organization - -Machine code is usually packed in some sort of file type. -In old times `COM` files used to contained raw machine code -and the only assumption was that the code would be placed at -0x100. However, nowadays we use more sophisticated formats -because modern CPUs offer access rights for memory regions -so that we can disable write access for code and constants -and execution for data regions. Another reason is that often -we want to load shared libraries — the code that can be -shared between processes. Of course, it's possible to load -them using dedicated system calls, but it's much more -convenient to let executable loader do it for us. Except -that, we want to attach debugging symbols for convenient -execution analysis. Moreover, modern executable formats -contain information about target architecture, checksums -and other information about the code. - -Except that, producing binaries directly from source code -would be very impractical and inefficient for big projects. -That's why in modern systems we have at least 4 file types -for code: - - 1. Object files — usually generated per module, - containing functions with their data. At this point, no - function dependencies are checked so that we may take - care of later. Thanks to this we can separate compilation - process from resolving dependencies. Extension *.o in - *nix and *.obj in Windows. - 2. Static libraries — set of functions to be incorporated - into executable. Unlike object files, they must contain - all dependencies. Extension *.a in *nix and *.lib in - Windows. - 3. Dynamic libraries — a special type of library which is - suitable to be loaded once for many programs at the same - time. In such case, no their code is incorporated into - binary but only references to them. Such code doesn't have - to be duplicated in RAM too. However, each process has - separate space for data. Unlike static libraries, they - have also initialization code that is run when the library is - loaded. They may be loaded at the same time as whole - binary or during runtime using the system call. The second - option is often used to deploy plugins. However this - approach is convenient, it may cause problems with - dependencies because of many versions of the same library. - That's why many (especially closed source) are - distributed with libraries incorporated into the binary - (ie. statically linked). Extension *.so in Linux, *.dll - in Windows, *.dylib in *BSD (including Mac). In *nix - systems they are usually stored in /lib /usr/lib (this - can be reconfigured per system or per binary). Windows - usually store them in Windows and Windows\System32 - directory, but the directory with binary is checked by - default. - 4. Executables — binaries intended to be run as - standalone programs. They usually accept command line - parameters and environment variables as an input. In - *nix system they usually have no extension, in Windows - *.exe. - -![shared_vs_static](/img/static-vs-shared.jpg) -graphics from [here](https://medium.com/@romalms10/why-dynamic-libraries-bbaa55b199db) - -Very often, for RELEASE builds debug symbols are built in -a separate file (*.debug). If you load it you can debug your -program as though it had debug symbols. You can also -disassemble it and examine as normal binary. Another use -case for them is remote debugging. When you enable GDB -server in QEMU or expose one from the embedded device (e.g. via -serial port) you must have a local copy of the debugged code. - -In modern PC platforms, we have 2 most common executable -formats: PE (Windows, UEFI) and ELF (*nix, coreboot). -Raw executable code still can be found in legacy BIOS boot -records (MBR). PE and ELF are different but share most -important concepts. For instance, they both divide contents -into sections. Generally, both formats can be examined in - a very similar way (but tools differ a little bit). -Among others, PE files can be examined using pev package -(available also for *nix systems), for ELF objdump from -binutils is probably the most popular choice. In Reverse -Engineering IDA is kind of the standard, but it's much more -complex solution. - -# Binary examination - -Usually, we start by examining how binary is organized, -that is sections and entry point (for executables). As this -is very similar for both formats, so I'll focus on ELF. - -Executable may have only one section with code (usually -called .text), but it's rare that there are no .data -(initialized data section), .rodata (initialized read-only -data) or .bss (zero-initialized data). Still, such a -minimalistic layout is typical for programs coded in -assembly language. GCC usually create about 20 of them, -however the most interesting for us would be .plt or .got -which contains references to dynamically linked libraries. -Typical C program loads at least standard library this way. +Capstone-Keystone-Unicorn tools could be used. We may also consider QEMU (which +allows us to dump all ongoing operations and changing state) and GDB +integration. When something simpler is needed we may consider `mprotect()` Linux +call for runtime code rebuilding and analysis. Recently I have found another +very interesting project: +[The Witchcraft Compiler Collection](https://github.com/endrazine/wcc). + +Before you continue, you should know very basics of x86 assembly language, which +you can find in \[another blog post\](TODO:address here). + +## Binary organization + +Machine code is usually packed in some sort of file type. In old times `COM` +files used to contained raw machine code and the only assumption was that the +code would be placed at 0x100. However, nowadays we use more sophisticated +formats because modern CPUs offer access rights for memory regions so that we +can disable write access for code and constants and execution for data regions. +Another reason is that often we want to load shared libraries — the code that +can be shared between processes. Of course, it's possible to load them using +dedicated system calls, but it's much more convenient to let executable loader +do it for us. Except that, we want to attach debugging symbols for convenient +execution analysis. Moreover, modern executable formats contain information +about target architecture, checksums and other information about the code. + +Except that, producing binaries directly from source code would be very +impractical and inefficient for big projects. That's why in modern systems we +have at least 4 file types for code: + +1. Object files — usually generated per module, containing functions with their + data. At this point, no function dependencies are checked so that we may take + care of later. Thanks to this we can separate compilation process from + resolving dependencies. Extension \*.o in \*nix and \*.obj in Windows. +1. Static libraries — set of functions to be incorporated into executable. + Unlike object files, they must contain all dependencies. Extension *.a in*nix + and \*.lib in Windows. +1. Dynamic libraries — a special type of library which is suitable to be loaded + once for many programs at the same time. In such case, no their code is + incorporated into binary but only references to them. Such code doesn't have + to be duplicated in RAM too. However, each process has separate space for + data. Unlike static libraries, they have also initialization code that is run + when the library is loaded. They may be loaded at the same time as whole + binary or during runtime using the system call. The second option is often + used to deploy plugins. However this approach is convenient, it may cause + problems with dependencies because of many versions of the same library. + That's why many (especially closed source) are distributed with libraries + incorporated into the binary (ie. statically linked). Extension _.so in + Linux,_.dll in Windows, *.dylib in*BSD (including Mac). In \*nix systems they + are usually stored in /lib /usr/lib (this can be reconfigured per system or + per binary). Windows usually store them in Windows and Windows\\System32 + directory, but the directory with binary is checked by default. +1. Executables — binaries intended to be run as standalone programs. They + usually accept command line parameters and environment variables as an input. + In \*nix system they usually have no extension, in Windows \*.exe. + +![shared_vs_static](/img/static-vs-shared.jpg) graphics from +[here](https://medium.com/@romalms10/why-dynamic-libraries-bbaa55b199db) + +Very often, for RELEASE builds debug symbols are built in a separate file +(\*.debug). If you load it you can debug your program as though it had debug +symbols. You can also disassemble it and examine as normal binary. Another use +case for them is remote debugging. When you enable GDB server in QEMU or expose +one from the embedded device (e.g. via serial port) you must have a local copy +of the debugged code. + +In modern PC platforms, we have 2 most common executable formats: PE (Windows, +UEFI) and ELF (*nix, coreboot). Raw executable code still can be found in legacy +BIOS boot records (MBR). PE and ELF are different but share most important +concepts. For instance, they both divide contents into sections. Generally, both +formats can be examined in a very similar way (but tools differ a little bit). +Among others, PE files can be examined using pev package (available also for*nix +systems), for ELF objdump from binutils is probably the most popular choice. In +Reverse Engineering IDA is kind of the standard, but it's much more complex +solution. + +## Binary examination + +Usually, we start by examining how binary is organized, that is sections and +entry point (for executables). As this is very similar for both formats, so I'll +focus on ELF. + +Executable may have only one section with code (usually called .text), but it's +rare that there are no .data (initialized data section), .rodata (initialized +read-only data) or .bss (zero-initialized data). Still, such a minimalistic +layout is typical for programs coded in assembly language. GCC usually create +about 20 of them, however the most interesting for us would be .plt or .got +which contains references to dynamically linked libraries. Typical C program +loads at least standard library this way. We can find entry point using: + ```assembly $ objdump -f /tmp/x @@ -190,9 +157,9 @@ HAS_SYMS, DYNAMIC, D_PAGED start address 0x00000000000004f0 ``` -The start address is so-called RVA — Relative Virtual Address, -so it's offset from the place in memory, where binary would -be placed. To list sections we can call: +The start address is so-called RVA — Relative Virtual Address, so it's offset +from the place in memory, where binary would be placed. To list sections we can +call: ```assembly objdump -h /tmp/x @@ -249,26 +216,22 @@ Idx Name Size VMA LMA File off Algn CONTENTS, READONLY ``` -The most important for us is of course name, VMA (base -address), size and offset in the file. LMA is rarely different -than VMA so usually not relevant. As we see, names are -arbitrary and the flags are defining section features, but -it's rather relevant in security analysis. In most cases, -initialized data sections are the most interesting to us here, -so that we can translate pre-initialized data RVA to the location -in the file so that we can peek in (e.g. using hexdump). That's -because for each address based instruction some meaningful -name would be printed (usually label + offset, for calls -to dynamic libraries the name of call and library name). -Note that all addresses here are noted in hexadecimal. - -Calling `objdump -d` will print disassembly of whole binary -So it's better to limit output. You may use -`--start-address=offset` parameter or `less` and start from -looking for function name (function labels are usually -included even in RELEASE binaries). For debug binaries, you -may consider `-s` option to mix disassembly with source -code. +The most important for us is of course name, VMA (base address), size and offset +in the file. LMA is rarely different than VMA so usually not relevant. As we +see, names are arbitrary and the flags are defining section features, but it's +rather relevant in security analysis. In most cases, initialized data sections +are the most interesting to us here, so that we can translate pre-initialized +data RVA to the location in the file so that we can peek in (e.g. using +hexdump). That's because for each address based instruction some meaningful name +would be printed (usually label + offset, for calls to dynamic libraries the +name of call and library name). Note that all addresses here are noted in +hexadecimal. + +Calling `objdump -d` will print disassembly of whole binary So it's better to +limit output. You may use `--start-address=offset` parameter or `less` and start +from looking for function name (function labels are usually included even in +RELEASE binaries). For debug binaries, you may consider `-s` option to mix +disassembly with source code. ```assembly # excerpt of some disassembly using objdump @@ -288,36 +251,31 @@ code. 10a03: 48 8d 35 9b 74 07 00 lea 0x7749b(%rip),%rsi # 87ea5 <_IO_stdin_used@@Base+0x5a5> ``` -As you see we have complete disassembly with RVA and hex -representation of machine code for each instruction. As you -see, most addresses are relative to RSP or RIP, but as the second -one is given, there is also RVA and label given. - -Note that if you prefer Intel syntax it can be changed, just -as in pev you can switch from default Intel to AT&T. - -# Initial state - -The last thing we must be aware of is the initial state of -the process and this is platform dependent, but surely some -details are common. Most likely we get fully initialized -address space with all dynamically linked libraries already -loaded (except those loaded in the code of course), RSP in -the right location, etc. Command parameters are likely -to be placed on the stack, however, it's arrangement may differ. - -For example in 64-bit Linux RSP would initially point at -parameters count, and then 8 bytes pointer to each argument -starting from an executable name. This may be little confusing -as it's not what you see in `main()` function which conforms -to C's parameter format. The trick is that `main()` is not -the entry point even if it seems so when you run `gcc -S`. -The entry point is usually referred as `_start` and for C program -it is automatically added in linking process. _start calls -special libc call which loads main from given address. - -This is a typical _start function. It looks the same for -C programs. +As you see we have complete disassembly with RVA and hex representation of +machine code for each instruction. As you see, most addresses are relative to +RSP or RIP, but as the second one is given, there is also RVA and label given. + +Note that if you prefer Intel syntax it can be changed, just as in pev you can +switch from default Intel to AT&T. + +## Initial state + +The last thing we must be aware of is the initial state of the process and this +is platform dependent, but surely some details are common. Most likely we get +fully initialized address space with all dynamically linked libraries already +loaded (except those loaded in the code of course), RSP in the right location, +etc. Command parameters are likely to be placed on the stack, however, it's +arrangement may differ. + +For example in 64-bit Linux RSP would initially point at parameters count, and +then 8 bytes pointer to each argument starting from an executable name. This may +be little confusing as it's not what you see in `main()` function which conforms +to C's parameter format. The trick is that `main()` is not the entry point even +if it seems so when you run `gcc -S`. The entry point is usually referred as +`_start` and for C program it is automatically added in linking process. \_start +calls special libc call which loads main from given address. + +This is a typical \_start function. It looks the same for C programs. ```assembly 0000000000013050 <_start@@Base>: @@ -335,19 +293,15 @@ C programs. 1307a: f4 hlt ``` -# Further steps - -That's all you need to know in the beginning. As you see -it's not complex at all. The problem here is the amount of code -to get through, but each instruction itself is not complex. -Provided interface separate us from most of CPU and OS -magic. Of course, interface of presented tools are -not very good for more sophisticated analysis, but its -output is very regular so it's easy to transform it so that -your favourite language can understand it and process. - -Meaning of most instructions is trivial. We can consider -library calls as the points where the program communicate -with outside world. So we can decide, which of -those points seem relevant to us so that we eliminate -information noise. +## Further steps + +That's all you need to know in the beginning. As you see it's not complex at +all. The problem here is the amount of code to get through, but each instruction +itself is not complex. Provided interface separate us from most of CPU and OS +magic. Of course, interface of presented tools are not very good for more +sophisticated analysis, but its output is very regular so it's easy to transform +it so that your favourite language can understand it and process. + +Meaning of most instructions is trivial. We can consider library calls as the +points where the program communicate with outside world. So we can decide, which +of those points seem relevant to us so that we eliminate information noise. diff --git a/blog/content/post/2018-05-17-basics-of-x86-assembly.md b/blog/content/post/2018-05-17-basics-of-x86-assembly.md index 8f6a12b3..c4de9879 100644 --- a/blog/content/post/2018-05-17-basics-of-x86-assembly.md +++ b/blog/content/post/2018-05-17-basics-of-x86-assembly.md @@ -15,33 +15,31 @@ categories: - programming --- -Nowadays, application of programming in assembly language is -very small. Writing production code in assembly may be found -in the most demanding tasks in embedded. Even in modern firmware -(coreboot, EDK2) most of the code is written in C. Honesly, -that's quite undestandable, assembly code isn't easy to read -nor write and some state that it's no longer needed to be known. -In my opinion, that's far from the truth. - -Not only it's heavily used in reverse engineering, very important -especially in software/firmware security, its design impact more -or less code in virtualy any programming language. Let's set an -example. Consider those two lines of C code: - -```c +Nowadays, application of programming in assembly language is very small. Writing +production code in assembly may be found in the most demanding tasks in +embedded. Even in modern firmware (coreboot, EDK2) most of the code is written +in C. Honesly, that's quite undestandable, assembly code isn't easy to read nor +write and some state that it's no longer needed to be known. In my opinion, +that's far from the truth. + +Not only it's heavily used in reverse engineering, very important especially in +software/firmware security, its design impact more or less code in virtually any +programming language. Let's set an example. Consider those two lines of C code: + +```bashc char buffer[size]; // Since C99, we can do that with variable!!! char *buffer2 = malloc(size); ``` -Even C's syntax (considered low-level nowadays) create an impression -that they are more or less the same, except that `buffer` is `const char*` -and `buffer2` is `char*` and the range: `buffer` is freed automatically at -the and of current block. However, someone with some knowledge of internls -know that first line has virtually no overhead (because all local variables -may be allocated and freed at the same time, it takes 2 instructions), while -second one involves kernel activity to map needed space, needs to update heap -structures, etc. Except that `malloc()` often happen to introduce memory leaks, -on the other hand, the first method may cause stack overflow in some cases. +Even C's syntax (considered low-level nowadays) create an impression that they +are more or less the same, except that `buffer` is `const char*` and `buffer2` +is `char*` and the range: `buffer` is freed automatically at the and of current +block. However, someone with some knowledge of internls know that first line has +virtually no overhead (because all local variables may be allocated and freed at +the same time, it takes 2 instructions), while second one involves kernel +activity to map needed space, needs to update heap structures, etc. Except that +`malloc()` often happen to introduce memory leaks, on the other hand, the first +method may cause stack overflow in some cases. This is just one of many examples where low-level details (assembly, network stack, devices, etc.) condition higher level code execution. That's why every @@ -51,105 +49,97 @@ Enineering. This article is meant to preasent the most important ideas behind x86 assembly just to show how does it work and what are its limitations. If you want to code -in assembly or read disassembly, I recommend to look at [x86 instruction set] -(https://c9x.me/x86/) and tutorials [like this](https://www.nayuki.io/page/a-fundamental-introduction-to-x86-assembly-programming). -If you are interested in advanced optimization you'd have to dive into CPU -model specific documentation. +in assembly or read disassembly, I recommend to look at \[x86 instruction set\] +() and tutorials +[like this](https://www.nayuki.io/page/a-fundamental-introduction-to-x86-assembly-programming). +If you are interested in advanced optimization you'd have to dive into CPU model +specific documentation. -Basics of x86 CPU ------------------ +## Basics of x86 CPU -We have CPU — computation unit and RAM for temporary data -storage. We are usually separated from all other devices but -we use OS interface, which reuses concepts we use for -those two. Generally speaking, everything that happens in -a computer is series of passing data between components and -transforming them in between. +We have CPU — computation unit and RAM for temporary data storage. We are +usually separated from all other devices but we use OS interface, which reuses +concepts we use for those two. Generally speaking, everything that happens in a +computer is series of passing data between components and transforming them in +between. For example, when we display a web page we can think of it: 1. we have given an address in memory. -2. transform it into request conforming standard. -3. pass a request to the networking device -4. accept response -5. transform text into an image -6. pass the image to the graphic card - -The job of application is just to transform the data and -inform OS where is the product, what it is and where to pass -it. RAM is a medium for that exchange as well as storage for -middle products. RAM also store instructions how to perform -those transformations. Assembly language is a textual -representation of codes understood by CPU. +1. transform it into request conforming standard. +1. pass a request to the networking device +1. accept response +1. transform text into an image +1. pass the image to the graphic card + +The job of application is just to transform the data and inform OS where is the +product, what it is and where to pass it. RAM is a medium for that exchange as +well as storage for middle products. RAM also store instructions how to perform +those transformations. Assembly language is a textual representation of codes +understood by CPU. ## Memory -We can think of RAM as a function. Every byte in memory has -its ordinal number. We use it to read or change its value. -Bytes are usually accessed in groups of 4(32bit) or 8(64-bit). - -X86 CPU never uses two memory locations at the same time. That's -why it has own memory called registers. In modern x86 -architecture, there are 16 64-bit general purpose registers -called: RAX, RBX, RCX, RDX, RDI (destination index), RSI -(source index), RBP (base pointer), RSP (stack pointer), -R8-R15. Despite meaningful names of some, only RSP preserved special -meaning. This naming was important when it was usual to code directly -in assembly). "R" letter in beginning denote its 64-bits as -during 40 years of x86 evolution registers have grown from 16-bit -(AX, BX, etc), to 32-bit (EAX, EBX, etc). Among special -registers, we have RIP (instruction pointer) stores pointer -(ordinal number in memory) of the next instruction to run and -EFLAGS which register special situations (like zeroing -register or overflow while adding). Those special registers -are never accessed directly. - -To move data between registers and memory we use `MOV` instruction. -Example: - -```assembly - mov $0xff, %rax +We can think of RAM as a function. Every byte in memory has its ordinal number. +We use it to read or change its value. Bytes are usually accessed in groups of +4(32bit) or 8(64-bit). + +X86 CPU never uses two memory locations at the same time. That's why it has own +memory called registers. In modern x86 architecture, there are 16 64-bit general +purpose registers called: RAX, RBX, RCX, RDX, RDI (destination index), RSI +(source index), RBP (base pointer), RSP (stack pointer), R8-R15. Despite +meaningful names of some, only RSP preserved special meaning. This naming was +important when it was usual to code directly in assembly). "R" letter in +beginning denote its 64-bits as during 40 years of x86 evolution registers have +grown from 16-bit (AX, BX, etc), to 32-bit (EAX, EBX, etc). Among special +registers, we have RIP (instruction pointer) stores pointer (ordinal number in +memory) of the next instruction to run and EFLAGS which register special +situations (like zeroing register or overflow while adding). Those special +registers are never accessed directly. + +To move data between registers and memory we use `MOV` instruction. Example: + +```bashassembly + mov $0xff, %rax ``` -which loads constant value 0xff to RAX register. This form of -assembly language is called AT&T and mainly widespread in -GNU world. Other popular is Intel Syntax. The most important -difference is argument order and lack of sigils: +which loads constant value 0xff to RAX register. This form of assembly language +is called AT&T and mainly widespread in GNU world. Other popular is Intel +Syntax. The most important difference is argument order and lack of sigils: -```assembly - mov rax, 0xff +```bashassembly + mov rax, 0xff ``` In this document, I use AT&T syntax. Other variants are: -```assembly - mov %rax, %rbx # RAX -> RBX - mov %rbx, (%rax) # RBX -> memory pointed in RAX - mov 3(%rcx), %rax # RAX <- memory pointed in RCX+3 - movb $0xde, (%rdx) # 0xde-> memory pointed in RDX - movq $0xde, (%rdx) # same, but zeroes other 7 bytes - mov %ax, my_val # 16-bit from AX to labeled memory - mov my_val, %ebx # 32-bits from my_val to EBX - move 0xfffe, (%rax, %rbx) # 0xfffe - RAX+RBX mem +```bashassembly + mov %rax, %rbx # RAX -> RBX + mov %rbx, (%rax) # RBX -> memory pointed in RAX + mov 3(%rcx), %rax # RAX <- memory pointed in RCX+3 + movb $0xde, (%rdx) # 0xde-> memory pointed in RDX + movq $0xde, (%rdx) # same, but zeroes other 7 bytes + mov %ax, my_val # 16-bit from AX to labeled memory + mov my_val, %ebx # 32-bits from my_val to EBX + move 0xfffe, (%rax, %rbx) # 0xfffe - RAX+RBX mem ``` -Note that labels in the machine code are just constants. Labels -are for programmers convenience. Remembering addresses for -every little thing would be hard, but it's not the only -reason. In modern OS controlled code must not access any -address without OSs permission. Labels mark places allocated -at program loading. It has initial value: +Note that labels in the machine code are just constants. Labels are for +programmers convenience. Remembering addresses for every little thing would be +hard, but it's not the only reason. In modern OS controlled code must not access +any address without OSs permission. Labels mark places allocated at program +loading. It has initial value: -```assembly +```bashassembly my_val: .asciz "Hello World!" # C-like string another: .ascii "What's up?" # without '\0' ending .comm buff, 64 # 64-byte 0-initialized buffer ``` -For pointer loading, there is other set instruction: `LEA` -(Load Effective Address): +For pointer loading, there is other set instruction: `LEA` (Load Effective +Address): -```assembly +```bashassembly lea my_val, %rax # myval -> RAX lea 5(%rbx), %rax # RBX+5 -> RAX lea (%rax,%rsi), %rcx # RAX+RSI -> RCX @@ -157,10 +147,9 @@ For pointer loading, there is other set instruction: `LEA` ## Transformations -There are many instructions for data transformations. -Among the most popular: +There are many instructions for data transformations. Among the most popular: -```assembly +```bashassembly add $5, %rax # RAX = RAX + 5 add (%rbx), %rdi # RDI = mem(RBX) + RDI sub 2(%rax), %rbp # RBP = RBP - mem(RAX+2) @@ -169,81 +158,74 @@ Among the most popular: xor %rax, %rax # optimized RAX = 0 ``` -There are many more of them, but most common of them follow -the same pattern. That's why it's quite easy to automatically -trace value changes. Some instructions have implicit -parameters, however still, we need just encode exception. -Example: +There are many more of them, but most common of them follow the same pattern. +That's why it's quite easy to automatically trace value changes. Some +instructions have implicit parameters, however still, we need just encode +exception. Example: -```assembly - mul %rcx # RDX:RAX = RAX * RCX - div %rbx # RAX = RDX:RAX / RCX# RDX = reminder +```bashassembly + mul %rcx # RDX:RAX = RAX * RCX + div %rbx # RAX = RDX:RAX / RCX# RDX = reminder ``` -`RDX:RAX` means 128-bit value with higher 64-bits in `RDX` -and other in `RAX`. Such a solution let us never lose data -due to overflow. On the other hand, cause a pitfall of `DIV` -instruction — if the operand is not enough to make result 64-bit -or operand is 0 — CPU exception is issued (mentioned later). +`RDX:RAX` means 128-bit value with higher 64-bits in `RDX` and other in `RAX`. +Such a solution let us never lose data due to overflow. On the other hand, cause +a pitfall of `DIV` instruction — if the operand is not enough to make result +64-bit or operand is 0 — CPU exception is issued (mentioned later). -There are also special instructions and registers for floating -point arithmetics, for matrix operations, and some reserved -ones only for OS/firmware code, among others to communicate -with other devices. And configure protection mechanisms. +There are also special instructions and registers for floating point arithmetic, +for matrix operations, and some reserved ones only for OS/firmware code, among +others to communicate with other devices. And configure protection mechanisms. ## Jumps -Of course, we can execute an instruction not in an order using -jumps. +Of course, we can execute an instruction not in an order using jumps. -```assembly - jmp foo # RIP = foo (label position) - jmp (%rax) # RIP = RAX +```bashassembly + jmp foo # RIP = foo (label position) + jmp (%rax) # RIP = RAX ``` -Most of the jumps are relative to current RIP position. Thanks -to this OS can load our program at any point in memory. -Similarly, once compiled function can be placed at any point -of program binary. +Most of the jumps are relative to current RIP position. Thanks to this OS can +load our program at any point in memory. Similarly, once compiled function can +be placed at any point of program binary. -```assembly +```bashassembly loop: - add $5, %rax - jmp loop # while(1) RAX+=5 + add $5, %rax + jmp loop # while(1) RAX+=5 ``` will disassemble as: -```assembly - 40007b: 48 83 c0 05 add $0x5,%rax - 40007f: eb fa jmp 40007b +```bashassembly + 40007b: 48 83 c0 05 add $0x5,%rax + 40007f: eb fa jmp 40007b ``` -Disassembly shows whole address, but when we look at the machine -codes, jump takes only two bytes so it can't be absolute -address. 0xEB encodes relative jump and another byte is 8-bit -signed offset coded so that highest bit means -0x81 instead -of 0x80 so 0xfa = -0x80 + 0x8a = -0x06, which is length of -both instructions. +Disassembly shows whole address, but when we look at the machine codes, jump +takes only two bytes so it can't be absolute address. 0xEB encodes relative jump +and another byte is 8-bit signed offset coded so that highest bit means -0x81 +instead of 0x80 so 0xfa = -0x80 + 0x8a = -0x06, which is length of both +instructions. ## Conditionals -We can also make conditional jumps. `EFLAGS` register is -used for that. For example, if we call +We can also make conditional jumps. `EFLAGS` register is used for that. For +example, if we call -```assembly - sub $5, %rax +```bashassembly + sub $5, %rax ``` -except for substracting `RAX`, specific bit of `EFLAGS` will -be set to 1 if %rax will become 0 (ie. was 5 in the first -place) and other if it becomes negative. There are -instructions that make jump according to `EFLAGS` bits -and special `CMP` instruction which sets `EFLAGS` like `SUB` -but doesn't store the result. Similarly, `TEST` does `AND` -without storing the result (usually used for bit fields). +except for subtracting `RAX`, specific bit of `EFLAGS` will be set to 1 if %rax +will become 0 (ie. was 5 in the first place) and other if it becomes negative. +There are instructions that make jump according to `EFLAGS` bits and special +`CMP` instruction which sets `EFLAGS` like `SUB` but doesn't store the result. +Similarly, `TEST` does `AND` without storing the result (usually used for bit +fields). -```assembly +```bashassembly cmp $5, %rax je equals # jmp equals if RAX == 5 jl lower # jmp lower if (signed)RAX < 5 @@ -254,165 +236,145 @@ jz zero # jmp zero if RAX == 0 je never # WARNING: JE & JZ is the same instruction ``` -Note that, it's totally valid to put many conditional jumps -one by one, because they don't affect `EFLAGS` register. +Note that, it's totally valid to put many conditional jumps one by one, because +they don't affect `EFLAGS` register. ## Stack -![stack_frame](/img/stack.png) -graphic from [here](http://rxwen.blogspot.com/2009/04/detect-stack-corruption.html) +![stack_frame](/img/stack.png) graphic from +[here](http://rxwen.blogspot.com/2009/04/detect-stack-corruption.html) -For very temporary storage of values, there is special memory -range that implements stack structure. `RSP` register points -at last pushed value. There are two special instructions for -that: +For very temporary storage of values, there is special memory range that +implements stack structure. `RSP` register points at last pushed value. There +are two special instructions for that: -```assembly - push %rax # %rsp -= 8; (%rsp) = %rax - push (%rax) # %rsp -= 8; (%rsp) = (%rax) - push 5 # %rsp -= 8; (%rsp) = 5 - pop %rax # %rax = (%rsp); %rsp += 8 +```bashassembly + push %rax # %rsp -= 8; (%rsp) = %rax + push (%rax) # %rsp -= 8; (%rsp) = (%rax) + push 5 # %rsp -= 8; (%rsp) = 5 + pop %rax # %rax = (%rsp); %rsp += 8 ``` -There is no popping in memory. Of course, they are faster and -smaller than add/sub + mov combination. As you can see, the stack -is growing backwards. There is no standard way to determine -boundaries for the stack. - -As RSP is general purpose register, there's nothing wrong -with using it in normal operations. In fact, it's how local -variables are compiled in C (unless they are in register). - -```assembly - sub $0x10, %rsp # allocate two local variables - mov $0xf0, (%rsp) # set one of them to 0xf0 - mov %rax, 8(%rsp) # put RAX value to the other - add $0x10, %rsp # not freeing it will crash program - # in most cases +There is no popping in memory. Of course, they are faster and smaller than +add/sub + mov combination. As you can see, the stack is growing backwards. There +is no standard way to determine boundaries for the stack. + +As RSP is general purpose register, there's nothing wrong with using it in +normal operations. In fact, it's how local variables are compiled in C (unless +they are in register). + +```bashassembly + sub $0x10, %rsp # allocate two local variables + mov $0xf0, (%rsp) # set one of them to 0xf0 + mov %rax, 8(%rsp) # put RAX value to the other + add $0x10, %rsp # not freeing it will crash program + # in most cases ``` -BTW. stack overflow is a kind of attack that exploits stack -so that stack overlaps with other variable. Originally it -could overwrite code too, but modern OSs prevent writing code -section and executing data section. Note that on 32-bit OSs -stack cells are only 4-bytes long. +BTW. stack overflow is a kind of attack that exploits stack so that stack +overlaps with other variable. Originally it could overwrite code too, but modern +OSs prevent writing code section and executing data section. Note that on 32-bit +OSs stack cells are only 4-bytes long. ## Calls For calling functions there are 2 other commands: -```assembly - call my_fun - #... +```bashassembly + call my_fun + #... my_fun: - #... - ret + #... + ret ``` -`CALL` works just like `JMP`, but pushes `RIP` first. At the -end of the function we put `RET` which simply pops that value -back, so that execution continues after last `CALL`. Of course, -if you don't change `RSP` value to the initial value, `RET` -takes `(%rsp)` anyway, so in most cases, it would cause a crash. - -The stack is also used to pass function parameters. In 32-bit -architecture all of them are put on the stack (the first argument -pushed as last). Depending on convention caller al callee -was responsible for freeing parameters. That's why there is -such variant of `RET` with a parameter which indicates how much -would be added to `RSP` after popping to `RIP`. - -The original purpose of `EBP` was to store `ESP` value before -allocating local variables. So that you can allocate -variables in the middle of function not caring how much -because you would use `EBP`, that's why Base Pointer. In the -end, you would just reset `ESP` to `RBP` before `RET`. There -were (and still are) instructions for that: `ENTER` and -`LEAVE`. However as those are clearly coding oriented features -it's no longer convention in 64-bit architecture, but still -may be found. For instance, `gcc` without optimization still -does it: - -```assembly +`CALL` works just like `JMP`, but pushes `RIP` first. At the end of the function +we put `RET` which simply pops that value back, so that execution continues +after last `CALL`. Of course, if you don't change `RSP` value to the initial +value, `RET` takes `(%rsp)` anyway, so in most cases, it would cause a crash. + +The stack is also used to pass function parameters. In 32-bit architecture all +of them are put on the stack (the first argument pushed as last). Depending on +convention caller al callee was responsible for freeing parameters. That's why +there is such variant of `RET` with a parameter which indicates how much would +be added to `RSP` after popping to `RIP`. + +The original purpose of `EBP` was to store `ESP` value before allocating local +variables. So that you can allocate variables in the middle of function not +caring how much because you would use `EBP`, that's why Base Pointer. In the +end, you would just reset `ESP` to `RBP` before `RET`. There were (and still +are) instructions for that: `ENTER` and `LEAVE`. However as those are clearly +coding oriented features it's no longer convention in 64-bit architecture, but +still may be found. For instance, `gcc` without optimization still does it: + +```bashassembly $ echo 'int main(void) { return 5; }' > /tmp/x.c $ gcc -S /tmp/x.c -o /tmp/x.s $ grep -vP '^\s*\.' /tmp/x.s main: - pushq %rbp - movq %rsp, %rbp - movl $5, %eax - popq %rbp - ret + pushq %rbp + movq %rsp, %rbp + movl $5, %eax + popq %rbp + ret ``` -The reason why I grep out lines starting with a dot is -additional directives which are information for compiler -rather than actual instructions. 'l' and 'q' at the end of -instructions marks operand size. It is required only one -constant->mem write is performed (because there's no way to -deduce it). - -In 64-bit architecture convention changed a little because -first 5 parameters (except structures bigger than 8 bytes) -are passed through registers: `RDI`, `RSI`, `RDX`, `RCX`, -`R8` and `R9`. As you can see on above code, the return value is put -into %rax register (unless it's too big), but as the main return +The reason why I grep out lines starting with a dot is additional directives +which are information for compiler rather than actual instructions. 'l' and 'q' +at the end of instructions marks operand size. It is required only one +constant->mem write is performed (because there's no way to deduce it). + +In 64-bit architecture convention changed a little because first 5 parameters +(except structures bigger than 8 bytes) are passed through registers: `RDI`, +`RSI`, `RDX`, `RCX`, `R8` and `R9`. As you can see on above code, the return +value is put into %rax register (unless it's too big), but as the main return 32-bit value, `EAX` register is actually used. -RBX, RBP, and R12-R15 are considered callee-save, which -means, that all functions should provide that their values -will be the same after returning. +RBX, RBP, and R12-R15 are considered callee-save, which means, that all +functions should provide that their values will be the same after returning. ## Interrupts and syscalls -Very similar thing are interrupts — they are also kind of -functions implemented by OS or boot firmware, but they are -usually called by hardware. When CPU get such interrupt, -normal execution is stopped and restored when the interrupt is -handled. Also, CPU itself can generate the interrupt, that's how -CPU exceptions work (they are issued when some illegal -instruction is called). There is also `INT` instruction to -generate the interrupt. - -For a long time, this feature was used to provide runtime -services in BIOS and DOS. In *nix 32-bit OSs (Linux, *BSD) -it's still used: `int 0x80`. EAX (or it's part) was -typically specifying system function and other registers -contained parameters. In 64-bit architecture, there is -`syscall` instruction instead, which works very similar. -For example for `read()` function: - -```assembly - xor %rax, %rax #sys_read - xor %rdi, %rdi #fd = stdin - lea .buff, %rsi #buffer - mov $0xff, %rdi #bytes to read - syscall +Very similar thing are interrupts — they are also kind of functions implemented +by OS or boot firmware, but they are usually called by hardware. When CPU get +such interrupt, normal execution is stopped and restored when the interrupt is +handled. Also, CPU itself can generate the interrupt, that's how CPU exceptions +work (they are issued when some illegal instruction is called). There is also +`INT` instruction to generate the interrupt. + +For a long time, this feature was used to provide runtime services in BIOS and +DOS. In \*nix 32-bit OSs (Linux,\*BSD) it's still used: `int 0x80`. EAX (or it's +part) was typically specifying system function and other registers contained +parameters. In 64-bit architecture, there is `syscall` instruction instead, +which works very similar. For example for `read()` function: + +```bashassembly + xor %rax, %rax #sys_read + xor %rdi, %rdi #fd = stdin + lea .buff, %rsi #buffer + mov $0xff, %rdi #bytes to read + syscall ``` -However, those calls are usually called using C wrapper calls -so the most likely place to find them are shared libraries. - -Conclusion ----------- - -This brief explanation is probably not enough to code in -assembly language but will let you understand most of -the disassembly of userspace programs. As modern programs make -much use of shared libraries, those calls used most of the -time. The good thing is that unless you deal with -OS/firmware calls you don't need to care about multitasking, -caching etc. You will probably face strange constructs -like `call (%rip)`, which doesn't any make functional sense but -turns out to help CPU execute code faster. Another good news -is that userspace program is written as though it was only -processed running on the machine which simplifies it a lot. - -Anyway this should give you a good start to understand most of -assembly code (assuming that you use instruction reference). -If you deal with obfuscated code, you will proabably need some -help from dedicated software like IDA. - -We are open to help you if some of presented information is -unclear or you are interested in more detail. Please let us know. +However, those calls are usually called using C wrapper calls so the most likely +place to find them are shared libraries. + +## Conclusion + +This brief explanation is probably not enough to code in assembly language but +will let you understand most of the disassembly of userspace programs. As modern +programs make much use of shared libraries, those calls used most of the time. +The good thing is that unless you deal with OS/firmware calls you don't need to +care about multitasking, caching etc. You will probably face strange constructs +like `call (%rip)`, which doesn't any make functional sense but turns out to +help CPU execute code faster. Another good news is that userspace program is +written as though it was only processed running on the machine which simplifies +it a lot. + +Anyway this should give you a good start to understand most of assembly code +(assuming that you use instruction reference). If you deal with obfuscated code, +you will proabably need some help from dedicated software like IDA. + +We are open to help you if some of presented information is unclear or you are +interested in more detail. Please let us know. diff --git a/blog/content/post/2018-07-18-how-to-boot-Xen-over-PXE-and-NFS-on-PC-Engines-apu2.md b/blog/content/post/2018-07-18-how-to-boot-Xen-over-PXE-and-NFS-on-PC-Engines-apu2.md index 91b8d885..42341300 100644 --- a/blog/content/post/2018-07-18-how-to-boot-Xen-over-PXE-and-NFS-on-PC-Engines-apu2.md +++ b/blog/content/post/2018-07-18-how-to-boot-Xen-over-PXE-and-NFS-on-PC-Engines-apu2.md @@ -16,12 +16,13 @@ categories: --- From time to time we face requests to correctly enable support for various Xen -features on PC Engines apu2 platform. Doing that requires firmware -modification, which 3mdeb is responsible for. +features on PC Engines apu2 platform. Doing that requires firmware modification, +which 3mdeb is responsible for. Xen have very interesting requirements from firmware development perspective. Modern x86 have a bunch of features that support virtualization in hardware. -Those features were described in [Xen FAQ](https://wiki.xenproject.org/wiki/Xen_Common_Problems#What_are_the_names_of_different_hardware_features_related_to_virtualization_and_Xen.3F). +Those features were described in +[Xen FAQ](https://wiki.xenproject.org/wiki/Xen_Common_Problems#What_are_the_names_of_different_hardware_features_related_to_virtualization_and_Xen.3F). It happens that most requesting were IOMMU and SR-IOV. First, give the ability to dedicate PCI device to given VM and second enables so-called Virtual @@ -35,19 +36,20 @@ to change that. To start any work in that area we need a reliable setup. I had a plan to build something pretty simple using our automated testing infrastructure. -Unfortunately, this has to wait a little bit since when I started this work I had -to play with a [different configuration](https://3mdeb.com/os-dev/ssh-reverse-tunnel-for-pxe-nfs-and-dhcp-setup-on-qubesos/). +Unfortunately, this has to wait a little bit since when I started this work I +had to play with a +[different configuration](https://3mdeb.com/os-dev/ssh-reverse-tunnel-for-pxe-nfs-and-dhcp-setup-on-qubesos/). -If you don't have PXE, DHCP (if needed) and NFS set up I recommend to read -above blog post or just use [pxe-server](https://github.com/3mdeb/pxe-server) -and [dhcp-server](https://github.com/3mdeb/dhcp-server). +If you don't have PXE, DHCP (if needed) and NFS set up I recommend to read above +blog post or just use [pxe-server](https://github.com/3mdeb/pxe-server) and +[dhcp-server](https://github.com/3mdeb/dhcp-server). -## Xen installation in Debian stable +### Xen installation in Debian stable I assume you have PXE+NFS boot of our Debian stable. To netboot simply enter iPXE: -``` +```bash iPXE> dhcp net0 Configuring (net0 00:0d:b9:43:3f:bc).................. ok iPXE> chain http://192.168.42.1:8000/menu.ipxe @@ -55,7 +57,7 @@ iPXE> chain http://192.168.42.1:8000/menu.ipxe And choose `Debian stable netboot 4.14.y`: -``` +```bash ---------------- iPXE boot menu ---------------- ipxe shell Xen @@ -75,7 +77,7 @@ Core 6.4 After boot, you can log in with presented credentials `[root:debian]`: -``` +```bash Debian GNU/Linux 9 apu2 ttyS0 [root:debian] apu2 login: root @@ -96,18 +98,18 @@ Xen installation in Debian is quite easy and there is [community website](https://vidigest.com/2020/11/17/installing-xen-project-hypervisor-on-debian-10/) describing the process, but to quickly dive in: -``` +```bash apt-get update apt-get install xen-system-amd64 xen-tools xen-linux-system-amd64 ``` -# xencall error +## xencall error I took a break from Xen debugging and found that after upgrading kernel and rootfs I'm getting below error message: -``` -root@apu2:~# xl dmesg +```bash +root@apu2:~## xl dmesg xencall: error: Could not obtain handle on privileged command interface: No such file or directory libxl: error: libxl.c:108:libxl_ctx_alloc: cannot open libxc handle: No such file or directory cannot init xl context @@ -116,7 +118,7 @@ cannot init xl context I'm not a Xen developer and it looked pretty cryptic to me. It happens that `xen.service` also fails to run: -``` +```bash ● xen.service - LSB: Xen daemons Loaded: loaded (/etc/init.d/xen; generated; vendor preset: enabled) Active: failed (Result: exit-code) since Wed 2018-05-02 11:20:00 UTC; 33s ago @@ -134,14 +136,14 @@ May 02 11:20:00 apu2 systemd[1]: xen.service: Failed with result 'exit-code'. It happen that during upgrading of my rootfs I forget to install all required packages to Xen rootfs directory. So, now you should not face this problem when using `pxe-server`, but if you see something similar please make sure you have -all modules correctly loaded or compiled in. You can check my working [kernel config](https://github.com/pcengines/apu2-documentation/blob/master/configs/config-4.14.50) - +all modules correctly loaded or compiled in. You can check my working +[kernel config](https://github.com/pcengines/apu2-documentation/blob/master/configs/config-4.14.50) -# Xen boot log +## Xen boot log Below boot log analysis was performed on `v4.6.9` release candidate. -``` +```bash (XEN) Xen version 4.8.3 (Debian 4.8.3+comet2+shim4.10.0+comet3-1+deb9u5) (ijackson@chiark.greenend.org.uk) (gcc (Debian 6.3.0-18) 6.3.0 20170516) debug=n Fri Mar 2 16:10:09 UTC 2018 (XEN) Bootloader: iPXE 1.0.0+ (fd6d1) (XEN) Command line: dom0_mem=512M loglvl=all guest_loglvl=all com1=115200,8n1 console=com1 @@ -290,7 +292,7 @@ Below boot log analysis was performed on `v4.6.9` release candidate. The thing that we are concerned about and want to fix is -``` +```bash (XEN) AMD-Vi: IOMMU not found! ``` @@ -298,7 +300,7 @@ There are some patches pending to enable IOMMU. Of course, enabling this features open new universe with various advanced virtualization features which we hope to discuss in further blog posts. -## Trying Xen boot params +### Trying Xen boot params I tried to use `iommu=on amd_iommu=on` which doesn't change anything with firmware not-IOMMU capable. @@ -309,5 +311,5 @@ In further posts, I would like to get through IOMMU enabling by leveraging great community work from Kyosti and Timothy. Also, I would like to exercise and prove various virtualization features of PC Engines apu2. If you are interested in commercial enablement of advanced SoC features feel free to let us know at -`contact@3mdeb.com`. Also feel free to contribute to pxe-server mini-project -as well as comment below. +`contact@3mdeb.com`. Also feel free to contribute to pxe-server mini-project as +well as comment below. diff --git a/blog/content/post/2018-07-27-Our-first-look-at-debos-new-Debian-images-generator.md b/blog/content/post/2018-07-27-Our-first-look-at-debos-new-Debian-images-generator.md index c5956372..1659209a 100644 --- a/blog/content/post/2018-07-27-Our-first-look-at-debos-new-Debian-images-generator.md +++ b/blog/content/post/2018-07-27-Our-first-look-at-debos-new-Debian-images-generator.md @@ -19,11 +19,11 @@ categories: ## What is debos -`debos` is quite a new tool allowing easier Debian images generation. It -seems to be following current trends - it is written in `Go`, using `YAML` as -an input format. The idea of taking away `debootstrap` shell scripts and -replacing it with a single, simple `YAML` file looks tempting enough to give it -a try. Full feature description can be found in +`debos` is quite a new tool allowing easier Debian images generation. It seems +to be following current trends - it is written in `Go`, using `YAML` as an input +format. The idea of taking away `debootstrap` shell scripts and replacing it +with a single, simple `YAML` file looks tempting enough to give it a try. Full +feature description can be found in [this introductory post](https://www.collabora.com/news-and-blog/blog/2018/06/27/introducing-debos/) on Collabora's blog. @@ -37,9 +37,10 @@ The installation commands are for `Debian` but I thought it will work just fine (as usual) on my fresh `Ubuntu 18.04` laptop. Well, not quite. So the installation looks like: -> I have decided to skip the GOPATH export and stick to the default `GOPATH=~/go` +> I have decided to skip the GOPATH export and stick to the default +> `GOPATH=~/go` -``` +```bash sudo apt install golang sudo apt install libglib2.0-dev libostree-dev go get -u github.com/go-debos/debos/cmd/debos @@ -47,47 +48,49 @@ go get -u github.com/go-debos/debos/cmd/debos I thought that the first sanity test would be to build the example recipe: -``` +```bash ~/go/bin/debos ~/go/src/go-debos/debos/doc/examples/example.yaml ``` The first problem appears in the beginning: -``` -2018/07/17 18:02:17 open failed: /lib/modules/4.15.0-24-generic/kernel/drivers/char/virtio_console.ko - open /lib/modules/4.15.0-24-generic/kernel/drivers/char/virtio_console.ko: no such file or directory +```bash +2018/07/17 18:02:17 open failed: + /lib/modules/4.15.0-24-generic/kernel/drivers/char/virtio_console.ko - + open /lib/modules/4.15.0-24-generic/kernel/drivers/char/virtio_console.ko: + no such file or directory ``` -I have `virtio_console` driver compiled in the kernel, so the error message seems -really confusing: +I have `virtio_console` driver compiled in the kernel, so the error message +seems really confusing: -``` +```bash cat /boot/config-4.15.0-24-generic | grep VIRTIO_CONSOLE CONFIG_VIRTIO_CONSOLE=y ``` It seems to be known issue, which is described in [one of the fakemachine's github issues](https://github.com/go-debos/fakemachine/issues/12). -[fakemachine](https://github.com/go-debos/fakemachine) is another module -written in `Go`, which is a dependency of `debos`. It seems to be a wrapper for +[fakemachine](https://github.com/go-debos/fakemachine) is another module written +in `Go`, which is a dependency of `debos`. It seems to be a wrapper for `qemu-system` in order to allow for running image building phases as an -unprivileged user. It may not be obvious at first, as this thing does not -even have a single README. +unprivileged user. It may not be obvious at first, as this thing does not even +have a single README. So, it seems that it just won't work on the `Ubuntu`? Running on any other distro is also questionable. It seems that there are -[more unsolved issues](https://github.com/go-debos/fakemachine/issues/13) -when running on distros other than Debian. And those issues were open back in -Nov 2017, so it is definitely not a priority to make it work properly on -distros other than `Debian`. +[more unsolved issues](https://github.com/go-debos/fakemachine/issues/13) when +running on distros other than Debian. And those issues were open back in Nov +2017, so it is definitely not a priority to make it work properly on distros +other than `Debian`. ## Second approach - Debian VirtualBox -I decided to give it another chance and try running inside `VirtualBox`. -I went with a fresh Debian 9.3 Strech box +I decided to give it another chance and try running inside `VirtualBox`. I went +with a fresh Debian 9.3 Stretch box [from osboxes](https://www.osboxes.org/debian/). - -``` +```bash sudo apt install golang sudo apt install libglib2.0-dev libostree-dev mkdir ~/go @@ -97,34 +100,40 @@ go get -u github.com/go-debos/debos/cmd/debos `git` was another dependency for installation: -``` +```bash sudo apt install git ``` -``` +```bash ~/go/bin/debos ~/go/src/github.com/go-debos/debos/doc/examples/example.yaml ``` Output from the first run: -``` +```bash 2018/07/26 13:13:09 fakemachine not supported, running on the host! 2018/07/26 13:13:09 ==== debootstrap ==== -2018/07/26 13:13:09 debootstrap.log | cat: /home/osboxes/.debos-873708939/root/debootstrap/debootstrap.log: No such file or directory -2018/07/26 13:13:09 Action `debootstrap` failed at stage Run, error: exec: "debootstrap": executable file not found in $PATH +2018/07/26 13:13:09 debootstrap.log | cat: + /home/osboxes/.debos-873708939/root/debootstrap/debootstrap.log: + No such file or directory +2018/07/26 13:13:09 Action `debootstrap` failed at stage Run, error: exec: + "debootstrap": executable file not found in $PATH ``` -``` +```bash sudo apt install debootstrap ``` Still no luck after second try: -``` +```bash 2018/07/26 13:17:25 fakemachine not supported, running on the host! 2018/07/26 13:17:25 ==== debootstrap ==== -2018/07/26 13:17:25 debootstrap.log | cat: /home/osboxes/.debos-909422932/root/debootstrap/debootstrap.log: No such file or directory -2018/07/26 13:17:25 Action `debootstrap` failed at stage Run, error: exec: "debootstrap": executable file not found in $PATH +2018/07/26 13:17:25 debootstrap.log | cat: + /home/osboxes/.debos-909422932/root/debootstrap/debootstrap.log: + No such file or directory +2018/07/26 13:17:25 Action `debootstrap` failed at stage Run, error: + exec: "debootstrap": executable file not found in $PATH ``` The first message (`fakemachine not supported`) from log above appears @@ -134,92 +143,109 @@ Although, I'm not sure if this is a strict requirement in order to run `qemu`. It seems `debootstrap` is at `/usr/sbin/debootstrap` - so not in user's default `PATH`: -``` +```bash export PATH=$PATH:/usr/sbin ``` Another try: -``` +```bash 2018/07/26 13:54:37 fakemachine not supported, running on the host! 2018/07/26 13:54:37 ==== debootstrap ==== 2018/07/26 13:54:37 Debootstrap | E: debootstrap can only run as root -2018/07/26 13:54:37 debootstrap.log | cat: /home/osboxes/.debos-418422200/root/debootstrap/debootstrap.log: No such file or directory -2018/07/26 13:54:37 Action `debootstrap` failed at stage Run, error: exit status 1 +2018/07/26 13:54:37 debootstrap.log | cat: + /home/osboxes/.debos-418422200/root/debootstrap/debootstrap.log: + No such file or directory +2018/07/26 13:54:37 Action `debootstrap` failed at stage Run, error: + exit status 1 ``` Of course. I don't mind running as `root` to see how far can we go this time (we are in `VirtualBox` after all): -``` +```bash sudo ~/go/bin/debos ~/go/src/github.com/go-debos/debos/doc/examples/example.yaml ``` The privileged run failed at: -``` -2018/07/26 13:36:38 Debootstrap (stage 2) | chroot: failed to run command ‘/debootstrap/debootstrap’: Exec format error -2018/07/26 13:36:38 debootstrap.log | gpgv: Signature made Thu Jul 26 10:21:51 2018 EDT -2018/07/26 13:36:38 debootstrap.log | gpgv: using RSA key A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553 -2018/07/26 13:36:38 debootstrap.log | gpgv: Good signature from "Debian Archive Automatic Signing Key (7.0/wheezy) " -2018/07/26 13:36:38 debootstrap.log | gpgv: Signature made Thu Jul 26 10:21:51 2018 EDT -2018/07/26 13:36:38 debootstrap.log | gpgv: using RSA key 126C0D24BD8A2942CC7DF8AC7638D0442B90D010 -2018/07/26 13:36:38 debootstrap.log | gpgv: Good signature from "Debian Archive Automatic Signing Key (8/jessie) " -2018/07/26 13:36:38 debootstrap.log | gpgv: Signature made Thu Jul 26 10:21:51 2018 EDT -2018/07/26 13:36:38 debootstrap.log | gpgv: using RSA key 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC -2018/07/26 13:36:38 debootstrap.log | gpgv: Good signature from "Debian Archive Automatic Signing Key (9/stretch) " -2018/07/26 13:36:38 Action `debootstrap` failed at stage Run, error: exit status 126 -``` - -It seems to me that no correct `qemu-static` is called in order to run -`arm64` binary. - -When building for the host archtiecture: - -``` -sudo ~/go/bin/debos -t architecture:"amd64" ~/go/src/github.com/go-debos/debos/doc/examples/example.yaml +```bash +2018/07/26 13:36:38 Debootstrap (stage 2) | chroot: failed to run command + ‘/debootstrap/debootstrap’: Exec format error +2018/07/26 13:36:38 debootstrap.log | gpgv: Signature made + Thu Jul 26 10:21:51 2018 EDT +2018/07/26 13:36:38 debootstrap.log | gpgv: using RSA key + A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553 +2018/07/26 13:36:38 debootstrap.log | gpgv: Good signature from "Debian Archive + Automatic Signing Key (7.0/wheezy) " +2018/07/26 13:36:38 debootstrap.log | gpgv: Signature made + Thu Jul 26 10:21:51 2018 EDT +2018/07/26 13:36:38 debootstrap.log | gpgv: using RSA key + 126C0D24BD8A2942CC7DF8AC7638D0442B90D010 +2018/07/26 13:36:38 debootstrap.log | gpgv: Good signature from "Debian Archive + Automatic Signing Key (8/jessie) " +2018/07/26 13:36:38 debootstrap.log | gpgv: Signature made + Thu Jul 26 10:21:51 2018 EDT +2018/07/26 13:36:38 debootstrap.log | gpgv: using RSA key + 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC +2018/07/26 13:36:38 debootstrap.log | gpgv: Good signature from "Debian Archive + Automatic Signing Key (9/stretch) " +2018/07/26 13:36:38 Action `debootstrap` failed at stage Run, + error: exit status 126 +``` + +It seems to me that no correct `qemu-static` is called in order to run `arm64` +binary. + +When building for the host architecture: + +```bash +sudo ~/go/bin/debos -t architecture:"amd64" + ~/go/src/github.com/go-debos/debos/doc/examples/example.yaml ``` After a while, **almost** success: -``` +```bash 2018/07/26 14:00:39 Debootstrap | I: Base system installed successfully. -2018/07/26 14:00:39 Action `debootstrap` failed at stage Run, error: exec: "systemd-nspawn": executable file not found in $PATH +2018/07/26 14:00:39 Action `debootstrap` failed at stage Run, error: + exec: "systemd-nspawn": executable file not found in $PATH ``` Another package missing, namely `systemd-container`: -``` +```bash sudo apt install systemd-container ``` And finally, we have our image: -``` +```bash 2018/07/26 14:11:45 ==== overlay ==== -Overlaying /home/osboxes/go/src/github.com/go-debos/debos/doc/examples/overlays/sudo on /home/osboxes/.debos-414397177/root +Overlaying + /home/osboxes/go/src/github.com/go-debos/debos/doc/examples/overlays/sudo + on /home/osboxes/.debos-414397177/root 2018/07/26 14:11:45 ==== run ==== 2018/07/26 14:11:45 ==== pack ==== 2018/07/26 14:11:45 Compression to /home/osboxes/debian-stretch-amd64.tgz 2018/07/26 14:11:56 ==== Recipe done ``` -``` +```bash 88M debian-stretch-amd64.tgz ``` ## Third approach - docker container -With above problems in mind, it seems like mandatory to package all those -things in a portable, easy-to-use container. In fact, this is one of the items -from the +With above problems in mind, it seems like mandatory to package all those things +in a portable, easy-to-use container. In fact, this is one of the items from the [project's TODO list](https://github.com/go-debos/debos/blob/master/TODO#L12). -Thanks to the `VirtualBox` triage I am already armed with a list of -dependencies and potential issues to come. +Thanks to the `VirtualBox` triage I am already armed with a list of dependencies +and potential issues to come. I've noticed that `fakemachine` already has a -[Dockerfile](https://github.com/go-debos/fakemachine/blob/master/Dockerfile), -so I had something to take a look at. However, it seems to be used to build +[Dockerfile](https://github.com/go-debos/fakemachine/blob/master/Dockerfile), so +I had something to take a look at. However, it seems to be used to build `fakemachine` at container runtime, which is not exactly our target if we want to push the functional `debos` image to the `Docker Hub`. @@ -231,38 +257,50 @@ image, only the runtime ones). I ended up with [the following Dockerfile](https://github.com/3mdeb/debos/blob/add-dockerfile/docker/Dockerfile). -``` +```bash ./docker/run.sh -t architecture:"amd64" doc/examples/example.yaml ``` -``` -2018/07/26 18:36:39 Debootstrap (stage 2) | chroot: failed to run command '/debootstrap/debootstrap': Exec format error -2018/07/26 18:36:39 debootstrap.log | gpgv: Signature made Thu Jul 26 14:21:51 2018 UTC -2018/07/26 18:36:39 debootstrap.log | gpgv: using RSA key A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553 -2018/07/26 18:36:39 debootstrap.log | gpgv: Good signature from "Debian Archive Automatic Signing Key (7.0/wheezy) " -2018/07/26 18:36:39 debootstrap.log | gpgv: Signature made Thu Jul 26 14:21:51 2018 UTC -2018/07/26 18:36:39 debootstrap.log | gpgv: using RSA key 126C0D24BD8A2942CC7DF8AC7638D0442B90D010 -2018/07/26 18:36:39 debootstrap.log | gpgv: Good signature from "Debian Archive Automatic Signing Key (8/jessie) " -2018/07/26 18:36:39 debootstrap.log | gpgv: Signature made Thu Jul 26 14:21:51 2018 UTC -2018/07/26 18:36:39 debootstrap.log | gpgv: using RSA key 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC -2018/07/26 18:36:39 debootstrap.log | gpgv: Good signature from "Debian Archive Automatic Signing Key (9/stretch) " -2018/07/26 18:36:39 Action `debootstrap` failed at stage Run, error: exit status 126 +```bash +2018/07/26 18:36:39 Debootstrap (stage 2) | chroot: failed to run command + '/debootstrap/debootstrap': Exec format error +2018/07/26 18:36:39 debootstrap.log | gpgv: Signature made + Thu Jul 26 14:21:51 2018 UTC +2018/07/26 18:36:39 debootstrap.log | gpgv: using RSA key + A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553 +2018/07/26 18:36:39 debootstrap.log | gpgv: Good signature from "Debian Archive + Automatic Signing Key (7.0/wheezy) " +2018/07/26 18:36:39 debootstrap.log | gpgv: Signature made + Thu Jul 26 14:21:51 2018 UTC +2018/07/26 18:36:39 debootstrap.log | gpgv: using RSA key + 126C0D24BD8A2942CC7DF8AC7638D0442B90D010 +2018/07/26 18:36:39 debootstrap.log | gpgv: Good signature from "Debian + Archive Automatic Signing Key (8/jessie) " +2018/07/26 18:36:39 debootstrap.log | gpgv: Signature made + Thu Jul 26 14:21:51 2018 UTC +2018/07/26 18:36:39 debootstrap.log | gpgv: using RSA key + 16E90B3FDF65EDE3AA7F323C04EE7237B7D453EC +2018/07/26 18:36:39 debootstrap.log | gpgv: Good signature from "Debian Archive + Automatic Signing Key (9/stretch) " +2018/07/26 18:36:39 Action `debootstrap` failed at stage Run, error: + exit status 126 Powering off. ``` And the build for host architecture: -``` +```bash ./docker/run.sh -t architecture:"amd64" doc/examples/example.yaml ``` Finished just fine: -``` +```bash 2018/07/26 19:20:30 ==== overlay ==== Overlaying /root/doc/examples/overlays/sudo on /scratch/root 2018/07/26 19:20:30 ==== run ==== -2018/07/26 19:20:30 echo debian > /etc/hostname | host's /etc/localtime is not a symlink, not updating container timezone. +2018/07/26 19:20:30 echo debian > /etc/hostname | host's /etc/localtime is not + a symlink, not updating container timezone. 2018/07/26 19:20:30 ==== pack ==== 2018/07/26 19:20:30 Compression to /root/debian-stretch-amd64.tgz Powering off. @@ -281,8 +319,8 @@ least I have not found any). `debos` seems like a really cool tool for Debian images building without tinkering with `debootrap` and `chroot` script that much. Unfortunately, I was unable to build an image for `arm` or `arm64` so far (which is my main -interest). Maybe on the native installed `Debian` it would just work perfectly -I did not have the opportunity to try it this way. I think that having a docker +interest). Maybe on the native installed `Debian` it would just work perfectly I +did not have the opportunity to try it this way. I think that having a docker container with `debos` tool fits perfectly into this case and would allow many more people to benefit from using it. I will try to push my work upstream and start a discussion, so the cross-building issues will be hopefully resolved. diff --git a/blog/content/post/2018-08-16-pfsense-as-hvm-on-pc-engines-apu2.md b/blog/content/post/2018-08-16-pfsense-as-hvm-on-pc-engines-apu2.md index dde1da0f..557b6d9b 100644 --- a/blog/content/post/2018-08-16-pfsense-as-hvm-on-pc-engines-apu2.md +++ b/blog/content/post/2018-08-16-pfsense-as-hvm-on-pc-engines-apu2.md @@ -15,20 +15,20 @@ categories: - Firmware - OS Dev --- - -Continuing blog post series around Xen and IOMMU enabling in coreboot we -are reaching a point in which some features seem to work correctly on top of [recent patch series in firmware](https://review.coreboot.org/#/c/coreboot/+/27602/). +Continuing blog post series around Xen and IOMMU enabling in coreboot we are +reaching a point in which some features seem to work correctly on top of +[recent patch series in firmware](https://review.coreboot.org/#/c/coreboot/+/27602/). What we can do at this point is PCI passthrough to guest VMs. Previously trying that on Xen caused problems: -* random hangs -* firmware cause Linux kernel booting issues (hang during boot) -* IOMMU disabled - unable to use PCI passthrough +- random hangs +- firmware cause Linux kernel booting issues (hang during boot) +- IOMMU disabled - unable to use PCI passthrough Now we can see something like that in dom0: -``` +```bash modprobe xen-pciback root@apu2:~# xl pci-assignable-add 02:00.0 [ 136.778839] igb 0000:02:00.0: removed PHC on enp2s0 @@ -38,53 +38,54 @@ root@apu2:~# xl pci-assignable-list 0000:02:00.0 ``` -Of course, after above operation, we can't access `enp2s0` in dom0. Having -the ability to set pass through we can think about creating pfSense HVM and -having isolation between various roles on our PC Engines apu2 router. +Of course, after above operation, we can't access `enp2s0` in dom0. Having the +ability to set pass through we can think about creating pfSense HVM and having +isolation between various roles on our PC Engines apu2 router. What are the pros of that solution: -* price - this is DIY solution where you just pay price of apu2 and spent some +- price - this is DIY solution where you just pay price of apu2 and spent some time with setup, of course, you can also pay for that to companies like 3mdeb, what should be still cheaper than other commercial solutions - this makes it attractive to SOHO -* scalability - you can decide how much resources of your router you want to +- scalability - you can decide how much resources of your router you want to give to the firewall; the remaining pool can be used for other purposes this - saves you a couple of cents on the energy bill -* security - even if attacker get access to pfSense (very unlikely), escaping - VM and gaining full control and persistence on hardware is not possible - without serious Xen bug, on the other hand, bugs in on the other VMs (e.g. - network storage, web application, 3rd party software) cannot be leveraged to - gain control over the router -* virtual machine - VMs by itself have a bunch of advantages, somewhere + saves you a couple of cents on the energy bill +- security - even if attacker get access to pfSense (very unlikely), escaping VM + and gaining full control and persistence on hardware is not possible without + serious Xen bug, on the other hand, bugs in on the other VMs (e.g. network + storage, web application, 3rd party software) cannot be leveraged to gain + control over the router +- virtual machine - VMs by itself have a bunch of advantages, somewhere mentioned above, but other are easier migration, lower cost to introduce in existing network -# Required components +## Required components -* PC Engines apu2c4 -* `pxe-server` - or other means of booting Debian based Dom0 with Xen 4.8 and - Linux 4.14.59 (or any other modern kernel which has correct support enabled - as in [this kernel config](https://github.com/pcengines/apu2-documentation/blob/6b6dc7d1a52f0550aa237746fc236ba07ba9c747/configs/config-4.14.59)) -* 2 connected Ethernet ports -* some storage (min 10GB) +- PC Engines apu2c4 +- `pxe-server` - or other means of booting Debian based Dom0 with Xen 4.8 and + Linux 4.14.59 (or any other modern kernel which has correct support enabled as + in + [this kernel config](https://github.com/pcengines/apu2-documentation/blob/6b6dc7d1a52f0550aa237746fc236ba07ba9c747/configs/config-4.14.59)) +- 2 connected Ethernet ports +- some storage (min 10GB) -# Prepare Xen +## Prepare Xen I'm using `apic=verbose,debug iommu=verbose,debug` for better visibility of Xen configuration. More to that we need some preparation in Dom0: -## Storage +### Storage -``` +```bash pvcreate /dev/sda1 vgcreate vg0 /dev/sda1 lvcreate -npfsense -L10G vg0 ``` -## PCI passthrough +### PCI passthrough -``` +```bash modprobe xen-pciback xl pci-assignable-add 02:00.0 ``` @@ -92,7 +93,7 @@ xl pci-assignable-add 02:00.0 After above commands `02:00.0` should be listed in `xl pci-assignable-list` output: -``` +```bash root@apu2:~# xl pci-assignable-list 0000:02:00.0 ``` @@ -100,11 +101,11 @@ root@apu2:~# xl pci-assignable-list `xl` allows assigning devices even if IOMMU is not present, but it will issue an error during VM creation. -# Xen pfsense.cfg +## Xen pfsense.cfg First let's create -``` +```bash me = "pfSense-2.4.3" builder = "hvm" vcpus = 2 @@ -117,7 +118,7 @@ disk=[ '/root/pfSense-CE-memstick-serial-2.4.3-RELEASE-amd64.img,,hda,rw', '/dev Then you can create VM: -``` +```bash root@apu2:~# xl create pfsense.cfg Parsing config from pfsense.cfg root@apu2:~# xl list @@ -126,17 +127,17 @@ Domain-0 0 512 4 r----- 448.3 pfSense-2.4.3 8 2048 2 r----- 29.5 ``` -# Install pfSense +## Install pfSense After running VM you can attach to console: -``` +```bash xl console 8 ``` You should see pfSense installer boot log: -``` +```bash Booting... KDB: debugger backends: ddb KDB: current backend: ddb @@ -349,11 +350,12 @@ Console type [vt100]: Unfortunately, pfSense had problem getting DHCP offer and didn't configure IP address - we tried to figure out what is wrong but my BSD-fu is low. We also -checked static IP configuration, but there is no result either. This leads us to [ask on the forum](https://forum.netgate.com/topic/133697/pfsense-2-4-3-hvm-with-pci-passthrough-no-packets-received). +checked static IP configuration, but there is no result either. This leads us to +[ask on the forum](https://forum.netgate.com/topic/133697/pfsense-2-4-3-hvm-with-pci-passthrough-no-packets-received). -# Xen debian.cfg +## Xen debian.cfg -``` +```bash name = "debian-9.5.0" builder = "hvm" vcpus = 2 @@ -365,31 +367,31 @@ vnclisten='apu2_ip_addr' boot='d' ``` -Of course, you have to replace `apu2_ip_addr` with correct IP. After `xl create -debian.cfg` you can run VNC (tightvnc worked for me) and proceed with the -installation. +Of course, you have to replace `apu2_ip_addr` with correct IP. After +`xl create debian.cfg` you can run VNC (tightvnc worked for me) and proceed with +the installation. -## PCI passthrough in Debian +### PCI passthrough in Debian -Below screenshot show device `02:00.0`, which is apu2 middle NIC, -passed-through to VM. +Below screenshot show device `02:00.0`, which is apu2 middle NIC, passed-through +to VM. ![Debian lspci](/img/debian-9.5.0-hvm-pci-passthrough.png) PCI passthrough on Debian worked without any issue DHCP offer was received correctly and I could proceed with performance checks. -# Speedtest +## Speedtest -Simplest possible test is comparison of throughput between eth0 and eth1. -The first is connected directly to our company switch and the second connects +Simplest possible test is comparison of throughput between eth0 and eth1. The +first is connected directly to our company switch and the second connects pfSense HVM using PCI passthrough. I used `speedtest-cli v2.0.2`. Results for apu2 Dom0: -``` +```bash (speedtest-venv) root@apu2:~# speedtest-cli Retrieving speedtest.net configuration... Testing from Vectra Broadband (109.241.231.46)... @@ -406,11 +408,11 @@ Results for Debian HVM with NIC PCI passthrough: ![Debian HVM speedtest-cli](/img/speedtest-cli-debian-hvm.png) -# iperf +## iperf Below results are for very simple LAN connection `apu3 -> switch -> apu2`: -``` +```bash (speedtest-venv) root@apu2:~# iperf -s -B 192.168.3.101 ------------------------------------------------------------ Server listening on TCP port 5001 @@ -435,7 +437,7 @@ conclude that PCI passthrough works and there is no overhead when using IOMMU. Below log show results from Debian PV and prove how virtualized drivers lead to performance overhead. -``` +```bash root@debian-pv:~# iperf -c 192.168.3.128 ------------------------------------------------------------ Client connecting to 192.168.3.128, TCP port 5001 @@ -446,121 +448,121 @@ TCP window size: 85.0 KByte (default) [ 3 ] 0.0-10.0 sec 746 MBytes 625 Mbits/sec ``` -# Possible problems +## Possible problems -## xen-pciback not loaded +### xen-pciback not loaded -``` -root@apu2:~# xl create pfsense.cfg +```bash +root@apu2:~## xl create pfsense.cfg Parsing config from pfsense.cfg libxl: error: libxl_pci.c:409:libxl_device_pci_assignable_list: Looks like pciback driver not loaded libxl: error: libxl_pci.c:1225:libxl__device_pci_add: PCI device 0:2:0.0 is not assignable libxl: error: libxl_pci.c:1304:libxl__add_pcidevs: libxl_device_pci_add failed: -3 libxl: error: libxl_create.c:1461:domcreate_attach_devices: unable to add pci devices -libxl: error: libxl.c:1575:libxl__destroy_domid: non-existant domain 1 +libxl: error: libxl.c:1575:libxl__destroy_domid: non-existent domain 1 libxl: error: libxl.c:1534:domain_destroy_callback: unable to destroy guest with domid 1 libxl: error: libxl.c:1463:domain_destroy_cb: destruction of domain 1 failed ``` Solution: -``` +```bash modprobe xen-pciback ``` -## PCI device not assignable +### PCI device not assignable -``` +```bash libxl: error: libxl_pci.c:1225:libxl__device_pci_add: PCI device 0:2:0.0 is not assignable libxl: error: libxl_pci.c:1304:libxl__add_pcidevs: libxl_device_pci_add failed: -3 libxl: error: libxl_create.c:1461:domcreate_attach_devices: unable to add pci devices -libxl: error: libxl.c:1575:libxl__destroy_domid: non-existant domain 2 +libxl: error: libxl.c:1575:libxl__destroy_domid: non-existent domain 2 libxl: error: libxl.c:1534:domain_destroy_callback: unable to destroy guest with domid 2 libxl: error: libxl.c:1463:domain_destroy_cb: destruction of domain 2 failed ``` Assign PCI device using `xl pci-assignable-add`. -## No IOMMU +### No IOMMU -``` -root@apu2:~# xl create pfsense.cfg +```bash +root@apu2:~## xl create pfsense.cfg Parsing config from pfsense.cfg libxl: error: libxl_pci.c:1209:libxl__device_pci_add: PCI device 0000:02:00.0 cannot be assigned - no IOMMU? libxl: error: libxl_pci.c:1304:libxl__add_pcidevs: libxl_device_pci_add failed: -1 libxl: error: libxl_create.c:1461:domcreate_attach_devices: unable to add pci devices -libxl: error: libxl.c:1575:libxl__destroy_domid: non-existant domain 9 +libxl: error: libxl.c:1575:libxl__destroy_domid: non-existent domain 9 libxl: error: libxl.c:1534:domain_destroy_callback: unable to destroy guest with domid 9 libxl: error: libxl.c:1463:domain_destroy_cb: destruction of domain 9 failed ``` -This error means you don't have IOMMU correctly enabled. For AMD platforms `xl -dmesg` contain: +This error means you don't have IOMMU correctly enabled. For AMD platforms +`xl dmesg` contain: -``` -root@apu2:~# xl dmesg|grep -i iommu +```bash +root@apu2:~## xl dmesg|grep -i iommu (XEN) AMD-Vi: IOMMU not found! ``` -## Lack of block backend +### Lack of block backend `xen-blkback` should be loaded or compiled in otherwise blow error pop-up. -``` -root@apu2:~# xl create pfsense.cfg +```bash +root@apu2:~## xl create pfsense.cfg Parsing config from pfsense.cfg libxl: error: libxl_device.c:1086:device_backend_callback: unable to add device with path /local/domain/0/backend/vbd/1/51712 libxl: error: libxl_create.c:1255:domcreate_launch_dm: unable to add disk devices libxl: error: libxl_device.c:1086:device_backend_callback: unable to remove device with path /local/domain/0/backend/vbd/1/51712 libxl: error: libxl.c:1647:devices_destroy_cb: libxl__devices_destroy failed for 1 -libxl: error: libxl.c:1575:libxl__destroy_domid: non-existant domain 1 +libxl: error: libxl.c:1575:libxl__destroy_domid: non-existent domain 1 libxl: error: libxl.c:1534:domain_destroy_callback: unable to destroy guest with domid 1 libxl: error: libxl.c:1463:domain_destroy_cb: destruction of domain 1 failed ``` -## Crash after couple tries +### Crash after couple tries After a couple tries of creating pfSense VM I faced below error: -``` -root@apu2:~# xl create pfsense.cfg +```bash +root@apu2:~## xl create pfsense.cfg Parsing config from pfsense.cfg libxl: error: libxl_exec.c:118:libxl_report_child_exitstatus: /etc/xen/scripts/block add [490] exited with error status 1 libxl: error: libxl_device.c:1237:device_hotplug_child_death_cb: script: Failed to find an unused loop device libxl: error: libxl_create.c:1255:domcreate_launch_dm: unable to add disk devices libxl: error: libxl_exec.c:118:libxl_report_child_exitstatus: /etc/xen/scripts/block remove [604] exited with error status 1 libxl: error: libxl_device.c:1237:device_hotplug_child_death_cb: script: /etc/xen/scripts/block failed; error detected. -libxl: error: libxl.c:1575:libxl__destroy_domid: non-existant domain 1 +libxl: error: libxl.c:1575:libxl__destroy_domid: non-existent domain 1 libxl: error: libxl.c:1534:domain_destroy_callback: unable to destroy guest with domid 1 libxl: error: libxl.c:1463:domain_destroy_cb: destruction of domain 1 failed ``` Solution: recompile kernel with `BLK_DEV_LOOP` -## Read-only not supported +### Read-only not supported -``` -root@apu2:~# xl create pfsense.cfg +```bash +root@apu2:~## xl create pfsense.cfg Parsing config from pfsense.cfg libxl: error: libxl_dm.c:1433:libxl__build_device_model_args_new: qemu-xen doesn't support read-only IDE disk drivers libxl: error: libxl_dm.c:2182:device_model_spawn_outcome: (null): spawn failed (rc=-6) libxl: error: libxl_create.c:1504:domcreate_devmodel_started: device model did not start: -6 -libxl: error: libxl.c:1575:libxl__destroy_domid: non-existant domain 1 +libxl: error: libxl.c:1575:libxl__destroy_domid: non-existent domain 1 libxl: error: libxl.c:1534:domain_destroy_callback: unable to destroy guest with domid 1 libxl: error: libxl.c:1463:domain_destroy_cb: destruction of domain 1 failed ``` Solution: change pfsense.cfg by adding `rw` to img file. -# References +## References -* [Install pfSense 2.1 RC0 amd64 on Xen 4.3 as PV HVM](https://forum.netgate.com/topic/58662/howto-install-pfsense-2-1-rc0-amd64-on-xen-4-3-as-pv-hvm) -* [Virtual firewall](https://en.wikipedia.org/wiki/Virtual_firewall) -* [xl.cfg manual for Xen 4.8](https://xenbits.xen.org/docs/4.8-testing/man/xl.cfg.5.html) -* [Unanswered question about DMA attacks](https://security.stackexchange.com/questions/176503/dma-attacks-despite-iommu-isolation) -* [Google blog post about fuzzying PCIe](https://cloudplatform.googleblog.com/2017/02/fuzzing-PCI-Express-security-in-plaintext.html) +- [Install pfSense 2.1 RC0 amd64 on Xen 4.3 as PV HVM](https://forum.netgate.com/topic/58662/howto-install-pfsense-2-1-rc0-amd64-on-xen-4-3-as-pv-hvm) +- [Virtual firewall](https://en.wikipedia.org/wiki/Virtual_firewall) +- [xl.cfg manual for Xen 4.8](https://xenbits.xen.org/docs/4.8-testing/man/xl.cfg.5.html) +- [Unanswered question about DMA attacks](https://security.stackexchange.com/questions/176503/dma-attacks-despite-iommu-isolation) +- [Google blog post about fuzzying PCIe](https://cloudplatform.googleblog.com/2017/02/fuzzing-PCI-Express-security-in-plaintext.html) -# Summary +## Summary I hope this post was useful for you. Please feel free to share your opinion and if you think there is value, then share with friends. @@ -568,9 +570,9 @@ if you think there is value, then share with friends. We plan to present above results during OSFC 2018 feel free to catch us there and ask questions. -We believe there are still many devices with VT-d or AMD-Vi advertised in -specs, but not enabled because of buggy or not-fully-featured firmware. We are -always open to support vendors who want to boot hardware by extending and -improving their firmware. If you are user or vendor struggling with hardware -which cannot be fully utilized because of firmware, feel free to contact us +We believe there are still many devices with VT-d or AMD-Vi advertised in specs, +but not enabled because of buggy or not-fully-featured firmware. We are always +open to support vendors who want to boot hardware by extending and improving +their firmware. If you are user or vendor struggling with hardware which cannot +be fully utilized because of firmware, feel free to contact us `contact3mdebcom`. diff --git a/blog/content/post/2018-08-23-debos-in-docker-the-second-attempt.md b/blog/content/post/2018-08-23-debos-in-docker-the-second-attempt.md index 5ee73452..d1ea12be 100644 --- a/blog/content/post/2018-08-23-debos-in-docker-the-second-attempt.md +++ b/blog/content/post/2018-08-23-debos-in-docker-the-second-attempt.md @@ -27,7 +27,7 @@ response, I've decided to try to move forward by myself. Just to remind - I was stuck at the following error (when building for `arm64`): -``` +```bash 2018/07/26 18:36:39 Debootstrap (stage 2) | chroot: failed to run command '/debootstrap/debootstrap': Exec format error 2018/07/26 18:36:39 debootstrap.log | gpgv: Signature made Thu Jul 26 14:21:51 2018 UTC 2018/07/26 18:36:39 debootstrap.log | gpgv: using RSA key A1BD8E9D78F7FE5C3E65D8AF8B48AD6246925553 @@ -48,16 +48,16 @@ After some research, it seemed like the [binfmt_misc](https://en.wikipedia.org/wiki/Binfmt_misc) support might be missing in my setup. Links with similar issues which were useful: -* [lack of binfmt_misc module during Raspbian building](https://github.com/RPi-Distro/pi-gen/issues/133) -* [similar error on the multiarch-docker-image-generation](https://github.com/osrf/multiarch-docker-image-generation/issues/6#issuecomment-282943316) -* [QemuUser page on the Debian wiki](https://wiki.debian.org/QemuUserEmulation) +- [lack of binfmt_misc module during Raspbian building](https://github.com/RPi-Distro/pi-gen/issues/133) +- [similar error on the multiarch-docker-image-generation](https://github.com/osrf/multiarch-docker-image-generation/issues/6#issuecomment-282943316) +- [QemuUser page on the Debian wiki](https://wiki.debian.org/QemuUserEmulation) -At first, it seemed to be necessary to install `binfmt-support` into the `docker` -image. It is necessary to note, that `binfmt_misc` module on the host must be -loaded (which is not always the case). With those modifications in place, my -`debos` build inside `docker` container failed at: +At first, it seemed to be necessary to install `binfmt-support` into the +`docker` image. It is necessary to note, that `binfmt_misc` module on the host +must be loaded (which is not always the case). With those modifications in +place, my `debos` build inside `docker` container failed at: -``` +```bash 2018/08/21 19:17:06 Debootstrap (stage 2) | W: Failure trying to run: mount -t proc proc /proc 2018/08/21 19:17:06 Debootstrap (stage 2) | W: See //debootstrap/debootstrap.log for details 2018/08/21 19:17:06 debootstrap.log | gpgv: Signature made Tue Aug 21 14:20:20 2018 UTC @@ -73,19 +73,18 @@ loaded (which is not always the case). With those modifications in place, my 2018/08/21 19:17:06 Action `debootstrap` failed at stage Run, error: exit status 1 ``` -To overcome this `/proc` access issue I have decided to run the container in -the +To overcome this `/proc` access issue I have decided to run the container in the [privileged mode](https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities). -Generally, I try to avoid doing that whenever not strictly required. Scoping -the actual access requirements and reducing the container access to the host -system might be another task to look at. For now, I'm sticking with the -`privileged` mode enabled without much deeper analysis. +Generally, I try to avoid doing that whenever not strictly required. Scoping the +actual access requirements and reducing the container access to the host system +might be another task to look at. For now, I'm sticking with the `privileged` +mode enabled without much deeper analysis. ## One more issue One more issue to solve was: -``` +```bash 2018/08/21 14:17:53 debootstrap.log | Processing triggers for libc-bin (2.27-5) ... 2018/08/21 14:17:53 debootstrap.log | /debootstrap/debootstrap: 1363: /debootstrap/debootstrap: cannot open //var/lib/apt/lists/debootstrap.invalid_dists_buster_main|contrib|no n-free_binary-arm64_Packages: No such file @@ -97,11 +96,11 @@ It appears that there is a [debootstrap bug report](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=806780) hanging in the `Debian` bug tracker since the `Dec 2015`. The issue [was resolved](https://salsa.debian.org/installer-team/debootstrap/commit/792ab830a892ccfaaca156eace00172d3432023a) -in the `debootstrap` `1.0.96`. Unfortunately, the `debootstrap` version shipped +in the `debootstrap` `1.0.96`. Unfortunately, the `debootstrap` version shipped in my `Debian Stretch` container is `1.0.89`. As a quick solution, I decided to provide the patch manually: -``` +```bash COPY files/0001-Fix-multiple-components-usage-for-foreign.patch /usr/share/debootstrap RUN cd /usr/share/debootstrap && \ patch < 0001-Fix-multiple-components-usage-for-foreign.patch && \ @@ -114,7 +113,7 @@ A much cleaner solution would be to install `debootstrap` from [stretch-backports](https://packages.debian.org/stretch-backports/debootstrap), which bumps the version to `1.0.100`: -``` +```bash RUN printf "deb http://httpredir.debian.org/debian stretch-backports main non-free\ndeb-src http://httpredir.debian.org/debian stretch-backports main non-free" > /etc/apt/sources.list.d/backports.list && \ apt-get update && \ apt-get -t stretch-backports install -y debootstrap && \ @@ -126,7 +125,7 @@ RUN printf "deb http://httpredir.debian.org/debian stretch-backports main non-fr Finally, the `debos` build for `arm64` inside the `docker` container finishes successfully: -``` +```bash 2018/08/21 19:22:48 ==== overlay ==== Overlaying /root/doc/examples/overlays/sudo on /scratch/root 2018/08/21 19:22:48 ==== run ==== diff --git a/blog/content/post/2018-09-13-apu2-validation-with-rte.md b/blog/content/post/2018-09-13-apu2-validation-with-rte.md index 822d0976..195af101 100644 --- a/blog/content/post/2018-09-13-apu2-validation-with-rte.md +++ b/blog/content/post/2018-09-13-apu2-validation-with-rte.md @@ -36,23 +36,24 @@ focus on SPI, RS232 and GPIO interfaces. Our setup requires: -* RTE HAT, -* Orange Pi Zero with compatible OS installed on microSD card, +- RTE HAT, +- Orange Pi Zero with compatible OS installed on microSD card, -> make sure that chosen system has devicetree modificated specially for OrangePi, - e.g. Armbian or Yocto OS +> make sure that chosen system has devicetree modificated specially for +> OrangePi, e.g. Armbian or Yocto OS -* APU2 computer platform, -* 5V/2A micro USB power supply for RTE, -* 12V/2A DC 5.5/2.5 mm power supply for APU2, -* 1 x DC Jack to DC Jack 5.5/2.5 mm, -* 2 x Ethernet cable, -* RS232 null modem cable or 3(5) connection wires depending on the chosen option, -* IDC 2x4 pin cable or 5 connection wires for SPI. +- APU2 computer platform, +- 5V/2A micro USB power supply for RTE, +- 12V/2A DC 5.5/2.5 mm power supply for APU2, +- 1 x DC Jack to DC Jack 5.5/2.5 mm, +- 2 x Ethernet cable, +- RS232 null modem cable or 3(5) connection wires depending on the chosen + option, +- IDC 2x4 pin cable or 5 connection wires for SPI. ![All required items](/img/rte-apu-all-items.jpg) -#### Preparations +### Preparations Plug microSD card to Orange Pi Zero slot and then connect RTE HAT with OPi header. @@ -86,8 +87,8 @@ Alternatively, SPI connection can be realized with IDC 8 pin wire, but 7th and #### Serial Serial connection can be established by RS232 D-Sub - D-Sub null modem cable. -Connect RTE J14 DB9 connector with APU2. In case if you don't have this kind -of equipment, short RS232 connector pins in the following way: +Connect RTE J14 DB9 connector with APU2. In case if you don't have this kind of +equipment, short RS232 connector pins in the following way: Without hardware flow control: @@ -137,12 +138,12 @@ Full setup with all required connections is shown below: ## Theory of Operation -Remote work assumes an active network connection, therefore the IP -address of the RTE device should be checked beforehand. By default it's -configured by DHCP, but I'm using RTE with static IP set to `192.168.3.105`. To -establish a connection, type: +Remote work assumes an active network connection, therefore the IP address of +the RTE device should be checked beforehand. By default it's configured by DHCP, +but I'm using RTE with static IP set to `192.168.3.105`. To establish a +connection, type: -``` +```bash ssh root@192.168.3.105 ``` @@ -150,7 +151,7 @@ and login as root user - in this example I'm suggesting to use Armbian OS, but another viable choice is Yocto RTE meta layer. Next open telnet connection to enable APU2 console preview. Check if ser2net redirection is configured: -``` +```bash root@orange-pi-zero:~# cat /etc/ser2net.conf 13541:telnet:600:/dev/ttyS1:115200 8DATABITS NONE 1STOPBIT 13542:telnet:600:/dev/ttyUSB0:115200 8DATABITS NONE 1STOPBIT @@ -158,9 +159,10 @@ root@orange-pi-zero:~# cat /etc/ser2net.conf Open a new terminal or use `tmux` for split screen view and type: -``` +```bash telnet 192.168.3.105 13541 ``` + > we are using DB9 connector which is mapped to `/dev/ttyS1` Now, we have the ability to control Device Under Test from our personal computer @@ -171,14 +173,14 @@ procedure. I will use mainline release v4.8.0.2 from PC Engines [github](https://pcengines.github.io/) site. Generally, it's an easy task. First, power on DUT by typing: -``` +```bash root@orange-pi-zero:~# echo 1 > /sys/class/gpio/gpio199/value ``` -Save the APU2 console boot log for firmware version validation. In my example -it is: +Save the APU2 console boot log for firmware version validation. In my example it +is: -``` +```bash PC Engines apu2 coreboot build 20180608 BIOS version v4.8.0.1 @@ -187,13 +189,13 @@ BIOS version v4.8.0.1 Send target firmware image via ssh, e.g. -``` +```bash scp apu2_v4.8.0.2.rom root@192.168.3.105:/tmp/coreboot.rom ``` Run commands manually or create a shell script: -```sh +```bashsh #!/bin/bash # power on APU2 platform with relay @@ -216,7 +218,7 @@ echo 0 > /sys/class/gpio/gpio410/value Example flashrom output after flash verification: -``` +```bash flashrom v0.9.9-r1955 on Linux 4.17.2 (armv7l) flashrom is free software, get the source code at https://flashrom.org @@ -229,7 +231,7 @@ Verifying flash... VERIFIED. New APU2 console boot log: -``` +```bash PC Engines apu2 coreboot build 20180705 BIOS version v4.8.0.2 diff --git a/blog/content/post/2018-09-27-optimize-performance-in-docker.md b/blog/content/post/2018-09-27-optimize-performance-in-docker.md index 364edb48..e1a9585f 100644 --- a/blog/content/post/2018-09-27-optimize-performance-in-docker.md +++ b/blog/content/post/2018-09-27-optimize-performance-in-docker.md @@ -17,39 +17,40 @@ categories: In 3mdeb we use Docker heavily. Main tasks that we perform using it are: -* firmware and embedded software building - each software in Embedded System +- firmware and embedded software building - each software in Embedded System requires little bit different building environment, configuring those - development environments on your host may quickly make a mess in your system for - daily use, because of that we created various containers which I enumerate + development environments on your host may quickly make a mess in your system + for daily use, because of that we created various containers which I enumerate below -* trainings/workshops - when we perform trainings we don't want to waste time +- trainings/workshops - when we perform trainings we don't want to waste time for users to reconfigure the environment. In general, we have 2 choices: VM or containers. Since we use containers for building and development we prefer containers or containers in VMs while performing trainings. -* rootfs building for infrastructure deployment - we maintain [pxe-server](https://github.com/3mdeb/pxe-server) - project which helps us in firmware testing and development. In that project we - have a need for custom rootfs and kernels, we decided to combine Docker and - Ansible for a reliable building of that infrastructure +- rootfs building for infrastructure deployment - we maintain + [pxe-server](https://github.com/3mdeb/pxe-server) project which helps us in + firmware testing and development. In that project we have a need for custom + rootfs and kernels, we decided to combine Docker and Ansible for a reliable + building of that infrastructure To list some of our repositories: -* [yocto-docker](https://github.com/3mdeb/yocto-docker) - container for - building Yocto -* [edk2-docker](https://github.com/3mdeb/edk2-docker) - container for building +- [yocto-docker](https://github.com/3mdeb/yocto-docker) - container for building + Yocto +- [edk2-docker](https://github.com/3mdeb/edk2-docker) - container for building edk2 UEFI specification open source implementation -* [xen-docker](https://github.com/3mdeb/xen-docker) - container for building - Xen hypervisor -* [debian-rootfs-builder](https://github.com/3mdeb/debian-rootfs-builder) - +- [xen-docker](https://github.com/3mdeb/xen-docker) - container for building Xen + hypervisor +- [debian-rootfs-builder](https://github.com/3mdeb/debian-rootfs-builder) - container for building Debian rootfs and Linux kernels -* [armbian-docker](https://github.com/3mdeb/armbian-docker) - docker for +- [armbian-docker](https://github.com/3mdeb/armbian-docker) - docker for building Armbian Debian distribution for various ARM platforms -* [zephyr-docker](https://github.com/3mdeb/zephyr-docker) - container for +- [zephyr-docker](https://github.com/3mdeb/zephyr-docker) - container for building Zephyr RTOS -* [esp-open-sdk-docker](https://github.com/3mdeb/esp-open-sdk-docker) - - container for bulding ESP Open SDK Espressify Open RTOS -* [docker-mbed-cli](https://github.com/3mdeb/docker-mbed-cli) - container for +- [esp-open-sdk-docker](https://github.com/3mdeb/esp-open-sdk-docker) - + container for building ESP Open SDK Espressify Open RTOS +- [docker-mbed-cli](https://github.com/3mdeb/docker-mbed-cli) - container for building and running CLI of mbedOS -* [arch-pkg-builder](https://github.com/3mdeb/arch-pkg-builder) - container for +- [arch-pkg-builder](https://github.com/3mdeb/arch-pkg-builder) - container for building Arch packages Some are actively maintained, some are not, some came from other projects, some @@ -60,27 +61,29 @@ Those solutions are great but we think it is very important in all those use cases to optimize performance. To clarify we have to distinguish the most time-consuming tasks in above containers: -* code compilation - there are books about that topic, but since we use mostly +- code compilation - there are books about that topic, but since we use mostly Linux, we think that key factor is to have support for [ccache](https://ccache.samba.org/) and this is our first goal in this post -* packages installation - even when you are using `httpredir` for `apt` you +- packages installation - even when you are using `httpredir` for `apt` you still will spent a significant amount of time installing and downloading, because of that it is very important to have locally or on server in LAN `apt` caching proxy like `apt-cacher-ng`, we will show how to use it with Docker on build and runtime -# ccache +## ccache Following example will show `ccache` usage with `xen-docker`. Great post about -that topic was published by Tim Potter [here](http://web.archive.org/web/20190216233955/http://frungy.org/docker/using-ccache-with-docker). +that topic was published by Tim Potter +[here](http://web.archive.org/web/20190216233955/http://frungy.org/docker/using-ccache-with-docker). Of course, to use `ccache` in our container we need it installed, so make sure -your `Dockerfile` contains that package. You can take a look at [xen-docker Dockerfile](https://github.com/3mdeb/xen-docker/blob/master/Dockerfile#L15). +your `Dockerfile` contains that package. You can take a look at +[xen-docker Dockerfile](https://github.com/3mdeb/xen-docker/blob/master/Dockerfile#L15). I installed `ccache` on my host to control its content: -``` +```bash cache directory /home/pietrushnic/.ccache primary config /home/pietrushnic/.ccache/ccache.conf secondary config (readonly) /etc/ccache.conf @@ -94,37 +97,33 @@ cache size 0.0 kB max cache size 5.0 GB ``` -Moreover it is important to pay attention to directory structure and -volumes, because we can easy end up with not working `ccache`. Of course clear -indication that `ccache` works is that it show some statistics. Configuration -of `ccache` in Docker files should look like this: +Moreover it is important to pay attention to directory structure and volumes, +because we can easy end up with not working `ccache`. Of course clear indication +that `ccache` works is that it show some statistics. Configuration of `ccache` +in Docker files should look like this: -``` +```bash ENV PATH="/usr/lib/ccache:${PATH}" RUN mkdir /home/xen/.ccache && \ - chown xen:xen /home/xen/.ccache + chown xen:xen /home/xen/.ccache ``` Then to run container with `ccache` we can pass our `~/.ccache` as volume. For single-threaded compilation assuming you checked out correct code and called -`./configure`: - -``` +`./configure`. -``` - -Before we start testing performance we also have to mention terminology little -bit, below we use terms `cold cache` and `hot cache`, this was greatly -explained on [StackOverflow](https://stackoverflow.com/questions/22756092/what-does-it-mean-by-cold-cache-and-warm-cache-concept) +Before we start testing performance we also have to mention terminology little +bit, below we use terms `cold cache` and `hot cache`, this was greatly explained +on +[StackOverflow](https://stackoverflow.com/questions/22756092/what-does-it-mean-by-cold-cache-and-warm-cache-concept) so I will not repeat myself. In short cold means empty and hot means that there are some values from previous runs. - ## Performance measures No `ccache` single-threaded: -``` +```bash docker run --rm -it -v $PWD:/home/xen -w /home/xen 3mdeb/xen-docker \ make debball| ts -s '[%.T]' (...) @@ -133,7 +132,7 @@ make debball| ts -s '[%.T]' No `ccache` multi-threaded: -``` +```bash docker run --rm -it -v $PWD:/home/xen -w /home/xen 3mdeb/xen-docker \ make -j$(nproc) debball| ts -s '[%.T]' (...) @@ -142,7 +141,7 @@ make -j$(nproc) debball| ts -s '[%.T]' Let's make sure ccache is empty -``` +```bash [22:52:57] pietrushnic:~ $ ccache -zcC Statistics cleared Cleaned cache @@ -151,7 +150,7 @@ Cleared cache Cold cache: -``` +```bash docker run --rm -it -e CCACHE_DIR=/home/xen/.ccache -v $PWD:/home/xen \ -v $HOME/.ccache:/home/xen/.ccache -w /home/xen 3mdeb/xen-docker make -j$(nproc) \ @@ -162,7 +161,7 @@ debball | ts -s '[%.T]' And the stats of `ccache`: -``` +```bash cache directory /home/pietrushnic/.ccache primary config /home/pietrushnic/.ccache/ccache.conf secondary config (readonly) /etc/ccache.conf @@ -190,7 +189,7 @@ max cache size 5.0 GB Hot cache: -``` +```bash docker run --rm -it -e CCACHE_DIR=/home/xen/.ccache -v $PWD:/home/xen \ -v $HOME/.ccache:/home/xen/.ccache -w /home/xen 3mdeb/xen-docker make -j$(nproc) \ debball | ts -s '[%.T]' @@ -200,7 +199,7 @@ debball | ts -s '[%.T]' And the stats of `ccache`: -``` +```bash cache directory /home/pietrushnic/.ccache primary config /home/pietrushnic/.ccache/ccache.conf secondary config (readonly) /etc/ccache.conf @@ -233,22 +232,22 @@ To conclude, we can gain even 30% with hot cache. Biggest gain we have when using multithreading, but this highly depends on CPU, in my case I had 8 jobs run simultaneously and gain was 40% in compilation time. -# apt-cacher-ng +## apt-cacher-ng -There 2 use case for `apt-cacher-ng` in our workflows. One is Docker build -time, which can be time-consuming since all packages and its dependencies are +There 2 use case for `apt-cacher-ng` in our workflows. One is Docker build time, +which can be time-consuming since all packages and its dependencies are installed in the base image. Second is runtime, when you need some package that may have extensive dependencies e.g. `xen-systema-amd64`. First, let's setup `apt-cacher-ng`. Some guide may be found in -[Docker documentation](https://hub.docker.com/r/sameersbn/apt-cacher-ng), -but we will modify it a little bit. +[Docker documentation](https://hub.docker.com/r/sameersbn/apt-cacher-ng), but we +will modify it a little bit. Ideally, we would like to use `docker compose` to set up `apt-cacher-ng` container whenever it is not set, or have dedicated VM which serves this purpose. In this post, we consider local cache. Dockerfile may look like this: -``` +```bash FROM ubuntu RUN apt-get update && apt-get install -y apt-cacher-ng @@ -259,7 +258,7 @@ CMD chmod 777 /var/cache/apt-cacher-ng && /etc/init.d/apt-cacher-ng start && Build and run: -``` +```bash docker build -t apt-cacher . docker run -d -p 3142:3142 -v $PWD/apt_cache:/var/cache/apt-cacher-ng --name cacher-container apt-cacher docker logs -f cacher-container @@ -267,7 +266,7 @@ docker logs -f cacher-container The output should look like this: -``` +```bash * Starting apt-cacher-ng apt-cacher-ng WARNING: No configuration was read from file:sfnet_mirrors ...done. @@ -278,20 +277,20 @@ WARNING: No configuration was read from file:sfnet_mirrors We should also see that cacher listens on port `3142`: -``` +```bash [16:40:01] pietrushnic:~ $ netstat -an |grep 3142 tcp6 0 0 :::3142 :::* LISTEN ``` Dockerfile should contain following environment variable: -``` +```bash ENV http_proxy ${http_proxy} ``` Now we can run docker building with appropriate parameters: -``` +```bash docker build --build-arg http_proxy=http://:3142/ -t 3mdeb/xen-docker .| ts -s '[%.T]' ``` @@ -302,7 +301,7 @@ on during container build we are using `ts` from `moreutils` package. Without cacher: -``` +```bash docker build -t 3mdeb/xen-docker .| ts -s '[%.S]' (...) [00:07:13.723282] Successfully tagged 3mdeb/xen-docker:latest @@ -310,7 +309,7 @@ docker build -t 3mdeb/xen-docker .| ts -s '[%.S]' With cold cache: -``` +```bash docker build --build-arg http_proxy=http://:3142/ -t 3mdeb/xen-docker .| ts -s '[%.T]' (...) [00:06:55.051968] Successfully tagged 3mdeb/xen-docker:latest @@ -318,7 +317,7 @@ docker build --build-arg http_proxy=http://:3142/ -t 3mdeb/xen-docker With hot cache: -``` +```bash docker build --build-arg http_proxy=http://:3142/ -t 3mdeb/xen-docker .| ts -s '[%.T]' (...) [00:05:50.237480] Successfully tagged 3mdeb/xen-docker:latest @@ -327,14 +326,14 @@ docker build --build-arg http_proxy=http://:3142/ -t 3mdeb/xen-docker Assuming that the network conditions did not change between runs to extent of 30s delay we can conclude: -* using cacher even with cold cache is better than nothing, it gives the - speedup of about 5% -* using hot cache can spare ~20% of normal container build time, if significant +- using cacher even with cold cache is better than nothing, it gives the speedup + of about 5% +- using hot cache can spare ~20% of normal container build time, if significant amount of that time is package installation Of course, those numbers should be confirmed statistically. -# Let's try something more complex +## Let's try something more complex Finally we can try to run much more sophisticated stuff like our [debian-rootfs-builder](https://github.com/3mdeb/debian-rootfs-builder). This @@ -342,7 +341,7 @@ code contain mostly compilation and package installation through `apt-get`. Initial build statistics were quite bad: -``` +```bash Tuesday 21 August 2018 16:01:58 +0000 (0:00:51.188) 0:42:09.618 ******** =============================================================================== linux-kernel --------------------------------------------------------- 1341.78s @@ -380,7 +379,7 @@ Playbook run took 0 days, 0 hours, 42 minutes, 9 seconds After adding `apt-cacher` this improved a lot - 37%!: -``` +```bash Tuesday 21 August 2018 22:48:46 +0000 (0:00:53.340) 0:26:40.226 ******** =============================================================================== linux-kernel --------------------------------------------------------- 1272.91s @@ -418,7 +417,7 @@ After adding `ccache` with hot cache: `ccache` stats: -``` +```bash cache directory /home/pietrushnic/.ccache primary config /home/pietrushnic/.ccache/ccache.conf secondary config (readonly) /etc/ccache.conf @@ -438,8 +437,7 @@ cache size 1.5 GB max cache size 5.0 GB ``` - -``` +```bash Thursday 23 August 2018 00:41:15 +0000 (0:02:02.608) 0:23:19.962 ******* =============================================================================== linux-kernel ---------------------------------------------------------- 701.42s @@ -480,11 +478,11 @@ This is not significant but we gain another 13% and now build time is reasonable. Still most time-consuming tasks belong to compilation and package installation bucket. -# Summary +## Summary -If you have any other ideas about optimizing code compilation or container -build time please feel free to comment. If this post will gain popularity we -would probably reiterate it with best advices from our readers. +If you have any other ideas about optimizing code compilation or container build +time please feel free to comment. If this post will gain popularity we would +probably reiterate it with best advices from our readers. If you looking for Embedded Systems DevOps, who will optimize your firmware or embedded software build environment, look no more and contact us diff --git a/blog/content/post/2018-10-03-RTE-for-automated-kernel-deployment-and-everyday-use.md b/blog/content/post/2018-10-03-RTE-for-automated-kernel-deployment-and-everyday-use.md index 6c26897a..cffff469 100644 --- a/blog/content/post/2018-10-03-RTE-for-automated-kernel-deployment-and-everyday-use.md +++ b/blog/content/post/2018-10-03-RTE-for-automated-kernel-deployment-and-everyday-use.md @@ -26,32 +26,35 @@ enabling various features in Debian-based dom0. We would like: -* update Linux kernel which is exposed over HTTP server -* update rootfs provided through NFS +- update Linux kernel which is exposed over HTTP server +- update rootfs provided through NFS I will use following components: -* [PC Engines apu2c](http://pcengines.ch/apu2c2.htm) -* [RTE](https://3mdeb.com/rte) -* [pxe-server](https://github.com/3mdeb/pxe-server) - our dockerized HTTP and +- [PC Engines apu2c](http://pcengines.ch/apu2c2.htm) +- [RTE](https://3mdeb.com/rte) +- [pxe-server](https://github.com/3mdeb/pxe-server) - our dockerized HTTP and NFS server -* Xen 4.8 -* Linux kernel 4.14.y +- Xen 4.8 +- Linux kernel 4.14.y My workstation environment is QubesOS 4.0 with Debian stretch VMs, but it should not make any difference. I had to workaround one obstacle related to our environment, which is behind VPN, but I also wanted to access outside world in -my fw-dev VM. More information about there can be found [here](https://groups.google.com/d/msg/qubes-users/UakrAG9Frpc/MP9r6XjtAwAJ) +my fw-dev VM. More information about there can be found +[here](https://groups.google.com/d/msg/qubes-users/UakrAG9Frpc/MP9r6XjtAwAJ) -First, I assume that you have working `pxe-server` and [RTE connected to apu2](https://3mdeb.com/firmware/pc-engines-apu2-platform-validation-with-rte/). +First, I assume that you have working `pxe-server` and +[RTE connected to apu2](https://3mdeb.com/firmware/pc-engines-apu2-platform-validation-with-rte/). We will start with automation of Linux kernel deployment since this is crucial while debugging. -Initially this blog post was motivated with [coreboot development effort to enable IOMMU](https://review.coreboot.org/#/c/coreboot/+/26116/). +Initially this blog post was motivated with +[coreboot development effort to enable IOMMU](https://review.coreboot.org/#/c/coreboot/+/26116/). And error I get with 4.14.50 kernel and mentioned coreboot patches: -``` +```bash [ 0.176137] Translation was enabled for IOMMU:0 but we are not in kdump mode [ 0.184000] AMD-Vi: Command buffer timeout [ 0.184000] AMD-Vi: Command buffer timeout @@ -62,9 +65,9 @@ And error I get with 4.14.50 kernel and mentioned coreboot patches: [ 0.184000] AMD-Vi: Command buffer timeout ``` -# Building kernel with Xen support for apu2 +## Building kernel with Xen support for apu2 -```shell +```bash git clone git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git cd linux-stable git checkout linux-4.14.y @@ -74,21 +77,21 @@ make menuconfig make -j$(nproc) bzImage deb-pkg ``` -Config fetched from github has couple features enabled that make it work as -dom0 e.g. `CONFIG_XEN_DOM0`. +Config fetched from github has couple features enabled that make it work as dom0 +e.g. `CONFIG_XEN_DOM0`. Options that are worth enabling when debugging IOMMU support in Linux kernel is `Enable IOMMU debugging` aka `CONFIG_IOMMU_DEBUG`. -# Ansible for Linux kernel development +## Ansible for Linux kernel development Typically manual procedure of deploying new kernel and rootfs to pxe-server and NFS would look like below: 1. Compile new kernel as described above -2. Update rootfs using `*.deb` packages from point 1 -3. Update kernel using `bzImage` from point 1 -4. Boot new system over iPXE +1. Update rootfs using `*.deb` packages from point 1 +1. Update kernel using `bzImage` from point 1 +1. Boot new system over iPXE `*.deb` packages and `bzImage` packages have to be deployed to NFS server and installed inside rootfs what typically mean `chroot`. Installation with system @@ -96,32 +99,32 @@ booted over NFS is way slower. We assume that server we working with is dedicated for developers. In our infrastructure we have 2 VMs one with production `pxe-server` and one with -development `pxe-server-dev`. After exercising configuration on -`pxe-server-dev` we applying them to production. +development `pxe-server-dev`. After exercising configuration on `pxe-server-dev` +we applying them to production. -## Flat ansible playbook +### Flat ansible playbook -I'm not familiar with Ansible design patters so I made it for now flat +I'm not familiar with Ansible design patterns so I made it for now flat playbook. Rough steps of what was done in below scripts are like this: 1. Copy all `*.deb` files mentioned in command line to pxe-server -2. Mount required subsystems into Debian Dom0 rootfs -3. create script that would be executed in chroot (upgrade and kernel installation) -4. Umount subsystems from point 2 -5. Copy `bzImage` to `/var/netboot/kernels/vmlinuz-dev` -6. Force to update netboot to revision that has support for `*-dev` menu - options +1. Mount required subsystems into Debian Dom0 rootfs +1. create script that would be executed in chroot (upgrade and kernel + installation) +1. Umount subsystems from point 2 +1. Copy `bzImage` to `/var/netboot/kernels/vmlinuz-dev` +1. Force to update netboot to revision that has support for `*-dev` menu options Things left out: -* automatic selection of `*.deb` packages that were created by build process -* previous kernels cleanup in rootfs -* modification of `menu.ipxe` - we rely now on branch in `netboot` repository, +- automatic selection of `*.deb` packages that were created by build process +- previous kernels cleanup in rootfs +- modification of `menu.ipxe` - we rely now on branch in `netboot` repository, this not the best solution, because all modifications go through repository My Xen rootfs looks like that: -```ansible +```bashansible --- - hosts: my_host user: debian @@ -130,7 +133,7 @@ My Xen rootfs looks like that: become_method: su tasks: - # first copy all *.deb files to remote machine + ## first copy all *.deb files to remote machine - name: copy headres copy: src: "{{ headers }}" @@ -155,7 +158,7 @@ My Xen rootfs looks like that: dest: /var/xen/libc.deb group: debian owner: debian - # let's mount required subsystems before chroot + ## let's mount required subsystems before chroot - name: mount /proc mount: src: /proc @@ -177,7 +180,7 @@ My Xen rootfs looks like that: opts: bind fstype: devpts state: mounted - # let's create chroot script + ## let's create chroot script - name: create script for chroot copy: content: | @@ -191,7 +194,7 @@ My Xen rootfs looks like that: mode: "0755" - name: execute script in chroot command: "chroot /var/xen /update_rootfs.sh" - # unmount previously mounted subsystems + ## unmount previously mounted subsystems - name: mount /proc mount: src: /proc @@ -213,22 +216,22 @@ My Xen rootfs looks like that: opts: bind fstype: devtmpfs state: unmounted - # let's add our development kernel and required entry to menu.ipxe + ## let's add our development kernel and required entry to menu.ipxe - name: copy bzImage copy: src: "{{ bzImage }}" dest: /var/netboot/kernels/vmlinuz-dev group: debian owner: debian - # force changed version of netboot repo to provide - # necessary menu.ipxe modifications + ## force changed version of netboot repo to provide + ## necessary menu.ipxe modifications - name: Get netboot repository git: repo: https://github.com/3mdeb/netboot.git version: 5ee81ad561d7898c59ceb422ef19b32b4bcfea56 dest: /var/netboot force: yes - # replace IP in netboot/menu.ipxe + ## replace IP in netboot/menu.ipxe - name: Set NFS server IP in netboot/menu.ipxe replace: path: /var/netboot/menu.ipxe @@ -238,7 +241,7 @@ My Xen rootfs looks like that: Running above code with command similar to: -``` +```bash ansible-playbook -b --ask-become-pass xen-rootfs-update.yml --extra-vars \ " \ headers=/mnt/projects/2018/pcengines/apu/src/linux-headers-4.14.56+_4.14.56+-14_amd64.deb \ @@ -255,20 +258,20 @@ didn't manage to figure out better solution. This script should update rootfs and add required kernel. Now we would like to test what we did with RTE. -# Run Xen Linux dev with RTE +## Run Xen Linux dev with RTE Internally we developed extensive infrastructure that can leverage various features of RTE for example: -* reserve device under test so no one else will intercept test execution - this +- reserve device under test so no one else will intercept test execution - this is great in shared environment -* check hardware configuration if it makes sense to run this test -* automatically support all OSes exposed by `pxe-server` +- check hardware configuration if it makes sense to run this test +- automatically support all OSes exposed by `pxe-server` -To verify our new kernel we would like to use last feature. Simplest `dev.robot` may -look like that: +To verify our new kernel we would like to use last feature. Simplest `dev.robot` +may look like that: -``` +```bash *** Settings *** Library SSHLibrary timeout=20 seconds Library Telnet timeout=20 seconds @@ -296,69 +299,73 @@ DEV1.1 Boot Xen Linux dev There are couple interesting things to explain here: -* we use `rtectrl-rest-api/rtectrl-rest-api.robot` - this library provide - control over GPIO, it is quite easy to implement your own if you have RTE since - it is just interaction with `sysfs` -* `Run iPXE shell`, `iPXE menu`, `iPXE boot entry` came from our iPXE library, +- we use `rtectrl-rest-api/rtectrl-rest-api.robot` - this library provide + control over GPIO, it is quite easy to implement your own if you have RTE + since it is just interaction with `sysfs` +- `Run iPXE shell`, `iPXE menu`, `iPXE boot entry` came from our iPXE library, which just parse PC Engines apu2 serial, it works only with `pxe-server` and - firmware released by 3mdeb at [pcengines.github.io](https://pcengines.github.io/). -* `Serial root login Linux` is just login prompt wrapper with password as + firmware released by 3mdeb at + [pcengines.github.io](https://pcengines.github.io/). +- `Serial root login Linux` is just login prompt wrapper with password as parameter -Also to run above test you need modified Robot Framework which you can find [here](https://github.com/3mdeb/robotframework/tree/get_line_number_containing_string). +Also to run above test you need modified Robot Framework which you can find +[here](https://github.com/3mdeb/robotframework/tree/get_line_number_containing_string). If you are interested in RTE usage please feel free to contact us. Having RTE you can achieve the same goal using various other methods (without our RF scripts). We plan to provide some working examples of RTE and Robot Framework during our -[workshop session](https://osfc.io/talks/remote-testing-environment-rte-workshop) on [Open Source Firmware Conference](https://osfc.io/). +[workshop session](https://www.osfc.io/2018/talks/remote-testing-environment-rte-workshop/) +on [Open Source Firmware Conference](https://osfc.io/). -# How RTE-supported development workflow look like? +## How RTE-supported development workflow look like? Typically you work on your kernel modification and want to run it on hardware, so you point above ansible to deploy code to pxe-server. -You may ask: _why use some external pxe-server and not just install everything locally?_ -This implies couple problems: +You may ask: _why use some external pxe-server and not just install everything +locally?_ This implies couple problems: -* target hardware have to be connected to your local network -* every time you reboot computer you have some additional steps to finish setup -* you can start container automatically, but still it consume resources on your +- target hardware have to be connected to your local network +- every time you reboot computer you have some additional steps to finish setup +- you can start container automatically, but still it consume resources on your local machine which you may use for other purposes (e.g. compilation) -RTE is first about __remote__ and second about __automation__. Of course RTE -and `pxe-server` should always be behind VPN. +RTE is first about **remote** and second about **automation**. Of course RTE and +`pxe-server` should always be behind VPN. Getting back to workflow. It may look like that: -* build custom kernel as described above - time highly depends on your - hardware -* deploy kernel to pxe-server - time: 1min15s -* run test - e.g. booting Xen Linux dev over iPXE RTE time: 1min40s -* rebuild firmware - assuming you use [pce-fw-builder](https://github.com/pcengines/pce-fw-builder) RTE time: ~5min -* firmware flashing and verification - RTE time: 2min (depends how many SPI blocks are different) -* firmware flashing without verification - RTE time: 27s +- build custom kernel as described above - time highly depends on your hardware +- deploy kernel to pxe-server - time: 1min15s +- run test - e.g. booting Xen Linux dev over iPXE RTE time: 1min40s +- rebuild firmware - assuming you use + [pce-fw-builder](https://github.com/pcengines/pce-fw-builder) RTE time: ~5min +- firmware flashing and verification - RTE time: 2min (depends how many SPI + blocks are different) +- firmware flashing without verification - RTE time: 27s Please note that: -* rebuilding firmware is not just building coreboot, but putting together all +- rebuilding firmware is not just building coreboot, but putting together all components (memtest, SeaBIOS, sortbootorder, iPXE) to make sure we didn't - messed something `pce-fw-builder` preform `distclean` every time, we plan to + messed something `pce-fw-builder` perform `distclean` every time, we plan to change that so optionally it will reuse cached repositories, please track [this issue](https://github.com/pcengines/pce-fw-builder/issues/16) -* verification means booting over iPXE to OS and check if flashed version is - the same as version exposed by provided binary +- verification means booting over iPXE to OS and check if flashed version is the + same as version exposed by provided binary -Then you can run `dev.robot` to see -how boot log look like. In my case mentioned at the begging I wanted initially -to get better logs from kernel to continue investigation of repeating: +Then you can run `dev.robot` to see how boot log look like. In my case mentioned +at the begging I wanted initially to get better logs from kernel to continue +investigation of repeating: -``` +```bash AMD-Vi: Command buffer timeout ``` -# Summary +## Summary We strongly believe in automation in firmware and embedded systems development. We think there is not enough validation in coming IoT era. Security requires diff --git a/blog/content/post/2018-10-10-debos-image-for-hummingboard-edge.md b/blog/content/post/2018-10-10-debos-image-for-hummingboard-edge.md index b61f344f..3106ffac 100644 --- a/blog/content/post/2018-10-10-debos-image-for-hummingboard-edge.md +++ b/blog/content/post/2018-10-10-debos-image-for-hummingboard-edge.md @@ -14,6 +14,7 @@ tags: - docker categories: - OS Dev + --- ## Intro @@ -22,19 +23,19 @@ In my previous posts I have shared [my first experience with debos](https://3mdeb.com/os-dev/our-first-look-at-debos-new-debian-images-generator) and [how to run debos in a container](https://3mdeb.com/os-dev/debos-in-docker-the-second-attempt). -In today's post, I'd like to present how can we use all of that to -generate base Debian image for an ARM board. My board of choice for this -particular example will be the +In today's post, I'd like to present how can we use all of that to generate base +Debian image for an ARM board. My board of choice for this particular example +will be the [HummingBoard Edge](https://www.digikey.ch/htmldatasheets/production/1923179/0/0/1/srmx6sowt1d512e008e00ch.html). -The post is inspired by the feedback from the new users -(such as [this one](https://github.com/go-debos/debos/issues/114)) that there -are no end-to-end examples how to quickly start using this tool. +The post is inspired by the feedback from the new users (such as +[this one](https://github.com/go-debos/debos/issues/114)) that there are no +end-to-end examples how to quickly start using this tool. ## HummingBoard Edge upstream support The `Hummingboard Edge` is described in the Linux by the -[hummingboard2 devicetree](https://github.com/torvalds/linux/blob/master/arch/arm/boot/dts/imx6dl-hummingboard2.dts). +[hummingboard2 devicetree](https://github.com/torvalds/linux/blob/v5.19-rc3/arch/arm/boot/dts/imx6q-hummingboard2.dts). It is supported [since the 4.16 Linux release](https://www.phoronix.com/scan.php?page=news_item&px=Linux-4.16-New-ARM-Hardware). I have decided to use the `sid` flavor of `Debian` in order to get quite recent @@ -49,13 +50,13 @@ at the moment of writing). I wanted to create a really base system image, just to try out that it boots properly. I took the -[existing RPI3 recipe](https://github.com/go-debos/debos-recipes/blob/master/debian/arm64/image-rpi3/debimage-rpi3.yaml) +[existing RPI3 recipe](https://github.com/go-debos/debos-recipes/blob/sjoerd/wip/debian/arm64/image-rpi3/debimage-rpi3.yaml) as a starting point. As stated in the previous paragraph, the `sid` flavor of Debian will be used, hence following action in the recipe file appears: -``` +```bash - action: debootstrap suite: "sid" components: @@ -66,9 +67,9 @@ hence following action in the recipe file appears: Some of the following actions are: -* setting the hostname with a `run` action: +- setting the hostname with a `run` action: -``` +```bash - action: run description: Set hostname chroot: true @@ -76,12 +77,13 @@ Some of the following actions are: ``` > note that we can decide with the - [chroot flag](https://godoc.org/github.com/go-debos/debos/actions#hdr-Run_Action) - whether the command shall be executed on the host or in the chrooted environment +> [chroot flag](https://godoc.org/github.com/go-debos/debos/actions#hdr-Run_Action) +> whether the command shall be executed on the host or in the chrooted +> environment -* copying over `extlinux` config files with an `overlay` action: +- copying over `extlinux` config files with an `overlay` action: -``` +```bash - action: overlay description: Install U-boot extlinux menu file source: u-boot @@ -93,9 +95,9 @@ Some of the following actions are: > for root partition etc.), but is perfectly enough for the purpose of this > demonstration. -* installation of the `Linux` and `U-Boot` packages: +- installation of the `Linux` and `U-Boot` packages: -``` +```bash - action: apt description: Install Linux and U-Boot packages recommends: false @@ -109,7 +111,7 @@ final image size, partitions to be created as well as their mount points. Note that the `/etc/fstab` entries will be automatically added for created partitions. -``` +```bash # leave 4MB offset at the image start for U-Boot installation - action: image-partition description: Create partitioned image @@ -135,15 +137,15 @@ As shown in the [mx6cuboxi README](https://github.com/u-boot/u-boot/blob/master/board/solidrun/mx6cuboxi/README), `SPL U-Boot` shall be installed into the device as follows: -``` +```bash sudo dd if=SPL of=/dev/mmcblk0 bs=1k seek=1; sync sudo dd if=u-boot.img of=/dev/mmcblk0 bs=1k seek=69; sync ``` -In `debos`, we can use the `raw` action and use build-in `sector` keyword to +In `debos`, we can use the `raw` action and use built-in `sector` keyword to install binaries at required offsets: -``` +```bash # 'filesystem' origin points to the target root filesystem # 2 sectors = 1K # bs=1K seek=1 @@ -162,18 +164,18 @@ install binaries at required offsets: ``` Note that we can use `filesystem` as an argument for the `origin` in order to -gain access to files located in the filesystem we have generated in the -previous steps. This feature does not seem to be documented somewhere, but I -found such map +gain access to files located in the filesystem we have generated in the previous +steps. This feature does not seem to be documented somewhere, but I found such +map [in the code](https://github.com/go-debos/debos/blob/master/cmd/debos/debos.go#L110). Other useful arguments might be: `artifacts` or `recipe`. -The final actions include deploying filesystem to image and compressing -the final image. Optionally, the +The final actions include deploying filesystem to image and compressing the +final image. Optionally, the [bmap file](https://source.tizen.org/documentation/reference/bmaptool/introduction) can be generated. -``` +```bash - action: filesystem-deploy description: Deploy filesystem to the image @@ -195,13 +197,13 @@ perform `debos` build. I chose to save the [run script](https://github.com/3mdeb/debos-docker/blob/master/run.sh) in my `PATH` for easy execution: -``` +```bash debos-docker debimage-hb2.yaml ``` The end result looks like: -``` +```bash < truncated > 2018/09/19 19:07:19 ==== Install SPL to the image ==== 2018/09/19 19:07:19 ==== Install U-Boot to the image ==== @@ -216,7 +218,7 @@ Powering off. And we should have a final image file: -``` +```bash -rw-r--r-- 1 maciej root 143M wrz 21 11:51 debian-hb2.img.gz ``` @@ -226,26 +228,26 @@ And we should have a final image file: No explanation needed for the `dd` command: -``` +```bash gzip -cdk debian-hb2.img.gz | sudo dd of=/dev/mmcblk0 bs=16M status=progress ``` ### The fancy way -Thanks to the `bmap` file we created, we can use `bmaptools` to flash the -image. Explanation of this tool could be itself a story for another post. More -details can be found in the +Thanks to the `bmap` file we created, we can use `bmaptools` to flash the image. +Explanation of this tool could be itself a story for another post. More details +can be found in the [bmaptool documentation](https://source.tizen.org/documentation/reference/bmaptool/introduction). We might need to install the tool first: -``` +```bash sudo apt install bmap-tools ``` Image can be flashed with following command: -``` +```bash bmaptool copy --bmap debian-hb2.img.img.bmap debian-hb2.img.gz /dev/mmcblk0 ``` @@ -253,9 +255,9 @@ bmaptool copy --bmap debian-hb2.img.img.bmap debian-hb2.img.gz /dev/mmcblk0 It is a good opportunity to show a quick comparison between those two: -* `dd` - 1 minute 18 seconds +- `dd` - 1 minute 18 seconds -``` +```bash time sh -c 'gzip -cdk debian-hb2.img.gz | sudo dd of=/dev/mmcblk0 bs=16M status=progress && sync' 1000000000 bytes (1,0 GB, 954 MiB) copied, 32 s, 31,2 MB/s 0+27202 records in @@ -264,9 +266,9 @@ time sh -c 'gzip -cdk debian-hb2.img.gz | sudo dd of=/dev/mmcblk0 bs=16M status= sh -c 6,62s user 1,27s system 10% cpu 1:18,73 total ``` -* `bmaptool` - 38 seconds +- `bmaptool` - 38 seconds -``` +```bash time sudo sh -c 'bmaptool copy --bmap debian-hb2.img.img.bmap debian-hb2.img.gz /dev/mmcblk0 && sync' bmaptool: info: block map format version 2.0 bmaptool: info: 244141 blocks of size 4096 (953.7 MiB), mapped 110274 blocks (430.8 MiB or 45.2%) @@ -281,7 +283,7 @@ sudo sh -c 8,48s user 1,26s system 25% cpu 38,209 total The boot log: -``` +```bash U-Boot SPL 2018.05+dfsg-1 (May 10 2018 - 20:24:57 +0000) Trying to boot from MMC1 @@ -331,7 +333,7 @@ Starting kernel ... [ 0.000000] Linux version 4.18.0-1-armmp (debian-kernel@lists.debian.org) (gcc version 7.3.0 (Debian 7.3.0-29)) #1 SMP Debian 4.18.6-1 (2018-09-06) [ 0.000000] CPU: ARMv7 Processor [412fc09a] revision 10 (ARMv7), cr=10c5387d -< trucated > +< truncated > Starting Update UTMP about System Runlevel Changes... [ OK ] Started Update UTMP about System Runlevel Changes. @@ -347,9 +349,9 @@ Linux HummingBoard2 4.18.0-1-armmp #1 SMP Debian 4.18.6-1 (2018-09-06) armv7l ## Conclusion As I have shown in this post, `debos` can be quite easily used for building -`Debian` image for an `ARM` platform. This is especially true if such board -has good mainline support and the `Linux` and `U-Boot` packages for it are -already available in the `Debian` package feed. I hope that my post can be -helpful for new `debos` users and that my recipe gets merged into the +`Debian` image for an `ARM` platform. This is especially true if such board has +good mainline support and the `Linux` and `U-Boot` packages for it are already +available in the `Debian` package feed. I hope that my post can be helpful for +new `debos` users and that my recipe gets merged into the [debos-recipes](https://github.com/go-debos/debos-recipes), so it can be easily accessible. diff --git a/blog/content/post/2018-10-16-enabling-ecc-on-pc-engines-apu2.md b/blog/content/post/2018-10-16-enabling-ecc-on-pc-engines-apu2.md index 3f9eeebb..cb2c469f 100644 --- a/blog/content/post/2018-10-16-enabling-ecc-on-pc-engines-apu2.md +++ b/blog/content/post/2018-10-16-enabling-ecc-on-pc-engines-apu2.md @@ -24,7 +24,8 @@ works or not using MemTest86. Sometimes a bit in RAM changes its value spontaneously due to electrical or magnetic interference. It can be caused by background radiation, cosmic rays or -recently [attacks](https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html) +recently +[attacks](https://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html) using [row hammering](https://en.wikipedia.org/wiki/Row_hammer). [Error-correcting code (ECC) memory](https://en.wikipedia.org/wiki/ECC_memory) helps with mitigation of this problem by adding more data storage for storing @@ -34,16 +35,17 @@ controller scans whole ECC enabled memory, reading every piece of data, checking process is called memory scrubbing. As ECC can correct only limited number of flipped bits scrubbing has to be done periodically, before multiple errors within one ECC word can occur - time between scrubs isn't fixed, and according -to [BKDG, 52740 Rev 3.06](https://www.amd.com/system/files/TechDocs/52740_16h_Models_30h-3Fh_BKDG.pdf): +to +[BKDG, 52740 Rev 3.06](https://www.amd.com/system/files/TechDocs/52740_16h_Models_30h-3Fh_BKDG.pdf): > There are many factors which influence scrub rates. Among these are: - -> * The size of memory or cache to be scrubbed -> * Resistance to upsets -> * Geographic location and altitude -> * Alpha particle contribution of packaging -> * Performance sensitivity -> * Risk aversion +> +> - The size of memory or cache to be scrubbed +> - Resistance to upsets +> - Geographic location and altitude +> - Alpha particle contribution of packaging +> - Performance sensitivity +> - Risk aversion Usually, ECC can fix only single bit, and detect two changed bits in ECC word, but with AMD Embedded G series GX-412TC SoC included in PC Engines apu2 platform @@ -73,9 +75,9 @@ visible only for a fraction of second is acceptable. To be sure that ECC works one must notice a corrected ECC error. There are few problems to this: -* ECC has to be available and properly configured -* ECC error reporting must be enabled -* there must be a correctable ECC error +- ECC has to be available and properly configured +- ECC error reporting must be enabled +- there must be a correctable ECC error First two points are something that can and has to be done in firmware as long as a hardware is compatible, so enabling it takes some work and a whole lot of @@ -84,15 +86,15 @@ research, but is definitely possible. The last issue is actually the hardest one. It is impossible to reliably simulate e.g. a cosmic ray, and row hammering takes a lot of time and requires specific knowledge of the internal structure of a memory bank. To help with -testing vendors of memory controllers (and SoCs) provide ways of introducing -an error for test and debug purposes. This feature enables tools like [MemTest86](https://www.memtest86.com/) -to inject ECC errors when running tests - keep in mind that ECC injection is -available only in paid versions of MemTest86 run from UEFI (so coreboot built -with tianocore payload was used for testing in my research) and needs to be -enabled either from the menu or in the configuration file. The most important -settings in this file are: - -``` +testing vendors of memory controllers (and SoCs) provide ways of introducing an +error for test and debug purposes. This feature enables tools like +[MemTest86](https://www.memtest86.com/) to inject ECC errors when running tests +\- keep in mind that ECC injection is available only in paid versions of +MemTest86 run from UEFI (so coreboot built with tianocore payload was used for +testing in my research) and needs to be enabled either from the menu or in the +configuration file. The most important settings in this file are: + +```bash DISABLEMP=1 # support for multiprocessor in tianocore payload is buggy, disable ECCPOLL=1 # poll for ECC errors after each test ECCINJECT=1 # inject ECC errors before each test @@ -101,7 +103,7 @@ ECCINJECT=1 # inject ECC errors before each test Running this test on unmodified coreboot resulted in something like the following lines in log file: -``` +```bash (...) 2018-09-25 14:01:31 - Finished searching PCI for SMBus Controller 2018-09-25 14:01:31 - Getting SMBIOS Memory Device info... @@ -172,19 +174,21 @@ As you can see, MemTest86 injects ECC errors (or at least tries to) in lines starting with `inject_amd64`, but these errors are not reported - according to [MemTest86 troubleshooting page](https://www.memtest86.com/troubleshooting.htm#eccerrors) a line with either memory address or the DRAM rank/bank/row/column should be -printed here, as well as in the generated report, as shown in [this sample](https://www.memtest86.com/MemTest86-Report-Sample.html). -This means that something is wrong. There is a lot of relevant debug -information included, but names differ slightly between log and register names -in BKDG. More information about reported values and their impact on the issue -will be revealed in the next sections. +printed here, as well as in the generated report, as shown in +[this sample](https://www.memtest86.com/MemTest86-Report-Sample.html). This +means that something is wrong. There is a lot of relevant debug information +included, but names differ slightly between log and register names in BKDG. More +information about reported values and their impact on the issue will be revealed +in the next sections. ## Issues with ECC enabling -According to previous work on this issue, ECC error injection fails due to -a range of memory that is used by APUs integrated graphics being excluded from -ECC support, which means that it is impossible to test in a reliable way whether -ECC works. This feature is controlled by a couple of registers, one of them is -D18F5x240, which has bit EccExclEn (see page 496 of [BKDG](https://www.amd.com/system/files/TechDocs/52740_16h_Models_30h-3Fh_BKDG.pdf)). +According to previous work on this issue, ECC error injection fails due to a +range of memory that is used by APUs integrated graphics being excluded from ECC +support, which means that it is impossible to test in a reliable way whether ECC +works. This feature is controlled by a couple of registers, one of them is +D18F5x240, which has bit EccExclEn (see page 496 of +[BKDG](https://www.amd.com/system/files/TechDocs/52740_16h_Models_30h-3Fh_BKDG.pdf)). This bit is set by [AGESA](https://en.wikipedia.org/wiki/AGESA) as 1 soon after memory training and excluded range is incorrectly set as a whole memory for systems without integrated graphics. @@ -197,17 +201,15 @@ workarounds were needed. [AGESA specification](https://support.amd.com/TechDocs/44065_Arch2008.pdf) mentions a build time option: ->BLDCFG_UMA_ALLOCATION_MODE -> Supply the UMA memory allocation mode build time customization, if any. -> The default mode is Auto. - -> * UMA_NONE — no UMA memory will be allocated. -> * UMA_SPECIFIED — up to the requested UMA memory will be allocated. -> * UMA_AUTO — allocate the optimum UMA memory size for the platform. -> -> For APUs with integrated graphics, this will provide the optimum -> UMA allocation for the platform and for other platforms will be the -> same as NONE +> BLDCFG_UMA_ALLOCATION_MODE Supply the UMA memory allocation mode build time +> customization, if any. The default mode is Auto. +> +> - UMA_NONE — no UMA memory will be allocated. +> - UMA_SPECIFIED — up to the requested UMA memory will be allocated. +> - UMA_AUTO — allocate the optimum UMA memory size for the platform. +> +> For APUs with integrated graphics, this will provide the optimum UMA +> allocation for the platform and for other platforms will be the same as NONE There is also a runtime option `UmaMode` in `MemConfig`, which is a parameter for `AmdInitPost`, but it isn't clear if AGESA uses data received from host or @@ -217,32 +219,33 @@ value of `UmaMode` already is `UMA_NONE`, and neither changing it before calling Clearing bit EccExclEn in register D18F5x240 from coreboot after it gets set by AGESA seemed to work on a tested platform (apu2). Description of this register -in [BKDG](https://www.amd.com/system/files/TechDocs/52740_16h_Models_30h-3Fh_BKDG.pdf) +in +[BKDG](https://www.amd.com/system/files/TechDocs/52740_16h_Models_30h-3Fh_BKDG.pdf) informs that ->BIOS must quiesce all other forms of DRAM traffic when configuring this range. ->See MSRC001_001F[DisDramScrub]. +> BIOS must quiesce all other forms of DRAM traffic when configuring this range. +> See MSRC001_001F\[DisDramScrub\]. Although it did work without disabling scrubbing (perhaps because of all memory -was excluded from ECC anyway) we followed the process described in BKDG just -to be safe. +was excluded from ECC anyway) we followed the process described in BKDG just to +be safe. ## Additional required fixes Somewhere between memory training and setting UMA I receive -`WARNING Event: 04012200 Data: 0, 0, 0, 0`. -According to AGESA specification `04012200` corresponds to: +`WARNING Event: 04012200 Data: 0, 0, 0, 0`. According to AGESA specification +`04012200` corresponds to: > MEM_WARNING_BANK_INTERLEAVING_NOT_ENABLED I don't know if this is connected in any way to problems with ECC enabling. -Later test on different platforms gave some additional findings. Implemented -fix did work on apu2 and apu4, but not on apu3 or apu5. Luckily MemTest86 leaves -enough data to find out what's wrong, it was only a question of interpreting -log files. First, part of log from apu4 where this fix worked: +Later test on different platforms gave some additional findings. Implemented fix +did work on apu2 and apu4, but not on apu3 or apu5. Luckily MemTest86 leaves +enough data to find out what's wrong, it was only a question of interpreting log +files. First, part of log from apu4 where this fix worked: -``` +```bash (...) 2018-09-31 01:01:01 - Running test #3 (Test 3 [Moving inversions, ones & zeroes]) 2018-09-31 01:01:01 - MtSupportRunAllTests - Injecting ECC error @@ -286,7 +289,7 @@ address was performed. This is output from apu5, where forementioned fix didn't work, with important lines marked with `->`: -``` +```bash (...) 2018-09-31 01:02:46 - Running test #3 (Test 3 [Moving inversions, ones & zeroes]) 2018-09-31 01:02:46 - MtSupportRunAllTests - Injecting ECC error @@ -312,13 +315,13 @@ lines marked with `->`: (...) ``` -As you can see, none of injection attempts succeded so reported value of +As you can see, none of injection attempts succeeded so reported value of `MCA NB Status High` was `00000000`. Also value of `nb_arr_add` (aka `D18F3xB8 NB Array Address` in BKDG) differs, so next logical step was clearing this register's value in coreboot as well. After doing so ECC errors were reported: -``` +```bash (...) 2018-10-01 01:01:16 - Running test #3 (Test 3 [Moving inversions, ones & zeroes]) 2018-10-01 01:01:16 - MtSupportRunAllTests - Injecting ECC error @@ -360,17 +363,19 @@ reports should look like this: Every corrected ECC error has the same syndrome - F2DF. It is caused by MemTest86 setting D18F3xBC_x8 (DRAM ECC) to `0012000F`. More info about the -meaning of these is available in [BKDG](https://www.amd.com/system/files/TechDocs/52740_16h_Models_30h-3Fh_BKDG.pdf) +meaning of these is available in +[BKDG](https://www.amd.com/system/files/TechDocs/52740_16h_Models_30h-3Fh_BKDG.pdf) on pages 172-174 (ECC syndromes) and 456 (DRAM ECC register, NB Array Address). Another thing is that sometimes more than one ECC error for a test is injected. It is caused by internal work of injection - only bits inside a cache line can be chosen, but an error is injected on next non-cached operation at accessed -address, which can change or not between any of three attempts to inject -an error. - -Changes in code can be found [here](https://github.com/pcengines/coreboot/pull/207/files), -we're also planning to push it upstream soon. We would also think about adding -an option to disable ECC injection if the community decides that it is needed, -as even [some of the MemTest86 developers](https://www.passmark.com/forum/memtest86/5984-how-do-you-verify-ecc-error-injection-working?p=32922#post32922) +address, which can change or not between any of three attempts to inject an +error. + +Changes in code can be found +[here](https://github.com/pcengines/coreboot/pull/207/files), we're also +planning to push it upstream soon. We would also think about adding an option to +disable ECC injection if the community decides that it is needed, as even +[some of the MemTest86 developers](https://www.passmark.com/forum/memtest86/5984-how-do-you-verify-ecc-error-injection-working?p=32922#post32922) believe that injection should be enabled for debug purposes only. diff --git a/blog/content/post/2019-02-07-kas.md b/blog/content/post/2019-02-07-kas.md index 32843564..8f41db08 100644 --- a/blog/content/post/2019-02-07-kas.md +++ b/blog/content/post/2019-02-07-kas.md @@ -26,10 +26,9 @@ If you are using the [Yocto Project], you certainly have encountered the hassle of managing multiple [layers] and tracking their revisions. I've been using the [Yocto Project] for nearly 3 years by now and have mostly -been using the tool -for this purpose. While I'm not a huge fan of it, it is relatively simple to -use and gets the job of fetching layers and controlling their revisions done -properly. +been using the tool for this purpose. While I'm not a huge fan of it, it is +relatively simple to use and gets the job of fetching layers and controlling +their revisions done properly. The only alternative I knew so far was the [combo-layer](https://wiki.yoctoproject.org/wiki/Combo-layer), although it's @@ -38,24 +37,24 @@ feature set was not enough for me to give up on [repo] and switch over. ## Using kas with Yocto Project According to the -[git history](https://github.com/siemens/kas/releases/tag/0.9.0), -the first public release of the project was at the Jun 14, 2017. I haven't -heard much about it. From my perspective, it gained some traction a couple of -months ago - I've been seeing some mentions of the [kas] tool here and there on -the various [Yocto Project] related mailing lists since then. +[git history](https://github.com/siemens/kas/releases/tag/0.9.0), the first +public release of the project was at the Jun 14, 2017. I haven't heard much +about it. From my perspective, it gained some traction a couple of months ago - +I've been seeing some mentions of the [kas] tool here and there on the various +[Yocto Project] related mailing lists since then. It seems to be a little bit more than just a tool for fetching and checking out a set of layers to given revisions. The feature set covers: -* clone and checkout `bitbake` layers, -* create default `bitbake` settings (machine, distro etc.), -* launch minimal build environment, reducing the risk of host contamination +- clone and checkout `bitbake` layers, +- create default `bitbake` settings (machine, distro etc.), +- launch minimal build environment, reducing the risk of host contamination (`docker` container), -* initiate `bitbake` build process. +- initiate `bitbake` build process. So far, we've mostly been doing the above with a mixture of the [repo], our -[yocto-docker] container and a set of shell scripts to automate things. It -seems most of it can already be achieved using [kas], as it has been developed +[yocto-docker] container and a set of shell scripts to automate things. It seems +most of it can already be achieved using [kas], as it has been developed specifically for managing and configuring the `bitbake` based projects. ![Yocto BSP management comparison](/img/Yocto_BSP_management.png) @@ -69,8 +68,8 @@ the latter whenever possible, so I'm going to start with this one. There are actually [two containers available](https://hub.docker.com/u/kasproject): -* [kasproject/kas] - for standard [Yocto Project] builds, -* [kasproject/kas-isar] - for [isar] builds. +- [kasproject/kas] - for standard [Yocto Project] builds, +- [kasproject/kas-isar] - for [isar] builds. Although in this case we are interested in the [kasproject/kas] container, I am happy to see the [kasproject/kas-isar] to be present, as we already have some @@ -78,21 +77,20 @@ use-cases for the [isar] project as well. Although not mentioned in the [usage documentation](https://kas.readthedocs.io/en/0.19.0/userguide.html#usage), -[it is advised](https://github.com/siemens/kas/pull/6#issuecomment-448166242) -to use the `kas` via the -[kas-docker](https://github.com/siemens/kas/blob/master/kas-docker) script. -For convenience, I'm placing it in my `~/bin` directory, so it is available in -the `PATH`: +[it is advised](https://github.com/siemens/kas/pull/6#issuecomment-448166242) to +use the `kas` via the +[kas-docker](https://github.com/siemens/kas/blob/master/kas-docker) script. For +convenience, I'm placing it in my `~/bin` directory, so it is available in the +`PATH`: -``` +```bash ln -s /storage/projects/kas/kas-docker ~/bin/kas-docker ``` ## kas configuration The `kas` file syntax and the project configuration process is nicely described -int the -[kas project configuration documentation]. +int the [kas project configuration documentation]. An even better way of understanding it may be to take a look at some real examples. I can advise taking a look at the @@ -110,7 +108,7 @@ configurations. In the case of [kas], all of it can be included in a single The [repo] manifest contains a list of layers to fetch and their revisions. For example: -``` +```bash L1 Cache: 32K 21699 MB/s (~54% change) L2 Cache: 2048K 5015 MB/s ---> L2 Cache: 2048K 6980 MB/s (~39% change) Memory : 4078M 1434 MB/s ---> Memory : 4078M 1992 MB/s (~39% change) @@ -307,11 +307,11 @@ Memory : 4078M 1434 MB/s ---> Memory : 4078M 1992 MB/s (~39% change) The lowest performance gain from CPB is 40%, which is quite significant. -#### UnixBench benchmark +#### UnixBench benchmark - CBP enabled -Running the benchamrk with boost enabled: +Running the benchmark with boost enabled: -``` +```bash ======================================================================== BYTE UNIX Benchmarks (Version 5.1.3) @@ -398,15 +398,15 @@ System Benchmarks Index Score 689.8 We clearly see that the overall score has increased: -* for 1 parallel copy of tests score increased from 258.7 to 310.2 (20% change) -* for 4 parallel copy of tests score increased from 688.9 to 689.8 (~0% change) +- for 1 parallel copy of tests score increased from 258.7 to 310.2 (20% change) +- for 4 parallel copy of tests score increased from 688.9 to 689.8 (~0% change) -# Summary +## Summary -Enabling the CPB feature resulted in the performance increase and my -experiments show, that it is true. Although some methods did not report any -change, it is still software which may not report it correctly. `stress` and -`stress-ng` seems not to be the right tools to measure the performance. +Enabling the CPB feature resulted in the performance increase and my experiments +show, that it is true. Although some methods did not report any change, it is +still software which may not report it correctly. `stress` and `stress-ng` seems +not to be the right tools to measure the performance. Another reason of wrong reports is that the core performance states (P-states) in boosted mode are not described in ACPI (Advanced Configuration and Power @@ -414,13 +414,12 @@ Interface) system (and they shouldn't be as AMD BIOS and Kernel Developer Guide states). As a result operating system does not know about the fact of processor's transition to the state with higher, boosted performance. -CPB feature increases frequency only of one single core if the rest of the -cores is not stressed. The overall boost result is 20%, which implies the -frequency increase from 1000MHz to 1200MHz. However, the processor -specification states, that the frequency should be 1400MHz. A similar result -has been achieved with memtest86+ (approximately 40% memory speed gain). The -benchamrk result is also biased by the background operations that OS must do -besides the tests. +CPB feature increases frequency only of one single core if the rest of the cores +is not stressed. The overall boost result is 20%, which implies the frequency +increase from 1000MHz to 1200MHz. However, the processor specification states, +that the frequency should be 1400MHz. A similar result has been achieved with +memtest86+ (approximately 40% memory speed gain). The benchmark result is also +biased by the background operations that OS must do besides the tests. The feature will be introduced in v4.9.0.2 firmware release for PC Engines. @@ -428,7 +427,8 @@ I hope this post was useful for you. Please try it out yourselves and feel free to share your results. If you think we can help in improving the performance of your platform or you -looking for someone who can boot your product by leveraging advanced features -of used hardware platform, feel free to [boot a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. Are You interested in similar -content? Feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +looking for someone who can boot your product by leveraging advanced features of +used hardware platform, feel free to +[boot a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. Are You interested in similar +content? Feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2019-02-22-3mdeb-at-embedded-world-2019.md b/blog/content/post/2019-02-22-3mdeb-at-embedded-world-2019.md index 18fba2db..83a5cd83 100644 --- a/blog/content/post/2019-02-22-3mdeb-at-embedded-world-2019.md +++ b/blog/content/post/2019-02-22-3mdeb-at-embedded-world-2019.md @@ -23,54 +23,55 @@ categories: ![ew2019-logo](/img/3mdeb-at-ew2019.jpg) We are excited to inform You that 3mdeb will take part in embedded world -Exhibition & Conference - [**Embedded World 2019**](https://www.embedded-world.de/en/ausstellerprodukte/embwld19/exhibitor-43765140/3mdeb-embedded-systems-consulting-piotr-krol) +Exhibition & Conference - +[**Embedded World 2019**](https://www.embedded-world.de/en) next week! In place full of enthusiasts You can meet us personally between 26.02-28.02 in Nuremberg, Germany. Come and talk with us about amazing world of embedded systems. We will tell You not only about our work and innovations, but also share our knowledge, help and present to You our products and demos: -* [Remote Testing Environment](https://cloud.3mdeb.com/index.php/s/Jt6PEtos7iznQkf) - -Hat designed for Orange Pi Zero board which runs -specially crafted Linux distribution using the Yocto Project. -* [TPM2.0](https://cloud.3mdeb.com/index.php/s/jKgCHCtTSQYejTa) - -a Trusted Platform Module is a specialized chip on an endpoint device that stores -RSA encryption keys specific to the host system for hardware -authentication. -* [MuxPi](https://cloud.3mdeb.com/index.php/s/WgpRzGYitfEYfBN) - -a product mainly for developers and testers with the -need of automating everyday tasks. It comes with help -providing ease of use, distribution and connectivity. -* [Bay Trail FastBoot](https://cloud.3mdeb.com/index.php/s/n2A3268kssiHJ96) - -the demo is presenting alternative open source firmware - -coreboot - in comparison to UEFI implementation on the example -of BayTrail platform - MinnowBoard Turbot. Additionally, we -present how fast can embedded platform boot with open source -firmware compared to official firmware. The platforms are running -the same operating system (in UEFI and legacy mode) in multi-user -target. The chosen distro is lightweight Solus OS. Using common -Linux and coreboot tools, boot times are presented of both -firmware implementations. -* [Bare Metal Hypervisor](https://cloud.3mdeb.com/index.php/s/QZPnMfXTsipQeES) - -the demo is presenting one of the features that bare metal -hypervisor gives. It is run in edk2 UEFI implementation on -MinnowBoard Turbot platform. Hypervisor was written with -Bareflank - an open source hypervisor SDK. Depending on the -implementation, it can provide an interface for underlying software -to control hypervisor's operation or be completely transparent. This -kind of hypervisors use Intel's VMX (Virtual Machine eXtensions). +- [Remote Testing Environment](https://shop.3mdeb.com/shop/open-source-hardware/rte/) + \- Hat designed for Orange Pi Zero board which runs specially crafted Linux + distribution using the Yocto Project. +- [TPM2.0](https://shop.3mdeb.com/shop/modules/tpm-2-0/) - a Trusted + Platform Module is a specialized chip on an endpoint device that stores RSA + encryption keys specific to the host system for hardware authentication. +- [MuxPi](https://shop.3mdeb.com/shop/open-source-hardware/muxpi/) - a product + mainly for developers and testers with the need of automating everyday tasks. + It comes with help providing ease of use, distribution and connectivity. +- [Bay Trail FastBoot](https://cloud.3mdeb.com/index.php/s/kQdWQDX7gk88aWo) - + the demo is presenting alternative open source firmware - coreboot - in + comparison to UEFI implementation on the example of BayTrail platform - + MinnowBoard Turbot. Additionally, we present how fast can embedded platform + boot with open source firmware compared to official firmware. The platforms + are running the same operating system (in UEFI and legacy mode) in multi-user + target. The chosen distro is lightweight Solus OS. Using common Linux and + coreboot tools, boot times are presented of both firmware implementations. +- [Bare Metal Hypervisor](https://cloud.3mdeb.com/index.php/s/mfFbiSnCPkzd25d) - + the demo is presenting one of the features that bare metal hypervisor gives. + It is run in edk2 UEFI implementation on MinnowBoard Turbot platform. + Hypervisor was written with Bareflank - an open source hypervisor SDK. + Depending on the implementation, it can provide an interface for underlying + software to control hypervisor's operation or be completely transparent. This + kind of hypervisors use Intel's VMX (Virtual Machine eXtensions). ![flyers](/img/ew2019-fliers.png) You can see the samples of what we have to present here: -* [What will happen if your hypervisor ROT13 whole Ubuntu VM output](https://asciinema.org/a/228858) -* [Embedded World 2019 - Bareflank demo ](https://asciinema.org/a/228849) +- [What will happen if your hypervisor ROT13 whole Ubuntu VM output](https://asciinema.org/a/228858) +- [Embedded World 2019 - Bareflank demo](https://asciinema.org/a/228849) -Do you feel interested? Then… You can leave us a message or request Your appointment -during the exhibition [HERE](https://www.embedded-world.de/en/ausstellerprodukte/embwld19/exhibitor-43765140/3mdeb-embedded-systems-consulting-piotr-krol#exhibitorcontact). +Do you feel interested? Then… You can leave us a message or request Your +appointment during the exhibition [HERE](contact@3mdeb.com). Can’t wait to see You there! Look for us in Hall 3 / 3-563. ![map](/img/ew2019-booth.png) -Check out our [official site](https://3mdeb.com/), [blog](https://3mdeb.com/news-ideas/) and social media: [Twitter](https://twitter.com/3mdeb_com), -[Facebook](https://www.facebook.com/3mdeb), [LinkedIn](https://www.linkedin.com/company/3mdeb), [GitHub](https://github.com/3mdeb), [stackoverflow](https://stackoverflow.com/users/587395/piotr-kr%C3%B3l). +Check out our [official site](https://3mdeb.com/), +[blog](https://3mdeb.com/news-ideas/) and social media: +[Twitter](https://twitter.com/3mdeb_com), +[Facebook](https://www.facebook.com/3mdeb), +[LinkedIn](https://www.linkedin.com/company/3mdeb), +[GitHub](https://github.com/3mdeb), +[stackoverflow](https://stackoverflow.com/users/587395/piotr-kr%C3%B3l). diff --git a/blog/content/post/2019-03-08-Flashing-emmc-on-hummingboard-edge-using-fastboot-part-2.md b/blog/content/post/2019-03-08-Flashing-emmc-on-hummingboard-edge-using-fastboot-part-2.md index bb14ee21..52c90fae 100644 --- a/blog/content/post/2019-03-08-Flashing-emmc-on-hummingboard-edge-using-fastboot-part-2.md +++ b/blog/content/post/2019-03-08-Flashing-emmc-on-hummingboard-edge-using-fastboot-part-2.md @@ -18,37 +18,38 @@ tags: categories: - Firmware - App Dev + --- -# fastboot +## fastboot [FastBoot protocol](https://android.googlesource.com/platform/system/core/+/2ec418a4c98f6e8f95395456e1ad4c2956cac007/fastboot/fastboot_protocol.txt) -is a tool developed for Android, which allows for communicating with -bootloaders over USB or Ethernet. +is a tool developed for Android, which allows for communicating with bootloaders +over USB or Ethernet. -## U-Boot configuration +### U-Boot configuration [U-Boot fastboot documentation](https://github.com/u-boot/u-boot/blob/master/doc/android/fastboot.rst#client-installation) suggests to set `CONFIG_USB_GADGET_(VENDOR_NUM|PRODUCT_NUM|MANUFACTURER)`. > Note that `USB_GADGET_VENDOR_NUM` and `USB_GADGET_PRODUCT_NUM` is not related -> to your actual board, rather it is some dummy id of device which is -> compatible with fastboot. In this case it is +> to your actual board, rather it is some dummy id of device which is compatible +> with fastboot. In this case it is > [CelkonA88 device from Google](https://www.phonearena.com/phones/Celkon-A88_id7307). -## Fastboot client +### Fastboot client Install fastboot: On Debian-based distros: - ``` - sudo apt install fastboot - ``` +```bash +sudo apt install fastboot +``` Installation for other popular distros should be straightforward as well. -## First test - U-Boot from SD card +### First test - U-Boot from SD card The purpose is to confirm that `fastboot` command is there and that we can establish a connection with fastboot client. @@ -57,15 +58,15 @@ establish a connection with fastboot client. suggests that we only need to execute `fastboot` command in U-Boot prompt. Notice that now this command requires a parameter: - ``` - => fastboot - Command failed, result=-1 - fastboot - use USB Fastboot protocol +```bash +=> fastboot +Command failed, result=-1 +fastboot - use USB Fastboot protocol - Usage: - fastboot - - run as a fastboot usb device - ``` +Usage: +fastboot + - run as a fastboot usb device +``` `USB_controller` parameter is not that well documented, but it looks like that it is USB controller number. @@ -73,65 +74,64 @@ it is USB controller number. What is odd is that providing any character as this parameter results in no error message and allows to establish successful connection: - ``` - fastboot 0 - fastboot 1 - fastboot - - fastboot qwerty - etc. - ``` +```bash +fastboot 0 +fastboot 1 +fastboot - +fastboot qwerty +etc. +``` -After running fastboot on HB, you should see new USB device enumerated on -host: +After running fastboot on HB, you should see new USB device enumerated on host: - ``` - Bus 003 Device 075: ID 18d1:0d02 Google Inc. Celkon A88 - ``` +```bash +Bus 003 Device 075: ID 18d1:0d02 Google Inc. Celkon A88 +``` We can add another `udev` rule at this point in order to use `fastboot` command without the need of root privileges: - ``` - echo 'SUBSYSTEM =="usb", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="0d02" , MODE="0666"' | sudo tee -a /etc/udev/rules.d/51-fsl-flashing.rules - ``` +```bash +echo 'SUBSYSTEM =="usb", ATTRS{idVendor}=="18d1", ATTRS{idProduct}=="0d02" , MODE="0666"' | sudo tee -a /etc/udev/rules.d/51-fsl-flashing.rules +``` Following command should return available fastboot devices: - ``` - fastboot devices - ``` +```bash +fastboot devices +``` output: - ``` - ???????????? fastboot - ``` +```bash +???????????? fastboot +``` This one should return bootloader version: - ``` - fastboot getvar bootloader-version - ``` +```bash +fastboot getvar bootloader-version +``` output: - ``` - bootloader-version: U-Boot 2018.01-00272-g0434429f989d-dirty - finished. total time: 0.000s - ``` +```bash +bootloader-version: U-Boot 2018.01-00272-g0434429f989d-dirty +finished. total time: 0.000s +``` -## Second test - U-Boot from DRAM +### Second test - U-Boot from DRAM -In order to enable `fastboot` support I needed to change USB_GADGET VID / PID -in `U-boot` configuration. It means that our `imx_usb_loader` configuration -files needs an adjustment. +In order to enable `fastboot` support I needed to change USB_GADGET VID / PID in +`U-boot` configuration. It means that our `imx_usb_loader` configuration files +needs an adjustment. `imx_usb.conf` file needs following content: - ``` - #vid:pid, config_file - 0x15a2:0x0061, mx6_usb_rom.conf, 0x18d1:0x1d01, mx6_usb_sdp_spl.conf - ``` +```bash +#vid:pid, config_file +0x15a2:0x0061, mx6_usb_rom.conf, 0x18d1:0x1d01, mx6_usb_sdp_spl.conf +``` Above change is introduced in [this commit](https://github.com/3mdeb/imx_usb_loader/commit/76f0b35911474a3bb1989f2fa03ea8bb61ae29c4). @@ -144,24 +144,25 @@ the configuration. However, once `U-boot` gets loaded and we enter `fastboot 0` in prompt, it gets back to the correct one: - ``` - Bus 003 Device 040: ID 18d1:0d02 Google Inc. Celkon A88 - ``` +```bash +Bus 003 Device 040: ID 18d1:0d02 Google Inc. Celkon A88 +``` -Let's try if communication over fastboot protocol is working in this case as well: +Let's try if communication over fastboot protocol is working in this case as +well: - ``` - fastboot getvar bootloader-version - ``` +```bash +fastboot getvar bootloader-version +``` output: - ``` - bootloader-version: U-Boot 2018.01-00272-g0434429f989d-dirty - finished. total time: 0.000s - ``` +```bash +bootloader-version: U-Boot 2018.01-00272-g0434429f989d-dirty +finished. total time: 0.000s +``` -## Enter fastboot mode by default +### Enter fastboot mode by default To automate things, we should force `U-Boot` to enter fastboot mode automatically on boot. @@ -169,7 +170,7 @@ automatically on boot. At first, fast and easy way that came to mind mind was to edit `distro_bootcmd` variable content: -``` +```bash diff --git a/include/config_distro_bootcmd.h b/include/config_distro_bootcmd.h index 5c469a23fa70..4dde1cf18967 100644 --- a/include/config_distro_bootcmd.h @@ -189,18 +190,18 @@ index 5c469a23fa70..4dde1cf18967 100644 A more elegant way would be to set `BOOTCOMMAND` config options in `configs/mx6cuboxi_fastboot_defconfig` instead: - ``` - CONFIG_BOOTCOMMAND="fastboot 0" - ``` +```bash +CONFIG_BOOTCOMMAND="fastboot 0" +``` To speed things up, it is worth to reduce boot delay to 0 by setting configuration option: - ``` - CONFIG_BOOTDELAY=0 - ``` +```bash +CONFIG_BOOTDELAY=0 +``` -## Using `fastboot flash` command +### Using `fastboot flash` command By default `fastboot` uses GPT partition name as a parameter. Antoine from Bootlin in @@ -210,69 +211,70 @@ provides an which allows to pass eMMC offset address instead. It's been a while since it was published and it no longer applies due to the -changes in `U-Boot` source code. I have decided to update it and it can be -found in the +changes in `U-Boot` source code. I have decided to update it and it can be found +in the [3mdeb fork of U-Boot](https://github.com/3mdeb/u-boot/commit/13e621b09bfeea05e51079a80cb85f1027de657f). -## Summary +### Summary - U-Boot from DRAM -* I've also run into some inconsistencies in `U-Boot` code vs documentation. I +- I've also run into some inconsistencies in `U-Boot` code vs documentation. I will try to see what's going in the code and update the doc if possible. -* `U-Boot` target configuration for Hummingboard Edge with fastboot support as +- `U-Boot` target configuration for Hummingboard Edge with fastboot support as described above is available in [3mdeb fork of U-Boot](https://github.com/3mdeb/u-boot/commit/517c2b14b89cec42e5bfb42dd2cfddb04629d96c). -# Booting from eMMC +## Booting from eMMC -## eFUSE settings +### eFUSE settings Note that, in order to boot from eMMC, you need either unfused SoM or fused to -boot from eMMC. Jumper settings for boot selection can be found at `Edge/Gate -Boot Jumpers` section of +boot from eMMC. Jumper settings for boot selection can be found at +`Edge/Gate Boot Jumpers` section of [SolidRun Hummingboard wiki page](https://wiki.solid-run.com/doku.php?id=products:imx6:hummingboard). -Fusing instructions to boot from eMMC can be found at `Blowing fuses to from -eMMC (HummingBoard2 eMMC or MicroSOM rev 1.5 on-SOM eMMC)` section of +Fusing instructions to boot from eMMC can be found at +`Blowing fuses to from eMMC (HummingBoard2 eMMC or MicroSOM rev 1.5 on-SOM eMMC)` +section of [SolidRun wiki eFuses page](https://wiki.solid-run.com/doku.php?id=products:imx6:microsom:imx6-fuse-developers). You can check fusing settings with: - ``` - HummingBoard2 U-Boot > fuse read 0 5 - Reading bank 0: +```bash +HummingBoard2 U-Boot > fuse read 0 5 +Reading bank 0: - Word 0x00000005: 00002840 +Word 0x00000005: 00002840 - HummingBoard2 U-Boot > fuse read 0 6 - Reading bank 0: +HummingBoard2 U-Boot > fuse read 0 6 +Reading bank 0: - Word 0x00000006: 00000010 - ``` +Word 0x00000006: 00000010 +``` In above example, it is fused to boot from uSD card, and cannot be overwritten by GPIO settings. It means that this particular SoM cannot be set to boot from eMMC anymore. -In my case SoM on HummingBoard2 is fused to boot from uSD card, so I will not -be able to present booting from eMMC on HummingBoard2 at the moment, but we -have [Vitro Crystal](https://shop.3mdeb.com/product/vitrobian-crystal/) +In my case SoM on HummingBoard2 is fused to boot from uSD card, so I will not be +able to present booting from eMMC on HummingBoard2 at the moment, but we have +[Vitro Crystal](https://web.archive.org/web/20200928183812/https://shop.3mdeb.com/product/vitrobian-crystal/) boards, which is based on the same SoC. It's not fused, so I will continue with -this board, but process is the same on HummingBoard2. As I said, this board is -not fused and below values confirms it. +this board, but process is the same on HummingBoard2. As I said, this board +is not fused and below values confirms it. - ``` - => fuse read 0 5 - Reading bank 0: +```bash +=> fuse read 0 5 +Reading bank 0: - Word 0x00000005: 00000000 - => fuse read 0 6 - Reading bank 0: +Word 0x00000005: 00000000 +=> fuse read 0 6 +Reading bank 0: - Word 0x00000006: 00000000 - ``` +Word 0x00000006: 00000000 +``` -## Image flashing +### Image flashing I'm mostly using `Yocto` for the builds. Thanks to [wic](http://www.yoctoproject.org/docs/current/dev-manual/dev-manual.html#creating-partitioned-images-using-wic) @@ -280,70 +282,71 @@ I can get one output image file with already created desired partition layout. We should also keep in mind that a single file send via `fastboot` protocol cannot be larger that the buffer size. Size of the buffer is set via -`CONFIG_FASTBOOT_BUF_SIZE` `U-Boot` configuration option. In our case it was -set to 512 MB. Of course it needs to fit into device's memory. +`CONFIG_FASTBOOT_BUF_SIZE` `U-Boot` configuration option. In our case it was set +to 512 MB. Of course it needs to fit into device's memory. -Regarding that we have modified `fastboot` to take eMMC offset as an argument, -I can see two potential ways of flashing an image. +Regarding that we have modified `fastboot` to take eMMC offset as an argument, I +can see two potential ways of flashing an image. -### Image decomposition +#### Image decomposition We can send each of the components one by one. An example could look like: -* MBR sector, -* bootloader, -* boot partition, -* rootfs 1, -* data partition. + +- MBR sector, +- bootloader, +- boot partition, +- rootfs 1, +- data partition. We can extract MBR from image file: - ``` - gzip -cdk core-image-minimal.rootfs.wic.gz | sudo dd of=mbr.img bs=512 count=1 - ``` +```bash +gzip -cdk core-image-minimal.rootfs.wic.gz | sudo dd of=mbr.img bs=512 count=1 +``` We can verify it's MBR by looking at it's hexdump: - ``` - hexdump mbr.img - ``` +```bash +hexdump mbr.img +``` dump output: - ``` - 0000000 b8fa 1000 d08e 00bc b8b0 0000 d88e c08e - 0000010 befb 7c00 00bf b906 0200 a4f3 21ea 0006 - 0000020 be00 07be 0438 0b75 c683 8110 fefe 7507 - 0000030 ebf3 b416 b002 bb01 7c00 80b2 748a 8b01 - 0000040 024c 13cd 00ea 007c eb00 00fe 0000 0000 - 0000050 0000 0000 0000 0000 0000 0000 0000 0000 - * - 00001b0 0000 0000 0000 0000 5c4e 60a8 0000 0080 - 00001c0 1001 030c 0f60 0800 0000 8000 0000 0000 - 00001d0 1041 0383 ffe0 8800 0000 d9c4 0011 0000 - 00001e0 0000 0000 0000 0000 0000 0000 0000 0000 - 00001f0 0000 0000 0000 0000 0000 0000 0000 aa55 - ``` +```bash +0000000 b8fa 1000 d08e 00bc b8b0 0000 d88e c08e +0000010 befb 7c00 00bf b906 0200 a4f3 21ea 0006 +0000020 be00 07be 0438 0b75 c683 8110 fefe 7507 +0000030 ebf3 b416 b002 bb01 7c00 80b2 748a 8b01 +0000040 024c 13cd 00ea 007c eb00 00fe 0000 0000 +0000050 0000 0000 0000 0000 0000 0000 0000 0000 +* +00001b0 0000 0000 0000 0000 5c4e 60a8 0000 0080 +00001c0 1001 030c 0f60 0800 0000 8000 0000 0000 +00001d0 1041 0383 ffe0 8800 0000 d9c4 0011 0000 +00001e0 0000 0000 0000 0000 0000 0000 0000 0000 +00001f0 0000 0000 0000 0000 0000 0000 0000 aa55 +``` For example, in this case the fist partition is marked as boot partition (`0x80` as first byte of partition description): - ``` - 00001b0 0000 0000 0000 0000 5c4e 60a8 0000 0080 - ``` +```bash +00001b0 0000 0000 0000 0000 5c4e 60a8 0000 0080 +``` The others are not (`0x00` instead). Each MBR should also end with two bytes (`0x55AA`): - ``` - 00001f0 0000 0000 0000 0000 0000 0000 0000 aa55 - ``` +```bash +00001f0 0000 0000 0000 0000 0000 0000 0000 aa55 +``` Let's check the partition table on the eMMC by booting from uSD card before flashing the `mbr.img`: -``` -root@vitroTV:~# fdisk -l /dev/mmcblk1 +```bash +root@vitroTV:~## fdisk -l /dev/mmcblk1 Disk /dev/mmcblk1: 7.3 GiB, 7818182656 bytes, 15269888 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes @@ -353,226 +356,226 @@ I/O size (minimum/optimal): 512 bytes / 512 bytes Like you can see above, there are no partitions yet. Let's flash `mbr.img` on eMMC using `fastboot`: - ``` - fastboot flash 0x0 mbr.img - ``` +```bash +fastboot flash 0x0 mbr.img +``` host output: - ``` - target reported max download size of 536870912 bytes - sending '0x0' (0 KB)... - OKAY [ 0.003s] - writing '0x0'... - OKAY [ 0.050s] - finished. total time: 0.054s - ``` +```bash +target reported max download size of 536870912 bytes +sending '0x0' (0 KB)... +OKAY [ 0.003s] +writing '0x0'... +OKAY [ 0.050s] +finished. total time: 0.054s +``` target output: - ``` - Starting download of 512 bytes - - downloading of 512 bytes finished - GUID Partition Table Header signature is wrong: 0x0 != 0x5452415020494645 - part_get_info_efi: *** ERROR: Invalid GPT *** - GUID Partition Table Header signature is wrong: 0x0 != 0x5452415020494645 - part_get_info_efi: *** ERROR: Invalid Backup GPT *** - bad MBR sector signature 0x0000 - Flashing Raw Image - ........ wrote 512 bytes to 0x0 - ``` +```bash +Starting download of 512 bytes + +downloading of 512 bytes finished +GUID Partition Table Header signature is wrong: 0x0 != 0x5452415020494645 +part_get_info_efi: *** ERROR: Invalid GPT *** +GUID Partition Table Header signature is wrong: 0x0 != 0x5452415020494645 +part_get_info_efi: *** ERROR: Invalid Backup GPT *** +bad MBR sector signature 0x0000 +Flashing Raw Image +........ wrote 512 bytes to 0x0 +``` Now let's verify the partition table on the eMMC again: - ``` - root@vitroTV:~# fdisk -l /dev/mmcblk1 - ``` +```bash +root@vitroTV:~## fdisk -l /dev/mmcblk1 +``` We can see that `MBR` was flashed correctly to eMMC: - ``` - root@vitroTV:~# fdisk -l /dev/mmcblk1 - Disk /dev/mmcblk1: 7.3 GiB, 7818182656 bytes, 15269888 sectors - Units: sectors of 1 * 512 = 512 bytes - Sector size (logical/physical): 512 bytes / 512 bytes - I/O size (minimum/optimal): 512 bytes / 512 bytes - Disklabel type: dos - Disk identifier: 0x60a85c4e - - Device Boot Start End Sectors Size Id Type - /dev/mmcblk1p1 * 2048 34815 32768 16M c W95 FAT32 (LBA) - /dev/mmcblk1p2 34816 1204675 1169860 571.2M 83 Linux - ``` +```bash +root@vitroTV:~## fdisk -l /dev/mmcblk1 +Disk /dev/mmcblk1: 7.3 GiB, 7818182656 bytes, 15269888 sectors +Units: sectors of 1 * 512 = 512 bytes +Sector size (logical/physical): 512 bytes / 512 bytes +I/O size (minimum/optimal): 512 bytes / 512 bytes +Disklabel type: dos +Disk identifier: 0x60a85c4e + +Device Boot Start End Sectors Size Id Type +/dev/mmcblk1p1 * 2048 34815 32768 16M c W95 FAT32 (LBA) +/dev/mmcblk1p2 34816 1204675 1169860 571.2M 83 Linux +``` Now we should continue with flashing `U-Boot` and partitions. The drawbacks I can see are: -* We would need to decompose disk image which is already assembled by the build +- We would need to decompose disk image which is already assembled by the build system. -* We would need to compute offset of each component to pass as a `fastboot` +- We would need to compute offset of each component to pass as a `fastboot` command argument. They may change over time. -* Partitions size may be grater than possible buffer size. +- Partitions size may be grater than possible buffer size. -### Image splitting and flashing +#### Image splitting and flashing The other idea is to split whole image file into data chunks of size not grater than the fastboot buffer size. This way we can keep all the image layout information exclusively in the build system. We can use `split` tool for this: - ``` - split -b 512M -d core-image-minimal.wic image_split_dir/image. - ``` +```bash +split -b 512M -d core-image-minimal.wic image_split_dir/image. +``` In this case, size of core-image-minimal.wic is about 620M, so there will be two chunks only: `image.00` and `image.01` - flash first chunk: - ``` + ```bash fastboot flash 0x0 image.00 ``` target output: - ``` - WARNING: unknown variable: partition-type:0x0 - Starting download of 536870912 bytes - downloading of 536870912 bytes finished - GUID Partition Table Header signature is wrong: 0x0 != 0x5452415020494645 - part_get_info_efi: *** ERROR: Invalid GPT *** - GUID Partition Table Header signature is wrong: 0x0 != 0x5452415020494645 - part_get_info_efi: *** ERROR: Invalid Backup GPT *** - bad MBR sector signature 0x0000 - Flashing Raw Image - ........ wrote 536870912 bytes to 0x0 - ``` +```bash +WARNING: unknown variable: partition-type:0x0 +Starting download of 536870912 bytes +downloading of 536870912 bytes finished +GUID Partition Table Header signature is wrong: 0x0 != 0x5452415020494645 +part_get_info_efi: *** ERROR: Invalid GPT *** +GUID Partition Table Header signature is wrong: 0x0 != 0x5452415020494645 +part_get_info_efi: *** ERROR: Invalid Backup GPT *** +bad MBR sector signature 0x0000 +Flashing Raw Image +........ wrote 536870912 bytes to 0x0 +``` host output: - ``` - target reported max download size of 536870912 bytes - sending '0x0' (524288 KB)... - OKAY [ 28.703s] - writing '0x0'... - OKAY [ 15.578s] - finished. total time: 44.282s - ``` +```bash +target reported max download size of 536870912 bytes +sending '0x0' (524288 KB)... +OKAY [ 28.703s] +writing '0x0'... +OKAY [ 15.578s] +finished. total time: 44.282s +``` - flash second chunk: - ``` + ```bash fastboot flash 0x20000000 image.01 ``` target output: - ``` - WARNING: unknown variable: partition-type:0x20000000 - Starting download of 79923200 bytes - downloading of 79923200 bytes finished - GUID Partition Table Header signature is wrong: 0x0 != 0x5452415020494645 - part_get_info_efi: *** ERROR: Invalid GPT *** - GUID Partition Table Header signature is wrong: 0x0 != 0x5452415020494645 - part_get_info_efi: *** ERROR: Invalid Backup GPT *** - Flashing Raw Image - ........ wrote 79923200 bytes to 0x20000000 - ``` +```bash +WARNING: unknown variable: partition-type:0x20000000 +Starting download of 79923200 bytes +downloading of 79923200 bytes finished +GUID Partition Table Header signature is wrong: 0x0 != 0x5452415020494645 +part_get_info_efi: *** ERROR: Invalid GPT *** +GUID Partition Table Header signature is wrong: 0x0 != 0x5452415020494645 +part_get_info_efi: *** ERROR: Invalid Backup GPT *** +Flashing Raw Image +........ wrote 79923200 bytes to 0x20000000 +``` host output: - ``` - target reported max download size of 536870912 bytes - sending '0x20000000' (78050 KB)... - OKAY [ 4.233s] - writing '0x20000000'... - OKAY [ 2.346s] - finished. total time: 6.579s - ``` +```bash +target reported max download size of 536870912 bytes +sending '0x20000000' (78050 KB)... +OKAY [ 4.233s] +writing '0x20000000'... +OKAY [ 2.346s] +finished. total time: 6.579s +``` -### System booting from eMMC +#### System booting from eMMC -Booting from eMMC has been successfully completed :) Like you can see below -root filesystem is mounted on /dev/mmcblk1p2: +Booting from eMMC has been successfully completed :) Like you can see below root +filesystem is mounted on /dev/mmcblk1p2: -``` -root@vitroTV:~# mount +```bash +root@vitroTV:~## mount /dev/mmcblk1p2 on / type ext4 (rw,relatime,data=ordered) ``` The flashing and booting output log you can see below: -https://asciinema.org/a/oLztFyKymiTEMn57d2nhEvcRk + -## Issues +### Issues -I've run into following error a few times during downloading `U-Boot` over -SDP. Power cycle of the board solved the issue. +I've run into following error a few times during downloading `U-Boot` over SDP. +Power cycle of the board solved the issue. host log: - ``` - loading binary file(SPL-fastboot) to 00907400, skip=0, fsize=dc00 type=aa - - <<<56320, 56320 bytes>>> - succeeded (status 0x88888888) - jumping to 0x00907400 - config file <.//mx6_usb_sdp_spl.conf> - parse .//mx6_usb_sdp_spl.conf - Trying to open device vid=0x18d1 pid=0x1d01. - Interface 0 claimed - HAB security state: development mode (0x56787856) - == work item - filename u-boot-fastboot.img - load_size 0 bytes - load_addr 0x03f00001 - dcd 0 - clear_dcd 0 - plug 0 - jump_mode 3 - jump_addr 0x00000000 - == end work item - - loading binary file(u-boot-fastboot.img) to 177fffc0, skip=0, fsize=575f8 type=aa - - <<<357880, 358400 bytes>>> - report 3 in err=-7, last_trans=0 00 00 00 00 - report 4 in err=-7, last_trans=0 00 00 00 00 - failed (status 0x00000000) - jumping to 0x177fffc0 - ``` +```bash +loading binary file(SPL-fastboot) to 00907400, skip=0, fsize=dc00 type=aa + +<<<56320, 56320 bytes>>> +succeeded (status 0x88888888) +jumping to 0x00907400 +config file <.//mx6_usb_sdp_spl.conf> +parse .//mx6_usb_sdp_spl.conf +Trying to open device vid=0x18d1 pid=0x1d01. +Interface 0 claimed +HAB security state: development mode (0x56787856) +== work item +filename u-boot-fastboot.img +load_size 0 bytes +load_addr 0x03f00001 +dcd 0 +clear_dcd 0 +plug 0 +jump_mode 3 +jump_addr 0x00000000 +== end work item + +loading binary file(u-boot-fastboot.img) to 177fffc0, skip=0, fsize=575f8 type=aa + +<<<357880, 358400 bytes>>> +report 3 in err=-7, last_trans=0 00 00 00 00 +report 4 in err=-7, last_trans=0 00 00 00 00 +failed (status 0x00000000) +jumping to 0x177fffc0 +``` target log: - ``` - U-Boot SPL 2018.01-00273-gb7859c51bb57-dirty (Jan 22 2018 - 11:37:03) - Trying to boot from USB SDP - SDP: initialize... - SDP: handle requests... - Downloading file of size 357880 to 0x177fffc0... EP0/in FAIL info=48080 pg0=18300840 - EP0/out FAIL info=4018080 pg0=18300840 - Unexpected report 4EP0/out FAIL info=4018080 pg0=18300840 - Unexpected report 40Jumping to header at 0x177fffc0 - Header Tag is not an IMX image - ``` +```bash +U-Boot SPL 2018.01-00273-gb7859c51bb57-dirty (Jan 22 2018 - 11:37:03) +Trying to boot from USB SDP +SDP: initialize... +SDP: handle requests... +Downloading file of size 357880 to 0x177fffc0... EP0/in FAIL info=48080 pg0=18300840 +EP0/out FAIL info=4018080 pg0=18300840 +Unexpected report 4EP0/out FAIL info=4018080 pg0=18300840 +Unexpected report 40Jumping to header at 0x177fffc0 +Header Tag is not an IMX image +``` -## Summary +## Summary - System booting from eMMC -* eMMC flashing with imx_usb_loader required some work, but -finally ended successfully +- eMMC flashing with imx_usb_loader required some work, but finally ended + successfully If you need support in U-Boot, fastboot or eMMC feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or drop us email `contact@3mdeb.com`. If you enjoying this type of content feel -free to [sign up to our newsletter](http://eepurl.com/doF8GX)! +free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6)! -# Leave a comment! +## Leave a comment -Did you like this post? Do you have any questions? Please leave a comment and -if you find the article valuable - share it with your friends 🙂 It would be -nice if more people read it. See you on our social media: +Did you like this post? Do you have any questions? Please leave a comment and if +you find the article valuable - share it with your friends 🙂 It would be nice if +more people read it. See you on our social media: [facebook](https://www.facebook.com/3mdeb/) [twitter](https://twitter.com/3mdeb_com) diff --git a/blog/content/post/2019-03-13-yocto-meta-rte-migrate-to-github.md b/blog/content/post/2019-03-13-yocto-meta-rte-migrate-to-github.md index 2db2439b..7b36bf2d 100644 --- a/blog/content/post/2019-03-13-yocto-meta-rte-migrate-to-github.md +++ b/blog/content/post/2019-03-13-yocto-meta-rte-migrate-to-github.md @@ -1,104 +1,109 @@ ---- -title: Yocto meta-rte is now open for everyone -cover: /img/YoctoProject_Logo_RGB.jpg -author: marta.szelecka -layout: post -published: true -date: 2019-03-13 -archives: "2019" - -tags: - - Yocto - - linux - - rte -categories: - - OS Dev ---- - -## Yocto meta-rte is now open for everyone - -![yocto-logo](/img/YoctoProject_Logo_RGB.jpg) - -We are happy to announce that our 3mdeb’s Yocto `meta-rte` is now available on -our [GitHub](https://github.com/3mdeb/meta-rte). But let's say briefly what the -Yocto Project is and why we decided to work with it. - -First of all, like everything that we love the most, Yocto Project is open -sourced. The project is hosted by the Linux Foundation and gives you templates, -methods, and set of interoperable tools for creating OS images for embedded -Linux systems. Secondly, the Yocto project is used by many mainstream embedded -Linux providers and offers thousands of packages which are available through -layers. What are they? - -Yocto project can be used by itself or be extended by meta layers, which are -repositories with instructions (recipes) telling the build system what it should -do. By separating the instructions into layers we can reuse them and share for -other users (our 3mdeb’s `meta-rte` is exactly that kind of layer). Thirdly, -with Yocto Project you can bring to life exactly the Linux you want and need. -The project lets you choose your CPU architecture, select footprint size and -remove and/or add components to get the features you want. - -In addition, it is important to stress that Yocto project is developed by -programming enthusiasts and because we consider ourselves as one of them we -created and now we share `meta-rte`. `meta-rte` is created for our -[RTE](https://shop.3mdeb.com/product/rte/) (remote testing environment - a hat -designed for Orange Pi Zero board, a tool which makes easier work with firmware -debugging tasks). So let's now present some raw data about it: - -## Hardware support: - -The Orange Pi Zero default config does not enable all of its interfaces. -Following interfaces were enabled in the `meta-rte` -(as devicetree patches and kernel configuration changes) to support the -features of the RTE extension boards: - -* UART (uart2) interface - for RS-232 -* I2C (i2c1) interface - for mcp2301 GPIO expander -* SPI (spi1) interface - for flashing external boards' SPI flash chips -* USB (ehci/ohci 2 and 3) interfaces - for additonal on-board USB connector - -## System features: - -* minimal image with full support for the target hardware, -* [RteCtrl](https://github.com/3mdeb/RteCtrl) utility - controlling the RTE via - REST API calls, -* dual-image OTA upgrades based on the SWUpdate: https://sbabic.github.io/swupdate/swupdate.html -* systemd as init manager -* standard useful system utilities such as: - * tmux, - * minicom, - * openssh-server, - * full python3, - * bash shell, - * etc. -* Utilities for controlling the platform under test via RTE: - * ser2net - redirecting platform's serial via Ethernet over telnet - * flashrom - flashing platform's SPI chip, - * fastboot and imx-usb-loader - for i.MX6 boards flashing, - * stlink and openocd for STM32 microcontrollers flashing - * ifdtools, cbftools - utilites useful for coreboot testing - -![API](/img/REST-API.png) - -Here we have our dev version API. It starts automatically and thanks to that you -can start your remote work without any additional configurations. - -We all know that using Linux for embedded devices is complicated, but thanks to -Yocto Project bringing embedded devices to market becomes easier, cheaper and -faster. And it doesn't even matter what kind of device it is. In our case, it's -3mdeb's [RTE](https://shop.3mdeb.com/product/rte/). If you have any questions -about rte, `meta-rte` or you are just interested in embedded systems you can -email us at: contact@3mdeb.com. The confirmation of our competence is our -presence on the [Embedded Linux Expert List](https://elinux.org/Experts#The_List) -and [Yocto Project Consultants List](https://www.yoctoproject.org/community/consultants/). - -You should also know that anyone can build a system based on `meta-rte`. To do -this you will need a tool named `kas`. Interested? Check our another article: -[Quick start guide to kas - best tool for setting up the Yocto projects](https://3mdeb.com/os-dev/get-started-kas-yocto/). - -You can also find us on our [official site](https://3mdeb.com/), [blog](https://3mdeb.com/news-ideas/) -and on social media: [Twitter](https://twitter.com/3mdeb_com), -[Facebook](https://www.facebook.com/3mdeb), [LinkedIn](https://www.linkedin.com/company/3mdeb), -[GitHub](https://github.com/3mdeb), -[stackoverflow](https://stackoverflow.com/users/587395/piotr-kr%C3%B3l). +--- +title: Yocto meta-rte is now open for everyone +cover: /img/YoctoProject_Logo_RGB.jpg +author: marta.szelecka +layout: post +published: true +date: 2019-03-13 +archives: "2019" + +tags: + - Yocto + - linux + - rte +categories: + - OS Dev +--- + +## Yocto meta-rte is now open for everyone + +![yocto-logo](/img/YoctoProject_Logo_RGB.jpg) + +We are happy to announce that our 3mdeb’s Yocto `meta-rte` is now available on +our [GitHub](https://github.com/3mdeb/meta-rte). But let's say briefly what the +Yocto Project is and why we decided to work with it. + +First of all, like everything that we love the most, Yocto Project is open +sourced. The project is hosted by the Linux Foundation and gives you templates, +methods, and set of interoperable tools for creating OS images for embedded +Linux systems. Secondly, the Yocto project is used by many mainstream embedded +Linux providers and offers thousands of packages which are available through +layers. What are they? + +Yocto project can be used by itself or be extended by meta layers, which are +repositories with instructions (recipes) telling the build system what it should +do. By separating the instructions into layers we can reuse them and share for +other users (our 3mdeb’s `meta-rte` is exactly that kind of layer). Thirdly, +with Yocto Project you can bring to life exactly the Linux you want and need. +The project lets you choose your CPU architecture, select footprint size and +remove and/or add components to get the features you want. + +In addition, it is important to stress that Yocto project is developed by +programming enthusiasts and because we consider ourselves as one of them we +created and now we share `meta-rte`. `meta-rte` is created for our +[RTE](https://shop.3mdeb.com/product/rte/) (remote testing environment - a hat +designed for Orange Pi Zero board, a tool which makes easier work with firmware +debugging tasks). So let's now present some raw data about it: + +## Hardware support + +The Orange Pi Zero default config does not enable all of its interfaces. +Following interfaces were enabled in the `meta-rte` (as devicetree patches and +kernel configuration changes) to support the features of the RTE extension +boards: + +- UART (uart2) interface - for RS-232 +- I2C (i2c1) interface - for mcp2301 GPIO expander +- SPI (spi1) interface - for flashing external boards' SPI flash chips +- USB (ehci/ohci 2 and 3) interfaces - for additional on-board USB connector + +## System features + +- minimal image with full support for the target hardware, +- [RteCtrl](https://github.com/3mdeb/RteCtrl) utility - controlling the RTE via + REST API calls, +- dual-image OTA upgrades based on the SWUpdate: + +- systemd as init manager +- standard useful system utilities such as: + - tmux, + - minicom, + - openssh-server, + - full python3, + - bash shell, + - etc. +- Utilities for controlling the platform under test via RTE: + - ser2net - redirecting platform's serial via Ethernet over telnet + - flashrom - flashing platform's SPI chip, + - fastboot and imx-usb-loader + for i.MX6 boards + flashing, + - stlink and openocd for STM32 microcontrollers flashing + - ifdtools, cbftools - utilities useful for coreboot testing + +![API](/img/REST-API.png) + +Here we have our dev version API. It starts automatically and thanks to that you +can start your remote work without any additional configurations. + +We all know that using Linux for embedded devices is complicated, but thanks to +Yocto Project bringing embedded devices to market becomes easier, cheaper and +faster. And it doesn't even matter what kind of device it is. In our case, it's +3mdeb's [RTE](https://shop.3mdeb.com/product/rte/). If you have any questions +about rte, `meta-rte` or you are just interested in embedded systems you can +email us at: . The confirmation of our competence is our +presence on the +[Embedded Linux Expert List](https://elinux.org/Experts#The_List) and +[Yocto Project Consultants List](https://www.yoctoproject.org/community/consultants/). + +You should also know that anyone can build a system based on `meta-rte`. To do +this you will need a tool named `kas`. Interested? Check our another article: +[Quick start guide to kas - best tool for setting up the Yocto projects](https://3mdeb.com/os-dev/get-started-kas-yocto/). + +You can also find us on our [official site](https://3mdeb.com/), +[blog](https://3mdeb.com/news-ideas/) and on social media: +[Twitter](https://twitter.com/3mdeb_com), +[Facebook](https://www.facebook.com/3mdeb), +[LinkedIn](https://www.linkedin.com/company/3mdeb), +[GitHub](https://github.com/3mdeb), +[stackoverflow](https://stackoverflow.com/users/587395/piotr-kr%C3%B3l). diff --git a/blog/content/post/2019-03-14-meltdown-and-spectre-vulnerabilities.md b/blog/content/post/2019-03-14-meltdown-and-spectre-vulnerabilities.md index 5540380c..9f9d7944 100644 --- a/blog/content/post/2019-03-14-meltdown-and-spectre-vulnerabilities.md +++ b/blog/content/post/2019-03-14-meltdown-and-spectre-vulnerabilities.md @@ -13,7 +13,6 @@ categories: - Security --- - ## Meltdown and Spectre At the turn of the year 2017 and 2018, the world of security and computing has @@ -30,25 +29,25 @@ what they are and how they are threatening the users of modern machines. Meltdown and Spectre refer to the vulnerabilities which break the isolation between different applications. In other words, it allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. -Basically, they are divided into few variants: +Basically, they are divided into few variants: -* [CVE-2017-5753] **Spectre Variant 1** - bounds check bypass. -* [CVE-2017-5715] **Spectre Variant 2** - branch target injection -* [CVE-2017-5754] **Variant 3, Meltdown** - rogue data cache load -* [CVE-2018-3640] **Variant 3a** - rogue system register read -* [CVE-2018-3639] **Variant 4** - speculative store bypass +- \[CVE-2017-5753\] **Spectre Variant 1** - bounds check bypass. +- \[CVE-2017-5715\] **Spectre Variant 2** - branch target injection +- \[CVE-2017-5754\] **Variant 3, Meltdown** - rogue data cache load +- \[CVE-2018-3640\] **Variant 3a** - rogue system register read +- \[CVE-2018-3639\] **Variant 4** - speculative store bypass ### Spectre Variant 1 - bounds check bypass Variant 1 relies on misleading the processor to do illegal actions (premature). How was it achieved? -Firstly, on the initial phase of the attack, the processor is trained with -valid inputs in an arbitrary attack program. To clarify, we prepare the -processor to be "cheated". For example, let's say it is an IF statement which -during training phase evaluates to true: +Firstly, on the initial phase of the attack, the processor is trained with valid +inputs in an arbitrary attack program. To clarify, we prepare the processor to +be "cheated". For example, let's say it is an IF statement which during training +phase evaluates to true: -``` +```bash if (x &lt; array1_size) y = array2[array1[x] * 4096]; ``` @@ -56,11 +55,11 @@ if (x &lt; array1_size) Next, during the exploit phase, the attacker invokes the code with a value of `x` outside the bounds of `array1`. What happens now? -Due to the training phase, which task was to teach the branch predictor that -the IF statement will be true, the processor will mispredict the next -instruction. That is to say, the processor will think that the IF statement -still will be true (what?!), thus executing wrong instruction. This is the -source of spectre vulnerability. +Due to the training phase, which task was to teach the branch predictor that the +IF statement will be true, the processor will mispredict the next instruction. +That is to say, the processor will think that the IF statement still will be +true (what?!), thus executing wrong instruction. This is the source of spectre +vulnerability. > To clarify, the branch means execution flow. If we have an IF statement, we > divide the execution flow into two branches: when the condition is true or @@ -69,13 +68,12 @@ source of spectre vulnerability. In short, that is how speculative execution works. Rather than waiting for determination of the branch result, the CPU guesses that the bounds check will -be true. Given that, processor already speculatively executes instructions -that evaluate `array2[array1[x]*4096]` using the malicious `x`. In other words, -the process accesses data it is not permitted to. `x` is chosen by the attacker -and the read from `array2` is dependent on `array1[x]`. Even if the CPU -discovers its error and reverts the changes, the secret data still exists in -the cache. The data can be then retrieved by analyzing the cache by an -attacker. +be true. Given that, processor already speculatively executes instructions that +evaluate `array2[array1[x]*4096]` using the malicious `x`. In other words, the +process accesses data it is not permitted to. `x` is chosen by the attacker and +the read from `array2` is dependent on `array1[x]`. Even if the CPU discovers +its error and reverts the changes, the secret data still exists in the cache. +The data can be then retrieved by analyzing the cache by an attacker. ### Spectre Variant 2 - branch target injection @@ -83,9 +81,9 @@ Variant 2 is very similar to the first variant. In the previous example, the malicious code resided in attackers address space. While in the second variant, the attacker chooses a specific "gadget" from the victim's address space. Similarly, the processor is trained to mispredict a branch and to execute the -"gadget" lying in the victim's address space. As a result, information -revealed by the "gadget" remains in the cache. Again, the attacker can analyze -it to retrieve the information. +"gadget" lying in the victim's address space. As a result, information revealed +by the "gadget" remains in the cache. Again, the attacker can analyze it to +retrieve the information. ### Variant 3 - Meltdown, rogue data cache load @@ -102,17 +100,17 @@ further down the instruction stream of a program to be executed in parallel with, and sometimes before, preceding instructions. How does it apply to meltdown attacks? -Meltdown attack focuses on memory protection bypassing. For example, when -trying to access kernel memory space from user-space a trap is caused. But -before the trap occurs the out-of-order execution takes place. As a result, -instructions that follow the illegal access (causing the trap) are executed -before being terminated. As a result, these instructions leak the contents of -the accessed memory to the cache. The rest of the story is already known. +Meltdown attack focuses on memory protection bypassing. For example, when trying +to access kernel memory space from user-space a trap is caused. But before the +trap occurs the out-of-order execution takes place. As a result, instructions +that follow the illegal access (causing the trap) are executed before being +terminated. As a result, these instructions leak the contents of the accessed +memory to the cache. The rest of the story is already known. ### Variant 3a - rogue system register read -This variant is also very similar to variant 3, but the target is different. -On the contrary of the variant 3, when attacker wanted to obtain kernel memory +This variant is also very similar to variant 3, but the target is different. On +the contrary of the variant 3, when attacker wanted to obtain kernel memory space, variant3a focuses on hardware registers access by a normal user. Typically, accessing hardware registers is restricted to root or even kernel itself. In other words, it is not possible to read some registers by a normal @@ -123,20 +121,20 @@ user access. ### Variant 4 - speculative store bypass Variant 4, when exploited, allows an attacker to read older memory values in a -processor's stack or other memory locations. The trick is to make the storing -of a value dependent on the results of previous instructions. To clarify, this +processor's stack or other memory locations. The trick is to make the storing of +a value dependent on the results of previous instructions. To clarify, this means that the processor has to wait before it knows where to store the value. The second step (the value load), is, in contrast, constructed in such a way that the address can be determined quickly, without waiting. In this situation, the processor's speculative execution will "ignore" or "bypass" the store. Because it doesn't yet know where the value is actually being stored. It will -make an assumption that the data currently held at the memory location is -valid (but it's not!). +make an assumption that the data currently held at the memory location is valid +(but it's not!). -The processor will figure out its error, discard the results and perform -correct calculations. But at this point, the microarchitectural state of the -processor has already been changed. These changes can be detected, and an -attacker can use those changes to figure out which value was read. +The processor will figure out its error, discard the results and perform correct +calculations. But at this point, the microarchitectural state of the processor +has already been changed. These changes can be detected, and an attacker can use +those changes to figure out which value was read. ## Summary @@ -145,15 +143,16 @@ Performance advancement has been achieved not only by the frequency itself but also by introducing speculative execution. Rather than wasting clock cycles to access memory or determine a value, CPU tries to predict the execution flow or value and executes instruction prematurely. This gave birth to Meltdown and -Spectre. If the instruction prediction is correct, the performance is -increased. Otherwise, the CPU has to revert all changes to the last checkpoint -(before incorrect execution) resulting in a performance drop. +Spectre. If the instruction prediction is correct, the performance is increased. +Otherwise, the CPU has to revert all changes to the last checkpoint (before +incorrect execution) resulting in a performance drop. In the next post, I will show You whether Meltdown and Spectre vulnerabilities are exploitable on PC Engines apu2 platform and how to mitigate. So stay tuned. If you think we can help in improving the security of your firmware or you -looking for someone who can boot your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in -similar content feel free to [sign up to our newsletter.](http://eepurl.com/doF8GX) +looking for someone who can boot your product by leveraging advanced features of +used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up to our newsletter.](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2019-04-17-roca.md b/blog/content/post/2019-04-17-roca.md index 8c18eefd..3f1bfaf5 100644 --- a/blog/content/post/2019-04-17-roca.md +++ b/blog/content/post/2019-04-17-roca.md @@ -21,14 +21,15 @@ discovered (October 2017) in a software library, RSALib, provided by Infineon Technologies. That library is also used in TPM modules. When this vulnerability is present, a pair of prime numbers used for generating RSA keys is chosen from a small subset of all available prime numbers. This results in a great loss of -entropy. Details and exact numbers can be found [here](https://crocs.fi.muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf). +entropy. Details and exact numbers can be found +[here](https://crocs.fi.muni.cz/_media/public/papers/nemec_roca_ccs17_preprint.pdf). **UPDATE 2021-10-20**: provided new link for TPM firmware updates (old one was no longer working), added info about patch for openssl-1.1.0 being applied upstream. -**UPDATE 2021-11-18**: updated second link referring to the TPM firmware -updates (it was not fixed in the **UPDATE 2021-10-20**). +**UPDATE 2021-11-18**: updated second link referring to the TPM firmware updates +(it was not fixed in the **UPDATE 2021-10-20**). ## Discovering whether TPM is vulnerable @@ -41,21 +42,22 @@ is a possibility of a false positive result. For the version of detection tool we will use it is 2^-154 - consider yourself very lucky if you manage to get a false positive. -#### Generating RSA key pairs with TPM +### Generating RSA key pairs with TPM ![TPM2](/covers/tpm2.png) -RSA keys can be generated with [tpm2-tools](https://github.com/tpm2-software/tpm2-tools). -SLB 9665 used in TPM module doesn't support 512-bit RSA, so either 1024 or -2048-bit keys must be used. Because of that, it is impossible to factorize the -private part in reasonable time for testing purposes, but that time (around 3 -months of CPU time according to the paper mentioned earlier) is very low when -it comes to the security of keys and, moreover, data and identities protected -by them. Even worse, this time scales linearly with the number of cores. +RSA keys can be generated with +[tpm2-tools](https://github.com/tpm2-software/tpm2-tools). SLB 9665 used in TPM +module doesn't support 512-bit RSA, so either 1024 or 2048-bit keys must be +used. Because of that, it is impossible to factorize the private part in +reasonable time for testing purposes, but that time (around 3 months of CPU time +according to the paper mentioned earlier) is very low when it comes to the +security of keys and, moreover, data and identities protected by them. Even +worse, this time scales linearly with the number of cores. Context is used for key generation, so it must be generated first: -``` +```bash tpm2_createprimary -g 'sha1' -G 'rsa1024:null:aes128cfb' -o tpm.ctx tpm2_create -C tpm.ctx -Grsa1024 -u key.pub -r key.priv ``` @@ -67,14 +69,15 @@ chances for false positives are extremely low, but not zero. TPM has a limited amount of the internal RAM and runs out of memory after 3 operations with error: -``` +```bash ERROR: Tss2_Sys_CreatePrimary(0x902) - tpm:warn(2.0): out of memory for object contexts ``` -In this case either rebooting or [flushing open handles manually](https://github.com/tpm2-software/tpm2-tools/issues/303#issuecomment-455309118) +In this case either rebooting or +[flushing open handles manually](https://github.com/tpm2-software/tpm2-tools/issues/303#issuecomment-455309118) helps. Only `handles-transient` need to be flushed: -``` +```bash $ tpm2_getcap -c handles-transient - 0x80000000 - 0x80000001 @@ -88,10 +91,10 @@ $ tpm2_flushcontext -c 0x80000002 File `key.pub` is a binary file with a TPM-specific header. It is not supported by the tool for checking for ROCA vulnerability, so the key needs to be -extracted and saved in one of the supported formats, e.g. hex coded number. -This can be done with the following script: +extracted and saved in one of the supported formats, e.g. hex coded number. This +can be done with the following script: -``` +```bash #!/bin/bash rm -f keys.txt @@ -109,16 +112,17 @@ its size - it is needed only for keys in memory. #### Testing for ROCA vulnerability -A tool for checking for ROCA TPM vulnerability can be found [here](https://github.com/crocs-muni/roca). -The easiest way is to install it with `pip`: +A tool for checking for ROCA TPM vulnerability can be found +[here](https://github.com/crocs-muni/roca). The easiest way is to install it +with `pip`: -``` +```bash pip install roca-detect ``` All parsed keys can be checked using just one command: -``` +```bash roca-detect keys.txt ``` @@ -134,7 +138,7 @@ numbers used. It does not generate private keys. This is output from test run on 2 different modules, with both 1024 and 2048-bit keys generated on each of them: -``` +```bash 2019-03-25 18:31:17 [11915] WARNING Fingerprint found in modulus keys.txt idx 0 {"type": "mod-hex", "fname": "keys.txt", "idx": 0, "aux": null, "n": "0x94b79a35a5d47040df1503670080a7714ae1ee751aeb32071b3db388b3bf80b11f661c4b8819ebd1c716239c9ec5a202b08a2aa3c17ad6cd17075ba49fcd005d8b8fa50c29433db35c1421727472deddd77bced7e6438db4d447008b11cdb018139bfef2e06c4b4a3e672543a7e9333040fd881815e14b1f1338e90180fd0865", @@ -170,13 +174,14 @@ Tools for updating Infineon TPM firmware can be easily found, unfortunately, most of them are either UEFI or Windows applications. A Linux port of them can be found [here](https://github.com/iavael/infineon-firmware-updater). ~~It requires openssl-1.0 (both developer files and runtime library), but it can be -updated to 1.1.0 version using [this patch](https://github.com/pcengines/apu2-documentation/blob/master/docs/research/openssl_1_1_0.patch).~~ +updated to 1.1.0 version using +[this patch](https://github.com/pcengines/apu2-documentation/blob/master/docs/research/openssl_1_1_0.patch).~~ EDIT: Patch has already been committed to main branch. First, check if `TPMFactoryUpd` was built successfully and TPM is detected properly: -``` +```bash $ ./TPMFactoryUpd -info ********************************************************************** * Infineon Technologies AG TPMFactoryUpd Ver 01.01.2459.00 * @@ -195,18 +200,19 @@ Remember the current firmware version number, it will be needed later. Also, note what is the value of `TPM platformAuth` - it must be `Empty Buffer` in order to perform an update. To do this, build and flash coreboot with TPM disabled in the config menu, or use an older version of BIOS - none of the -v4.8.0.* versions have TPM support enabled. SeaBIOS doesn't need any +v4.8.0.\* versions have TPM support enabled. SeaBIOS doesn't need any modifications, it will not initialize TPM unless coreboot does. BIOS from other vendors might include an option to turn TPM off - keep in mind that doing so will probably mess up things like a Secure Boot or HDD encryption. TPM firmwares are available with some of the UEFI and Windows images, like [these](https://www.supermicro.com/wdl/driver/TPM/9665FW%20update%20package_1.5.zip). -Only `9665FW update package_1.5/Firmware/TPM20__to_TPM20_5.63.3144.0.BIN` +Only +`9665FW update package_1.5/Firmware/TPM20__to_TPM20_5.63.3144.0.BIN` file is required. Extract this file to the same directory as the `TPMFactoryUpd` and run: -``` +```bash $ ./TPMFactoryUpd -update tpm20-emptyplatformauth -firmware TPM20__to_TPM20_5.63.3144.0.BIN ********************************************************************** * Infineon Technologies AG TPMFactoryUpd Ver 01.01.2459.00 * @@ -236,7 +242,7 @@ $ ./TPMFactoryUpd -update tpm20-emptyplatformauth -firmware TPM20__ This can take 3-5 minutes, depending on the firmware update size. After it completes, TPM is not useful until the next reboot: -``` +```bash $ ./TPMFactoryUpd -info ********************************************************************** * Infineon Technologies AG TPMFactoryUpd Ver 01.01.2459.00 * @@ -251,11 +257,10 @@ $ ./TPMFactoryUpd -info Remaining updates : N/A - System restart required ``` -Reboot platform immediately. Using TPM functions in this state isn't safe. -After successful reboot and flashing original coreboot firmware the result -should be: +Reboot platform immediately. Using TPM functions in this state isn't safe. After +successful reboot and flashing original coreboot firmware the result should be: -``` +```bash $ ./TPMFactoryUpd -info ********************************************************************** * Infineon Technologies AG TPMFactoryUpd Ver 01.01.2459.00 * @@ -270,14 +275,15 @@ $ ./TPMFactoryUpd -info Remaining updates : 63 ``` -#### Updating TPM firmware - automatic version detection +### Updating TPM firmware - automatic version detection Assuming that a whole `Firmware` directory was extracted to the directory -containing `TPMFactoryUpd` from the [update package](https://www.supermicro.com/wdl/driver/TPM/), -one can use a single command to do the update. Appropriate file is chosen -automatically, depending on the old version. The command is: +containing `TPMFactoryUpd` from the +[update package](https://www.supermicro.com/wdl/driver/TPM/), one can use a +single command to do the update. Appropriate file is chosen automatically, +depending on the old version. The command is: -``` +```bash $ ./TPMFactoryUpd -update config-file -config Firmware/TPM20_latest.cfg ********************************************************************** * Infineon Technologies AG TPMFactoryUpd Ver 01.01.2459.00 * @@ -315,7 +321,7 @@ afterwards. Repeating all steps from generating TPM context to using `roca-detect` shows that the vulnerability is **no longer present**: -``` +```bash 2019-03-26 18:40:42 [4325] INFO ### SUMMARY #################### 2019-03-26 18:40:42 [4325] INFO Records tested: 8 2019-03-26 18:40:42 [4325] INFO .. PEM certs: . . . 0 @@ -333,13 +339,14 @@ that the vulnerability is **no longer present**: 2019-03-26 18:40:42 [4325] INFO ################################ ``` -We will check every TPM module [we sell](https://shop.3mdeb.com/) and, if +We will check every TPM module [we sell](https://shop.3mdeb.com/shop/) and, if necessary, update the firmware before sending them to the customers. If you ordered such module earlier or you are not sure if it is vulnerable, feel free to test them for yourself. If you think we can help in improving the security of your firmware or you are -looking for someone who can boot your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +looking for someone who can boot your product by leveraging advanced features of +used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2019-04-24-USB-sniffing-with-OpenVizsla.md b/blog/content/post/2019-04-24-USB-sniffing-with-OpenVizsla.md index f06fb068..26b44b6a 100644 --- a/blog/content/post/2019-04-24-USB-sniffing-with-OpenVizsla.md +++ b/blog/content/post/2019-04-24-USB-sniffing-with-OpenVizsla.md @@ -26,53 +26,55 @@ categories: **"OpenVizsla is a project to design a device that will allow the capture and inspection of USB traffic that will help with the reverse engineering and debugging of proprietary USB devices, and will also be an invaluable tool for -developers working with USB and especially those who are using USB in -embedded designs."** - -This is the first sentence of a Kickstarter project which was funded in 2010. -It was donated with over 80.000 USD (what was much more then it was expected) -(and what turned out to be less than really was needed) in a month. -A pair of enthusiasts (bushing and pytey) with their friends put a lot of effort -to create small, cheap and open sourced USB sniffer. - -After over two years of struggle, while no working prototype was ready, -people over the Internet were really nervous. Many of them were calling -project maintainers to give them back their money. One of the founders -(pytey) wanted to support local businesses in Hungary, and he said he could get -them a good deal on assembly there. He took most of the parts, and after he -left the US it was more and more difficult to contact him. - -After two months without any sign of life from pytey, bushing realized, that -he was left alone. With no parts left enough to assembly working boards for -people who donated their money. With not enough money to buy missing parts. -And not enough money to give it back to donators. He rearranged the design, -using entirely parts that he could buy off-the-shelf with the money he had -access to. +developers working with USB and especially those who are using USB in embedded +designs."** + +This is the first sentence of a Kickstarter project which was funded in 2010. It +was donated with over 80.000 USD (what was much more then it was expected) (and +what turned out to be less than really was needed) in a month. A pair of +enthusiasts (bushing and pytey) with their friends put a lot of effort to create +small, cheap and open sourced USB sniffer. + +After over two years of struggle, while no working prototype was ready, people +over the Internet were really nervous. Many of them were calling project +maintainers to give them back their money. One of the founders (pytey) wanted to +support local businesses in Hungary, and he said he could get them a good deal +on assembly there. He took most of the parts, and after he left the US it was +more and more difficult to contact him. + +After two months without any sign of life from pytey, bushing realized, that he +was left alone. With no parts left enough to assembly working boards for people +who donated their money. With not enough money to buy missing parts. And not +enough money to give it back to donators. He rearranged the design, using +entirely parts that he could buy off-the-shelf with the money he had access to. At the beginning of 2014 first working boards were sent to premium donators. People who donated less received bare PCB's with parts to assemble it on their -own a few months later. Kickstarter project was closed on Aug 27 2014. Every -man who donated money on it received what was agreed. +own a few months later. Kickstarter project was closed on Aug 27 2014. Every man +who donated money on it received what was agreed. Ben “bushing” Byer died Feb 8 2016. -![OpenVizsla v3.2 board](https://cloud.3mdeb.com/index.php/s/GwjaeJQWyHPKxpD/preview) +![OpenVizsla v3.2 board](https://cloud.3mdeb.com/index.php/s/bJDGsrNkk8k4ZpP) ### A Brief Description Since there is no (affordable, at least) silicon that out-of-the-box provides -USB sniffing features, the heart of the OpenVizsla is an [FPGA](https://en.wikipedia.org/wiki/Field-programmable_gate_array), Xilinx Spartan 6 LX FPGA to be exact. -Board has Micron MT48LC16M16A2P-xx SDRAM (256MB), FTDI FT2232H High-Speed USB -converter with FIFO interface, and SMSC USB3343 ULPI PHY Hi-Speed USB 2.0 -transceiver. +USB sniffing features, the heart of the OpenVizsla is an +[FPGA](https://en.wikipedia.org/wiki/Field-programmable_gate_array), Xilinx +Spartan 6 LX FPGA to be exact. Board has Micron MT48LC16M16A2P-xx SDRAM (256MB), +FTDI FT2232H High-Speed USB converter with FIFO interface, and SMSC USB3343 ULPI +PHY Hi-Speed USB 2.0 transceiver. It has two USB 2.0 B ports (for a host and for a server) and one USB 2.0 A port for a target device, which is going to be analyzed. It provides no USB 3.0 -support. As there was very little support last few years, there are a lot -of known [limitations](https://github.com/openvizsla/ov_ftdi/wiki/limitations). +support. As there was very little support last few years, there are a lot of +known [limitations](https://github.com/openvizsla/ov_ftdi/wiki/limitations). -The device itself is Open Source Hardware, all the [schematics](http://openvizsla.org/images/ov_3.2_schematics_BOM.pdf) are open, -and anyone is free to build it on his own. [Firmware](https://github.com/openvizsla/ov_ftdi/wiki/building) is also free. +The device itself is Open Source Hardware, all the +[schematics](http://openvizsla.org/images/ov_3.2_schematics_BOM.pdf) are open, +and anyone is free to build it on his own. +[Firmware](https://github.com/openvizsla/ov_ftdi/wiki/building) is also free. ### Sniffing USB devices @@ -80,34 +82,37 @@ OpenVizsla is a sniffer and analyzer. It allows you to **passively** monitor the communication between a USB host and USB peripheral. It supports USB low-speed, full-speed and high-speed. To show that it works we started with something simple. Low-speed USB devices are i.e. keyboards and mouses. For the first test -we used a keyboard, because it is easy to [interpret](https://wiki.osdev.org/USB_Human_Input_Devices#USB_keyboard). +we used a keyboard, because it is easy to +[interpret](https://wiki.osdev.org/USB_Human_Input_Devices#USB_keyboard). - [![Keyboard test](https://asciinema.org/a/3dgnIPRaGmyLHAOWZOHI08YBz.svg)](https://asciinema.org/a/3dgnIPRaGmyLHAOWZOHI08YBz?speed=1) +[![Keyboard test](https://asciinema.org/a/3dgnIPRaGmyLHAOWZOHI08YBz.svg)](https://asciinema.org/a/3dgnIPRaGmyLHAOWZOHI08YBz?speed=1) As we can see, though there are a lot of frames going, most of them are -basically empty. USB protocol throws frames even if there is no info to -send. Some times there can be some information detected, like i.e.: - -``` -[ ] 3.899367 d= 0.002974 [ .0 +3899367.117] [ 3] IN : 21.1 -[ ] 3.901367 d= 0.002000 [ .0 +3901367.117] [ 3] IN : 4.1 -[ ] 3.903368 d= 0.002001 [ .0 +3903367.783] [ 3] IN : 27.1 -[ ] 3.903393 d= 0.000025 [ .0 +3903393.117] [ 1] NAK -[ ] 3.907368 d= 0.003975 [ .0 +3907367.783] [ 3] IN : 21.1 -[ ] 3.909368 d= 0.002001 [ .0 +3909368.450] [ 3] IN : 4.1 -[ ] 3.911368 d= 0.002000 [ .0 +3911368.450] [ 3] IN : 27.1 -[ ] 3.911394 d= 0.000025 [ .0 +3911393.783] [ 11] DATA1: 00 00 1e 00 00 00 00 00 29 88 -[ ] 3.911462 d= 0.000069 [ .0 +3911462.450] [ 1] ACK -[ ] 3.915368 d= 0.003906 [ .0 +3915368.450] [ 3] IN : 21.1 -[ ] 3.917369 d= 0.002001 [ .0 +3917369.117] [ 3] IN : 4.1 -[ ] 3.919369 d= 0.002000 [ .0 +3919369.117] [ 3] IN : 27.1 -[ ] 3.919395 d= 0.000026 [ .0 +3919395.117] [ 1] NAK +basically empty. USB protocol throws frames even if there is no info to send. +Some times there can be some information detected, like i.e.: + +```bash +[ ] 3.899367 d= 0.002974 [ .0 +3899367.117] [ 3] IN : 21.1 +[ ] 3.901367 d= 0.002000 [ .0 +3901367.117] [ 3] IN : 4.1 +[ ] 3.903368 d= 0.002001 [ .0 +3903367.783] [ 3] IN : 27.1 +[ ] 3.903393 d= 0.000025 [ .0 +3903393.117] [ 1] NAK +[ ] 3.907368 d= 0.003975 [ .0 +3907367.783] [ 3] IN : 21.1 +[ ] 3.909368 d= 0.002001 [ .0 +3909368.450] [ 3] IN : 4.1 +[ ] 3.911368 d= 0.002000 [ .0 +3911368.450] [ 3] IN : 27.1 +[ ] 3.911394 d= 0.000025 [ .0 +3911393.783] [ 11] DATA1: 00 00 1e 00 00 00 + 00 00 29 88 +[ ] 3.911462 d= 0.000069 [ .0 +3911462.450] [ 1] ACK +[ ] 3.915368 d= 0.003906 [ .0 +3915368.450] [ 3] IN : 21.1 +[ ] 3.917369 d= 0.002001 [ .0 +3917369.117] [ 3] IN : 4.1 +[ ] 3.919369 d= 0.002000 [ .0 +3919369.117] [ 3] IN : 27.1 +[ ] 3.919395 d= 0.000026 [ .0 +3919395.117] [ 1] NAK ``` -In `DATA1: 00 00 1e 00 00 00 00 00 29 88` we've got something to read. -According to USB keyword specification, the 3rd byte of a report applies to -the first button pressed. And `1e` is hexadecimal representation of [keycode](https://www.win.tue.nl/~aeb/linux/kbd/scancodes-14.html) -of '1'. (Which actually has been pressed). +In `DATA1: 00 00 1e 00 00 00 00 00 29 88` we've got something to read. According +to USB keyword specification, the 3rd byte of a report applies to the first +button pressed. And `1e` is hexadecimal representation of +[keycode](https://www.win.tue.nl/~aeb/linux/kbd/scancodes-14.html) of '1'. +(Which actually has been pressed). Let's try an USB mouse instead. @@ -116,44 +121,44 @@ Let's try an USB mouse instead. After the sniffing started for a while we did nothing. Then, we started to move the mouse in random directions. Stopped. And started again. -``` -[ ] 5.570812 d= 0.000027 [ .0 +5570812.050] [ 7] DATA1: 00 01 ff 00 ef eb -[ ] 5.570861 d= 0.000049 [ .0 +5570861.383] [ 1] ACK -[ ] 5.575785 d= 0.004924 [ .0 +5575785.383] [ 3] IN : 21.1 -[ ] 5.577785 d= 0.002000 [ .0 +5577785.383] [ 3] IN : 4.1 -[ ] 5.578785 d= 0.001000 [ .0 +5578785.383] [ 3] IN : 26.1 -[ ] 5.578813 d= 0.000027 [ .0 +5578812.717] [ 7] DATA0: 00 f9 fe 00 6f 8a -[ ] 5.578862 d= 0.000049 [ .0 +5578862.050] [ 1] ACK -[ ] 5.583786 d= 0.004924 [ .0 +5583786.050] [ 3] IN : 21.1 -[ ] 5.585786 d= 0.002000 [ .0 +5585786.050] [ 3] IN : 4.1 -[ ] 5.586787 d= 0.001001 [ .0 +5586786.717] [ 3] IN : 26.1 -[ ] 5.586813 d= 0.000027 [ .0 +5586813.383] [ 7] DATA1: 00 f8 fe 00 3e 4a -[ ] 5.586863 d= 0.000049 [ .0 +5586862.717] [ 1] ACK -[ ] 5.591787 d= 0.004924 [ .0 +5591786.717] [ 3] IN : 21.1 -[ ] 5.593787 d= 0.002001 [ .0 +5593787.383] [ 3] IN : 4.1 -[ ] 5.594787 d= 0.001000 [ .0 +5594787.383] [ 3] IN : 26.1 -[ ] 5.594815 d= 0.000027 [ .0 +5594814.717] [ 7] DATA0: 00 fb 00 00 8e 2a +```bash +[ ] 5.570812 d= 0.000027 [ .0 +5570812.050] [ 7] DATA1: 00 01 ff 00 ef eb +[ ] 5.570861 d= 0.000049 [ .0 +5570861.383] [ 1] ACK +[ ] 5.575785 d= 0.004924 [ .0 +5575785.383] [ 3] IN : 21.1 +[ ] 5.577785 d= 0.002000 [ .0 +5577785.383] [ 3] IN : 4.1 +[ ] 5.578785 d= 0.001000 [ .0 +5578785.383] [ 3] IN : 26.1 +[ ] 5.578813 d= 0.000027 [ .0 +5578812.717] [ 7] DATA0: 00 f9 fe 00 6f 8a +[ ] 5.578862 d= 0.000049 [ .0 +5578862.050] [ 1] ACK +[ ] 5.583786 d= 0.004924 [ .0 +5583786.050] [ 3] IN : 21.1 +[ ] 5.585786 d= 0.002000 [ .0 +5585786.050] [ 3] IN : 4.1 +[ ] 5.586787 d= 0.001001 [ .0 +5586786.717] [ 3] IN : 26.1 +[ ] 5.586813 d= 0.000027 [ .0 +5586813.383] [ 7] DATA1: 00 f8 fe 00 3e 4a +[ ] 5.586863 d= 0.000049 [ .0 +5586862.717] [ 1] ACK +[ ] 5.591787 d= 0.004924 [ .0 +5591786.717] [ 3] IN : 21.1 +[ ] 5.593787 d= 0.002001 [ .0 +5593787.383] [ 3] IN : 4.1 +[ ] 5.594787 d= 0.001000 [ .0 +5594787.383] [ 3] IN : 26.1 +[ ] 5.594815 d= 0.000027 [ .0 +5594814.717] [ 7] DATA0: 00 fb 00 00 8e 2a ``` The second and the third byte represents movement in consequently X and Y axis. The first (it should be properly called '0') byte represents mouse buttons status. -Ok, that's fun, may be nice to check once or even twice if it works as -described in a specification. But is that what this device is designed for? -Well, maybe. If You are a USB peripherals engineer. +Ok, that's fun, may be nice to check once or even twice if it works as described +in a specification. But is that what this device is designed for? Well, maybe. +If You are a USB peripherals engineer. **Let's do something more interesting.** In examples above we showed how intense is low-speed communication over USB. Signals flew so quickly, that it was hard to notice a single data frame. And that was low-speed. Devices like USB memory sticks run on a high-speed. -Unfortunately, this is so fast, that in the real time the amount of -information makes it totally unreadable for a man. +Unfortunately, this is so fast, that in the real time the amount of information +makes it totally unreadable for a man. Instead of showing a movie, we'll show a set of frozen frames from the output. -``` +```bash [ ] 37.224731 d= 0.000022 [ 15.1 + 0.583] [ 3] IN : 4.1 [ ] 37.224740 d= 0.000009 [ 15.1 + 9.667] [ 3] IN : 4.1 [ ] 37.224742 d= 0.000003 [ 15.1 + 12.317] [ 3] IN : 4.1 @@ -163,42 +168,74 @@ Instead of showing a movie, we'll show a set of frozen frames from the output. [ ] 37.224773 d= 0.000017 [ 15.1 + 42.683] [ 3] IN : 4.1 ``` -These are frames from a connected USB stick, that does absolutely nothing. -The last square bracket represents a number of bytes send, after that you can -read a packet identifier. `IN` means a `TOKEN` `IN` signal. -`ACK` is a `handshake` signal, which you can observe in examples above. +These are frames from a connected USB stick, that does absolutely nothing. The +last square bracket represents a number of bytes send, after that you can read a +packet identifier. `IN` means a `TOKEN` `IN` signal. `ACK` is a `handshake` +signal, which you can observe in examples above. Now, let's connect to OpenVisla some real thing. Our choice was a stick with live system, which should try to be recognized by the PC. After a second we've had: -``` -[ ] 1.836409 d= 0.000000 [135.1 + 39.783] [ 16] DATA0: 55 53 42 53 60 00 00 00 00 00 00 00 00 f1 b0 -[ ] 1.836634 d= 0.000000 [135.3 + 14.400] [ 34] DATA0: 55 53 42 43 61 00 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 aa 90 -[ ] 1.836790 d= 0.000000 [135.4 + 45.050] [ 16] DATA1: 55 53 42 53 61 00 00 00 00 00 00 00 00 fc 20 -[ ] 1.836985 d= 0.000000 [135.5 +114.817] [ 34] DATA1: 55 53 42 43 62 00 00 00 00 10 00 00 80 00 0a 28 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 49 3f -[ ] 1.837871 d= 0.000000 [136.5 + 1.033] [515] DATA0: eb 3c 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 12 00 02 00 00 00 00 00 00 00 00 00 00 16 1f 66 6a 00 51 50 06 53 31 c0 88 f0 50 6a 10 89 e5 e8 c0 00 8d 66 10 cb fc 31 c9 8e c1 8e d9 8e d1 bc 00 7c 89 e6 bf 00 07 fe c5 f3 a5 be ee 7d 80 fa 80 72 2c b6 01 e8 60 00 b9 01 00 be be 8d b6 01 80 7c 04 a5 75 07 e3 19 f6 04 80 75 14 83 c6 10 fe c6 80 fe 05 72 e9 49 e3 e1 be a2 7d eb 4b 31 d2 89 16 00 09 b6 10 e8 2e 00 bb 00 90 8b 77 0a 01 de bf 00 c0 b9 00 ae 29 f1 f3 a4 fa 49 74 14 e4 64 a8 02 75 f7 b0 d1 e6 64 e4 64 a8 02 75 fa b0 df e6 60 fb e9 50 13 bb 00 8c 8b 44 08 8b 4c 0a 0e e8 5a ff 73 2a be 9d 7d e8 1c 00 be a7 7d e8 16 00 30 e4 cd 16 c7 06 72 04 34 12 ea f0 ff 00 f0 bb 07 00 b4 0e cd 10 ac 84 c0 75 f4 b4 01 f9 c3 2e f6 06 b0 08 80 74 22 80 fa 80 72 1d bb aa 55 52 b4 41 cd 13 5a 72 12 81 fb 55 aa 75 0c f6 c1 01 74 07 89 ee b4 42 cd 13 c3 52 b4 08 cd 13 88 f5 5a 72 cb 80 e1 3f 74 c3 fa 66 8b 46 08 52 66 0f b6 d9 66 31 d2 66 f7 f3 88 eb 88 d5 43 30 d2 66 f7 f3 88 d7 5a 66 3d ff 03 00 00 fb 77 9d 86 c4 c0 c8 02 08 e8 40 91 88 fe 28 e0 8a 66 02 38 e0 72 02 b0 01 bf 05 00 c4 5e 04 50 b4 02 cd 13 5b 73 0a 4f 74 1c 30 e4 cd 13 93 eb eb 0f b6 c3 01 46 08 73 03 ff 46 0a d0 e3 00 5e 05 28 46 02 77 88 c3 52 65 61 64 00 42 6f 6f 74 00 20 65 72 72 6f 72 0d 0a 00 80 90 90 90 90 90 90 90 90 90 90 90 90 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 01 00 a5 fe ff ff 00 00 00 00 50 c3 00 00 55 aa b8 c4 +```bash +[ ] 1.836409 d= 0.000000 [135.1 + 39.783] [ 16] DATA0: 55 53 42 53 + 60 00 00 00 00 00 00 00 00 f1 b0 +[ ] 1.836634 d= 0.000000 [135.3 + 14.400] [ 34] DATA0: 55 53 42 43 + 61 00 00 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 aa 90 +[ ] 1.836790 d= 0.000000 [135.4 + 45.050] [ 16] DATA1: 55 53 42 53 + 61 00 00 00 00 00 00 00 00 fc 20 +[ ] 1.836985 d= 0.000000 [135.5 +114.817] [ 34] DATA1: 55 53 42 43 + 62 00 00 00 00 10 00 00 80 00 0a 28 00 00 00 00 00 00 00 08 00 00 00 00 00 + 00 00 49 3f +[ ] 1.837871 d= 0.000000 [136.5 + 1.033] [515] DATA0: eb 3c 00 00 + 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 12 00 02 00 00 + 00 00 00 00 00 00 00 00 16 1f 66 6a 00 51 50 06 53 31 c0 88 f0 50 6a 10 89 + e5 e8 c0 00 8d 66 10 cb fc 31 c9 8e c1 8e d9 8e d1 bc 00 7c 89 e6 bf 00 07 + fe c5 f3 a5 be ee 7d 80 fa 80 72 2c b6 01 e8 60 00 b9 01 00 be be 8d b6 01 + 80 7c 04 a5 75 07 e3 19 f6 04 80 75 14 83 c6 10 fe c6 80 fe 05 72 e9 49 e3 + e1 be a2 7d eb 4b 31 d2 89 16 00 09 b6 10 e8 2e 00 bb 00 90 8b 77 0a 01 de + bf 00 c0 b9 00 ae 29 f1 f3 a4 fa 49 74 14 e4 64 a8 02 75 f7 b0 d1 e6 64 e4 + 64 a8 02 75 fa b0 df e6 60 fb e9 50 13 bb 00 8c 8b 44 08 8b 4c 0a 0e e8 5a + ff 73 2a be 9d 7d e8 1c 00 be a7 7d e8 16 00 30 e4 cd 16 c7 06 72 04 34 12 + ea f0 ff 00 f0 bb 07 00 b4 0e cd 10 ac 84 c0 75 f4 b4 01 f9 c3 2e f6 06 b0 + 08 80 74 22 80 fa 80 72 1d bb aa 55 52 b4 41 cd 13 5a 72 12 81 fb 55 aa 75 + 0c f6 c1 01 74 07 89 ee b4 42 cd 13 c3 52 b4 08 cd 13 88 f5 5a 72 cb 80 e1 + 3f 74 c3 fa 66 8b 46 08 52 66 0f b6 d9 66 31 d2 66 f7 f3 88 eb 88 d5 43 30 + d2 66 f7 f3 88 d7 5a 66 3d ff 03 00 00 fb 77 9d 86 c4 c0 c8 02 08 e8 40 91 + 88 fe 28 e0 8a 66 02 38 e0 72 02 b0 01 bf 05 00 c4 5e 04 50 b4 02 cd 13 5b + 73 0a 4f 74 1c 30 e4 cd 13 93 eb eb 0f b6 c3 01 46 08 73 03 ff 46 0a d0 e3 + 00 5e 05 28 46 02 77 88 c3 52 65 61 64 00 42 6f 6f 74 00 20 65 72 72 6f 72 + 0d 0a 00 80 90 90 90 90 90 90 90 90 90 90 90 90 90 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 01 00 a5 fe ff ff 00 00 + 00 00 50 c3 00 00 55 aa b8 c4 ``` What we can convert from hexadecimal to ASCII and obtain: -``` -USBS`� +```bash +USBS`��������� -USBCa�� +USBCa��������������������������� -USBSa� +USBSa��������� -USBCb� -(I? +USBCb�������� +(��������������I? -�<fjQPS1���Pj�����f��1Ɏ��َѼ|������}���r,��`������|�u���u���ƀ�r�I�ᾢ}�K1҉ ��.���w -޿���)���It�d�u����d�d�u����`��P���D�L -�Z�s*��}���}�0���r4���������u����.���t"���r��UR�A�Zr��U�u ��t��B��R����Zrˀ�?t��f�FRf��f1�f����C0�f���Zf=��w������@���(��f8�r���^P��[s +�<��������������������������������fj�QPS1���Pj������f +��1Ɏ��َѼ�|�������}���r,��`��������|�u���u���ƀ� +r�I�ᾢ}�K1҉� ��.�����w +޿�����)���It�d�u����d�d�u����`��P����D�L +�Z�s*��}����}��0���r4�����������u����.���t"���r +��UR�A�Zr��U�u ��t��B��R����Zrˀ�?t��f�FRf��f1�f����C0�f���Zf= +����w������@���(��f8�r����^P��[s Ot0�������Fs�F -��^(Fw��ReadBoot error -�������������������P�U��� +���^(Fw��Read�Boot� error +������������������������������������������������������ +��������������������P���U��� ``` This is only an example, chosen arbitrarily from many, many signals we received. @@ -206,8 +243,8 @@ This is only an example, chosen arbitrarily from many, many signals we received. Speed of data transfer with all the logged information was such, that the log the file we wanted to be created (plain text) was 200MB in a few seconds. -We had to interrupt it, but all the computer memory was busy making logs. -The only way to stop it was to disconnect the USB device manually. +We had to interrupt it, but all the computer memory was busy making logs. The +only way to stop it was to disconnect the USB device manually. ## Summary @@ -219,6 +256,7 @@ show what this small and relatively cheap board is capable of. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sing up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sing up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2019-04-30-5-terms-every-hypervisor-developer-should-know.md b/blog/content/post/2019-04-30-5-terms-every-hypervisor-developer-should-know.md index 614b2bae..57c3ad93 100644 --- a/blog/content/post/2019-04-30-5-terms-every-hypervisor-developer-should-know.md +++ b/blog/content/post/2019-04-30-5-terms-every-hypervisor-developer-should-know.md @@ -23,15 +23,15 @@ categories: --- This is the first post of a series about developing type-1 hypervisors, also -known as *native* or *bare-metal* hypervisors. It introduces to Intel's VMX -technology, describes interactions between a virtual machine and a hypervisor -as well as gives some insight on the control structures required. This post -should give some theoretical knowledge base required for the next ones, in -which we will implement a basic hypervisor using [Bareflank](https://github.com/Bareflank/hypervisor). -It assumes that you have some knowledge about IA-32 architecture. There will be -more than 5 terms actually, but the most important are those in headers. The -following posts will assume that the reader knows what they are for and what is -their scope. +known as _native_ or _bare-metal_ hypervisors. It introduces to Intel's VMX +technology, describes interactions between a virtual machine and a hypervisor as +well as gives some insight on the control structures required. This post should +give some theoretical knowledge base required for the next ones, in which we +will implement a basic hypervisor using +[Bareflank](https://github.com/Bareflank/hypervisor). It assumes that you have +some knowledge about IA-32 architecture. There will be more than 5 terms +actually, but the most important are those in headers. The following posts will +assume that the reader knows what they are for and what is their scope. ## Introduction to VMX @@ -60,22 +60,25 @@ will see later in the series. Hypervisors can be classified as one of two types: -* type-1 (bare-metal, native) hypervisors. A hypervisor is run directly on the +- type-1 (bare-metal, native) hypervisors. A hypervisor is run directly on the hardware and is not managed by an operating system. Examples of this type are [Xen](https://xenproject.org/), [Hyper-V](http://www.microsoft.com/hyper-v) - and [Oracle VM Server](https://www.oracle.com/virtualization/vm-server-for-x86/). + and + [Oracle VM Server](https://www.oracle.com/virtualization/vm-server-for-x86/). The first hypervisors, developed by IBM in the 1960s, were also of this type. -* type-2 (hosted) hypervisors. In this case, each virtual machine, as well as +- type-2 (hosted) hypervisors. In this case, each virtual machine, as well as the hypervisor itself, are just other processes running on top of the - operating system. Examples are [VMware Workstation](https://www.vmware.com/products/workstation-pro.html), + operating system. Examples are + [VMware Workstation](https://www.vmware.com/products/workstation-pro.html), [VMware Player](https://www.vmware.com/products/workstation-player/workstation-player-evaluation.html), [VirtualBox](https://www.virtualbox.org/) and [QEMU](https://www.qemu.org/). Note that there is no clear distinction between those two, there are some -hypervisors that are somewhere in between. [KVM](https://www.linux-kvm.org/page/Main_Page) -for example is a kernel module that converts a whole OS to a type-1 hypervisor, -but because Linux still is an operating system it has to control access to -resources between processes, as type-2 hypervisor does. +hypervisors that are somewhere in between. +[KVM](https://www.linux-kvm.org/page/Main_Page) for example is a kernel module +that converts a whole OS to a type-1 hypervisor, but because Linux still is an +operating system it has to control access to resources between processes, as +type-2 hypervisor does. ## VMM @@ -101,9 +104,9 @@ VMM's memory is inaccessible from virtual machines. Such protection is possible with the help of EPT (extended page-table), but this mechanism is worthy of another post so I won't describe it further right now. -Intel's *Software Developer’s Manual* calls this `host`, while most of the world -leave this name for something else - I'll mention it later in this post. As -with other multi-processor environments, we can develop symmetric and asymmetric +Intel's _Software Developer’s Manual_ calls this `host`, while most of the world +leave this name for something else - I'll mention it later in this post. As with +other multi-processor environments, we can develop symmetric and asymmetric VMMs. In this series, I will assume that a VMM on one core is a separate entity from another core, even on symmetrical systems. Hopefully, this will better show all nuances and possibilities of virtualization. @@ -125,16 +128,16 @@ multi-processor execution. Again, I will restrict VM to one core. Here it makes even more sense because VMM can implement a scheduler and run multiple VMs on one physical core, in turn. For most people that were using only type-2 hypervisors one VM probably means one HDD, couple GBs of RAM and a multicore -CPU, as it meant to me not so long ago. So, let's call one virtual PC a *virtual -environment* and everything seen by one core (general purpose registers, MSRs, -APIC, memory etc.) is a *virtual machine*. This definition of VM is more or less +CPU, as it meant to me not so long ago. So, let's call one virtual PC a _virtual +environment_ and everything seen by one core (general purpose registers, MSRs, +APIC, memory etc.) is a _virtual machine_. This definition of VM is more or less consistent with how they are managed under the hood. I'll try to stick to these names, but bear with me if I make a mistake at some point :) All VMs work in VMX non-root operation, they are called `guest` in SDM as well as by everyone else, but... -#### Host-VM +### Host-VM There is one special VM that was created as first VM, it is a virtualized version of the operating system or firmware that hypervisor was started with. @@ -160,41 +163,41 @@ the time. VM exit is a transition from VM to VMM, or non-root to root operation Multiple checks are performed both on entries and exits. When an error occurred during VM entry it is possible to just not get into VM or return as soon as error on VM side happens. Error on VM exit is worse - they happen only when -there is no valid VMM to get back to, which leads to VMX abort, after which -the processor is put into a shutdown state. +there is no valid VMM to get back to, which leads to VMX abort, after which the +processor is put into a shutdown state. Old state is saved and a new one is loaded from VMCS (virtual machine control structure, described later) or structures that VMCS points to. There is a field for MSRs table, so VMM can fill in the ones that it intends to change and they will be saved/restored as a part of the transition. -#### VM entries +### VM entries VM entries happen as a result of VMLAUNCH or VMRESUME. Steps are done in order: 1. Basic checks are performed to ensure that VM entry can commence (valid VMM state, valid VMCS). -2. The control and host-state areas of the VMCS are checked to ensure that they +1. The control and host-state areas of the VMCS are checked to ensure that they are proper for supporting VMX non-root operation and that the VMCS is correctly configured to support the next VM exit. -3. The guest-state area of the VMCS is checked to ensure that, after the VM +1. The guest-state area of the VMCS is checked to ensure that, after the VM entry completes, the state of the logical processor is legal. -4. MSRs are loaded from the VM-entry MSR-load area. -5. If VMLAUNCH is being executed, the launch state of the VMCS is set to +1. MSRs are loaded from the VM-entry MSR-load area. +1. If VMLAUNCH is being executed, the launch state of the VMCS is set to "launched". -6. An event may be injected in the guest context. +1. An event may be injected in the guest context. -#### VM exits +### VM exits There are many possible reasons for the VM exit. 1. Information about the cause of the VM exit is recorded in the VM-exit information fields and VM-entry control fields are modified. -2. Processor state is saved in the guest-state area. -3. MSRs may be saved in the VM-exit MSR-store area. -4. Processor state is loaded based in part on the host-state area and some +1. Processor state is saved in the guest-state area. +1. MSRs may be saved in the VM-exit MSR-store area. +1. Processor state is loaded based in part on the host-state area and some VM-exit controls. Address-range monitoring is cleared. -5. MSRs may be loaded from the VM-exit MSR-load area. +1. MSRs may be loaded from the VM-exit MSR-load area. As you can see, there is no explicit error checking performed - it doesn't make sense to return back to VM anyway in this case. An error can happen when for any @@ -215,30 +218,31 @@ developer's point of view. There is always one VMCS per VM, even on symmetric implementations, because some of its fields describe CPU state at the time of the transition between VM and VMM so they cannot be shared by multiple cores. -The exact layout of this structure, as well as its size, is implementation -specific. For this reason, as well as because it can be internally cached by -CPU for better performance, fields of VMCS should not be accessed directly. -Special instructions defined by VMX should be used instead (VMCLEAR, VMREAD and +The exact layout of this structure, as well as its size, is implementation +specific. For this reason, as well as because it can be internally cached by CPU +for better performance, fields of VMCS should not be accessed directly. Special +instructions defined by VMX should be used instead (VMCLEAR, VMREAD and VMWRITE). The VMCS data is organized into six logical groups: -* **Guest-state area** - processor state is saved into the guest-state area on +- **Guest-state area** - processor state is saved into the guest-state area on VM exits and loaded from there on VM entries. -* **Host-state area** - processor state is loaded from the host-state area on - VM exits. It is usually saved only once when creating VMCS. -* **VM-execution control fields** - these fields control processor behaviour in +- **Host-state area** - processor state is loaded from the host-state area on VM + exits. It is usually saved only once when creating VMCS. +- **VM-execution control fields** - these fields control processor behaviour in VMX non-root operation. They determine in part the causes of VM exits. -* **VM-exit control fields** - these fields control VM exits. -* **VM-entry control fields** - these fields control VM entries. -* **VM-exit information fields** - these fields receive information on VM exits +- **VM-exit control fields** - these fields control VM exits. +- **VM-entry control fields** - these fields control VM entries. +- **VM-exit information fields** - these fields receive information on VM exits and describe the cause and the nature of VM exits. On some processors, these fields are read-only. The VM-execution control fields, the VM-exit control fields, and the VM-entry control fields are sometimes referred to collectively as VMX controls. -An overview of fields available in VMCS is available [here](https://github.com/LordNoteworthy/cpu-internals/raw/master/VMCS.pdf). +An overview of fields available in VMCS is available +[here](https://github.com/LordNoteworthy/cpu-internals/blob/master/VMCS-Layout.pdf). Note that not all of those fields are available on all processors, also new ones can be added in the future. @@ -248,14 +252,14 @@ VMCS-related instruction called: ![VMCS states](/img/vmcs_states.png) VM can migrate between cores; in this case, VMCS can be reused on another core, -but only after it was brought out of *launched* state and flushed to memory. +but only after it was brought out of _launched_ state and flushed to memory. VMCLEAR instruction does exactly that. Despite its name, it does not clear any fields, except for changing VMCS's state, but this field isn't accessible anyway. Size of VMCS is limited to 4 kB, but it can have pointers to other structures. -These pointers contain physical addresses because some of them are needed -before CR3 can be loaded. All of that memory should remain hidden from VMs. +These pointers contain physical addresses because some of them are needed before +CR3 can be loaded. All of that memory should remain hidden from VMs. ## Summary @@ -264,12 +268,13 @@ hardware) point of view. VM entry and VM exit are closely related to VMCS, it's difficult to explain them separately. All important fields of VMCS will be described at the time when they will be used. -Next post will show how to build Bareflank without any special treatment of -VM exits. We will also start OS from it and show that it is still usable, and -what is different than it was on real hardware. +Next post will show how to build Bareflank without any special treatment of VM +exits. We will also start OS from it and show that it is still usable, and what +is different than it was on real hardware. If you think we can help in improving the security of your firmware or you are -looking for someone who can boot your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +looking for someone who can boot your product by leveraging advanced features of +used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2019-05-08-bit-bang-theory-with-rte.md b/blog/content/post/2019-05-08-bit-bang-theory-with-rte.md index 912546b4..a6e59283 100644 --- a/blog/content/post/2019-05-08-bit-bang-theory-with-rte.md +++ b/blog/content/post/2019-05-08-bit-bang-theory-with-rte.md @@ -21,6 +21,7 @@ categories: - Manufacturing --- + ## Why? When you are working with firmware and embedded systems usually you flash some @@ -36,12 +37,12 @@ flash microchip. This technique is called **The Bit Banging**. So, let's assume, that we have some board with a chip, i.e. STM32 series, which -is very popular, and a binary image, which will be used for firmware upgrade. -To do it, at the very beginning we need some software that provides us a way to +is very popular, and a binary image, which will be used for firmware upgrade. To +do it, at the very beginning we need some software that provides us a way to manipulate the state of RTE pins as if they were pins of a programmer. As we prefer open source we used OpenOCD (Open-On-Chip-Debbuger). This is a -well-developed tool for such jobs, but, unfortunately, it doesn't support -Orange Pi Zero. And this is our microcomputer attached to RTE. +well-developed tool for such jobs, but, unfortunately, it doesn't support Orange +Pi Zero. And this is our microcomputer attached to RTE. It doesn't support it YET. @@ -49,27 +50,26 @@ It doesn't support it YET. After compiling OpenOCD and all the required libraries on Orange Pi Zero we've compared pinout of it with the pinout of Raspberry Pi 1, which on the first -sight has been similar. It was the same similarity as between a dolphin and -a shark, as we get close to it appeared to be much different. The only thing -the same was a number of pins. +sight has been similar. It was the same similarity as between a dolphin and a +shark, as we get close to it appeared to be much different. The only thing the +same was a number of pins. After studying of RTE and Orange Pi Zero pins usage and accessibility we've -chosen three sets of pins, that we considered being our candidates. -SWD interface requires three connected routes (SWDIO - data in and out, SWCLK - +chosen three sets of pins, that we considered being our candidates. SWD +interface requires three connected routes (SWDIO - data in and out, SWCLK - clock synchronization and NRST - reset signal) and ground connection. Our pins -had to be connected directly with Orange Pi pins and shouldn't be used for -any other important purposes. Next step was to create a configuration file to -translate OpenOCD which pins we want to be used and in what purpose. It also -had to be described what OpenOCD should try to pretend to be (it can emulate -many interfaces). - -We tested RTE expander pin header, which turned out to be too slow, next was -OC buffer pin header pins 1-3, which doesn't support such action at all. -Finally, it appeared, that header responsible originally for reading a device -under test Power LED value, though it was directed **in** by default, -fits our needs. - -``` +had to be connected directly with Orange Pi pins and shouldn't be used for any +other important purposes. Next step was to create a configuration file to +translate OpenOCD which pins we want to be used and in what purpose. It also had +to be described what OpenOCD should try to pretend to be (it can emulate many +interfaces). + +We tested RTE expander pin header, which turned out to be too slow, next was OC +buffer pin header pins 1-3, which doesn't support such action at all. Finally, +it appeared, that header responsible originally for reading a device under test +Power LED value, though it was directed **in** by default, fits our needs. + +```bash interface sysfsgpio reset_config srst_only srst_push_pull sysfsgpio_swd_nums 11 12 @@ -84,7 +84,7 @@ But it was still required to create a file for configuring flashing action After creating directory `~/bootloader` and copying there an example binary image, we created file `openocd.cfg` which was filled with: -``` +```bash source [find interface/orangepi.cfg] transport select swd set CHIPNAME STM32L432KC @@ -102,50 +102,51 @@ shutdown Which means : -* Take interface config file for Orange Pi -* use swd to communicate -* set a name for chip -* take chip config file -* set reset properties -* set speed -* start -* find suitable connected chip -* stop that chip -* flash with file (which is in our directory `~/bootloader/`) starting at -0x8000000 address, then verify if flashig was successful -* reset device -* close bit banging procedure +- Take interface config file for Orange Pi +- use swd to communicate +- set a name for chip +- take chip config file +- set reset properties +- set speed +- start +- find suitable connected chip +- stop that chip +- flash with file (which is in our directory `~/bootloader/`) starting at + 0x8000000 address, then verify if flashing was successful +- reset device +- close bit banging procedure Then we typed `openocd` in bootloader directory. There is no need to add any more, everything is in the config file we created. ![Flashing MC using Bit Banging](https://asciinema.org/a/zOmYCl5EIMkepDEvXhiubPLGT) -## But there were some errors... +## But there were some errors Yes, sometimes there are some errors thrown: -``` +```bash Error: Translation from khz to jtag_speed not implemented embedded:startup.tcl:244: Error: in procedure 'ocd_process_reset' in procedure 'ocd_process_reset_inner' called at file "embedded:startup.tcl", line 244 - ``` +``` -But in OpenOCD documentation, this is described as more or less irrelevant. -All in all our microchip has been flashed, and this action has been verified. +But in OpenOCD documentation, this is described as more or less irrelevant. All +in all our microchip has been flashed, and this action has been verified. ## Summary Bit Banging method means emulating some hardware interfaces using software -operations on other interfaces. Popular software in this matter is OpenOCD. -This article shows an example of how to do it with an Orange Pi Zero, that is -not currently supported by OpenOCD. And, in consequence, how to become -a better person. +operations on other interfaces. Popular software in this matter is OpenOCD. This +article shows an example of how to do it with an Orange Pi Zero, that is not +currently supported by OpenOCD. And, in consequence, how to become a better +person. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2019-05-15-building-bareflank.md b/blog/content/post/2019-05-15-building-bareflank.md index 8299321b..6085e30c 100644 --- a/blog/content/post/2019-05-15-building-bareflank.md +++ b/blog/content/post/2019-05-15-building-bareflank.md @@ -20,8 +20,8 @@ categories: --- In this second post of a series, we will build and start our first hypervisor. -It won't do much just yet, but it is good to get known with its build system. -We will be using [Bareflank](https://github.com/Bareflank/hypervisor). +It won't do much just yet, but it is good to get known with its build system. We +will be using [Bareflank](https://github.com/Bareflank/hypervisor). An introduction to the VMX (Virtual Machine eXtensions) can be found in the [previous post](https://blog.3mdeb.com/2019/2019-04-30-5-terms-every-hypervisor-developer-should-know/), @@ -29,19 +29,23 @@ but it isn't really necessary here. ## What is Bareflank? -Keep in mind that Bareflank isn't a full hypervisor as such, it is more like -an SDK for building our own hypervisors with it. In its basic implementation, -most of the handlers are simple pass-through to the underlying hardware. This -has some implications, they will be mentioned later. +Keep in mind that Bareflank isn't a full hypervisor as such, it is more like an +SDK for building our own hypervisors with it. In its basic implementation, most +of the handlers are simple pass-through to the underlying hardware. This has +some implications, they will be mentioned later. -There are more open source hypervisors available, such as [SimpleVisor](https://ionescu007.github.io/SimpleVisor/), -[HyperPlatform](https://github.com/tandasat/HyperPlatform), [ACRN](https://projectacrn.org/) -or even [Xen](https://xenproject.org/). Bareflank was chosen for this series -because it is a relatively simple project, providing a friendly API for custom -handlers, with low hardware and software requirements. +There are more open source hypervisors available, such as +[SimpleVisor](https://ionescu007.github.io/SimpleVisor/), +[HyperPlatform](https://github.com/tandasat/HyperPlatform), +[ACRN](https://projectacrn.org/) or even [Xen](https://xenproject.org/). +Bareflank was chosen for this series because it is a relatively simple project, +providing a friendly API for custom handlers, with low hardware and software +requirements. -We will be running this hypervisor on [MinnowBoard Turbot](https://minnowboard.org/minnowboard-turbot/) -board, but it should work on most UEFI platforms with VMX and [EPT-capable CPU](https://ark.intel.com/content/www/us/en/ark/search/featurefilter.html?productType=873&0_ExtendedPageTables=True). +We will be running this hypervisor on +[MinnowBoard Turbot](https://minnowboard.org/minnowboard-turbot/) board, but it +should work on most UEFI platforms with VMX and +[EPT-capable CPU](https://ark.intel.com/content/www/us/en/ark/search/featurefilter.html?productType=873&0_ExtendedPageTables=True). ## Getting the source code @@ -53,7 +57,8 @@ project of its own. This made it difficult to maintain coherent interfaces between those two, usually one version of hypervisor was not compatible with some versions of extended APIs. -As we really want to use extended APIs, in these series we will use [commit](https://github.com/Bareflank/hypervisor/commit/ba613e2c687f7042bac6886858cf6da3132a61d6) +As we really want to use extended APIs, in these series we will use +[commit](https://github.com/Bareflank/hypervisor/commit/ba613e2c687f7042bac6886858cf6da3132a61d6) `Merge pull request #733 from rianquinn/eapis_merge`. It was the latest commit that worked for UEFI platforms at the time of writing this article - code on `master` branch is not always working for all platforms; this is what tags are @@ -62,7 +67,7 @@ hypervisor repository in later commits, earlier they were separate projects, just like the extended APIs. This ensures that they use the latest API, too. Perhaps we will look at them later in these series. -``` +```bash git clone https://github.com/Bareflank/hypervisor.git cd hypervisor git co ba613e2c687f7042bac6886858cf6da3132a61d6 @@ -71,13 +76,13 @@ mkdir build cp hypervisor/scripts/cmake/config/example_config.cmake config.cmake ``` -This file needs to be changed in order to build Bareflank as a UEFI -application. `config.cmake` is modified with almost every change, so it must be -copied and set again if a different commit is used (also, clear `build` -directory after such a change). Open this file in [your favourite editor](https://thomer.com/vi/vi.html) -and change the following three lines: +This file needs to be changed in order to build Bareflank as a UEFI application. +`config.cmake` is modified with almost every change, so it must be copied and +set again if a different commit is used (also, clear `build` directory after +such a change). Open this file in your favourite editor and change the following +three lines: -``` +```bash set(ENABLE_BUILD_EFI OFF) (...) # set(OVERRIDE_VMM ) @@ -86,27 +91,27 @@ set(ENABLE_BUILD_EFI OFF) into this (note the lack of hashtags): -``` +```bash set(ENABLE_BUILD_EFI ON) (...) set(OVERRIDE_VMM integration_intel_x64_efi_test_efi) set(OVERRIDE_VMM_TARGET integration) ``` -#### Fixing serial newline +### Fixing serial newline All Bareflank debug output is sent to the serial port (I/O port 0x3F8). Without -heavy reverse engineering of OS it is impossible to print to the screen from -VMM level. Only lines printed by UEFI entry point (either running at VM level -or before entering VMX) to the hypervisor are visible also on the screen. +heavy reverse engineering of OS it is impossible to print to the screen from VMM +level. Only lines printed by UEFI entry point (either running at VM level or +before entering VMX) to the hypervisor are visible also on the screen. Most clients for capturing data from UART assume that every line ends with -`\r\n`, but Bareflank sends only '\n'. As a result, the cursor goes to the next +`\r\n`, but Bareflank sends only '\\n'. As a result, the cursor goes to the next line, but it does not return to the first column. This can be fixed with just one line added at the very beginning of the `write()` method in [serial_ns16550a.cpp](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/src/debug/serial/serial_ns16550a.cpp#L234): -```diff +```bashdiff --- a/bfvmm/src/debug/serial/serial_ns16550a.cpp +++ b/bfvmm/src/debug/serial/serial_ns16550a.cpp @@ -233,6 +233,8 @@ serial_ns16550a::is_transmit_empty() const noexcept @@ -124,22 +129,21 @@ one line added at the very beginning of the `write()` method in There are some dependencies required for building Bareflank. All of them are fulfilled in the [Docker container](https://github.com/3mdeb/bareflank-docker) -that we prepared for playing with this hypervisor SDK. This makes it possible -to get reproducible builds. It also saves time and patience required for -manually installing and/or building all dependencies - some of them may not be -available as a package in your OS distribution. This is especially true for LTS -releases. +that we prepared for playing with this hypervisor SDK. This makes it possible to +get reproducible builds. It also saves time and patience required for manually +installing and/or building all dependencies - some of them may not be available +as a package in your OS distribution. This is especially true for LTS releases. To download and start the container run the following instruction in the directory with `config.cmake`, `build` and `hypervisor`: -``` +```bash docker run --rm -it -v $PWD:/home/bareflank/bareflank -w /home/bareflank/bareflank 3mdeb/bareflank-docker /bin/bash ``` To build the hypervisor, run: -``` +```bash cd build cmake ../hypervisor make -j<# cores + 1> @@ -151,10 +155,10 @@ required for providing standard C/C++ environment on the bare metal. There is also `gnuefi` for compiling the hypervisor as a UEFI application. `make` takes some time. In our experience this build system is pretty robust, -so, unless changes are made to the `config.cmake` (or any other Cmake file) -and `cmake` must be re-run, there is no need for clearing the contents of -`build`. Successive executions of `make` should successfully build all of the -changed files only, which can save a lot of time. +so, unless changes are made to the `config.cmake` (or any other Cmake file) and +`cmake` must be re-run, there is no need for clearing the contents of `build`. +Successive executions of `make` should successfully build all of the changed +files only, which can save a lot of time. Final Bareflank executable is located in `build/efi/x86_64-efi-pe/build`. It should be a 1.2 MB `bareflank.efi` file. @@ -163,12 +167,13 @@ While we're at it, we may take a look at other files created in the build process. Arguably the most important file is `vmm` - the VMM part of our hypervisor, i.e. everything except UEFI entry point and other platform-specific functions (platform memory management, running code on different cores, virtual -to physical address translation). There is also C include file `vmm.h`, which -is the same file in the form of table of bytes - this saves all the work with +to physical address translation). There is also C include file `vmm.h`, which is +the same file in the form of table of bytes - this saves all the work with finding and opening file, which may not be trivial with some of the UEFI -implementations. Both files are created in `hypervisor/bfdriver/src/platform/efi/CMakeLists.txt`: +implementations. Both files are created in +`hypervisor/bfdriver/src/platform/efi/CMakeLists.txt`: -``` +```bash add_custom_command( OUTPUT ${CMAKE_BINARY_DIR}/vmm.h COMMAND ${CMAKE_COMMAND} @@ -192,69 +197,70 @@ For testing purposes, a live USB image of Ubuntu was used. If you are interested in its UEFI boot process read on, otherwise go straight to the [TL;DR](#tldr) section. -#### A few words on UEFI, GRUB and Secure Boot +### A few words on UEFI, GRUB and Secure Boot Ubuntu, like many other Linux distributions, used GRUB as its main bootloader -for quite some time already. The current version is GRUB2, which can be built -as a UEFI application. - -Secure Boot is a technology preventing bootkits from being installed and run. -It is a part of a chain of trust, where every part of the software (the root of -trust should be in the hardware) validates the next one before allowing it -to execute. The validation includes checking the hash of the image that is -being loaded and its signature - image must be signed with a key that is known -to the previous stage. - -Most UEFI vendors implement only Microsoft keys for Secure Boot (*if it works -with Windows, it works*), so other developers must ask Microsoft to sign their +for quite some time already. The current version is GRUB2, which can be built as +a UEFI application. + +Secure Boot is a technology preventing bootkits from being installed and run. It +is a part of a chain of trust, where every part of the software (the root of +trust should be in the hardware) validates the next one before allowing it to +execute. The validation includes checking the hash of the image that is being +loaded and its signature - image must be signed with a key that is known to the +previous stage. + +Most UEFI vendors implement only Microsoft keys for Secure Boot (_if it works +with Windows, it works_), so other developers must ask Microsoft to sign their software (or ask the users to turn off Secure Boot). However, [Microsoft UEFI CA Signing policy](https://techcommunity.microsoft.com/t5/Windows-Hardware-Certification/Microsoft-UEFI-CA-Signing-policy-updates/ba-p/364828) puts restrictions on what can be signed by Microsoft. One of these restrictions -is that `code submitted for UEFI signing must not be subject to GPLv3`, so -GRUB2 can't be signed, even though it may be aware of Secure Boot and continue -the chain of trust. - -To deal with this problem, an additional signed stage must be added before -GRUB2 (a bootloader for bootloaders). An example of such might be [PreLoader](https://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/) -or [shim](https://github.com/rhboot/shim). The latter is [used by Ubuntu](https://wiki.ubuntu.com/UEFI/SecureBoot). - -This shim is included in live images, otherwise the users would be welcomed by -a verification error printed by UEFI, with no pointers on how to start the -system. The error message most definitely wouldn't ask them to turn the Secure -Boot option off. - -All these problems result in an additional file in `\EFI\BOOT\` directory. -There is an application signed by Microsoft in `bootx64.efi` (shim) and another -one, `grubx64.efi` (GRUB2). GRUB is verified by the shim - shim was build with -GRUB's certificate. With Secure Boot turned off `grubx64.efi` can be started -directly. +is that `code submitted for UEFI signing must not be subject to GPLv3`, so GRUB2 +can't be signed, even though it may be aware of Secure Boot and continue the +chain of trust. + +To deal with this problem, an additional signed stage must be added before GRUB2 +(a bootloader for bootloaders). An example of such might be +[PreLoader](https://blog.hansenpartnership.com/linux-foundation-secure-boot-system-released/) +or [shim](https://github.com/rhboot/shim). The latter is +[used by Ubuntu](https://wiki.ubuntu.com/UEFI/SecureBoot). + +This shim is included in live images, otherwise the users would be welcomed by a +verification error printed by UEFI, with no pointers on how to start the system. +The error message most definitely wouldn't ask them to turn the Secure Boot +option off. + +All these problems result in an additional file in `\EFI\BOOT\` directory. There +is an application signed by Microsoft in `bootx64.efi` (shim) and another one, +`grubx64.efi` (GRUB2). GRUB is verified by the shim - shim was build with GRUB's +certificate. With Secure Boot turned off `grubx64.efi` can be started directly. A similar approach should be possible with Bareflank, but for testing and fooling around it is easier to just turn the Secure Boot off. #### TL;DR -Disable Secure Boot. Download and prepare a live USB drive of [Ubuntu](https://www.ubuntu.com/download/desktop). -Optionally edit `boot/grub/grub.cfg` to enable serial output - add -`console=ttyS0,115200` to the end of `linux /casper/vmlinuz ...` line, after -the three dashes in the `Try Ubuntu without installing` section. +Disable Secure Boot. Download and prepare a live USB drive of +[Ubuntu](https://www.ubuntu.com/download/desktop). Optionally edit +`boot/grub/grub.cfg` to enable serial output - add `console=ttyS0,115200` to the +end of `linux /casper/vmlinuz ...` line, after the three dashes in the +`Try Ubuntu without installing` section. By default, `bareflank.efi` tries to run `\EFI\BOOT\bootx64.efi` file. The same file is searched for in standard UEFI search for bootloaders. Because of that, it is difficult to start Bareflank and then the real bootloader automatically. -There are basically 3 options for starting Bareflank. All files mentioned -below (except `bareflank.efi`) are located in `\EFI\BOOT\` directory on the USB -drive. +There are basically 3 options for starting Bareflank. All files mentioned below +(except `bareflank.efi`) are located in `\EFI\BOOT\` directory on the USB drive. -###### 1st option +##### 1st option -Unless UEFI Shell can be forced to start despite a valid `bootx64.efi` file, -the most automatic option is to modify the Bareflank source to start a different +Unless UEFI Shell can be forced to start despite a valid `bootx64.efi` file, the +most automatic option is to modify the Bareflank source to start a different file. The line responsible for that is located in `load_start_vm()`, in `hypervisor/bfdriver/src/platform/efi/entry.c`. Change it to point to `grubx64.efi` to start GRUB directly and copy `bareflank.efi` to `bootx64.efi`: -```diff +```bashdiff --- a/bfdriver/src/platform/efi/entry.c +++ b/bfdriver/src/platform/efi/entry.c @@ -188,7 +188,7 @@ load_start_vm(EFI_HANDLE ParentImage) @@ -278,7 +284,8 @@ It will fail to load `bootx64.efi` and return to the shell, where the ###### 3rd option -The third option is to replace the original `bootx64.efi` with [UEFI Shell](https://github.com/tianocore/edk2/tree/master/ShellBinPkg/UefiShell/X64). +The third option is to replace the original `bootx64.efi` with +[UEFI Shell](https://github.com/tianocore/edk2/tree/UDK2018/ShellBinPkg/UefiShell/X64). This option is useful when there is no built-in shell available, as is the case with most PC firmwares. In this case Bareflank will start another instance of UEFI Shell, but it's OK, the shell memory is not reserved and can be reused @@ -292,23 +299,24 @@ this post I'll be showing output as it is visible with option 2. ![Bareflank startup](/img/bareflank_start.png) Bareflank even can print strings in colours (like, all 8 of them!), as long as -the client handles [ANSI escape codes](https://en.wikipedia.org/wiki/ANSI_escape_code). -The `DEBUG: host os is now in a vm` lines are visible only on the serial output. +the client handles +[ANSI escape codes](https://en.wikipedia.org/wiki/ANSI_escape_code). The +`DEBUG: host os is now in a vm` lines are visible only on the serial output. UEFI overwrites Bareflank output on the attached image because it is not aware that something else is printing through UART. As expected, the Bareflank entry point failed to start a bootloader. It didn't -stop the VMX operation, so the UEFI is now running in VMX non-root mode, as -will be the OS that we are going to start now: +stop the VMX operation, so the UEFI is now running in VMX non-root mode, as will +be the OS that we are going to start now: -``` +```bash FS0:\> EFI\BOOT\grubx64.efi ``` Remember to use backslashes, tab-completion is somewhat buggy otherwise. GRUB may not be printed on the serial output, but the OS should start automatically -after 5 seconds, plus some more before Ubuntu starts printing anything. After -it loads you can log in using default user `ubuntu`, or you can just use this +after 5 seconds, plus some more before Ubuntu starts printing anything. After it +loads you can log in using default user `ubuntu`, or you can just use this system with GUI. It should behave more or less just like it does without any hypervisor. @@ -316,26 +324,27 @@ hypervisor. All modern CPUs use microcode to translate CISC x86 instructions to smaller, RISC-like micro-operations. Microcode can be patched by the operating system or -BIOS firmware to workaround bugs found in the CPU after release. This allows -for fixes on the user site without product recalls, which are expensive and +BIOS firmware to workaround bugs found in the CPU after release. This allows for +fixes on the user site without product recalls, which are expensive and problematic both for vendors as well as for customers. Usually BIOS does its update, but then OS can update microcode to even later version - this is done for a) inexperienced users b) lazy users c) lazy BIOS vendors. OS often has some kind of automatic upgrades, while BIOS does not. Sometimes workarounds are developed before new microcode is available (e.g. -retpolines were available before IBRS in the case of [Spectre](https://spectreattack.com/)). +retpolines were available before IBRS in the case of +[Spectre](https://spectreattack.com/)). -For VMs these microcode updates should be turned off - imagine a situation -where one VM updates microcode after another checked CPU for its bugs and -applied OS-level workarounds. Those, in the best case, would slow down code -execution, but in some cases it could result in unexpected behaviour or wrong -results of some instructions. Ideally, firmware should always have the latest -microcode patches available. +For VMs these microcode updates should be turned off - imagine a situation where +one VM updates microcode after another checked CPU for its bugs and applied +OS-level workarounds. Those, in the best case, would slow down code execution, +but in some cases it could result in unexpected behaviour or wrong results of +some instructions. Ideally, firmware should always have the latest microcode +patches available. In our case this can be checked by doing: -``` +```bash ubuntu@ubuntu:~$ dmesg | grep microcode [ 15.316071] microcode: sig=0x30679, pf=0x1, revision=0xffffffff [ 15.316724] microcode: Microcode Update Driver: v2.2. @@ -343,30 +352,31 @@ ubuntu@ubuntu:~$ dmesg | grep microcode The same command when Ubuntu is started outside of VM: -``` +```bash ubuntu@ubuntu:~$ dmesg | grep microcode [ 15.296789] microcode: sig=0x30679, pf=0x1, revision=0x906 [ 15.297636] microcode: Microcode Update Driver: v2.2. ``` -Note the `revision` field. This is set in [microcode.cpp](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/src/hve/arch/intel_x64/microcode.cpp#L63) +Note the `revision` field. This is set in +[microcode.cpp](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/src/hve/arch/intel_x64/microcode.cpp#L63) and effectively turns the OS microcode updates off. Another issue is that Bareflank does not have (at least in the version we are working with) built-in support for handling CPU exceptions in VMM, other than printing some debug info and halting CPU in the VMX root operation. Some operations are intercepted by VMM, which would normally run and cause CPU -exception that OS could handle. In this case exception should be injected to -the VM, but it is up to hypervisor developer to implement this feature. After -all, Bareflank is not a hypervisor, so its handlers are pretty bare (pun -intended). +exception that OS could handle. In this case exception should be injected to the +VM, but it is up to hypervisor developer to implement this feature. After all, +Bareflank is not a hypervisor, so its handlers are pretty bare (pun intended). This could be shown by reading non-existing MSRs, but MSRs are no longer intercepted because of MSR bitmaps, which by default do not cause VM exits on MSR access. It was not the case in earlier versions of Bareflank, where all accesses were handled by the VMM, which in turn resulted in CPU hang. This happened on the VMM side, so only a hardware reset could fix this issue. There -is a note about this issue in [rdmsr.cpp](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/src/hve/arch/intel_x64/vmexit/rdmsr.cpp#L107). +is a note about this issue in +[rdmsr.cpp](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/src/hve/arch/intel_x64/vmexit/rdmsr.cpp#L107). ## Summary @@ -381,12 +391,13 @@ theoretical background, so the next builds shouldn't take as much time. Only `make` and a way of starting the application on the platform are really necessary unless something breaks along the way. -Next post will be about VMX exit reasons and their handlers. We will take a -look on some handlers that are implemented out-of-the-box, we will also modify -MSR bitmaps to show the problem described [earlier](#quirks-and-issues). +Next post will be about VMX exit reasons and their handlers. We will take a look +on some handlers that are implemented out-of-the-box, we will also modify MSR +bitmaps to show the problem described [earlier](#quirks-and-issues). If you think we can help in improving the security of your firmware or you are -looking for someone who can boot your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +looking for someone who can boot your product by leveraging advanced features of +used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2019-05-22-reproducible-builds.md b/blog/content/post/2019-05-22-reproducible-builds.md index c20180e3..15eda750 100644 --- a/blog/content/post/2019-05-22-reproducible-builds.md +++ b/blog/content/post/2019-05-22-reproducible-builds.md @@ -27,10 +27,10 @@ this should be important to firmware developers. A build process is reproducible if it produces exactly the same image every time it is built. This means that it **cannot**: -* include the time of compilation in resulting image or application -* use data obtained from build environment, like a host or user name -* use random input data -* point to any non-static points in a source tree (e.g. head of a branch) +- include the time of compilation in resulting image or application +- use data obtained from build environment, like a host or user name +- use random input data +- point to any non-static points in a source tree (e.g. head of a branch) ## Why? @@ -39,9 +39,9 @@ images, users would like to have a way of confirming whether those images are what they are expected to be. The easiest way is to build an image from the source and compare its hash with the hash of the pre-built binary. -Reproducibility is also important in most security features, where one stage -of a firmware calculates a checksum of the next one. The new stage starts only -if the checksum has a value known to the current stage. +Reproducibility is also important in most security features, where one stage of +a firmware calculates a checksum of the next one. The new stage starts only if +the checksum has a value known to the current stage. The image read from a platform can also be compared to known images. It makes it possible to check whether platform firmware was tampered with. @@ -60,7 +60,8 @@ reproducible. We discovered that it was not the only issue - images still had different checksums with every build. The next step was to find which part of CBFS -changes. It was iPXE, because of [this line](https://git.ipxe.org/ipxe.git/blob/fd6d1f4660a37d75acba1c64e2e5f137307bbc31:/src/Makefile.housekeeping#l1144). +changes. It was iPXE, because of +[this line](https://git.ipxe.org/ipxe.git/blob/fd6d1f4660a37d75acba1c64e2e5f137307bbc31:/src/Makefile.housekeeping#l1144). This variable can be overwritten when executing `make`. After that, all consecutive builds resulted in identical images, but these were @@ -68,18 +69,21 @@ not reproducible yet. Some payloads were still built from the `master` branch, so the image would be different as soon as new commits appear. The last change left to do was to use stable commits in all payloads used. -All mentioned changes can be found in pull requests: [241](https://github.com/pcengines/coreboot/pull/241), -[242](https://github.com/pcengines/coreboot/pull/242), [269](https://github.com/pcengines/coreboot/pull/269) -and [270](https://github.com/pcengines/coreboot/pull/270). +All mentioned changes can be found in pull requests: +[241](https://github.com/pcengines/coreboot/pull/241), +[242](https://github.com/pcengines/coreboot/pull/242), +[269](https://github.com/pcengines/coreboot/pull/269) and +[270](https://github.com/pcengines/coreboot/pull/270). ## Summary From now on, the coreboot images for PC Engines by 3mdeb will be built in a -reproducible manner. It means that a couple of years from now it should still -be possible to build the versions released recently. +reproducible manner. It means that a couple of years from now it should still be +possible to build the versions released recently. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2019-05-29-spectre-and-meltdown-on-apu2.md b/blog/content/post/2019-05-29-spectre-and-meltdown-on-apu2.md index 6ece9a71..d9016e8a 100644 --- a/blog/content/post/2019-05-29-spectre-and-meltdown-on-apu2.md +++ b/blog/content/post/2019-05-29-spectre-and-meltdown-on-apu2.md @@ -23,29 +23,31 @@ categories: --- -# Meltdown and Spectre +## Meltdown and Spectre -In the [previous post](https://blog.3mdeb.com/2019/2019-03-14-meltdown-and-spectre-vulnerabilities/) +In the +[previous post](https://blog.3mdeb.com/2019/2019-03-14-meltdown-and-spectre-vulnerabilities/) I have introduced the Meltdown and Spectre vulnerabilities of modern x86 -processors and what threat do they pose to security and safety of the data. As -a continuation of the last post, I will demonstrate the state of Meltdown and +processors and what threat do they pose to security and safety of the data. As a +continuation of the last post, I will demonstrate the state of Meltdown and Spectre vulnerabilities on PC Engines apu2 platforms. Some time ago we have added a microcode update feature to PC Engines firmware so I will show how microcode update improves mitigation and present results using public tools, proof of concepts known to exploit the vulnerability. -# State of Meltdown and Spectre on apu2 +## State of Meltdown and Spectre on apu2 -Let's take v4.9.0.1 firmware release as a reference for initial testing. In -this post I will use Debian stable release installed on mSATA SSD: +Let's take v4.9.0.1 firmware release as a reference for initial testing. In this +post I will use Debian stable release installed on mSATA SSD: -```shell +```bash uname -a Linux apu2 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux ``` Firstly let's check the state of the vulnerabilities on the system. I will use -the [spectre meltdown checker](https://github.com/speed47/spectre-meltdown-checker) +the +[spectre meltdown checker](https://github.com/speed47/spectre-meltdown-checker) and [Spectre PoC by Ryan Crosby](https://github.com/crozone/SpectrePoC) which was proven to work on AMD GX-412TC SoC (apu2 platforms processor). For details see [README Tweaking section.](https://github.com/crozone/SpectrePoC#tweaking) @@ -54,14 +56,14 @@ see [README Tweaking section.](https://github.com/crozone/SpectrePoC#tweaking) Let's start with spectre meltdown checker: -```shell +```bash git clone https://github.com/speed47/spectre-meltdown-checker.git cd spectre-meltdown-checker ``` Or: -```shell +```bash wget https://meltdown.ovh -O spectre-meltdown-checker.sh ``` @@ -70,7 +72,7 @@ wget https://meltdown.ovh -O spectre-meltdown-checker.sh Now load `msr` module, give execution permission to the script and run it: -```shell +```bash chmod +x spectre-meltdown-checker.sh sudo modprobe msr sudo ./spectre-meltdown-checker.sh @@ -79,17 +81,15 @@ sudo ./spectre-meltdown-checker.sh The result is as follows 1. Hardware support for mitigation techniques: + ![Hardware support (CPU microcode) for mitigation techniques](/img/spectre_hw.png) -![Hardware support (CPU microcode) for mitigation techniques](/img/spectre_hw.png) +1. Spectre variants mitigation checks: + ![Spectre variants mitigation checks](/img/spectre_variants.png) -2. Spectre variants mitigation checks: +What is worth noticing here is that script reports that system is not vulnerable +due to mitigation presence, however: -![Spectre variants mitigation checks](/img/spectre_variants.png) - -What is worth noticing here is that script reports that system is not -vulnerable due to mitigation presence, however: - -``` +```bash * CPU microcode is the latest known available version: NO (latest version is 0x7030106 dated 2018/02/09 according to builtin MCExtractor DB v84 - 2018/09/27) ... @@ -111,16 +111,16 @@ One can see that mitigation can still be improved by microcode updates. > One can check current microcode patch level in dmesg: > -> ``` +> ```bash > microcode: CPU0: patch_level=0x07030105 > microcode: CPU1: patch_level=0x07030105 > microcode: CPU2: patch_level=0x07030105 > microcode: CPU3: patch_level=0x07030105 -> ``` +> ```bash > > Be sure to use recent kernels with implemented mitigation (dmesg output): > -> ``` +> ```bash > Spectre V2 : Mitigation: Full AMD retpoline > Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context > switch @@ -133,7 +133,7 @@ One can see that mitigation can still be improved by microcode updates. In order to prove that the script wrongly reports that the platform is not vulnerable, we will perform proof of concept with the usage of Spectre PoC: -```shell +```bash git clone https://github.com/crozone/SpectrePoC.git cd SpectrePoC make @@ -141,7 +141,7 @@ make I have run the executable with two different parameters. -``` +```bash ./spectre.out 20 Version: commit 856f80f2937f2bb812cab68d45c149272a1783d5 Using a cache hit threshold of 20. @@ -163,7 +163,7 @@ Reading at malicious_x = 0xffffffffffdfeedf... Success: 0xFF=’?’ score=0 > One can see that the secret string was not disclosed (0xFF=? everywhere). > Let's increase the cache hit threshold. -``` +```bash ./spectre.out 70 Version: commit 856f80f2937f2bb812cab68d45c149272a1783d5 Using a cache hit threshold of 70. @@ -187,8 +187,9 @@ Reading at malicious_x = 0xffffffffffdfeedf... Success: 0xFF=’?’ score=0 ``` One can see that positive results are obtained with a larger value of cache hit -threshold (with 70 some characters have not been obtained - score 0, 100 is sufficient -to get whole string - score 2 everywhere). It is related to CPU performance. +threshold (with 70 some characters have not been obtained - score 0, 100 is +sufficient to get whole string - score 2 everywhere). It is related to CPU +performance. > For those more interested in details of the attack, please refer to > [Spectre Attacks](https://spectreattack.com/spectre.pdf) or to my @@ -197,42 +198,44 @@ to get whole string - score 2 everywhere). It is related to CPU performance. Let's also check out the kernel mitigation. Rebuild the PoC with: -```shell +```bash make clean CFLAGS=-DLINUX_KERNEL_MITIGATION make ``` -After trying to run the PoC with 20/70/100 the string is not disclosed. But -what if the kernel we use does not have the mitigation? The answer is firmware -and microcode for full hardware mitigation. +After trying to run the PoC with 20/70/100 the string is not disclosed. But what +if the kernel we use does not have the mitigation? The answer is firmware and +microcode for full hardware mitigation. -# Microcode update and spectre +## Microcode update and spectre To present results of Spectre vulnerability without kernel mitigation, we will need the microcode update. For details how to build PC Engines apu2 coreboot -firmware with microcode update, please refer to this [guide](https://github.com/pcengines/apu2-documentation/blob/master/docs/microcode_patching.md) +firmware with microcode update, please refer to this +[guide](https://github.com/pcengines/apu2-documentation/blob/master/docs/microcode_patching.md) Building the firmware is pretty easy and the guide shows step by step solution to obtain binary. You may also watch how to build coreboot with microcode update for apu2: - +[![asciicast](https://asciinema.org/a/222252.svg)](https://asciinema.org/a/222252?speed=10) Flashing coreboot is possible with flashrom: -```shell +```bash flashrom -p internal -w apu2_v4.9.0.1_microcode.rom ``` > Watch out! Flashing the SPI ROM carelessly may lead to hardware damage. Also -> be sure You have a recovery method available, for example [SPI1a](https://www.pcengines.ch/spi1a.htm) -> Be sure to do a full power cycle (with power supply detaching) after firmware -> update, simple reboot is not advised. +> be sure You have a recovery method available, for example +> [SPI1a](https://www.pcengines.ch/spi1a.htm) Be sure to do a full power cycle +> (with power supply detaching) after firmware update, simple reboot is not +> advised. `dmesg` should now report new patch level: -``` +```bash microcode: CPU0: patch_level=0x07030106 microcode: CPU1: patch_level=0x07030106 microcode: CPU2: patch_level=0x07030106 @@ -248,7 +251,7 @@ without microcode: Before microcode patching: -``` +```bash * PRED_CMD MSR is available: NO * CPU indicates IBPB capability: NO ... @@ -257,7 +260,7 @@ Before microcode patching: After microcode patching: -``` +```bash * PRED_CMD MSR is available: YES * CPU indicates IBPB capability: YES (IBPB_SUPPORT feature bit) ... @@ -275,7 +278,7 @@ update: > Try various cache hit thresholds like before 20/70/100 and even more. > Unfortunately, the secret is still revealed without kernel mitigation. -``` +```bash ./spectre.out 100 Version: commit 856f80f2937f2bb812cab68d45c149272a1783d5 Using a cache hit threshold of 100. @@ -296,9 +299,9 @@ Reading at malicious_x = 0xffffffffffdfeedf... Success: 0x2E=’.’ score=2 ``` But let's check another[tool](https://github.com/opsxcq/exploit-cve-2017-5715) -aimed to exploit `CVE-2017-5715`. Following the REAMDE: +aimed to exploit `CVE-2017-5715`. Following the README: -```shell +```bash git clone https://github.com/opsxcq/exploit-cve-2017-5715 cd exploit-cve-2017-5715 taskset -c 1 ./exploit @@ -309,7 +312,7 @@ taskset -c 1 ./exploit Result without microcode update: -``` +```bash [+] Testing for Spectre [+] Dumping memory from 0xffffffffffdfeea8 to 0xffffffffffdfeec2 [+] Dumped bytes match the expected value @@ -318,7 +321,7 @@ Result without microcode update: Result with updated microcode: -``` +```bash [+] Testing for Spectre [+] Dumping memory from 0xffffffffffdfeea8 to 0xffffffffffdfeec2 [+] Dumped bytes match the expected value @@ -328,7 +331,7 @@ Result with updated microcode: The `exploit-cve-2017-5715` does not seem to use the kernel mitigation thus we obtain the same result as with Spectre PoC without compiled mitigation. -# Summary +## Summary In the light of my experiments, it looks like microcode does not fully mitigate the Meltdown and Spectre vulnerabilities. It seems to enable @@ -339,14 +342,16 @@ Most of the protection is achieved by using the kernel with proper mitigation. Although some of the mitigation look to be inactive due to lack of hardware support (`Indirect Branch Restricted Speculation`). -Used scripts and tools give only overall insight into the status of the -Meltdown and Spectre. They are not official tools proving system vulnerability, -they were designed to give information on present mitigation (spectre meltdown -checker) or to try exploiting the vulnerabilities based on an [article](https://spectreattack.com/spectre.pdf). +Used scripts and tools give only overall insight into the status of the Meltdown +and Spectre. They are not official tools proving system vulnerability, they were +designed to give information on present mitigation (spectre meltdown checker) or +to try exploiting the vulnerabilities based on an +[article](https://spectreattack.com/spectre.pdf). It has to be noted that AMD and Intel processors are affected differently. AMD processors are "marked" to not be vulnerable for some variants. AMD has even -released a [statement regarding the speculative execution.](https://developer.amd.com/wp-content/resources/Managing-Speculation-on-AMD-Processors.pdf) +released a +[statement regarding the speculative execution.](https://developer.amd.com/wp-content/resources/Managing-Speculation-on-AMD-Processors.pdf) During experiments, different results have been obtained. It proves that only combined mitigation in firmware/microcode and kernel give the best protection. @@ -357,7 +362,8 @@ I hope this post was useful for you. Please feel free to share your opinion and if you think there is value, then share with friends. If you think we can help in improving the security of your firmware or you -looking for someone who can boot your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in -similar content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +looking for someone who can boot your product by leveraging advanced features of +used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2019-06-07-muxpi-validation-kit.md b/blog/content/post/2019-06-07-muxpi-validation-kit.md index 8c30c160..beb0de4b 100644 --- a/blog/content/post/2019-06-07-muxpi-validation-kit.md +++ b/blog/content/post/2019-06-07-muxpi-validation-kit.md @@ -19,12 +19,11 @@ categories: - Manufacturing --- - ## What is MuxPi? -[MuxPi][muxpi] is a next open hardware device, after [RTE][rte] shield, that -serves for developers and testers with the need of automating everyday tasks. It -comes with help providing ease of use, distribution and connectivity. +[MuxPi] is a next open hardware device, after [RTE] shield, that serves for +developers and testers with the need of automating everyday tasks. It comes with +help providing ease of use, distribution and connectivity. The name `MuxPi` comes from the connection of "SD-mux", which is the previous version of this project indicating one of the main features of the board and the @@ -32,11 +31,11 @@ very popular SBC computers with the "Pi" suffix. MuxPi consists of two main parts: -* Mainboard -* NanoPi NEO +- Mainboard +- NanoPi NEO -It might be considered as some kind of mainboard for NanoPi NEO SBC but it -can operate without NanoPi NEO. However, in such a scenario its functionality is +It might be considered as some kind of mainboard for NanoPi NEO SBC but it can +operate without NanoPi NEO. However, in such a scenario its functionality is heavily reduced. ![muxPi board](/covers/muxpi.jpg) @@ -48,7 +47,7 @@ muxPi very versatile testing board. ## Key features -#### Compatibility with NanoPi NEO +### Compatibility with NanoPi NEO MuxPi is fully compatible with the budget (~13$) Single Board Computer platform called [NanoPi NEO][nanopi]. It connects through three NanoPi headers, fully @@ -56,23 +55,23 @@ inheriting the capabilities of the little platform. From the moment of putting together the two elements, NanoPi becomes the "heart" of the muxPi validation kit. -#### Providing a DUT connection to a remote location over Ethernet +### Providing a DUT connection to a remote location over Ethernet Connectivity with the MuxPi can be achieved through: -* serial connection debug UART0 (addon header) -* serial connection debug UART0 (micro USB connector) -* network connection (Ethernet port from NanoPi NEO board) +- serial connection debug UART0 (addon header) +- serial connection debug UART0 (micro USB connector) +- network connection (Ethernet port from NanoPi NEO board) From the moment of a successful connection with NanoPi, opens up multiple options for setting communication between muxPi and Device Under Test: -* Ethernet (onboard USB-ETH converter) -* USB OTG (NanoPi built-in port) -* USB Host (up to 3 onboard USB host connectors) -* Serial interface (UART header with an adjustable voltage level) +- Ethernet (onboard USB-ETH converter) +- USB OTG (NanoPi built-in port) +- USB Host (up to 3 onboard USB host connectors) +- Serial interface (UART header with an adjustable voltage level) -#### Remote control over power supply for a DUT +### Remote control over power supply for a DUT Similar to RTE, muxPi controls the power of a DUT using an electromagnetic relay, with the difference of managing the state of the relay - MuxPi sets the @@ -86,11 +85,11 @@ the current consumption of a Device Under Test. It evaluates the current draw using HAL effect current sensor which gives galvanic isolation from the control logic elements. -#### SD card multiplexing +### SD card multiplexing One of the most anticipated muxPi's feature is switching or flashing a microSD card without the need of ejecting the card itself. For this purpose, it is -required to use special IDC <-> microSD adapter cable that is available in our +required to use special IDC \<-> microSD adapter cable that is available in our [shop][sd-adapter]. ![muxpi-sd-adapter](/img/muxpi-sd-adapter.jpg) @@ -101,20 +100,20 @@ connect the card either to SD-READER or a Device Under Test. Controlling system data of DUT or directly flashing the SD card never been easier - there is no need for manually ejecting and inserting the card back to the device anymore. -#### Flashing and controlling Samsung mobile devices +### Flashing and controlling Samsung mobile devices Thanks to derived USB-M header that has controllable by MuxPi `Vbus` and `ID` pins, it is possible to handle connected mobile devices. This connector is an endpoint of a larger entity which enables: -* ID switching (ID can be connected to ground through a potentiometer or left +- ID switching (ID can be connected to ground through a potentiometer or left open), -* power switching on and off with `Vbus` line (it is mandatory for entering e.g. +- power switching on and off with `Vbus` line (it is mandatory for entering e.g. "download mode"), -* redirecting mobile’s USB data lines either to NanoPi’s USB or to MuxPi’s DUT +- redirecting mobile’s USB data lines either to NanoPi’s USB or to MuxPi’s DUT UART. -#### Writing EDID to a DUT over HDMI connection +### Writing EDID to a DUT over HDMI connection **E**xtended **D**isplay **I**dentification **D**ata is a metadata format for display devices and in simple words, it describes the monitor's capabilities @@ -124,7 +123,7 @@ MuxPi is capable of injecting full EDID descriptor into DUT HDMI output through full sized HDMI connector with connected only DDC channel wires, hot plugpin, `VCC` and `GND` pins, all controllable by STM32 Cortex-M0 microcontroller. -#### DyPers +### DyPers DyPer is an abbreviation for "Dynamic jumPer" and is a small, electromagnetic relay which is controllable by software. The muxPi board consists of 2 DyPers @@ -142,10 +141,10 @@ stable work without any unwanted environmental influences. MuxPi has many built-in, interactive user interface elements such as: -* monochrome LEDs indicating power presence, serial/network/SD card reader +- monochrome LEDs indicating power presence, serial/network/SD card reader activity and two general purpose LEDs connected directly to NanoPi, -* two general purpose RGB LEDs, -* 128x32 yellow OLED display fully controllable via STM32 Cortex-M0. +- two general purpose RGB LEDs, +- 128x32 yellow OLED display fully controllable via STM32 Cortex-M0. The general purpose elements can be used in countless solutions. In **3mdeb's lab**, where we have board farm consists of many testing devices, the use-case @@ -170,28 +169,29 @@ capabilities. The short explanation of commands shown in the recording: -* `gpio mode 3 out` - sets NanoPi gpio responsible for powering up Cortex-M0 to +- `gpio mode 3 out` - sets NanoPi gpio responsible for powering up Cortex-M0 to output mode, -* `gpio write 3 1` - powers up the microcontroller, -* `screen /dev/ttyS2 115200,cs8,ixon,ixoff` - opens serial connection with UART2, - which is a channel for communication between NanoPi and the STM32 unit. +- `gpio write 3 1` - powers up the microcontroller, +- `screen /dev/ttyS2 115200,cs8,ixon,ixoff` - opens serial connection with + UART2, which is a channel for communication between NanoPi and the STM32 unit. ## Summary Are you trying to flash your mobile phone or test DUT's video with various graphics settings? Or maybe you are a firmware/software developer with the desire to work remotely on various platforms? MuxPi validation board ensures -that all the above problems are no longer scary - simply check our [product -site][muxpi] or order the board now at [shop.3mdeb.com][shop-muxpi]! +that all the above problems are no longer scary - simply check our +[product site][muxpi] or order the board now at [shop.3mdeb.com][shop-muxpi]! If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX). +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). -[rte]: https://3mdeb.com/products/open-source-hardware/rte/ [muxpi]: https://3mdeb.com/products/open-source-hardware/muxpi/ [nanopi]: https://www.friendlyelec.com/index.php?route=product/product&product_id=132 +[rte]: https://3mdeb.com/products/open-source-hardware/rte/ [sd-adapter]: https://shop.3mdeb.com/product/muxsd-adapter/ [shop-muxpi]: https://shop.3mdeb.com/product/muxpi/ diff --git a/blog/content/post/2019-06-12-Hummingboard-Pulse-first-impression.md b/blog/content/post/2019-06-12-Hummingboard-Pulse-first-impression.md index eb472d79..9c4afa01 100644 --- a/blog/content/post/2019-06-12-Hummingboard-Pulse-first-impression.md +++ b/blog/content/post/2019-06-12-Hummingboard-Pulse-first-impression.md @@ -22,9 +22,9 @@ categories: ### Introduction -SolidRun is a global leading developer of embedded systems and provides -a lot of powerful products. One of them I want to describe in this post -is the HummingBoard Pulse. You can see it in the picture below. +SolidRun is a global leading developer of embedded systems and provides a lot of +powerful products. One of them I want to describe in this post is the +HummingBoard Pulse. You can see it in the picture below. ![HummingBoardPulse picture](/img/hummboard.jpg) @@ -33,35 +33,36 @@ processor (up to 1.5 GHz) with ARM M4. The i.MX8M family of processors provides industry-leading audio, voice and video processing for applications that scale from consumer home audio to industrial building automation and mobile computers. More information can be found at the official website of the producer of these -processors [there](https://www.nxp.com/products/processors-and-microcontrollers/arm-based-processors-and-mcus/i.mx-applications-processors/i.mx-8-processors/i.mx-8m-family-armcortex-a53-cortex-m4-audio-voice-video:i.MX8M). +processors +[there](https://www.nxp.com/products/processors-and-microcontrollers/arm-based-processors-and-mcus/i.mx-applications-processors/i.mx-8-processors/i.mx-8m-family-armcortex-a53-cortex-m4-audio-voice-video:i.MX8M). The HummingBoard Pulse provides a lot of hardware interfaces from which I can mention: -* USB type C -* Micro USB -* RJ45 Ethernet -* 2x USB 3.0 -* HDMI 2.0 -* Audio Headset -* MicroSD +- USB type C +- Micro USB +- RJ45 Ethernet +- 2x USB 3.0 +- HDMI 2.0 +- Audio Headset +- MicroSD -All of them are nicely shown on the pictures which can be found -on [this](https://developer.solid-run.com/knowledge-base/hummingboard-pulse-getting-started/) +All of them are nicely shown on the pictures which can be found on +[this](https://developer.solid-run.com/knowledge-base/hummingboard-pulse-getting-started/) website. -### Getting started with the board. +### Getting started with the board To start using the HummingBoard Pulse you will need a couple of things: -* Linux or Windows PC (it will be easier if you'll have Linux PC), -* 16GB Micro SD card, -* 12V Power adapter (the board has wide range input of 7V-36V but 12V is +- Linux or Windows PC (it will be easier if you'll have Linux PC), +- 16GB Micro SD card, +- 12V Power adapter (the board has wide range input of 7V-36V but 12V is recommended), -* MicroUSB to USB for the console because the HummingBoard Pulse has an onboard +- MicroUSB to USB for the console because the HummingBoard Pulse has an onboard FTDI chip, which means that there is no need to use external UART/USB converter, -* and of course the HummingBoard Pulse with SOM. +- and of course the HummingBoard Pulse with SOM. OK, assuming you have everything that's needed, now it's time to flash our SD card with U-Boot and Debian. Let me help you with that. As I mentioned earlier, @@ -71,12 +72,13 @@ given for users of Linux. #### Building ARM Trusted Firmware and U-Boot Let's start with a toolchain. You can download a ready-to-use-toolchain. When -writing this post following toolchain was used: http://releases.linaro.org/components/toolchain/binaries/7.4-2019.02/aarch64-linux-gnu/gcc-linaro-7.4.1-2019.02-x86_64_aarch64-linux-gnu.tar.xz. +writing this post following toolchain was used: +. After you download and extract your, just type commands which are shown below in the terminal. Just remember that CROSS_COMPILE environment variables need to be set to the path of the toolchain prefix. -```shell +```bash export ARCH=arm64 export CROSS_COMPILE=$PWD/toolchain/gcc-linaro-7.4.1-2019.02-x86_64_aarch64-linux-gnu.tar.xz/bin/aarch64-linux-gnu ``` @@ -84,7 +86,7 @@ export CROSS_COMPILE=$PWD/toolchain/gcc-linaro-7.4.1-2019.02-x86_64_aarch64-linu Source and firmware can be downloaded from the GitHub repos and sites listed below. You can copy and execute those commands in your terminal. -```shell +```bash git clone https://github.com/SolidRun/arm-trusted-firmware.git -b imx-atf-v1.6 git clone https://github.com/SolidRun/u-boot.git -b v2018.11-solidrun wget https://www.nxp.com/lgfiles/NMG/MAD/YOCTO/firmware-imx-7.9.bin @@ -92,7 +94,7 @@ wget https://www.nxp.com/lgfiles/NMG/MAD/YOCTO/firmware-imx-7.9.bin Building ATF is as follows. -```shell +```bash cd arm-trusted-firmware make PLAT=imx8mq bl31 cp build/imx8mq/release/bl31.bin ../u-boot/ @@ -100,7 +102,7 @@ cp build/imx8mq/release/bl31.bin ../u-boot/ After you extract NXP firmware you will need to accept the end user agreement. -```shell +```bash chmod +x firmware-imx-7.9.bin ./firmware-imx-7.9.bin cp firmware-imx-7.9/firmware/hdmi/cadence/signed_hdmi_imx8m.bin u-boot/ @@ -110,7 +112,7 @@ cp firmware-imx-7.9/firmware-imx-7.9/firmware/ddr/synopsys/lpddr4*.bin u-boot/ OK, so now you can change directory to the U-Boot directory, then build U-Boot and generate the image. -```shell +```bash make imx8mq_hb_defconfig make flash.bin ``` @@ -118,7 +120,7 @@ make flash.bin Doing that you may need to install two programs named bison and flex. In this case, you just need to type those commands in your terminal. -```shell +```bash sudo apt-get install bison sudo apt-get install flex ``` @@ -127,36 +129,37 @@ After all of that, you can flash U-Boot on to your SD card. Firstly, after you plug-in your sd card to PC, you need to unmount it using: -```shell +```bash umount /dev/sd[x] ``` Then you can easily flash your SD card with u-boot simply typing: -```shell +```bash sudo dd if=flash.bin of=/dev/sd[x] bs=1024 seek=33 ``` -Where [x] stands for your SD card attached to PC. For me it was sdb. +Where \[x\] stands for your SD card attached to PC. For me it was sdb. From now you will have working U-Boot on your SD card. If you want to check how it looks on HummingBoard Pulse you need to connect your PC with the board using MicroUSB to USB cable and minicom on the terminal. Just type: -```shell +```bash sudo minicom -b 115200 -D /dev/ttyUSB[x] ``` -This time [x] stands for the USB port you use to communicate. For me, it was 0. +This time \[x\] stands for the USB port you use to communicate. For me, it was +0\. You should receive something like this: -```shell +```bash -Boot SPL 2018.11-00078-g0dd51748c2a (Dec 16 2018 - 18:35:18 +0100) PMIC: PFUZE100 ID=0x10 Normal Boot Trying to boot from MMC2 -NOTICE: Configureing TZASC380 +NOTICE: Configuring TZASC380 NOTICE: BL31: v1.6(release):v1.6-110-g0eb2df45 NOTICE: BL31: Built : 13:56:07, Nov 29 2018 NOTICE: sip svc init @@ -190,15 +193,15 @@ there is another way to run Linux on the HummingBoard Pulse. SolidRun gives instructions on how to install Debian on HummingBoard Pulse. Debian is well-documented GNU/Linux distribution and images of it are easily -available at https://images.solid-build.xyz/IMX8/Debian/. When you will be -choosing one for you please check the log of changes at the bottom. You will -read there that only versions released after 07.12.2018 supports booting from SD -card. +available at . +When you will be choosing one for you please check the log of changes at the +bottom. You will read there that only versions released after 07.12.2018 +supports booting from SD card. After you download and extract an image of Debian you need to flash it on SD card. -```Shell +```bash dd bs=4k conv=fsync if=.img of=/dev/sdb ``` @@ -209,15 +212,18 @@ it using asciinema. ## Summary -This post describes the HummingBoard Pulse and attempts of booting a Linux on it. -If you are looking for more detailed information about the board you are welcome -to check [this](https://developer.solid-run.com/products/hummingboard-pulse/) or -[that](https://www.nxp.com/products/processors-and-microcontrollers/arm-based-processors-and-mcus/i.mx-applications-processors/i.mx-8-processors/i.mx-8m-family-armcortex-a53-cortex-m4-audio-voice-video:i.MX8M). We hope to work with this platform much more and write many more -posts about i.MX8 series. Please let us know which i.MX8 features you like the -most and what kind of content would you expect in the next posts. +This post describes the HummingBoard Pulse and attempts of booting a Linux on +it. If you are looking for more detailed information about the board you are +welcome to check +[this](https://developer.solid-run.com/products/hummingboard-pulse/) or +[that](https://www.nxp.com/products/processors-and-microcontrollers/arm-based-processors-and-mcus/i.mx-applications-processors/i.mx-8-processors/i.mx-8m-family-armcortex-a53-cortex-m4-audio-voice-video:i.MX8M). +We hope to work with this platform much more and write many more posts about +i.MX8 series. Please let us know which i.MX8 features you like the most and what +kind of content would you expect in the next posts. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2019-06-21-rte-new-version-and-kit.md b/blog/content/post/2019-06-21-rte-new-version-and-kit.md index df2cce9b..9f91145b 100644 --- a/blog/content/post/2019-06-21-rte-new-version-and-kit.md +++ b/blog/content/post/2019-06-21-rte-new-version-and-kit.md @@ -38,24 +38,24 @@ platforms. Brand new RTE (previously `v1.0.0`) has been improved mostly from the hardware perspective: -* SPI `Vcc` pin has been populated - power is now supplied to the SPI `Vcc` +- SPI `Vcc` pin has been populated - power is now supplied to the SPI `Vcc` connector -* RTE is now compatible with 1.8V logic levels -* user can enable/disable SPI `Vcc` on demand: +- RTE is now compatible with 1.8V logic levels +- user can enable/disable SPI `Vcc` on demand: | GPIO406 (OC_OUT1) state | SPI Vcc | |:-----------------------:|:---------------------:| | 0 - low | disabled (by default) | | 1 - high | enabled | -* user can choose the voltage level for `Vcc` SPI - either 1.8 or 3.3 V: +- user can choose the voltage level for `Vcc` SPI - either 1.8 or 3.3 V: | GPIO405 (OC_OUT2) state | SPI Vcc voltage level | |:-----------------------:|:---------------------:| | 0 - low | 1.8 V (by default) | | 1 - high | 3.3 V | -* user can enable/disable SPI lines (some platforms have problems when booting +- user can enable/disable SPI lines (some platforms have problems when booting with SPI wires connected): | GPIO404 (OC_OUT3) state | SPI lines (MOSI/MISO/CS/SCLK) | @@ -63,11 +63,11 @@ perspective: | 0 - low | disabled (by default) | | 1 - high | enabled | -* OC buffers GPIO header (J11) is reduced from 12 to 9 pin. accordingly to the +- OC buffers GPIO header (J11) is reduced from 12 to 9 pin. accordingly to the `GPIO404-406` new control feature, -* new UART header (J18) has been added - USB/UART external converters are not +- new UART header (J18) has been added - USB/UART external converters are not required anymore! -* user can choose whether RS232 DB9 port (J14) or UART header (J18) is enabled +- user can choose whether RS232 DB9 port (J14) or UART header (J18) is enabled for serial communication by setting jumpers on `UART OUTPUT SELECT` header (J16): @@ -78,14 +78,14 @@ perspective: ![uart-header](/img/rte-uart-header.jpg) -* eliminated issue with J6 USB port (unreliable detection of USB devices) -* smaller capacitors were applied near MAX3232 SOIC -* added LED indicator (D5) for relay state information -* added easy accessible reset button (SW1) for resetting the RTE board +- eliminated issue with J6 USB port (unreliable detection of USB devices) +- smaller capacitors were applied near MAX3232 SOIC +- added LED indicator (D5) for relay state information +- added easy accessible reset button (SW1) for resetting the RTE board ![reset-button](/img/rte-reset-btn.jpg) -* added `Open hardware` icon on PCB board +- added `Open hardware` icon on PCB board ![open-hardware-pcb](/covers/rte-new-revision.jpg) @@ -116,14 +116,15 @@ To sum up, full kit costs now 93€ and includes: ## Summary -Don't hesitate and check out our **RTE** product on the [3mdeb-shop](https://shop.3mdeb.com/product/rte/) -where you can find more information about Orange Pi Zero shield or read about -products related to platform security such as **Trusted Platform** modules. +Don't hesitate and check out our **RTE** product on the +[3mdeb-shop](https://shop.3mdeb.com/product/rte/) where you can find more +information about Orange Pi Zero shield or read about products related to +platform security such as **Trusted Platform** modules. If you think that RTE is the product that You are looking for, but missing something crucial for your project or that we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features of used hardware platform, feel free to -[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX). +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2019-06-26-smallest-embedded-system-yocto-vs-buildroot.md b/blog/content/post/2019-06-26-smallest-embedded-system-yocto-vs-buildroot.md index 5a5f4959..b1301265 100644 --- a/blog/content/post/2019-06-26-smallest-embedded-system-yocto-vs-buildroot.md +++ b/blog/content/post/2019-06-26-smallest-embedded-system-yocto-vs-buildroot.md @@ -24,20 +24,21 @@ categories: Recently we had the need to build a really little system image (kernel + rootfs) for x86 architecture, which will be able to **boot from RAM memory**. We decided that it would be a good idea to build it with -[**Yocto**](https://www.yoctoproject.org/) and [**Buildroot**](https://buildroot.org/) +[**Yocto**](https://www.yoctoproject.org/) and +[**Buildroot**](https://web.archive.org/web/20230726112200/https://buildroot.org/) and compare the results. ![yocto-vs-buildroot](/covers/yocto-vs-buildroot.png) -In order for the results to be as reliable as possible, -the presented information refer to the **minimal images** build with -**default configurations** without any additional packages and changes in the -system. In both cases, the image was built for **QEMU x86**. +In order for the results to be as reliable as possible, the presented +information refer to the **minimal images** build with **default +configurations** without any additional packages and changes in the system. In +both cases, the image was built for **QEMU x86**. ## Minimal image with Yocto -To build the image we have used the latest stable version of -**Yocto - 2.7 (Warrior)**. +To build the image we have used the latest stable version of **Yocto - 2.7 +(Warrior)**. ![yocto-logo](/img/YoctoProject_Logo_RGB.jpg) @@ -47,27 +48,27 @@ the initramfs. Secondly, the size of rootfs and kernel significantly exceeded the acceptable value. The next most reasonable step was to try the build of core-image-minimal with **Poky-Tiny**. The results were very satisfying: -``` -2,8M bzImage.bin -864K rootfs.cpio.gz -3,6M total +```bash +2,8M bzImage.bin +864K rootfs.cpio.gz +3,6M total ``` **The most important information about the built system (default settings):** -* **C standard library** is the musl libc, -* **Linux** version is 5.0.7, -* **BusyBox** version is 1.30.1. +- **C standard library** is the musl libc, +- **Linux** version is 5.0.7, +- **BusyBox** version is 1.30.1. The **elements of the rootfs that use the most of the space** are shown below (size of files / directories after decompression): -``` -904K /usr/lib/opkg/alternatives -704K /bin/busybox.nosuid -660K /usr/lib/libc.so -168K /etc -56K /bin/busybox.suid +```bash +904K /usr/lib/opkg/alternatives +704K /bin/busybox.nosuid +660K /usr/lib/libc.so +168K /etc +56K /bin/busybox.suid ``` As expected, a very large part of the file system is **BusyBox** and **LibC**, @@ -84,15 +85,15 @@ To build the image we have used the latest long term support version of ![buildroot-logo](/img/buildroot_logo.jpg) As a base we used the **qemu_x86_defconfig** and added only the necessary -changes. Firstly, we enabled the build of **cpio root filesystem** and -**gzip compression** of output file (as a default ext2 rootfs is built). -Secondly, we set properly TTY port for getty. In this case, the results also met -our expectations: - -``` -720K rootfs.cpio.gz -4,1M bzImage -4,8M total +changes. Firstly, we enabled the build of **cpio root filesystem** and **gzip +compression** of output file (as a default ext2 rootfs is built). Secondly, we +set properly TTY port for getty. In this case, the results also met our +expectations: + +```bash +720K rootfs.cpio.gz +4,1M bzImage +4,8M total ``` The total size of **Linux + initramfs** is a bit bigger than in case of Yocto, @@ -104,18 +105,18 @@ with Yocto and it worked without a problem. **The most important information about the built system (default settings):** -* **C standard library** is the uClibc-ng, -* **Linux** version is 4.19.16, -* **BusyBox** version is 1.29.3. +- **C standard library** is the uClibc-ng, +- **Linux** version is 4.19.16, +- **BusyBox** version is 1.29.3. -The **elements of the rootfs that use the most of the space** are shown below (size -of files / directories after decompression): +The **elements of the rootfs that use the most of the space** are shown below +(size of files / directories after decompression): -``` -592K ./bin/busybox -488K ./lib/libuClibc-1.0.31.so -240K ./lib/modules/4.19.16 -128K ./etc +```bash +592K ./bin/busybox +488K ./lib/libuClibc-1.0.31.so +240K ./lib/modules/4.19.16 +128K ./etc ``` In this case, the **BusyBox** and **LibC** are **smaller**. A lot of space is @@ -128,10 +129,10 @@ Out of curiosity, we decided to change the C standard library to musl libc. ## Results submit We'll need to add several packages to our target image and possibly in that form -it will exceed the acceptable size value, but as we described -**there are a few things which can be removed**. If that will not be enough, -**we can minimize the busybox utilities** or try to **match the compiler flags** -in order to reduce the size. +it will exceed the acceptable size value, but as we described **there are a few +things which can be removed**. If that will not be enough, **we can minimize the +busybox utilities** or try to **match the compiler flags** in order to reduce +the size. ## Yocto or Buildroot - which one to choose? @@ -142,8 +143,8 @@ needs more time to build the image, requires more disk space (in this case about system, which gives more possibilities and Yocto Layers are definitely better to maintain. Depending on the specific needs, a specific tool should be chosen. **The most important** information from our experiment is that in this case, the -resulting system from **Yocto and Buildroot meet the set requirements** and -**we are able to achieve the intended effect with both of them**. +resulting system from **Yocto and Buildroot meet the set requirements** and **we +are able to achieve the intended effect with both of them**. ## Summary @@ -151,4 +152,4 @@ If you need a support in **Yocto/Buildroot** or looking for someone who can boost your product by leveraging advanced features feel free to [**book a call with us**](https://calendly.com/3mdeb/consulting-remote-meeting) or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [**sign up to our newsletter**](http://eepurl.com/doF8GX). +content feel free to [**sign up to our newsletter**](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2019-07-11-how-to-safely-and-easily-update-your-firmware.md b/blog/content/post/2019-07-11-how-to-safely-and-easily-update-your-firmware.md index 2f81a491..84294e0f 100644 --- a/blog/content/post/2019-07-11-how-to-safely-and-easily-update-your-firmware.md +++ b/blog/content/post/2019-07-11-how-to-safely-and-easily-update-your-firmware.md @@ -52,11 +52,12 @@ which is consistent with the [Microsoft Update][req] requirements. Archives specially prepared by authorized vendors are the key to the whole update process. Metadata from the LVFS brings the details about available updates to the user together with patch notes description. The XML file needs to -meet the structure and content standards which can be found in the LVFS examples. +meet the structure and content standards which can be found in the LVFS +examples. Example of v4.9.0.1 coreboot release for Libretrend LT1000: -```xml +```bashxml @@ -137,8 +138,8 @@ binaries with release notes of each [fixes and changes][release-notes]. ![release-notes-example](/img/lvfs-release-notes-v4.9.0.1.png) After making sure that platform is supported by fwupd/LVFS, users have a wide -choice of `fwupdmgr` options to run - all of them are listed with `fwupdmgr ---help`: +choice of `fwupdmgr` options to run - all of them are listed with +`fwupdmgr --help`: ```bash fwupdmgr [OPTION?] @@ -216,10 +217,10 @@ Update the stored metadata with current ROM contents Typical firmware updating process using Linux terminal looks like this: 1. Login to your system. -2. Refresh LVFS metadata from the remote server: `fwupdmgr refresh` -3. Check available updates: `fwupdmgr get-updates` -4. Update firmware to the newest version: `fwupdmgr update` -5. Reboot your system and check installation result: `fwupdmgr get-results` +1. Refresh LVFS metadata from the remote server: `fwupdmgr refresh` +1. Check available updates: `fwupdmgr get-updates` +1. Update firmware to the newest version: `fwupdmgr update` +1. Reboot your system and check installation result: `fwupdmgr get-results` See for Yourself the fwupd capabilities in the quick asciinema demo: @@ -250,7 +251,7 @@ In the help from fwupd developers, we (3mdeb) have integrated libflashrom API creating a new way of running `flashrom` plugin relaying on always up-to-date flashrom library, rather than simply calling subprocess with hardcoded full command. More information about flashrom plugin capabilities and upstreaming -process can be tracked in this [PR][pr]. +process can be tracked in this [PR]. ## The conclusion @@ -266,13 +267,14 @@ contribute your priceless code which enables new, needful plugins? Check the If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) +[dl]: https://fwupd.org/lvfs/devicelist [lvfs]: https://fwupd.org/ +[pr]: https://github.com/hughsie/fwupd/pull/897 +[release-notes]: https://web.archive.org/web/20191004005352/https://fwupd.org/lvfs/device/com.Libretrend.LT1000.firmware [req]: https://docs.microsoft.com/pl-pl/windows-hardware/drivers/bringup/authoring-an-update-driver-package [vl]: https://fwupd.org/lvfs/vendorlist -[dl]: https://fwupd.org/lvfs/devicelist -[release-notes]: https://fwupd.org/lvfs/device/com.Libretrend.LT1000.firmware -[pr]: https://github.com/hughsie/fwupd/pull/897 diff --git a/blog/content/post/2019-07-24-esp8266-quick-guide-for-embedded-c-developers.md b/blog/content/post/2019-07-24-esp8266-quick-guide-for-embedded-c-developers.md index 241b0690..c3dae897 100644 --- a/blog/content/post/2019-07-24-esp8266-quick-guide-for-embedded-c-developers.md +++ b/blog/content/post/2019-07-24-esp8266-quick-guide-for-embedded-c-developers.md @@ -27,22 +27,21 @@ great potential and is cheap, which makes it a **great module** to start the ESP8266 has many dedicated firmwares and frameworks. It can be programmed straight from the Arduino IDE, using micropython, Lua scripts, JavaScript and many more. None of them interested us too much. A good alternative for us was to -**develop the firmware in C using the SDKs released by Espressif** -(ESP's vendor). At the beginning we were a bit skeptical about this chip, but +**develop the firmware in C using the SDKs released by Espressif** (ESP's +vendor). At the beginning we were a bit skeptical about this chip, but eventually **we managed to build several stable IoT products** based on it, that, for example, cooperate with **AWS IoT services**. When you start working with this chip, the number of frameworks, tools or hardware versions is overwhelming. Official site and documentation doesn't -really help with that... That's why we decided to gather here -**the most important information** and prepare instructions -**how to easy get started**. +really help with that... That's why we decided to gather here **the most +important information** and prepare instructions **how to easy get started**. ## Hardware -There are many versions of ESP8266 chips. All of them are based on -**32-bit Tensilica L106 processor**, which can be clocked with **160MHz** -(80MHz default). With [**some hacks**](https://github.com/cnlohr/nosdk8266) it's +There are many versions of ESP8266 chips. All of them are based on **32-bit +Tensilica L106 processor**, which can be clocked with **160MHz** (80MHz +default). With [**some hacks**](https://github.com/cnlohr/nosdk8266) it's possible to **get even 346 MHz**! Different versions of chips may differ in the number of gpios, pinout, memory @@ -57,65 +56,67 @@ is no need for any soldering. It's a really convenient solution. Espressif provides two types of SDK: -* **RTOS SDK** - based on FreeRTOS, +- **RTOS SDK** - based on FreeRTOS, -* **Non-OS SDK** - based on timers and callbacks. +- **Non-OS SDK** - based on timers and callbacks. More details about those SDKs you can find in Chapter **1.3. ESP8266 SDK** of [**ESP8266 SDK - Getting Started Guide**](https://www.espressif.com/sites/default/files/documentation/2a-esp8266-sdk_getting_started_guide_en.pdf). Good alternative for **Espressif RTOS SDK** is [**ESP-Open-RTOS**](https://github.com/SuperHouse/esp-open-rtos). In this post, -however, we will focus on the Non-OS SDK. If you are interested in -the RTOS SDK please let us know. We will try to prepare a post on this topic as -well. +however, we will focus on the Non-OS SDK. If you are interested in the RTOS SDK +please let us know. We will try to prepare a post on this topic as well. ### Preparing the environment -Before we go to the code example we have to prepare environment for work. -Things we need are: +Before we go to the code example we have to prepare environment for work. Things +we need are: -* Xtensa lx106 architecture toolchain, -* ESP8266 SDK published by vendor, -* tool for flashing the on-chip memories. +- Xtensa lx106 architecture toolchain, +- ESP8266 SDK published by vendor, +- tool for flashing the on-chip memories. -Of course, we can assemble all the tools manually, but -**it's not the optimal solution**. Instead, we can use +Of course, we can assemble all the tools manually, but **it's not the optimal +solution**. Instead, we can use [**ESP-Open-SDK**](https://github.com/pfalcon/esp-open-sdk), which contains **everything we need in one place**. If you also prefer this solution, the only thing you have to do is to execute those simple steps: -* clone repository: +- clone repository: - ``` - git clone --recursive https://github.com/pfalcon/esp-open-sdk.git - ``` + ```bash + git clone --recursive https://github.com/pfalcon/esp-open-sdk.git + ``` -* install dependencies: +- install dependencies: - ``` - sudo apt-get install make unrar-free autoconf automake libtool gcc g++ gperf \ - flex bison texinfo gawk ncurses-dev libexpat-dev python-dev python python-serial \ - sed git unzip bash help2man wget bzip2 libtool-bin - ``` + ```bash + sudo apt-get install make unrar-free autoconf automake libtool gcc g++ gperf \ + flex bison texinfo gawk ncurses-dev libexpat-dev python-dev python python-serial \ + sed git unzip bash help2man wget bzip2 libtool-bin + ``` -* build the toolchain: +- build the toolchain: - We can build the toolchain in two ways: - - with a completely **standalone** ESP8266 SDK containing the vendor SDK -files merged into the toolchain - - with a **separate** toolchain and vendor SDK files + We can build the toolchain in two ways: - We definitely **prefer the second option**. It will be needed to add -**extra -I and -L flags** during compilation, but this approach gives us some -benefits. We'll have a **better control** in what we do and we'll can easily use -different version of sdk when needed. To build the separate version all you need -is to use make with `STANDALONE=n`. + - with a completely **standalone** ESP8266 SDK containing the vendor SDK files + merged into the toolchain - ``` + - with a **separate** toolchain and vendor SDK files + + We definitely **prefer the second option**. It will be needed to add **extra + -I and -L flags** during compilation, but this approach gives us some + benefits. We'll have a **better control** in what we do and we'll can easily + use different version of sdk when needed. To build the separate version all + you need is to use make with `STANDALONE=n`. + + ```bash make STANDALONE=n ``` It'll take few minutes, so be patient. When the compilation process is + completed, the toolchain will be available in the `xtensa-lx106-elf/` subdirectory. At the end of build process, command for adding the `xtensa-lx106-elf/bin/` subdirectory to your **PATH environment variable** will @@ -123,9 +124,9 @@ be shown. You can **save it**, because it will be needed to execute it each time you want to use the **xtensa-lx106-elf-gcc** and other tools in a new shell session. In my case, command looks like below: - ``` - export PATH=/home/lagun/workspace/esp-open-sdk/xtensa-lx106-elf/bin:$PATH - ``` +```bash +export PATH=/home/lagun/workspace/esp-open-sdk/xtensa-lx106-elf/bin:$PATH +``` ### Build led blink example @@ -134,7 +135,7 @@ application. It's located in `examples/blinky` directory. If you have built the **non-standalone version of toolchain** as I did, then you will need to make small changes in the Makefile: -``` +```bash diff --git a/examples/blinky/Makefile b/examples/blinky/Makefile index 52d3790d4bc1..7711f2fb50b4 100644 --- a/examples/blinky/Makefile @@ -154,35 +155,35 @@ As a result, two files should be built: `blinky-0x00000.bin` and ### Flash the firmware -Before we flash built firmware, lets **erase whole memory of the chip**. -We can use the **esptool.py** for this purpose. It's placed in -`xtensa-lx106-elf/bin/` directory, so if you have this directory added to the -PATH, then you can use this tool in any directory. In order to erase the flash -memory use command below: +Before we flash built firmware, lets **erase whole memory of the chip**. We can +use the **esptool.py** for this purpose. It's placed in `xtensa-lx106-elf/bin/` +directory, so if you have this directory added to the PATH, then you can use +this tool in any directory. In order to erase the flash memory use command +below: -``` +```bash esptool.py erase_flash ``` -Now, lets flash built firmware. Name of each output file contains -**memory address** to which the specific part should be flashed. +Now, lets flash built firmware. Name of each output file contains **memory +address** to which the specific part should be flashed. -``` +```bash esptool.py write_flash 0x00000 blinky-0x00000.bin 0x10000 blinky-0x10000.bin ``` After you flash the firmware, you will notice that **LED doesn't blink**. It's because we erased the whole memory and there's nothing there beyond our blinky -led application firmware. Programs which use the SDK -**need additional firmware** in specific flash memory location. Detailed -description of the flash maps can be found in **Chapter 4. Flash Maps** of +led application firmware. Programs which use the SDK **need additional +firmware** in specific flash memory location. Detailed description of the flash +maps can be found in **Chapter 4. Flash Maps** of [**ESP8266 SDK - Getting Started Guide**](https://www.espressif.com/sites/default/files/documentation/2a-esp8266-sdk_getting_started_guide_en.pdf). There are two types of flash memory maps for different firmware: -* **FOTA (Firmware Over-The-Air)** firmware, which is used for applications with -update possibilities -* **Non-OTA** firmware, which is used in standard applications. +- **FOTA (Firmware Over-The-Air)** firmware, which is used for applications with + update possibilities +- **Non-OTA** firmware, which is used in standard applications. In our case **Non-OTA firmware** will be needed. Flash maps in that case looks like below. Description of each block can be found in documentation I linked @@ -190,35 +191,36 @@ earlier. ![esp8266_nonfota_flash_map](/img/esp8266_nonfota_flash_map.png) -Needed files are located in `esp-open-sdk/sdk/bin` directory. -For clarity, `esp-open-sdk/sdk/` is a +Needed files are located in `esp-open-sdk/sdk/bin` directory. For clarity, +`esp-open-sdk/sdk/` is a [**ESP8266_NONOS_SDK**](https://github.com/espressif/ESP8266_NONOS_SDK) repository used as a **git submodule**. Let's deal with flashing additional firmware now. Specific addresses for specific files looks like below: ![esp8266_flash_map_addresses](/img/esp8266_flash_map_addresses.png) -Our chip has **4096KB** of memory so we'll use addresses from that column. -We already flashed the application firmware at **0x00000** and **0x10000**, so -now it's enough to flash only `blank.bin`, `esp_init_data_default_v05.bin` -binaries. After that blue LED should start blinking. +Our chip has **4096KB** of memory so we'll use addresses from that column. We +already flashed the application firmware at **0x00000** and **0x10000**, so now +it's enough to flash only `blank.bin`, `esp_init_data_default_v05.bin` binaries. +After that blue LED should start blinking. -``` +```bash esptool.py write_flash 0x3FB000 blank.bin 0x3FC000 esp_init_data_default_v05.bin 0x3FE000 blank.bin ``` As you may already noticed, there is no `main()` function in `blinky.c`. In case of **Non-OS SDK** the main function is named as `user_init()`. There is more specific details about **developing firmware for ESP8266 using Non-OS SDK**, but -everything is well decribed in the [**ESP8266 Non-OS SDK - API Reference**](https://www.espressif.com/sites/default/files/documentation/2a-esp8266-sdk_getting_started_guide_en.pdf). +everything is well described in the +[**ESP8266 Non-OS SDK - API Reference**](https://www.espressif.com/sites/default/files/documentation/2a-esp8266-sdk_getting_started_guide_en.pdf). If you would like to get more information, it's a good document to read at this point. ## Summary -If you need a support in **IoT nodes firmware** / -**gateways applications development**, or looking for someone who can boost your -**IoT product** by leveraging advanced features feel free to +If you need a support in **IoT nodes firmware** / **gateways applications +development**, or looking for someone who can boost your **IoT product** by +leveraging advanced features feel free to [**book a call with us**](https://calendly.com/3mdeb/consulting-remote-meeting) or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [**sign up to our newsletter**](http://eepurl.com/doF8GX). +content feel free to [**sign up to our newsletter**](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2019-08-07-qubes-os-and-3mdeb-minisummit.md b/blog/content/post/2019-08-07-qubes-os-and-3mdeb-minisummit.md index 4615fdd8..15af2e9b 100644 --- a/blog/content/post/2019-08-07-qubes-os-and-3mdeb-minisummit.md +++ b/blog/content/post/2019-08-07-qubes-os-and-3mdeb-minisummit.md @@ -1,7 +1,7 @@ --- title: Qubes OS and 3mdeb 'minisummit' 2019 abstract: 'In May we had pleasure to meet Marek Marczykowski-Górecki #QubesOS - Project Lead in 3mdeb office in Gdańsk. We dicussed various #QubesOS, + Project Lead in 3mdeb office in Gdańsk. We discussed various #QubesOS, #Xen, #firmware, #coreboot, #security and #TPM related topics. Results of that "minisummit" was presented in following blog post.' cover: /covers/qubesos_3mdeb_minisummit.png @@ -22,130 +22,145 @@ categories: --- -In May we had pleasure to meet with [Marek Marczykowski-Górecki](https://www.qubes-os.org/team/) in 3mdeb office in +In May we had pleasure to meet with +[Marek Marczykowski-Górecki](https://www.qubes-os.org/team/) in 3mdeb office in Gdańsk, Poland. Since we are long term fans of Qubes OS and its approach to -security, as also fans of Joanna Rutkowska security research in area of -firmware and computer architecture, we couldn't miss the opportunity and -decided to organize one day event during which we discussed topics at Qubes OS -and firmware boundary. - -Humorously we called it "minisummit". Topics discussed and related presentations: - -* [Qubes OS certification and open source firmware requirements](https://cloud.3mdeb.com/index.php/s/CJC8qBeMMT6T8oL) - Piotr Król -* Xen and Qubes OS status - discussion -* [Qubes OS and OpenEmbedded/OpenXT/Yocto collaboration](https://cloud.3mdeb.com/index.php/s/obx7qDFic5otR54) - Maciej Pijanowski -* [TPM2.0 in Qubes OS](https://cloud.3mdeb.com/index.php/s/kAQoEBHXAXNEtwL) - Michał Żygowski -* [Lightning talks](https://cloud.3mdeb.com/index.php/s/Si9YXM2ymWQMj7n): - - DRTM/TrenchBoot - Piotr Król - - HCL report and its lifecycle (automation, anonymization, maintenance) - Piotr Król - - fwupd - Piotr Król -* [Status of AEM for Intel and AMD](https://cloud.3mdeb.com/index.php/s/aPYPeSfJPoZ2gPM) - Michał Żygowski - -There were also lot of side-talks, but overall agenda was as above. Below I -will elaborate more on presented topics below. - -# Qubes OS certification - -Various 3mdeb customers are interested in Qubes OS certification. Recently -Qubes OS announced on their website that [Insurgo PrivacyBeast X230 Laptop](https://www.qubes-os.org/news/2019/07/18/insurgo-privacybeast-qubes-certification/) -meets and exceeds certification criteria. There is nothing that prevent -hardware vendors to certify their hardware, but some firmware requirements have -to be fulfilled: - -* hardware should run only open-source boot firmware - there are some technical +security, as also fans of Joanna Rutkowska security research in area of firmware +and computer architecture, we couldn't miss the opportunity and decided to +organize one day event during which we discussed topics at Qubes OS and firmware +boundary. + +Humorously we called it "minisummit". Topics discussed and related +presentations: + +- [Qubes OS certification and open source firmware requirements](https://shop.3mdeb.com/wp-content/uploads/2021/06/Qubes-Hardware-Certification.pdf) + \- Piotr Król +- Xen and Qubes OS status - discussion +- [Qubes OS and OpenEmbedded/OpenXT/Yocto collaboration](https://shop.3mdeb.com/wp-content/uploads/2021/06/Qubes-build-system.pdf) + \- Maciej Pijanowski +- [TPM2.0 in Qubes OS](https://shop.3mdeb.com/wp-content/uploads/2021/06/TPM-2.0.pdf) + \- Michał Żygowski +- [Lightning talks](https://shop.3mdeb.com/wp-content/uploads/2021/06/Lightning-Talks.pdf): + - DRTM/TrenchBoot - Piotr Król + - HCL report and its lifecycle (automation, anonymization, maintenance) - + Piotr Król + - fwupd - Piotr Król +- [Status of AEM for Intel and AMD](https://shop.3mdeb.com/wp-content/uploads/2021/06/Anti-Evil-Maid.pdf) + \- Michał Żygowski + +There were also lot of side-talks, but overall agenda was as above. Below I will +elaborate more on presented topics below. + +## Qubes OS certification + +Various 3mdeb customers are interested in Qubes OS certification. Recently Qubes +OS announced on their website that +[Insurgo PrivacyBeast X230 Laptop](https://www.qubes-os.org/news/2019/07/18/insurgo-privacybeast-qubes-certification/) +meets and exceeds certification criteria. There is nothing that prevent hardware +vendors to certify their hardware, but some firmware requirements have to be +fulfilled: + +- hardware should run only open-source boot firmware - there are some technical exceptions to that e.g. CPU vendor binary blobs like FSP, AGESA, ME and PSP -* properly exposed advanced hardware features for Intel those are VT-x, VT-d and SLAT -* ACPI tables that expose above features to OS should be constructed correctly +- properly exposed advanced hardware features for Intel those are VT-x, VT-d and + SLAT +- ACPI tables that expose above features to OS should be constructed correctly - DMAR for Intel and IVRS for AMD Enabling or improving support of above features definitely lay in area of 3mdeb expertise, so if you looking for someone who can help you in Qubes OS hardware -certification please [contact us](https://calendly.com/3mdeb/consulting-remote-meeting). +certification please +[contact us](https://calendly.com/3mdeb/consulting-remote-meeting). As mentioned on slides linked above we discussed also: -* Alternative computer architectures that have potential of being not-harmful - as x86 (in opposition to [Joanna paper](https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf)). +- Alternative computer architectures that have potential of being not-harmful as + x86 (in opposition to + [Joanna paper](https://blog.invisiblethings.org/papers/2015/x86_harmful.pdf)). Unfortunately we can't see shiny future right now. Qubes OS focus on end-user devices, so laptops and workstations. It looks like we would have to wait little bit for reasonably performing ARM systems. There is also some hope in OpenPOWER and RISC-V, but ports to those architectures would require reasonably market demand for which we don't see potential right now. Interestingly there is 2BTC bounty for Power Architecture support in Qubes OS - you can read about it [here](https://github.com/QubesOS/qubes-issues/issues/4318). -* It looks like Qubes OS development doesn't face any significant issues from - firmware level. It's good to know that hardware Qubes OS operate on - reasonable quality firmware. + you can read about it + [here](https://github.com/QubesOS/qubes-issues/issues/4318). +- It looks like Qubes OS development doesn't face any significant issues from + firmware level. It's good to know that hardware Qubes OS operate on reasonable + quality firmware. -# Xen and Qubes OS status +## Xen and Qubes OS status There was no formal presentation about that topic, but discussion drifted to -that topic, so it is definitely worth to mention. Of course we are not -hard-core Xen or Qubes OS developers, so some of those information may be not -complete: +that topic, so it is definitely worth to mention. Of course we are not hard-core +Xen or Qubes OS developers, so some of those information may be not complete: -* There are some issues with PCI pass-through. Qubes OS would like to use that +- There are some issues with PCI pass-through. Qubes OS would like to use that feature more, but because of complex PCI architecture and design assumptions in Xen, leveraging that feature is not so easy. -* There is some problem PCI hot-plug since all connected devices automatically - appear in dom0, which can cause some security issues if malicious device - would be connected. Technically speaking Xen community know how to solve - that, but there are no resources available at this point to address the - problem. -* USB Type C is another problem since host controller is visible only after +- There is some problem PCI hot-plug since all connected devices automatically + appear in dom0, which can cause some security issues if malicious device would + be connected. Technically speaking Xen community know how to solve that, but + there are no resources available at this point to address the problem. +- USB Type C is another problem since host controller is visible only after connecting device, so OS doesn't have control over it before -* It seems that correct support for IOMMU can mitigate most of above problems -* There are very interesting improvement in new microarchitectures like +- It seems that correct support for IOMMU can mitigate most of above problems +- There are very interesting improvement in new microarchitectures like Denverton, especially VT-c, but Xen still doesn't have support for that -* There are also know issues in GPU support e.g. Nvidia requires dedicated, - more expensive hardware, if it would be used in virtualized environment -* Because of above problems and other reasons Qubes OS community consider KVM +- There are also know issues in GPU support e.g. Nvidia requires dedicated, more + expensive hardware, if it would be used in virtualized environment +- Because of above problems and other reasons Qubes OS community consider KVM support We also discussed how 3mdeb can involve in improving Qubes OS and Xen and of course community activity would be best approach. Of course as for-profit organization we have to align that with some business activity. We plan to work -on that in 2019. As first step towards that is this blog and following ideas -for contribution. +on that in 2019. As first step towards that is this blog and following ideas for +contribution. -# Qubes OS build system +## Qubes OS build system According to [documentation](https://www.qubes-os.org/doc/qubes-builder/) Qubes OS should be build using rpm-based distro like Fedora. According to Marek build should also work on Debian without big issues. Definitely it is something to check and maybe improve documentation. -But moving forward discussion about Qubes OS build system, as [Yocto Participants](https://www.yoctoproject.org/ecosystem/participants/), -we advertised OE/Yocto as build system for dom0 in Qubes OS. During that -discussion various problems pop up: - -* OE/Yocto not verify hashes or does it in doubtful way. We started discussion - about that [on Yocto mailing list](https://lists.yoctoproject.org/pipermail/yocto/2019-June/045574.html). -* We can't freeze dom0, we need flexibility in extending it additional software - through package manager - as Marek mentioned this statement is valid until - GUI is in dom0 and pointed us to [The Update Framework - website](https://theupdateframework.github.io/) and [Package Management Security paper](https://theupdateframework.github.io/papers/package-management-security-tr08-02.pdf?raw=true). +But moving forward discussion about Qubes OS build system, as +[Yocto Participants](https://www.yoctoproject.org/ecosystem/participants/), we +advertised OE/Yocto as build system for dom0 in Qubes OS. During that discussion +various problems pop up: + +- OE/Yocto not verify hashes or does it in doubtful way. We started discussion + about that + [on Yocto mailing list](https://lists.yoctoproject.org/pipermail/yocto/2019-June/045574.html). +- We can't freeze dom0, we need flexibility in extending it additional software + through package manager - as Marek mentioned this statement is valid until GUI + is in dom0 and pointed us to + [The Update Framework website](https://theupdateframework.github.io/) and + [Package Management Security paper](https://theupdateframework.github.io/papers/package-management-security-tr08-02.pdf?raw=true). Goal is definitely to get rid of GUI from dom0. -* We should treat big distros like Debian and Fedora as role models in package +- We should treat big distros like Debian and Fedora as role models in package management, they already use lots of good practice that are not followed by OE/Yocto, because of that 3mdeb should understand better how Debian/Fedora does package management and help reflect best practice in OE/Yocto to improve probability of using it as dom0 build system. -* Build system should not require networking connection, this is question about +- Build system should not require networking connection, this is question about security as well as control over whole building process. If package build - system download arbitrary code during build process then definitely we - loosing control over each component verification. Secure build should be - performed on air-gapped hardware/VM. -* Not all recipes in OE/Yocto are reproducible, Debian solve that issue by + system download arbitrary code during build process then definitely we losing + control over each component verification. Secure build should be performed on + air-gapped hardware/VM. +- Not all recipes in OE/Yocto are reproducible, Debian solve that issue by stripping stuff causing problems, maybe that approach should be adapted in OE/Yocto. More details about reproducible builds can be found - [here](https://reproducible-builds.org/docs/). There is also discussion related to that topic [here](https://lists.reproducible-builds.org/pipermail/rb-general/2019-June/001580.html). -* Toolchain flags for security hardening are not easy to set and use. -* Qubes OS will use Mirage OS as firewall. It is sign of another interesting + [here](https://reproducible-builds.org/docs/). There is also discussion + related to that topic + [here](https://lists.reproducible-builds.org/pipermail/rb-general/2019-June/001580.html). +- Toolchain flags for security hardening are not easy to set and use. +- Qubes OS will use Mirage OS as firewall. It is sign of another interesting technology in service of security , namely unikernels. Marek mentioned that there is big potential for unikernels in Qubes OS e.g. GPG VM, because unikernels are in-line with system goals and design. -* It looks unikraft evolve as unikernels build system, we are concerned about +- It looks unikraft evolve as unikernels build system, we are concerned about another build system which would be very hard to integrate. We wondered if it would be possible to build unikernels using OE/Yocto Marek commented that it would be hard or impossible in practice, because unikernels are assumed to be @@ -161,41 +176,45 @@ achieve long term stable and minimal dom0. We plan to create OE/Yocto hardening guidelines which hopefully can help rise probability of using OE/Yocto as build system for Qubes OS dom0. -# TPM2.0 +## TPM2.0 + +It looks that TPM2.0 is not supported in Qubes OS mostly because nobody had time +to take a look at it. From 3mdeb it would be ideal contribution especially if +can be combined with open-source firmware based hardware like +[Librebox](https://web.archive.org/web/20190527025638/https://shop.3mdeb.com/product/librebox/). -It looks that TPM2.0 is not supported in Qubes OS mostly because nobody had -time to take a look at it. From 3mdeb it would be ideal contribution especially -if can be combined with open-source firmware based hardware like -[Librebox](https://shop.3mdeb.com/product/librebox/). +There are various other ways how TPM2.0 can be leveraged in Qubes OS e.g. PKCS -There are various other ways how TPM2.0 can be leveraged in Qubes OS e.g. PKCS #11, VPN. +## 11, VPN -# fwupd +## fwupd Marek mentioned that he is very interested in fwupd support in Qubes OS. 3mdeb already contributed to LFSV/fwupd project, by adding flashrom support and ability to update coreboot-based platforms. LVFS/fwupd is treated by 3mdeb as strategic project since it exist at OS and firmware boundary. -There is even discussion started in this topic [here](https://github.com/QubesOS/qubes-issues/issues/4855). -Key problem at this point is that dom0 has no networking connection, so fwupd -have to respect other means of getting information from LVFS servers. +There is even discussion started in this topic +[here](https://github.com/QubesOS/qubes-issues/issues/4855). Key problem at this +point is that dom0 has no networking connection, so fwupd have to respect other +means of getting information from LVFS servers. -Richard (LFVS maintainer) and 3mdeb team will attend [OSFC 2019](https://osfc.io/) -we believe it would be good opportunity to talk more about issues that Qubes OS -may consider. +Richard (LFVS maintainer) and 3mdeb team will attend +[OSFC 2019](https://osfc.io/) we believe it would be good opportunity to talk +more about issues that Qubes OS may consider. -## Summary +### Summary Overall we would like to thank Marek for spending whole day with 3mdeb team and providing his insights about Qubes OS and its relation to firmware. For us it -was important step to build relation and improve networking. We look for -similar meetings in future and hope to see each other during various security +was important step to build relation and improve networking. We look for similar +meetings in future and hope to see each other during various security conferences happen in this year. If you think we can help in improving Qubes OS support for your hardware, help -you with Qubes OS certification on firmware level or you looking for someone -who can boost your product by leveraging advanced features of used hardware -platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or drop us email to -`contact3mdebcom`. If you are interested in similar content feel free -to [sign up to our newsletter](http://eepurl.com/doF8GX) +you with Qubes OS certification on firmware level or you looking for someone who +can boost your product by leveraging advanced features of used hardware +platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2019-08-19-3mdeb-roadmap.md b/blog/content/post/2019-08-19-3mdeb-roadmap.md index e58040b1..ddbfd81c 100644 --- a/blog/content/post/2019-08-19-3mdeb-roadmap.md +++ b/blog/content/post/2019-08-19-3mdeb-roadmap.md @@ -35,27 +35,27 @@ consultancy and development is working on NXP Layerscape board and analyzing interesting QUIC protocol for usage on Embedded Linux platforms. This includes technologies such as: -* Linux kernel -* U-Boot -* devices tree -* QUIC transport layer +- Linux kernel +- U-Boot +- devices tree +- QUIC transport layer ## Firmware Team 3mdeb Firmware Team is working on: -* enabling brand new features in PC Engines apu2 firmware: - * persistent bootorder - * runtime configuration using VPD - * offline binary customization for maintained open-source platforms -* analysis of the current FIDO solutions +- enabling brand new features in PC Engines apu2 firmware: + - persistent bootorder + - runtime configuration using VPD + - offline binary customization for maintained open-source platforms +- analysis of the current FIDO solutions This includes technologies such as: -* coreboot -* libpayload -* Bareflank -* hypervisors +- coreboot +- libpayload +- Bareflank +- hypervisors ## Validation Team @@ -63,22 +63,23 @@ This includes technologies such as: Raspberry Pi Zero W and Raspberry Pi 3 A+ and prepares manual and automated tests for: -* wireless multimedia streaming devices -* firmware stability and new feature validation of PC Engines binary releases -* connectivity and operating with IoT gateway +- wireless multimedia streaming devices +- firmware stability and new feature validation of PC Engines binary releases +- connectivity and operating with IoT gateway This includes technologies such as: -* RobotFramework -* Python -* Node.js -* MQTT -* AWS Services +- RobotFramework +- Python +- Node.js +- MQTT +- AWS Services ## Summary If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX). +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2019-09-06-embedded-systems-consulting-insiders-view.md b/blog/content/post/2019-09-06-embedded-systems-consulting-insiders-view.md index c45a73d6..0e69e9de 100644 --- a/blog/content/post/2019-09-06-embedded-systems-consulting-insiders-view.md +++ b/blog/content/post/2019-09-06-embedded-systems-consulting-insiders-view.md @@ -20,15 +20,17 @@ categories: ## Introduction -__NOTE__: Following content was initially edited and published in [Elektor 10/2018](https://www.elektormagazine.com/magazine/elektor-75/42164). +**NOTE**: Following content was initially edited and published in +[Elektor 10/2018](https://www.elektormagazine.com/magazine/elektor-75/42164). -Every engineer at some point in career wonder about taking everything in -her/his own hands and starting work as an independent freelancer or consultant. -When that thought got to me the first time I was working for a big international +Every engineer at some point in career wonder about taking everything in her/his +own hands and starting work as an independent freelancer or consultant. When +that thought got to me the first time I was working for a big international corporation and I was naive enough to think that I can organize things much better. Sadly there are not many sources where you can read how to start and navigate through the first year or so. It is hard to not mention here embedded -systems guru Jack Ganssle and his classical [Guide to Being an Embedded Consultant](http://www.ganssle.com/item/becoming-a-consultant.htm), +systems guru Jack Ganssle and his classical +[Guide to Being an Embedded Consultant](http://www.ganssle.com/item/becoming-a-consultant.htm), which was motivation to me and must-read for anyone thinking about change. In the following article I describe my path to building Embedded System @@ -36,45 +38,45 @@ Consulting company and problems I faced when building an organization. I silently assume you have decent experience in embedded systems or related field and considering a change in your career. Below consideration is rather for -engineers starting solo who would like to know how to start and how the -everyday operation may look like. +engineers starting solo who would like to know how to start and how the everyday +operation may look like. ## Dream Reality is usually much different than our expectations. That’s why I recommend -trying things before making the move. Before I made the decision of leaving -the corporate world I worked for over 6 months part-time as a freelancer through +trying things before making the move. Before I made the decision of leaving the +corporate world I worked for over 6 months part-time as a freelancer through various popular websites. Thanks to that experience I faced all critical parts of the business that can be new to engineers from embedded systems field: -* Customer relationship - explaining technical things in a non-technical way is +- Customer relationship - explaining technical things in a non-technical way is crucial, helping understand what can and cannot be done -* Project planning and estimation - impossible to learn in theory, requires a +- Project planning and estimation - impossible to learn in theory, requires a lot of practice -* Pipeline filling - no new customers means no paycheck next month -* Legal, accounting, marketing +- Pipeline filling - no new customers means no paycheck next month +- Legal, accounting, marketing -Of course key engineering work have to be done on time despite all problems -that enumerated areas may bring. Overall consultant or freelancer get rid of +Of course key engineering work have to be done on time despite all problems that +enumerated areas may bring. Overall consultant or freelancer get rid of corporate processes, but have to build their own to make things stable for a time longer than a couple of months. Initially, I thought that it would be possible to avoid processes, but building business requires solid structures which cannot be destroyed by minor change on market. It is important to understand Embedded Systems Consulting may bring a -lot of unexpected issues, but if you can navigate and stabilize that kind of -a business reward can be worth the effort. +lot of unexpected issues, but if you can navigate and stabilize that kind of a +business reward can be worth the effort. ## From Dream to Action -There are still tons of questions to answer, but most important at this point -is to start work for yourself, what means either paid project from some -customer or project that will help you promote your profile. Key questions that -should build a framework are: +There are still tons of questions to answer, but most important at this point is +to start work for yourself, what means either paid project from some customer or +project that will help you promote your profile. Key questions that should build +a framework are: -* How much time I can spend on side projects during week/month? -* Does my contract allow working for other people/companies? -* What are the technology areas that are most interesting to me? +- How much time I can spend on side projects during week/month? +- Does my contract allow working for other people/companies? +- What are the technology areas that are most interesting to me? The first point you should consult with your family and friends. Amount of time and hours you working should be clearly defined (e.g. Mon-Fri: 9am-5pm - regular @@ -87,10 +89,10 @@ work over hours for your current employer you should spend this time on your side projects. You should consult your contract with a lawyer, in some states employers cannot -forbid additional professional activity. Some contracts obligate you to ask -the employer for permission, please note that you can be rejected and to proceed -you will have to change your job. Rethinking your tactics twice before talking -with a manager is very important. In any case, you have to avoid conflict of +forbid additional professional activity. Some contracts obligate you to ask the +employer for permission, please note that you can be rejected and to proceed you +will have to change your job. Rethinking your tactics twice before talking with +a manager is very important. In any case, you have to avoid conflict of interest. There are tons of technologies used in the embedded systems area, so you have to @@ -117,18 +119,18 @@ when get there. ### What you need to build a good profile? -* Profile overview - some introduction that would be read by a potential -customer and give feeling what kind of work she/he may expect from you. +- Profile overview - some introduction that would be read by a potential + customer and give feeling what kind of work she/he may expect from you. -* Sample projects - key rule should be “always document your work” since you -never know when it can help you gain traction. Pictures and a short description -of the project with used technologies is something that can drive customers. -Please note that project documentation is your key marketing material - better -you can create, better customers you will attract. +- Sample projects - key rule should be “always document your work” since you + never know when it can help you gain traction. Pictures and a short + description of the project with used technologies is something that can drive + customers. Please note that project documentation is your key marketing + material - better you can create, better customers you will attract. -* Visibility - it should be easy to find you, make you are available through -freelancing websites, professional profile website as well as Stack Overflow -and forums related to your expertise. +- Visibility - it should be easy to find you, make you are available through + freelancing websites, professional profile website as well as Stack Overflow + and forums related to your expertise. A profile containing the above characteristics should be consistent across various social media and can build a good ground for a personal website. It is @@ -143,8 +145,8 @@ published it on most important freelance websites. What now? There are 2 main strategies, either you bid everything that falls in your area of expertise, either you wait for being invited. You have to master interaction through given freelancing service and understand all its pros and cons. It is -important to have some badges that prove your skillset as well as earning -a reputation through activity. I was lucky enough to have got most of my project +important to have some badges that prove your skillset as well as earning a +reputation through activity. I was lucky enough to have got most of my project through direct invitation. Personally, I never bid projects that I was not 100% sure I can finish below the budget and on time - those projects were typically things that I accomplished many times and I already had everything solved in my @@ -158,24 +160,24 @@ On-boarding is the phase where engineers made the most mistakes. Incorrectly handled relation, lack of process, over-optimistic pricing and delivery dates, all that give terrible results. That is why I operate using the following rules: -* Always have an introductory call with a new customer - if a customer does not -have time to talk about the project it is a bad sign. -* Never perform complex project estimates without being paid - typically -embedded systems projects are complex and analysis take a significant amount of -time, because of that estimates preparation is project in itself which prove -the basic concept and feasibility of further activities. I believe this point -itself could easily take the whole article, but we don’t have space to dive deep -into it. -* Never provide estimates without having the hardware (or at least development -board on which target hardware was based) on your desk - we all know-how -embedded systems development can be surprising: buggy designs, insufficient -documentation or lack of vendor support, we faced that before. Adding one more -possible point of failure by committing to a hardware platform that we have no -hands-on experience is way too much and may easily destroy our brand. -* Be honest about the project idea and what is reasonable with provided -resources, do not forget to write down limitations - it is easy to enter not -well defined project, but closing that project without failure and financial -consequences may be impossible. +- Always have an introductory call with a new customer - if a customer does not + have time to talk about the project it is a bad sign. +- Never perform complex project estimates without being paid - typically + embedded systems projects are complex and analysis take a significant amount + of time, because of that estimates preparation is project in itself which + prove the basic concept and feasibility of further activities. I believe this + point itself could easily take the whole article, but we don’t have space to + dive deep into it. +- Never provide estimates without having the hardware (or at least development + board on which target hardware was based) on your desk - we all know-how + embedded systems development can be surprising: buggy designs, insufficient + documentation or lack of vendor support, we faced that before. Adding one more + possible point of failure by committing to a hardware platform that we have no + hands-on experience is way too much and may easily destroy our brand. +- Be honest about the project idea and what is reasonable with provided + resources, do not forget to write down limitations - it is easy to enter not + well defined project, but closing that project without failure and financial + consequences may be impossible. Above rules should help in the onboarding process, but then we have the execution phase. This stage requires correct communication adjusted to customer @@ -208,33 +210,34 @@ project results, other deliverables like source code or binaries. ## Business Tips The non-engineering, business side of consulting can seem daunting. But it -doesn't have to be. Here are a few simple tips to keep in mind as you start -your own consulting business: - -* Be an engineer. Remember that you are first and foremost an -engineer/programmer, not an accountant, lawyer, or bookkeeper. Focus on your -strengths, and don't be afraid to find accounting, bookkeeping, legal, and -business support early on that is, as soon as you start your consulting -business. There are plenty of resources online to help you get started. And -talking one-on-one with a business professional in the early stages of your -endeavor will make starting and running your consulting business easier than -trying to troubleshoot problems later down the road while you're working on -actual engineering-related projects. Freelancing portals typically handle most -of those problems for you, of course you have to agree to their rates at -the beginning. - -* If you work without third party between you and customer, then use contracts. -It's important to use written contracts and the Scope of Work/Statement of Work -(SOW) statements clearly define project or services you will perform. Creating -the correct project charter is the art in itself and there are online courses -that can help you do that correctly. In short, make sure both you and customers -agree upon project/service: - * Goals - * Scope and out of scope activities - * Your and customer responsibilities - * Requirements - ideally defined using RFC 2119 terminology - * Execution procedure - * Deliverables +doesn't have to be. Here are a few simple tips to keep in mind as you start your +own consulting business: + +- Be an engineer. Remember that you are first and foremost an + engineer/programmer, not an accountant, lawyer, or bookkeeper. Focus on your + strengths, and don't be afraid to find accounting, bookkeeping, legal, and + business support early on that is, as soon as you start your consulting + business. There are plenty of resources online to help you get started. And + talking one-on-one with a business professional in the early stages of your + endeavor will make starting and running your consulting business easier than + trying to troubleshoot problems later down the road while you're working on + actual engineering-related projects. Freelancing portals typically handle most + of those problems for you, of course you have to agree to their rates at the + beginning. + +- If you work without third party between you and customer, then use contracts. + It's important to use written contracts and the Scope of Work/Statement of + Work (SOW) statements clearly define project or services you will perform. + Creating the correct project charter is the art in itself and there are online + courses that can help you do that correctly. In short, make sure both you and + customers agree upon project/service: + + - Goals + - Scope and out of scope activities + - Your and customer responsibilities + - Requirements - ideally defined using RFC 2119 terminology + - Execution procedure + - Deliverables In addition, you may add assumptions and constraints that you know of as well as risks related to various project requirements. @@ -262,6 +265,7 @@ Think about your motivation before making a move. If you think we can help you in building your business by any means. Or you simply looking for a good partner that can provide embedded firmware for your -solution, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or drop us email to -`contact3mdebcom`. If you are interested in similar content feel free -to [sign up to our newsletter](http://eepurl.com/doF8GX) +solution, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2019-10-22-psec-2019.md b/blog/content/post/2019-10-22-psec-2019.md index 7a45bfda..78c2989c 100644 --- a/blog/content/post/2019-10-22-psec-2019.md +++ b/blog/content/post/2019-10-22-psec-2019.md @@ -25,10 +25,10 @@ PSEC 2019 enables hardware/firmware engineers, VMM/OS developers, architects, integrators, verifiers and senior technical staff to collaborate on hardware-assisted platform security and composable software supply chain integrity, from edge to cloud. Piotr Król, 3mdeb founder and Embedded Systems -Consultant was one of the speakers with [the article](https://www.platformsecuritysummit.com/#krol) -"Less-Insecure Network Edge Virtualization with Low Size, Weight and Power" and -shared with us his thoughts and notes, which will be published here in the next -weeks. +Consultant was one of the speakers with +[the article](https://www.platformsecuritysummit.com/#krol) "Less-Insecure +Network Edge Virtualization with Low Size, Weight and Power" and shared with us +his thoughts and notes, which will be published here in the next weeks. ![Trespassers will be eaten](/img/PSEC_2019_1.jpg) @@ -38,35 +38,35 @@ exalted mood. The most interesting of the videos touched the areas of necessity of support for organizations like NASA that rise the level of knowledge in all the mankind. It was also related to the power of stories, myths, that push our species growth. Next all the presentations took place as planned. We'll gonna -shorten the most interesting ones. Reader can find all the abstracts on -the conference page. +shorten the most interesting ones. Reader can find all the abstracts on the +conference page. -__"Guarding against physical attacks; Xbox" Tony Chen__ +## "Guarding against physical attacks; Xbox" Tony Chen -Imagine, that your task is to create a nuclear shelter. It should be safe -and secure but also easy accessible for anyone with proper key. And it should be +Imagine, that your task is to create a nuclear shelter. It should be safe and +secure but also easy accessible for anyone with proper key. And it should be located on the hostile territory. This was essentially the problem with one of the most attacked devices in history. When you are working on PC security you can assume, that your job is to protect the PC owner and his stuff from outer threats. You can consider him -being a good guy. On the contrary to the Xbox the owner is a threat himself. -It is him, who will probably try to use software and hardware tools to -compromise it. Why should he? Because it may give him an advantage in online -games or enable piracy. +being a good guy. On the contrary to the Xbox the owner is a threat himself. It +is him, who will probably try to use software and hardware tools to compromise +it. Why should he? Because it may give him an advantage in online games or +enable piracy. ![Security architecture](/img/xbox-one.jpg) -Modern gaming platforms are priced below the manufacturing cost. Companies -want to rather earn their share with software - games designed for specific -platform. That's why they consider eventual piracy an extremely dangerous -threat. It may be a matter of company existence - the best example is SEGA. +Modern gaming platforms are priced below the manufacturing cost. Companies want +to rather earn their share with software - games designed for specific platform. +That's why they consider eventual piracy an extremely dangerous threat. It may +be a matter of company existence - the best example is SEGA. There are two ways to make a device recognize tampered optical disk as a genuine one. The first one is to make the disk absolutely identical - which can be obtained but is not a part of the scope of this article. The second one is to -make a device recognize not-exactly-identical disk as the original one. This -is the place where an physical attack can be performed. +make a device recognize not-exactly-identical disk as the original one. This is +the place where an physical attack can be performed. The device is controlled by the attacker. Silicon die inside the CPU has 28 nm, this size makes it not economically feasible to modify. This is the reason why @@ -77,11 +77,11 @@ Moreover, have to assume, that every PIN was exposed and attacked. Attacker can use whatever he wants with any tools to manipulate with connections between any parts of hardware. If we don't want to become paranoid we should come back to the economical feasibility. Yes, there are some invasive silicon attacks methods -that will successfully pass almost every security walls, but let's assume, -that our attacker won't spend thousands of dollars to buy tools used for -analysis and debugging by semiconductor manufacturers. Microsoft stated -that threat modding game have to be more expensive than 10 games - about $600. -So what have they actually done? +that will successfully pass almost every security walls, but let's assume, that +our attacker won't spend thousands of dollars to buy tools used for analysis and +debugging by semiconductor manufacturers. Microsoft stated that threat modding +game have to be more expensive than 10 games - about $600. So what have they +actually done? ![Security architecture](/img/PSEC_2019_2.jpg) @@ -99,28 +99,29 @@ by CPU and then stored encrypted with different key in DRAM. After boot Xbox split OS into separate partitions - read-only and read-write. While read-write partitions are empty from the beginning, the read only partition integrity is checked and comes from XVD binary file. XVD files can't -be modified, and during upgrade they are just replaced with the new one, -which means that cold boot of the platform brings it to the trusted state. +be modified, and during upgrade they are just replaced with the new one, which +means that cold boot of the platform brings it to the trusted state. -Then Chen described how using sophisticated methods and tools these -security features has been successfully broken. A group of individuals bought -several Xbox platforms for research purposes and tried to scrape layer after -layer from the silicon chip to reveal proprietary architecture. They have -designed a scheme of the points where to drill and selective destroy areas that -leverage platform security. Exact datasheets were obviously not shown. +Then Chen described how using sophisticated methods and tools these security +features has been successfully broken. A group of individuals bought several +Xbox platforms for research purposes and tried to scrape layer after layer from +the silicon chip to reveal proprietary architecture. They have designed a scheme +of the points where to drill and selective destroy areas that leverage platform +security. Exact datasheets were obviously not shown. ## Summary -These materials were presented the first time for an open audience, though -they are six years old. Security methodology about keys and verification of -further phases is very similar to RIoT architecture that Microsoft ties to DICE. -Chen claimed this is Azure Sphere architecture (what is unverifiable at the -time). Below you can watch the full lecture video. +These materials were presented the first time for an open audience, though they +are six years old. Security methodology about keys and verification of further +phases is very similar to RIoT architecture that Microsoft ties to DICE. Chen +claimed this is Azure Sphere architecture (what is unverifiable at the time). +Below you can watch the full lecture video. [![Original lecture video](https://img.youtube.com/vi/U7VwtOrwceo/0.jpg)](https://www.youtube.com/watch?v=U7VwtOrwceo) If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2019-11-06-pfsense-under-xen-introduction.md b/blog/content/post/2019-11-06-pfsense-under-xen-introduction.md index 724b6adc..eed0ce4f 100644 --- a/blog/content/post/2019-11-06-pfsense-under-xen-introduction.md +++ b/blog/content/post/2019-11-06-pfsense-under-xen-introduction.md @@ -28,7 +28,7 @@ categories: Network devices, such as modems, routers or servers are largely prone to cyber attacks. Their security issue is a priority if we want to keep everything behind them safe. As a solution user might choose from many available firewall -softwares. +software. However, skeptics will say that this is still not enough, because how they can be sure if that software is in 100% compatible with their hardware? We are those @@ -39,7 +39,7 @@ and what changes could be invoked to improve it. ## pfSense, Xen, hypervisor... what is this all about? pfSense is an **open-source firewall** (and router itself) based on FreeBSD -distribution. It has a lot of useful features: high performance, scalability, +distribution. It has a lot of useful features: high performance, scalability, management via web interface, large community support and many others. No wonder it is very popular and commonly used by companies and private users. However, its implementation is not always so straightforward. Basically there are two @@ -56,8 +56,8 @@ For better understanding our build configuration, you should be familiar with some basics about virtualization, hypervisors and Xen itself. I will introduce those issues at high-level overview. It should be enough to understand topic of that blogpost, but if you are more interested in those fields and want to read -about details I refer to [Red Hat -article](https://www.redhat.com/en/topics/virtualization/what-is-virtualization) +about details I refer to +[Red Hat article](https://www.redhat.com/en/topics/virtualization/what-is-virtualization) and to our [blogposts](https://blog.3mdeb.com/tags/virtualization/) with *virtualization* tag. @@ -110,13 +110,14 @@ Configurations for both realizations are shown in the table below. | Hypervisor | - | Xen 4.13-unstable | | boot drive | SD card SanDisk Ultra 16GB | SD card SanDisk Ultra 16GB | -We didn't want to simplify our build too much. Virtualization is very -powerful tool and besides compatibility advantages, it gives security features -either. We decided to 'close' in VM not only pfSense, but also Network Interface -Controlers (NIC). In this way we prepared platform on which is running Xen. Then -Xen runs 3 VMs: - - 2x **Network Driver Virtual Machines (NDVM)** (one VM for one NIC) - - 1x **pfSense in Virtual Machine**. +We didn't want to simplify our build too much. Virtualization is very powerful +tool and besides compatibility advantages, it gives security features either. We +decided to 'close' in VM not only pfSense, but also Network Interface +Controllers (NIC). In this way we prepared platform on which is running Xen. +Then Xen runs 3 VMs: + +- 2x **Network Driver Virtual Machines (NDVM)** (one VM for one NIC) +- 1x **pfSense in Virtual Machine**. It might sounds confusing, so I believe picture below would clarify entire concept. @@ -124,7 +125,7 @@ concept. ![platform-config](/img/platform-config.png) What we achieved by that? Platform is now more secure than with only pfSense -firewall. Remember, that VMs are *software environments* adjusted by user. It's +firewall. Remember, that VMs are _software environments_ adjusted by user. It's you, who decides what to keep in there and what task it should perform. NDVM creates emulated network interface which is passed to pfSense. If something goes wrong (e.g. infected data get through pfSense), there is still additional @@ -142,6 +143,7 @@ So stay tuned and look forward to the second part of that article! If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2019-11-22-Websummit-2019.md b/blog/content/post/2019-11-22-Websummit-2019.md index 1e8931aa..93e8f646 100644 --- a/blog/content/post/2019-11-22-Websummit-2019.md +++ b/blog/content/post/2019-11-22-Websummit-2019.md @@ -24,8 +24,8 @@ decided, that it is the right time to send one. "Tech event" is the keyword that turns all of us on and makes us travel over thousand kilometers, but after the struggle, I was the one who becomes the first -official 3mdeb representative on that event. Full of hope and curiosity, with -a great financial and organizational support provided by +official 3mdeb representative on that event. Full of hope and curiosity, with a +great financial and organizational support provided by [Pomeranian Export Broker](http://www.brokereksportowy.pl), at Sunday, November 3, I've joined Polish group on the Lech Walesa Airport in Gdansk. @@ -43,32 +43,33 @@ in the capital of freedom - Moscow. Though I don't consider him the most reliable man living, the speech itself was fine. In the end, he started to accuse companies by their name for trying to enslave the world population, and when he got to Huawei it appeared that he runs out of time. The next speaker was -Guo Ping, Huawei's Rotating Chairman - astonishing coincidence, isn't it? -He tried to persuade an audience that all the things anyone heard about his -company are lies, no matter the facts. Hopefully, there were a lot of young -and inexperienced people there, in the other case, the audience might not be +Guo Ping, Huawei's Rotating Chairman - astonishing coincidence, isn't it? He +tried to persuade an audience that all the things anyone heard about his company +are lies, no matter the facts. Hopefully, there were a lot of young and +inexperienced people there, in the other case, the audience might not be persuaded. After the opening, there should be a Night Summit event. But it was raining, and -almost no one came. +almost no one came. Day two started with a something-like-fairs, but many of the companies -exhibiting there had nothing but themselves for sale. At first, I stayed -at [Polish Agency for Enterprise Development](https://en.parp.gov.pl/) stand. -I want to sincerely thank all the people there for helping me to present our +exhibiting there had nothing but themselves for sale. At first, I stayed at +[Polish Agency for Enterprise Development](https://en.parp.gov.pl/) stand. I +want to sincerely thank all the people there for helping me to present our products and let me leave our materials on the stand. After several hours of explaining to children what firmware and embedded are, I've decided to stop wasting my time, and move forward to hunt some commercial pray. I've visited surroundings stands to look for someone who would understand what are we doing, why, and be interested in cooperation. It was tough. Web Summit is large. I was -told that there were over 70.000 attenders and 12.000 CEO. Founding someone -who runs a REAL tech company suitable for us was a lot of walking and talking. +told that there were over 70.000 attenders and 12.000 CEO. Founding someone who +runs a REAL tech company suitable for us was a lot of walking and talking. Finally, I've succeeded but in a bit unexpected way. [![Vadim from Cervi Robotics](https://img.youtube.com/vi/iXUO7wY9EeM/0.jpg)](http://www.youtube.com/watch?v=iXUO7wY9EeM&t) -Vadim has been a member of a [Pomeranian Export Broker](http://www.brokereksportowy.pl) -team and it appeared that the darkest place is under the candlestick. +Vadim has been a member of a +[Pomeranian Export Broker](http://www.brokereksportowy.pl) team and it appeared +that the darkest place is under the candlestick. Day three was marked by the Ukrainian Summit - as far as I know, this party was unofficial and the founders of Web Summit didn't have a hand in it. Yet, that @@ -92,16 +93,17 @@ The next morning has started a bit later than usual, but we've put great pressure to make it efficient. Personally, I've talked to more than a hundred people, visited all the stands on the whole conference and shared cards with anyone who would at least share my interest in IT. In the meantime, it appeared -that our airline has some problems and there might be some issues with -coming home on time. I think the best summary of this whole trip is that the -perspective of its unintentional extension wasn't disturbing at all. +that our airline has some problems and there might be some issues with coming +home on time. I think the best summary of this whole trip is that the +perspective of its unintentional extension wasn't disturbing at all. ## Summary Web Summit wasn't an IT conference in the matter I've expected, yet It was worth -going. If I have another chance to go there I wouldn't hesitate at all. -If you think we can help in improving the security of your firmware or you -looking for someone who can boost your product by leveraging advanced features -of a used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +going. If I have another chance to go there I wouldn't hesitate at all. If you +think we can help in improving the security of your firmware or you looking for +someone who can boost your product by leveraging advanced features of a used +hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2019-12-13-pfsense-boot-under-xen.md b/blog/content/post/2019-12-13-pfsense-boot-under-xen.md index 9a04ec7e..eb0dab96 100644 --- a/blog/content/post/2019-12-13-pfsense-boot-under-xen.md +++ b/blog/content/post/2019-12-13-pfsense-boot-under-xen.md @@ -2,7 +2,7 @@ title: pfSense firewall boot process optimization under Xen hypervisor. Part 2 abstract: In previous article we introduce our implementation of pfSense under Xen. Now, we want to show how you can improve boot process and reduce - virutalized pfSense boot time to minimum. + virtualized pfSense boot time to minimum. cover: /covers/pfsense-logo.png author: piotr.kleinschmidt layout: post @@ -24,11 +24,10 @@ categories: ## Introduction -That article is continuation of [pfSense firewall implementation under Xen -hypervisor. Part -1](https://blog.3mdeb.com/2019/2019-11-06-pfsense-under-xen-introduction/). If -you haven't read that yet, I strongly recommend to get familiar with it before -reading this article. There is basic information about virtualization, +That article is continuation of +[pfSense firewall implementation under Xen hypervisor. Part 1](https://blog.3mdeb.com/2019/2019-11-06-pfsense-under-xen-introduction/). +If you haven't read that yet, I strongly recommend to get familiar with it +before reading this article. There is basic information about virtualization, hypervisor and our build configuration. Here, I focused only on **pfSense booting optimization**. You will find out what @@ -60,7 +59,7 @@ way determined by vendors as `beastie menu`). Also we disabled auto-boot time, so the kernel is loaded automatically without any delay. Following logs show what boot time we achieved. -``` +```bash [09:47:49] PC Engines apu2 [09:47:49] coreboot build 20190810 [09:47:49] BIOS version v4.10.0.2 @@ -114,8 +113,8 @@ what boot time we achieved. ``` > Timestamps shown above are taken as local time used in running machine. -Therefore, to count boot time, it is needed to subtract last time log from first -time log +> Therefore, to count boot time, it is needed to subtract last time log from +> first time log Boot time is given in following format: `HH:MM:SS` @@ -130,7 +129,7 @@ Running pfSense without any modifications wasn't optimistic. Boot performance was very poor and it seemed like there are unnecessary delays in-between entire process. -``` +```bash 00:00:06 /boot/config: -S115200 -D 00:00:10 Consoles: internal video/keyboard serial port 00:00:10 BIOS drive C: is disk0 @@ -193,8 +192,8 @@ process. 00:03:58 ``` ->Timestamps are given as stopwatch format counting from 00:00:00. Therefore, -last value is boot time +> Timestamps are given as stopwatch format counting from 00:00:00. Therefore, +> last value is boot time Attempt 1: **pfSense in VM boot time** : **00:03:58** @@ -206,7 +205,7 @@ We can see several issues here: To optimize pfSense we added those lines to `/boot/loader.conf.local` file: -``` +```bash autoboot_delay="-1" // Disable autoboot kern.cam.boot_delay=0 // Disable additional installation disc delay boot_multicons="NO" // Disable multiconsole support @@ -222,8 +221,8 @@ maybe we should look for the source of the problem somewhere else... ### Debug Xen -If the problem doesn't lie in pfSense itself, then it certainly must lie higher - -in the hypervisor. Fortuantely, Xen has a very helpful tool for debugging +If the problem doesn't lie in pfSense itself, then it certainly must lie higher +\- in the hypervisor. Fortuantely, Xen has a very helpful tool for debugging purpose. We used `Xentrace` and `Xenalyze`. Usage of them is well-descripted [here](https://xenproject.org/2012/09/27/tracing-with-xentrace-and-xenalyze/), so I won't duplicate that article. What you might need to know, `Xentrace` is a @@ -257,7 +256,7 @@ register accesses = less IOIO interrupts = less exits to hypervisor. Entire configuration of `pfsense.cfg` is shown below: -``` +```bash name = "pfsense" type = "hvm" vcpus = 4 @@ -285,18 +284,18 @@ disk = [ '/usr/share/xen-images/pfsense.img,,sdb,rw' ] Let see how it affected boot process: -``` -00:00:06 /boot/config: -S115200 -D -00:00:10 Consoles: internal video/keyboard serial port -00:00:10 BIOS drive C: is disk0 -00:00:10 BIOS 639kB/1047548kB available memory -00:00:10 -00:00:10 FreeBSD/x86 bootstrap loader, Revision 1.1 -00:00:10 (Wed Nov 21 08:03:01 EST 2018 root@buildbot2.nyi.netgate.com) -00:00:11 Loading /boot/defaults/loader.conf -00:00:11 Finish /boot/defaults/loader.conf -00:00:12 Loading /boot/loader.conf.local -00:00:12 Finish /boot/loader.conf.local +```bash +00:00:06 /boot/config: -S115200 -D +00:00:10 Consoles: internal video/keyboard serial port +00:00:10 BIOS drive C: is disk0 +00:00:10 BIOS 639kB/1047548kB available memory +00:00:10 +00:00:10 FreeBSD/x86 bootstrap loader, Revision 1.1 +00:00:10 (Wed Nov 21 08:03:01 EST 2018 root@buildbot2.nyi.netgate.com) +00:00:11 Loading /boot/defaults/loader.conf +00:00:11 Finish /boot/defaults/loader.conf +00:00:12 Loading /boot/loader.conf.local +00:00:12 Finish /boot/loader.conf.local 00:00:30 (...) /boot/kernel/kernel text=0x17c1930 data=0xb93d38+0x557b28 syms=[0x8+0x197400+0x8+0x197f72] @@ -328,8 +327,8 @@ Let see how it affected boot process: 00:01:40 ``` ->Timestamps are given as stopwatch format counting from 00:00:00. Therefore, -last value is boot time +> Timestamps are given as stopwatch format counting from 00:00:00. Therefore, +> last value is boot time Attempt 3: **pfSense in VM boot time** : **00:01:40** @@ -347,6 +346,7 @@ the better you know the problem, the better solution you can apply. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-01-10-genode.md b/blog/content/post/2020-01-10-genode.md index eaa0ee78..f153d82e 100644 --- a/blog/content/post/2020-01-10-genode.md +++ b/blog/content/post/2020-01-10-genode.md @@ -21,20 +21,19 @@ categories: --- -L4 microkernels -=============== +## L4 microkernels Recently we've had an idea to create a hypervisor managing 2 virtual machines each one running simultaneously. One VM should run an RTOS and second a simple application performing calculations. This article is about considerations on using L4 microkernels on VM in such project. -``` +```bash A concept is tolerated inside the μ-kernel only if moving it outside the kernel, i.e. permitting competing implementations, would prevent the implementation of the system’s required functionality. - J. Liedtke + J. Liedtke ``` Because of that rule microkernels implement only address spaces, threads and IPC @@ -47,23 +46,22 @@ Least Authority (POLA). Advantages of microkernels: -* modularity - functionality can be added without changes to the kernel itself, -* security - POLA, address spaces are isolated by the kernel, -* robustness - simple code base, easy to test and review, drivers are +- modularity - functionality can be added without changes to the kernel itself, +- security - POLA, address spaces are isolated by the kernel, +- robustness - simple code base, easy to test and review, drivers are implemented mainly in user space so bad driver cannot directly crash the kernel Disadvantages: -* performance - more context switches between kernel and user space, especially -for drivers -* complex process management -* as kernel itself is very simple, application usually must implement key +- performance - more context switches between kernel and user space, especially + for drivers +- complex process management +- as kernel itself is very simple, application usually must implement key components or ensure that another application implements it and communicate with that second application. This generates even more context switches. -Genode -====== +## Genode [Genode](https://genode.org/) is an Operating System Framework. It is built from [components](https://genode.org/documentation/components) which can be anything @@ -75,22 +73,22 @@ There are many kernels in L4 family. Genode can use some of them by using [getting started](https://genode.org/documentation/developer-resources/getting_started) section, but it might not be complete (e.g. `sel4` kernel requires some additional Python modules). The most complete and reliable source about Genode -is [Genode Foundation book](https://genode.org/documentation/genode-foundations/index) +is +[Genode Foundation book](https://genode.org/documentation/genode-foundations/index) . -seL4 ----- +### seL4 This kernel can be build with: -``` +```bash make KERNEL=sel4 BOARD=pc run/demo ``` Unfortunately, kernel seems to hang or stuck in loop in QEMU with black screen and output on serial port ending with: -``` +```bash [init -> drivers -> fb_drv] fb mapped to 0xb000000 [init -> drivers -> fb_drv] using video mode: 1024x768@16 [init -> drivers -> fb_drv] using buffered output @@ -111,24 +109,23 @@ VM cannot monopolize CPU time or control resources outside of its permitted address space. These limitations are common to all L4 kernels as a consequence of POLA. -NOVA ----- +### NOVA NOVA is an OS virtualization architecture. It consists of two distinct parts. -First one is microhypervisor, which is a privileged layer of virtualization, -it is responsible for isolation and communication mechanisms. The other part -runs in user-level environment, this piece is called VMM and it is *not* a part -of hypervisor in NOVA's language. This might be different from other -definitions of those terms. For more information see [this paper](http://hypervisor.org/eurosys2010.pdf). -It also contains some general information about device virtualization and -benchmark results. +First one is microhypervisor, which is a privileged layer of virtualization, it +is responsible for isolation and communication mechanisms. The other part runs +in user-level environment, this piece is called VMM and it is _not_ a part of +hypervisor in NOVA's language. This might be different from other definitions of +those terms. For more information see +[this paper](http://hypervisor.org/eurosys2010.pdf). It also contains some +general information about device virtualization and benchmark results. Following the microkernel approach, the NOVA microhypervisor provides the three basic abstractions: -* Address spaces isolating processes are called Protection Domains (PD), -* Threads are formed by Execution Contexts (EC) and Scheduling Contexts (SC), -* Inter-process communication is established via Portals. +- Address spaces isolating processes are called Protection Domains (PD), +- Threads are formed by Execution Contexts (EC) and Scheduling Contexts (SC), +- Inter-process communication is established via Portals. VMM is the part that defines virtualization level of NOVA. It can be a faithful virtualization (where unmodified guest OS is run as Genode subsystem) via @@ -136,20 +133,21 @@ VirtualBox for most OSes or via Seoul VMM for Linux-based guests. Other VMMs might have better performance due to paravirtualization (by reducing required number of VM exits), but these require support from the guest OSes. -## Summary +### Summary One of the VMs in original idea was supposed to be a complete RTOS, delivered in binary form. As such, it would be very difficult (if not impossible) to port this to run as an application under L4 kernel. Because of that we couldn't use seL4, even though it is a good option if one starts such project from scratch. -NOVA is better suited for such uses. For Linux-like OS Seoul can be used as -a VMM, for other systems choose VirtualBox. If OS has working drivers, other +NOVA is better suited for such uses. For Linux-like OS Seoul can be used as a +VMM, for other systems choose VirtualBox. If OS has working drivers, other options with paravirtualization can be used for achieving better performance while keeping low size of VMM. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-01-23-vmx-exit-reasons-and-handlers.md b/blog/content/post/2020-01-23-vmx-exit-reasons-and-handlers.md index 8b3744f7..4140ebc0 100644 --- a/blog/content/post/2020-01-23-vmx-exit-reasons-and-handlers.md +++ b/blog/content/post/2020-01-23-vmx-exit-reasons-and-handlers.md @@ -30,7 +30,7 @@ Previous posts: 1. [5 terms every hypervisor developer should know](https://blog.3mdeb.com/2019/2019-04-30-5-terms-every-hypervisor-developer-should-know/) \- very basic theory of VMX -2. [Building and running Bareflank](https://blog.3mdeb.com/2019/2019-05-15-building-bareflank/) +1. [Building and running Bareflank](https://blog.3mdeb.com/2019/2019-05-15-building-bareflank/) \- instructions for building and running Bareflank-based hypervisor on a UEFI platform @@ -49,26 +49,26 @@ MSRs (index 480h and following). Unconditional reasons for VM exit include: -* CPUID -* RDMSR and WRMSR unless MSR bitmap is used -* most of VMX instructions -* INIT signal -* SIPI signal - does not result in exit if the processor is not in wait-for-SIPI +- CPUID +- RDMSR and WRMSR unless MSR bitmap is used +- most of VMX instructions +- INIT signal +- SIPI signal - does not result in exit if the processor is not in wait-for-SIPI state -* triple fault -* task switches (hardware, including -* VM entry failure +- triple fault +- task switches (hardware, including +- VM entry failure There are too many controllable exit reasons to describe each one separately, but most of them can be classified as one of: -* interrupts or interrupt windows -* I/O ports access -* memory access - controlled by EPT -* HLT/PAUSE and pre-emption timer - useful for multiple VMs running on one +- interrupts or interrupt windows +- I/O ports access +- memory access - controlled by EPT +- HLT/PAUSE and pre-emption timer - useful for multiple VMs running on one physical CPU -* changes to descriptor tables and control registers -* APIC access +- changes to descriptor tables and control registers +- APIC access Exit reason is reported in VMCS after VM exit, along with exit qualification when necessary. @@ -84,21 +84,21 @@ control registers needs to be processed by VMM so they can be masked in VMCS. ### Handlers Handlers for various exit reasons are the most important part of hypervisors. -They can emulate some hardware accesses and pass through the rest of them to -the hardware, possibly modifying them along the way. +They can emulate some hardware accesses and pass through the rest of them to the +hardware, possibly modifying them along the way. Almost all VM exits are like faults when compared to normal IA-32 interrupts - state from **before** exiting instruction is saved, none of the results is stored and saved RIP points to that instruction. Unlike interrupts, the size of instruction is also saved so it can be skipped easily if needed. -An example of a trap-like VM exit (when a state **after** exiting instruction -is saved) is APIC write. Usually there are multiple writes to APIC memory (or -MSRs in the case of x2APIC) that only describe an interrupt that will happen -later. It is possible to virtualize APIC accesses - data is written to a -remapped, virtual APIC page without causing VM exits. Trap-like delivery of -this exit reason makes it possible to read all the necessary information from -the virtual APIC page, instead of parsing the last write instruction manually. +An example of a trap-like VM exit (when a state **after** exiting instruction is +saved) is APIC write. Usually there are multiple writes to APIC memory (or MSRs +in the case of x2APIC) that only describe an interrupt that will happen later. +It is possible to virtualize APIC accesses - data is written to a remapped, +virtual APIC page without causing VM exits. Trap-like delivery of this exit +reason makes it possible to read all the necessary information from the virtual +APIC page, instead of parsing the last write instruction manually. VMCS does not have fields for general purpose registers - only RIP, RSP, control, segment and system table registers are saved. This is done because not @@ -143,10 +143,11 @@ performance considerations. Using default API, events are not directly injected. Instead, they are added to the queue and VM exit on interrupt window (see below) is enabled. Bareflank does not check if interrupt can be injected at the moment, so it ends up with an additional trip to the VM and back. Every transition takes -hundreds of clock cycles, some more are required for VMM code. It does, -however, allow for easy queuing of events, and helps with a situation when -multiple events are being injected on one VM entry. For rationale and better -explanation see note in [interrupt_window.cpp](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/src/hve/arch/intel_x64/vmexit/interrupt_window.cpp#L47). +hundreds of clock cycles, some more are required for VMM code. It does, however, +allow for easy queuing of events, and helps with a situation when multiple +events are being injected on one VM entry. For rationale and better explanation +see note in +[interrupt_window.cpp](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/src/hve/arch/intel_x64/vmexit/interrupt_window.cpp#L47). > Interrupt window is a period in which CPU can receive external interrupts. > They can be received only when RFLAGS.IF = 1, but they are also inhibited for @@ -157,10 +158,11 @@ explanation see note in [interrupt_window.cpp](https://github.com/Bareflank/hype Keep in mind that we are looking at almost a year-old code. It is most likely no longer valid, but I don't want to change to newer code in the middle of these series of blog posts to avoid confusion. This isn't a full description of API by -any means, it is just a list of methods from [vcpu.h](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/include/hve/arch/intel_x64/vcpu.h) +any means, it is just a list of methods from +[vcpu.h](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/include/hve/arch/intel_x64/vcpu.h) which we will be using, along with some of my personal notes. -```cpp +```bashcpp vcpu::advance() ``` @@ -171,38 +173,40 @@ in another VM exit when re-run. This small-but-potent function patches guest RIP in VMCS by adding the instruction size to it. It is usually used as `return vcpu->advance()` in handlers, hence the return value. -```cpp +```bashcpp vcpu::dump(const char *str) ``` + > Outputs the state of the vCPU with a custom header Prints general-purpose registers, control registers, guest address (both linear and physical), exit reason and exit qualification. -```cpp +```bashcpp vcpu::add_exit_handler(const handler_delegate_t &d) ``` -> Adds an exit function to the exit list. Exit functions are executed -> right after a vCPU exits for any reason. Use this with care because -> this function will be executed a lot. +> Adds an exit function to the exit list. Exit functions are executed right +> after a vCPU exits for any reason. Use this with care because this function +> will be executed a lot. > > Note the return value of the delegate is ignored More about delegates below. -```cpp +```bashcpp vcpu::add_handler(::intel_x64::vmcs::value_type reason,const handler_delegate_t &d) ``` > Adds an exit handler to the vCPU Generic way of adding handlers for all defined reasons. Bareflank's names for -exit reasons can be found in [32bit_read_only_data_fields.h](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfintrinsics/include/arch/intel_x64/vmcs/32bit_read_only_data_fields.h#L155). -For most common exit reasons (or those requiring some additional work) there -are specialized `add_*_handler()` methods. +exit reasons can be found in +[32bit_read_only_data_fields.h](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfintrinsics/include/arch/intel_x64/vmcs/32bit_read_only_data_fields.h#L155). +For most common exit reasons (or those requiring some additional work) there are +specialized `add_*_handler()` methods. -```cpp +```bashcpp vcpu::add_io_instruction_handler( vmcs_n::value_type port, const io_instruction_handler::handler_delegate_t &in_d, @@ -214,7 +218,7 @@ on given port by setting the appropriate bit in I/O bitmaps. Separate handlers can be defined for read and write operations. Notice that it uses a different type for handler delegate - more about it later. -```cpp +```bashcpp vcpu::add_default_io_instruction_handler(const ::handler_delegate_t &d) ``` @@ -222,13 +226,13 @@ Nothing special about this particular adder, I just listed it to show that some exit reasons have default handlers. Those are called if all other handlers returned `false`. -```cpp +```bashcpp vcpu::trap_on_msr_access(vmcs_n::value_type msr) ``` -> Sets a '1' in the MSR bitmap corresponding with the provided msr. All -> attempts made by the guest to read/write from the provided msr will be -> trapped by the hypervisor. +> Sets a '1' in the MSR bitmap corresponding with the provided msr. All attempts +> made by the guest to read/write from the provided msr will be trapped by the +> hypervisor. Helper function that enables exiting without installing a new handler. Might be used along with `pass_through_msr_access()` to toggle exiting. If run without @@ -236,16 +240,18 @@ installing a handler, the default handler is used. ### Handlers, delegates and info -VM exit lands in [exit_handler_entry.asm](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/src/hve/arch/intel_x64/exit_handler_entry.asm) +VM exit lands in +[exit_handler_entry.asm](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/src/hve/arch/intel_x64/exit_handler_entry.asm) initially, where it just saves guest values of registers and calls -`exit_handler::handle()` from [exit_handler.cpp](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/src/hve/arch/intel_x64/exit_handler.cpp#L727). +`exit_handler::handle()` from +[exit_handler.cpp](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/src/hve/arch/intel_x64/exit_handler.cpp#L727). At the point of merging EAPIs to the main tree, this was done with some assumptions about name mangling, it is no longer the case in newer code. Apart from exception handling and dumping CPU state in case of not handled exit reason, this function performs two loops: -```cpp +```bashcpp for (const auto &d : exit_handler->m_exit_handlers) { d(exit_handler->m_vcpu); } @@ -262,17 +268,18 @@ reason, this function performs two loops: } ``` -First one calls **all** of the delegates added with `vcpu::add_exit_handler(const handler_delegate_t &d)`. -The other one goes through the delegates for the appropriate reason. Note that -only the second loop checks for a return value of delegate and calls `vcpu::run()` -when `true` is returned. Without going into too many details, this results in VM -entry. +First one calls **all** of the delegates added with +`vcpu::add_exit_handler(const handler_delegate_t &d)`. The other one goes +through the delegates for the appropriate reason. Note that only the second loop +checks for a return value of delegate and calls `vcpu::run()` when `true` is +returned. Without going into too many details, this results in VM entry. Most VM exits provide more information than just an exit reason. In such a case, it makes sense to use that information to reduce the number of delegates called. For example, on exits due to I/O port accesses, port number and direction of access (in or out) is saved. So, instead of calling final delegates directly, -another layer is added, and a handler from [io_instruction.cpp](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/src/hve/arch/intel_x64/vmexit/io_instruction.cpp#L128) +another layer is added, and a handler from +[io_instruction.cpp](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/src/hve/arch/intel_x64/vmexit/io_instruction.cpp#L128) is called. It is responsible for filling `info_t` structure for final handlers, dealing with string instructions and `rep` prefixes and calling `handle_in()` or `handle_out()`, depending on the direction. Only then user-implemented handlers @@ -281,12 +288,13 @@ given port number. If there are no valid handlers for that port (i.e. handlers that return `true`), a default one (added with `vcpu::add_default_io_instruction_handler()`) is called. -For I/O, user handlers use delegates in form of `bool handler_name(vcpu *, info_t &)`, -where `info_t` is defined in [io_instruction.h](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/include/hve/arch/intel_x64/vmexit/io_instruction.h#L66) +For I/O, user handlers use delegates in form of +`bool handler_name(vcpu *, info_t &)`, where `info_t` is defined in +[io_instruction.h](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/include/hve/arch/intel_x64/vmexit/io_instruction.h#L66) as (original comments removed for clarity - check them for description and default values; my warnings added instead): -```cpp +```bashcpp struct info_t { uint64_t port_number; uint64_t size_of_access; @@ -303,9 +311,11 @@ default values; my warnings added instead): That example was specific for I/O operations, other exit reasons use different logic in handlers. Internals of them isn't usually important, but for curious, -they can be found in [vmexit](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/src/hve/arch/intel_x64/vmexit) +they can be found in +[vmexit](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/src/hve/arch/intel_x64/vmexit) directory. What is important, `info_t` and delegate function type is different -for other exit reasons. Both of them can be found in another [vmexit](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/include/hve/arch/intel_x64/vmexit) +for other exit reasons. Both of them can be found in another +[vmexit](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/include/hve/arch/intel_x64/vmexit) directory, in header files for appropriate exit reasons. ## Our very own handler @@ -320,14 +330,15 @@ case of every printed letter. Now, the proper way would be to create another directory and showing Cmake that it should use it. As we are building on top of the EFI target from the [previous post](https://blog.3mdeb.com/2019/2019-05-15-building-bareflank/), -adding code to [test_efi.cpp](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/integration/arch/intel_x64/efi/test_efi.cpp) +adding code to +[test_efi.cpp](https://github.com/Bareflank/hypervisor/blob/ba613e2c687f7042bac6886858cf6da3132a61d6/bfvmm/integration/arch/intel_x64/efi/test_efi.cpp) is much easier, especially for someone who is not experienced in Cmake. This file contains a minimal constructor for vCPU. Those two calls are used to set up EPT, suffice it to say EPT is required for Bareflank on top of UEFI (more about it in the next posts). This is where we are going to add our own handlers: -```cpp +```bashcpp explicit vcpu(vcpuid::type id) : bfvmm::intel_x64::vcpu{id} { @@ -353,7 +364,7 @@ starting with the read handler. We need to do so even though we won't do anything in this handler, as there is no way to enable exiting on writes, but not on reads for the given port. Delegates can be private members of vcpu class: -```cpp +```bashcpp private: bool in_handler(gsl::not_null vcpu, io_instruction_handler::info_t &info) @@ -372,7 +383,7 @@ This one is also easy. Remember `write_value` in `info_t`? Just set it to `true` and we're done. The value will not be sent through this port anymore from the VM (Bareflank can still print its messages with e.g. `bfdebug_info()`). -```cpp +```bashcpp bool out_handler(gsl::not_null vcpu, io_instruction_handler::info_t &info) { @@ -381,14 +392,15 @@ and we're done. The value will not be sent through this port anymore from the VM } ``` -To test it, follow instructions from the [previous post](https://blog.3mdeb.com/2019/2019-05-15-building-bareflank/). +To test it, follow instructions from the +[previous post](https://blog.3mdeb.com/2019/2019-05-15-building-bareflank/). Compare output from VGA and serial. ### Second modification - case swap This one seems easier than it is, actually. Starting with a naive approach: -```cpp +```bashcpp bool out_handler(gsl::not_null vcpu, io_instruction_handler::info_t &info) { @@ -407,8 +419,10 @@ return key Bad Things™ happen... #### Second modification - revised -The issue is that UEFI uses [ANSI escape codes](https://en.wikipedia.org/wiki/ANSI_escape_code) -to move around the screen. From table with [terminal output sequences](https://en.wikipedia.org/wiki/ANSI_escape_code#Terminal_output_sequences) +The issue is that UEFI uses +[ANSI escape codes](https://en.wikipedia.org/wiki/ANSI_escape_code) to move +around the screen. From table with +[terminal output sequences](https://en.wikipedia.org/wiki/ANSI_escape_code#Terminal_output_sequences) we can read that those sequences start with `ESC [`, followed by some non-alpha sequence (zero or more decimal numbers and possibly a semicolon), followed by a single letter. This means that we must pass everything from the initial `0x1B` @@ -416,7 +430,7 @@ byte (`ESC`) up to and including first letter character unchanged. At the very beginning of `out_handler()` add: -```cpp +```bashcpp static bool is_escape_code = false; // escape codes - do not modify them @@ -468,6 +482,7 @@ posts will be more regular. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX). +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2020-02-05-meta-pcengines-xen.md b/blog/content/post/2020-02-05-meta-pcengines-xen.md index 627260bc..700a831d 100644 --- a/blog/content/post/2020-02-05-meta-pcengines-xen.md +++ b/blog/content/post/2020-02-05-meta-pcengines-xen.md @@ -20,85 +20,80 @@ categories: - Manufacturing --- + ### What is the Xen Project? Xen Project creates a software system, that allows the execution of multiple -virtual guest environments simultaneously on a single physical machine. -It is valuable when you want to create a complex security software system -consisting of several operating systems. Unprivileged domains -(domUs), such as virtual operating systems have no direct access to the -hardware. - -Between software and hardware is a hypervisor. It allocates resources for -new domains (the virtual operating systems) and schedules the existing ones. -To learn more about hypervisor see the official +virtual guest environments simultaneously on a single physical machine. It is +valuable when you want to create a complex security software system consisting +of several operating systems. Unprivileged domains (domUs), such as virtual +operating systems have no direct access to the hardware. + +Between software and hardware is a hypervisor. It allocates resources for new +domains (the virtual operating systems) and schedules the existing ones. To +learn more about hypervisor see the official [documentation](https://wiki.xenproject.org/wiki/Hypervisor). ### What is Domain0? - -

    -

    Xen Project architecture

    -

    -     - ![Diagram](/img/xen-architecture.jpg) As shown in the figure, domain0 (dom0) is the privileged domain, which manages -unprivileged domUs. Dom0 is started by the hypervisor at the boot and -ensures its usability. Therefore the dom0 has direct access to the -hardware. The Domain0 provides hardware connections to domUs. Depending on the -guest type, dom0 allows hardware virtualized guests (HVM) to use emulated -hardware. In the case of paravirtualized domains (PV), the dom0 connects -the domUs with the hardware via backend and the drivers. Here is more -information about [Virtualization Spectrum](https://wiki.xenproject.org/wiki/Understanding_the_Virtualization_Spectrum) +unprivileged domUs. Dom0 is started by the hypervisor at the boot and ensures +its usability. Therefore the dom0 has direct access to the hardware. The Domain0 +provides hardware connections to domUs. Depending on the guest type, dom0 allows +hardware virtualized guests (HVM) to use emulated hardware. In the case of +paravirtualized domains (PV), the dom0 connects the domUs with the hardware via +backend and the drivers. Here is more information about +[Virtualization Spectrum](https://wiki.xenproject.org/wiki/Understanding_the_Virtualization_Spectrum) ### How to build Dom0 on the PC Engines apu2? -We will use the [meta-pcengines repository](https://github.com/3mdeb/meta-pcengines/tree/c4ee98ab390b073807173584107c09f49ac1e390). -to build the special domain for the PC Engines apu2 board. -The repository contains the yocto layer, that allows you to create a -minimal image of the dom0. The meta-pcengines uses a -[kas tool](https://kas.readthedocs.io/en/1.0/) to build the dom0 image. -Installation, configuration, and some more information about this tool -you can find in the previous [blog](https://blog.3mdeb.com/2019/2019-02-07-kas/). +We will use the +[meta-pcengines repository](https://github.com/3mdeb/meta-pcengines/tree/c4ee98ab390b073807173584107c09f49ac1e390). +to build the special domain for the PC Engines apu2 board. The repository +contains the yocto layer, that allows you to create a minimal image of the dom0. +The meta-pcengines uses a [kas tool](https://kas.readthedocs.io/en/1.0/) to +build the dom0 image. Installation, configuration, and some more information +about this tool you can find in the previous +[blog](https://blog.3mdeb.com/2019/2019-02-07-kas/). Once you have installed the kas, clone the [meta-pcengines repository](https://github.com/3mdeb/meta-pcengines/tree/c4ee98ab390b073807173584107c09f49ac1e390). -To reproduce my results, check if the source commit matches shown above. -The source consists of configuration files, a kas configuration file, -and recipe files. The layer configuration specifies settings for the platform -and distro It points out where the recipes are placed. The kas configuration -file is used by the kas tool to clone and checkout Yocto layers. It also -allows kas to create default BitBake variables such as MACHINE, DISTRO, etc. +To reproduce my results, check if the source commit matches shown above. The +source consists of configuration files, a kas configuration file, and recipe +files. The layer configuration specifies settings for the platform and distro It +points out where the recipes are placed. The kas configuration file is used by +the kas tool to clone and checkout Yocto layers. It also allows kas to create +default BitBake variables such as MACHINE, DISTRO, etc. Now it is time to create the build. Move to the meta-pcengines parent directory and enter the command: -``` +```bash SHELL=bash kas-docker build meta-pcengines/kas.yml ``` The dom0 image build process can take several hours, so you can take a coffee break. Once the build is finished, you will see a similar output: -``` +```bash NOTE: Executing Tasks NOTE: Setscene tasks completed -NOTE: Tasks Summary: Attempted 2871 tasks of which 0 didn't need to be rerun and all - succeeded. +NOTE: Tasks Summary: Attempted 2871 tasks of which 0 didn't need to be rerun and + all succeeded. ``` At this point, create a bootable USB drive. Change the directory to `/build/tmp/deploy/images/pcengines-apu2` and replace sdx in below command with the device node of your USB flash drive. -``` +```bash sudo dd bs=4M if=xen-dom0-image-pcengines-apu2.hddimg of=/dev/sdx ``` -Once you have created the bootable drive, try to boot your platform. -The following video shows the correct bootlog: +Once you have created the bootable drive, try to boot your platform. The +following video shows the correct bootlog: [![asciicast](https://asciinema.org/a/Tr4hhF9sBKC0C9YO5GkwHUrcJ.svg)](https://asciinema.org/a/Tr4hhF9sBKC0C9YO5GkwHUrcJ?t=16) @@ -108,7 +103,7 @@ Once you have booted the dom0 on your apu2 platform, it is time to launch a VM guest. At first write the config file, where you will set up the guest domain options. Here is an example: -``` +```bashtoml name = "ndvm" type = "hvm" vcpus = 2 @@ -121,11 +116,12 @@ disk=[ '/mnt/xen-ndvm-image-1.hddimg,,sda,rw' ] You have to set the `name` of your new guest domain. In the `disk` variable, point the path of the image guest image. A detailed description of each variable -is given on the [xenbits website](https://xenbits.xen.org/docs/unstable/man/xl.cfg.5.html). +is given on the +[xenbits website](https://xenbits.xen.org/docs/unstable/man/xl.cfg.5.html). Create the VM guest with the command: -``` +```bash xl create \.cfg ``` @@ -136,6 +132,6 @@ The following output shows the boot process of the domU: ### Conclusions The main goal of the meta-pcengines is to enable Yocto builds for pcengines -(apu2) boards. It provides a good base for various use cases such as Xen. -In future blogs, we will show more application examples. -So if you are interested [sign up to our newsletter](http://eepurl.com/doF8GX). +(apu2) boards. It provides a good base for various use cases such as Xen. In +future blogs, we will show more application examples. So if you are interested +[sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2020-02-18-ew2020-btg-demo.md b/blog/content/post/2020-02-18-ew2020-btg-demo.md index e7d377ea..062c60bc 100644 --- a/blog/content/post/2020-02-18-ew2020-btg-demo.md +++ b/blog/content/post/2020-02-18-ew2020-btg-demo.md @@ -22,48 +22,49 @@ categories: - Firmware - Security - --- + ### What is Boot Guard? -Boot Guard does not mean exactly what its name suggest, it is not -protecting shoes. In firmware and BIOS nomenclature `boot` means the bootstrap -process, which is the early processor initialization routine. Almost every -modern machine or processor has some kind of firmware which is responsible for -the bootstrap process - booting - which prepares the silicon to load the target -application or operating system. So ‘Boot Guard’ quite literally protects the -boot process and the firmware. But from what should it protect and why? You can -find it out by spending a few minutes to read this post. +Boot Guard does not mean exactly what its name suggest, it is not protecting +shoes. In firmware and BIOS nomenclature `boot` means the bootstrap process, +which is the early processor initialization routine. Almost every modern machine +or processor has some kind of firmware which is responsible for the bootstrap +process - booting - which prepares the silicon to load the target application or +operating system. So ‘Boot Guard’ quite literally protects the boot process and +the firmware. But from what should it protect and why? You can find it out by +spending a few minutes to read this post. ![Boot + Guard](/covers/boot_guard.png) --- + ### Why Boot Guard? -Nowadays security researchers are very focused on the trustworthiness, -security, and hardware-level safety of the computers we use everyday. These -so-called “white hat” researchers explore every possible vulnerability and -attack vector in modern systems to find holes in the security of the most -crucial parts of our modern systems, such as Intel ME, UEFI, and others. -Conversely, the bad guys, commonly known as “black hats” are constantly trying -to find new and innovative ways of gaining access to systems that are harder to -detect. Traditionally, the bad guys would find bugs in browsers or network -protocols that would give them root access to the operating system and allow -them to then install tools to keep their access persistent. Researchers and -anti-virus companies would usually detect these exploits by scanning memory or -files for known virus signatures, then patch holes and cleanse infected -systems. However, this game of security cat and mouse has now evolved to the -point where the bad guys are looking for new and interesting ways of not only -gaining access to systems, but also maintaining that access undetected. -Logically, the place for malicious software to hide and stay undetected is in -the part of the system that the operating system and no knowledge of or access -to - the system firmware. +Nowadays security researchers are very focused on the trustworthiness, security, +and hardware-level safety of the computers we use everyday. These so-called +“white hat” researchers explore every possible vulnerability and attack vector +in modern systems to find holes in the security of the most crucial parts of our +modern systems, such as Intel ME, UEFI, and others. Conversely, the bad guys, +commonly known as “black hats” are constantly trying to find new and innovative +ways of gaining access to systems that are harder to detect. Traditionally, the +bad guys would find bugs in browsers or network protocols that would give them +root access to the operating system and allow them to then install tools to keep +their access persistent. Researchers and anti-virus companies would usually +detect these exploits by scanning memory or files for known virus signatures, +then patch holes and cleanse infected systems. However, this game of security +cat and mouse has now evolved to the point where the bad guys are looking for +new and interesting ways of not only gaining access to systems, but also +maintaining that access undetected. Logically, the place for malicious software +to hide and stay undetected is in the part of the system that the operating +system and no knowledge of or access to - the system firmware. How do you know that software you use is trustful, secure and hasn't been maliciously modified before execution? One can only ensure this by establishing the Root of Trust (ROT) as early as possible. There are 2 main type of ROTs: + - SRTM - Static Root of Trust for Measurement - DRTM - Dynamic Root of Trust for Measurement @@ -79,15 +80,17 @@ responsible for establishing ROT and further firmware image verification. While this all sounds great, how can one protect this early code responsible for temporary memory setup and ROT establishment? -> For more details about ROT refer to [NIST](https://csrc.nist.gov/Projects/Hardware-Roots-of-Trust). +> For more details about ROT refer to +> [NIST](https://csrc.nist.gov/Projects/Hardware-Roots-of-Trust). > -> Some details about DRTM can be found on [TrenchBoot GitHub](https://github.com/TrenchBoot/documentation). -> We are also involved in DRTM development on AMD platforms and contribute -> actively to TrenchBoot. One may find our achievements on various conferences: +> Some details about DRTM can be found on +> [TrenchBoot GitHub](https://github.com/TrenchBoot/documentation). We are also +> involved in DRTM development on AMD platforms and contribute actively to +> TrenchBoot. One may find our achievements on various conferences: > > - [PSEC2019 - Less-Insecure Network Edge Virtualization with Low Size, Weight and Power](https://www.platformsecuritysummit.com/2019/) > -> - [OSFC2019 - TrenchBoot - Open DRTM implementation for AMD platforms](https://osfc.io/talks/trenchboot-open-drtm-implementation-for-amd-platforms) +> - [OSFC2019 - TrenchBoot - Open DRTM implementation for AMD platforms](https://www.osfc.io/2019/talks/trenchboot-open-drtm-implementation-for-amd-platforms/) Protecting the ROT can be achieved by locking the SPI flash containing the firmware for example, however this does not protect the SPI from a desoldering @@ -101,52 +104,53 @@ setup and ROT establishment before the firmware is able to execute. Because of that Boot Guard is an SRTM solution. --- + ### How Boot Guard works? -Intel Boot Guard is a feature that allows firmware verification before the -first instructions get executed. How was this achieved? This feature is -supported by Intel ME, which instructs the processor to load an Authenticated -Code Module (ACM) signed by Intel responsible for manifests validation and boot -policy enforcement. During the verification process, ME utilizes the Key -Manifest, Boot Policy Manifest (which is a part of Boot Guard) and the Firmware -Interface Table (FIT). Before fetching the first firmware instructions, the -processor searches for the FIT and applies microcode updates which are pointed -by FIT. The microcode verifies the ACM, which verifies the Key Manifest, which -verifies Boot Policy Manifest (so complicated right?). In the end the Boot -Policy Manifest contains the hashes and signatures of the code regions in -firmware that have to be protected and verified. After the firmware -verification, ACM allows the processor to fetch the first instructions to be -executed. +Intel Boot Guard is a feature that allows firmware verification before the first +instructions get executed. How was this achieved? This feature is supported by +Intel ME, which instructs the processor to load an Authenticated Code Module +(ACM) signed by Intel responsible for manifests validation and boot policy +enforcement. During the verification process, ME utilizes the Key Manifest, Boot +Policy Manifest (which is a part of Boot Guard) and the Firmware Interface Table +(FIT). Before fetching the first firmware instructions, the processor searches +for the FIT and applies microcode updates which are pointed by FIT. The +microcode verifies the ACM, which verifies the Key Manifest, which verifies Boot +Policy Manifest (so complicated right?). In the end the Boot Policy Manifest +contains the hashes and signatures of the code regions in firmware that have to +be protected and verified. After the firmware verification, ACM allows the +processor to fetch the first instructions to be executed. So in the event that the firmware is maliciously modified, it would not be able to execute. It would fail because the manifest that holds the firmware signing -keys would fail the firmware verification. As an added step, the public key -hash of the key used to sign the Key Manifest can be burned into the ME and -locked permanently to ensure that no one except the key owner can change the -firmware signed in the Boot Policy Manifest. - -The flow described here is one of the most restrictive profiles that Boot -Guard offers - strict verification without remediation. There are less -restrictive profiles which allow the platform to keep running for 30 minutes if -firmware verification fails in order to restore the system and flash trusted -firmware. But the production behavior of Boot Guard ensures that unverified -firmware cannot execute on the processor and immediately shuts the platform -down. +keys would fail the firmware verification. As an added step, the public key hash +of the key used to sign the Key Manifest can be burned into the ME and locked +permanently to ensure that no one except the key owner can change the firmware +signed in the Boot Policy Manifest. + +The flow described here is one of the most restrictive profiles that Boot Guard +offers - strict verification without remediation. There are less restrictive +profiles which allow the platform to keep running for 30 minutes if firmware +verification fails in order to restore the system and flash trusted firmware. +But the production behavior of Boot Guard ensures that unverified firmware +cannot execute on the processor and immediately shuts the platform down. --- + ### Where can I get Boot Guard for my platform? -One has to either pay thousands of dollars to a big firmware development -company to enable Boot Guard on your hardware or buy costly hardware which has -Boot Guard already enabled. +One has to either pay thousands of dollars to a big firmware development company +to enable Boot Guard on your hardware or buy costly hardware which has Boot +Guard already enabled. -That was true until now. Recently, one of our customers -[Protectli](https://protectli.com/?utm_source=3mdeb&utm_medium=blog&utm_campaign=bootguard) - -asked us to improve the security of their network focused product called the +That was true until now. Recently, one of our customers +-[Protectli](https://protectli.com/?utm_source=3mdeb&utm_medium=blog&utm_campaign=bootguard) +\- asked us to improve the security of their network focused product called the Vault by implementing Boot Guard. Protectli sells compact network devices running Intel processors and the most powerful of them have Intel processors which are Boot Guard capable. As a matter of fact, 3mdeb had previously -implemented coreboot for these platforms, so implementing Boot Guard was -a natural enhancement to the overall security of the system. +implemented coreboot for these platforms, so implementing Boot Guard was a +natural enhancement to the overall security of the system. And today we have succeeded. The first official platform running open-source firmware that has Boot Guard enabled is here. It is possible thanks to the fact @@ -162,7 +166,8 @@ at the Embedded World 2020 exhibition. ![EW2020](/img/ew2020.png) --- -### Boot Guard and coreboot? Yes, of course. + +### Boot Guard and coreboot? Yes, of course The below asciinema video presents the Protectli FW6B platform booted with Boot Guard enabled coreboot firmware executing an Intel tool called `MEInfo`, which @@ -181,14 +186,15 @@ The `OEM Public Key Hash` represents the SHA256 of the key used to verify the Key Manifest. It is located in the ME and on production devices is is burned into FPF (Field Programmable Fuses). -`ACM SVN FPF` describes the ACM security version, `0x2` means it is a -production ACM. +`ACM SVN FPF` describes the ACM security version, `0x2` means it is a production +ACM. `KM SVN FPF` is a Key Manifest security version. It is used to revoke Key Manifests. `0x0` means that no Key Manifest was revoked yet. There are also some additional variables stored in ME: -``` + +```bash FPF ME --- -- Force Boot Guard ACM Not set Disabled @@ -202,8 +208,8 @@ Enforcement Policy Not set 0x1 PTT Not set Enabled ``` -`Force Boot Guard ACM`, `Measured Boot`, `Verified Boot` and `Enforcement -Policy` make up the Boot Guard profile. +`Force Boot Guard ACM`, `Measured Boot`, `Verified Boot` and +`Enforcement Policy` make up the Boot Guard profile. They can be encoded as follows: @@ -212,9 +218,9 @@ Firmware verification with Boot Guard is enabled, `Enforcement Policy` equal to verification fails. Disabled `Force Boot Guard ACM` means that if ACM is not found in firmware, the processor will execute the code from a reset vector. If enabled, the system will shut down with a delay based on the -`Enforcement Policy`. It must be noted that not all combinations of these -fields are allowed. Only strictly defined Boot Guard profiles determine these -fields' values. +`Enforcement Policy`. It must be noted that not all combinations of these fields +are allowed. Only strictly defined Boot Guard profiles determine these fields' +values. Other interesting values are `CPU Debugging` and `BSP Initialization` which additionally protect the boot flow from modification via DCI or INIT signal. @@ -233,8 +239,7 @@ successful Boot Guard firmware verification lies in the status registers: That means the system will not shutdown after 30 minutes as the Boot Guard profile instructs the processor (if verification fails). -Summing it up: -**Boot Guard verified the firmware successfully.** +Summing it up: **Boot Guard verified the firmware successfully.** ## Summary @@ -252,6 +257,7 @@ project realized by the 3mdeb Embedded Systems Consulting company. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of your hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email at `contact3mdebcom`. If you are interested in -similar content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of your hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email at `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-02-19-GRUB2_and_3mdeb_minisummit.md b/blog/content/post/2020-02-19-GRUB2_and_3mdeb_minisummit.md index 38725ee4..0b79b400 100644 --- a/blog/content/post/2020-02-19-GRUB2_and_3mdeb_minisummit.md +++ b/blog/content/post/2020-02-19-GRUB2_and_3mdeb_minisummit.md @@ -1,7 +1,7 @@ --- title: GRUB2 and 3mdeb minisummit 2019 abstract: 'In December 2019 we had pleasure to meet Daniel Kiper #GRUB2 - maintanaer in 3mdeb office in Gdańsk. We dicussed various #GRUB2, + maintanaer in 3mdeb office in Gdańsk. We discussed various #GRUB2, #Xen, #firmware, #coreboot, #security and #TPM related topics. Results of that "minisummit" was presented in following blog post in form of presentations and videos.' @@ -23,43 +23,47 @@ categories: --- -In December 2019 we had pleasure to meet with [Daniel Kiper](https://www.linkedin.com/in/dkiper/) -GRUB maintainer, Software Developer, TrenchBoot technical leader at Oracle and -conference speaker. Since we are working with GRUB2 across many commercial -projects and our customers leverage it often we decided to take advantage of -this relation and organize a meeting during which 3mdeb engineers and team -leaders presented GRUB related topics. This blog post summarizes the discussion -and creates reference point for interested parties: +In December 2019 we had pleasure to meet with +[Daniel Kiper](https://www.linkedin.com/in/dkiper/) GRUB maintainer, Software +Developer, TrenchBoot technical leader at Oracle and conference speaker. Since +we are working with GRUB2 across many commercial projects and our customers +leverage it often we decided to take advantage of this relation and organize a +meeting during which 3mdeb engineers and team leaders presented GRUB related +topics. This blog post summarizes the discussion and creates reference point for +interested parties: Somehow 'minisummit' name survived since no one offered better title after -publishing [Qubes OS and 3mdeb 'minisummit' 2019](https://blog.3mdeb.com/2019/2019-08-07-qubes-os-and-3mdeb-minisummit/) +publishing +[Qubes OS and 3mdeb 'minisummit' 2019](https://blog.3mdeb.com/2019/2019-08-07-qubes-os-and-3mdeb-minisummit/) blog post. What we discussed during our meeting with Daniel: -* [Intro](https://cloud.3mdeb.com/index.php/s/Dk526gCtpjXRSDK) - introduction, +- [Intro](https://shop.3mdeb.com/wp-content/uploads/2021/06/Intro.pdf) - introduction, motivation and agenda presented by me -* [Redundant GRUB2 env file](https://cloud.3mdeb.com/index.php/s/bBcbXNkHwLBPZLn) - - Maciej Pijanowski presented redundant GRUB2 environment file, feature needed +- [Redundant GRUB2 env file](https://shop.3mdeb.com/wp-content/uploads/2021/06/Redundant-GRUB2-env-file.pdf) + \- Maciej Pijanowski presented redundant GRUB2 environment file, feature needed for power fail safe upgrades, similar mechanism was already implemented in U-Boot -* [TPM support in GRUB2 for legacy boot mode](https://cloud.3mdeb.com/index.php/s/gxg595WG35xSjjb) - - update on [talk presented on LPC 2019](https://linuxplumbersconf.org/event/4/contributions/517/) - in which Michał Żygowski highlights changes made in TrustedGRUB2 and build - base for discussion about merging changes to GRUB2 mainline -* [GRUB2 security features overview](https://cloud.3mdeb.com/index.php/s/trSb3RnjfJWxkM3) - - general talk overviewing security features in GRUB2 presented by me -* [Python 3 support in GRUB2](https://cloud.3mdeb.com/index.php/s/7KKJ5cQfGxPkYyi) - - talk in which Michał Żygowski presents how we used Python with GRUB2 and +- [TPM support in GRUB2 for legacy boot mode](https://shop.3mdeb.com/wp-content/uploads/2021/06/TPM-support-in-GRUB2-for-legacy-boot-mode.pdf) + - update on + [talk presented on LPC 2019](https://linuxplumbersconf.org/event/4/contributions/517/) + in which Michał Żygowski highlights changes made in TrustedGRUB2 and build + base for discussion about merging changes to GRUB2 mainline +- [GRUB2 security features overview](https://shop.3mdeb.com/wp-content/uploads/2021/06/GRUB2-security-features-overview.pdf) + \- general talk overviewing security features in GRUB2 presented by me +- [Python 3 support in GRUB2](https://shop.3mdeb.com/wp-content/uploads/2021/06/Python-3-support-in-GRUB2.pdf) + \- talk in which Michał Żygowski presents how we used Python with GRUB2 and starts a discussion about making Python 3 first class citizen in GRUB2 bootloader -* [AMD TrenchBoot support in GRUB2](https://cloud.3mdeb.com/index.php/s/WGpJJndeE2yBxR7) - - final talk in which I present status of AMD TrenchBoot support, implementation - and possible paths to upstream related code +- [AMD TrenchBoot support in GRUB2](https://shop.3mdeb.com/wp-content/uploads/2021/06/AMD-TrenchBoot-support-in-GRUB2-1.pdf) + \- final talk in which I present status of AMD TrenchBoot support, + implementation and possible paths to upstream related code -We also published all videos on our [YouTube channel](https://www.youtube.com/playlist?list=PLuISieMwVBpJ7JyAMGUmxIVjLs1lipKhZ). +We also published all videos on our +[YouTube channel](https://www.youtube.com/playlist?list=PLuISieMwVBpJ7JyAMGUmxIVjLs1lipKhZ). -# Redundant GRUB2 env file +## Redundant GRUB2 env file The key problem mentioned during presentations are lack of integrity check in the current implementation of GRUB2, what means any corruption of environment @@ -73,16 +77,15 @@ Unfortunately, if trying to use GRUB2 in the embedded environment there is a risk of ending up with an unbootable product, which of course leads to all other problems on the vendor's side. -We all agreed that this feature is needed in GRUB2 and if 3mdeb will get -correct sponsoring from vendors using GRUB2 such support will be developed and +We all agreed that this feature is needed in GRUB2 and if 3mdeb will get correct +sponsoring from vendors using GRUB2 such support will be developed and contributed. On the other hand, some vendors assume that file corruption is so -rare that they don't want to spend additional engineering hours on such -feature. +rare that they don't want to spend additional engineering hours on such feature. -Before such support is available, there are still methods to mitigate the -impact of the problem for which reference you can find in the presentation. +Before such support is available, there are still methods to mitigate the impact +of the problem for which reference you can find in the presentation. -# TPM support in GRUB2 for legacy boot mode +## TPM support in GRUB2 for legacy boot mode The key problem here is the lack of boot process integrity in non-UEFI systems. Since GRUB2 is in boot process chain also in legacy systems we wanted to @@ -94,10 +97,10 @@ measurement purposes. There are couple problems with that: -* this approach is complaint with TPM1.2, no support for TPM2.0 -* GRUB2 is neither consumer or producer of INT 1Ah -* at this point GRUB2 supports TPM only through UEFI API -* GRUB2 should preserve interrupt handlers +- this approach is complaint with TPM1.2, no support for TPM2.0 +- GRUB2 is neither consumer or producer of INT 1Ah +- at this point GRUB2 supports TPM only through UEFI API +- GRUB2 should preserve interrupt handlers Because the whole problem seems to not be so important (it affects the limited amount of hardware) we are thinking about the simplest way of having correct @@ -114,19 +117,19 @@ Addressing a lack of support for TPM2.0 through INT 1Ah seems not to be a big issue since we can hide hardware version behind SeaBIOS implementation. Bootloader just need to extend PCRs and do not use any sophisticated TPM features. This approach implies that our stack needs SeaBIOS, since we were not -able to find anyone who can confirm existence of legacy BIOS or CSM with INT -1Ah support. SeaBIOS of course limit us to coreboot and QEMU based platforms. +able to find anyone who can confirm existence of legacy BIOS or CSM with INT 1Ah +support. SeaBIOS of course limit us to coreboot and QEMU based platforms. -Based on previous assumption we have to admit that GRUB2 can be only consumer -of INT 1Ah API. The simplest solution for that would be to port support from +Based on previous assumption we have to admit that GRUB2 can be only consumer of +INT 1Ah API. The simplest solution for that would be to port support from TrustedGRUB2. -In previously described cases, GRUB2 is the second stage bootloader. If we -would like to have GRUB2 as first stage bootloader GRUB2 should be producer of -INT 1Ah API. That implies targets like: +In previously described cases, GRUB2 is the second stage bootloader. If we would +like to have GRUB2 as first stage bootloader GRUB2 should be producer of INT 1Ah +API. That implies targets like: -* \*BSD booted from GRUB2 on top of Legacy BIOS/CSM without INT 1Ah -* any system booted from GRUB2 on top of coreboot - here GRUB2 sill can be a +- \*BSD booted from GRUB2 on top of Legacy BIOS/CSM without INT 1Ah +- any system booted from GRUB2 on top of coreboot - here GRUB2 sill can be a consumer if coreboot would install INT 1Ah API what would be a little bit bizarre in light of already having that in SeaBIOS @@ -134,7 +137,7 @@ Moreover being a producer means providing a driver for TPM communication. According to minisummit discussion producer scenario is technically possible to implement things but may be economically not feasible. -# GRUB2 security features overview +## GRUB2 security features overview During this presentation I complained a little bit about the usability of various GRUB2 security features and suggested possible extensions that could @@ -145,10 +148,10 @@ Most of the talk focused on how those features help coreboot based platforms. The overall adoption of security features is slow, mostly because of a lack of integration across the system components. -# Python 3 support in GRUB2 +## Python 3 support in GRUB2 Whole topic started with our talk about "CHIPSEC as coreboot payload" from -[OSFC2018](https://2018.osfc.io/). +[OSFC2018](https://www.osfc.io/2018/talks/). [![CHIPSEC as coreboot payload](https://img.youtube.com/vi/P49uLPCXgjo/0.jpg)](https://www.youtube.com/watch?v=P49uLPCXgjo) @@ -163,24 +166,26 @@ and probably the cost time of developers. Other mentioned alternative was MicroPython since it would resolve the same problem but probably with less maintainer overhead. -# AMD TrenchBoot support in GRUB2 +## AMD TrenchBoot support in GRUB2 From this presentation you can learn how to run most recent code and test it. -Most of the presentation and discussion was about internals how things should -be implemented and if what we did is acceptable. +Most of the presentation and discussion was about internals how things should be +implemented and if what we did is acceptable. General conclusion was that we have to implement DRTM specific relocator as it was done for other boot options. This session was more like live code review, but we took the chance to discuss -each aspect of TrenchBoot support for AMD in GRUB project. Most of the -mentioned problems were already implemented and sent for [review to grub-devel](https://www.mail-archive.com/grub-devel@gnu.org/msg29472.html) +each aspect of TrenchBoot support for AMD in GRUB project. Most of the mentioned +problems were already implemented and sent for +[review to grub-devel](https://www.mail-archive.com/grub-devel@gnu.org/msg29472.html) mailing list. In long run we plan to provide frequent updates related to AMD support in -TrenchBoot project. Next update is planned to [FOSDEM 2020](https://fosdem.org/2020/schedule/event/firmware_itsoecs/). +TrenchBoot project. Next update is planned to +[FOSDEM 2020](https://fosdem.org/2020/schedule/event/firmware_itsoecs/). -## Summary +### Summary It was pleasure to whole 3mdeb to meet with Daniel and understand his perspective and vision of GRUB2 from community and commercial perspective. We @@ -188,15 +193,17 @@ definitely see possible synergies and hope to find resources to support GRUB bootloader. Some may ask if GRUB2 existence is justifiable in light of Linux booting -directly from UEFI and growth of projects like [LinuxBoot](https://www.linuxboot.org/). -Our opinion is that we choose solutions that fits best for outcome we want to -achieve. Amount of work, expertise and features set accumulated over 25 years -of development cannot be ignores and largely simplify our lives in some cases. -It may mean that it is faster and easier to use GRUB2 in some cases and in -other leverage LinuxBoot or other solution. +directly from UEFI and growth of projects like +[LinuxBoot](https://www.linuxboot.org/). Our opinion is that we choose solutions +that fits best for outcome we want to achieve. Amount of work, expertise and +features set accumulated over 25 years of development cannot be ignores and +largely simplify our lives in some cases. It may mean that it is faster and +easier to use GRUB2 in some cases and in other leverage LinuxBoot or other +solution. If you need bootloader support or you think we can help in improving the security of your firmware or you looking for someone who can boost your product -by leveraging advanced features of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in -similar content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +by leveraging advanced features of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-03-04-esxi-67-boot-issue-part1.md b/blog/content/post/2020-03-04-esxi-67-boot-issue-part1.md index aaa22f73..df6f5340 100644 --- a/blog/content/post/2020-03-04-esxi-67-boot-issue-part1.md +++ b/blog/content/post/2020-03-04-esxi-67-boot-issue-part1.md @@ -23,15 +23,15 @@ categories: --- -[First mentions](http://pcengines.info/forums/?page=post&id=511E5F7D-AD74-4041-8C0C-72FBADD95504&fid=DF5ACB70-99C4-4C61-AFA6-4C0E0DB05B2A&pageindex=3) +[First mentions](https://web.archive.org/web/20201026102303/http://pcengines.info/forums/?page=post&id=511E5F7D-AD74-4041-8C0C-72FBADD95504&fid=DF5ACB70-99C4-4C61-AFA6-4C0E0DB05B2A) that updated versions of VMware's ESXi 6.7.0 installer doesn't start on PC Engines platforms come from the beginning of 2019. We were aware of that issue -since April ([1](https://twitter.com/mibosshard/status/1118229143819362304), -[2](http://pcengines.info/forums/?page=post&id=4C472C95-E846-42BF-BC41-43D1C54DFBEA&fid=6D8DBBA4-9D40-4C87-B471-80CB5D9BD945&pageindex=6)). +since April ([1](https://twitter.com/mibosshard/status/1118229143819362304)). Older versions of ESXi worked fine. There were fixes from other firmware vendors for Intel NUC platforms, but -apparently those dealt with UEFI memory map problems, as mentioned [here](https://www.virtuallyghetto.com/2018/11/update-on-running-esxi-on-intel-nuc-hades-canyon-nuc8i7hnk-nuc8i7hvk.html). +apparently those dealt with UEFI memory map problems, as mentioned +[here](https://www.virtuallyghetto.com/2018/11/update-on-running-esxi-on-intel-nuc-hades-canyon-nuc8i7hnk-nuc8i7hvk.html). Release notes for 0051 linked in that article (you have to open BIOS Update page, direct link to release notes is no longer valid) mention that it fixes versions 6.7 and 6.5, so this probably is different issue altogether. @@ -40,7 +40,7 @@ versions 6.7 and 6.5, so this probably is different issue altogether. For older firmware versions, boot process hanged at: -``` +```bash <6>Loading /vsanmgmt.v00 <6>Loading /tools.t00 <6>Loading /xorg.v00 @@ -51,7 +51,7 @@ For older firmware versions, boot process hanged at: This changed to reboot in newer versions of coreboot: -``` +```bash <6>Loading /vsanheal.v00 <6>Loading /vsanmgmt.v00 <6>Loading /tools.t00 @@ -69,28 +69,31 @@ bootloader is in `mboot.c32` on the installation medium. ## Different versions of mboot.c32 -File with this name is a part of [SYSLINUX](https://wiki.syslinux.org/wiki/index.php?title=Mboot.c32). -It is responsible for loading images using Multiboot specification. During our +File with this name is a part of +[SYSLINUX](https://wiki.syslinux.org/wiki/index.php?title=Mboot.c32). It is +responsible for loading images using Multiboot specification. During our research, we tried to use `mboot.c32` from different versions of SYSLINUX. ESXi uses its own version, which implements Mutiboot (we first though that this is a typo, but apparently it's not) protocol. As the name suggests, it is a -mutated variant of Multiboot :) Do not try to start ESXi with SYSLINUX's -modules as they will not work. +mutated variant of Multiboot :) Do not try to start ESXi with SYSLINUX's modules +as they will not work. ## Source code and debug info -There are sources for vSphere available on the [VMware website](https://my.vmware.com/en/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_7#open_source). -Code for `esxboot` is included in _Open Source Disclosure package for VMware vSphere Hypervisor (ESXi)_. -It can be downloaded as an ISO image containing all open source components. -There is also a stale [Github repo](https://github.com/vmware/esx-boot) with -older code. +There are sources for vSphere available on the +[VMware website](https://my.vmware.com/en/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_7#open_source). +Code for `esxboot` is included in _Open Source Disclosure package for VMware +vSphere Hypervisor (ESXi)_. It can be downloaded as an ISO image containing all +open source components. There is also a stale +[Github repo](https://github.com/vmware/esx-boot) with older code. -One of the most useful information found there is [list of mboot.c32 options](https://github.com/vmware/esx-boot/blob/master/mboot/mboot.c). +One of the most useful information found there is +[list of mboot.c32 options](https://github.com/vmware/esx-boot/blob/master/mboot/mboot.c). This allowed us to gather more verbose output. From SYSLINUX menu press Tab and change command line to: -``` +```bash > mboot.c32 -c boot.cfg -D -S 1 -H ``` @@ -98,7 +101,7 @@ Lines that were printed without additional flags will be printed twice, sometimes intertwined. This is output with most unimportant (for this issue) lines removed: -``` +```bash COM32 v4.7 (syslinux) mboot __executable_start is at 0x160000 Logging initial memory map @@ -214,11 +217,13 @@ Installing a safe environment... This is the place where it hangs or reboots. It is a few hundred lines below the `<6>Shutting down firmware services...` line. It is printed by the code in -`install_trampoline()` function in [reloc.c](https://github.com/vmware/esx-boot/blob/master/mboot/reloc.c#L828). +`install_trampoline()` function in +[reloc.c](https://github.com/vmware/esx-boot/blob/master/mboot/reloc.c#L828). With reverse engineering we established that `only_em64t` was not defined, so only `do_reloc()` is called before returning from this function. -`install_trampoline()` is called from `main()` in [mboot.c](https://github.com/vmware/esx-boot/blob/master/mboot/mboot.c#L431), +`install_trampoline()` is called from `main()` in +[mboot.c](https://github.com/vmware/esx-boot/blob/master/mboot/mboot.c#L431), followed by `Log()`, both for success and for failure, so we can assume that `install_trampoline()` does not return, right? Well, not quite. @@ -235,7 +240,7 @@ It basically came to disassembling original image (which was already done to check if `only_em64t` was defined) and inserting new code, in the point we were trying to test, using hexeditor. This code was (Intel syntax): -``` +```bash mov dx, 0x3f8 /* UART port */ mov al, 'x' out dx, al @@ -250,8 +255,8 @@ or, after a while, from memory (can be tedious), or use online tools like [this one](https://defuse.ca/online-x86-assembler.htm). Code above translates to byte sequence: `66 ba f8 03 b0 78 ee eb fe`. -This code has been put in important places as a checkpoints in the flow. -**It must overwrite the code, and not be inserted** because offsets to other +This code has been put in important places as a checkpoints in the flow. **It +must overwrite the code, and not be inserted** because offsets to other functions and structures must not change. Those checkpoints revealed that not only `do_reloc()` and `install_trampoline()` @@ -261,19 +266,20 @@ string which is, let's say, _less intolerable_ than printing random bytes. This seems like a broken relocation - call to `Log()` points to a string that is no longer there. At least `mboot.c32` read-only data section was relocated and overwritten, code might also be relocated but apparently it isn't overwritten -because our checkpoint executed. There is a [warning](https://github.com/vmware/esx-boot/blob/master/mboot/reloc.c#L238) +because our checkpoint executed. There is a +[warning](https://github.com/vmware/esx-boot/blob/master/mboot/reloc.c#L238) before `do_reloc()` code about it being position-independent. Trampoline code and data are objects of type `[t]` (see top of the file for description of types), and because of that they are handler with special care, but `main()`'s code and data isn't. -#### Relocation - why is it needed? +### Relocation - why is it needed? Not all of the code is position-independent. An example of such code is the kernel (at least its initial part). It must be loaded at the address for which it was linked, as printed in log: -``` +```bash ELF link address range is [0x400000:0x600000) [k] 1b1fa0 - 1b2fa0 -> 400000 - 401000 (4096 bytes) [k] 1b2fa0 - 211fa0 -> 401000 - 460000 (389120 bytes) @@ -306,8 +312,8 @@ for RIP relative addressing. There are some rules that must be followed during relocation. First of all, code responsible for relocation shouldn't return to the code that called it, if the -caller or the stack was being relocated. In that case, there should be -**no plain return statements**, because they read return address from the stack +caller or the stack was being relocated. In that case, there should be **no +plain return statements**, because they read return address from the stack (which might have been relocated), which holds the pointer to the old code (which also might have been relocated). Return address could be patched and stack could be protected, but that's not all. @@ -328,7 +334,8 @@ doesn't know enough about layout of sections of binary. It happens during self-initialization of a module, but nothing prevents us from doing something similar again after a relocation. -> Global Offset Table and PIC in general is described in [Eli Bendersky's article](https://eli.thegreenplace.net/2011/11/03/position-independent-code-pic-in-shared-libraries/), +> Global Offset Table and PIC in general is described in +> [Eli Bendersky's article](https://eli.thegreenplace.net/2011/11/03/position-independent-code-pic-in-shared-libraries/), > with examples. It is focused on shared libraries, but the main principles are > still the same. @@ -360,7 +367,7 @@ Keep in mind that **this is not a solution**. It allows ESXi installer to boot. It was **not tested** against booting other OSes or installed version of ESXi. **Use at your own risk**. -``` +```bash diff --git a/src/lib/bootmem.c b/src/lib/bootmem.c index 8ca3bbd3f633..66c37c05843d 100644 --- a/src/lib/bootmem.c @@ -387,7 +394,7 @@ index 8ca3bbd3f633..66c37c05843d 100644 The log produced after applying the above change starts with: -``` +```bash COM32 v4.7 (syslinux) mboot __executable_start is at 0x160000 Logging initial memory map @@ -417,7 +424,8 @@ when one would suffice. There are other worrisome lines, however. One of those is `mboot __executable_start is at 0x160000` - it is well within the part of memory where we told it not to be. It was loaded at this address by the previous module - `menu.c32` in this case - so it suggests that it is not a -bug in `mboot.c32`, as we [initially thought](https://github.com/vmware/esx-boot/issues/4). +bug in `mboot.c32`, as we +[initially thought](https://github.com/vmware/esx-boot/issues/4). The second visible problem is in malloc arena - it also reports that a part of the memory in the reserved range is free to use by the module. This issue is a @@ -428,6 +436,7 @@ memory. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-03-28-trenchboot-nlnet-introduction.md b/blog/content/post/2020-03-28-trenchboot-nlnet-introduction.md index 1427d9bc..cbc8716d 100644 --- a/blog/content/post/2020-03-28-trenchboot-nlnet-introduction.md +++ b/blog/content/post/2020-03-28-trenchboot-nlnet-introduction.md @@ -30,7 +30,7 @@ legitimacy of the adopted philosophy, is a great community response. Big kudos to Marek Marczykowski-Górecki (QubesOS) and Thierry Laurion (Insurgo) who encouraged us to apply for NLnet founds. -We are glad to inform, that we have received a grant from **NLnet Foundation** +We are glad to inform, that we have received a grant from **NLnet Foundation** for *Open Source DRTM implementation with TrenchBoot for AMD processors* project. Under the subsidy, **3mdeb Embedded Systems Consulting** wants to contribute these solutions to the public good, not as proprietary products, but @@ -47,8 +47,8 @@ about the project. Our goal is twofold: -* Implement DRTM with TrenchBoot for AMD processors. -* Create a test environment with test suites for the community. +- Implement DRTM with TrenchBoot for AMD processors. +- Create a test environment with test suites for the community. Above issues will be described later. Both, as already mentioned, will be fully open-source and available for everybody. Solution which we provide will be @@ -66,11 +66,11 @@ Now, let me briefly discuss each goal, so you can better understand the project. Of course, we won't focus on details and all requirements now. Those will be systematically updated and presented to community. -#### DRTM with TrenchBoot +### DRTM with TrenchBoot -[TrenchBoot](https://github.com/TrenchBoot) *is a framework that allows +[TrenchBoot](https://github.com/TrenchBoot) _is a framework that allows individuals and projects to build security engines to perform launch integrity -actions for their systems.* In other words, it provides tools to create the +actions for their systems._ In other words, it provides tools to create the desirable solution. We will use a technology which measures and verifies running environment. To obtain that, TrenchBoot utilizes **Dynamic Root of Trust for Measurements** (DRTM). It is very complex topic and understanding it could take @@ -116,6 +116,7 @@ and wait for other articles! If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-03-31-trenchboot-nlnet-lz.md b/blog/content/post/2020-03-31-trenchboot-nlnet-lz.md index fcbbf74b..0c689a66 100644 --- a/blog/content/post/2020-03-31-trenchboot-nlnet-lz.md +++ b/blog/content/post/2020-03-31-trenchboot-nlnet-lz.md @@ -21,7 +21,8 @@ categories: --- -If you haven't read [introductory blog post](https://blog.3mdeb.com/2020/2020-03-28-trenchboot-nlnet-introduction/) +If you haven't read +[introductory blog post](https://blog.3mdeb.com/2020/2020-03-28-trenchboot-nlnet-introduction/) yet, I strongly recommend to do it before proceeding here. We have presented our motivation, project's overview concept and goals there. Generally speaking, we will be introducing new issues according to project's state over time. If you @@ -29,7 +30,7 @@ want to keep up with project development, stay tuned and always try to catch up missed articles. > Those articles will not always be strictly technical. Therefore, if you think -some topics should be elaborated, feel free to ask us a question. +> some topics should be elaborated, feel free to ask us a question. In this article, I will explain how the project is built. Mostly, what hardware, firmware and software components we are using. The most essential parts of @@ -57,180 +58,182 @@ strongly utilized in entire project. Later, I will show you how to build custom package on `flashrom` example. > Of course, you can use any other Linux distribution. However, every procedure -will be carried out by us in NixOS. If you won't have all dedicated tools and -(supported? compatible?) configuration, we can't provide full reliability. +> will be carried out by us in NixOS. If you won't have all dedicated tools and +> (supported? compatible?) configuration, we can't provide full reliability. -#### NixOS installation +### NixOS installation -Now, I will guide through installation of NixOS. After it, you should have -an operating system in a default configuration. Later, I will show you how to +Now, I will guide through installation of NixOS. After it, you should have an +operating system in a default configuration. Later, I will show you how to customize it in a runtime. ->Important: NixOS installation is not interactive as in most Linux distributions -(e.g. Debian). Therefore, pay attention to typed commands and configurations! +> Important: NixOS installation is not interactive as in most Linux +> distributions (e.g. Debian). Therefore, pay attention to typed commands and +> configurations! -1. Download minimal installer image from the [website](https://nixos.org/nixos/download.html). +1. Download minimal installer image from the + [website](https://nixos.org/nixos/download.html). -2. Flash USB drive with the image. +1. Flash USB drive with the image. -3. Insert USB drive on the target platform and choose proper boot option. +1. Insert USB drive on the target platform and choose proper boot option. -4. In boot menu press `tab` and add serial console parameters: +1. In boot menu press `tab` and add serial console parameters: - ```bash - console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 - ``` + ```bash + console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 + ``` -5. Press enter and you will see following bootlog: +1. Press enter and you will see following bootlog: - ```bash - ott//iinniittrrdd + ```bash + ott//iinniittrrdd - early console in extract_kernel - input_data: 0x00000000023fc3b1 - input_len: 0x0000000000404c90 - output: 0x0000000001000000 - output_len: 0x00000000017d8030 - kernel_total_size: 0x000000000142c000 - trampoline_32bit: 0x000000000009d000 - booted via startup_32() - Physical KASLR using RDTSC... - Virtual KASLR using RDTSC... + early console in extract_kernel + input_data: 0x00000000023fc3b1 + input_len: 0x0000000000404c90 + output: 0x0000000001000000 + output_len: 0x00000000017d8030 + kernel_total_size: 0x000000000142c000 + trampoline_32bit: 0x000000000009d000 + booted via startup_32() + Physical KASLR using RDTSC... + Virtual KASLR using RDTSC... - Decompressing Linux... Parsing ELF... Performing relocations... done. - Booting the kernel. - [ 0.000000] Linux version 4.19.107 (nixbld@localhost) (gcc version 8.3.0 (GCC)) #1-NixOS SMP Fri Feb 28 15:39:01 UTC 2020 - [ 0.000000] Command line: BOOT_IMAGE=/boot/bzImage init=/nix/store/ph9hjng3mwwsnnd20pq364fay8baqm6x-nixos-system-nixos-19.09.2201.7d31bbceaa1/init root=LABEL=NIXOS_ISO console=ttyS0,115200 earlyprintkd - (...) + Decompressing Linux... Parsing ELF... Performing relocations... done. + Booting the kernel. + [ 0.000000] Linux version 4.19.107 (nixbld@localhost) (gcc version 8.3.0 (GCC)) #1-NixOS SMP Fri Feb 28 15:39:01 UTC 2020 + [ 0.000000] Command line: BOOT_IMAGE=/boot/bzImage init=/nix/store/ph9hjng3mwwsnnd20pq364fay8baqm6x-nixos-system-nixos-19.09.2201.7d31bbceaa1/init root=LABEL=NIXOS_ISO console=ttyS0,115200 earlyprintkd + (...) - <<< NixOS Stage 1 >>> + <<< NixOS Stage 1 >>> - loading module loop... - loading module vfat... - loading module nls_cp437... - loading module nls_iso8859-1... - loading module fuse... - loading module dm_mod... - running udev... - kbd_mode: KDSKBMODE: Inappropriate ioctl for device - Gstarting device mapper and LVM... - mounting tmpfs on /... - waiting for device /dev/root to appear... - mounting /dev/root on /iso... - mounting /mnt-root/iso/nix-store.squashfs on /nix/.ro-store... - mounting tmpfs on /nix/.rw-store... - mounting unionfs on /nix/store... + loading module loop... + loading module vfat... + loading module nls_cp437... + loading module nls_iso8859-1... + loading module fuse... + loading module dm_mod... + running udev... + kbd_mode: KDSKBMODE: Inappropriate ioctl for device + Gstarting device mapper and LVM... + mounting tmpfs on /... + waiting for device /dev/root to appear... + mounting /dev/root on /iso... + mounting /mnt-root/iso/nix-store.squashfs on /nix/.ro-store... + mounting tmpfs on /nix/.rw-store... + mounting unionfs on /nix/store... - <<< NixOS Stage 2 >>> + <<< NixOS Stage 2 >>> - running activation script... - setting up /etc... - unpacking the NixOS/Nixpkgs sources... - created 1 symlinks in user environment - ln: failed to create symbolic link '/root/.nix-defexpr/channels/channels': Read-only file system - starting systemd... + running activation script... + setting up /etc... + unpacking the NixOS/Nixpkgs sources... + created 1 symlinks in user environment + ln: failed to create symbolic link '/root/.nix-defexpr/channels/channels': Read-only file system + starting systemd... - Welcome to NixOS 19.09.2201.7d31bbceaa1 (Loris)! + Welcome to NixOS 19.09.2201.7d31bbceaa1 (Loris)! - [ OK ] Created slice system-getty.slice. - (...) - [ OK ] Started Login Service. + [ OK ] Created slice system-getty.slice. + (...) + [ OK ] Started Login Service. - <<< Welcome to NixOS 19.09.2201.7d31bbceaa1 (x86_64) - ttyS0 >>> - The "nixos" and "root" accounts have empty passwords. + <<< Welcome to NixOS 19.09.2201.7d31bbceaa1 (x86_64) - ttyS0 >>> + The "nixos" and "root" accounts have empty passwords. - Type `sudo systemctl start sshd` to start the SSH daemon. - You then must set a password for either "root" or "nixos" - with `passwd` to be able to login. + Type `sudo systemctl start sshd` to start the SSH daemon. + You then must set a password for either "root" or "nixos" + with `passwd` to be able to login. - Run `nixos-help` or press for the NixOS manual. + Run `nixos-help` or press for the NixOS manual. - nixos login: nixos (automatic login) - ``` + nixos login: nixos (automatic login) + ``` -6. Create legacy boot partition +1. Create legacy boot partition - >Be careful and choose correct /dev/sdX device. In our case it is `sda`, which - is SSD disk. + > Be careful and choose correct /dev/sdX device. In our case it is `sda`, + > which is SSD disk. - Create a MBR partition table + Create a MBR partition table - ```bash - parted /dev/sda -- mklabel msdos - ``` + ```bash + parted /dev/sda -- mklabel msdos + ``` - Add the root partition. This will fill the the disk except for the end part, - where the swap will live. + Add the root partition. This will fill the the disk except for the end part, + where the swap will live. - ```bash - parted /dev/sda -- mkpart primary 1MiB -8GiB - ``` + ```bash + parted /dev/sda -- mkpart primary 1MiB -8GiB + ``` - Add swap partition + Add swap partition - ```bash - parted /dev/sda -- mkpart primary linux-swap -8GiB 100% - ``` + ```bash + parted /dev/sda -- mkpart primary linux-swap -8GiB 100% + ``` -7. Format partitons +1. Format partitions - sda1 + sda1 - ```bash - mkfs.ext4 -L nixos /dev/sda1 - ``` + ```bash + mkfs.ext4 -L nixos /dev/sda1 + ``` - sda2 (swap) + sda2 (swap) - ```boot - mkswap -L swap /dev/sda2 - ``` + ```bashboot + mkswap -L swap /dev/sda2 + ``` -8. Mount partiton +1. Mount partition - ```bash - mount /dev/disk/by-label/nixos /mnt - ``` + ```bash + mount /dev/disk/by-label/nixos /mnt + ``` -9. Generate initial configuration: +1. Generate initial configuration: - ```bash - nixos-generate-config --root /mnt - ``` + ```bash + nixos-generate-config --root /mnt + ``` - >Above command will create `configuration.nix` file. It contains all default - configuration options according to which NixOS will be installed. + > Above command will create `configuration.nix` file. It contains all default + > configuration options according to which NixOS will be installed. -10. Uncomment following line in `configuration.nix` file. +1. Uncomment following line in `configuration.nix` file. - ```bash - $ vim /mnt/etc/nixos/configuration.nix - boot.loader.grub.device = "/dev/sda"; - ``` + ```bash + $ vim /mnt/etc/nixos/configuration.nix + boot.loader.grub.device = "/dev/sda"; + ``` -11. Add boot kernel parameters for serial connection: +1. Add boot kernel parameters for serial connection: - ```bash - boot.kernelParams = [ "console=ttyS0,115200 earlyprintk=serial,ttyS0,115200" ]; - ``` + ```bash + boot.kernelParams = [ "console=ttyS0,115200 earlyprintk=serial,ttyS0,115200" ]; + ``` -12. Install NixOS based on config (it will take a few minutes) +1. Install NixOS based on config (it will take a few minutes) - ```bash - nixos-install - ``` + ```bash + nixos-install + ``` -13. Set password for root. +1. Set password for root. -14. Reboot OS. (Now you can remove installation media) +1. Reboot OS. (Now you can remove installation media) If above procedure was successful, NixOS is installed in default configuration. Boot to system and play around to check if everything is correct. If yes, let's move on to package manager and system customization. -#### NixOS package installation +### NixOS package installation As already mentioned, your NixOS is now in default configuration. It means it have already installed only basic tools and applications. Additional ones can be @@ -245,87 +248,88 @@ nix-env -qaP '*' --description |grep -i name As you can see most tools are presented in `nixpkgs`. However, there is possibility to build your own (custom ones), based on github repository. Let's -try to this with custom `flashrom` and [3mdeb github fork](https://github.com/3mdeb/flashrom/commit/5f164cc28fdc055c272d21c60a0a32dc23d29e3b). +try to this with custom `flashrom` and +[3mdeb github fork](https://github.com/3mdeb/flashrom/commit/5f164cc28fdc055c272d21c60a0a32dc23d29e3b). 1. First, clone the `nixpkgs` repo. Without it, you won't have access to any -package. - - ```bash - git clone git@github.com:NixOS/nixpkgs.git - ``` - -2. Change directory to `nixpkgs` and create the package directory for new -flashrom. We named it `flashrom2`, as `flashrom` already exists. - - ```bash - cd nixpkgs - mkdir pkgs/tools/misc/flashrom2 - ``` - -3. Move to the `flashrom2` directory and create a `default.nix` config file. - - ```bash - cd pkgs/tools/misc/flashrom2 - touch default.nix - vim default.nix - ``` - -4. Fill `default.nix` file with following content - - >`default.nix` is a recipe for building a package. It contains all dependencies, - package source and description. - - ```bash - { lib - , stdenv - , fetchurl - , meson - , ninja - , pkgconfig - , libftdi1 - , libusb1 - , pciutils - }: - - stdenv.mkDerivation rec { - pname = "flashrom2"; - version = "2.0"; - - src = builtins.fetchGit { - url = "https://github.com/3mdeb/flashrom.git"; - ref = "wip"; - rev = "5f164cc28fdc055c272d21c60a0a32dc23d29e3b"; - }; - - nativeBuildInputs = [ meson pkgconfig ninja ]; - buildInputs = [ libftdi1 libusb1 pciutils ]; - - meta = with lib; { - homepage = http://www.flashrom.org; - description = "Utility for reading, writing, erasing and verifying flash ROM chips"; - license = licenses.gpl2; - platforms = platforms.all; - }; - } - ``` - -5. Build `flashrom2` - - ```bash - nix-build -A flashrom2 - ``` - - > `nix-build` command builds any package which is added or already exists in - `nixpkgs` library. - -6. Add `flashrom2` to NixOS profile to create symlinks. - - ```bash - nix-env -f . -iA flashrom2 - installing 'flashrom2-2.0' - building '/nix/store/hbxi8l93x2qv3kzg7kjpfaa6pmkij48f-user-environment.drv'... - created 21 symlinks in user environment - ``` + package. + + ```bash + git clone git@github.com:NixOS/nixpkgs.git + ``` + +1. Change directory to `nixpkgs` and create the package directory for new + flashrom. We named it `flashrom2`, as `flashrom` already exists. + + ```bash + cd nixpkgs + mkdir pkgs/tools/misc/flashrom2 + ``` + +1. Move to the `flashrom2` directory and create a `default.nix` config file. + + ```bash + cd pkgs/tools/misc/flashrom2 + touch default.nix + vim default.nix + ``` + +1. Fill `default.nix` file with following content + + > `default.nix` is a recipe for building a package. It contains all + > dependencies, package source and description. + + ```bash + { lib + , stdenv + , fetchurl + , meson + , ninja + , pkgconfig + , libftdi1 + , libusb1 + , pciutils + }: + + stdenv.mkDerivation rec { + pname = "flashrom2"; + version = "2.0"; + + src = builtins.fetchGit { + url = "https://github.com/3mdeb/flashrom.git"; + ref = "wip"; + rev = "5f164cc28fdc055c272d21c60a0a32dc23d29e3b"; + }; + + nativeBuildInputs = [ meson pkgconfig ninja ]; + buildInputs = [ libftdi1 libusb1 pciutils ]; + + meta = with lib; { + homepage = http://www.flashrom.org; + description = "Utility for reading, writing, erasing and verifying flash ROM chips"; + license = licenses.gpl2; + platforms = platforms.all; + }; + } + ``` + +1. Build `flashrom2` + + ```bash + nix-build -A flashrom2 + ``` + + > `nix-build` command builds any package which is added or already exists in + > `nixpkgs` library. + +1. Add `flashrom2` to NixOS profile to create symlinks. + + ```bash + nix-env -f . -iA flashrom2 + installing 'flashrom2-2.0' + building '/nix/store/hbxi8l93x2qv3kzg7kjpfaa6pmkij48f-user-environment.drv'... + created 21 symlinks in user environment + ``` You have just built your first package in NixOS. Moreover, it is your custom build! However, as you can see entire process is non-trivial. Essential part of @@ -337,8 +341,8 @@ manager on your own. Good point to start are already existing packages and their You may wonder why do we build our own tools, when most of them are available in default `nixpkgs`. Answer is simple - we have possibility to build not only -tools, but also many other software and firmware components... You will -learn more about it in next section. +tools, but also many other software and firmware components... You will learn +more about it in next section. ## Firmware @@ -350,7 +354,7 @@ of entire project. Let's break our entire system into following main parts. They are listed in order of execution when the platform is booted, so you can also see the flow and relations between them. -#### BIOS +### BIOS Our solution is open-source, so we also use such firmware (BIOS) - **coreboot**. Also, as we are maintainers of coreboot for PC Engines platforms, we use @@ -360,27 +364,27 @@ find up-to-date firmware. I won't describe coreboot itself here. What you need to know, it is first code which is running during boot process. It initializes all hardware components on platform. -#### GRUB +### GRUB When coreboot ends its work, a bootloader comes in. We use **GRUB**. Its task is to boot operating system. Normally, if NixOS is installed on hard disk, GRUB -loads it to RAM. Being more precise, *Linux kernel* and *initrd* are being +loads it to RAM. Being more precise, _Linux kernel_ and _initrd_ are being loaded. However, that operation is slightly different when we enable DRTM. As it is main goal of our project, let's take a look a little bit closer on it. We prepared extension module called `slaunch`. When DRTM is enabled, `slaunch` executes AMD's dedicated machine instruction `SKINIT`. Treat it as 'pre-DRTM' -operation. It prepares all components and jump to secure loader - `Landing -Zone`. +operation. It prepares all components and jump to secure loader - +`Landing Zone`. -#### Landing Zone (LZ) +### Landing Zone (LZ) LZ has 2 main tasks: measure Linux kernel and then run it. If you wonder, when measurements are done, then you have just found out. Without LZ, DRTM doesn't exist. Although it seems inconspicuous, it does fundamental job in secure boot process. -#### Linux kernel +### Linux kernel Linux kernel is a core of all Linux based operating systems. Actually, it is operating system without any additional applications. It can be modified to @@ -389,9 +393,9 @@ general, it is done to limit size of kernel image and adjust its performance. In Trenchboot Secure Launch process it performs additional operations - makes some measurements. But more about it, we will discuss later. -#### initrd +### initrd -initrd stands for *initial ramdisk*. It is an image used by bootloader to mount +initrd stands for _initial ramdisk_. It is an image used by bootloader to mount initial file system in memory. Also, that image contains modules which will be loaded by Linux kernel. @@ -429,6 +433,7 @@ DRTM. Of course, everything in reproducible way, so you can perform it too! If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-04-03-trenchboot-nlnet-lz-validation.md b/blog/content/post/2020-04-03-trenchboot-nlnet-lz-validation.md index bb117ed1..3351cc69 100644 --- a/blog/content/post/2020-04-03-trenchboot-nlnet-lz-validation.md +++ b/blog/content/post/2020-04-03-trenchboot-nlnet-lz-validation.md @@ -25,16 +25,17 @@ categories: verification and kernel measurements requirements. It is done now. As a result, we have added/updated following sections: -- **Landing Zone update** section with procedure how to update Landing Zone only; +- **Landing Zone update** section with procedure how to update Landing Zone + only; - **Landing Zone** section with explanation of extending PCRs by Landing Zone -and kernel, so it should be easily distinguished; -- **Landing Zone** section with -*check if LZ utilizes SHA1 algorithm when using TPM1.2 module* requirement -verification; + and kernel, so it should be easily distinguished; +- **Landing Zone** section with _check if LZ utilizes SHA1 algorithm when using + TPM1.2 module_ requirement verification; - **Changes in source code** section with point to exact place in LZ's code, -where SHA1 algorithm is utilized; + where SHA1 algorithm is utilized; -In [previous article](https://blog.3mdeb.com/2020/2020-03-31-trenchboot-nlnet-lz/) +In +[previous article](https://blog.3mdeb.com/2020/2020-03-31-trenchboot-nlnet-lz/) I introduced project's basics. I explained briefly what parts of system are necessary in DRTM and how to prepare them. Now, let's try to build them, so you can enjoy having secure platform too. Also, we will verify first requirements @@ -63,8 +64,8 @@ A normal boot process without DRTM enabled, typically looks like this: ![boot without drtm](/img/boot-non-drtm.png) GRUB bootloader **directly** loads Linux kernel and whereby NixOS boots. As you -know, by modifying GRUB, Linux kernel and adding special boot modules, we -enable DRTM. Then, the boot process looks like this: +know, by modifying GRUB, Linux kernel and adding special boot modules, we enable +DRTM. Then, the boot process looks like this: ![boot drtm](/img/boot-drtm.png) @@ -91,293 +92,298 @@ and follow these steps: 1. Install `cachix` - `cachix` is binary cache hosting. It allows to store binary files, so there - is no need to build them on your own. If it is not very useful for small - builds, it is very handy for large ones e.g. Linux kernel binary. + `cachix` is binary cache hosting. It allows to store binary files, so there + is no need to build them on your own. If it is not very useful for small + builds, it is very handy for large ones e.g. Linux kernel binary. - ```bash - $ nix-env -iA cachix -f https://cachix.org/api/v1/install - ``` + ```bash + nix-env -iA cachix -f https://cachix.org/api/v1/install + ``` -2. Add 3mdeb cachix hosting as default. +1. Add 3mdeb cachix hosting as default. - ```bash - $ cachix use 3mdeb - Cachix configuration written to /etc/nixos/cachix.nix. - Binary cache 3mdeb configuration written to /etc/nixos/cachix/3mdeb.nix. + ```bash + $ cachix use 3mdeb + Cachix configuration written to /etc/nixos/cachix.nix. + Binary cache 3mdeb configuration written to /etc/nixos/cachix/3mdeb.nix. - To start using cachix add the following to your /etc/nixos/configuration.nix: + To start using cachix add the following to your /etc/nixos/configuration.nix: - imports = [ ./cachix.nix ]; + imports = [ ./cachix.nix ]; - Then run: + Then run: - $ sudo nixos-rebuild switch - ``` + $ sudo nixos-rebuild switch + ``` -3. Meet above requirement by editing `/etc/nixos/configuration.nix`. +1. Meet above requirement by editing `/etc/nixos/configuration.nix`. - > Probably vim editor is not available at this stage. Instead of vim, you - can use nano. + > Probably vim editor is not available at this stage. Instead of vim, you can + > use nano. - ```bash - $ nano /etc/nixos/configuration.nix - (...) - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ./cachix.nix - ]; - (...) - ``` + ```bash + $ nano /etc/nixos/configuration.nix + (...) + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ./cachix.nix + ]; + (...) + ``` - > Don't rebuild NixOS yet. It will be done later. + > Don't rebuild NixOS yet. It will be done later. -4. Install git package. +1. Install git package. - ```bash - $ nix-env -iA nixos.git - ``` + ```bash + nix-env -iA nixos.git + ``` -5. Clone [3mdeb/nixpkgs](https://github.com/3mdeb/nixpkgs/tree/trenchboot_support_2020.03) -repository. +1. Clone + [3mdeb/nixpkgs](https://github.com/3mdeb/nixpkgs/tree/trenchboot_support_2020.03) + repository. - `3mdeb nixpkgs` contains additional packages compared with default NixOS - `nixpkgs`, so everything is in one place. Most of all, there are: + `3mdeb nixpkgs` contains additional packages compared with default NixOS + `nixpkgs`, so everything is in one place. Most of all, there are: - 1. [grub-tb](https://github.com/3mdeb/grub2/tree/trenchboot_support) - - custom GRUB2 with `slaunch` module enabled; - 1. [landing-zone](https://github.com/TrenchBoot/landing-zone.git) - LZ + 1. [grub-tb](https://github.com/3mdeb/grub2/tree/trenchboot_support) - custom + GRUB2 with `slaunch` module enabled; + 1. [landing-zone](https://github.com/TrenchBoot/landing-zone.git) - LZ without debug flag - 1. [landing-zone-debug](https://github.com/TrenchBoot/landing-zone.git) - LZ + 1. [landing-zone-debug](https://github.com/TrenchBoot/landing-zone.git) - LZ with debug - 1. [linux-5.1](https://github.com/3mdeb/linux-stable/tree/linux-sl-5.1-sha2-amd) - - custom Linux kernel with initrd - - ```bash - $ git clone https://github.com/3mdeb/nixpkgs.git -b trenchboot_support_2020.03 - (...) - $ ls - nixpkgs - ``` - -6. Update (rebuild) NixOS. - - ``` - $ sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs - ``` - - > IMPORTANT: `-I nixpkgs=~/nixpkgs` flag is needful here! It replaces - default `nixpkgs` with previously downloaded one. Make sure the directory is - valid (we have it in home (~)). If you follow our instruction step-by-step, - you have it also there. - -7. Reboot platform. - - > DRTM is not enabled yet! Boot to NixOS and finish configuration. - -8. Clone [3mdeb/nixos-trenchboot-configs](https://github.com/3mdeb/nixos-trenchboot-configs.git) -repository. - - This repository contains all necessary NixOS configuration files in - ready-to-use form, so there is no need to edit them by hand at this moment. - - ```bash - $ git clone https://github.com/3mdeb/nixos-trenchboot-configs.git - ``` - - List `nixos-trenchboot-configs` folder. - - ```bash - $ cd nixos-trenchboot-configs/ - $ ls - configuration.nix linux-5.1.nix MANUAL.md README.md tb-config.nix - ``` - - Among listed files, most interesting one is `configuration.nix`. Customizing it - saves time and work compared with tools and package manual installs. Manual work - is good for small and fast builds. The more (and more significant) changes you - want to do, the more efficient way is to re-build your NixOS system. That is - done by editing `configuration.nix` file. As you already know, among others we - want to rebuild Linux kernel, replace GRUB bootloader and install custom - packages. That is why we decided to prepare new config and re-install NixOS. - - Let's take a closer look at its content. Entire file is rather large, so the - output will be truncated and only essential parts/lines will be mentioned. - - ```bash - $ cat configuration.nix - - (...) - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ./cachix.nix - ./linux-5.1.nix - ]; - (...) - boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only - boot.loader.grub.extraEntries = '' - menuentry "NixOS - Secure Launch" { - search --set=drive1 --fs-uuid 178473b0-282f-4994-96fc-a8e51e2cfdac - search --set=drive2 --fs-uuid 178473b0-282f-4994-96fc-a8e51e2cfdac - slaunch skinit - slaunch_module ($drive2)/boot/lz_header - linux ($drive2)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/b32wgz392q99cls12pkd8adddzbdkprn-nixos-system-nixos-20.09.git.50c3e448fceM init=/nix/store/b32wgz392q99cls12pkd8adddzbdkprn-nixos-system-nixos-20.09.git.50c3e448fceM/init console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 loglevel=4 - initrd ($drive2)/nix/store/zv2vl35xldkbss1y2fib1nifmw0yvick-initrd-linux-5.1.0/initrd - } - ''; - - # OS utilities - environment.systemPackages = [ - pkgs.pkg-config - pkgs.git - pkgs.gnumake - pkgs.autoconf - pkgs.automake - pkgs.gettext - pkgs.python - pkgs.m4 - pkgs.libtool - pkgs.bison - pkgs.flex - pkgs.gcc - pkgs.gcc_multi - pkgs.libusb - pkgs.ncurses - pkgs.freetype - pkgs.qemu - pkgs.lvm2 - pkgs.unifont - pkgs.fuse - pkgs.gnulib - pkgs.stdenv - pkgs.nasm - pkgs.binutils - pkgs.tpm2-tools - pkgs.tpm2-tss - pkgs.landing-zone - pkgs.landing-zone-debug - pkgs.grub-tb - ]; - - # Grub override - nixpkgs.config.packageOverrides = pkgs: { grub2 = pkgs.grub-tb; }; - ``` - - Remarks: - 1. we import `cachix` service and custom linux 5.1 kernel to be built; - 1. adjust GRUB entries to boot `slaunch` and change directories of - `bzImage` (Linux kernel) and `initrd` to custom ones; - 1. add all necessary system packages (i.a. `landing-zone`, - `landing-zone-debug` and `grub-tb`); - 1. override default GRUB package with custom one; - -9. Copy all configuration files to `/etc/nixos/` directory. - - ```bash - $ cp nixos-trenchboot-configs/*.nix /etc/nixos - ``` - -10. Update (re-build) system. - - ```bash - $ sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs - building Nix... - building the system configuration... - ``` - -11. Reboot platform. - - > DRTM is not enabled yet. Choose `"NixOs - Default"` entry in GRUB menu. - -12. Install GRUB2-TrenchBoot to `/dev/sdX`. - - ```bash - $ grub-install /dev/sda - ``` - - > Remember to choose proper device (disk) - in our case it is `/dev/sda`. - -13. Ensure that `slaunch` module is present in `/boot/grub/i386-pc/`. - - ```bash - $ ls /boot/grub/i386-pc | grep slaunch - slaunch.mod - ``` - -14. Find Landing Zone package in `/nixos/store/`. - - ```bash - $ ls /nix/store/ | grep landing-zone - 5q92f6l4s1jfbw5ygfr1sd4hlczjj6l2-landing-zone-0.3.0.drv - 6v15ikqsyqk5fs0jg1n6755dp1nr6cyc-landing-zone-debug-0.3.0.drv - dnpqvb64jjr3x2kxx92wvdkvmah72h6m-landing-zone-debug-0.3.0 - zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0 - ``` - - > Package without `-debug` in its name and without *.drv* extension is what - we are looking for. - -15. Copy `lz_header.bin` to `/boot/` directory. - - ```bash - $ cp /nix/store/zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0/lz_header.bin /boot/lz_header - ``` - -16. Check `/boot/grub/grub.cfg` file and its `NixOS - Default` menu entry. -Adjust `/etc/nixos/configuration.nix` and its `boot.loader.grub.extraEntries` -line to have exactly the same directories included. - - ```bash - $ cat /boot/grub/grub.cfg - (...) - menuentry "NixOS - Default" { - search --set=drive1 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f - search --set=drive2 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f - linux ($drive2)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/1mgqiy35hksf0r66gfffrl76s2img9z2-nixo - s-system-nixos-20.09.git.c36910d42c5 init=/nix/store/1mgqiy35hksf0r66gfffrl76s2img9z2-nixos-system-nixos-20.09.git.c36910d42c5/init console=tt - yS0,115200 earlyprintk=serial,ttyS0,115200 loglevel=4 - initrd ($drive2)/nix/store/gyqhrgvapfhfqq8x1km3z9ipv7phcadq-initrd-linux-5.1.0/initrd - } - (...) - ``` - - With `grub.cfg` content as above `configuration.nix` must have - `boot.loader.grub.extraEntries `line like this: - - ```bash - $ cat /etc/nixos/configuration.nix - (...) - boot.loader.grub.extraEntries = '' - menuentry "NixOS - Secure Launch" { - search --set=drive1 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f - search --set=drive2 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f - slaunch skinit - slaunch_module ($drive2)/boot/lz_header - linux ($drive2)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/1mgqiy35hksf0r66gfffrl76s2img9z2-nixos-system-nixos-20.09.git.c36910d42c5 init=/nix/store/1mgqiy35hksf0r66gfffrl76s2img9z2-nixos-system-nixos-20.09.git.c36910d42c5/init console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 loglevel=4 - initrd ($drive2)/nix/store/gyqhrgvapfhfqq8x1km3z9ipv7phcadq-initrd-linux-5.1.0/initrd - } - ''; - ``` - - If there are differences in any of `search --set=drive1...`, `search - --set=drive2...`, `linux ($drive2)/nix/store...` lines, edit - `configuration.nix` content and copy those lines from `grub.cfg` menuentry - `"NixOS - Default"`. They must be exactly the same. - -17. Update system for the last time. - - ```bash - $ sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs - ``` - -18. Reboot platform. - -During platform booting, in GRUB menu there should be at least `"NixOS - -Default"` and `"NixOS - Secure Launch"` entries. First entry boots platform -without DRTM. Second entry **executes DRTM**! Choose the second entry and see if -platform boots successfully. If yes, you have secure platform with DRTM enabled. + 1. [linux-5.1](https://github.com/3mdeb/linux-stable/tree/linux-sl-5.1-sha2-amd) + \- custom Linux kernel with initrd + + ```bash + $ git clone https://github.com/3mdeb/nixpkgs.git -b trenchboot_support_2020.03 + (...) + $ ls + nixpkgs + ``` + +1. Update (rebuild) NixOS. + + ```bash + sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs + ``` + + > IMPORTANT: `-I nixpkgs=~/nixpkgs` flag is needful here! It replaces default + > `nixpkgs` with previously downloaded one. Make sure the directory is valid + > (we have it in home (~)). If you follow our instruction step-by-step, you + > have it also there. + +1. Reboot platform. + + > DRTM is not enabled yet! Boot to NixOS and finish configuration. + +1. Clone + [3mdeb/nixos-trenchboot-configs](https://github.com/3mdeb/nixos-trenchboot-configs.git) + repository. + + This repository contains all necessary NixOS configuration files in + ready-to-use form, so there is no need to edit them by hand at this moment. + + ```bash + git clone https://github.com/3mdeb/nixos-trenchboot-configs.git + ``` + + List `nixos-trenchboot-configs` folder. + + ```bash + $ cd nixos-trenchboot-configs/ + $ ls + configuration.nix linux-5.1.nix MANUAL.md README.md tb-config.nix + ``` + + Among listed files, most interesting one is `configuration.nix`. Customizing + it saves time and work compared with tools and package manual installs. + Manual work is good for small and fast builds. The more (and more + significant) changes you want to do, the more efficient way is to re-build + your NixOS system. That is done by editing `configuration.nix` file. As you + already know, among others we want to rebuild Linux kernel, replace GRUB + bootloader and install custom packages. That is why we decided to prepare new + config and re-install NixOS. + + Let's take a closer look at its content. Entire file is rather large, so the + output will be truncated and only essential parts/lines will be mentioned. + + ```bash + $ cat configuration.nix + + (...) + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ./cachix.nix + ./linux-5.1.nix + ]; + (...) + boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only + boot.loader.grub.extraEntries = '' + menuentry "NixOS - Secure Launch" { + search --set=drive1 --fs-uuid 178473b0-282f-4994-96fc-a8e51e2cfdac + search --set=drive2 --fs-uuid 178473b0-282f-4994-96fc-a8e51e2cfdac + slaunch skinit + slaunch_module ($drive2)/boot/lz_header + linux ($drive2)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/b32wgz392q99cls12pkd8adddzbdkprn-nixos-system-nixos-20.09.git.50c3e448fceM init=/nix/store/b32wgz392q99cls12pkd8adddzbdkprn-nixos-system-nixos-20.09.git.50c3e448fceM/init console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 loglevel=4 + initrd ($drive2)/nix/store/zv2vl35xldkbss1y2fib1nifmw0yvick-initrd-linux-5.1.0/initrd + } + ''; + + # OS utilities + environment.systemPackages = [ + pkgs.pkg-config + pkgs.git + pkgs.gnumake + pkgs.autoconf + pkgs.automake + pkgs.gettext + pkgs.python + pkgs.m4 + pkgs.libtool + pkgs.bison + pkgs.flex + pkgs.gcc + pkgs.gcc_multi + pkgs.libusb + pkgs.ncurses + pkgs.freetype + pkgs.qemu + pkgs.lvm2 + pkgs.unifont + pkgs.fuse + pkgs.gnulib + pkgs.stdenv + pkgs.nasm + pkgs.binutils + pkgs.tpm2-tools + pkgs.tpm2-tss + pkgs.landing-zone + pkgs.landing-zone-debug + pkgs.grub-tb + ]; + + # Grub override + nixpkgs.config.packageOverrides = pkgs: { grub2 = pkgs.grub-tb; }; + ``` + + Remarks: + + 1. we import `cachix` service and custom linux 5.1 kernel to be built; + 1. adjust GRUB entries to boot `slaunch` and change directories of `bzImage` + (Linux kernel) and `initrd` to custom ones; + 1. add all necessary system packages (i.a. `landing-zone`, + `landing-zone-debug` and `grub-tb`); + 1. override default GRUB package with custom one; + +1. Copy all configuration files to `/etc/nixos/` directory. + + ```bash + cp nixos-trenchboot-configs/*.nix /etc/nixos + ``` + +1. Update (re-build) system. + + ```bash + $ sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs + building Nix... + building the system configuration... + ``` + +1. Reboot platform. + + > DRTM is not enabled yet. Choose `"NixOs - Default"` entry in GRUB menu. + +1. Install GRUB2-TrenchBoot to `/dev/sdX`. + + ```bash + grub-install /dev/sda + ``` + + > Remember to choose proper device (disk) - in our case it is `/dev/sda`. + +1. Ensure that `slaunch` module is present in `/boot/grub/i386-pc/`. + + ```bash + $ ls /boot/grub/i386-pc | grep slaunch + slaunch.mod + ``` + +1. Find Landing Zone package in `/nixos/store/`. + + ```bash + $ ls /nix/store/ | grep landing-zone + 5q92f6l4s1jfbw5ygfr1sd4hlczjj6l2-landing-zone-0.3.0.drv + 6v15ikqsyqk5fs0jg1n6755dp1nr6cyc-landing-zone-debug-0.3.0.drv + dnpqvb64jjr3x2kxx92wvdkvmah72h6m-landing-zone-debug-0.3.0 + zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0 + ``` + + > Package without `-debug` in its name and without _.drv_ extension is what + > we are looking for. + +1. Copy `lz_header.bin` to `/boot/` directory. + + ```bash + cp /nix/store/zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0/lz_header.bin /boot/lz_header + ``` + +1. Check `/boot/grub/grub.cfg` file and its `NixOS - Default` menu entry. Adjust + `/etc/nixos/configuration.nix` and its `boot.loader.grub.extraEntries` line + to have exactly the same directories included. + + ```bash + $ cat /boot/grub/grub.cfg + (...) + menuentry "NixOS - Default" { + search --set=drive1 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f + search --set=drive2 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f + linux ($drive2)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/1mgqiy35hksf0r66gfffrl76s2img9z2-nixo + s-system-nixos-20.09.git.c36910d42c5 init=/nix/store/1mgqiy35hksf0r66gfffrl76s2img9z2-nixos-system-nixos-20.09.git.c36910d42c5/init console=tt + yS0,115200 earlyprintk=serial,ttyS0,115200 loglevel=4 + initrd ($drive2)/nix/store/gyqhrgvapfhfqq8x1km3z9ipv7phcadq-initrd-linux-5.1.0/initrd + } + (...) + ``` + + With `grub.cfg` content as above `configuration.nix` must have + `boot.loader.grub.extraEntries`line like this: + + ```bash + $ cat /etc/nixos/configuration.nix + (...) + boot.loader.grub.extraEntries = '' + menuentry "NixOS - Secure Launch" { + search --set=drive1 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f + search --set=drive2 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f + slaunch skinit + slaunch_module ($drive2)/boot/lz_header + linux ($drive2)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/1mgqiy35hksf0r66gfffrl76s2img9z2-nixos-system-nixos-20.09.git.c36910d42c5 init=/nix/store/1mgqiy35hksf0r66gfffrl76s2img9z2-nixos-system-nixos-20.09.git.c36910d42c5/init console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 loglevel=4 + initrd ($drive2)/nix/store/gyqhrgvapfhfqq8x1km3z9ipv7phcadq-initrd-linux-5.1.0/initrd + } + ''; + ``` + + If there are differences in any of `search --set=drive1...`, + `search --set=drive2...`, `linux ($drive2)/nix/store...` lines, edit + `configuration.nix` content and copy those lines from `grub.cfg` menuentry + `"NixOS - Default"`. They must be exactly the same. + +1. Update system for the last time. + + ```bash + sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs + ``` + +1. Reboot platform. + +During platform booting, in GRUB menu there should be at least +`"NixOS - Default"` and `"NixOS - Secure Launch"` entries. First entry boots +platform without DRTM. Second entry **executes DRTM**! Choose the second entry +and see if platform boots successfully. If yes, you have secure platform with +DRTM enabled. ## Validation @@ -391,9 +397,9 @@ project's requirement. There are two ways to validate if GRUB will load `slaunch` module and hence run SKINIT and LZ (DRTM). -##### Verify content of `grub.cfg` file. +#### Verify content of `grub.cfg` file -``` +```bash $ cat /boot/grub/grub.cfg menuentry "NixOS - Default" { search --set=drive1 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f @@ -408,7 +414,7 @@ menuentry "NixOS - Secure Launch" { slaunch skinit slaunch_module ($drive2)/boot/lz_header linux ($drive2)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/1mgqiy35hksf0r66gfffrl76s2img9z2-nix4 - initrd ($drive2)/nix/store/gyqhrgvapfhfqq8x1km3z9ipv7phcadq-initrd-linux-5.1.0/initrd + initrd ($drive2)/nix/store/gyqhrgvapfhfqq8x1km3z9ipv7phcadq-initrd-linux-5.1.0/initrd } ``` @@ -418,90 +424,90 @@ In "NixOS - Secure Launch" entry there must be `slaunch skinit` entry and ##### Compare bootlog with DRTM and without DRTM 1. Reboot platform. In GRUB menu choose `"NixOS - Default"` entry (without -DRTM). - - Collect logs during boot to be able to verify them. Using `dmesg` command in - NixOS doesn't work because it doesn't show pre-kernel stage logs! Correct - bootlog is shown below. - - ``` - early console in extract_kernel - input_data: 0x00000000023eb3b1 - input_len: 0x0000000000424e94 - output: 0x0000000001000000 - output_len: 0x00000000017e7398 - kernel_total_size: 0x000000000142c000 - trampoline_32bit: 0x000000000009d000 - booted via startup_32() - Physical KASLR using RDTSC... - Virtual KASLR using RDTSC... - - Decompressing Linux... Parsing ELF... Performing relocations... done. - Booting the kernel. - [ 0.000000] Linux version 5.1.0 (nixbld@localhost) (gcc version 9.2.0 (GCC)) #1-NixOS SMP Thu Jan 1 00:00:01 UTC 1970 - [ 0.000000] Command line: BOOT_IMAGE=(hd0,msdos1)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/74 - [ 0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers' - - (...) - - <<< Welcome to NixOS 20.09.git.a070e686875 (x86_64) - ttyS0 >>> - - Run 'nixos-help' for the NixOS manual. - ``` - - **Verification**: As expected, bootloader executes Linux kernel directly. - Platform booted without DRTM then. - -2. Reboot platform once again. In GRUB menu choose `"NixOS - Secure Launch"` -entry. - - Once again, collect logs during boot to be able to verify them. Using `dmesg` - command in NixOS doesn't work, as in previous case. Correct bootlog is shown - below. - - ``` - grub_cmd_slaunch:122: check for manufacturer - grub_cmd_slaunch:126: check for cpuid - grub_cmd_slaunch:136: set slaunch - grub_cmd_slaunch_module:156: check argc - grub_cmd_slaunch_module:161: check relocator - grub_cmd_slaunch_module:170: open file - grub_cmd_slaunch_module:175: get size - grub_cmd_slaunch_module:180: allocate memory - grub_cmd_slaunch_module:192: addr: 0x100000 - grub_cmd_slaunch_module:194: target: 0x100000 - grub_cmd_slaunch_module:196: add module - grub_cmd_slaunch_module:205: read file - grub_cmd_slaunch_module:215: close file - grub_slaunch_boot_skinit:41: real_mode_target: 0x8a000 - grub_slaunch_boot_skinit:42: prot_mode_target: 0x1000000 - grub_slaunch_boot_skinit:43: params: 0xcfe7745early console in extract_kernel - input_data: 0x00000000023eb3b1 - input_len: 0x0000000000424e94 - output: 0x0000000001000000 - output_len: 0x00000000017e7398 - kernel_total_size: 0x000000000142c000 - trampoline_32bit: 0x000000000009d000 - booted via startup_32() - Physical KASLR using RDTSC... - Virtual KASLR using RDTSC... - - Decompressing Linux... Parsing ELF... Performing relocations... done. - Booting the kernel. - [ 0.000000] Linux version 5.1.0 (nixbld@localhost) (gcc version 9.2.0 (GCC)) #1-NixOS SMP Thu Jan 1 00:00:01 UTC 1970 - [ 0.000000] Command line: BOOT_IMAGE=(hd0,msdos1)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/j4 - [ 0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers' - - (...) - - <<< Welcome to NixOS 20.09.git.a070e686875 (x86_64) - ttyS0 >>> - - Run 'nixos-help' for the NixOS manual. - ``` - - **Verification**: As expected, before Linux kernel, there should be - `slaunch` module executed. It proves that DRTM is enabled. There is no - information about LZ execution because it is non-debug version. + DRTM). + + Collect logs during boot to be able to verify them. Using `dmesg` command in + NixOS doesn't work because it doesn't show pre-kernel stage logs! Correct + bootlog is shown below. + + ```bash + early console in extract_kernel + input_data: 0x00000000023eb3b1 + input_len: 0x0000000000424e94 + output: 0x0000000001000000 + output_len: 0x00000000017e7398 + kernel_total_size: 0x000000000142c000 + trampoline_32bit: 0x000000000009d000 + booted via startup_32() + Physical KASLR using RDTSC... + Virtual KASLR using RDTSC... + + Decompressing Linux... Parsing ELF... Performing relocations... done. + Booting the kernel. + [ 0.000000] Linux version 5.1.0 (nixbld@localhost) (gcc version 9.2.0 (GCC)) #1-NixOS SMP Thu Jan 1 00:00:01 UTC 1970 + [ 0.000000] Command line: BOOT_IMAGE=(hd0,msdos1)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/74 + [ 0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers' + + (...) + + <<< Welcome to NixOS 20.09.git.a070e686875 (x86_64) - ttyS0 >>> + + Run 'nixos-help' for the NixOS manual. + ``` + + **Verification**: As expected, bootloader executes Linux kernel directly. + Platform booted without DRTM then. + +1. Reboot platform once again. In GRUB menu choose `"NixOS - Secure Launch"` + entry. + + Once again, collect logs during boot to be able to verify them. Using `dmesg` + command in NixOS doesn't work, as in previous case. Correct bootlog is shown + below. + + ```bash + grub_cmd_slaunch:122: check for manufacturer + grub_cmd_slaunch:126: check for cpuid + grub_cmd_slaunch:136: set slaunch + grub_cmd_slaunch_module:156: check argc + grub_cmd_slaunch_module:161: check relocator + grub_cmd_slaunch_module:170: open file + grub_cmd_slaunch_module:175: get size + grub_cmd_slaunch_module:180: allocate memory + grub_cmd_slaunch_module:192: addr: 0x100000 + grub_cmd_slaunch_module:194: target: 0x100000 + grub_cmd_slaunch_module:196: add module + grub_cmd_slaunch_module:205: read file + grub_cmd_slaunch_module:215: close file + grub_slaunch_boot_skinit:41: real_mode_target: 0x8a000 + grub_slaunch_boot_skinit:42: prot_mode_target: 0x1000000 + grub_slaunch_boot_skinit:43: params: 0xcfe7745early console in extract_kernel + input_data: 0x00000000023eb3b1 + input_len: 0x0000000000424e94 + output: 0x0000000001000000 + output_len: 0x00000000017e7398 + kernel_total_size: 0x000000000142c000 + trampoline_32bit: 0x000000000009d000 + booted via startup_32() + Physical KASLR using RDTSC... + Virtual KASLR using RDTSC... + + Decompressing Linux... Parsing ELF... Performing relocations... done. + Booting the kernel. + [ 0.000000] Linux version 5.1.0 (nixbld@localhost) (gcc version 9.2.0 (GCC)) #1-NixOS SMP Thu Jan 1 00:00:01 UTC 1970 + [ 0.000000] Command line: BOOT_IMAGE=(hd0,msdos1)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/j4 + [ 0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers' + + (...) + + <<< Welcome to NixOS 20.09.git.a070e686875 (x86_64) - ttyS0 >>> + + Run 'nixos-help' for the NixOS manual. + ``` + + **Verification**: As expected, before Linux kernel, there should be `slaunch` + module executed. It proves that DRTM is enabled. There is no information + about LZ execution because it is non-debug version. ### Landing Zone @@ -510,11 +516,11 @@ Linux kernel as well. LZ extends only **PCR17**, kernel extends only **PCR18**. It's important to distinguish those two values. If kernel doesn't make measurements, there should be only `00000...` in PCR18. In requirements verification procedures (presented later), you can notice, that regardless of -using TPM2.0 or TPM1.2 module, PCR17 and PCR18 are both filled with -non-zero values. It proves that both LZ and kernel takes measurements. +using TPM2.0 or TPM1.2 module, PCR17 and PCR18 are both filled with non-zero +values. It proves that both LZ and kernel takes measurements. + +There are few aspects which can be verified in LZ. We will focus on those three: -There are few aspects which can be verified in LZ. We will focus on -those three: - check if LZ utilizes SHA256 algorithm when using TPM2.0 module - check if LZ utilizes SHA1 algorithm when using TPM1.2 module - check if LZ debug option can be enabled @@ -524,446 +530,445 @@ have all latest changes applied. 1. Pull `trenchboot_support_2020.06` branch from `3mdeb/nixpkgs` repository. - ``` - $ cd ~/nixpkgs/ - $ git checkout trenchboot_support_2020.04 - $ git pull - ``` + ```bash + cd ~/nixpkgs/ + git checkout trenchboot_support_2020.04 + git pull + ``` -2. Rebuild NixOS. +1. Rebuild NixOS. - ``` - $ sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs - ``` + ```bash + sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs + ``` -##### check if LZ utilizes SHA256 algorithm when using TPM2.0 module +#### check if LZ utilizes SHA256 algorithm when using TPM2.0 module 1. If not already booted to `"NixOS - Secure Launch"`, reboot platform and boot -to NixOS via `"NixOS - Secure Launch"` entry in GRUB menu. - -2. Run `tpm2_pcrread` command. - - ``` - $ tpm2_pcrread - sha1: - 0 : 0x3A3F780F11A4B49969FCAA80CD6E3957C33B2275 - 1 : 0xFE4F0F826A15FA9E426722AAE12731508D84110D - 2 : 0x53DE584DCEF03F6A7DAC1A240A835893896F218D - 3 : 0x3A3F780F11A4B49969FCAA80CD6E3957C33B2275 - 4 : 0x017A3DE82F4A1B77FC33A903FEF6AD27EE92BE04 - 5 : 0x46DF69CCCFB08DE09E8BC2E8FAAD8D4F942FDD85 - 6 : 0x3A3F780F11A4B49969FCAA80CD6E3957C33B2275 - 7 : 0x3A3F780F11A4B49969FCAA80CD6E3957C33B2275 - 8 : 0x0000000000000000000000000000000000000000 - 9 : 0x0000000000000000000000000000000000000000 - 10: 0x0000000000000000000000000000000000000000 - 11: 0x0000000000000000000000000000000000000000 - 12: 0x0000000000000000000000000000000000000000 - 13: 0x0000000000000000000000000000000000000000 - 14: 0x0000000000000000000000000000000000000000 - 15: 0x0000000000000000000000000000000000000000 - 16: 0x0000000000000000000000000000000000000000 - 17: 0xD425110792179753635626B3FAB43E8F657026E2 - 18: 0x0000000000000000000000000000000000000000 - 19: 0x0000000000000000000000000000000000000000 - 20: 0x0000000000000000000000000000000000000000 - 21: 0x0000000000000000000000000000000000000000 - 22: 0x0000000000000000000000000000000000000000 - 23: 0x0000000000000000000000000000000000000000 - sha256: - 0 : 0xD27CC12614B5F4FF85ED109495E320FB1E5495EB28D507E952D51091E7AE2A72 - 1 : 0xF4CE533757FFD1AA737A15D0D6804CAFEBE9FF2B507C696709557E72E49FFD34 - 2 : 0xFA8791BB6BCE8EBF4AD7B516ADFBBB9B2F1499A8876E2C909135AEBDCCA2D84C - 3 : 0xD27CC12614B5F4FF85ED109495E320FB1E5495EB28D507E952D51091E7AE2A72 - 4 : 0x94855A1DF928211EAB2000178968B4B630B9BAC53B4C34177EE5224E9AAF2304 - 5 : 0x9DEEEAA62816FDC5BB53C83AEDE49BAD1F92A7DABC35A9548253A3B9D535574A - 6 : 0xD27CC12614B5F4FF85ED109495E320FB1E5495EB28D507E952D51091E7AE2A72 - 7 : 0xD27CC12614B5F4FF85ED109495E320FB1E5495EB28D507E952D51091E7AE2A72 - 8 : 0x0000000000000000000000000000000000000000000000000000000000000000 - 9 : 0x0000000000000000000000000000000000000000000000000000000000000000 - 10: 0x0000000000000000000000000000000000000000000000000000000000000000 - 11: 0x0000000000000000000000000000000000000000000000000000000000000000 - 12: 0x0000000000000000000000000000000000000000000000000000000000000000 - 13: 0x0000000000000000000000000000000000000000000000000000000000000000 - 14: 0x0000000000000000000000000000000000000000000000000000000000000000 - 15: 0x0000000000000000000000000000000000000000000000000000000000000000 - 16: 0x0000000000000000000000000000000000000000000000000000000000000000 - 17: 0x7392BE6CD449323115D11BBC97AF4CB2ADAD25B9CF52D0861F87934FEEA7B03E - 18: 0x47D99FC5D85B202479E2D5473224E144B51759EE1F34BBFE8073134E72A073E3 - 19: 0x0000000000000000000000000000000000000000000000000000000000000000 - 20: 0x0000000000000000000000000000000000000000000000000000000000000000 - 21: 0x0000000000000000000000000000000000000000000000000000000000000000 - 22: 0x0000000000000000000000000000000000000000000000000000000000000000 - 23: 0x0000000000000000000000000000000000000000000000000000000000000000 - ``` - -3. Run `extend_all.sh` script from `landing-zone` package. - - This script simulates what should be extended into PCR17 by SKINIT, LZ and - kernel during platform booting. It extends both SHA256 and SHA1 values. - However, expected result is valid only for SHA256 if used with TPM2.0 - device. - - To properly execute script, first find correct directory to `bzImage` and - `initrd`. Best way to find exact directories is to see `"NixOS - Secure - Launch"` entry in `/boot/grub/grub.cfg`: - - ``` - $ cat /boot/grub/grub.cfg - (...) - menuentry "NixOS - Secure Launch" { - search --set=drive1 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f - search --set=drive2 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f - slaunch skinit - slaunch_module ($drive2)/boot/lz_header - linux ($drive2)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/1mgqiy35hksf0r66gfffrl76s2img9z2-nix4 - initrd ($drive2)/nix/store/gyqhrgvapfhfqq8x1km3z9ipv7phcadq-initrd-linux-5.1.0/initrd - } - (...) - ``` - - `/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage` is directory - to Linux kernel. - `/nix/store/gyqhrgvapfhfqq8x1km3z9ipv7phcadq-initrd-linux-5.1.0/initrd` is - directory to initrd. - -4. Go to `/nix/store/` and run below command: - - ``` - $ cd /nix/store - $ ls | grep landing-zone - 5q92f6l4s1jfbw5ygfr1sd4hlczjj6l2-landing-zone-0.3.0.drv - 6v15ikqsyqk5fs0jg1n6755dp1nr6cyc-landing-zone-debug-0.3.0.drv - dnpqvb64jjr3x2kxx92wvdkvmah72h6m-landing-zone-debug-0.3.0 - zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0 - ``` - - > Hash before `-landing-zone-1.0` is dependent on built version and might be - different in yours. Choose non-debug version from above results. - -5. Go to `/nix/store/zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0` -directory. - - ``` - $ cd /nix/store/zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0 - ``` - -6. Execute `./extend_all.sh` script. - - Usage is `./extend_all.sh ` - - It must be executed inside directory containing currently used (debug or - non-debug) version of `lz_header.bin`. You should already be in this - directory after previous step. Directories to `bzImage` and `initrd` we - found in step 3. - - ``` - ./extend_all.sh /nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage /nix/store/gyqhrgvapfhfqq8x1km3z9ipv7phcadq-initrd-linux-5.1.0/initrd - d91e7f685bcae20f84308eafe46f02eea8fcc90c SHA1 - 7392be6cd449323115d11bbc97af4cb2adad25b9cf52d0861f87934feea7b03e SHA256 - ``` - - Compare SHA256 value with PCR17 content checked previously with - `tpm2_pcrread` output. If DRTM is enabled and executes properly, they should - be the same. It proves that LZ code utilizes SHA256 algorithm during - measurements. + to NixOS via `"NixOS - Secure Launch"` entry in GRUB menu. + +1. Run `tpm2_pcrread` command. + + ```bash + $ tpm2_pcrread + sha1: + 0 : 0x3A3F780F11A4B49969FCAA80CD6E3957C33B2275 + 1 : 0xFE4F0F826A15FA9E426722AAE12731508D84110D + 2 : 0x53DE584DCEF03F6A7DAC1A240A835893896F218D + 3 : 0x3A3F780F11A4B49969FCAA80CD6E3957C33B2275 + 4 : 0x017A3DE82F4A1B77FC33A903FEF6AD27EE92BE04 + 5 : 0x46DF69CCCFB08DE09E8BC2E8FAAD8D4F942FDD85 + 6 : 0x3A3F780F11A4B49969FCAA80CD6E3957C33B2275 + 7 : 0x3A3F780F11A4B49969FCAA80CD6E3957C33B2275 + 8 : 0x0000000000000000000000000000000000000000 + 9 : 0x0000000000000000000000000000000000000000 + 10: 0x0000000000000000000000000000000000000000 + 11: 0x0000000000000000000000000000000000000000 + 12: 0x0000000000000000000000000000000000000000 + 13: 0x0000000000000000000000000000000000000000 + 14: 0x0000000000000000000000000000000000000000 + 15: 0x0000000000000000000000000000000000000000 + 16: 0x0000000000000000000000000000000000000000 + 17: 0xD425110792179753635626B3FAB43E8F657026E2 + 18: 0x0000000000000000000000000000000000000000 + 19: 0x0000000000000000000000000000000000000000 + 20: 0x0000000000000000000000000000000000000000 + 21: 0x0000000000000000000000000000000000000000 + 22: 0x0000000000000000000000000000000000000000 + 23: 0x0000000000000000000000000000000000000000 + sha256: + 0 : 0xD27CC12614B5F4FF85ED109495E320FB1E5495EB28D507E952D51091E7AE2A72 + 1 : 0xF4CE533757FFD1AA737A15D0D6804CAFEBE9FF2B507C696709557E72E49FFD34 + 2 : 0xFA8791BB6BCE8EBF4AD7B516ADFBBB9B2F1499A8876E2C909135AEBDCCA2D84C + 3 : 0xD27CC12614B5F4FF85ED109495E320FB1E5495EB28D507E952D51091E7AE2A72 + 4 : 0x94855A1DF928211EAB2000178968B4B630B9BAC53B4C34177EE5224E9AAF2304 + 5 : 0x9DEEEAA62816FDC5BB53C83AEDE49BAD1F92A7DABC35A9548253A3B9D535574A + 6 : 0xD27CC12614B5F4FF85ED109495E320FB1E5495EB28D507E952D51091E7AE2A72 + 7 : 0xD27CC12614B5F4FF85ED109495E320FB1E5495EB28D507E952D51091E7AE2A72 + 8 : 0x0000000000000000000000000000000000000000000000000000000000000000 + 9 : 0x0000000000000000000000000000000000000000000000000000000000000000 + 10: 0x0000000000000000000000000000000000000000000000000000000000000000 + 11: 0x0000000000000000000000000000000000000000000000000000000000000000 + 12: 0x0000000000000000000000000000000000000000000000000000000000000000 + 13: 0x0000000000000000000000000000000000000000000000000000000000000000 + 14: 0x0000000000000000000000000000000000000000000000000000000000000000 + 15: 0x0000000000000000000000000000000000000000000000000000000000000000 + 16: 0x0000000000000000000000000000000000000000000000000000000000000000 + 17: 0x7392BE6CD449323115D11BBC97AF4CB2ADAD25B9CF52D0861F87934FEEA7B03E + 18: 0x47D99FC5D85B202479E2D5473224E144B51759EE1F34BBFE8073134E72A073E3 + 19: 0x0000000000000000000000000000000000000000000000000000000000000000 + 20: 0x0000000000000000000000000000000000000000000000000000000000000000 + 21: 0x0000000000000000000000000000000000000000000000000000000000000000 + 22: 0x0000000000000000000000000000000000000000000000000000000000000000 + 23: 0x0000000000000000000000000000000000000000000000000000000000000000 + ``` + +1. Run `extend_all.sh` script from `landing-zone` package. + + This script simulates what should be extended into PCR17 by SKINIT, LZ and + kernel during platform booting. It extends both SHA256 and SHA1 values. + However, expected result is valid only for SHA256 if used with TPM2.0 device. + + To properly execute script, first find correct directory to `bzImage` and + `initrd`. Best way to find exact directories is to see + `"NixOS - Secure Launch"` entry in `/boot/grub/grub.cfg`: + + ```bash + $ cat /boot/grub/grub.cfg + (...) + menuentry "NixOS - Secure Launch" { + search --set=drive1 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f + search --set=drive2 --fs-uuid fcc62677-b961-4ccf-bd66-376db104240f + slaunch skinit + slaunch_module ($drive2)/boot/lz_header + linux ($drive2)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/1mgqiy35hksf0r66gfffrl76s2img9z2-nix4 + initrd ($drive2)/nix/store/gyqhrgvapfhfqq8x1km3z9ipv7phcadq-initrd-linux-5.1.0/initrd + } + (...) + ``` + + `/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage` is + directory to Linux kernel. + `/nix/store/gyqhrgvapfhfqq8x1km3z9ipv7phcadq-initrd-linux-5.1.0/initrd` is + directory to initrd. + +1. Go to `/nix/store/` and run below command: + + ```bash + $ cd /nix/store + $ ls | grep landing-zone + 5q92f6l4s1jfbw5ygfr1sd4hlczjj6l2-landing-zone-0.3.0.drv + 6v15ikqsyqk5fs0jg1n6755dp1nr6cyc-landing-zone-debug-0.3.0.drv + dnpqvb64jjr3x2kxx92wvdkvmah72h6m-landing-zone-debug-0.3.0 + zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0 + ``` + + > Hash before `-landing-zone-1.0` is dependent on built version and might be + > different in yours. Choose non-debug version from above results. + +1. Go to `/nix/store/zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0` + directory. + + ```bash + cd /nix/store/zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0 + ``` + +1. Execute `./extend_all.sh` script. + + Usage is `./extend_all.sh ` + + It must be executed inside directory containing currently used (debug or + non-debug) version of `lz_header.bin`. You should already be in this + directory after previous step. Directories to `bzImage` and `initrd` we found + in step 3. + + ```bash + ./extend_all.sh /nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage /nix/store/gyqhrgvapfhfqq8x1km3z9ipv7phcadq-initrd-linux-5.1.0/initrd + d91e7f685bcae20f84308eafe46f02eea8fcc90c SHA1 + 7392be6cd449323115d11bbc97af4cb2adad25b9cf52d0861f87934feea7b03e SHA256 + ``` + + Compare SHA256 value with PCR17 content checked previously with + `tpm2_pcrread` output. If DRTM is enabled and executes properly, they should + be the same. It proves that LZ code utilizes SHA256 algorithm during + measurements. ##### check if LZ utilizes SHA1 algorithm when using TPM1.2 module 1. If not already booted to `"NixOS - Secure Launch"`, reboot platform and boot -to NixOS via `"NixOS - Secure Launch"` entry in GRUB menu. - -2. Update `landing-zone` package to have support for TPM1.2. - - ``` - $ cd ~/nixpkgs - $ git checkout tpm12_support - $ nix-build -A landing-zone - ``` - -4. Go to `/nix/store/` directory and search for newly build landing-zone -package. - - ``` - $ cd /nix/store - $ ls | grep landing-zone - 5a6kapnjxs8dj4jp49qagz1mw2r6hnr2-landing-zone-debug-0.3.0 - l1b2h84fdw8g0m9aygmv8g3nhbnw9kic-landing-zone-debug-0.3.0.drv - lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0 - mnbh5xahlbzmfa50r60y5z4lph9rd41k-landing-zone-0.3.0.drv - ``` - - We are looking for entry without `-debug` and `.drv` extension. In this - particular example, it is - `5a6kapnjxs8dj4jp49qagz1mw2r6hnr2-landing-zone-debug-0.3.0`. - -3. Copy `lz_header.bin` from above directory to `/boot` directory. - - ``` - $ cp /nix/store/5a6kapnjxs8dj4jp49qagz1mw2r6hnr2-landing-zone-debug-0.3.0/lz_header.bin /boot/lz_header - ``` - -4. Reboot platform to apply changes. - -5. Check PCR values of TPM1.2 module. - - > Notice, that `tpm2_tools` is not compatible with TPM1.2 module, so it - won't work! - - ``` - # cat /sys/class/tpm/tpm0/pcrs - PCR-00: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75 - PCR-01: 40 9C 01 12 67 A9 37 5E BF 5A 5C 43 C6 96 FE 25 AD 0F 02 3B - PCR-02: B2 2A 53 5A C8 0C CA 8A 49 AD 1A D8 77 29 82 6F 49 2D 53 7E - PCR-03: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75 - PCR-04: 01 7A 3D E8 2F 4A 1B 77 FC 33 A9 03 FE F6 AD 27 EE 92 BE 04 - PCR-05: 37 0C 7F 87 39 AF DC E7 1F EB 67 FE 83 B2 47 6F D7 B5 59 CD - PCR-06: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75 - PCR-07: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75 - PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - PCR-09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - PCR-17: AD CA 0E DC CD A7 EF 26 71 27 51 42 BE C2 E3 95 BF 37 3F 02 - PCR-18: EF F6 CC FC 57 41 36 4A DF 29 68 E5 50 81 E8 AF AD 72 B4 7B - PCR-19: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - PCR-20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - PCR-21: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - PCR-22: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ``` - -6. Execute steps 3-6 from -*check if LZ utilizes SHA256 algorithm when using TPM2.0 module* instruction. - - ``` - ./extend_all.sh /nix/store/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3/bzImage /nix/store/n9wj42p2kvm84rxr7bwh8qjxmawa447k-initrd-linux-5.5.3/initrd - adca0edccda7ef2671275142bec2e395bf373f02 SHA1 - b06f177d3fe280bd0bb1cc24ad54930d953751ee028f461a4d352959d10f9fd0 SHA256 - ``` - - Compare SHA1 value with PCR17 content checked previously with - `/sys/class/tpm/tpm0/pcrs` output. If DRTM is enabled and executes properly, - they should be the same. It proves that LZ code utilizes SHA1 algorithm - during measurements. - - >It is ok, if your PCRs values aren't exactly the same as in above logs. - Since writing this instruction, some changes were most probably added to LZ. - Therefore, make sure to always compare values between script and command - output on your local machine, rather than with above logs. + to NixOS via `"NixOS - Secure Launch"` entry in GRUB menu. + +1. Update `landing-zone` package to have support for TPM1.2. + + ```bash + cd ~/nixpkgs + git checkout tpm12_support + nix-build -A landing-zone + ``` + +1. Go to `/nix/store/` directory and search for newly build landing-zone + package. + + ```bash + $ cd /nix/store + $ ls | grep landing-zone + 5a6kapnjxs8dj4jp49qagz1mw2r6hnr2-landing-zone-debug-0.3.0 + l1b2h84fdw8g0m9aygmv8g3nhbnw9kic-landing-zone-debug-0.3.0.drv + lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0 + mnbh5xahlbzmfa50r60y5z4lph9rd41k-landing-zone-0.3.0.drv + ``` + + We are looking for entry without `-debug` and `.drv` extension. In this + particular example, it is + `5a6kapnjxs8dj4jp49qagz1mw2r6hnr2-landing-zone-debug-0.3.0`. + +1. Copy `lz_header.bin` from above directory to `/boot` directory. + + ```bash + cp /nix/store/5a6kapnjxs8dj4jp49qagz1mw2r6hnr2-landing-zone-debug-0.3.0/lz_header.bin /boot/lz_header + ``` + +1. Reboot platform to apply changes. + +1. Check PCR values of TPM1.2 module. + + > Notice, that `tpm2_tools` is not compatible with TPM1.2 module, so it won't + > work! + + ```bash + # cat /sys/class/tpm/tpm0/pcrs + PCR-00: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75 + PCR-01: 40 9C 01 12 67 A9 37 5E BF 5A 5C 43 C6 96 FE 25 AD 0F 02 3B + PCR-02: B2 2A 53 5A C8 0C CA 8A 49 AD 1A D8 77 29 82 6F 49 2D 53 7E + PCR-03: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75 + PCR-04: 01 7A 3D E8 2F 4A 1B 77 FC 33 A9 03 FE F6 AD 27 EE 92 BE 04 + PCR-05: 37 0C 7F 87 39 AF DC E7 1F EB 67 FE 83 B2 47 6F D7 B5 59 CD + PCR-06: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75 + PCR-07: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75 + PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + PCR-09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + PCR-10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + PCR-17: AD CA 0E DC CD A7 EF 26 71 27 51 42 BE C2 E3 95 BF 37 3F 02 + PCR-18: EF F6 CC FC 57 41 36 4A DF 29 68 E5 50 81 E8 AF AD 72 B4 7B + PCR-19: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + PCR-20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + PCR-21: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + PCR-22: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ``` + +1. Execute steps 3-6 from _check if LZ utilizes SHA256 algorithm when using + TPM2.0 module_ instruction. + + ```bash + ./extend_all.sh /nix/store/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3/bzImage /nix/store/n9wj42p2kvm84rxr7bwh8qjxmawa447k-initrd-linux-5.5.3/initrd + adca0edccda7ef2671275142bec2e395bf373f02 SHA1 + b06f177d3fe280bd0bb1cc24ad54930d953751ee028f461a4d352959d10f9fd0 SHA256 + ``` + + Compare SHA1 value with PCR17 content checked previously with + `/sys/class/tpm/tpm0/pcrs` output. If DRTM is enabled and executes properly, + they should be the same. It proves that LZ code utilizes SHA1 algorithm + during measurements. + + > It is ok, if your PCRs values aren't exactly the same as in above logs. + > Since writing this instruction, some changes were most probably added to + > LZ. Therefore, make sure to always compare values between script and + > command output on your local machine, rather than with above logs. ##### Check if LZ debug option can be enabled 1. Boot NixOS and go to `/nix/store/` directory. - ``` - $ cd /nix/store/ - ``` - -2. Find landing-zone package (without debug). - - ``` - $ ls /nix/store/ | grep landing-zone - 5q92f6l4s1jfbw5ygfr1sd4hlczjj6l2-landing-zone-0.3.0.drv - 6v15ikqsyqk5fs0jg1n6755dp1nr6cyc-landing-zone-debug-0.3.0.drv - dnpqvb64jjr3x2kxx92wvdkvmah72h6m-landing-zone-debug-0.3.0 - zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0 - ``` - - We are looking for entry without `-debug` and `.drv` extension. In this - particular example, it is - `zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0`. - -3. Copy `lz_header.bin` from above directory to `/boot` directory. - - ``` - $ cp /nix/store/zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0/lz_header.bin /boot/lz_header - ``` - -4. Reboot platform and choose `"NixOS - Secure Launch"` entry in GRUB. - - Collect logs during boot to be able to verify them. Using `dmesg` command in - NixOS doesn't work because it doesn't show pre-kernel stage logs. Correct - bootlog is shown below. - - ``` - grub_cmd_slaunch:122: check for manufacturer - grub_cmd_slaunch:126: check for cpuid - grub_cmd_slaunch:136: set slaunch - grub_cmd_slaunch_module:156: check argc - grub_cmd_slaunch_module:161: check relocator - grub_cmd_slaunch_module:170: open file - grub_cmd_slaunch_module:175: get size - grub_cmd_slaunch_module:180: allocate memory - grub_cmd_slaunch_module:192: addr: 0x100000 - grub_cmd_slaunch_module:194: target: 0x100000 - grub_cmd_slaunch_module:196: add module - grub_cmd_slaunch_module:205: read file - grub_cmd_slaunch_module:215: close file - grub_slaunch_boot_skinit:41: real_mode_target: 0x8a000 - grub_slaunch_boot_skinit:42: prot_mode_target: 0x1000000 - grub_slaunch_boot_skinit:43: params: 0xcfe7745early console in extract_kernel - input_data: 0x00000000023eb3b1 - input_len: 0x0000000000424e94 - output: 0x0000000001000000 - output_len: 0x00000000017e7398 - kernel_total_size: 0x000000000142c000 - trampoline_32bit: 0x000000000009d000 - booted via startup_32() - Physical KASLR using RDTSC... - Virtual KASLR using RDTSC... - - Decompressing Linux... Parsing ELF... Performing relocations... done. - Booting the kernel. - [ 0.000000] Linux version 5.1.0 (nixbld@localhost) (gcc version 9.2.0 (GCC)) #1-NixOS SMP Thu Jan 1 00:00:01 UTC 1970 - [ 0.000000] Command line: BOOT_IMAGE=(hd0,msdos1)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/j4 - [ 0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers' - - (...) - - <<< Welcome to NixOS 20.09.git.a070e686875 (x86_64) - ttyS0 >>> - - Run 'nixos-help' for the NixOS manual. - ``` - - **Verification**: We have chosen `lz_header` (LZ) without debug. Above log - is correct example for such case. Pre-kernel logs are limited to minimum. - -5. Go to `/nix/store/` directory. - - ``` - $ cd /nix/store/ - ``` - -6. Find landing-zone package (with debug). - - ``` - $ ls /nix/store/ | grep landing-zone-debug - 6v15ikqsyqk5fs0jg1n6755dp1nr6cyc-landing-zone-debug-0.3.0.drv - dnpqvb64jjr3x2kxx92wvdkvmah72h6m-landing-zone-debug-0.3.0 - ``` - - `dnpqvb64jjr3x2kxx92wvdkvmah72h6m-landing-zone-debug-0.3.0` is directory - we are looking for. - -7. Copy `lz_header.bin` from above directory to `/boot` directory. - - ``` - $ cp /nix/store/dnpqvb64jjr3x2kxx92wvdkvmah72h6m-landing-zone-debug-0.3.0/lz_header.bin /boot/lz_header - ``` - -8. Reboot platform and choose `"NixOS - Secure Launch"` entry in GRUB. - - Once again, collect logs during boot to be able to verify them. Using `dmesg` - command in NixOS doesn't work, as in previous case. Correct bootlog is shown - below. - - ``` - grub_cmd_slaunch:122: check for manufacturer - grub_cmd_slaunch:126: check for cpuid - grub_cmd_slaunch:136: set slaunch - grub_cmd_slaunch_module:156: check argc - grub_cmd_slaunch_module:161: check relocator - grub_cmd_slaunch_module:170: open file - grub_cmd_slaunch_module:175: get size - grub_cmd_slaunch_module:180: allocate memory - grub_cmd_slaunch_module:192: addr: 0x100000 - grub_cmd_slaunch_module:194: target: 0x100000 - grub_cmd_slaunch_module:196: add module - grub_cmd_slaunch_module:205: read file - grub_cmd_slaunch_module:215: close file - grub_slaunch_boot_skinit:41: real_mode_target: 0x8a000 - grub_slaunch_boot_skinit:42: prot_mode_target: 0x1000000 - grub_slaunch_boot_skinit:43: params: 0xcfe7746sl_stub_entry_offset: - 0x00000000014318a8: d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ - 0x00000000014318b8: 23 02 00 00 00 00 00 00 00 00 00 00 66 66 2e 0f #...........ff.. - 0x00000000014318c8: 1f 84 00 00 00 00 00 90 fa fc 8d a5 c4 9c 43 00 ..............C. - 0x00000000014318d8: 01 ad 72 6c 43 00 0f 01 95 70 6c 43 00 b8 10 00 ..rlC....plC.... - 0x00000000014318e8: 00 00 8e d8 8e c0 8e e0 8e e8 8e d0 8d 85 fe 18 ................ - 0x00000000014318f8: 43 00 6a 08 50 cb b9 1b 00 00 00 0f 32 a9 00 01 C.j.P.......2... - 0x0000000001431908: 00 00 75 02 0f 0b bf 01 00 00 00 31 c0 0f a2 81 ..u........1.... - 0x0000000001431918: fb 47 65 6e 75 0f 85 82 00 00 00 81 fa 69 6e 65 .Genu........ine - 0x0000000001431928: 49 75 7a 81 f9 6e 74 65 6c 75 72 bf 02 00 00 00 Iuz..ntelur..... - 0x0000000001431938: c7 85 b0 6c 43 00 02 00 00 00 ff 85 bc 6c 43 00 ...lC........lC. - 0x0000000001431948: 31 db b8 07 00 00 00 0f 37 8d 85 5c 19 43 00 9c 1.......7..\.C.. - 0x0000000001431958: 6a 08 50 cf c7 05 30 00 d2 fe 00 00 00 00 c7 05 j.P...0......... - 0x0000000001431968: 08 00 d2 fe ff ff ff ff a1 00 03 d2 fe 8b 08 8d ................ - 0x0000000001431978: 44 08 08 8b 70 04 89 a8 34 02 00 00 8b b8 3c 02 D...p...4.....<. - 0x0000000001431988: 00 00 89 bd c0 6c 43 00 50 56 e8 e9 00 00 00 5e .....lC.PV.....^ - 0x0000000001431998: e8 c3 01 00 00 5f e8 5d 01 00 00 eb 0e c7 85 b0 ....._.]........ - shasum calculated: - 0x00000000001001b0: ed a5 f1 9e 28 0e d8 b3 5a de bc b6 e7 15 c8 de ....(...Z....... - 0x00000000001001c0: 1f bb 2c aa f2 8a af c8 a0 2f d3 60 d5 d0 78 a1 ..,....../.`..x. - PCR extended - pm_kernel_entry: - 0x00000000010001d0: 8d ab 30 fe ff ff e9 f5 16 43 00 00 00 00 00 00 ..0......C...... - 0x00000000010001e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ - ... - 0x0000000001000200: 31 c0 8e d8 8e c0 8e d0 8e e0 8e e8 48 8d 2d ed 1...........H.-. - 0x0000000001000210: fd ff ff 8b 86 30 02 00 00 ff c8 48 01 c5 48 f7 .....0.....H..H. - 0x0000000001000220: d0 48 21 c5 48 81 fd 00 00 00 01 7d 07 48 c7 c5 .H!.H......}.H.. - 0x0000000001000230: 00 00 00 01 8b 9e 60 02 00 00 81 eb 00 60 46 00 ......`......`F. - 0x0000000001000240: 48 01 eb 48 8d a3 40 de 44 00 48 31 c0 e8 00 00 H..H..@.D.H1.... - 0x0000000001000250: 00 00 5f 48 81 ef 52 02 00 00 e8 3e 50 42 00 48 .._H..R....>PB.H - 0x0000000001000260: 8d 05 e4 68 43 00 48 89 05 d5 68 43 00 0f 01 15 ...hC.H...hC.... - 0x0000000001000270: cc 68 43 00 56 48 89 f7 e8 b3 a9 42 00 5e 48 89 .hC.VH.....B.^H. - 0x0000000001000280: c1 48 8d 3d 0c 00 00 00 6a 08 48 8d 80 00 10 00 .H.=....j.H..... - 0x0000000001000290: 00 50 48 cb 48 8d a3 40 de 44 00 56 48 8d bb 00 .PH.H..@.D.VH... - 0x00000000010002a0: 50 46 00 e8 c8 ab 42 00 5e 6a 00 9d e8 00 00 00 PF....B.^j...... - 0x00000000010002b0: 00 58 48 2d b1 02 00 00 48 89 df e8 dd 4f 42 00 .XH-....H....OB. - 0x00000000010002c0: 56 48 8d 35 70 9b 43 00 48 8d bb 38 9e 43 00 48 VH.5p.C.H..8.C.H - zero_page: - 0x000000000008a000: 00 0d 00 80 00 00 03 50 00 00 00 00 00 00 19 01 .......P........ - 0x000000000008a010: 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ - 0x000000000008a020: 3f a3 00 10 00 00 00 00 00 00 00 00 00 00 00 00 ?............... - 0x000000000008a030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ - ... - 0x000000000008a0d0: 00 00 00 00 00 00 00 00 00 a0 10 00 00 00 00 00 ................ - 0x000000000008a0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ - ... - lz_base: - 0x0000000000100000: d4 01 00 d0 00 00 00 00 00 00 00 00 00 00 00 00 ................ - 0x0000000000100010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ - ... - 0x0000000000100060: 19 19 10 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ - 0x0000000000100070: b0 00 10 00 00 00 00 00 40 00 00 00 aa f3 e2 dc ........@....... - 0x0000000000100080: 00 29 10 00 00 00 00 00 1a 13 e2 aa 1d af ab 59 .).............Y - 0x0000000000100090: cc 8e 1e 1c 68 42 f8 12 28 01 10 00 00 00 00 00 ....hB..(....... - 0x00000000001000a0: b3 e1 3a e9 08 00 00 00 58 01 10 00 00 00 00 00 ..:.....X....... - 0x00000000001000b0: 4b 88 d2 cb 27 91 a5 53 bb 49 64 ae 32 40 a6 ce K...'..S.Id.2@.. - 0x00000000001000c0: aa a1 96 a1 e6 b4 6c df 8e b7 83 ee 2c 13 aa 8f ......l.....,... - 0x00000000001000d0: 98 5a cb bb b0 64 34 b3 5f 8c 20 28 a7 52 64 06 .Z...d4._. (.Rd. - 0x00000000001000e0: d1 b4 50 95 e6 2b 8f b2 4d 33 a4 80 ca e5 7d 48 ..P..+..M3....}H - 0x00000000001000f0: 30 01 10 00 00 00 00 00 b0 01 10 00 00 00 00 00 0............... - early console in extract_kernel - input_data: 0x00000000023eb3b1 - input_len: 0x0000000000424e94 - output: 0x0000000001000000 - output_len: 0x00000000017e7398 - kernel_total_size: 0x000000000142c000 - trampoline_32bit: 0x000000000009d000 - booted via startup_32() - Physical KASLR using RDTSC... - Virtual KASLR using RDTSC... - - Decompressing Linux... Parsing ELF... Performing relocations... done. - Booting the kernel. - [ 0.000000] Linux version 5.1.0 (nixbld@localhost) (gcc version 9.2.0 (GCC)) #1-NixOS SMP Thu Jan 1 00:00:01 UTC 1970 - [ 0.000000] Command line: BOOT_IMAGE=(hd0,msdos1)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/14 - [ 0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers' - (...) - ``` - - **Verification**: As you can see, debug output is more verbose than previous - one. It has additional information about e.g. LZ, zero page etc. Above - procedure proves that LZ is available in debug and non-debug version. Both - can be easily adopted by user in NixOS. However, we recommend to use - non-debug one. + ```bash + cd /nix/store/ + ``` + +1. Find landing-zone package (without debug). + + ```bash + $ ls /nix/store/ | grep landing-zone + 5q92f6l4s1jfbw5ygfr1sd4hlczjj6l2-landing-zone-0.3.0.drv + 6v15ikqsyqk5fs0jg1n6755dp1nr6cyc-landing-zone-debug-0.3.0.drv + dnpqvb64jjr3x2kxx92wvdkvmah72h6m-landing-zone-debug-0.3.0 + zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0 + ``` + + We are looking for entry without `-debug` and `.drv` extension. In this + particular example, it is + `zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0`. + +1. Copy `lz_header.bin` from above directory to `/boot` directory. + + ```bash + cp /nix/store/zpcf7yf1fjf9slz2sr2f6s3wl3ch1har-landing-zone-0.3.0/lz_header.bin /boot/lz_header + ``` + +1. Reboot platform and choose `"NixOS - Secure Launch"` entry in GRUB. + + Collect logs during boot to be able to verify them. Using `dmesg` command in + NixOS doesn't work because it doesn't show pre-kernel stage logs. Correct + bootlog is shown below. + + ```bash + grub_cmd_slaunch:122: check for manufacturer + grub_cmd_slaunch:126: check for cpuid + grub_cmd_slaunch:136: set slaunch + grub_cmd_slaunch_module:156: check argc + grub_cmd_slaunch_module:161: check relocator + grub_cmd_slaunch_module:170: open file + grub_cmd_slaunch_module:175: get size + grub_cmd_slaunch_module:180: allocate memory + grub_cmd_slaunch_module:192: addr: 0x100000 + grub_cmd_slaunch_module:194: target: 0x100000 + grub_cmd_slaunch_module:196: add module + grub_cmd_slaunch_module:205: read file + grub_cmd_slaunch_module:215: close file + grub_slaunch_boot_skinit:41: real_mode_target: 0x8a000 + grub_slaunch_boot_skinit:42: prot_mode_target: 0x1000000 + grub_slaunch_boot_skinit:43: params: 0xcfe7745early console in extract_kernel + input_data: 0x00000000023eb3b1 + input_len: 0x0000000000424e94 + output: 0x0000000001000000 + output_len: 0x00000000017e7398 + kernel_total_size: 0x000000000142c000 + trampoline_32bit: 0x000000000009d000 + booted via startup_32() + Physical KASLR using RDTSC... + Virtual KASLR using RDTSC... + + Decompressing Linux... Parsing ELF... Performing relocations... done. + Booting the kernel. + [ 0.000000] Linux version 5.1.0 (nixbld@localhost) (gcc version 9.2.0 (GCC)) #1-NixOS SMP Thu Jan 1 00:00:01 UTC 1970 + [ 0.000000] Command line: BOOT_IMAGE=(hd0,msdos1)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/j4 + [ 0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers' + + (...) + + <<< Welcome to NixOS 20.09.git.a070e686875 (x86_64) - ttyS0 >>> + + Run 'nixos-help' for the NixOS manual. + ``` + + **Verification**: We have chosen `lz_header` (LZ) without debug. Above log is + correct example for such case. Pre-kernel logs are limited to minimum. + +1. Go to `/nix/store/` directory. + + ```bash + cd /nix/store/ + ``` + +1. Find landing-zone package (with debug). + + ```bash + $ ls /nix/store/ | grep landing-zone-debug + 6v15ikqsyqk5fs0jg1n6755dp1nr6cyc-landing-zone-debug-0.3.0.drv + dnpqvb64jjr3x2kxx92wvdkvmah72h6m-landing-zone-debug-0.3.0 + ``` + + `dnpqvb64jjr3x2kxx92wvdkvmah72h6m-landing-zone-debug-0.3.0` is directory we + are looking for. + +1. Copy `lz_header.bin` from above directory to `/boot` directory. + + ```bash + cp /nix/store/dnpqvb64jjr3x2kxx92wvdkvmah72h6m-landing-zone-debug-0.3.0/lz_header.bin /boot/lz_header + ``` + +1. Reboot platform and choose `"NixOS - Secure Launch"` entry in GRUB. + + Once again, collect logs during boot to be able to verify them. Using `dmesg` + command in NixOS doesn't work, as in previous case. Correct bootlog is shown + below. + + ```bash + grub_cmd_slaunch:122: check for manufacturer + grub_cmd_slaunch:126: check for cpuid + grub_cmd_slaunch:136: set slaunch + grub_cmd_slaunch_module:156: check argc + grub_cmd_slaunch_module:161: check relocator + grub_cmd_slaunch_module:170: open file + grub_cmd_slaunch_module:175: get size + grub_cmd_slaunch_module:180: allocate memory + grub_cmd_slaunch_module:192: addr: 0x100000 + grub_cmd_slaunch_module:194: target: 0x100000 + grub_cmd_slaunch_module:196: add module + grub_cmd_slaunch_module:205: read file + grub_cmd_slaunch_module:215: close file + grub_slaunch_boot_skinit:41: real_mode_target: 0x8a000 + grub_slaunch_boot_skinit:42: prot_mode_target: 0x1000000 + grub_slaunch_boot_skinit:43: params: 0xcfe7746sl_stub_entry_offset: + 0x00000000014318a8: d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 0x00000000014318b8: 23 02 00 00 00 00 00 00 00 00 00 00 66 66 2e 0f #...........ff.. + 0x00000000014318c8: 1f 84 00 00 00 00 00 90 fa fc 8d a5 c4 9c 43 00 ..............C. + 0x00000000014318d8: 01 ad 72 6c 43 00 0f 01 95 70 6c 43 00 b8 10 00 ..rlC....plC.... + 0x00000000014318e8: 00 00 8e d8 8e c0 8e e0 8e e8 8e d0 8d 85 fe 18 ................ + 0x00000000014318f8: 43 00 6a 08 50 cb b9 1b 00 00 00 0f 32 a9 00 01 C.j.P.......2... + 0x0000000001431908: 00 00 75 02 0f 0b bf 01 00 00 00 31 c0 0f a2 81 ..u........1.... + 0x0000000001431918: fb 47 65 6e 75 0f 85 82 00 00 00 81 fa 69 6e 65 .Genu........ine + 0x0000000001431928: 49 75 7a 81 f9 6e 74 65 6c 75 72 bf 02 00 00 00 Iuz..ntelur..... + 0x0000000001431938: c7 85 b0 6c 43 00 02 00 00 00 ff 85 bc 6c 43 00 ...lC........lC. + 0x0000000001431948: 31 db b8 07 00 00 00 0f 37 8d 85 5c 19 43 00 9c 1.......7..\.C.. + 0x0000000001431958: 6a 08 50 cf c7 05 30 00 d2 fe 00 00 00 00 c7 05 j.P...0......... + 0x0000000001431968: 08 00 d2 fe ff ff ff ff a1 00 03 d2 fe 8b 08 8d ................ + 0x0000000001431978: 44 08 08 8b 70 04 89 a8 34 02 00 00 8b b8 3c 02 D...p...4.....<. + 0x0000000001431988: 00 00 89 bd c0 6c 43 00 50 56 e8 e9 00 00 00 5e .....lC.PV.....^ + 0x0000000001431998: e8 c3 01 00 00 5f e8 5d 01 00 00 eb 0e c7 85 b0 ....._.]........ + shasum calculated: + 0x00000000001001b0: ed a5 f1 9e 28 0e d8 b3 5a de bc b6 e7 15 c8 de ....(...Z....... + 0x00000000001001c0: 1f bb 2c aa f2 8a af c8 a0 2f d3 60 d5 d0 78 a1 ..,....../.`..x. + PCR extended + pm_kernel_entry: + 0x00000000010001d0: 8d ab 30 fe ff ff e9 f5 16 43 00 00 00 00 00 00 ..0......C...... + 0x00000000010001e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + ... + 0x0000000001000200: 31 c0 8e d8 8e c0 8e d0 8e e0 8e e8 48 8d 2d ed 1...........H.-. + 0x0000000001000210: fd ff ff 8b 86 30 02 00 00 ff c8 48 01 c5 48 f7 .....0.....H..H. + 0x0000000001000220: d0 48 21 c5 48 81 fd 00 00 00 01 7d 07 48 c7 c5 .H!.H......}.H.. + 0x0000000001000230: 00 00 00 01 8b 9e 60 02 00 00 81 eb 00 60 46 00 ......`......`F. + 0x0000000001000240: 48 01 eb 48 8d a3 40 de 44 00 48 31 c0 e8 00 00 H..H..@.D.H1.... + 0x0000000001000250: 00 00 5f 48 81 ef 52 02 00 00 e8 3e 50 42 00 48 .._H..R....>PB.H + 0x0000000001000260: 8d 05 e4 68 43 00 48 89 05 d5 68 43 00 0f 01 15 ...hC.H...hC.... + 0x0000000001000270: cc 68 43 00 56 48 89 f7 e8 b3 a9 42 00 5e 48 89 .hC.VH.....B.^H. + 0x0000000001000280: c1 48 8d 3d 0c 00 00 00 6a 08 48 8d 80 00 10 00 .H.=....j.H..... + 0x0000000001000290: 00 50 48 cb 48 8d a3 40 de 44 00 56 48 8d bb 00 .PH.H..@.D.VH... + 0x00000000010002a0: 50 46 00 e8 c8 ab 42 00 5e 6a 00 9d e8 00 00 00 PF....B.^j...... + 0x00000000010002b0: 00 58 48 2d b1 02 00 00 48 89 df e8 dd 4f 42 00 .XH-....H....OB. + 0x00000000010002c0: 56 48 8d 35 70 9b 43 00 48 8d bb 38 9e 43 00 48 VH.5p.C.H..8.C.H + zero_page: + 0x000000000008a000: 00 0d 00 80 00 00 03 50 00 00 00 00 00 00 19 01 .......P........ + 0x000000000008a010: 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 0x000000000008a020: 3f a3 00 10 00 00 00 00 00 00 00 00 00 00 00 00 ?............... + 0x000000000008a030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + ... + 0x000000000008a0d0: 00 00 00 00 00 00 00 00 00 a0 10 00 00 00 00 00 ................ + 0x000000000008a0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + ... + lz_base: + 0x0000000000100000: d4 01 00 d0 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 0x0000000000100010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + ... + 0x0000000000100060: 19 19 10 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 0x0000000000100070: b0 00 10 00 00 00 00 00 40 00 00 00 aa f3 e2 dc ........@....... + 0x0000000000100080: 00 29 10 00 00 00 00 00 1a 13 e2 aa 1d af ab 59 .).............Y + 0x0000000000100090: cc 8e 1e 1c 68 42 f8 12 28 01 10 00 00 00 00 00 ....hB..(....... + 0x00000000001000a0: b3 e1 3a e9 08 00 00 00 58 01 10 00 00 00 00 00 ..:.....X....... + 0x00000000001000b0: 4b 88 d2 cb 27 91 a5 53 bb 49 64 ae 32 40 a6 ce K...'..S.Id.2@.. + 0x00000000001000c0: aa a1 96 a1 e6 b4 6c df 8e b7 83 ee 2c 13 aa 8f ......l.....,... + 0x00000000001000d0: 98 5a cb bb b0 64 34 b3 5f 8c 20 28 a7 52 64 06 .Z...d4._. (.Rd. + 0x00000000001000e0: d1 b4 50 95 e6 2b 8f b2 4d 33 a4 80 ca e5 7d 48 ..P..+..M3....}H + 0x00000000001000f0: 30 01 10 00 00 00 00 00 b0 01 10 00 00 00 00 00 0............... + early console in extract_kernel + input_data: 0x00000000023eb3b1 + input_len: 0x0000000000424e94 + output: 0x0000000001000000 + output_len: 0x00000000017e7398 + kernel_total_size: 0x000000000142c000 + trampoline_32bit: 0x000000000009d000 + booted via startup_32() + Physical KASLR using RDTSC... + Virtual KASLR using RDTSC... + + Decompressing Linux... Parsing ELF... Performing relocations... done. + Booting the kernel. + [ 0.000000] Linux version 5.1.0 (nixbld@localhost) (gcc version 9.2.0 (GCC)) #1-NixOS SMP Thu Jan 1 00:00:01 UTC 1970 + [ 0.000000] Command line: BOOT_IMAGE=(hd0,msdos1)/nix/store/ymvcgas7b1bv76n35r19g4p142v4cr0b-linux-5.1.0/bzImage systemConfig=/nix/store/14 + [ 0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers' + (...) + ``` + + **Verification**: As you can see, debug output is more verbose than previous + one. It has additional information about e.g. LZ, zero page etc. Above + procedure proves that LZ is available in debug and non-debug version. Both + can be easily adopted by user in NixOS. However, we recommend to use + non-debug one. ## Changes in source code @@ -972,42 +977,51 @@ give references to exact places (repository and files), where to find this features. 1. LZ can be built with and without debug flag; by default it is non-debug -build. + build. + + Repository: + [TrenchBoot/landing-zone - tag v0.3.0](https://github.com/TrenchBoot/landing-zone/tree/v0.3.0) + + Files: + + 1. [Makefile](https://github.com/TrenchBoot/landing-zone/blob/v0.3.0/Makefile#L5L7) + 1. [main.c](https://github.com/TrenchBoot/landing-zone/blob/v0.3.0/main.c#L31#L141) + +1. LZ code utilizes SHA256 algorithm during measurements with TPM2.0. + + Repository: + [TrenchBoot/landing-zone - tag v0.3.0](https://github.com/TrenchBoot/landing-zone/tree/v0.3.0) - Repository: [TrenchBoot/landing-zone - tag v0.3.0](https://github.com/TrenchBoot/landing-zone/tree/v0.3.0) + Files: - Files: - 1. [Makefile](https://github.com/TrenchBoot/landing-zone/blob/v0.3.0/Makefile#L5L7) - 1. [main.c](https://github.com/TrenchBoot/landing-zone/blob/v0.3.0/main.c#L31#L141) + 1. [sha256.c](https://github.com/TrenchBoot/landing-zone/blob/v0.3.0/sha256.c) -2. LZ code utilizes SHA256 algorithm during measurements with TPM2.0. +1. LZ code utilizes SHA1 algorithm during measurements with TPM1.2. - Repository: [TrenchBoot/landing-zone - tag v0.3.0](https://github.com/TrenchBoot/landing-zone/tree/v0.3.0) + Repository: + [3mdeb/landing-zone - branch tpm12_fix](https://github.com/3mdeb/landing-zone/tree/tpm12_fix) - Files: - 1. [sha256.c](https://github.com/TrenchBoot/landing-zone/blob/v0.3.0/sha256.c) + Files: -3. LZ code utilizes SHA1 algorithm during measurements with TPM1.2. + 1. [sha1sum.c](https://github.com/3mdeb/landing-zone/blob/tpm12_fix/sha1sum.c) - Repository: [3mdeb/landing-zone - branch tpm12_fix](https://github.com/3mdeb/landing-zone/tree/tpm12_fix) +1. LZ implementation of TPM interface cover both TPM2.0 and TPM1.2 and use + appropriate SHA algorithm. - Files: - 1. [sha1sum.c](https://github.com/3mdeb/landing-zone/blob/tpm12_fix/sha1sum.c) + Repository: + [TrenchBoot/landing-zone - tag v0.3.0](https://github.com/TrenchBoot/landing-zone/tree/v0.3.0) -4. LZ implementation of TPM interface cover both TPM2.0 and TPM1.2 and use -appropriate SHA algorithm. + Files: - Repository: [TrenchBoot/landing-zone - tag v0.3.0](https://github.com/TrenchBoot/landing-zone/tree/v0.3.0) + 1. [main.c](https://github.com/TrenchBoot/landing-zone/blob/v0.3.0/main.c#L220#L236) - Files: - 1. [main.c](https://github.com/TrenchBoot/landing-zone/blob/v0.3.0/main.c#L220#L236) +1. Linux kernel utilizes SHA256 during measurements. -5. Linux kernel utilizes SHA256 during measurements. + Repository: [3mdeb/linux-stable](https://github.com/3mdeb/linux-stable) - Repository: [3mdeb/linux-stable](https://github.com/3mdeb/linux-stable) + Files: - Files: - 1. [arch/x86/boot/compressed/sl_main.c](https://github.com/3mdeb/linux-stable/blob/linux-sl-5.1-sha2-amd/arch/x86/boot/compressed/sl_main.c#L115#L158) + 1. [arch/x86/boot/compressed/sl_main.c](https://github.com/3mdeb/linux-stable/blob/linux-sl-5.1-sha2-amd/arch/x86/boot/compressed/sl_main.c#L115#L158) ## Summary @@ -1019,6 +1033,7 @@ information! If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-04-16-3mdeb-contrib-Q1.md b/blog/content/post/2020-04-16-3mdeb-contrib-Q1.md index e6a8529a..30ce1b96 100644 --- a/blog/content/post/2020-04-16-3mdeb-contrib-Q1.md +++ b/blog/content/post/2020-04-16-3mdeb-contrib-Q1.md @@ -2,7 +2,7 @@ title: 3mdeb contribution 2020'Q1 - coreboot ports all over the place. abstract: The starter of the new series - 3mdeb contribution summary! First quarter of 2020 brings many new merged patches. Check the samples of - code that we succesfully contributed and feel free to use them in your + code that we successfully contributed and feel free to use them in your own projects. cover: /covers/combined-logos.png author: artur.raglis @@ -47,17 +47,17 @@ Let's introduce the new changes: 1. [coreboot](https://coreboot.org/) - > coreboot is an extended firmware framework that delivers a lightning fast - > and secure boot experience on modern computers and embedded systems. As - > an Open Source project it provides auditability and maximum control over - > technology. + > coreboot is an extended firmware framework that delivers a lightning fast + > and secure boot experience on modern computers and embedded systems. As an + > Open Source project it provides auditability and maximum control over + > technology. - This project is the unquestioned number one in this overview. To sum up, the - most significant changes are unification of the AMD coreboot code and - support for 6 new mainboards (Libretrend Librebox and Protectli Vault FW2B, - FW4B, FW6A, FW6B and FW6C). + This project is the unquestioned number one in this overview. To sum up, the + most significant changes are unification of the AMD coreboot code and support + for 6 new mainboards (Libretrend Librebox and Protectli Vault FW2B, FW4B, + FW6A, FW6B and FW6C). - Full list of 2020'Q1 patches: + Full list of 2020'Q1 patches: Author | Category | Patch | URL -------------------|---------------------|-------|---- @@ -88,7 +88,7 @@ Let's introduce the new changes: Michał Żygowski | mb/* | Use ACPIMMIO common block wherever possible | [link][37] Michał Żygowski | acpi | Correct the processor devices scope | [link][20] Michał Żygowski | x86/acpi | Add definitions for IVHD type 11h | [link][24] - Michał Żygowski | drivers/pc80/tpm | Change the _HID and _CID for TPM2 device | [link][26] + Michał Żygowski | drivers/pc80/tpm | Change the _HID and_CID for TPM2 device | [link][26] Michał Żygowski | maintainers | Add 3mdeb as Protectli mainboards maintainers | [link][8] Michał Żygowski | protectli/vault | Add FW2B and FW4B Braswell based boards support | [link][7] Michał Żygowski | protectli/vault_kbl | Add FW6 support | [link][10] @@ -100,19 +100,19 @@ Let's introduce the new changes: Michał Żygowski | intel/braswell | Generate microcode binaries from tree | [link][5] Michał Żygowski | intel/braswell | Include smbios.h for Type9 Entries | [link][6] - --- + --- - ![TrenchBoot logo](/covers/trenchboot-logo.png) + ![TrenchBoot logo](/covers/trenchboot-logo.png) -2. [TrenchBoot/landing-zone](https://github.com/TrenchBoot/landing-zone/) +1. [TrenchBoot/landing-zone](https://github.com/TrenchBoot/landing-zone/) - > TrenchBoot is a framework that allows individuals and projects to build - > security engines to perform launch integrity actions for their systems. - > The framework builds upon Boot Integrity Technologies (BITs) that - > establish one or more Roots of Trust (RoT) from which a degree of - > confidence that integrity actions were not subverted. + > TrenchBoot is a framework that allows individuals and projects to build + > security engines to perform launch integrity actions for their systems. The + > framework builds upon Boot Integrity Technologies (BITs) that establish one + > or more Roots of Trust (RoT) from which a degree of confidence that + > integrity actions were not subverted. - Full list of 2020'Q1 patches: + Full list of 2020'Q1 patches: Author | Category | Patch | URL ----------------|----------|-------|---- @@ -122,32 +122,32 @@ Let's introduce the new changes: Michał Żygowski | README | Add basic readme with Travis build status | [link][42] Krystian Hebel | Main | Move PCR extension logic to a separate function | [link][43] - ---- + --- - ![ACPICA logo](/img/acpica-logo.png) + ![ACPICA logo](/img/acpica-logo.png) -3. [acpica](https://github.com/acpica/acpica) +1. [acpica](https://github.com/acpica/acpica) - > The ACPI Component Architecture (ACPICA) project provides an open-source - > operating system-independent implementation of the Advanced Configuration - > and Power Interface specification (ACPI) + > The ACPI Component Architecture (ACPICA) project provides an open-source + > operating system-independent implementation of the Advanced Configuration + > and Power Interface specification (ACPI) - Full list of 2020'Q1 patches: + Full list of 2020'Q1 patches: Author | Patch | URL ----------------|-------|---- Michał Żygowski | Implement IVRS IVHD type 11h parsing | [link][44] - --- + --- - ![Yocto Project Logo](/img/YoctoProject_Logo_RGB.jpg) + ![Yocto Project Logo](/img/YoctoProject_Logo_RGB.jpg) -4. [meta-virtualization](https://git.yoctoproject.org/cgit/cgit.cgi/meta-virtualization/) +1. [meta-virtualization](https://git.yoctoproject.org/cgit/cgit.cgi/meta-virtualization/) - > This layer enables hypervisor, virtualization tool stack, and cloud - > support. + > This layer enables hypervisor, virtualization tool stack, and cloud + > support. - Full list of 2020'Q1 patches: + Full list of 2020'Q1 patches: Author | Category | Patch | URL -----------|----------|-------|---- @@ -160,17 +160,18 @@ requests that are in the review state or marked as work in progress. In the TrenchBoot/landing-zone project, 3mdeb's Firmware Team is working on [Multiboot2][pr1] and [new kernel info structure][pr2]. If you are interested in -this project, check out posts describing our work on Open Source DRTM - [Project -basics](https://blog.3mdeb.com/2020/2020-03-31-trenchboot-nlnet-lz/) and +this project, check out posts describing our work on Open Source DRTM - +[Project basics](https://blog.3mdeb.com/2020/2020-03-31-trenchboot-nlnet-lz/) +and [Landing Zone validation](https://blog.3mdeb.com/2020/2020-04-03-trenchboot-nlnet-lz-validation/). coreboot community is active as always and 3mdeb's team send support patches for -[Dell OptiPlex 9010 SFF][pr3], [SMSC SCH5545][pr4], [intel/bd82x6x missing power -button events][pr5], [SeaBIOS fix][pr6] and intruder detection system -([patch1][pr7], [patch2][pr8], [patch3][pr9])! Below you can find a little -demonstration what it is all about: +[Dell OptiPlex 9010 SFF][pr3], [SMSC SCH5545][pr4], +[intel/bd82x6x missing power button events][pr5], [SeaBIOS fix][pr6] and +intruder detection system ([patch1][pr7], [patch2][pr8], [patch3][pr9])! Below +you can find a little demonstration what it is all about: -{{< tweet user="3mdeb_com" id="1247072310324080640" >}} +{{\< tweet user="3mdeb_com" id="1247072310324080640" >}} ## Last but not least news @@ -197,10 +198,10 @@ open source family! If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of a used hardware platform, feel free to [book a call with -us](https://calendly.com/3mdeb/consulting-remote-meeting) or drop us email to -`contact3mdebcom`. If you are interested in similar content feel free -to [sign up to our newsletter](http://eepurl.com/doF8GX) +of a used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) [1]: https://review.coreboot.org/c/coreboot/+/38342 [2]: https://review.coreboot.org/c/coreboot/+/35906 diff --git a/blog/content/post/2020-04-24-Hummingboard-Buildroot-Yocto.md b/blog/content/post/2020-04-24-Hummingboard-Buildroot-Yocto.md index 01efb38e..0da9b36f 100644 --- a/blog/content/post/2020-04-24-Hummingboard-Buildroot-Yocto.md +++ b/blog/content/post/2020-04-24-Hummingboard-Buildroot-Yocto.md @@ -23,9 +23,9 @@ categories: ## Introduction -In this article, I will describe differences between two types of system -images, i.e. Buildroot and Yocto. I was using a HummingBoard Pulse as a -platform for my work. Wide description of a board you can found on +In this article, I will describe differences between two types of system images, +i.e. Buildroot and Yocto. I was using a HummingBoard Pulse as a platform for my +work. Wide description of a board you can found on [this](https://developer.solid-run.com/knowledge-base/hummingboard-pulse-getting-started/) website. After reading this, you will better understand which basics components are important for building own Linux distribution and how to use tools to do it. @@ -36,151 +36,156 @@ are important for building own Linux distribution and how to use tools to do it. It's several things you need to possess: -* Linux at your PC (because this way is easier) -* 16GB Micro SD card -* 12V Power adapter (the board has wide-range input of 7V-36V but 12V is -recommended) -* MicroUSB to USB for the console because the HummingBoard Pulse has an onboard -FTDI chip, which means that there is no need to use external UART/USB converter -* HummingBoard with SOM of course +- Linux at your PC (because this way is easier) +- 16GB Micro SD card +- 12V Power adapter (the board has wide-range input of 7V-36V but 12V is + recommended) +- MicroUSB to USB for the console because the HummingBoard Pulse has an onboard + FTDI chip, which means that there is no need to use external UART/USB + converter +- HummingBoard with SOM of course ## Build and run a Buildroot image -Buildroot was adopted by a SolidRun company as a target platform for their devices. -For iMX8M includes a custom config pre-configured to pull in the latest +Buildroot was adopted by a SolidRun company as a target platform for their +devices. For iMX8M includes a custom config pre-configured to pull in the latest U-Boot and Linux kernel from the SolidRun BSP. Before explaining a build process have a closer look at needed tools: -* C/C++ compiler -* GNU Make +- C/C++ compiler +- GNU Make You can download and check it like this: - ```bash - sudo apt-get install build-essential - gcc -v - make -v - ``` +```bash +sudo apt-get install build-essential +gcc -v +make -v +``` Now follow these steps: 1. First thing to do is clone a github repository at your computer. - ```bash - git clone https://github.com/SolidRun/buildroot.git --branch sr-latest - ``` + ```bash + git clone https://github.com/SolidRun/buildroot.git --branch sr-latest + ``` -2. Change a directory. +1. Change a directory. - ```bash - cd buildroot - ``` + ```bash + cd buildroot + ``` -3. Make a default configuration for our HummingBoard then build an image. +1. Make a default configuration for our HummingBoard then build an image. - ```bash - make solidrun_imx8mq_hbpulse_defconfig - make - ``` + ```bash + make solidrun_imx8mq_hbpulse_defconfig + make + ``` - It will seem something like this: + It will seem something like this: - ```bash - >>> Finalizing target directory - # Check files that are touched by more than one package - ./support/scripts/check-uniq-files -t target /home/csobczak/Documents/buildroot/output/build/packages-file-list.txt - ./support/scripts/check-uniq-files -t staging /home/csobczak/Documents/buildroot/output/build/packages-file-list-staging.txt - ./support/scripts/check-uniq-files -t host /home/csobczak/Documents/buildroot/output/build/packages-file-list-host.txt - Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/gsyslimits.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] - Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/gcc-rich-location.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] - Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/internal-fn.def" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] - Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/ansidecl.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] - Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/tree-scalar-evolution.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] - Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/gimple-predict.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] - Warning: host file "./libexec/gcc/aarch64-buildroot-linux-uclibc/7.4.0/install-tools/mkheaders" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] - Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/langhooks.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] - Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/lra.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] - Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/dbxout.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] - Warning: host file "./bin/aarch64-buildroot-linux-uclibc-gcc.br_real" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] - Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/profile.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] - Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/highlev-plugin-common.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] - Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/tree-hasher.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] - Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/cfg-flags.def" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] - ``` + ```bash + >>> Finalizing target directory + # Check files that are touched by more than one package + ./support/scripts/check-uniq-files -t target /home/csobczak/Documents/buildroot/output/build/packages-file-list.txt + ./support/scripts/check-uniq-files -t staging /home/csobczak/Documents/buildroot/output/build/packages-file-list-staging.txt + ./support/scripts/check-uniq-files -t host /home/csobczak/Documents/buildroot/output/build/packages-file-list-host.txt + Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/gsyslimits.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] + Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/gcc-rich-location.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] + Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/internal-fn.def" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] + Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/ansidecl.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] + Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/tree-scalar-evolution.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] + Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/gimple-predict.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] + Warning: host file "./libexec/gcc/aarch64-buildroot-linux-uclibc/7.4.0/install-tools/mkheaders" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] + Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/langhooks.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] + Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/lra.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] + Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/dbxout.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] + Warning: host file "./bin/aarch64-buildroot-linux-uclibc-gcc.br_real" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] + Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/profile.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] + Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/highlev-plugin-common.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] + Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/tree-hasher.h" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] + Warning: host file "./lib/gcc/aarch64-buildroot-linux-uclibc/7.4.0/plugin/include/cfg-flags.def" is touched by more than one package: [u'host-gcc-initial', u'host-gcc-final'] + ``` -4. Now our image has to be flashed at SD card. +1. Now our image has to be flashed at SD card. - ```bash - sudo dd if=output/images/sdcard.img of=/dev/sdX bs=4M conv=fsync - ``` + ```bash + sudo dd if=output/images/sdcard.img of=/dev/sdX bs=4M conv=fsync + ``` - > `/dev/sdX` means a USB adapter device with SD card for example `sdc` + > `/dev/sdX` means a USB adapter device with SD card for example `sdc` -5. Check how it looks like at a HummingBoard +1. Check how it looks like at a HummingBoard - ```bash - sudo minicom -b 115200 -D /dev/ttyUSBx - ``` + ```bash + sudo minicom -b 115200 -D /dev/ttyUSBx + ``` - > Note: you need to connect a MicroUSB port with PC first + > Note: you need to connect a MicroUSB port with PC first ## Build and run a Yocto image -SolidRun does not provide Yocto support for **imx8**. -For this purpose repository `3mdeb/meta-imx8` was created. It contains -BSP layer for **HummingBoard Pulse** now only, but support for -other **imx8** could be available in the future. We might also push support -for this board to one of the already existing Yocto meta-layers. +SolidRun does not provide Yocto support for **imx8**. For this purpose +repository `3mdeb/meta-imx8` was created. It contains BSP layer for +**HummingBoard Pulse** now only, but support for other **imx8** could be +available in the future. We might also push support for this board to one of the +already existing Yocto meta-layers. -As you may know, Yocto Project is using a `bitbake`, so for easier -management and update components, we are using a tool named `kas`. In more -detail, it is described in an earlier [blog](https://blog.3mdeb.com/2019/2019-02-07-kas/) -and [documentation](https://kas.readthedocs.io/en/1.0/). +As you may know, Yocto Project is using a `bitbake`, so for easier management +and update components, we are using a tool named `kas`. In more detail, it is +described in an earlier [blog](https://blog.3mdeb.com/2019/2019-02-07-kas/) and +[documentation](https://kas.readthedocs.io/en/1.0/). For HummingBoard Pulse this layers was used: -* meta-freescale -* meta-freescale-distro -* meta-imx8 -* meta-openembedded +- meta-freescale +- meta-freescale-distro +- meta-imx8 +- meta-openembedded -`meta-imx8` is our custom layer, where we made modifications. You can find -here machines, layers and kernel configurations, BSP and kernel recipes. -We create or modify a BSP recipes for few elements: +`meta-imx8` is our custom layer, where we made modifications. You can find here +machines, layers and kernel configurations, BSP and kernel recipes. We create or +modify a BSP recipes for few elements: -* ARM Trusted Firmware for secure boot -* U-Boot as a bootloader -* make image +- ARM Trusted Firmware for secure boot +- U-Boot as a bootloader +- make image -We forked SolidRun Buildroot repository and on that we based own -bootloader and Linux distribution. Whereas for **ATF** newest version was -adopted, than for `meta-freescale`, because of a problem with kernel booting. +We forked SolidRun Buildroot repository and on that we based own bootloader and +Linux distribution. Whereas for **ATF** newest version was adopted, than for +`meta-freescale`, because of a problem with kernel booting. ### Prerequisites + If you want the process of building executed properly, you have to install and update the tools below: -* [docker](https://docs.docker.com/engine/install/ubuntu/) -* [kas-docker 1.0](https://github.com/siemens/kas/blob/1.0/kas-docker) script - downloaded and available in [PATH](https://en.wikipedia.org/wiki/PATH_(variable)) +- [docker](https://docs.docker.com/engine/install/ubuntu/) + +- [kas-docker 1.0](https://github.com/siemens/kas/blob/1.0/kas-docker) script + downloaded and available in + [PATH]() ```bash wget -O ~/bin/kas-docker https://raw.githubusercontent.com/siemens/kas/1.0/kas-docker ``` -* [bmaptool](https://source.tizen.org/documentation/reference/bmaptool) + +- [bmaptool](https://source.tizen.org/documentation/reference/bmaptool) ```bash sudo apt install bmap-tools ``` > You can also use `bmap-tools` - > [from github](https://github.com/intel/bmap-tools) if it is not available - > in your distro. + > [from github](https://github.com/intel/bmap-tools) if it is not available in + > your distro. Next thing is repository: -* [meta-imx8](https://github.com/3mdeb/meta-imx8) repository cloned +- [meta-imx8](https://github.com/3mdeb/meta-imx8) repository cloned ```bash mkdir bsp-imx8 && cd bsp-imx8 @@ -189,596 +194,597 @@ Next thing is repository: ### Building -After an installation and update phase, it's time for building Yocto image. -For this purpose, I used the `kas-docker` script. +After an installation and update phase, it's time for building Yocto image. For +this purpose, I used the `kas-docker` script. - ```bash - kas-docker build meta-imx8/kas.yml - ``` +```bash +kas-docker build meta-imx8/kas.yml +``` - > Note: It will take a while +> Note: It will take a while You will see something like this: - ```bash - 2020-04-08 07:51:39 - INFO - kas 2.0 started - 2020-04-08 07:51:39 - INFO - /repo$ git rev-parse --show-toplevel - 2020-04-08 07:51:40 - INFO - /repo$ git rev-parse --show-toplevel - 2020-04-08 07:51:40 - INFO - Using /repo as root for repository meta-imx8 - 2020-04-08 07:51:40 - INFO - /work/poky$ git remote set-url origin https://git.yoctoproject.org/git/poky - 2020-04-08 07:51:40 - INFO - /work/meta-openembedded$ git remote set-url origin http://git.openembedded.org/meta-openembedded - 2020-04-08 07:51:40 - INFO - /work/meta-freescale$ git remote set-url origin https://github.com/Freescale/meta-freescale.git - 2020-04-08 07:51:40 - INFO - /work/meta-freescale-distro$ git remote set-url origin https://github.com/Freescale/meta-freescale-distro.git - 2020-04-08 07:51:40 - INFO - /work/poky$ git cat-file -t fe857e4179355bcfb79303c16baf3ad87fca59a4 - 2020-04-08 07:51:40 - INFO - /work/meta-openembedded$ git cat-file -t e855ecc6d35677e79780adc57b2552213c995731 - 2020-04-08 07:51:40 - INFO - /work/meta-freescale$ git cat-file -t 3a3b13bef12c3a46da976fbf3b666310f8b694a7 - 2020-04-08 07:51:40 - INFO - /work/meta-freescale-distro$ git cat-file -t ca27d12e4964d1336e662bcc60184bbff526c857 - 2020-04-08 07:51:40 - INFO - Repository poky already contains fe857e4179355bcfb79303c16baf3ad87fca59a4 as commit - 2020-04-08 07:51:40 - INFO - Repository meta-freescale already contains 3a3b13bef12c3a46da976fbf3b666310f8b694a7 as commit - 2020-04-08 07:51:40 - INFO - Repository meta-freescale-distro already contains ca27d12e4964d1336e662bcc60184bbff526c857 as commit - 2020-04-08 07:51:40 - INFO - Repository meta-openembedded already contains e855ecc6d35677e79780adc57b2552213c995731 as commit - 2020-04-08 07:51:40 - INFO - /repo$ git rev-parse --show-toplevel - 2020-04-08 07:51:40 - INFO - Using /repo as root for repository meta-imx8 - 2020-04-08 07:51:40 - INFO - /work/poky$ git status -s - 2020-04-08 07:51:40 - INFO - /work/poky$ git rev-parse --verify HEAD - 2020-04-08 07:51:40 - INFO - fe857e4179355bcfb79303c16baf3ad87fca59a4 - 2020-04-08 07:51:40 - INFO - Repo poky has already been checked out with correct refspec. Nothing to do. - 2020-04-08 07:51:40 - INFO - /work/meta-openembedded$ git status -s - 2020-04-08 07:51:40 - INFO - /work/meta-openembedded$ git rev-parse --verify HEAD - 2020-04-08 07:51:40 - INFO - e855ecc6d35677e79780adc57b2552213c995731 - 2020-04-08 07:51:40 - INFO - Repo meta-openembedded has already been checked out with correct refspec. Nothing to do. - 2020-04-08 07:51:40 - INFO - /work/meta-freescale$ git status -s - 2020-04-08 07:51:40 - INFO - /work/meta-freescale$ git rev-parse --verify HEAD - 2020-04-08 07:51:40 - INFO - 3a3b13bef12c3a46da976fbf3b666310f8b694a7 - 2020-04-08 07:51:40 - INFO - Repo meta-freescale has already been checked out with correct refspec. Nothing to do. - 2020-04-08 07:51:40 - INFO - /work/meta-freescale-distro$ git status -s - 2020-04-08 07:51:40 - INFO - /work/meta-freescale-distro$ git rev-parse --verify HEAD - 2020-04-08 07:51:40 - INFO - ca27d12e4964d1336e662bcc60184bbff526c857 - 2020-04-08 07:51:40 - INFO - Repo meta-freescale-distro has already been checked out with correct refspec. Nothing to do. - 2020-04-08 07:51:40 - INFO - /repo$ git rev-parse --show-toplevel - 2020-04-08 07:51:40 - INFO - Using /repo as root for repository meta-imx8 - 2020-04-08 07:51:40 - INFO - /work/poky$ /tmp/tmpyoicsymr /work/build - 2020-04-08 07:51:40 - INFO - /repo$ git rev-parse --show-toplevel - 2020-04-08 07:51:40 - INFO - Using /repo as root for repository meta-imx8 - 2020-04-08 07:51:40 - INFO - /repo$ git rev-parse --show-toplevel - 2020-04-08 07:51:40 - INFO - Using /repo as root for repository meta-imx8 - 2020-04-08 07:51:40 - INFO - /work/build$ /work/poky/bitbake/bin/bitbake -k -c build core-image-minimal - ``` +```bash +2020-04-08 07:51:39 - INFO - kas 2.0 started +2020-04-08 07:51:39 - INFO - /repo$ git rev-parse --show-toplevel +2020-04-08 07:51:40 - INFO - /repo$ git rev-parse --show-toplevel +2020-04-08 07:51:40 - INFO - Using /repo as root for repository meta-imx8 +2020-04-08 07:51:40 - INFO - /work/poky$ git remote set-url origin https://git.yoctoproject.org/git/poky +2020-04-08 07:51:40 - INFO - /work/meta-openembedded$ git remote set-url origin http://git.openembedded.org/meta-openembedded +2020-04-08 07:51:40 - INFO - /work/meta-freescale$ git remote set-url origin https://github.com/Freescale/meta-freescale.git +2020-04-08 07:51:40 - INFO - /work/meta-freescale-distro$ git remote set-url origin https://github.com/Freescale/meta-freescale-distro.git +2020-04-08 07:51:40 - INFO - /work/poky$ git cat-file -t fe857e4179355bcfb79303c16baf3ad87fca59a4 +2020-04-08 07:51:40 - INFO - /work/meta-openembedded$ git cat-file -t e855ecc6d35677e79780adc57b2552213c995731 +2020-04-08 07:51:40 - INFO - /work/meta-freescale$ git cat-file -t 3a3b13bef12c3a46da976fbf3b666310f8b694a7 +2020-04-08 07:51:40 - INFO - /work/meta-freescale-distro$ git cat-file -t ca27d12e4964d1336e662bcc60184bbff526c857 +2020-04-08 07:51:40 - INFO - Repository poky already contains fe857e4179355bcfb79303c16baf3ad87fca59a4 as commit +2020-04-08 07:51:40 - INFO - Repository meta-freescale already contains 3a3b13bef12c3a46da976fbf3b666310f8b694a7 as commit +2020-04-08 07:51:40 - INFO - Repository meta-freescale-distro already contains ca27d12e4964d1336e662bcc60184bbff526c857 as commit +2020-04-08 07:51:40 - INFO - Repository meta-openembedded already contains e855ecc6d35677e79780adc57b2552213c995731 as commit +2020-04-08 07:51:40 - INFO - /repo$ git rev-parse --show-toplevel +2020-04-08 07:51:40 - INFO - Using /repo as root for repository meta-imx8 +2020-04-08 07:51:40 - INFO - /work/poky$ git status -s +2020-04-08 07:51:40 - INFO - /work/poky$ git rev-parse --verify HEAD +2020-04-08 07:51:40 - INFO - fe857e4179355bcfb79303c16baf3ad87fca59a4 +2020-04-08 07:51:40 - INFO - Repo poky has already been checked out with correct refspec. Nothing to do. +2020-04-08 07:51:40 - INFO - /work/meta-openembedded$ git status -s +2020-04-08 07:51:40 - INFO - /work/meta-openembedded$ git rev-parse --verify HEAD +2020-04-08 07:51:40 - INFO - e855ecc6d35677e79780adc57b2552213c995731 +2020-04-08 07:51:40 - INFO - Repo meta-openembedded has already been checked out with correct refspec. Nothing to do. +2020-04-08 07:51:40 - INFO - /work/meta-freescale$ git status -s +2020-04-08 07:51:40 - INFO - /work/meta-freescale$ git rev-parse --verify HEAD +2020-04-08 07:51:40 - INFO - 3a3b13bef12c3a46da976fbf3b666310f8b694a7 +2020-04-08 07:51:40 - INFO - Repo meta-freescale has already been checked out with correct refspec. Nothing to do. +2020-04-08 07:51:40 - INFO - /work/meta-freescale-distro$ git status -s +2020-04-08 07:51:40 - INFO - /work/meta-freescale-distro$ git rev-parse --verify HEAD +2020-04-08 07:51:40 - INFO - ca27d12e4964d1336e662bcc60184bbff526c857 +2020-04-08 07:51:40 - INFO - Repo meta-freescale-distro has already been checked out with correct refspec. Nothing to do. +2020-04-08 07:51:40 - INFO - /repo$ git rev-parse --show-toplevel +2020-04-08 07:51:40 - INFO - Using /repo as root for repository meta-imx8 +2020-04-08 07:51:40 - INFO - /work/poky$ /tmp/tmpyoicsymr /work/build +2020-04-08 07:51:40 - INFO - /repo$ git rev-parse --show-toplevel +2020-04-08 07:51:40 - INFO - Using /repo as root for repository meta-imx8 +2020-04-08 07:51:40 - INFO - /repo$ git rev-parse --show-toplevel +2020-04-08 07:51:40 - INFO - Using /repo as root for repository meta-imx8 +2020-04-08 07:51:40 - INFO - /work/build$ /work/poky/bitbake/bin/bitbake -k -c build core-image-minimal +``` ### Flashing For this purpose use a `bmaptool`. This tool allows fast flashing, because of the creation maps of blocks which improve all process. - ```bash - sudo bmaptool copy --bmap core-image-minimal-hummingboard-pulse.wic.bmap core-image-minimal-hummingboard-pulse.wic.gz /dev/sdX - ``` +```bash +sudo bmaptool copy --bmap core-image-minimal-hummingboard-pulse.wic.bmap core-image-minimal-hummingboard-pulse.wic.gz /dev/sdX +``` - > First parameter after `--bmap` is file map then our image. As you can see - > at the end is the target device. +> First parameter after `--bmap` is file map then our image. As you can see at +> the end is the target device. ### Running image at HummingBoard -From now you have `u-boot` and `kernel image` at your SD card. -Next thing you have to do is connect MicroUSB at the board with your PC and -run this line like before: +From now you have `u-boot` and `kernel image` at your SD card. Next thing you +have to do is connect MicroUSB at the board with your PC and run this line like +before: - ```bash - sudo minicom -b 115200 -D /dev/ttyUSBx - ``` +```bash +sudo minicom -b 115200 -D /dev/ttyUSBx +``` In the console, you will see information about `u-boot` at first then a kernel will start. - ``` - Starting kernel ... - - [ 0.000000] Booting Linux on physical CPU 0x0 - [ 0.000000] Linux version 4.14.166-solidrun+ga33b5bfc5cc1 (oe-user@oe-host) (gcc version 9.2.0 (G0 - [ 0.000000] Boot CPU: AArch64 Processor [410fd034] - [ 0.000000] Machine model: SolidRun i.MX8MQ HummingBoard Pulse - [ 0.000000] earlycon: ec_imx6q0 at MMIO 0x0000000030860000 (options '115200') - [ 0.000000] bootconsole [ec_imx6q0] enabled - [ 0.000000] efi: Getting EFI parameters from FDT: - [ 0.000000] efi: UEFI not found. - [ 0.000000] cma: Reserved 320 MiB at 0x00000000ec000000 - [ 0.000000] psci: probing for conduit method from DT. - [ 0.000000] psci: PSCIv1.1 detected in firmware. - [ 0.000000] psci: Using standard PSCI v0.2 function IDs - [ 0.000000] psci: MIGRATE_INFO_TYPE not supported. - [ 0.000000] psci: SMC Calling Convention v1.1 - [ 0.000000] percpu: Embedded 20 pages/cpu s43288 r8192 d30440 u81920 - [ 0.000000] Detected VIPT I-cache on CPU0 - [ 0.000000] CPU features: enabling workaround for ARM errata 826319, 827319, 824069 - [ 0.000000] CPU features: enabling workaround for ARM erratum 845719 - [ 0.000000] Speculative Store Bypass Disable mitigation not required - [ 0.000000] Built 1 zonelists, mobility grouping on. Total pages: 773120 - [ 0.000000] Kernel command line: console=ttymxc0,115200 earlycon=ec_imx6q,0x30860000,115200 root=0 - [ 0.000000] log_buf_len individual max cpu contribution: 4096 bytes - [ 0.000000] log_buf_len total cpu_extra contributions: 12288 bytes - [ 0.000000] log_buf_len min size: 16384 bytes - [ 0.000000] log_buf_len: 32768 bytes - [ 0.000000] early log buf free: 14396(87%) - [ 0.000000] PID hash table entries: 4096 (order: 3, 32768 bytes) - [ 0.000000] Dentry cache hash table entries: 524288 (order: 10, 4194304 bytes) - [ 0.000000] Inode-cache hash table entries: 262144 (order: 9, 2097152 bytes) - [ 0.000000] Memory: 2742008K/3141632K available (10364K kernel code, 948K rwdata, 3712K rodata, 5) - [ 0.000000] Virtual kernel memory layout: - [ 0.000000] modules : 0xffff000000000000 - 0xffff000008000000 ( 128 MB) - [ 0.000000] vmalloc : 0xffff000008000000 - 0xffff7dffbfff0000 (129022 GB) - [ 0.000000] .text : 0xffff000008080000 - 0xffff000008aa0000 ( 10368 KB) - [ 0.000000] .rodata : 0xffff000008aa0000 - 0xffff000008e50000 ( 3776 KB) - [ 0.000000] .init : 0xffff000008e50000 - 0xffff000008ee0000 ( 576 KB) - [ 0.000000] .data : 0xffff000008ee0000 - 0xffff000008fcd200 ( 949 KB) - [ 0.000000] .bss : 0xffff000008fcd200 - 0xffff00000900d4a0 ( 257 KB) - [ 0.000000] fixed : 0xffff7dfffe7fb000 - 0xffff7dfffec00000 ( 4116 KB) - [ 0.000000] PCI I/O : 0xffff7dfffee00000 - 0xffff7dffffe00000 ( 16 MB) - [ 0.000000] vmemmap : 0xffff7e0000000000 - 0xffff800000000000 ( 2048 GB maximum) - [ 0.000000] 0xffff7e0000000000 - 0xffff7e0003000000 ( 48 MB actual) - [ 0.000000] memory : 0xffff800000000000 - 0xffff8000c0000000 ( 3072 MB) - [ 0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1 - [ 0.000000] Preemptible hierarchical RCU implementation. - [ 0.000000] RCU restricting CPUs from NR_CPUS=64 to nr_cpu_ids=4. - [ 0.000000] Tasks RCU enabled. - [ 0.000000] RCU: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=4 - [ 0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0 - [ 0.000000] GICv3: GIC: Using split EOI/Deactivate mode - [ 0.000000] GICv3: no VLPI support, no direct LPI support - [ 0.000000] ITS: No ITS available, not enabling LPIs - [ 0.000000] GICv3: CPU0: found redistributor 0 region 0:0x0000000038880000 - [ 0.000000] i.MX8MQ clock driver init done - [ 0.000000] arch_timer: cp15 timer(s) running at 8.33MHz (phys). - [ 0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x1ec0311ec, max_ids - [ 0.000003] sched_clock: 56 bits at 8MHz, resolution 120ns, wraps every 2199023255541ns - [ 0.008045] system counter timer init - [ 0.011613] sched_clock: 56 bits at 8MHz, resolution 120ns, wraps every 2199023255541ns - [ 0.019528] clocksource: imx sysctr: mask: 0xffffffffffffff max_cycles: 0x1ec0311ec, max_idle_ns:s - [ 0.029946] Console: colour dummy device 80x25 - [ 0.034149] Calibrating delay loop (skipped), value calculated using timer frequency.. 16.66 Bogo) - [ 0.044331] pid_max: default: 32768 minimum: 301 - [ 0.048976] Security Framework initialized - [ 0.053013] Mount-cache hash table entries: 8192 (order: 4, 65536 bytes) - [ 0.059634] Mountpoint-cache hash table entries: 8192 (order: 4, 65536 bytes) - [ 0.082768] ASID allocator initialised with 32768 entries - [ 0.090768] Hierarchical SRCU implementation. - [ 0.099162] CPU identified as i.MX8MQ, silicon rev 2.0 - [ 0.101506] EFI services will not be available. - [ 0.113951] smp: Bringing up secondary CPUs ... - [ 0.142077] Detected VIPT I-cache on CPU1 - [ 0.142100] GICv3: CPU1: found redistributor 1 region 0:0x00000000388a0000 - [ 0.142117] CPU1: Booted secondary processor [410fd034] - [ 0.170120] Detected VIPT I-cache on CPU2 - [ 0.170136] GICv3: CPU2: found redistributor 2 region 0:0x00000000388c0000 - [ 0.170150] CPU2: Booted secondary processor [410fd034] - [ 0.198182] Detected VIPT I-cache on CPU3 - [ 0.198198] GICv3: CPU3: found redistributor 3 region 0:0x00000000388e0000 - [ 0.198211] CPU3: Booted secondary processor [410fd034] - [ 0.198274] smp: Brought up 1 node, 4 CPUs - [ 0.247466] SMP: Total of 4 processors activated. - [ 0.252127] CPU features: detected: GIC system register CPU interface - [ 0.258527] CPU features: detected: 32-bit EL0 Support - [ 0.264478] CPU: All CPU(s) started at EL2 - [ 0.267704] alternatives: patching kernel code - [ 0.273031] devtmpfs: initialized - [ 0.280811] random: get_random_u32 called from bucket_table_alloc+0x104/0x268 with crng_init=0 - [ 0.286946] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 764504178s - [ 0.296226] futex hash table entries: 1024 (order: 5, 131072 bytes) - [ 0.310301] pinctrl core: initialized pinctrl subsystem - [ 0.313325] NET: Registered protocol family 16 - [ 0.321113] cpuidle: using governor menu - [ 0.322763] vdso: 2 pages (1 code @ ffff000008aa6000, 1 data @ ffff000008ee4000) - [ 0.329529] hw-breakpoint: found 6 breakpoint and 4 watchpoint registers. - [ 0.341793] DMA: preallocated 256 KiB pool for atomic allocations - [ 0.345236] imx rpmsg driver is registered. - [ 0.352919] imx8mq-pinctrl 30330000.iomuxc: initialized IMX pinctrl driver - [ 0.362467] MU is ready for cross core communication! - [ 0.366071] virtio_rpmsg_bus virtio0: rpmsg host is online - [ 0.381002] HugeTLB registered 2.00 MiB page size, pre-allocated 0 pages - [ 0.392085] vgaarb: loaded - [ 0.392307] SCSI subsystem initialized - [ 0.395947] usbcore: registered new interface driver usbfs - [ 0.401138] usbcore: registered new interface driver hub - [ 0.407079] usbcore: registered new device driver usb - [ 0.412188] i2c i2c-0: IMX I2C adapter registered - [ 0.416065] i2c i2c-0: can't use DMA, using PIO instead. - [ 0.421630] i2c i2c-1: IMX I2C adapter registered - [ 0.425998] i2c i2c-1: can't use DMA, using PIO instead. - [ 0.431605] i2c i2c-2: IMX I2C adapter registered - [ 0.435973] i2c i2c-2: can't use DMA, using PIO instead. - [ 0.441315] media: Linux media interface: v0.10 - [ 0.445711] Linux video capture interface: v2.00 - [ 0.450345] pps_core: LinuxPPS API ver. 1 registered - [ 0.455186] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti - [ 0.464280] PTP clock support registered - [ 0.468499] Advanced Linux Sound Architecture Driver Initialized. - [ 0.474663] Bluetooth: Core ver 2.22 - [ 0.477751] NET: Registered protocol family 31 - [ 0.482144] Bluetooth: HCI device and connection manager initialized - [ 0.488452] Bluetooth: HCI socket layer initialized - [ 0.493289] Bluetooth: L2CAP socket layer initialized - [ 0.498312] Bluetooth: SCO socket layer initialized - [ 0.503857] clocksource: Switched to clocksource arch_sys_counter - [ 0.509293] VFS: Disk quotas dquot_6.6.0 - [ 0.513125] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes) - [ 0.525603] NET: Registered protocol family 2 - [ 0.527436] TCP established hash table entries: 32768 (order: 6, 262144 bytes) - [ 0.534517] TCP bind hash table entries: 32768 (order: 7, 524288 bytes) - [ 0.541356] TCP: Hash tables configured (established 32768 bind 32768) - [ 0.547382] UDP hash table entries: 2048 (order: 4, 65536 bytes) - [ 0.553368] UDP-Lite hash table entries: 2048 (order: 4, 65536 bytes) - [ 0.559843] NET: Registered protocol family 1 - [ 0.564261] RPC: Registered named UNIX socket transport module. - [ 0.569883] RPC: Registered udp transport module. - [ 0.574540] RPC: Registered tcp transport module. - [ 0.579200] RPC: Registered tcp NFSv4.1 backchannel transport module. - [ 0.586332] hw perfevents: enabled with armv8_pmuv3 PMU driver, 7 counters available - [ 0.596382] audit: initializing netlink subsys (disabled) - [ 0.598998] audit: type=2000 audit(0.479:1): state=initialized audit_enabled=0 res=1 - [ 0.599373] workingset: timestamp_bits=46 max_order=20 bucket_order=0 - [ 0.618775] squashfs: version 4.0 (2009/01/31) Phillip Lougher - [ 0.622285] NFS: Registering the id_resolver key type - [ 0.626774] Key type id_resolver registered - [ 0.630919] Key type id_legacy registered - [ 0.634880] nfs4filelayout_init: NFSv4 File Layout Driver Registering... - [ 0.641697] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc. - [ 0.647980] 9p: Installing v9fs 9p2000 file system support - [ 0.657751] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 246) - [ 0.662277] io scheduler noop registered - [ 0.666257] io scheduler cfq registered (default) - [ 0.670827] io scheduler mq-deadline registered - [ 0.675336] io scheduler kyber registered - [ 0.679454] io scheduler bfq registered - [ 0.686141] imx-sdma 30bd0000.sdma: no iram assigned, using external mem - [ 0.693608] imx-sdma 30bd0000.sdma: Falling back to user helper - [ 0.697011] imx-sdma 302c0000.sdma: no iram assigned, using external mem - [ 0.712017] Bus freq driver module loaded - [ 0.714272] Config NOC for VPU and CPU - [ 0.717874] pfuze100-regulator 0-0008: Full layer: 2, Metal layer: 1 - [ 0.723508] pfuze100-regulator 0-0008: FAB: 0, FIN: 0 - [ 0.728253] pfuze100-regulator 0-0008: pfuze100 found. - [ 0.743938] Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled - [ 0.749303] 30860000.serial: ttymxc0 at MMIO 0x30860000 (irq = 39, base_baud = 1562500) is a IMX - [ 0.759006] console [ttymxc0] enabled - [ 0.759006] console [ttymxc0] enabled - [ 0.763472] bootconsole [ec_imx6q0] disabled - [ 0.763472] bootconsole [ec_imx6q0] disabled - [ 0.772500] 30880000.serial: ttymxc2 at MMIO 0x30880000 (irq = 40, base_baud = 5000000) is a IMX - [ 0.784039] 30890000.serial: ttymxc1 at MMIO 0x30890000 (irq = 41, base_baud = 1562500) is a IMX - [ 0.793293] 30a60000.serial: ttymxc3 at MMIO 0x30a60000 (irq = 43, base_baud = 5000000) is a IMX - [ 0.810977] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013). - [ 0.817609] [drm] No driver support for vblank timestamp query. - [ 0.823663] imx-drm display-subsystem: bound imx-dcss-crtc.0 (ops dcss_crtc_ops) - [ 0.831212] [drm] CDN_API_General_Test_Echo_Ext_blocking - APB(ret = 0 echo_resp = echo test) - [ 0.839756] [drm] CDN_API_General_getCurVersion - ver 13196 verlib 13062 - [ 0.846504] [drm] Pixel clock frequency: 594000 KHz, character clock frequency: 594000, color dep. - [ 0.856437] [drm] Pixel clock frequency (594000 KHz) is supported in this color depth (8-bit). Se7 - [ 0.867226] [drm] VCO frequency is 5940000 - [ 0.871336] [drm] VCO frequency (5940000 KHz) is supported. Settings found in row 14 - [ 0.903139] [drm] CDN_API_General_Write_Register_blocking LANES_CONFIG ret = 0 - [ 0.910388] [drm] Failed to get HDCP config - using HDCP 2.2 only - [ 0.916556] [drm] Failed to initialize HDCP - [ 0.921078] [drm] hdmi-audio-codec driver bound to HDMI - [ 0.926324] imx-drm display-subsystem: bound 32c00000.hdmi (ops imx_hdp_imx_ops) - [ 0.933777] [drm] Cannot find any crtc or sizes - [ 0.938626] [drm] Initialized imx-drm 1.0.0 20120507 for display-subsystem on minor 0 - [ 0.951477] loop: module loaded - [ 0.955270] slram: not enough parameters. - [ 0.959937] libphy: Fixed MDIO Bus: probed - [ 0.964045] tun: Universal TUN/TAP device driver, 1.6 - [ 0.970540] fec 30be0000.ethernet: 30be0000.ethernet supply phy not found, using dummy regulator - [ 0.982524] pps pps0: new PPS source ptp0 - [ 0.991230] libphy: fec_enet_mii_bus: probed - [ 0.996363] fec 30be0000.ethernet eth0: registered PHC device 0 - [ 1.002963] e1000e: Intel(R) PRO/1000 Network Driver - 3.2.6-k - [ 1.008811] e1000e: Copyright(c) 1999 - 2015 Intel Corporation. - [ 1.014793] igb: Intel(R) Gigabit Ethernet Network Driver - version 5.4.0-k - [ 1.021768] igb: Copyright (c) 2007-2014 Intel Corporation. - [ 1.027394] igbvf: Intel(R) Gigabit Virtual Function Network Driver - version 2.4.0-k - [ 1.035237] igbvf: Copyright (c) 2009 - 2012 Intel Corporation. - [ 1.041201] sky2: driver version 1.30 - [ 1.050294] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver - [ 1.056844] ehci-pci: EHCI PCI platform driver - [ 1.061344] ehci-platform: EHCI generic platform driver - [ 1.066745] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver - [ 1.072950] ohci-pci: OHCI PCI platform driver - [ 1.077435] ohci-platform: OHCI generic platform driver - [ 1.083188] Can't support > 32 bit dma. - [ 1.087070] xhci-hcd xhci-hcd.0.auto: xHCI Host Controller - [ 1.092585] xhci-hcd xhci-hcd.0.auto: new USB bus registered, assigned bus number 1 - [ 1.105648] xhci-hcd xhci-hcd.0.auto: hcc params 0x0220fe6c hci version 0x110 quirks 0x00000000010 - [ 1.115100] xhci-hcd xhci-hcd.0.auto: irq 231, io mem 0x38100000 - [ 1.121632] hub 1-0:1.0: USB hub found - [ 1.125419] hub 1-0:1.0: 1 port detected - [ 1.129588] xhci-hcd xhci-hcd.0.auto: xHCI Host Controller - [ 1.135094] xhci-hcd xhci-hcd.0.auto: new USB bus registered, assigned bus number 2 - [ 1.142772] xhci-hcd xhci-hcd.0.auto: Host supports USB 3.0 SuperSpeed - [ 1.149828] hub 2-0:1.0: USB hub found - [ 1.153616] hub 2-0:1.0: 1 port detected - [ 1.157809] Can't support > 32 bit dma. - [ 1.161694] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller - [ 1.167199] xhci-hcd xhci-hcd.1.auto: new USB bus registered, assigned bus number 3 - [ 1.180208] xhci-hcd xhci-hcd.1.auto: hcc params 0x0220fe6c hci version 0x110 quirks 0x00000000010 - [ 1.189656] xhci-hcd xhci-hcd.1.auto: irq 232, io mem 0x38200000 - [ 1.196126] hub 3-0:1.0: USB hub found - [ 1.199914] hub 3-0:1.0: 1 port detected - [ 1.204077] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller - [ 1.209582] xhci-hcd xhci-hcd.1.auto: new USB bus registered, assigned bus number 4 - [ 1.217254] xhci-hcd xhci-hcd.1.auto: Host supports USB 3.0 SuperSpeed - [ 1.224313] hub 4-0:1.0: USB hub found - [ 1.228093] hub 4-0:1.0: 1 port detected - [ 1.232458] usbcore: registered new interface driver usb-storage - [ 1.238519] usbcore: registered new interface driver usb_ehset_test - [ 1.248049] rtc-abx80x 2-0069: model 1805, revision 2.3, lot 15, wafer 14, uid 17b1 - [ 1.256796] rtc-abx80x 2-0069: Enabling trickle charger: 05 - [ 1.265076] rtc-abx80x 2-0069: Oscillator failure, data is invalid. - [ 1.271494] rtc-abx80x 2-0069: rtc core: registered abx8xx as rtc0 - [ 1.278223] snvs_rtc 30370000.snvs:snvs-rtc-lp: registered as rtc1 - [ 1.284526] i2c /dev entries driver - [ 1.288368] IR NEC protocol handler initialized - [ 1.292916] IR RC5(x/sz) protocol handler initialized - [ 1.297976] IR RC6 protocol handler initialized - [ 1.302515] IR JVC protocol handler initialized - [ 1.307053] IR Sony protocol handler initialized - [ 1.311678] IR SANYO protocol handler initialized - [ 1.316390] IR Sharp protocol handler initialized - [ 1.321107] IR MCE Keyboard/mouse protocol handler initialized - [ 1.326948] IR XMP protocol handler initialized - [ 1.332828] imx2-wdt 30280000.wdog: timeout 60 sec (nowayout=0) - [ 1.338825] Bluetooth: HCI UART driver ver 2.3 - [ 1.343281] Bluetooth: HCI UART protocol H4 registered - [ 1.348480] usbcore: registered new interface driver btusb - [ 1.354031] usbcore: registered new interface driver ath3k - [ 1.360304] sdhci: Secure Digital Host Controller Interface driver - [ 1.366494] sdhci: Copyright(c) Pierre Ossman - [ 1.370890] sdhci-pltfm: SDHCI platform and OF driver helper - [ 1.424419] mmc0: SDHCI controller on 30b40000.usdhc [30b40000.usdhc] using ADMA - [ 1.433441] mmc1: CQHCI version 0.00 - [ 1.437078] sdhci-esdhc-imx 30b50000.usdhc: Got CD GPIO - [ 1.493081] mmc1: SDHCI controller on 30b50000.usdhc [30b50000.usdhc] using ADMA - [ 1.507570] ledtrig-cpu: registered to indicate activity on CPUs - [ 1.514149] caam 30900000.caam: ERA source: CCBVID. - [ 1.520241] caam 30900000.caam: device ID = 0x0a16040100000000 (Era 9) - [ 1.526790] caam 30900000.caam: job rings = 3, qi = 0, dpaa2 = no - [ 1.535775] caam_jr 30901000.jr0: Entropy delay = 3200 - [ 1.541040] caam_jr 30901000.jr0: Entropy delay = 3600 - [ 1.552388] usb 3-1: new high-speed USB device number 2 using xhci-hcd - [ 1.573563] mmc1: host does not support reading read-only switch, assuming write-enable - [ 1.606074] mmc0: new HS400 MMC card at address 0001 - [ 1.611617] mmcblk0: mmc0:0001 8GTF4R 7.28 GiB - [ 1.616167] caam_jr 30901000.jr0: Instantiated RNG4 SH0. - [ 1.621841] mmcblk0boot0: mmc0:0001 8GTF4R partition 1 4.00 MiB - [ 1.628128] mmcblk0boot1: mmc0:0001 8GTF4R partition 2 4.00 MiB - [ 1.634177] mmcblk0rpmb: mmc0:0001 8GTF4R partition 3 512 KiB, chardev (244:0) - [ 1.681567] caam_jr 30901000.jr0: Instantiated RNG4 SH1. - [ 1.701886] caam algorithms registered in /proc/crypto - [ 1.708245] random: fast init done - [ 1.712736] caam_jr 30901000.jr0: registering rng-caam - [ 1.718126] caam 30900000.caam: caam pkc algorithms registered in /proc/crypto - [ 1.726606] caam-snvs 30370000.caam-snvs: can't get snvs clock - [ 1.732507] caam-snvs 30370000.caam-snvs: violation handlers armed - non-secure state - [ 1.740575] hub 3-1:1.0: USB hub found - [ 1.741349] usbcore: registered new interface driver usbhid - [ 1.749938] hub 3-1:1.0: 4 ports detected - [ 1.754016] usbhid: USB HID core driver - [ 1.770237] mmc1: new ultra high speed SDR104 SDHC card at address aaaa - [ 1.777409] mmcblk1: mmc1:aaaa SC16G 14.8 GiB - [ 1.784221] imx-wm8524 sound-wm8524: wm8524-hifi <-> 308b0000.sai mapping ok - [ 1.791342] mmcblk1: p1 p2 - [ 1.797107] imx-spdif sound-spdif: snd-soc-dummy-dai <-> 30810000.spdif mapping ok - [ 1.806640] imx-spdif sound-hdmi-arc: snd-soc-dummy-dai <-> 308a0000.spdif mapping ok - [ 1.816186] imx-cdnhdmi sound-hdmi: i2s-hifi <-> 30050000.sai mapping ok - [ 1.823464] NET: Registered protocol family 26 - [ 1.828023] NET: Registered protocol family 17 - [ 1.832555] Bluetooth: RFCOMM TTY layer initialized - [ 1.837451] Bluetooth: RFCOMM socket layer initialized - [ 1.839918] usb 4-1: new SuperSpeed USB device number 2 using xhci-hcd - [ 1.842610] Bluetooth: RFCOMM ver 1.11 - [ 1.852881] Bluetooth: BNEP (Ethernet Emulation) ver 1.3 - [ 1.858200] Bluetooth: BNEP filters: protocol multicast - [ 1.863438] Bluetooth: BNEP socket layer initialized - [ 1.868411] Bluetooth: HIDP (Human Interface Emulation) ver 1.2 - [ 1.874340] Bluetooth: HIDP socket layer initialized - [ 1.879351] lib80211: common routines for IEEE802.11 drivers - [ 1.885057] 9pnet: Installing 9P2000 support - [ 1.889385] Key type dns_resolver registered - [ 1.894658] registered taskstats version 1 - [ 1.906271] cpu cpu0: registered imx8mq-cpufreq - [ 1.911151] imx6q-pcie 33800000.pcie: 33800000.pcie supply epdev_on not found, using dummy regular - [ 1.912062] hub 4-1:1.0: USB hub found - [ 1.924274] hub 4-1:1.0: 4 ports detected - [ 1.960537] OF: PCI: host bridge /pcie@0x33800000 ranges: - [ 1.965945] OF: PCI: No bus range found for /pcie@0x33800000, using [bus 00-ff] - [ 1.967919] [drm] Cannot find any crtc or sizes - [ 1.973441] OF: PCI: IO 0x1ff80000..0x1ff8ffff -> 0x00000000 - [ 1.983894] OF: PCI: MEM 0x18000000..0x1fefffff -> 0x18000000 - [ 1.990592] imx6q-pcie 33800000.pcie: pcie phy pll is locked. - [ 2.240443] imx6q-pcie 33800000.pcie: phy link never came up - [ 2.246119] imx6q-pcie 33800000.pcie: failed to initialize host - [ 2.252042] imx6q-pcie 33800000.pcie: unable to add pcie port. - [ 2.258542] imx6q-pcie: probe of 33800000.pcie failed with error -110 - [ 2.265426] imx6q-pcie 33c00000.pcie: 33c00000.pcie supply epdev_on not found, using dummy regular - [ 2.274751] OF: PCI: host bridge /pcie@0x33c00000 ranges: - [ 2.280162] OF: PCI: No bus range found for /pcie@0x33c00000, using [bus 00-ff] - [ 2.287656] OF: PCI: IO 0x27f80000..0x27f8ffff -> 0x00000000 - [ 2.293587] OF: PCI: MEM 0x20000000..0x27efffff -> 0x20000000 - [ 2.300356] imx6q-pcie 33c00000.pcie: pcie phy pll is locked. - [ 2.319442] imx6q-pcie 33c00000.pcie: Link: Gen2 disabled - [ 2.324845] imx6q-pcie 33c00000.pcie: Link up, Gen1 - [ 2.332017] imx6q-pcie 33c00000.pcie: PCI host bridge to bus 0000:00 - [ 2.338409] pci_bus 0000:00: root bus resource [bus 00-ff] - [ 2.343936] pci_bus 0000:00: root bus resource [io 0x10000-0x1ffff] (bus address [0x0000-0xffff]) - [ 2.352923] pci_bus 0000:00: root bus resource [mem 0x20000000-0x27efffff] - [ 2.373023] pci 0000:00:00.0: BAR 0: assigned [mem 0x20000000-0x200fffff 64bit] - [ 2.380390] pci 0000:00:00.0: BAR 14: assigned [mem 0x20100000-0x201fffff] - [ 2.387304] pci 0000:00:00.0: BAR 6: assigned [mem 0x20200000-0x2020ffff pref] - [ 2.394566] pci 0000:00:00.0: BAR 13: assigned [io 0x10000-0x10fff] - [ 2.400955] pci 0000:01:00.0: BAR 0: assigned [mem 0x20100000-0x2011ffff] - [ 2.407796] pci 0000:01:00.0: BAR 3: assigned [mem 0x20120000-0x20123fff] - [ 2.414627] pci 0000:01:00.0: BAR 2: assigned [io 0x10000-0x1001f] - [ 2.420950] pci 0000:00:00.0: PCI bridge to [bus 01-ff] - [ 2.426207] pci 0000:00:00.0: bridge window [io 0x10000-0x10fff] - [ 2.432504] pci 0000:00:00.0: bridge window [mem 0x20100000-0x201fffff] - [ 2.439969] pcieport 0000:00:00.0: Signaling PME with IRQ 268 - [ 2.445929] pcieport 0000:00:00.0: AER enabled with IRQ 268 - [ 2.451968] igb 0000:01:00.0: enabling device (0000 -> 0002) - [ 2.457676] Can't support > 32 bit dma. - [ 2.695382] pps pps1: new PPS source ptp1 - [ 2.700410] igb 0000:01:00.0: added PHC on eth1 - [ 2.704968] igb 0000:01:00.0: Intel(R) Gigabit Ethernet Network Connection - [ 2.711864] igb 0000:01:00.0: eth1: (PCIe:2.5Gb/s:Width x1) d0:63:b4:01:e3:15 - [ 2.719017] igb 0000:01:00.0: eth1: PBA No: FFFFFF-0FF - [ 2.724172] igb 0000:01:00.0: Using MSI-X interrupts. 4 rx queue(s), 4 tx queue(s) - [ 2.733443] hantrodec: module inserted. Major = 243 - [ 2.742360] rtc-abx80x 2-0069: Oscillator failure, data is invalid. - [ 2.748643] rtc-abx80x 2-0069: hctosys: unable to read the hardware clock - [ 2.756219] usb1_vbus: disabling - [ 2.759570] usbh1_vbus: disabling - [ 2.763203] SW1AB: disabling - [ 2.766373] VGEN1: disabling - [ 2.769528] VGEN6: disabling - [ 2.772682] ALSA device list: - [ 2.775651] #0: wm8524-audio - [ 2.778716] #1: imx-spdif - [ 2.781518] #2: imx-hdmi-arc - [ 2.784580] #3: imx-audio-hdmi - [ 2.819711] EXT4-fs (mmcblk1p2): recovery complete - [ 2.829184] EXT4-fs (mmcblk1p2): mounted filesystem with ordered data mode. Opts: (null) - [ 2.837313] VFS: Mounted root (ext4 filesystem) on device 179:98. - [ 2.847302] devtmpfs: mounted - [ 2.850570] Freeing unused kernel memory: 576K - [ 2.983748] systemd[1]: System time before build time, advancing clock. - [ 3.018590] NET: Registered protocol family 10 - [ 3.024206] Segment Routing with IPv6 - [ 3.040854] systemd[1]: systemd 243.2+ running in system mode. (+PAM -AUDIT -SELINUX +IMA -APPARM) - [ 3.062879] systemd[1]: Detected architecture arm64. - - Welcome to FSLC Wayland 3.0 (zeus)! - - [ 3.091799] systemd[1]: Set hostname to . - [ 3.103123] random: systemd: uninitialized urandom read (16 bytes read) - [ 3.109767] systemd[1]: Initializing machine ID from random generator. - [ 3.299299] systemd[1]: /lib/systemd/system/dbus.socket:5: ListenStream= references a path below . - [ 3.393586] random: systemd: uninitialized urandom read (16 bytes read) - [ 3.400361] systemd[1]: system-getty.slice: unit configures an IP firewall, but the local system . - [ 3.412748] systemd[1]: (This warning is only shown for the first unit using IP firewalling.) - [ 3.425855] systemd[1]: Created slice system-getty.slice. - [ OK ] Created slice system-getty.slice. - [ 3.443956] random: systemd: uninitialized urandom read (16 bytes read) - [ 3.451288] systemd[1]: Created slice system-serial\x2dgetty.slice. - [ OK ] Created slice system-serial\x2dgetty.slice. - [ 3.477886] systemd[1]: Created slice User and Session Slice. - [ OK ] Created slice User and Session Slice. - [ OK ] Started Dispatch Password …ts to Console Directory Watch. - [ OK ] Started Forward Password R…uests to Wall Directory Watch. - [ OK ] Reached target Paths. - [ OK ] Reached target Remote File Systems. - [ OK ] Reached target Slices. - [ OK ] Reached target Swap. - [ OK ] Listening on Syslog Socket. - [ OK ] Listening on initctl Compatibility Named Pipe. - [ OK ] Listening on Journal Audit Socket. - [ OK ] Listening on Journal Socket (/dev/log). - [ OK ] Listening on Journal Socket. - [ OK ] Listening on Network Service Netlink Socket. - [ OK ] Listening on udev Control Socket. - [ OK ] Listening on udev Kernel Socket. - Mounting Huge Pages File System... - Mounting POSIX Message Queue File System... - Mounting Kernel Debug File System... - Mounting Temporary Directory (/tmp)... - Starting Journal Service... - Mounting Kernel Configuration File System... - Starting Remount Root and Kernel File Systems... - Starting Apply Kernel Variables... - [ 3.903620] EXT4-fs (mmcblk1p2): re-mounted. Opts: (null) - Starting udev Coldplug all Devices... - [ OK ] Started Journal Service. - [ OK ] Mounted Huge Pages File System. - [ OK ] Mounted POSIX Message Queue File System. - [ OK ] Mounted Kernel Debug File System. - [ OK ] Mounted Temporary Directory (/tmp). - [ OK ] Mounted Kernel Configuration File System. - [ OK ] Started Remount Root and Kernel File Systems. - [ OK ] Started Apply Kernel Variables. - Starting Flush Journal to Persistent Storage... - Starting Create[ 4.111789] systemd-journald[1483]: Received client request to flush runt. - System Users... - [ OK ] Started Flush Journal to Persistent Storage. - [ OK ] Started Create System Users. - Starting Create Static Device Nodes in /dev... - [ OK ] Started Create Static Device Nodes in /dev. - [ OK ] Started udev Coldplug all Devices. - [ OK ] Reached target Local File Systems (Pre). - Mounting /var/volatile... - Starting udev Kernel Device Manager... - [ OK ] Mounted /var/volatile. - Starting Load/Save Random Seed... - [ OK ] Reached target Local File Systems. - Starting Rebuild Dynamic Linker Cache... - Starting Create Volatile Files and Directories... - [ OK ] Started udev Kernel Device Manager. - Starting Network Service... - [ OK ] Started Create Volatile Files and Directories. - Starting Run pending postinsts... - Starting Rebuild Journal Catalog... - Starting Network Time Synchronization... - Starting Update UTMP about System Boot/Shutdown... - [ OK ] Started Network Service. - [ OK ] Started Rebuild Dynamic Linker Cache. - [ OK ] Started Rebuild Journal Catalog. - [ OK ] Started Update UTMP about System Boot/Shutdown. - Starting Network Name Resolution... - Starting Update is Completed... - [ OK ] Started Network Time Synchronization. - [ OK ] Started Run pending postinsts. - [ OK ] Started Update is Completed. - [ 4.896872] Atheros 8031 ethernet 30be0000.ethernet-1:04: attached PHY driver [Atheros 8031 ether) - [ 4.925921] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready - [ 4.945269] igb 0000:01:00.0 enp1s0: renamed from eth1 - [ OK ] Reached target Sound Card. - [ OK ] Reached target System Initialization. - [ OK ] Started Daily Cleanup of Temporary Directories. - [ 5.051753] IPv6: ADDRCONF(NETDEV_UP): enp1s0: link is not ready - [ OK ] Reached target System Time Set. - [ OK ] Reached target System Time Synchronized. - [ OK ] Reached target Timers. - [ OK ] Listening on D-Bus System Message Bus Socket. - [ OK ] Reached target Sockets. - [ OK ] Reached target Basic System. - [ OK ] Listening on Load/Save RF …itch Status /dev/rfkill Watch. - [ OK ] Started Kernel Logging Service. - [ OK ] Started System Logging Service. - [ OK ] Started D-Bus System Message Bus. - Starting Login Service... - [ OK ] Started Network Name Resolution. - [ OK ] Reached target Network. - [ OK ] Reached target Host and Network Name Lookups. - Starting Permit User Sessions... - [ OK ] Started Permit User Sessions. - [ OK ] Started Getty on tty1. - [ OK ] Started Serial Getty on ttymxc0. - [ OK ] Reached target Login Prompts. - [ OK ] Started Login Service. - [ OK ] Reached target Multi-User System. - Starting Update UTMP about System Runlevel Changes... - [ OK ] Started Update UTMP about System Runlevel Changes. - - FSLC Wayland 3.0 hummingboard-pulse ttymxc0 - - hummingboard-pulse login: root - [ 40.429032] audit: type=1006 audit(1583407507.443:2): pid=2364 uid=0 old-auid=4294967295 auid=0 t1 - root@hummingboard-pulse:~# uname -a - Linux hummingboard-pulse 4.14.166-solidrun+ga33b5bfc5cc1 #1 SMP PREEMPT Thu Mar 5 11:51:27 UTC 2020 x - ``` +```bash +Starting kernel ... + +[ 0.000000] Booting Linux on physical CPU 0x0 +[ 0.000000] Linux version 4.14.166-solidrun+ga33b5bfc5cc1 (oe-user@oe-host) (gcc version 9.2.0 (G0 +[ 0.000000] Boot CPU: AArch64 Processor [410fd034] +[ 0.000000] Machine model: SolidRun i.MX8MQ HummingBoard Pulse +[ 0.000000] earlycon: ec_imx6q0 at MMIO 0x0000000030860000 (options '115200') +[ 0.000000] bootconsole [ec_imx6q0] enabled +[ 0.000000] efi: Getting EFI parameters from FDT: +[ 0.000000] efi: UEFI not found. +[ 0.000000] cma: Reserved 320 MiB at 0x00000000ec000000 +[ 0.000000] psci: probing for conduit method from DT. +[ 0.000000] psci: PSCIv1.1 detected in firmware. +[ 0.000000] psci: Using standard PSCI v0.2 function IDs +[ 0.000000] psci: MIGRATE_INFO_TYPE not supported. +[ 0.000000] psci: SMC Calling Convention v1.1 +[ 0.000000] percpu: Embedded 20 pages/cpu s43288 r8192 d30440 u81920 +[ 0.000000] Detected VIPT I-cache on CPU0 +[ 0.000000] CPU features: enabling workaround for ARM errata 826319, 827319, 824069 +[ 0.000000] CPU features: enabling workaround for ARM erratum 845719 +[ 0.000000] Speculative Store Bypass Disable mitigation not required +[ 0.000000] Built 1 zonelists, mobility grouping on. Total pages: 773120 +[ 0.000000] Kernel command line: console=ttymxc0,115200 earlycon=ec_imx6q,0x30860000,115200 root=0 +[ 0.000000] log_buf_len individual max cpu contribution: 4096 bytes +[ 0.000000] log_buf_len total cpu_extra contributions: 12288 bytes +[ 0.000000] log_buf_len min size: 16384 bytes +[ 0.000000] log_buf_len: 32768 bytes +[ 0.000000] early log buf free: 14396(87%) +[ 0.000000] PID hash table entries: 4096 (order: 3, 32768 bytes) +[ 0.000000] Dentry cache hash table entries: 524288 (order: 10, 4194304 bytes) +[ 0.000000] Inode-cache hash table entries: 262144 (order: 9, 2097152 bytes) +[ 0.000000] Memory: 2742008K/3141632K available (10364K kernel code, 948K rwdata, 3712K rodata, 5) +[ 0.000000] Virtual kernel memory layout: +[ 0.000000] modules : 0xffff000000000000 - 0xffff000008000000 ( 128 MB) +[ 0.000000] vmalloc : 0xffff000008000000 - 0xffff7dffbfff0000 (129022 GB) +[ 0.000000] .text : 0xffff000008080000 - 0xffff000008aa0000 ( 10368 KB) +[ 0.000000] .rodata : 0xffff000008aa0000 - 0xffff000008e50000 ( 3776 KB) +[ 0.000000] .init : 0xffff000008e50000 - 0xffff000008ee0000 ( 576 KB) +[ 0.000000] .data : 0xffff000008ee0000 - 0xffff000008fcd200 ( 949 KB) +[ 0.000000] .bss : 0xffff000008fcd200 - 0xffff00000900d4a0 ( 257 KB) +[ 0.000000] fixed : 0xffff7dfffe7fb000 - 0xffff7dfffec00000 ( 4116 KB) +[ 0.000000] PCI I/O : 0xffff7dfffee00000 - 0xffff7dffffe00000 ( 16 MB) +[ 0.000000] vmemmap : 0xffff7e0000000000 - 0xffff800000000000 ( 2048 GB maximum) +[ 0.000000] 0xffff7e0000000000 - 0xffff7e0003000000 ( 48 MB actual) +[ 0.000000] memory : 0xffff800000000000 - 0xffff8000c0000000 ( 3072 MB) +[ 0.000000] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=4, Nodes=1 +[ 0.000000] Preemptible hierarchical RCU implementation. +[ 0.000000] RCU restricting CPUs from NR_CPUS=64 to nr_cpu_ids=4. +[ 0.000000] Tasks RCU enabled. +[ 0.000000] RCU: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=4 +[ 0.000000] NR_IRQS: 64, nr_irqs: 64, preallocated irqs: 0 +[ 0.000000] GICv3: GIC: Using split EOI/Deactivate mode +[ 0.000000] GICv3: no VLPI support, no direct LPI support +[ 0.000000] ITS: No ITS available, not enabling LPIs +[ 0.000000] GICv3: CPU0: found redistributor 0 region 0:0x0000000038880000 +[ 0.000000] i.MX8MQ clock driver init done +[ 0.000000] arch_timer: cp15 timer(s) running at 8.33MHz (phys). +[ 0.000000] clocksource: arch_sys_counter: mask: 0xffffffffffffff max_cycles: 0x1ec0311ec, max_ids +[ 0.000003] sched_clock: 56 bits at 8MHz, resolution 120ns, wraps every 2199023255541ns +[ 0.008045] system counter timer init +[ 0.011613] sched_clock: 56 bits at 8MHz, resolution 120ns, wraps every 2199023255541ns +[ 0.019528] clocksource: imx sysctr: mask: 0xffffffffffffff max_cycles: 0x1ec0311ec, max_idle_ns:s +[ 0.029946] Console: colour dummy device 80x25 +[ 0.034149] Calibrating delay loop (skipped), value calculated using timer frequency.. 16.66 Bogo) +[ 0.044331] pid_max: default: 32768 minimum: 301 +[ 0.048976] Security Framework initialized +[ 0.053013] Mount-cache hash table entries: 8192 (order: 4, 65536 bytes) +[ 0.059634] Mountpoint-cache hash table entries: 8192 (order: 4, 65536 bytes) +[ 0.082768] ASID allocator initialised with 32768 entries +[ 0.090768] Hierarchical SRCU implementation. +[ 0.099162] CPU identified as i.MX8MQ, silicon rev 2.0 +[ 0.101506] EFI services will not be available. +[ 0.113951] smp: Bringing up secondary CPUs ... +[ 0.142077] Detected VIPT I-cache on CPU1 +[ 0.142100] GICv3: CPU1: found redistributor 1 region 0:0x00000000388a0000 +[ 0.142117] CPU1: Booted secondary processor [410fd034] +[ 0.170120] Detected VIPT I-cache on CPU2 +[ 0.170136] GICv3: CPU2: found redistributor 2 region 0:0x00000000388c0000 +[ 0.170150] CPU2: Booted secondary processor [410fd034] +[ 0.198182] Detected VIPT I-cache on CPU3 +[ 0.198198] GICv3: CPU3: found redistributor 3 region 0:0x00000000388e0000 +[ 0.198211] CPU3: Booted secondary processor [410fd034] +[ 0.198274] smp: Brought up 1 node, 4 CPUs +[ 0.247466] SMP: Total of 4 processors activated. +[ 0.252127] CPU features: detected: GIC system register CPU interface +[ 0.258527] CPU features: detected: 32-bit EL0 Support +[ 0.264478] CPU: All CPU(s) started at EL2 +[ 0.267704] alternatives: patching kernel code +[ 0.273031] devtmpfs: initialized +[ 0.280811] random: get_random_u32 called from bucket_table_alloc+0x104/0x268 with crng_init=0 +[ 0.286946] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 764504178s +[ 0.296226] futex hash table entries: 1024 (order: 5, 131072 bytes) +[ 0.310301] pinctrl core: initialized pinctrl subsystem +[ 0.313325] NET: Registered protocol family 16 +[ 0.321113] cpuidle: using governor menu +[ 0.322763] vdso: 2 pages (1 code @ ffff000008aa6000, 1 data @ ffff000008ee4000) +[ 0.329529] hw-breakpoint: found 6 breakpoint and 4 watchpoint registers. +[ 0.341793] DMA: preallocated 256 KiB pool for atomic allocations +[ 0.345236] imx rpmsg driver is registered. +[ 0.352919] imx8mq-pinctrl 30330000.iomuxc: initialized IMX pinctrl driver +[ 0.362467] MU is ready for cross core communication! +[ 0.366071] virtio_rpmsg_bus virtio0: rpmsg host is online +[ 0.381002] HugeTLB registered 2.00 MiB page size, pre-allocated 0 pages +[ 0.392085] vgaarb: loaded +[ 0.392307] SCSI subsystem initialized +[ 0.395947] usbcore: registered new interface driver usbfs +[ 0.401138] usbcore: registered new interface driver hub +[ 0.407079] usbcore: registered new device driver usb +[ 0.412188] i2c i2c-0: IMX I2C adapter registered +[ 0.416065] i2c i2c-0: can't use DMA, using PIO instead. +[ 0.421630] i2c i2c-1: IMX I2C adapter registered +[ 0.425998] i2c i2c-1: can't use DMA, using PIO instead. +[ 0.431605] i2c i2c-2: IMX I2C adapter registered +[ 0.435973] i2c i2c-2: can't use DMA, using PIO instead. +[ 0.441315] media: Linux media interface: v0.10 +[ 0.445711] Linux video capture interface: v2.00 +[ 0.450345] pps_core: LinuxPPS API ver. 1 registered +[ 0.455186] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti +[ 0.464280] PTP clock support registered +[ 0.468499] Advanced Linux Sound Architecture Driver Initialized. +[ 0.474663] Bluetooth: Core ver 2.22 +[ 0.477751] NET: Registered protocol family 31 +[ 0.482144] Bluetooth: HCI device and connection manager initialized +[ 0.488452] Bluetooth: HCI socket layer initialized +[ 0.493289] Bluetooth: L2CAP socket layer initialized +[ 0.498312] Bluetooth: SCO socket layer initialized +[ 0.503857] clocksource: Switched to clocksource arch_sys_counter +[ 0.509293] VFS: Disk quotas dquot_6.6.0 +[ 0.513125] VFS: Dquot-cache hash table entries: 512 (order 0, 4096 bytes) +[ 0.525603] NET: Registered protocol family 2 +[ 0.527436] TCP established hash table entries: 32768 (order: 6, 262144 bytes) +[ 0.534517] TCP bind hash table entries: 32768 (order: 7, 524288 bytes) +[ 0.541356] TCP: Hash tables configured (established 32768 bind 32768) +[ 0.547382] UDP hash table entries: 2048 (order: 4, 65536 bytes) +[ 0.553368] UDP-Lite hash table entries: 2048 (order: 4, 65536 bytes) +[ 0.559843] NET: Registered protocol family 1 +[ 0.564261] RPC: Registered named UNIX socket transport module. +[ 0.569883] RPC: Registered udp transport module. +[ 0.574540] RPC: Registered tcp transport module. +[ 0.579200] RPC: Registered tcp NFSv4.1 backchannel transport module. +[ 0.586332] hw perfevents: enabled with armv8_pmuv3 PMU driver, 7 counters available +[ 0.596382] audit: initializing netlink subsys (disabled) +[ 0.598998] audit: type=2000 audit(0.479:1): state=initialized audit_enabled=0 res=1 +[ 0.599373] workingset: timestamp_bits=46 max_order=20 bucket_order=0 +[ 0.618775] squashfs: version 4.0 (2009/01/31) Phillip Lougher +[ 0.622285] NFS: Registering the id_resolver key type +[ 0.626774] Key type id_resolver registered +[ 0.630919] Key type id_legacy registered +[ 0.634880] nfs4filelayout_init: NFSv4 File Layout Driver Registering... +[ 0.641697] jffs2: version 2.2. (NAND) © 2001-2006 Red Hat, Inc. +[ 0.647980] 9p: Installing v9fs 9p2000 file system support +[ 0.657751] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 246) +[ 0.662277] io scheduler noop registered +[ 0.666257] io scheduler cfq registered (default) +[ 0.670827] io scheduler mq-deadline registered +[ 0.675336] io scheduler kyber registered +[ 0.679454] io scheduler bfq registered +[ 0.686141] imx-sdma 30bd0000.sdma: no iram assigned, using external mem +[ 0.693608] imx-sdma 30bd0000.sdma: Falling back to user helper +[ 0.697011] imx-sdma 302c0000.sdma: no iram assigned, using external mem +[ 0.712017] Bus freq driver module loaded +[ 0.714272] Config NOC for VPU and CPU +[ 0.717874] pfuze100-regulator 0-0008: Full layer: 2, Metal layer: 1 +[ 0.723508] pfuze100-regulator 0-0008: FAB: 0, FIN: 0 +[ 0.728253] pfuze100-regulator 0-0008: pfuze100 found. +[ 0.743938] Serial: 8250/16550 driver, 4 ports, IRQ sharing disabled +[ 0.749303] 30860000.serial: ttymxc0 at MMIO 0x30860000 (irq = 39, base_baud = 1562500) is a IMX +[ 0.759006] console [ttymxc0] enabled +[ 0.759006] console [ttymxc0] enabled +[ 0.763472] bootconsole [ec_imx6q0] disabled +[ 0.763472] bootconsole [ec_imx6q0] disabled +[ 0.772500] 30880000.serial: ttymxc2 at MMIO 0x30880000 (irq = 40, base_baud = 5000000) is a IMX +[ 0.784039] 30890000.serial: ttymxc1 at MMIO 0x30890000 (irq = 41, base_baud = 1562500) is a IMX +[ 0.793293] 30a60000.serial: ttymxc3 at MMIO 0x30a60000 (irq = 43, base_baud = 5000000) is a IMX +[ 0.810977] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013). +[ 0.817609] [drm] No driver support for vblank timestamp query. +[ 0.823663] imx-drm display-subsystem: bound imx-dcss-crtc.0 (ops dcss_crtc_ops) +[ 0.831212] [drm] CDN_API_General_Test_Echo_Ext_blocking - APB(ret = 0 echo_resp = echo test) +[ 0.839756] [drm] CDN_API_General_getCurVersion - ver 13196 verlib 13062 +[ 0.846504] [drm] Pixel clock frequency: 594000 KHz, character clock frequency: 594000, color dep. +[ 0.856437] [drm] Pixel clock frequency (594000 KHz) is supported in this color depth (8-bit). Se7 +[ 0.867226] [drm] VCO frequency is 5940000 +[ 0.871336] [drm] VCO frequency (5940000 KHz) is supported. Settings found in row 14 +[ 0.903139] [drm] CDN_API_General_Write_Register_blocking LANES_CONFIG ret = 0 +[ 0.910388] [drm] Failed to get HDCP config - using HDCP 2.2 only +[ 0.916556] [drm] Failed to initialize HDCP +[ 0.921078] [drm] hdmi-audio-codec driver bound to HDMI +[ 0.926324] imx-drm display-subsystem: bound 32c00000.hdmi (ops imx_hdp_imx_ops) +[ 0.933777] [drm] Cannot find any crtc or sizes +[ 0.938626] [drm] Initialized imx-drm 1.0.0 20120507 for display-subsystem on minor 0 +[ 0.951477] loop: module loaded +[ 0.955270] slram: not enough parameters. +[ 0.959937] libphy: Fixed MDIO Bus: probed +[ 0.964045] tun: Universal TUN/TAP device driver, 1.6 +[ 0.970540] fec 30be0000.ethernet: 30be0000.ethernet supply phy not found, using dummy regulator +[ 0.982524] pps pps0: new PPS source ptp0 +[ 0.991230] libphy: fec_enet_mii_bus: probed +[ 0.996363] fec 30be0000.ethernet eth0: registered PHC device 0 +[ 1.002963] e1000e: Intel(R) PRO/1000 Network Driver - 3.2.6-k +[ 1.008811] e1000e: Copyright(c) 1999 - 2015 Intel Corporation. +[ 1.014793] igb: Intel(R) Gigabit Ethernet Network Driver - version 5.4.0-k +[ 1.021768] igb: Copyright (c) 2007-2014 Intel Corporation. +[ 1.027394] igbvf: Intel(R) Gigabit Virtual Function Network Driver - version 2.4.0-k +[ 1.035237] igbvf: Copyright (c) 2009 - 2012 Intel Corporation. +[ 1.041201] sky2: driver version 1.30 +[ 1.050294] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver +[ 1.056844] ehci-pci: EHCI PCI platform driver +[ 1.061344] ehci-platform: EHCI generic platform driver +[ 1.066745] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver +[ 1.072950] ohci-pci: OHCI PCI platform driver +[ 1.077435] ohci-platform: OHCI generic platform driver +[ 1.083188] Can't support > 32 bit dma. +[ 1.087070] xhci-hcd xhci-hcd.0.auto: xHCI Host Controller +[ 1.092585] xhci-hcd xhci-hcd.0.auto: new USB bus registered, assigned bus number 1 +[ 1.105648] xhci-hcd xhci-hcd.0.auto: hcc params 0x0220fe6c hci version 0x110 quirks 0x00000000010 +[ 1.115100] xhci-hcd xhci-hcd.0.auto: irq 231, io mem 0x38100000 +[ 1.121632] hub 1-0:1.0: USB hub found +[ 1.125419] hub 1-0:1.0: 1 port detected +[ 1.129588] xhci-hcd xhci-hcd.0.auto: xHCI Host Controller +[ 1.135094] xhci-hcd xhci-hcd.0.auto: new USB bus registered, assigned bus number 2 +[ 1.142772] xhci-hcd xhci-hcd.0.auto: Host supports USB 3.0 SuperSpeed +[ 1.149828] hub 2-0:1.0: USB hub found +[ 1.153616] hub 2-0:1.0: 1 port detected +[ 1.157809] Can't support > 32 bit dma. +[ 1.161694] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller +[ 1.167199] xhci-hcd xhci-hcd.1.auto: new USB bus registered, assigned bus number 3 +[ 1.180208] xhci-hcd xhci-hcd.1.auto: hcc params 0x0220fe6c hci version 0x110 quirks 0x00000000010 +[ 1.189656] xhci-hcd xhci-hcd.1.auto: irq 232, io mem 0x38200000 +[ 1.196126] hub 3-0:1.0: USB hub found +[ 1.199914] hub 3-0:1.0: 1 port detected +[ 1.204077] xhci-hcd xhci-hcd.1.auto: xHCI Host Controller +[ 1.209582] xhci-hcd xhci-hcd.1.auto: new USB bus registered, assigned bus number 4 +[ 1.217254] xhci-hcd xhci-hcd.1.auto: Host supports USB 3.0 SuperSpeed +[ 1.224313] hub 4-0:1.0: USB hub found +[ 1.228093] hub 4-0:1.0: 1 port detected +[ 1.232458] usbcore: registered new interface driver usb-storage +[ 1.238519] usbcore: registered new interface driver usb_ehset_test +[ 1.248049] rtc-abx80x 2-0069: model 1805, revision 2.3, lot 15, wafer 14, uid 17b1 +[ 1.256796] rtc-abx80x 2-0069: Enabling trickle charger: 05 +[ 1.265076] rtc-abx80x 2-0069: Oscillator failure, data is invalid. +[ 1.271494] rtc-abx80x 2-0069: rtc core: registered abx8xx as rtc0 +[ 1.278223] snvs_rtc 30370000.snvs:snvs-rtc-lp: registered as rtc1 +[ 1.284526] i2c /dev entries driver +[ 1.288368] IR NEC protocol handler initialized +[ 1.292916] IR RC5(x/sz) protocol handler initialized +[ 1.297976] IR RC6 protocol handler initialized +[ 1.302515] IR JVC protocol handler initialized +[ 1.307053] IR Sony protocol handler initialized +[ 1.311678] IR SANYO protocol handler initialized +[ 1.316390] IR Sharp protocol handler initialized +[ 1.321107] IR MCE Keyboard/mouse protocol handler initialized +[ 1.326948] IR XMP protocol handler initialized +[ 1.332828] imx2-wdt 30280000.wdog: timeout 60 sec (nowayout=0) +[ 1.338825] Bluetooth: HCI UART driver ver 2.3 +[ 1.343281] Bluetooth: HCI UART protocol H4 registered +[ 1.348480] usbcore: registered new interface driver btusb +[ 1.354031] usbcore: registered new interface driver ath3k +[ 1.360304] sdhci: Secure Digital Host Controller Interface driver +[ 1.366494] sdhci: Copyright(c) Pierre Ossman +[ 1.370890] sdhci-pltfm: SDHCI platform and OF driver helper +[ 1.424419] mmc0: SDHCI controller on 30b40000.usdhc [30b40000.usdhc] using ADMA +[ 1.433441] mmc1: CQHCI version 0.00 +[ 1.437078] sdhci-esdhc-imx 30b50000.usdhc: Got CD GPIO +[ 1.493081] mmc1: SDHCI controller on 30b50000.usdhc [30b50000.usdhc] using ADMA +[ 1.507570] ledtrig-cpu: registered to indicate activity on CPUs +[ 1.514149] caam 30900000.caam: ERA source: CCBVID. +[ 1.520241] caam 30900000.caam: device ID = 0x0a16040100000000 (Era 9) +[ 1.526790] caam 30900000.caam: job rings = 3, qi = 0, dpaa2 = no +[ 1.535775] caam_jr 30901000.jr0: Entropy delay = 3200 +[ 1.541040] caam_jr 30901000.jr0: Entropy delay = 3600 +[ 1.552388] usb 3-1: new high-speed USB device number 2 using xhci-hcd +[ 1.573563] mmc1: host does not support reading read-only switch, assuming write-enable +[ 1.606074] mmc0: new HS400 MMC card at address 0001 +[ 1.611617] mmcblk0: mmc0:0001 8GTF4R 7.28 GiB +[ 1.616167] caam_jr 30901000.jr0: Instantiated RNG4 SH0. +[ 1.621841] mmcblk0boot0: mmc0:0001 8GTF4R partition 1 4.00 MiB +[ 1.628128] mmcblk0boot1: mmc0:0001 8GTF4R partition 2 4.00 MiB +[ 1.634177] mmcblk0rpmb: mmc0:0001 8GTF4R partition 3 512 KiB, chardev (244:0) +[ 1.681567] caam_jr 30901000.jr0: Instantiated RNG4 SH1. +[ 1.701886] caam algorithms registered in /proc/crypto +[ 1.708245] random: fast init done +[ 1.712736] caam_jr 30901000.jr0: registering rng-caam +[ 1.718126] caam 30900000.caam: caam pkc algorithms registered in /proc/crypto +[ 1.726606] caam-snvs 30370000.caam-snvs: can't get snvs clock +[ 1.732507] caam-snvs 30370000.caam-snvs: violation handlers armed - non-secure state +[ 1.740575] hub 3-1:1.0: USB hub found +[ 1.741349] usbcore: registered new interface driver usbhid +[ 1.749938] hub 3-1:1.0: 4 ports detected +[ 1.754016] usbhid: USB HID core driver +[ 1.770237] mmc1: new ultra high speed SDR104 SDHC card at address aaaa +[ 1.777409] mmcblk1: mmc1:aaaa SC16G 14.8 GiB +[ 1.784221] imx-wm8524 sound-wm8524: wm8524-hifi <-> 308b0000.sai mapping ok +[ 1.791342] mmcblk1: p1 p2 +[ 1.797107] imx-spdif sound-spdif: snd-soc-dummy-dai <-> 30810000.spdif mapping ok +[ 1.806640] imx-spdif sound-hdmi-arc: snd-soc-dummy-dai <-> 308a0000.spdif mapping ok +[ 1.816186] imx-cdnhdmi sound-hdmi: i2s-hifi <-> 30050000.sai mapping ok +[ 1.823464] NET: Registered protocol family 26 +[ 1.828023] NET: Registered protocol family 17 +[ 1.832555] Bluetooth: RFCOMM TTY layer initialized +[ 1.837451] Bluetooth: RFCOMM socket layer initialized +[ 1.839918] usb 4-1: new SuperSpeed USB device number 2 using xhci-hcd +[ 1.842610] Bluetooth: RFCOMM ver 1.11 +[ 1.852881] Bluetooth: BNEP (Ethernet Emulation) ver 1.3 +[ 1.858200] Bluetooth: BNEP filters: protocol multicast +[ 1.863438] Bluetooth: BNEP socket layer initialized +[ 1.868411] Bluetooth: HIDP (Human Interface Emulation) ver 1.2 +[ 1.874340] Bluetooth: HIDP socket layer initialized +[ 1.879351] lib80211: common routines for IEEE802.11 drivers +[ 1.885057] 9pnet: Installing 9P2000 support +[ 1.889385] Key type dns_resolver registered +[ 1.894658] registered taskstats version 1 +[ 1.906271] cpu cpu0: registered imx8mq-cpufreq +[ 1.911151] imx6q-pcie 33800000.pcie: 33800000.pcie supply epdev_on not found, using dummy regular +[ 1.912062] hub 4-1:1.0: USB hub found +[ 1.924274] hub 4-1:1.0: 4 ports detected +[ 1.960537] OF: PCI: host bridge /pcie@0x33800000 ranges: +[ 1.965945] OF: PCI: No bus range found for /pcie@0x33800000, using [bus 00-ff] +[ 1.967919] [drm] Cannot find any crtc or sizes +[ 1.973441] OF: PCI: IO 0x1ff80000..0x1ff8ffff -> 0x00000000 +[ 1.983894] OF: PCI: MEM 0x18000000..0x1fefffff -> 0x18000000 +[ 1.990592] imx6q-pcie 33800000.pcie: pcie phy pll is locked. +[ 2.240443] imx6q-pcie 33800000.pcie: phy link never came up +[ 2.246119] imx6q-pcie 33800000.pcie: failed to initialize host +[ 2.252042] imx6q-pcie 33800000.pcie: unable to add pcie port. +[ 2.258542] imx6q-pcie: probe of 33800000.pcie failed with error -110 +[ 2.265426] imx6q-pcie 33c00000.pcie: 33c00000.pcie supply epdev_on not found, using dummy regular +[ 2.274751] OF: PCI: host bridge /pcie@0x33c00000 ranges: +[ 2.280162] OF: PCI: No bus range found for /pcie@0x33c00000, using [bus 00-ff] +[ 2.287656] OF: PCI: IO 0x27f80000..0x27f8ffff -> 0x00000000 +[ 2.293587] OF: PCI: MEM 0x20000000..0x27efffff -> 0x20000000 +[ 2.300356] imx6q-pcie 33c00000.pcie: pcie phy pll is locked. +[ 2.319442] imx6q-pcie 33c00000.pcie: Link: Gen2 disabled +[ 2.324845] imx6q-pcie 33c00000.pcie: Link up, Gen1 +[ 2.332017] imx6q-pcie 33c00000.pcie: PCI host bridge to bus 0000:00 +[ 2.338409] pci_bus 0000:00: root bus resource [bus 00-ff] +[ 2.343936] pci_bus 0000:00: root bus resource [io 0x10000-0x1ffff] (bus address [0x0000-0xffff]) +[ 2.352923] pci_bus 0000:00: root bus resource [mem 0x20000000-0x27efffff] +[ 2.373023] pci 0000:00:00.0: BAR 0: assigned [mem 0x20000000-0x200fffff 64bit] +[ 2.380390] pci 0000:00:00.0: BAR 14: assigned [mem 0x20100000-0x201fffff] +[ 2.387304] pci 0000:00:00.0: BAR 6: assigned [mem 0x20200000-0x2020ffff pref] +[ 2.394566] pci 0000:00:00.0: BAR 13: assigned [io 0x10000-0x10fff] +[ 2.400955] pci 0000:01:00.0: BAR 0: assigned [mem 0x20100000-0x2011ffff] +[ 2.407796] pci 0000:01:00.0: BAR 3: assigned [mem 0x20120000-0x20123fff] +[ 2.414627] pci 0000:01:00.0: BAR 2: assigned [io 0x10000-0x1001f] +[ 2.420950] pci 0000:00:00.0: PCI bridge to [bus 01-ff] +[ 2.426207] pci 0000:00:00.0: bridge window [io 0x10000-0x10fff] +[ 2.432504] pci 0000:00:00.0: bridge window [mem 0x20100000-0x201fffff] +[ 2.439969] pcieport 0000:00:00.0: Signaling PME with IRQ 268 +[ 2.445929] pcieport 0000:00:00.0: AER enabled with IRQ 268 +[ 2.451968] igb 0000:01:00.0: enabling device (0000 -> 0002) +[ 2.457676] Can't support > 32 bit dma. +[ 2.695382] pps pps1: new PPS source ptp1 +[ 2.700410] igb 0000:01:00.0: added PHC on eth1 +[ 2.704968] igb 0000:01:00.0: Intel(R) Gigabit Ethernet Network Connection +[ 2.711864] igb 0000:01:00.0: eth1: (PCIe:2.5Gb/s:Width x1) d0:63:b4:01:e3:15 +[ 2.719017] igb 0000:01:00.0: eth1: PBA No: FFFFFF-0FF +[ 2.724172] igb 0000:01:00.0: Using MSI-X interrupts. 4 rx queue(s), 4 tx queue(s) +[ 2.733443] hantrodec: module inserted. Major = 243 +[ 2.742360] rtc-abx80x 2-0069: Oscillator failure, data is invalid. +[ 2.748643] rtc-abx80x 2-0069: hctosys: unable to read the hardware clock +[ 2.756219] usb1_vbus: disabling +[ 2.759570] usbh1_vbus: disabling +[ 2.763203] SW1AB: disabling +[ 2.766373] VGEN1: disabling +[ 2.769528] VGEN6: disabling +[ 2.772682] ALSA device list: +[ 2.775651] #0: wm8524-audio +[ 2.778716] #1: imx-spdif +[ 2.781518] #2: imx-hdmi-arc +[ 2.784580] #3: imx-audio-hdmi +[ 2.819711] EXT4-fs (mmcblk1p2): recovery complete +[ 2.829184] EXT4-fs (mmcblk1p2): mounted filesystem with ordered data mode. Opts: (null) +[ 2.837313] VFS: Mounted root (ext4 filesystem) on device 179:98. +[ 2.847302] devtmpfs: mounted +[ 2.850570] Freeing unused kernel memory: 576K +[ 2.983748] systemd[1]: System time before build time, advancing clock. +[ 3.018590] NET: Registered protocol family 10 +[ 3.024206] Segment Routing with IPv6 +[ 3.040854] systemd[1]: systemd 243.2+ running in system mode. (+PAM -AUDIT -SELINUX +IMA -APPARM) +[ 3.062879] systemd[1]: Detected architecture arm64. + +Welcome to FSLC Wayland 3.0 (zeus)! + +[ 3.091799] systemd[1]: Set hostname to . +[ 3.103123] random: systemd: uninitialized urandom read (16 bytes read) +[ 3.109767] systemd[1]: Initializing machine ID from random generator. +[ 3.299299] systemd[1]: /lib/systemd/system/dbus.socket:5: ListenStream= references a path below . +[ 3.393586] random: systemd: uninitialized urandom read (16 bytes read) +[ 3.400361] systemd[1]: system-getty.slice: unit configures an IP firewall, but the local system . +[ 3.412748] systemd[1]: (This warning is only shown for the first unit using IP firewalling.) +[ 3.425855] systemd[1]: Created slice system-getty.slice. +[ OK ] Created slice system-getty.slice. +[ 3.443956] random: systemd: uninitialized urandom read (16 bytes read) +[ 3.451288] systemd[1]: Created slice system-serial\x2dgetty.slice. +[ OK ] Created slice system-serial\x2dgetty.slice. +[ 3.477886] systemd[1]: Created slice User and Session Slice. +[ OK ] Created slice User and Session Slice. +[ OK ] Started Dispatch Password …ts to Console Directory Watch. +[ OK ] Started Forward Password R…uests to Wall Directory Watch. +[ OK ] Reached target Paths. +[ OK ] Reached target Remote File Systems. +[ OK ] Reached target Slices. +[ OK ] Reached target Swap. +[ OK ] Listening on Syslog Socket. +[ OK ] Listening on initctl Compatibility Named Pipe. +[ OK ] Listening on Journal Audit Socket. +[ OK ] Listening on Journal Socket (/dev/log). +[ OK ] Listening on Journal Socket. +[ OK ] Listening on Network Service Netlink Socket. +[ OK ] Listening on udev Control Socket. +[ OK ] Listening on udev Kernel Socket. + Mounting Huge Pages File System... + Mounting POSIX Message Queue File System... + Mounting Kernel Debug File System... + Mounting Temporary Directory (/tmp)... + Starting Journal Service... + Mounting Kernel Configuration File System... + Starting Remount Root and Kernel File Systems... + Starting Apply Kernel Variables... +[ 3.903620] EXT4-fs (mmcblk1p2): re-mounted. Opts: (null) + Starting udev Coldplug all Devices... +[ OK ] Started Journal Service. +[ OK ] Mounted Huge Pages File System. +[ OK ] Mounted POSIX Message Queue File System. +[ OK ] Mounted Kernel Debug File System. +[ OK ] Mounted Temporary Directory (/tmp). +[ OK ] Mounted Kernel Configuration File System. +[ OK ] Started Remount Root and Kernel File Systems. +[ OK ] Started Apply Kernel Variables. + Starting Flush Journal to Persistent Storage... + Starting Create[ 4.111789] systemd-journald[1483]: Received client request to flush runt. + System Users... +[ OK ] Started Flush Journal to Persistent Storage. +[ OK ] Started Create System Users. + Starting Create Static Device Nodes in /dev... +[ OK ] Started Create Static Device Nodes in /dev. +[ OK ] Started udev Coldplug all Devices. +[ OK ] Reached target Local File Systems (Pre). + Mounting /var/volatile... + Starting udev Kernel Device Manager... +[ OK ] Mounted /var/volatile. + Starting Load/Save Random Seed... +[ OK ] Reached target Local File Systems. + Starting Rebuild Dynamic Linker Cache... + Starting Create Volatile Files and Directories... +[ OK ] Started udev Kernel Device Manager. + Starting Network Service... +[ OK ] Started Create Volatile Files and Directories. + Starting Run pending postinsts... + Starting Rebuild Journal Catalog... + Starting Network Time Synchronization... + Starting Update UTMP about System Boot/Shutdown... +[ OK ] Started Network Service. +[ OK ] Started Rebuild Dynamic Linker Cache. +[ OK ] Started Rebuild Journal Catalog. +[ OK ] Started Update UTMP about System Boot/Shutdown. + Starting Network Name Resolution... + Starting Update is Completed... +[ OK ] Started Network Time Synchronization. +[ OK ] Started Run pending postinsts. +[ OK ] Started Update is Completed. +[ 4.896872] Atheros 8031 ethernet 30be0000.ethernet-1:04: attached PHY driver [Atheros 8031 ether) +[ 4.925921] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready +[ 4.945269] igb 0000:01:00.0 enp1s0: renamed from eth1 +[ OK ] Reached target Sound Card. +[ OK ] Reached target System Initialization. +[ OK ] Started Daily Cleanup of Temporary Directories. +[ 5.051753] IPv6: ADDRCONF(NETDEV_UP): enp1s0: link is not ready +[ OK ] Reached target System Time Set. +[ OK ] Reached target System Time Synchronized. +[ OK ] Reached target Timers. +[ OK ] Listening on D-Bus System Message Bus Socket. +[ OK ] Reached target Sockets. +[ OK ] Reached target Basic System. +[ OK ] Listening on Load/Save RF …itch Status /dev/rfkill Watch. +[ OK ] Started Kernel Logging Service. +[ OK ] Started System Logging Service. +[ OK ] Started D-Bus System Message Bus. + Starting Login Service... +[ OK ] Started Network Name Resolution. +[ OK ] Reached target Network. +[ OK ] Reached target Host and Network Name Lookups. + Starting Permit User Sessions... +[ OK ] Started Permit User Sessions. +[ OK ] Started Getty on tty1. +[ OK ] Started Serial Getty on ttymxc0. +[ OK ] Reached target Login Prompts. +[ OK ] Started Login Service. +[ OK ] Reached target Multi-User System. + Starting Update UTMP about System Runlevel Changes... +[ OK ] Started Update UTMP about System Runlevel Changes. + +FSLC Wayland 3.0 hummingboard-pulse ttymxc0 + +hummingboard-pulse login: root +[ 40.429032] audit: type=1006 audit(1583407507.443:2): pid=2364 uid=0 old-auid=4294967295 auid=0 t1 +root@hummingboard-pulse:~# uname -a +Linux hummingboard-pulse 4.14.166-solidrun+ga33b5bfc5cc1 #1 SMP PREEMPT Thu Mar 5 11:51:27 UTC 2020 x +``` ## Summary From now on, you will be able to build and run many other images from Yocto -Project, not only at HummingBoard but many others. If you are interested in -this subject follow our social media for more information! +Project, not only at HummingBoard but many others. If you are interested in this +subject follow our social media for more information! If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-04-28-remote_work_post.md b/blog/content/post/2020-04-28-remote_work_post.md old mode 100755 new mode 100644 index 1311a7e6..af2b2f6f --- a/blog/content/post/2020-04-28-remote_work_post.md +++ b/blog/content/post/2020-04-28-remote_work_post.md @@ -21,13 +21,13 @@ categories: Since the recent COVID-19 outbreak we all have been forced to pack our tools along with our potential and switch to home office. One may say that for IT it -is not a milestone; after all our work didn’t change significantly. We can -still develop solutions of an invariably good quality providing that our remote +is not a milestone; after all our work didn’t change significantly. We can still +develop solutions of an invariably good quality providing that our remote environment has been fully set. Apart from tools there are more factors, -combined in workflow, of which we are deprived while working remotely for a -long term. Among endless interruptions and no watchful eyes around, with -difficulties to connect people directly, there is the question that rises -inside the head: **Ping or not to ping?** +combined in workflow, of which we are deprived while working remotely for a long +term. Among endless interruptions and no watchful eyes around, with difficulties +to connect people directly, there is the question that rises inside the head: +**Ping or not to ping?** ![remote_work03](/img/remote_work03.jpg) @@ -58,15 +58,16 @@ certain tasks. With a little help comes Jitsi Meet on Docker. As we use Docker widely in our projects for firmware and embedded software building, conducting trainings and when rootfs building for infrastructure deployment, here again, for Jitsi Meet, fully encrypted, 100% Open Source videoconferencing solution, -you can find in our repository all the necessary tools to run a [Jitsi -Meet](https://github.com/jitsi/docker-jitsi-meet) stack on Docker using Docker -Compose. Another grind-team-gears issue is difficulty with maintaining proper -work-life balance. It is easy to merge with desk when having all the necessities -for the taking along with the good tools to work on. We didn't investigate -whether our testers work in pyjamas, but let's have a glimpse on what they are -having in the basic toolkit: [Flashrom](https://github.com/3mdeb/flashrom), -utility designed for flashing images on various programmer devices, helpful in -preparing device for further operations such as testing. Worthy to mention +you can find in our repository all the necessary tools to run a +[Jitsi Meet](https://github.com/jitsi/docker-jitsi-meet) stack on Docker using +Docker Compose. Another grind-team-gears issue is difficulty with maintaining +proper work-life balance. It is easy to merge with desk when having all the +necessities for the taking along with the good tools to work on. We didn't +investigate whether our testers work in pyjamas, but let's have a glimpse on +what they are having in the basic toolkit: +[Flashrom](https://github.com/3mdeb/flashrom), utility designed for flashing +images on various programmer devices, helpful in preparing device for further +operations such as testing. Worthy to mention [Cukinia](https://github.com/3mdeb/cukinia), Linux firmware validation framework helps to run simple system-level validation tests on firmware, and when analyzing security, [Chipsec](https://github.com/chipsec/chipsec) with its @@ -81,21 +82,20 @@ repository. Apart from useful tolls, 3mdeb team shared how they do the work and stay effective while remote working and frankly speaking it is all about simplicity of a good planning and smart goals. How does it look in practise? We make -checklists, detailed notes and to-do lists, planning each day in detail and -thus make the most of work hours. Some of us effectively use the pomodoro -technique, others break the eight-hour work system by dividing it into smaller -parts. To maintain workflow, we make smart breaks, during which we try to -leave the computer, spending time with the household members, taking a bit of -the fresh air or doing sports: and by sports we don't mean rush-to-the-fridge. -Doing our best to adapt to the current situation, we can proudly say that it -works. The quality of our solutions works. Whereas looking further, we all -agree that our struggles are going to have a positive impact when back to -office, as current situation taught us about better work organization, -self-discipline and the sense of responsibility. When it will become easier -for us to stay focused in the work environment with the colleagues sitting -nearby, what we will miss about remote working? Surely the flexibility of -working hours, lack of commuting and in some cases homey pyjamas. -Nevertheless, we are all waiting for the end of the pandemic and quick return -to our desks, screens and mugs. +checklists, detailed notes and to-do lists, planning each day in detail and thus +make the most of work hours. Some of us effectively use the pomodoro technique, +others break the eight-hour work system by dividing it into smaller parts. To +maintain workflow, we make smart breaks, during which we try to leave the +computer, spending time with the household members, taking a bit of the fresh +air or doing sports: and by sports we don't mean rush-to-the-fridge. Doing our +best to adapt to the current situation, we can proudly say that it works. The +quality of our solutions works. Whereas looking further, we all agree that our +struggles are going to have a positive impact when back to office, as current +situation taught us about better work organization, self-discipline and the +sense of responsibility. When it will become easier for us to stay focused in +the work environment with the colleagues sitting nearby, what we will miss about +remote working? Surely the flexibility of working hours, lack of commuting and +in some cases homey pyjamas. Nevertheless, we are all waiting for the end of the +pandemic and quick return to our desks, screens and mugs. ![remote_work02](/img/remote_work02.jpg) diff --git a/blog/content/post/2020-04-30-trenchboot-nlnet-release-04.md b/blog/content/post/2020-04-30-trenchboot-nlnet-release-04.md index 040dc6b4..69dfcdff 100644 --- a/blog/content/post/2020-04-30-trenchboot-nlnet-release-04.md +++ b/blog/content/post/2020-04-30-trenchboot-nlnet-release-04.md @@ -41,8 +41,8 @@ and prepared exact step-by-step procedure, so you can enable it too! We have made following changes since last release: -1. general **DRTM update in NixOS** (including landing-zone, Linux kernel -and Grub) +1. general **DRTM update in NixOS** (including landing-zone, Linux kernel and + Grub) 1. enabled DRTM in Yocto custom Linux built - **meta-trenchboot** 1. introduced **CI/CD system** to build each TrenchBoot components @@ -53,7 +53,7 @@ is divided into sections: 1. Enable DRTM in custom Linux built > Depending on specific section, there are already met project's requirements - mentioned and ways to verify them. +> mentioned and ways to verify them. CI/CD system is rather comprehensive topic, so we decided to describe it in separate article. @@ -64,348 +64,350 @@ Since last release, there are improvements in **landing-zone, grub and Linux kernel**. All of these components should be updated. Following procedure is showing how to do this properly. ->Remember, that everything is done in NixOS and further verification is done for -system precisely configured this way. - ->**IMPORTANT**: We needed to replace 16 GB SSD disk with 32 GB one. It's because -during system update, there were issues with space left and update didn't -finish. Therefore, remember to have **at least 32 GB disk**. +> Remember, that everything is done in NixOS and further verification is done +> for system precisely configured this way. +> +> **IMPORTANT**: We needed to replace 16 GB SSD disk with 32 GB one. It's +> because during system update, there were issues with space left and update +> didn't finish. Therefore, remember to have **at least 32 GB disk**. 1. Pull `3mdeb/nixpkgs` repository. - ``` - $ cd ~/nixpkgs - $ git branch trenchboot_support_2020.04 - $ git pull - ``` - -2. Pull `3mdeb/nixos-trenchboot-configs` repository. - - ``` - $ cd ~/nixos-trenchboot-configs - $ git branch master - $ git pull - ``` - -3. Copy all configuration files to `/etc/nixos/` directory. - - ``` - $ cp nixos-trenchboot-configs/*.nix /etc/nixos - ``` - -4. Update Linux kernel. - - > Linux kernel update must be done separately due to *out of memory error* - which might appear when entire system is rebuilt. - - ``` - $ nix-build -v -E 'with import {}; callPackage ./linux-5.5.nix {}' - ``` - -5. Update entire system. - - ``` - $ sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs - building Nix... - building the system configuration... - ``` - -6. Find new `Landing Zone` package in `/nixos/store/`. - - ``` - # ls /nix/store/ | grep landing-zone - 5a6kapnjxs8dj4jp49qagz1mw2r6hnr2-landing-zone-debug-0.3.0 - l1b2h84fdw8g0m9aygmv8g3nhbnw9kic-landing-zone-debug-0.3.0.drv - lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0 - mnbh5xahlbzmfa50r60y5z4lph9rd41k-landing-zone-0.3.0.drv - ``` - - > Choose directory with newest package. Debug or non-debug version doesn't - matter, it is up to your preferences. In our case it is - `lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0`. - -9. Copy `lz_header.bin` to `/boot/` directory. - - ``` - $ cp /nix/store/lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0/lz_header.bin /boot/lz_header - ``` - - > Notice, that file `lz_header.bin` changed its name to `lz_header` without - *.bin* extension. - -10. Check `/boot/grub/grub.cfg` file and its `NixOS - Default menu entry`. -Adjust `/etc/nixos/configuration.nix` and its `boot.loader.grub.extraEntries` -line to have exactly the same directories included. - - ``` - $ cat /boot/grub/grub.cfg - (...) - menuentry "NixOS - Default" { - search --set=drive1 --fs-uuid fdd9e92a-3d69-4bde-8c39-167ff7fba974 - search --set=drive2 --fs-uuid fdd9e92a-3d69-4bde-8c39-167ff7fba974 - linux ($drive2)/nix/store/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3/bzImage systemConfig=/nix/store/3adz0xnfnr71hrg84nyawg2rqxrva3x3-nixos-system-nixos-20.09.git.c156a866dd7M init=/nix/store/3adz0xnfnr71hrg84nyawg2rqxrva3x3-nixos-system-nixos-20.09.git.c156a866dd7M/init console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 loglevel=4 - initrd ($drive2)/nix/store/7q64073svk689cvk36z78zj7y2ifgjdv-initrd-linux-5.5.3/initrd - } - (...) - ``` - - With `grub.cfg` content as above `configuration.nix` must have - `boot.loader.grub.extraEntries` line like this: - - ``` - $ cat /etc/nixos/configuration.nix - (...) - boot.loader.grub.extraEntries = '' - menuentry "NixOS - Secure Launch" { - search --set=drive1 --fs-uuid fdd9e92a-3d69-4bde-8c39-167ff7fba974 - search --set=drive2 --fs-uuid fdd9e92a-3d69-4bde-8c39-167ff7fba974 - slaunch skinit - slaunch_module ($drive2)/boot/lz_header - linux ($drive2)/nix/store/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3/bzImage systemConfig=/nix/store/3adz0xnfnr71hrg84nyawg2rqxrva3x3-nixos-system-nixos-20.09.git.c156a866dd7M init=/nix/store/3adz0xnfnr71hrg84nyawg2rqxrva3x3-nixos-system-nixos-20.09.git.c156a866dd7M/init console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 loglevel=4 - initrd ($drive2)/nix/store/7q64073svk689cvk36z78zj7y2ifgjdv-initrd-linux-5.5.3/initrd - } - ''; - ``` - - If there are differences in any of `search --set=drive1...`, `search - --set=drive2...`, `linux ($drive2)/nix/store...` lines, edit - `configuration.nix` content and copy those lines from `grub.cfg` menuentry - `"NixOS - Default"`. They must be exactly the same. - -11. Update system for the last time. - - ``` - $ sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs - ``` - -12. Reboot platform - - ``` - $ reboot - ``` - -13. Choose `"NixOS - Secure Launch"` entry in grub menu and check if platform - boots correctly. - + ```bash + cd ~/nixpkgs + git branch trenchboot_support_2020.04 + git pull + ``` + +1. Pull `3mdeb/nixos-trenchboot-configs` repository. + + ```bash + cd ~/nixos-trenchboot-configs + git branch master + git pull + ``` + +1. Copy all configuration files to `/etc/nixos/` directory. + + ```bash + cp nixos-trenchboot-configs/*.nix /etc/nixos + ``` + +1. Update Linux kernel. + + > Linux kernel update must be done separately due to *out of memory error* + > which might appear when entire system is rebuilt. + + ```bash + nix-build -v -E 'with import {}; callPackage ./linux-5.5.nix {}' + ``` + +1. Update entire system. + + ```bash + $ sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs + building Nix... + building the system configuration... + ``` + +1. Find new `Landing Zone` package in `/nixos/store/`. + + ```bash + # ls /nix/store/ | grep landing-zone + 5a6kapnjxs8dj4jp49qagz1mw2r6hnr2-landing-zone-debug-0.3.0 + l1b2h84fdw8g0m9aygmv8g3nhbnw9kic-landing-zone-debug-0.3.0.drv + lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0 + mnbh5xahlbzmfa50r60y5z4lph9rd41k-landing-zone-0.3.0.drv + ``` + + > Choose directory with newest package. Debug or non-debug version doesn't + > matter, it is up to your preferences. In our case it is + > `lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0`. + +1. Copy `lz_header.bin` to `/boot/` directory. + + ```bash + cp /nix/store/lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0/lz_header.bin /boot/lz_header + ``` + + > Notice, that file `lz_header.bin` changed its name to `lz_header` without + > _.bin_ extension. + +1. Check `/boot/grub/grub.cfg` file and its `NixOS - Default menu entry`. Adjust + `/etc/nixos/configuration.nix` and its `boot.loader.grub.extraEntries` line + to have exactly the same directories included. + + ```bash + $ cat /boot/grub/grub.cfg + (...) + menuentry "NixOS - Default" { + search --set=drive1 --fs-uuid fdd9e92a-3d69-4bde-8c39-167ff7fba974 + search --set=drive2 --fs-uuid fdd9e92a-3d69-4bde-8c39-167ff7fba974 + linux ($drive2)/nix/store/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3/bzImage systemConfig=/nix/store/3adz0xnfnr71hrg84nyawg2rqxrva3x3-nixos-system-nixos-20.09.git.c156a866dd7M init=/nix/store/3adz0xnfnr71hrg84nyawg2rqxrva3x3-nixos-system-nixos-20.09.git.c156a866dd7M/init console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 loglevel=4 + initrd ($drive2)/nix/store/7q64073svk689cvk36z78zj7y2ifgjdv-initrd-linux-5.5.3/initrd + } + (...) + ``` + + With `grub.cfg` content as above `configuration.nix` must have + `boot.loader.grub.extraEntries` line like this: + + ```bash + $ cat /etc/nixos/configuration.nix + (...) + boot.loader.grub.extraEntries = '' + menuentry "NixOS - Secure Launch" { + search --set=drive1 --fs-uuid fdd9e92a-3d69-4bde-8c39-167ff7fba974 + search --set=drive2 --fs-uuid fdd9e92a-3d69-4bde-8c39-167ff7fba974 + slaunch skinit + slaunch_module ($drive2)/boot/lz_header + linux ($drive2)/nix/store/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3/bzImage systemConfig=/nix/store/3adz0xnfnr71hrg84nyawg2rqxrva3x3-nixos-system-nixos-20.09.git.c156a866dd7M init=/nix/store/3adz0xnfnr71hrg84nyawg2rqxrva3x3-nixos-system-nixos-20.09.git.c156a866dd7M/init console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 loglevel=4 + initrd ($drive2)/nix/store/7q64073svk689cvk36z78zj7y2ifgjdv-initrd-linux-5.5.3/initrd + } + ''; + ``` + + If there are differences in any of `search --set=drive1...`, + `search --set=drive2...`, `linux ($drive2)/nix/store...` lines, edit + `configuration.nix` content and copy those lines from `grub.cfg` menuentry + `"NixOS - Default"`. They must be exactly the same. + +1. Update system for the last time. + + ```bash + sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs + ``` + +1. Reboot platform + + ```bash + reboot + ``` + +1. Choose `"NixOS - Secure Launch"` entry in grub menu and check if platform + boots correctly. -#### Requirements verification - LZ content and layout +### Requirements verification - LZ content and layout There are two requirements which LZ must met: 1. bootloader information header in LZ should be moved at the end of the LZ -binary or the end of code section of the LZ. + binary or the end of code section of the LZ. 1. the size of the measured part of the SLB must be set to the code size only. Bootloader information header is special data structure which layout is -hardcoded in [landing-zone source code](https://github.com/TrenchBoot/landing-zone/blob/master/include/boot.h#L50). +hardcoded in +[landing-zone source code](https://github.com/TrenchBoot/landing-zone/blob/master/include/boot.h#L50). The requirement is to keep that data in `lz_header.bin` file after code section. Hence, when SKINIT instruction makes measurements of the Landing Zone, only code section is measured. Verification of above requirements can be carried out like this: 1. Copy `lz_header.bin` file from non-debug landing-zone package to home -directory. - - ``` - $ cp /nix/store/lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0/lz_header.bin ~/lz_header.bin - ``` - -2. Check the value of second word of `lz_header.bin` file using `hexdump` -tool. - - ``` - $ hexdump -C ~/lz_header.bin | head - 00000000 d4 01 00 d0 00 00 00 00 00 00 00 00 00 00 00 00 |................| - 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| - * - 000001d0 00 00 00 00 89 c5 8d a5 00 02 00 00 b9 14 01 01 |................| - 000001e0 c0 0f 32 83 e0 f9 0f 30 01 ad bc 27 00 00 01 ad |..2....0...'....| - 000001f0 52 02 00 00 01 ad 00 90 00 00 01 ad 00 80 00 00 |R...............| - 00000200 01 ad 08 80 00 00 01 ad 10 80 00 00 01 ad 18 80 |................| - 00000210 00 00 01 ad 00 40 00 00 0f 01 95 ba 27 00 00 b8 |.....@......'...| - 00000220 10 00 00 00 8e d8 8e c0 0f 20 e1 83 c9 20 0f 22 |......... ... ."| - 00000230 e1 8d 85 00 90 00 00 0f 22 d8 b9 80 00 00 c0 0f |........".......| - ``` - - > Value of second word (`00 d0`) is size of code section and concurrently - offset (address) of bootloader information header. Used notation is - little-endian so the value is actually `0xd000` (NOT 0x00d0). - -3. Check the content of `lz_header.bin` file from `0xd000` address. - - ``` - $ hexdump -C -s 0xd000 ~/lz_header.bin | head - 0000d000 78 f1 26 8e 04 92 11 e9 83 2a c8 5b 76 c4 cc 02 |x.&......*.[v...| - 0000d010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| - * - 0000d030 04 00 00 00 10 00 00 00 05 00 00 00 47 4e 55 00 |............GNU.| - 0000d040 01 00 00 c0 04 00 00 00 01 00 00 00 00 00 00 00 |................| - 0000d050 - ``` - - > As you can see, there is `78 f1 26 8e 04 92 11 e9 83 2a c8 5b 76 c4 cc - 02` data under 0xd000 address. - -4. If above data is the same as in data structure in -[landing-zone source code](https://github.com/TrenchBoot/landing-zone/blob/master/include/boot.h#L50) -then it is **bootloader information header**. In given example, it is -placed after code section in LZ. - - Debug version of landing zone can be checked exactly the same way. Just - make sure, you read address properly, as it probably isn't the same - value as in non-debug landing-zone. - -1. Copy `lz_header.bin` file from debug landing-zone package to home -directory. Rename it to `lz_header_debug.bin` - - ``` - $ cp /nix/store/5a6kapnjxs8dj4jp49qagz1mw2r6hnr2-landing-zone-debug-0.3.0/lz_header.bin ~/lz_header_debug.bin - ``` - -2. Check value of second word of `lz_header_debug.bin` file using -`hexdump` tool. - - ``` - $ hexdump -C ~/lz_header_debug.bin | head - 00000000 d4 01 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 |................| - 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| - * - 000001d0 00 00 00 00 89 c5 8d a5 00 02 00 00 b9 14 01 01 |................| - 000001e0 c0 0f 32 83 e0 f9 0f 30 01 ad ac 2b 00 00 01 ad |..2....0...+....| - 000001f0 52 02 00 00 01 ad 00 a0 00 00 01 ad 00 90 00 00 |R...............| - 00000200 01 ad 08 90 00 00 01 ad 10 90 00 00 01 ad 18 90 |................| - 00000210 00 00 01 ad 00 50 00 00 0f 01 95 aa 2b 00 00 b8 |.....P......+...| - 00000220 10 00 00 00 8e d8 8e c0 0f 20 e1 83 c9 20 0f 22 |......... ... ."| - 00000230 e1 8d 85 00 a0 00 00 0f 22 d8 b9 80 00 00 c0 0f |........".......| - ``` - - > Value of the second word (`00 e0`) is size of code section and - concurrently offset (address) of bootloader information header. Used - notation is little-endian so the offset is actually `0xe000` (NOT 0x00e0). - -3. Check the content of `lz_header_debug.bin` file from `0xe000` address. - - ``` - $ hexdump -C -s 0xe000 ~/lz_header_debug.bin | head - 0000e000 78 f1 26 8e 04 92 11 e9 83 2a c8 5b 76 c4 cc 02 |x.&......*.[v...| - 0000e010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| - * - 0000e030 04 00 00 00 10 00 00 00 05 00 00 00 47 4e 55 00 |............GNU.| - 0000e040 01 00 00 c0 04 00 00 00 01 00 00 00 00 00 00 00 |................| - 0000e050 - ``` - - > As you can see, there is `78 f1 26 8e 04 92 11 e9 83 2a c8 5b 76 c4 cc - 02` data under 0xe000 address. - -4. If above data is the same as in data structure in -[landing-zone source code](https://github.com/TrenchBoot/landing-zone/blob/master/include/boot.h#L50) -then it is **bootloader information header**. In given example, it is -placed after code section in LZ. + directory. + + ```bash + cp /nix/store/lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0/lz_header.bin ~/lz_header.bin + ``` + +1. Check the value of second word of `lz_header.bin` file using `hexdump` tool. + + ```bash + $ hexdump -C ~/lz_header.bin | head + 00000000 d4 01 00 d0 00 00 00 00 00 00 00 00 00 00 00 00 |................| + 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| + * + 000001d0 00 00 00 00 89 c5 8d a5 00 02 00 00 b9 14 01 01 |................| + 000001e0 c0 0f 32 83 e0 f9 0f 30 01 ad bc 27 00 00 01 ad |..2....0...'....| + 000001f0 52 02 00 00 01 ad 00 90 00 00 01 ad 00 80 00 00 |R...............| + 00000200 01 ad 08 80 00 00 01 ad 10 80 00 00 01 ad 18 80 |................| + 00000210 00 00 01 ad 00 40 00 00 0f 01 95 ba 27 00 00 b8 |.....@......'...| + 00000220 10 00 00 00 8e d8 8e c0 0f 20 e1 83 c9 20 0f 22 |......... ... ."| + 00000230 e1 8d 85 00 90 00 00 0f 22 d8 b9 80 00 00 c0 0f |........".......| + ``` + + > Value of second word (`00 d0`) is size of code section and concurrently + > offset (address) of bootloader information header. Used notation is + > little-endian so the value is actually `0xd000` (NOT 0x00d0). + +1. Check the content of `lz_header.bin` file from `0xd000` address. + + ```bash + $ hexdump -C -s 0xd000 ~/lz_header.bin | head + 0000d000 78 f1 26 8e 04 92 11 e9 83 2a c8 5b 76 c4 cc 02 |x.&......*.[v...| + 0000d010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| + * + 0000d030 04 00 00 00 10 00 00 00 05 00 00 00 47 4e 55 00 |............GNU.| + 0000d040 01 00 00 c0 04 00 00 00 01 00 00 00 00 00 00 00 |................| + 0000d050 + ``` + + > As you can see, there is + > `78 f1 26 8e 04 92 11 e9 83 2a c8 5b 76 c4 cc 02` data under 0xd000 + > address. + +1. If above data is the same as in data structure in + [landing-zone source code](https://github.com/TrenchBoot/landing-zone/blob/master/include/boot.h#L50) + then it is **bootloader information header**. In given example, it is placed + after code section in LZ. + + Debug version of landing zone can be checked exactly the same way. Just make + sure, you read address properly, as it probably isn't the same value as in + non-debug landing-zone. + +1. Copy `lz_header.bin` file from debug landing-zone package to home directory. + Rename it to `lz_header_debug.bin` + + ```bash + cp /nix/store/5a6kapnjxs8dj4jp49qagz1mw2r6hnr2-landing-zone-debug-0.3.0/lz_header.bin ~/lz_header_debug.bin + ``` + +1. Check value of second word of `lz_header_debug.bin` file using `hexdump` + tool. + + ```bash + $ hexdump -C ~/lz_header_debug.bin | head + 00000000 d4 01 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 |................| + 00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| + * + 000001d0 00 00 00 00 89 c5 8d a5 00 02 00 00 b9 14 01 01 |................| + 000001e0 c0 0f 32 83 e0 f9 0f 30 01 ad ac 2b 00 00 01 ad |..2....0...+....| + 000001f0 52 02 00 00 01 ad 00 a0 00 00 01 ad 00 90 00 00 |R...............| + 00000200 01 ad 08 90 00 00 01 ad 10 90 00 00 01 ad 18 90 |................| + 00000210 00 00 01 ad 00 50 00 00 0f 01 95 aa 2b 00 00 b8 |.....P......+...| + 00000220 10 00 00 00 8e d8 8e c0 0f 20 e1 83 c9 20 0f 22 |......... ... ."| + 00000230 e1 8d 85 00 a0 00 00 0f 22 d8 b9 80 00 00 c0 0f |........".......| + ``` + + > Value of the second word (`00 e0`) is size of code section and concurrently + > offset (address) of bootloader information header. Used notation is + > little-endian so the offset is actually `0xe000` (NOT 0x00e0). + +1. Check the content of `lz_header_debug.bin` file from `0xe000` address. + + ```bash + $ hexdump -C -s 0xe000 ~/lz_header_debug.bin | head + 0000e000 78 f1 26 8e 04 92 11 e9 83 2a c8 5b 76 c4 cc 02 |x.&......*.[v...| + 0000e010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| + * + 0000e030 04 00 00 00 10 00 00 00 05 00 00 00 47 4e 55 00 |............GNU.| + 0000e040 01 00 00 c0 04 00 00 00 01 00 00 00 00 00 00 00 |................| + 0000e050 + ``` + + > As you can see, there is + > `78 f1 26 8e 04 92 11 e9 83 2a c8 5b 76 c4 cc 02` data under 0xe000 + > address. + +1. If above data is the same as in data structure in + [landing-zone source code](https://github.com/TrenchBoot/landing-zone/blob/master/include/boot.h#L50) + then it is **bootloader information header**. In given example, it is placed + after code section in LZ. ## Enable DRTM in custom Linux built We are using the [Yocto Project](https://www.yoctoproject.org/) to build our -custom Linux distribution. Besides the standard `meta-layers`, we also use -the [meta-pcengines](https://github.com/pcengines/meta-pcengines) and -[meta-trenchboot](https://github.com/3mdeb/meta-trenchboot) layers. -You can learn more about the `meta-pcengines` usage in our others posts, like +custom Linux distribution. Besides the standard `meta-layers`, we also use the +[meta-pcengines](https://github.com/pcengines/meta-pcengines) and +[meta-trenchboot](https://github.com/3mdeb/meta-trenchboot) layers. You can +learn more about the `meta-pcengines` usage in our others posts, like [this one](https://blog.3mdeb.com/2020/2020-02-05-meta-pcengines-xen/). To use the custom Linux distribution on your PC Engines apu2 platform, all you need to have is: 1. SSD disk to store image. -1. Linux operating system (e.g. Debian) with `bmaptool` tool to flash SSD - disk. -1. *tb-minimal-image-pcengines-apu2.wic.bmap* file. -1. *tb-minimal-image-pcengines-apu2.wic.gz* file. +1. Linux operating system (e.g. Debian) with `bmaptool` tool to flash SSD disk. +1. _tb-minimal-image-pcengines-apu2.wic.bmap_ file. +1. _tb-minimal-image-pcengines-apu2.wic.gz_ file. `tb-minimal-image-pcengines-apu2.wic.*` files are built from [3mdeb/meta-trenchboot](https://github.com/3mdeb/meta-trenchboot) repository with our CI/CD system. You can build those images on your own by following instruction in repository. However, we recommend to use our images, which are already tested on hardware and can be downloaded from -[our GitLab CI](https://gitlab.com/trenchboot1/3mdeb/meta-trenchboot/-/jobs/533986608/artifacts/download). +[our GitLab CI](https://gitlab.com/trenchboot1/3mdeb/meta-trenchboot/-/jobs/913043457/artifacts/download?file_type=archive). Installation procedure will cover second scenario. -Procedure that will be presented shortly is conventional *disk flashing process -with usage of `bmaptool`*. Therefore, steps 1-3 can be carried out on any +Procedure that will be presented shortly is conventional _disk flashing process +with usage of `bmaptool`_. Therefore, steps 1-3 can be carried out on any machine with Linux. In this particular example, we are using only PC Engines apu2 platform with iPXE enabled and SSD disk included. 1. Boot to Linux based operating system. - In our case it is Debian Stable 4.16 booted via iPXE. - -2. Download *tb-minimal-image.bmap* and *tb-minimal-image.gz* files from GitLab -CI. - - > Our GitLab CI infrastructure is described in next article. For now, you - need to know that you can download release images from - [3mdeb/meta-trenchboot/pipelines](https://gitlab.com/trenchboot1/3mdeb/meta-trenchboot/pipelines?scope=tags&page=1) - tags tab. - - ``` - $ wget -O artifacts.zip https://gitlab.com/trenchboot1/3mdeb/meta-trenchboot/-/jobs/533986608/artifacts/download - $ unzip artifacts.zip - ``` - -3. Using `bmaptool` flash SSD disk with downloaded image. - - > **IMPORTANT**: Make sure to use proper target device - /dev/sdX. In our - case it is /dev/sda, but can be different for you. - - Usage of bmaptool is: `bmaptool copy --bmap ` - - ``` - $ bmaptool copy --bmap tb-minimal-image-pcengines-apu2.wic.bmap tb-minimal-image-pcengines-apu2.wic.gz /dev/sda - [ 1076.049347] sda: sda1 sda2 - bmaptool: info: block map format version 2.0 - bmaptool: info: 532480 blocks of size 4096 (2.0 GiB), mapped 48007 blocks (187.5 MiB or 9.0%) - bmaptool: info: copying image 'tb-minimal-image-pcengines-apu2.wic.gz' to block device '/dev/sda' using bmap file 'tb-minimal-image-pcengines-apu2.wic.bmap' - (...) - bmaptool: info: 99% copied - [ 1120.645490] sda: sda1 sda2 - ``` - -4. Reboot platform and boot from just flashed SSD disk. - - You should see GRUB menu with 2 entries: - - - boot - it is 'normal' boot without DRTM - - secure-boot - it is boot with **DRTM enabled** - -5. Choose `secure-boot` entry, verify bootlog and enjoy platform with DRTM! - - At the beginning, there should be similar output: - - ``` - grub_cmd_slaunch:122: check for manufacturer - grub_cmd_slaunch:126: check for cpuid - grub_cmd_slaunch:136: set slaunch - grub_cmd_slaunch_module:156: check argc - grub_cmd_slaunch_module:161: check relocator - grub_cmd_slaunch_module:170: open file - grub_cmd_slaunch_module:175: get size - grub_cmd_slaunch_module:180: allocate memory - grub_cmd_slaunch_module:192: addr: 0x100000 - grub_cmd_slaunch_module:194: target: 0x100000 - grub_cmd_slaunch_module:196: add module - grub_cmd_slaunch_module:205: read file - grub_cmd_slaunch_module:215: close file - grub_slaunch_boot_skinit:41: real_mode_target: 0x8b000 - grub_slaunch_boot_skinit:42: prot_mode_target: 0x1000000 - grub_slaunch_boot_skinit:43: params: 0xcfe2391 - code32_start 0x0000000001000000: - (...) - ``` - - > It indicates that DRTM is enabled and executed. For details about bootflow - and DRTM verification we refer to [previous article](https://blog.3mdeb.com/2020/2020-04-03-trenchboot-nlnet-lz-validation/) - in which it is precisely described. - -# Summary + In our case it is Debian Stable 4.16 booted via iPXE. + +1. Download _tb-minimal-image.bmap_ and _tb-minimal-image.gz_ files from GitLab + CI. + + > Our GitLab CI infrastructure is described in next article. For now, you + > need to know that you can download release images from + > [3mdeb/meta-trenchboot/pipelines](https://gitlab.com/trenchboot1/3mdeb/meta-trenchboot/pipelines?scope=tags&page=1) + > tags tab. + + ```bash + wget -O artifacts.zip https://gitlab.com/trenchboot1/3mdeb/meta-trenchboot/-/jobs/913043457/artifacts/download?file_type=archive + unzip artifacts.zip + ``` + +1. Using `bmaptool` flash SSD disk with downloaded image. + + > **IMPORTANT**: Make sure to use proper target device - /dev/sdX. In our + > case it is /dev/sda, but can be different for you. + + Usage of bmaptool is: + `bmaptool copy --bmap ` + + ```bash + $ bmaptool copy --bmap tb-minimal-image-pcengines-apu2.wic.bmap tb-minimal-image-pcengines-apu2.wic.gz /dev/sda + [ 1076.049347] sda: sda1 sda2 + bmaptool: info: block map format version 2.0 + bmaptool: info: 532480 blocks of size 4096 (2.0 GiB), mapped 48007 blocks (187.5 MiB or 9.0%) + bmaptool: info: copying image 'tb-minimal-image-pcengines-apu2.wic.gz' to block device '/dev/sda' using bmap file 'tb-minimal-image-pcengines-apu2.wic.bmap' + (...) + bmaptool: info: 99% copied + [ 1120.645490] sda: sda1 sda2 + ``` + +1. Reboot platform and boot from just flashed SSD disk. + + You should see GRUB menu with 2 entries: + + - boot - it is 'normal' boot without DRTM + - secure-boot - it is boot with **DRTM enabled** + +1. Choose `secure-boot` entry, verify bootlog and enjoy platform with DRTM! + + At the beginning, there should be similar output: + + ```bash + grub_cmd_slaunch:122: check for manufacturer + grub_cmd_slaunch:126: check for cpuid + grub_cmd_slaunch:136: set slaunch + grub_cmd_slaunch_module:156: check argc + grub_cmd_slaunch_module:161: check relocator + grub_cmd_slaunch_module:170: open file + grub_cmd_slaunch_module:175: get size + grub_cmd_slaunch_module:180: allocate memory + grub_cmd_slaunch_module:192: addr: 0x100000 + grub_cmd_slaunch_module:194: target: 0x100000 + grub_cmd_slaunch_module:196: add module + grub_cmd_slaunch_module:205: read file + grub_cmd_slaunch_module:215: close file + grub_slaunch_boot_skinit:41: real_mode_target: 0x8b000 + grub_slaunch_boot_skinit:42: prot_mode_target: 0x1000000 + grub_slaunch_boot_skinit:43: params: 0xcfe2391 + code32_start 0x0000000001000000: + (...) + ``` + + > It indicates that DRTM is enabled and executed. For details about bootflow + > and DRTM verification we refer to + > [previous article](https://blog.3mdeb.com/2020/2020-04-03-trenchboot-nlnet-lz-validation/) + > in which it is precisely described. + +## Summary If you followed showed procedures, you should have up-to-date DRTM in your NixOS or custom Linux image with DRTM enabled. As mentioned at the beginning, in next @@ -414,6 +416,7 @@ and how entire community will take advantage of it. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-05-05-trenchboot-nlnet-ci-cd-system.md b/blog/content/post/2020-05-05-trenchboot-nlnet-ci-cd-system.md index 85210acc..65b1b0e7 100644 --- a/blog/content/post/2020-05-05-trenchboot-nlnet-ci-cd-system.md +++ b/blog/content/post/2020-05-05-trenchboot-nlnet-ci-cd-system.md @@ -33,75 +33,74 @@ Before you get acquainted with our particular system, we will get you familiar with **Continuous Integration / Continuous Delivery** concept. What is behind this idea and how it improves quality of work and final product. -#### Continuous Integration (CI) +### Continuous Integration (CI) Basically this practice is used in the development stage of project and greatly simplifies release process. Let's consider cyclic, monthly release of our `TrenchBoot: Open Source DRTM` project. Throughout the whole month, there are code changes in all repositories related to project. Over time verification of -introduced changes manually becomes too complex and too uncomfortable. Imagine +introduced changes manually becomes too complex and too uncomfortable. Imagine building same binaries each time when there is even slight change. It must be done, but it is ineffective when delegated person must do it by hand. At this -point, **CI** comes with help! It is a system which *automatically builds and -tests specific component* in response to a defined event. This event is mostly +point, **CI** comes with help! It is a system which _automatically builds and +tests specific component_ in response to a defined event. This event is mostly new git commit, tag or merge - it is defined by the owner and adapted to project's needs. As a result, every code change is automatically checked against crash and hereby gives quick feedback to the developers. -#### Continuous Delivery (CD) +### Continuous Delivery (CD) **Continuous Delivery (CD)** is a successor of CI phase. As mentioned, CI checks the build and validates its correctness. However, the end products are always binary files (applications) which should be provided to the users. That is the -scope of CD part. *It releases and publishes* final deliverables called artifacts, -so it can be freely used by user. Moreover, you are sure that those deliveries -(binary files mostly) have passed build and test phases (in CI), which confirms -their correctness in operation. +scope of CD part. _It releases and publishes_ final deliverables called +artifacts, so it can be freely used by user. Moreover, you are sure that those +deliveries (binary files mostly) have passed build and test phases (in CI), +which confirms their correctness in operation. ## Our CI/CD system Now, when you are familiar with CI/CD concept, let us introduce you to our environment. We decided to use the **GitLab CI**. For our usage it is most convenient solution and (in opposition as the name suggest) it works seamlessly -with GitHub repositories too. Please refer to the *TrenchBoot CI/CD -infrastructure* diagram to see the details. +with GitHub repositories too. Please refer to the _TrenchBoot CI/CD +infrastructure_ diagram to see the details. + +### TrenchBoot CI/CD infrastructure ![TrenchBoot CI/CD infrastructure](/img/tb_gitlab_ci.png) -

    *TrenchBoot CI/CD infrastructure*

    As you can see our environment is divided into 3 main layers: 1. **Cloud** - It is a 'gate to the external word' or 'frontend' of our CI/CD system. - The effects of work of CI/CD are visible in this layer. Also it joins - together: + It is a 'gate to the external word' or 'frontend' of our CI/CD system. The + effects of work of CI/CD are visible in this layer. Also it joins together: - 1. All TrenchBoot Github repositories - 1. GitLab CI master (actual CI/CD tool) - 1. Document with reports and status of builds + 1. All TrenchBoot Github repositories + 1. GitLab CI master (actual CI/CD tool) + 1. Document with reports and status of builds -2. **3mdeb/TrenchBoot infrastructure** +1. **3mdeb/TrenchBoot infrastructure** - It is a core of our CI/CD system. When build request is triggered, - GitLab CI runner is doing the entire job. Results of its work are delivered - in 3 ways: + It is a core of our CI/CD system. When build request is triggered, GitLab CI + runner is doing the entire job. Results of its work are delivered in 3 ways: - 1. Publish artifacts (binaries) to the Cloud layer. - 1. Publish Yocto cached components which are utilized in - `meta-trenchboot` builds. - 1. Run tests on hardware included in 3mdeb lab. + 1. Publish artifacts (binaries) to the Cloud layer. + 1. Publish Yocto cached components which are utilized in `meta-trenchboot` + builds. + 1. Run tests on hardware included in 3mdeb lab. - As you can see, that layer gathers all parts together. It is connector - between high-level Cloud (frontend) and low-level hardware which - actually use TrenchBoot. + As you can see, that layer gathers all parts together. It is connector + between high-level Cloud (frontend) and low-level hardware which actually use + TrenchBoot. -3. **3mdeb lab** +1. **3mdeb lab** - This layer includes all platforms (Devices Under Test) on which builds - are automatically tested. They are physically placed in our 3mdeb - office. So far there is only PC Engines apu2, but as mentioned in - previous articles, as the project develops, new platforms will be added. + This layer includes all platforms (Devices Under Test) on which builds are + automatically tested. They are physically placed in our 3mdeb office. So far + there is only PC Engines apu2, but as mentioned in previous articles, as the + project develops, new platforms will be added. Our CI/CD system is still under development and it is constantly expanded and improved. It still demands more tests and greater integration between elements. @@ -114,66 +113,70 @@ As we mentioned, we use GitLab CI tools in our system. The entry point in this example is the [GitLab CI organization](https://gitlab.com/trenchboot1) set up by us. It contains 2 groups of repositories: -1. `TrenchBoot` which contains **mirrors of offcial TrenchBoot upstream -repositories** +1. `TrenchBoot` which contains **mirrors of official TrenchBoot upstream + repositories** 1. `3mdeb` which contains **mirrors of 3mdeb/TrenchBoot repositories** +#### GtiLab CI repositories + ![GtiLab CI repositories](/img/tb-gitlab-ci-repositories.png) -

    *GtiLab CI repositories*

    Whenever there are changes in any of the above repository, related CI/CD process (called pipeline) is triggered. Its result is indicated as `passed` or `failed` -and dedicated artifacts are published and can be download by user. Let's -analyze it with details on the example of `3mdeb/landing-zone` repository. -Follow the procedure: +and dedicated artifacts are published and can be download by user. Let's analyze +it with details on the example of `3mdeb/landing-zone` repository. Follow the +procedure: + +1. Open + [trenchboot1/3mdeb/landing-zone](https://gitlab.com/trenchboot1/3mdeb/landing-zone/) + repository. -1. Open [trenchboot1/3mdeb/landing-zone](https://gitlab.com/trenchboot1/3mdeb/landing-zone/) -repository. +1. Navigate through left sidebar to `CI/CD->Pipelines` page. -2. Navigate through left sidebar to `CI/CD->Pipelines` page. + Here you can see all pipelines which were run from the very beginning of + CI/CD system. Most important indicators are: - Here you can see all pipelines which were run from the very beginning of - CI/CD system. Most important indicators are: + 1. Status - passed/failed/canceled; + 1. Pipeline - unique ID of build, which can be entered to see details; + 1. Commit - exact commit which triggered the pipeline; + 1. Stages - what stages were done by pipeline; so far there are `build` and + `test` stages implemented; in this particular example only `build` stage + is being done; - 1. Status - passed/failed/canceled; - 1. Pipeline - unique ID of build, which can be entered to see details; - 1. Commit - exact commit which triggered the pipeline; - 1. Stages - what stages were done by pipeline; so far there are `build` - and `test` stages implemented; in this particular example only `build` - stage is being done; + > `Build stage` builds binaries from given repository. `Test stage` tests + > those binaries on real hardware. So far test stage is implemented only in + > [trenchboot1/3mdeb/meta-trenchboot](https://gitlab.com/trenchboot1/3mdeb/meta-trenchboot/) + > pipelines. The test checks if PC Engines apu2 platform boots with just + > built meta-trenchboot operating system. - > `Build stage` builds binaries from given repository. `Test stage` tests - those binaries on real hardware. So far test stage is implemented only in - [trenchboot1/3mdeb/meta-trenchboot](https://gitlab.com/trenchboot1/3mdeb/meta-trenchboot/) - pipelines. The test checks if PC Engines apu2 platform boots with just built - meta-trenchboot operating system. +1. Check details of one of pipelines, e.g. + [#140929156](https://gitlab.com/trenchboot1/3mdeb/landing-zone/pipelines/140929156) -3. Check details of one of pipelines, e.g. [#140929156](https://gitlab.com/trenchboot1/3mdeb/landing-zone/pipelines/140929156) + There are builds (jobs) of particular element which were done. Go to details + of one of them, e.g. + [build_debug_enabled-passed](https://gitlab.com/trenchboot1/3mdeb/landing-zone/-/jobs/531119883) - There are builds (jobs) of particular element which were done. Go to - details of one of them, e.g. - [build_debug_enabled-passed](https://gitlab.com/trenchboot1/3mdeb/landing-zone/-/jobs/531119883) +1. Analyze particular build job. -4. Analyze particular build job. + ![GtiLab CI build job](/img/tb-gitlab-ci-build-job.png) - ![GtiLab CI build job](/img/tb-gitlab-ci-build-job.png) -

    *GtiLab CI build job details*

    + **GtiLab CI build job details** - As you can see, there is console with logs informing what job has been done, - how it was executed and what is final result. On the right panel, there is - `Job artifacts` section, where you can browse all artifacts and download - them. For this particular job there is `lz_header.bin` file. As job's name - suggest it is debug version of it. Via build job's artifacts you can freely - download all necessary components to update DRTM in your system. + As you can see, there is console with logs informing what job has been done, + how it was executed and what is final result. On the right panel, there is + `Job artifacts` section, where you can browse all artifacts and download + them. For this particular job there is `lz_header.bin` file. As job's name + suggest it is debug version of it. Via build job's artifacts you can freely + download all necessary components to update DRTM in your system. -5. Play around and analyze another pipelines, builds and jobs to have better -insight in our CI/CD infrastructure and, the most important, to obtain all -up-to-date binaries of all TrenchBoot components. +1. Play around and analyze another pipelines, builds and jobs to have better + insight in our CI/CD infrastructure and, the most important, to obtain all + up-to-date binaries of all TrenchBoot components. ### Requirements verification -##### LZ, Bootloader and operating system is built with CI/CD system. +#### LZ, Bootloader and operating system is built with CI/CD system Each new commit in given repository is automatically built. You can check the build status in corresponding repositories. You can also download artifacts @@ -181,13 +184,13 @@ there if they are available. 1. [3mdeb/Landing Zone](https://gitlab.com/trenchboot1/3mdeb/landing-zone/pipelines) -2. [3mdeb/GRUB Bootloader](https://gitlab.com/trenchboot1/3mdeb/grub/pipelines) +1. [3mdeb/GRUB Bootloader](https://gitlab.com/trenchboot1/3mdeb/grub/pipelines) -3. [3mdeb/Linux kernel](https://gitlab.com/trenchboot1/3mdeb/linux/pipelines) +1. [3mdeb/Linux kernel](https://gitlab.com/trenchboot1/3mdeb/linux/pipelines) -4. [3mdeb/meta-trenchboot - operating system images](https://gitlab.com/trenchboot1/3mdeb/meta-trenchboot/pipelines) +1. [3mdeb/meta-trenchboot - operating system images](https://gitlab.com/trenchboot1/3mdeb/meta-trenchboot/pipelines) -##### CI/CD system SHALL automatically check for regressions of upstream patches to related projects. +#### CI/CD system SHALL automatically check for regressions Some pipelines besides build triggers test case, which checks component correctness on PC Engines apu2 platform. Currently it is done for @@ -197,7 +200,7 @@ boots correct. [meta-trenchboot test](https://gitlab.com/trenchboot1/3mdeb/meta-trenchboot/-/jobs/538548815) -# Summary +## Summary Now, you should be familiar with CI/CD concept and advantages it brings. Moreover, we have introduced our custom CI/CD infrastructure to you. Remember, @@ -207,6 +210,7 @@ so you will smoothly move in this environment in the future. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-05-06-ipxe-https.md b/blog/content/post/2020-05-06-ipxe-https.md index 19f09f5e..6ef15c33 100644 --- a/blog/content/post/2020-05-06-ipxe-https.md +++ b/blog/content/post/2020-05-06-ipxe-https.md @@ -34,8 +34,8 @@ differs from coreboot distribution provided by 3mdeb for PC Engines hardware. ## Firmware image preparation In this article I will use PC Engines apu4 as an example of building coreboot -with SeaBIOS and iPXE. Believe me or not, it is pretty easy. To begin, clone -the coreboot repository: +with SeaBIOS and iPXE. Believe me or not, it is pretty easy. To begin, clone the +coreboot repository: ```bash git clone --recurse-submodules https://review.coreboot.org/coreboot.git @@ -78,7 +78,8 @@ The default configuration for apu4 is loaded. We may for example disable/limit debugging by: 1. Setting debug level to 0 in `Console -> Default console log level (0:EMERG)` -2. Setting SeaBIOS debug level to o `Payload -> (0) SeaBIOS debug level (verbosity)` +1. Setting SeaBIOS debug level to o + `Payload -> (0) SeaBIOS debug level (verbosity)` Now it is time to choose our iPXE configuration. Since the [iPXE HTTPS support](https://review.coreboot.org/c/coreboot/+/31086) has been @@ -118,7 +119,7 @@ flashrom -p internal -w coreboot.rom Now, if you have flashed the image try rebooting the platform. The output on serial port on apu4 will look as follows: -``` +```bash SeaBIOS (version rel-1.13.0-0-gf21b5a4) iPXE (http://ipxe.org) 01:00.0 C000 PCI2.10 PnP PMM+CFE3C6F0+CFD7C6F0 C000 @@ -126,7 +127,7 @@ iPXE (http://ipxe.org) 01:00.0 C000 PCI2.10 PnP PMM+CFE3C6F0+CFD7C6F0 C000 When the iPXE prompt appears, press `Ctrl+B` to enter iPXE shell: -``` +```bash iPXE (PCI 01:00.0) starting execution...ok iPXE initialising devices...ok @@ -144,11 +145,11 @@ Now you have variety of options: - Boot kernel and initrd directly to diskless systems using NFS, - etc. -Example menu entries used by 3mdeb are available on [3mdeb -GitHub](https://github.com/3mdeb/netboot/blob/master/menu.ipxe) Those are HTTP -only. To boot such menu user has to setup the [3mdeb PXE -server](https://github.com/3mdeb/pxe-server) which uses the netboot repository -and invoke the following from iPXE shell: +Example menu entries used by 3mdeb are available on +[3mdeb GitHub](https://github.com/3mdeb/netboot/blob/master/menu.ipxe) Those are +HTTP only. To boot such menu user has to setup the +[3mdeb PXE server](https://github.com/3mdeb/pxe-server) which uses the netboot +repository and invoke the following from iPXE shell: ```bash iPXE> dhcp net0 @@ -185,8 +186,8 @@ iPXE> chain https://boot.3mdeb.com/menu.ipxe https://boot.3mdeb.com/menu.ipxe.... ok ``` -Sometimes during the menu.ipxe file loading, iPXE shortly prints the -certificate name from Let's Encrypt. +Sometimes during the menu.ipxe file loading, iPXE shortly prints the certificate +name from Let's Encrypt. ![3mdeb iPXE menu](/img/3mdeb_pxe_menu.png) @@ -195,7 +196,8 @@ certain certificates. In the default configuration, iPXE trusts only a single root certificate: the `iPXE root CA` certificate. This root certificate is used to cross-sign the standard Mozilla list of public CA certificates. In the default configuration, iPXE will therefore automatically trust the same set of -certificates as the Firefox web browser. More details on [iPXE documentation](https://ipxe.org/crypto) +certificates as the Firefox web browser. More details on +[iPXE documentation](https://ipxe.org/crypto) ## Future @@ -206,6 +208,7 @@ embed your own iPXE scripts, so stay tuned. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-05-06-trenchboot-uefi-environment.md b/blog/content/post/2020-05-06-trenchboot-uefi-environment.md index bda2a417..27ee3bb2 100644 --- a/blog/content/post/2020-05-06-trenchboot-uefi-environment.md +++ b/blog/content/post/2020-05-06-trenchboot-uefi-environment.md @@ -21,9 +21,9 @@ categories: --- -__*UPDATE 18.01.2021: Step 14th of Trenchboot installation section has been +***UPDATE 18.01.2021: Step 14th of Trenchboot installation section has been extended with more straightforward instructions how to create GRUB entry for -Secure Launch.*__ +Secure Launch.*** If you haven't read previous blog posts about the TrenchBoot project, I encourage you to do so by discovering the @@ -33,15 +33,15 @@ with project development, stay tuned, and always try to catch up with missed articles. > Those articles will not always be strictly technical. Therefore, if you think -some topics should be elaborated, feel free to ask us a question. +> some topics should be elaborated, feel free to ask us a question. In this article, I will explain how to install the NixOS on machines with UEFI firmware and how to install TrenchBoot. The most essential parts of the system will be also described in detail. It's important to understand their role, so you will be able to reproduce the environment smoothly and consciously. For now TrenchBoot focuses only on early launch (the initial launch of operating -system), but the late launch (relaunching the operating system with DRTM -without physical reboot) is also on the roadmap. Find out more about DRTM in the +system), but the late launch (relaunching the operating system with DRTM without +physical reboot) is also on the roadmap. Find out more about DRTM in the [TCG DRTM Architecture specification](https://trustedcomputinggroup.org/wp-content/uploads/TCG_D-RTM_Architecture_v1-0_Published_06172013.pdf) ## Testing platform @@ -49,8 +49,8 @@ without physical reboot) is also on the roadmap. Find out more about DRTM in the As you already know, our solution is built for AMD processors. Therefore, for tests, we use suitable platforms. Our hardware infrastructure is still being expanded. Eventually, there will be a few more devices with different -characteristics. For this particular article, we use [**Supermicro Super** -**Server M11SDV-4C**](https://www.supermicro.com/en/products/motherboard/M11SDV-4C-LN4F) +characteristics. For this particular article, we use +[**Supermicro Super** **Server M11SDV-4C**](https://www.supermicro.com/en/products/motherboard/M11SDV-4C-LN4F) which has **AMD EPYC 3151** processor. We use connection via serial port, so every relevant output will be presented in the form of logs. What is important, our platform is equipped with **TPM** module (aka dTPM) which is obligatory in @@ -61,536 +61,541 @@ this project. Make sure you have it on your platform too. To better understand the next section, first I will introduce an operating system which we use. Our choice is [NixOS](https://nixos.org/nixos/) which is a Linux distribution based on unusual (but reliable) package management. You can -install tools from official packages or build your ones. The second feature -will be strongly utilized in the entire project. +install tools from official packages or build your ones. The second feature will +be strongly utilized in the entire project. > Of course, you can use any other Linux distribution. However, every procedure -will be carried out by us in NixOS. If you won't have all dedicated tools and -(supported and/or compatible) configuration, we can't provide full reliability. +> will be carried out by us in NixOS. If you won't have all dedicated tools and +> (supported and/or compatible) configuration, we can't provide full +> reliability. -#### NixOS installation +### NixOS installation Now, I will guide through the installation of NixOS. After it, you should have an operating system in a default configuration. Later, I will show you how to customize it at runtime. ->Important: NixOS installation is not interactive as in most Linux -distributions (e.g. Debian). Therefore, pay attention to typed commands and -configurations! +> Important: NixOS installation is not interactive as in most Linux +> distributions (e.g. Debian). Therefore, pay attention to typed commands and +> configurations! -1. Download a minimal installer image from the [website](https://nixos.org/nixos/download.html). +1. Download a minimal installer image from the + [website](https://nixos.org/nixos/download.html). -2. Flash USB drive with the image. +1. Flash USB drive with the image. -3. Insert the USB drive on the target platform and choose the proper boot +1. Insert the USB drive on the target platform and choose the proper boot option. -4. In the boot menu press `tab` and add serial console parameters: +1. In the boot menu press `tab` and add serial console parameters: - ```bash - console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 - ``` + ```bash + console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 + ``` -5. Press enter and you will see following boot log: +1. Press enter and you will see following boot log: - ```bash - ott//iinniittrrdd + ```bash + ott//iinniittrrdd - early console in extract_kernel - input_data: 0x00000000023fc3b1 - input_len: 0x0000000000404c90 - output: 0x0000000001000000 - output_len: 0x00000000017d8030 - kernel_total_size: 0x000000000142c000 - trampoline_32bit: 0x000000000009d000 - booted via startup_32() - Physical KASLR using RDTSC... - Virtual KASLR using RDTSC... + early console in extract_kernel + input_data: 0x00000000023fc3b1 + input_len: 0x0000000000404c90 + output: 0x0000000001000000 + output_len: 0x00000000017d8030 + kernel_total_size: 0x000000000142c000 + trampoline_32bit: 0x000000000009d000 + booted via startup_32() + Physical KASLR using RDTSC... + Virtual KASLR using RDTSC... - Decompressing Linux... Parsing ELF... Performing relocations... done. - Booting the kernel. - [ 0.000000] Linux version 4.19.107 (nixbld@localhost) (gcc version 8.3.0 (GCC)) #1-NixOS SMP Fri Feb 28 15:39:01 UTC 2020 - [ 0.000000] Command line: BOOT_IMAGE=/boot/bzImage init=/nix/store/ph9hjng3mwwsnnd20pq364fay8baqm6x-nixos-system-nixos-19.09.2201.7d31bbceaa1/init root=LABEL=NIXOS_ISO console=ttyS0,115200 earlyprintkd - (...) + Decompressing Linux... Parsing ELF... Performing relocations... done. + Booting the kernel. + [ 0.000000] Linux version 4.19.107 (nixbld@localhost) (gcc version 8.3.0 (GCC)) #1-NixOS SMP Fri Feb 28 15:39:01 UTC 2020 + [ 0.000000] Command line: BOOT_IMAGE=/boot/bzImage init=/nix/store/ph9hjng3mwwsnnd20pq364fay8baqm6x-nixos-system-nixos-19.09.2201.7d31bbceaa1/init root=LABEL=NIXOS_ISO console=ttyS0,115200 earlyprintkd + (...) - <<< NixOS Stage 1 >>> + <<< NixOS Stage 1 >>> - loading module loop... - loading module vfat... - loading module nls_cp437... - loading module nls_iso8859-1... - loading module fuse... - loading module dm_mod... - running udev... - kbd_mode: KDSKBMODE: Inappropriate ioctl for device - Gstarting device mapper and LVM... - mounting tmpfs on /... - waiting for device /dev/root to appear... - mounting /dev/root on /iso... - mounting /mnt-root/iso/nix-store.squashfs on /nix/.ro-store... - mounting tmpfs on /nix/.rw-store... - mounting unionfs on /nix/store... + loading module loop... + loading module vfat... + loading module nls_cp437... + loading module nls_iso8859-1... + loading module fuse... + loading module dm_mod... + running udev... + kbd_mode: KDSKBMODE: Inappropriate ioctl for device + Gstarting device mapper and LVM... + mounting tmpfs on /... + waiting for device /dev/root to appear... + mounting /dev/root on /iso... + mounting /mnt-root/iso/nix-store.squashfs on /nix/.ro-store... + mounting tmpfs on /nix/.rw-store... + mounting unionfs on /nix/store... - <<< NixOS Stage 2 >>> + <<< NixOS Stage 2 >>> - running activation script... - setting up /etc... - unpacking the NixOS/Nixpkgs sources... - created 1 symlinks in user environment - ln: failed to create symbolic link '/root/.nix-defexpr/channels/channels': Read-only file system - starting systemd... + running activation script... + setting up /etc... + unpacking the NixOS/Nixpkgs sources... + created 1 symlinks in user environment + ln: failed to create symbolic link '/root/.nix-defexpr/channels/channels': Read-only file system + starting systemd... - Welcome to NixOS 19.09.2201.7d31bbceaa1 (Loris)! + Welcome to NixOS 19.09.2201.7d31bbceaa1 (Loris)! - [ OK ] Created slice system-getty.slice. - (...) - [ OK ] Started Login Service. + [ OK ] Created slice system-getty.slice. + (...) + [ OK ] Started Login Service. - <<< Welcome to NixOS 19.09.2201.7d31bbceaa1 (x86_64) - ttyS0 >>> - The "nixos" and "root" accounts have empty passwords. + <<< Welcome to NixOS 19.09.2201.7d31bbceaa1 (x86_64) - ttyS0 >>> + The "nixos" and "root" accounts have empty passwords. - Type `sudo systemctl start sshd` to start the SSH daemon. - You then must set a password for either "root" or "nixos" - with `passwd` to be able to log in. - - - Run `nixos-help` or press for the NixOS manual. - - nixos login: nixos (automatic login) - ``` - -6. Create partitions for UEFI - - >Be careful and choose the correct /dev/sdX device. In our case, it is - `sda`, which is SSD disk. + Type `sudo systemctl start sshd` to start the SSH daemon. + You then must set a password for either "root" or "nixos" + with `passwd` to be able to log in. - Create a GPT partition table - ```bash - parted /dev/sda -- mklabel gpt - ``` + Run `nixos-help` or press for the NixOS manual. + + nixos login: nixos (automatic login) + ``` - Add the root partition. This will fill the disk except for the end part, - where the swap will live and spare 512MiB for the boot partition. +1. Create partitions for UEFI - ```bash - parted /dev/sda -- mkpart primary 512MiB -8GiB - ``` + > Be careful and choose the correct /dev/sdX device. In our case, it is + > `sda`, which is SSD disk. - Add swap partition + Create a GPT partition table - ```bash - parted /dev/sda -- mkpart primary linux-swap -8GiB 100% - ``` + ```bash + parted /dev/sda -- mklabel gpt + ``` - Add EFI System Partition (ESP) + Add the root partition. This will fill the disk except for the end part, + where the swap will live and spare 512MiB for the boot partition. - ```bash - parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB - parted /dev/sda -- set 3 boot on - ``` + ```bash + parted /dev/sda -- mkpart primary 512MiB -8GiB + ``` -7. Format partitions + Add swap partition - sda1 + ```bash + parted /dev/sda -- mkpart primary linux-swap -8GiB 100% + ``` - ```bash - mkfs.ext4 -L nixos /dev/sda1 - ``` + Add EFI System Partition (ESP) - sda2 (swap) + ```bash + parted /dev/sda -- mkpart ESP fat32 1MiB 512MiB + parted /dev/sda -- set 3 boot on + ``` - ```bash - mkswap -L swap /dev/sda2 - ``` +1. Format partitions - sda3 (ESP) - ```bash - mkfs.fat -F 32 -n boot /dev/sda3 - ``` + sda1 -8. Mount partitions + ```bash + mkfs.ext4 -L nixos /dev/sda1 + ``` - ```bash - mount /dev/disk/by-label/nixos /mnt - mkdir -p /mnt/boot - mount /dev/disk/by-label/boot /mnt/boot - ``` + sda2 (swap) -9. Generate initial configuration: + ```bash + mkswap -L swap /dev/sda2 + ``` - ```bash - nixos-generate-config --root /mnt - ``` + sda3 (ESP) - >Above command will create `configuration.nix` file. It contains all - default configuration options according to which NixOS will be installed. + ```bash + mkfs.fat -F 32 -n boot /dev/sda3 + ``` -10. Change the bootloader settings in `configuration.nix` file. +1. Mount partitions - ```bash - boot.loader.systemd-boot = { - enable = true; - editor = false; - }; - boot.loader.efi = { - canTouchEfiVariables = true; - }; - boot.loader.grub = { - enable = true; - copyKernels = true; - efiInstallAsRemovable = false; - efiSupport = true; - fsIdentifier = "uuid"; - splashMode = "stretch"; - version = 2; - device = "nodev"; - extraEntries = '' - menuentry "Reboot" { - reboot - } - menuentry "Poweroff" { - halt - } - ''; - }; - ``` + ```bash + mount /dev/disk/by-label/nixos /mnt + mkdir -p /mnt/boot + mount /dev/disk/by-label/boot /mnt/boot + ``` -11. Add boot kernel parameters for serial connection: +1. Generate initial configuration: - ```bash - boot.kernelParams = [ "console=ttyS0,115200 earlyprintk=serial,ttyS0,115200" ]; - ``` + ```bash + nixos-generate-config --root /mnt + ``` -12. Install NixOS based on config (it will take a few minutes) + > Above command will create `configuration.nix` file. It contains all default + > configuration options according to which NixOS will be installed. - ```bash - nixos-install - ``` +1. Change the bootloader settings in `configuration.nix` file. -13. Set a password for root. + ```bash + boot.loader.systemd-boot = { + enable = true; + editor = false; + }; + boot.loader.efi = { + canTouchEfiVariables = true; + }; + boot.loader.grub = { + enable = true; + copyKernels = true; + efiInstallAsRemovable = false; + efiSupport = true; + fsIdentifier = "uuid"; + splashMode = "stretch"; + version = 2; + device = "nodev"; + extraEntries = '' + menuentry "Reboot" { + reboot + } + menuentry "Poweroff" { + halt + } + ''; + }; + ``` -14. Reboot OS. (Now you can remove installation media) +1. Add boot kernel parameters for serial connection: + + ```bash + boot.kernelParams = [ "console=ttyS0,115200 earlyprintk=serial,ttyS0,115200" ]; + ``` + +1. Install NixOS based on config (it will take a few minutes) + + ```bash + nixos-install + ``` + +1. Set a password for root. + +1. Reboot OS. (Now you can remove installation media) If the above procedure was successful, NixOS is installed in the default configuration. Boot to the system and play around to check if everything is correct. If yes, let's move on to the TrenchBoot installation. -# TrenchBoot installation +## TrenchBoot installation 1. Install `cachix` - `cachix` is binary cache hosting. It allows to store binary files, so there - is no need to build them on your own. If it is not very useful for small - builds, it is very handy for large ones e.g. Linux kernel binary. + `cachix` is binary cache hosting. It allows to store binary files, so there + is no need to build them on your own. If it is not very useful for small + builds, it is very handy for large ones e.g. Linux kernel binary. - ```bash - $ nix-env -iA cachix -f https://cachix.org/api/v1/install - ``` + ```bash + nix-env -iA cachix -f https://cachix.org/api/v1/install + ``` -2. Add 3mdeb cachix hosting as default. +1. Add 3mdeb cachix hosting as default. - ```bash - $ cachix use 3mdeb - Cachix configuration written to /etc/nixos/cachix.nix. - Binary cache 3mdeb configuration written to /etc/nixos/cachix/3mdeb.nix. + ```bash + $ cachix use 3mdeb + Cachix configuration written to /etc/nixos/cachix.nix. + Binary cache 3mdeb configuration written to /etc/nixos/cachix/3mdeb.nix. - To start using cachix add the following to your /etc/nixos/configuration.nix: + To start using cachix add the following to your /etc/nixos/configuration.nix: - imports = [ ./cachix.nix ]; + imports = [ ./cachix.nix ]; - Then run: + Then run: - $ sudo nixos-rebuild switch - ``` + $ sudo nixos-rebuild switch + ``` -3. Meet above requirement by editing `/etc/nixos/configuration.nix`. +1. Meet above requirement by editing `/etc/nixos/configuration.nix`. - > Probably vim editor is not available at this stage. Instead of vim, you - can use nano. + > Probably vim editor is not available at this stage. Instead of vim, you can + > use nano. - ```bash - $ nano /etc/nixos/configuration.nix - (...) - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ./cachix.nix - ]; - (...) - ``` + ```bash + $ nano /etc/nixos/configuration.nix + (...) + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ./cachix.nix + ]; + (...) + ``` - > Don't rebuild NixOS yet. It will be done later. + > Don't rebuild NixOS yet. It will be done later. -4. Install git package. +1. Install git package. - ```bash - $ nix-env -iA nixos.git - ``` + ```bash + nix-env -iA nixos.git + ``` -5. Clone [3mdeb/nixpkgs](https://github.com/3mdeb/nixpkgs/tree/trenchboot_support_2020.04) +1. Clone + [3mdeb/nixpkgs](https://github.com/3mdeb/nixpkgs/tree/trenchboot_support_2020.04) repository. - `3mdeb nixpkgs` contains additional packages compared with default NixOS - `nixpkgs`, so everything is in one place. Most of all, there are: + `3mdeb nixpkgs` contains additional packages compared with default NixOS + `nixpkgs`, so everything is in one place. Most of all, there are: - - [grub-tb](https://github.com/3mdeb/grub2/tree/trenchboot_support_efi) - - custom GRUB2 with `slaunch` module enabled; - - [landing-zone](https://github.com/TrenchBoot/landing-zone.git) - LZ - without debug flag - - [landing-zone-debug](https://github.com/TrenchBoot/landing-zone.git) - LZ - with debug - - [linux-5.5](https://github.com/TrenchBoot/linux/tree/linux-sl-5.5) - - custom Linux kernel with initrd + - [grub-tb](https://github.com/3mdeb/grub2/tree/trenchboot_support_efi) - + custom GRUB2 with `slaunch` module enabled; + - [landing-zone](https://github.com/TrenchBoot/landing-zone.git) - LZ without + debug flag + - [landing-zone-debug](https://github.com/TrenchBoot/landing-zone.git) - LZ + with debug + - [linux-5.5](https://github.com/TrenchBoot/linux/tree/linux-sl-5.5) - custom + Linux kernel with initrd - ```bash - $ git clone https://github.com/3mdeb/nixpkgs.git -b trenchboot_support_2020.04 - (...) - $ ls - nixpkgs - ``` + ```bash + $ git clone https://github.com/3mdeb/nixpkgs.git -b trenchboot_support_2020.04 + (...) + $ ls + nixpkgs + ``` -6. Update (rebuild) NixOS. +1. Update (rebuild) NixOS. - ``` - $ sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs - ``` + ```bash + sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs + ``` - > IMPORTANT: `-I nixpkgs=~/nixpkgs` flag is necessary here! It replaces - default `nixpkgs` with previously downloaded ones. Make sure the directory - is valid (we have it in home (~)). If you follow our instruction - step-by-step, you have it also there. + > IMPORTANT: `-I nixpkgs=~/nixpkgs` flag is necessary here! It replaces + > default `nixpkgs` with previously downloaded ones. Make sure the directory + > is valid (we have it in home (~)). If you follow our instruction + > step-by-step, you have it also there. -7. Reboot platform. +1. Reboot platform. - > DRTM is not enabled yet! Boot to NixOS and finish the configuration. + > DRTM is not enabled yet! Boot to NixOS and finish the configuration. -8. Clone [3mdeb/nixos-trenchboot-configs](https://github.com/3mdeb/nixos-trenchboot-configs.git) +1. Clone + [3mdeb/nixos-trenchboot-configs](https://github.com/3mdeb/nixos-trenchboot-configs.git) repository. - This repository contains all necessary NixOS configuration files in - ready-to-use form, so there is no need to edit them by hand at this moment. - - ```bash - $ git clone https://github.com/3mdeb/nixos-trenchboot-configs.git - ``` - - List `nixos-trenchboot-configs` folder. - - ```bash - $ cd nixos-trenchboot-configs/ - $ ls - configuration-efi.nix configuration.nix linux-5.5.nix MANUAL.md nixpkgs README.md tb-config.nix - ``` - - Among the listed files, the most interesting one is `configuration.nix`. - Customizing it saves time and work compared with tools and package manual - installs. Manual work is good for small and fast builds. The more (and more - significant) changes you want to do, the more efficient way is to re-build - your NixOS system. That is done by editing `configuration.nix` file. As you - already know, among others we want to rebuild Linux kernel, replace GRUB - bootloader and install custom packages. That is why we decided to prepare a - new config and re-install NixOS. - - Let's take a closer look at its content. The entire file is rather large, - so the output will be truncated and only essential parts/lines will be - mentioned. In this post, we will use `configuration-efi.nix` since we have - installed the NixOS in UEFI mode. - - ```bash - $ cat configuration-efi.nix - - (...) - imports = - [ # Include the results of the hardware scan. - ./hardware-configuration.nix - ./cachix.nix - ./linux-5.5.nix - ]; - - boot.loader.systemd-boot = { - enable = true; - editor = false; - }; - # Automatically add boot entry to UEFI boot order. - boot.loader.efi = { - canTouchEfiVariables = true; - }; - boot.loader.grub = { - enable = true; - copyKernels = true; - efiInstallAsRemovable = false; - efiSupport = true; - fsIdentifier = "uuid"; - splashMode = "stretch"; - version = 2; - device = "nodev"; - extraEntries = '' - menuentry "NixOS - Secure Launch" { - --set=drive1 --fs-uuid 4881-6D27 - slaunch skinit - slaunch_module ($drive1)/boot/lz_header - linux ($drive1)//kernels/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3-bzImage systemConfig=/nix/store/ci38is4cvjlz528jay66h7qpqr6ws22n-nixos-system-nixos-20.09.git.c156a866dd7M init=/nix/store/ci38is4cvjlz528jay66h7qpqr6ws22n-nixos-system-nixos-20.09.git.c156a866dd7M/init console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 console=tty0 loglevel=4 - initrd ($drive1)//kernels/k1x969q4mwj59hyq3hn2mcxck8s2410a-initrd-linux-5.5.3-initrd - - } - menuentry "Reboot" { - reboot - } - menuentry "Poweroff" { - halt - } - ''; - }; - boot.kernelParams = [ "console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 console=tty0" ]; - - # OS utilities - environment.systemPackages = [ - pkgs.pkg-config - pkgs.git - pkgs.gnumake - pkgs.autoconf - pkgs.automake - pkgs.gettext - pkgs.python - pkgs.m4 - pkgs.libtool - pkgs.bison - pkgs.flex - pkgs.gcc - pkgs.gcc_multi - pkgs.libusb - pkgs.ncurses - pkgs.freetype - pkgs.qemu - pkgs.lvm2 - pkgs.unifont - pkgs.fuse - pkgs.gnulib - pkgs.stdenv - pkgs.nasm - pkgs.binutils - pkgs.tpm2-tools - pkgs.tpm2-tss - pkgs.landing-zone - pkgs.landing-zone-debug - pkgs.grub-tb-efi - ]; - - # Grub override - nixpkgs.config.packageOverrides = pkgs: { grub2 = pkgs.grub-tb-efi; }; - - ``` - - Remarks: - - we import `cachix` service and custom linux 5.5 kernel to be built; - - adjust GRUB entries to boot `slaunch` and change directories of - `bzImage` (Linux kernel) and `initrd` to custom ones; - - add all necessary system packages (i.a. `landing-zone`, - `landing-zone-debug` and `grub-tb-efi`); - - override default GRUB package with custom one; - -9. Copy all configuration files to `/etc/nixos/` directory and replace - the configuration for EFI. - - ```bash - $ cp nixos-trenchboot-configs/*.nix /etc/nixos - $ cp nixos-trenchboot-configs/configuration-efi.nix /etc/nixos/configuration.nix - ``` - -10. Update (re-build) system. - - ```bash - $ sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs - building Nix... - building the system configuration... - ``` - -11. Ensure that `slaunch` module is present in `/boot/grub/i386-pc/` (or - `/boot/grub/x86_64-efi/` on 64bit GRUB EFI installation). - - ```bash - $ ls /boot/grub/x86_64-efi | grep slaunch - slaunch.mod - ``` - -12. Find the Landing Zone package in `/nix/store/`. - - ```bash - $ ls /nix/store/ | grep landing-zone - 5a6kapnjxs8dj4jp49qagz1mw2r6hnr2-landing-zone-debug-0.3.0 - l1b2h84fdw8g0m9aygmv8g3nhbnw9kic-landing-zone-debug-0.3.0.drv - lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0 - mnbh5xahlbzmfa50r60y5z4lph9rd41k-landing-zone-0.3.0.drv - ``` - - > Package without `-debug` in its name and without *.drv* extension is what - we are looking for. - -13. Copy `lz_header.bin` to `/boot/` directory. - - ```bash - $ cp /nix/store/lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0/lz_header.bin /boot/lz_header - ``` - -14. Check `/boot/grub/grub.cfg` file and its `NixOS - Default` menu entry. - Adjust `/etc/nixos/configuration.nix` and its - `boot.loader.grub.extraEntries` line to have exactly the same directories - included. - - ```bash - $ cat /boot/grub/grub.cfg - (...) - menuentry "NixOS - Default" { - search --set=drive1 --fs-uuid 4881-6D27 - linux ($drive1)//kernels/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3-bzImage systemConfig=/nix/store/ci38is4cvjlz528jay66h7qpqr6ws22n-nixos-system-nixos-20.09.git.c156a866dd7M init=/nix/store/ci38is4cvjlz528jay66h7qpqr6ws22n-nixos-system-nixos-20.09.git.c156a866dd7M/init console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 console=tty0 loglevel=4 - initrd ($drive1)//kernels/k1x969q4mwj59hyq3hn2mcxck8s2410a-initrd-linux-5.5.3-initrd - } - (...) - ``` - - > The hashes in the `/nix/store` or `/kernels` may be different for your - > installation, especially initrd, that is why you should copy them from - > the `NixOS - Default` entry and apply to a new entry shown below. - - Just copy the `Default` entry, rename it to `Secure Launch` and add two - lines before `linux` command: - - ```bash - slaunch skinit - slaunch_module ($drive1)//lz_header - ``` - - With `grub.cfg` content as above `configuration.nix` must have - `boot.loader.grub.extraEntries` line like this: - - ```bash - $ cat /etc/nixos/configuration.nix - (...) - boot.loader.grub.extraEntries = '' - menuentry "NixOS - Secure Launch" { - search --set=drive1 --fs-uuid 4881-6D27 - slaunch skinit - slaunch_module ($drive1)//lz_header - linux ($drive1)//kernels/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3-bzImage systemConfig=/nix/store/ci38is4cvjlz528jay66h7qpqr6ws22n-nixos-system-nixos-20.09.git.c156a866dd7M init=/nix/store/ci38is4cvjlz528jay66h7qpqr6ws22n-nixos-system-nixos-20.09.git.c156a866dd7M/init console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 console=tty0 loglevel=4 - initrd ($drive1)//kernels/k1x969q4mwj59hyq3hn2mcxck8s2410a-initrd-linux-5.5.3-initrd - } - ''; - ``` - - If there are differences in any of `search --set=drive1...`, - `linux ($drive1)/nix/store...` or lines, edit `configuration.nix` content and - copy those lines from `grub.cfg` menuentry `"NixOS - Default"`. They must - be exactly the same. - -15. Update the system for the last time. - - ```bash - $ sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs - ``` - -16. Reboot platform. + This repository contains all necessary NixOS configuration files in + ready-to-use form, so there is no need to edit them by hand at this moment. + + ```bash + git clone https://github.com/3mdeb/nixos-trenchboot-configs.git + ``` + + List `nixos-trenchboot-configs` folder. + + ```bash + $ cd nixos-trenchboot-configs/ + $ ls + configuration-efi.nix configuration.nix linux-5.5.nix MANUAL.md nixpkgs README.md tb-config.nix + ``` + + Among the listed files, the most interesting one is `configuration.nix`. + Customizing it saves time and work compared with tools and package manual + installs. Manual work is good for small and fast builds. The more (and more + significant) changes you want to do, the more efficient way is to re-build + your NixOS system. That is done by editing `configuration.nix` file. As you + already know, among others we want to rebuild Linux kernel, replace GRUB + bootloader and install custom packages. That is why we decided to prepare a + new config and re-install NixOS. + + Let's take a closer look at its content. The entire file is rather large, so + the output will be truncated and only essential parts/lines will be + mentioned. In this post, we will use `configuration-efi.nix` since we have + installed the NixOS in UEFI mode. + + ```bash + $ cat configuration-efi.nix + + (...) + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ./cachix.nix + ./linux-5.5.nix + ]; + + boot.loader.systemd-boot = { + enable = true; + editor = false; + }; + # Automatically add boot entry to UEFI boot order. + boot.loader.efi = { + canTouchEfiVariables = true; + }; + boot.loader.grub = { + enable = true; + copyKernels = true; + efiInstallAsRemovable = false; + efiSupport = true; + fsIdentifier = "uuid"; + splashMode = "stretch"; + version = 2; + device = "nodev"; + extraEntries = '' + menuentry "NixOS - Secure Launch" { + --set=drive1 --fs-uuid 4881-6D27 + slaunch skinit + slaunch_module ($drive1)/boot/lz_header + linux ($drive1)//kernels/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3-bzImage systemConfig=/nix/store/ci38is4cvjlz528jay66h7qpqr6ws22n-nixos-system-nixos-20.09.git.c156a866dd7M init=/nix/store/ci38is4cvjlz528jay66h7qpqr6ws22n-nixos-system-nixos-20.09.git.c156a866dd7M/init console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 console=tty0 loglevel=4 + initrd ($drive1)//kernels/k1x969q4mwj59hyq3hn2mcxck8s2410a-initrd-linux-5.5.3-initrd + + } + menuentry "Reboot" { + reboot + } + menuentry "Poweroff" { + halt + } + ''; + }; + boot.kernelParams = [ "console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 console=tty0" ]; + + # OS utilities + environment.systemPackages = [ + pkgs.pkg-config + pkgs.git + pkgs.gnumake + pkgs.autoconf + pkgs.automake + pkgs.gettext + pkgs.python + pkgs.m4 + pkgs.libtool + pkgs.bison + pkgs.flex + pkgs.gcc + pkgs.gcc_multi + pkgs.libusb + pkgs.ncurses + pkgs.freetype + pkgs.qemu + pkgs.lvm2 + pkgs.unifont + pkgs.fuse + pkgs.gnulib + pkgs.stdenv + pkgs.nasm + pkgs.binutils + pkgs.tpm2-tools + pkgs.tpm2-tss + pkgs.landing-zone + pkgs.landing-zone-debug + pkgs.grub-tb-efi + ]; + + # Grub override + nixpkgs.config.packageOverrides = pkgs: { grub2 = pkgs.grub-tb-efi; }; + + ``` + + Remarks: + + - we import `cachix` service and custom linux 5.5 kernel to be built; + - adjust GRUB entries to boot `slaunch` and change directories of `bzImage` + (Linux kernel) and `initrd` to custom ones; + - add all necessary system packages (i.a. `landing-zone`, + `landing-zone-debug` and `grub-tb-efi`); + - override default GRUB package with custom one; + +1. Copy all configuration files to `/etc/nixos/` directory and replace the + configuration for EFI. + + ```bash + cp nixos-trenchboot-configs/*.nix /etc/nixos + cp nixos-trenchboot-configs/configuration-efi.nix /etc/nixos/configuration.nix + ``` + +1. Update (re-build) system. + + ```bash + $ sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs + building Nix... + building the system configuration... + ``` + +1. Ensure that `slaunch` module is present in `/boot/grub/i386-pc/` (or + `/boot/grub/x86_64-efi/` on 64bit GRUB EFI installation). + + ```bash + $ ls /boot/grub/x86_64-efi | grep slaunch + slaunch.mod + ``` + +1. Find the Landing Zone package in `/nix/store/`. + + ```bash + $ ls /nix/store/ | grep landing-zone + 5a6kapnjxs8dj4jp49qagz1mw2r6hnr2-landing-zone-debug-0.3.0 + l1b2h84fdw8g0m9aygmv8g3nhbnw9kic-landing-zone-debug-0.3.0.drv + lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0 + mnbh5xahlbzmfa50r60y5z4lph9rd41k-landing-zone-0.3.0.drv + ``` + + > Package without `-debug` in its name and without _.drv_ extension is what + > we are looking for. + +1. Copy `lz_header.bin` to `/boot/` directory. + + ```bash + cp /nix/store/lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0/lz_header.bin /boot/lz_header + ``` + +1. Check `/boot/grub/grub.cfg` file and its `NixOS - Default` menu entry. Adjust + `/etc/nixos/configuration.nix` and its `boot.loader.grub.extraEntries` line + to have exactly the same directories included. + + ```bash + $ cat /boot/grub/grub.cfg + (...) + menuentry "NixOS - Default" { + search --set=drive1 --fs-uuid 4881-6D27 + linux ($drive1)//kernels/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3-bzImage systemConfig=/nix/store/ci38is4cvjlz528jay66h7qpqr6ws22n-nixos-system-nixos-20.09.git.c156a866dd7M init=/nix/store/ci38is4cvjlz528jay66h7qpqr6ws22n-nixos-system-nixos-20.09.git.c156a866dd7M/init console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 console=tty0 loglevel=4 + initrd ($drive1)//kernels/k1x969q4mwj59hyq3hn2mcxck8s2410a-initrd-linux-5.5.3-initrd + } + (...) + ``` + + > The hashes in the `/nix/store` or `/kernels` may be different for your + > installation, especially initrd, that is why you should copy them from the + > `NixOS - Default` entry and apply to a new entry shown below. + + Just copy the `Default` entry, rename it to `Secure Launch` and add two lines + before `linux` command: + + ```bash + slaunch skinit + slaunch_module ($drive1)//lz_header + ``` + + With `grub.cfg` content as above `configuration.nix` must have + `boot.loader.grub.extraEntries` line like this: + + ```bash + $ cat /etc/nixos/configuration.nix + (...) + boot.loader.grub.extraEntries = '' + menuentry "NixOS - Secure Launch" { + search --set=drive1 --fs-uuid 4881-6D27 + slaunch skinit + slaunch_module ($drive1)//lz_header + linux ($drive1)//kernels/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3-bzImage systemConfig=/nix/store/ci38is4cvjlz528jay66h7qpqr6ws22n-nixos-system-nixos-20.09.git.c156a866dd7M init=/nix/store/ci38is4cvjlz528jay66h7qpqr6ws22n-nixos-system-nixos-20.09.git.c156a866dd7M/init console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 console=tty0 loglevel=4 + initrd ($drive1)//kernels/k1x969q4mwj59hyq3hn2mcxck8s2410a-initrd-linux-5.5.3-initrd + } + ''; + ``` + + If there are differences in any of `search --set=drive1...`, + `linux ($drive1)/nix/store...` or lines, edit `configuration.nix` content and + copy those lines from `grub.cfg` menuentry `"NixOS - Default"`. They must be + exactly the same. + +1. Update the system for the last time. + + ```bash + sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs + ``` + +1. Reboot platform. During platform booting, in GRUB menu there should be at least `"NixOS - Default"` and `"NixOS - Secure Launch"` entries. First entry boots @@ -600,19 +605,19 @@ DRTM enabled. ## Validation -You can still be suspicious if it really works. And rightly so. In this -section, I will show you, how to verify each component of the system to make -you sure about its correctness. Also, I will present how we met the second -stage project's requirements. +You can still be suspicious if it really works. And rightly so. In this section, +I will show you, how to verify each component of the system to make you sure +about its correctness. Also, I will present how we met the second stage +project's requirements. ### GRUB There are two ways to validate if GRUB will load `slaunch` module and hence run SKINIT and LZ (DRTM). -##### Verify content of `grub.cfg` file. +#### Verify content of `grub.cfg` file -``` +```bash $ cat /boot/grub/grub.cfg menuentry "NixOS - Default" { search --set=drive1 --fs-uuid 4881-6D27 @@ -637,71 +642,71 @@ In "NixOS - Secure Launch" entry there must be `slaunch skinit` entry and 1. Reboot platform. In GRUB menu choose `"NixOS - Default"` entry (without DRTM). - Collect logs during boot to be able to verify them. Using `dmesg` command - in NixOS doesn't work because it doesn't show pre-kernel stage logs! The - correct boot log is shown below. - - ``` - early console in extract_kernel - input_data: 0x00000000041fd3b1 - input_len: 0x000000000045e254 - output: 0x0000000002c00000 - output_len: 0x0000000001a301c0 - kernel_total_size: 0x000000000182c000 - needed_size: 0x0000000001c00000 - trampoline_32bit: 0x000000000009d000 - booted via startup_32() - Physical KASLR using RDRAND RDTSC... - Virtual KASLR using RDRAND RDTSC... - - Decompressing Linux... Parsing ELF... Performing relocations... done. - Booting the kernel. - [ 0.000000] Linux version 5.5.3 (nixbld@localhost) (gcc version 9.2.0 (GCC)) #1-NixOS SMP Thu Jan 1 00:00:01 UTC 1970 - (...) - - <<< Welcome to NixOS 20.09.git.c156a866dd7M (x86_64) - ttyS0 >>> - - Run 'nixos-help' for the NixOS manual. - ``` - - **Verification**: As expected, the bootloader executes Linux kernel - directly. Platform booted without DRTM then. - -2. Reboot platform once again. In GRUB menu choose `"NixOS - Secure Launch"` + Collect logs during boot to be able to verify them. Using `dmesg` command in + NixOS doesn't work because it doesn't show pre-kernel stage logs! The correct + boot log is shown below. + + ```bash + early console in extract_kernel + input_data: 0x00000000041fd3b1 + input_len: 0x000000000045e254 + output: 0x0000000002c00000 + output_len: 0x0000000001a301c0 + kernel_total_size: 0x000000000182c000 + needed_size: 0x0000000001c00000 + trampoline_32bit: 0x000000000009d000 + booted via startup_32() + Physical KASLR using RDRAND RDTSC... + Virtual KASLR using RDRAND RDTSC... + + Decompressing Linux... Parsing ELF... Performing relocations... done. + Booting the kernel. + [ 0.000000] Linux version 5.5.3 (nixbld@localhost) (gcc version 9.2.0 (GCC)) #1-NixOS SMP Thu Jan 1 00:00:01 UTC 1970 + (...) + + <<< Welcome to NixOS 20.09.git.c156a866dd7M (x86_64) - ttyS0 >>> + + Run 'nixos-help' for the NixOS manual. + ``` + + **Verification**: As expected, the bootloader executes Linux kernel directly. + Platform booted without DRTM then. + +1. Reboot platform once again. In GRUB menu choose `"NixOS - Secure Launch"` entry. - Once again, collect logs during boot to be able to verify them. Using - `dmesg` command in NixOS doesn't work, as in the previous case. The correct - boot log is shown below. + Once again, collect logs during boot to be able to verify them. Using `dmesg` + command in NixOS doesn't work, as in the previous case. The correct boot log + is shown below. - ``` - early console in extract_kernel - input_data: 0x00000000041fd3b1 - input_len: 0x000000000045e254 - output: 0x0000000002c00000 - output_len: 0x0000000001a301c0 - kernel_total_size: 0x000000000182c000 - needed_size: 0x0000000001c00000 - trampoline_32bit: 0x000000000009d000 - booted via startup_32() - Physical KASLR using RDRAND RDTSC... - Virtual KASLR using RDRAND RDTSC... + ```bash + early console in extract_kernel + input_data: 0x00000000041fd3b1 + input_len: 0x000000000045e254 + output: 0x0000000002c00000 + output_len: 0x0000000001a301c0 + kernel_total_size: 0x000000000182c000 + needed_size: 0x0000000001c00000 + trampoline_32bit: 0x000000000009d000 + booted via startup_32() + Physical KASLR using RDRAND RDTSC... + Virtual KASLR using RDRAND RDTSC... - Decompressing Linux... Parsing ELF... Performing relocations... done. - Booting the kernel. - [ 0.000000] Linux version 5.5.3 (nixbld@localhost) (gcc version 9.2.0 (GCC)) #1-NixOS SMP Thu Jan 1 00:00:01 UTC 1970 - [ 0.000000] Command line: BOOT_IMAGE=(hd1,gpt3)//kernels/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3-bzImage systemConfig=/nix/store/bxjlwx3dcjg8jjvd6792fdjwnw1idgfg-nixos-system-nixos-20.09.git.c156a866dd7M init=/nix/store/bxjlwx3dcjg8jjvd6792fdjwnw1idgfg-nixos-system-nixos-20.09.git.c156a866dd7M/init console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 console=tty0 loglevel=4 + Decompressing Linux... Parsing ELF... Performing relocations... done. + Booting the kernel. + [ 0.000000] Linux version 5.5.3 (nixbld@localhost) (gcc version 9.2.0 (GCC)) #1-NixOS SMP Thu Jan 1 00:00:01 UTC 1970 + [ 0.000000] Command line: BOOT_IMAGE=(hd1,gpt3)//kernels/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3-bzImage systemConfig=/nix/store/bxjlwx3dcjg8jjvd6792fdjwnw1idgfg-nixos-system-nixos-20.09.git.c156a866dd7M init=/nix/store/bxjlwx3dcjg8jjvd6792fdjwnw1idgfg-nixos-system-nixos-20.09.git.c156a866dd7M/init console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 console=tty0 loglevel=4 - (...) + (...) - <<< Welcome to NixOS 20.09.git.a070e686875 (x86_64) - ttyS0 >>> + <<< Welcome to NixOS 20.09.git.a070e686875 (x86_64) - ttyS0 >>> - Run 'nixos-help' for the NixOS manual. - ``` + Run 'nixos-help' for the NixOS manual. + ``` - **Verification**: As expected, before the Linux kernel, there should be - `slaunch` module executed. It proves that DRTM is enabled. There is no - information about LZ execution because it is a non-debug version. + **Verification**: As expected, before the Linux kernel, there should be + `slaunch` module executed. It proves that DRTM is enabled. There is no + information about LZ execution because it is a non-debug version. ### Landing Zone @@ -711,136 +716,136 @@ those two: - check if LZ utilizes the SHA256 algorithm when using TPM2.0 module - check if LZ debug option can be enabled -##### check if LZ utilizes SHA256 algorithm when using TPM2.0 module - -1. If not already booted to `"NixOS - Secure Launch"`, reboot platform, and - boot to NixOS via `"NixOS - Secure Launch"` entry in GRUB menu. - -2. Run `tpm2_pcrread` command. - - ``` - $ tpm2_pcrread - sha1: - 0 : 0x122896C747F64CE4E9081BBF36513BB26C7D7841 - 1 : 0xFF0B4D5E2B550AB4C56E27C69DEF49AA933B9722 - 2 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236 - 3 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236 - 4 : 0x8E15F45C1AC99950850949C3D2D425B8A59EE2AC - 5 : 0x81DCF5ED6034C0BE3F992869AD1F78BA713A8548 - 6 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236 - 7 : 0x4037336FA7BC0EABE3778FCFFF5FCD0EE6ADCDE3 - 8 : 0x0000000000000000000000000000000000000000 - 9 : 0x0000000000000000000000000000000000000000 - 10: 0x0000000000000000000000000000000000000000 - 11: 0x0000000000000000000000000000000000000000 - 12: 0x0000000000000000000000000000000000000000 - 13: 0x0000000000000000000000000000000000000000 - 14: 0x0000000000000000000000000000000000000000 - 15: 0x0000000000000000000000000000000000000000 - 16: 0x0000000000000000000000000000000000000000 - 17: 0x00883227E275C12E1FAD0024133C1F71D8BA699A - 18: 0x0000000000000000000000000000000000000000 - 19: 0x0000000000000000000000000000000000000000 - 20: 0x0000000000000000000000000000000000000000 - 21: 0x0000000000000000000000000000000000000000 - 22: 0x0000000000000000000000000000000000000000 - 23: 0x0000000000000000000000000000000000000000 - sha256: - 0 : 0xF831C72F6C06F0196169E9B13F76B93B01316761142C98E2BF7AF2B069970A03 - 1 : 0xFFE279C00FAC3B552E88E24EF5CB6D456DB19CE13D9F8A8EB848E94E01791347 - 2 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969 - 3 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969 - 4 : 0x5155731E9498F6BA0AF9CBFA785AE5C107809745C51FB98ED01DF1E283FE25CD - 5 : 0x701DC6CA7B80B2C6BC2E563ED34BD06E8ABDE913A7E69C56D0BB2323D65C7371 - 6 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969 - 7 : 0xB5710BF57D25623E4019027DA116821FA99F5C81E9E38B87671CC574F9281439 - 8 : 0x0000000000000000000000000000000000000000000000000000000000000000 - 9 : 0x0000000000000000000000000000000000000000000000000000000000000000 - 10: 0x0000000000000000000000000000000000000000000000000000000000000000 - 11: 0x0000000000000000000000000000000000000000000000000000000000000000 - 12: 0x0000000000000000000000000000000000000000000000000000000000000000 - 13: 0x0000000000000000000000000000000000000000000000000000000000000000 - 14: 0x0000000000000000000000000000000000000000000000000000000000000000 - 15: 0x0000000000000000000000000000000000000000000000000000000000000000 - 16: 0x0000000000000000000000000000000000000000000000000000000000000000 - 17: 0x21D3D024420A4149A3A226D39331A3A69E434200EE2D1C56FB02F3B982DC97B2 - 18: 0xF60CE5BD1FBA080302211F6FAD660374B82DE4AEC102369764E411461C7B71E6 - 19: 0x0000000000000000000000000000000000000000000000000000000000000000 - 20: 0x0000000000000000000000000000000000000000000000000000000000000000 - 21: 0x0000000000000000000000000000000000000000000000000000000000000000 - 22: 0x0000000000000000000000000000000000000000000000000000000000000000 - 23: 0x0000000000000000000000000000000000000000000000000000000000000000 - ``` - -3. Run `extend_all.sh` script from `landing-zone` package. - - This script simulates what should be extended into PCR17 by SKINIT, LZ and - kernel during platform booting. It extends both SHA256 and SHA1 values. - However, the expected result is valid only for SHA256 if used with TPM2.0 - device. - - To properly execute script, first find correct directory to `bzImage` and - `initrd`. Best way to find exact directories is to see `"NixOS - Secure - Launch"` entry in `/boot/grub/grub.cfg`: - - ``` - $ cat /boot/grub/grub.cfg - (...) - menuentry "NixOS - Secure Launch" { - search --set=drive1 --fs-uuid 4881-6D27 - slaunch skinit - slaunch_module ($drive1)//lz_header - linux ($drive1)//kernels/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3-bzImage systemConfig=/nix/store/ci38is4cvjlz528jay66h7qpqr6ws22n-nixos-system-nixos-20.09.git.c156a866dd7M init=/nix/store/ci38is4cvjlz528jay66h7qpqr6ws22n-nixos-system-nixos-20.09.git.c156a866dd7M/init console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 console=tty0 loglevel=4 - initrd ($drive1)//kernels/k1x969q4mwj59hyq3hn2mcxck8s2410a-initrd-linux-5.5.3-initrd - } - (...) - ``` - - `/nix/store/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3/bzImage` - is directory to Linux kernel. - `/nix/store/k1x969q4mwj59hyq3hn2mcxck8s2410a-initrd-linux-5.5.3/initrd` is - directory to initrd. - -4. Go to `/nix/store/` and run below command: - - ``` - $ cd /nix/store - $ ls | grep landing-zone - 5a6kapnjxs8dj4jp49qagz1mw2r6hnr2-landing-zone-debug-0.3.0 - l1b2h84fdw8g0m9aygmv8g3nhbnw9kic-landing-zone-debug-0.3.0.drv - lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0 - mnbh5xahlbzmfa50r60y5z4lph9rd41k-landing-zone-0.3.0.drv - ``` - - > Hash before `-landing-zone-0.3.0` is dependent on built version and might - > be different in yours. Choose non-debug version from above results. - -5. Go to `/nix/store/lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0` +#### check if LZ utilizes SHA256 algorithm when using TPM2.0 module + +1. If not already booted to `"NixOS - Secure Launch"`, reboot platform, and boot + to NixOS via `"NixOS - Secure Launch"` entry in GRUB menu. + +1. Run `tpm2_pcrread` command. + + ```bash + $ tpm2_pcrread + sha1: + 0 : 0x122896C747F64CE4E9081BBF36513BB26C7D7841 + 1 : 0xFF0B4D5E2B550AB4C56E27C69DEF49AA933B9722 + 2 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236 + 3 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236 + 4 : 0x8E15F45C1AC99950850949C3D2D425B8A59EE2AC + 5 : 0x81DCF5ED6034C0BE3F992869AD1F78BA713A8548 + 6 : 0xB2A83B0EBF2F8374299A5B2BDFC31EA955AD7236 + 7 : 0x4037336FA7BC0EABE3778FCFFF5FCD0EE6ADCDE3 + 8 : 0x0000000000000000000000000000000000000000 + 9 : 0x0000000000000000000000000000000000000000 + 10: 0x0000000000000000000000000000000000000000 + 11: 0x0000000000000000000000000000000000000000 + 12: 0x0000000000000000000000000000000000000000 + 13: 0x0000000000000000000000000000000000000000 + 14: 0x0000000000000000000000000000000000000000 + 15: 0x0000000000000000000000000000000000000000 + 16: 0x0000000000000000000000000000000000000000 + 17: 0x00883227E275C12E1FAD0024133C1F71D8BA699A + 18: 0x0000000000000000000000000000000000000000 + 19: 0x0000000000000000000000000000000000000000 + 20: 0x0000000000000000000000000000000000000000 + 21: 0x0000000000000000000000000000000000000000 + 22: 0x0000000000000000000000000000000000000000 + 23: 0x0000000000000000000000000000000000000000 + sha256: + 0 : 0xF831C72F6C06F0196169E9B13F76B93B01316761142C98E2BF7AF2B069970A03 + 1 : 0xFFE279C00FAC3B552E88E24EF5CB6D456DB19CE13D9F8A8EB848E94E01791347 + 2 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969 + 3 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969 + 4 : 0x5155731E9498F6BA0AF9CBFA785AE5C107809745C51FB98ED01DF1E283FE25CD + 5 : 0x701DC6CA7B80B2C6BC2E563ED34BD06E8ABDE913A7E69C56D0BB2323D65C7371 + 6 : 0x3D458CFE55CC03EA1F443F1562BEEC8DF51C75E14A9FCF9A7234A13F198E7969 + 7 : 0xB5710BF57D25623E4019027DA116821FA99F5C81E9E38B87671CC574F9281439 + 8 : 0x0000000000000000000000000000000000000000000000000000000000000000 + 9 : 0x0000000000000000000000000000000000000000000000000000000000000000 + 10: 0x0000000000000000000000000000000000000000000000000000000000000000 + 11: 0x0000000000000000000000000000000000000000000000000000000000000000 + 12: 0x0000000000000000000000000000000000000000000000000000000000000000 + 13: 0x0000000000000000000000000000000000000000000000000000000000000000 + 14: 0x0000000000000000000000000000000000000000000000000000000000000000 + 15: 0x0000000000000000000000000000000000000000000000000000000000000000 + 16: 0x0000000000000000000000000000000000000000000000000000000000000000 + 17: 0x21D3D024420A4149A3A226D39331A3A69E434200EE2D1C56FB02F3B982DC97B2 + 18: 0xF60CE5BD1FBA080302211F6FAD660374B82DE4AEC102369764E411461C7B71E6 + 19: 0x0000000000000000000000000000000000000000000000000000000000000000 + 20: 0x0000000000000000000000000000000000000000000000000000000000000000 + 21: 0x0000000000000000000000000000000000000000000000000000000000000000 + 22: 0x0000000000000000000000000000000000000000000000000000000000000000 + 23: 0x0000000000000000000000000000000000000000000000000000000000000000 + ``` + +1. Run `extend_all.sh` script from `landing-zone` package. + + This script simulates what should be extended into PCR17 by SKINIT, LZ and + kernel during platform booting. It extends both SHA256 and SHA1 values. + However, the expected result is valid only for SHA256 if used with TPM2.0 + device. + + To properly execute script, first find correct directory to `bzImage` and + `initrd`. Best way to find exact directories is to see + `"NixOS - Secure Launch"` entry in `/boot/grub/grub.cfg`: + + ```bash + $ cat /boot/grub/grub.cfg + (...) + menuentry "NixOS - Secure Launch" { + search --set=drive1 --fs-uuid 4881-6D27 + slaunch skinit + slaunch_module ($drive1)//lz_header + linux ($drive1)//kernels/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3-bzImage systemConfig=/nix/store/ci38is4cvjlz528jay66h7qpqr6ws22n-nixos-system-nixos-20.09.git.c156a866dd7M init=/nix/store/ci38is4cvjlz528jay66h7qpqr6ws22n-nixos-system-nixos-20.09.git.c156a866dd7M/init console=ttyS0,115200 earlyprintk=serial,ttyS0,115200 console=tty0 loglevel=4 + initrd ($drive1)//kernels/k1x969q4mwj59hyq3hn2mcxck8s2410a-initrd-linux-5.5.3-initrd + } + (...) + ``` + + `/nix/store/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3/bzImage` is + directory to Linux kernel. + `/nix/store/k1x969q4mwj59hyq3hn2mcxck8s2410a-initrd-linux-5.5.3/initrd` is + directory to initrd. + +1. Go to `/nix/store/` and run below command: + + ```bash + $ cd /nix/store + $ ls | grep landing-zone + 5a6kapnjxs8dj4jp49qagz1mw2r6hnr2-landing-zone-debug-0.3.0 + l1b2h84fdw8g0m9aygmv8g3nhbnw9kic-landing-zone-debug-0.3.0.drv + lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0 + mnbh5xahlbzmfa50r60y5z4lph9rd41k-landing-zone-0.3.0.drv + ``` + + > Hash before `-landing-zone-0.3.0` is dependent on built version and might + > be different in yours. Choose non-debug version from above results. + +1. Go to `/nix/store/lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0` directory. - ``` - $ cd /nix/store/lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0 - ``` + ```bash + cd /nix/store/lf763br9hm0ipp76k2p16iq75x3xpgrm-landing-zone-0.3.0 + ``` -6. Execute `./extend_all.sh` script. +1. Execute `./extend_all.sh` script. - Usage is `./extend_all.sh ` + Usage is `./extend_all.sh ` - It must be executed inside the directory containing currently used (debug or - non-debug) version of `lz_header.bin`. You should already be in this - directory after the previous step. Directories to `bzImage` and `initrd` we - found in step 3. + It must be executed inside the directory containing currently used (debug or + non-debug) version of `lz_header.bin`. You should already be in this + directory after the previous step. Directories to `bzImage` and `initrd` we + found in step 3. - ``` - ./extend_all.sh /nix/store/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3/bzImage /nix/store/k1x969q4mwj59hyq3hn2mcxck8s2410a-initrd-linux-5.5.3/initrd - ff4562570be624792d7cc1ae8dcb8a2c9d978cfd SHA1 - 21d3d024420a4149a3a226d39331a3a69e434200ee2d1c56fb02f3b982dc97b2 SHA256 - ``` + ```bash + ./extend_all.sh /nix/store/3w98shnz1a6nxpqn2wwn728mr12dy3kz-linux-5.5.3/bzImage /nix/store/k1x969q4mwj59hyq3hn2mcxck8s2410a-initrd-linux-5.5.3/initrd + ff4562570be624792d7cc1ae8dcb8a2c9d978cfd SHA1 + 21d3d024420a4149a3a226d39331a3a69e434200ee2d1c56fb02f3b982dc97b2 SHA256 + ``` - Compare SHA256 value with PCR17 content checked previously with - `tpm2_pcrread` output. If DRTM is enabled and executes properly, they - should be the same. It proves that the LZ code utilizes the SHA256 algorithm during - measurements. + Compare SHA256 value with PCR17 content checked previously with + `tpm2_pcrread` output. If DRTM is enabled and executes properly, they should + be the same. It proves that the LZ code utilizes the SHA256 algorithm during + measurements. ## Summary @@ -853,6 +858,7 @@ experiment with your hardware too! If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of the used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of the used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-05-14-measuring_memory_usage_rte.md b/blog/content/post/2020-05-14-measuring_memory_usage_rte.md index 1e690a37..9fbc5949 100644 --- a/blog/content/post/2020-05-14-measuring_memory_usage_rte.md +++ b/blog/content/post/2020-05-14-measuring_memory_usage_rte.md @@ -31,15 +31,17 @@ necessary to perform such analysis and match the specification exactly with the planned workload and the profit from such action will show as the system grows larger. -Hardware configuration we will use is based on [RTE](https://3mdeb.com/products/open-source-hardware/rte/) -with Orange Pi Zero 256MB. This is the default configuration with which the device -is shipped. A question may be made, whether 256MB of memory is sufficient, or -should alternative, 512MB Orange Pi Zero be worth upgrading to. We will compare -the usage of memory on the two operating systems - Armbian and Yocto. We've used Armbian -version: 5.32.170919. Armbian binaries can be downloaded [here](https://dl.armbian.com/_old/orangepizero/archive/). +Hardware configuration we will use is based on +[RTE](https://3mdeb.com/products/open-source-hardware/rte/) with Orange Pi Zero +256MB. This is the default configuration with which the device is shipped. A +question may be made, whether 256MB of memory is sufficient, or should +alternative, 512MB Orange Pi Zero be worth upgrading to. We will compare the +usage of memory on the two operating systems - Armbian and Yocto. We've used +Armbian version: 5.32.170919. Armbian binaries can be downloaded +[here](https://www.armbian.com/orange-pi-zero/). [Yocto meta-rte](https://github.com/3mdeb/meta-rte) which we used can be found -[here](https://cloud.3mdeb.com/index.php/s/myTkar9CgrgKG9m/download). -Memory will be checked before and during the run of regression test suite. +[here](https://cloud.3mdeb.com/index.php/s/RgD9MyGRzGmLxMT). Memory +will be checked before and during the run of regression test suite. ## Tools we will use @@ -49,35 +51,35 @@ These should be available on virtually every system. #### free -`free` displays the total amount of free and used physical and swap -memory in the system, as well as the buffers and caches used by the -kernel. The information is gathered by parsing `/proc/meminfo`. Running -it with `-m` option will print the values in mebibytes, which often get -confused with megabytes. The difference is that the former are express the -values as powers of two, while the latter express the values as powers of ten. +`free` displays the total amount of free and used physical and swap memory in +the system, as well as the buffers and caches used by the kernel. The +information is gathered by parsing `/proc/meminfo`. Running it with `-m` option +will print the values in mebibytes, which often get confused with megabytes. The +difference is that the former are express the values as powers of two, while the +latter express the values as powers of ten. To get real-time readings we will combine it with `watch` command, which will -print the result of command supplied to it with the freqency specified by +print the result of command supplied to it with the frequency specified by number passed to `-n` parameter in seconds. The final command is `watch -n 1 free -m` #### top `top` program provides a dynamic real-time view of a running system. It can -display system summary information as well as a list of tasks currently -being managed by the Linux kernel. Its output is complete enough so that -we won't be specifying any additional parameters. +display system summary information as well as a list of tasks currently being +managed by the Linux kernel. Its output is complete enough so that we won't be +specifying any additional parameters. #### /sys/class/thermal/thermal_zone -Thermal sysfs provides us with information about readings from various temperature -sensors installed. Different sensors are available as thermal_zone[0-*] files. -You can check the sensor type by reading `type` file from thermal_zone directory. -In our case the CPU thermal_zone has number `0`. Temperature is stored in -`temp` file as an integer. To get the output in a more accessible format -of Celcius degrees we will use such command: +Thermal sysfs provides us with information about readings from various +temperature sensors installed. Different sensors are available as +thermal_zone\[0-\*\] files. You can check the sensor type by reading `type` file +from thermal_zone directory. In our case the CPU thermal_zone has number `0`. +Temperature is stored in `temp` file as an integer. To get the output in a more +accessible format of Celsius degrees we will use such command: -``` +```bash echo $((`cat /sys/class/thermal/thermal_zone0/temp | cut -c 1-2`)).$((`cat /sys/class/thermal/thermal_zone0/temp | cut -c 3-5`)) ``` @@ -100,7 +102,7 @@ delay. The process and memory reports are instantaneous in either case. `free` output before tests: -``` +```bash total used free shared buff/cache available Mem: 242M 39M 41M 14M 162M 164M Swap: 127M 0B 127M @@ -108,13 +110,13 @@ Swap: 127M 0B 127M `free` output during tests: -``` +```bash total used free shared buff/cache available Mem: 242M 65M 13M 14M 163M 137M Swap: 127M 0B 127M ``` -``` +```bash total used free shared buff/cache available Mem: 242M 35M 43M 14M 163M 167M Swap: 127M 0B 127M @@ -122,7 +124,7 @@ Swap: 127M 0B 127M `top` output before tests: -``` +```bash load average: 0.00, 0.00, 0.00 Tasks: 123 total, 1 running, 122 sleeping, 0 stopped, 0 zombie %Cpu(s): 0.3 us, 0.4 sy, 0.0 ni, 99.3 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st @@ -132,7 +134,7 @@ KiB Swap: 131068 total, 131068 free, 0 used. 168392 avail Mem `top` output during tests: -``` +```bash load average: 0.53, 0.30, 0.12 Tasks: 132 total, 1 running, 131 sleeping, 0 stopped, 0 zombie %Cpu(s): 0.0 us, 0.0 sy, 0.0 ni, 99.9 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st @@ -140,7 +142,7 @@ KiB Mem : 248564 total, 38644 free, 42900 used, 167020 buff/cache KiB Swap: 131068 total, 131068 free, 0 used. 165280 avail Mem ``` -``` +```bash load average: 0.03, 0.13, 0.10 Tasks: 125 total, 1 running, 124 sleeping, 0 stopped, 0 zombie %Cpu(s): 0.2 us, 0.6 sy, 0.0 ni, 99.2 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st @@ -153,9 +155,10 @@ KiB Swap: 131068 total, 131068 free, 0 used. 171404 avail Mem ![Armbian](/img/Armbian_load&mem_usage_chart.svg) ### Yocto + `free` output before tests: -``` +```bash total used free shared buff/cache available Mem: 244 31 140 9 72 195 Swap: 0 0 0 @@ -163,7 +166,7 @@ Swap: 0 0 0 `free` output during tests: -``` +```bash total used free shared buff/cache available Mem: 244 35 139 9 72 194 Swap: 0 0 0 @@ -171,7 +174,7 @@ Swap: 0 0 0 `top` output before tests: -``` +```bash load average: 0.01, 0.03, 0.01 Tasks: 88 total, 1 running, 47 sleeping, 0 stopped, 0 zombie %Cpu(s): 0.3 us, 0.8 sy, 0.0 ni, 98.8 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st @@ -181,7 +184,7 @@ KiB Swap: 0 total, 0 free, 0 used. 200956 avail Mem `top` output during tests: -``` +```bash load average: 0.05, 0.04, 0.01 Tasks: 90 total, 1 running, 49 sleeping, 0 stopped, 0 zombie %Cpu(s): 0.2 us, 0.9 sy, 0.0 ni, 98.8 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st @@ -189,7 +192,7 @@ KiB Mem : 250680 total, 142676 free, 33552 used, 74452 buff/cache KiB Swap: 0 total, 0 free, 0 used. 199148 avail Mem ``` -``` +```bash load average: 0.08, 0.12, 0.06 Tasks: 90 total, 1 running, 49 sleeping, 0 stopped, 0 zombie %Cpu(s): 4.1 us, 8.9 sy, 0.0 ni, 87.0 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st @@ -202,20 +205,21 @@ KiB Swap: 0 total, 0 free, 0 used. 200580 avail Mem ![Yocto](/img/Yocto_load&mem_usage_chart.svg) ## Summary -As we can see, 256MB of RAM is beyond enough for current feature-set on the -RTE both on Armbian and Yocto, yet there are significant differences between -them as the former had almost twice as high maximal memory usage as the latter. -A similar difference was seen in the maximal spike in cpu load, which on Armbian + +As we can see, 256MB of RAM is beyond enough for current feature-set on the RTE +both on Armbian and Yocto, yet there are significant differences between them as +the former had almost twice as high maximal memory usage as the latter. A +similar difference was seen in the maximal spike in cpu load, which on Armbian was over 4 times that of Yocto. As Yocto is not really an embedded Linux -distribution, but a framework for creating your own, suited specifically to -your goals and hardware it is able to provide much better performance. Armbian -is a good choice for early prototyping, as it's popular and easy to use, but -for final product it is worth considering using Yocto. +distribution, but a framework for creating your own, suited specifically to your +goals and hardware it is able to provide much better performance. Armbian is a +good choice for early prototyping, as it's popular and easy to use, but for +final product it is worth considering using Yocto. 3mdeb is a registered Yocto Participant and provides embedded system validation -services. -If you think we can help in improving the security of your firmware or you -looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +services. If you think we can help in improving the security of your firmware or +you looking for someone who can boost your product by leveraging advanced +features of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-05-15-qubesOs.md b/blog/content/post/2020-05-15-qubesOs.md index 59f9b5e0..3aaa2beb 100644 --- a/blog/content/post/2020-05-15-qubesOs.md +++ b/blog/content/post/2020-05-15-qubesOs.md @@ -18,8 +18,8 @@ categories: - Security - Firmware - --- + **Update (06/02/2020)**: Video recordings have been added to the agenda. Previous Qubes OS 'minisummit' @@ -34,33 +34,39 @@ beyond the agenda. This year, we will stand side by side with Frédéric Pierret and Marek Marczykowski-Górecki from [QubesOS](https://www.qubes-os.org/team), covering the following topics: -* 20.05 - 1. Michał Żygowski Qubes OS on modern AMD platform - * [recording](https://www.youtube.com/watch?v=Rw7rAPPyPPc&t=31s) - 2. Norbert Kamiński Status fwupd/LVFS support for Qubes OS - * [recording](https://www.youtube.com/watch?v=o_IdERo3aiE&t=984s) - 3. AMA session - * [recording](https://www.youtube.com/watch?v=BSGUcW6QDYU&t=1509s) - -* 28.05 - 1. Piotr Król SRTM for Qubes OS VMs - * [recording](https://www.youtube.com/watch?v=Eip5Rts6S2I&t=2s) - 2. Michał Żygowski Anti Evil Maid for modern AMD UEFI-based platform - * [recording](https://youtu.be/rM0vRi6qABE?t=3) - 3. AMA session - * [recording](https://youtu.be/rM0vRi6qABE?t=1904) - -* 04.06 +- 20.05 + + 1. Michał Żygowski Qubes OS on modern AMD platform - + [recording](https://www.youtube.com/watch?v=Rw7rAPPyPPc&t=31s) + + 2. Norbert Kamiński Status fwupd/LVFS support for Qubes OS - + [recording](https://www.youtube.com/watch?v=o_IdERo3aiE&t=984s) + + 3. AMA session - [recording](https://www.youtube.com/watch?v=BSGUcW6QDYU&t=1509s) + +- 28.05 + + 1. Piotr Król SRTM for Qubes OS VMs - + [recording](https://www.youtube.com/watch?v=Eip5Rts6S2I&t=2s) + + 2. Michał Żygowski Anti Evil Maid for modern AMD UEFI-based platform - + [recording](https://youtu.be/rM0vRi6qABE?t=3) + + 3. AMA session - [recording](https://youtu.be/rM0vRi6qABE?t=1904) + +- 04.06 + 1. Piotr Król DRTM for Qubes OS VMs - 2. Michał Żygowski Anti Evil Maid for Intel coreboot-based platform - 3. AMA session + 1. Michał Żygowski Anti Evil Maid for Intel coreboot-based platform + 1. AMA session + +- 10.06 -* 10.06 1. Frédéric Pierret: How to build Qubes? From components to operating system -overview - 2. Marek Marczykowski-Górecki Operating system testing, when it itself uses - virtual machines - 3. AMA session + overview + 1. Marek Marczykowski-Górecki Operating system testing, when it itself uses + virtual machines + 1. AMA session An introductory presentation will open 3mdeb and Qubes OS discussion about the topic followed by chat discussion, from which prelegents will choose the most @@ -98,26 +104,27 @@ templates maintainer. To gain security of an open-source quality. > There is not enough synergy between firmware and operating systems world, -especially in the light of heavy use of isolation mechanisms like -(nested-)virtualization or cgroups. Co-organizing this event with Qubes OS we -would like to build awareness about opportunities that open collaboration can -bring to community through correct leveraging of modern platform security -features. We hope this activity may convince silicon vendors and their -OEM/ODM, that putting more effort in contribution to open source projects has -not only ethical implications, but brings better economical results through -wider and faster adoption of new hardware. In recent years open-source and -security community proven many times its effectivness in after-market product -suppport and discovering inefficiencies and security issues in the hardware -design. - -> -- Piotr Król - -> Because modern software is very complex and it is unrealistic to have it - bug-free, isolation is the only practical way to mitigate security issues. At - Qubes OS we try to provide the strongest possible isolation, while preserving - usability of the system user interface. - - > -- Marek Marczykowski-Górecki +> especially in the light of heavy use of isolation mechanisms like +> (nested-)virtualization or cgroups. Co-organizing this event with Qubes OS we +> would like to build awareness about opportunities that open collaboration can +> bring to community through correct leveraging of modern platform security +> features. We hope this activity may convince silicon vendors and their +> OEM/ODM, that putting more effort in contribution to open source projects has +> not only ethical implications, but brings better economical results through +> wider and faster adoption of new hardware. In recent years open-source and +> security community proven many times its effectiveness in after-market product +> support and discovering inefficiencies and security issues in the hardware +> design. +> -- Piotr Król + +Qubes OS we try to provide the strongest possible isolation, while preserving +usability of the system user interface. + +> Because modern software is very complex and it is unrealistic to have it +> bug-free, isolation is the only practical way to mitigate security issues. At +> Qubes OS we try to provide the strongest possible isolation, while preserving +> usability of the system user interface. +> -- Marek Marczykowski-Górecki ### Why you should join? @@ -125,11 +132,10 @@ To gain practical, valuable first-hand knowledge and meet experts who are happy to answer intriguing questions and share their passion without creating any marketing pitch. ->I'm excited about upcoming Qubes OS minisummit, happening thanks to 3mdeb -folks. There will be many interesting topics presented by competent people. And -also a lot of potential for further collaboration! - -> -- Marek Marczykowski-Górecki +> I'm excited about upcoming Qubes OS minisummit, happening thanks to 3mdeb +> folks. There will be many interesting topics presented by competent people. +> And also a lot of potential for further collaboration! +> -- Marek Marczykowski-Górecki ## Summary @@ -145,7 +151,7 @@ experience, but also the participants of the event, passionate about Qubes OS If you think we can help in improving Qubes OS support for your hardware, help you with Qubes OS certification on firmware level or you looking for someone who can boost your product by leveraging advanced features of used hardware -platform, feel free to [book a call with -us](https://calendly.com/3mdeb/consulting-remote-meeting) or drop us -[email](mailto:contact@3mdeb.com). If you are interested in similar content feel -free to [sign up to our newsletter](http://eepurl.com/doF8GX) +platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us [email](mailto:contact@3mdeb.com). If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-06-01-ipxe_lz_support.md b/blog/content/post/2020-06-01-ipxe_lz_support.md index 5172cc4f..4d9758f5 100644 --- a/blog/content/post/2020-06-01-ipxe_lz_support.md +++ b/blog/content/post/2020-06-01-ipxe_lz_support.md @@ -50,22 +50,24 @@ can test it without messing with your current installation. Isn't that a treat? ## Building iPXE binary -Code can be found in our iPXE fork, [landing_zone branch](https://github.com/3mdeb/ipxe/tree/landing_zone). -It can be build either as a standalone binary or as a coreboot PXE ROM. Let's -start with the latter one. +Code can be found in our iPXE fork, +[landing_zone branch](https://github.com/3mdeb/ipxe/tree/landing_zone). It can +be build either as a standalone binary or as a coreboot PXE ROM. Let's start +with the latter one. -#### Embedded in coreboot +### Embedded in coreboot -Follow [HTTPS enabling tutorial](https://blog.3mdeb.com/2020/2020-05-06-ipxe-https/), +Follow +[HTTPS enabling tutorial](https://blog.3mdeb.com/2020/2020-05-06-ipxe-https/), with two important changes: -* clone from PC Engines repository and switch to proper branch: +- clone from PC Engines repository and switch to proper branch: ```bash git clone --recurse-submodules https://github.com/pcengines/coreboot.git -b pcengines_trenchboot_4.11.x ``` -* after starting Docker, copy config from a different file: +- after starting Docker, copy config from a different file: ```bash cp configs/config.pcengines_apu2_tb_ipxe .config @@ -76,11 +78,11 @@ properly, including change to iPXE version, or change it to `make olddefconfig` and skip graphical menu. The rest of build and flashing process is the same. > Remember to do a `make distclean` before `make menuconfig` when touching any -iPXE options. To save recompilation time, coreboot build system **does not** -clean the payloads automatically, you have to explicitly tell it to do so. You -also have to copy the config file again. +> iPXE options. To save recompilation time, coreboot build system **does not** +> clean the payloads automatically, you have to explicitly tell it to do so. You +> also have to copy the config file again. -#### Standalone binary +## Standalone binary This builds a generic image which can be used for chainloading, both on coreboot (legacy) and UEFI platforms with CSM. We can choose between building one binary @@ -99,18 +101,19 @@ docker run --rm -it -v $PWD/ipxe:/home/coreboot/ipxe -w /home/coreboot/ipxe \ coreboot/coreboot-sdk:65718760fa /bin/bash ``` -All build targets are summarised on [iPXE website](https://ipxe.org/appnote/buildtargets). -We will build `.lkrn` file, as it is the most portable option of those listed -when it comes to chainloading. It mimics Linux's kernel, so every bootloader -capable of booting Linux (using 16-bit entry point) can also boot this flavour -of iPXE image. +All build targets are summarised on +[iPXE website](https://ipxe.org/appnote/buildtargets). We will build `.lkrn` +file, as it is the most portable option of those listed when it comes to +chainloading. It mimics Linux's kernel, so every bootloader capable of booting +Linux (using 16-bit entry point) can also boot this flavour of iPXE image. Most of the features are turned off to save the size by default. In order to switch them on, we need to define some symbols in configuration file(s). For the list of all configurable options, see [here](https://ipxe.org/buildcfg). The best way of enabling a feature is to `#define` it in appropriate file in `src/config/local/`. We can either manually enable each option or (the lazy way) -just copy the `general.h` from [PC Engines coreboot repo](https://github.com/pcengines/coreboot/blob/develop/payloads/external/iPXE/general.h) +just copy the `general.h` from +[PC Engines coreboot repo](https://github.com/pcengines/coreboot/blob/develop/payloads/external/iPXE/general.h) to `src/config/local/general.h`. After we are happy with our config, we can finally build iPXE binary: @@ -123,13 +126,13 @@ If you want smaller binary, but only for one NIC model, you can change the last line accordingly, e.g. for apu2 it can become `bin/8086157b.lkrn`. This is also the path to the resulting binary, relative to `src` directory. -###### Additional step required for serial output on other platforms +### Additional step required for serial output on other platforms Such binary will use `int 10h` to print its messages, which thanks to SeaBIOS and `sercon-port` file in CBFS is redirected also to serial port on coreboot -platforms. If you want to get output on serial for different platforms (e.g. -a proprietary UEFI), it can be done by defining `CONSOLE_SERIAL`. A commented -out example is in `src/config/console.h`, but more elegant way is to use local +platforms. If you want to get output on serial for different platforms (e.g. a +proprietary UEFI), it can be done by defining `CONSOLE_SERIAL`. A commented out +example is in `src/config/console.h`, but more elegant way is to use local configuration, so lets do this. ```bash @@ -140,27 +143,28 @@ That's it, now we can rebuild the image. Unfortunately, this image will double every character for platforms with `sercon` redirection, it is impossible to fix one issue without breaking the other: -``` +```bash iPii - XPEX Ei niintiitailailsii...okogd edveivciecse.s... -ik + XPEX Ei niintiitailailsii...okogd edveivciecse.s... +ik PiXPEX E1 .12.02.01.+1 +( g(4oSuorucrec eN eNtewtowrokr kB oBooto tF iFro.rogrwe -Fg +Fg eFaetautruerse:s :D NDSN SH THTTPT Pi LEFL FM BMOBOOTO TP XPEX Eb zbIzmIamgaeg X WT ``` ## Starting -Embedded iPXE is started just as in [previous post](https://blog.3mdeb.com/2020/2020-05-06-ipxe-https/#network-booting). +Embedded iPXE is started just as in +[previous post](https://blog.3mdeb.com/2020/2020-05-06-ipxe-https/#network-booting). For a standalone binary the exact instructions for chainloading iPXE depend on bootloader used and the location of binary. Two common examples are starting from a remote server with another iPXE or loading the file from a local disk using GRUB2. -###### iPXE +### iPXE -``` +```bash chain http://example.com/ipxe.lkrn ``` @@ -175,7 +179,7 @@ shell, not in the second one. Another option is to load a [script](https://ipxe.org/scripting) containing the command line as an initrd: -``` +```bash kernel http://example.com/ipxe.lkrn initrd http://example.com/cmdline.ipxe boot @@ -187,9 +191,9 @@ other NICs, including wireless ones, for apu platforms. There is an official image available at `https://boot.ipxe.org/ipxe.lkrn`. You can also use one of [our images with LZ support](https://boot.3mdeb.com/tb/). -###### GRUB2 +### GRUB2 -``` +```bash linux16 path/to/ipxe.lkrn boot ``` @@ -211,7 +215,7 @@ any of `module`, `initrd` or `imgfetch` would work, as they are all This is what we use to start simple Linux for testing PCR values (assuming network is already configured by `dhcp` or manually): -``` +```bash module http://boot.3mdeb.com/tb/lz_header.bin kernel http://boot.3mdeb.com/tb/bzImage console=ttyS0,115200 initrd http://boot.3mdeb.com/tb/test_initramfs.cpio @@ -220,7 +224,7 @@ boot We've put those lines into a script, so it can be started with just: -``` +```bash chain http://boot.3mdeb/com/tb/test.ipxe ``` @@ -230,7 +234,7 @@ Feel free to test it on your box - it should work on all recent AMD platforms (starting from ~2007, but we haven't tested such old CPUs yet) with dTPM. Unfortunately, fTPM included in newer AMD CPUs is not good enough. -#### PCR values +### PCR values The initramfs used for testing has some BusyBox commands, but the most important for us is a binary from `tpm2-tools` - `tpm2_pcrread`: @@ -240,9 +244,9 @@ for us is a binary from `tpm2-tools` - `tpm2_pcrread`: These values are from apu2 platform, using the binaries from our server at the time of writing this post. Here's a short description of the values: -* PCRs 0-7 - these come from SRTM, and are of no interest right now. They depend +- PCRs 0-7 - these come from SRTM, and are of no interest right now. They depend on version of coreboot (or other firmware) used for starting the platform. -* PCRs 17-22 have initial values of all 1s (0xFFFF...), they are reset to 0s as +- PCRs 17-22 have initial values of all 1s (0xFFFF...), they are reset to 0s as a result of SKINIT instruction. They can be extended from a locality 2 or higher. - SKINIT sends a part of LZ (constant code and data part, not including data @@ -252,7 +256,7 @@ time of writing this post. Here's a short description of the values: - Kernel extends PCR18 with the hash of zero page (a set of data passed to kernel by a bootloader, such as command line and memory maps) and PCR17 with the hash of initrd -* All other PCRs are free to be used by a user +- All other PCRs are free to be used by a user The above rules mean that SHA256 should be checked e.g. by TPM sealing. PCR17 is constant for the same code base. PCR18 should be used with care, as it includes @@ -268,36 +272,38 @@ above, the rest of them may differ. They can be calculated by scripts from [Landing Zone repository](https://github.com/TrenchBoot/landing-zone). `extend_all.sh` should print proper SHA256, and `extend_lz_only.sh` - SHA1. -#### Troubleshooting +### Troubleshooting -###### Machine reboots immediately after jumping into kernel +#### Machine reboots immediately after jumping into kernel This usually means that the TPM is not found. Make sure it is connected and enabled in BIOS/UEFI setup menu. -###### PCRs 17-22 are all FFs +#### PCRs 17-22 are all FFs Firmware TPM (fTPM) was used instead of discrete TPM (dTPM). fTPM doesn't have means of changing the locality, so it cannot be used. Sometimes dTPM is used automatically if connected, but usually you have to explicitly choose it in BIOS menu. -###### PCRs have wrong values +#### PCRs have wrong values Most common wrong value is `31A2DC4C22F9C5444A41625D05F95898E055F750` for SHA1 of PCR17. It means that TPM extended a data stream of zero length (as in `/dev/null`). -> For SHA256 this would be `1C9ECEC90E28D2461650418635878A5C91E49F47586ECF75F2B0CBB94E897112`, -such value should also raise suspicion. +> For SHA256 this would be +> `1C9ECEC90E28D2461650418635878A5C91E49F47586ECF75F2B0CBB94E897112`, such value +> should also raise suspicion. This happens when the platform is in wrong state during SKINIT call. As part of preparing for SKINIT, the INIT signal is broadcasted to APs, after which it needs some time to propagate. We experimentally set this value to 2^16 CPU clock -cycles, because value of 1000 [suggested by AMD](https://www.amd.com/system/files/TechDocs/24593.pdf#G21.1091120) +cycles, because value of 1000 +[suggested by AMD](https://www.amd.com/system/files/TechDocs/24593.pdf#G21.1091120) was not enough. If this still happens on any platform, please let us know. -###### Unsupported device. The device is a TPM 1.2 +#### Unsupported device. The device is a TPM 1.2 Try `cat /sys/class/tpm/tpm0/device/pcrs` instead. Format of the output will be slightly different. TPM 1.2 does not require SHA256, in this case SHA1 PCR @@ -308,19 +314,20 @@ support don't hesitate to let us know. ## Summary -We hope that test presented here will be a fast and safe way of checking if -your platform is DRTM-ready. You won't have to go through the time-consuming -task of installing the new OS just to check whether it will work. It also -enables us to start a relatively safe* OS on the top of unknown -(assume unsafe) environment without too much preparation required. +We hope that test presented here will be a fast and safe way of checking if your +platform is DRTM-ready. You won't have to go through the time-consuming task of +installing the new OS just to check whether it will work. It also enables us to +start a relatively safe [1] OS on the top of unknown (assume unsafe) +environment without too much preparation required. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) - -> *) There are still some safety issues like using unmeasured ACPI code and a -whole lot of problems that can be caused by a malicious SMM code. Protection -against DMA attacks is also somewhat lacking at the moment, but we are working -on it. +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) + +> [1]) There are still some safety issues like using unmeasured ACPI code and a +> whole lot of problems that can be caused by a malicious SMM code. Protection +> against DMA attacks is also somewhat lacking at the moment, but we are working +> on it. diff --git a/blog/content/post/2020-06-17-qubes_summation.md b/blog/content/post/2020-06-17-qubes_summation.md index 4532c0a3..4324cb84 100644 --- a/blog/content/post/2020-06-17-qubes_summation.md +++ b/blog/content/post/2020-06-17-qubes_summation.md @@ -18,54 +18,51 @@ categories: - Security - Firmware - --- + The second Qubes OS and 3mdeb 'minisummit' is ahead of us. We have gone through four evenings of topics devoted to Qubes OS. It has been another fruitful and productive event, during which we have exchanged loads of knowledge and expertise. Below you will find list of topics, we have discussed with related videos and broad report of each day. +- 20.05 + + 1. Michał Żygowski: Qubes OS on modern AMD platform - + [recording](https://www.youtube.com/watch?v=Rw7rAPPyPPc&t=31s) + 2. Norbert Kamiński: Status fwupd/LVFS support for Qubes OS - + [recording](https://www.youtube.com/watch?v=o_IdERo3aiE&t=984s) + 3. AMA session - [recording](https://www.youtube.com/watch?v=BSGUcW6QDYU&t=1509s) + +- 28.05 + + 1. Piotr Król: SRTM for Qubes OS VMs - + [recording](https://www.youtube.com/watch?v=Eip5Rts6S2I&t=2s) + 2. Michał Żygowski: Anti Evil Maid for modern AMD UEFI-based platform - + [recording](https://youtu.be/rM0vRi6qABE?t=3) + 3. AMA session - [recording](https://youtu.be/rM0vRi6qABE?t=1904) + +- 04.06 + + 1. Piotr Król: DRTM for Qubes OS VMs - [recording](https://youtu.be/pZF-jyJWTE4) + 2. Michał Żygowski: Anti Evil Maid for Intel coreboot-based platform - + [recording](https://youtu.be/YE2FbFlszI4?t=9) + 3. AMA session - [recording](https://youtu.be/YE2FbFlszI4?t=1725) + +- 10.06 -* 20.05 - 1. Michał Żygowski: Qubes OS on modern AMD platform - * [recording](https://www.youtube.com/watch?v=Rw7rAPPyPPc&t=31s) - 2. Norbert Kamiński: Status fwupd/LVFS support for Qubes OS - * [recording](https://www.youtube.com/watch?v=o_IdERo3aiE&t=984s) - 3. AMA session - * [recording](https://www.youtube.com/watch?v=BSGUcW6QDYU&t=1509s) - -* 28.05 - 1. Piotr Król: SRTM for Qubes OS VMs - * [recording](https://www.youtube.com/watch?v=Eip5Rts6S2I&t=2s) - 2. Michał Żygowski: Anti Evil Maid for modern AMD UEFI-based platform - * [recording](https://youtu.be/rM0vRi6qABE?t=3) - 3. AMA session - * [recording](https://youtu.be/rM0vRi6qABE?t=1904) - -* 04.06 - 1. Piotr Król: DRTM for Qubes OS VMs - * [recording](https://youtu.be/pZF-jyJWTE4) - 2. Michał Żygowski: Anti Evil Maid for Intel coreboot-based platform - * [recording](https://youtu.be/YE2FbFlszI4?t=9) - 3. AMA session - * [recording](https://youtu.be/YE2FbFlszI4?t=1725) - -* 10.06 1. Frédéric Pierret: How to build Qubes? From components to operating system - overview - * [recording](https://www.youtube.com/watch?v=WYDfzg9T0MU) + overview -[recording](https://www.youtube.com/watch?v=WYDfzg9T0MU) 2. Marek Marczykowski-Górecki: Operating system testing, when it itself uses - virtual machines - * [recording](https://www.youtube.com/watch?v=kKGjtKa_zok) - 3. AMA session - * [recording](https://youtu.be/kKGjtKa_zok?t=2057) + virtual machines - [recording](https://www.youtube.com/watch?v=kKGjtKa_zok) + 3. AMA session - [recording](https://youtu.be/kKGjtKa_zok?t=2057) ### Qubes OS future: AMD SEV and fwupd/LVFS The first day of 'minisummit' gathered us around Qubes OS future: AMD SEV and fwupd/LVFS, where speakers were discussing projects based on Qubes OS. The -opening presentation dedicated to [Qubes OS on modern AMD platform](https://cloud.3mdeb.com/index.php/apps/files/?dir=/projects/3mdeb/conf_and_shows/QubesOS_3mdeb_minisummit_2020&fileid=247810#pdfviewer) +opening presentation dedicated to +[Qubes OS on modern AMD platform](https://shop.3mdeb.com/wp-content/uploads/2021/06/Qubes-on-modern-AMD-platform.pdf) was held by [Michał Żygowski](https://blog.3mdeb.com/authors/michal-zygowski/), Firmware Engineer in 3mdeb, Braswell SoC, PC Engines and Protectli maintainer in coreboot who has presented Qubes on SuperMicro M11SDV-4C-LN4F superserver @@ -81,10 +78,11 @@ Non-automatic Exits (NAE). After presentation, our specialists took the floor debating over host system protection, memory encryption on the BIOS level, XEN support and many more issues that can be found in the video above. -The second speaker was [Norbert Kamiński](https://blog.3mdeb.com/authors/norbert-kaminski/). -Junior Embedded Systems Engineer in 3mdeb and open-source contributor, who has +The second speaker was +[Norbert Kamiński](https://blog.3mdeb.com/authors/norbert-kaminski/). Junior +Embedded Systems Engineer in 3mdeb and open-source contributor, who has introduced us status of fwupd/LVFS support for Qubes OS. Starting with overall -informations about Firmware Update and Linux Vendor Firmware Service, Norbert +information about Firmware Update and Linux Vendor Firmware Service, Norbert described three layers of it’s architecture (system, session, internet) and explained how exactly works secure web service used by hardware vendors to upload firmware archives. He also presented fwupdmgr CLI, client tool for manual @@ -100,26 +98,26 @@ tool, services that provide proofs of reproducibility and many more. What we hope to do in the nearest future inside fwupd/LVFS is upstream of `qubes-fwupd` component to Qubes OS Project repository. - ### Different approaches of using RTMs in Qubes OS The second day of the 'minisummit' was devoted to different approaches of using RTMs in Qubes OS. [Piotr Król](https://blog.3mdeb.com/authors/piotr-krol/), -founder and Embedded Systems Consultant, has introduced [SRTM for Qubes OSVMs](https://www.slideshare.net/PiotrKrl/srtm-for-qubes-os-vms), covering feasibility and security of various -S-RTM implementations for Qubes OS virtual machines. Piotr has presented S-RTM, -giving practical use cases and explained how it is created on real hardware, -presenting ways of moving it to VMs. He described Xen stub domains and explained -how to enable TPM in QEMU, considering options of boot firmare, bootloaders, -operating systems and Xen version. We were broadly familiarised with -libtpm-based TPM emulator swtpm, Xen vTPMs and finally with assumptions and -future ideas for 3mdeb. Among Q&A questions specialists were debating over an -option for hosting QEMU emulation outside of QEMU and a general idea of TPM -inside VM. 3mdeb is looking for possible founding of S-RTM effort either through -the foundation, commercial agreement, or community effort. +founder and Embedded Systems Consultant, has introduced +[SRTM for Qubes OSVMs](https://www.slideshare.net/PiotrKrl/srtm-for-qubes-os-vms), +covering feasibility and security of various S-RTM implementations for Qubes OS +virtual machines. Piotr has presented S-RTM, giving practical use cases and +explained how it is created on real hardware, presenting ways of moving it to +VMs. He described Xen stub domains and explained how to enable TPM in QEMU, +considering options of boot firmware, bootloaders, operating systems and Xen +version. We were broadly familiarised with libtpm-based TPM emulator swtpm, Xen +vTPMs and finally with assumptions and future ideas for 3mdeb. Among Q&A +questions specialists were debating over an option for hosting QEMU emulation +outside of QEMU and a general idea of TPM inside VM. 3mdeb is looking for +possible founding of S-RTM effort either through the foundation, commercial +agreement, or community effort. [Michał Żygowski](https://blog.3mdeb.com/authors/michal-zygowski/) presented -[Anti Evil Maid for modern AMD UEFI-based -platform](https://cloud.3mdeb.com/index.php/apps/files/?dir=/projects/3mdeb/conf_and_shows/QubesOS_3mdeb_minisummit_2020&fileid=247810#pdfviewer), +[Anti Evil Maid for modern AMD UEFI-based platform](https://shop.3mdeb.com/wp-content/uploads/2021/06/Anti-Evil-Maid-for-modern-AMD-UEFI-based-platform.pdf), where he has explained what exactly Evil Maid attacks are and how can we protect ourselves from them with Qubes OS Anti-Evil-Maid. Michał presented the current status of AEM, explained what it provides and which attacks are still not @@ -133,41 +131,46 @@ Intel in AEM script and more. The third day was devoted to DRTM in Qubes OS – not only for Dom0 but also for VMs. [Piotr Król](https://blog.3mdeb.com/authors/piotr-krol/) has introduced [DRTM for Qubes OS VMs](https://www.slideshare.net/PiotrKrl/drtm-for-qubes-os-vms), - discussing the value and usage models of D-RTM implementation in Qubes OS. He - started presenting Root of Trust family discussing D-RTM and how does it differ - from S-RTM proceeding with an overview of boot process for Qubes OS with - Early/Late Launch scenario and Flicker session. Based on Flicker, Piotr has - proposed scenarios in which D-RTM may be used for: Platform Relaunch, Virtual - Machine Introspection technique and D-RTM, vTPM and D-RTM, Network booted vDLME - and Visual Trust level indicator for VMs. The presentation has ended with - future ideas, among others trusted system backups and migration, trusted - firmware update, dynamic RPC policy or secure storage. The broad discussion - covered among others the best way to re-establish trust in the platform. D-RTM - is a vast and complicated topic and requires much more education and - development. Our work related to [OpenDRTM for AMD using TrenchBoot](https://nlnet.nl/project/OpenDRTM/) -founded by NLnet should move the ecosystem forward, but we are still looking at -how to advance Intel-based solutions. There is also quite a lot of work in Xen -and Linux kernel. We believe that Qubes OS minisummit 2021 should cover -practical demos of TrenchBoot as a reference open source D-RTM implementation. - -The second speaker, [Michał Żygowski](https://blog.3mdeb.com/authors/michal-zygowski/) -has presented an [Anti-Evil-Maid for Intel coreboot-based platform](https://cloud.3mdeb.com/index.php/apps/files/?dir=/projects/3mdeb/conf_and_shows/QubesOS_3mdeb_minisummit_2020&fileid=247810#pdfviewer). +discussing the value and usage models of D-RTM implementation in Qubes OS. He +started presenting Root of Trust family discussing D-RTM and how does it differ +from S-RTM proceeding with an overview of boot process for Qubes OS with +Early/Late Launch scenario and Flicker session. Based on Flicker, Piotr has +proposed scenarios in which D-RTM may be used for: Platform Relaunch, Virtual +Machine Introspection technique and D-RTM, vTPM and D-RTM, Network booted vDLME +and Visual Trust level indicator for VMs. The presentation has ended with future +ideas, among others trusted system backups and migration, trusted firmware +update, dynamic RPC policy or secure storage. The broad discussion covered among +others the best way to re-establish trust in the platform. D-RTM is a vast and +complicated topic and requires much more education and development. Our work +related to +[OpenDRTM for AMD using TrenchBoot](https://nlnet.nl/project/OpenDRTM/) founded +by NLnet should move the ecosystem forward, but we are still looking at how to +advance Intel-based solutions. There is also quite a lot of work in Xen and +Linux kernel. We believe that Qubes OS minisummit 2021 should cover practical +demos of TrenchBoot as a reference open source D-RTM implementation. + +The second speaker, +[Michał Żygowski](https://blog.3mdeb.com/authors/michal-zygowski/) has presented +an +[Anti-Evil-Maid for Intel coreboot-based platform](https://shop.3mdeb.com/wp-content/uploads/2021/06/Anti-Evil-Maid-for-modern-AMD-UEFI-based-platform.pdf). Michał described what is needed for AEM to work on Intel processors, how Qubes -OS Anti-Evil Maid works, what are instalation steps, what troubleshooting steps +OS Anti-Evil Maid works, what are installation steps, what troubleshooting steps he himself had to go through to make AEM work, what is Intel TXT status in coreboot and how to enable Intel TXT on other hardware. ### Qubes OS testing and development – by Qubes core developers -On the last day of minisummit Qubes core developers took the floor. [Frédéric Pierret](https://www.qubes-os.org/team/), general packaging, CentOS and Fedora templates maintainer, explained how -to build Qubes: [from components to operating system overview](https://cloud.3mdeb.com/index.php/apps/files/?dir=/projects/3mdeb/conf_and_shows/QubesOS_3mdeb_minisummit_2020&fileid=247810#pdfviewer). +On the last day of minisummit Qubes core developers took the floor. +[Frédéric Pierret](https://www.qubes-os.org/team/), general packaging, CentOS +and Fedora templates maintainer, explained how to build Qubes: +[from components to operating system overview](https://cloud.3mdeb.com/index.php/s/aDX3csekLeAy6aM). The speaker described what is Qubes OS composed of, in terms of developing qubes (UX, Qubes, Isolation Provider Layer), presented the choice of Fedora as Dom0 and VMs side distributions overview. In the next step, Frederic has explained how Qubes OS developers are introducing new features, fixes, what tools do they use and develop, on the example of Qubes builder v.1 and v.2. - The last speaker, [Marek Marczykowski-Górecki](https://www.qubes-os.org/team/), +The last speaker, [Marek Marczykowski-Górecki](https://www.qubes-os.org/team/), Project lead in QubesOS has introduced operating system testing, when it itself uses virtual machines. Marek briefly presented how to test Qubes OS, by describing python unit tests and pytest frameworks, used inside Qubes OS with @@ -199,9 +202,11 @@ that events such as 'minisummit' are important and necessary. We have exchanged loads of knowledge and experience and we would like to meet again, on Qubes OS and 3mdeb 'minisummit' 2021. Thank you all once again. - If you think we can help in improving Qubes OS support for your hardware, help -you with Qubes OS certification on firmware level or you looking for someone -who can boost your product by leveraging advanced features of used hardware -platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us [email](mailto:contact3mdebcom). If you are interested in -similar content feel free to sign up to our [sign up to our newsletter](http://eepurl.com/doF8GX). +If you think we can help in improving Qubes OS support for your hardware, help +you with Qubes OS certification on firmware level or you looking for someone who +can boost your product by leveraging advanced features of used hardware +platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us [email](contact@3mdeb.com). If you are interested +in similar content feel free to sign up to our +[sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2020-06-24-dell-optiplex-port.md b/blog/content/post/2020-06-24-dell-optiplex-port.md index 7395415f..54751ca2 100644 --- a/blog/content/post/2020-06-24-dell-optiplex-port.md +++ b/blog/content/post/2020-06-24-dell-optiplex-port.md @@ -22,34 +22,34 @@ categories: --- -# Introduction +## Introduction 3mdeb Embedded Systems Consulting is a company that evangelizes open-source software on all levels. That includes the firmware, bootloaders, hypervisors, operating systems, and more. As befits a company promoting open-source, it should utilize open-source in daily lives. That is our hardware should run open and secure software whenever and wherever possible. Since the center of our -daily work is a workstation, it should meet our requirements in the first -place. Most of the employees' PCs in 3mdeb are either HP Compaq 8200 / 8300 -(Elite) or Dell OptiPlex 7010 / 9010. Because our company is a -[licensed coreboot consultant](https://www.coreboot.org/consulting.html), -it would be a shame for us to not have our hardware running coreboot. -While the [HP workstations are supported in coreboot](https://doc.coreboot.org/mainboard/hp/compaq_8200_sff.html) +daily work is a workstation, it should meet our requirements in the first place. +Most of the employees' PCs in 3mdeb are either HP Compaq 8200 / 8300 (Elite) or +Dell OptiPlex 7010 / 9010. Because our company is a +[licensed coreboot consultant](https://www.coreboot.org/consulting.html), it +would be a shame for us to not have our hardware running coreboot. While the +[HP workstations are supported in coreboot](https://doc.coreboot.org/mainboard/hp/compaq_8200_sff.html) the Dell machines are not (or rather weren't 1 year ago when I started my work with them). This fact was the only thing separating us from the dream of having all machines running open-source firmware. That's how my journey began. I hope you will enjoy reading this and the next posts from the series. -# Enabling mainboard support in coreboot +## Enabling mainboard support in coreboot HP Compaq 8200 Elite and Dell OptiPlex 7010 / 9010 are old, one would say. What is the gain from porting such outdated hardware, one would ask. There are three reasons (at least from my perspective): -- **profession fetish** (yeah well... when you work with hardware for some - time, you fall in love with it at some point to the extent that you want to - control your machine at every possible level, you want to play with it as - much as you can) +- **profession fetish** (yeah well... when you work with hardware for some time, + you fall in love with it at some point to the extent that you want to control + your machine at every possible level, you want to play with it as much as you + can) - **realize the company open-source firmware dream** - **these machines have 2nd / 3rd Gen Intel processors** which have native initialization support in coreboot, that means you can control whole boot @@ -66,42 +66,44 @@ made of such people. Being fully open-source is one thing, but the ease of enabling new hardware is unbelievable. coreboot developers created a Go utility that helps to port new -hardware to the project called [autoport](https://github.com/coreboot/coreboot/blob/master/util/autoport/readme.md). +hardware to the project called +[autoport](https://github.com/coreboot/coreboot/blob/master/util/autoport/readme.md). This tool is capable of creating a patch that should be already bootable and is ready to be upstreamed. What is more, the tool can generate CMOS runtime -configuration, native graphics initialization support, and even certain -Embedded Controller support. +configuration, native graphics initialization support, and even certain Embedded +Controller support. The first patches introducing the Dell OptiPlex 7010 / 9010 support in coreboot were generated by the autoport. There were two patchsets for the OptiPlex 7010: -- by Paul Menzel: https://review.coreboot.org/c/coreboot/+/25095/1 -- by Alexander Couzens (Lynxis): https://review.coreboot.org/c/coreboot/+/20239/1 +- by Paul Menzel: +- by Alexander Couzens (Lynxis): + -However, neither of them provided a booting implementation. 3mdeb Founder, -Piotr Król joined the porting effort at the end of 2018. But due to his limited -free time, lack of development machine (Piotr was testing on his own -workstation for daily jobs) and sudden lack of responses on the patchset, he -stopped soon after. At that time I though about taking over the effort. +However, neither of them provided a booting implementation. 3mdeb Founder, Piotr +Król joined the porting effort at the end of 2018. But due to his limited free +time, lack of development machine (Piotr was testing on his own workstation for +daily jobs) and sudden lack of responses on the patchset, he stopped soon after. +At that time I though about taking over the effort. -# Debugging booting problems +## Debugging booting problems -In the Q1 of 2019 I decided to buy a Dell OptiPlex 7010 / 9010 myself so I -could continue the porting efforts. I could not use any production workstation -from the office and this board has two SPI flashes what makes it hardware for +In the Q1 of 2019 I decided to buy a Dell OptiPlex 7010 / 9010 myself so I could +continue the porting efforts. I could not use any production workstation from +the office and this board has two SPI flashes what makes it hardware for development (need to switch the SPI clip or have two CS pins). Having an own machine made the development and debugging much easier. Fortunately I had a RaspberryPi 3 in stock which was able to drive 2 CS pins so I could quickly flash both chips. +### Dell OptiPlex 9010 flashing clips 10.03.2019 + ![Dell OptiPlex 9010 flashing clips 10.03.2019](/img/optiplex_clips.jpg) -
    __*Dell OptiPlex 9010 flashing clips 10.03.2019*__
    +### Dell OptiPlex 9010 flashing setup 10.03.2019 ![Dell OptiPlex 9010 flashing setup 10.03.2019](/img/optiplex_setup.jpg) -
    __*Dell OptiPlex 9010 flashing setup 10.03.2019*__
    - > The flash chips were so close to the CPU heatsink, that I had to remove it. > Watch out, the CPU overheats quickly, so this setup is only viable for > quick-flash testing (but for me it was more than enough to resolve most @@ -109,39 +111,40 @@ flash both chips. In the beginning, I tried to reproduce the problems mentioned in the patchsets, i.e. build a coreboot binary with SPI flash console - it is a debug messages -buffer in the BIOS flash written during the boot process. Allows gathering -debug information where the board has no other means of connecting a debug -hardware (serial port like RS232, LPC debug card or USB debug dongle). -Gathering the logs from SPI flash revealed some information, the board was -hanging at postcar stage loading (a stage after RAM initialization, that tears -the temporary memory environment down). The results were the same as obtained -by Piotr: http://paste.ubuntu.com/p/BztHbKNtVm/ +buffer in the BIOS flash written during the boot process. Allows gathering debug +information where the board has no other means of connecting a debug hardware +(serial port like RS232, LPC debug card or USB debug dongle). Gathering the logs +from SPI flash revealed some information, the board was hanging at postcar stage +loading (a stage after RAM initialization, that tears the temporary memory +environment down). The results were the same as obtained by Piotr: + One thing that came to my mind is that the SPI flash console may interfere with the boot process. So I have decided to change the debug interface. There were three other options for me: LPC debug card, USB serial debug or serial port debug. Only the last one was viable for me at that time, because I had no debug -card (and I would have to solder the LPC header) and FTDI USB dongle. To -achieve the goal, I looked for the Super I/O chip model on the board and the -datasheet for it. It occurred to be the SMSC SCH5545 (the same as one detected -by Lynxis in https://review.coreboot.org/c/coreboot/+/20238/1 ). -Unfortunately, there is no datasheet for this particular chip and it doesn't -figure in [Microchip product offer](https://www.microchip.com/design-centers/embedded-controllers-and-super-i-o/products/desktop-and-super-i-o). -As I have been informed later, the SMSC SCH55\*\* are a special design chips -for Dell, so obviously I would never find a datasheet for it. However, I could -use a [SCH5627 datasheet](http://ww1.microchip.com/downloads/en/DeviceDoc/00001996A.pdf). +card (and I would have to solder the LPC header) and FTDI USB dongle. To achieve +the goal, I looked for the Super I/O chip model on the board and the datasheet +for it. It occurred to be the SMSC SCH5545 (the same as one detected by Lynxis +in ). Unfortunately, there is +no datasheet for this particular chip and it doesn't figure in +[Microchip product offer](https://www.microchip.com/en-us/products/embedded-controllers-and-super-io/desktop-and-super-io). +As I have been informed later, the SMSC SCH55\*\* are a special design chips for +Dell, so obviously I would never find a datasheet for it. However, I could use a +[SCH5627 datasheet](http://ww1.microchip.com/downloads/en/DeviceDoc/00001996A.pdf). I had all the basic information needed to implement a driver to initialize the -serial port. Based on the [Lynixs' patchset](https://review.coreboot.org/c/coreboot/+/20238/1) -I have made the serial port working (although I had to fix some bugs, for -example to IO base address byte order was incorrect, thus the patch was not -working). Disabled SPI flash console in favor of the serial console, rebuilt -the coreboot image and burned on the flash, powered the machine on, and... it -worked! I have booted the machine up to the SeaBIOS! Prepared a Linux live -image quickly to check how it will behave with the operating system running. -Thankfully it didn't have any outstanding issues. - -## Summary +serial port. Based on the +[Lynixs' patchset](https://review.coreboot.org/c/coreboot/+/20238/1) I have made +the serial port working (although I had to fix some bugs, for example to IO base +address byte order was incorrect, thus the patch was not working). Disabled SPI +flash console in favor of the serial console, rebuilt the coreboot image and +burned on the flash, powered the machine on, and... it worked! I have booted the +machine up to the SeaBIOS! Prepared a Linux live image quickly to check how it +will behave with the operating system running. Thankfully it didn't have any +outstanding issues. + +### Summary That would conclude the bringup of the Dell OptiPlex 7010/9010 with coreboot. One would think that the port is almost complete (all that is left is the Super @@ -149,12 +152,13 @@ I/O support and code cleanups), but unfortunately not yet. One day a power cut occurred and the machine lost the AC power. When I tried to power the platform on, it was no longer booting. If you are wondering why the title calls this PC "cursed hardware", then know that the power loss booting problem was one of the -reasons why I used this term. If you are curious about the whole story then -stay tuned to the next blog posts from the series. There is also a free product +reasons why I used this term. If you are curious about the whole story then stay +tuned to the next blog posts from the series. There is also a free product incoming which would be ready-to-use binary for this hardware. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-07-03-dev_and_iommu.md b/blog/content/post/2020-07-03-dev_and_iommu.md index 3c5b9d93..efbe61c0 100644 --- a/blog/content/post/2020-07-03-dev_and_iommu.md +++ b/blog/content/post/2020-07-03-dev_and_iommu.md @@ -30,16 +30,16 @@ introduced in previous posts will not be repeated here. An important part of any trust chain is to make sure that the code that is run is the same code as was measured. This does not mean that the code must always -be read-only, it can be a self-modifying code (and usually is, mostly because -it performs some kind of relocation); it means that no external (as in: not +be read-only, it can be a self-modifying code (and usually is, mostly because it +performs some kind of relocation); it means that no external (as in: not measured) entity can change it, at least after the measurement is done. There are two main actors that can try to attack our TCB (Trusted Computing Base): -* DMA (Direct Memory Access), a mechanism that allows a device to directly +- DMA (Direct Memory Access), a mechanism that allows a device to directly read/write system memory without CPU intervention -* SMM (System Management Mode), a privileged mode that CPU enters after +- SMM (System Management Mode), a privileged mode that CPU enters after receiving System Management Interrupt (SMI). Privileged means that this mode is entered unconditionally after receiving SMI and is unrestricted in its code execution. Moreover execution of SMM handler is transparent to the OS or other @@ -49,11 +49,11 @@ Base): Today we will focus on the first one. > These two can change the code in a predictable way, so they are considered - useful for potential attackers. There are also different kinds of events that - can change the content of RAM in random and uncontrollable manner, such as - damaged hardware, bad power supply or spontaneous bit flips due to radiation. - Keep the last one in mind especially if you plan to send your platform to the - outer space :) +> useful for potential attackers. There are also different kinds of events that +> can change the content of RAM in random and uncontrollable manner, such as +> damaged hardware, bad power supply or spontaneous bit flips due to radiation. +> Keep the last one in mind especially if you plan to send your platform to the +> outer space :) ## DEV @@ -72,7 +72,8 @@ dropped, a Master Abort error response will be returned in both cases. Crude, but effective. DEV is (mostly) no longer supported in newer CPUs, even though it is still -described in the most recent AMD [Architecture Programmer’s Manual](https://www.amd.com/system/files/TechDocs/24593.pdf), +described in the most recent AMD +[Architecture Programmer’s Manual](https://www.amd.com/system/files/TechDocs/24593.pdf), with no indication that it is obsolete. It didn't go out with a bang, it just slowly faded away giving way to the more all-rounded solution - the IOMMU. @@ -85,10 +86,11 @@ remap physical addresses between CPU and peripheral devices, control access to those memory regions (separate read and write permissions) and remap interrupts. > It also has additional capabilities relevant for virtualisation, which are out - of scope for this blog post. +> of scope for this blog post. IOMMU is way more powerful than DEV was, but it is also proportionally more -complicated to set up - as a rough estimate, [IOMMU specification](https://developer.amd.com/wp-content/resources/48882_IOMMU_3.05_PUB.pdf) +complicated to set up - as a rough estimate, +[IOMMU specification](https://developer.amd.com/wp-content/resources/48882_IOMMU_3.05_PUB.pdf) is 278 pages long, where DEV description fits in less than 9 pages of the Pacifica specification mentioned earlier. It also needs to be set up by the firmware, so check your BIOS/UEFI settings. @@ -108,23 +110,23 @@ DMA. Both Pacifica and APM under a chapter describing DEV have a section called `Secure Initialization Support` with identical text, starting with: > The host bridge contains additional logic that operates in conjunction with - the SKINIT instruction to provide a limited form of memory protection during - the secure startup protocol. This provides protection for a Secure Loader - image in memory, allowing it to, among other things, set up full DEV - protection. (...) - The host bridge logic includes a hidden (not accessible to software) - SL_DEV_BASE address register. SL_DEV_BASE points to a 64KB-aligned 64KB region - of physical memory. When SL_DEV_EN is 1, the 64KB region defined by - SL_DEV_BASE is protected from external access (as if it were protected by the - DEV). - -First of all, starting from [AMD Family 15h](https://www.amd.com/system/files/TechDocs/42300_15h_Mod_10h-1Fh_BKDG.pdf) +> the SKINIT instruction to provide a limited form of memory protection during +> the secure startup protocol. This provides protection for a Secure Loader +> image in memory, allowing it to, among other things, set up full DEV +> protection. (...) The host bridge logic includes a hidden (not accessible to +> software) SL_DEV_BASE address register. SL_DEV_BASE points to a 64KB-aligned +> 64KB region of physical memory. When SL_DEV_EN is 1, the 64KB region defined +> by SL_DEV_BASE is protected from external access (as if it were protected by +> the DEV). + +First of all, starting from +[AMD Family 15h](https://www.amd.com/system/files/TechDocs/42300_15h_Mod_10h-1Fh_BKDG.pdf) processors full DEV protection is not implemented, only a single register for SL_DEV_EN and a few other bits exists (search for D18F3xF4 in that document). In Family 17h CPUs this register doesn't even exist, the SKINIT protection is controlled by another register, not described in publicly available documentation. What's more, this register holds both the enable bit as well as -the base address of protected region, so it *is* accessible to software. +the base address of protected region, so it _is_ accessible to software. To summarise the state we are in after SKINIT: SLB is protected by DEV-like protection by DMA accesses, there are no interrupts, no one can touch us and we @@ -136,21 +138,21 @@ order: 1. protect the memory containing the code from external access (DMA), so there is no window for changes between steps 2 and 3 (TOCTOU) -2. measure the code and extend appropriate PCR -3. jump to the code +1. measure the code and extend appropriate PCR +1. jump to the code > Every piece of data that can impact the execution should also be measured. In - case of LZ, kernel's *zero page*, also known as *boot_params*, is an example - of such data. We deliberately do not measure it in LZ, as it must be done - later, in the kernel code on Intel's TXT version of TrenchBoot - the ACM does - not measure it, and this behaviour cannot be changed because ACM is closed - source binary signed by Intel. This way we can minimise the amount of - differences between these two vendors. Memory is already protected by the time - we access any data from that page, and we use it to obtain the kernel base - address and size (so any modifications would result in different hash of the - kernel's code), and its entry point, which must be located inside the measured - part and it is tested by the LZ code. It shouldn't impact the security because - of these assertions, but feel free to prove us wrong. +> case of LZ, kernel's _zero page_, also known as _boot_params_, is an example +> of such data. We deliberately do not measure it in LZ, as it must be done +> later, in the kernel code on Intel's TXT version of TrenchBoot - the ACM does +> not measure it, and this behaviour cannot be changed because ACM is closed +> source binary signed by Intel. This way we can minimise the amount of +> differences between these two vendors. Memory is already protected by the time +> we access any data from that page, and we use it to obtain the kernel base +> address and size (so any modifications would result in different hash of the +> kernel's code), and its entry point, which must be located inside the measured +> part and it is tested by the LZ code. It shouldn't impact the security because +> of these assertions, but feel free to prove us wrong. As full DEV protection is not supported on newer platforms, so we have to go with the IOMMU. The initial protection of SLB is still in place, so it should be @@ -158,12 +160,14 @@ turned off after the memory access permissions are properly set up in the IOMMU. ### Where's the catch? -This comes down to just two sentences, one comes from the [APM](https://www.amd.com/system/files/TechDocs/24593.pdf#G21.1090402): +This comes down to just two sentences, one comes from the +[APM](https://www.amd.com/system/files/TechDocs/24593.pdf#G21.1090402): > When SL_DEV_EN is 1, the 64KB region defined by SL_DEV_BASE is protected from - external access (as if it were protected by the DEV) (...). +> external access (as if it were protected by the DEV) (...). -and the second one from the [IOMMU specification](https://developer.amd.com/wp-content/resources/48882_IOMMU_3.05_PUB.pdf#G10.2641308): +and the second one from the +[IOMMU specification](https://developer.amd.com/wp-content/resources/48882_IOMMU_3.05_PUB.pdf#G10.2641308): > The IOMMU is implemented as an independent PCI Function. @@ -175,7 +179,7 @@ master abort errors when trying to access them. This is not good... Two relatively simple solutions come to mind: 1. put the relevant tables outside of SLB, or -2. put the tables inside the SLB and disable DEV before enabling IOMMU. +1. put the tables inside the SLB and disable DEV before enabling IOMMU. Both of these ideas leave a time window in which memory holding what will become the IOMMU tables is not protected against DMA attacks. If during that window a @@ -212,7 +216,8 @@ printing through UART probably delays execution long enough already. The following tests were run on apu2, Fam17h does not support (or disables?) legacy ISA DMA. They use a variation of what is described under memory to memory DMA [here](http://www.osdever.net/tutorials/view/how-to-program-the-dma). Code -for the final test can be found [here](https://github.com/3mdeb/landing-zone/tree/test_iommu). +for the final test can be found +[here](https://github.com/3mdeb/landing-zone/tree/test_iommu). As a proof that **SLB DEV-like protection works** we took the fact that IOMMU is unable to read it, it is not possible to test it with the same ISA DMA engine @@ -222,33 +227,33 @@ after the whole test. All of these tests were performed from inside LZ, so after SKINIT instruction. As a general rule, we tried to do the simplest possible protection, which is "deny all DMA". -##### Test 1 (pass) +#### Test 1 (pass) Starting from cold boot, the following sequence was done: 1. enable IOMMU with tables inside SLB, the tables were set to block all DMA, -2. disable SLB protection, -3. enable IOMMU again using the same tables. +1. disable SLB protection, +1. enable IOMMU again using the same tables. DMA was possible only before point 1. We are only concerned with DMA between points 2 and 3, so this proves that the default IOMMU settings used when it cannot read the proper ones are safe. This test is a pass. -##### Test 2 (pass) +#### Test 2 (pass) The same as above, but starting with warm reboot. Results were exactly the same. -##### Test 3 (pass) +#### Test 3 (pass) Starting either from cold boot or reboot: 1. enable IOMMU with tables inside SLB, the tables were set to **allow** DMA, -2. disable SLB protection, -3. enable IOMMU again using the same tables, -4. reboot and do SKINIT again, with different LZ image, -5. enable IOMMU with tables inside SLB, the tables were set to **block** DMA, -6. disable SLB protection, -7. enable IOMMU again using the same tables. +1. disable SLB protection, +1. enable IOMMU again using the same tables, +1. reboot and do SKINIT again, with different LZ image, +1. enable IOMMU with tables inside SLB, the tables were set to **block** DMA, +1. disable SLB protection, +1. enable IOMMU again using the same tables. The critical point in this test is between points 6 and 7. DMA is allowed before the first point and after points 3 and 4. It is blocked starting with point 5, @@ -257,16 +262,16 @@ so this test is also a pass. From the above we can conclude that either IOMMU always does a fallback to safe values when it cannot access its tables or every reboot clears the cache. To differentiate between those two we need to test it without a reboot in between -the *allow* and *block* settings. +the _allow_ and _block_ settings. -##### Test 4 (fail) +#### Test 4 (fail) For this test it also doesn't matter whether we start from a cold boot or not. 1. enable IOMMU with tables outside of SLB, tables set to **allow** DMA, -2. enable IOMMU with tables inside SLB, tables set to **block** DMA, -3. disable SLB protection, -4. enable IOMMU again using the same tables. +1. enable IOMMU with tables inside SLB, tables set to **block** DMA, +1. disable SLB protection, +1. enable IOMMU again using the same tables. In this case DMA **is possible** between points 3 and 4. This happens because cache is invalidated in 1, but not in 2 - the IOMMU is unable to read the @@ -304,6 +309,7 @@ after SKINIT. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-07-03-trenchboot-grub-cbfs.md b/blog/content/post/2020-07-03-trenchboot-grub-cbfs.md index 5236f904..e3c9e6be 100644 --- a/blog/content/post/2020-07-03-trenchboot-grub-cbfs.md +++ b/blog/content/post/2020-07-03-trenchboot-grub-cbfs.md @@ -21,7 +21,7 @@ categories: --- -If you haven't read previous blog posts from *TrenchBoot* series, we strongly +If you haven't read previous blog posts from _TrenchBoot_ series, we strongly encourage to catch up on it. Best way, is to search under [TrenchBoot](https://blog.3mdeb.com/tags/trenchboot/) tag. In this article, we want to show what changes have been made in GRUB and what was our motivation to @@ -33,8 +33,8 @@ examples and verification procedures. ## GRUB additional feature - CBFS and LZMA support Before moving to essential part of GRUB development, first you need to -understand what stands behind **CBFS** and **LZMA**. *CBFS* stands for *coreboot -filesystem* and it is 'kind of layout' in which every coreboot's binary file is +understand what stands behind **CBFS** and **LZMA**. _CBFS_ stands for _coreboot +filesystem_ and it is 'kind of layout' in which every coreboot's binary file is organized. As name might be misleading, it is **not actual filesystem**. It only describes what components in what order should be presented in SPI Flash (if it is flashed with coreboot of course). With such unification, it is much easier @@ -68,9 +68,9 @@ coreboot image and decompress any LZMA-compressed components. ### GRUB features verification -As every requirement, this one can also be validated by you. Before -GRUB verification, first we need to preapre special coreboot image and update -GRUB package to have additional features included. +As every requirement, this one can also be validated by you. Before GRUB +verification, first we need to prepare special coreboot image and update GRUB +package to have additional features included. Hardware and firmware specification which we are using for test: @@ -78,8 +78,8 @@ Hardware and firmware specification which we are using for test: - coreboot v4.12.0.2 - NixOS operating system ->We don't ensure valid test results if you don't have exactly the same -configuration and environment as above. +> We don't ensure valid test results if you don't have exactly the same +> configuration and environment as above. Procedure is divided into 3 sections: @@ -98,283 +98,283 @@ can use `cbfstool` utility. It is available with coreboot repository, in repository for apu platforms. To prepare image with custom text file, follow the procedure below. -1. Download latest coreboot release from [github.io](https://pcengines.github.io/) - - ``` - $ wget https://3mdeb.com/open-source-firmware/pcengines/apu2/apu2_v4.12.0.2.rom -O apu2_v4.12.0.2.rom - ``` - - > At time of writing this blog post, v4.12.0.2.rom was latest release - -2. Clone -[pcengines/coreboot](https://github.com/pcengines/coreboot/tree/develop/) -repository. - - ``` - $ git clone https://github.com/pcengines/coreboot -b develop - ``` - -3. Enter `coreboot/util/cbfstool` directory and build `cbfstool`. - - ``` - $ cd coreboot/util/cbfstool - $ make - ``` - - If built was successful, there should be executable file `./cbfstool` - available. - -4. Create text file with any content you wish. - - Only limitation here is to have long enough content, so LZMA will be done. - If file is too short (e.g. it contains only one sentence), most probably - LZMA will produce a file bigger than the original (because of the - compression header and dictionary) and `cbfstool` will choose the - uncompressed form instead. So make sure to have big enough file, but not too - big though. Name the file `test-file.txt`. - -5. Add previously made text file to coreboot image. - - To achieve this, we will use `cbfstool`. First check layout of original - coreboot image. Usage is `./cbfstool print`. - - ``` - $ cd coreboot/util/cbfstool - $ ./cbfstool ../../../apu2_v4.12.0.2.rom print - FMAP REGION: COREBOOT - Name Offset Type Size Comp - cbfs master header 0x0 cbfs header 32 none - fallback/romstage 0x80 stage 21644 none - config 0x5580 raw 963 none - revision 0x5980 raw 673 none - spd.bin 0x5c80 spd 256 none - bootorder 0x5dc0 raw 4096 none - fallback/ramstage 0x6e00 stage 72787 none - fallback/dsdt.aml 0x18ac0 raw 7098 none - fallback/postcar 0x1a700 stage 16856 none - fallback/payload 0x1e940 simple elf 49499 none - payload_config 0x2ab00 raw 1571 none - payload_revision 0x2b180 raw 237 none - bootorder_map 0x2b2c0 raw 153 none - bootorder_def 0x2b3c0 raw 611 none - etc/boot-menu-key 0x2b680 raw 8 none - etc/boot-menu-wait 0x2b700 raw 8 none - etc/boot-menu-message 0x2b780 raw 48 none - img/memtest 0x2b800 simple elf 60495 none - img/setup 0x3a480 simple elf 38882 none - genroms/pxe.rom 0x43cc0 raw 83456 none - etc/sercon-port 0x58300 raw 8 none - (empty) 0x58340 null 5929560 none - AGESA 0x5ffdc0 raw 504032 none - (empty) 0x67af00 null 675480 none - apu/amdfw 0x71fdc0 raw 239872 none - (empty) 0x75a700 null 644760 none - bootblock 0x7f7dc0 bootblock 32768 none - ``` - - >As you can see there is no section named `test-file` yet. - - Add text file to `apu2_v4.12.0.2.rom`. Assuming text file name is - `test-file.txt` command is as follow: - `./cbfstool add -f -n test-file -t raw -c lzma` - - ``` - $ cd coreboot/util/cbfstool - $ ./cbfstool ../../../apu2_v4.12.0.2.rom add -f ../../../test-file.txt -n test-file -t raw -c lzma - ``` - - Check layout of modified file once again. - - ``` - $ cd coreboot/util/cbfstool - $ ./cbfstool ../../../apu2_v4.12.0.2.rom print - FMAP REGION: COREBOOT - Name Offset Type Size Comp - cbfs master header 0x0 cbfs header 32 none - fallback/romstage 0x80 stage 21644 none - config 0x5580 raw 963 none - revision 0x5980 raw 673 none - spd.bin 0x5c80 spd 256 none - bootorder 0x5dc0 raw 4096 none - fallback/ramstage 0x6e00 stage 72787 none - fallback/dsdt.aml 0x18ac0 raw 7098 none - fallback/postcar 0x1a700 stage 16856 none - fallback/payload 0x1e940 simple elf 49499 none - payload_config 0x2ab00 raw 1571 none - payload_revision 0x2b180 raw 237 none - bootorder_map 0x2b2c0 raw 153 none - bootorder_def 0x2b3c0 raw 611 none - etc/boot-menu-key 0x2b680 raw 8 none - etc/boot-menu-wait 0x2b700 raw 8 none - etc/boot-menu-message 0x2b780 raw 48 none - img/memtest 0x2b800 simple elf 60495 none - img/setup 0x3a480 simple elf 38882 none - genroms/pxe.rom 0x43cc0 raw 83456 none - etc/sercon-port 0x58300 raw 8 none - test-file 0x58340 raw 584 LZMA (2067 decompressed) - (empty) 0x585c0 null 5928920 none - AGESA 0x5ffdc0 raw 504032 none - (empty) 0x67af00 null 675480 none - apu/amdfw 0x71fdc0 raw 239872 none - (empty) 0x75a700 null 644760 none - bootblock 0x7f7dc0 bootblock 32768 none - ``` - - > There should be `test-file` section added with `LZMA` description in - compressed column. - -6. Flash your platform with prepared image. - - Now you have properly prepared firmware, on which further verification can - be performed. +1. Download latest coreboot release from + [github.io](https://pcengines.github.io/) + + ```bash + wget https://3mdeb.com/open-source-firmware/pcengines/apu2/apu2_v4.12.0.2.rom -O apu2_v4.12.0.2.rom + ``` + + > At time of writing this blog post, v4.12.0.2.rom was latest release + +1. Clone + [pcengines/coreboot](https://github.com/pcengines/coreboot/tree/develop/) + repository. + + ```bash + git clone https://github.com/pcengines/coreboot -b develop + ``` + +1. Enter `coreboot/util/cbfstool` directory and build `cbfstool`. + + ```bash + cd coreboot/util/cbfstool + make + ``` + + If built was successful, there should be executable file `./cbfstool` + available. + +1. Create text file with any content you wish. + + Only limitation here is to have long enough content, so LZMA will be done. If + file is too short (e.g. it contains only one sentence), most probably LZMA + will produce a file bigger than the original (because of the compression + header and dictionary) and `cbfstool` will choose the uncompressed form + instead. So make sure to have big enough file, but not too big though. Name + the file `test-file.txt`. + +1. Add previously made text file to coreboot image. + + To achieve this, we will use `cbfstool`. First check layout of original + coreboot image. Usage is `./cbfstool print`. + + ```bash + $ cd coreboot/util/cbfstool + $ ./cbfstool ../../../apu2_v4.12.0.2.rom print + FMAP REGION: COREBOOT + Name Offset Type Size Comp + cbfs master header 0x0 cbfs header 32 none + fallback/romstage 0x80 stage 21644 none + config 0x5580 raw 963 none + revision 0x5980 raw 673 none + spd.bin 0x5c80 spd 256 none + bootorder 0x5dc0 raw 4096 none + fallback/ramstage 0x6e00 stage 72787 none + fallback/dsdt.aml 0x18ac0 raw 7098 none + fallback/postcar 0x1a700 stage 16856 none + fallback/payload 0x1e940 simple elf 49499 none + payload_config 0x2ab00 raw 1571 none + payload_revision 0x2b180 raw 237 none + bootorder_map 0x2b2c0 raw 153 none + bootorder_def 0x2b3c0 raw 611 none + etc/boot-menu-key 0x2b680 raw 8 none + etc/boot-menu-wait 0x2b700 raw 8 none + etc/boot-menu-message 0x2b780 raw 48 none + img/memtest 0x2b800 simple elf 60495 none + img/setup 0x3a480 simple elf 38882 none + genroms/pxe.rom 0x43cc0 raw 83456 none + etc/sercon-port 0x58300 raw 8 none + (empty) 0x58340 null 5929560 none + AGESA 0x5ffdc0 raw 504032 none + (empty) 0x67af00 null 675480 none + apu/amdfw 0x71fdc0 raw 239872 none + (empty) 0x75a700 null 644760 none + bootblock 0x7f7dc0 bootblock 32768 none + ``` + + > As you can see there is no section named `test-file` yet. + + Add text file to `apu2_v4.12.0.2.rom`. Assuming text file name is + `test-file.txt` command is as follow: + + ```bash + cd coreboot/util/cbfstool + ./cbfstool ../../../apu2_v4.12.0.2.rom add -f ../../../test-file.txt -n test-file -t raw -c lzma + ``` + + Check layout of modified file once again. + + ```bash + $ cd coreboot/util/cbfstool + $ ./cbfstool ../../../apu2_v4.12.0.2.rom print + FMAP REGION: COREBOOT + Name Offset Type Size Comp + cbfs master header 0x0 cbfs header 32 none + fallback/romstage 0x80 stage 21644 none + config 0x5580 raw 963 none + revision 0x5980 raw 673 none + spd.bin 0x5c80 spd 256 none + bootorder 0x5dc0 raw 4096 none + fallback/ramstage 0x6e00 stage 72787 none + fallback/dsdt.aml 0x18ac0 raw 7098 none + fallback/postcar 0x1a700 stage 16856 none + fallback/payload 0x1e940 simple elf 49499 none + payload_config 0x2ab00 raw 1571 none + payload_revision 0x2b180 raw 237 none + bootorder_map 0x2b2c0 raw 153 none + bootorder_def 0x2b3c0 raw 611 none + etc/boot-menu-key 0x2b680 raw 8 none + etc/boot-menu-wait 0x2b700 raw 8 none + etc/boot-menu-message 0x2b780 raw 48 none + img/memtest 0x2b800 simple elf 60495 none + img/setup 0x3a480 simple elf 38882 none + genroms/pxe.rom 0x43cc0 raw 83456 none + etc/sercon-port 0x58300 raw 8 none + test-file 0x58340 raw 584 LZMA (2067 decompressed) + (empty) 0x585c0 null 5928920 none + AGESA 0x5ffdc0 raw 504032 none + (empty) 0x67af00 null 675480 none + apu/amdfw 0x71fdc0 raw 239872 none + (empty) 0x75a700 null 644760 none + bootblock 0x7f7dc0 bootblock 32768 none + ``` + + > There should be `test-file` section added with `LZMA` description in + > compressed column. + +1. Flash your platform with prepared image. + + Now you have properly prepared firmware, on which further verification can be + performed. #### GRUB package update 1. Update `nixpkgs` repository. - It is assumed that you have already downloaded custom - [3mdeb/nixpkg](https://github.com/3mdeb/nixpkgs) repository to your NixOS. - If yes, then go to `nixpkgs/` directory and pull latest changes. Change - branch to `grub_cbfs_lzma`. + It is assumed that you have already downloaded custom + [3mdeb/nixpkg](https://github.com/3mdeb/nixpkgs) repository to your NixOS. If + yes, then go to `nixpkgs/` directory and pull latest changes. Change branch + to `grub_cbfs_lzma`. - ``` - $ cd ~/nixpkgs/ - $ git pull - $ git checkout grub_cbfs_lzma - ``` + ```bash + cd ~/nixpkgs/ + git pull + git checkout grub_cbfs_lzma + ``` -2. Rebuild NixOS to apply changes. +1. Rebuild NixOS to apply changes. - ``` - $ sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs - building Nix... - building the system configuration... - (...) - updating GRUB 2 menu... - installing the GRUB 2 boot loader on /dev/sda... - Installing for i386-pc platform. - Installation finished. No error reported. - ``` + ```bash + $ sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs + building Nix... + building the system configuration... + (...) + updating GRUB 2 menu... + installing the GRUB 2 boot loader on /dev/sda... + Installing for i386-pc platform. + Installation finished. No error reported. + ``` - > There should be `updating GRUB 2 menu...` log after above command. It - indicates that grub has been updated. + > There should be `updating GRUB 2 menu...` log after above command. It + > indicates that grub has been updated. -3. Reboot system and check if you can boot to NixOS via `Secure Launch` entry. +1. Reboot system and check if you can boot to NixOS via `Secure Launch` entry. - ``` - $ reboot - ``` + ```bash + reboot + ``` -If GRUB update procedure went well, we can move on to *GRUB CBFS and LZMA -support* verification. +If GRUB update procedure went well, we can move on to _GRUB CBFS and LZMA +support_ verification. #### GRUB CBFS and LZMA support verification 1. Reboot platform and go to GRUB menu. - ``` - $ reboot - (...) - - *NixOS - Default - NixOS - Secure Launch - NixOS - All configurations - - Press enter to boot the selected OS, `e' to edit the commands - before booting or `c' for a command-line. - ``` - -2. Press `c` to enter command-line. Do not boot to NixOS. - - ``` - Minimal BASH-like line editing is supported. For the first word, TAB - lists possible command completions. Anywhere else TAB lists possible - device or file completions. ESC at any time exits. - - grub> - ``` - -3. Load necessary modules for CBFS and LZMA support. - - ``` - grub> insmod /boot/grub/i386-pc/lzma.mod - grub> insmod /boot/grub/i386-pc/cbfs.mod - ``` - -4. Check if `(cbfsdisk)` is seen by GRUB. - - ``` - grub> ls - (cbfsdisk) (hd0) (hd0,msdos2) (hd0,msdos1) (hd1) (hd1,msdos5) (hd1,msdos1) (hd2 - ) (hd3) (hd4) (hd4,msdos5) (hd4,msdos1) - ``` - - >`cbfsdisk` is your SPI flash and coreboot binary file itself. - -5. Check `cbfsdisk` layout. - - ``` - grub> ls (cbfsdisk)/ - - cbfs master header fallback/ config revision bootorder_map bootorder fallback/ - spd.bin fallback/ payload_config payload_revision bootorder_def etc/ img/ - genroms/ etc/ test-file AGESA apu/ bootblock - ``` - - Although components are not presented in listed form, check if content above - is exactly the same as previously checked with `cbfstool`. Especially, look - for added `test-file`. If content is verified by you, it means that **GRUB - supports CBFS**. - -6. Decompress `test-file` from `cbfsdisk`. - - ``` - grub> cat (cbfsdisk)/test-file - First part of file: - If you can read this, then it is the proof that grub LZMA decompression works c - orrectly. - If you can read this, then it is the proof that grub LZMA decompression works c - orrectly. - If you can read this, then it is the proof that grub LZMA decompression works c - orrectly. - If you can read this, then it is the proof that grub LZMA decompression works c - orrectly. - If you can read this, then it is the proof that grub LZMA decompression works c - orrectly. - If you caan read this, then it is the proof that grub LZMA decompression works c - orrectly. - If you can read this, then it is the proof that grub LZMA decompression works c - orrectly. - Second part: - It is the second part of file, just to have something else besides one repeated - sentence. - It is the second part of file, just to have something else besides one repeated - sentence. - It is the second part of file, just to have something else besides one repeated - sentence. - It is the second part of file, just to have something else besides one repeated - sentence. - It is the second part of file, just to have something else besides one repeated - sentence. - It is the second part of file, just to have something else besides one repeated - sentence. - It is the second part of file, just to have something else besides one repeated - sentence. - Third part: - Lorem ipsum dolor sit amet, consectetur adipiscing elit. Proin nibh augue, susc - ipit a, scelerisque sed, lacinia in, mi. Cras vel lorem. Etiam pellentesque ali - quet tellus. Phasellus pharetra nullla ac diam. Quisque semper justo at risus. D - onec venenatis, turpis vel hendrerit interdum, dui ligula ultricies purus, sed - posuere libero dui id orci. Nam congue, pede vitae dapibus aliquet, elit magna - vulputate arcu, vel tempus metus leo non est. Etiam sit amet lectus quis est co - ngue mollis. Phasellus congue lacus eget neque. Phasellus ornare, ante vitae co - nsectetuer consequat, purus sapien ultricies dolor, et mollis pede metus eget n - isi. Praesent sodales velit quis augue. Cras suscipit, urna at aliquuam rhoncus, - urna quam viverra nisi, in interdum massa nibh nec erat. - ``` - - If the content of above command is exactly the same as your `test-file.txt`, - then it means that **GRUB supports LZMA decompression of CBFS file** + ```bash + $ reboot + (...) + + *NixOS - Default + NixOS - Secure Launch + NixOS - All configurations + + Press enter to boot the selected OS, `e' to edit the commands + before booting or `c' for a command-line. + ``` + +1. Press `c` to enter command-line. Do not boot to NixOS. + + ```bash + Minimal BASH-like line editing is supported. For the first word, TAB + lists possible command completions. Anywhere else TAB lists possible + device or file completions. ESC at any time exits. + + grub> + ``` + +1. Load necessary modules for CBFS and LZMA support. + + ```bash + grub> insmod /boot/grub/i386-pc/lzma.mod + grub> insmod /boot/grub/i386-pc/cbfs.mod + ``` + +1. Check if `(cbfsdisk)` is seen by GRUB. + + ```bash + grub> ls + (cbfsdisk) (hd0) (hd0,msdos2) (hd0,msdos1) (hd1) (hd1,msdos5) (hd1,msdos1) (hd2 + ) (hd3) (hd4) (hd4,msdos5) (hd4,msdos1) + ``` + + > `cbfsdisk` is your SPI flash and coreboot binary file itself. + +1. Check `cbfsdisk` layout. + + ```bash + grub> ls (cbfsdisk)/ + + cbfs master header fallback/ config revision bootorder_map bootorder fallback/ + spd.bin fallback/ payload_config payload_revision bootorder_def etc/ img/ + genroms/ etc/ test-file AGESA apu/ bootblock + ``` + + Although components are not presented in listed form, check if content above + is exactly the same as previously checked with `cbfstool`. Especially, look + for added `test-file`. If content is verified by you, it means that **GRUB + supports CBFS**. + +1. Decompress `test-file` from `cbfsdisk`. + + ```bash + grub> cat (cbfsdisk)/test-file + First part of file: + If you can read this, then it is the proof that grub LZMA decompression works c + orrectly. + If you can read this, then it is the proof that grub LZMA decompression works c + orrectly. + If you can read this, then it is the proof that grub LZMA decompression works c + orrectly. + If you can read this, then it is the proof that grub LZMA decompression works c + orrectly. + If you can read this, then it is the proof that grub LZMA decompression works c + orrectly. + If you caan read this, then it is the proof that grub LZMA decompression works c + orrectly. + If you can read this, then it is the proof that grub LZMA decompression works c + orrectly. + Second part: + It is the second part of file, just to have something else besides one repeated + sentence. + It is the second part of file, just to have something else besides one repeated + sentence. + It is the second part of file, just to have something else besides one repeated + sentence. + It is the second part of file, just to have something else besides one repeated + sentence. + It is the second part of file, just to have something else besides one repeated + sentence. + It is the second part of file, just to have something else besides one repeated + sentence. + It is the second part of file, just to have something else besides one repeated + sentence. + Third part: + Lorem ipsum dolor sit amet, consectetur adipiscing elit. Proin nibh augue, susc + ipit a, scelerisque sed, lacinia in, mi. Cras vel lorem. Etiam pellentesque ali + quet tellus. Phasellus pharetra nullla ac diam. Quisque semper justo at risus. D + onec venenatis, turpis vel hendrerit interdum, dui ligula ultricies purus, sed + posuere libero dui id orci. Name congue, pede vitae dapibus aliquet, elit magna + vulputate arcu, vel tempus metus leo non est. Etiam sit amet lectus quis est co + ngue mollis. Phasellus congue lacus eget neque. Phasellus ornare, ante vitae co + nsectetuer consequat, purus sapien ultricies dolor, et mollis pede metus eget n + isi. Praesent sodales velit quis augue. Cras suscipit, urna at aliquuam rhoncus, + urna quam viverra nisi, in interdum massa nibh nec erat. + ``` + + If the content of above command is exactly the same as your `test-file.txt`, + then it means that **GRUB supports LZMA decompression of CBFS file** ## TPM event log @@ -403,11 +403,12 @@ implemented. Where those logs are? The answer is **DRTM ACPI table**. It is special structure which holds information related to DRTM. It is optionally for BIOS to have it implemented or not. What we have done, is **we added support for DRTM ACPI to PC Engines apuX platforms since release v4.12.0.2**. We needed to -meet requirements which are mentioned in [TCG DRTM Architecture Specification](https://trustedcomputinggroup.org/wp-content/uploads/TCG_D-RTM_Architecture_v1-0_Published_06172013.pdf). +meet requirements which are mentioned in +[TCG DRTM Architecture Specification](https://trustedcomputinggroup.org/wp-content/uploads/TCG_D-RTM_Architecture_v1-0_Published_06172013.pdf). In the Specification you can read more details about implementation and requirements. As it is not trivial topic, we won't elaborate about it in this -blog post. What you should know is DRTM Table has special structure and *points -to memory area where TPM logs are stored*. That's how we collect them and +blog post. What you should know is DRTM Table has special structure and _points +to memory area where TPM logs are stored_. That's how we collect them and present. ### TPM event log verification @@ -418,203 +419,204 @@ Hardware and firmware specification which we are using for test: - coreboot v4.12.0.2 - NixOS operating system ->We don't ensure valid test results if you don't have exactly the same -configuration and environment as above. +> We don't ensure valid test results if you don't have exactly the same +> configuration and environment as above. Following procedure will guide you step-by-step how to enable and read TPM event log. Before giving final example, you need to prepare all necessary components. 1. Install `xxd` tool. - > This tool will be used during `landing-zone` build, so it must be done - earlier. + > This tool will be used during `landing-zone` build, so it must be done + > earlier. + + ```bash + $ cd ~/nixpkgs + $ nix-build -A unixtools.xxd + (...) + /nix/store/2q94zc1agpkvchxxnx6pwy1v6rpdqzdx-xxd-1003.1-2008 + ``` + + Last line points to directory where package is installed. Copy `/bin/xxd` + file to one of the `PATH` directory. + + ```bash + $ echo $PATH + /run/wrappers/bin:/root/.nix-profile/bin:/etc/profiles/per-user/root/bin:/nix/var/nix/profiles/default/bin + $ cp /nix/store/2q94zc1agpkvchxxnx6pwy1v6rpdqzdx-xxd-1003.1-2008/bin/xxd /run/wrappers/bin/ + ``` + + > Adding `xxd` binary to PATH is necessary, so landing-zone compilation + > process will end successfully. + +1. Update `nixpkgs` repository. - ``` - $ cd ~/nixpkgs - $ nix-build -A unixtools.xxd - (...) - /nix/store/2q94zc1agpkvchxxnx6pwy1v6rpdqzdx-xxd-1003.1-2008 - ``` - - Last line points to directory where package is installed. Copy `/bin/xxd` - file to one of the `PATH` directory. - - ``` - $ echo $PATH - /run/wrappers/bin:/root/.nix-profile/bin:/etc/profiles/per-user/root/bin:/nix/var/nix/profiles/default/bin - $ cp /nix/store/2q94zc1agpkvchxxnx6pwy1v6rpdqzdx-xxd-1003.1-2008/bin/xxd /run/wrappers/bin/ - ``` - - > Adding `xxd` binary to PATH is necessary, so landing-zone compilation - process will end successfully. - -2. Update `nixpkgs` repository. - - It is assumed that you have already downloaded custom - [3mdeb/nixpkg](https://github.com/3mdeb/nixpkgs) repository to your NixOS. - If yes, then go to `nixpkgs` directory and pull latest changes. - - ``` - $ cd ~/nixpkgs - $ git pull - ``` - - Change branch to `tpm_event_log` - - ``` - $ git checkout tpm_event_log - ``` - -3. Rebuild NixOS. - - ``` - $ sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs - $ reboot - ``` - - There are changes in `grub-tb` and `landing-zone` packages. Moreover there - is new package `cbmem-tb` added. It contains `cbmem` utility, which is a - tool for gathering early logs. It lets reading TPM event logs from OS level. - -4. Replace `/boot/lz_header` with just built new one. - - ``` - $ cd /nix/store - $ ls | grep -i 'landing-zone-0.6.0' - bqi0phr2rvwqlzfr3qj5117arxjhlbil-landing-zone-0.6.0 - nw8rsi5jfx9zikv06dhjxc6a5219xr20-landing-zone-0.6.0.drv - ``` - - >`landing-zone-0.6.0` without any extension is directory you looking for. - - ``` - $ cp /nix/store/bqi0phr2rvwqlzfr3qj5117arxjhlbil-landing-zone-0.6.0/lz_header.bin /boot/lz_header - ``` - -5. Reboot platform and boot to NixOS Secure Launch. - -6. Install `cbmem-tb` package manually. - - ``` - $ cd ~/nixpkgs - $ nix-build -A cbmem-tb - (...) - /nix/store/8y25mfqw0igqa5yfpvrks0nvr5wah5kn-cbmem-4.12 - ``` - -7. Copy `cbmem` utility to home directory. - - ``` - $ cd /nix/store/ - $ ls | grep -i 'cbmem-4.12' - 8y25mfqw0igqa5yfpvrks0nvr5wah5kn-cbmem-4.12 - b4pds6l5fbkxdykkf2248c4mfnhf5ll5-cbmem-4.12.drv - plm3jyg54hjyiy3zldclx83k14i34lpq-cbmem-4.12.drv - pzifnqhgk0xarm3xrgkn07s9l572aw5p-cbmem-4.12.lock - ``` - - Search for entry with `cbmem-4.12` without any extension. In above case - `cbmem` is installed in - `/nix/store/8y25mfqw0igqa5yfpvrks0nvr5wah5kn-cbmem-4.12` directory. - - ``` - $ cp /nix/store/8y25mfqw0igqa5yfpvrks0nvr5wah5kn-cbmem-4.12/sbin/cbmem ~/ - ``` - -7. Go to home directory and use `cbmem` to read TPM event log. - - ``` - $ cd ~ - $ ./cbmem -d - DRTM TPM2 log: - Specification: 2.00 Platform class: PC Client - No vendor information provided - DRTM TPM2 log entry 1: - PCR: 17 - Event type: Unknown (0x600) - Digests: - SHA1: 2400e5bdfbaa8cfc42eae13d9b742b89d0ba35b4 - SHA256: b65067767baf988b18e3a83410f90f055a4dcd59509b1ab6b17e18926ad8de82 - Event data not provided - DRTM TPM2 log entry 2: - PCR: 17 - Event type: Unknown (0x601) - Digests: - SHA1: ecad3658a0cda535a8db50c207d726d2dac46509 - SHA256: f76f571cb78beddba64ceab81b679ab3328ec15e2c4ff49f9fff625c300dc5a1 - Event data: Kernel - ``` - - > `-d` flag means 'print DRTM TPM log'. For more information about cbmem - usage, type `cbmem --help`. - - Above logs are collected on platform with TPM2.0. Below there is example for - platform with TPM1.2. - - ``` - $ cd ~ - $ ./cbmem -d - DRTM TCPA log: - Specification: 1.21 Platform class: PC Client - No vendor information provided - DRTM TCPA log entry 1: - PCR: 17 - Event type: Unknown (0x600) - Digest: 2400e5bdfbaa8cfc42eae13d9b742b89d0ba35b4 - Event data not provided - DRTM TCPA log entry 2: - PCR: 17 - Event type: Unknown (0x601) - Digest: ecad3658a0cda535a8db50c207d726d2dac46509 - Event data: Kernel - ``` - -As you can see output for platform with TPM1.2 is slightly different than with -TPM2.0. This is due to different TPM specification requirements about TPM1.2 -event log and TPM2.0 event log. However, both are showing events and hashes -which extend PCR 17. For now, there is lack of support for adding entries to the -DRTM TPM event log in Linux kernel. We are going to add this feature in near -future, so TPM event log will be complete and will be suitable for real-case -use. Notice also, that log entry values are hashes with which PCRs are extended. -Do not confuse them with PCRs values read with tpm_tools. - -8. Compare `DRTM TPM2 log entry 1` with `LZ hash`. - - `DRTM TPM log entry 1` is hash of Landing Zone. Let's verify it against real - value. Hexdump `/boot/lz_header` with `xxd` tool. Assuming `xxd` is added to - PATH: - - ``` - $ xxd /boot/lz_header | tail - 00009ff0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ - 0000a000: 78f1 268e 0492 11e9 832a c85b 76c4 cc02 x.&......*.[v... - 0000a010: 0000 0000 0000 0000 0000 0000 0000 0000 ................ - 0000a020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ - 0000a030: 0000 0000 0200 0000 0400 2400 e5bd fbaa ..........$..... - 0000a040: 8cfc 42ea e13d 9b74 2b89 d0ba 35b4 0b00 ..B..=.t+...5... - 0000a050: b650 6776 7baf 988b 18e3 a834 10f9 0f05 .Pgv{......4.... - 0000a060: 5a4d cd59 509b 1ab6 b17e 1892 6ad8 de82 ZM.YP....~..j... - 0000a070: 0400 0000 1000 0000 0500 0000 474e 5500 ............GNU. - 0000a080: 0100 00c0 0400 0000 0100 0000 0000 0000 ................ - ``` - - Starting from `0000a050` offset, there is SHA256 value: - `b650 6776 7baf 988b 18e3 a834 10f9 0f05 5a4d cd59 509b 1ab6 b17e 1892 6ad8 de82` - This value is exactly the same as *`DRTM TPM2 log entry 1* shows. It proves - that TPM event log works correct. + It is assumed that you have already downloaded custom + [3mdeb/nixpkg](https://github.com/3mdeb/nixpkgs) repository to your NixOS. If + yes, then go to `nixpkgs` directory and pull latest changes. + + ```bash + cd ~/nixpkgs + git pull + ``` + + Change branch to `tpm_event_log` + + ```bash + git checkout tpm_event_log + ``` + +1. Rebuild NixOS. + + ```bash + sudo nixos-rebuild switch -I nixpkgs=~/nixpkgs + reboot + ``` + + There are changes in `grub-tb` and `landing-zone` packages. Moreover there is + new package `cbmem-tb` added. It contains `cbmem` utility, which is a tool + for gathering early logs. It lets reading TPM event logs from OS level. + +1. Replace `/boot/lz_header` with just built new one. + + ```bash + $ cd /nix/store + $ ls | grep -i 'landing-zone-0.6.0' + bqi0phr2rvwqlzfr3qj5117arxjhlbil-landing-zone-0.6.0 + nw8rsi5jfx9zikv06dhjxc6a5219xr20-landing-zone-0.6.0.drv + ``` + + > `landing-zone-0.6.0` without any extension is directory you looking for. + + ```bash + cp /nix/store/bqi0phr2rvwqlzfr3qj5117arxjhlbil-landing-zone-0.6.0/lz_header.bin /boot/lz_header + ``` + +1. Reboot platform and boot to NixOS Secure Launch. + +1. Install `cbmem-tb` package manually. + + ```bash + $ cd ~/nixpkgs + $ nix-build -A cbmem-tb + (...) + /nix/store/8y25mfqw0igqa5yfpvrks0nvr5wah5kn-cbmem-4.12 + ``` + +1. Copy `cbmem` utility to home directory. + + ```bash + $ cd /nix/store/ + $ ls | grep -i 'cbmem-4.12' + 8y25mfqw0igqa5yfpvrks0nvr5wah5kn-cbmem-4.12 + b4pds6l5fbkxdykkf2248c4mfnhf5ll5-cbmem-4.12.drv + plm3jyg54hjyiy3zldclx83k14i34lpq-cbmem-4.12.drv + pzifnqhgk0xarm3xrgkn07s9l572aw5p-cbmem-4.12.lock + ``` + + Search for entry with `cbmem-4.12` without any extension. In above case + `cbmem` is installed in + `/nix/store/8y25mfqw0igqa5yfpvrks0nvr5wah5kn-cbmem-4.12` directory. + + ```bash + cp /nix/store/8y25mfqw0igqa5yfpvrks0nvr5wah5kn-cbmem-4.12/sbin/cbmem ~/ + ``` + +1. Go to home directory and use `cbmem` to read TPM event log. + + ```bash + $ cd ~ + $ ./cbmem -d + DRTM TPM2 log: + Specification: 2.00 Platform class: PC Client + No vendor information provided + DRTM TPM2 log entry 1: + PCR: 17 + Event type: Unknown (0x600) + Digests: + SHA1: 2400e5bdfbaa8cfc42eae13d9b742b89d0ba35b4 + SHA256: b65067767baf988b18e3a83410f90f055a4dcd59509b1ab6b17e18926ad8de82 + Event data not provided + DRTM TPM2 log entry 2: + PCR: 17 + Event type: Unknown (0x601) + Digests: + SHA1: ecad3658a0cda535a8db50c207d726d2dac46509 + SHA256: f76f571cb78beddba64ceab81b679ab3328ec15e2c4ff49f9fff625c300dc5a1 + Event data: Kernel + ``` + + > `-d` flag means 'print DRTM TPM log'. For more information about cbmem + > usage, type `cbmem --help`. + + Above logs are collected on platform with TPM2.0. Below there is example for + platform with TPM1.2. + + ```bash + $ cd ~ + $ ./cbmem -d + DRTM TCPA log: + Specification: 1.21 Platform class: PC Client + No vendor information provided + DRTM TCPA log entry 1: + PCR: 17 + Event type: Unknown (0x600) + Digest: 2400e5bdfbaa8cfc42eae13d9b742b89d0ba35b4 + Event data not provided + DRTM TCPA log entry 2: + PCR: 17 + Event type: Unknown (0x601) + Digest: ecad3658a0cda535a8db50c207d726d2dac46509 + Event data: Kernel + ``` + + As you can see output for platform with TPM1.2 is slightly different than with + TPM2.0. This is due to different TPM specification requirements about TPM1.2 + event log and TPM2.0 event log. However, both are showing events and hashes + which extend PCR 17. For now, there is lack of support for adding entries to the + DRTM TPM event log in Linux kernel. We are going to add this feature in near + future, so TPM event log will be complete and will be suitable for real-case + use. Notice also, that log entry values are hashes with which PCRs are extended. + Do not confuse them with PCRs values read with tpm_tools. + +1. Compare `DRTM TPM2 log entry 1` with `LZ hash`. + + `DRTM TPM log entry 1` is hash of Landing Zone. Let's verify it against real + value. Hexdump `/boot/lz_header` with `xxd` tool. Assuming `xxd` is added to + PATH: + + ```bash + $ xxd /boot/lz_header | tail + 00009ff0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ + 0000a000: 78f1 268e 0492 11e9 832a c85b 76c4 cc02 x.&......*.[v... + 0000a010: 0000 0000 0000 0000 0000 0000 0000 0000 ................ + 0000a020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ + 0000a030: 0000 0000 0200 0000 0400 2400 e5bd fbaa ..........$..... + 0000a040: 8cfc 42ea e13d 9b74 2b89 d0ba 35b4 0b00 ..B..=.t+...5... + 0000a050: b650 6776 7baf 988b 18e3 a834 10f9 0f05 .Pgv{......4.... + 0000a060: 5a4d cd59 509b 1ab6 b17e 1892 6ad8 de82 ZM.YP....~..j... + 0000a070: 0400 0000 1000 0000 0500 0000 474e 5500 ............GNU. + 0000a080: 0100 00c0 0400 0000 0100 0000 0000 0000 ................ + ``` + + Starting from `0000a050` offset, there is SHA256 value: + `b650 6776 7baf 988b 18e3 a834 10f9 0f05 5a4d cd59 509b 1ab6 b17e 1892 6ad8 de82` + This value is exactly the same as _\`DRTM TPM2 log entry 1_ shows. It proves + that TPM event log works correct. ## Summary As you can see, in this release we mainly focus on TrenchBoot's components adaptation to suit further requirements. First of all, we have made big step for integration TrenchBoot into coreboot. We introduced changes in GRUB, so it would -operate on CBFS files and treat with LZMA. Second of all, we added *TPM event -logs* which further allow users to attest their platform on their own. Briefly +operate on CBFS files and treat with LZMA. Second of all, we added _TPM event +logs_ which further allow users to attest their platform on their own. Briefly speaking, although presented features seem to be not very useful now, they will definitely be crucial in TrenchBoot project development. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-07-14-qubesos-fwupd-core.md b/blog/content/post/2020-07-14-qubesos-fwupd-core.md index bb21e550..67bd4562 100644 --- a/blog/content/post/2020-07-14-qubesos-fwupd-core.md +++ b/blog/content/post/2020-07-14-qubesos-fwupd-core.md @@ -31,8 +31,8 @@ information about the progress. We have used the suggestions, that we got during the Qubes OS minisummit and we have rethought the whole architecture concept. We decided to create a wrapper, which will adapt fwupd to the Qubes OS requirements. There is no need to show -all the connections in the one diagram. A more straightforward approach to -the subject will be focusing on the functionalities one by one. +all the connections in the one diagram. A more straightforward approach to the +subject will be focusing on the functionalities one by one. ### Development platform @@ -40,21 +40,23 @@ We have used following setup during the development process: 1. OS version: Qubes OS R4.1 -2. Dom0: - - fwupd: - - client version: 1.3.9 - - gusb: 0.3.4 - - efivar: 37 - - daemon version: 1.3.9 - - python: 3.7.6 - -3. sys-usb (usbVM): - - fwupd: - - client version: 1.2.12 - - gusb: 0.3.1 - - efivar: 37 - - daemon version: 1.2.12 - - python: 3.7.6 +1. Dom0: + + - fwupd: + - client version: 1.3.9 + - gusb: 0.3.4 + - efivar: 37 + - daemon version: 1.3.9 + - python: 3.7.6 + +1. sys-usb (usbVM): + + - fwupd: + - client version: 1.2.12 + - gusb: 0.3.1 + - efivar: 37 + - daemon version: 1.2.12 + - python: 3.7.6 Required packages in the dom0 and the TemplateVM: @@ -70,10 +72,10 @@ usbVM. Let's take a look at the architecture diagram. ![qubes_fwupdmgr-refresh](/img/qfwupd-refresh.png) -Everything starts in `qubes_fwupdmgr`. It is the main python script, where -a user is communicating his needs. Downloading the metadata is initialized by -the `_download_metadata` method. It calls subprocess, that runs -`fwupd-dom0-update` with a `--metadata` argument. +Everything starts in `qubes_fwupdmgr`. It is the main python script, where a +user is communicating his needs. Downloading the metadata is initialized by the +`_download_metadata` method. It calls subprocess, that runs `fwupd-dom0-update` +with a `--metadata` argument. `fwupd-dom0-update` is the bash script, that initializes the processes in UpdateVM. During the updating metadata, `fwupd-dom0-update` clears existing @@ -81,14 +83,13 @@ cache files. Afterward, it creates cache directories in updateVM with the corresponding ownerships. Then it calls the `fwupd-download-updates.sh`, that verifies and provides the metadata update files to UpdateVM. In the next step, `fwupd-dom0-update` runs a `fwupd_receive_updates`, that is responsible for -checking signature. If everything is as expected it copies files to -dom0. +checking signature. If everything is as expected it copies files to dom0. In the end, the whole process comes back to `qubes_fwupdmgr`. The main script checks the usbVM flag. If it is true, it copies files to usbVM and runs `fwupd_usbvm_validate`. It validates metadata update files. If we have no error -code to that point, `qubes_fwupdmgr` uses the fwupd client to refresh -"manually" metadata. +code to that point, `qubes_fwupdmgr` uses the fwupd client to refresh "manually" +metadata. The refresh process is presented in the following video. @@ -100,9 +101,9 @@ The `get-devices` command shows information about connected devices. ![qubes_fwupdmgr-devices](/img/qfwupd-get-devices.png) -`qubes_fwupdmgr` calls a `fwupdagent get-devices` in the usbVM and dom0. -The agent provides a JSON output that contains device information. The main -script parses the output and shows the information in the structured form. +`qubes_fwupdmgr` calls a `fwupdagent get-devices` in the usbVM and dom0. The +agent provides a JSON output that contains device information. The main script +parses the output and shows the information in the structured form. ### qubes-fwupdmgr get-updates @@ -115,8 +116,7 @@ version of the `fwupdagent`. 1.3.9 client version has dedicated command `fwupdagent get-updates`, which generates information about possible updates in the JSON form. 1.2.12 version has no such command. At first, we need to acquire devices information from `fwupdagent get-devices`. Updates details are obtained -in the comparison of the current device version with versions in a release -list. +in the comparison of the current device version with versions in a release list. ### qubes-fwupdmgr update @@ -133,10 +133,9 @@ updateVM. Then the `fwupd_receive_updates` copies the firmware to dom0 and it verifies the checksum once again. The script unpacks the archive and checks the signature of the firmware. Also during the system firmware update, `qubes_fwupdmgr` verifies DMI details with the information contained in firmware -metadata. If the device is connected in usbVM, `qubes_fwupdmgr` copies -the firmware file to sys-usb. The main script initializes -`fwupd_usbvm_validate`, that verifies the firmware in usbVM before it will be -installed. +metadata. If the device is connected in usbVM, `qubes_fwupdmgr` copies the +firmware file to sys-usb. The main script initializes `fwupd_usbvm_validate`, +that verifies the firmware in usbVM before it will be installed. The update process of the device connected in dom0 is shown below. @@ -182,15 +181,15 @@ Following videos show the testing process on Qubes OS and Ubuntu. The main issue we are facing now is the difference between fwupd versions in dom0 and usbVM. The newer version of the tool has different binaries locations. Also, fwupdagent has more features (`get-updates` command). Therefore the next -step of the development process will be replacing the static paths of -fwupd with the dynamic ones, that will depend on the fwupd version. In addition, -the `get-updates` command should properly obtain details of the update depending -on the fwupd version. Soon we will add support for +step of the development process will be replacing the static paths of fwupd with +the dynamic ones, that will depend on the fwupd version. In addition, the +`get-updates` command should properly obtain details of the update depending on +the fwupd version. Soon we will add support for [heads updates](http://osresearch.net) and UEFI capsule updates. As well we want to implement installation by the qubes-builder. ## Summary -If you have any questions, suggestions, or ideas, feel free to share them in -the comment section. If you want to hear more about the Qubes OS support for -fwupd I encourage you to [sign up to our newsletter](http://eepurl.com/doF8GX). +If you have any questions, suggestions, or ideas, feel free to share them in the +comment section. If you want to hear more about the Qubes OS support for fwupd I +encourage you to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2020-07-23-secure-app-coding-practices.md b/blog/content/post/2020-07-23-secure-app-coding-practices.md index 2770abf6..14e39d03 100644 --- a/blog/content/post/2020-07-23-secure-app-coding-practices.md +++ b/blog/content/post/2020-07-23-secure-app-coding-practices.md @@ -46,8 +46,8 @@ really not used this password somewhere? Attackers know very well that most internet users often use the same combination of characters. So you can expose yourself to the fact that someone will try to use the login data found, e.g. on Twitter or Google account. So instead of setting the password directly in the -configuration files in your codebase, you can use a reference to an [environment -variable](https://docs.microsoft.com/en-us/aspnet/core/security/app-secrets?view=aspnetcore-3.1&tabs=windows/) +configuration files in your codebase, you can use a reference to an +[environment variable](https://docs.microsoft.com/en-us/aspnet/core/security/app-secrets?view=aspnetcore-3.1&tabs=windows/) However, when others can look into the code, they are able to point out those security issues, maybe even fix it. That's why hiding the code makes it harder @@ -69,18 +69,17 @@ password containing at least 14 characters that include special characters, numbers, letters lower and upper cases. It is also very important to not use the same password for everything, they must be all different. Password manager, such as -[LastPass](https://blog.lastpass.com/2018/01/sites-protect-password-manager.html/) +[LastPass](https://web.archive.org/web/20190714081029/https://blog.lastpass.com/2018/01/sites-protect-password-manager.html/) can be useful. However, this is the minimum that we should stick to. It is difficult to create an exact list of requirements, as these often change, e.g. until recently it was a very popular practice to force users to periodically change their password. Meanwhile, Microsoft says, based on its experience, that this approach does more harm than good. Out of laziness, users choose almost identical passwords anyway, changing only one of the last characters, which is -why, for example, in their [new -guidelines](https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide/) +why, for example, in their +[new guidelines](https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide/) for Office 365, the technological giant recommends abandoning this idea. - ### Always validate the data also on the server The validation written on a frontend side (like give attribute "required" to the @@ -128,8 +127,8 @@ app to take advantage of these changes (fixes), you need to update them as needed. Unfortunately, we often have so many of them that checking each of them manually would be quite a breakneck task. So a good solution may be to use a tool called **Snyk**. It automatically checks the GitHub repository and reports -on possible dangers. You can use it online at [this -link](https://snyk.io/test/). +on possible dangers. You can use it online at +[this link](https://snyk.io/test/). In addition to the above good practices, the use of the **helmet** package is standard. Its task is to properly set the HTTP headers so that our server is @@ -151,7 +150,7 @@ Only this approach gives us a relatively large guarantee as to safety. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with -us](https://calendly.com/3mdeb/consulting-remote-meeting) or drop us email to -`contact3mdebcom`. If you are interested in similar content feel free -to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-08-09-coreboot_blogpost.md b/blog/content/post/2020-08-09-coreboot_blogpost.md index 3b32384c..3d39ac7c 100644 --- a/blog/content/post/2020-08-09-coreboot_blogpost.md +++ b/blog/content/post/2020-08-09-coreboot_blogpost.md @@ -19,12 +19,12 @@ categories: --- -#### [coreboot Fundamentals Training](https://training.3mdeb.com/courses/coreboot-fundamentals) +#### [coreboot Fundamentals Training](https://3mdeb.com/training/#coreboot-for-embedded-linux-developers) It's hard to find a reliable source from which developers could draw and quickly acquire knowledge substantial for fluent cooperation with coreboot. Relying on official documentation and extensive practice is obviously the best way to -become proficient – we went this way ourselves – unfortunately, it is +become proficient – we went this way ourselves – unfortunately, it is time-consuming, especially when the new employee is joining the team and he needs to be quickly introduced with the coreboot-based project. Based on years of experience, vast knowledge, and a passion towards open source solutions, @@ -32,10 +32,11 @@ we've responded to this need by providing reliable and professional training that covers essential basics. We are proud of the way we've managed to hammer out years of experience into modular, easy-to-follow 4-hours training. **In this new blogpost series we will be publishing coreboot fundamentals mini-course** -equipped with coreboot essentials. [coreboot Fundamentals -Training](https://training.3mdeb.com/courses/coreboot-fundamentals) is the first -step of 3mdeb Firmware Training path. It provides solid grounds for further -development towards proficiency in coreboot firmware platform enginering. +equipped with coreboot essentials. +[coreboot Fundamentals Training](https://3mdeb.com/training/#coreboot-for-embedded-linux-developers) +is the first step of 3mdeb Firmware Training path. It provides solid grounds for +further development towards proficiency in coreboot firmware platform +enginering. ![graf](/img/training_path.png) @@ -43,18 +44,17 @@ development towards proficiency in coreboot firmware platform enginering. Most modern platforms require closed-source BIOS for booting purposes. However, BIOS is not featured by flexibility and easiness in supporting custom hardware -or maintenance. coreboot performs absolutely minimal -hardware initialization before kernel boot, what makes it much faster than BIOS. -It supports online updates, allows for SSH connections to load the kernel and by -being open source provides full insight of it's intestines and by that enhancing -security. All these features make users trust coreboot more than BIOS provided -by hardware vendors. +or maintenance. coreboot performs absolutely minimal hardware initialization +before kernel boot, what makes it much faster than BIOS. It supports online +updates, allows for SSH connections to load the kernel and by being open source +provides full insight of it's intestines and by that enhancing security. All +these features make users trust coreboot more than BIOS provided by hardware +vendors. > Do as much as needed, then jump straight payload. > > – coreboot. - #### Why worthy The training will give you an insight into coreboot firmware platform, defining @@ -74,19 +74,19 @@ experience by developing Embedded Firmware Training Program. We've been through a long way developing and working on coreboot. It is a high time, to pass on our experience in this field to support and shorten a long path of gaining proficiency with coreboot. Even more eagerly, having in mind that there is no -reliable coreboot trainig available at all. +reliable coreboot training available at all. ![graf2](/img/program_tree.png) #### Training Overview -* coreboot basics +- coreboot basics -* coreboot boot process +- coreboot boot process -* coreboot building +- coreboot building -* running coreboot in QEMU +- running coreboot in QEMU #### I am an embedded engineer. What is your superpower? @@ -94,14 +94,16 @@ A path of Embedded Firmware Engineering is not an easy one to follow. It not only forces the constant need of self-development but demands being up-to-date with rapid changes around both; hardware and firmware area. However, gained knowledge gets more and more value over time what provides stable work position -with above-average salary and greater recognition inside the industry. Embedded engineer is a -kind of a hybrid that brings together electrical engineering and logic skills -of a software programming. His path brings lots of opportunities both -in commercial and open ecosystem and even greater satisfacion thanks to the role -of mediator between hardware and software worlds. Embedded engineers can be +with above-average salary and greater recognition inside the industry. Embedded +engineer is a kind of a hybrid that brings together electrical engineering and +logic skills of a software programming. His path brings lots of opportunities +both in commercial and open ecosystem and even greater satisfacion thanks to the +role of mediator between hardware and software worlds. Embedded engineers can be proudly called the alchemists of computing industry. If you think we can help in improving the security of your firmware or you are -looking for a training that can boost your team of developers inside UEFI, coreboot or Yocto area, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +looking for a training that can boost your team of developers inside UEFI, +coreboot or Yocto area, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-08-13-trenchboot-event-log.md b/blog/content/post/2020-08-13-trenchboot-event-log.md index fd027b76..ad654e04 100644 --- a/blog/content/post/2020-08-13-trenchboot-event-log.md +++ b/blog/content/post/2020-08-13-trenchboot-event-log.md @@ -20,16 +20,17 @@ categories: --- -If you haven't read previous blog posts from *TrenchBoot* series, we strongly +If you haven't read previous blog posts from _TrenchBoot_ series, we strongly encourage to catch up on it. Best way, is to search under [TrenchBoot](https://blog.3mdeb.com/tags/trenchboot/) tag. In this article, we will take a deeper look into the reworked `extend_all.sh` script, along with -`util.sh` which is sourced by it, to show how it can be used to check if the -PCR values are proper. +`util.sh` which is sourced by it, to show how it can be used to check if the PCR +values are proper. ## New event log entries -You can follow the [verification instructions](https://blog.3mdeb.com/2020/2020-07-03-trenchboot-grub-cbfs/#tpm-event-log-verification) +You can follow the +[verification instructions](https://blog.3mdeb.com/2020/2020-07-03-trenchboot-grub-cbfs/#tpm-event-log-verification) from the previous TrenchBoot post, up to the part where the log entries are read with `cbmem` tool. Remember that `cbmem` requires kernel built with `CONFIG_IO_STRICT_DEVMEM` disabled or with `iomem=relaxed` in the command line! @@ -40,7 +41,7 @@ If in doubt, refer to the previous post. This is the example log: -``` +```bash $ ./cbmem -d DRTM TPM2 log: Specification: 2.00 @@ -105,7 +106,8 @@ You can see that there are new entries. Lets check if those are correct. ### extend_all.sh -This script was used since [one of the first posts about TrenchBoot](https://blog.3mdeb.com/2020/2020-04-03-trenchboot-nlnet-lz-validation/). +This script was used since +[one of the first posts about TrenchBoot](https://blog.3mdeb.com/2020/2020-04-03-trenchboot-nlnet-lz-validation/). In this release, it was rewritten to be easier to understand, and also to have option to reuse some of the functions implemented there. This is the source of that file: @@ -115,14 +117,14 @@ that file: . util.sh if [[ $# -eq 2 ]] && [[ -e "$1" ]] && [[ -e "$2" ]] ; then - extend_sha1 $sha1_zeroes $(sha1_lz) $(sha1_kernel "$1") "$2" - extend_sha256 $sha256_zeroes $(sha256_lz) $(sha256_kernel "$1") "$2" + extend_sha1 $sha1_zeroes $(sha1_lz) $(sha1_kernel "$1") "$2" + extend_sha256 $sha256_zeroes $(sha256_lz) $(sha256_kernel "$1") "$2" elif [[ $# -eq 1 ]] && [[ -e "$1" ]] ; then - extend_sha1 $sha1_zeroes $(sha1_lz) $(sha1_kernel "$1") - extend_sha256 $sha256_zeroes $(sha256_lz) $(sha256_kernel "$1") + extend_sha1 $sha1_zeroes $(sha1_lz) $(sha1_kernel "$1") + extend_sha256 $sha256_zeroes $(sha256_lz) $(sha256_kernel "$1") else - echo "Usage: $0 path/to/bzImage [path/to/initrd]" - exit + echo "Usage: $0 path/to/bzImage [path/to/initrd]" + exit fi ``` @@ -139,13 +141,13 @@ will be described later. We can run this script for our kernel and initramfs and compare the result with the output of `tpm2_pcrread`: -``` +```bash $ ./extend_all.sh path/to/bzImage path/to/initrd 545e5cccba8775c28f07f9ed214d73e0167b002d SHA1 86319148902e0f12fb1fc286c46fec26b3a7b7f0e8480b591c4b0a8d5034356a SHA256 ``` -``` +```bash $ tpm2_pcrread sha1: 0 : 0x3A3F780F11A4B49969FCAA80CD6E3957C33B2275 @@ -232,16 +234,17 @@ tedious task of repeating and counting zeroes. ```bash sha1_kernel () { - local KERNEL_PROT_SKIP=$((`hexdump "$1" -s0x1f1 -n1 -e '/1 "%u"'` * 512 + 512)) - dd if="$1" bs=1 skip=$KERNEL_PROT_SKIP 2>/dev/null | sha1sum | grep -o "^[a-fA-F0-9]*" + local KERNEL_PROT_SKIP=$((`hexdump "$1" -s0x1f1 -n1 -e '/1 "%u"'` * 512 + 512)) + dd if="$1" bs=1 skip=$KERNEL_PROT_SKIP 2>/dev/null | sha1sum | grep -o "^[a-fA-F0-9]*" } ``` This function takes a path to the Linux kernel as an argument. Historically, Linux was started in real mode (RM, 16 bits), where it could -gather all necessary information required to boot using the [BIOS interrupt calls](https://en.wikipedia.org/wiki/BIOS_interrupt_call). -It saved all gathered data in a structure called zero page and jumped into the +gather all necessary information required to boot using the +[BIOS interrupt calls](https://en.wikipedia.org/wiki/BIOS_interrupt_call). It +saved all gathered data in a structure called zero page and jumped into the protected mode (PM). These two modes are two separate pieces of bzImage file. Nowadays, the zero page is prepared by the bootloader and the kernel is started @@ -257,7 +260,7 @@ the file (the PM part) and calculates its hash. ```bash sha1_lz () { - dd if="$SLB_FILE" bs=1 count=$SL_SIZE 2>/dev/null | sha1sum | grep -o "^[a-fA-F0-9]*" + dd if="$SLB_FILE" bs=1 count=$SL_SIZE 2>/dev/null | sha1sum | grep -o "^[a-fA-F0-9]*" } ``` @@ -265,45 +268,46 @@ Calculates hash of the measured part of the LZ, uses constants defined earlier. ```bash validate_and_escape_hash () { - local TRIM=`echo -n "$1" | sed -r -e "s/ .*//"` - if (( ${#TRIM} != 64 && ${#TRIM} != 40 )); then - >&2 echo "\"$TRIM\" is not a valid SHA1/SHA256 hash" - return - fi - echo -n $TRIM | sed -r -e "s/([a-f0-9]{2})/\\\x\1/g" + local TRIM=`echo -n "$1" | sed -r -e "s/ .*//"` + if (( ${#TRIM} != 64 && ${#TRIM} != 40 )); then + >&2 echo "\"$TRIM\" is not a valid SHA1/SHA256 hash" + return + fi + echo -n $TRIM | sed -r -e "s/([a-f0-9]{2})/\\\x\1/g" } ``` Removes anything that comes after the hash (usually file name), checks its length and transforms the hex string into an escaped format. -> Example: '01fe23dc45ba...' is transformed to '\x01\xfe\x23\xdc\x45\xba...' +> Example: '01fe23dc45ba...' is transformed to +> '\\x01\\xfe\\x23\\xdc\\x45\\xba...' ```bash extend_sha1 () { - local HASH1 - local HASH2 - case $# in - [01] ) >&2 echo "extend_sha1 called with not enough arguments provided" - return - ;; - 2 ) if [ -f "$2" ]; then - HASH1="$1" - HASH2=`dd if="$2" 2>/dev/null | sha1sum` - else - HASH1="$1" - HASH2="$2" - fi - ;; - * ) HASH1=$(extend_sha1 "$1" "$2") - shift 2 - extend_sha1 "$HASH1" $@ - return - ;; - esac - local HASH1_ESC=$(validate_and_escape_hash "$HASH1") - local HASH2_ESC=$(validate_and_escape_hash "$HASH2") - printf "%b" $HASH1_ESC $HASH2_ESC | sha1sum | sed "s/-/SHA1/" + local HASH1 + local HASH2 + case $# in + [01] ) >&2 echo "extend_sha1 called with not enough arguments provided" + return + ;; + 2 ) if [ -f "$2" ]; then + HASH1="$1" + HASH2=`dd if="$2" 2>/dev/null | sha1sum` + else + HASH1="$1" + HASH2="$2" + fi + ;; + * ) HASH1=$(extend_sha1 "$1" "$2") + shift 2 + extend_sha1 "$HASH1" $@ + return + ;; + esac + local HASH1_ESC=$(validate_and_escape_hash "$HASH1") + local HASH2_ESC=$(validate_and_escape_hash "$HASH2") + printf "%b" $HASH1_ESC $HASH2_ESC | sha1sum | sed "s/-/SHA1/" } ``` @@ -331,12 +335,12 @@ sourcing the file, so we won't have to craft new scripts for every test: First order of business is to take a look at the event log and check if all of the expected entries are there. If they end at some point, most likely the -module that was measured most recently is broken - remember that each module -is expected to measure the next one. +module that was measured most recently is broken - remember that each module is +expected to measure the next one. If all of the entries appear to be in order, we should check the result of -extending the PCR using the values from the event log. Assuming we are using -the log from [above](#new-event-log-entries), we can do this with command: +extending the PCR using the values from the event log. Assuming we are using the +log from [above](#new-event-log-entries), we can do this with command: ```bash extend_sha256 \ @@ -362,12 +366,12 @@ extend_sha256 $sha256_zeroes \ There are few possible outcomes: -* the result is the same as `extend_all.sh` - there were additional extend - operations, most likely after the last one (initramfs), but without logging - OR the TPM extend operation did not succeeded -* the result is the same as the current PCR value - it means that every measured +- the result is the same as `extend_all.sh` - there were additional extend + operations, most likely after the last one (initramfs), but without logging OR + the TPM extend operation did not succeeded +- the result is the same as the current PCR value - it means that every measured component was also logged, so it should be easy to pinpoint the modified one -* none of the above - files passed to `extend_all.sh` are different than the +- none of the above - files passed to `extend_all.sh` are different than the ones that were actually run AND not all extend operations were properly logged For the first one, the debug process using event log ends here, we can't get @@ -446,6 +450,7 @@ will greatly help with more complicated cases with many more measured modules. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-08-19-race-condition-debugging.md b/blog/content/post/2020-08-19-race-condition-debugging.md index c7e41272..bdff18e2 100644 --- a/blog/content/post/2020-08-19-race-condition-debugging.md +++ b/blog/content/post/2020-08-19-race-condition-debugging.md @@ -18,7 +18,6 @@ categories: --- - One of the hardest and exhaustive problems in software engineering are race conditions. They are sneaky, cunning, and nasty, often changing form, disguised under many different stack traces. In this article, I'll present my naive @@ -26,17 +25,20 @@ approach to this problem, why it wasn't the best option, and what tool can help to solve the issue in projects written in `Go`. ### The problem -One day, I was presented with the error in the [fork of the socketio library](https://github.com/3mdeb/socketio). -The `socketio` is the library implementing real-time communication between -a browser and a server. In my version of the library, there was a race condition -error that sporadically led to a library-panic. + +One day, I was presented with the error in the +[fork of the socketio library](https://github.com/3mdeb/socketio). The +`socketio` is the library implementing real-time communication between a browser +and a server. In my version of the library, there was a race condition error +that sporadically led to a library-panic. ### Debugging it the hard way + When the program panics, the `Go` interpreter prints the stack trace on the standard output. The stack trace was my starting point on the hunt for the bug. A colleague also gave me the reproduction guide and the test repository with a -simple app using the library to separate the problem from a project. -The bug seemed to be connected with the +simple app using the library to separate the problem from a project. The bug +seemed to be connected with the [pingLoop()](https://github.com/3mdeb/socketio/blob/5e3badd8466ad335885957abcfdd1cc7aa8fe554/engineio/server_conn.go#L356) and the [NextWriter()](https://github.com/3mdeb/socketio/blob/5e3badd8466ad335885957abcfdd1cc7aa8fe554/engineio/websocket/server.go#L57) @@ -53,27 +55,31 @@ brute-force the solution of the problem. I had one part of the problem in the stack trace, but couldn't find the other half. ### The better way to approach + At some point, a colleague hinted me to try `-race` option of `Go`. -``` + +```bash export GORACE=history_size=7 go run -race main.go ``` + Enabling this option was the solution to my problems. It quickly presented me with much more information than I could hope for. When the `-race` flag is enabled, `Go` carefully watches the code for any variable access, that could result in race condition. The only issue is, it sometimes appears to not work -correctly, reporting a problem. -`[failed to restore the stack]` -But even with this issue, it allows us to gather very detailed information about -the threads accessing the variable at the same time. +correctly, reporting a problem. `[failed to restore the stack]` But even with +this issue, it allows us to gather very detailed information about the threads +accessing the variable at the same time. `GORACE` is the environment variable, where you can supply parameters for `-race` option. In this case case, I needed only a `history_size` parameter. Increasing `history_size` allocates more memory for the goroutine stack trace, -but acceptable values are 0..7, so even with maximal history size, -stack restoration will fail from time to time. -You can read more about `-race` parameters in [the docs](https://golang.org/doc/articles/race_detector.html#Options). -``` +but acceptable values are 0..7, so even with maximal history size, stack +restoration will fail from time to time. You can read more about `-race` +parameters in +[the docs](https://golang.org/doc/articles/race_detector.html#Options). + +```bash ================== WARNING: DATA RACE Read at 0x00c4201e0a8d by goroutine 26: @@ -161,17 +167,17 @@ Goroutine 30 (running) created at: /usr/lib/go-1.10/src/net/http/server.go:1830 +0x7dc ================== ``` -This tool quickly pointed me to the problematical place in code. -It showed me, that the problem is located in two functions that lacked a mutex -shared with the + +This tool quickly pointed me to the problematical place in code. It showed me, +that the problem is located in two functions that lacked a mutex shared with the [NextWriter()](https://github.com/3mdeb/socketio/blob/5e3badd8466ad335885957abcfdd1cc7aa8fe554/engineio/websocket/server.go#L57) -function. -The solution to the problem was to add mutex to the +function. The solution to the problem was to add mutex to the [Write()](https://github.com/3mdeb/socketio/blob/5e3badd8466ad335885957abcfdd1cc7aa8fe554/engineio/parser/packet.go#L107) and [Close()](https://github.com/3mdeb/socketio/blob/5e3badd8466ad335885957abcfdd1cc7aa8fe554/engineio/parser/packet.go#L112) functions. -``` + +```bash // Write writes bytes p. func (e *PacketEncoder) Write(p []byte) (int, error) { WriterLocker.Lock() @@ -191,6 +197,7 @@ func (e *PacketEncoder) Close() error { ``` ## Summary + Race conditions are quite challenging problems. Solving them may be a lot of work, but if you know well your toolset, it can get easier. If you are working in an environment you are not familiar with, look for available tools. @@ -198,6 +205,7 @@ Especially with `Go`, use `-race` flag. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-08-31-booting-coreboot-on-cometlake.md b/blog/content/post/2020-08-31-booting-coreboot-on-cometlake.md index edef8330..b704848f 100644 --- a/blog/content/post/2020-08-31-booting-coreboot-on-cometlake.md +++ b/blog/content/post/2020-08-31-booting-coreboot-on-cometlake.md @@ -20,7 +20,7 @@ categories: --- -# Introduction +## Introduction coreboot is an open source framework for developing firmware for various architectures: x86, ARM, RISC-V, POWER PC and others. Its ultimate goal is to @@ -28,13 +28,12 @@ have as much open hardware initialization code as possible and to maintain the simplicity in the development and usability. of the solution. In this post I will show you how to build coreboot for a modern Intel platform based on 10th Generation Comet Lake S processor. You will probably see that the newer the -hardware is, the more harder the build procedure is. The fact that the -mainboard port exists does not mean it will build and work out of the box. It -often requires much experience and intuition for a firmware developer to locate -issues and fix them quickly. This post should lend you a little share of those -skills. +hardware is, the more harder the build procedure is. The fact that the mainboard +port exists does not mean it will build and work out of the box. It often +requires much experience and intuition for a firmware developer to locate issues +and fix them quickly. This post should lend you a little share of those skills. -# What is Intel RVP? +## What is Intel RVP? Intel RVP stands for Reference Validation Platform. It is a board designed for early validation of the microarchitecture and processor series before launching @@ -42,12 +41,12 @@ the production line of processors to the market. It also serves a purpose of a CRB (Customer Reference Board), that is, a reference design of a platform with given processor family. Hardware vendor often base their designs on RVP and CRB boards, because it is a lot easier to move certain parts of a ready and -validated design into a new one, than make one from scratch. The process is -less error prone and allows to save time during early manufacturing. The RVP -boards are also a good material for experiments with firmware and software -development. Typically there are a lot of connectors on those boards, that let -the users attach various peripherals and implement applications for their -particular needs. +validated design into a new one, than make one from scratch. The process is less +error prone and allows to save time during early manufacturing. The RVP boards +are also a good material for experiments with firmware and software development. +Typically there are a lot of connectors on those boards, that let the users +attach various peripherals and implement applications for their particular +needs. ![Confidential](/img/confidential.png) @@ -58,16 +57,16 @@ schematics and design files. But rest assured, because: 1. If you are OEM/ODM with the reasonable volume you can obtain RVP through Intel representative, but don't worry we got you covered if you just need it for firmware development -2. If you know how to boot it on the reference design and you know the delta +1. If you know how to boot it on the reference design and you know the delta between RVP and your design, then we can easily price coreboot port for you -# Preparing to work with the platform +## Preparing to work with the platform As I have mentioned earlier, building coreboot firmware should be easy and straightforward thanks to the simplicity of the project design. Well it should... It is not always true when it comes to relatively new hardware, -especially when adding a first platform supporting given microarchitecture, -such as in this case. +especially when adding a first platform supporting given microarchitecture, such +as in this case. But let's start from the beginning. Typically when starting the work with new platform you want to check whether it works, so you plug the power supply and @@ -76,15 +75,15 @@ just try to boot it. Let's see... ![Confidential](/img/cometlake_splash.jpg) Cool! Fortunately it works, the worst part behind us. Imagine the platform does -not work, you have to think what is wrong: maybe missing firmware or firmware -is corrupted, improper jumper settings or the worst scenario, platform is -damaged. But in my situation, nothing like this happened (typically Intel -refurbished the platform before shipping by flashing the reference firmware, -setting jumpers to default positions, etc.). Now next step would be to backup -the golden firmware image, that is proven to work, in case we will brick the -platform and need recovery. You may use the flashrom and internal programmer -and read the binary back (but not recommended) or use external programmer to -dump the contents of the SPI flash. I personally recommend the latter, because: +not work, you have to think what is wrong: maybe missing firmware or firmware is +corrupted, improper jumper settings or the worst scenario, platform is damaged. +But in my situation, nothing like this happened (typically Intel refurbished the +platform before shipping by flashing the reference firmware, setting jumpers to +default positions, etc.). Now next step would be to backup the golden firmware +image, that is proven to work, in case we will brick the platform and need +recovery. You may use the flashrom and internal programmer and read the binary +back (but not recommended) or use external programmer to dump the contents of +the SPI flash. I personally recommend the latter, because: - flashrom may not support the chipset yet - flash descriptor may lock certain regions, so you will not be able to read @@ -99,23 +98,22 @@ use flashrom with linux_spi programmer to read the contents. Now when we have the golden firmware binary secured, we may proceed with experimenting with the firmware. -# Building and booting coreboot +## Building and booting coreboot Comet Lake S RVP8 was just recently upstreamed by Intel to [coreboot](https://review.coreboot.org/c/coreboot/+/36685). But I suggest to download 1 [patch](https://review.coreboot.org/c/coreboot/+/38288) ahead in the -relation chain, because it seems to be related to Comet Lake S. For building -the image we will use the +relation chain, because it seems to be related to Comet Lake S. For building the +image we will use the [coreboot-sdk](https://hub.docker.com/r/coreboot/coreboot-sdk) container: - -``` +```bash docker pull coreboot/coreboot-sdk:65718760fa ``` And launch the container with mounting the coreboot directory inside it: -``` +```bash docker run --rm -it -v $PWD:/home/coreboot/coreboot -w /home/coreboot/coreboot \ coreboot/coreboot-sdk:65718760fa /bin/bash ``` @@ -123,34 +121,33 @@ docker run --rm -it -v $PWD:/home/coreboot/coreboot -w /home/coreboot/coreboot \ Then run `make menuconfig` to open coreboot configuration menu. In the `Mainboard` submenu select the mainboard vendor and model as follows: -``` +```bash Mainboard vendor (Intel) ---> Mainboard model (-> Cometlake S U-DIMM DDR4 RVP8) ---> ``` -Save the config and exit the menu. You may now start the build process by -typing `make`. But wait... something is wrong: +Save the config and exit the menu. You may now start the build process by typing +`make`. But wait... something is wrong: -``` +```bash make: *** [src/cpu/Makefile.inc:44: build/cpu_microcode_blob.bin] Error 1 ``` No microcode... Microcode files are automatically added to coreboot image for -given microarchitecture from intel-microcode submodule. If the microcode -updates were not included that means, there is probably no microcode in the -repository yet... Trying to update to recent revision did not help either. What -now? Without microcode, we will not boot probably either. In such case our -golden firmware image and [UEFITool](https://github.com/LongSoft/UEFITool) from -Long Soft will come with help. UEFITool is a cool UEFI image explorer which -allows extraction of the UEFI modules. That also applies to raw files and -microcode. So let's open the binary in the tool and search for microcode! If -you wonder what UEFI is, it is an Unified Extensible Firmware Interface, a -standard defining the firmware design and interface to bootloaders and -operating system. +given microarchitecture from intel-microcode submodule. If the microcode updates +were not included that means, there is probably no microcode in the repository +yet... Trying to update to recent revision did not help either. What now? +Without microcode, we will not boot probably either. In such case our golden +firmware image and [UEFITool](https://github.com/LongSoft/UEFITool) from Long +Soft will come with help. UEFITool is a cool UEFI image explorer which allows +extraction of the UEFI modules. That also applies to raw files and microcode. So +let's open the binary in the tool and search for microcode! If you wonder what +UEFI is, it is an Unified Extensible Firmware Interface, a standard defining the +firmware design and interface to bootloaders and operating system. ![UEFITool](/img/cometlake_uefitool.png) -If you open the binary you should be bale to find the FIT table panel at the +If you open the binary you should be able to find the FIT table panel at the bottom of the window, it will point the location of microcode containers. Right click the parent container Microcode of Type:File and Subtype:Raw, then choose extract body option. Save the microcode file somewhere in coreboot directory. @@ -158,7 +155,7 @@ extract body option. Save the microcode file somewhere in coreboot directory. If we have the microcode file, launch the coreboot configuration menu in docker container again and move to `Chipset` submenu. From there you should select: -``` +```bash Include CPU microcode in CBFS (Generate from tree) ---> ``` @@ -169,12 +166,12 @@ managed to build an image. It is time to flash it and boot it. Remember we are building only coreboot so we must flash only BIOS region (you may achieve it by adding `--ifd- i bios` flags to flashrom). So now the results are as follows: -``` +```bash FspMemoryInit returned an error! ``` -Great... Another problem occurred, but this one is more serious. FSP memory -init return an error, that means memory training has failed. So either we have +Great... Another problem occurred, but this one is more serious. FSP memory init +return an error, that means memory training has failed. So either we have unsupported memory configuration by FSP or we have incorrect FSP binary. > FSP stands for Firmware Support Package and it is a binary released by Intel @@ -184,7 +181,7 @@ unsupported memory configuration by FSP or we have incorrect FSP binary. How to resolve it then? At least we have a good microcode (see first lines of debug output on serial): -``` +```bash CPU: ID a0651, Cometlake-H/S P0 (10+2), ucode: 000000c1 ``` @@ -197,14 +194,14 @@ surprise there were 4 different FSP binaries: - CometLakeS - CometLakeV -Previously only CometLake1 was avilable which is suited for +Previously only CometLake1 was available which is suited for `10th Generation U-Series Intel® Core™ processors` according to README in this directory. This is clearly the culprit of the problem I have hit. So I just had to tell coreboot to use different FSP binary. Typically this is set on the microarchitecture level. So I have searched for the appropriate directory in `src/soc/intel` by looking at my config file (`cat .config |grep SOC_INTEL`): -``` +```bash CONFIG_SOC_INTEL_COMETLAKE ``` @@ -212,29 +209,28 @@ But there is no cometlake directory in `src/soc/intel`, but for simplicity certain directories handle multiple microarchitectures, so in this case Comet Lake support can be found in `src/soc/intel/cannonlake`. And there I could find -``` +```bash config FSP_HEADER_PATH - default "3rdparty/fsp/CoffeeLakeFspBinPkg/Include/" if SOC_INTEL_COFFEELAKE || SOC_INTEL_WHISKEYLAKE - default "3rdparty/fsp/CometLakeFspBinPkg/CometLake1/Include/" if SOC_INTEL_COMETLAKE - default "src/vendorcode/intel/fsp/fsp2_0/cannonlake/" if SOC_INTEL_CANNONLAKE + default "3rdparty/fsp/CoffeeLakeFspBinPkg/Include/" if SOC_INTEL_COFFEELAKE || SOC_INTEL_WHISKEYLAKE + default "3rdparty/fsp/CometLakeFspBinPkg/CometLake1/Include/" if SOC_INTEL_COMETLAKE + default "src/vendorcode/intel/fsp/fsp2_0/cannonlake/" if SOC_INTEL_CANNONLAKE config FSP_FD_PATH - default "3rdparty/fsp/CoffeeLakeFspBinPkg/Fsp.fd" if SOC_INTEL_COFFEELAKE || SOC_INTEL_WHISKEYLAKE - default "3rdparty/fsp/CometLakeFspBinPkg/CometLake1/FSP.fd" if SOC_INTEL_COMETLAKE + default "3rdparty/fsp/CoffeeLakeFspBinPkg/Fsp.fd" if SOC_INTEL_COFFEELAKE || SOC_INTEL_WHISKEYLAKE + default "3rdparty/fsp/CometLakeFspBinPkg/CometLake1/FSP.fd" if SOC_INTEL_COMETLAKE ``` Yes... There is only a single pointer to Comet Lake FSP. Since the submodule -have not yet been updated to latest revision, I had to do it myself. Also I -have added some quick workaround in the -`src/mainboard/intel/coffeelake_rvp/Kconfig` (yes, this RVP is a Coffee Lake -RVP variant) to include the correct FSP files: +have not yet been updated to latest revision, I had to do it myself. Also I have +added some quick workaround in the `src/mainboard/intel/coffeelake_rvp/Kconfig` +(yes, this RVP is a Coffee Lake RVP variant) to include the correct FSP files: -``` +```bash config FSP_HEADER_PATH - default "3rdparty/fsp/CometLakeFspBinPkg/CometLakeS/Include/" if BOARD_INTEL_COMETLAKE_RVP8 + default "3rdparty/fsp/CometLakeFspBinPkg/CometLakeS/Include/" if BOARD_INTEL_COMETLAKE_RVP8 config FSP_FD_PATH - default "3rdparty/fsp/CometLakeFspBinPkg/CometLakeS/Fsp.fd" if BOARD_INTEL_COMETLAKE_RVP8 + default "3rdparty/fsp/CometLakeFspBinPkg/CometLakeS/Fsp.fd" if BOARD_INTEL_COMETLAKE_RVP8 ``` FSP take two paths: @@ -246,7 +242,7 @@ FSP take two paths: Now regenerate the config file, rebuild and flash again... Results? We have a booting SeaBIOS!!! -``` +```bash SeaBIOS (version rel-1.13.0-0-gf21b5a4) BUILD: gcc: (coreboot toolchain v1.52 June 11th, 2018) 8.1.0 binutils: (GNU Binutils) 2.30 SeaBIOS (version rel-1.13.0-0-gf21b5a4) @@ -257,12 +253,12 @@ Found mainboard Intel cmlrvp Time to launch some Linux. I had at hand a USB with already installed Debian Buster, so I simply plugged it in USB port and connected a HDMI cable for -display. But... No graphics output from Linux. Well that is expected. We did -not configure any graphics initialization method. By default coreboot and -SeaBIOS will launch the option ROMs, but we didn't include one for graphics yet +display. But... No graphics output from Linux. Well that is expected. We did not +configure any graphics initialization method. By default coreboot and SeaBIOS +will launch the option ROMs, but we didn't include one for graphics yet (integrated graphics requires external VGA ROM). Unfortunately Comet Lake S -golden binary does not include VGA option rom. What to do in such situations? -We have basically 3 choices: +golden binary does not include VGA option rom. What to do in such situations? We +have basically 3 choices: - somehow get the VGA option ROM - use coreboot's libgfxinit (no go for now, since Comet Lake is rather not @@ -271,9 +267,9 @@ We have basically 3 choices: in FSP You may find these options in coreboot configuration menu under `Devices` -submenu as `Graphics initialization` option. Select `Run a GOP driver` there -and it will automatically select to add VBT. Where to find VBT? You may use the -one included in FSP directory: +submenu as `Graphics initialization` option. Select `Run a GOP driver` there and +it will automatically select to add VBT. Where to find VBT? You may use the one +included in FSP directory: `3rdparty/fsp/CometLakeFspBinPkg/CometLakeS/SampleCode/Vbt.bin` but it may not be suited for your platform. Best way to obtain it is to extract it from the platform firmware image. Again we will use the UEFITool. Now you have to search @@ -288,20 +284,20 @@ Linux do not print on memory mapped serial console): [![asciicast](https://asciinema.org/a/354741.svg)](https://asciinema.org/a/354741?speed=1) -## Summary +### Summary -The road of a firmware developer is not easy at the beginning. But with time -you earn experience and a sort of intuition that helps you locate and resolve -the problems pretty quickly. The more problems you resolve the more knowledge -you gather and things become more and more easier. Unfortunately booting newer -microarchitectures will not become simpler, so it is good to experiment with -new hardware, so that when real products and project come, you know what -problems to expect and how to deal with them. +The road of a firmware developer is not easy at the beginning. But with time you +earn experience and a sort of intuition that helps you locate and resolve the +problems pretty quickly. The more problems you resolve the more knowledge you +gather and things become more and more easier. Unfortunately booting newer +microarchitectures will not become simpler, so it is good to experiment with new +hardware, so that when real products and project come, you know what problems to +expect and how to deal with them. If you are OEM/ODM trying to build hardware and firmware on top of Comet Lake -microarchitecture and looking for support in the firmware field, do not -hesitate and [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) +microarchitecture and looking for support in the firmware field, do not hesitate +and [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or drop us email to `contact3mdebcom`. We will help you in improving the security of your firmware and boost your product by leveraging advanced features of used hardware platform. If you are interested in similar content -feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) \ No newline at end of file +feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-09-03-3mdeb_Q2.md b/blog/content/post/2020-09-03-3mdeb_Q2.md index f35c2a5a..fca0ff2d 100644 --- a/blog/content/post/2020-09-03-3mdeb_Q2.md +++ b/blog/content/post/2020-09-03-3mdeb_Q2.md @@ -2,7 +2,7 @@ title: 3mdeb contribution 2020'Q2 abstract: 'The second post on 3mdeb contribution summary! The second quarter of 2020 has brought new merged patches. Check the samples of - code that we succesfully contributed and feel free to use them in your + code that we successfully contributed and feel free to use them in your own projects.' cover: /covers/combined-logos.png author: kamila.banecka @@ -39,79 +39,77 @@ patches that have not been merged yet) getting in total over `17,5k` [SLOC](https://en.wikipedia.org/wiki/Source_lines_of_code) in `35` unique projects so far. -## Our contributions: -
    +## Our contributions ![coreboot logo](/covers/coreboot-logo.svg) 1. [coreboot](https://coreboot.org/) - > coreboot is an extended firmware framework that delivers a lightning fast - > and secure boot experience on modern computers and embedded systems. As - > an Open Source project it provides auditability and maximum control over - > technology. + > coreboot is an extended firmware framework that delivers a lightning fast + > and secure boot experience on modern computers and embedded systems. As an + > Open Source project it provides auditability and maximum control over + > technology. - Full list of 2020'Q2 patches: + Full list of 2020'Q2 patches: - Author | Category | Patch | URL - -------------------|---------------------|-------|---- - Michał Żygowski | payloads/external | Pass hardware IRQ option to SeaBIOS Makefile | [link](https://review.coreboot.org/c/coreboot/+/41147) - Piotr Kleinschmidt | pcengines/apu1 | Unset UsbRxMode to avoid platform reset issue | [link](https://review.coreboot.org/c/coreboot/+/41627) - Piotr Kleinschmidt | pcengines/apu2 | unify hexadecimal notation using capital letters | [link](https://review.coreboot.org/c/coreboot/+/42388) - Michał Żygowski | protectli/vault_kbl | Enable Intel PTT | [link](https://review.coreboot.org/c/coreboot/+/42565) - Piotr Kleinschmidt | pcengines/apu1 | reorder includes | [link](https://review.coreboot.org/c/coreboot/+/42512) +| Author | Category | Patch | URL | +|-------------------|---------------------|--------|----------| +| Michał Żygowski | payloads/external | Pass hardware IRQ option to SeaBIOS Makefile | [link](https://review.coreboot.org/c/coreboot/+/41147) | +| Piotr Kleinschmidt| pcengines/apu1 | Unset UsbRxMode to avoid platform reset issue | [link](https://review.coreboot.org/c/coreboot/+/41627) | +| Piotr Kleinschmidt| pcengines/apu2 | Unify hexadecimal notation using capital letters | [link](https://review.coreboot.org/c/coreboot/+/42388) | +| Michał Żygowski | protectli/vault_kbl| Enable Intel PTT | [link](https://review.coreboot.org/c/coreboot/+/42565) | +| Piotr Kleinschmidt| pcengines/apu1 | Reorder includes | [link](https://review.coreboot.org/c/coreboot/+/42512) | - --- -
    + --- - ![TrenchBoot logo](/covers/trenchboot-logo.png) + ![TrenchBoot logo](/covers/trenchboot-logo.png) -2. [TrenchBoot/landing-zone](https://github.com/TrenchBoot/landing-zone/) +1. [TrenchBoot/landing-zone](https://github.com/TrenchBoot/landing-zone/) - > TrenchBoot is a framework that allows individuals and projects to build - > security engines to perform launch integrity actions for their systems. - > The framework builds upon Boot Integrity Technologies (BITs) that - > establish one or more Roots of Trust (RoT) from which a degree of - > confidence that integrity actions were not subverted. + > TrenchBoot is a framework that allows individuals and projects to build + > security engines to perform launch integrity actions for their systems. The + > framework builds upon Boot Integrity Technologies (BITs) that establish one + > or more Roots of Trust (RoT) from which a degree of confidence that + > integrity actions were not subverted. - Full list of 2020'Q2 patches: + Full list of 2020'Q2 patches: - Author | Category | Patch | URL - ----------------|----------|-------|---- - Krystian Hebel | Build | support kernels with embedded initramfs | [link](https://github.com/TrenchBoot/landing-zone/pull/54) - Krystian Hebel | Build | TPM unmerge | [link](https://github.com/TrenchBoot/landing-zone/pull/53) +| Author | Category | Patch | URL | +|----------------|----------|------------------------------------------------|----------------------------------------------------------------------| +| Krystian Hebel | Build | Support kernels with embedded initramfs | [link](https://github.com/TrenchBoot/landing-zone/pull/54) | +| Krystian Hebel | Build | TPM unmerge | [link](https://github.com/TrenchBoot/landing-zone/pull/53) | - Code for TPM support no longer consists of one big, merged file, it uses the - original form of tpmlib instead. It is included as a git submodule, which - should make it easier to keep up to date. + Code for TPM support no longer consists of one big, merged file, it uses the + original form of tpmlib instead. It is included as a git submodule, which + should make it easier to keep up to date. + + --- - --- -
    ![Chirpstack logo](/img/chirpstacklogo.png) -
    -3. [chirpstack-gateway-os](https://www.chirpstack.io/gateway-os/) +1. [chirpstack-gateway-os](https://www.chirpstack.io/gateway-os/) - > ChirpStack Gateway OS is an open-source Linux based embedded OS which can - > run on various LoRa® gateway models. The goal is to make it easy to get - > started with LoRaWAN® and the ChirpStack open-source LoRaWAN Network - > Server stack with the minimum steps required to setup your gateway(s). + > ChirpStack Gateway OS is an open-source Linux based embedded OS which can + > run on various LoRa® gateway models. The goal is to make it easy to get + > started with LoRaWAN® and the ChirpStack open-source LoRaWAN Network Server + > stack with the minimum steps required to setup your gateway(s). - Patch released in 2020'Q2: + Patch released in 2020'Q2: - Author | Category | Patch | URL - ----------------|----------|-------|---- - Maciej Pijanowski | Build | Update to dunfell | [link](https://github.com/brocaar/chirpstack-gateway-os/commit/a8170775aaadb108f2078aa213adcde37e4a6da8) +| Author | Category | Patch | URL | +|--------------------|----------|-------------------|-----------------------------------------------------------------------------------------------| +| Maciej Pijanowski | Build | Update to dunfell | [link](https://github.com/brocaar/chirpstack-gateway-os/commit/a8170775aaadb108f2078aa213adcde37e4a6da8) | - We have updated the chirpstack-gateway-os to the latest Yocto release - (dunfell) and improved chirpstack Golang Yocto recipies in order to avoid - shipping binaries. + We have updated the chirpstack-gateway-os to the latest Yocto release + (dunfell) and improved chirpstack Golang Yocto recipes in order to avoid + shipping binaries. ## In the future We are keep progressing, having interesting merge and pull requests that are in the review state or marked as work in progress. We will be developing -**TrenchBoot/landing-zone** project, working on [Multiboot2](https://github.com/TrenchBoot/landing-zone/pull/28), +**TrenchBoot/landing-zone** project, working on +[Multiboot2](https://github.com/TrenchBoot/landing-zone/pull/28), [Event log](https://github.com/TrenchBoot/landing-zone/pull/52), and [Headers redesign](https://github.com/TrenchBoot/landing-zone/pull/56). @@ -121,7 +119,8 @@ find open source related activities and achievements on [opensource.3mdeb.com](https://opensource.3mdeb.com/). If you are looking for open source containers, check our newly created subdomain that is full of docker containers maintained by our team or forked from Open Source projects with -additional useful adjustments: [containers.3mdeb.com](https://containers.3mdeb.com/). +additional useful adjustments: +[containers.3mdeb.com](https://containers.3mdeb.com/). ## Summary @@ -134,7 +133,7 @@ open source family! If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of a used hardware platform, feel free to [book a call with -us](https://calendly.com/3mdeb/consulting-remote-meeting) or drop us email to -`contact3mdebcom`. If you are interested in similar content feel free -to [sign up to our newsletter](http://eepurl.com/doF8GX) +of a used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-09-07-trenchboot-multiboot2-support.md b/blog/content/post/2020-09-07-trenchboot-multiboot2-support.md index 5945423b..536c9c82 100644 --- a/blog/content/post/2020-09-07-trenchboot-multiboot2-support.md +++ b/blog/content/post/2020-09-07-trenchboot-multiboot2-support.md @@ -21,7 +21,7 @@ categories: --- -If you haven't read previous blog posts from *TrenchBoot* series, we strongly +If you haven't read previous blog posts from _TrenchBoot_ series, we strongly encourage to catch up on it. Best way, is to search under [TrenchBoot](https://blog.3mdeb.com/tags/trenchboot/) tag. This article roughly describes how to start Multiboot2 kernels on the top of Landing Zone. As an @@ -47,7 +47,8 @@ structure. This also forbids the use of variable length fields, unless such field is the last one in the structure, but this in turn means that we can't add new fields anymore. -We decided to implement something similar to [Multiboot2 boot information format](https://www.gnu.org/software/grub/manual/multiboot2/multiboot.html#Boot-information-format). +We decided to implement something similar to +[Multiboot2 boot information format](https://www.gnu.org/software/grub/manual/multiboot2/multiboot.html#Boot-information-format). This gives a good compromise between ease of use, relatively low size and ability to add new features in the future. We also don't have to pass the pieces of information (tags) that are not relevant for the other boot protocols than @@ -66,27 +67,27 @@ tags, not just the ones known to the LZ. This is an example of what the LZ tag looks like: -```c +```bashc struct lz_tag_hdr { - u8 type; - u8 len; + u8 type; + u8 len; } __packed; struct lz_tag_boot_mb2 { - struct lz_tag_hdr hdr; - u32 mbi; - u32 kernel_entry; - u32 kernel_size; + struct lz_tag_hdr hdr; + u32 mbi; + u32 kernel_entry; + u32 kernel_size; } __packed; ``` They can also have a variable length: -```c +```bashc struct lz_tag_hash { - struct lz_tag_hdr hdr; - u16 algo_id; - u8 digest[]; + struct lz_tag_hdr hdr; + u16 algo_id; + u8 digest[]; } __packed; ``` @@ -122,7 +123,8 @@ we used before for obtaining and printing the event log. ### Important parts of Multiboot2 specification From the Multiboot2 specification we need mostly just two sections. The first -one is [Machine state](https://www.gnu.org/software/grub/manual/multiboot2/multiboot.html#I386-machine-state), +one is +[Machine state](https://www.gnu.org/software/grub/manual/multiboot2/multiboot.html#I386-machine-state), which tells what the CPU registers values should be. It isn't very restrictive, it just requires that the CPU is in flat protected mode with no paging, where all segment registers are properly set. Just two general purpose registers have @@ -165,27 +167,30 @@ starts it through the usual entry point, not the Secure Launch one. The rebuild is needed for starting Linux directly, though. Below are the links to the branches from which the components should be built: -* [iPXE](https://github.com/3mdeb/ipxe/tree/headers_redesign) ([build instructions](https://blog.3mdeb.com/2020/2020-06-01-ipxe_lz_support/#building-ipxe-binary)) -* [GRUB2](https://github.com/3mdeb/grub/tree/lz_tags) ([instructions for NixOS](https://blog.3mdeb.com/2020/2020-07-03-trenchboot-grub-cbfs/#grub-package-update)) -* [Landing Zone](https://github.com/3mdeb/landing-zone/tree/headers_redesign) -* [Linux kernel](https://github.com/3mdeb/linux/tree/amd_event_log) +- [iPXE](https://github.com/3mdeb/ipxe) + ([build instructions](https://blog.3mdeb.com/2020/2020-06-01-ipxe_lz_support/#building-ipxe-binary)) +- [GRUB2](https://github.com/3mdeb/grub/tree/lz_tags) + ([instructions for NixOS](https://blog.3mdeb.com/2020/2020-07-03-trenchboot-grub-cbfs/#grub-package-update)) +- [Landing Zone](https://github.com/3mdeb/landing-zone/tree/headers_redesign) +- [Linux kernel](https://github.com/3mdeb/linux/tree/amd_event_log) -All binaries (except for GRUB2) can be found [here](https://boot.3mdeb.com/tb/mb2/). -Initramfs with busybox, `tpm2_pcrread` and `cbmem` modified as [described below](#obtaining-drtm-event-log) -is also available there. You can save these files on disk or run them directly -from iPXE. +All binaries (except for GRUB2) can be found +[here](https://boot.3mdeb.com/tb/mb2/). Initramfs with busybox, `tpm2_pcrread` +and `cbmem` modified as [described below](#obtaining-drtm-event-log) is also +available there. You can save these files on disk or run them directly from +iPXE. #### iPXE For the iPXE bootloader, most of the image loading commands are actually aliases to a different command. As a result, the LZ, Linux kernel and initramfs can all be loaded with the same command. iPXE discovers what image format it is by -comparing magic numbers specific for given image type. Order of commands -*should not* matter, but from our experience this is not always true - memory -management in iPXE is poor, it also doesn't take into account that some of the -components are later decompressed in place. +comparing magic numbers specific for given image type. Order of commands _should +not_ matter, but from our experience this is not always true - memory management +in iPXE is poor, it also doesn't take into account that some of the components +are later decompressed in place. -``` +```bash dhcp # or set IP address manually module http://url/to/lz_header.bin kernel http://url/to/xen dom0_mem=2048M loglvl=all guest_loglvl=all com1=115200,8n1 console=com1 @@ -194,12 +199,14 @@ module http://url/to/initramfs.cpio boot ``` -You can also [chainload modified iPXE](https://blog.3mdeb.com/2020/2020-06-01-ipxe_lz_support/#ipxe) -from the unmodified one, using binaries from [here](https://boot.3mdeb.com/tb/mb2/). +You can also +[chainload modified iPXE](https://blog.3mdeb.com/2020/2020-06-01-ipxe_lz_support/#ipxe) +from the unmodified one, using binaries from +[here](https://boot.3mdeb.com/tb/mb2/). #### GRUB2 -``` +```bash slaunch skinit slaunch_module path/to/lz_header.bin multiboot2 path/to/xen dom0_mem=2048M loglvl=all guest_loglvl=all com1=115200,8n1 console=com1 @@ -215,8 +222,8 @@ coreboot tables (in which DRTM event log is located, along with other tables) are not cleared, the forwarding table is. > Forwarding table is a short table containing pointer to the main table. It is -> located in either `0-0x1000` or `0xf0000-0xf1000` memory ranges. This reduces the -> time required to find it, while giving the ability to put the bigger main +> located in either `0-0x1000` or `0xf0000-0xf1000` memory ranges. This reduces +> the time required to find it, while giving the ability to put the bigger main > tables somewhere else. The main tables are near the top of RAM (but below 4 GB so they can be accessed @@ -224,12 +231,13 @@ from 32b operating systems), in the same range as the ACPI tables, just above them. We added two switches to the `cbmem` utility to allow searching for coreboot tables in range defined by user. Those options are: -``` +```bash -a | --addr address: set base address -s | --size size: set table size. Change is applied only if address is also specified ``` -Code has been uploaded to the [develop branch of coreboot](https://github.com/pcengines/coreboot/tree/develop), +Code has been uploaded to the +[develop branch of coreboot](https://github.com/pcengines/coreboot/tree/develop), it will be included in the following releases. To build `cbmem` run these commands: @@ -246,7 +254,7 @@ There are many ways to do this, but the easiest and most universal one is through `dmesg`. Near the beginning of kernel logs we can see something like this: -``` +```bash BIOS-provided physical RAM map: Xen: [mem 0x0000000000000000-0x000000000009efff] usable Xen: [mem 0x000000000009fc00-0x00000000000fffff] reserved @@ -289,7 +297,7 @@ Knowing those values we can now try to read the DRTM event log: DRTM TPM2 log: Specification: 2.00 Platform class: PC Client - Vendor information: + Vendor information: DRTM TPM2 log entry 1: PCR: 17 Event type: Unknown (0x502) @@ -352,6 +360,7 @@ us know in a comment below. If you think we can help in improving the security of your firmware or you are looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX). +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2020-09-18-qubes_fwupd_heads_uefi.md b/blog/content/post/2020-09-18-qubes_fwupd_heads_uefi.md index d9e5fbcd..f05a1e69 100644 --- a/blog/content/post/2020-09-18-qubes_fwupd_heads_uefi.md +++ b/blog/content/post/2020-09-18-qubes_fwupd_heads_uefi.md @@ -24,10 +24,10 @@ categories: --- As you may know from the previous -[blog post](https://blog.3mdeb.com/2020/2020-07-14-qubesos-fwupd-core/), -the qubes-fwupd is the wrapper that allows you to update the firmware of your -devices in the Qubes OS. This time I will briefly describe the new -features, whereby you will securely update your system firmware. +[blog post](https://blog.3mdeb.com/2020/2020-07-14-qubesos-fwupd-core/), the +qubes-fwupd is the wrapper that allows you to update the firmware of your +devices in the Qubes OS. This time I will briefly describe the new features, +whereby you will securely update your system firmware. ## UEFI update capsule @@ -49,8 +49,8 @@ to the dom0 kernel that gives access to the ESRT tables if the OS is paravirtualized. Big kudos to Marek Marczykowski-Górecki, who helped us solve this problem. -``` -$ sudo qubes-fwupdmgr update +```bash +sudo qubes-fwupdmgr update ``` [![asciicast](https://asciinema.org/a/XH8SKNt4vEez6iIXEIhSxdZxC.svg)](https://asciinema.org/a/XH8SKNt4vEez6iIXEIhSxdZxC) @@ -63,21 +63,20 @@ If you want to reproduce our results, have a look at the Referring to the Heads documentation, it is an open source custom firmware and OS configuration for laptops and servers that aims to provide slightly better physical security and protection for data on the system. The Qubes OS is the -preferred operating system that should be used under the Heads. -If you are installing Heads for the first time, you need to take apart your -laptop. Then you need to use the SPI programmer to flash BIOS chips. A firmware -update could be done in the same way, but there are easier ways to provide it. -The first option is to build the Heads update file from the source and deliver -the firmware with a USB drive. qubes-fwupd wrapper offers another way to update -the Heads firmware. The fwupd daemon reads BIOS information from the DMI. Then -the wrapper compares the current version of firmware with the latest one -that exists in the [LVFS](https://fwupd.org/). If the update is available, -the qubes-fwupd downloads and extracts the cabinet archive. The wrapper -verifies and copies the ROM file to `/boot` directory. During the update -process, Heads detects the update file and asks the user if he wants to flash -the BIOS. - -``` +preferred operating system that should be used under the Heads. If you are +installing Heads for the first time, you need to take apart your laptop. Then +you need to use the SPI programmer to flash BIOS chips. A firmware update could +be done in the same way, but there are easier ways to provide it. The first +option is to build the Heads update file from the source and deliver the +firmware with a USB drive. qubes-fwupd wrapper offers another way to update the +Heads firmware. The fwupd daemon reads BIOS information from the DMI. Then the +wrapper compares the current version of firmware with the latest one that exists +in the [LVFS](https://fwupd.org/). If the update is available, the qubes-fwupd +downloads and extracts the cabinet archive. The wrapper verifies and copies the +ROM file to `/boot` directory. During the update process, Heads detects the +update file and asks the user if he wants to flash the BIOS. + +```bash sudo qubes-fwupdmgr update-heads --device=x230 --url=https://fwupd.org/downloads/firmware-3c81bfdc9db5c8a42c09d38091944bc1a05b27b0.xml.gz ``` @@ -92,14 +91,14 @@ Last but not least feature we added is the Whonix flag. It allows a user to use `sys-whonix` as a updateVM. `sys-whonix` ensures advanced anonymity during the downloads due to the TOR connection. -``` -$ sudo qubes-fwupdmgr refresh --whonix +```bash +sudo qubes-fwupdmgr refresh --whonix ``` [![asciicast](https://asciinema.org/a/5zJhIZeATwx9OYVOELoK69ZMo.svg)](https://asciinema.org/a/5zJhIZeATwx9OYVOELoK69ZMo) ## Summary -If you have any questions, suggestions, or ideas, feel free to share them in -the comment section. If you are interested in similar content, I encourage you -to [sign up for our newsletter](http://eepurl.com/doF8GX). +If you have any questions, suggestions, or ideas, feel free to share them in the +comment section. If you are interested in similar content, I encourage you to +[sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2020-09-23-raspberrypi_docker.md b/blog/content/post/2020-09-23-raspberrypi_docker.md index 32471250..f0a303be 100644 --- a/blog/content/post/2020-09-23-raspberrypi_docker.md +++ b/blog/content/post/2020-09-23-raspberrypi_docker.md @@ -21,23 +21,22 @@ categories: - App Dev --- -Have you ever been trying to automate something at home or at work? -Here it comes for the rescue Raspberry Pi along with Docker! With these tools, -you can create a lot of projects of small effort and low cost. +Have you ever been trying to automate something at home or at work? Here it +comes for the rescue Raspberry Pi along with Docker! With these tools, you can +create a lot of projects of small effort and low cost. ### What is Raspberry Pi? -Raspberry Pi represents of a small computer. It has all the basic -hardware components like memory, processor, etc. and extensions like USB, Wi-FI, -sound controller. Components of this device depend on the model that -you are using.Due to its small size, availability and low price -it is a very popular device that can perform everything you would expect from -typical PC. For example, you can play videos, browse the internet, -or even play some simple games. However, don't expect the Raspberry Pi -to be as good as the best PC on the market. It is decent computer with some -limitations and it would have some issues loading complex websites -or running more aggravating games, but still the possibilities of this device are -very impressive. For example, with Raspberry Pi you can create: +Raspberry Pi represents of a small computer. It has all the basic hardware +components like memory, processor, etc. and extensions like USB, Wi-FI, sound +controller. Components of this device depend on the model that you are using.Due +to its small size, availability and low price it is a very popular device that +can perform everything you would expect from typical PC. For example, you can +play videos, browse the internet, or even play some simple games. However, don't +expect the Raspberry Pi to be as good as the best PC on the market. It is decent +computer with some limitations and it would have some issues loading complex +websites or running more aggravating games, but still the possibilities of this +device are very impressive. For example, with Raspberry Pi you can create: - Retro Gaming Console, - Google Home, @@ -49,116 +48,116 @@ and a lot more! ### What is Docker? -Docker is an open source project helping developers that helps to create, deploy, -and run applications in a much simpler way by operating on so-called containers. -They are lightweight execution environments that share operating system kernel. -Except for sharing system kernel, containers are running in isolation -with each other. Containers allow us to store libraries, dependencies, -etc. in one place. By that, we can assume that the application will run -on any other device without worries of possible customized settings of -this particular machine. +Docker is an open source project helping developers that helps to create, +deploy, and run applications in a much simpler way by operating on so-called +containers. They are lightweight execution environments that share operating +system kernel. Except for sharing system kernel, containers are running in +isolation with each other. Containers allow us to store libraries, dependencies, +etc. in one place. By that, we can assume that the application will run on any +other device without worries of possible customized settings of this particular +machine. -___ +--- ### How to run Docker on Raspberry Pi? Installation Docker on Raspberry Pi is really fast and easy. Follow these steps: Download: + ```bash curl -fsSL https://get.docker.com -o get-docker.sh ``` Execute script: + ```bash sh get-docker.sh ``` -This script will detect OS, install packages, and run Docker. -This operation may take a while so you need to wait. In the end, -the script will output all necessary information about Docker and how to use it. -Additionally, if you want to run commands without prepending sudo -(as a non-root user) you have to add the user name to the Docker group. +This script will detect OS, install packages, and run Docker. This operation may +take a while so you need to wait. In the end, the script will output all +necessary information about Docker and how to use it. Additionally, if you want +to run commands without prepending sudo (as a non-root user) you have to add the +user name to the Docker group. Add user to Docker group: + ```bash sudo usermod -aG docker \$USER ``` -**Note:** ```$USER``` variable holds your username. -It comes from the environment. +**Note:** `$USER` variable holds your username. It comes from the environment. -Now Docker is set up on Raspberry Pi and finally, -you can do some cool stuff! +Now Docker is set up on Raspberry Pi and finally, you can do some cool stuff! ### How to use Docker? The basic concepts of Docker are **images** and **containers**. The first is -made of filesystem layers that allow to execute applications. -Images contain source code, dependencies, libraries, tools, or instructions for -installing and running an application. Dockerfile image is just a binary file -that is immutable for the user. The second one - containers are mutable beings -that are using Docker images as templates. images and containers may be -compared to classes and instances of this particular class in object-oriented -programming. +made of filesystem layers that allow to execute applications. Images contain +source code, dependencies, libraries, tools, or instructions for installing and +running an application. Dockerfile image is just a binary file that is immutable +for the user. The second one - containers are mutable beings that are using +Docker images as templates. images and containers may be compared to classes and +instances of this particular class in object-oriented programming. ![Docker Containers](/img/containersdocker.png) Docker images are available at a cloud-based registry service called -[Docker Hub](https://hub.docker.com/). -To search for an image (e.g. Debian), use the following commands: +[Docker Hub](https://hub.docker.com/). To search for an image (e.g. Debian), use +the following commands: ```bash sudo docker search debian ``` To start, manage, remove, and stop a container you will always -use```docker container``` command. -At this example, we will run Debian from the previous code. +use`docker container` command. At this example, we will run Debian from the +previous code. ```bash sudo docker container run debian ``` -This container will stop after executing, it doesn't have long-running processes. -To simplify let's say that there were two states: +This container will stop after executing, it doesn't have long-running +processes. To simplify let's say that there were two states: - booting up -> booted, - running commands -> empty command. -Then exit process. To interact with the container you have to use flag ```-it```. +Then exit process. To interact with the container you have to use flag `-it`. -``` +```bash sudo docker container run -it debian /bin/bash ``` To show all running Docker Containers use: -``` +```bash sudo docker container ls ``` -To show all containers use flag ```-a```: +To show all containers use flag `-a`: -``` +```bash sudo docker container ls -a ``` To delete container use (pass your container ID): -``` +```bash sudo docker container rm CONTAINER_ID ``` ### What are the advantages of using Docker with Raspberry Pi? Docker is giving you the ability to deploy applications with its main -dependencies without needing to reinstall the operating system or undoing -a botched upgrade. These two things are very important for embedded applications -and devices. They may need some redeployments which could brick a device. -Docker on AMR (Advanced RISC Machine) brings hardware products closer to the - SaaS (Software-as-a-Service) deployment. Continuous updates on the SaaS model -are something very obvious and taken for granted. Docker also allows sending +dependencies without needing to reinstall the operating system or undoing a +botched upgrade. These two things are very important for embedded applications +and devices. They may need some redeployments which could brick a device. Docker +on AMR (Advanced RISC Machine) brings hardware products closer to the SaaS +(Software-as-a-Service) deployment. Continuous updates on the SaaS model are +something very obvious and taken for granted. Docker also allows sending container differences to the device saving lots of bandwidth. This is another important thing for embedded devices which they can be often poorly connected. Another benefit of using Docker with Raspberry Pi is that you can run multiple @@ -167,136 +166,135 @@ where each of them is adding new functionality to our device. ### Docker security best practices -Docker is not like traditional infrastructure where -applications are hosted on virtual machines or bare-metal servers. -As a result, using containers is breaking some prior assumptions about -visibility. Regular maintenance and proper configuration are highly recommended -to organize servers and containers without any blind spots. There is a list of -best practices about optimizing the Docker environment. +Docker is not like traditional infrastructure where applications are hosted on +virtual machines or bare-metal servers. As a result, using containers is +breaking some prior assumptions about visibility. Regular maintenance and proper +configuration are highly recommended to organize servers and containers without +any blind spots. There is a list of best practices about optimizing the Docker +environment. -- Use images from a trusted source. -There are a lot of poorly configured containers or they can be infected -with malware. To avoid this enable -[Docker Content Trust (DCT)](https://docs.docker.com/engine/security/trust/content_trust/). +- Use images from a trusted source. There are a lot of poorly configured + containers or they can be infected with malware. To avoid this enable + [Docker Content Trust (DCT)](https://docs.docker.com/engine/security/trust/content_trust/). -- Harden the host. -You can consider using distributions of OS only for running containers. -Because of that even if someone will hack one container, the other ones will be safe. +- Harden the host. You can consider using distributions of OS only for running + containers. Because of that even if someone will hack one container, the other + ones will be safe. -- Don't mix containers to protect data. -It is a good practice to avoid mixing containers with different security -requirements. Sharing container infrastructures for multiple customers demand -a very high level of monitoring security. +- Don't mix containers to protect data. It is a good practice to avoid mixing + containers with different security requirements. Sharing container + infrastructures for multiple customers demand a very high level of monitoring + security. -- Use containers which are lightweight and short-living. -It is a bad practice to continually adding files to one container, -there will be a larger attack surface with not maintained areas. +- Use containers which are lightweight and short-living. It is a bad practice to + continually adding files to one container, there will be a larger attack + surface with not maintained areas. - Use Docker Bench Security. -[Docker Bench Security](https://hub.docker.com/r/docker/docker-bench-security) -is an analyzing tool of your configuration settings. + [Docker Bench Security](https://hub.docker.com/r/docker/docker-bench-security) + is an analyzing tool of your configuration settings. -- Use seccomp to filter system calls. -Every container is using a Linux kernel. If there are some vulnerabilities -with it our Docker host is also vulnerable. Seccomp (secure computing mode) -filters are enabling to you which system calls a container is allowed to make -to the Linux kernel. Because of that, we are limiting the attack surface. +- Use seccomp to filter system calls. Every container is using a Linux kernel. + If there are some vulnerabilities with it our Docker host is also vulnerable. + Seccomp (secure computing mode) filters are enabling to you which system calls + a container is allowed to make to the Linux kernel. Because of that, we are + limiting the attack surface. - -### Raspberry Pi projects and ideas: +### Raspberry Pi projects and ideas There are some interesting projects which can be done by anyone who has -Raspberry Pi and some engineering skills. Every project has step by -step guide so the entry threshold is very low. +Raspberry Pi and some engineering skills. Every project has step by step guide +so the entry threshold is very low. #### Yocto Project -The Yocto Project is an open-source collaboration project that helps -developers build custom Linux-based systems despite the hardware architecture. -The project gives a manageable set of tools and space. Embedded developers can -share configurations, software stacks, technologies, and best practices that can -be used to perform tailored Linux images for embedded and IoT devices, -or anywhere a customized Linux OS is needed. As an open-source project, -the Yocto Project works with a hierarchical governance structure based on -meritocracy and managed by its chief architect. [There](https://www.yoctoproject.org/) -you can read more about this project. +The Yocto Project is an open-source collaboration project that helps developers +build custom Linux-based systems despite the hardware architecture. The project +gives a manageable set of tools and space. Embedded developers can share +configurations, software stacks, technologies, and best practices that can be +used to perform tailored Linux images for embedded and IoT devices, or anywhere +a customized Linux OS is needed. As an open-source project, the Yocto Project +works with a hierarchical governance structure based on meritocracy and managed +by its chief architect. [There](https://www.yoctoproject.org/) you can read more +about this project. #### RPI build -RPI build is an open-source project that 3mdeb have participated in. -It is a tool to build, install and release Linux kernels -for the Raspberry Pi platform. Check documentation -[here](https://github.com/notro/rpi-build). +RPI build is an open-source project that 3mdeb have participated in. It is a +tool to build, install and release Linux kernels for the Raspberry Pi platform. +Check documentation [here](https://github.com/notro/rpi-build). #### Smart home hub + The IoT technology connects smart home devices like lights, locks, or security -cameras but you have to control them by something. Often you can use just -a phone to monitor and change states of these devices but if you use multiple -products from different services they might not communicate well with each other. -The hub is a center of your home automation system, it allows you to control -them easily. Nowadays smart technology is a common feature using everywhere. -If you are a person who wants to automate a lot of processes in your home there -is an easy way to do it at a low cost using Raspberry Pi. There is a -[step by step guide](https://www.forbes.com/sites/forbes-personal-shopper/2018/07/12/everything-you-need-to-set-up-raspberry-pi-home-automation/#4bf1a2f74cdb) written on Forbes magazine how to set up Raspberry Pi -for a smart home hub. +cameras but you have to control them by something. Often you can use just a +phone to monitor and change states of these devices but if you use multiple +products from different services they might not communicate well with each +other. The hub is a center of your home automation system, it allows you to +control them easily. Nowadays smart technology is a common feature using +everywhere. If you are a person who wants to automate a lot of processes in your +home there is an easy way to do it at a low cost using Raspberry Pi. There is a +[step by step guide](https://www.forbes.com/sites/forbes-personal-shopper/2018/07/12/everything-you-need-to-set-up-raspberry-pi-home-automation/#4bf1a2f74cdb) +written on Forbes magazine how to set up Raspberry Pi for a smart home hub. #### AI assistant -An artificial intelligence assistant is a software agent which means that -is a computer program acting for a user or other program in a relationship -of agency. AI assistant is performing tasks for an individual based on questions -or commands. Now you can create one using Raspberry Pi instead of buying -expensive devices from big corporations like Google or Amazon. -Google established cooperation with [The MagPi](https://magpi.raspberrypi.org/), -official Raspberry Pi magazine. This cooperation has provided addons that enable -producers to add artificial intelligence and voice control to -Raspberry Pi projects. There is an official -[documentation](https://developers.google.com/assistant/sdk/overview) + +An artificial intelligence assistant is a software agent which means that is a +computer program acting for a user or other program in a relationship of agency. +AI assistant is performing tasks for an individual based on questions or +commands. Now you can create one using Raspberry Pi instead of buying expensive +devices from big corporations like Google or Amazon. Google established +cooperation with [The MagPi](https://magpi.raspberrypi.org/), official Raspberry +Pi magazine. This cooperation has provided addons that enable producers to add +artificial intelligence and voice control to Raspberry Pi projects. There is an +official [documentation](https://developers.google.com/assistant/sdk/overview) of Google Assistant on Raspberry Pi. #### Smart TV -If you have some old TV without Smart technology you can connect -it to the internet with all features with Raspberry Pi. Your new Smart TV will -have new abilities like streaming Netflix, play media from USB storage, search -the web through Google, or check news and weather. Buying a brand new TV -is expensive, there is always a cheaper way if you have some skills -as an engineer. However, don't bother if you are a newbie to Raspberry Pi. -There are a lot of information on the internet and instructions are mostly -written clearly. There is a + +If you have some old TV without Smart technology you can connect it to the +internet with all features with Raspberry Pi. Your new Smart TV will have new +abilities like streaming Netflix, play media from USB storage, search the web +through Google, or check news and weather. Buying a brand new TV is expensive, +there is always a cheaper way if you have some skills as an engineer. However, +don't bother if you are a newbie to Raspberry Pi. There are a lot of information +on the internet and instructions are mostly written clearly. There is a [step by step guide](https://www.instructables.com/id/Make-any-Dumb-TV-a-Smart-TV/) -how to create Smart TV from regular TV using Raspberry Pi -and free software called Kodi. +how to create Smart TV from regular TV using Raspberry Pi and free software +called Kodi. #### Garage opener with plate recognition -There are many projects with openers on the button but we want to automate -it a little bit more. In this project, Raspberry Pi will help us detect which -car is standing in front of our garage door and then check if this particular -car has permissions to access. Everything can be created easily with a simple -camera and [OpenALPR](https://www.openalpr.com/) service of plate verification. -There is a + +There are many projects with openers on the button but we want to automate it a +little bit more. In this project, Raspberry Pi will help us detect which car is +standing in front of our garage door and then check if this particular car has +permissions to access. Everything can be created easily with a simple camera and +[OpenALPR](https://www.openalpr.com/) service of plate verification. There is a [guide](https://randomnerdtutorials.com/car-plate-recognition-system-with-raspberry-pi-and-node-red/) with all prerequisites. ## Summary + Raspberry Pi is a very powerful, small, and cheap device. The number of projects -is infinitely big and the only barrier is your imagination. -There are a lot of add-ons, tools, and controllers which are working perfectly -with Raspberry Pi. I think that every developer or engineer should interest -in this subject and try to do some stuff on his own. The entry threshold is very -low because of a large number of projects on the internet. You can find all the -things you need to develop projects. If you are a newbie I would recommend you -follow instructions on some projects of the previous list. There are also a lot -of open-source projects of Raspberry Pi which can be very interesting. You can -find them [here](https://awesomeopensource.com/projects/raspberry-pi). -If you finish some projects you can try to extend one from the open-source list. -3mdeb is highly recommending open source software because working with these -kinds of projects is strongly developing you to be a better engineer. -The code is publicly accessible and modifiable which allows you to expand -it for your purposes without any restrictions. If you are interested in an -open-source you can check where we have contributed. -[3mdeb open-source](https://opensource.3mdeb.com/) +is infinitely big and the only barrier is your imagination. There are a lot of +add-ons, tools, and controllers which are working perfectly with Raspberry Pi. I +think that every developer or engineer should interest in this subject and try +to do some stuff on his own. The entry threshold is very low because of a large +number of projects on the internet. You can find all the things you need to +develop projects. If you are a newbie I would recommend you follow instructions +on some projects of the previous list. There are also a lot of open-source +projects of Raspberry Pi which can be very interesting. You can find them +[here](https://awesomeopensource.com/projects/raspberry-pi). If you finish some +projects you can try to extend one from the open-source list. 3mdeb is highly +recommending open source software because working with these kinds of projects +is strongly developing you to be a better engineer. The code is publicly +accessible and modifiable which allows you to expand it for your purposes +without any restrictions. If you are interested in an open-source you can check +where we have contributed. [3mdeb open-source](https://opensource.3mdeb.com/) If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) \ No newline at end of file +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-09-30-system_latency.md b/blog/content/post/2020-09-30-system_latency.md index 58c599e3..a04994f4 100644 --- a/blog/content/post/2020-09-30-system_latency.md +++ b/blog/content/post/2020-09-30-system_latency.md @@ -1,6 +1,6 @@ --- title: Latency - The most crucial aspect of real-time systems. -abstract: "What in reality is RT system? This post will explain what to expect +abstract: "What in reality is RT system? This post will explain what to expect from Real-Time systems and how can we test performance in this kind of builds." author: jakub.lecki cover: /covers/activity_monitor.png @@ -20,30 +20,31 @@ categories: --- ## Intro + Many words have been spoken about RT systems and their supremacy over typical systems in specific fields. But should we trust their name? Real-Time?\ -As usual, the answer is no. RT system just trying to be what they're called, -that means, react to triggers like interruptions and response immediately. -More often it's just not later than the strictly defined time, called latency. +As +usual, the answer is no. RT system just trying to be what they're called, that +means, react to triggers like interruptions and response immediately. More often +it's just not later than the strictly defined time, called latency. ## Strategy -So how can we measure the 'quality' of our rt system? -Let's say we want a task to be woken up after 200 us. -To this task, we can use a timer which will generate interruption -when the time runs out and wake up the task. -Before we put the task to sleep lets get and remember the current time in some -kind of variable. +So how can we measure the 'quality' of our rt system? Let's say we want a task +to be woken up after 200 us. To this task, we can use a timer which will +generate interruption when the time runs out and wake up the task. Before we put +the task to sleep lets get and remember the current time in some kind of +variable. 1. The start point of measuring kernel latencies is when the interrupt occurs. -2. The First thing kernel must do is observe it and while there is a lot to do +1. The First thing kernel must do is observe it and while there is a lot to do and to observe even that part can take some time. -3. After that, relevant ISR is called to handle interruption(in our case to wake +1. After that, relevant ISR is called to handle interruption(in our case to wake up the task) -4. Next goes the kernel scheduler whose job is to manage all of the processes +1. Next goes the kernel scheduler whose job is to manage all of the processes working in the system. When our task has been woken up, it was placed on the CPU queue indeed. So now it's the scheduler thing to handle the task ASAP. -5. When it's time come, CPU starts to process the task and we can end measuring +1. When it's time come, CPU starts to process the task and we can end measuring the latency. After that, we can once again get the current time, subtract it from the time @@ -51,7 +52,7 @@ before we put the task to sleep, and get the latency by subtracting time difference with the time given to timer. The given example is the exact methodology of the -[`cyclictest`](http://manpages.ubuntu.com/manpages/cosmic/man8/cyclictest.8.html) +[`cyclictest`](https://web.archive.org/web/20190717084727/http://manpages.ubuntu.com/manpages/cosmic/man8/cyclictest.8.html) test program for testing system latencies which will be using here by us. ### Additional load @@ -62,152 +63,76 @@ and [`stressapptest`](http://manpages.ubuntu.com/manpages/trusty/man1/stressapptest.1.html) can be used. -* [`Hackbench`](http://manpages.ubuntu.com/manpages/xenial/man8/hackbench.8.html)- +- [`Hackbench`](http://manpages.ubuntu.com/manpages/xenial/man8/hackbench.8.html)- tool for stressing kernel scheduler by creating pairs of threads communicating with each other via sockets -* [`Stressapptest`](http://manpages.ubuntu.com/manpages/trusty/man1/stressapptest.1.html)- +- [`Stressapptest`](http://manpages.ubuntu.com/manpages/trusty/man1/stressapptest.1.html)- program for generating a realistic load of memory, CPU, and I/O by creating a specified amount of threads writing to memory, to file, or communicate with given IP server ## Testing platform -Tests will be performed on an i.mx8 platform with two builds of yocto-linux. -A Regular version and a specially configured as RT using +Tests will be performed on an i.mx8 platform with two builds of yocto-linux. A +Regular version and a specially configured as RT using [rt patch](https://mirrors.edge.kernel.org/pub/linux/kernel/projects/rt/). ## Tests cases To get a complete system's characteristic at least a couple of tests with a different load must be performed. To get fully reliable results, a test's time -must take at least a couple of hours. -Although in our case to demonstrate results each test will take around 1 hour +must take at least a couple of hours. Although in our case to demonstrate +results each test will take around 1 hour Test sheet: -* **_CASE 1:_** `cyclictest` with no load +- **_CASE 1:_** `cyclictest` with no load -* **_CASE 2:_** `cyclictest` with `hackbench` sending 128B data packages +- **_CASE 2:_** `cyclictest` with `hackbench` sending 128B data packages -* **_CASE 3:_** `cyclictest` with `stressapptest` on 2 memory threads testing +- **_CASE 3:_** `cyclictest` with `stressapptest` on 2 memory threads testing 256MB of memory -* **_CASE 4:_** `cyclictest` with `stressapptest` on 4 memory threads testing +- **_CASE 4:_** `cyclictest` with `stressapptest` on 4 memory threads testing 256MB of memory -* **_CASE 5:_** `cyclictest` with `stressapptest` on 8 memory threads testing +- **_CASE 5:_** `cyclictest` with `stressapptest` on 8 memory threads testing 256MB of memory, 4 I/O threads and 4 network threads ## Results -* **_CASE 1:_**(No load) -_Regular Build_ - -_RT Build_ - - -* **_CASE 2:_**(with hackbench) -_Regular Build_ - -_RT Build_ - - -* **_CASE 3:_**(light stresstest) -_Regular Build_ - -_RT Build_ - - -* **_CASE 4:_**(medium stresstest) -_Regular Build_ - -_RT Build_ - - -* **_CASE 5:_**(hard stresstest) -_Regular Build_ - -_RT Build_ - - - - Maximum latency - - - - - - - - - - - - - - - - - - - - - - - - -
    - Build - - Case 1 - - Case 2 - - Case 3 - - Case 4 - - Case 5 -
    - RT - - 71us - - 97us - - 172us - - 157us - - 176us -
    - Actual - - 5959us - - 6167us - - 6195us - - 6153us - - 7937us -
    +- **_CASE 1:_** (No load) _Regular Build_ + ![Case 1 - RT Build](/img/system_latency_plots/normal/cyclic_alone.png) + +- **_CASE 2:_** (with hackbench) _Regular Build_ + ![Case 2 - RT Build](/img/system_latency_plots/normal/hack.png) + +- **_CASE 3:_** (light stresstest) _Regular Build_ + ![Case 3 - RT Build](/img/system_latency_plots/normal/cyc_stress_plots/stress_case_1.png) + +- **_CASE 4:_** (medium stresstest) _Regular Build_ + ![Case 4 - RT Build](/img/system_latency_plots/normal/cyc_stress_plots/stress_case_2.png) + +- **_CASE 5:_** (hard stresstest) _Regular Build_ + ![Case 5 - RT Build](/img/system_latency_plots/normal/cyc_stress_plots/stress_case_3.png) + +| Maximum latency | Case 1 | Case 2 | Case 3 | Case 4 | Case 5 | +|:---------------:|:------:|:------:|:------:|:------:|:------:| +| **RT** | 71us | 97us | 172us | 157us | 176us | +| **Actual** | 5959us | 6167us | 6195us | 6153us | 7937us | ### Conclusions As expected differences in these builds are huge. Even with no load regular build seems to not care about such thing as latency. Delays around 6ms of processing are almost visible to a human eye so there is no talking about -considering regular build in rt-requiring projects. -On the other hand, RT build yocto despite much better results, -may also cause problems. -Let's say in our project we use an external device that collecting data samples, -save them, and sending an interrupt to our main board to collect with 8KHz -frequency or higher, that means every 125 us. If interrupt handling -latency will be bigger than 125 us data on the external device -will be overwritten by next and lost. +considering regular build in rt-requiring projects. On the other hand, RT build +yocto despite much better results, may also cause problems. Let's say in our +project we use an external device that collecting data samples, save them, and +sending an interrupt to our main board to collect with 8KHz frequency or higher, +that means every 125 us. If interrupt handling latency will be bigger than 125 +us data on the external device will be overwritten by next and lost. ## Summary @@ -221,4 +146,4 @@ looking for someone who can boost your product by leveraging advanced features of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-10-08-PCIe-features.md b/blog/content/post/2020-10-08-PCIe-features.md index 8715ef6b..b180c9b0 100644 --- a/blog/content/post/2020-10-08-PCIe-features.md +++ b/blog/content/post/2020-10-08-PCIe-features.md @@ -27,41 +27,40 @@ lists some example capability described in PCI Express (PCIe) specification. Probably everyone knows about the existence of the PCIe standard. It is commonly used in PCs to connect various devices to the motherboard. Every possible modern -graphic card uses PCIe, most sound cards use it, it starts to become the standard -even for SSDs, and that's just a tip of the iceberg. But how does the OS communicate -with all of these devices and how does it know what these devices are capable of? -This post will bring you closer to knowing the answer for those questions, but -let's start from the beginning... +graphic card uses PCIe, most sound cards use it, it starts to become the +standard even for SSDs, and that's just a tip of the iceberg. But how does the +OS communicate with all of these devices and how does it know what these devices +are capable of? This post will bring you closer to knowing the answer for those +questions, but let's start from the beginning... PCI Express uses inverted tree topology. It starts from the Root Complex which is connected directly to the CPU and RAM. Root Complex branches to Switches and Endpoints. Switches branch founder and can be connected to more Switches or to -Endpoints. Endpoints reside at the bottom of branches and have only one -upstream Port (facing toward the Root). By comparison, a Switch may have several -downstream Ports, but can only one upstream Port. Possible are also Bridges -and Legacy Endpoints. Bridges are interfaces to other buses such as PCI. Legacy +Endpoints. Endpoints reside at the bottom of branches and have only one upstream +Port (facing toward the Root). By comparison, a Switch may have several +downstream Ports, but can only one upstream Port. Possible are also Bridges and +Legacy Endpoints. Bridges are interfaces to other buses such as PCI. Legacy Endpoints are devices which were designed for the operation of an older bus like PCI‐X but now have a PCIe interface. -![PCIe topology](/img/Example_PCI_Express_Topology.png) -Every Switch, Bridge and Endpoint is a PCIe Device. All Devices have at least one -Function, and each Function has its Configuration Space which is Device registers -mapped to either I/O memory space (used mostly by PCI Devices) or to normal -memory space. By writing or reading from this memory OS can exchange information -with a Function. For example OS can check the vendor of a Device by checking the -Vendor ID field in Configuration Space Header of this device function. +![PCIe topology](/img/Example_PCI_Express_Topology.png) Every Switch, Bridge and +Endpoint is a PCIe Device. All Devices have at least one Function, and each +Function has its Configuration Space which is Device registers mapped to either +I/O memory space (used mostly by PCI Devices) or to normal memory space. By +writing or reading from this memory OS can exchange information with a Function. +For example OS can check the vendor of a Device by checking the Vendor ID field +in Configuration Space Header of this device function. -###### In the Configuration Space we can find most importantly 2 structures: +### In the Configuration Space we can find most importantly 2 structures -- **Header** -![config header](/img/Pci-config-space.png) -It contains information like vendor ID, and Device ID, pointers to memory -assigned to the Function and pointer to first capability in linked list. +- **Header** ![config header](/img/Pci-config-space.png) It contains information + like vendor ID, and Device ID, pointers to memory assigned to the Function and + pointer to first capability in linked list. -- **Linked list of capabilities** -Each capability has its own header, it contains ID of the -capability, its version and pointer to the next capability in the list. Beneath -this header are mapped registers needed by the capability. +- **Linked list of capabilities** Each capability has its own header, it + contains ID of the capability, its version and pointer to the next capability + in the list. Beneath this header are mapped registers needed by the + capability. To check if a given capability is implemented by Function, a software has to search through the list and check if a given capability ID is present in it. @@ -69,13 +68,14 @@ search through the list and check if a given capability ID is present in it. ## What PCIe capability actually is It is nothing more than a predefined feature of the Device Function, a feature -that is known to be possible to be implemented in every Function, but most of them -are optional. Every capability has registers in a Device mapped to configuration -space. Those registers are a kind of interface to the capability. Some are read -only and contain information needed by the software, others are read/write and -can be used to pass information to the Function. +that is known to be possible to be implemented in every Function, but most of +them are optional. Every capability has registers in a Device mapped to +configuration space. Those registers are a kind of interface to the capability. +Some are read only and contain information needed by the software, others are +read/write and can be used to pass information to the Function. + +## List of capabilities structures -## List of capabilities structures: (This list can be incomplete) - **PCI Express Capability register block** @@ -83,63 +83,65 @@ can be used to pass information to the Function. This is one of the most important capability structure, it must be present in all PCIe Functions. It is a collection of various information about: -1. **Device** e.g.: +1. **Device** e.g.: + + - Maximum payload of Transaction Layer Packet size that the Function can + support, + - Maximum accepted change latency between power states. - - Maximum payload of Transaction Layer Packet size that the Function can support, - - Maximum accepted change latency between power states. +1. **Link** e.g.: -2. **Link** e.g.: + - Link max speed \[GT/s\] + - Link max width (number of lines) + - Link change latency between power states + - Port number for given Link - - Link max speed \[GT/s\] - - Link max width (number of lines) - - Link change latency between power states - - Port number for given Link +1. **Port** e.g.: -3. **Port** e.g.: - - - Physical slot number which is a chassis unique identifier for a slot. + - Physical slot number which is a chassis unique identifier for a slot. -4. **Hot-Plug** +1. **Hot-Plug** - Registers responsible for this capability are located in the Capability register - block. This capability allows change of Device in the PCIe slot at runtime. - By writing to registers corresponding to this capability OS can let the Root or - Switch Ports know to power Off or power On. After power is turned Off an user - can safely remove the Device, after inserting new one power should be turned On - to its Port. + Registers responsible for this capability are located in the Capability + register block. This capability allows change of Device in the PCIe slot at + runtime. By writing to registers corresponding to this capability OS can let + the Root or Switch Ports know to power Off or power On. After power is turned + Off an user can safely remove the Device, after inserting new one power + should be turned On to its Port. -5. **Baseline Error Reporting** +1. **Baseline Error Reporting** - Bits corresponding to this capability are located partially in the configuration - header, partially in the Capability register block. All of them must be present in - all PCIe Functions. Some bits of this capability are used to set error reporting, - others store status of errors. + Bits corresponding to this capability are located partially in the + configuration header, partially in the Capability register block. All of them + must be present in all PCIe Functions. Some bits of this capability are used + to set error reporting, others store status of errors. - **Power Management** -OS can manage the power environment of a Function directly by accessing registers -corresponding to this capability. OS can set Device state to one of 4 states. Two -of them (D0, D3) are mandatory and other 2 (D1, D2) can be optionally implemented. -D0 state is a state where the Function is fully operational and uses full power, -every next state (D1,D2,D3) uses lower power, but also takes more time to recover -to D0. +OS can manage the power environment of a Function directly by accessing +registers corresponding to this capability. OS can set Device state to one of 4 +states. Two of them (D0, D3) are mandatory and other 2 (D1, D2) can be +optionally implemented. D0 state is a state where the Function is fully +operational and uses full power, every next state (D1,D2,D3) uses lower power, +but also takes more time to recover to D0. - **Message Signaled Interrupts** -PCI has pins to let the central interrupt controller know that it needs to be serviced. -This improves efficiency of the CPU which does not need to check every Function -periodically, but it also significantly increases the number of needed lines. In -PCIe instead of additional lines special messages are used to signal interrupt. -Message Signaled Interrupts (MSI) allow the Function to write a small amount of -interrupt-describing data to a special memory-mapped I/O address. The interrupt -controller then delivers the corresponding interrupt to a processor. Data and -address to which they are being written are located in MSI capability structure. +PCI has pins to let the central interrupt controller know that it needs to be +serviced. This improves efficiency of the CPU which does not need to check every +Function periodically, but it also significantly increases the number of needed +lines. In PCIe instead of additional lines special messages are used to signal +interrupt. Message Signaled Interrupts (MSI) allow the Function to write a small +amount of interrupt-describing data to a special memory-mapped I/O address. The +interrupt controller then delivers the corresponding interrupt to a processor. +Data and address to which they are being written are located in MSI capability +structure. -___ +--- **All following capabilities are optional.** -___ +--- - **Extended Message Signaled Interrupts** @@ -185,37 +187,38 @@ capability structure, allowing bigger memory space allocation for Functions. The PCIe specification allows for peer-to-peer transactions. It is possible and even desirable in some cases for one PCIe Endpoint to send data directly to -another Endpoint without having to go through the Root Complex. ACS provides -a mechanism by which a Peer-to-Peer PCIe transaction can be forced to go up -through the PCIe Root Complex. ACS can be thought of as a kind of -gate-keeper - preventing unauthorized transactions from occurring. +another Endpoint without having to go through the Root Complex. ACS provides a +mechanism by which a Peer-to-Peer PCIe transaction can be forced to go up +through the PCIe Root Complex. ACS can be thought of as a kind of gate-keeper - +preventing unauthorized transactions from occurring. - **Multicast** -It enables sending packets to more than one Endpoint eliminating the need for the -host to write a unicast packet multiple times to each Endpoint which improves -efficiency of the CPU. +It enables sending packets to more than one Endpoint eliminating the need for +the host to write a unicast packet multiple times to each Endpoint which +improves efficiency of the CPU. - **Alternative Routing ID-Interpretation** The motivation for this optional feature is to increase the number of Function numbers available to Endpoints. Device numbers were useful in a shared‐bus -architecture like PCI but are not usually needed in a point‐to‐point architecture. -When Alternative Routing ID-Interpretation is used the Device number is always -zero and the Function number uses the 5 bits in the ID that were previously the -Device number. Effectively, the Device number goes away while the Function -number grows to 8 bits. +architecture like PCI but are not usually needed in a point‐to‐point +architecture. When Alternative Routing ID-Interpretation is used the Device +number is always zero and the Function number uses the 5 bits in the ID that +were previously the Device number. Effectively, the Device number goes away +while the Function number grows to 8 bits. ## Summary PCIe Devices use registers mapped into memory space to allow the OS to know what -Device’s feature set is. These registers are grouped into capabilities structures -defined by PCI Special Interest Group in PCIe specification. -This blog post was only an introduction to PCIe capabilities, the idea is to -describe some of them in detail in future posts. +Device’s feature set is. These registers are grouped into capabilities +structures defined by PCI Special Interest Group in PCIe specification. This +blog post was only an introduction to PCIe capabilities, the idea is to describe +some of them in detail in future posts. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-10-15-xen-implementation-for-trenchboot.md b/blog/content/post/2020-10-15-xen-implementation-for-trenchboot.md index 1d269e03..79530327 100644 --- a/blog/content/post/2020-10-15-xen-implementation-for-trenchboot.md +++ b/blog/content/post/2020-10-15-xen-implementation-for-trenchboot.md @@ -23,19 +23,19 @@ categories: --- **EDIT 02.2021**: The blog post refers to the development stage of adding -Trenchboot support for the Xen hypervisor. The upstream changes are available -in the following commit: -https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=e4283bf38aae6c2f88cdbdaeef0f005a1a5f6c78 +Trenchboot support for the Xen hypervisor. The upstream changes are available in +the following commit: + If you haven’t read previous blog posts from the TrenchBoot series, we strongly -encourage you to catch up on it. The best way is to search under the [TrenchBoot -tag](https://blog.3mdeb.com/tags/trenchboot/). In this blog post, we will -describe the development of the Xen hypervisor support for TrenchBoot. +encourage you to catch up on it. The best way is to search under the +[TrenchBoot tag](https://blog.3mdeb.com/tags/trenchboot/). In this blog post, we +will describe the development of the Xen hypervisor support for TrenchBoot. ## Global interrupt flag reinitialization -As we have mentioned in the previous [blog -post](https://blog.3mdeb.com/2020/2020-09-07-trenchboot-multiboot2-support/), +As we have mentioned in the previous +[blog post](https://blog.3mdeb.com/2020/2020-09-07-trenchboot-multiboot2-support/), until now the Landing Zone (LZ) has re-enabled the interrupts during the multiboot. But why it has to be done? @@ -48,7 +48,7 @@ is not able to drop into NMI context. The CPU uses the NMI context to prevent crashes during sensitive operations. The logs presented below shows the panic error caused by cleared GIF bit: -``` +```bash (XEN) Platform timer is 14.318MHz HPET (XEN) Detected 998.204 MHz processor. (XEN) @@ -62,10 +62,10 @@ error caused by cleared GIF bit: The solution to this problem is to set again the GIF after execution of `SKINIT`. We used `STGI` (Set Global Interrupt Flag) instruction for this -purpose. We created the function in the secure virtual machine (SVM) header -file (`svm.h`): +purpose. We created the function in the secure virtual machine (SVM) header file +(`svm.h`): -```C +```bashC static inline void svm_stgi(void) { asm volatile ( @@ -78,7 +78,7 @@ It calls `STGI` instruction this sets `GIF`. The function is called during the CPU initialization, before the enabling NMIs in [`common.c`](https://github.com/3mdeb/xen/pull/4/files#diff-1bebd72d2d87eeadb3d0df2d5448f3b3270f47245efd63a6a4c97a627be23ab5R912): -```C +```bashC /* Set GIF flag */ svm_stgi(); ``` @@ -90,24 +90,23 @@ With this change Xen hypervisor boots correctly: ## Checking if Xen was started by SKINIT Following GIF reinitialization should be done only when the CPU was started with -`SKINIT` instruction. The `SKINIT` is a specific instruction for AMD CPUs, -so first we check if the processor is AMD: +`SKINIT` instruction. The `SKINIT` is a specific instruction for AMD CPUs, so +first we check if the processor is AMD: -```C +```bashC cpuid(0, &eax, (uint32_t *)&id[0], (uint32_t *)&id[8], (uint32_t *)&id[4]); if ((memcmp(id, "AuthenticAMD", 12) == 0) && ``` -To this purpose, we are using the Processor Identification -(CPUID). `CPUID` functions provide information about the CPU and its feature -set. Every `CPUID` function consists of the function number and the output -register(s). We will explain `CPUID` function at the example. When we are -sure that processor is AMD, we can check if the CPU supports `SKINIT` and -`STGI` instruction. Following `CPUID` function holds information about -`SKINIT` support: +To this purpose, we are using the Processor Identification (CPUID). `CPUID` +functions provide information about the CPU and its feature set. Every `CPUID` +function consists of the function number and the output register(s). We will +explain `CPUID` function at the example. When we are sure that processor is AMD, +we can check if the CPU supports `SKINIT` and `STGI` instruction. Following +`CPUID` function holds information about `SKINIT` support: -``` +```bash Fn8000_0001_ECX[SKINIT] ``` @@ -116,7 +115,7 @@ The number `8000_0001h` is the hexadecimal input value that is loaded to the contains information about the `SKINIT` support. In the Xen source, `CPUID` instruction is implemented in the `processor.h` file: -```C +```bashC static always_inline unsigned int cpuid_ecx(unsigned int op) { unsigned int eax, ecx; @@ -131,10 +130,10 @@ static always_inline unsigned int cpuid_ecx(unsigned int op) The function takes the `CPUID` function number as an input. It calls `CPUID` instruction and returns the `ECX` register. The following function is called -during validation. We are checking if the 12th bit of the `ECX` output -register is set: +during validation. We are checking if the 12th bit of the `ECX` output register +is set: -```C +```bashC if ((memcmp(id, "AuthenticAMD", 12) == 0) && (cpuid_ecx(0x80000001) & 0x1000)) { @@ -148,7 +147,7 @@ after reading. In code `VM_CR MSR` can be read by `rdmsrl` function which is a just wrap of the assembly instruction `rdmsrl`. It reads the content of model specific registers. -```C +```bashC /* Check is R_INIT bit set to determinate if xen was run by SKINIT */ rdmsrl(MSR_K8_VM_CR, msr_content); if (msr_content & K8_VMCR_R_INIT) @@ -157,7 +156,7 @@ assembly instruction `rdmsrl`. It reads the content of model specific registers. The R_INIT bit can be cleared with the following instructions: -```C +```bashC if (msr_content & K8_VMCR_R_INIT) { printk(KERN_INFO "K8_VMCR_R_INIT is set \n"); @@ -176,8 +175,8 @@ The changes are specified in the following ## Summary -In the next blog post, we will present the remote attestation system using -IETF RATS. So I encourage you to check our blog regularly. -If you have any questions, suggestions, or ideas, feel free to share them in -the comment section. If you are interested in similar content, I encourage you -to [sign up for our newsletter](http://eepurl.com/doF8GX). +In the next blog post, we will present the remote attestation system using IETF +RATS. So I encourage you to check our blog regularly. If you have any questions, +suggestions, or ideas, feel free to share them in the comment section. If you +are interested in similar content, I encourage you to +[sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2020-10-30-rpi4_yocto.md b/blog/content/post/2020-10-30-rpi4_yocto.md index 25a74e02..7f341355 100644 --- a/blog/content/post/2020-10-30-rpi4_yocto.md +++ b/blog/content/post/2020-10-30-rpi4_yocto.md @@ -21,8 +21,8 @@ categories: --- Since it's release Raspberry had a huge impact on the industry. "A low cost, -credit-card sized computer that plugs into a computer monitor or TV capable -of doing everything you'd expect a desktop computer to do, from browsing the +credit-card sized computer that plugs into a computer monitor or TV capable of +doing everything you'd expect a desktop computer to do, from browsing the internet and playing high-definition video, to making spreadsheets, word-processing, and playing games." Especially the third generation which reached approximately 6mln sales per year. @@ -32,25 +32,25 @@ reached approximately 6mln sales per year. ## Is a new model the game changer The Raspberry Pi 4 takes Pi to another level, with the performance that's good -enough to use in a pinch as a desktop PC. The company claims that the new -model is able to handle 4k video at 60Hz or power dual monitors. +enough to use in a pinch as a desktop PC. The company claims that the new model +is able to handle 4k video at 60Hz or power dual monitors. -It's not a hollow statement. Many tests proved that there's a huge leap -between the third and fourth generations. A Linpack offers a glimpse at just how -far the Raspberry Pi family has come. Roy Longbottom version of a synthetic -benchmark measures parameters such as: the fast single-precision, -double-precision and a single-precision accelerated by NEON instruction -available since Raspberry Pi 2. From a benchmark perspective, we can notice -a tremendous increase in performance over Pi 3B+ model: +It's not a hollow statement. Many tests proved that there's a huge leap between +the third and fourth generations. A Linpack offers a glimpse at just how far the +Raspberry Pi family has come. Roy Longbottom version of a synthetic benchmark +measures parameters such as: the fast single-precision, double-precision and a +single-precision accelerated by NEON instruction available since Raspberry Pi 2. +From a benchmark perspective, we can notice a tremendous increase in performance +over Pi 3B+ model: -* 4x greater CPU performance -* 2x faster browsing speed -* 50% more fps while playing Quake III! +- 4x greater CPU performance +- 2x faster browsing speed +- 50% more fps while playing Quake III! Among other countless changes in performance, such as: improved Memory -bandwidth, faster GPIO switching, better file compression. First time in -history Raspberry offers customizability. Now we can choose between 1,2 and -even 4GB of RAM. +bandwidth, faster GPIO switching, better file compression. First time in history +Raspberry offers customizability. Now we can choose between 1,2 and even 4GB of +RAM. ## Building minimal image with Yocto @@ -63,7 +63,7 @@ all required tools are installed and that you have enough free space on the system, it is safe to have at least 50gb of free space. To install needed packages type: -``` +```bash sudo apt-get install gawk wget git-core diffstat unzip texinfo gcc-multilib build-essential chrpath socat libsdl1.2-dev xterm python ``` @@ -73,7 +73,7 @@ point, we can start for real. First of all, let's download Yocto then switch to the "zeus" branch which is the newest community version of Yocto at the time of writing this post. -``` +```bash cd ~ mkdir Yocto && cd Yocto git clone -b zeus http://git.yoctoproject.org/git/poky @@ -82,29 +82,29 @@ git clone -b zeus http://git.yoctoproject.org/git/poky When cloning is finished we need to create a build directory and set up all the environmental variables, paths, etc. It can be obtained by typing: -``` +```bash cd poky source oe-init-build-env ``` -Yocto repository contains an extremally useful layer containing board support -a package called meta-raspberrypi that we need to add to our working directory. +Yocto repository contains an extremally useful layer containing board support a +package called meta-raspberrypi that we need to add to our working directory. -``` +```bash cd ~/Yocto git clone -b zeus git://git.yoctoproject.org/meta-raspberrypi ``` Before we build we need to make some changes in crucial configuration files. Let's start from editing `bblayers.conf` located in `~/Yocto/poky/build/conf`. -This file tells bitbake about the location of various layers locations which -are used to configure things like the target of a build and the location of -output files. +This file tells bitbake about the location of various layers locations which are +used to configure things like the target of a build and the location of output +files. -First of all we need to add `meta-raspberrypi` layer we -can do that by appending it to BBLAYERS. The result should look like this: +First of all we need to add `meta-raspberrypi` layer we can do that by appending +it to BBLAYERS. The result should look like this: -``` +```bash BBLAYERS ?= " \ /Yocto/poky/meta \ /Yocto/poky/meta-poky \ @@ -113,14 +113,14 @@ BBLAYERS ?= " \ " ``` -Then let's move to editing another file in the same directory. This time -we dive into `local.conf` which is one of the most important files where -many changes take place. +Then let's move to editing another file in the same directory. This time we dive +into `local.conf` which is one of the most important files where many changes +take place. -First of all, we have to specify the machine on which we are working on. -To do that just edit line containing `MACHINE ??=` to look like this: +First of all, we have to specify the machine on which we are working on. To do +that just edit line containing `MACHINE ??=` to look like this: -```shell +```bash MACHINE ??= "raspberrypi4-64" ``` @@ -128,7 +128,7 @@ By default image's build runs on number of CPU threads available on given platform but if you want you can change that value to e.g. 8 threads by simply append these two lines to `local.conf`: -```shell +```bash BB_NUMBER_THREADS = "8" PARALLEL_MAKE = "-j 8" ``` @@ -141,7 +141,7 @@ First of all, we can apply some features already provided by `meta-raspberrypi`. If we inspect `sdimage-raspberrypi.wks` file located in `Yocto/meta-raspberrypi/wic` we can see the following lines: -```shell +```bash # short-description: Create Raspberry Pi SD card image # long-description: Creates a partitioned SD card image for use with # Raspberry Pi. Boot files are located in the first vfat partition. @@ -154,7 +154,7 @@ If we add this to our project, an image will automatically create required partitions for boot and root on SD card after flashing. To provide that functionality everything we have to do is to add two lines to the `local.conf`: -```shell +```bash WKS_FILE = "sdimage-raspberrypi.wks" IMAGE_FSTYPES += "wic.gz wic.bmap" ``` @@ -166,21 +166,21 @@ map file. To save some time in the future we can also make Yocto responsible for enabling UART what we will need in the future, so add to `local.conf` following line: -```shell +```bash ENABLE_UART = "1" ``` That's it. Now we can use BitBake to build the image. -```shell +```bash cd ~/Yocto/poky source oe-init-build-env bitbake core-image-minimal ``` -If everything was successful we should see message simillar to this: +If everything was successful we should see message similar to this: -```shell +```bash Parsing recipes: 100% |######################################################################################################################################################################| Time: 0:00:27 Parsing of 801 .bb files complete (0 cached, 801 parsed). 1327 targets, 63 skipped, 0 masked, 0 errors. NOTE: Resolving any missing task queue dependencies @@ -212,7 +212,7 @@ Now among many files located in `Yocto/poky/build/tmp/deploy/images/raspberrypi4-64` we can find the ones which we will use to flash SD card. The easiest way to do that is to type: -```shell +```bash $ ls *wic* core-image-minimal-raspberrypi4-64-20200305115040.rootfs.wic.bmap core-image-minimal-raspberrypi4-64.wic.bmap core-image-minimal-raspberrypi4-64-20200305115040.rootfs.wic.gz core-image-minimal-raspberrypi4-64.wic.gz @@ -225,13 +225,13 @@ to use. Now we can insert the SD card to PC and necessarily check it's location e.g. by using: -```shell +```bash sudo fdisk -l ``` It will look like this: -```shell +```bash Disk /dev/sdc: 29,7 GiB, 31914983424 bytes, 62333952 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes @@ -244,30 +244,28 @@ It's important as flashing an image to the wrong location may cause serious damage. To do that we need one more tool called `bmap-tools`. If it's not already installed you can do that by typing: -```shell +```bash sudo apt-get install -y bmap-tools ``` Then we need to unmount our SD card and flash an image with `bmaptool` command. -```shell +```bash sudo umount /dev/sd[X] sudo bmaptool copy --bmap core-image-minimal-raspberrypi4-64.wic.bmap core-image-minimal-raspberrypi4-64.wic.gz /dev/sd[X] ``` -, where [X] is the location of a SD card. +, where \[X\] is the location of a SD card. We can now see the results by powering on raspberry and connecting it via UART to PC. Then type: -```shell +```bash sudo minicom -D /dev/ttyUSB0 -b115200 ``` Then press enter and log in as root. -[![asciicast](https://asciinema.org/a/35uGmrbXbqfYoXKNHffDWeDE5.svg)](https://asciinema.org/a/35uGmrbXbqfYoXKNHffDWeDE5) - ## Summary That was a quick example of how to start with new raspberry pi4 and make the diff --git a/blog/content/post/2020-11-02-GRUB2mini-summit.md b/blog/content/post/2020-11-02-GRUB2mini-summit.md index a5f8eaf1..36ce409f 100644 --- a/blog/content/post/2020-11-02-GRUB2mini-summit.md +++ b/blog/content/post/2020-11-02-GRUB2mini-summit.md @@ -20,56 +20,70 @@ categories: - Security --- + ### Introduction - Sometimes we should stop and look at the tools without which it would be - difficult to even imagine everyday work. Some of them are so essential, that to - avoid them means to develop a wheel once again in the history. Such a tool in - the world of firmware – along with keyboard, fridge and linux – is a dwarf that - became synonymous with the word bootloader. And by dwarf I mean of course GRUB. - - Last December, we've met with our friend, Daniel Kiper, GRUB upstream - maintainer and TrenchBoot technical leader inside Oracle. This meeting resulted - in organization of GRUB minisummit 2019, because we wanted to understand a - vision of both, GRUB/GRUB2 community and commercial perspective. All the event - was fruitful and grounded some common path that will be slightly summarized - below. This year we cannot miss this opportunity to meet again and face the - new challenges of GRUB/GRUB2. Dear reader, feel invited to look with us at GRUB2 - through a magnifying glass. + +Sometimes we should stop and look at the tools without which it would be +difficult to even imagine everyday work. Some of them are so essential, that to +avoid them means to develop a wheel once again in the history. Such a tool in +the world of firmware – along with keyboard, fridge and linux – is a dwarf that +became synonymous with the word bootloader. And by dwarf I mean of course GRUB. + +Last December, we've met with our friend, Daniel Kiper, GRUB upstream maintainer +and TrenchBoot technical leader inside Oracle. This meeting resulted in +organization of GRUB minisummit 2019, because we wanted to understand a vision +of both, GRUB/GRUB2 community and commercial perspective. All the event was +fruitful and grounded some common path that will be slightly summarized below. +This year we cannot miss this opportunity to meet again and face the new +challenges of GRUB/GRUB2. Dear reader, feel invited to look with us at GRUB2 +through a magnifying glass. ### How we are proceeding this year -**The fourth-and-last live goes on the 24th of November** [here](https://www.youtube.com/channel/UC_djHbyjuJvhVjfT18nyqmQ/live ) – you can [follow us](https://twitter.com/3mdeb_com) on twitter, to stay updated. +**The fourth-and-last live goes on the 24th of November** +[here](https://www.youtube.com/channel/UC_djHbyjuJvhVjfT18nyqmQ/live) – you can +[follow us](https://twitter.com/3mdeb_com) on twitter, to stay updated. -* **GRUB2 licence issues** by [Piotr Król](https://twitter.com/pietrushnic) -* **Support for RISC-V in GRUB2** by [Michał Żygowski](https://twitter.com/_miczyg_) and [Piotr Król](https://twitter.com/pietrushnic). +- **GRUB2 licence issues** by [Piotr Król](https://twitter.com/pietrushnic) +- **Support for RISC-V in GRUB2** by + [Michał Żygowski](https://twitter.com/_miczyg_) and + [Piotr Król](https://twitter.com/pietrushnic). ![schedule](/img/Grub24.11.png) #### Previous meetings of GRUB mini-summit 2020 - We were all really keen to meet and talk through presented issues. If - you were unable to participate, nothing to worry about! check the videos below. -**Day 1** +We were all really keen to meet and talk through presented issues. If you were +unable to participate, nothing to worry about! check the videos below. + +##### Day 1 -The opening with Piotr Król, Michał Żygowski and our friend Daniel Kiper from Oracle +The opening with Piotr Król, Michał Żygowski and our friend Daniel Kiper from +Oracle -* [Introduction to GRUB2 mini-summit](https://youtu.be/LEcM5C5hdjs?t=12) by [Piotr Król](https://twitter.com/pietrushnic), the founder of 3mdeb -* [Network boot in GRUB2](https://youtu.be/LEcM5C5hdjs?t=673) by [Michał Żygowski](https://twitter.com/_miczyg_) from 3mdeb -* [GRUB2 project status](https://youtu.be/LEcM5C5hdjs?t=3098) by Daniel Kiper +- [Introduction to GRUB2 mini-summit](https://youtu.be/LEcM5C5hdjs?t=12) by + [Piotr Król](https://twitter.com/pietrushnic), the founder of 3mdeb +- [Network boot in GRUB2](https://youtu.be/LEcM5C5hdjs?t=673) by + [Michał Żygowski](https://twitter.com/_miczyg_) from 3mdeb +- [GRUB2 project status](https://youtu.be/LEcM5C5hdjs?t=3098) by Daniel Kiper -**Day 2** +##### Day 2 Great live with a special guest: Daniel Axtens from IBM -* [Secure boot without UEFI: booting VMs on Power(PC)](https://youtu.be/u0sK6j-pQeM?t=53) by Daniel Axtens -* [AMD TrenchBoot support in GRUB2](https://youtu.be/u0sK6j-pQeM?t=2799) by [Piotr Król](https://twitter.com/pietrushnic) +- [Secure boot without UEFI: booting VMs on Power(PC)](https://youtu.be/u0sK6j-pQeM?t=53) + by Daniel Axtens +- [AMD TrenchBoot support in GRUB2](https://youtu.be/u0sK6j-pQeM?t=2799) by + [Piotr Król](https://twitter.com/pietrushnic) -**Day 3** +##### Day 3 -This time we've had a pleasure to host Patrick Rudolph from 9elements and Daniel Kiper from Oracle. +This time we've had a pleasure to host Patrick Rudolph from 9elements and Daniel +Kiper from Oracle. -* [XHCI support in GRUB2](https://youtu.be/SSrFv4a-zgU) by Patrick Rudolph -* [The Firmware and Bootloader log specification](https://youtu.be/SSrFv4a-zgU?t=2806) by Daniel Kiper +- [XHCI support in GRUB2](https://youtu.be/SSrFv4a-zgU) by Patrick Rudolph +- [The Firmware and Bootloader log specification](https://youtu.be/SSrFv4a-zgU?t=2806) + by Daniel Kiper Big kudos for our special guests. Thank you Daniel Kiper, Daniel Axtens and Patrick Rudolph for sharing your experience and knowledge with us during the @@ -78,29 +92,28 @@ meetings with GRUB. ### Where to link the event? You will find us on our YouTube 3mdeb channel. All you need to do is joining our -live [here](https://www.youtube.com/channel/UC_djHbyjuJvhVjfT18nyqmQ/live ) in -an appropriate time presented above. **We are starting tommorow -at 04:00 PM (UTC+1:00)**. +live [here](https://www.youtube.com/channel/UC_djHbyjuJvhVjfT18nyqmQ/live) in an +appropriate time presented above. **We are starting tomorrow at 04:00 PM +(UTC+1:00)**. ### Whom will you meet? + Prelections will be held by the team of experts and GRUB contributors from -3mdeb, Oracle, IBM and 9elements who are happy to answer intriguing questions and -share their passion without creating any marketing pitch. +3mdeb, Oracle, IBM and 9elements who are happy to answer intriguing questions +and share their passion without creating any marketing pitch. -> The GRUB bootloader is the most common bootloader in the Linux based operating +The GRUB bootloader is the most common bootloader in the Linux based operating systems. So, its further development requires close cooperation between -upstream maintainers, OS distributions and other users. The GRUB mini-summit is -a very good place to tighten it. We are going to discuss there current and -future GRUB developments but also challenges facing the project. The topics not -only cover technical aspects but also organizational and legal issues. If you -are interested in the bootloaders and firmware and you want to hear what is -happening in the GRUB world please join us. And we are also interested in +upstream maintainers, OS distributions and other users. The GRUB mini-summit +is a very good place to tighten it. We are going to discuss there current and +future GRUB developments but also challenges facing the project. The topics +not only cover technical aspects but also organizational and legal issues. If +you are interested in the bootloaders and firmware and you want to hear what +is happening in the GRUB world please join us. And we are also interested in hearing what you expect from the project... +> -- Daniel Kiper, GRUB maintainer, TrenchBoot technical leader at Oracle -> -- Daniel Kiper, GRUB maintainer, -TrenchBoot technical leader at Oracle - -> There are no enough evets discussing interfaces between firmware, bootloaders, +There are no enough evets discussing interfaces between firmware, bootloaders, and operating systems, especially in the light of recent vulnerabilities and evolution of firmware interfaces. 3mdeb co-organizing this event with Daniel Kiper (GRUB maintainer), we would like to raise awareness about the value @@ -110,24 +123,23 @@ bootloader, bootloader feature set and issues, and the interface between bootloader and OS. We hope this activity will convince silicon vendors, their OEMs/ODMs, and system developers that supporting the GRUB2 community can speed up the adoption of advanced security and hardware features. - -> -- Piotr Król, founder of 3mdeb +> -- Piotr Król, founder of 3mdeb ### GRUB mini-summit 2019 Last year we have decided to talk over some key issues: -* Redundant GRUB2 env file -* TPM support in GRUB2 for legacy boot mode -* overview of GRUB2 security features -* Python 3 support in GRUB2 -* AMD TrenchBoot support in GRUB2 +- Redundant GRUB2 env file +- TPM support in GRUB2 for legacy boot mode +- overview of GRUB2 security features +- Python 3 support in GRUB2 +- AMD TrenchBoot support in GRUB2 Thank you community for being there with us, for raising your voices and fostering discussion that has it's reflection in GRUB2 contributions of 2020. All the summary of raised issues you will find in our previous GRUB blogpost [here](https://blog.3mdeb.com/2020/2020-02-19-grub2_and_3mdeb_minisummit/). We -are waiting tommorow, once again for your prespective, ideas and voice. Let's +are waiting tomorrow, once again for your perspective, ideas and voice. Let's meet and talk over the important issues with GRUB/GRUB2 contributors. GRUB will always be the core axe of 3mdeb toolbox. @@ -137,7 +149,7 @@ always be the core axe of 3mdeb toolbox. If you need bootloader support or you think we can help in improving the security of your firmware or you looking for someone who can boost your product -by leveraging advanced features of used hardware platform, [book a call with -us](https://calendly.com/3mdeb/consulting-remote-meeting) or drop us email to -`contact3mdebcom`. If you are interested in similar content feel free -to [sign up to our newsletter](http://eepurl.com/doF8GX). +by leveraging advanced features of used hardware platform, +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2020-11-13-security-part-2.md b/blog/content/post/2020-11-13-security-part-2.md index 92d51154..8f77aedd 100644 --- a/blog/content/post/2020-11-13-security-part-2.md +++ b/blog/content/post/2020-11-13-security-part-2.md @@ -46,18 +46,18 @@ what can happen if a data leak occurs in the company. The first noticeable effect may be financial penalties related to violation of the law or non-compliance with the industry certification. We operate in an -environment of data processing regulations such as [GDPR (General Data -Protection Regulation)](https://eugdpr.org/) in the European Union, [HIPAA -(Health Insurance Portability and Liability -Act)](https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html) -in the USA and [PCI DSS (data security standard in the payment card -industry)](https://www.pcisecuritystandards.org/pci_security/) around the world. -On the Internet, we can find a lot of cases where the amount of fines in -relation to violations of these regulations is described. Penalties are counted -in thousands of euros, which affects the imagination how they can affect the -company. It is also worth adding that the imposed penalties are not the end of -costs. Incidental costs such as legal services, courts, etc. must be taken into -account. +environment of data processing regulations such as +[GDPR (General Data Protection Regulation)](https://web.archive.org/web/20190220055237/https://eugdpr.org/) +in the European Union, +[HIPAA (Health Insurance Portability and Liability Act)](https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html) +in the USA and +[PCI DSS (data security standard in the payment card industry)](https://www.pcisecuritystandards.org/pci_security/) +around the world. On the Internet, we can find a lot of cases where the amount +of fines in relation to violations of these regulations is described. Penalties +are counted in thousands of euros, which affects the imagination how they can +affect the company. It is also worth adding that the imposed penalties are not +the end of costs. Incidental costs such as legal services, courts, etc. must be +taken into account. Let's say we have already paid the penalty costs. As a next step, we have to make up for these losses somehow, but our application still earns for itself? If @@ -100,24 +100,24 @@ We have to answer these questions ourselves. Being aware of your own approach is the beginning of the road to trying to combine speed and security when developing software. -### What's next? Know your enemy. +### What's next? Know your enemy Fortunately, the problems we face are similar for all developers and there are organizations that work to describe most of them and teach others how to protect themselves from outside threats. Therefore, we do not have to reinvent the wheel. -##### OWASP (Open Web Application Security Project) +#### OWASP (Open Web Application Security Project) -is a nonprofit foundation that works to improve the security of software. [OWASP -page](https://owasp.org/) +is a nonprofit foundation that works to improve the security of software. +[OWASP page](https://owasp.org/) This organization publishes a list of the most common errors in web applications. This list was established in 2017 and is based on real data obtained from companies, organizations and professionals involved in security testing. -##### The current list for 2020: +#### The current list for 2020 - Injection @@ -191,14 +191,14 @@ best set of security requirements and best practices, and most importantly, it works! Following and implementing the OWASP recommendations has only positive consequences and teaches you to apply the best available practices. -### 3mdeb role in the security world: +### 3mdeb role in the security world As a company, we specialize in developing embedded software, embedded operating systems and applications. We work with an emphasis on solutions based on open source code. Due to the area of operation, security is one of the most important factors taken into account in the solutions we implement. -Here you will find our contributions https://opensource.3mdeb.com/ +Here you will find our contributions ### Summary @@ -216,7 +216,7 @@ for future threats and the same our value in the eyes of customers will pay off. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with -us](https://calendly.com/3mdeb/consulting-remote-meeting) or drop us email to -`contact3mdebcom`. If you are interested in similar content feel free -to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-11-18-coreboot-riscv.md b/blog/content/post/2020-11-18-coreboot-riscv.md index 9992ab58..537e9f30 100644 --- a/blog/content/post/2020-11-18-coreboot-riscv.md +++ b/blog/content/post/2020-11-18-coreboot-riscv.md @@ -19,10 +19,9 @@ categories: --- +## Building coreboot for RISC-V and running it in Qemu -# Building coreboot for RISC-V and running it in Qemu - -#### 1. What is RISC-V? +## 1. What is RISC-V? RISC-V is relatively fresh and growing in popularity open standard ISA based on RISC principles. The fact that ISA is free to use and everyone can see every @@ -31,39 +30,40 @@ Spectre which are huge flaws of other architectures. The other reason it is getting so successful is while x86 or ARM require a license to be used, RISC-V can be implemented by anyone for free and companies can modify it to fit their needs, which makes them independent from the main providers and may lead to -increase of competitiveness in the aspect of innovation. -While getting more and more attention, RISC-V is also getting more support. It -is supported architecture for coreboot. In the next steps, I will explain how to -build coreboot for RISC-V and run it in Qemu emulator. - +increase of competitiveness in the aspect of innovation. While getting more and +more attention, RISC-V is also getting more support. It is supported +architecture for coreboot. In the next steps, I will explain how to build +coreboot for RISC-V and run it in Qemu emulator. -#### 2. Download and run Docker image +## 2. Download and run Docker image Docker container is a recommended choice to build coreboot as it has already built cross toolchains. You can set up environment with these commands: -```sh +```bashsh docker pull coreboot/coreboot-sdk:65718760fa docker run -u root --rm -it -v $PWD:/home/coreboot/coreboot -w /home/coreboot/coreboot coreboot/coreboot-sdk:65718760fa /bin/bash ``` -#### 3. Download coreboot source tree +## 3. Download coreboot source tree -```sh +```bashsh git clone https://review.coreboot.org/coreboot cd coreboot git checkout 9cc2a6a0c316f9cbf39af6c04fd65512b8e17b11 ``` -#### 4. Configure the build +## 4. Configure the build Configure your mainboard in coreboot directory -```sh + +```bashsh make menuconfig ``` Inside `menuconfig` follow these steps: -``` + +```bash select 'Mainboard' menu select '(Emulation)' in 'Mainboard vendor' select 'QEMU RISC-V rv64' in 'Mainboard model' @@ -76,31 +76,34 @@ Inside `menuconfig` follow these steps: ``` > NOTE: Unfortunately using demonstration payloads such as `coreinfo` or `tint` -is not possible as they use `libpayload` library which does not support RISC-V -architecture yet. However, there is a [WIP -branch](https://review.coreboot.org/c/coreboot/+/31356) working on adding -initial support for RISC-V you can check out. You can also try compiling linux -kernel and use it as a payload. +> is not possible as they use `libpayload` library which does not support RISC-V +> architecture yet. However, there is a +> [WIP branch](https://review.coreboot.org/c/coreboot/+/31356) working on adding +> initial support for RISC-V you can check out. You can also try compiling linux +> kernel and use it as a payload. (Optionally) You can check your configuration by these commands: -```sh + +```bashsh make savedefconfig cat defconfig ``` The output should look like this: -``` + +```bash CONFIG_BOARD_EMULATION_QEMU_RISCV_RV64=y ``` -#### 5. Build coreboot +## 5. Build coreboot -```sh +```bashsh make ``` At the end of the process, you can see the following output: -``` + +```bash FMAP REGION: COREBOOT Name Offset Type Size Comp cbfs master header 0x0 cbfs header 32 none @@ -118,21 +121,22 @@ header pointer 0x3dfdc0 cbfs header 4 none Built emulation/qemu-riscv (QEMU RISCV) ``` -#### 6. Test image in QEMU +## 6. Test image in QEMU + +If you do not have Qemu installed you can't do it via this command -If you do not have Qemu installed you cant do it via this command -```sh +```bashsh apt-get install qemu-system ``` Now you can run your image in Qemu -```sh + +```bashsh qemu-system-riscv64 -M virt -m 1024M -nographic -kernel build/coreboot.elf ``` -You should see coreboot booting with your payload if you chose one, -otherwise you should see booting coreboot alone with ending info `Paylod not -loaded`. +You should see coreboot booting with your payload if you chose one, otherwise +you should see booting coreboot alone with ending info `Paylod not loaded`. ## Summary @@ -144,6 +148,7 @@ providing more support for this architecture as it's not in the mainstream yet. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-12-14-trenchboot_attestation.md b/blog/content/post/2020-12-14-trenchboot_attestation.md index e596bb64..bcc98d61 100644 --- a/blog/content/post/2020-12-14-trenchboot_attestation.md +++ b/blog/content/post/2020-12-14-trenchboot_attestation.md @@ -1,7 +1,7 @@ --- title: 'Proof of concept implementation of RATS attestation for the TrenchBoot' abstract: 'This blog post will describe the concept of the IETF Remote - Attestation Procedures (RATS) and implementation of + Attestation Procedures (RATS) and implementation of CHAllenge-Response based Remote Attestation (CHARRA) with TPM 2.0 for TrenchBoot.' cover: /covers/trenchboot-logo.png @@ -39,10 +39,10 @@ The verification proceeds on the basis of believable evidence. The verifier checks the endorsement from endorsers, reference values, and the evidence against the appraisal policy from the verifier owner. -The endorsement is a secure statement that the attester can use to sign -the evidence. For example in the TPM2 context endorsement will be the -attestation private key. It confirms the integrity of a public key, which is -used to verify the signature of the Evidence. +The endorsement is a secure statement that the attester can use to sign the +evidence. For example in the TPM2 context endorsement will be the attestation +private key. It confirms the integrity of a public key, which is used to verify +the signature of the Evidence. To generate the attestation result the verifier uses the reference values, which determine the exact values or boundaries of the evidence data. The reference @@ -61,14 +61,14 @@ implementation of the CHAllenge-Response based Remote Attestation (CHARRA). ## CHAllenge-Response based Remote Attestation with TPM 2.0 -The Reference Interaction Models for Remote Attestation Procedures focus -on the interaction models between the attester and verifier in order to convey -the Evidence. +The Reference Interaction Models for Remote Attestation Procedures focus on the +interaction models between the attester and verifier in order to convey the +Evidence. ![CHARRA_architecture](/img/CHARRA_architecture.png) -In the beginning, the attester generates the values about its state and creates the -claims. Claims are assertions that represent characteristics of an +In the beginning, the attester generates the values about its state and creates +the claims. Claims are assertions that represent characteristics of an attester's target environment. The attester may consist of one or more target environments. The target environment represents the part of the attested device that could provide claims about its state. For example, it could be read-only @@ -79,8 +79,8 @@ attestation request to the attester. The request includes a handle, a list of authentication secrets IDs, and claim selection. The handle is composed of strongly randomly generated data (nonce), which guarantees Evidence freshness. Authentication Secrets IDs specify the target environment, which must provide -the evidence. Claim selection tells the attester which claims should be -included in the evidence. +the evidence. Claim selection tells the attester which claims should be included +in the evidence. In the next step, the attester collects the selected claims and on this base, it generates the evidence. The attester sends to the verifier the message, which @@ -92,89 +92,88 @@ More information about the Reference Interaction Models for Remote Attestation Procedures is presented in the IETF [document](https://www.ietf.org/archive/id/draft-birkholz-rats-reference-interaction-model-03.txt). - ## Proof of Concept Implementation of the CHARRA -The Fraunhofer SIT provides the [proof-of-concept implementation](https://github.com/Fraunhofer-SIT/charra) -for CHARRA. The Verifier and the attester are two separate instances -that provide functionalities that were described above. The -proof-of-concept implementation assumes that the verifier and the attester -are running in the same docker container. Though we cannot say that is the remote -attestation. The verifier and attester are using the TPM Simulator instead of -a physical one. +The Fraunhofer SIT provides the +[proof-of-concept implementation](https://github.com/Fraunhofer-SIT/charra) for +CHARRA. The Verifier and the attester are two separate instances that provide +functionalities that were described above. The proof-of-concept implementation +assumes that the verifier and the attester are running in the same docker +container. Though we cannot say that is the remote attestation. The verifier and +attester are using the TPM Simulator instead of a physical one. -Our goal is to provide the CHARRA for physical TPM and separate the attester -and verifier. +Our goal is to provide the CHARRA for physical TPM and separate the attester and +verifier. ### Separation of the attester and verifier As I mentioned before the proof of concept (PoC) implementation of the CHARRA -uses the docker container to provide and appraise evidence. Attestation -data is obtained via a TPM Quote function. It provides the quote and signature -for the given list of PCRs. In the PoC case, the attester and verifier generate -separates keys. In that case verification of TPM quote and signature will -work only when the keys are generated by the same TPM device. Otherwise, -the evidence verification will fail due to a mismatch of the attestation -identity key. To separate the instances we need to verify the signature and -attestation data with the attestation public key. +uses the docker container to provide and appraise evidence. Attestation data is +obtained via a TPM Quote function. It provides the quote and signature for the +given list of PCRs. In the PoC case, the attester and verifier generate +separates keys. In that case verification of TPM quote and signature will work +only when the keys are generated by the same TPM device. Otherwise, the evidence +verification will fail due to a mismatch of the attestation identity key. To +separate the instances we need to verify the signature and attestation data with +the attestation public key. In the PoC implementation, there is no endorser and key registration system. Every time the verifier sends the attestation request, the attester is generating the new attestation key based on the nonce. We need to obtain and -send to the verifier TPM public key that is used to generate the TPM quote. -TPM API (Esys) during the key creation allows obtaining the public and private -part of the attestation key. We added to the `charra_key_mgr` the additional +send to the verifier TPM public key that is used to generate the TPM quote. TPM +API (Esys) during the key creation allows obtaining the public and private part +of the attestation key. We added to the `charra_key_mgr` the additional parameter that conveys the public key to the attester. The communication between attester and verifier is provided by libcoap library. -It is the C implementation of the Constrained Application Protocol. -Currently, the communication between the attester and verifier is constrained by -a maximum transmission unit (~1500 bytes). The block-wise transmission is in the +It is the C implementation of the Constrained Application Protocol. Currently, +the communication between the attester and verifier is constrained by a maximum +transmission unit (~1500 bytes). The block-wise transmission is in the development plans. Though we need to fit the public key with the TPM signature quote and attestation data in the single transmission package. The following snippet adds the attester public key to the attester response. -```C - UsefulBufC Tpm2KeyPublic = {attestation_response->tpm2_public_key, attestation_response->tpm2_public_key_len}; - QCBOREncode_AddBytes(&EC, Tpm2KeyPublic); +```bashC + UsefulBufC Tpm2KeyPublic = {attestation_response->tpm2_public_key, attestation_response->tpm2_public_key_len}; + QCBOREncode_AddBytes(&EC, Tpm2KeyPublic); ``` -Following code allows the verifier to unmarshal the public key from the attestation -response. +Following code allows the verifier to unmarshal the public key from the +attestation response. -```C - /* parse "tpm2_public_key (bytes)" */ - if((cborerr = charra_cbor_getnext(&DC, &item, QCBOR_TYPE_BYTE_STRING))) - goto cbor_parse_error; - attestation_response->tpm2_public_key_len = item.val.string.len; - attestation_response->tpm2_public_key = (TPM2B_PUBLIC*)item.val.string.ptr; +```bashC + /* parse "tpm2_public_key (bytes)" */ + if((cborerr = charra_cbor_getnext(&DC, &item, QCBOR_TYPE_BYTE_STRING))) + goto cbor_parse_error; + attestation_response->tpm2_public_key_len = item.val.string.len; + attestation_response->tpm2_public_key = (TPM2B_PUBLIC*)item.val.string.ptr; ``` -The verifier must not create its key. Once it will receive the attester -public key, it must set the handle in its TPM context. +The verifier must not create its key. Once it will receive the attester public +key, it must set the handle in its TPM context. -```C +```bashC CHARRA_RC charra_load_external_public_key(ESYS_CONTEXT* ctx, - TPM2B_PUBLIC* external_public_key, ESYS_TR* key_handle) { - TSS2_RC r = TSS2_RC_SUCCESS; - if (external_public_key == NULL) { - charra_log_error("External public key do not exist."); - return CHARRA_RC_ERROR; - } - - r = Esys_LoadExternal(ctx, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, - NULL, external_public_key, TPM2_RH_OWNER, key_handle); - if (r != TSS2_RC_SUCCESS ) { - charra_log_error("Loading external public key failed."); - return CHARRA_RC_ERROR; - } - - return CHARRA_RC_SUCCESS; + TPM2B_PUBLIC* external_public_key, ESYS_TR* key_handle) { + TSS2_RC r = TSS2_RC_SUCCESS; + if (external_public_key == NULL) { + charra_log_error("External public key do not exist."); + return CHARRA_RC_ERROR; + } + + r = Esys_LoadExternal(ctx, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE, + NULL, external_public_key, TPM2_RH_OWNER, key_handle); + if (r != TSS2_RC_SUCCESS ) { + charra_log_error("Loading external public key failed."); + return CHARRA_RC_ERROR; + } + + return CHARRA_RC_SUCCESS; } ``` -The following function allows to load external key and it creates `key_handle` that -is used for the TPM signature verification. +The following function allows to load external key and it creates `key_handle` +that is used for the TPM signature verification. The full scope of changes is available in the following [pull request](https://github.com/Fraunhofer-SIT/charra/pull/16). @@ -183,24 +182,25 @@ The full scope of changes is available in the following The PoC CHARRA implementation is using the TPM simulator provided in the docker container. To use CHARRA with the physical TPM we have created the Yocto layer + - [meta-trenchboot-attestation](https://github.com/3mdeb/meta-trenchboot-attestation), -which provides the required libraries, that are used by attester and verifier. -The Yocto Project (YP) is an open source collaboration project that helps -developers create custom Linux-based systems regardless of the hardware -architecture. [meta-trenchboot](https://github.com/3mdeb/meta-trenchboot) -builds the image which contains the TrenchBoot utilities. + which provides the required libraries, that are used by attester and verifier. + The Yocto Project (YP) is an open source collaboration project that helps + developers create custom Linux-based systems regardless of the hardware + architecture. [meta-trenchboot](https://github.com/3mdeb/meta-trenchboot) + builds the image which contains the TrenchBoot utilities. ### Proof of concept To proof the following concept we used the -[ASRock 4x4 Box R1000V](https://www.asrockind.com/en-gb/4X4%20BOX-R1000V) -with physical TPM as the attester and the PC with TPM simulator as the verifier. -Note that you need dTPM. Unfortunately, fTPM included in newer AMD CPUs is not -good enough. The following logs and videos show the attestation process. +[ASRock 4x4 Box R1000V](https://www.asrockind.com/en-gb/4X4%20BOX-R1000V) with +physical TPM as the attester and the PC with TPM simulator as the verifier. Note +that you need dTPM. Unfortunately, fTPM included in newer AMD CPUs is not good +enough. The following logs and videos show the attestation process. -**Attester** +#### Attester -``` +```bash 01:05:37 INFO src/attester.c:73: [attester] Starting up. 01:05:37 INFO src/attester.c:82: [attester] Initializing CoAP endpoint. 01:05:37 INFO src/attester.c:94: [attester] Registering CoAP resources. @@ -227,16 +227,16 @@ good enough. The following logs and videos show the attestation process. In the beginning, the attester is starting up. Then it initializes the CoAP communication and waits for the attestation request. When the attester receives -the request, it creates the TPM attestation key and collects selected PCRs. -With this data, the attester provides the TPM Quote and signature for a given -list of PRCs. In the next step, the attester creates the response, which -includes attestation data, signature, and the public part of the attestation -key. The message is marshaled into a single package, and the attester sends it -to the verifier. +the request, it creates the TPM attestation key and collects selected PCRs. With +this data, the attester provides the TPM Quote and signature for a given list of +PRCs. In the next step, the attester creates the response, which includes +attestation data, signature, and the public part of the attestation key. The +message is marshaled into a single package, and the attester sends it to the +verifier. -**Verifier** +#### Verifier -``` +```bash 01:06:06 INFO src/verifier.c:84: [verifier] Starting up. 01:06:06 INFO src/verifier.c:93: [verifier] Initializing CoAP endpoint. 01:06:06 INFO src/verifier.c:104: [verifier] Registering CoAP resource handlers. @@ -260,13 +260,12 @@ to the verifier. [![asciicast](https://asciinema.org/a/8cAV0h2FTCghAEFZ09you3J0A.svg)](https://asciinema.org/a/8cAV0h2FTCghAEFZ09you3J0A) - The verifier initializes the CoAP communication and sends the attestation -request to the attester. Then it waits for the attestation response. -When the verifier receives the message, it loads the external public key. -The verifier uses the external key handler to appraise the TPM Quote signature. -If there is no error during the verification process, it shows the message that -attestation is successful. +request to the attester. Then it waits for the attestation response. When the +verifier receives the message, it loads the external public key. The verifier +uses the external key handler to appraise the TPM Quote signature. If there is +no error during the verification process, it shows the message that attestation +is successful. ## Next steps @@ -280,24 +279,27 @@ send the public key. It will be conveyed by the endorser. The verifier should be able to start the attestation process, when device wants to be attested as soon as it starts. This is particularly useful for a large -number of devices. It is easier to use a single known attestation server IP -than multiple attesters addressees. +number of devices. It is easier to use a single known attestation server IP than +multiple attesters addressees. Currently, we are upstreaming the changes that were made during the development stage. Here is the list of current and merged pull requests: -* CHARRA: - - https://github.com/Fraunhofer-SIT/charra/pull/14 - - https://github.com/Fraunhofer-SIT/charra/pull/16 +- CHARRA: + + - + - + +- QCBOR: -* QCBOR: - - https://github.com/laurencelundblade/QCBOR/pull/63 + - ## Summary If you are looking for the basic implementation of the TPM attestation with the shell commands, I encourage you to take a look at the tpm2-software community -tutorial - [Remote Attestation With Tpm2 Tools](https://tpm2-software.github.io/2020/06/12/Remote-Attestation-With-tpm2-tools.html) -If you have any questions, suggestions, or ideas, feel free to share them in -the comment section. If you are interested in similar content, I encourage you -to [sign up for our newsletter](http://eepurl.com/doF8GX). +tutorial - +[Remote Attestation With Tpm2 Tools](https://tpm2-software.github.io/2020/06/12/Remote-Attestation-With-tpm2-tools.html) +If you have any questions, suggestions, or ideas, feel free to share them in the +comment section. If you are interested in similar content, I encourage you to +[sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2020-12-17-docker-testing.md b/blog/content/post/2020-12-17-docker-testing.md index 0fd1eb02..47b28bf4 100644 --- a/blog/content/post/2020-12-17-docker-testing.md +++ b/blog/content/post/2020-12-17-docker-testing.md @@ -19,9 +19,9 @@ categories: --- -# Introduction +## Introduction -Docker is an open-source tool used for creating, deploying, and running +Docker is an open-source tool used for creating, deploying, and running applications using containers. It performs operating-system-level virtualization, also known as “containerization”. A container is a standard unit of code with libraries, dependencies and other configuration and binaries needed @@ -36,29 +36,28 @@ a container. Regardless of the operating system, it should run on each computer with an installed Docker. Another great advantage is that the containers are isolated from the environment -so it is very unlikely that we could destroy our environment or other containers. -You can read more about Docker basics +so it is very unlikely that we could destroy our environment or other +containers. You can read more about Docker basics [here](https://blog.3mdeb.com/2020/2020-09-23-raspberrypi_docker/). ## Why Docker -We could create virtual machines for testing embedded systems, but such a solution -would have many disadventages. One of the biggest advantage of Docker is its -portability and performance. A virtual machine acts as a physical computer and -uses the physical resources of the device it is operating on to replicate the -environment of a physical device. A fully virtualized system has its own -resources. Containers are lightweight because they don't boot a separate +We could create virtual machines for testing embedded systems, but such a +solution would have many disadventages. One of the biggest advantage of Docker +is its portability and performance. A virtual machine acts as a physical +computer and uses the physical resources of the device it is operating on to +replicate the environment of a physical device. A fully virtualized system has +its own resources. Containers are lightweight because they don't boot a separate operating system per virtual machine. They also share a kernel and common layers -across images. +across images. -Let's say that we have a hundred of tests that need a database, and -each test needs the same copy of a database. In case each test modifies a -database we need to reset a database after each test. With Docker we can create -the image of our database and run one instance per test. Additionally, the -simplicity of creating images using Dockerfile makes it much easier to transfer -them to another computer. But there are pros and cons. Fully virtualized systems -are more isolated than containers but for embedded testing, we don't need this -advantage. +Let's say that we have a hundred of tests that need a database, and each test +needs the same copy of a database. In case each test modifies a database we need +to reset a database after each test. With Docker we can create the image of our +database and run one instance per test. Additionally, the simplicity of creating +images using Dockerfile makes it much easier to transfer them to another +computer. But there are pros and cons. Fully virtualized systems are more +isolated than containers but for embedded testing, we don't need this advantage. But there are other ways to create virtual environments, for example, using Python virtualenv so why not use it? Of course we can, with the difference that @@ -75,31 +74,31 @@ whether data is correctly sent through the serial port. In our case, we write tests that anyone, regardless of the operating system, could run on their computer with Docker installed. -To simulate our case, we use an Arduino UNO, which serves as the device -under test (DUT), and Raspberry Pi, which tests our DUT. On the Arduino we -check 4th and 8th pin. Unfortunately, the Raspberry can only read voltage not -exceeding 3.3V. The range of GPIO pins of the Arduino is 0-5V so we have to -use here a level shifter or voltage divider. In our case, we use six 1K -resistors connected in the following way: +To simulate our case, we use an Arduino UNO, which serves as the device under +test (DUT), and Raspberry Pi, which tests our DUT. On the Arduino we check 4th +and 8th pin. Unfortunately, the Raspberry can only read voltage not exceeding +3.3V. The range of GPIO pins of the Arduino is 0-5V so we have to use here a +level shifter or voltage divider. In our case, we use six 1K resistors connected +in the following way: ![voltage_divider](/img/voltage_divider.jpg) ![voltage_divider](/img/rpi_arduino_diagram.jpg) -We need to know how to program Arduino. Usually, the Arduino IDE is -used for this purpose, but in our case, we need to learn how to program Arduino -from the command line so that it can be used in automatic tests. One solution is -to compile Arduino sketches using Makefile. To do that we use package -`arduino-mk` which allows us to compile the code and upload it to the Arduino. -On Linux based system we can download this package by typing: +We need to know how to program Arduino. Usually, the Arduino IDE is used for +this purpose, but in our case, we need to learn how to program Arduino from the +command line so that it can be used in automatic tests. One solution is to +compile Arduino sketches using Makefile. To do that we use package `arduino-mk` +which allows us to compile the code and upload it to the Arduino. On Linux based +system we can download this package by typing: -``` +```bash sudo apt install arduino-mk ``` After downloading, typing: -``` +```bash pi@raspberrypi:~ $ ls /usr/share/arduino/ Arduino.mk chipKIT.mk examples lib reference Teensy.mk arduino-mk-vars.md Common.mk hardware libraries revisions.txt tools @@ -112,13 +111,13 @@ know where that file is located. Our tests use 5 files that are uploaded to the Arduino: - - pin 4 on/off - - pin 8 on/off - - serial connection +- pin 4 on/off +- pin 8 on/off +- serial connection `pin4_off.ino` -``` +```bash void setup(){ pinMode(4, OUTPUT); } @@ -130,7 +129,7 @@ void loop(){ `pin4_on.ino` -``` +```bash void setup(){ pinMode(4, OUTPUT); } @@ -142,7 +141,7 @@ void loop(){ `serial.ino` -``` +```bash void setup(){ Serial.begin(9600); } @@ -160,8 +159,8 @@ from arduino-mk Makefile: `Makefile` -``` -ARDUINO_DIR = /usr/share/arduino +```bash +ARDUINO_DIR = /usr/share/arduino ARDUINO_PORT = /dev/ttyACM* BOARD_TAG = uno @@ -175,11 +174,11 @@ Arduino board. On Linux based system Arudino always shows up as ACM0 or ACM1 depending on how many devices we have connected so this works only if we have one Arduino connected to RPi. -To convert our code into the files that can be uploaded to Arduino we go to -a specific folder and type `make`. This creates a new folder that contains all -the necessary files. We can upload them by typing `make upload`. If we -also want to remove this folder after uploading files to Arduino, we can simply -add `make upload clean`. +To convert our code into the files that can be uploaded to Arduino we go to a +specific folder and type `make`. This creates a new folder that contains all the +necessary files. We can upload them by typing `make upload`. If we also want to +remove this folder after uploading files to Arduino, we can simply add +`make upload clean`. Now we have all the necessary files for our DUT. It's time to write automatic tests. To do that we use [RobotFramework](https://robotframework.org/) which is @@ -187,7 +186,8 @@ a great tool for writing tests. To download it, we also need Python installed. We can download `RobotFramework` by typing `pip install robotframework`. `arduino.robot` -``` + +```bash *** Settings *** Library SSHLibrary timeout=90 seconds @@ -247,13 +247,13 @@ ARD1.4 Pin 8 off To run the ARD1.0 test, we also need to download on RPi the `screen` program: -``` +```bash sudo apt install screen ``` The file structure on our PC should be as follows: -``` +```bash blog_rf/ ├── arduino │   ├── pin4_off @@ -277,7 +277,7 @@ blog_rf/ Before running the tests, we need to export pins 14 and 15 and set their direction to `in`: -``` +```bash pi@raspberrypi:~ $ echo 14 > /sys/class/gpio/export pi@raspberrypi:~ $ echo 15 > /sys/class/gpio/export pi@raspberrypi:~ $ echo in > /sys/class/gpio/gpio14/direction @@ -302,31 +302,32 @@ Thanks to this, everyone will be able to run it regardless of whether they use python 2 or 3 on their computer. Dockerfile might look like this: `Dockerfile` -``` + +```bash FROM python:3.7-slim-stretch RUN pip install robotframework==3.2.2 && \ - pip install robotframework-sshlibrary==3.5.1 + pip install robotframework-sshlibrary==3.5.1 ENTRYPOINT ["robot"] ``` - - the first line specifies the parent image from which we are building our - image. More python image names can be found - [here](https://hub.docker.com/_/python) - - `RUN` runs given commands in a shell inside the container - - `ENTRYPOINT` specifies a command that will always be executed when the - container starts +- the first line specifies the parent image from which we are building our + image. More python image names can be found + [here](https://hub.docker.com/_/python) +- `RUN` runs given commands in a shell inside the container +- `ENTRYPOINT` specifies a command that will always be executed when the + container starts -In the same directory where Dockerfile is located, let's enter: +In the same directory where Dockerfile is located, let's enter: -``` +```bash mateusz@mateusz:~/blog_rf$ docker build -t blog/docker:latest . ``` When we type `docker images` we should see our image: -``` +```bash mateusz@mateusz:~/blog_rf$ docker images REPOSITORY TAG IMAGE ID CREATED SIZE blog/docker latest 61da82a7b715 35 minutes ago 129MB @@ -335,10 +336,10 @@ python 3.7-slim-stretch b72f35c13f06 3 weeks ago Now we can run the tests again but this time from the container. -``` +```bash mateusz@mateusz:~/blog_rf$ docker run --rm -it -v ${PWD}:${PWD} -w ${PWD} blog/docker arduino.robot ============================================================================== -Arduino +Arduino ============================================================================== ARD1.0 Serial Connection | PASS | ------------------------------------------------------------------------------ @@ -371,6 +372,6 @@ our team or forked from Open Source projects with additional useful adjustments. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features of used hardware platform, feel free to -[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-12-21-OSFC_2020.md b/blog/content/post/2020-12-21-OSFC_2020.md index dbeea9cb..5017c879 100644 --- a/blog/content/post/2020-12-21-OSFC_2020.md +++ b/blog/content/post/2020-12-21-OSFC_2020.md @@ -19,59 +19,73 @@ categories: - Security --- -This year we've again had double track insight into the [Open Source Firmware -Conference](https://osfc.io/) as both participants and presenters. We want to -share some thoughts that evolved during the talks and send kudos to many people -who made this conference happen, starting with [9elements Cyber -Security](https://9esec.io) for gathering crucial voices of contributors from -various firmware community corners. In this short, blogpost series, we will -leave a few notes on every attended presentation, starting from day 1, according -to the [schedule](https://cfp.osfc.io/osfc2020/schedule/) with references and -sources. You can go through the post or skip to the chosen conference. Remember, -presented descriptions are only our humble opinion, not official statements of -presenters. To watch the full video and get your own opinion, click the chosen -title. + +This year we've again had double track insight into the +[Open Source Firmware Conference](https://osfc.io/) as both participants and +presenters. We want to share some thoughts that evolved during the talks and +send kudos to many people who made this conference happen, starting with +[9elements Cyber Security](https://9esec.io) for gathering crucial voices of +contributors from various firmware community corners. In this short, blogpost +series, we will leave a few notes on every attended presentation, starting from +day 1, according to the [schedule](https://cfp.osfc.io/osfc2020/schedule/) with +references and sources. You can go through the post or skip to the chosen +conference. Remember, presented descriptions are only our humble opinion, not +official statements of presenters. To watch the full video and get your own +opinion, click the chosen title. ### Day 1 -#### [Why LVFS is Essential for OEMs](https://vimeo.com/488137809) by [Richard Hughes](https://twitter.com/hughsient) +#### [Why LVFS is Essential for OEMs](https://vimeo.com/488137809) + +##### by [Richard Hughes](https://twitter.com/hughsient) The Linux Vendor Firmware Service, an essential part of the Linux ecosystem, is worth digging in. It allows its users to keep hardware up to date with firmware updates. We appreciate enormous work Richard did for the community, and the -success he achieved in convincing vendors. The firmware became living -software, no more part of the hardware. Now we are waiting for fwupd for -QubesOS. Thanks, [Red Hat](https://2019.osfc.io/uploads/talk/paper/9/Introducing_the_Linux_vendor_Firmware_service.pdf). +success he achieved in convincing vendors. The firmware became living software, +no more part of the hardware. Now we are waiting for fwupd for QubesOS. Thanks, +[Red Hat](https://www.osfc.io/2019/talks/introducing-the-linux-vendor-firmware-service/). -[3mdeb – official LVFS consultant](https://fwupd.org/lvfs/docs/consulting) also contributes to LVFS: +[3mdeb – official LVFS consultant](https://fwupd.org/lvfs/docs/consulting) also +contributes to LVFS: -- [flashrom plugin](https://opensource.3mdeb.com/projects/fwupd.html) - Artur Raglis -- [fwupd for QubesOS](https://github.com/3mdeb/qubes-fwupd) - [Norbert Kamiński](https://twitter.com/asiderr/) +- [flashrom plugin](https://opensource.3mdeb.com/projects/fwupd.html) - Artur + Raglis +- [fwupd for QubesOS](https://github.com/3mdeb/qubes-fwupd) - + [Norbert Kamiński](https://twitter.com/asiderr/) - fwupd for BSD - approved by NLNet and work in progress on our side -#### [UEFI compliance testing](https://vimeo.com/488138727) by [Heinrich Schuchardt](https://cfp.osfc.io/osfc2020/speaker/RXDBSA/) +#### [UEFI compliance testing](https://vimeo.com/488138727) + +##### by [Heinrich Schuchardt](https://cfp.osfc.io/osfc2020/speaker/RXDBSA/) -Based on the UEFI lifetime in the presentation it seems that Heinrich and U-Boot developers are -interested in ARM and RISC-V support. Great insight for the presentation would be UEFI -SCT compliance across various UEFI implementations for various platforms (QEMU, -x86, RISC-V). Kudos to [U-Boot](https://github.com/u-boot/u-boot) for reporting -status of UEFI validation and problems that we may experience when using UEFI -Forum recommended tools. +Based on the UEFI lifetime in the presentation it seems that Heinrich and U-Boot +developers are interested in ARM and RISC-V support. Great insight for the +presentation would be UEFI SCT compliance across various UEFI implementations +for various platforms (QEMU, x86, RISC-V). Kudos to +[U-Boot](https://github.com/u-boot/u-boot) for reporting status of UEFI +validation and problems that we may experience when using UEFI Forum recommended +tools. -#### [coreboot Thermal Management on Intel based systems](https://vimeo.com/488143663) by [Sumeet Pawnikar](https://cfp.osfc.io/osfc2020/speaker/NTVYJH/), [Timothy Wawrzynczak](https://cfp.osfc.io/osfc2020/speaker/YZBZFU/) +#### [coreboot Thermal Management on Intel based systems](https://vimeo.com/488143663) + +##### [Sumeet Pawnikar](https://cfp.osfc.io/osfc2020/speaker/NTVYJH/) + +##### [Timothy Wawrzynczak](https://cfp.osfc.io/osfc2020/speaker/YZBZFU/) Intel works on this contribution to enable efficient thermal management for Google Chromebooks. It is an important topic for all types of devices, -especially those focused on energy saving, e.g. mobile platforms. The -presenters discussed the added ACPI code and explained the code tree with its -structure. This is significantly important because DPTF thermal management is -used across many laptop devices, not only Chromebooks. Furthermore, the authors -mentioned that they removed many duplicated files and code in favour of -unification of the implementation. Also they made it more usable by removing -hard to understand ACPI code and reducing the amount of code that platform must -include. +especially those focused on energy saving, e.g. mobile platforms. The presenters +discussed the added ACPI code and explained the code tree with its structure. +This is significantly important because DPTF thermal management is used across +many laptop devices, not only Chromebooks. Furthermore, the authors mentioned +that they removed many duplicated files and code in favour of unification of the +implementation. Also they made it more usable by removing hard to understand +ACPI code and reducing the amount of code that platform must include. + +#### [Bootling Linux more safely with safeboot](https://vimeo.com/488144473) -#### [Bootling Linux more safely with safeboot](https://vimeo.com/488144473) by [Trammell Hudson](https://twitter.com/qrs) +##### by [Trammell Hudson](https://twitter.com/qrs) Trammel, the founder, and contributor of safeboot, presented a great, practical talk around configuring UEFI Secure Boot tools. He explained safeboot @@ -79,29 +93,34 @@ configuration options, the threat model, and interestingly described attestation before accessing model (e.g. Google account, Lastpass account etc.) Thanks Trammel for your work [safeboot](https://safeboot.dev/). -#### [PRM: SMM Goes on a Diet](https://vimeo.com/488136678) by [Michael Kubacki](https://cfp.osfc.io/osfc2020/speaker/9DMPTB/) +#### [PRM: SMM Goes on a Diet](https://vimeo.com/488136678) + +##### by [Michael Kubacki](https://cfp.osfc.io/osfc2020/speaker/9DMPTB/) PRM stands for Platform Runtime Mechanism and is designed to reduce the privileged SMM mode code. Certain SMI handlers are moved to PRM modules which operating system may call to handle an event. A few noticeable facts: -* some hardware resources can only be accessed in SMM -* RAS relies on SMM and SMI handlers -* UEFI Capsule Update and Authenticated Variables also leverage that mode -* SMM is related to OCP and server use cases +- some hardware resources can only be accessed in SMM +- RAS relies on SMM and SMI handlers +- UEFI Capsule Update and Authenticated Variables also leverage that mode +- SMM is related to OCP and server use cases + +This talk reminded us concept proposed by +[Ron at the European coreboot Conference 2017](https://www.youtube.com/watch?v=6GEaw4msq6g). -This talk reminded us concept proposed by [Ron at the European coreboot Conference 2017](https://www.youtube.com/watch?v=6GEaw4msq6g). +#### [Building an alternative ecosystem to UEFI](https://vimeo.com/488136082) -#### [Building an alternative ecosystem to UEFI](https://vimeo.com/488136082) by [John Looney](https://cfp.osfc.io/osfc2020/speaker/AHQ8TJ/) +##### by [John Looney](https://cfp.osfc.io/osfc2020/speaker/AHQ8TJ/) This was one of the most important presentations during conference since it can be understood without much knowledge about firmware and gives clear signal that something is wrong even from perspective of reasonably big company. -John presented typical stages of hardware production (Prototype -> EVT -> DVT --> PVT -> Mass production) in light of problems with firmware ecosystem. One -thing is that Silicon Vendors, ODM and IBVs don't care about outdated hardware -and outdated for them usually means it already was released to the market. +John presented typical stages of hardware production (Prototype -> EVT -> DVT -> +PVT -> Mass production) in light of problems with firmware ecosystem. One thing +is that Silicon Vendors, ODM and IBVs don't care about outdated hardware and +outdated for them usually means it already was released to the market. Coincidentally it means solid enough to be deployed on server market customers site. Current ecosystem rushing through roadmap to meet stakeholders criteria and customers are left with whatever sub-optimal software stack was produced. @@ -111,24 +130,28 @@ with hash - this means at least basic software supply chain control, which is critical for stable firmware maintenance. Facebook already coach hardware engineers to develop coreboot code. According to Facebook: it's 2x faster to enable complex security features on coreboot than UEFI. Good to hear that! -Interesting thing is that Facebook use 1000 reboots to test DRAM init, what in fact -is interesting and we all should get to the point where this number of +Interesting thing is that Facebook use 1000 reboots to test DRAM init, what in +fact is interesting and we all should get to the point where this number of iterations works seamlessly on any DRAM configuration. -#### [System Transparency and it's bootloader implementation stboot](https://vimeo.com/488128723) by [Jens Drenhaus](https://twitter.com/jens_drenhaus) +#### [System Transparency and it's bootloader implementation stboot](https://vimeo.com/488128723) + +##### by [Jens Drenhaus](https://twitter.com/jens_drenhaus) Jens showed us the details of System Transparency's bootloader implementation, focusing on stboot LinuxBoot distribution. He described the state development, -issues and deployment scenarios with swtpm testing and D-RTM (Intel version) -use case for system provisioning with tboot. In light of 3mdeb involvement in +issues and deployment scenarios with swtpm testing and D-RTM (Intel version) use +case for system provisioning with tboot. In light of 3mdeb involvement in TrenchBoot project this is definitely very interesting and since we heard -decision about sticking to tboot instead of adopting TrenchBoot we would be -glad to talk more about reasons behind that decision. Also we really like +decision about sticking to tboot instead of adopting TrenchBoot we would be glad +to talk more about reasons behind that decision. Also we really like introduction of swtpm, which we discussed during 2020 Qubes OS mini-summit in light of [S-RTM](https://youtu.be/Eip5Rts6S2I) and [D-RTM](https://youtu.be/Eip5Rts6S2I). -#### [kexec based bootloaders/fast rebooting: Boon or Bane](https://vimeo.com/488150148) by [Bhupesh Sharma](https://twitter.com/bhupesh_sharma) +#### [kexec based bootloaders/fast rebooting: Boon or Bane](https://vimeo.com/488150148) + +##### by [Bhupesh Sharma](https://twitter.com/bhupesh_sharma) kexec based bootloaders are becoming a very popular and kexec itself are very capable (can boot Linux, Windows, Xen and more). kexec still is not robust, @@ -136,20 +159,24 @@ there is still a threat of DMA occurrence during kexec kernel loading. Not all Linux drivers are kexec-ready, they need a shutdown method to avoid undesired DMA and be relaunched correctly in new kernel. -#### [Unit testing coreboot](https://vimeo.com/488135518) by [Jan Dąbroś](https://cfp.osfc.io/osfc2020/speaker/T7TMMD/) +#### [Unit testing coreboot](https://vimeo.com/488135518) + +##### by [Jan Dąbroś](https://cfp.osfc.io/osfc2020/speaker/T7TMMD/) Interesting presentation on the coreboot unit testing infrastructure with the use of cmocka framework. Jan showed the benefits, implementation details, tests -build/run and the overall challenges. It looks like Google decided to have -unit testing in coreboot and they selected for that job fellow Polish -developers, so congratulations to [Semihalf](https://www.semihalf.com/) for -entering the coreboot land and we wish them lot of successful contributions. +build/run and the overall challenges. It looks like Google decided to have unit +testing in coreboot and they selected for that job fellow Polish developers, so +congratulations to [Semihalf](https://www.semihalf.com/) for entering the +coreboot land and we wish them lot of successful contributions. + +#### [Guiding Engineering Teams Toward a More Secure Usage of U-Boot](https://vimeo.com/488134063) -#### [Guiding Engineering Teams Toward a More Secure Usage of U-Boot](https://vimeo.com/488134063) by [Jon Szymaniak](https://twitter.com/sz_jynik) +##### by [Jon Szymaniak](https://twitter.com/sz_jynik) NCC Group presented its definition of Secure Boot (BSP), U-Boot usage, and its -supply chain. Jon showed us a toolkit built for U-Boot security issues, and -it's functionality. Thank you [NCC Group](https://www.nccgroup.com/us/) for +supply chain. Jon showed us a toolkit built for U-Boot security issues, and it's +functionality. Thank you [NCC Group](https://www.nccgroup.com/us/) for delivering, as always, high-quality content in the area of embedded systems and embedded firmware security. @@ -163,7 +190,7 @@ present some thoughts on OSFC 2020 day 2. If you think we can help in improving the security of your firmware or you are looking for a training that can boost your team of developers inside UEFI, -coreboot or Yocto area, feel free to [book a call with -us](https://calendly.com/3mdeb/consulting-remote-meeting) or drop us email to -`contact3mdebcom`. If you are interested in similar content feel free -to [sign up to our newsletter](http://eepurl.com/doF8GX) +coreboot or Yocto area, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2020-12-31-coreboot_for_power.md b/blog/content/post/2020-12-31-coreboot_for_power.md index dbc6512e..f67a81a0 100644 --- a/blog/content/post/2020-12-31-coreboot_for_power.md +++ b/blog/content/post/2020-12-31-coreboot_for_power.md @@ -18,11 +18,13 @@ categories: --- -You may have heard that we are working on coreboot port for [Talos II](https://raptorcs.com/TALOSII/). -OpenPOWER already has, as the name suggests, open source firmware, so one may -ask why bother? In this blog post we will try to answer that question. +You may have heard that we are working on coreboot port for +[Talos II](https://raptorcs.com/TALOSII/). OpenPOWER already has, as the name +suggests, open source firmware, so one may ask why bother? In this blog post we +will try to answer that question. -> There have been rumours that [Raptor Computing Systems sells POWER9 hardware with coreboot](https://twitter.com/rozendantz/status/1336113596837720065/retweets/with_comments), +> There have been rumours that +> [Raptor Computing Systems sells POWER9 hardware with coreboot](https://web.archive.org/web/20201208010209/https://twitter.com/rozendantz/status/1336113596837720065), > however this is not true. The confusion probably comes from a fact that Raptor > Engineering is a licensed coreboot contractor, and they did port the firmware > for POWER platforms, but this particular firmware was a port of OpenPOWER, not @@ -31,15 +33,17 @@ ask why bother? In this blog post we will try to answer that question. ## Short introduction to OpenPOWER boot process and its components Talos II is a server platform managed by a slightly customised (mainly to handle -specific dual-CPU boot synchronisation quirks) [OpenBMC fork](https://git.raptorcs.com/git/talos-openbmc/). -BMC signals the main (host) platform to start booting. - -Next comes the [Self-Boot Engine](https://wiki.raptorcs.com/wiki/Self-Boot_Engine). -This term is actually used both for a chip (which is part of main CPU, SBE is a -reduced PowerPC core) and its [firmware](https://git.raptorcs.com/git/talos-sbe/). -The code is stored in two redundant copies in SEEPROM - serial EEPROM located in -the CPU module, 4x64 KB for each copy. SBE's tasks are initialisation of main -CPU cores and loading and staring the next component called Hostboot. +specific dual-CPU boot synchronisation quirks) +[OpenBMC fork](https://git.raptorcs.com/git/talos-openbmc/). BMC signals the +main (host) platform to start booting. + +Next comes the +[Self-Boot Engine](https://wiki.raptorcs.com/wiki/Self-Boot_Engine). This term +is actually used both for a chip (which is part of main CPU, SBE is a reduced +PowerPC core) and its [firmware](https://git.raptorcs.com/git/talos-sbe/). The +code is stored in two redundant copies in SEEPROM - serial EEPROM located in the +CPU module, 4x64 KB for each copy. SBE's tasks are initialisation of main CPU +cores and loading and staring the next component called Hostboot. We can separate a piece of code called Hostboot bootloader (HBBL). It is located in SBE SEEPROM, along with secure boot root of trust hash. HBBL can be updated @@ -60,7 +64,8 @@ place. [Skiboot](https://git.raptorcs.com/git/talos-skiboot/) is then chainloaded. Its tasks include initialisation of the rest of the hardware, e.g. PCI Express host -bus controllers. It also implements OPAL ([OpenPOWER Abstraction Layer](https://open-power.github.io/skiboot/doc/opal-spec.html#what-is-opal)), +bus controllers. It also implements OPAL +([OpenPOWER Abstraction Layer](https://open-power.github.io/skiboot/doc/opal-spec.html#what-is-opal)), which is an interface to access firmware services from an OS. This is similar to the UEFI runtime services or legacy BIOS interrupt calls. @@ -93,7 +98,7 @@ separate hardware, and dividing Skiboot into "hardware" and "services" parts at this stage may introduce additional bugs. It is safer to implement one component at a time than fail trying to do them all in one go. -#### Risks +### Risks There are many moving parts in the OpenPOWER firmware. Sometimes a simple change in the firmware for one of the peripheral devices must be accompanied by a @@ -111,7 +116,7 @@ CPU. We can define two classes of possible benefits: one is what coreboot and its community can gain, the other one is what end users get from it. -#### For users +### For users **Boot time reduction** was one of the main reasons for doing this port. Hostboot itself takes more than 1 minute to run. This is mostly spent on @@ -119,12 +124,13 @@ accessing flash memory. It is split into multiple PNOR (Processor NOR, POWER name for flash) partitions, summing up to just below 32 megabytes. It runs from cache until it trains main memory, so it is limited to just 10 MB (size of L3 cache) split between two cores. To make it possible to load and execute that -amount of code, [Hostboot uses on-demand paging](https://youtu.be/fTLsS_QZ8us?t=1559). -It is similar to swap used by operating systems, except that it uses (EEP)ROM -instead of easily writable media, so only code and constant data can be -discarded from memory (L3 cache in this case). Saving temporary variables would -require dedicated partition in PNOR and would introduce many unnecessary writes, -which both reduce the lifetime of flash and slows down the boot process. Only +amount of code, +[Hostboot uses on-demand paging](https://youtu.be/fTLsS_QZ8us?t=1559). It is +similar to swap used by operating systems, except that it uses (EEP)ROM instead +of easily writable media, so only code and constant data can be discarded from +memory (L3 cache in this case). Saving temporary variables would require +dedicated partition in PNOR and would introduce many unnecessary writes, which +both reduce the lifetime of flash and slows down the boot process. Only persistent settings and VPD cache (which would otherwise have to be created with each boot, producing the same results on each boot) are saved to PNOR. @@ -132,19 +138,20 @@ With reduced boot time Talos II may as well become a board for a PC - it uses standard peripherals and has an EATX form that fits in most PC cases. It has decent power consumption and is really quiet. The only thing it lacks is an integrated sound card, but most graphic cards include HDMI audio anyway. There -is also a [project for designing a PowerPC notebook](https://www.powerpc-notebook.org/en/). +is also a +[project for designing a PowerPC notebook](https://www.powerpc-notebook.org/en/). Many Linux and BSD distributions provide PPC ports, you can even choose between big and little endian software, the hardware supports both, dynamically changed without requiring a reboot. This may be, especially when the cost of boards will -be reduced by constantly growing demand, **a good alternative to x86 platforms**, -which as of now are virtually impossible to be supported without at least some -binary, non-auditable components (FSP, AGESA, ME, PSP etc). +be reduced by constantly growing demand, **a good alternative to x86 +platforms**, which as of now are virtually impossible to be supported without at +least some binary, non-auditable components (FSP, AGESA, ME, PSP etc). Another issue was nicely formulated by Timothy Pearson from Raptor CS on one of the mails we exchanged when discussing the hows and whys: > Hostboot is a VM to run FSI routines, and the FSI routines are written one by -> one by the hardware engineers designing the silicon itself. This leads to +> one by the hardware engineers designing the silicon itself. This leads to > overly complex and difficult to understand code, as you can see. FSI is one of the buses Hostboot has to initialise. By simplifying the code we @@ -159,7 +166,8 @@ like new drivers for Skiroot. coreboot would get a **new architecture** supported. Although there are stubs, cross-compiler and libraries for PPC, the coreboot itself isn't in working state when it comes to this architecture as of now. It would also get a **new, truly -open** ([unless you want SATA controller](https://wiki.raptorcs.com/wiki/PM8068)), +open** +([unless you want SATA controller](https://wiki.raptorcs.com/wiki/PM8068)), [RYF-certified](https://www.fsf.org/news/talos-ii-mainboard-and-talos-ii-lite-mainboard-now-fsf-certified-to-respect-your-freedom) platform. Having usable POWER9 implementation should make an easy transition to POWER10 when it will reach customers in a year or so. @@ -198,13 +206,15 @@ code, so we ended up converting virtual address to a physical one using a negative offset compared to what we should have used. This is what you get from mixing virtual memory management and manual pointer calculations 🙂️ -Since then we believe we have [mostly fixed all of the endianness issues](https://github.com/3mdeb/coreboot/tree/talos_2_support), +Since then we believe we have +[mostly fixed all of the endianness issues](https://github.com/3mdeb/coreboot/tree/talos_2_support), so `Couldn't load romstage` became `Payload not loaded`, but without any actual initialisation code yet. After thorough tests and updates to the documentation we will begin to upstream these changes. If you think we can help in improving the security of your firmware or you are looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2021-01-13-IOMMU.md b/blog/content/post/2021-01-13-IOMMU.md index b56d3b12..7f6e1685 100644 --- a/blog/content/post/2021-01-13-IOMMU.md +++ b/blog/content/post/2021-01-13-IOMMU.md @@ -32,18 +32,18 @@ hardware and software. Advantages of IOMMU usage: -- One single contiguous virtual memory region can be mapped to multiple non-contiguous -physical memory regions. IOMMU can make a non-contiguous memory region appear -contiguous to a device (scatter/gather). Scatter/gather optimizes streaming DMA -performance for the I/O device. +- One single contiguous virtual memory region can be mapped to multiple + non-contiguous physical memory regions. IOMMU can make a non-contiguous memory + region appear contiguous to a device (scatter/gather). Scatter/gather + optimizes streaming DMA performance for the I/O device. - Memory isolation and protection: device can only access memory regions that -are mapped for it. Hence faulty and/or malicious devices can't corrupt memory. + are mapped for it. Hence faulty and/or malicious devices can't corrupt memory. - Memory isolation allows safe device assignment to a virtual machine without -compromising host and other guest OSes. + compromising host and other guest OSes. - IOMMU enables 32-bit DMA capable devices to access to > 4GB memory. - Support hardware interrupt remapping. It extends limited hardware interrupts -to software interrupts. Primary uses are the interrupt isolation and translation -between interrupt domains (e.g. IOAPIC vs x2APIC on x86) + to software interrupts. Primary uses are the interrupt isolation and + translation between interrupt domains (e.g. IOAPIC vs x2APIC on x86) Disadvantages of IOMMU usage: @@ -54,13 +54,13 @@ Disadvantages of IOMMU usage: IOMMU’s architecture is designed to accommodate a variety of system topologies. There can be multiple IOMMUs located at a variety of places in the system -fabric. It can be placed at bridges inside one bus or at bridges between busses +fabric. It can be placed at bridges inside one buses or at bridges between buses of the same or different types. In modern systems, IOMMU is commonly integrated with the PCIe root complex. It connects to the PCIe bus from downstream and to the system bus (e.g. infinity fabric) from upstream. One example topology is shown below. -![Example Platform Architecture](/img/iommu.png) +![Example Platform Architecture](/img/iommu.png) ## In software @@ -74,9 +74,9 @@ the device's memory access permissions is stored there too. ## Enabling -IOMMU is a generic name for technologies such as VT-d by Intel, AMD-Vi by AMD, TCE -by IBM and SMMU by ARM. Make sure that your CPU supports one of these before you -try to enable IOMMU. +IOMMU is a generic name for technologies such as VT-d by Intel, AMD-Vi by AMD, +TCE by IBM and SMMU by ARM. Make sure that your CPU supports one of these before +you try to enable IOMMU. ### UEFI/BIOS @@ -99,11 +99,14 @@ type of CPU in use: After rebooting, you can check dmesg output to confirm that IOMMU is enabled On Intel platforms: -```sh + +```bashsh dmesg | grep -i -e DMAR -e IOMMU ``` + Output should look somewhat like this: -``` + +```bash [ 0.000000] ACPI: DMAR 0x00000000BDCB1CB0 0000B8 (v01 INTEL BDW 00000001 INTL 00000001) [ 0.000000] Intel-IOMMU: enabled [ 0.028543] dmar: IOMMU 0: reg_base_addr fed90000 ver 1:0 cap c0000020660462 ecap f0101a @@ -123,11 +126,14 @@ Output should look somewhat like this: ``` On AMD platforms: -```sh + +```bashsh dmesg | grep -i -e AMD-Vi ``` + Output should look somewhat like this: -``` + +```bash [ 0.805831] pci 0000:00:00.2: AMD-Vi: Found IOMMU cap 0x40 [ 0.805832] pci 0000:00:00.2: AMD-Vi: Extended features (0x4f77ef22294ada): [ 0.805834] AMD-Vi: Interrupt remapping enabled @@ -160,7 +166,7 @@ be the topic of one of a future post. ## Further reading -[https://www.amd.com/system/files/TechDocs/48882_IOMMU_3.05_PUB.pdf](https://www.amd.com/system/files/TechDocs/48882_IOMMU_3.05_PUB.pdf) +[https://www.amd.com/system/files/TechDocs/48882_3.07_PUB.pdf](https://www.amd.com/system/files/TechDocs/48882_3.07_PUB.pdf) [https://www.kernel.org/doc/html/latest/driver-api/vfio.html](https://www.kernel.org/doc/html/latest/driver-api/vfio.html) @@ -177,6 +183,7 @@ summary, the use of IOMMU seems to be beneficial in almost every case. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2021-02-02-fosdem2021.md b/blog/content/post/2021-02-02-fosdem2021.md index dd3f6e8b..989f98c7 100644 --- a/blog/content/post/2021-02-02-fosdem2021.md +++ b/blog/content/post/2021-02-02-fosdem2021.md @@ -17,23 +17,24 @@ categories: - Security --- + ### Introduction -This is another year in which, together with [Daniel -Kiper](https://fosdem.org/2021/schedule/speaker/daniel_kiper/) from Oracle, we -have the pleasure to organize Open Source Firmware, BMC and Bootloader devroom -during FOSDEM 2021 as a continuation of this devroom of the previous edition. We -take part in this event to promote the use of free and open source software, and -show how it can increase security and the quality of the code itself and give -more business freedom outside of the vendors lock-in, from the point of the -firmware level which is our bread and butter in 3mdeb. In this blogpost we will -gather all the information about the event and links to the videos from the -FOSDEM 2020. +This is another year in which, together with +[Daniel Kiper](https://fosdem.org/2021/schedule/speaker/daniel_kiper/) from +Oracle, we have the pleasure to organize Open Source Firmware, BMC and +Bootloader devroom during FOSDEM 2021 as a continuation of this devroom of the +previous edition. We take part in this event to promote the use of free and open +source software, and show how it can increase security and the quality of the +code itself and give more business freedom outside of the vendors lock-in, from +the point of the firmware level which is our bread and butter in 3mdeb. In this +blogpost we will gather all the information about the event and links to the +videos from the FOSDEM 2020. > FOSDEM is a free event for software developers to meet, share ideas and -collaborate. Every year, thousands of developers of free and open source -software from all over the world gather at the event in Brussels. In 2021, they -will gather online. +> collaborate. Every year, thousands of developers of free and open source +> software from all over the world gather at the event in Brussels. In 2021, +> they will gather online. ### Why Open source @@ -41,20 +42,20 @@ Before diving into the technical information around FOSDEM, let's make a step back and refresh the ground knowledge that made us choose the Open Source path as users, contributors, developers, supporters – OSS community members. -* Open source builds trust in the features and quality of the software. If the -company wants to start developing OS project, it needs to check its quality. The -published code's quality can be easily scanned by having full insight into the -source code. +- Open source builds trust in the features and quality of the software. If the + company wants to start developing OS project, it needs to check its quality. + The published code's quality can be easily scanned by having full insight into + the source code. -* Developers are building a visible portfolio by contributing to the Open Source -project. The company that decided to develop a particular project is more eager -to hire contributors with proven expertise. +- Developers are building a visible portfolio by contributing to the Open Source + project. The company that decided to develop a particular project is more + eager to hire contributors with proven expertise. -* The company can get improved performance for a relatively short amount of time. - Having open-source repository allows to prove the competencies and gain trust - without any additional audit or checks. +- The company can get improved performance for a relatively short amount of + time. Having open-source repository allows to prove the competencies and gain + trust without any additional audit or checks. -* The source code has no value itself. Most of the products are made by +- The source code has no value itself. Most of the products are made by modifying existing code components, so technology knowledge that allows performing on the ready-to-use code in the proposed business model brings the essential value. There are some exceptions to that like very innovative and @@ -67,46 +68,65 @@ in mind, let's have a look into event details below. ### Where to link the event? -* To participate, no registration is needed. Check the -[schedule](https://fosdem.org/2021/schedule/track/open_source_firmware_bmc_and_bootloader/) -and choose the talks you would take part in. We are in -[D.firmware](https://fosdem.org/2021/schedule/room/dfirmware/) room. -* Find the live streaming for a D.firmware -[here](https://fosdem.org/2021/schedule/streaming/). The page will be updated -every few minutes to show you what is currently scheduled in each room. +- To participate, no registration is needed. Check the + [schedule](https://fosdem.org/2021/schedule/track/open_source_firmware_bmc_and_bootloader/) + and choose the talks you would take part in. We are in + [D.firmware](https://fosdem.org/2021/schedule/room/dfirmware/) room. +- Find the live streaming for a D.firmware + [here](https://fosdem.org/2021/schedule/streaming/). The page will be updated + every few minutes to show you what is currently scheduled in each room. ### How we are proceeding this year -This online event will take place on 6 & 7 February 2021. Here you will find [the full schedule](https://fosdem.org/2021/schedule/track/open_source_firmware_bmc_and_bootloader/). +This online event will take place on 6 & 7 February 2021. Here you will find +[the full schedule](https://fosdem.org/2021/schedule/track/open_source_firmware_bmc_and_bootloader/). The below points will be updated with recordings after the event. -##### February 6 2021 +#### February 6 2021 -* [Open Source Firmware status on AMD platforms 2021](https://fosdem.org/2021/schedule/event/firmware_osfsoap2/) by [Piotr Król](https://twitter.com/pietrushnic) +- [Open Source Firmware status on AMD platforms 2021](https://fosdem.org/2021/schedule/event/firmware_osfsoap2/) + by [Piotr Król](https://twitter.com/pietrushnic) -* [OpenBMC introduction and porting guide](https://fosdem.org/2021/schedule/event/firmware_oiapg/) by [Saravanan Palanisamy](https://fosdem.org/2021/schedule/speaker/saravanan_palanisamy/) +- [OpenBMC introduction and porting guide](https://fosdem.org/2021/schedule/event/firmware_oiapg/) + by + [Saravanan Palanisamy](https://fosdem.org/2021/schedule/speaker/saravanan_palanisamy/) -* [Building an interactive Continuous Integration platform for Open Source Firmware](https://fosdem.org/2021/schedule/event/firmware_baicipfosf/) by [Jean-Marie Verdun](https://fosdem.org/2021/schedule/speaker/jean_marie_verdun/) +- [Building an interactive Continuous Integration platform for Open Source Firmware](https://fosdem.org/2021/schedule/event/firmware_baicipfosf/) + by + [Jean-Marie Verdun](https://fosdem.org/2021/schedule/speaker/jean_marie_verdun/) -* [How to build up an ecosystem for open-source firmware testing](https://fosdem.org/2021/schedule/event/firmware_htbuaefoft/) by [Christian Walter](https://fosdem.org/2021/schedule/speaker/christian_walter/) +- [How to build up an ecosystem for open-source firmware testing](https://fosdem.org/2021/schedule/event/firmware_htbuaefoft/) + by + [Christian Walter](https://fosdem.org/2021/schedule/speaker/christian_walter/) -* [EDK2 UEFI on RISC-V](https://fosdem.org/2021/schedule/event/firmware_uor/) by [Daniel Schaefer](https://fosdem.org/2021/schedule/speaker/daniel_schaefer/) +- [EDK2 UEFI on RISC-V](https://fosdem.org/2021/schedule/event/firmware_uor/) by + [Daniel Schaefer](https://fosdem.org/2021/schedule/speaker/daniel_schaefer/) -* [Improving the Secure Boot landscape: sbctl & go-uefi](https://fosdem.org/2021/schedule/event/firmware_itsblsg/) by [Morten Linderund](https://fosdem.org/2021/schedule/speaker/morten_linderud/) +- [Improving the Secure Boot landscape: sbctl & go-uefi](https://fosdem.org/2021/schedule/event/firmware_itsblsg/) + by + [Morten Linderund](https://fosdem.org/2021/schedule/speaker/morten_linderud/) -* [Secure Upgrades with DRTM](https://fosdem.org/2021/schedule/event/firmware_suwd/) by [Daniel Smith](https://fosdem.org/2021/schedule/speaker/daniel_smith/), [Brian Payne](https://fosdem.org/2021/schedule/speaker/brian_payne/) +- [Secure Upgrades with DRTM](https://fosdem.org/2021/schedule/event/firmware_suwd/) + by [Daniel Smith](https://fosdem.org/2021/schedule/speaker/daniel_smith/), + [Brian Payne](https://fosdem.org/2021/schedule/speaker/brian_payne/) ##### February 7 2021 -* [Open Source Firmware Status on Ampere ARM64 Platforms](https://fosdem.org/2021/schedule/event/firmware_osfsoaap/) by [Arjun Khare](https://fosdem.org/2021/schedule/speaker/arjun_khare/) +- [Open Source Firmware Status on Ampere ARM64 Platforms](https://fosdem.org/2021/schedule/event/firmware_osfsoaap/) + by [Arjun Khare](https://fosdem.org/2021/schedule/speaker/arjun_khare/) -* [Secure boot without UEFI: booting VMs on Power(PC)](https://fosdem.org/2021/schedule/event/firmware_sbwubvop/) by [Daniel Axtens](https://fosdem.org/2021/schedule/speaker/daniel_axtens/) +- [Secure boot without UEFI: booting VMs on Power(PC)](https://fosdem.org/2021/schedule/event/firmware_sbwubvop/) + by [Daniel Axtens](https://fosdem.org/2021/schedule/speaker/daniel_axtens/) -* [GRUB - Project Status Update](https://fosdem.org/2021/schedule/event/firmware_gpsu/) by [Daniel Kiper](https://fosdem.org/2021/schedule/speaker/daniel_kiper/) +- [GRUB - Project Status Update](https://fosdem.org/2021/schedule/event/firmware_gpsu/) + by [Daniel Kiper](https://fosdem.org/2021/schedule/speaker/daniel_kiper/) -* [Open source PMCI stack implementation for add-in-card manageability.](https://fosdem.org/2021/schedule/event/firmware_ospsifam/) by [sumanthbhatt](https://fosdem.org/2021/schedule/speaker/sumanthbhatt/) +- [Open source PMCI stack implementation for add-in-card manageability.](https://fosdem.org/2021/schedule/event/firmware_ospsifam/) + by [sumanthbhatt](https://web.archive.org/web/20210116173505/https://fosdem.org/2021/schedule/speaker/sumanthbhatt/) -* [Using OpenSPDM in Firmware as a Foundation for Secure Device Communication](https://fosdem.org/2021/schedule/event/firmware_uoifaaffsdc/) by [Jiewen Yao](https://fosdem.org/2021/schedule/speaker/jiewen_yao/), and [xiaoyuruan](https://fosdem.org/2021/schedule/speaker/xiaoyuruan/) +- [Using OpenSPDM in Firmware as a Foundation for Secure Device Communication](https://fosdem.org/2021/schedule/event/firmware_uoifaaffsdc/) + by [Jiewen Yao](https://fosdem.org/2021/schedule/speaker/jiewen_yao/), and + [xiaoyuruan](https://fosdem.org/2021/schedule/speaker/xiaoyuruan/) ### 3mdeb on FOSDEM 2020 @@ -116,26 +136,47 @@ success. Let's take a small glimpse on what was presented there. The schedule with the full description of the all presented talks you will find [here](https://archive.fosdem.org/2020/schedule/track/open_source_firmware_bmc_and_bootloader/) -* [Open source UEFI and TianoCore](https://www.youtube.com/watch?v=n9XtJkRRvUI) by [Leif Lindholm](https://archive.fosdem.org/2020/schedule/speaker/leif_lindholm/) +- [Open source UEFI and TianoCore](https://www.youtube.com/watch?v=n9XtJkRRvUI) + by + [Leif Lindholm](https://archive.fosdem.org/2020/schedule/speaker/leif_lindholm/) -* [Discover UEFI with U-Boot](https://www.youtube.com/watch?v=PFVP4oQnaEE) by [Heinrich Schuchardt](https://archive.fosdem.org/2020/schedule/speaker/heinrich_schuchardt/) +- [Discover UEFI with U-Boot](https://www.youtube.com/watch?v=PFVP4oQnaEE) by + [Heinrich Schuchardt](https://archive.fosdem.org/2020/schedule/speaker/heinrich_schuchardt/) -* [Heads OEM device ownership/reownership : A tamper evident approach to remote integrity attestation](https://www.youtube.com/watch?v=oline3C-W1g) by [Thierry Laurion](https://archive.fosdem.org/2020/schedule/speaker/thierry_laurion/) +- [Heads OEM device ownership/reownership : A tamper evident approach to remote + integrity attestation](https://www.youtube.com/watch?v=oline3C-W1g) + by + [Thierry Laurion](https://archive.fosdem.org/2020/schedule/speaker/thierry_laurion/) -* [Improving the Security of Edge Computing Services Update status of the support for AMD and Intel processors](https://www.youtube.com/watch?v=8tYZVNz0n7E) by [Daniel Kiper](https://archive.fosdem.org/2020/schedule/speaker/daniel_kiper/) and [Piotr Król](https://archive.fosdem.org/2020/schedule/speaker/piotr_krol/) +- [Improving the Security of Edge Computing Services Update status of the support + for AMD and Intel processors](https://www.youtube.com/watch?v=8tYZVNz0n7E) + by + [Daniel Kiper](https://archive.fosdem.org/2020/schedule/speaker/daniel_kiper/) + and [Piotr Król](https://archive.fosdem.org/2020/schedule/speaker/piotr_krol/) -* [Introducing AUTOREV. An automatic reverse-engineering framework for firmware BLOBs](https://www.youtube.com/watch?v=PzPxpBKa0HU) by [Patrick Rudolph](https://archive.fosdem.org/2020/schedule/speaker/patrick_rudolph/) +- [Introducing AUTOREV. An automatic reverse-engineering framework for firmware BLOBs](https://www.youtube.com/watch?v=PzPxpBKa0HU) + by + [Patrick Rudolph](https://archive.fosdem.org/2020/schedule/speaker/patrick_rudolph/) -* [Look at ME! Intel ME firmware investigation](https://www.youtube.com/watch?v=RPC5f7EJN6U) by [Daniel Maslowski (CyReVolt)](https://archive.fosdem.org/2020/schedule/speaker/daniel_maslowski_cyrevolt/) +- [Look at ME! Intel ME firmware investigation](https://www.youtube.com/watch?v=RPC5f7EJN6U) + by + [Daniel Maslowski (CyReVolt)](https://archive.fosdem.org/2020/schedule/speaker/daniel_maslowski_cyrevolt/) -* [Capsule Update & LVFS: Improving system firmware updates](https://www.youtube.com/watch?v=glsIKTbfoNg) by [Brian Richardson](https://archive.fosdem.org/2020/schedule/speaker/brian_richardson/) +- [Capsule Update & LVFS: Improving system firmware updates](https://www.youtube.com/watch?v=glsIKTbfoNg) + by + [Brian Richardson](https://archive.fosdem.org/2020/schedule/speaker/brian_richardson/) -* [Opening Intel Server firmware based on OpenBMC example](https://www.youtube.com/watch?v=i1FiOexyKTI) by [Maciej Lawniczak](https://archive.fosdem.org/2020/schedule/speaker/maciej_lawniczak/) and [Przemyslaw Czarnowski](https://archive.fosdem.org/2020/schedule/speaker/przemyslaw_czarnowski/) +- [Opening Intel Server firmware based on OpenBMC example](https://www.youtube.com/watch?v=i1FiOexyKTI) + by + [Maciej Lawniczak](https://archive.fosdem.org/2020/schedule/speaker/maciej_lawniczak/) + and + [Przemyslaw Czarnowski](https://archive.fosdem.org/2020/schedule/speaker/przemyslaw_czarnowski/) ## Summary If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2021-02-16-fwupd-compilation-under-freebsd.md b/blog/content/post/2021-02-16-fwupd-compilation-under-freebsd.md index 9f09ac59..f9ec103c 100644 --- a/blog/content/post/2021-02-16-fwupd-compilation-under-freebsd.md +++ b/blog/content/post/2021-02-16-fwupd-compilation-under-freebsd.md @@ -19,59 +19,61 @@ categories: --- -The security of the whole system is not determined only by the software it -runs, but also the firmware. Firmware is a piece of software inseparable -from the hardware. It is responsible for proper hardware initialization as -well as its security features. That means that the safety of the machine -strongly depends on the mitigations of vulnerabilities provided by firmware -(like microcode updates, bug/exploit fixes). For these particular reasons, -the firmware should be kept up-to-date. We want to provide an easy firmware -update method to BSD distributions. - -This is the first blog-post from the fwupd port for the BSD distributions series. -We will present here the current status of our work. In this blog post, I will -show you how to compile and run the fwupd on FreeBSD. Please take into -account that this is heavily in **WIP** state and some fwupd functionalities -do not work correctly. +The security of the whole system is not determined only by the software it runs, +but also the firmware. Firmware is a piece of software inseparable from the +hardware. It is responsible for proper hardware initialization as well as its +security features. That means that the safety of the machine strongly depends on +the mitigations of vulnerabilities provided by firmware (like microcode updates, +bug/exploit fixes). For these particular reasons, the firmware should be kept +up-to-date. We want to provide an easy firmware update method to BSD +distributions. + +This is the first blog-post from the fwupd port for the BSD distributions +series. We will present here the current status of our work. In this blog post, +I will show you how to compile and run the fwupd on FreeBSD. Please take into +account that this is heavily in **WIP** state and some fwupd functionalities do +not work correctly. ## fwupd overall information ![fwupd-arch](https://lvfs.readthedocs.io/en/latest/_images/architecture-plan.png) -The architecture of the fwupd project could be split into three layers. -The internet layer contains the LVFS database and the content delivery network. -This layer provides firmware and the metadata about the possible updates. -The whole update process is managed by fwupdmgr which exists in the session -layer. The firmware update manager is a CLI client tool, that handles the update -process. It takes the role of connector between the LVFS database and a fwupd -daemon. The fwupd daemon is placed in the third layer of the project -architecture. It is a system-activated daemon with a D-Bus interface, -that can be used by unprivileged clients. The daemon allows users -to perform wide upgrades and downgrades according to security policy. - -If you want to know more about how the fwupd works, I encourage you to catch -up my on latest [FOSDEM presentation](https://video.fosdem.org/2021/D.bsd/porting_fwupd_to_the_bsd.webm). -Also, take a look at Artur's [blog post](https://blog.3mdeb.com/2019/2019-07-11-how-to-safely-and-easily-update-your-firmware/). +The architecture of the fwupd project could be split into three layers. The +internet layer contains the LVFS database and the content delivery network. This +layer provides firmware and the metadata about the possible updates. The whole +update process is managed by fwupdmgr which exists in the session layer. The +firmware update manager is a CLI client tool, that handles the update process. +It takes the role of connector between the LVFS database and a fwupd daemon. The +fwupd daemon is placed in the third layer of the project architecture. It is a +system-activated daemon with a D-Bus interface, that can be used by unprivileged +clients. The daemon allows users to perform wide upgrades and downgrades +according to security policy. + +If you want to know more about how the fwupd works, I encourage you to catch up +my on latest +[FOSDEM presentation](https://video.fosdem.org/2021/D.bsd/porting_fwupd_to_the_bsd.webm). +Also, take a look at Artur's +[blog post](https://blog.3mdeb.com/2019/2019-07-11-how-to-safely-and-easily-update-your-firmware/). ## Project configuration -We were using the FreeBSD 12.2 release during the development process. -If you want to follow our results, you can use our +We were using the FreeBSD 12.2 release during the development process. If you +want to follow our results, you can use our [fwupd fork](https://github.com/3mdeb/fwupd/tree/wip/3mdeb/BSD-port). You need to install fwupd dependencies: -``` +```bash # pkg install meson pkgconf libgudev python3 gobject-introspection gtk-doc vala json-glib libarchive gpgme help2man gcab tpm2-tss libelf freetype fontconfig ``` -FreeBSD has its implementation of the libusb library. It lacks several -functions that are used in the fwupd subproject - -[libgusb](https://github.com/hughsie/libgusb). -Currently, to work around the problem, we are disabling the code that uses missing -functions. Change `subprojects/gusb.wrap` subproject config to the following: +FreeBSD has its implementation of the libusb library. It lacks several functions +that are used in the fwupd subproject - +[libgusb](https://github.com/hughsie/libgusb). Currently, to work around the +problem, we are disabling the code that uses missing functions. Change +`subprojects/gusb.wrap` subproject config to the following: -``` +```bash [wrap-git] directory = gusb url = https://github.com/3mdeb/libgusb.git @@ -80,7 +82,7 @@ revision = 69f0dab94cb4255216d15bbcf1021f12b52652a5 After that, you can configure the fwupd project with the following command: -``` +```bash $ meson build -Dplugin_uefi_capsule='false' \ -Dplugin_dell='false' \ -Dplugin_redfish='false' \ @@ -100,7 +102,7 @@ $ meson build -Dplugin_uefi_capsule='false' \ Here is the configuration log: -```log +```bash nkaminski@nkaminski:~/projects/fwupd $ meson build -Dplugin_uefi_capsule='false' -Dplugin_dell='false' -Dplugin_redfish='false' -Dplugin_nvme='false' -Dsystemd='false' -Dtests='false' -Dgudev='false' -Dplugin_amt=false -Dtpm=false -Dplugin_emmc=false -Dplugin_altos=false -Dplugin_thunderbolt=false -Dplugin_synaptics_mst=false -Dpolkit=false -Dbsd=true Version: 0.56.0 Source dir: /usr/home/nkaminski/projects/fwupd @@ -193,7 +195,7 @@ WARNING: Project specifies a minimum meson_version '>=0.47.0' but uses features To compile the project go to build directory and run ninja: -```log +```bash nkaminski@nkaminski:~/projects/fwupd/build $ ninja [24/266] Generating symbol file libfwupd/libfwupd.so.2.0.0.p/libfwupd.so.2.0.0.symbols WARNING: Symbol extracting has not been implemented for this platform. Relinking will always happen on source changes. @@ -203,7 +205,8 @@ g_autoptr(GError) error_polkit = NULL; ^ 1 warning generated. [67/266] Generating Fwupd-2.0.gir with a custom command -g-ir-scanner: link: cc -pthread -o /usr/home/nkaminski/projects/fwupd/build/tmp-introspect44ijw9pe/Fwupd-2.0 /usr/home/nkaminski/projects/fwupd/build/tmp-introspect44ijw9pe/Fwupd-2.0.o -L. -Wl,-rpath,. -Wl,--no-as-needed -L/usr/home/nkaminski/projects/fwupd/build/libfwupd -Wl,-rpath,/usr/home/nkaminski/projects/fwupd/build/libfwupd -L/usr/local/lib -Wl,-rpath,/usr/local/lib -lfwupd -lgio-2.0 -lgobject-2.0 -lglib-2.0 -lintl -lgmodule-2.0 -ljcat -ljson-glib-1.0 -lcurl -lgirepository-1.0 -L/usr/local/lib -lgio-2.0 -lgobject-2.0 -Wl,--export-dynamic -lgmodule-2.0 -pthread -lglib-2.0 -lglib-2.0 -lintl +g-ir-scanner: link: cc -pthread -o /usr/home/nkaminski/projects/fwupd/build/tmp-introspect44ijw9pe/Fwupd-2.0 /usr/home/nkaminski/projects/fwupd/build/tmp-introspect44ijw9pe/Fwupd-2.0.o -L. -Wl,-rpath,. -Wl,--no-as-needed -L/usr/home/nkaminski/projects/fwupd/build/libfwupd -Wl,-rpath,/usr/home/nkaminski/projects/fwupd/build/libfwupd -L/usr/local/lib +-Wl,-rpath,/usr/local/lib -lfwupd -lgio-2.0 -lgobject-2.0 -lglib-2.0 -lintl -lgmodule-2.0 -ljcat -ljson-glib-1.0 -lcurl -lgirepository-1.0 -L/usr/local/lib -lgio-2.0 -lgobject-2.0 -Wl,--export-dynamic -lgmodule-2.0 -pthread -lglib-2.0 -lglib-2.0 -lintl ../libfwupd/fwupd-release.c:1856: Warning: Fwupd: fwupd_release_to_json: argument builder: Unresolved type: 'JsonBuilder*' ../libfwupd/fwupd-device.c:2284: Warning: Fwupd: fwupd_device_to_json: argument builder: Unresolved type: 'JsonBuilder*' ../libfwupd/fwupd-plugin.c:269: Warning: Fwupd: fwupd_plugin_to_json: argument builder: Unresolved type: 'JsonBuilder*' @@ -221,7 +224,9 @@ __attribute__ ((noinline, noclone)) ^ 2 warnings generated. [140/266] Generating FwupdPlugin-1.0.gir with a custom command -g-ir-scanner: link: cc -pthread -o /usr/home/nkaminski/projects/fwupd/build/tmp-introspectuunfvxp_/FwupdPlugin-1.0 /usr/home/nkaminski/projects/fwupd/build/tmp-introspectuunfvxp_/FwupdPlugin-1.0.o -L. -Wl,-rpath,. -Wl,--no-as-needed -L/usr/home/nkaminski/projects/fwupd/build/libfwupdplugin -Wl,-rpath,/usr/home/nkaminski/projects/fwupd/build/libfwupdplugin -L/usr/home/nkaminski/projects/fwupd/build/libfwupd -Wl,-rpath,/usr/home/nkaminski/projects/fwupd/build/libfwupd -L/usr/home/nkaminski/projects/fwupd/build/libfwupdplugin -Wl,-rpath,/usr/home/nkaminski/projects/fwupd/build/libfwupdplugin -L/usr/local/lib -Wl,-rpath,/usr/local/lib -lfwupd -lfwupdplugin -lgio-2.0 -lgobject-2.0 -lglib-2.0 -lintl -lgmodule-2.0 -ljcat -ljson-glib-1.0 -lcurl -lxmlb -lgusb -lusb -lgirepository-1.0 -L/usr/local/lib -lgio-2.0 -lgobject-2.0 -Wl,--export-dynamic -lgmodule-2.0 -pthread -lglib-2.0 -lglib-2.0 -lintl +g-ir-scanner: link: cc -pthread -o /usr/home/nkaminski/projects/fwupd/build/tmp-introspectuunfvxp_/FwupdPlugin-1.0 /usr/home/nkaminski/projects/fwupd/build/tmp-introspectuunfvxp_/FwupdPlugin-1.0.o +-L. -Wl,-rpath,. -Wl,--no-as-needed -L/usr/home/nkaminski/projects/fwupd/build/libfwupdplugin -Wl,-rpath,/usr/home/nkaminski/projects/fwupd/build/libfwupdplugin -L/usr/home/nkaminski/projects/fwupd/build/libfwupd -Wl,-rpath,/usr/home/nkaminski/projects/fwupd/build/libfwupd -L/usr/home/nkaminski/projects/fwupd/build/libfwupdplugin +-Wl,-rpath,/usr/home/nkaminski/projects/fwupd/build/libfwupdplugin -L/usr/local/lib -Wl,-rpath,/usr/local/lib -lfwupd -lfwupdplugin -lgio-2.0 -lgobject-2.0 -lglib-2.0 -lintl -lgmodule-2.0 -ljcat -ljson-glib-1.0 -lcurl -lxmlb -lgusb -lusb -lgirepository-1.0 -L/usr/local/lib -lgio-2.0 -lgobject-2.0 -Wl,--export-dynamic -lgmodule-2.0 -pthread -lglib-2.0 -lglib-2.0 -lintl ../libfwupdplugin/fu-usb-device.h:13: Warning: FwupdPlugin: symbol='GUsbContext': Skipping foreign identifier 'GUsbContext' from namespace GUsb ../libfwupdplugin/fu-usb-device.h:14: Warning: FwupdPlugin: symbol='GUsbDevice': Skipping foreign identifier 'GUsbDevice' from namespace GUsb ../libfwupdplugin/fu-usb-device.h:15: Warning: FwupdPlugin: symbol='G_USB_CHECK_VERSION': Skipping foreign symbol from namespace GUsb @@ -234,24 +239,24 @@ g-ir-scanner: link: cc -pthread -o /usr/home/nkaminski/projects/fwupd/build/tmp- Install the fwupd files with the following command: -``` +```bash # ninja install ``` ## Testing fwupd -As I mentioned earlier, the fwupd uses D-bus daemon to connect with devices. -To enable D-bus in your FreeBSD, you need to add the following option to +As I mentioned earlier, the fwupd uses D-bus daemon to connect with devices. To +enable D-bus in your FreeBSD, you need to add the following option to `/etc/rc.conf`: -``` +```bash dbus_enable="YES" ``` Once it is set up, reboot your OS. The output fwupd binaries are available in the `build/src` directory. At first, run the fwupd daemon: -```log +```bash # ./fwupd -v 10:11:35:0893 FuDebug Verbose debugging enabled (on console 1) 10:11:35:0895 FuConfig loading config values from /usr/local/etc/fwupd/daemon.conf @@ -386,7 +391,7 @@ the fwupd project. ## fwupdmgr get-devices -```log +```bash nkaminski@nkaminski:~/projects/fwupd/build/src $ ./fwupdmgr get-devices WARNING: This package has not been validated, it may not work properly. Unknown Product @@ -408,7 +413,7 @@ Unknown Product ## fwupdmgr --version -```log +```bash nkaminski@nkaminski:~/projects/fwupd/build/src $ ./fwupdmgr --version client version: 1.5.5-175-gd6c2fee8 compile-time dependency versions @@ -418,7 +423,7 @@ daemon version: 1.5.5-175-gd6c2fee8 ## fwupdmgr get-updates -```log +```bash nkaminski@nkaminski:~/projects/fwupd/build/src $ ./fwupdmgr get-updates WARNING: This package has not been validated, it may not work properly. Unknown Product @@ -455,6 +460,6 @@ Unknown Product ## Summary -If you have any questions, suggestions, or ideas, feel free to share them in -the comment section. If you are interested in similar content, I encourage you -to [sign up for our newsletter](http://eepurl.com/doF8GX). +If you have any questions, suggestions, or ideas, feel free to share them in the +comment section. If you are interested in similar content, I encourage you to +[sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2021-02-18-testing.md b/blog/content/post/2021-02-18-testing.md index 8e2bed70..613b8865 100644 --- a/blog/content/post/2021-02-18-testing.md +++ b/blog/content/post/2021-02-18-testing.md @@ -37,7 +37,6 @@ thinking about the problem, where scripts perform the tests without human participation. And let's be clear – such investment into writing comes with many further benefits. - #### 3mdeb validation approach How are manual tests different from automated tests? Manual testing is based on @@ -80,7 +79,6 @@ execution. Sounds interesting? Try [rte](https://blog.3mdeb.com/tags/rte/) tag on our blog. You can also check it in our [shop](https://3mdeb.com/shop/open-source-hardware/open-source-hardware-3mdeb/rte/). - ![RTA](/img/RTA.png) An automated testing infrastructure can be paired with constant integration and @@ -126,11 +124,11 @@ Validation soon. ![testing_chart](/img/test3.png) - ## Summary If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to . If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to . If you are interested in similar content +feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2021-02-23-OSF_vPub_01.md b/blog/content/post/2021-02-23-OSF_vPub_01.md index ad73707d..e24cfc0e 100644 --- a/blog/content/post/2021-02-23-OSF_vPub_01.md +++ b/blog/content/post/2021-02-23-OSF_vPub_01.md @@ -24,28 +24,32 @@ categories: Our meeting has been attended by ~50 firmware masters from all over the world! Together with our prominent 3mdeb hosts - Piotr Król and Michał Żygowski - it -was an honour to be visited by such rockstars as Thierry Laurion from [Insurgo][1], -Tom Hiller aka Thrilleratplay, Daniel Maslowski aka CyReVolt, Piotr Kubaj, -Andrew Cooper, Felix Singer, David Hendricks, and many others whom I forgot to -mention (sorry!) - or who preferred to stay anonymous and participate via chat. +was an honour to be visited by such rockstars as Thierry Laurion from +[Insurgo][1], Tom Hiller aka Thrilleratplay, Daniel Maslowski aka CyReVolt, +Piotr Kubaj, Andrew Cooper, Felix Singer, David Hendricks, and many others whom +I forgot to mention (sorry!) - or who preferred to stay anonymous and +participate via chat. We've also had some surprise guests: despite being the relative newcomers to our cosy community, they have managed to ignite quite an interesting discussion! -Alexey Vazhnov [described][2] how tricky could it be to get merged the coreboot docs, -and we've thought about how to improve this workflow & make this process easier. +Alexey Vazhnov [described][2] how tricky could it be to get merged the coreboot +docs, and we've thought about how to improve this workflow & make this process +easier. -In addition to the fresh coreboot forks like heads & oreboot and [new nice GUIs][3], -we've tried to figure out how to promote the coreboot for its official support -by the PC manufacturers - at least for those with new AMD-based motherboards! -And now we know, how we can - even if not "bring a coreboot to every house" - -but to significantly spread its' popularity by wisely doing our joint activism. +In addition to the fresh coreboot forks like heads & oreboot and +[new nice GUIs][3], we've tried to figure out how to promote the coreboot for +its official support by the PC manufacturers - at least for those with new +AMD-based motherboards! And now we know, how we can - even if not "bring a +coreboot to every house" - but to significantly spread its' popularity by wisely +doing our joint activism. Also, we've talked a lot about the open hardware: for example, two attractive -boards from Crowdsupply - [ULX3S][4] and [Qomu][5] - have a small FPGA for which an -opensource toolchain is available. Also, we've explored the firmware freedom in -a "world without x86", [Talos II][6] workstation with a CPU(s) of POWER9 arch, could -POWER10 become as libre as POWER9 regarding the firmware - or would suffer from -the extra binary blob [for D-DIMM RAM support][7] created by Synopsys, and much more! +boards from Crowdsupply - [ULX3S][4] and [Qomu][5] - have a small FPGA for which +an opensource toolchain is available. Also, we've explored the firmware freedom +in a "world without x86", [Talos II][6] workstation with a CPU(s) of POWER9 +arch, could POWER10 become as libre as POWER9 regarding the firmware - or would +suffer from the extra binary blob [for D-DIMM RAM support][7] created by +Synopsis, and much more! Someone indeed brought a real beer! - although, for others, a cup of tea was enough. Our meeting was such interesting and exciting we haven't noticed how @@ -53,14 +57,15 @@ almost 12 hours have passed - "party till the morning!" However, we started getting sleepy - so decided to have a 2nd vPub the next quarter. You're welcome! If you are interested in those topics, feel free to reach us out by writing to - and [sign up to our newsletter][8]. If you would like a live chat, -write to @mikebdp2 on Wire messenger - and I will add you to our OSF vPub group. + and [sign up to our newsletter][8]. If you would like a live +chat, write to @mikebdp2 on Wire messenger - and I will add you to our OSF vPub +group. - [1]: https://insurgo.ca/ - [2]: https://www.reddit.com/r/coreboot/comments/lm7jh8/my_pain_with_documentation_contribution_in/ - [3]: https://asciinema.org/a/374013?cols=101 - [4]: https://www.crowdsupply.com/radiona/ulx3s - [5]: https://www.crowdsupply.com/quicklogic/qomu - [6]: https://www.raptorcs.com/TALOSII/ - [7]: https://www.devever.net/~hl/omi - [8]: https://eepurl.com/doF8GX +[1]: https://insurgo.ca/ +[2]: https://www.reddit.com/r/coreboot/comments/lm7jh8/my_pain_with_documentation_contribution_in/ +[3]: https://asciinema.org/a/374013?cols=101 +[4]: https://www.crowdsupply.com/radiona/ulx3s +[5]: https://www.crowdsupply.com/quicklogic/qomu +[6]: https://www.raptorcs.com/TALOSII/ +[7]: https://www.devever.net/~hl/omi +[8]: https://newsletter.3mdeb.com/subscription/PW6XnCeK6 diff --git a/blog/content/post/2021-03-12-SW_attack.md b/blog/content/post/2021-03-12-SW_attack.md index f4fb7423..ced5c4d3 100644 --- a/blog/content/post/2021-03-12-SW_attack.md +++ b/blog/content/post/2021-03-12-SW_attack.md @@ -94,15 +94,15 @@ high-profile attack on SolarWinds and Mebromi rootkit make several things clear: - even the most secure government agencies can become victims of cyberattacks, - unsecured supply chains are be vulnerable to attacks, - the attackers avoid targeting governments or organizations directly. Their -target is set on victims' platforms to gather information and data while staying -unnoticed for a long period. + target is set on victims' platforms to gather information and data while + staying unnoticed for a long period. - Access to some security systems in the organization's infrastructure may be -caused by the takeover of a particular identity certificate by attackers, -allowing forging other identification and other data in the system. -- On account of the extensible nature of the modern UEFI, malicious module can be -added to the existing firmware and be delivered to the target PC via access into -the company's internal network (using vulnerabilities at other PC's UEFI -network-related components) or through access to a select PC. + caused by the takeover of a particular identity certificate by attackers, + allowing forging other identification and other data in the system. +- On account of the extensible nature of the modern UEFI, malicious module can + be added to the existing firmware and be delivered to the target PC via access + into the company's internal network (using vulnerabilities at other PC's UEFI + network-related components) or through access to a select PC. In the next blog post I will cover reasons of the supply chain attacks and the list of necessary steps that may help us to protect our firmware against @@ -112,6 +112,7 @@ cybercrime. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2021-03-15-fwupd-bsd-packages-and-ci.md b/blog/content/post/2021-03-15-fwupd-bsd-packages-and-ci.md index fb9f8ba4..a8c90da4 100644 --- a/blog/content/post/2021-03-15-fwupd-bsd-packages-and-ci.md +++ b/blog/content/post/2021-03-15-fwupd-bsd-packages-and-ci.md @@ -21,89 +21,88 @@ categories: - Firmware --- -If you haven’t read previous blog posts from the fwupd for the BSD series, -I strongly encourage you to catch up on them. The best way is to search under -the [fwupd-for-BSD tag](https://blog.3mdeb.com/tags/fwupd-for-bsd/). -In this blog post, we will present how to build packages for FreeBSD, DragonFlyBSD, -NetBSD, and OpenBSD. Also, we will show you how to create CI for FreeBSD -distribution with the use of GitHub action. -Our first attempt was to create a universal package, that will be buildable on -each BSD distribution. Differences between BSD distributions make us -give up this idea. We decided to adjust the fwupd port to each distribution. -We achieved that goal, but you have to remember that is the early WIP stage, -and only basic functionalities works (get-plugins, get-version, get-devices). -So let's take a look at the FreeBSD package manager. - -# Providing package for FreeBSD + +If you haven’t read previous blog posts from the fwupd for the BSD series, I +strongly encourage you to catch up on them. The best way is to search under the +[fwupd-for-BSD tag](https://blog.3mdeb.com/tags/fwupd-for-bsd/). In this blog +post, we will present how to build packages for FreeBSD, DragonFlyBSD, NetBSD, +and OpenBSD. Also, we will show you how to create CI for FreeBSD distribution +with the use of GitHub action. Our first attempt was to create a universal +package, that will be buildable on each BSD distribution. Differences between +BSD distributions make us give up this idea. We decided to adjust the fwupd port +to each distribution. We achieved that goal, but you have to remember that is +the early WIP stage, and only basic functionalities works (get-plugins, +get-version, get-devices). So let's take a look at the FreeBSD package manager. + +## Providing package for FreeBSD The FreeBSD ports are based on pkg, which is a package management tool. It is used to manage local packages installed from ports and install/upgrade packages -from remote repositories. For debugging reasons, it is important to -use repository *Latest*, instead of *Quarterly*. To swap the remote repository -copy the `/etc/pkg/FreeBSD.conf` to `/usr/local/etc/pkg/repos/FreeBSD.conf`, -and change the repo URL to: +from remote repositories. For debugging reasons, it is important to use +repository _Latest_, instead of _Quarterly_. To swap the remote repository copy +the `/etc/pkg/FreeBSD.conf` to `/usr/local/etc/pkg/repos/FreeBSD.conf`, and +change the repo URL to: -``` +```bash url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest", ``` -Now you have to fetch the port sources. Go to the `/usr` directory and clone -our freebsd-ports fork: +Now you have to fetch the port sources. Go to the `/usr` directory and clone our +freebsd-ports fork: -``` -# git clone git@github.com:3mdeb/freebsd-ports.git -b fwupd-port ports +```bash +## git clone git@github.com:3mdeb/freebsd-ports.git -b fwupd-port ports ``` The one thing you have to do before building the package is updating the `libtasn1` library. The 4.16.0 version of this library is built with `-02` optimization flag. Because of that it has broken certificate parse -functionality. The 4.16.0_1 version of this library is built with `-01` -clang flag optimization with fixes the problem: +functionality. The 4.16.0_1 version of this library is built with `-01` clang +flag optimization with fixes the problem: -``` -# pkg upgrade libtasn1 +```bash +## pkg upgrade libtasn1 ``` Now it's time to build and install fwupd package. Change directory to `/usr/ports/sysutils/fwupd`: -``` -$ cd /usr/ports/sysutils/fwupd +```bash +cd /usr/ports/sysutils/fwupd ``` Now you if you want, you can manually install dependencies: -``` +```bash pkg install glib meson pkgconf gobject-introspection vala gtk-doc json-glib gpgme gnutls sqlite3 curl gcab libarchive ``` -Or you can skip the previous step and build everything from the source. -It could take a couple of hours depending on your hardware configuration. -Finally, you can build and install the fwupd package: +Or you can skip the previous step and build everything from the source. It could +take a couple of hours depending on your hardware configuration. Finally, you +can build and install the fwupd package: -``` -# make install +```bash +## make install ``` If you want to test your fwupd package, you have to enable D-Bus. You can achieve that by setting: -``` +```bash dbus_enable="YES" ``` in the `/etc/rc.conf`. To apply the configuration you need to reboot the system. The second option is to run the D-Bus service: -``` -# service dbus onestart +```bash +## service dbus onestart ``` -Now you can run fwupd daemon and test basic functionalities. -The build logs are similar for each system and were presented in the previous -blog. +Now you can run fwupd daemon and test basic functionalities. The build logs are +similar for each system and were presented in the previous blog. -# Providing fwupd support for DragonFlyBSD and building package +## Providing fwupd support for DragonFlyBSD and building package DragonFlyBSD ports are based on the FreeBSD pkg. The most challenging part was setting up the operating system for ports compilation. I agree with DPort @@ -112,40 +111,40 @@ encouraged. It is suggested to use the official pre-built binaries instead.* So in the first part of this chapter, I will show you how to set up your DragonFly to build the DPort packages. There are two main problems with that. -The first problem is connected to the `sh` version. The older version of `sh` -is not able to set the pipefail option. To check if your DragonFly is capable -to do that, run the following command: +The first problem is connected to the `sh` version. The older version of `sh` is +not able to set the pipefail option. To check if your DragonFly is capable to do +that, run the following command: -``` -# sh -c 'set -o pipefail' +```bash +## sh -c 'set -o pipefail' ``` If it ends with 0 status you are a lucky guy. If it is not, you need a couple of hours to update your `sh` from the system source. At first, go to `/usr` directory and download `src`: -``` -# make src +```bash +## make src ``` Then go to `/usr/src` and build all userland programs: -``` -# make buildworld +```bash +## make buildworld ``` Now you can take your time and drink some coffee (it will take a bunch of hours). Once it is done you can install the programs: -``` -# make installworld +```bash +## make installworld ``` -Reboot your system and check if you can set properly the pipefail option. -The second problem is pkg upgrade. Once it is upgraded from 1.14.x to 1.16.x, -you'll get the following error: +Reboot your system and check if you can set properly the pipefail option. The +second problem is pkg upgrade. Once it is upgraded from 1.14.x to 1.16.x, you'll +get the following error: -``` +```bash pkg: Failed to execute lua script: [string "-- args: etc/pkg.conf.sample..."]:12: attempt to call a nil value (field 'stat') @@ -155,88 +154,87 @@ No active remote repositories configured. To fix the pkg remote simply copy the sample mirror config file over: -``` -# cp /usr/local/etc/pkg/repos/df-latest.conf.sample \ +```bash +## cp /usr/local/etc/pkg/repos/df-latest.conf.sample \ /usr/local/etc/pkg/repos/df-latest.conf ``` And now you are ready to build the package. At first move to `/usr` directory and fetch the source: -``` -# git clone git@github.com:3mdeb/DPorts.git -b fwupd-port +```bash +## git clone git@github.com:3mdeb/DPorts.git -b fwupd-port ``` Then go to `/usr/dports/sysutils/fwupd` and install the package: -``` +```bash make install ``` Run D-Bus: -``` -# service dbus onestart +```bash +## service dbus onestart ``` And now you can test basic functionalities. -# Providing fwupd support for NetBSD +## Providing fwupd support for NetBSD NetBSD package is based on pkgsrc and it was forked from the FreeBSD ports collection in 1997. It mainly supports the NetBSD distribution but some ports are buildable on different BSD distros. Our first thought was to create the -pkgsrc port, that would run on every BSD distro, but because the dependencies -do not build properly on DragonFly and OpenBSD, we have decided to create -four not so different ports for every distro. +pkgsrc port, that would run on every BSD distro, but because the dependencies do +not build properly on DragonFly and OpenBSD, we have decided to create four not +so different ports for every distro. Like before, go to the `/usr` directory and fetch the pkgsrc: -``` +```bash git clone git@github.com:NetBSD/pkgsrc.git ``` Run the bootstrap in the `/usr/pkgsrc/bootstrap`: -``` +```bash ./bootstrap ``` Go back to the `/usr/pkgsrc` and clone wip pkgs. -``` +```bash git clone git@github.com:3mdeb/pkgsrc-wip.git -b fwupd-wip wip ``` Now move to the `/usr/pkgsrc/wip/fwupd` and install the package: -``` +```bash /usr/pkg/bin/bmake install ``` -It will build and install fwupd and its dependencies. Once it's done -run D-Bus: +It will build and install fwupd and its dependencies. Once it's done run D-Bus: -``` +```bash service dbus start ``` And now you can check basic functionalities. -# Providing fwupd support for OpenBSD +## Providing fwupd support for OpenBSD -The OpenBSD pkg_* utilities are written by Marc Espie and OpenBSD ports are +The OpenBSD pkg\_\* utilities are written by Marc Espie and OpenBSD ports are based on the separate port tree. At first go to `/usr` directory and fetch the ports source: -``` +```bash git clone git@github.com:3mdeb/ports.git -b fwupd-port ports ``` Set up the `/etc/mk.conf`: -``` +```bash WRKOBJDIR=/usr/obj/ports DISTDIR=/usr/distfiles PACKAGE_REPOSITORY=/usr/packages @@ -244,7 +242,7 @@ PACKAGE_REPOSITORY=/usr/packages You can install manually dependencies to save your time. -``` +```bash pkg_add pkgconf pkgconf intltool pkgconf vala gettext-tools \ gobject-introspection gtk-doc glib2 json-glib gpgme gnutls \ sqlite3 curl gcab libarchive libgpg-error libusb-compat dbus @@ -252,75 +250,74 @@ pkg_add pkgconf pkgconf intltool pkgconf vala gettext-tools \ Go to the `/usr/ports/sysutils/fwupd` and build and install the package: -``` +```bash make install ``` Run D-Bus: -``` +```bash /etc/rc.d/messagebus start ``` Now you can test basic functionalities. -# Conclusions about BSD package systems +## Conclusions about BSD package systems The BSD port managers are pretty similar, but each distro comes up with its own idea of how to solve the problem of the ports. The main difference which -generates the biggest number of problems was libusb which differs -from distro to distro. +generates the biggest number of problems was libusb which differs from distro to +distro. -# Continuous Integration for FreeBSD package +## Continuous Integration for FreeBSD package -Running CI/CD scripts on FreeBSD is not the most common DevOps tasks, that's -why we were lucky to find out that Github Actions already had a way to run -something in FreeBSD without setting up your own local runner. It was also -already used by fwupd upstream for performing build on multiple distros, -fuzzing and verifying ABI. +Running CI/CD scripts on FreeBSD is not the most common DevOps tasks, that's why +we were lucky to find out that Github Actions already had a way to run something +in FreeBSD without setting up your own local runner. It was also already used by +fwupd upstream for performing build on multiple distros, fuzzing and verifying +ABI. However, the way in which we are able to use this FreeBSD on a shared runner is very interesting. We used [vmactions/freebsd-vm](https://github.com/vmactions/freebsd-vm) which itself is -based on MacOS shared runner which is the OS chosen in CI code. MacOS is used -here to start virtualbox in which FreeBSD machine is running. The commands we +based on MacOS shared runner which is the OS chosen in CI code. MacOS is used +here to start virtualbox in which FreeBSD machine is running. The commands we specify for the continuous integration script are executed through SSH and then -the resulting output files are rsync'ed back to MacOS runner. Even though it's +the resulting output files are rsync'ed back to MacOS runner. Even though it's based on workarounds it performs it task ok. MacOS runners have 3 CPU cores and 14GB of RAM which is the best spec available for the shared GA runners. This is enough to build fwupd itself from ports in acceptable amount of time, however trying to build it with all the dependencies using pkgsrc would take ages. Lucky thing about this runner is that it's free -for Open Source projects. For private repositories it costs 10 times as much -per minute as Linux runner and virtualbox itself takes few minutes to get -running. +for Open Source projects. For private repositories it costs 10 times as much per +minute as Linux runner and virtualbox itself takes few minutes to get running. As opposed to pkgsrc based build which we tried to implement in the CI before ports based build uses dependencies from binary packages available from `pkg` and there is no need to build or manually cache dependencies. Next thing we needed to do was obtain the up-to-date ports sources with fwupd. As a temporary -workaround, until fwupd will be available in the freebsd ports upstream we -clone our fork and use it as a base to build the package. The Makefile is made -for the tagged release version, so there is a slight complication. To get past -it we needed to `sed` through the file setting github related parameters -accordingly with the branch from which CI was started. +workaround, until fwupd will be available in the freebsd ports upstream we clone +our fork and use it as a base to build the package. The Makefile is made for the +tagged release version, so there is a slight complication. To get past it we +needed to `sed` through the file setting github related parameters accordingly +with the branch from which CI was started. -# References +## References -* FreeBSD port: https://github.com/3mdeb/freebsd-ports/pull/1 -* OpenBSD port: https://github.com/3mdeb/ports/pull/1 -* NetBSD port: https://github.com/3mdeb/pkgsrc-wip/pull/1 -* DragonflyBSD port: https://github.com/3mdeb/DPorts/pull/1 -* fwupd upstream PR: https://github.com/fwupd/fwupd/pull/2874 -* Continuous integration PR: https://github.com/fwupd/fwupd/pull/3031 -* Successful CI job: https://www.youtube.com/watch?v=-j20jQ_hpzo +- FreeBSD port: +- OpenBSD port: +- NetBSD port: +- DragonflyBSD port: +- fwupd upstream PR: +- Continuous integration PR: +- Successful CI job: -Note that the ports will change after the merge of fwupd upstream PR. -After that, we will start the upstream to the official CVS of each distro. +Note that the ports will change after the merge of fwupd upstream PR. After +that, we will start the upstream to the official CVS of each distro. ## Summary -If you have any questions, suggestions, or ideas, feel free to share them in -the comment section. If you are interested in similar content, I encourage you -to [sign up for our newsletter](http://eepurl.com/doF8GX). +If you have any questions, suggestions, or ideas, feel free to share them in the +comment section. If you are interested in similar content, I encourage you to +[sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2021-03-25-SW_attack2.md b/blog/content/post/2021-03-25-SW_attack2.md index 17d51abe..4c900e14 100644 --- a/blog/content/post/2021-03-25-SW_attack2.md +++ b/blog/content/post/2021-03-25-SW_attack2.md @@ -52,14 +52,14 @@ intended and nothing suspicious has been added. The necessary steps and good practice that may help you to protect your organization against cybercrime: -- **Raise cybersecurity awareness** - every employee must be aware of how they play - a part in keeping their organizations safe. If there are any changes to +- **Raise cybersecurity awareness** - every employee must be aware of how they + play a part in keeping their organizations safe. If there are any changes to platforms, processes, or procedures, they must consider and communicate the impact on their digital and cyber exposure. -- **Backup your information** - have your primary systems protected and backed up. - Apply the same defenses to your secondary data sources. Consider your entire - digital footprint and put protection around everything. +- **Backup your information** - have your primary systems protected and backed + up. Apply the same defenses to your secondary data sources. Consider your + entire digital footprint and put protection around everything. - **Secure your social media accounts** - ensure that social media policies, procedures, and defenses are in place. @@ -82,9 +82,9 @@ organization against cybercrime: debugging, flashing firmware, controlling GPIOs, and Device Under Test's power management. -- **Take care of your platform's stability and security** - use the products that - help provide scalable, modular, easy to combine Open Source BIOS, UEFI, and - Firmware solutions, ex. [Dasharo](https://dasharo.com/). +- **Take care of your platform's stability and security** - use the products + that help provide scalable, modular, easy to combine Open Source BIOS, UEFI, + and Firmware solutions, ex. [Dasharo](https://dasharo.com/). - **Update your operating systems** - statistics and facts show that outdated systems are a weakness that cybercriminals will exploit. @@ -103,9 +103,9 @@ organization against cybercrime: - **Try the benefits of coreboot** - since it's much smaller than a proprietary UEFI, coreboot has a smaller attack surface by default. -- **Base your cryptography on PGP.** The best way to completely protect your keys is - to move them to a specialized hardware device capable of smartcard operations. - Encrypting the firmware in transit ensures your integrity. +- **Base your cryptography on PGP.** The best way to completely protect your + keys is to move them to a specialized hardware device capable of smartcard + operations. Encrypting the firmware in transit ensures your integrity. Recent study found that 67% of companies reported that the organization's security has decreased because of the inability to control risks created by the @@ -146,7 +146,7 @@ and spread the knowledge to you for your security. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with -us](https://calendly.com/3mdeb/consulting-remote-meeting) or drop us email to -`contact3mdebcom`. If you are interested in similar content feel free -to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2021-04-14-OSFC-2020-part2.md b/blog/content/post/2021-04-14-OSFC-2020-part2.md index 7a702b0d..80bb9844 100644 --- a/blog/content/post/2021-04-14-OSFC-2020-part2.md +++ b/blog/content/post/2021-04-14-OSFC-2020-part2.md @@ -17,6 +17,7 @@ categories: - Firmware --- + ### Day 2 ## Intro @@ -26,82 +27,80 @@ In previous post we have presented some thoughts that evolved during the OSFC because this post is a continuation of our shares around day 2 and 3. Remember, presented descriptions are only our humble opinion, not official statements of presenters. To watch the full video and get your own opinion, click the chosen -title. +title. -* [Marvell Octeon TX2 CN913x fully open source - firmware](https://vimeo.com/488149573) by [Marcin - Wojtas](https://cfp.osfc.io/osfc2020/speaker/UY88NG/) +- [Marvell Octeon TX2 CN913x fully open source firmware](https://vimeo.com/488149573) + by [Marcin Wojtas](https://cfp.osfc.io/osfc2020/speaker/UY88NG/) Marcin explained how to port edk2 for Armada8k allowed for being adapted on new platforms and presented firmware development goals for high-end ARM-based hardware (SBSA/SBBR, SystemReady ES), as it provides a sufficient interface to boot most operating systems (Fedora, Debian, Centos, FreeBSD, OpenBSD and VMware). During the discussion after the presentation, we realized that boards -based on Marvel Armada 8k like [SolidRun ClearFog -8k](https://www.solid-run.com/embedded-networking/marvell-armada-family/clearfog-gt-8k/) +based on Marvel Armada 8k like +[SolidRun ClearFog 8k](https://web.archive.org/web/20220626044743/https://www.solid-run.com/embedded-networking/marvell-armada-family/clearfog-gt-8k/) or [Marvell MACCHIATObin](http://macchiatobin.net/) are S-CRTM (aka Secure Boot aka Verified Boot) capable. In 2021 we definitely want to look more into that. -FOSDEM 2021 talk from Maciej can be a good excuse ["Overview of Secure Boot -state in the ARM-based -SoCs"](https://fosdem.org/2021/schedule/event/tee_arm_secboot/) +FOSDEM 2021 talk from Maciej can be a good excuse +["Overview of Secure Boot state in the ARM-based SoCs"](https://fosdem.org/2021/schedule/event/tee_arm_secboot/) -* [An open-source SPDM implementation for secure device - communication](https://vimeo.com/488130792) by [Jiewen - Yao](https://cfp.osfc.io/osfc2020/speaker/YMDVAF/), [Xiaoyu - Ruan](https://cfp.osfc.io/osfc2020/speaker/RPMDGJ/) +- [An open-source SPDM implementation for secure device communication](https://vimeo.com/488130792) + by [Jiewen Yao](https://cfp.osfc.io/osfc2020/speaker/YMDVAF/), + [Xiaoyu Ruan](https://cfp.osfc.io/osfc2020/speaker/RPMDGJ/) Interesting talk about Security Protocol and Data Model standard (1.0 and 1.1) and openspdm with it's design and specification. Explicitly presented communication between Requester and Responder, Transport Layer Binding, and features, finished with demo covering init connection, challeng/auth, session creation and secured message. We recognize SPDM as an important part of Platform -Firmware Resiliency as described in [NIST 800-193](TBD). We would love to dive -deeper, but the tight schedule keeps us away from this technology. Maybe 2021 -can bring commercial projects related to that matter. +Firmware Resiliency as described in [NIST 800-193](https://csrc.nist.gov/pubs/sp/800/193/final). +We would love to dive deeper, but the tight schedule keeps us away from this +technology. Maybe 2021 can bring commercial projects related to that matter. -* [POWER9 support in coreboot](https://vimeo.com/488133382) by [Michał - Żygowski](https://twitter.com/_miczyg_) and [Piotr - Król](https://twitter.com/pietrushnic) +- [POWER9 support in coreboot](https://vimeo.com/488133382) by + [Michał Żygowski](https://twitter.com/_miczyg_) and + [Piotr Król](https://twitter.com/pietrushnic) The talk proudly held by our team. It described the plans of porting the POWER9 architecture to coreboot along with Talos II and Talos II Lite machines. We also presented details of coreboot port for POWER9 will covering hostboot, skiboot and petitboot and how they fit into coreboot firmware model. We have briefly described use cases, the project's development roadmap, the next steps within -[Dasharo](dasharo.com) project, seamless integration of Intel FSP or AMD AGESA -with UEFI-compliant and legacy OS interface. +[Dasharo](https://dasharo.com) project, seamless integration of Intel FSP or AMD +AGESA with UEFI-compliant and legacy OS interface. [Contributions](https://opensource.3mdeb.com/projects/coreboot.html). For those who want to dive deeper, or join the forces we hold a community call every 2 weeks about port progress and publish minutes [here](https://pad.riseup.net/p/r.bf2bf1fac6cac16bc23e38b77a5ac7eb). -* [Trusted Execution Environment on OpenBMC](https://vimeo.com/488146312) by - [Vernon Mauery](https://twitter.com/vmauery), [Zhikui - Ren](https://cfp.osfc.io/osfc2020/speaker/SVSWZA/) +- [Trusted Execution Environment on OpenBMC](https://vimeo.com/488146312) by + [Vernon Mauery](https://twitter.com/vmauery), + [Zhikui Ren](https://cfp.osfc.io/osfc2020/speaker/SVSWZA/) BMC firmware for Intel. Interested improvements for ipmi password, ARM security (TEE) for protecting the password, and initial secret and safe/trusted execution environment. Widely discussed hardware requirements, boot requirements, and other prerequisites that are necessary for secure storage on the BMC. Presenters showed also planned improvements and the next steps of the development. 3mdeb, -despite being proficient in Yocto, as the official [Yocto -Participants](https://www.yoctoproject.org/ecosystem/participants/) have a hard -time to enter BMC development. Maybe OpenPOWER or some Dasharo Server projects -will bring our Embedded Linux expertise to the OSF world. +despite being proficient in Yocto, as the official +[Yocto Participants](https://www.yoctoproject.org/ecosystem/participants/) have +a hard time to enter BMC development. Maybe OpenPOWER or some Dasharo Server +projects will bring our Embedded Linux expertise to the OSF world. -* [AMD's Journey towards Open Source OpenBMC firmware](https://vimeo.com/488132697) +- [AMD's Journey towards Open Source OpenBMC firmware](https://vimeo.com/488132697) by [Supreeth Venkatesh](https://cfp.osfc.io/osfc2020/speaker/RSCYCX/) The talk went through the main features implemented in meta-amd for OpenBMC, enabling it on AMD customer reference boards and upstream support for AMD system interfaces. Very detailed and exciting journey. Kudos to [AMD](https://www.amd.com/en) for your work. Definitely worth to mention at -FOSDEM 2021 ["Open Source Firmware status on AMD platforms -2021"](https://fosdem.org/2021/schedule/event/firmware_osfsoap2/) talk. +FOSDEM 2021 +["Open Source Firmware status on AMD platforms 2021"](https://fosdem.org/2021/schedule/event/firmware_osfsoap2/) +talk. -* [Introducing open firmware development model for the Programmable Service - Engine's in Intel Atom x6000E Series](https://vimeo.com/488148045) by [Loo - Tung Lun](https://cfp.osfc.io/osfc2020/speaker/8DGVWR/) +- [Introducing open firmware development model for the Programmable Service + Engine's in Intel Atom x6000E Series](https://vimeo.com/488148045) + by [Loo Tung Lun](https://cfp.osfc.io/osfc2020/speaker/8DGVWR/) Session described Internal CPU based on ARM Cortex M7 core, introduced in Elkhart Lake. Mentioned iotg-fbu to support PSE development. Overall, the @@ -113,9 +112,9 @@ weird processing unit as part of our platform. From a business point, feature can be beneficial for various embedded use cases, where remote access is huge problem. -* [Open Source firmware testing with ConTest](https://vimeo.com/488148599) by - [Christian Walter](https://twitter.com/nablahero), [Andrea - Barberio](@insomniacslk) +- [Open Source firmware testing with ConTest](https://vimeo.com/488148599) by + [Christian Walter](https://twitter.com/nablahero), + [Andrea Barberio](https://twitter.com/insomniacslk) The presenters described ConTest - a modular framework aimed at automating system testing workflows and building board-specific testing infrastructure on @@ -124,12 +123,12 @@ presenting ConTest as a major framework for OCP (Scenario OCP Deltalake). What is very important about this presentation that it tries to highlight the effort of creating a validation framework and services for OSF community. 3mdeb will definitely take part in that especially that we have long-standing (5+ years) of -experience with firmware validation, which we productize as part of [Dasharo -Compatibility module](https://dasharo.com/pages/learn.html). Kudos for sharing! - +experience with firmware validation, which we productize as part of +[Dasharo Compatibility module](https://dasharo.com/pages/learn/). Kudos for +sharing! -* [pure open source on an AMD Zen](https://vimeo.com/488147337) by [Ronald g. - Minnich](https://twitter.com/coreboot) +- [pure open source on an AMD Zen](https://vimeo.com/488147337) by + [Ronald g. Minnich](https://twitter.com/coreboot) Very Rust talk dedicated to the project X aimed at existing binary blobs from the x86 part of Zen CPUs. Ron presented oreboot on the AMD Fam17h. He discussed @@ -139,17 +138,19 @@ installable, redistributable firmware, the approaches to it, and the next steps. Some of the key points of that are: 1. Not everyone can get/borrow AMD EPYC CRB -2. There are some hw platforms on market, but are those without vendor lock-in? -3. Also expensive for OSF vendor without justified business -4. Code initializes minimal set of low-speed interfaces to boot Linux -5. To fully utilize platform using OSF there is way more work, which probably +1. There are some hw platforms on market, but are those without vendor lock-in? +1. Also expensive for OSF vendor without justified business +1. Code initializes minimal set of low-speed interfaces to boot Linux +1. To fully utilize platform using OSF there is way more work, which probably would be hard to do without correct™ coordination -More information can be found in the [FOSDEM'21 3mdeb's presentation](https://fosdem.org/2021/schedule/event/firmware_osfsoap2/attachments/slides/4669/export/events/attachments/firmware_osfsoap2/slides/4669/Open_Source_Firmware_status_on_AMD_platforms_2021.pdf) -and [Reddit post](https://www.reddit.com/r/Amd/comments/kfqni7/osfc_2020_open_source_firmware_conference_pure/ggmqd8j/?utm_source=share&utm_medium=web2x&context=3). +More information can be found in the +[FOSDEM'21 3mdeb's presentation](https://fosdem.org/2021/schedule/event/firmware_osfsoap2/attachments/slides/4669/export/events/attachments/firmware_osfsoap2/slides/4669/Open_Source_Firmware_status_on_AMD_platforms_2021.pdf) +and +[Reddit post](https://www.reddit.com/r/Amd/comments/kfqni7/osfc_2020_open_source_firmware_conference_pure/ggmqd8j/?utm_source=share&utm_medium=web2x&context=3). -* [Linuxboot on HPE platform where do we stand](https://vimeo.com/488143135) by - [Jean-Marie Verdun](https://twitter.com/@vejmarie) +- [Linuxboot on HPE platform where do we stand](https://vimeo.com/488143135) by + [Jean-Marie Verdun](https://twitter.com/vejmarie) The important status of the project that aims at porting LinuxBoot on HPE platforms. A brief description of a live demo with the approached challenges, @@ -157,9 +158,9 @@ proof of concept, and next steps. What seems to be interesting HPE seems to provide LinuxBoot-enabled Facebook servers – "private customer." Thanks [HPE](https://www.hpe.com/us/en/home.html) for the status. -* [TrenchBoot DRTM features for AMD platforms](https://vimeo.com/488140434) by - [Michał Żygowski](https://twitter.com/_miczyg_) and [Piotr - Król](https://twitter.com/pietrushnic) +- [TrenchBoot DRTM features for AMD platforms](https://vimeo.com/488140434) by + [Michał Żygowski](https://twitter.com/_miczyg_) and + [Piotr Król](https://twitter.com/pietrushnic) The second talk of our team describing the progress of the [TrenchBoot](https://opensource.3mdeb.com/projects/trenchboot.html) project. @@ -168,16 +169,16 @@ Startup. Presenters described the most key changes introduced into the project: the DRTM event log and the possibility to boot Xen Hypervisor with measured launch. Interestingly there was a quite long discussion with [Eugene](https://www.platformsecuritysummit.com/2018/speaker/myers/) and -[Jeremiah](linkedin.com/in/bluescreen/) about the importance of open-source +[Jeremiah](https://linkedin.com/in/bluescreen/) about the importance of open-source implementation of D-RTM that works across the platforms. More to that we -received information that open-sourcing [AMD SMM -Supervisor](https://community.amd.com/t5/amd-business-blog/amd-and-microsoft-secured-core-pc/ba-p/418204#:~:text=AMD%20SMM%20Supervisor%20resides%20in,SMM%20code%20at%20run%20time) +received information that open-sourcing +[AMD SMM Supervisor](https://community.amd.com/t5/amd-business-blog/amd-and-microsoft-secured-core-pc/ba-p/418204#:~:text=AMD%20SMM%20Supervisor%20resides%20in,SMM%20code%20at%20run%20time) is planned. ### Day 3 -* [oreboot status report](https://vimeo.com/488139577) by Ryan O'Leary, [Ronald - g. Minnich](https://twitter.com/coreboot) +- [oreboot status report](https://vimeo.com/488139577) by Ryan O'Leary, + [Ronald g. Minnich](https://twitter.com/coreboot) oreboot is a downstream fork of coreboot, with all C removed, and all code written in Rust. Since we spoke of oreboot a year ago, a lot has happened, and @@ -185,17 +186,16 @@ we want to go over the status. We've got a few interesting facts: -* oreboot works on booting TockOS (Rust) -* it can be tried on QEMU -* works with OpenTITAN chips (FPGA) +- oreboot works on booting TockOS (Rust) +- it can be tried on QEMU +- works with OpenTITAN chips (FPGA) Another great project, which we would happy to triage if only there would be enough resources in our pocket. -* [Zephyr as an open platform for Google's embedded - controllers](https://vimeo.com/488150463) by [Paul - Fagerburg](https://cfp.osfc.io/osfc2020/speaker/ZZDUXC/), [Jack - Rosenthal](https://cfp.osfc.io/osfc2020/speaker/H3RYF8/) +- [Zephyr as an open platform for Google's embedded controllers](https://vimeo.com/488150463) + by [Paul Fagerburg](https://cfp.osfc.io/osfc2020/speaker/ZZDUXC/), + [Jack Rosenthal](https://cfp.osfc.io/osfc2020/speaker/H3RYF8/) Interesting facts about the benefits of moving to a community-driven RTOS instead of using our custom kernel, presentation of ChromiumOS Embedded @@ -205,9 +205,9 @@ firmware development for quite some time. You can check our blog posts about it [here](https://blog.3mdeb.com/tags/zephyr/). We looking for a commercial assignment that involves Zephyr-based EC. -* [Arm SystemReady and the UEFI firmware ecosystem](https://vimeo.com/488131661) - by [Samer El-Haj-Mahmoud](https://cfp.osfc.io/osfc2020/speaker/3DPRVF/), [Dong - Wei](https://cfp.osfc.io/osfc2020/speaker/8FY7QG/) +- [Arm SystemReady and the UEFI firmware ecosystem](https://vimeo.com/488131661) + by [Samer El-Haj-Mahmoud](https://cfp.osfc.io/osfc2020/speaker/3DPRVF/), + [Dong Wei](https://cfp.osfc.io/osfc2020/speaker/8FY7QG/) The Arm SystemReady (Arm SR) program was explained in the first half of the presentation. It is an extension of the Arm ServerReady program that tries to @@ -223,11 +223,11 @@ NXP LS1046A FRWY/RDB). Just a few keynotes: -* BBR consist of in SBBR (Server BBR), EBBR (embedded BBR) and LBBR (using +- BBR consist of in SBBR (Server BBR), EBBR (embedded BBR) and LBBR (using LinuxBoot) -* additional BBSR (BaseBoot Secure Requirements) which is for secure boot and +- additional BBSR (BaseBoot Secure Requirements) which is for secure boot and firmware update -* there is no ISV ecosystem that Arm endorse for certification +- there is no ISV ecosystem that Arm endorse for certification ## Summary @@ -241,7 +241,7 @@ and trust. If you think we can help in improving the security of your firmware or you are looking for a training that can boost your team of developers inside UEFI, -coreboot or Yocto area, feel free to [book a call with -us](https://calendly.com/3mdeb/consulting-remote-meeting) or drop us email to -`contact3mdebcom`. If you are interested in similar content feel free -to [sign up to our newsletter](http://eepurl.com/doF8GX) +coreboot or Yocto area, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2021-04-22-what-is-yocto.md b/blog/content/post/2021-04-22-what-is-yocto.md index 0bd06a70..8dd4451e 100644 --- a/blog/content/post/2021-04-22-what-is-yocto.md +++ b/blog/content/post/2021-04-22-what-is-yocto.md @@ -25,7 +25,7 @@ categories: The project provides a flexible set of tools and a space where embedded developers worldwide can share technologies, software stacks, configurations, and best practices that can be used to create tailored Linux images for embedded -and IOT devices, or anywhere a customized Linux OS is needed.   +and IOT devices, or anywhere a customized Linux OS is needed. ~ yoctoproject.com @@ -34,8 +34,8 @@ devices. It provides the infrastructure Build Tools for creating fully customized operating systems, that can be adjusted to your hardware and it's purpose. The customization is based on a Layer Model that allows for combining related metadata and isolate information for multiple architecture builds -according to their related functionality that can be furhter added flexibly, as -required. +according to their related functionality that can be further added flexibly, as +required. ## Why Yocto Project is the solution? @@ -60,7 +60,7 @@ will allow you to save costs. If you need a customized Yocto distribution with a maintenance support for your platform, we can provide you a Yocto Base Image. Created basic system image can -be further expanded with improvements and updates (OTA). Within a *10 days we +be further expanded with improvements and updates (OTA). Within a \*10 days we will provide you with a ready-to-use binary image file supported with documentation and the source code on the MIT licence. @@ -91,16 +91,16 @@ your device. You will likely not use the Dasharo Reference OS in a product directly. Instead, you can use it to verify all of the Dasharo features. It can serve as a reference point of porting those features to your custom OS. You can also always -ask us to the work for you. +ask us to the work for you. ## Summary If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with -us](https://calendly.com/3mdeb/consulting-remote-meeting) or drop us email to -`contact3mdebcom`. If you are interested in similar content feel free -to [sign up to our newsletter](http://eepurl.com/doF8GX). +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). More about Dasharo you can read on our website [dasharo.com](https://dasharo.com/) and on dedicated MkDocs site diff --git a/blog/content/post/2021-04-30-right_to_repair.md b/blog/content/post/2021-04-30-right_to_repair.md index 722e7e1e..a3a5cc97 100644 --- a/blog/content/post/2021-04-30-right_to_repair.md +++ b/blog/content/post/2021-04-30-right_to_repair.md @@ -21,8 +21,9 @@ categories: ## Struggles of today's repairman Any electronic device, regardless of its brand name, could break down eventually + - and getting a new one isn't always wise. What are the options if an owner -wants to repair his device by replacing or fixing its' internal components? + wants to repair his device by replacing or fixing its' internal components? Let's say we would like to repair by replacing the components - which is more accessible to an unskilled person. Usually, a manufacturer doesn't let the users @@ -78,18 +79,19 @@ plenty of time to get these laws passed because of the lobbying by corporations. For those who aren't willing to wait or buy an older used device with a higher repairability: there are some companies - who, despite not being obliged by law, are voluntarily providing the "Right to repair" in an attempt to win the hearts -of customers. One of such companies is [3mdeb][1]: the [licensed provider][2] for quality -coreboot consulting services and Open Source Firmware Vendor (OSFV) relying on -[Dasharo][3] to deliver scalable, modular, easy to combine Open Source BIOS, -UEFI, and Firmware solutions. When we have the board schematics and our hands -are not tied by the NDAs - we happily provide these schematics to our customers, -and intend to continue doing so with our upcoming products as well. +of customers. One of such companies is [3mdeb][1]: the [licensed provider][2] +for quality coreboot consulting services and Open Source Firmware Vendor (OSFV) +relying on [Dasharo][3] to deliver scalable, modular, easy to combine Open +Source BIOS, UEFI, and Firmware solutions. When we have the board schematics and +our hands are not tied by the NDAs - we happily provide these schematics to our +customers, and intend to continue doing so with our upcoming products as well. If you are interested in these topics, feel free to reach us out by writing to -, [sign up to our newsletter][4] and check our other [blogposts][5]. +, [sign up to our newsletter][4] and check our other +[blogposts][5]. - [1]: https://3mdeb.com/ - [2]: https://3mdeb.com/about-us/ - [3]: https://dasharo.com/ - [4]: https://eepurl.com/doF8GX - [5]: https://blog.3mdeb.com/ +[1]: https://3mdeb.com/ +[2]: https://3mdeb.com/about-us/ +[3]: https://dasharo.com/ +[4]: https://newsletter.3mdeb.com/subscription/PW6XnCeK6 +[5]: https://blog.3mdeb.com/ diff --git a/blog/content/post/2021-05-06-first-impressions-beaglev.md b/blog/content/post/2021-05-06-first-impressions-beaglev.md index 0d194045..00543ba6 100644 --- a/blog/content/post/2021-05-06-first-impressions-beaglev.md +++ b/blog/content/post/2021-05-06-first-impressions-beaglev.md @@ -1,6 +1,6 @@ --- title: "First impressions on the beta BeagleV - affordable RISC-V SBC" -abstract: "BeagleV is the first affordable RISC-V SBC deisgned to run Linux. It +abstract: "BeagleV is the first affordable RISC-V SBC designed to run Linux. It is fully open-source with open-source software, open hardware design and RISC-V open architecture. This blog post presents the basic functionality of the first batch of the available beta samples @@ -31,24 +31,23 @@ Linux. It is fully open-source with open-source software, open hardware design and RISC-V open architecture. It is a joint effort by Seeed Studio, BeagleBoard.org® and StarFive. -The BeagleV hardware beta program already started as around 300 samples -shipped to developers all over the world. Please note that this post describes -the beta version of the BeagleV board and the experience of the final hardware -may be different. Please follow -[the official page](https://beagleboard.org/beaglev) for the latest information -about the public release. +The BeagleV hardware beta program already started as around 300 samples shipped +to developers all over the world. Please note that this post describes the beta +version of the BeagleV board and the experience of the final hardware may be +different. Please follow [the official page](https://beagleboard.org/beaglev) +for the latest information about the public release. ### Specification -The BeagleV uses RISC-V SiFive U74 Dual-Core 64-bit RV64GC ISA SoC running at 1.5GHz. -It can have 4GB or 8GB LPDDR4 RAM, but the beta batch has 8GB only. It provides -various other peripherals, including USB3.0, Ethernet, and a 40-pin GPIO header. -The full specification can be found in the +The BeagleV uses RISC-V SiFive U74 Dual-Core 64-bit RV64GC ISA SoC running at +1.5GHz. It can have 4GB or 8GB LPDDR4 RAM, but the beta batch has 8GB only. It +provides various other peripherals, including USB3.0, Ethernet, and a 40-pin +GPIO header. The full specification can be found in the [wiki pages](https://rvboards.org/single-blog-1.php?id=93#specifications). The board is running the beta version (`JH7100`) of the target SoC (`JH7110`). -There is a set of known performance and thermal issues with the beta chip, -which is described in the +There is a set of known performance and thermal issues with the beta chip, which +is described in the [FAQ section](https://rvboards.org/single-blog-1.php?id=93#what-is-jh7100-and-jh7110). ### Unboxing @@ -65,8 +64,8 @@ The rather big heatsink with an active fan is what stands out at a first glance. ### First boot To get started, you should connect the USB-UART converter and power supply via -USB-C at minimum. Additionally, you can plug in an Ethernet cable and power on the -fan attached to the heatsink. The +USB-C at minimum. Additionally, you can plug in an Ethernet cable and power on +the fan attached to the heatsink. The [Getting started with BeagleV - StarLight page](https://rvboards.org/single-blog-1.php?id=93) describes the hardware setup in much detail. @@ -75,7 +74,7 @@ describes the hardware setup in much detail. The board comes with the `OpenSBI` and `U-Boot` already flashed on the on-board SPI flash. The boot log looks like below: -``` +```bash bootloader version:210209-4547a8d ddr 0x00000000, 1M test ddr 0x00100000, 2M test @@ -151,15 +150,15 @@ There is a To use it, we can simply download it, uncompress and flash it into uSD card. The uncompressed image has 9GB and it takes around 15 minutes to flash it. -``` -$ wget https://files.beagle.cc/file/beagleboard-public-2021/images/Fedora-riscv64-vic7100-dev-raw-image-Rawhide-20210419121453.n.0-sda.raw.zst -$ zstd -d Fedora-riscv64-vic7100-dev-raw-image-Rawhide-20210419121453.n.0-sda.raw.zst -$ sudo bmaptool copy --nobmap Fedora-riscv64-vic7100-dev-raw-image-Rawhide-20210419121453.n.0-sda.raw /dev/sde +```bash +wget https://files.beagle.cc/file/beagleboard-public-2021/images/Fedora-riscv64-vic7100-dev-raw-image-Rawhide-20210419121453.n.0-sda.raw.zst +zstd -d Fedora-riscv64-vic7100-dev-raw-image-Rawhide-20210419121453.n.0-sda.raw.zst +sudo bmaptool copy --nobmap Fedora-riscv64-vic7100-dev-raw-image-Rawhide-20210419121453.n.0-sda.raw /dev/sde ``` It takes around 2-3 minutes to boot if from the uSD card for the first time. -``` +```bash fedora-starfive login: riscv Password: starfive @@ -186,13 +185,13 @@ Swap: 0B 0B 0B Some more first impressions are written below. -First of all, I needed to re-plug the Ethernet cable after each boot, so the IP address from -DHCP is assigned. Such issue is +First of all, I needed to re-plug the Ethernet cable after each boot, so the IP +address from DHCP is assigned. Such issue is [already reported](https://github.com/starfive-tech/beaglev_fedora/issues/2). The kernel crashes when trying to reboot from OS: -``` +```bash [ 383.143050] systemd-shutdown[1]: Rebooting. [ 383.181539] reboot: Restarting system [ 383.539221] mmc0: card 0007 removed @@ -270,7 +269,7 @@ The kernel crashes when trying to reboot from OS: Or when trying to run `iperf3` test: -``` +```bash [riscv@fedora-starfive ~]$ iperf3 -c 192.168.40.248 Connecting to host 192.168.40.248, port 5201 [ 5] local 192.168.40.80 port 50328 connected to 192.168.40.248 port 5201 @@ -297,12 +296,12 @@ Connecting to host 192.168.40.248, port 5201 [ 519.335651] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- ``` -The next `iperf3` test worked, but with limited speed. The Ethernet speed is -one of the +The next `iperf3` test worked, but with limited speed. The Ethernet speed is one +of the [known limitations](https://rvboards.org/single-blog-1.php?id=93#why-ethernet-speed-does-not-reach-up-to-1gbps) of this beta SoC. -``` +```bash [riscv@fedora-starfive ~]$ iperf3 -c 192.168.40.248 Connecting to host 192.168.40.248, port 5201 [ 5] local 192.168.40.80 port 39478 connected to 192.168.40.248 port 5201 @@ -326,16 +325,16 @@ Connecting to host 192.168.40.248, port 5201 ### Next steps We will continue experimenting with the BeagleV and hopefully contribute to -improving the software support in some way. We are mostly interested in the areas -of coreboot, edk2, U-Boot, Linux, and Yocto support. Please let us know in the -comments what kind of test or software support would you like to see on the +improving the software support in some way. We are mostly interested in the +areas of coreboot, edk2, U-Boot, Linux, and Yocto support. Please let us know in +the comments what kind of test or software support would you like to see on the BeagleV. ## Summary If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with -us](https://calendly.com/3mdeb/consulting-remote-meeting) or drop us email to -`contact3mdebcom`. If you are interested in similar content feel free -to [sign up to our newsletter](http://eepurl.com/doF8GX). +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2021-06-01-optiplex_part2.md b/blog/content/post/2021-06-01-optiplex_part2.md index 4036d010..dd923212 100644 --- a/blog/content/post/2021-06-01-optiplex_part2.md +++ b/blog/content/post/2021-06-01-optiplex_part2.md @@ -22,26 +22,26 @@ categories: --- -# Introduction +## Introduction 3mdeb Embedded Systems Consulting is a company that evangelizes open-source software on all levels. That includes the firmware, bootloaders, hypervisors, operating systems, and more. As befits a company promoting open-source, it should utilize open-source in daily lives. That is our hardware should run open and secure software whenever and wherever possible. Since the center of our -daily work is a workstation, it should meet our requirements in the first -place. Most of the employees' PCs in 3mdeb are either HP Compaq 8200 / 8300 -(Elite) or Dell OptiPlex 7010 / 9010. Because our company is a -[licensed coreboot consultant](https://www.coreboot.org/consulting.html), -it would be a shame for us to not have our hardware running coreboot. -While the [HP workstations are supported in coreboot](https://doc.coreboot.org/mainboard/hp/compaq_8200_sff.html) -the Dell machines are not (or rather weren't in 2018 when I started my work -with them). This post will take you into my journey of porting the Dell -OptiPlex 7010/9010 to coreboot. If you did not read the first part, I highly -encourage you to do so [here](https://blog.3mdeb.com/2020/2020-06-24-dell-optiplex-port/). +daily work is a workstation, it should meet our requirements in the first place. +Most of the employees' PCs in 3mdeb are either HP Compaq 8200 / 8300 (Elite) or +Dell OptiPlex 7010 / 9010. Because our company is a +[licensed coreboot consultant](https://www.coreboot.org/consulting.html), it +would be a shame for us to not have our hardware running coreboot. While the +[HP workstations are supported in coreboot](https://doc.coreboot.org/mainboard/hp/compaq_8200_sff.html) +the Dell machines are not (or rather weren't in 2018 when I started my work with +them). This post will take you into my journey of porting the Dell OptiPlex +7010/9010 to coreboot. If you did not read the first part, I highly encourage +you to do so [here](https://blog.3mdeb.com/2020/2020-06-24-dell-optiplex-port/). So let's start were we left last time. -# Super I/O chips +## Super I/O chips In the previous post I mentioned that one day a power cut occurred and the machine lost the AC power. When I tried to power the platform on, it was no @@ -49,13 +49,13 @@ longer booting. I kept wondering what has gone wrong. Of course there are lots of power management related registers out there in the main processor which could ruin my day when configured incorrectly. So I began looping through them in the datasheet and looking for issues in the coreboot code, however I could -only come up with [this patch](https://review.coreboot.org/c/coreboot/+/40347) -A minor fix that addresses differences between mobile an desktop platforms -which in final result did not resolve my problem. I had experience with the -codebase used on the Dell OptiPlex 9010 already because it uses the same code a -Lenovo Thinkpad laptops, especially x220 which I flashed with coreboot long -time ago and is working without issues. So the only thing that could break is -the Super I/O chip. +only come up with [this patch](https://review.coreboot.org/c/coreboot/+/40347) A +minor fix that addresses differences between mobile an desktop platforms which +in final result did not resolve my problem. I had experience with the codebase +used on the Dell OptiPlex 9010 already because it uses the same code a Lenovo +Thinkpad laptops, especially x220 which I flashed with coreboot long time ago +and is working without issues. So the only thing that could break is the Super +I/O chip. ![Unknown chip](/img/uknown_chip.png) @@ -65,65 +65,65 @@ system. Back in 80's or 90's floppy, PS/2, printer port, RS232 ports were quite common and popular in PC systems. However these peripherals became deprecated and called legacy. Super I/O are designed to expand the x86 system peripherals with such legacy devices and features. By default they are connected to the LPC -interface (a modern version of [ISA bus](https://en.wikipedia.org/wiki/Industry_Standard_Architecture)). Among +interface (a modern version of +[ISA bus](https://en.wikipedia.org/wiki/Industry_Standard_Architecture)). Among others the TPM or the post card can be connected to LPC interface which can be -exposed as a debug header to read the BIOS post codes. Back in the first part -of the series I have told that the driver for the Super I/O chip has been -developed for the SMSC SCH5545. At this point I had the serial port working -along with the PS/2 keyboard and mouse. However the serial port stopped working -whenever the machine lost the AC power. Noticing this small issue took me many -days and on the first glance shouldn't prevent the board from booting, right?? -Well, the answer is: NO! +exposed as a debug header to read the BIOS post codes. Back in the first part of +the series I have told that the driver for the Super I/O chip has been developed +for the SMSC SCH5545. At this point I had the serial port working along with the +PS/2 keyboard and mouse. However the serial port stopped working whenever the +machine lost the AC power. Noticing this small issue took me many days and on +the first glance shouldn't prevent the board from booting, right?? Well, the +answer is: NO! -**First of all, why it took me so many days to figure it out?** +### First of all, why it took me so many days to figure it out? -No matter how dumb it may sound like, but my builds were always with the -onboard serial port enabled for debugging. Because why should I ever get rid of -my main debugging method?? Of course there are other methods like USB debug -dongle, but what for I have already a serial port... What is more I have -verified it is working (at the beginning I had no idea it stops working after -AC loss). +No matter how dumb it may sound like, but my builds were always with the onboard +serial port enabled for debugging. Because why should I ever get rid of my main +debugging method?? Of course there are other methods like USB debug dongle, but +what for I have already a serial port... What is more I have verified it is +working (at the beginning I had no idea it stops working after AC loss). -**Secondly, I have interpreted the symptomes incorrectly** +### Secondly, I have interpreted the symptomes incorrectly After the AC loss, the first thing I have noticed is that the led on the power button is not shining white. For clarification SCH5545 has a two-color LED driver that allows to change its colors based on the register initialization. Apparently the OptiPlex 9010 power button is equipped with an orange and white led. When the white led shines, it means the BIOS has started fetching and -executing the code (which is good). However, if the registers are not -configured correctly the power button was shining in orange color giving some -error signal (the led was shining in intervals). My first conclusion was that -the machine is not even starting after AC loss, because I had the code written -for the leds to set them white and executed very early. +executing the code (which is good). However, if the registers are not configured +correctly the power button was shining in orange color giving some error signal +(the led was shining in intervals). My first conclusion was that the machine is +not even starting after AC loss, because I had the code written for the leds to +set them white and executed very early. Another symptome was the fan which started to run on full speed after a few seconds after I pressed power button. I thought initially, no big deal, if the machine is not starting it does not probably retrieve temperature from CPU or something. -Summing up all those issues together I was almost certain it has something to -do with the Super I/O and it prevents the board from booting. Of course the +Summing up all those issues together I was almost certain it has something to do +with the Super I/O and it prevents the board from booting. Of course the coreboot had not implemented all functionalities yet, but the bug was so severe that the board was not booting. I have looked into the datasheet of SCH5627 and noticed there is an Embedded Memory Interface (EMI) there which implements -access to the Envrionmental Controller internal memory. "That must be it" I +access to the Environmental Controller internal memory. "That must be it" I thought... -![That chip...](/img/sch5545_yelling.jpg) +### It is everything your fault -
    __*It is everything your fault!*__
    +![That chip...](/img/sch5545_yelling.jpg) Typically Super I/O chips are not that complex in design and operation, however -those from SMSC stand out very much. There is no standardized access to -hardware monitoring registers like temperature, fan tachometers and PWM for fan -control (unlike the chips from ITE for example). So basically the manufacturer -left the door wide open to developers and let them design the Environmental -Controller firmware to perform the hardware monitoring and implement any -communication protocol they want through the EMI. That doesn't sound good for -me since I will have to go through reverse engineering path... Congratulations -to Dell engineering team for well-designed and complex interface to the -environmental controller. It gave me a worthy challenge. +those from SMSC stand out very much. There is no standardized access to hardware +monitoring registers like temperature, fan tachometers and PWM for fan control +(unlike the chips from ITE for example). So basically the manufacturer left the +door wide open to developers and let them design the Environmental Controller +firmware to perform the hardware monitoring and implement any communication +protocol they want through the EMI. That doesn't sound good for me since I will +have to go through reverse engineering path... Congratulations to Dell +engineering team for well-designed and complex interface to the environmental +controller. It gave me a worthy challenge. Based on EU Directive 2009/24/EC Article 6 to achieve interoperability of the SCH5545 driver with coreboot I had to obtain necessary information by @@ -132,7 +132,7 @@ these software components work together in the correct way. I did the reverse engineering because of interoperability issues with coreboot. It was done in my personal unpaid time for the benefit of community. -# Reverse Engineering of the EC +## Reverse Engineering of the EC Since I didn't have almost any experience with reverse engineering before and additionally I was not in favor of UEFI, it was quite hard for me at the @@ -140,32 +140,34 @@ beginning to reverse EFI files. Finding the best working environment is the first and foremost step to begin the reverse engineering. There are a few notable frameworks to work with: radare2, Ghidra, IDA and Binary Ninja. -![](/img/re_tools_comp.jpg) - -
    __*Source: https://twitter.com/securelyfitz/status/1143213013484232704/photo/1*__
    +![img](/img/re_tools_comp.jpg) +**Source: ** I decided to give Ghidra a try since it is free and also has some good firmware -utilities for [EFI binaries](https://github.com/al3xtjames/ghidra-firmware-utils) -that were developed by a student on GSoC. Note the tool was developed by NSA, -so if you have any doubts when using it, consider other tools or [Qubes OS disposable VM](https://www.qubes-os.org/doc/disposablevm/) for isolation. +utilities for +[EFI binaries](https://github.com/al3xtjames/ghidra-firmware-utils) that were +developed by a student on GSoC. Note the tool was developed by NSA, so if you +have any doubts when using it, consider other tools or +[Qubes OS disposable VM](https://www.qubes-os.org/doc/disposablevm/) for +isolation. The Ghidra firmware utilities are very good to start with, since they parse the PE header, look for known GUIDs etc. Additionally it provides EDK2 datatypes integration to name variables, structures and interfaces. For example: -![](/img/ghidra_overview.png) +![img](/img/ghidra_overview.png) As you can see the window is divided into code listing and the decompiler. As you probably guessed already, the decompiler is our main weapon. Thanks to the integrated EDK2 datatypes from UEFI specification we already see the human-readable code: -```C +```bashC EFI_STATUS __cdecl _ModuleEntryPoint(EFI_HANDLE ImageHandle,EFI_PEI_SERVICES **PeiServices) { EFI_STATUS EVar1; - + ec_clear_interrupts_low(); EVar1 = (*(*PeiServices)->InstallPpi)(PeiServices,&EFI_PEI_PPI_DESCRIPTOR_fff75ad0); return EVar1; @@ -173,11 +175,11 @@ EFI_STATUS __cdecl _ModuleEntryPoint(EFI_HANDLE ImageHandle,EFI_PEI_SERVICES **P ``` There is also a script that translates some known structures and names -automatically. This helps a lot in obtaining some understandable code -initially. Note must be taken since the script translates the types from UEFI -DXE modules (which run from system RAM) and does not recognize PEI modules -(which run from SPI flash directly in cache). So for example I was making a -stupid mistake and reversing PEI modules with +automatically. This helps a lot in obtaining some understandable code initially. +Note must be taken since the script translates the types from UEFI DXE modules +(which run from system RAM) and does not recognize PEI modules (which run from +SPI flash directly in cache). So for example I was making a stupid mistake and +reversing PEI modules with `_ModuleEntryPoint(EFI_HANDLE ImageHandle,EFI_SYSTEM_TABLE *SystemTable)` which is only true for DXE and UEFI executables. So it is not always good that a script does something automatically for you. @@ -187,22 +189,22 @@ related to the SCH5545 and EMI. I spent a lot of time on that and I still have got zero clues what to do next. This wasn't however wasted time, because I had to do it sooner or later. -# Final conclusion +## Final conclusion Many days passed without any action on my side. Then, one morning I have been enlightened. "What if the board actually starts but does not give any signs of -life?" and then... Yesss... After the AC loss the Environmental Controller -might lost its configuration and that also means other functions may not work -as well. Before the AC loss, I did not have to configure Environment Controller -and fan control. The fan was working silently. However just after the AC was -lost, the fan started to spin at full speed when the board was powered on. It -is possible that the Environmental Controller keeps its configuration as long -as standby power is supplied. So taking it into consideration and all my -previous conclusions I have decided to enable the USB dongle debug instead of -the onboard serial port. Why? Look at this +life?" and then... Yesss... After the AC loss the Environmental Controller might +lost its configuration and that also means other functions may not work as well. +Before the AC loss, I did not have to configure Environment Controller and fan +control. The fan was working silently. However just after the AC was lost, the +fan started to spin at full speed when the board was powered on. It is possible +that the Environmental Controller keeps its configuration as long as standby +power is supplied. So taking it into consideration and all my previous +conclusions I have decided to enable the USB dongle debug instead of the onboard +serial port. Why? Look at this ([source](https://github.com/coreboot/coreboot/blob/4.13/src/drivers/uart/uart8250io.c#L9)): -```C +```bashC /* Should support 8250, 16450, 16550, 16550A type UARTs */ /* Expected character delay at 1200bps is 9ms for a working UART @@ -211,19 +213,19 @@ the onboard serial port. Why? Look at this * * Estimated that inb() from UART takes 1 microsecond. */ -#define SINGLE_CHAR_TIMEOUT (50 * 1000) -#define FIFO_TIMEOUT (16 * SINGLE_CHAR_TIMEOUT) +#define SINGLE_CHAR_TIMEOUT (50 * 1000) +#define FIFO_TIMEOUT (16 * SINGLE_CHAR_TIMEOUT) static int uart8250_can_tx_byte(unsigned int base_port) { - return inb(base_port + UART8250_LSR) & UART8250_LSR_THRE; + return inb(base_port + UART8250_LSR) & UART8250_LSR_THRE; } static void uart8250_tx_byte(unsigned int base_port, unsigned char data) { - unsigned long int i = SINGLE_CHAR_TIMEOUT; - while (i-- && !uart8250_can_tx_byte(base_port)); - outb(data, base_port + UART8250_TBR); + unsigned long int i = SINGLE_CHAR_TIMEOUT; + while (i-- && !uart8250_can_tx_byte(base_port)); + outb(data, base_port + UART8250_TBR); } ``` @@ -235,18 +237,17 @@ characters. So a quick calculation: 50000 * 50ms = 2500000 ms = 2500s ~ 42min. So the whole boot process would take over 40 minutes, no wondering that I have assumed that the board is not starting at all. This is the first time I have encountered such issue with Super I/O where the serial port is not working -despite having a known good driver. Just in case I stopped producing builds -with onboard serial port as the main debug method. I bought FT232H which is -supported by coreboot and used it as EHCI USB debug dongle. I was able to get -the debug output from coreboot without worrying about AC loss or whatsoever. +despite having a known good driver. Just in case I stopped producing builds with +onboard serial port as the main debug method. I bought FT232H which is supported +by coreboot and used it as EHCI USB debug dongle. I was able to get the debug +output from coreboot without worrying about AC loss or whatsoever. -## Summary +### Summary -So the issue with board not booting after AC loss has been resolved, or at -least located. It took me enormous amount of time to figure it out. But don't -feel sorry, it's a daily firmware developer job to debug for many hours just to -find a simple fix. And I kind of like it. It is a professional deviation I -could say. +So the issue with board not booting after AC loss has been resolved, or at least +located. It took me enormous amount of time to figure it out. But don't feel +sorry, it's a daily firmware developer job to debug for many hours just to find +a simple fix. And I kind of like it. It is a professional deviation I could say. In the next post I will disclose more details how I implemented the Environmental Controller driver for the Dell OptiPlex 9010. It should show some @@ -255,8 +256,12 @@ implementation level which is available in upstream coreboot repository. Also you will see how far one has to go to achieve a goal in firmware development. Stay tuned. -If you have a problem with the Environmental Controller (EC) of your platform, looking to -write EC debugging or updating utilities, we are one to discuss. Also, since [EC firmware ecosystem shifts to Zephyr](https://cfp.osfc.io/osfc2020/talk/SXYUQD/) -and we are huge fans of Zephyr. We would be glad to implement Firmware or even Open Source Firmware for your EC. If you are interested, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +If you have a problem with the Environmental Controller (EC) of your platform, +looking to write EC debugging or updating utilities, we are one to discuss. +Also, since +[EC firmware ecosystem shifts to Zephyr](https://cfp.osfc.io/osfc2020/talk/SXYUQD/) +and we are huge fans of Zephyr. We would be glad to implement Firmware or even +Open Source Firmware for your EC. If you are interested, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2021-06-10-OSF_vs_OCP_OSF.md b/blog/content/post/2021-06-10-OSF_vs_OCP_OSF.md index e0e9796f..a4d5ea4d 100644 --- a/blog/content/post/2021-06-10-OSF_vs_OCP_OSF.md +++ b/blog/content/post/2021-06-10-OSF_vs_OCP_OSF.md @@ -18,27 +18,30 @@ categories: --- -The [Open Compute Project (OCP)][1] is a rapidly growing community with a mission -to design and enable the delivery of the most efficient server, storage and -data-centre hardware designs available for scalable computing. OCP has been +The [Open Compute Project (OCP)][1] is a rapidly growing community with a +mission to design and enable the delivery of the most efficient server, storage +and data-centre hardware designs available for scalable computing. OCP has been [embraced][2] by the top tier tech giants: IBM, ARM, Google, Facebook, Alibaba, Intel, Nvidia and even Microsoft - are already the OCP Platinum members. And over 200 companies have jumped aboard, of course not for the sake of "one more certification": their customers want to have complete control over their -hardware and its' low-level software *(firmware)*: having the source helps to +hardware and its' low-level software _(firmware)_: having the source helps to prolong their lifecycle by expanding the capabilities, to fix the bugs for -reducing the long-term maintenance fees, and to do their own security audit. -And these customers are willing to pay an extra for the OCP-certified products. +reducing the long-term maintenance fees, and to do their own security audit. And +these customers are willing to pay an extra for the OCP-certified products. -**OCP Technology Segment Data, 2019 and 2024** ***(Revenues are in US$ billions)*** +**OCP Technology Segment Data, 2019 and 2024** ***(Revenues are in US$ +billions)*** -| Market | 2019 Revenue | 2019 Market Share | 2024 Revenue | 2024 Market Share | 2019-2024 Compound Annual Growth Rate | -| -------------:|:-------------:|:-----------------:|:------------:|:-----------------:|:-------------- | -| Compute | $13.25 | 83.1% | $28.07 | 83.0% | 16.2% | -| Storage | $2.45 | 16.9% | $5.73 | 17.0% | 18.5% | -| **Total** | **$15.70** | **100.0%** | **$33.80** | **100.0%** | **16.6%** | +| Market | 2019 Revenue | 2019 Market Share | 2024 Revenue | 2024 Market Share | +2019-2024 Compound Annual Growth Rate | | +-------------:|:-------------:|:-----------------:|:------------:|:-----------------:|:-------------- +| | Compute | $13.25 | 83.1% | $28.07 | 83.0% | 16.2% | | Storage | $2.45 | +16.9% | $5.73 | 17.0% | 18.5% | | **Total** | **$15.70** | **100.0%** | +**$33.80** | **100.0%** | **16.6%** | -*Source: IDC Worldwide Open Compute Project Compute and Storage Infrastructure Market Forecast, May 2020.* +*Source: IDC Worldwide Open Compute Project Compute and Storage Infrastructure +Market Forecast, May 2020.* The OCP Open System Firmware project is aiming to allow system firmware like [BIOS][3] and [BMC][4] to be modified and their source code shared - according @@ -48,39 +51,42 @@ to a [OSF Checklist][5] - with the owners of OCP-certified hardware. Since March Unfortunately, a lot of data-centre hardware vendors are slow at open-sourcing the firmware of their products, which hinders customers' ability to improve this firmware and to harden its security. In turn, the security-conscious customers -and the advocates of [right-to-repair][6] - prefer to stay away from such products. -In such a situation the OCP OSF term is really confusing, since it can not describe -the actual openness of a firmware; and the Open Source Firmware (OSF) term is -much better - since it openly states and guarantees the openness of firmware. +and the advocates of [right-to-repair][6] - prefer to stay away from such +products. In such a situation the OCP OSF term is really confusing, since it can +not describe the actual openness of a firmware; and the Open Source Firmware +(OSF) term is much better - since it openly states and guarantees the openness +of firmware. Luckily, some of the more-conscious ecosystem partners - have already decided to implement such Open Source Firmware (OSF) as coreboot for the Open System Firmware architecture of their OCP products, with the help of such Open Source -Firmware Vendors (OSFV) as [3mdeb][7]. They did it because having a source code helps -to adapt the firmware to the needs of even the most demanding clients by fixing -the firmware bugs and expanding the device's feature set - at a reduced cost - -which allows making the most out of both your existing and future products by -extending their lifecycle and bringing them to the new previously unthought-of -markets. Another reason is that full control over firmware helps in long-term -hardware maintenance and removes the dependency on external companies, which at -the time of the incident may or may not have the resources to provide support. +Firmware Vendors (OSFV) as [3mdeb][7]. They did it because having a source code +helps to adapt the firmware to the needs of even the most demanding clients by +fixing the firmware bugs and expanding the device's feature set - at a reduced +cost - which allows making the most out of both your existing and future +products by extending their lifecycle and bringing them to the new previously +unthought-of markets. Another reason is that full control over firmware helps in +long-term hardware maintenance and removes the dependency on external companies, +which at the time of the incident may or may not have the resources to provide +support. ![Embedded software market](/img/Embedded_Software_Market.png) Just being open-source - by itself is not enough for the firmware to meet the OCP certification: the extra requirements are mentioned in a [OSF Checklist][8]. The source code should be easily buildable by a native (ideally the open-source) -toolchain and the flashing utility should be either open-source like [flashrom][9] -or at least documented well enough for an open-source implementation to be -written. The key Open System Firmware components have to be open-source at new -OCP products, and although it is allowed to include some closed-source components -*(aka binary blobs)* to Open System Firmware when there is no other choice - there -should be a valid justification for them to be approved, such as "containing -silicon IP": i.e. a blob has been provided by your SV (Silicon Vendor) like -Intel to set up their chip during boot, which is needed for your device to run. -So the Open System Firmware has to be as close to being the Open Source Firmware -as it is possible - for the mutual benefit of a vendor and a customer - and all -the documentation should be good enough and distributable without NDAs. +toolchain and the flashing utility should be either open-source like +[flashrom][9] or at least documented well enough for an open-source +implementation to be written. The key Open System Firmware components have to be +open-source at new OCP products, and although it is allowed to include some +closed-source components _(aka binary blobs)_ to Open System Firmware when there +is no other choice - there should be a valid justification for them to be +approved, such as "containing silicon IP": i.e. a blob has been provided by your +SV (Silicon Vendor) like Intel to set up their chip during boot, which is needed +for your device to run. So the Open System Firmware has to be as close to being +the Open Source Firmware as it is possible - for the mutual benefit of a vendor +and a customer - and all the documentation should be good enough and +distributable without NDAs. ![OSF features](/img/OSF_features.png) @@ -89,58 +95,60 @@ fundamental features to the more advanced ones are depicted from left to right and 1st to 3rd are essential. 1. Chip Initialization and Integration: the firmware components for the initial -setup of the motherboard's key chips - like the chips themselves - are usually -provided by the Silicon Vendors, sometimes in a binary-only form *(without the* -*source code)* like Intel FSP and later AMD AGESA. We at [3mdeb][10] can audit the -source code either available publicly or accessible to us thanks to our NDAs & -close cooperative relationships with Silicon Vendors like Intel and AMD. When -the sources aren't available, we can reverse-engineer a binary-only component to -create a higher quality open-source replacement with fewer bugs and more features, -or isolate from its' vulnerabilities & shortcomings with technology like [D-RTM][11] -(Dynamic Root of Trust for Measurement) that we are [highly-experienced][12] with. - -2. Board Customization: in addition to the chip initialization, there should -be a board-specific setup for the things like GPIO, PCIe bifurcation and BMC -interface. In a coreboot, these could be configured at the mainboard files. - -3. System Table Generation: system tables like SMBIOS and ACPI tables have to -be generated by Open Source Firmware to provide access to various management -features for an OS. - -4. IPMI Integration: IPMI is a popular interface for BMC out-of-band management -control. The basic IPMI driver is already integrated into coreboot firmware. - -5. Security Features: verified boot and Intel TXT integration are examples of -security features that use the hardware capabilities for advanced protection. - -6. RAS Features: Reliability, Availability and Serviceability are essential -for data-centre operation. These features depend on the SMM handler readiness. + setup of the motherboard's key chips - like the chips themselves - are + usually provided by the Silicon Vendors, sometimes in a binary-only form + _(without the_ _source code)_ like Intel FSP and later AMD AGESA. We at + [3mdeb][10] can audit the source code either available publicly or accessible + to us thanks to our NDAs & close cooperative relationships with Silicon + Vendors like Intel and AMD. When the sources aren't available, we can + reverse-engineer a binary-only component to create a higher quality + open-source replacement with fewer bugs and more features, or isolate from + its' vulnerabilities & shortcomings with technology like [D-RTM][11] (Dynamic + Root of Trust for Measurement) that we are [highly-experienced][12] with. + +1. Board Customization: in addition to the chip initialization, there should be + a board-specific setup for the things like GPIO, PCIe bifurcation and BMC + interface. In a coreboot, these could be configured at the mainboard files. + +1. System Table Generation: system tables like SMBIOS and ACPI tables have to be + generated by Open Source Firmware to provide access to various management + features for an OS. + +1. IPMI Integration: IPMI is a popular interface for BMC out-of-band management + control. The basic IPMI driver is already integrated into coreboot firmware. + +1. Security Features: verified boot and Intel TXT integration are examples of + security features that use the hardware capabilities for advanced protection. + +1. RAS Features: Reliability, Availability and Serviceability are essential for + data-centre operation. These features depend on the SMM handler readiness. As you can expect, even just creating the Open Source Firmware for your product is a great challenge that only a few companies in the world can complete, let alone to maintain it in good shape and to meet all the OCP OSF certification -requirements to enter this new [rapidly growing market][13]. However: we at [3mdeb][14] - -being the [licensed provider][15] for quality coreboot consulting services and -Open Source Firmware Vendor (OSFV) relying on [Dasharo][16] to deliver scalable, -modular, easy to combine Open Source BIOS, UEFI, and Firmware solutions - are -surely more than capable of helping your company to pull this off! Feel free to -[book a call with us][17] or drop us an e-mail at , and -we will do our best to help your company to reach new heights. - - [1]: https://www.opencompute.org/ - [2]: https://www.opencompute.org/membership/membership-organizational-directory - [3]: https://en.wikipedia.org/wiki/BIOS - [4]: https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface#Baseboard_management_controller - [5]: https://www.opencompute.org/wiki/Open_System_Firmware/Checklist - [6]: https://blog.3mdeb.com/2021/2021-04-30-right_to_repair/ - [7]: https://3mdeb.com/ - [8]: https://www.opencompute.org/wiki/Open_System_Firmware/Checklist - [9]: https://www.flashrom.org/Flashrom - [10]: https://3mdeb.com/ - [11]: https://blog.3mdeb.com/2020/2020-03-28-trenchboot-nlnet-introduction/ - [12]: https://blog.3mdeb.com/tags/trenchboot/ - [13]: https://www.opencompute.org/marketplace - [14]: https://3mdeb.com/ - [15]: https://3mdeb.com/about-us/ - [16]: https://dasharo.com/ - [17]: https://calendly.com/3mdeb/consulting-remote-meeting +requirements to enter this new [rapidly growing market][13]. However: we at +[3mdeb][14] - being the [licensed provider][15] for quality coreboot consulting +services and Open Source Firmware Vendor (OSFV) relying on [Dasharo][16] to +deliver scalable, modular, easy to combine Open Source BIOS, UEFI, and Firmware +solutions - are surely more than capable of helping your company to pull this +off! Feel free to [book a call with us][17] or drop us an e-mail at +, and we will do our best to help your company to reach new +heights. + +[1]: https://www.opencompute.org/ +[2]: https://www.opencompute.org/membership/membership-organizational-directory +[3]: https://en.wikipedia.org/wiki/BIOS +[4]: https://en.wikipedia.org/wiki/Intelligent_Platform_Management_Interface#Baseboard_management_controller +[5]: https://www.opencompute.org/wiki/Open_System_Firmware/Checklist +[6]: https://blog.3mdeb.com/2021/2021-04-30-right_to_repair/ +[7]: https://3mdeb.com/ +[8]: https://www.opencompute.org/wiki/Open_System_Firmware/Checklist +[9]: https://www.flashrom.org +[10]: https://3mdeb.com/ +[11]: https://blog.3mdeb.com/2020/2020-03-28-trenchboot-nlnet-introduction/ +[12]: https://blog.3mdeb.com/tags/trenchboot/ +[13]: https://www.opencompute.org/marketplace +[14]: https://3mdeb.com/ +[15]: https://3mdeb.com/about-us/ +[16]: https://dasharo.com/ +[17]: https://calendly.com/3mdeb/consulting-remote-meeting diff --git a/blog/content/post/2021-06-14-fwupd-freebsd-status.md b/blog/content/post/2021-06-14-fwupd-freebsd-status.md index 9454c261..10b62ada 100644 --- a/blog/content/post/2021-06-14-fwupd-freebsd-status.md +++ b/blog/content/post/2021-06-14-fwupd-freebsd-status.md @@ -18,11 +18,11 @@ categories: --- -This is the third entry in the series documenting porting fwupd to *BSD +This is the third entry in the series documenting porting fwupd to \*BSD distributions. If you haven't read the [previous](https://blog.3mdeb.com/2021/2021-02-16-fwupd-compilation-under-freebsd/) -[entries](https://blog.3mdeb.com/2021/2021-03-15-fwupd-bsd-packages-and-ci/), -I encourage you to do so. +[entries](https://blog.3mdeb.com/2021/2021-03-15-fwupd-bsd-packages-and-ci/), I +encourage you to do so. --- @@ -41,10 +41,10 @@ FreeBSD port: ## Identifying available updates One difference between Linux and FreeBSD 12.2, on which we started development, -is the lack of `memfd_create(),` a function that creates an anonymous, -temporary file in memory and returns a file descriptor. This is an alternative -to creating a temporary file and having to manage it manually, and fwupd -utilizes it for handling downloads. +is the lack of `memfd_create(),` a function that creates an anonymous, temporary +file in memory and returns a file descriptor. This is an alternative to creating +a temporary file and having to manage it manually, and fwupd utilizes it for +handling downloads. Older (pre-13.0) versions of FreeBSD and other BSD distributions do not have an equivalent API - so we had to emulate it by creating a temporary unlinked file. @@ -58,33 +58,33 @@ updates for our machine - in this case, a Dell XPS 15 9560. ## Applying USB updates -Next, we encountered a problem with USB device updates: We tried to update -the firmware of a ColorHug2, and after rebooting it to the device's bootloader mode, +Next, we encountered a problem with USB device updates: We tried to update the +firmware of a ColorHug2, and after rebooting it to the device's bootloader mode, it didn't return to the operating system. -fwupd uses the libgusb library, a GLib wrapper around libusb. The usual flow -of an update is as follows: +fwupd uses the libgusb library, a GLib wrapper around libusb. The usual flow of +an update is as follows: -1. Issue command to the device to enter bootloader mode - in the case of ColorHug2, -a custom HID-based flashing mode -2. Write an update to the device -3. Upon successful update, return the device to runtime mode +1. Issue command to the device to enter bootloader mode - in the case of + ColorHug2, a custom HID-based flashing mode +1. Write an update to the device +1. Upon successful update, return the device to runtime mode -The issue occurred after the first step - we were unable to reattach the device to -the host. After issuing a command to reset the device back to normal operation, -the OS would not recognize and reattach it - it would stay gone. +The issue occurred after the first step - we were unable to reattach the device +to the host. After issuing a command to reset the device back to normal +operation, the OS would not recognize and reattach it - it would stay gone. -Because libgusb uses libusb's asynchronous API, fwupd would close a -device after an update before all events had been processed. Upon processing -such an event, libusb would detect that the device is gone and mark it with -a `device_is_gone` flag. This meant that on all future requests, libusb would -fail with a `LIBUSB_ERROR_NO_DEVICE` error. +Because libgusb uses libusb's asynchronous API, fwupd would close a device after +an update before all events had been processed. Upon processing such an event, +libusb would detect that the device is gone and mark it with a `device_is_gone` +flag. This meant that on all future requests, libusb would fail with a +`LIBUSB_ERROR_NO_DEVICE` error. -This turned out to be another difference between the Linux and FreeBSD APIs. -The way fwupd utilizes the libusb API was legal under the Linux version of -libusb. Therefore, we decided to change FreeBSD's behavior to more closely match -that of Linux. We did so by making it so that a device can only be marked as -gone if it's currently open. +This turned out to be another difference between the Linux and FreeBSD APIs. The +way fwupd utilizes the libusb API was legal under the Linux version of libusb. +Therefore, we decided to change FreeBSD's behavior to more closely match that of +Linux. We did so by making it so that a device can only be marked as gone if +it's currently open. The patch was submitted and accepted into the FreeBSD tree and is available [here](https://cgit.freebsd.org/src/commit/?id=6847ea50196f1a685be408a24f01cb8d407da19c). @@ -100,35 +100,34 @@ implementing this functionality for FreeBSD was a priority. There were a couple of parts that would need to be implemented in order to make it work: - UEFI ESRT table support in FreeBSD, and support for it in fwupd -- FreeBSD efivar backend for fwupd - on Linux, efivar support is implemented -via a `sysfs` interface, while FreeBSD has a C API +- FreeBSD efivar backend for fwupd - on Linux, efivar support is implemented via + a `sysfs` interface, while FreeBSD has a C API - `bsdisks` support in fwupd - adding support in an `fwupd` daemon plugin - the UEFI update capsule plugin UEFI ESRT (EFI System Resource Table) is a standard interface for firmware updates available since UEFI 2.5. It exposes, among other data, information -about the currently installed firmware versions and the status of last -update attempt. It's used by fwupd for detection and matching available -updates. Support for these tables was missing in FreeBSD - so we added it. -Upstream patches available [here](https://reviews.freebsd.org/D30104). +about the currently installed firmware versions and the status of last update +attempt. It's used by fwupd for detection and matching available updates. +Support for these tables was missing in FreeBSD - so we added it. Upstream +patches available [here](https://reviews.freebsd.org/D30104). fwupd applies firmware updates by installing a small EFI binary along with the -update capsule into the ESP and setting the EFI bootnext variable to point to it. -The machine reboots and launches the EFI binary which then calls -`UpdateCapsule()`, which in turn tells the UEFI to apply the capsule. The -actual flashing is handled by the UEFI implementation itself. - -This requires efivar support, and FreeBSD has a different, programmatic -API, so support for it had to be added in fwupd. Furthermore, since FreeBSD has -a disk management API that differs slightly from the Linux standard UDisks2 API, +update capsule into the ESP and setting the EFI bootnext variable to point to +it. The machine reboots and launches the EFI binary which then calls +`UpdateCapsule()`, which in turn tells the UEFI to apply the capsule. The actual +flashing is handled by the UEFI implementation itself. + +This requires efivar support, and FreeBSD has a different, programmatic API, so +support for it had to be added in fwupd. Furthermore, since FreeBSD has a disk +management API that differs slightly from the Linux standard UDisks2 API, support for it also had to be added. The patches ( [1](https://github.com/fwupd/fwupd/pull/3330), -[2](https://github.com/fwupd/fwupd/pull/3318) -) were accepted by upstream. +[2](https://github.com/fwupd/fwupd/pull/3318) ) were accepted by upstream. -With these patches, it is currently possible to install a UEFI update - but -keep in mind that this is an early implementation and bugs are more than likely -to occur. Bug reports are welcome. +With these patches, it is currently possible to install a UEFI update - but keep +in mind that this is an early implementation and bugs are more than likely to +occur. Bug reports are welcome. [![asciicast](https://asciinema.org/a/EG2W6t13jeyxyoQIxzc4dmgeQ.svg)](https://asciinema.org/a/EG2W6t13jeyxyoQIxzc4dmgeQ) @@ -136,6 +135,7 @@ to occur. Bug reports are welcome. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](http://eepurl.com/doF8GX) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2021-07-01-OSF_vPub_02.md b/blog/content/post/2021-07-01-OSF_vPub_02.md index f1002ff6..fe276a0e 100644 --- a/blog/content/post/2021-07-01-OSF_vPub_02.md +++ b/blog/content/post/2021-07-01-OSF_vPub_02.md @@ -37,13 +37,13 @@ we at 3mdeb will try to invite more such prominent guests to our future events. Also there was a lot of exciting talk about [LibreSOC][1], [ULX3S board][2], [Chips4Makers][3], [Coriolis][4], [Skywater PDK][5], [Sandsifter][6], -[OpenBook][7], [PowerPC Notebook][8], [Precursor][9], [Open Security -Training][10], [OpenXT][11], [OpenBMC][12], [Pinephone][13] and many other -wonderful projects that can be surely of your interest (please check the -links!). Overall, our gathering was a great opportunity not just to spend a nice -time in a cosy atmosphere, but also to learn more about the open/libre software, -firmware and hardware, - and the security benefits these projects are bringing -to the people. +[OpenBook][7], [PowerPC Notebook][8], [Precursor][9], +[Open Security Training][10], [OpenXT][11], [OpenBMC][12], [Pinephone][13] and +many other wonderful projects that can be surely of your interest (please check +the links!). Overall, our gathering was a great opportunity not just to spend a +nice time in a cosy atmosphere, but also to learn more about the open/libre +software, firmware and hardware, - and the security benefits these projects are +bringing to the people. In addition, we have analyzed the results of our "Ideal platform for coreboot training" survey. Many people believe that such a platform should be affordable, @@ -54,22 +54,22 @@ necessarily x86 considering its limitations and the emerging new architectures. If you are interested in those topics, or would like to contribute your own topics for the 3rd vPub (i.e. about your project related to OSF/OSHW/Open ISA): feel free to reach us out by writing to . And to avoid -missing the next events, [sign up to our newsletter][14] or visit [3mdeb events -calendar][15]. If you would like a live chat, write to @mikebdp2 on Wire -messenger - and I will add you to our OSF vPub group. +missing the next events, [sign up to our newsletter][14] or visit +[3mdeb events calendar][15]. If you would like a live chat, write to @mikebdp2 +on Wire messenger - and I will add you to our OSF vPub group. - [1]: https://libre-soc.org/ - [2]: https://www.crowdsupply.com/radiona/ulx3s - [3]: https://chips4makers.io/ - [4]: http://coriolis.lip6.fr/ - [5]: https://github.com/google/skywater-pdk - [6]: https://github.com/Battelle/sandsifter - [7]: https://openbook.net/ - [8]: https://www.powerpc-notebook.org/ - [9]: https://www.crowdsupply.com/sutajio-kosagi/precursor - [10]: https://www.opensecuritytraining.info/ - [11]: https://openxt.org/ - [12]: https://github.com/openbmc/openbmc - [13]: https://www.pine64.org/pinephone/ - [14]: https://newsletter.3mdeb.com/subscription/PW6XnCeK6 - [15]: https://3mdeb.com/events/ +[1]: https://libre-soc.org/ +[2]: https://www.crowdsupply.com/radiona/ulx3s +[3]: https://chips4makers.io/ +[4]: http://coriolis.lip6.fr/ +[5]: https://github.com/google/skywater-pdk +[6]: https://github.com/Battelle/sandsifter +[7]: https://web.archive.org/web/20120119102501/https://openbook.net/ +[8]: https://www.powerpc-notebook.org/ +[9]: https://www.crowdsupply.com/sutajio-kosagi/precursor +[10]: https://www.opensecuritytraining.info/ +[11]: https://openxt.org/ +[12]: https://github.com/openbmc/openbmc +[13]: https://www.pine64.org/pinephone/ +[14]: https://newsletter.3mdeb.com/subscription/PW6XnCeK6 +[15]: https://3mdeb.com/events/ diff --git a/blog/content/post/2021-08-26-cicd-tools-comparison.md b/blog/content/post/2021-08-26-cicd-tools-comparison.md index feb85433..c3a5aa88 100644 --- a/blog/content/post/2021-08-26-cicd-tools-comparison.md +++ b/blog/content/post/2021-08-26-cicd-tools-comparison.md @@ -18,7 +18,7 @@ categories: --- -![](/covers/ci-cd-icon.png) +![img](/covers/ci-cd-icon.png) As continuous integration/continuous delivery workflow has grown in popularity in recent years a multitude of tools intended for simplifying this task has @@ -29,12 +29,12 @@ multitude of proprietary tools. ## [Drone.io](https://www.drone.io/) -![](/img/drone-io-logo.png) +![img](/img/drone-io-logo.png) -* [GitHub](https://github.com/drone/drone) stars: 23.7k -* Written in Go -* Natively handles secrets -* yaml configuration +- [GitHub](https://github.com/drone/drone) stars: 23.7k +- Written in Go +- Natively handles secrets +- yaml configuration Drone uniqueness comes from its approach to the execution of functionality. Every step runs as a separate container and is isolated from others. This allows @@ -50,32 +50,32 @@ support autoscaling. ## [Buildbot](https://buildbot.net/) -![](/img/buildbot-logo.png) +![img](/img/buildbot-logo.png) -* [GitHub](https://github.com/buildbot/buildbot) stars: 4.7k -* Written in Python -* Project with long history -* Python configuration +- [GitHub](https://github.com/buildbot/buildbot) stars: 4.7k +- Written in Python +- Project with long history +- Python configuration Buildbot is a project with a long history, as the first release dates back to -2003. Initially, it was designed as a build test automation tool. While its +2003\. Initially, it was designed as a build test automation tool. While its popularity is much lower than Jenkins it was adopted in many notable projects such as the Yocto Project. Buildbots configuration is written in Python, so while it adds complexity it also gives much greater power to the user. It describes itself as a job scheduling system. It is not a specific application that allows to fill in specific details and works well until something not envisioned by the authors is needed to be done. It is a powerful framework that -can grow as necessary in more complex cases. [It is used in many -projects](https://github.com/buildbot/buildbot/wiki/SuccessStories) such as the -`Yocto Project`, `Python`, `Blender` or `GDB (GNU Debugger)` +can grow as necessary in more complex cases. +[It is used in many projects](https://github.com/buildbot/buildbot/wiki/SuccessStories) +such as the `Yocto Project`, `Python`, `Blender` or `GDB (GNU Debugger)` ## [Concourse](https://concourse-ci.org/) -![](/img/concourse-logo.png) +![img](/img/concourse-logo.png) -* [GitHub](https://github.com/concourse/concourse) stars: 5.8k -* Written in Go -* yaml configuration +- [GitHub](https://github.com/concourse/concourse) stars: 5.8k +- Written in Go +- yaml configuration Concourse just as Drone is a more recent tool (first released in 2014). It has a steep learning curve, but according to the devs, the goal of this project is for @@ -89,10 +89,10 @@ assumptions that may cause a problem with understanding the workflow. ## [Tekton](https://tekton.dev/) -![](/img/tekton-logo.png) +![img](/img/tekton-logo.png) -* [GitHub](https://github.com/tektoncd/pipeline) stars: 6.5k -* CI/CD framework for Kubernetes +- [GitHub](https://github.com/tektoncd/pipeline) stars: 6.5k +- CI/CD framework for Kubernetes Tekton is a part of cd.foundation - a Linux Foundation project which greatly raises its significance for us. It describes itself as a cloud-native solution @@ -106,14 +106,14 @@ on-premise setup. ## Summary While Jenkins became the CI standard through time, security and scaling issues -may lead us to consider alternatives. There is no lack of available free and +may lead us to consider alternatives. There is no lack of available free and open options for hosting your own CI/CD server. You can choose between new and innovative solutions coming fresh to the market or time-tested ones. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with -us](https://calendly.com/3mdeb/consulting-remote-meeting) or drop us email to -`contact3mdebcom`. If you are interested in similar content feel free -to [sign up to our -newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to +[sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2021-09-09-amd-milan-osf.md b/blog/content/post/2021-09-09-amd-milan-osf.md index 43d4149c..fa11a4ca 100644 --- a/blog/content/post/2021-09-09-amd-milan-osf.md +++ b/blog/content/post/2021-09-09-amd-milan-osf.md @@ -21,7 +21,7 @@ categories: --- -# Introduction +## Introduction Do you remember times when AMD was actively supporting open source firmware? Back in the 2008 AMD was delivering the AGESA silicon initialization code and @@ -31,14 +31,14 @@ and many platforms emerged in coreboot. You may know those platform under various names like PC Engines ALIX and APU1. They benefit still from fully open source implementation. However since 2014 AMD started to deliver the AGESA in binary form only. And that situation is maintained till today with some -exceptions (after AMD Steppe Eagle there were no AGESA binary releases -anymore). Google encouraged the AMD to work on FSP compatible interface for -AGESA for their Chromebooks and today we have a AMD Picasso support in -coreboot. If you want to know more about Open Source Firmware on AMD history, -please refer to our FOSDEM presentations: +exceptions (after AMD Steppe Eagle there were no AGESA binary releases anymore). +Google encouraged the AMD to work on FSP compatible interface for AGESA for +their Chromebooks and today we have a AMD Picasso support in coreboot. If you +want to know more about Open Source Firmware on AMD history, please refer to our +FOSDEM presentations: -* [Status of AMD platforms in coreboot](https://video.fosdem.org/2020/K.4.401/coreboot_amd.mp4) -* [Open Source Firmware status on AMD platforms 2021](https://video.fosdem.org/2021/D.firmware/firmware_osfsoap2.mp4) +- [Status of AMD platforms in coreboot](https://video.fosdem.org/2020/K.4.401/coreboot_amd.mp4) +- [Open Source Firmware status on AMD platforms 2021](https://video.fosdem.org/2021/D.firmware/firmware_osfsoap2.mp4) Everybody hopes that AMD server will get open source firmware too. According to rumors something is moving into that direction. See @@ -46,7 +46,7 @@ rumors something is moving into that direction. See > When AMD gets to server chips, they should engage since there’s probably > overlap through FSP - +> > AMD: Apparently Zen scales up and down so the Zen mobile code might be > reusable for server stuff (multi-socket might take some work) @@ -54,47 +54,47 @@ However, in this blog post I will describe the real current situation. ## OSF on AMD Milan -Since the Ron Minnich talk about [pure open source on an AMD Zen](https://vimeo.com/488147337) -we have been getting more requests for open source firmware on AMD based -servers like Rome or Milan. While this isn't surprising, many people seem to be -missing a few important points and get the wrong idea (by the way big kudos to -Ron for attempting and showing it on OSFC2020). The number of issues -encountered by Ron is enormous (and not all has been shown) and typically -related to very basic thing like timers. Only those tightly related to firmware -development can understand that this is only the beginning of the road full of -obstacles. There are many more undocumented registers that are set by AGESA and -many more issues to find out yet. One may forget to use advanced features -without AGESA. One more important thing is that the presentation noted that SMP -is not yet well understood. That means only one main core is running, while the -rest is not initialized, where on server platforms is basically a killer -performance limitation. +Since the Ron Minnich talk about +[pure open source on an AMD Zen](https://vimeo.com/488147337) we have been +getting more requests for open source firmware on AMD based servers like Rome or +Milan. While this isn't surprising, many people seem to be missing a few +important points and get the wrong idea (by the way big kudos to Ron for +attempting and showing it on OSFC2020). The number of issues encountered by Ron +is enormous (and not all has been shown) and typically related to very basic +thing like timers. Only those tightly related to firmware development can +understand that this is only the beginning of the road full of obstacles. There +are many more undocumented registers that are set by AGESA and many more issues +to find out yet. One may forget to use advanced features without AGESA. One more +important thing is that the presentation noted that SMP is not yet well +understood. That means only one main core is running, while the rest is not +initialized, where on server platforms is basically a killer performance +limitation. ## OSF development on AMD server processors -Let's move to the development now from typically BIOS/firmware provider -company, different from 3 major IBVs. First of all, the server initialization -code is not distributed to other companies than IBVs, so there is no chance to -integrated it or even provide BIOS/firmware for a customer platform. Similar -situation is present in Intel. The server market is the most confidential and -protected one. Code aside, but what with the hardware? - -Ron Minnich told on his presentation that "AMD was very kind and willing to -ship us the CRB". Silicon vendors have different policies about borrowing CRBs -and they may depend on various factors, like project details. Sometimes you -need to have a use-case or customer. Typical questions that sometimes -influence the decision: what product (processors, chipset) is going to be used -on the customer platform, what is estimated annual volume, product application, -etc. For example if your volume is lower, your chance are most likely -decreased. - -Some OEMs/ODMs also believe they can support coreboot on their platform, -because it was shown on OSFC and they have an AGESA compatible with FSP. This -is not true. The only FSP compatible AGESAs currently are those developed for -Chromebooks, i.e. the mobile processors like Picasso, Cezanne (incoming). If -you are an OEM or ODM you may simply check whether you have a FSP compatible -AGESA. Simply searching keyword FSP through the code will not give any -meaningful results: `mfspr` or `FSPS` (which stands for -`Memory Feature Online Spare` `FixSocPstate`). +Let's move to the development now from typically BIOS/firmware provider company, +different from 3 major IBVs. First of all, the server initialization code is not +distributed to other companies than IBVs, so there is no chance to integrated it +or even provide BIOS/firmware for a customer platform. Similar situation is +present in Intel. The server market is the most confidential and protected one. +Code aside, but what with the hardware? + +Ron Minnich told on his presentation that "AMD was very kind and willing to ship +us the CRB". Silicon vendors have different policies about borrowing CRBs and +they may depend on various factors, like project details. Sometimes you need to +have a use-case or customer. Typical questions that sometimes influence the +decision: what product (processors, chipset) is going to be used on the customer +platform, what is estimated annual volume, product application, etc. For example +if your volume is lower, your chance are most likely decreased. + +Some OEMs/ODMs also believe they can support coreboot on their platform, because +it was shown on OSFC and they have an AGESA compatible with FSP. This is not +true. The only FSP compatible AGESAs currently are those developed for +Chromebooks, i.e. the mobile processors like Picasso, Cezanne (incoming). If you +are an OEM or ODM you may simply check whether you have a FSP compatible AGESA. +Simply searching keyword FSP through the code will not give any meaningful +results: `mfspr` or `FSPS` (which stands for `Memory Feature Online Spare` +`FixSocPstate`). ## Current possibilities @@ -104,16 +104,16 @@ few options for an open source firmware provider company like 3mdeb: 1. Offer few times higher pricing than IBV for developing the integration of AGESA the customer obtained to an open source firmware framework (probably EDK2, because it is the only supported framework for AGESA). -2. Advise the customer to go to IBV for the firmware, then offer training or +1. Advise the customer to go to IBV for the firmware, then offer training or customization services to address customer's specific needs for firmware features. -We already have tried the approach number 1 and encountered tons of problems -and bugs in the EDK2 code as well as AGESA code. One of the main, most painful -bugs are: +We already have tried the approach number 1 and encountered tons of problems and +bugs in the EDK2 code as well as AGESA code. One of the main, most painful bugs +are: -* improper GDT setup code in EDK2 CPU package -* function definition mismatches in AGESA code that do not conform to UEFI +- improper GDT setup code in EDK2 CPU package +- function definition mismatches in AGESA code that do not conform to UEFI specification (missing or unnecessary `EFIAPI` directives before function declarations which causes mixing the function calling conventions) @@ -133,19 +133,19 @@ should know and how the process looks like: 1. Ensure you have the AGESA code for you platform. Depending on your selected framework you may need the FSP compatible AGESA for e.g. coreboot. For EDK2 this may be any form. -2. Contact an open source firmware vendor like 3mdeb. - State your requirements, be ready to provide a hardware BOM and eventually - schematics. Sign NDA if required. -3. Depending on the selected framework we can offer following options: +1. Contact an open source firmware vendor like 3mdeb. State your requirements, + be ready to provide a hardware BOM and eventually schematics. Sign NDA if + required. +1. Depending on the selected framework we can offer following options: - EDK2 integration, based on our work with V1000/R1000 processors - - coreboot integration if AGESA is FSP compatible, otherwise it may take - tons of work and huge amount of time and funds + - coreboot integration if AGESA is FSP compatible, otherwise it may take tons + of work and huge amount of time and funds - ~~go to IBV~~ (please don't, you will make the open source firmware more far away) -4. We provide an estimation costs with the description of product and features +1. We provide an estimation costs with the description of product and features included in the project and their cost. -5. Customer may negotiate which features to be included. -6. We agree on the conditions and start to work. +1. Customer may negotiate which features to be included. +1. We agree on the conditions and start to work. ## Summary @@ -157,6 +157,8 @@ with the firmware solutions present nowadays. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to +[sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2021-10-08-ftpm-vs-dtpm.md b/blog/content/post/2021-10-08-ftpm-vs-dtpm.md index 4d2d6daf..daa13fd1 100644 --- a/blog/content/post/2021-10-08-ftpm-vs-dtpm.md +++ b/blog/content/post/2021-10-08-ftpm-vs-dtpm.md @@ -37,8 +37,8 @@ much more functional than a smartcard. In 2003, IBM joined up with various companies including HP, Intel, and Microsoft and established the Trusted Computing Platform Alliance (TCPA), later known as -the Trusted Computing Group (TCG). The TCPA defined the TPM standard, which -has continuously evolved over the years, picking up adoption especially in +the Trusted Computing Group (TCG). The TCPA defined the TPM standard, which has +continuously evolved over the years, picking up adoption especially in enterprise and business use. The TPM's primary functions are to store secrets in isolation from the host OS @@ -48,10 +48,10 @@ every component in the boot process and allows the establishment of a trusted computing platform. While TPMs began as dedicated security chips, as they picked up adoption, -silicon vendors started implementing them in chipsets and eventually in firmware. -A firmware-based implementation is commonly called a Firmware TPM, or fTPM for -short, runs in the CPU's trusted execution environment, doesn't take up any -extra space on the board which is great for space-constrained boards, and is +silicon vendors started implementing them in chipsets and eventually in +firmware. A firmware-based implementation is commonly called a Firmware TPM, or +fTPM for short, runs in the CPU's trusted execution environment, doesn't take up +any extra space on the board which is great for space-constrained boards, and is drastically cheaper to implement than a dedicated chip. A hardware-based implementation in a discrete package is now called Discrete TPM, or dTPM. @@ -65,12 +65,12 @@ to virtual machines, and it depends on the hypervisor for adequate isolation. One might be inclined to say that dTPM is more secure because it's a dedicated device, but it's not that simple and what will work best for you depends on a -variety of factors. A discrete TPM is designed to be tamper-resistant, -provides a higher degree of isolation, and can be certified by TCG (in fact -most of them are). It is, however, slower than other implementations -(though that is by design) and is commonly connected to the LPC bus which can be -sniffed. Side-channel attacks are also potentially easier to perform when -the TPM is located on a separate chip. It's worth mentioning here that the TPM +variety of factors. A discrete TPM is designed to be tamper-resistant, provides +a higher degree of isolation, and can be certified by TCG (in fact most of them +are). It is, however, slower than other implementations (though that is by +design) and is commonly connected to the LPC bus which can be sniffed. +Side-channel attacks are also potentially easier to perform when the TPM is +located on a separate chip. It's worth mentioning here that the TPM specification defines a standard for transport encryption, but it is rarely used. @@ -89,28 +89,27 @@ would require debugging the CPU with JTAG or even physically decapping it to access internal traces. We also have to consider the particular functions provided by TPM. For example, -how is secure storage implemented? dTPMs have tamper-resistant NVRAM, while -with fTPMs there are a couple of possibilities: +how is secure storage implemented? dTPMs have tamper-resistant NVRAM, while with +fTPMs there are a couple of possibilities: - TrustZone relies on trusted storage provisions in eMMC controllers -- Intel PTT can store secrets in an encrypted portion of the SPI -flash +- Intel PTT can store secrets in an encrypted portion of the SPI flash Then we have to consider the memory security facilities: - ARM TrustZone defines a separate region for the "normal world" in which the -usual software is run and "secure world" which runs security-critical code + usual software is run and "secure world" which runs security-critical code - Intel SGX can be used to define protected, encrypted regions (enclaves) with -restricted access -- AMD has memory encryption and the fTPM itself runs on an ARM coprocessor -which implements TrustZone + restricted access +- AMD has memory encryption and the fTPM itself runs on an ARM coprocessor which + implements TrustZone ## Summary Clearly, the answer to the question of whether dTPM or fTPM is more secure is not as clear-cut as one may think, and we have to take into account a lot of -variables. If you want to explore this topic further, here are some documents -to get you started: +variables. If you want to explore this topic further, here are some documents to +get you started: - [fTPM: A Firmware-based TPM 2.0 Implementation](https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/msr-tr-2015-84.pdf), - [fTPM: A Software-Only Implementation of a TPM Chip](https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_raj.pdf). @@ -126,6 +125,8 @@ to get you started: If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to +[sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2021-10-28-fobnail-promotion.md b/blog/content/post/2021-10-28-fobnail-promotion.md index d3cf5910..fbfa3529 100644 --- a/blog/content/post/2021-10-28-fobnail-promotion.md +++ b/blog/content/post/2021-10-28-fobnail-promotion.md @@ -21,16 +21,17 @@ categories: --- -# Introduction +## Introduction -System boot security has been gaining more and more attention and importance -due to forever increasing complexity of attacks on the software and firmware. -Firmware vendors are incorporating more and more security features into the -BIOS and UEFI, but let's be honest: +System boot security has been gaining more and more attention and importance due +to forever increasing complexity of attacks on the software and firmware. +Firmware vendors are incorporating more and more security features into the BIOS +and UEFI, but let's be honest: - due to UEFI complexity it has been often proved that the implementation of such features may be buggy and provide wider attacks surface, e.g. - BootGuardDxe flaw presented by Alex Matrosov at [BlackHat USA 2017](https://www.blackhat.com/docs/us-17/wednesday/us-17-Matrosov-Betraying-The-BIOS-Where-The-Guardians-Of-The-BIOS-Are-Failing.pdf) + BootGuardDxe flaw presented by Alex Matrosov at + [BlackHat USA 2017](https://www.blackhat.com/docs/us-17/wednesday/us-17-Matrosov-Betraying-The-BIOS-Where-The-Guardians-Of-The-BIOS-Are-Failing.pdf) - even if the firmware offers high-level security features it is still pretty hard to leverage it out-of-the-box in a user-friendly manner - closed source nature of the firmware limits its auditability (and security as @@ -39,7 +40,8 @@ BIOS and UEFI, but let's be honest: Because of the above reasons many entities fail to correctly secure the boot process and protects the consumers hardware from the attackers. That is why companies like Microsoft are pushing the silicon, hardware and firmware vendors -to enhance the platform security by establishing [Secured Core PC](https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers) +to enhance the platform security by establishing +[Secured Core PC](https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers) standard and requiring TPM2.0 for Windows 11. For example one of the requirements of the Secured Core PC is the use of Dynamic Root of Trust for Measurement technology in order to measure the operating system software in the @@ -47,55 +49,56 @@ processor trusted execution environment impenetrable from external attack vectors. With such measurements one may use remote attestation to ensure the software that is running on the machine has not been tampered with, without relying on the possibly buggy firmware. What is more important Secured Core PCs -aim to provide such high level security out-of-the-box as much as possible. -This is very important because the security is still hard to achieve in an easy -and straightforward way. To eliminate such hardships and obstacles open source +aim to provide such high level security out-of-the-box as much as possible. This +is very important because the security is still hard to achieve in an easy and +straightforward way. To eliminate such hardships and obstacles open source projects emerged to simplify boot process hardening: - [safeboot](https://safeboot.dev/) - leverages firmware Static Root of Trust for Measurement to secure the boot process of Linux OS with UEFI Secure Boot -- [heads](https://osresearch.net/) - leverages firmware Static Root of Trust - for Measurement and Linux kernel as a part of open source boot firmware to - perform verification of the software components of the operating system with - the helps of TPM and USB security tokens. Thanks to open source boot firmware - the risk of buggy firmware implementation is significantly reduced. +- [heads](https://osresearch.net/) - leverages firmware Static Root of Trust for + Measurement and Linux kernel as a part of open source boot firmware to perform + verification of the software components of the operating system with the helps + of TPM and USB security tokens. Thanks to open source boot firmware the risk + of buggy firmware implementation is significantly reduced. But do those projects solve all the problems? What to do with those measurements? The short answer is "remote attestation". There is a need of a trusted entity that will tell the machine owner that the measured software has the approved cryptographic footprints (measurements). At 3mdeb we aim to create -an open hardware USB security token called -[Fobnail](https://fobnail.3mdeb.com/) which will act as a axiomatically trusted -device and provide attestation services to avoid the use of network and -potentially untrusted attestation servers or man-in-the-middle network attacks. -In the long run we plan to [combine Fobnail and Dasharo](https://twitter.com/Dasharo_com/status/1393535274689384449) +an open hardware USB security token called [Fobnail](https://fobnail.3mdeb.com/) +which will act as a axiomatically trusted device and provide attestation +services to avoid the use of network and potentially untrusted attestation +servers or man-in-the-middle network attacks. In the long run we plan to +[combine Fobnail and Dasharo](https://twitter.com/Dasharo_com/status/1393535274689384449) to securely deploy, provision and attest D-RTM capable systems. The project -became possible thanks to the sponsorship of the [NLnet Foundation](https://nlnet.nl/project/Fobnail). +became possible thanks to the sponsorship of the +[NLnet Foundation](https://nlnet.nl/project/Fobnail). -## safeboot +### safeboot Before we start explaining how Fobnail may improve the security of the boot -process lets' review and compare the open source boot process hardening -projects starting with safeboot. +process lets' review and compare the open source boot process hardening projects +starting with safeboot. First of all safeboot is a set of scripts and wrappers that help automate and speed up provisioning of the machine to leverage TPM and UEFI Secure Boot full potential. In short it packs Linux kernel, initial ramdisk (with safeboot scripts) and commandline parameters into a single EFI file and creates two -copies of it for normal boot flow and recovery. Additionally the root -filesystem encrypted with the password sealed to the TPM and Static Root of -Trust measurements. The boot flow is presented on the diagram below: +copies of it for normal boot flow and recovery. Additionally the root filesystem +encrypted with the password sealed to the TPM and Static Root of Trust +measurements. The boot flow is presented on the diagram below: -![](/img/safeboot-boot-flow.png) +![img](/img/safeboot-boot-flow.png) So how does this work? When UEFI firmware finishes the platform initialization and is ready to boot the OS it executes EFI file with the packed Linux kernel and initial ramdisk, but this file is being signed with custom Secure Boot keys generated during the provisioning process. During the provisioning phase these keys' certificates are enrolled into the firmware and the private parts are -migrated to a USB HSM key in order to protect the key from leakage. This USB -key is later used for signing the EFI files used in the boot process. Moreover -the operating system root filesystem is protected with disk encryption. The +migrated to a USB HSM key in order to protect the key from leakage. This USB key +is later used for signing the EFI files used in the boot process. Moreover the +operating system root filesystem is protected with disk encryption. The decryption password is being sealed inside TPM to the pre-calculated measurements of the firmware and the packed Linux+ramdisk in an EFI file. So basically if the firmware and Linux components have not been tampered with, the @@ -107,7 +110,7 @@ second time, by extending one of TPM's PCRs once again (the unsealing policy will fail and the secret is not unsealed by TPM) However the whole security model is as secure as the firmware itself. If the -firmware get's compromised or tampered with, it may fake the firmware +firmware gets compromised or tampered with, it may fake the firmware measurements and keep a persistent malware module in the firmware storage. That is why a strong Static Core Root of Trust is needed like Intel Boot Guard, etc. But where all this leads us? Well at the end of the boot process of course we @@ -117,7 +120,7 @@ or the network connection secure? What should one do without a network connection? The Fobnail USB token can answer all these question, but we will discuss it later in the post. -## heads +### heads heads is a project that wraps up the build system for the firmware and Linux kernel together in order to produce a single binary with open source firmware @@ -127,7 +130,7 @@ supported open source firmware implementation is currently with the use of USB security token without a pre-boot firmware verification technology: -![](/img/boot_flow_heads.png) +![img](/img/boot_flow_heads.png) Similarly as in the safeboot case, the firmware is doing measurements of the executed components and extends the TPM PCRs. In the coreboot's last stage the @@ -136,18 +139,18 @@ heads uses multiple keys and secrets to protect the machine, e.g. TPM TOTP secret, LUKS encryption key and disk encryption key. We won't go into much details how each key is used, what is really important is how TPM TOTP is related to the firmware. TPM TOTP is a one-time 6 digit code generated from a -secret and a current timestamp. Such a code is typically only valid for 30 or -60 seconds, then a new one is generated with newer timestamp. Alternatively a -HOTP scenario may be used where USB token verifies that its secret and host's -secret is the same and the counters on both sides are the equal (incremented -each time the secret is compared). heads unlocks the secret if and only if the -firmware measurements match the policy to which the secret has been sealed in -TPM. If all checks are passed and keys are unsealed, the disk is decrypted and -the target operating system kernel is kexeced. Now imagine the malicious -firmware replacement if the bootblock is not protected (so there is no Core -Root of Trust to verify other firmware components): - -![](/img/boot_flow_heads_compromised.png) +secret and a current timestamp. Such a code is typically only valid for 30 or 60 +seconds, then a new one is generated with newer timestamp. Alternatively a HOTP +scenario may be used where USB token verifies that its secret and host's secret +is the same and the counters on both sides are the equal (incremented each time +the secret is compared). heads unlocks the secret if and only if the firmware +measurements match the policy to which the secret has been sealed in TPM. If all +checks are passed and keys are unsealed, the disk is decrypted and the target +operating system kernel is kexeced. Now imagine the malicious firmware +replacement if the bootblock is not protected (so there is no Core Root of Trust +to verify other firmware components): + +![img](/img/boot_flow_heads_compromised.png) Malicious firmware has performed the measurement replay attack, by extending TPM PCRs with the same values as trusted firmware would. In such case the TOTP/HOTP @@ -159,12 +162,12 @@ ensure that the firmware has really changed. Instead of trusting the firmware to do the job right, one could simply use Dynamic Root of Trust for Measurement to let the silicon create the secure -enclave and measure the operating system components. Only based on such -securely created measurements we may be sure (by performing remote attestation) -that the software we want to run is correct. But again the risk of untrusted -network connection or attestation server arises. +enclave and measure the operating system components. Only based on such securely +created measurements we may be sure (by performing remote attestation) that the +software we want to run is correct. But again the risk of untrusted network +connection or attestation server arises. -## Fobnail +### Fobnail Summing it up we have uncovered a few problems with the current boot hardening projects and attestation: @@ -182,16 +185,18 @@ system. To make this determination, Fobnail functions as an attestor capable of validating attestation assertions made by the system. As an independent device, Fobnail provides a high degree of assurance that an infected system cannot influence Fobnail as it inspects the attestations made by the system. The -architecture is based on the IEFT specification - Remote ATtestation -ProcedureS ([RATS](https://datatracker.ietf.org/doc/draft-ietf-rats-architecture/)) -and the attestation procedure on Reference Interaction Model for -Challenge-Response-based Remote Attestation ([CHARRA](https://tools.ietf.org/id/draft-birkholz-rats-reference-interaction-model-00.html)). +architecture is based on the IEFT specification - Remote ATtestation ProcedureS +([RATS](https://datatracker.ietf.org/doc/draft-ietf-rats-architecture/)) and the +attestation procedure on Reference Interaction Model for +Challenge-Response-based Remote Attestation +([CHARRA](https://web.archive.org/web/20211115144539/https://tools.ietf.org/id/draft-birkholz-rats-reference-interaction-model-00.html)). So in short, the main principles of Fobnail are: -- to make the attestation as simple as possible (e.g. by using LED indicators - to inform a user about the decision of trustworthiness) -- act as the axiomatically trusted device (an [iTurtle](https://www.usenix.org/legacy/event/hotsec07/tech/full_papers/mccune/mccune_html/index.html)) +- to make the attestation as simple as possible (e.g. by using LED indicators to + inform a user about the decision of trustworthiness) +- act as the axiomatically trusted device (an + [iTurtle](https://www.usenix.org/legacy/event/hotsec07/tech/full_papers/mccune/mccune_html/index.html)) for the attestation process - provide attestation services without network connection @@ -206,12 +211,12 @@ Secondly if we do not trust that the firmware is bug-free and provides reliable measurements one may use D-RTM when booting the target Linux kernel and perform the attestation based on D-TM measurements with Fobnail. -Thirdly when we look at TOTP/HOTP the whole decision process of secret -unsealing is done on the platform, also the platform is responsible to display -or send the 6 digit code to the display or USB token. This creates a potential -risk that the code has been faked and the measurements aren't really reliable. -Fobnail removes such risk by moving the platform state evaluation on the token -side. Before the Fobnail token becomes usable it must be provisioned first with: +Thirdly when we look at TOTP/HOTP the whole decision process of secret unsealing +is done on the platform, also the platform is responsible to display or send the +6 digit code to the display or USB token. This creates a potential risk that the +code has been faked and the measurements aren't really reliable. Fobnail removes +such risk by moving the platform state evaluation on the token side. Before the +Fobnail token becomes usable it must be provisioned first with: - Reference Integrity Measurement (RIM) Database (approved set of platform measurements) @@ -223,35 +228,34 @@ side. Before the Fobnail token becomes usable it must be provisioned first with: So Fobnail knows about all the known good platform states. The host responsibility in the attestation process is to provide the TPM quote (set of -platform integrity measurements, event logs, etc.) signed by the attestation -key to the token for evaluation. Then the decision is returned to the host and +platform integrity measurements, event logs, etc.) signed by the attestation key +to the token for evaluation. Then the decision is returned to the host and indicated to the platform owner with a physical or digital response. Fobnail is -also a flexible architecture which allows to perform the attestation of -multiple devices (by using multiple RIMs and policies). +also a flexible architecture which allows to perform the attestation of multiple +devices (by using multiple RIMs and policies). -As you can see the decision process is now done in the secure environment -unlike the example heads boot flow. This doesn't however resolve the problem of +As you can see the decision process is now done in the secure environment unlike +the example heads boot flow. This doesn't however resolve the problem of reliable measurements if the Static Root of Trust measurements are used. There -is still the risk that the measurement have been faked because firmware has -been tampered with or was not protected. With the help comes the D-RTM. Imagine -compromised heads boot flow but this time the USB token is compliant -with Fobnail architecture: +is still the risk that the measurement have been faked because firmware has been +tampered with or was not protected. With the help comes the D-RTM. Imagine +compromised heads boot flow but this time the USB token is compliant with +Fobnail architecture: -![](/img/boot_flow_heads_fobnail_compromised.png) +![img](/img/boot_flow_heads_fobnail_compromised.png) As you can see the firmware measurements may be replayed if the firmware is not protected and we cannot avoid this, but still we may use D-RTM to securely -perform the measurements of operating system components and use these to -perform attestation to get a trustworthy decision about platform software -state. +perform the measurements of operating system components and use these to perform +attestation to get a trustworthy decision about platform software state. -## Summary +### Summary Fobnail token is the future of the remote attestation attestation. This project funded by the NLnet is only the beginning. We believe in open source and by -making the Fobnail open hardware and open software we hope it may be improved -by community and integrated by many USB security token vendors. Currently we -are looking for early adopters in area of: +making the Fobnail open hardware and open software we hope it may be improved by +community and integrated by many USB security token vendors. Currently we are +looking for early adopters in area of: - security hardware companies (USB token providers) - network appliance manufacturers @@ -262,6 +266,7 @@ which would like to integrate or offer Fobnail as a part of their products/services. In return 3mdeb offers commercial support and associated marketing for the adopters. If you think Fobnail may enhance your products or security of your devices do not hesitate to contact us. Feel free to -[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to +[sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2021-11-19-nezha-riscv-sbc-first-impression.md b/blog/content/post/2021-11-19-nezha-riscv-sbc-first-impression.md index 55fe4e95..9766c590 100644 --- a/blog/content/post/2021-11-19-nezha-riscv-sbc-first-impression.md +++ b/blog/content/post/2021-11-19-nezha-riscv-sbc-first-impression.md @@ -27,36 +27,37 @@ categories: Nezha board is a development board that is designed by an AWOL. This project uses a D1 SoC from Allwinner which is used for the first time by the general public. Probably this board is the **first massive** produced and available SBC -based at RISC-V architecture taking in mind a fact that [BeagleV™](https://blog.3mdeb.com/2021/2021-05-06-first-impressions-beaglev/) +based at RISC-V architecture taking in mind a fact that +[BeagleV™](https://blog.3mdeb.com/2021/2021-05-06-first-impressions-beaglev/) was canceled in august this year after the pilot program with version beta of the board. The Nezha board can be acquired at Aliexpress from -[PerfXLab Store](https://www.aliexpress.com/item/1005003565054561.html?spm=a2g0o.productlist.0.0.354924810Df6mL&algo_pvid=88942876-9d76-4423-a810-4a8cbc420498&algo_exp_id=88942876-9d76-4423-a810-4a8cbc420498-2&pdp_ext_f=%7B%22sku_id%22%3A%2212000026307794408%22%7D) +[PerfXLab Store](https://www.aliexpress.com/item/1005002856721588.html) or from -[Sipeed Store](https://www.aliexpress.com/item/1005002856721588.html?spm=a2g0o.productlist.0.0.69c47eb8wYH0H8&algo_pvid=7832a07e-6881-446d-a910-20ed9546c700&algo_exp_id=7832a07e-6881-446d-a910-20ed9546c700-0&pdp_ext_f=%7B%22sku_id%22%3A%2212000022485490245%22%7D). +[Sipeed Store](https://www.aliexpress.com/item/1005002856721588.html). -This article is such an opening to the series of posts about Neza D1 where -the basic facts, specification and firmware stack of this SBC are described and +This article is such an opening to the series of posts about Neza D1 where the +basic facts, specification and firmware stack of this SBC are described and present. ## Background -The name of this board is taken from a fictional character from Chinese literature. -"Nezha" also means "The third prince" and he is a God which was fighting with -dragons and snakes. His sign can be found on the board: +The name of this board is taken from a fictional character from Chinese +literature. "Nezha" also means "The third prince" and he is a God which was +fighting with dragons and snakes. His sign can be found on the board: ![nezha logo](/img/nezha-logo.png) ## Specification The Nezha uses Allwinner D1 SoC with single-core XuanTie C906 64-bit RISC-V -processor running at 1.0GHz. This SoC has also a blocks as HiFi4 DSP or -G2D 2D graphics accelerators. It has 1GB DDR3 RAM memory and 256MB SPI NAND -flash. As massive storage also a microSD card can be used. Board has also a -various of the peripheries such as Ethernet, WiFi & Bluetooth module, HDMI, -type-c USB OTG, type-a USB HOST, and dedicated header for serial communication -(UART) which at the board is described as `DEBUG`. To power up this board the -5V/2A power adapter will be needed. For full specification please -refer to the [official site](https://d1.docs.aw-ol.com/en/d1_dev/). +processor running at 1.0GHz. This SoC has also a blocks as HiFi4 DSP or G2D 2D +graphics accelerators. It has 1GB DDR3 RAM memory and 256MB SPI NAND flash. As +massive storage also a microSD card can be used. Board has also a various of the +peripheries such as Ethernet, WiFi & Bluetooth module, HDMI, type-c USB OTG, +type-a USB HOST, and dedicated header for serial communication (UART) which at +the board is described as `DEBUG`. To power up this board the 5V/2A power +adapter will be needed. For full specification please refer to the +[official site](https://d1.docs.aw-ol.com/en/d1_dev/). ![nezha logo](/img/nezha-board-layout.png) @@ -73,28 +74,28 @@ USB-UART converter, 2xUSB type-c cables, and screws. For now, the D1 Nezha development board comes with `Tina` Linux system which is a fork of the `OpenWRT`. You can find information about it -[here](https://d1.docs.aw-ol.com/en/study/study_1tina/). -It supports kernels such as Linux3.4, Linux3.10, Linux4.4, Linux4.9, Linux5.4, -and others. There are also other distributions available such as Debian -(`Sipeed` and `PerfXLab` versions) and Fedora. All of them can be found and -download [here](https://ovsienko.info/D1/). +[here](https://d1.docs.aw-ol.com/en/study/study_1tina/). It supports kernels +such as Linux3.4, Linux3.10, Linux4.4, Linux4.9, Linux5.4, and others. There are +also other distributions available such as Debian (`Sipeed` and `PerfXLab` +versions) and Fedora. All of them can be found and download +[here](https://ovsienko.info/D1/). On the other hand boot firmware on D1 consists of three parts, which largely correspond to the components used by 64-bit ARM SoCs: ![nezha boot flow](/img/nezha-boot-flow.png) -* `boot0` - it is modified for this board and used as SPL due to features such +- `boot0` - it is modified for this board and used as SPL due to features such as enabling the T-HEAD ISA and MMU extensions. -* `OpenSBI` - supervisor which is an interface between too less privileged modes +- `OpenSBI` - supervisor which is an interface between too less privileged modes boot0 and TPL bootloader. -* `U-Boot` - TPL bootloader which initializes additional hardware and loads +- `U-Boot` - TPL bootloader which initializes additional hardware and loads kernel from storage or the network. -More information can be found at [linux-sunxi](https://linux-sunxi.org/Allwinner_Nezha) -wiki. +More information can be found at +[linux-sunxi](https://linux-sunxi.org/Allwinner_Nezha) wiki. ## First boot @@ -105,10 +106,10 @@ this version: [![asciicast](https://asciinema.org/a/450115.svg)](https://asciinema.org/a/450115?speed=1.5) As you can see first two lines come from `boot0` and then further are `OpenSBI` -and `U-Boot`. If you analyze logs you should manage that kernel and rootfs -are loaded from `NAND`: +and `U-Boot`. If you analyze logs you should manage that kernel and rootfs are +loaded from `NAND`: -```shell +```bash device nand0 , # parts = 4 ``` @@ -121,7 +122,7 @@ After `Tina` starts up, the green LED blinks. There are two available distros of Debian. In this section let's take a look at one of them prepared by the **PerfXLab**. -```shell +```bash [104]HELLO! BOOT0 is starting! [107]BOOT0 commit : 27369ab [109]set pll start @@ -246,7 +247,7 @@ As you can see bootlog is different than for the `Tina Linux`. Basically, this difference is visible in logs from `boot0` where we can read the information that this time the `SDCard` is detected and start to read data from it. -```shell +```bash Debian GNU/Linux 11 RVBoards ttyS0 RVBoards login: root @@ -274,32 +275,35 @@ after 5 seconds. Now let's test a WiFi connection. For this purpose, it is needed to do some preparations: -* bring up the wireless interface, +- bring up the wireless interface, -* create `wpa_supplicant.conf` which contain information about the network we +- create `wpa_supplicant.conf` which contain information about the network we want to be connected, -* start a new instance of `wpa_supplicant` after we close existing processes, +- start a new instance of `wpa_supplicant` after we close existing processes, -* use `dhclient` to receive IP address, +- use `dhclient` to receive IP address, -* install `iperf3` at the Nezha board and your host machine. +- install `iperf3` at the Nezha board and your host machine. After these steps we are prepared to proceed with a test as follows: -* run `iperf` server at the host - ```shell - $ iperf3 -s +- run `iperf` server at the host + + ```bash + iperf3 -s ``` -* test connection between client and server - ```shell +- test connection between client and server + + ```bash # iperf3 -c ``` -As result, we receive information about sender and receiver speed. The board -was connected to `2.4GHz` network: -``` +As result, we receive information about sender and receiver speed. The board was +connected to `2.4GHz` network: + +```bash # iperf3 -c 192.168.1.234 Connecting to host 192.168.1.234, port 5201 [ 5] local 192.168.1.171 port 35790 connected to 192.168.1.234 port 5201 @@ -337,6 +341,8 @@ and what should we check? If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact@3mdeb.com`. If you are interested in similar -content feel free to [sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact@3mdeb.com`. If you are interested in similar content +feel free to +[sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2021-11-26-optiplex-dasharo.md b/blog/content/post/2021-11-26-optiplex-dasharo.md index 403943e4..d8f3d384 100644 --- a/blog/content/post/2021-11-26-optiplex-dasharo.md +++ b/blog/content/post/2021-11-26-optiplex-dasharo.md @@ -18,17 +18,17 @@ categories: --- -# Introduction +## Introduction -Dell OptiPlex 7010 / 9010 is the majority of machines used in 3mdeb office by the -engineers and developers. It is only natural for a company promoting open +Dell OptiPlex 7010 / 9010 is the majority of machines used in 3mdeb office by +the engineers and developers. It is only natural for a company promoting open source firmware (OSFW) to utilize their own product in daily work. The process of porting coreboot on the machine took significant amount of free time (which you may read about in [other blog posts](https://blog.3mdeb.com/tags/optiplex/) by the way) but it was definitely worth it. It opened a path for developing a firmware that would squeeze out the full potential of the platform. You may be -wondering what else a platform may do that OEM didn't implement. But I will -tell you this, with open source firmware almost anything is possible and with +wondering what else a platform may do that OEM didn't implement. But I will tell +you this, with open source firmware almost anything is possible and with [Dasharo firmware](https://dasharo.com/) we make it a reality. ## ME neutralization @@ -38,52 +38,57 @@ chipsets and SoCs due to its capabilities and features. One of the most fearful features is the remote management and connectivity. Intel ME is able to utilize network via dedicated network controller on vPro machines without any awareness of the operating system software. It is used for software like Intel Active -Management Technology ([AMT](https://www.intel.co.uk/content/www/uk/en/architecture-and-technology/intel-active-management-technology.html)) -or [Computrace](https://i.dell.com/sites/content/business/solutions/brochures/en/Documents/absolute-overview.pdf) +Management Technology +([AMT](https://www.intel.co.uk/content/www/uk/en/architecture-and-technology/intel-active-management-technology.html)) +or +[Computrace](https://i.dell.com/sites/content/business/solutions/brochures/en/Documents/absolute-overview.pdf) ([with cooperation of Intel Anti-theft Technology](https://media9.connectedsocialmedia.com/intel/06/4470/Intel_Anti_Theft_Technology_Computrace_WhitePaper.pdf) -which seems to be a [service running on Intel ME](https://community.intel.com/t5/Intel-vPro-Platform/How-to-disable-Intel-Anti-Theft-service-in-Intel-ME-Status/m-p/472962/thread-id/5789?attachment-id=13594)). +which seems to be a +[service running on Intel ME](https://community.intel.com/t5/Intel-vPro-Platform/How-to-disable-Intel-Anti-Theft-service-in-Intel-ME-Status/m-p/472962/thread-id/5789?attachment-id=13594)). Such features and capabilities often raises doubts and concerns about privacy. Moreover it is a few megabytes of proprietary closed source firmware of unknown quality with uncertain other impacts on the system. Many people often want to disable ME or even neutralize it to reduce the attack surface. This is what we -offer with Dasharo firmware on Dell OptiPlex 7010 / 9010, [me_cleaner](https://github.com/corna/me_cleaner) -is being applied on the firmware image which can be flashed on the board. From -a 6MB of unknown firmware only dozens of kilobytes are left. me_cleaner has -been created based on researching and reversing of the Intel ME which is -prohibited according to its license agreement. Decompilation however, may be -allowed according to [some EU courts](https://osfw.slack.com/archives/C9ZLS0U4F/p1633701873113300). -See also [Article 6](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32009L0024&from=EN). +offer with Dasharo firmware on Dell OptiPlex 7010 / 9010, +[me_cleaner](https://github.com/corna/me_cleaner) is being applied on the +firmware image which can be flashed on the board. From a 6MB of unknown firmware +only dozens of kilobytes are left. me_cleaner has been created based on +researching and reversing of the Intel ME which is prohibited according to its +license agreement. Decompilation however, may be allowed according to +[some EU courts](https://osfw.slack.com/archives/C9ZLS0U4F/p1633701873113300). +See also +[Article 6](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32009L0024&from=EN). But IANAL. ## RAM support As engineers we often encounter situation that the same board comes in a few SKUs (stock keeping units) which may be distinguished by the used processor for -example. Such a procedure is often utilized to reduce the cost of the product -or rather offer a product less or more equipped to make it more affordable on -the market. Also as engineers doing open source firmware we want to know how -many differences they are, whether we may unify support of the variants or even -use the same binary to support multiple boards. But in the cases where the -mainboard is essentially identical and the OEM offers it with different -hardware capabilities, one question comes to the mind immediately: what is -going on? It happens for the 7010 and 9010 variants in the +example. Such a procedure is often utilized to reduce the cost of the product or +rather offer a product less or more equipped to make it more affordable on the +market. Also as engineers doing open source firmware we want to know how many +differences they are, whether we may unify support of the variants or even use +the same binary to support multiple boards. But in the cases where the mainboard +is essentially identical and the OEM offers it with different hardware +capabilities, one question comes to the mind immediately: what is going on? It +happens for the 7010 and 9010 variants in the [specsheet](https://www.dell.com/support/manuals/en-us/optiplex-7010/opti7010_usff/specifications?guid=guid-157e8495-34d3-4efa-ab61-1d9efba4c90e). -``` +```bash Maximum memory: - OptiPlex 7010 16 GB - OptiPlex 9010 32 GB + OptiPlex 7010 16 GB + OptiPlex 9010 32 GB ``` Why would maximum RAM be limited by the variant? The number of memory slots and the used processors are the same so there should not be any difference. However with the Dasharo firmware we ensure that you are not limited to vendor -restrictions and 32GB memory may be populated on both 7010 and 9010. -Fortunately putting 32GB of RAM into Dell OptiPlex 7010 with Dell firmware does -not limit the memory reported to the operating system. Summing it up, the -limitation of maximum RAM is just business differentiation of the offered -machines, i.e. "the higher model number is the better are the parameters -offered". That's it (fortunately). +restrictions and 32GB memory may be populated on both 7010 and 9010. Fortunately +putting 32GB of RAM into Dell OptiPlex 7010 with Dell firmware does not limit +the memory reported to the operating system. Summing it up, the limitation of +maximum RAM is just business differentiation of the offered machines, i.e. "the +higher model number is the better are the parameters offered". That's it +(fortunately). ## ECC support @@ -91,13 +96,15 @@ It occurred that the mainboard design allows the usage of ECC memory modules. The memory module ECC lanes are connected to the CPU socket. However there is one caveat. The Intel Q77 chipset used on the machine doesn't support CPUs with ECC (currently only Xeon CPUs and some embedded ones support ECC). The CPU -compatibility of the chipset may be checked on [Intel ARK](https://ark.intel.com/content/www/us/en/ark/products/64027/intel-q77-express-chipset.html). +compatibility of the chipset may be checked on +[Intel ARK](https://ark.intel.com/content/www/us/en/ark/products/64027/intel-q77-express-chipset.html). But no risk no fun. A decent Xeon CPU matching the board could be bought for -less than $100. So we did a quick test and... [it worked!](https://twitter.com/Dasharo_com/status/1435161914896748547?s=20). +less than $100. So we did a quick test and... +[it worked!](https://twitter.com/Dasharo_com/status/1435161914896748547?s=20). We have a ECC capable CPU, now all we need is a ECC DIMM. Be aware though. A typical server memory will not work here. We need an unbuffered ECC DIMM with -lower latencies (registered memory will only work on servers). However this -time it didn't work. +lower latencies (registered memory will only work on servers). However this time +it didn't work. According to the investigations of the coreboot logs the CPU did not report the ECC capability. The real question is why? There are a few pointers: @@ -110,10 +117,11 @@ In some depths of a sensitive black hole I have found an information that the chipset and CPU is "autonegotiating" the supported features according based on the SKUs before the BIOS executes. So basically the CPU features may be limited by the chipset based on supported processors. So even though you may be -successful in booting ECC capable Xeon CPU, if you don't have a C-series -chipset (C216 in this case) you will not be able to utilize ECC. Linus Torvalds -has expressed his deep dissatisfaction how Intel phased off the ECC support on -consumer chipsets in [this article](https://www.extremetech.com/computing/318832-linus-tovalds-blames-intel-for-killing-ecc-ram-in-consumer-systems) +successful in booting ECC capable Xeon CPU, if you don't have a C-series chipset +(C216 in this case) you will not be able to utilize ECC. Linus Torvalds has +expressed his deep dissatisfaction how Intel phased off the ECC support on +consumer chipsets in +[this article](https://www.extremetech.com/computing/318832-linus-tovalds-blames-intel-for-killing-ecc-ram-in-consumer-systems) Maybe if we know a little bit more about how the autonegotiation works or if ME firmware may force the ECC support, it will be possible to override the current state. @@ -123,30 +131,31 @@ state. Dasharo firmware enables support for booting from PCIe NVMe drives unlike the original Dell firmware. Back in 2013 the first NVMe drives have actually been manufactured (Samsung XS1715) so the technology was not so popular when the -machine is launched. However even after 5 years of [BIOS update -releases](https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=90dd2&driverid=90dd2&lwp=rt) -this lovely machine did not live to see NVMe support. These machines have a -PCIe x4 slot which is perfect for a NVMe disk, just need a few bucks to buy an +machine is launched. However even after 5 years of +[BIOS update releases](https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=90dd2&driverid=90dd2&lwp=rt) +this lovely machine did not live to see NVMe support. These machines have a PCIe +x4 slot which is perfect for a NVMe disk, just need a few bucks to buy an adapter like [this one](https://www.aliexpress.com/item/1005003114626058.html). -With Dasharo firmware it is possible to boot from such NVMe disk without -issues. +With Dasharo firmware it is possible to boot from such NVMe disk without issues. ## Intel TXT support and TrenchBoot Intel Trusted Execution Technology is a feature of Intel CPUs and chipsets to perform trusted measurement of the operation system software defined in Trusted -Computing Group [D-RTM architecture specification](https://trustedcomputinggroup.org/wp-content/uploads/TCG_D-RTM_Architecture_v1-0_Published_06172013.pdf). -Although Dell firmware supports TXT and it is nothing new for Dasharo to -support it as well. And [we did it](https://review.coreboot.org/q/topic:sandybridge_txt) +Computing Group +[D-RTM architecture specification](https://trustedcomputinggroup.org/wp-content/uploads/TCG_D-RTM_Architecture_v1-0_Published_06172013.pdf). +Although Dell firmware supports TXT and it is nothing new for Dasharo to support +it as well. And [we did it](https://review.coreboot.org/q/topic:sandybridge_txt) (you will be able to read more about this achievement in the incoming blog post). Moreover we aim to support [TrenchBoot](https://trenchboot.org/) on this machine. A very good use case of Intel TXT was presented by Qubes OS [Anti Evil Maid (AEM)](https://github.com/QubesOS/qubes-antievilmaid/). By the -way we have been working on enabling AMD CPUs and TPM 2.0 as well in AEM. -In an ideal case Dell OptiPlex will come with TXT and TrenchBoot support and -use AEM to securely measure Qubes OS and perform a remote attestation using +way we have been working on enabling AMD CPUs and TPM 2.0 as well in AEM. In an +ideal case Dell OptiPlex will come with TXT and TrenchBoot support and use AEM +to securely measure Qubes OS and perform a remote attestation using [Fobnail](https://fobnail.3mdeb.com/). To protect the user even further we also -plan to integrate [Intel STM](https://software.intel.com/content/www/us/en/develop/articles/smi-transfer-monitor-stm.html) +plan to integrate +[Intel STM](https://software.intel.com/content/www/us/en/develop/articles/smi-transfer-monitor-stm.html) to avoid System Management Mode attacks to which Intel TXT is vulnerable. ## Open Security Training 2 @@ -161,20 +170,20 @@ used as a reference machine in the [OpenSecurityTraining2](https://ost2.fyi/) private beta testing). And that class then leads into the "Architecture 4031: x86-64 Reset Vector: coreboot" class, and future coreboot classes which are under development, such as "Architecture 4032: coreboot Hardware Hands-On" -(where you will be able to experience flashing the firmware on the Dell -OptiPlex 7010). +(where you will be able to experience flashing the firmware on the Dell OptiPlex +7010). ## How to get it? Of course 3mdeb offers the OST2 reference setups of Dell OptiPlex 7010 / 9010 to -be purchased [here](https://3mdeb.com/shop/open-source-hardware/dasharo-dell-optiplex-7010-sff-i3-i7-8gb-32gb-ram-copy/). +be purchased +[here](https://3mdeb.com/shop/open-source-hardware/dasharo-dell-optiplex-7010-sff-i3-i7-8gb-32gb-ram-copy/). -The machine setup is configurable where you may choose the fully featured -option with 32GB RAM, NVMe with M.2 adapter, ME neutering and of course the -Dasharo firmware. If you like games you may even put some Nvidia GTX/RTX -graphics card (must be low profile, half height) if you like, the PCIe x16 port -(blue) is available for such extension. Onboard TPM 1.2 is supported out-of-the -box. +The machine setup is configurable where you may choose the fully featured option +with 32GB RAM, NVMe with M.2 adapter, ME neutering and of course the Dasharo +firmware. If you like games you may even put some Nvidia GTX/RTX graphics card +(must be low profile, half height) if you like, the PCIe x16 port (blue) is +available for such extension. Onboard TPM 1.2 is supported out-of-the box. ## Summary @@ -186,6 +195,8 @@ OptiPlex so stay tuned and watch for new blog posts and Dasharo releases. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to +[sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2021-12-03-rockchip-secure-boot.md b/blog/content/post/2021-12-03-rockchip-secure-boot.md index d9e6e0d0..fb6d5594 100644 --- a/blog/content/post/2021-12-03-rockchip-secure-boot.md +++ b/blog/content/post/2021-12-03-rockchip-secure-boot.md @@ -72,12 +72,13 @@ Tool (Windows), eFUSE burning is done using eFUSE Tool. Since eFUSE Tool is Windows exclusive, I had to set up Windows box side-by-side my Linux workstation. -I checked out latest revisions of RockChip [tools](https://github.com/rockchip-linux/rknn-toolkit) -and [rkbin](https://github.com/rockchip-linux/rkbin) repos. +I checked out latest revisions of RockChip +[tools](https://github.com/rockchip-linux/rknn-toolkit) and +[rkbin](https://github.com/rockchip-linux/rkbin) repos. First, I had to generate keys for code signing. -```shell +```bash tools/linux/rk_sign_tool/rk_sign_tool cc --chip 3288 linux/rk_sign_tool/rk_sign_tool kk --out keys ``` @@ -88,22 +89,21 @@ different algorithm. ## Signing code -eFUSE Tool accepts only a signed binary as its input, from which it extracts -the public key. The binary used here is the same binary we pass to -`rkdeveloptool` when flashing firmware to eMMC. I will call it loader from now -on. +eFUSE Tool accepts only a signed binary as its input, from which it extracts the +public key. The binary used here is the same binary we pass to `rkdeveloptool` +when flashing firmware to eMMC. I will call it loader from now on. Loader can be quickly assembled using tools and config files from `rkbin/RKBOOT`. For example, to build loader for RK3288, run the following command (from `rkbin` directory) -```shell +```bash tools/boot_merger RKBOOT/RK3288MINIALL.ini ``` I signed generated loader binary using `rk_sign_tool` without any problems. -```shell +```bash $ ../tools/linux/rk_sign_tool/rk_sign_tool sl --key ../keys/privateKey.pem --pubkey ../keys/publicKey.pem --loader rk3288_loader_v1.09.258.bin start to sign rk3288_loader_v1.09.258.bin path = /hdd/rk-secure-boot/tools/linux/rk_sign_tool/temp/loader @@ -136,21 +136,21 @@ That was an extremely helpful message. To find out what's wrong, I've done a quick analysis of unsigned and signed binary and discovered that the signed version has a different header - this is how the unsigned version looks like. -``` +```bash 00000000 42 4f 4f 54 66 00 3a 02 00 00 00 00 00 01 e5 07 |BOOTf.:.........| 00000010 0a 1c 10 15 00 41 30 32 33 01 66 00 00 00 39 01 |.....A023.f...9.| ``` And this is the signed version. -``` +```bash 00000000 4c 44 52 20 66 00 3a 02 00 00 00 00 00 01 e5 07 |LDR f.:.........| 00000010 0a 1c 10 15 24 41 30 32 33 02 66 00 00 00 39 01 |....$A023.f...9.| ``` Secure Boot Tool has support for signing loader binary, but it is disabled when program starts. I had to dig through RockChip documentation to find out how to -enable it. Hint: press Ctrl+r+k. +enable it. Hint: press **Ctrl**+**r**+**k**. ![Secure Boot Tool](/img/rk_secure_boot_tool.png) @@ -194,7 +194,7 @@ accidentally tear apart. Before loading binary into eFUSE Tool, I verified whether that binary works by using: -``` +```bash rkdeveloptool db RK3288_Loader_signed.bin ``` @@ -217,7 +217,7 @@ eFUSE Tool didn't say anything useful. Actually, it didn't say anything at all (no logs either). I've got some information dumped on the serial console, but still not very helpful. -``` +```bash EfuseWriteData 0 100 3100d00 0 write efuse: 03100d00 + 0x0:0x00,0x01,0x00,0x01,0x00,0x01,0x00,0x01,0x01,0x01,0x01,0x00,0x01,0x01,0x00,0x00, write efuse: 03100d00 + 0x10:0x00,0x01,0x00,0x01,0x01,0x01,0x01,0x01,0x01,0x00,0x00,0x01,0x00,0x01,0x00,0x00, @@ -309,7 +309,7 @@ Board got into MaskROM mode, and I successfully ran a signed loader using `rkdeveloptool db`. Messages from the serial console show that secure mode is active. -``` +```bash DDR Version 1.09 20201119 In Channel a: DDR3 400MHz @@ -349,7 +349,7 @@ it for yourself on the following video: Loader can be flashed onto eMMC using the following commands. Note that this flashes only loader, without U-Boot itself. -``` +```bash rkdeveloptool db RK3288_Loader_signed.bin rkdeveloptool ul RK3288_Loader_signed.bin ``` @@ -362,7 +362,7 @@ image from SPL. These two topics will be covered in the next post. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features of used hardware platform, feel free to -[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar content feel free to [sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2021-12-14-secure-jtag-on-imx-soc.md b/blog/content/post/2021-12-14-secure-jtag-on-imx-soc.md index bc256053..deaa7e3c 100644 --- a/blog/content/post/2021-12-14-secure-jtag-on-imx-soc.md +++ b/blog/content/post/2021-12-14-secure-jtag-on-imx-soc.md @@ -19,6 +19,7 @@ categories: - Manufacturing --- + ## Introduction JTAG port is an important feature that helps a lot of engineers during product @@ -34,93 +35,89 @@ publicly available. ## Requirements - **Development board**: Any i.MX6 devkit with available JTAG port. It can be -[Sabre lite i.MX6](https://eu.mouser.com/ProductDetail/Boundary-Devices/BD-SL-iMX6?qs=rR5xxs6mnkwfzDTJZE5SUg%3D%3D) -from Boundary Devices (218,66 EUR). + [Sabre lite i.MX6](https://eu.mouser.com/ProductDetail/Boundary-Devices/BD-SL-iMX6?qs=rR5xxs6mnkwfzDTJZE5SUg%3D%3D) + from Boundary Devices (218,66 EUR). -- **SoC reference manual**: Setting JTAG in secure mode is a dangerous -operation - if you miss something or will be wrong with any fusebit name or -the address you can enable unexcepted options. Always work with documentation - -here is -[application note](https://www.nxp.com/docs/en/application-note/AN4686.pdf) -about JTAG modes. +- **SoC reference manual**: Setting JTAG in secure mode is a dangerous operation + \- if you miss something or will be wrong with any fusebit name or the address + you can enable unexcepted options. Always work with documentation - here is + [application note](https://www.nxp.com/docs/en/application-note/AN4686.pdf) + about JTAG modes. - **crucible tool**: JTAG mode and access key are saved in fuse bits - we need -software to manipulate fuses in userspace. -[crucible](https://github.com/f-secure-foundry/crucible/) tool can be used for -that - it is the best of free and open-source tools with a huge database of fuse -fields. With that tool we can burn fuses using their names - it is more safety -than counting banks and words. - -- **JTAG compatible with OpenOCD**: On -[NXP sites](https://www.nxp.com/docs/en/application-note/AN4686.pdf) we can read -that Secure JTAG is supported only by the Lauterbach environment and ARM-DS5 IDE -with DSTREAM debugger. In 3mdeb we are always trying to use open-source -software. Unfortunately, OpenOCD doesn't officially support Secure JTAG in i.MX -SoC's, but we found not accepted yet -[patch](https://review.openocd.org/c/openocd/+/2148/) from 2014 which adds -support for work with SJC (System JTAG controller) in a secure mode. Required -patch work on OpenOCD from -[official repository](git://git.code.sf.net/p/openocd/code) if you checkout code -with `970a12aef` hash. There is a chance to apply patch in the actual version of -OpenOCD, but it needs some code changes. As hardware, we used -[ARM-USB-OCD-H](https://www.olimex.com/Products/ARM/JTAG/ARM-USB-OCD-H/) -(54,95 EUR) from Olimex. + software to manipulate fuses in userspace. + [crucible](https://github.com/f-secure-foundry/crucible/) tool can be used for + that - it is the best of free and open-source tools with a huge database of + fuse fields. With that tool we can burn fuses using their names - it is more + safety than counting banks and words. + +- **JTAG compatible with OpenOCD**: On + [NXP sites](https://www.nxp.com/docs/en/application-note/AN4686.pdf) we can + read that Secure JTAG is supported only by the Lauterbach environment and + ARM-DS5 IDE with DSTREAM debugger. In 3mdeb we are always trying to use + open-source software. Unfortunately, OpenOCD doesn't officially support Secure + JTAG in i.MX SoC's, but we found not accepted yet + [patch](https://review.openocd.org/c/openocd/+/2148/) from 2014 which adds + support for work with SJC (System JTAG controller) in a secure mode. Required + patch work on OpenOCD from + [official repository](git://git.code.sf.net/p/openocd/code) if you checkout + code with `970a12aef` hash. There is a chance to apply patch in the actual + version of OpenOCD, but it needs some code changes. As hardware, we used + [ARM-USB-OCD-H](https://www.olimex.com/Products/ARM/JTAG/ARM-USB-OCD-H/) + (54,95 EUR) from Olimex. The simplest way to use OpenOCD with SJC patch is to use our fork. You only need clone our repository, build and install OpenOCD: -```shell -$ git clone https://github.com/3mdeb/openocd.git -$ cd openocd -$ ./bootstrap -$ ./configure -$ make -j$(nproc) -$ sudo make install +```bash +git clone https://github.com/3mdeb/openocd.git +cd openocd +./bootstrap +./configure +make -j$(nproc) +sudo make install ``` - **System image**: Any Linux image for your i.MX6 platform with kernel module -`nvmem-imx-ocotp` for modifying OTP memory. You can add this module in -menuconfig by enabling the option `CONFIG_NVMEM`. NVMEM driver can be built as a -module and loaded only when you want to burn fuses. + `nvmem-imx-ocotp` for modifying OTP memory. You can add this module in + menuconfig by enabling the option `CONFIG_NVMEM`. NVMEM driver can be built as + a module and loaded only when you want to burn fuses. ## How it works SoC's from i.MX family offers JTAG in three modes - **No debug** - security on the highest level, but after disabling debug -possibilities development and debugging via JTAG port will be unavailable -permanently on used device + possibilities development and debugging via JTAG port will be unavailable + permanently on used device - **Secure JTAG** - mode described in this article, the best compromise between -security and development possibilities - only person with an access key can use -JTAG + security and development possibilities - only person with an access key can + use JTAG - **Enabled JTAG** - default mode, enabled for anyone who has physical access to -JTAG pins + JTAG pins Secure JTAG mode is based on a challenge/response mechanism. SoC has a unique challenge key saved during manufacturing. User can generate their response 56-bit key and burn it in JTAG fuse named `SJC_RESP`. While trying to access the JTAG port, SJC gives a unique for any device challenge key. Now user should pass the response key which is compared with the response stored in SoC fuse bits. If -keys are the same, JTAG is enabled. Below, you can see a diagram describing -the challenge/response mechanism. +keys are the same, JTAG is enabled. Below, you can see a diagram describing the +challenge/response mechanism. ![Secure JTAG - how it works](/img/secure_jtag.png) JTAG mode can be set in `JTAG_SMODE` fuse by values -| Mode | JTAG_SMODE | -|-------------|------------| -| JTAG enable | 0x0 | -| JTAG secure | 0x1 | -| No debug | 0x2 | +| Mode | JTAG_SMODE | |-------------|------------| | JTAG enable | 0x0 | | JTAG +secure | 0x1 | | No debug | 0x2 | These fuses still can be overwritten until we do not block this possibility - the response key can be locked by writing `0x1` to `SJC_RESP_LOCK`, and JTAG mode with all other fuses from `BOOT` group by writing `0x3` to `BOOT_CFG_LOCK`. Now JTAG fuses should be protected from writing and overriding. There is an -option to set this to locking only override - look at the reference manual or +option to set this to locking only override - look at the reference manual or [application note](https://usermanual.wiki/m/bb676916d740bdd5d4e8ba43c1ba41673c242f2cefc59f03e014ea7314314f62.pdf) for more information about fuse overriding feature. @@ -138,7 +135,8 @@ give access to execute binary file. Run `crucible` on your target and check that you have access to fuse bits from userspace -``` + +```bash # ./crucible -m IMX6UL -r 1 -b 16 read JTAG_SMODE soc:IMX6UL ref:1 otp:JTAG_SMODE op:read addr:0x18 off:22 len:2 val:0x0 ``` @@ -147,7 +145,7 @@ We can see that JTAG is set in default mode - JTAG enabled for everyone. Now let's try to set secure mode. We generate a random response key: `0x00574c200308fad77` and save it into `SJC_RESP` -``` +```bash # ./crucible -m IMX6UL -r 1 -b 16 -e big blow SJC_RESP 0x00574c200308fad77 �█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█ @@ -171,7 +169,8 @@ addr:0x80 off:0 len:56 val:0x00574c20308fad77 res:0x77a0 ``` Now we can change the mode to secure JTAG -``` + +```bash # ./crucible -m IMX6UL -r 1 -b 16 -e big blow JTAG_SMODE 0x1 �█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█�█ @@ -196,7 +195,8 @@ addr:0x18 off:22 len:2 val:0x1 res:0x00004000 OpenOCD with i.MX secure SJC patch use `imx6_sjcauth.txt` file to store access keys. We can get the challenge key during the first try of connection. Let's try -``` + +```bash $ sudo openocd -f interface/ftdi/olimex-arm-usb-ocd-h.cfg -f target/imx6.cfg Open On-Chip Debugger 0.9.0-dev-00019-g970a12aef-dirty (2021-10-11-14:19) Licensed under GNU GPL v2 @@ -226,17 +226,18 @@ Info : imx6.cpu.0 cluster 0 core 0 multi core ``` Works fine, now a response key is required to access JTAG. It looks like we can -lock JTAG releated fuses: mode and key. They should be unavailable to override +lock JTAG related fuses: mode and key. They should be unavailable to override now. -``` +```bash # ./crucible -m IMX6UL -r 1 -b 16 -e big blow JTAG_SMODE 0x3 # ./crucible -m IMX6UL -r 1 -b 16 -e big blow BOOT_CFG_LOCK 0x3 ``` It is time to verify our solution - remove line with key from `imx6_sjcauth.txt` and try to connect again: -``` + +```bash $ sudo openocd -f interface/ftdi/olimex-arm-usb-ocd-h.cfg -f target/imx6.cfg Open On-Chip Debugger 0.9.0-dev-00019-g970a12aef-dirty (2021-10-11-14:19) Licensed under GNU GPL v2 @@ -275,24 +276,24 @@ cannot authenticate and connect to the SoC. There is a possibility to fuse JTAG from U-boot shell - for that `fuse prog` command can be used. You will need to build bootloader with enabled `CONFIG_CMD_FUSE` config. More description of fuse functionality is -[here](https://source.denx.de/u-boot/u-boot/-/blob/master/doc/README.fuse). -It is a more common solution, but you need to use banks and words numbers -instead of fields names. If you enter incorrect numbers you may brick device, so -we recommend using `crucible`. +[here](https://source.denx.de/u-boot/u-boot/-/blob/master/doc/README.fuse). It +is a more common solution, but you need to use banks and words numbers instead +of fields names. If you enter incorrect numbers you may brick device, so we +recommend using `crucible`. ## Summary Secure JTAG mode is a very useful feature, which should be implemented in every device where security is important. JTAG can be an open door for whole system -architecture: while debugging device adversary can dump memory of program -which can be critical for your system infrastructure. If you do not pay -attention to encryption and other safeguards someone can read important and -confidential data like passwords and addresses. +architecture: while debugging device adversary can dump memory of program which +can be critical for your system infrastructure. If you do not pay attention to +encryption and other safeguards someone can read important and confidential data +like passwords and addresses. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features of used hardware platform, feel free to -[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar content feel free to [sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2021-12-15-fobnail_2nd_phase.md b/blog/content/post/2021-12-15-fobnail_2nd_phase.md index 770d1723..97c73d95 100644 --- a/blog/content/post/2021-12-15-fobnail_2nd_phase.md +++ b/blog/content/post/2021-12-15-fobnail_2nd_phase.md @@ -21,19 +21,19 @@ categories: --- -# About the Fobnail project +## About the Fobnail project Fobnail is a project that aims to provide a reference architecture for building offline integrity measurement verifiers on the USB device (Fobnail Token) and attesters running in Dynamically Launched Measured Environments (DLME). It allows the Fobnail owner to verify the trustworthiness of the running system -before performing any sensitive operation. This project was founded by [NlNet -Foundation](https://nlnet.nl/). More information about the project can be found -in the [Fobnail documentation](https://fobnail.3mdeb.com/). Also, make sure to -read other posts related to this project by visiting +before performing any sensitive operation. This project was founded by +[NlNet Foundation](https://nlnet.nl/). More information about the project can be +found in the [Fobnail documentation](https://fobnail.3mdeb.com/). Also, make +sure to read other posts related to this project by visiting [fobnail](https://blog.3mdeb.com/tags/fobnail/) tag. -# Communication in CHARRA +## Communication in CHARRA [CHARRA](https://github.com/Fraunhofer-SIT/charra) is a "Challenge/Response Remote Attestation" interaction model of the IETF RATS Reference Interaction @@ -42,13 +42,12 @@ attester and verifier communicate with themselves using libcoap. In order to achieve that we need to implement Ethernet over USB on the Fobnail Token. We decided to use Rust so [nrf-hal](https://github.com/nrf-rs/nrf-hal) project provides us with a USB driver, and the conducted -[research](https://fobnail.3mdeb.com/eth-over-usb-research/) -allowed us to determine that EEM will be the most appropriate protocol -implementing Ethernet over USB. Additionally, we use -[smoltcp](https://github.com/smoltcp-rs/smoltcp) which is an interesting project -that provides an implementation of TCP/IP stack. +[research](https://fobnail.3mdeb.com/eth-over-usb-research/) allowed us to +determine that EEM will be the most appropriate protocol implementing Ethernet +over USB. Additionally, we use [smoltcp](https://github.com/smoltcp-rs/smoltcp) +which is an interesting project that provides an implementation of TCP/IP stack. -# The Fobnail SDK +## The Fobnail SDK We started our work on Fobnail SDK. This is a Docker container containing all tools essential for building and flashing Fobnail firmware. You can build the @@ -56,7 +55,7 @@ SDK in a few minutes. [![asciicast](https://asciinema.org/a/MeSZmWaIPXsfpV3hR5cvS9RaG.svg)](https://asciinema.org/a/MeSZmWaIPXsfpV3hR5cvS9RaG?speed=1.5) -# Building applications for Fobnail +## Building applications for Fobnail With Fobnail SDK ready we moved on to running the `hello-world` example using Rust nrf-hal. It turns out that the repository is missing an example for the @@ -64,17 +63,17 @@ nRF52840 which we use as a Fobnail prototype. We have to port the `blinky-demo` and the needed code can be found on [Fobnail's](https://github.com/fobnail/nrf-hal/tree/blinky-demo-nrf52840/examples/blinky-demo-nrf52840) fork of nrf-hal project. The full process is described in the -[documentation](https://fobnail.3mdeb.com/flashing_samples/). +[documentation](https://fobnail.3mdeb.com/flashing_preparation/). The next step was to implement EEM protocol and integrate it with smoltcp. The code can be found [here](https://github.com/fobnail/usbd-ethernet/tree/main/src). Like in the -`hello-world` example, here we also use [dockerized Fobnail -SDK](https://github.com/fobnail/fobnail-sdk) which allows building Rust -applications. During the development, we encountered some +`hello-world` example, here we also use +[dockerized Fobnail SDK](https://github.com/fobnail/fobnail-sdk) which allows +building Rust applications. During the development, we encountered some [problems](https://fobnail.3mdeb.com/implementing-eth-over-usb/#encountered-problems) -and the [status of the current -implementation](https://fobnail.3mdeb.com/implementing-eth-over-usb/#status-of-current-implementation) +and the +[status of the current implementation](https://fobnail.3mdeb.com/implementing-eth-over-usb/#status-of-current-implementation) can be found in Fobnail documentation. The last step was to prepare a Fobnail firmware example, which for now is an @@ -86,29 +85,30 @@ and it requires only a single command (once the repo is cloned). [![asciicast](https://asciinema.org/a/iCNHrba1D3N5a2LNbhltDunF3.svg)](https://asciinema.org/a/iCNHrba1D3N5a2LNbhltDunF3?speed=1.25) -# Running Fobnail firmware +## Running Fobnail firmware -Running the Fobnail demo on the [nRF52840 -dongle](https://www.nordicsemi.com/Products/Development-hardware/nrf52840-dongle) +Running the Fobnail demo on the +[nRF52840 dongle](https://www.nordicsemi.com/Products/Development-hardware/nrf52840-dongle) is really straightforward if only the -[environment](https://fobnail.3mdeb.com/environment/) was correctly prepared. -[Tests](https://fobnail.3mdeb.com/implementing-eth-over-usb/#testing) results -have been made publicly available. Firmware running is also handled by +[environment](https://fobnail.3mdeb.com/archive/environment/) was correctly +prepared. [Tests](https://fobnail.3mdeb.com/implementing-eth-over-usb/#testing) +results have been made publicly available. Firmware running is also handled by `build.sh` which automatically builds firmware (if needed), flashes it to target device and spawns RTT console (used for debugging). The example presented below was executed with the dongle attached to PC USB port. [![asciicast](https://asciinema.org/a/JTVLHLSGazKQgGzcpTolXBOOy.svg)](https://asciinema.org/a/JTVLHLSGazKQgGzcpTolXBOOy?speed=1.25) -The Fobnail firmware can also run directly on PC (see [Developing firmware on -PC](https://fobnail.3mdeb.com/local_development/)), thanks to that it is -possible to develop firmware without any additional hardware. +The Fobnail firmware can also run directly on PC (see +[Developing firmware on PC](https://fobnail.3mdeb.com/archive/local_development/)), +thanks to that it is possible to develop firmware without any additional +hardware. -## Summary +### Summary As part of the described phase, we were able to implement Ethernet over USB and -properly run it on [nRF52840 -dongle](https://www.nordicsemi.com/Products/Development-hardware/nrf52840-dongle). +properly run it on +[nRF52840 dongle](https://www.nordicsemi.com/Products/Development-hardware/nrf52840-dongle). It is also worth paying attention to the provided code that allows you to use this implementation in isolation from the hardware layer - without using the USB standard. This will allow you to work on CHARRA functionality in the future @@ -117,6 +117,8 @@ presented in subsequent blog posts. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to +[sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2022-01-18-porting_edk2_to_a13_tablet.md b/blog/content/post/2022-01-18-porting_edk2_to_a13_tablet.md index b4085b5e..5ea912da 100644 --- a/blog/content/post/2022-01-18-porting_edk2_to_a13_tablet.md +++ b/blog/content/post/2022-01-18-porting_edk2_to_a13_tablet.md @@ -21,7 +21,7 @@ categories: --- -# Introduction +## Introduction I have an old cheap Allwinner A13 tablet with low memory and a weak CPU; it's slow even for internet browsing, so I've been using it primarily for @@ -125,11 +125,10 @@ My long term goals include: ## Building and booting UEFI You can get BSP source code from -[my GitHub repo](https://github.com/arturkow2000/SunxiPlatformPkg). It has been -tested with EDK II v2021.02, which you can obtain from -[TianoCore GitHub repo](https://github.com/tianocore/edk2/). +my GitHub repo. It has been tested with EDK II v2021.02, which you can obtain +from [TianoCore GitHub repo](https://github.com/tianocore/edk2/). -``` +```bash git clone --depth=1 https://github.com/tianocore/edk2 --branch edk2-stable202102 cd edk2 git submodule update --init --recursive @@ -138,7 +137,7 @@ git submodule add https://github.com/arturkow2000/SunxiPlatformPkg If you want LCD support, you need to switch branch: -``` +```bash git checkout display_support ``` @@ -146,7 +145,7 @@ You can build it directly on your host system. Note that this was tested on Ubuntu 20.04 with GCC 9.2.1 and may not work on other distros with either too old or too new compiler. -``` +```bash make -C BaseTools/Source/C . edksetup.sh env GCC5_ARM_PREFIX=arm-none-eabi- build -a ARM -p SunxiPlatformPkg/XW711.dsc -t GCC5 @@ -155,7 +154,7 @@ env GCC5_ARM_PREFIX=arm-none-eabi- build -a ARM -p SunxiPlatformPkg/XW711.dsc -t Alternatively, you can use 3mdeb's Docker container, which provides a stable build environment independent of your distro. -``` +```bash $ docker run --rm -it -w /home/edk2/edk2 -v $PWD:/home/edk2/edk2 3mdeb/edk2 /bin/bash (docker)$ make -C BaseTools (docker)$ . edksetup.sh @@ -165,9 +164,9 @@ $ docker run --rm -it -w /home/edk2/edk2 -v $PWD:/home/edk2/edk2 3mdeb/edk2 /bin This builds two files: `SUNXI_SPL.fd` and `SUNXI_EFI.fd`. For `sunxi-fel` to accept SPL, you have to patch its header. A tool for this purpose is written in Rust, so if you don't have Rust installed already, you can get it from -https://rustup.rs. +. -``` +```bash cd Build/XW711/DEBUG_GCC5/FV/ cargo install --git https://github.com/arturkow2000/sunxiboot sunxiboot checksum SUNXI_SPL.fd @@ -192,11 +191,12 @@ required: power off instantly, this isn't related to UEFI itself, yet still, it's causing problems. It can be caused by a bug in FDT or the driver itself, or XW711 and Q8 aren't so similar, and I'm just using the wrong FDT -```shell + +```bash echo 'blacklist axp20x_adc' >> /etc/modprobe.d/blacklist.conf ``` -{{< youtube PjRC6vXxlpY >}} +{{\< youtube PjRC6vXxlpY >}} ## Summary @@ -210,4 +210,5 @@ If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features of used hardware platform, feel free to book a call with us or drop us email to `contact3mdebcom`. If you are interested in similar content feel free -to sign up to our [newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). +to sign up to our +[newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2022-02-03-kgpe_D16_status.md b/blog/content/post/2022-02-03-kgpe_D16_status.md index caaea4a1..9a20d64e 100644 --- a/blog/content/post/2022-02-03-kgpe_D16_status.md +++ b/blog/content/post/2022-02-03-kgpe_D16_status.md @@ -21,7 +21,7 @@ categories: --- -# Introduction +## Introduction Today's computing systems and processors are becoming more and more efficient but closed as well. Closed in terms of documentation, closed in terms of free @@ -33,10 +33,10 @@ means to run open firmware on their products. The openness and possibilities to run open firmware is gradually decreasing over time as vendors create more and more binary blobs, offload various operation to another entities (e.g. AMD PSP or Intel ME). These entities are often fed with more firmware and blobs, often -closed and proprietary with source code being the vendor's restricted secret. -In the light of this threat we turn our eyes to older platforms that were free -from firmware blobs, embedded secondary microcontrollers in chipsets with ring -\-3 capabilities and were truly user-controllable, respecting the freedom and +closed and proprietary with source code being the vendor's restricted secret. In +the light of this threat we turn our eyes to older platforms that were free from +firmware blobs, embedded secondary microcontrollers in chipsets with ring -3 +capabilities and were truly user-controllable, respecting the freedom and privacy. We just hope the days of open specifications and trustworthy computing on x86 architecture (which were present not so long ago - just over 10 years ago) will be back once. One of the most performant and still blobfree platforms @@ -44,9 +44,9 @@ you will read in this post is ASUS KGPE-D16, dual socket AMD Opteron server/workstation board released in 2009, [FSF RYF](https://ryf.fsf.org/) certified. -# KGPE-D16 history +## KGPE-D16 history -![](/img/kgpe_d16.png) +![img](/img/kgpe_d16.png) KGPE-D16 is a dual socket, powerful AMD server/workstation board with SP5100/SR5690 southbridge/northbridge supporting AMD Opteron 6100 (family10h) @@ -55,13 +55,15 @@ Opteron 6287SE with 16 cores/threads clocks up to 3.5 GHz in turbo is still impressive, but also energy-hungry as well which may not be acceptable for current performance per dollar expectations, but there is always some tradeoff. What is best about these processors is that 6100 and 6200 series Opteron CPUs -run very well without microcode, there is no PSP and the graphics -initialization is done without VBIOS option ROM. Everything in the firmware may -be handled by pure open-source code. +run very well without microcode, there is no PSP and the graphics initialization +is done without VBIOS option ROM. Everything in the firmware may be handled by +pure open-source code. The open-source BIOS for ASUS KGPE-D16 has been implemented by Timothy Pearson -from Raptor Engineering in 2017 by [crowdfunding](https://review.coreboot.org/q/topic:raptor-asus-kgpe-d16). -The same was done for [OpenBMC](https://www.raptorengineering.com/coreboot/kgpe-d16-bmc-port-offer.php) +from Raptor Engineering in 2017 by +[crowdfunding](https://review.coreboot.org/q/topic:raptor-asus-kgpe-d16). The +same was done for +[OpenBMC](https://www.raptorengineering.com/coreboot/kgpe-d16-bmc-port-offer.php) in the same year. The initial source code is still available at [Raptor Engineering's site](https://www.raptorengineering.com/coreboot/kgpe-d16-bmc-port-status.php). @@ -73,10 +75,10 @@ features to enable the modern platform development. As a result the board support could not be kept on the main branch due to insufficient interest and maintainership of the platform. Additionally the code upstreamed was not the best quality, most likely because Raptor did not gather the required funds to -clean up and improve the code. It has been merged as is with insufficient -review which led to a code drop few years later. +clean up and improve the code. It has been merged as is with insufficient review +which led to a code drop few years later. -# To the rescue of KGPE-D16 +## To the rescue of KGPE-D16 It has been a huge blow for the community believing in privacy and liberty of the hardware. Thus 3mdeb tried to answer on the community requests and needs to @@ -84,22 +86,24 @@ bring back the platform. To prevent the board from dropping (half a year before the 4.12 release at the end of 2019, where the deprecation has been announced) 3mdeb has applied for funding to [NLnet Foundation](https://nlnet.nl/), unfortunately the project to improve the quality of board support has been -rejected. The application can be found on [3mdeb's GitHub](https://github.com/3mdeb/kgpe-osf/blob/master/docs/nlnet-application.md) +rejected. The application can be found on +[3mdeb's GitHub](https://github.com/3mdeb/kgpe-osf/blob/master/docs/nlnet-application.md) The hope was almost lost. In the meantime 3mdeb propagated the need to protect the libre hardware like KGPE-D16 on various events like, e.g. FOSDEM: -* [FOSDEM'20](https://archive.fosdem.org/2020/schedule/event/coreboot_amd/) -* [FOSDEM'21](https://archive.fosdem.org/2021/schedule/event/firmware_osfsoap2/) +- [FOSDEM'20](https://archive.fosdem.org/2020/schedule/event/coreboot_amd/) +- [FOSDEM'21](https://archive.fosdem.org/2021/schedule/event/firmware_osfsoap2/) -![](/img/fosdem_logo.png) +![img](/img/fosdem_logo.png) -And fortunately our screams have been heard... [Vikings](Vikings.net) donated -two KGPE-D16 boards for the development and [Immunefi](https://immunefi.com/) -has offered to sponsor the effort of bringing back the KGPE-D16 to coreboot -main tree. For the details visit [heads issue on GitHub](https://github.com/osresearch/heads/issues/719). +And fortunately our screams have been heard... [Vikings](https://vikings.net) +donated two KGPE-D16 boards for the development and [Immunefi](https://immunefi.com/) +has offered to sponsor the effort of bringing back the KGPE-D16 to coreboot main +tree. For the details visit +[heads issue on GitHub](https://github.com/osresearch/heads/issues/719). -# KGPE-D16 revival +## KGPE-D16 revival 3mdeb started the code refactoring and improving efforts in September 2021. But the scope was not only to bring the code quality to coreboot's current @@ -115,25 +119,27 @@ releases and Dasharo firmware quality. Do not hesitate and try it if you have a KGPE-D16 board, you will love it. The pre-built binaries can be found on [Dasharo documentation page](https://docs.dasharo.com/variants/asus_kgpe_d16/releases/) -![](/img/dasharo-sygnet.svg) +![img](/img/dasharo-sygnet.svg) Besides coreboot improvements, the project charter also included upstreaming of -the [flashrom patches](https://review.coreboot.org/c/flashrom/+/59713) for -write protection and OTP memory management. These were especially intended for -use with KGPE-D16 platform and the non-standard flashes to form a Static Root -of Trust with immutable coreboot's bootblock and provide best security possible -on this platform. - -The refreshed code for ASUS KGPE-D16 may be found on [Dasharo GitHub](https://github.com/Dasharo/coreboot/tree/asus_kgpe-d16/develop) -and will be upstreamed to the main coreboot branch soon. If you want to be up -to date with recent news and status please join [Matrix Dasharo space](https://matrix.to/#/#dasharo:matrix.org) -where we publish the most recent announcements about events or releases and are -available for discussing and supporting the project. +the [flashrom patches](https://review.coreboot.org/c/flashrom/+/59713) for write +protection and OTP memory management. These were especially intended for use +with KGPE-D16 platform and the non-standard flashes to form a Static Root of +Trust with immutable coreboot's bootblock and provide best security possible on +this platform. + +The refreshed code for ASUS KGPE-D16 may be found on +[Dasharo GitHub](https://github.com/Dasharo/coreboot/tree/asus_kgpe-d16/develop) +and will be upstreamed to the main coreboot branch soon. If you want to be up to +date with recent news and status please join +[Matrix Dasharo space](https://matrix.to/#/#dasharo:matrix.org) where we publish +the most recent announcements about events or releases and are available for +discussing and supporting the project. ## Summary -If you have an old platform like ASUS KCMA-D8 or Supermicro H8SCM and would -like to have it supported by the most recent coreboot code, do not hesitate to +If you have an old platform like ASUS KCMA-D8 or Supermicro H8SCM and would like +to have it supported by the most recent coreboot code, do not hesitate to contact us (drop us email to `contact3mdebcom`). All we need is some hardware and funds to quickly bring back those platform to life, because they use the same chipset and CPU as KGPE-D16. @@ -143,11 +149,12 @@ Be sure to attend this years' FOSDEM'22 where I will be talking about current (including KGPE-D16) in open source firmware in the Open Source Firmware, BMC and bootloader devroom. -Also feel invited for the [FOSDEM'22 after-party](https://3mdeb.com/events/#fosdem-22) -organized right after the devroom track where we will be discussing various -aspects of related to firmware and bootloaders. 3mdeb is also organizing a -[vPub](https://vpub.dasharo.com) on the 17th of February, don't -miss this occasion to talk with us, share your ideas, thoughts and projects. +Also feel invited for the +[FOSDEM'22 after-party](https://3mdeb.com/events/#fosdem-22) organized right +after the devroom track where we will be discussing various aspects of related +to firmware and bootloaders. 3mdeb is also organizing a +[vPub](https://vpub.dasharo.com) on the 17th of February, don't miss this +occasion to talk with us, share your ideas, thoughts and projects. If you are interested in similar content feel free to [sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2022-02-16-talos2_coreboot_status.md b/blog/content/post/2022-02-16-talos2_coreboot_status.md index 24d4e85e..7a095e5c 100644 --- a/blog/content/post/2022-02-16-talos2_coreboot_status.md +++ b/blog/content/post/2022-02-16-talos2_coreboot_status.md @@ -28,44 +28,46 @@ Description of OpenPOWER boot process and coreboot's place in it can be found in previous post under [OpenPOWER tag](https://blog.3mdeb.com/tags/openpower/). > \*) there is already a target for `qemu-power8` that compiles successfully, -but it executes just a single instruction: `b .`, that is, CPU is kept in an -infinite loop. +> but it executes just a single instruction: `b .`, that is, CPU is kept in an +> infinite loop. ## State of coreboot code List of initialization steps which are already implemented and seem to work as expected: -* Nest initialization - SoC internal stuff like enabling power and clocks to +- Nest initialization - SoC internal stuff like enabling power and clocks to chiplets -* PCIe initialization - lane configuration and reset de-assert only, training is +- PCIe initialization - lane configuration and reset de-assert only, training is actually done by Skiboot -* Memory controllers setup -* DRAM training - DDR4 RDIMM -* DRAM initial write - ECC requires this to keep ECC syndromes in sync with data -* OCC complex initialization - core power management -* TOD - time of day, timer that keeps timers of individual cores in sync with +- Memory controllers setup +- DRAM training - DDR4 RDIMM +- DRAM initial write - ECC requires this to keep ECC syndromes in sync with data +- OCC complex initialization - core power management +- TOD - time of day, timer that keeps timers of individual cores in sync with each other Other implemented components that are not initialization per se, but are used by it: -* a lot of code and documentation was modified to work also for big endian +- a lot of code and documentation was modified to work also for big endian platforms (mostly around CBFS and FMAP), more fixes are yet to be done (CBMEM) -* XSCOM - virtually all of the configuration is done through SCOM registers, +- XSCOM - virtually all of the configuration is done through SCOM registers, XSCOM is one of ways of doing it -* LPC - serial output, reading from flash -* I2C drivers - used to access RDIMMs RCD (registering clock driver) and EEPROM +- LPC - serial output, reading from flash +- I2C drivers - used to access RDIMMs RCD (registering clock driver) and EEPROM (SPD, VPD) -* multiple timekeeping functions, mostly for delays and timeouts -* FDT creation - prepares data consumed by Skiboot -* IPMI BT driver - used to kick BMC watchdog +- multiple timekeeping functions, mostly for delays and timeouts +- FDT creation - prepares data consumed by Skiboot +- IPMI BT driver - used to kick BMC watchdog -There are some [known issues and TODOs](https://github.com/Dasharo/dasharo-issues/labels/raptor-cs_talos-2) +There are some +[known issues and TODOs](https://github.com/Dasharo/dasharo-issues/labels/raptor-cs_talos-2) that may require additional work, but Talos II based on coreboot is already able -to boot all the way to target OS. It even does it [faster than Hostboot](https://youtu.be/toLV9d7H6Q0?t=388), -although such preliminary comparison has to be taken with a grain of salt -- -there are still places for optimization ;) +to boot all the way to target OS. It even does it +[faster than Hostboot](https://youtu.be/toLV9d7H6Q0?t=388), although such +preliminary comparison has to be taken with a grain of salt -- there are still +places for optimization ;) [![asciicast](https://asciinema.org/a/zkQV1KhxY4n6IrlzssuvFHHS5.svg)](https://asciinema.org/a/zkQV1KhxY4n6IrlzssuvFHHS5?t=20) @@ -78,11 +80,13 @@ quiet. Most recent, not thoroughly tested version of the code can be obtained from [develop branch on Dasharo's fork of coreboot](https://github.com/Dasharo/coreboot/tree/raptor-cs_talos-2/develop), -but unless you want to test it, we suggest to stick to the [release branch](https://github.com/Dasharo/coreboot/tree/raptor-cs_talos-2/release), +but unless you want to test it, we suggest to stick to the +[release branch](https://github.com/Dasharo/coreboot/tree/raptor-cs_talos-2/release), or, if you don't want to have to build it yourself, you can just use binaries [compiled by us](#links). -We also are currently in process of [upstreaming QEMU target](https://review.coreboot.org/q/topic:%22QEMU+POWER9+target%22), +We also are currently in process of +[upstreaming QEMU target](https://review.coreboot.org/q/topic:%22QEMU+POWER9+target%22), but it takes time. If you are able to review that please do, we are impatiently waiting with pushing Talos II code until all issues with POWER9 skeleton are resolved and patches merged. @@ -93,17 +97,21 @@ Changes to Heads also introduced another processor architecture. As it was first non-x86 platform, it required modifications to the build system in which x86 had been previously pretty much hardcoded. Another difference is that kernel image file for PPC64 is called `zImage` instead of `bzImage`. These two changes alone -gave [429 added and 196 removed lines](https://github.com/osresearch/heads/pull/1009). +gave +[429 added and 196 removed lines](https://github.com/osresearch/heads/pull/1009). OpenPOWER's PNOR layout and support in Skiboot requires that initramfs is bundled into kernel image itself and coreboot is build with separate file for bootblock due to HBB partition size. Separate PR was created for these two -features because they can be used by other boards, it is [already merged](https://github.com/osresearch/heads/pull/1011). +features because they can be used by other boards, it is +[already merged](https://github.com/osresearch/heads/pull/1011). -The biggest PR is [all-in-one that adds mainboard](https://github.com/osresearch/heads/pull/1002). +The biggest PR is +[all-in-one that adds mainboard](https://github.com/osresearch/heads/pull/1002). It has some of the changes introduced in PRs mentioned above for the sake of CI. Even though there are more than 3k lines added, almost a third of that are -patches to Linux kernel [created specifically for Talos II by Raptor CS](https://git.raptorcs.com/git/talos-op-build/tree/openpower/linux). +patches to Linux kernel +[created specifically for Talos II by Raptor CS](https://git.raptorcs.com/git/talos-op-build/tree/openpower/linux). All of listed PRs are either approved or already merged, so it is just a question of testing and time before they land in Heads' repository. @@ -117,17 +125,20 @@ As with coreboot, instead of building Heads from scratch you can also use Due to our limited experience with PPC64 architecture, as well as limited number of hardware configurations we can test, we ask you to test the code in everyday -tasks. In case of any problems [file an issue](https://github.com/Dasharo/dasharo-issues/issues) -and we promise to do our best to fix it. +tasks. In case of any problems +[file an issue](https://github.com/Dasharo/dasharo-issues/issues) and we promise +to do our best to fix it. -#### Links +### Links All required binaries, along with their hashes and signatures, can be found on [Talos II releases page on Dasharo website](https://docs.dasharo.com/variants/talos_2/releases/). -There you can also subscribe to the [release newsletter](https://newsletter.3mdeb.com/subscription/w2Y2G4Rrj) -or read [how to build images yourself](https://docs.dasharo.com/variants/talos_2/building-manual/). +There you can also subscribe to the +[release newsletter](https://newsletter.3mdeb.com/subscription/w2Y2G4Rrj) or +read +[how to build images yourself](https://docs.dasharo.com/variants/talos_2/building-manual/). -#### Modified PNOR partitions +### Modified PNOR partitions Because coreboot replaces Hostboot and is much smaller than it, we can reuse Hostboot's partitions. Skiboot's partition is left untouched, however for the @@ -143,11 +154,11 @@ work, if they don't feel free to issue a bug report. Summing up, these are the only changes to PNOR contents: -* coreboot's bootblock after adding ECC is written to `HBB`, -* coreboot's CBFS after adding ECC is written to `HBI`, -* Heads is written to `BOOTKERNEL`. +- coreboot's bootblock after adding ECC is written to `HBB`, +- coreboot's CBFS after adding ECC is written to `HBI`, +- Heads is written to `BOOTKERNEL`. -#### Testing without actual flashing +### Testing without actual flashing It is possible to test new firmware images without flashing the physical flash device. This makes testing and switching between two versions (e.g. Hostboot and @@ -159,100 +170,100 @@ already located in `/tmp/` on BMC. Platform name and version numbers were stripped from filenames for convenience. > Keep in mind that `tmpfs` size is limited and exceeding that limit may result -in unresponsive BMC, which in most severe cases requires hard power cycle. -Unfortunately, `/home/` doesn't have nearly enough space to hold all of required -files. +> in unresponsive BMC, which in most severe cases requires hard power cycle. +> Unfortunately, `/home/` doesn't have nearly enough space to hold all of +> required files. **All of the following has to be run on BMC, not host system**. 1. Read original flash into a file that will be modified in next steps: - ```bash - root@talos:~# pflash -r /tmp/talos.pnor - ``` + ```bash + root@talos:~# pflash -r /tmp/talos.pnor + ``` 1. Next step is "flashing" modified partition, which is similar to flashing real -device with two changes: no need to erase the flash and target file must be -specified. New command looks like this: - - ```bash - root@talos:~# pflash -P -p -F /tmp/talos.pnor - ``` - - This has to be confirmed by writing `yes`. Example commands and output for - flashing coreboot: - - ```bash - root@talos:~# pflash -P HBB -p /tmp/bootblock.signed.ecc -F /tmp/flash.pnor - About to program "/tmp/bootblock.signed.ecc" at 0x00205000..0x0020c002 ! - WARNING ! This will modify your HOST flash chip content ! - Enter "yes" to confirm:yes - Programming & Verifying... - [==================================================] 100% - Updating actual size in partition header... - root@talos:~# pflash -P HBI -p /tmp/coreboot.rom.signed.ecc -F /tmp/flash.pnor - About to program "/tmp/coreboot.rom.signed.ecc" at 0x00425000..0x00666200 ! - WARNING ! This will modify your HOST flash chip content ! - Enter "yes" to confirm:yes - Programming & Verifying... - [==================================================] 100% - Updating actual size in partition header... - ``` - - To write Heads: - - ```bash - root@talos:~# pflash -P BOOTKERNEL -p /tmp/zImage.bundled -F /tmp/flash.pnor - About to program "/tmp/zImage.bundled" at 0x022a1000..0x02e06158 ! - WARNING ! This will modify your HOST flash chip content ! - Enter "yes" to confirm:yes - Programming & Verifying... - [==================================================] 100% - Updating actual size in partition header... - ``` + device with two changes: no need to erase the flash and target file must be + specified. New command looks like this: + + ```bash + root@talos:~# pflash -P -p -F /tmp/talos.pnor + ``` + + This has to be confirmed by writing `yes`. Example commands and output for + flashing coreboot: + + ```bash + root@talos:~# pflash -P HBB -p /tmp/bootblock.signed.ecc -F /tmp/flash.pnor + About to program "/tmp/bootblock.signed.ecc" at 0x00205000..0x0020c002 ! + WARNING ! This will modify your HOST flash chip content ! + Enter "yes" to confirm:yes + Programming & Verifying... + [==================================================] 100% + Updating actual size in partition header... + root@talos:~# pflash -P HBI -p /tmp/coreboot.rom.signed.ecc -F /tmp/flash.pnor + About to program "/tmp/coreboot.rom.signed.ecc" at 0x00425000..0x00666200 ! + WARNING ! This will modify your HOST flash chip content ! + Enter "yes" to confirm:yes + Programming & Verifying... + [==================================================] 100% + Updating actual size in partition header... + ``` + + To write Heads: + + ```bash + root@talos:~# pflash -P BOOTKERNEL -p /tmp/zImage.bundled -F /tmp/flash.pnor + About to program "/tmp/zImage.bundled" at 0x022a1000..0x02e06158 ! + WARNING ! This will modify your HOST flash chip content ! + Enter "yes" to confirm:yes + Programming & Verifying... + [==================================================] 100% + Updating actual size in partition header... + ``` 1. To mount the file as flash device (on powered down platform): - ```bash - root@talos:~# mboxctl --backend file:/tmp/flash.pnor - ``` + ```bash + root@talos:~# mboxctl --backend file:/tmp/flash.pnor + ``` - > Partitions can be "flashed" while the file is mounted, as long as host - platform doesn't try to access it simultaneously. + > Partitions can be "flashed" while the file is mounted, as long as host + > platform doesn't try to access it simultaneously. - Occasionally this command may fail (`Failed to post message: Connection - timed out` or `Failed to post message: No route to host`), in that case - repeat it until it succeeds (`SetBackend: Success`). Optionally, success can - be tested with: + Occasionally this command may fail + (`Failed to post message: Connection timed out` or + `Failed to post message: No route to host`), in that case repeat it until it + succeeds (`SetBackend: Success`). Optionally, success can be tested with: - ```bash - root@talos:~# mboxctl --lpc-state - LPC Bus Maps: BMC Memory - ``` + ```bash + root@talos:~# mboxctl --lpc-state + LPC Bus Maps: BMC Memory + ``` - `BMC Memory` means emulated flash is used instead of real one. Host doesn't - see any difference (except different access times and reported erase - granularity), it still reads and writes PNOR the same way as with physical - device. + `BMC Memory` means emulated flash is used instead of real one. Host doesn't + see any difference (except different access times and reported erase + granularity), it still reads and writes PNOR the same way as with physical + device. 1. Start host now, it should boot to newly "flashed" firmware instead of the old -one. + one. - > When BMC boots for the next time firmware from physical flash device is - used. This makes this approach safe against power failures or corrupted - images being flashed. + > When BMC boots for the next time firmware from physical flash device is + > used. This makes this approach safe against power failures or corrupted + > images being flashed. 1. To get back to real PNOR one can use: - ```bash - root@talos:~# mboxctl --backend vpnor - Failed to post message: Connection timed out - root@talos:~# mboxctl --lpc-state - LPC Bus Maps: Flash Device - ``` + ```bash + root@talos:~# mboxctl --backend vpnor + Failed to post message: Connection timed out + root@talos:~# mboxctl --lpc-state + LPC Bus Maps: Flash Device + ``` - Even though this command reports failure, it maps LPC back to flash device. - This can be tested with `mboxctl --lpc-state`. + Even though this command reports failure, it maps LPC back to flash device. + This can be tested with `mboxctl --lpc-state`. ## Summary @@ -264,5 +275,4 @@ Hostboot but didn't? Let us know, either below in the comment or by creating an issue on [Dasharo Issues](https://github.com/Dasharo/dasharo-issues). > If you are interested, in this video Piotr mentions some of challenges we had -to overcome: -{{< youtube toLV9d7H6Q0 >}} +> to overcome: {{\< youtube toLV9d7H6Q0 >}} diff --git a/blog/content/post/2022-03-17-optiplex-txt.md b/blog/content/post/2022-03-17-optiplex-txt.md index a98cf169..e9ac7d65 100644 --- a/blog/content/post/2022-03-17-optiplex-txt.md +++ b/blog/content/post/2022-03-17-optiplex-txt.md @@ -24,17 +24,20 @@ categories: --- -# Introduction +## Introduction Intel Trusted Execution Technology is a feature of Intel CPUs and chipsets to perform trusted measurement of the operating system software defined in Trusted -Computing Group [D-RTM architecture specification](https://trustedcomputinggroup.org/wp-content/uploads/TCG_D-RTM_Architecture_v1-0_Published_06172013.pdf). +Computing Group +[D-RTM architecture specification](https://trustedcomputinggroup.org/wp-content/uploads/TCG_D-RTM_Architecture_v1-0_Published_06172013.pdf). Dell OptiPlex 7010 / 9010 is Intel TXT capable. All you need is an Intel TXT capable CPU (you may quickly check the Intel Trusted Execution Technology -capability on [Intel ARK](https://ark.intel.com/content/www/us/en/ark.html#@Processors) -for your processor). +capability on +[Intel ARK](https://ark.intel.com/content/www/us/en/ark.html#@Processors) for +your processor). -You may also want to read [previous blog posts about Dell OptiPlex 7010 / 9010](https://blog.3mdeb.com/tags/optiplex/). +You may also want to read +[previous blog posts about Dell OptiPlex 7010 / 9010](https://blog.3mdeb.com/tags/optiplex/). ## DRTM rationale @@ -50,25 +53,26 @@ has malformed the firmware on your platform, they may install key loggers and spying software to steal your data, passwords, etc. How to prevent that? How to ensure the operating system software was not tampered with? The answer is DRTM (Dynamic Root of Trust for Measurement). It can provide both load-time and -runtime integrity of the software. Load-time integrity is when a trusted -entity, i.e. an entity with assumed integrity takes an action to assess an -entity being loaded into memory before it is used. Runtime integrity is when a -trusted entity makes an assessment of another entity after that entity at an -arbitrary time after execution of the assessed entity has begun. Often the -load-time integrity of an operating system's user-space, or operating -environment, is often confused as runtime integrity since it is an integrity -assessment of the "runtime" software. Since the dynamic launch is not tied to a -power event like the static launch, this enables a dynamic launch to be -initiated at any time and multiple times during a single power life cycle. +runtime integrity of the software. Load-time integrity is when a trusted entity, +i.e. an entity with assumed integrity takes an action to assess an entity being +loaded into memory before it is used. Runtime integrity is when a trusted entity +makes an assessment of another entity after that entity at an arbitrary time +after execution of the assessed entity has begun. Often the load-time integrity +of an operating system's user-space, or operating environment, is often confused +as runtime integrity since it is an integrity assessment of the "runtime" +software. Since the dynamic launch is not tied to a power event like the static +launch, this enables a dynamic launch to be initiated at any time and multiple +times during a single power life cycle. ## Intel TXT deep dive -The below diagram represents the typical boot flow of an Intel TXT enabled machine -with the measured launch. +The below diagram represents the typical boot flow of an Intel TXT enabled +machine with the measured launch. ![Intel TXT boot timeline](/img/txt_launch1.jpg) -> Source: *[A Practical Guide to TPM 2.0](https://link.springer.com/book/10.1007/978-1-4302-6584-9)* +> Source: +> *[A Practical Guide to TPM 2.0](https://link.springer.com/book/10.1007/978-1-4302-6584-9)* First, the BIOS is starting execution from the reset vector. It is responsible to initialize the Intel TXT to be used by the operating system bootloader. For @@ -83,7 +87,8 @@ measured launch of the operating system by calling the SINIT ACM: ![Breakout of measured launch details](/img/txt_launch2.jpg) -> Source: *[A Practical Guide to TPM 2.0](https://link.springer.com/book/10.1007/978-1-4302-6584-9)* +> Source: +> *[A Practical Guide to TPM 2.0](https://link.springer.com/book/10.1007/978-1-4302-6584-9)* Currently, there are two methods of executing SINIT ACM to perform measured launch: @@ -97,51 +102,51 @@ launch: The above diagram represents the tboot case. The approach taken by tboot was to provide an exokernel that could handle the launch protocol implemented by Intel's special loader, the SINIT ACM and remained in memory to manage the SMX -CPU mode that a dynamic launch would put a system. Tboot is responsible here -for checking all the prerequisites necessary to launch SINIT ACM and whether -the BIOS did properly set up the Intel TXT (otherwise the measured launch will -fail and we may anticipate something is wrong with the machine/firmware in such +CPU mode that a dynamic launch would put a system. Tboot is responsible here for +checking all the prerequisites necessary to launch SINIT ACM and whether the +BIOS did properly set up the Intel TXT (otherwise the measured launch will fail +and we may anticipate something is wrong with the machine/firmware in such case). If all checks pass tboot loads a SINIT ACM, specifies the memory ranges containing the operating system software to be measured and executed the SINIT -ACM using GETSEC\[SENTER\] instruction. Again the ACM signature is validated -and ACM is being executed in an AC RAM (special secured RAM for ACM execution) -to ensure nothing will tamper with the execution or measurement process. The -ACM calculate the hashes of the operating system software and sends them to the -TPM Platform Configuration Registers (PCRs) which hold the hashes of the -measured software. But they do not hold the hash itself, they combine the -current register value and the hash of the software into a new hash which is -saved into the register as a new value. This prevents easy faking of the PCRs -(in order to achieve the same register value, all the measurements sent to the -TPM must be done in the same order). BIOS does the same with BIOS code/modules, -but how it is different in the case of TXT? +ACM using GETSEC\[SENTER\] instruction. Again the ACM signature is validated and +ACM is being executed in an AC RAM (special secured RAM for ACM execution) to +ensure nothing will tamper with the execution or measurement process. The ACM +calculate the hashes of the operating system software and sends them to the TPM +Platform Configuration Registers (PCRs) which hold the hashes of the measured +software. But they do not hold the hash itself, they combine the current +register value and the hash of the software into a new hash which is saved into +the register as a new value. This prevents easy faking of the PCRs (in order to +achieve the same register value, all the measurements sent to the TPM must be +done in the same order). BIOS does the same with BIOS code/modules, but how it +is different in the case of TXT? 1. There are 24 PCRs inside TPM in total. BIOS can only extend PCRs 0 to 16 and PCR 23. PCRs 17 to 22 can be only enabled by hardware, no software code can initialize them, e.g. the microcode when launching the Intel TXT. Before the PCR 17 to 22 are initialized their values are set to FFs (-1). This is - achieved by Intel TXT opening the TPM's locality 4, the only locality able - to reset the PCRs 17-22, which is inaccessible by software. -2. SINIT ACM is being measured into PCR 17 as soon as TPM enters locality 4 via - GETSEC\[SENTER\] instruction execution. Altering this process is not - possible without a physical attack on the TPM. -3. PCRs 0-16 can be only reset by system/TPM reset which will zero out these - PCRs and set the DRTM PCRs 17-22 to FFs (-1). PCRs 17-22 can be only reset - by GETSEC\[SENTER\] instruction which forces the SINIT ACM to be loaded and + achieved by Intel TXT opening the TPM's locality 4, the only locality able to + reset the PCRs 17-22, which is inaccessible by software. +1. SINIT ACM is being measured into PCR 17 as soon as TPM enters locality 4 via + GETSEC\[SENTER\] instruction execution. Altering this process is not possible + without a physical attack on the TPM. +1. PCRs 0-16 can be only reset by system/TPM reset which will zero out these + PCRs and set the DRTM PCRs 17-22 to FFs (-1). PCRs 17-22 can be only reset by + GETSEC\[SENTER\] instruction which forces the SINIT ACM to be loaded and perform a new measured launch. -Due to the above reasons, the DRTM PCRs are always securely extended by -hardware and thus can be trusted, despite firmware being tampered with. Also -Intel TXT is blocking all interrupts, DMAs, and System Management Interrupts -(SMIs) to provide a safe environment for the operating system software -measurement. Example view of PCRs after tboot execution: +Due to the above reasons, the DRTM PCRs are always securely extended by hardware +and thus can be trusted, despite firmware being tampered with. Also Intel TXT is +blocking all interrupts, DMAs, and System Management Interrupts (SMIs) to +provide a safe environment for the operating system software measurement. +Example view of PCRs after tboot execution: ![DRTM PCRs](/img/tboot_pcr.png) -Additionally, Intel TXT offers user policies that can prevent launching -software which measurement isn't approved. It is called a Launch Control Policy -a user-generated structure which defines various requirements to be fulfilled -to consider the software/platform trusted, e.g. define the hashes of the -operating system software that is allowed to boot. +Additionally, Intel TXT offers user policies that can prevent launching software +which measurement isn't approved. It is called a Launch Control Policy a +user-generated structure which defines various requirements to be fulfilled to +consider the software/platform trusted, e.g. define the hashes of the operating +system software that is allowed to boot. ## Intel TXT on Dell OptiPlex 7010 / 9010 with coreboot @@ -151,27 +156,27 @@ Bridge platforms in several bugs and missing pieces in the Intel TXT driver developed by 9elements: - Some of them included deprecated APIs which caused the platform to jump to a - random RAM location: https://review.coreboot.org/c/coreboot/+/59515 -- Some implied the SINIT ACM is always included in the coreboot image and - failed to pass the correct information to tboot: - https://review.coreboot.org/c/coreboot/+/59519 + random RAM location: +- Some implied the SINIT ACM is always included in the coreboot image and failed + to pass the correct information to tboot: + - Incorrectly checked information about the production or debug chipset: - https://review.coreboot.org/c/coreboot/+/59514/ + It also took some debugging of the registers whether they are set correctly and fixing any wrong assumptions about the requirements for calling an ACM. When everything was in place and fixed it took roughly 70 lines of code to add support for the OptiPlex 7010 / 9010 chipset code.: -- https://review.coreboot.org/c/coreboot/+/59512 -- https://review.coreboot.org/c/coreboot/+/59523 +- +- Simple as it may sound, but in fact, it wasn't. My first attempt at enabling Intel TXT was over a year ago which were also presented on [QubesOS and 3mdeb minisummit](https://www.youtube.com/watch?v=YE2FbFlszI4). -To use the Intel TXT, you will need the BIOS ACM and the SINIT ACM. The -latter is available for download from +To use the Intel TXT, you will need the BIOS ACM and the SINIT ACM. The latter +is available for download from [Intel](https://www.intel.com/content/www/us/en/developer/articles/tool/intel-trusted-execution-technology.html) while the former can be obtained by NDA only. @@ -180,9 +185,10 @@ coreboot to use Intel TXT: [![asciicast](https://asciinema.org/a/449501.svg)](https://asciinema.org/a/449501?speed=1) -One of the most interesting uses of Intel TXT is the [QubesOS Anti Evil Maid](https://github.com/QubesOS/qubes-antievilmaid/). -As the name suggests it prevents Evil Maid attacks. It is pretty easy to set up -using the guide from the repository. Here is an example of running Anti Evil Maid +One of the most interesting uses of Intel TXT is the +[QubesOS Anti Evil Maid](https://github.com/QubesOS/qubes-antievilmaid/). As the +name suggests it prevents Evil Maid attacks. It is pretty easy to set up using +the guide from the repository. Here is an example of running Anti Evil Maid tboot to boot QubesOS: [![asciicast](https://asciinema.org/a/449387.svg)](https://asciinema.org/a/449387?speed=1) @@ -194,36 +200,38 @@ DRTM to perform the attestation. There is implementation of the "Challenge/Response Remote Attestation" interaction model of the IETF RATS done by Fraunhofer Institute. 3mdeb also works on an attestation USB token which will free the user from using doubtful attestation -servers and the global network by implementing the attestation services based -on CHARRA inside a USB dongle. For more information please visit the +servers and the global network by implementing the attestation services based on +CHARRA inside a USB dongle. For more information please visit the [Fobnail page](https://fobnail.3mdeb.com/). ## TrenchBoot support ![TrenchBoot](/img/trenchboot_logo.svg) -TrenchBoot is a framework that allows individuals and projects to build -security engines to perform launch integrity actions for their systems. It -leverages the Intel TXT and AMD Secure Startup for this purpose. On the day of -writing this post TrenchBoot support in GRUB2 does not yet implement TPM 1.2 -for Intel TXT path. Dell OptiPlex 7010 / 9010 can use the TPM 1.2 only with the -Intel TXT. The TPM1.2 support will be implemented soon. +TrenchBoot is a framework that allows individuals and projects to build security +engines to perform launch integrity actions for their systems. It leverages the +Intel TXT and AMD Secure Startup for this purpose. On the day of writing this +post TrenchBoot support in GRUB2 does not yet implement TPM 1.2 for Intel TXT +path. Dell OptiPlex 7010 / 9010 can use the TPM 1.2 only with the Intel TXT. The +TPM1.2 support will be implemented soon. Watch my presentation at Linux Secure Launch - TrenchBoot Summit 2021 about [DRTM as a modern Root of Trust in OSF](https://www.youtube.com/watch?v=xZoCtNV8Qs0&t=1017s) ## Summary -Intel TXT support will be included in the official releases of Dasharo -firmware Dell OptiPlex 7010 / 9010. It will be fully tested with the automated -deployment procedures to integrate all the features Dasharo has to offer. Join -the Dasharo community on [Dasharo Matrix space](https://matrix.to/#/#dasharo:matrix.org) +Intel TXT support will be included in the official releases of Dasharo firmware +Dell OptiPlex 7010 / 9010. It will be fully tested with the automated deployment +procedures to integrate all the features Dasharo has to offer. Join the Dasharo +community on [Dasharo Matrix space](https://matrix.to/#/#dasharo:matrix.org) where you can find the most recent information about the Dasharo ecosystem and discussions about open-source firmware. Join the community of hardware and open-source firmware enthusiasts today! If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of the used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in -similar content feel free to [sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) +of the used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to +[sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2022-03-21-fobnail_3rd_phase.md b/blog/content/post/2022-03-21-fobnail_3rd_phase.md index 1ccf3062..a19cce7e 100644 --- a/blog/content/post/2022-03-21-fobnail_3rd_phase.md +++ b/blog/content/post/2022-03-21-fobnail_3rd_phase.md @@ -21,30 +21,30 @@ categories: --- -# About the Fobnail project +## About the Fobnail project Fobnail is a project that aims to provide a reference architecture for building offline integrity measurement verifiers on the USB device (Fobnail Token) and attesters running in Dynamically Launched Measured Environments (DLME). It allows the Fobnail owner to verify the trustworthiness of the running system -before performing any sensitive operation. This project was founded by [NlNet -Foundation](https://nlnet.nl/). More information about the project can be found -in the [Fobnail documentation](https://fobnail.3mdeb.com/). Also, make sure to -read other posts related to this project by visiting +before performing any sensitive operation. This project was founded by +[NlNet Foundation](https://nlnet.nl/). More information about the project can be +found in the [Fobnail documentation](https://fobnail.3mdeb.com/). Also, make +sure to read other posts related to this project by visiting [fobnail](https://blog.3mdeb.com/tags/fobnail/) tag. -# Keys used in communication between Fobnail Token and attester +## Keys used in communication between Fobnail Token and attester In current phase two key pairs are used during communication, those are AIK and EK. Both belong to TPM installed on attester and their private parts should never leave TPM. > There is one exception where a private part leaves TPM, that is as an output -of `TPM2_Create` command. It is used in `TPM2_Load` and immediately purged from -RAM. This path is taken only if AIK isn't already in persistent TPM memory. -Newer versions of TPM specification added mandatory `TPM2_CreateLoaded` command -to skip exposing private key to host, but this isn't supported by all TPMs so we -went with separate commands. +> of `TPM2_Create` command. It is used in `TPM2_Load` and immediately purged +> from RAM. This path is taken only if AIK isn't already in persistent TPM +> memory. Newer versions of TPM specification added mandatory +> `TPM2_CreateLoaded` command to skip exposing private key to host, but this +> isn't supported by all TPMs so we went with separate commands. ### AIK @@ -70,12 +70,13 @@ handle `0x8100F0BE`. In most cases RSA EK certificate can be read from TPM NVRAM (index `0x01C00002`) but sometimes it is absent (fTPM, simulated TPM). Because this certificate is used by Fobnail Token for verification against trusted CA certificate chains, -we've created [a script for "manufacturing" it](https://github.com/fobnail/fobnail-attester/blob/main/tools/tpm_manufacture.sh) +we've created +[a script for "manufacturing" it](https://github.com/fobnail/fobnail-attester/blob/main/tools/tpm_manufacture.sh) whenever it is absent. The only use of EK right now is proving that AIK comes from the same TPM. -# Tying AIK with EK +## Tying AIK with EK TPM has to have access to EK in order to load and use AIK, but this doesn't imply that external party can test that AIK lives indeed inside TPM, or if it @@ -95,7 +96,7 @@ Because `TPM2_ActivateCredential()` just proves that _an object_ is associated with a credential, Verifier has to check whether AIK is indeed a key with appropriate properties, like ability to sign and protection policy. -# Metadata and RIM +## Metadata and RIM Metadata is just a set of identifiers used to differentiate between platforms. Currently it consists of platform's MAC address, manufacturer, product name and @@ -117,7 +118,7 @@ changes we basically created another standard: [![Standards](https://imgs.xkcd.com/comics/standards.png)](https://xkcd.com/927/) -# Building +## Building Build system was updated for easier and faster development. It now includes packages required to build TPM simulator. This opens up a possibility of @@ -127,31 +128,34 @@ separately. ### Cloning ```bash -$ git clone https://github.com/fobnail/fobnail-sdk.git -$ git clone https://github.com/fobnail/fobnail-attester.git --recurse-submodules -$ git clone https://github.com/fobnail/fobnail.git --recurse-submodules +git clone https://github.com/fobnail/fobnail-sdk.git +git clone https://github.com/fobnail/fobnail-attester.git --recurse-submodules +git clone https://github.com/fobnail/fobnail.git --recurse-submodules ``` Components should always work with each other when all repositories are cloned at the same time, but for extra safety, these are commits used at the time of writing this blog post: -* SDK: `53f19086c993 2022-03-08|Fix build problems on nRF target` -* Attester: `85e8ab442e9f 2022-03-17|docker.sh: review fixes; +- SDK: `53f19086c993 2022-03-08|Fix build problems on nRF target` +- Attester: + `85e8ab442e9f 2022-03-17|docker.sh: review fixes; docker/entrypoint.sh: fix permissions issue` -* Fobnail: `9a8a404f9e5f 2022-03-16|tools/lfs/src/main.rs: add option to format - flash before doing command` +- Fobnail: + `9a8a404f9e5f 2022-03-16|tools/lfs/src/main.rs: add option + to format flash before doing command` ### Building and installing SDK Fobnail SDK is used to build code for Fobnail token, i.e. Verifier part of -attestation process. It is [published on GHCR](https://github.com/fobnail/fobnail-sdk/pkgs/container/fobnail-sdk) +attestation process. It is +[published on GHCR](https://github.com/fobnail/fobnail-sdk/pkgs/container/fobnail-sdk) and latest version of it is automatically pulled when needed, user needs only the `run-fobnail-sdk.sh` script installed in PATH. ```bash $ cd fobnail-sdk -# Feel free to use different directory or name, as long as it is in $PATH +## Feel free to use different directory or name, as long as it is in $PATH $ ln -s $(readlink -f ./run-fobnail-sdk.sh) ~/bin/run-fobnail-sdk.sh ``` @@ -187,7 +191,7 @@ $ ./docker.sh build-lfs $ ./docker.sh run-tmux ``` -# Demo +## Demo [![asciicast](https://asciinema.org/a/OJ1YWyKhexSztmbfNVS79eGbo.svg)](https://asciinema.org/a/OJ1YWyKhexSztmbfNVS79eGbo?speed=1) @@ -206,6 +210,8 @@ platform. Support for attestation is planned for the next phase, so stay tuned. If you think we can help in improving the security of your firmware or you are looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to +[sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2022-03-23-kgpe-d16-testing-update.md b/blog/content/post/2022-03-23-kgpe-d16-testing-update.md index 75e9864b..84cb5a2c 100644 --- a/blog/content/post/2022-03-23-kgpe-d16-testing-update.md +++ b/blog/content/post/2022-03-23-kgpe-d16-testing-update.md @@ -21,7 +21,7 @@ categories: --- -# Introduction +## Introduction Software testing is very important in every type of project to ensure the quality reaches the desired level and the product is in a production state. @@ -29,11 +29,11 @@ Unlike software testing, firmware testing does not only verify whether the code behaves as it is supposed to, but also covers functional verification if the hardware works as it should. It makes firmware validation much harder than any software application as we may face many unexpected and not always reproducible -issues. The firmware industry constantly tries to improve itself in the field -of validation and quality assurance, so is Dasharo. This time we made a huge -leap in ASUS KGPE-D16 testing. +issues. The firmware industry constantly tries to improve itself in the field of +validation and quality assurance, so is Dasharo. This time we made a huge leap +in ASUS KGPE-D16 testing. -# New tests +## New tests One may check the testing results for each release in the [spreadsheet](https://docs.google.com/spreadsheets/d/1rsJECHmYrpkPSByTyt7jmMuQnExE20zW7Zk6c8oMk6E/edit#gid=0). @@ -43,26 +43,26 @@ The new tests have the 23.03.2022 date appended in the header. The scope has been extended with the following tests: -* [Dasharo Security: Verified Boot](https://docs.dasharo.com/unified-test-documentation/dasharo-security/201-verified-boot/) +- [Dasharo Security: Verified Boot](https://docs.dasharo.com/unified-test-documentation/dasharo-security/201-verified-boot/) booting from slot A -* [Dasharo Compatibility: Platform Suspend and Resume](https://docs.dasharo.com/unified-test-documentation/dasharo-compatibility/31M-platform-suspend-and-resume/) -* [Dasharo Compatibility: Flash Write protection](https://docs.dasharo.com/unified-test-documentation/dasharo-compatibility/31P-flash-write-protection/) -* [Dasharo Performance: Boot measure](https://docs.dasharo.com/unified-test-documentation/dasharo-performance/400-coreboot-boot-measure/) +- [Dasharo Compatibility: Platform Suspend and Resume](https://docs.dasharo.com/unified-test-documentation/dasharo-compatibility/31M-platform-suspend-and-resume/) +- [Dasharo Compatibility: Flash Write protection](https://docs.dasharo.com/unified-test-documentation/dasharo-compatibility/31P-flash-write-protection/) +- [Dasharo Performance: Boot measure](https://docs.dasharo.com/unified-test-documentation/dasharo-performance/400-coreboot-boot-measure/) -## Verified boot +### Verified boot The basic tests conducted earlier simply checked if vboot is enabled and the platform boots. It missed the verification of real vboot functionality. So the tests have been extended to check whether vboot selects firmware partition A to boot from. It tells us whether vboot verified the firmware correctly and it has not been tampered with. Additionally, we have simulated the attack on firmware -partition A by modifying it inside the flash. In such a case vboot should -detect tampering with the firmware and request recovery mode. Unfortunately, it -does not happen, the platform is stuck in a boot loop unable to request the -recovery mode. The issue has been described +partition A by modifying it inside the flash. In such a case vboot should detect +tampering with the firmware and request recovery mode. Unfortunately, it does +not happen, the platform is stuck in a boot loop unable to request the recovery +mode. The issue has been described [here](https://github.com/Dasharo/dasharo-issues/issues/66) -## Platform suspend resume +### Platform suspend resume Our validation also covers testing of the ACPI S3 suspend/resume. The platform performs 30 cycles of suspend and resume to OS from RAM. ACPI S3 resume follows @@ -70,35 +70,37 @@ a slightly different boot path than normal boot and different issues may be detected in the process. Fortunately, the platform passes the test without issues. -## Flash Write protection +### Flash Write protection Our KGPE-D16 setups contain DIP8 to SOIC8 flash adapters with a header for WP -pin jumper. It allows us to set a write protection range and lock it by -shorting the WP pin with a jumper. Our tests automate the process of setting -the protected ranges. However, the configuration with W25Q128FV 16MB flash -failed the test probably due to a missing or buggy implementation of the write +pin jumper. It allows us to set a write protection range and lock it by shorting +the WP pin with a jumper. Our tests automate the process of setting the +protected ranges. However, the configuration with W25Q128FV 16MB flash failed +the test probably due to a missing or buggy implementation of the write protection for this particular chip in flashrom. The issue has been described [here](https://github.com/Dasharo/dasharo-issues/issues/67). The W25Q64FV 8MB -flash works well. Locking the flash part allows creating a Static Root of -Trust. +flash works well. Locking the flash part allows creating a Static Root of Trust. -## Measuring boot time +### Measuring boot time coreboot has a built-in mechanism to gather timestamps from the platform initialization steps and calculate the booting time. Our test automates the process of extracting those timestamps/measurements and calculates the total booting time. These values are pretty high right now (25s) since the serial -console debug output is enabled. The BMC also takes a few seconds to be -detected as non-functional (our setups do not have the BMC firmware module). +console debug output is enabled. The BMC also takes a few seconds to be detected +as non-functional (our setups do not have the BMC firmware module). -## Summary +### Summary In total, we have increased the number of conducted tests by 16 (8 on each platform setup) of which 12 passed and 4 failed. Specifications of these have -also been prepared which may always be found on the [Dasharo documentation page](https://docs.dasharo.com/unified-test-documentation/overview/). +also been prepared which may always be found on the +[Dasharo documentation page](https://docs.dasharo.com/unified-test-documentation/overview/). If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of the used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) +of the used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to +[sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2022-04-06-fobnail_attestation_phase.md b/blog/content/post/2022-04-06-fobnail_attestation_phase.md index 5c32f08e..977388df 100644 --- a/blog/content/post/2022-04-06-fobnail_attestation_phase.md +++ b/blog/content/post/2022-04-06-fobnail_attestation_phase.md @@ -23,23 +23,23 @@ categories: --- -# About the Fobnail project +## About the Fobnail project Fobnail is a project that aims to provide a reference architecture for building offline integrity measurement verifiers on the USB device (Fobnail Token) and attesters running in Dynamically Launched Measured Environments (DLME). It allows the Fobnail owner to verify the trustworthiness of the running system -before performing any sensitive operation. This project was founded by [NlNet -Foundation](https://nlnet.nl/). More information about the project can be found -in the [Fobnail documentation](https://fobnail.3mdeb.com/). Also, make sure to -read other posts related to this project by visiting +before performing any sensitive operation. This project was founded by +[NlNet Foundation](https://nlnet.nl/). More information about the project can be +found in the [Fobnail documentation](https://fobnail.3mdeb.com/). Also, make +sure to read other posts related to this project by visiting [fobnail](https://blog.3mdeb.com/tags/fobnail/) tag. -# Scope of current phase +## Scope of current phase This phase was mostly about implementing attestation. It includes splitting the -current implementation of Fobnail (aka Verifier) code into separate modules. -A module for previous phase (platform provisioning) is started only if Fobnail +current implementation of Fobnail (aka Verifier) code into separate modules. A +module for previous phase (platform provisioning) is started only if Fobnail doesn't have platform-specific artifacts saved in flash. A module for attestation is always started, either as first stage or immediately after provisioning, to test if provisioning succeeded. @@ -51,10 +51,11 @@ verified) implementation of Fobnail. For definitions of roles and artifacts mentioned throughout the post, see [Remote Attestation Procedures Architecture](https://datatracker.ietf.org/doc/draft-ietf-rats-architecture/) -and [our documentation](https://fobnail.3mdeb.com/architecture/#fobnail-components) +and +[our documentation](https://fobnail.3mdeb.com/architecture/#fobnail-components) that maps those to Fobnail components. -# Attestation +## Attestation Attestation is a process during which Verifier (Fobnail Token) asks Attester (host platform) for Evidence (in our case this is signed TPM quote), and based @@ -65,12 +66,12 @@ this is binary _good_/_bad_ output. ![Diagram of Fobnail attestation flow](/img/Fobnail-flows-attestation.png) -## Implementation +### Implementation Reference Values in form of RIM were created and passed to Fobnail Token in -[previous phase](../2022-03-21-fobnail_3rd_phase). A per-platform Appraisal -Policy is expected to be installed during remote platform provisioning. In case -of local provisioning, a default policy is used. +[previous phase](https://blog.3mdeb.com/2022/2022-03-21-fobnail_3rd_phase/). +A per-platform Appraisal Policy is expected to be installed during remote +platform provisioning. In case of local provisioning, a default policy is used. Default policy for Fobnail includes comparison of hashes of PCRs 0-7 and 17-18, for SHA256 bank. It is checked by using `TPM2_Quote()` command, for which @@ -97,20 +98,20 @@ implicit assumptions: attestation, Fobnail Token checks signatures of received data against this saved copy. -# Building +## Building -[Previous build instructions](../2022-03-21-fobnail_3rd_phase#building) still -apply. These are commits that were used at the time of writing this post: +[Previous build instructions](https://blog.3mdeb.com/2022/2022-03-21-fobnail_3rd_phase/#building) +still apply. These are commits that were used at the time of writing this post: -* SDK: `53f19086c993 2022-03-08|Fix build problems on nRF target` -* Attester: `0b7085ff80a3 2022-04-06|docker.sh: display tmux pane names` -* Fobnail: `be92a104c3b1 2022-04-06|Fix misleading error message` +- SDK: `53f19086c993 2022-03-08|Fix build problems on nRF target` +- Attester: `0b7085ff80a3 2022-04-06|docker.sh: display tmux pane names` +- Fobnail: `be92a104c3b1 2022-04-06|Fix misleading error message` -# Demo +## Demo [![asciicast](https://asciinema.org/a/VgEAAH0V0YzXKWZJ7vT9ze9my.svg)](https://asciinema.org/a/VgEAAH0V0YzXKWZJ7vT9ze9my?speed=1) -# Running Fobnail on real hardware +## Running Fobnail on real hardware During early development, we used [nRF52840 Dongle](https://www.nordicsemi.com/Products/Development-hardware/nrf52840-dongle) @@ -119,7 +120,7 @@ as a device for running Fobnail firmware (tested both on with USB, we started running Fobnail as a Linux application during the previous phase. The time has come to fix this. -## Fixing USB +### Fixing USB Plugging Fobnail Token into a USB socket didn't work all the time correctly – details in [issue](https://github.com/fobnail/usbd-ethernet/issues/2). We have @@ -132,13 +133,13 @@ packets not arriving to host. Starting by checking USB interrupt handler, we very quickly found that interrupts didn't fire right in time after initializing USB, and delays were up to 85 ms. -This turned out to be the direct -cause of USB failure. At first, we tried profiling USB driver interrupt handler -and critical sections, and both were taking less than 1ms delay. Eventually, we -discovered that the problem lies not in the USB driver but in the NVMC driver, -which we use for storing persistent data in flash memory. When writing to flash, -NVMC will stop CPU while writing, and erasing a single 4K flash page takes -exactly 85 ms. This is documented as `t_ERASEPAGE` in +This turned out to be the direct cause of USB failure. At first, we tried +profiling USB driver interrupt handler and critical sections, and both were +taking less than 1ms delay. Eventually, we discovered that the problem lies not +in the USB driver but in the NVMC driver, which we use for storing persistent +data in flash memory. When writing to flash, NVMC will stop CPU while writing, +and erasing a single 4K flash page takes exactly 85 ms. This is documented as +`t_ERASEPAGE` in [nRF52840 specification](https://infocenter.nordicsemi.com/pdf/nRF52840_PS_v1.7.pdf). Fortunately, nRF52840 has a feature called partial erase, which allows us to @@ -151,7 +152,7 @@ implemented this on our own and opened Implementing partial erase and a few other smaller fixes (described in [commit history](https://github.com/fobnail/fobnail/pull/24/commits)) fixed USB. -## Fixing LittleFS +### Fixing LittleFS We have a problem with LittleFS [corrupting](https://github.com/fobnail/fobnail/issues/12) itself, usually @@ -161,7 +162,7 @@ located in Rust bindings to LittleFS since it doesn't occur with equivalent written in C. The problem is described more in-depth [here](https://github.com/trussed-dev/littlefs2/issues/16). -## Signaling provisioning and attestation result +### Signaling provisioning and attestation result We implemented LED driver, now Fobnail will signal attestation (and provisioning) result using either red or green LED. Provisioning status is @@ -173,13 +174,16 @@ for 10 seconds. Right now Fobnail blinks with red LED, because we don't have support for installing certificates into flash (we support this but only for emulated flash on PC). We will implement this during the next phase. Until then, you can -comment out [code](https://github.com/fobnail/fobnail/blob/86e3f22edba3e07f2eb54156e16a660d8c7254f6/src/certmgr/verify.rs#L45) +comment out +[code](https://github.com/fobnail/fobnail/blob/86e3f22edba3e07f2eb54156e16a660d8c7254f6/src/certmgr/verify.rs#L45) responsible for certificate verification. -## Summary +### Summary If you think we can help in improving the security of your firmware or you are looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to +[sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2022-04-12-talos2_2nd_cpu_and_testing.md b/blog/content/post/2022-04-12-talos2_2nd_cpu_and_testing.md index 8734ec9d..def96190 100644 --- a/blog/content/post/2022-04-12-talos2_2nd_cpu_and_testing.md +++ b/blog/content/post/2022-04-12-talos2_2nd_cpu_and_testing.md @@ -24,8 +24,9 @@ test suite. ## Links to binaries and installation instructions -Binaries and their signatures can be found on [Talos II release page](https://docs.dasharo.com/variants/talos_2/releases/). -In [installation instructions](https://docs.dasharo.com/variants/talos_2/initial-deployment/) +Binaries and their signatures can be found on +[Talos II release page](https://docs.dasharo.com/variants/talos_2/releases/). In +[installation instructions](https://docs.dasharo.com/variants/talos_2/initial-deployment/) you can find steps needed both for permanent flashing as well as for temporary use of different firmware image. @@ -75,51 +76,42 @@ simple repetition was not enough, most notably: In addition to various initialization steps, we had to update device tree passed to Skiboot to include information about new CPU and devices it adds. We also switched away from FIT payload and started using ELF. Main motivation for this -change was fact that [FIT decompression code does not work as expected](https://mail.coreboot.org/hyperkitty/list/coreboot@coreboot.org/thread/6EZWU7YPUJE564GNCV7U32IXWPFTV7FB/) +change was fact that +[FIT decompression code does not work as expected](https://mail.coreboot.org/hyperkitty/list/coreboot@coreboot.org/thread/6EZWU7YPUJE564GNCV7U32IXWPFTV7FB/) in coreboot. With payload compressed with LZMA, flash memory footprint of whole coreboot and Skiboot has shrunk to just below 700 KB. For comparison, Hostboot takes about 30 MB of space. ## New tests -In order to achive greater reliability of the firmware and to avoid bugs test +In order to achieve greater reliability of the firmware and to avoid bugs test base on the Talos II platform has been improved. Currently, before each firmware release, the following test suites will be performed: -- [Dasharo compatibility: coreboot base port][CBP], which contains test cases + +- [Dasharo compatibility: coreboot base port][cbp], which contains test cases for checking correctness of coreboot porting on the device. -- [Dasharo compatibility: Petitboot payload support][PBT], which contains test +- [Dasharo compatibility: Petitboot payload support][pbt], which contains test cases for checking Petitboot availabity and functionality. -- [Dasharo compatibility: Heads bootloader support][HDS], which contains test +- [Dasharo compatibility: Heads bootloader support][hds], which contains test cases for checking Heads bootloader availabity. -- [Dasharo compatibility: USB detection][USB], which contains test cases for +- [Dasharo compatibility: USB detection][usb], which contains test cases for checking correctness of USB detection after coldboot, warmboot and system reboot. -- [Dasharo compatibility: USB booting][UBB], which contains tests cases for +- [Dasharo compatibility: USB booting][ubb], which contains tests cases for checking correctness of booting from USB after coldboot, warmboot and system reboot. -- [Dasharo compatibility: Debian Stable and Ubuntu LTS support][LBT], which +- [Dasharo compatibility: Debian Stable and Ubuntu LTS support][lbt], which contains test cases for checking correctness of installing and booting into installed OS. -- [Dasharo compatibility: Device Tree][DVT], which contains test cases for +- [Dasharo compatibility: Device Tree][dvt], which contains test cases for checking correctness of coreboot presentation in Device Tree. -- [Dasharo compatibility: CPU status][CPU], which contains test cases for +- [Dasharo compatibility: CPU status][cpu], which contains test cases for checking correctness of CPU work. -All test cases documentation is available under this [link][Tests]. -Full test matrix for Talos II is available under this [link][Matrix] - -[CBP]: https://docs.dasharo.com/unified-test-documentation/dasharo-compatibility/100-coreboot-base-port/ -[PBT]: https://docs.dasharo.com/unified-test-documentation/dasharo-compatibility/31V-petitboot-payload-support/ -[HDS]: https://docs.dasharo.com/unified-test-documentation/dasharo-compatibility/31U-heads-bootloader-support/ -[USB]: https://docs.dasharo.com/unified-test-documentation/dasharo-compatibility/31O-usb-detect/ -[UBB]: https://docs.dasharo.com/unified-test-documentation/dasharo-compatibility/31N-usb-boot/ -[LBT]: https://docs.dasharo.com/unified-test-documentation/dasharo-compatibility/308-debian-stable-and-ubuntu-lts-support/ -[DVT]: https://docs.dasharo.com/unified-test-documentation/dasharo-compatibility/31W-device-tree/ -[CPU]: https://docs.dasharo.com/unified-test-documentation/dasharo-compatibility/31T-cpu-status/ -[Tests]: https://docs.dasharo.com/unified-test-documentation/overview/ -[Matrix]: https://docs.dasharo.com/variants/talos_2/test-matrix/ +All test cases documentation is available under this [link][tests]. Full test +matrix for Talos II is available under this [link][matrix] ## Summary @@ -130,6 +122,19 @@ researching what it would take to add TPM support. If you think we can help in improving the security of your firmware or you are looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to +[sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) + +[cbp]: https://docs.dasharo.com/unified-test-documentation/dasharo-compatibility/100-coreboot-base-port/ +[cpu]: https://docs.dasharo.com/unified-test-documentation/dasharo-compatibility/31T-cpu-status/ +[dvt]: https://docs.dasharo.com/unified-test-documentation/dasharo-compatibility/31W-device-tree/ +[hds]: https://docs.dasharo.com/unified-test-documentation/dasharo-compatibility/31U-heads-bootloader-support/ +[lbt]: https://docs.dasharo.com/unified-test-documentation/dasharo-compatibility/308-debian-stable-and-ubuntu-lts-support/ +[matrix]: https://docs.dasharo.com/variants/talos_2/test-matrix/ +[pbt]: https://docs.dasharo.com/unified-test-documentation/dasharo-compatibility/31V-petitboot-payload-support/ +[tests]: https://docs.dasharo.com/unified-test-documentation/overview/ +[ubb]: https://docs.dasharo.com/unified-test-documentation/dasharo-compatibility/31N-usb-boot/ +[usb]: https://docs.dasharo.com/unified-test-documentation/dasharo-compatibility/31O-usb-detect/ diff --git a/blog/content/post/2022-04-14-tigerlake-osf.md b/blog/content/post/2022-04-14-tigerlake-osf.md index 8907cd28..cdb84479 100644 --- a/blog/content/post/2022-04-14-tigerlake-osf.md +++ b/blog/content/post/2022-04-14-tigerlake-osf.md @@ -20,14 +20,14 @@ categories: --- -# Introduction +## Introduction -If somebody would tell 7 years ago that Intel will support open source -firmware, he would be laughed at instantly. If we recall time, like 15 years -ago where the datasheets were more open and were sufficient to write open -source firmware, today it is not possible. Silicon vendors are hiding the -intellectual property contained in the processors. It would seem like the open -source firmware is doomed, but... +If somebody would tell 7 years ago that Intel will support open source firmware, +he would be laughed at instantly. If we recall time, like 15 years ago where the +datasheets were more open and were sufficient to write open source firmware, +today it is not possible. Silicon vendors are hiding the intellectual property +contained in the processors. It would seem like the open source firmware is +doomed, but... Thankfully there are companies and Intel employees that try to make impact and change this situation. For example Google supporting the coreboot project on @@ -46,11 +46,11 @@ source firmware community members from Intel: present on various open source firmware events on communities, few examples of their contribution:: -* [OSCF2018 Keynote](https://youtu.be/3VVaCOCCiD8) -* [OSFC2019 Intel Open Platform Enabling Plans](https://www.youtube.com/watch?v=d2aKDVuFaX8) -* [OSFC2019 Hardening Firmware Components with Host-based Analysis Tools](https://www.youtube.com/watch?v=cd80acwTYLY) +- [OSCF2018 Keynote](https://youtu.be/3VVaCOCCiD8) +- [OSFC2019 Intel Open Platform Enabling Plans](https://www.youtube.com/watch?v=d2aKDVuFaX8) +- [OSFC2019 Hardening Firmware Components with Host-based Analysis Tools](https://www.youtube.com/watch?v=cd80acwTYLY) -# OSF on Tiger Lake platform +## OSF on Tiger Lake platform Tiger Lake is the codename of the 11th generation Intel processors. We had the pleasure to get the Tiger Lake Reference Validation Platform (RVP) and test the @@ -60,75 +60,79 @@ Lake RVP should be ready. This however is different from EDK2 MinPlatform. The open board implementation is released some time after FSP. But let's start form the beginning. -## coreboot +### coreboot Tiger Lake implementation in coreboot was the first we have tried before going with MinPlatform because the latter wasn't available yet. For reasonably -experienced engineer it is quite simple to configure the build, since almost -all the options are in place when selecting the TigerLake RVP platform. -However, one may miss the microcode binary when building coreboot. Typically -one extract the microcode blob from the original BIOS binary shipped with the -platform if the microcode is not disclosed or publicly available. When -extracted simply change the configuration options to include microcode external -binaries and point to the path with extracted microcode, done. - -I will omit the build process here since I would like focus more on problems -and their possible solutions. If you are interested in building coreboot for -RVP platform please refer to [Booting coreboot on Intel Comet Lake S RVP8 blog post](https://blog.3mdeb.com/2020/2020-08-31-booting-coreboot-on-cometlake/) +experienced engineer it is quite simple to configure the build, since almost all +the options are in place when selecting the TigerLake RVP platform. However, one +may miss the microcode binary when building coreboot. Typically one extract the +microcode blob from the original BIOS binary shipped with the platform if the +microcode is not disclosed or publicly available. When extracted simply change +the configuration options to include microcode external binaries and point to +the path with extracted microcode, done. + +I will omit the build process here since I would like focus more on problems and +their possible solutions. If you are interested in building coreboot for RVP +platform please refer to +[Booting coreboot on Intel Comet Lake S RVP8 blog post](https://blog.3mdeb.com/2020/2020-08-31-booting-coreboot-on-cometlake/) The first challenge I have encountered is that the platform did not print any output on any of the serial consoles, although it is capable of printing it according to the schematics. Thankfully the RVP platforms have 7-segment displays for post codes which makes it easy to debug instructions after reset -vector. It occurred that it stops in the cache as RAM setup. At this point -there is not much one can do without support or bug history. So I have sent an -email to coreboot mailing list and got a reply that +vector. It occurred that it stops in the cache as RAM setup. At this point there +is not much one can do without support or bug history. So I have sent an email +to coreboot mailing list and got a reply that [older microcode revisions had problem with new CAR setup](https://mail.coreboot.org/hyperkitty/list/coreboot@coreboot.org/thread/7YHWASZX3CQ5U3L7D5CVJCDZSMRNCCXK/). -I have followed the [Tim Wawrzynczak](https://www.linkedin.com/in/tim-wawrzynczak-0011315/) -advise and turned off the `INTEL_CAR_NEM_ENHANCED` (thank you Tim for the hint -by the way). I did the trick and I could see the serial output on the console. -"Now it is a piece of cake" I thought... Then I saw the +I have followed the +[Tim Wawrzynczak](https://www.linkedin.com/in/tim-wawrzynczak-0011315/) advise +and turned off the `INTEL_CAR_NEM_ENHANCED` (thank you Tim for the hint by the +way). I did the trick and I could see the serial output on the console. "Now it +is a piece of cake" I thought... Then I saw the `FSP memory init returned an error`. Great, now what? Second challenge is the memory initialization and configuration. After investigating the source code I noted the Tiger Lake RVP mainboard has LPDDR4 configuration. But wait, my platform has 2 DDR4 SODIMMs... That explains the error. The typical difference between LPDDR and DDR memory is that the former -requires an exact mapping of memory signal from CPU to DRAM to be passed to -FSP. So simply zeroing this configuration should be enough. Also the memory -initialization was called by `meminit_lpddr4x` which was not suited for DDR4, -so I had to change it to `meminit_ddr4` with appropriate parameters for SMBus -SPD addresses. After these modifications I could past through the memory +requires an exact mapping of memory signal from CPU to DRAM to be passed to FSP. +So simply zeroing this configuration should be enough. Also the memory +initialization was called by `meminit_lpddr4x` which was not suited for DDR4, so +I had to change it to `meminit_ddr4` with appropriate parameters for SMBus SPD +addresses. After these modifications I could past through the memory initialization. Another challenge faced was the CPU initialization in coreboot. I was getting board resets during MCE (Machine Check Error registers) clearing which I have -written about [here on coreboot mailing list](https://mail.coreboot.org/hyperkitty/list/coreboot@coreboot.org/thread/MW44TIEMFMVDWPVCAFPE2QUFXXGZYYAX/). - -Till today I haven't got any response, however, I managed to resolve the -problem as well. When investigating the logs I noticed that the microcode is -not automatically loaded before the reset vector (wait, what?! how?!). For -reminder, the microcode is being loaded through FIT table before reset vector -since Haswell (4th generation) processors. This could be due to the processor -being engineering sample (which is common for RVP platforms). I had placed an -explicit call to update microcode in the coreboot's bootblock (the very first -stage executed after reset vector) then I got past the PCI enumeration phase. +written about +[here on coreboot mailing list](https://mail.coreboot.org/hyperkitty/list/coreboot@coreboot.org/thread/MW44TIEMFMVDWPVCAFPE2QUFXXGZYYAX/). + +Till today I haven't got any response, however, I managed to resolve the problem +as well. When investigating the logs I noticed that the microcode is not +automatically loaded before the reset vector (wait, what?! how?!). For reminder, +the microcode is being loaded through FIT table before reset vector since +Haswell (4th generation) processors. This could be due to the processor being +engineering sample (which is common for RVP platforms). I had placed an explicit +call to update microcode in the coreboot's bootblock (the very first stage +executed after reset vector) then I got past the PCI enumeration phase. Right after the PCI enumeration phase I was hit with FSP notify error. No idea what could cause this issue, since the notify phases typically do not do much, but yet I managed to hit an error. To this point I haven't been able to figure -out what is wrong. Trying to narrow it down with debug FSP binary didn't help -as well, because the FSP asserts in Thunderbolt/USB type C initialization. I +out what is wrong. Trying to narrow it down with debug FSP binary didn't help as +well, because the FSP asserts in Thunderbolt/USB type C initialization. I finally ended up disabling Thunderbolt. I am still not close to booting an operating system and what is most -frightening, I had to disable most I/O devices (USB, SATA, PCIe), yet those -that were enabled refused to work, so I have no media to boot an OS from... -At this point I decided to try a different path, that is EDK2 MinPlatform. -You may find all the modifications on [Dasharo coreboot repository](https://github.com/Dasharo/coreboot/tree/tgl_rvp). +frightening, I had to disable most I/O devices (USB, SATA, PCIe), yet those that +were enabled refused to work, so I have no media to boot an OS from... At this +point I decided to try a different path, that is EDK2 MinPlatform. You may find +all the modifications on +[Dasharo coreboot repository](https://github.com/Dasharo/coreboot/tree/tgl_rvp). -## EDK2 +### EDK2 EDK2 besides the open source common modules for UEFI compliant firmware also contains the platform code hosted in a separate repository called @@ -141,13 +145,13 @@ almost immediately with hope it will give better results. Unfortunately I stumbled upon another challenge. As a fellow open source enthusiast I have been compiling EDK2 with Linux using GCC. Although EDK2 is supposed to support GCC5 and newer versions, it occurred it is not always true. -The freshly published code was not buildable with GCC when trying with the -3mdeb [edk2-docker](https://github.com/3mdeb/edk2-docker). When giving it a -little thought it is not surprising. Visual Studio compiler is the one that -dominates the ecosystem of firmware. Intel, AMD and IBVs (Independent BIOS -Vendors) use Windows and Microsoft compilers to build EDK2. Thus I think it was -not tested with GCC compilers when published. The list of encountered problems -is posted on [TianoCore Bugzilla](https://bugzilla.tianocore.org/show_bug.cgi?id=3220). +The freshly published code was not buildable with GCC when trying with the 3mdeb +[edk2-docker](https://github.com/3mdeb/edk2-docker). When giving it a little +thought it is not surprising. Visual Studio compiler is the one that dominates +the ecosystem of firmware. Intel, AMD and IBVs (Independent BIOS Vendors) use +Windows and Microsoft compilers to build EDK2. Thus I think it was not tested +with GCC compilers when published. The list of encountered problems is posted on +[TianoCore Bugzilla](https://bugzilla.tianocore.org/show_bug.cgi?id=3220). Thankfully Intel engineers were very helpful and responsive on these bugs. The fixes for GCC toolchain were committed quickly (in just one week) to the Tiger @@ -157,10 +161,10 @@ In the mean time (before the fixes landed into repositories) I have fixed all compilation issues for GCC locally, I noticed that the packages contain support for LPDDR4 platform, again... The EDK2 FSP integration can work in two modes: -* FSP API mode - the bootloader simply calls the entry point of the FSP module +- FSP API mode - the bootloader simply calls the entry point of the FSP module by parsing the FSP header. The bootloader is also responsible for providing a pointer to UPD values that have to be patched per platform. -* FSP dispatch mode - this mode is dedicated for UEFI compliant bootloader +- FSP dispatch mode - this mode is dedicated for UEFI compliant bootloader because the FSP acts as a standard Firmware Volume detectable by PEI dispatcher. PEI dispatcher detects the FSP modules and evaluates the dependency expressions of particular PE files and decides about the order of @@ -170,21 +174,22 @@ for LPDDR4 platform, again... The EDK2 FSP integration can work in two modes: Switching between them is simply a build flag change. Gave a try to both, but unfortunately without success. The `FSP memory init returned error`, again... -Changing the DDR memory signals routing as in coreboot did not help. Currently -I am stuck at this problem which I have reported to the [Bugzilla](https://bugzilla.tianocore.org/show_bug.cgi?id=3219). -Apparently the A0 stepping (which is an engineering sample) cannot work with -the published code. It seems I have reached a dead end. - -## Possible solutions - -One of the obvious solutions that would be necessary is to add the build -targets for TigerLake UP3 RVP DDR4 by Intel. To get rid of build issue under -different toolchains a simple CI/CD would be more than enough to build test the -reference platform with supported toolchains. I believe EDK2 has CI integration -which could be extended to cover edk2-platforms repository. coreboot already -has the build testing of the patchsets sent for review with Jenkins for a long -time. It could be also great if Intel would publish validation results for FSP -and open board packages (Dasharo does it as part of its transparent validation +Changing the DDR memory signals routing as in coreboot did not help. Currently I +am stuck at this problem which I have reported to the +[Bugzilla](https://bugzilla.tianocore.org/show_bug.cgi?id=3219). Apparently the +A0 stepping (which is an engineering sample) cannot work with the published +code. It seems I have reached a dead end. + +### Possible solutions + +One of the obvious solutions that would be necessary is to add the build targets +for TigerLake UP3 RVP DDR4 by Intel. To get rid of build issue under different +toolchains a simple CI/CD would be more than enough to build test the reference +platform with supported toolchains. I believe EDK2 has CI integration which +could be extended to cover edk2-platforms repository. coreboot already has the +build testing of the patchsets sent for review with Jenkins for a long time. It +could be also great if Intel would publish validation results for FSP and open +board packages (Dasharo does it as part of its transparent validation philosophy). As far as I know, Intel publishes only the memory HCL (Hardware Compatibility List) for the FSP and microarchitectures. 3mdeb is working on [Dasharo Transparent Validation System](https://github.com/Dasharo/transparent-validation) @@ -192,28 +197,31 @@ to improve the state of firmware and its features test coverage and results reporting. If you are interested how are we testing the supported hardware please read [this blog post](https://blog.3mdeb.com/2021/2021-02-18-testing/). -## Summary +### Summary Silicon vendor contributions to open source firmware still lacks in some aspects. But it is understandable. The BIOS reference code provided to IBVs is -well tested, while the open source support equivalents are just a subsets of -the BIOS reference code providing bare hardware initialization just enough to -boot the platform. This code comes in a form of FSP and the open board package -to EDK2. Somewhere between this transition some human error may occur. Also it -is important to have similar testing configuration. As you can see engineering +well tested, while the open source support equivalents are just a subsets of the +BIOS reference code providing bare hardware initialization just enough to boot +the platform. This code comes in a form of FSP and the open board package to +EDK2. Somewhere between this transition some human error may occur. Also it is +important to have similar testing configuration. As you can see engineering sample and production SKU behavior with the same code changes dramatically. The situation is similar if not more difficult when it comes to coreboot. The open board package integration has to be rewritten in coreboot style and to coreboot -interfaces/APIs. This process is tedious and error prone, it is like -reinventing a wheel. Thus the community should actively support silicon vendors -in testing and feedback of new microarchitectures integration. +interfaces/APIs. This process is tedious and error prone, it is like reinventing +a wheel. Thus the community should actively support silicon vendors in testing +and feedback of new microarchitectures integration. Most of the challenges and issues describes in this post can be mitigated or -addressed with through extensive testing suggested in the [Possible solutions section](#possible-solutions). -Testing on target hardware is still a challenge, ideally we want to do it -remotely. 3mdeb is advanced in that matter and is testing firmware on real -hardware on automated tests stands with [RTE](https://docs.dasharo.com/transparent-validation/rte/introduction/) -in an own laboratory. If you need extensive testing or a good maintenance for -your firmware, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). +addressed with through extensive testing suggested in the +[Possible solutions section](#possible-solutions). Testing on target hardware is +still a challenge, ideally we want to do it remotely. 3mdeb is advanced in that +matter and is testing firmware on real hardware on automated tests stands with +[RTE](https://docs.dasharo.com/transparent-validation/rte/introduction/) in an +own laboratory. If you need extensive testing or a good maintenance for your +firmware, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to +[sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2022-05-12-meta-nezha.md b/blog/content/post/2022-05-12-meta-nezha.md index 094c4c19..183f29c2 100644 --- a/blog/content/post/2022-05-12-meta-nezha.md +++ b/blog/content/post/2022-05-12-meta-nezha.md @@ -23,23 +23,25 @@ categories: ## Introduction -As it was mentioned in first [post](https://blog.3mdeb.com/2021/2021-11-19-nezha-riscv-sbc-first-impression/) +As it was mentioned in first +[post](https://blog.3mdeb.com/2021/2021-11-19-nezha-riscv-sbc-first-impression/) We are interested in support for this board in Yocto Project, and this post will show you what we have achieved in this field. Previous blog post made a lot of noise and was appreciated by people from RISC-V -International. Now it is also available on their [site](https://riscv.org/news/2022/01/first-impression-on-nezha-risc-v-sbc-3mdeb/). +International. Now it is also available on their +[site](https://riscv.org/news/2022/01/first-impression-on-nezha-risc-v-sbc-3mdeb/). -Whole code of the meta layer you can find at [github](https://github.com/Cezarus27/meta-nezha). -It should be mentioned that `meta-nezha` is really early support so -the recipe's code isn't that clear and for now, it isn't prepared to be -upstreamed. +Whole code of the meta layer you can find at +[github](https://github.com/Cezarus27/meta-nezha). It should be mentioned that +`meta-nezha` is really early support so the recipe's code isn't that clear and +for now, it isn't prepared to be upstreamed. ## Nezha D1 meta layer First of all, it is important to say what exactly the Yocto Project and it's -meta layers are. Yocto is a project which is hosted by the Linux Foundation -and gives you templates, methods, and set of interoperable tools for creating OS +meta layers are. Yocto is a project which is hosted by the Linux Foundation and +gives you templates, methods, and set of interoperable tools for creating OS images for embedded Linux systems. Secondly, the Yocto project is used by many mainstream embedded Linux providers and offers thousands of packages that are available through layers. What are they? @@ -56,40 +58,40 @@ footprint size, and remove and/or add components to get the features you want. Nezha D1 layer is using the following Yocto Project meta layers in `hardknott` version: -* [poky](https://github.com/yoctoproject/poky) +- [poky](https://github.com/yoctoproject/poky) -* [meta-openembedded](https://git.openembedded.org/meta-openembedded) +- [meta-openembedded](https://git.openembedded.org/meta-openembedded) -* [meta-riscv](https://github.com/riscv/meta-riscv.git) +- [meta-riscv](https://github.com/riscv/meta-riscv.git) The structure of a `meta-nezha` is divided into two main parts: ![nezha layers structure](/img/meta-nezha-structure.png) -* `meta-nezha-bsp` - this layer contains recipes for `boot0`, `u-boot`, +- `meta-nezha-bsp` - this layer contains recipes for `boot0`, `u-boot`, `OpenSBI` and `linux kernel`. It also contains machine configuration which set/unset or enable/disable the key features of the board, -* `meta-nezha-distro` - contain a recipe for the minimal image, configuration of the - system eg. what init manager is used and `wks` file which is used to create - image file which can be flashed to the SD card. +- `meta-nezha-distro` - contain a recipe for the minimal image, configuration of + the system eg. what init manager is used and `wks` file which is used to + create image file which can be flashed to the SD card. -This layer was splitted because it is nice to separate the **Board Support -Package (BSP)** from application layer. BSP layer is a collection of information -that defines how to support a particular hardware device, set of devices, or -hardware platform. +This layer was split because it is nice to separate the **Board Support Package +(BSP)** from application layer. BSP layer is a collection of information that +defines how to support a particular hardware device, set of devices, or hardware +platform. Key repositories used by `meta-nezha-bsp` recipes are forks of repositories patched / created by **[smaeul](https://github.com/smaeul)**: -* [OpenSBI](https://github.com/Cezarus27/opensbi/tree/d1-wip): `d1-wip` branch +- [OpenSBI](https://github.com/Cezarus27/opensbi/tree/d1-wip): `d1-wip` branch -* [u-boot](https://github.com/Cezarus27/u-boot/tree/d1-wip): `d1-wip` branch +- [u-boot](https://github.com/Cezarus27/u-boot/tree/d1-wip): `d1-wip` branch -* [Linux](https://github.com/Cezarus27/linux/tree/riscv/d1-wip): `riscv/d1-wip` +- [Linux](https://github.com/Cezarus27/linux/tree/riscv/d1-wip): `riscv/d1-wip` branch -* [boot0](https://github.com/Cezarus27/sun20i_d1_spl): `mainline` branch +- [boot0](https://github.com/Cezarus27/sun20i_d1_spl): `mainline` branch > Note: It was decided to fork the `smaeul` repositories because the original > repos are often updated and rebased to the newest branches from upstream @@ -97,11 +99,12 @@ patched / created by **[smaeul](https://github.com/smaeul)**: > image. Main work to do was to adopt the bootflow of Nezha to the Yocto Project which -was described in [previous](https://blog.3mdeb.com/2021/2021-11-19-nezha-riscv-sbc-first-impression/) -blog post. In this process, the `boot0` recipe was created from the ground. -That wasn't so smooth to integrate its compilation flow with the Yocto build -engine due to missing some headers in `workdir`. So the patch for `boot0` -Makefile was provided also and it is applied during the building process. +was described in +[previous](https://blog.3mdeb.com/2021/2021-11-19-nezha-riscv-sbc-first-impression/) +blog post. In this process, the `boot0` recipe was created from the ground. That +wasn't so smooth to integrate its compilation flow with the Yocto build engine +due to missing some headers in `workdir`. So the patch for `boot0` Makefile was +provided also and it is applied during the building process. It wasn't enough because a lot of work had to be done to compile `U-Boot` for the D1 chip. `u-boot-nezha` recipe contains procedures of creating the TOC1 @@ -121,11 +124,14 @@ building system two configuration files with kernel options that enable `autofs4` and `cgroups`. Enabling these options was necessary because, without them, kernel can not be booted which is signaled with the following error: -```log +```bash [ 3.293088] systemd[1]: System time before build time, advancing clock. -[ 3.324933] systemd[1]: Failed to look up module alias 'autofs4': Function not implemented -[ 3.336302] systemd[1]: Failed to mount tmpfs at /sys/fs/cgroup: No such file or directory -[ 3.346366] systemd[1]: Failed to mount cgroup at /sys/fs/cgroup/systemd: No such file or directory +[ 3.324933] systemd[1]: Failed to look up module alias 'autofs4': Function +not implemented +[ 3.336302] systemd[1]: Failed to mount tmpfs at /sys/fs/cgroup: No such +file or directory +[ 3.346366] systemd[1]: Failed to mount cgroup at /sys/fs/cgroup/systemd: +No such file or directory [!!!!!!] Failed to mount API filesystems. ``` @@ -144,7 +150,8 @@ In `meta-nezha` you can find a formal description of the structure in **[nezha.wks](https://github.com/Cezarus27/meta-nezha/blob/master/meta-nezha-distro/wic/nezha.wks)** file. -> Note: More information about it you can find [here](https://linux-sunxi.org/Allwinner_Nezha). +> Note: More information about it you can find +> [here](https://linux-sunxi.org/Allwinner_Nezha). ## Nezha Yocto system startup @@ -156,13 +163,14 @@ So it really works! ### rng-tools -This package contains many tools. One of them is *Random Numbers Generator -daemon* - `rngd`. This daemon feeds data from a random number generator to the +This package contains many tools. One of them is _Random Numbers Generator +daemon_ - `rngd`. This daemon feeds data from a random number generator to the kernel's random number entropy pool, after first checking the data to ensure that it is properly random. For some reason it crushes during start with `SIGSEGV` in `libc-2.33.so`: -```log + +```bash [ 10.792295] rngd[139]: unhandled signal 11 code 0x2 at 0x0000003fc72e1378 in libc-2.33.so[3fc727e000+fd000] [ 10.948096] CPU: 0 PID: 139 Comm: rngd Not tainted 5.14.0-rc4-nezha #1 ``` @@ -174,6 +182,8 @@ the build. If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of a used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) +of a used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to +[sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2022-05-25-fobnail_provisioning.md b/blog/content/post/2022-05-25-fobnail_provisioning.md index 4dc824ea..31783a91 100644 --- a/blog/content/post/2022-05-25-fobnail_provisioning.md +++ b/blog/content/post/2022-05-25-fobnail_provisioning.md @@ -19,19 +19,19 @@ categories: --- -# About the Fobnail project +## About the Fobnail project Fobnail is a project that aims to provide a reference architecture for building offline integrity measurement verifiers on the USB device (Fobnail Token) and attesters running in Dynamically Launched Measured Environments (DLME). It allows the Fobnail owner to verify the trustworthiness of the running system -before performing any sensitive operation. This project was founded by [NlNet -Foundation](https://nlnet.nl/). More information about the project can be found -in the [Fobnail documentation](https://fobnail.3mdeb.com/). Also, make sure to -read other posts related to this project by visiting +before performing any sensitive operation. This project was founded by +[NlNet Foundation](https://nlnet.nl/). More information about the project can be +found in the [Fobnail documentation](https://fobnail.3mdeb.com/). Also, make +sure to read other posts related to this project by visiting [fobnail](https://blog.3mdeb.com/tags/fobnail/) tag. -# Scope of current phase +## Scope of current phase This phase is about provisioning Fobnail Token itself. The closing point of that process is creating a certificate for Token that can be used later after @@ -39,7 +39,7 @@ attestation, only if attestation finishes successfully. Before that happens, Fobnail Token must verify that Platform Owner can be trusted, and prepare an input for that certificate. -## Assumptions and flow of Fobnail provisioning +### Assumptions and flow of Fobnail provisioning It is assumed that provisioning is performed in a secure environment, over a secure channel, and encryption of data sent between Platform Owner and Fobnail @@ -55,7 +55,8 @@ of the three flows (Fobnail provisioning, platform provisioning or attestation) it should follow. First resource that Fobnail Token asks for during its provisioning is a Platform -Owner certificate chain. It has a [strictly defined format](https://fobnail.3mdeb.com/keys_and_certificates/#platform-owner-certificate-chain) +Owner certificate chain. It has a +[strictly defined format](https://fobnail.3mdeb.com/keys_and_certificates/#platform-owner-certificate-chain) and its root must be provided to the token during compilation. Fobnail validates this chain, but because it has neither timekeeping nor (secure) networking capabilities, it isn't able to check validity periods or CRLs. @@ -67,23 +68,24 @@ chain received in previous step and saved in non-volatile memory for later use. ![Diagram of Fobnail provisioning flow](/img/Fobnail-flows-fobnail-provisioning.png) -## Fobnail Token's key +### Fobnail Token's key There are no good crates for generating RSA keys on Cortex-M, and in our tests using universal implementation wasn't able to generate 2048-bit key in 5 hours. We also couldn't use ARM TrustZone CryptoCell 310 which is included in nRF52840 for this purpose because it doesn't have open-sourced libraries. Thus, currently -Fobnail Token generates Curve25519 key, with help of [Trussed](https://trussed.dev/). +Fobnail Token generates Curve25519 key, with help of +[Trussed](https://trussed.dev/). It was originally designed to be used in Diffie–Hellman method to generate symmetric encryption key for communication between owners of two separate Curve25519 keys. Ed25519 is a signature scheme using Curve25519, which adds the ability to sign and verify data, including certificates. Unfortunately, -Curve25519 can't be used as encryption key pair. This is [a problem that will -have to be resolved](https://github.com/fobnail/fobnail/issues/40) to unlock -full power of Fobnail Token. +Curve25519 can't be used as encryption key pair. This is +[a problem that will have to be resolved](https://github.com/fobnail/fobnail/issues/40) +to unlock full power of Fobnail Token. -## Possible uses of Fobnail certificate +### Possible uses of Fobnail certificate Fobnail architecture doesn't impose use of key for which certificate is being made. The only restriction that should be followed is that created certificate @@ -111,56 +113,58 @@ Obviously, support on Fobnail side is required to expose API that uses private key accordingly to the usage specified in the certificate, based on attestation result. This is not done in this phase. -## Building and running +### Building and running Since we've changed the way EK certificate chain is obtained, Attester can no longer be run on simulated TPM as easy as before. Chain is now downloaded during platform provisioning, but for cases when Internet connection can't be trusted -we plan to add option to [use certificate chain from file](https://github.com/fobnail/fobnail-attester/issues/37). +we plan to add option to +[use certificate chain from file](https://github.com/fobnail/fobnail-attester/issues/37). Because TPM simulator is not used, Fobnail Token is also started separately. -There is also a new application for Platform Owner, which should be started -on a separate, secure machine, but for testing can also be run on the same -system as the other components. +There is also a new application for Platform Owner, which should be started on a +separate, secure machine, but for testing can also be run on the same system as +the other components. -### Platform Owner +#### Platform Owner To build Platform Owner application, just run `make`: -```shell -$ git clone https://github.com/fobnail/fobnail-platform-owner.git --recurse-submodules -$ cd fobnail-platform-owner -$ make +```bash +git clone https://github.com/fobnail/fobnail-platform-owner.git --recurse-submodules +cd fobnail-platform-owner +make ``` It takes certificate chain and private key used for signing Fobnail Token's certificate on input: -```shell -$ ./bin/fobnail-platform-owner path/to/chain.pem path/to/key.priv +```bash +./bin/fobnail-platform-owner path/to/chain.pem path/to/key.priv ``` -Proper key and chain can be generated by following [these instructions](https://fobnail.3mdeb.com/keys_and_certificates/#creating-platform-owner-certificate-chain-with-openssl). +Proper key and chain can be generated by following +[these instructions](https://fobnail.3mdeb.com/keys_and_certificates/#creating-platform-owner-certificate-chain-with-openssl). `chain.pem` is a concatenation of all certificates, starting with root: -```shell -$ cat root.crt ca1.crt ca2.crt > chain.pem +```bash +cat root.crt ca1.crt ca2.crt > chain.pem ``` -### Attester +#### Attester Attester is built similarly to Platform Owner: -```shell -$ git clone https://github.com/fobnail/fobnail-attester.git --recurse-submodules -$ cd fobnail-attester -$ make +```bash +git clone https://github.com/fobnail/fobnail-attester.git --recurse-submodules +cd fobnail-attester +make ``` It must be started as privileged user, in order to access TPM and SMBIOS: -```shell -$ sudo ./bin/fobnail-attester +```bash +sudo ./bin/fobnail-attester ``` Currently Attester must have physical NIC because its MAC is used as part of @@ -168,106 +172,106 @@ metadata. This is a known issue that makes it unusable on platforms that don't have one, such as virtual machines, wireless-only devices or controllers for which kernel doesn't have a driver. -### Fobnail Token +#### Fobnail Token -[Fobnail SDK](../2022-03-21-fobnail_3rd_phase#building-and-installing-sdk) must -be installed before building Fobnail Token software. After that, clone Fobnail's -repository: +[Fobnail SDK](https://blog.3mdeb.com/2022/2022-03-21-fobnail_3rd_phase/#building-and-installing-sdk) +must be installed before building Fobnail Token software. After that, +clone Fobnail's repository: -```shell -$ git clone https://github.com/fobnail/fobnail.git --recurse-submodules -$ cd fobnail +```bash +git clone https://github.com/fobnail/fobnail.git --recurse-submodules +cd fobnail ``` To build, flash and run on nRF52840: -```shell -$ env FOBNAIL_PO_ROOT=path/to/PO/root.crt ./build.sh -t nrf --run +```bash +env FOBNAIL_PO_ROOT=path/to/PO/root.crt ./build.sh -t nrf --run ``` To build and run on PC: -```shell -$ env FOBNAIL_PO_ROOT=path/to/PO/root.crt ./build.sh -t pc --run +```bash +env FOBNAIL_PO_ROOT=path/to/PO/root.crt ./build.sh -t pc --run ``` In both cases, `root.crt` must be located somewhere in `fobnail` directory. This is limitation of Docker. -### Running the whole shebang +#### Running the whole shebang > When physical USB token is used, it must be assigned IP address -(169.254.0.1/16) after it is plugged in. This can be done automatically by -adding appropriate configuration to `udev`, `systemd` and/or another daemon used -for network configuration. Refer to your distro's documentation on how to do -this or assign IP address manually. This inconvenience will be addressed in -further releases. +> (169.254.0.1/16) after it is plugged in. This can be done automatically by +> adding appropriate configuration to `udev`, `systemd` and/or another daemon +> used for network configuration. Refer to your distro's documentation on how to +> do this or assign IP address manually. This inconvenience will be addressed in +> further releases. 1. Start Platform Owner application - As mentioned, this should be running on another computer, but for testing it - can be the same as attested platform (it is not secure in this case). Leave - the application running until Fobnail provisioning is done. + As mentioned, this should be running on another computer, but for testing it + can be the same as attested platform (it is not secure in this case). Leave + the application running until Fobnail provisioning is done. -2. Insert Fobnail Token (or start its simulation) into Platform Owner's machine +1. Insert Fobnail Token (or start its simulation) into Platform Owner's machine - Platform Owner application will print the progress, it should end with dump - of newly created certificate in PEM format. If hardware Token was used, this - part reports success with _red_ diode blinking 3 times. Fobnail Token is - considered provisioned at this point. + Platform Owner application will print the progress, it should end with dump + of newly created certificate in PEM format. If hardware Token was used, this + part reports success with _red_ diode blinking 3 times. Fobnail Token is + considered provisioned at this point. -3. Start Attester application on target platform +1. Start Attester application on target platform - On first run, it will create AIK and store it in TPM nonvolatile memory for - later use. Time that is required for this step depends on TPM, but it - shouldn't take more than a couple of seconds. + On first run, it will create AIK and store it in TPM nonvolatile memory for + later use. Time that is required for this step depends on TPM, but it + shouldn't take more than a couple of seconds. -4. Remove Token from Platform Owner's machine and insert it into target platform +1. Remove Token from Platform Owner's machine and insert it into target platform - Target platform is assumed to be in secure state at this point. Its PCR - values will be used as reference measurements. In case of simulated Fobnail - Token, Platform Owner application is stopped instead (Ctrl+C). + Target platform is assumed to be in secure state at this point. Its PCR + values will be used as reference measurements. In case of simulated Fobnail + Token, Platform Owner application is stopped instead (Ctrl+C). -5. Wait for platform provisioning and test attestation +1. Wait for platform provisioning and test attestation - Attester prints messages exchanged during this step with Fobnail Token, - along with some other information. As part of this process, a certificate - chain for EK is downloaded. Successful platform provisioning is reported - with three blinks of green LED. Immediately after that, test attestation - takes place, for which success is reported with longer, constant green - light. + Attester prints messages exchanged during this step with Fobnail Token, along + with some other information. As part of this process, a certificate chain for + EK is downloaded. Successful platform provisioning is reported with three + blinks of green LED. Immediately after that, test attestation takes place, + for which success is reported with longer, constant green light. -6. At this point platform is provisioned +1. At this point platform is provisioned - Further attestations can be performed by connecting Fobnail Token while - Attester application is running. + Further attestations can be performed by connecting Fobnail Token while + Attester application is running. -### Unprovisioning +#### Unprovisioning Fobnail Token can be returned to its original state by: - Reprogramming nRF52840 by rerunning `build.sh` + - Holding SW1 switch on nRF52840 while it is plugged in for 10 seconds - Acknowledgment is reported by three short green blinks. Give it a second or - two after that to actually clear its memory. + Acknowledgment is reported by three short green blinks. Give it a second or + two after that to actually clear its memory. In case of PC simulation, remove `target/flash.bin` from `fobnail` directory. AIK and _copy_ of EK can be cleared from TPM with following set of commands: -```shell -# Enable Owner authorisation +```bash +## Enable Owner authorisation tpm2_changeauth -c o ownerauth -# Remove AIK +## Remove AIK tpm2_evictcontrol -C o -c 0x8100F0BA -P ownerauth -# Remove EK (it can always be recreated from seed) +## Remove EK (it can always be recreated from seed) tpm2_evictcontrol -C o -c 0x8100F0BE -P ownerauth -# Disable Owner authorisation +## Disable Owner authorisation tpm2_changeauth -c o -p ownerauth ``` -## Demo +### Demo All phases required for provisioning and attestation are already in place, so following video shows whole process. This includes steps done by administrator @@ -276,28 +280,34 @@ for given platform, repeated only if reference measurements change, e.g. after sanctioned firmware update. Attestation is repeated each time user has to attest the state of his/her platform. -{{< youtube _WYtvEg_nLs >}} +{{\< youtube \_WYtvEg_nLs >}} For those with keen eye, TSS error and warning is printed during platform provisioning and attestation. They come from a bug in TSS that was reported -[here](https://github.com/tpm2-software/tpm2-tss/issues/1522) and fixed [here](https://github.com/tpm2-software/tpm2-tss/pull/1531). -Since most currently used distributions use older packages, it is not available -in them just yet. This can and is [worked around by the code](https://github.com/fobnail/fobnail-attester/commit/0f15f460a7934375e682763244bbf22670fd5402), +[here](https://github.com/tpm2-software/tpm2-tss/issues/1522) and fixed +[here](https://github.com/tpm2-software/tpm2-tss/pull/1531). Since most +currently used distributions use older packages, it is not available in them +just yet. This can and is +[worked around by the code](https://github.com/fobnail/fobnail-attester/commit/0f15f460a7934375e682763244bbf22670fd5402), but there is no way of silencing those lines. ## Summary With whole process tested at once, multiple issues became apparent. Those which are limited to one of the components are listed in specific repository -([Fobnail Token](https://github.com/fobnail/fobnail/issues), [Platform Owner](https://github.com/fobnail/fobnail-platform-owner/issues) -and [Attester](https://github.com/fobnail/fobnail-attester/issues)), and if it -applies to whole project, it landed in [documentation repository](https://github.com/fobnail/docs/issues). -There, we also want to build a list of possible use cases with guides for -expected policies and certificates. If there is something we missed, feel free -to add a new item to those lists. +([Fobnail Token](https://github.com/fobnail/fobnail/issues), +[Platform Owner](https://github.com/fobnail/fobnail-platform-owner/issues) and +[Attester](https://github.com/fobnail/fobnail-attester/issues)), and if it +applies to whole project, it landed in +[documentation repository](https://github.com/fobnail/docs/issues). There, we +also want to build a list of possible use cases with guides for expected +policies and certificates. If there is something we missed, feel free to add a +new item to those lists. If you think we can help in improving the security of your firmware or you are looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to +[sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2022-06-23-fobnail_minimal_os.md b/blog/content/post/2022-06-23-fobnail_minimal_os.md index 65f0431b..f947a98c 100644 --- a/blog/content/post/2022-06-23-fobnail_minimal_os.md +++ b/blog/content/post/2022-06-23-fobnail_minimal_os.md @@ -30,23 +30,23 @@ Fobnail is a project that aims to provide a reference architecture for building offline integrity measurement verifiers on the USB device (Fobnail Token) and attesters running in Dynamically Launched Measured Environments (DLME). It allows the Fobnail owner to verify the trustworthiness of the running system -before performing any sensitive operation. This project was founded by [NlNet -Foundation](https://nlnet.nl/). More information about the project can be found -in the [Fobnail documentation](https://fobnail.3mdeb.com/). Also, make sure to -read other posts related to this project by visiting +before performing any sensitive operation. This project was founded by +[NlNet Foundation](https://nlnet.nl/). More information about the project can be +found in the [Fobnail documentation](https://fobnail.3mdeb.com/). Also, make +sure to read other posts related to this project by visiting [fobnail](https://blog.3mdeb.com/tags/fobnail/) tag. ## Scope of current phase This phase was carried out to look at how the Fobnail Token can be used in everyday use and to analyze other elements of the Fobnail Project, such as -minimal operating system. A system image was prepared using the [Yocto -Project](https://www.yoctoproject.org/) and tested on PC Engines apu2. Its -functionalities include: +minimal operating system. A system image was prepared using the +[Yocto Project](https://www.yoctoproject.org/) and tested on PC Engines apu2. +Its functionalities include: -* commissioning in the Dynamically Launched Measured Environment, -* integration with Fobnail Token, -* kexec integration, the ability to run other operating systems. +- commissioning in the Dynamically Launched Measured Environment, +- integration with Fobnail Token, +- kexec integration, the ability to run other operating systems. Any tests are described in this post or in additional documents to which links are provided. As part of this phase, we also conducted a research on other @@ -72,19 +72,19 @@ versions of OS for each platform. As a teaser we include here a table that summarize our research. -| OS | USB host driver | USB EEM driver | Network stack | TPM driver | OS portability | Bootloader capabilities | C library | Microkernel | CPU Architecture support | Bootable by SKL | License | Score | -| ------- | ---------------- | ---------------- | ----------------- | ----------------- | -------------- | ----------------------- | -------------| ----------- | ------------------------ | --------------- | ------- | ----- | -| Zephyr | Yes (+2) | Yes (+2) | Yes (+2) | PoC available (0) | Limited (-1) | No (0) | Yes (+2) | No (0) | Good (+1) | No (0) | OK (0) | 8 | -| Xous | No (0) | No (0) | Yes (+2) | No (0) | Limited (-1) | No (0) | No (0) | Yes (+1) | RISC-V only (-1) | No (0) | OK (0) | 1 | -| seL4 | No (0) | No (0) | Yes (+2) | No (0) | Limited (-1) | No (0) | Yes (+2) | Yes (+1) | Good (+1) | Yes (+2) | OK (but problematic with Genode) (0) | 7 | -| Linux | Yes (+2) | Yes (+2) | Yes (+2) | Yes (+2) | Yes (+1) | Yes (kexec) (+2) | Yes (+2) | No (0) | Good (+1) | Yes (+2) | OK (0) | 16 | -| LK | No (0) | No (0) | Limited (-2) | No (0) | Yes (+1) | No (0) | Limited (-2) | No (0) | Good (+1) | No (0) | OK (0) | -2 | -| Fuchsia | Limited (0) | No (0) | Yes (+2) | Limited (0) | Yes (+1) | Yes (mexec) (+2) | Yes (+2) | Yes (+1) | Good (+1) | No (0) | OK (0) | 7 | +| OS | USB host driver | USB EEM driver | Network stack | TPM driver | OS portability | Bootloader capabilities | C library | Microkernel | CPU Architecture support | Bootable by SKL | License | Score | +|----------|-----------------|-----------------|---------------|-------------------|-----------------|-------------------------|-------------|---------------|--------------------------|-----------------|---------|-------| +| Zephyr | Yes (+2) | Yes (+2) | Yes (+2) | PoC available (0) | Limited (-1) | No (0) | Yes (+2) | No (0) | Good (+1) | No (0) | OK (0) | 8 | +| Xous | No (0) | No (0) | Yes (+2) | No (0) | Limited (-1) | No (0) | No (0) | Yes (+1) | RISC-V only (-1) | No (0) | OK (0) | 1 | +| seL4 | No (0) | No (0) | Yes (+2) | No (0) | Limited (-1) | No (0) | Yes (+2) | Yes (+1) | Good (+1) | Yes (+2) | OK (0) | 7 | +| Linux | Yes (+2) | Yes (+2) | Yes (+2) | Yes (+2) | Yes (+1) | Yes (kexec) (+2) | Yes (+2) | No (0) | Good (+1) | Yes (+2) | OK (0) | 16 | +| LK | No (0) | No (0) | Limited (-2) | No (0) | Yes (+1) | No (0) | Limited (-2)| No (0) | Good (+1) | No (0) | OK (0) | -2 | +| Fuchsia | Limited (0) | No (0) | Yes (+2) | Limited (0) | Yes (+1) | Yes (mexec) (+2) | Yes (+2) | Yes (+1) | Good (+1) | No (0) | OK (0) | 7 | As we can see, multiple OSes were taken into account and a lot of requirements. -If you are interested in the meanings of the numbers here, please check the -full [report](https://fobnail.3mdeb.com/minimal-os-for-fobnail/) available on -Fobnail Project official website. +If you are interested in the meanings of the numbers here, please check the full +[report](https://fobnail.3mdeb.com/minimal-os-for-fobnail/) available on Fobnail +Project official website. ## Why Linux? @@ -94,15 +94,15 @@ In the future, we may use another OS. ## Reference minimal OS for Fobnail Project -We build a minimal OS image for Fobnail Project by using [Yocto -Project](https://www.yoctoproject.org/), our +We build a minimal OS image for Fobnail Project by using +[Yocto Project](https://www.yoctoproject.org/), our [meta-fobnail](https://github.com/fobnail/meta-fobnail) layer and [kas](https://github.com/siemens/kas) container. It is based on -[TrenchBoot](https://trenchboot.org/) project and releated meta layers: +[TrenchBoot](https://trenchboot.org/) project and related meta layers: [meta-pcengines](https://github.com/3mdeb/meta-pcengines) to provide board support package for PC Engines apu2 and [meta-security](https://git.yoctoproject.org/meta-security/) to use additional -usefull software like `tpm-tools` package. +useful software like `tpm-tools` package. ### meta-fobnail layer @@ -121,18 +121,18 @@ The process of generating minimal OS is not complicated. In our case, we were using a PC running Ubuntu 20.04. Firstly, we need to download the latest `kas container`: -``` -$ mkdir ~/bin -$ wget -O ~/bin/kas-container https://raw.githubusercontent.com/siemens/kas/3.0.2/kas-container -$ chmod +x ~/bin/kas-container +```bash +mkdir ~/bin +wget -O ~/bin/kas-container https://raw.githubusercontent.com/siemens/kas/3.0.2/kas-container +chmod +x ~/bin/kas-container ``` With that we can build a minimal OS from `meta-fobnail` repository: -``` -$ mkdir fobnail-yocto && cd fobnail-yocto -$ git clone https://github.com/fobnail/meta-fobnail.git -$ kas-docker build meta-fobnail/kas-debug.yml +```bash +mkdir fobnail-yocto && cd fobnail-yocto +git clone https://github.com/fobnail/meta-fobnail.git +kas-docker build meta-fobnail/kas-debug.yml ``` It may take a while (up to a few hours). If building will be finished, the @@ -140,7 +140,7 @@ system image should be available in `build/tmp/deploy/images/fobnail-machine/`. It was prepared to run from SD card. We need to use `bmaptool` to flash image on the card: -``` +```bash $ bmaptool copy --bmap fobnail-base-image-debug-fobnail-machine.wic.bmap \ fobnail-base-image-debug-fobnail-machine.wic.gz /dev/sdX ``` @@ -172,68 +172,67 @@ flashed on pendrive. 1. Boot [meta-fobnail](https://github.com/fobnail/meta-fobnail) image in DLME - this was described [here](https://fobnail.3mdeb.com/meta-fobnail-in-dlme/). -2. Log into the platform, the server should be started on boot, to see logs, +1. Log into the platform, the server should be started on boot, to see logs, please run the following command. -``` -# journalctl -fu fobnail-attester --- Journal begins at Tue 2022-06-07 15:04:57 UTC. -- -Jun 07 15:05:14 tb systemd[1]: Started Fobnail Attester service. -``` + ```bash + # journalctl -fu fobnail-attester + -- Journal begins at Tue 2022-06-07 15:04:57 UTC. -- + Jun 07 15:05:14 tb systemd[1]: Started Fobnail Attester service. + ``` -3. Connect Fobnail Token to PC Engines apu2. If the device is detected properly +1. Connect Fobnail Token to PC Engines apu2. If the device is detected properly system should print following information -``` -[ 42.108151] usb 2-2: new full-speed USB device number 2 using xhci_hcd -[ 42.334313] cdc_eem 2-2:1.0 usb0: register 'cdc_eem' at usb-0000:00:10.0-2, CDC EEM Device, 5e:f9:bb:9b:dd:06 -[ 42.355332] usbcore: registered new interface driver cdc_eem -``` + ```bash + [ 42.108151] usb 2-2: new full-speed USB device number 2 using xhci_hcd + [ 42.334313] cdc_eem 2-2:1.0 usb0: register 'cdc_eem' at usb-0000:00:10.0-2, CDC EEM Device, 5e:f9:bb:9b:dd:06 + [ 42.355332] usbcore: registered new interface driver cdc_eem + ``` -4. Wait a few seconds for provisioning and attestation. During this procedure +1. Wait a few seconds for provisioning and attestation. During this procedure `Fobnail Attester` should print information about received data -``` -Received message: ek -Received message: aik -Received message: challenge -Received message: metadata -MAC: 0: D:B9:53:D2:50 -SMBIOSv2 -Manufacturer >PC Engines< -Product Name >apu2< -Serial Number >1373268< -Received message: rim -Received message: metadata -MAC: 0: D:B9:53:D2:50 -SMBIOSv2 -Manufacturer >PC Engines< -Product Name >apu2< -Serial Number >1373268< -Received message: quote -``` - -5. The attestation was finished successfully when a green LED constantly lit on + ```bash + Received message: ek + Received message: aik + Received message: challenge + Received message: metadata + MAC: 0: D:B9:53:D2:50 + SMBIOSv2 + Manufacturer >PC Engines< + Product Name >apu2< + Serial Number >1373268< + Received message: rim + Received message: metadata + MAC: 0: D:B9:53:D2:50 + SMBIOSv2 + Manufacturer >PC Engines< + Product Name >apu2< + Serial Number >1373268< + Received message: quote + ``` + +1. The attestation was finished successfully when a green LED constantly lit on Fobnail Token for 10 seconds - see image below + ![Fobnail token LEDs](/img/token-led.jpg) -![Fobnail token LEDs](/img/token-led.jpg) - -6. Now we can assume that we are in secure environment, so we will execute +1. Now we can assume that we are in secure environment, so we will execute Ubuntu from external memory by using `kexec` -``` -# mkdir /mnt/usb -# mount /dev/sda -o ro /mnt/usb -# cd /mnt/usb + ```bash + # mkdir /mnt/usb + # mount /dev/sda -o ro /mnt/usb + # cd /mnt/usb -# kexec -l casper/vmlinuz --initrd=casper/initrd --command-line="$( cat /proc/cmdline )" -# kexec -e -[ 133.109546] kexec_core: Starting new kernel -``` + # kexec -l casper/vmlinuz --initrd=casper/initrd --command-line="$( cat /proc/cmdline )" + # kexec -e + [ 133.109546] kexec_core: Starting new kernel + ``` After a minute you should be able to login into the Ubuntu shell: -``` +```bash [ OK ] Started Serial Getty on ttyS0. [ OK ] Reached target Login Prompts. Starting Set console scheme... @@ -246,6 +245,8 @@ Welcome to Ubuntu 22.04 LTS (GNU/Linux 5.15.0-25-generic x86_64) If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to +[sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2022-07-04-xen-debugging-and-development-environment.md b/blog/content/post/2022-07-04-xen-debugging-and-development-environment.md index 5fd50a29..cd7d115c 100644 --- a/blog/content/post/2022-07-04-xen-debugging-and-development-environment.md +++ b/blog/content/post/2022-07-04-xen-debugging-and-development-environment.md @@ -24,11 +24,11 @@ categories: --- -# Intro +## Intro -In the 2018th [OSFC](https://2018.osfc.io), we were presented AMD IOMMU enabling -for PC Engines apuX (GX-412TC) platforms. You can watch the presentation video -[here](https://www.youtube.com/watch?v=5JoEuh9qXx0&list=PLJ4u8GLmFVmoRCX_gFXV6fhWmsOQ5cmuj&index=14) +In the 2018th [OSFC](https://www.osfc.io/2018/talks/), we were presented AMD +IOMMU enabling for PC Engines apuX (GX-412TC) platforms. You can watch the +presentation video [here](https://www.youtube.com/watch?v=5JoEuh9qXx0&list=PLJ4u8GLmFVmoRCX_gFXV6fhWmsOQ5cmuj&index=14) Our hypervisor of choice was Xen and we used it to verify the PCI pass-through feature. Unfortunately, the booting process was not exactly stable and the platform from time to time hung on the same log: @@ -50,7 +50,7 @@ CPUs`, so suspicious code is probably right after [this log](https://xenbits.xen We started to write that post quite long ago, but because recent Xen 4.16.1 release we decide to get back to the problem and see what is the current state. -# Debugging environment considerations +## Debugging environment considerations Because of that, I decided to debug Xen, but first I had to get through the compilation and deployment procedure. In general, I saw a couple of options for @@ -70,29 +70,40 @@ The third option was the only option for me to build Xen. Here is the step-by-step instruction on how to build and install Xen from the source: 1. Install build essential: + ```bash - $ sudo apt-get install build-essential + sudo apt-get install build-essential ``` + 2. Enable source code in the `software-properties-gtk` 3. Install the python config package + ```bash - $ pip3 install python-config + pip3 install python-config ``` + 4. Clone Xen source + ```bash - $ git clone git@github.com:xen-project/xen.git + git clone git@github.com:xen-project/xen.git ``` + 5. Configure project + ```bash - $ cd xen && ./configure + cd xen && ./configure ``` + 6. Build Xen + ```bash - $ make build-xen + make build-xen ``` + 7. Install Xen + ```bash - $ sudo make install-xen + sudo make install-xen ``` More to that all of the methods can be applied through frameworks. @@ -102,31 +113,32 @@ which should build only what we need. The last option is good for production, but development may be hard in a limited environment that Yocto produces by default. -## Xen dockerized building environment +### Xen dockerized building environment I chose the second option for that purpose. I have prepared a Docker container with all required packages ([3mdeb/xen-docker](https://github.com/3mdeb/xen-docker)): ```bash -$ git clone git@github.com:3mdeb/xen-docker.git -$ cd xen-docker -$ docker build -t 3mdeb/xen-docker . +git clone git@github.com:3mdeb/xen-docker.git +cd xen-docker +docker build -t 3mdeb/xen-docker . ``` I cloned the Xen source and I run the docker container. ```bash -$ git clone git@github.com:xen-project/xen.git -$ cd xen -$ docker run --rm -it -v $PWD:/home/xen -w /home/xen 3mdeb/xen-docker /bin/bash +git clone git@github.com:xen-project/xen.git +cd xen +docker run --rm -it -v $PWD:/home/xen -w /home/xen 3mdeb/xen-docker /bin/bash ``` + Then I built the Xen package: -``` +```bash (docker-container)$ git checkout (docker-container)$ ./configure --enable-githttp --enable-systemd -# there is time now to customize .config +## there is time now to customize .config (docker-container)$ make debball ``` @@ -149,7 +161,7 @@ After whole this effort, I was able to boot my freshly built Xen on apu2c4 with Debian host and Debian guest OS. Now that I have prepared the developing procedure I can start narrowing down all the issues. -## Possible use cases +### Possible use cases The ability to build Xen with custom changes opens the door to creating [custom solutions and products](https://3mdeb.com/hypervisors-development/). @@ -177,10 +189,10 @@ at the date of this blog post is 4.17). We plan to improve the transparent validation infrastructure for [Dasharo-compatible](https://dasharo.com/) products soon. -## Summary +### Summary If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features of the used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or drop us an email to `contact3mdebcom`. If you are interested in -similar content feel free to [sign up for our newsletter](http://eepurl.com/gfoekD). +similar content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). diff --git a/blog/content/post/2022-10-05-qubes-os-summit-2022.md b/blog/content/post/2022-10-05-qubes-os-summit-2022.md index 0f23c58c..cc2d7ad7 100644 --- a/blog/content/post/2022-10-05-qubes-os-summit-2022.md +++ b/blog/content/post/2022-10-05-qubes-os-summit-2022.md @@ -20,7 +20,7 @@ categories: --- -# Qubes OS summit 2022 +## Qubes OS summit 2022 In the first half of September, Invisible Things Lab with 3mdeb organized the next edition of the Qubes OS summit. In the last years, the @@ -32,7 +32,7 @@ we have exchanged loads of knowledge and expertise. ![Qubes-poster-2022.png](/img/Qubes-poster-2022.png) -## Day 1 +### Day 1 The first day started with the [Welcome to Qubes OS summit 2022](https://youtu.be/hkWWz3xGqS8?t=882) @@ -40,28 +40,29 @@ presentation held by Piotr Król. Piotr said about Qubes OS Summit history and what changed since the last event. The next presentation held by Marek Marczykowski-Górecki was a -[Qubes OS development status update](https://youtu.be/hkWWz3xGqS8?t=2365). -In this talk, Marek did a summary of the Qubes project. Also, he presented the +[Qubes OS development status update](https://youtu.be/hkWWz3xGqS8?t=2365). In +this talk, Marek did a summary of the Qubes project. Also, he presented the current work of his team and a rough roadmap for Qubes OS 4.2. -The next presentation was [Building secure applications with Qubes OS](https://youtu.be/hkWWz3xGqS8?t=4719) +The next presentation was +[Building secure applications with Qubes OS](https://youtu.be/hkWWz3xGqS8?t=4719) held by Michael Z. He presented SecureDrop Workstation which is a new and improved front-end for journalists using SecureDrop. It was built on top of -Qubes OS and relies heavily on its features and security properties. -In this talk, Michael introduced the system and discussed some lessons -learned by treating Qubes OS as a framework for secure multi-VM applications. +Qubes OS and relies heavily on its features and security properties. In this +talk, Michael introduced the system and discussed some lessons learned by +treating Qubes OS as a framework for secure multi-VM applications. After the short break Frédéric Pierret presented the -[Next generation of Qubes OS builder](https://youtu.be/hkWWz3xGqS8?t=7994) -In this talk, Frédéric presented the second generation of the Qubes OS builder. +[Next generation of Qubes OS builder](https://youtu.be/hkWWz3xGqS8?t=7994) In +this talk, Frédéric presented the second generation of the Qubes OS builder. This new builder leverages container or disposable qube isolation to perform every stage of the build and release process. From fetching sources to building them, everything is executed inside a "cage" (either a disposable or a container) with the help of what we call an "executor." For every command that needs to perform an action on sources, like cloning and verifying Git repos, -rendering a SPEC file, generating SRPM or Debian source packages, a new cage -is used. Frédéric presented the global architecture and demonstrated how -to use this new build system. +rendering a SPEC file, generating SRPM or Debian source packages, a new cage is +used. Frédéric presented the global architecture and demonstrated how to use +this new build system. Jan Suhr presented the next interesting topic, which was [Tailoring Qubes for Enterprises](https://youtu.be/hkWWz3xGqS8?t=10228). @@ -75,98 +76,102 @@ a Windows VM within Qubes OS. After the lunch break, Marta Marczykowska-Górecka presented a new [Qubes OS Policy: Adventures in UX/UI Design](https://youtu.be/hkWWz3xGqS8?t=15275). Marta gave a brief overview of the current state of Qubes OS policy tools, the -in-development graphical policy editor/configuration editor, the process -of simplifying the complexities of policy configuration, and design and -implementation challenges. As a continuation of last year's redesign of -the [Application Menu](https://www.youtube.com/watch?v=Wyi560JiJDI), Marta has -been working on making Qubes more accessible for non-expert users and on -creating GUI tools for system configuration that would be friendlier and -easier to use than existing tools. This time, Marta took on the challenge of -creating a graphical editor for various policy files. In this talk, she covered -the results of user research, the challenges encountered during design and -implementation, and showed off the tools created as a result of this research. - -The next presentation was [GPU Virtual Machine (GVM)](https://youtu.be/hkWWz3xGqS8?t=17671) held by -Arthur Rasmusson. GVM is a GPU Virtual Machine built by the OpenMdev Project -for IOMMU-capable computers such as x86 and ARM. -In this talk OpenMdev developers, Arthur Rasmusson and Michael Buchel -gave an overview of GPU Virtual Machine (GVM) and how it works to allow virtual -machine guests to run unmodified GPU drivers (non-paravirtual) on ordinary GPUs -such as those in laptops, desktops, embedded devices, and servers. They also -took some time to talk about ongoing efforts to improve support for -devices and areas of collaboration where we might best provide support to -QubesOS for integrating OpenMdev tools like GVM for enhanced GPU virtualization. - -Puck Meerburg talked about [Isolating GUIs with the power of Wayland](https://youtu.be/hkWWz3xGqS8?t=19969) +in-development graphical policy editor/configuration editor, the process of +simplifying the complexities of policy configuration, and design and +implementation challenges. As a continuation of last year's redesign of the +[Application Menu](https://www.youtube.com/watch?v=Wyi560JiJDI), Marta has been +working on making Qubes more accessible for non-expert users and on creating GUI +tools for system configuration that would be friendlier and easier to use than +existing tools. This time, Marta took on the challenge of creating a graphical +editor for various policy files. In this talk, she covered the results of user +research, the challenges encountered during design and implementation, and +showed off the tools created as a result of this research. + +The next presentation was +[GPU Virtual Machine (GVM)](https://youtu.be/hkWWz3xGqS8?t=17671) held by Arthur +Rasmusson. GVM is a GPU Virtual Machine built by the OpenMdev Project for +IOMMU-capable computers such as x86 and ARM. In this talk OpenMdev developers, +Arthur Rasmusson and Michael Buchel gave an overview of GPU Virtual Machine +(GVM) and how it works to allow virtual machine guests to run unmodified GPU +drivers (non-paravirtual) on ordinary GPUs such as those in laptops, desktops, +embedded devices, and servers. They also took some time to talk about ongoing +efforts to improve support for devices and areas of collaboration where we might +best provide support to QubesOS for integrating OpenMdev tools like GVM for +enhanced GPU virtualization. + +Puck Meerburg talked about +[Isolating GUIs with the power of Wayland](https://youtu.be/hkWWz3xGqS8?t=19969) She tried to answer the question if Qubes OS could replace its custom GUI -isolation protocol with Wayland while staying as performant and secure. -With the advent of Wayland, many strides have been made in the desktop -Linux space, limiting the effects a malicious application can have. -Gone are the days of every application being able to snoop on every keypress. -This presentation dived into the differences between X and Wayland, -and why it makes for a great fit in isolating operating systems like Qubes OS -and Spectrum. - -The next presentation was [PipeWire and Qubes Video Companion](https://youtu.be/hkWWz3xGqS8?t=22258) -held by Demi Marie Obenour. Her talk was about replacing the legacy -PulseAudio-based solution with a modern PipeWire-based one and replacing -camera pass-through with Qubes Video Companion. As Demi refereed Qubes OS -currently has poor support for audio and video capture. Audio capture -works if used properly, but is easy to misuse and its latency is excessive. -Video capture is not supported except via device pass-through, which raises -serious security concerns. +isolation protocol with Wayland while staying as performant and secure. With the +advent of Wayland, many strides have been made in the desktop Linux space, +limiting the effects a malicious application can have. Gone are the days of +every application being able to snoop on every keypress. This presentation dived +into the differences between X and Wayland, and why it makes for a great fit in +isolating operating systems like Qubes OS and Spectrum. + +The next presentation was +[PipeWire and Qubes Video Companion](https://youtu.be/hkWWz3xGqS8?t=22258) held +by Demi Marie Obenour. Her talk was about replacing the legacy PulseAudio-based +solution with a modern PipeWire-based one and replacing camera pass-through with +Qubes Video Companion. As Demi refereed Qubes OS currently has poor support for +audio and video capture. Audio capture works if used properly, but is easy to +misuse and its latency is excessive. Video capture is not supported except via +device pass-through, which raises serious security concerns. At the end of day one, there was a [Design session: graphical subsystem (GPU, Wayland)](https://youtu.be/hkWWz3xGqS8?t=24465) hosted by Marek Marczykowski-Górecki. During the design session, summit -participants discussed common problems connected to the graphical subsystem -and proposed the solutions and PoC that were checked during the hackathon on -day 3. +participants discussed common problems connected to the graphical subsystem and +proposed the solutions and PoC that were checked during the hackathon on day 3. -## Day 2 +### Day 2 -Day two started with [Welcome to Qubes OS Summit 2022 - Day 2](https://youtu.be/A9GrlQsQc7Q?t=418). -It was a short introduction held by Piotr Król who sum up the first day -and showed the agenda for the second day. +Day two started with +[Welcome to Qubes OS Summit 2022 - Day 2](https://youtu.be/A9GrlQsQc7Q?t=418). +It was a short introduction held by Piotr Król who sum up the first day and +showed the agenda for the second day. The first speaker of the second day was Wessel Klein Snakenborg who presented [How Dasharo coreboot-based firmware helps NovaCustom's customers](https://youtu.be/A9GrlQsQc7Q?t=1578). NovaCustom has previously experienced a number of problems related to the proprietary firmware of the laptop. In this talk, Wessel presented three cases in which Dasharo open-source coreboot-based firmware has played an important -role. The first case is about the desire for a modified fan curve. -The second case study concerns an application where the customer asked whether -it is possible to disable certain CPU options, which turned out to be necessary -for audio production. The third case is about the implementation of an own -startup logo in the firmware. - -In addition, there will be an explanation of the security aspects of the -Dasharo firmware that NovaCustom has recently started using. Thanks to the -growing active Dasharo community, the firmware can be increasingly optimized -to the needs of our users. Although Qubes OS already has a number of certified -laptop models, its hardware is often quite old. The need for newer hardware -that is fully compatible with Qubes OS is there, and this is where NovaCustom -could play a role with certified hardware and firmware that is fully adapted -with the Qubes OS operating system. - -The next presentation was [Qubes User Support Stories](https://youtu.be/A9GrlQsQc7Q?t=3148) -held by nestire. Nestire tried to answer the following questions during his +role. The first case is about the desire for a modified fan curve. The second +case study concerns an application where the customer asked whether it is +possible to disable certain CPU options, which turned out to be necessary for +audio production. The third case is about the implementation of an own startup +logo in the firmware. + +In addition, there will be an explanation of the security aspects of the Dasharo +firmware that NovaCustom has recently started using. Thanks to the growing +active Dasharo community, the firmware can be increasingly optimized to the +needs of our users. Although Qubes OS already has a number of certified laptop +models, its hardware is often quite old. The need for newer hardware that is +fully compatible with Qubes OS is there, and this is where NovaCustom could play +a role with certified hardware and firmware that is fully adapted with the Qubes +OS operating system. + +The next presentation was +[Qubes User Support Stories](https://youtu.be/A9GrlQsQc7Q?t=3148) held by +nestire. Nestire tried to answer the following questions during his presentation: -* What are the most common problems? -* Where lying the biggest security traps for users? -* What needs to be done to enable a user who really should use Qubes? + +- What are the most common problems? +- Where lying the biggest security traps for users? +- What needs to be done to enable a user who really should use Qubes? After a short break, Tobias Killer presented his presentation about -[Qubes OS Documentation Localization](https://youtu.be/A9GrlQsQc7Q?t=5741). -The presentation covered the steps already taken, the current status, and the -future tasks connected to the Qubes OS documentation localization. -Tobias gave a brief look at the tech stack and the tools used to build -the proposed localization workflow. Tobias concluded with perspectives, the next -steps, and an invitation to participate in his project. -The ultimate goal of this endeavor is the continuous localization, -and therefore the rapid and reliable delivery of high-quality translations. - -Michał Żygowski talked about [Qubes OS on modern Alder Lake desktop](https://youtu.be/A9GrlQsQc7Q?t=8152) +[Qubes OS Documentation Localization](https://youtu.be/A9GrlQsQc7Q?t=5741). The +presentation covered the steps already taken, the current status, and the future +tasks connected to the Qubes OS documentation localization. Tobias gave a brief +look at the tech stack and the tools used to build the proposed localization +workflow. Tobias concluded with perspectives, the next steps, and an invitation +to participate in his project. The ultimate goal of this endeavor is the +continuous localization, and therefore the rapid and reliable delivery of +high-quality translations. + +Michał Żygowski talked about +[Qubes OS on modern Alder Lake desktop](https://youtu.be/A9GrlQsQc7Q?t=8152) There are very few desktop platforms that are user-controllable through open-source firmware. Moreover, they haven't necessarily been tested with Qubes OS. However, the recent initiative to port a modern Alder Lake desktop to @@ -174,12 +179,13 @@ coreboot opened a new door for privacy and security respecting machines capable of running Qubes OS. In this presentation, Michał showed a demo of Dasharo distribution compatible with Alder Lake-S desktop MSI PRO Z690-A WIFI DDR4 running Qubes OS. He also described new updates to Dasharo firmware and -challenges awaiting future development. Michał also presented how Dasharo -plans to meet the future Qubes certification requirements and approaches -the openness of the firmware based on the Dasharo Openness Score of various -supported platforms. +challenges awaiting future development. Michał also presented how Dasharo plans +to meet the future Qubes certification requirements and approaches the openness +of the firmware based on the Dasharo Openness Score of various supported +platforms. -The next presentation was [Qubes OS: Towards Being a Reasonably Learnable System](https://youtu.be/A9GrlQsQc7Q?t=14609) +The next presentation was +[Qubes OS: Towards Being a Reasonably Learnable System](https://youtu.be/A9GrlQsQc7Q?t=14609) held by Deeplow. It was following up on last year's presentation. Deeplow presented the final work for his contribution proposal for an integrated onboarding tutorial for Qubes OS. @@ -187,8 +193,8 @@ onboarding tutorial for Qubes OS. [TrenchBoot - the only AEM-way to boot Qubes OS](https://youtu.be/A9GrlQsQc7Q?t=17441) was a second presentation held by Michał Żygowski. The presentation described the project plan of improving and extending the Qubes OS AEM with TrenchBoot -covering both Intel and AMD hardware, TPM 1.2 and 2.0. The goal is to unify -the D-RTM early launch and Anti Evil Maid software to secure the Qubes OS boot +covering both Intel and AMD hardware, TPM 1.2 and 2.0. The goal is to unify the +D-RTM early launch and Anti Evil Maid software to secure the Qubes OS boot process for basically any hardware device (as long as it supports the required technologies). The presenter will give a detailed overview of project phases and tasks to be fulfilled as well as the cost outline. In the end, a short demo of @@ -197,43 +203,45 @@ TPM1.2 will be shown. After the short break Brent Cowing was talking about [Secure hardware for a secure operating system](https://youtu.be/A9GrlQsQc7Q?t=19620). -In this session, Brent discussed why we should care about open source -firmware and the ways we can reduce the risk of firmware persistent malware. -As the world is evermore consumed by detecting and preventing ransomware and -other financially damaging attacks on systems and organizations, far too little +In this session, Brent discussed why we should care about open source firmware +and the ways we can reduce the risk of firmware persistent malware. As the world +is evermore consumed by detecting and preventing ransomware and other +financially damaging attacks on systems and organizations, far too little attention has been paid to an attack surface common to every single vulnerability - firmware. It’s time for the firmware to be open source and secure. The last presentation was held by Michał Kopeć who was talking about [Dasharo vs vendor firmware performance on QubesOS - a comparison](https://youtu.be/A9GrlQsQc7Q?t=25694). -The presentation compared performance between Dasharo and Vendor BIOSes -on Dasharo-supported platforms, in the context of QubesOS usage. Michał -attempted to present the most significant differences that an end user -will see when installing Dasharo over the original proprietary firmware. -In this presentation, Michał showed the differences in performance as measured -by a set of benchmarks, and talk about what causes them and what challenges -there are to bring performance to a state that is competitive with the vendor -BIOS. Michał also discussed how these differences may impact QubesOS users. +The presentation compared performance between Dasharo and Vendor BIOSes on +Dasharo-supported platforms, in the context of QubesOS usage. Michał attempted +to present the most significant differences that an end user will see when +installing Dasharo over the original proprietary firmware. In this presentation, +Michał showed the differences in performance as measured by a set of benchmarks, +and talk about what causes them and what challenges there are to bring +performance to a state that is competitive with the vendor BIOS. Michał also +discussed how these differences may impact QubesOS users. During the second day, Marek Marczykowski-Górecki hosted the [Design session: hardware requirements, firmware security](https://youtu.be/A9GrlQsQc7Q?t=21769). -During this design session, participants discussed the requirements of the -Qubes OS certification for new platforms. +During this design session, participants discussed the requirements of the Qubes +OS certification for new platforms. -## Hackathon +### Hackathon The last day was the time to talk and code projects connected to the topics -discussed during the design sessions. The topics were split into themes: -GPU, and Qubes OS certifications requirements for the software and for -the hardware. It was a productive time that allows us to exchange our -experiences. If you're interested in what we've done during this session I encourage you to take -a look at [the Hackathon highlights](https://youtu.be/gnWHjv-9_YM?t=109). +discussed during the design sessions. The topics were split into themes: GPU, +and Qubes OS certifications requirements for the software and for the hardware. +It was a productive time that allows us to exchange our experiences. If you're +interested in what we've done during this session I encourage you to take a look +at [the Hackathon highlights](https://youtu.be/gnWHjv-9_YM?t=109). -## Summary +### Summary If you think we can help in improving the security of your firmware or you looking for someone who can boost your product by leveraging advanced features -of the used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us an email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) +of the used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us an email to `contact3mdebcom`. If you are interested in similar +content feel free to +[sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2023-01-30-3mdeb-insights-winter-2023.md b/blog/content/post/2023-01-30-3mdeb-insights-winter-2023.md index 8565ab41..c20c0812 100644 --- a/blog/content/post/2023-01-30-3mdeb-insights-winter-2023.md +++ b/blog/content/post/2023-01-30-3mdeb-insights-winter-2023.md @@ -25,8 +25,8 @@ categories: This blog post will provide an in-depth look at upcoming plans and events for the near future. In the next quarter, we have several exciting events planned for the 3mdeb community. Our events aim to provide a platform for members to -connect, share knowledge, and stay informed about the latest developments in -the open-source ecosystem. +connect, share knowledge, and stay informed about the latest developments in the +open-source ecosystem. ## Upcoming events @@ -34,116 +34,113 @@ the open-source ecosystem. ### FOSDEM 2023 -FOSDEM is a large, annual event for open-source software developers that -takes place in Brussels, Belgium on February 4th and 5th. It is an opportunity -for developers from all over the world to come together, share ideas, and -learn about the latest open-source technologies. This year, together with -Daniel Kiper from Oracle, 3mdeb will co-host an "Open Source Firmware, BMC, -and Bootloader Devroom" to showcase their contributions to the open-source -ecosystem and connect with other developers. Additionally, 3mdeb engineers -will be present to share their knowledge with attendees. +FOSDEM is a large, annual event for open-source software developers that takes +place in Brussels, Belgium on February 4th and 5th. It is an opportunity for +developers from all over the world to come together, share ideas, and learn +about the latest open-source technologies. This year, together with Daniel Kiper +from Oracle, 3mdeb will co-host an "Open Source Firmware, BMC, and Bootloader +Devroom" to showcase their contributions to the open-source ecosystem and +connect with other developers. Additionally, 3mdeb engineers will be present to +share their knowledge with attendees. [Maciej Pijanowski](https://twitter.com/macpijan) will discuss the [TwTPM project](https://twpm.dasharo.com/), which aims to increase the -trustworthiness of TPM modules by providing open-source firmware compliant -with TCG PC Client Specification. TPMs enable security features such as -measured boot and verified boot, but the market is dominated by proprietary -firmware. The presentation will detail the project's goals, design, -challenges, and status, also extend the -[existing community](https://matrix.to/#/#twpm:matrix.org), and exchange ideas. - -[Tomasz Żyjewski](https://twitter.com/tomzy_0) will provide an overview of -the Secure Boot feature on ARM SoCs, which is a BootROM feature that allows -for the verification of loaded binaries before execution to prevent -untrusted code from running on the platform. This talk is a follow-up to -previous Maciej's FOSDEM talk: +trustworthiness of TPM modules by providing open-source firmware compliant with +TCG PC Client Specification. TPMs enable security features such as measured boot +and verified boot, but the market is dominated by proprietary firmware. The +presentation will detail the project's goals, design, challenges, and status, +also extend the [existing community](https://matrix.to/#/#twpm:matrix.org), and +exchange ideas. + +[Tomasz Żyjewski](https://twitter.com/tomzy_0) will provide an overview of the +Secure Boot feature on ARM SoCs, which is a BootROM feature that allows for the +verification of loaded binaries before execution to prevent untrusted code from +running on the platform. This talk is a follow-up to previous Maciej's FOSDEM +talk: [Overview of Secure Boot state in the ARM-based SoCs](https://archive.fosdem.org/2021/schedule/event/tee_arm_secboot/). The approach is similar across vendors, but the Secure Boot feature on ARM SoCs -has no standardization. We will check the status of the Secure Boot feature -from a year ago and expand on it by describing examples on Rockchip and -Mediatek-based boards. This talk will help developers integrate Secure Boot -into their platforms for increased security in embedded devices. - -[Michał Żygowski](https://twitter.com/_miczyg_) will be presenting -the highly-anticipated "AMD Open-Source Firmware Report" at FOSDEM 2023. -This annual talk unofficially referred to as the annual AMD open-source firmware -report from 3mdeb, has long been a tradition in the open-source firmware -community and is eagerly awaited by developers and enthusiasts alike. -This could be confirmed by several Phoronix publications from previous years +has no standardization. We will check the status of the Secure Boot feature from +a year ago and expand on it by describing examples on Rockchip and +Mediatek-based boards. This talk will help developers integrate Secure Boot into +their platforms for increased security in embedded devices. + +[Michał Żygowski](https://twitter.com/_miczyg_) will be presenting the +highly-anticipated "AMD Open-Source Firmware Report" at FOSDEM 2023. This annual +talk unofficially referred to as the annual AMD open-source firmware report from +3mdeb, has long been a tradition in the open-source firmware community and is +eagerly awaited by developers and enthusiasts alike. This could be confirmed by +several Phoronix publications from previous years ([2020](https://www.phoronix.com/news/AMD-Coreboot-In-Early-2020), [2021](https://www.phoronix.com/news/Open-Source-AMD-FW-2021), [2022](https://www.phoronix.com/news/AMD-OSF-2022)) which covered the event. -During the talk, Michał will reveal the latest updates and developments in -the field of open-source firmware for AMD platforms, including the history -of AMD's cooperation in coreboot projects, and the current state of support -for modern mobile Ryzen chips on Chromebook devices. He will also unveil -a plan for long-term, stable, and sustainable support for older platforms. -Additionally, the talk will highlight the efforts of 3mdeb to support the -AMD platforms and the situation of maintaining PC Engines platforms. -This is a must-attend event for anyone interested in open-source firmware, -BMC, and bootloader development. +During the talk, Michał will reveal the latest updates and developments in the +field of open-source firmware for AMD platforms, including the history of AMD's +cooperation in coreboot projects, and the current state of support for modern +mobile Ryzen chips on Chromebook devices. He will also unveil a plan for +long-term, stable, and sustainable support for older platforms. Additionally, +the talk will highlight the efforts of 3mdeb to support the AMD platforms and +the situation of maintaining PC Engines platforms. This is a must-attend event +for anyone interested in open-source firmware, BMC, and bootloader development. ![dasharo-logo](/img/Dasharo-logo.svg) ### Dasharo User Group (DUG) #1 -The Dasharo User Group (DUG) is an important forum for users of Dasharo to -come together, share their knowledge, and stay informed about the latest -developments in the Dasharo ecosystem. The DUG is a platform for users to -connect and learn about new features and updates that are coming to Dasharo. -The first DUG event will take place in early March and will include a variety -of discussions on different topics related to Dasharo. The agenda for the event -will be shared in the next month. The event will be a great opportunity for -Dasharo users to meet other users, learn new things, and share their -knowledge and experience with others. +The Dasharo User Group (DUG) is an important forum for users of Dasharo to come +together, share their knowledge, and stay informed about the latest developments +in the Dasharo ecosystem. The DUG is a platform for users to connect and learn +about new features and updates that are coming to Dasharo. The first DUG event +will take place in early March and will include a variety of discussions on +different topics related to Dasharo. The agenda for the event will be shared in +the next month. The event will be a great opportunity for Dasharo users to meet +other users, learn new things, and share their knowledge and experience with +others. ### Dasharo Developers vPub 0x6 -The Dasharo Developers vPub will be a follow-up event to DUG#1 and will -provide a space for developers to engage in more informal conversations -and discussions that may not have been covered during DUG#1. The vPub is -designed to be a less structured, more relaxed environment where developers -can discuss topics that are of interest to them. This can include off-topic -discussions, technical challenges they are facing, and ideas for new features -or improvements. - -It all started with a small meeting after the virtual FOSDEM in 2021. -The ongoing pandemic had forced conferences to be held online and pub talks -were a thing of the past. But a group of open-source enthusiasts saw an -opportunity to come together and create something new. They organized -a small event to fill the void left by the lack of in-person gatherings. -Fast forward to 2023, and that small event has grown into a thriving community. -3mdeb has hosted five events that have brought together experts and enthusiasts -from all over the world. Each event has been a chance for the community to -come together, share knowledge, and learn about the latest developments in the -field of open-source firmware. +The Dasharo Developers vPub will be a follow-up event to DUG#1 and will provide +a space for developers to engage in more informal conversations and discussions +that may not have been covered during DUG#1. The vPub is designed to be a less +structured, more relaxed environment where developers can discuss topics that +are of interest to them. This can include off-topic discussions, technical +challenges they are facing, and ideas for new features or improvements. + +It all started with a small meeting after the virtual FOSDEM in 2021. The +ongoing pandemic had forced conferences to be held online and pub talks were a +thing of the past. But a group of open-source enthusiasts saw an opportunity to +come together and create something new. They organized a small event to fill the +void left by the lack of in-person gatherings. Fast forward to 2023, and that +small event has grown into a thriving community. 3mdeb has hosted five events +that have brought together experts and enthusiasts from all over the world. Each +event has been a chance for the community to come together, share knowledge, and +learn about the latest developments in the field of open-source firmware. The vPub is open to all who are interested in Dasharo and want to learn more -about the platform. If you're curious about what was discussed in -previous vPubs, you can find a list of past topics on the Dasharo vPub -[page](https://vpub.dasharo.com). This will give you an idea -of the types of conversations that take place during the vPub and help you -decide if it's something you would like to participate in. +about the platform. If you're curious about what was discussed in previous +vPubs, you can find a list of past topics on the Dasharo vPub +[page](https://vpub.dasharo.com). This will give you an idea of the types of +conversations that take place during the vPub and help you decide if it's +something you would like to participate in. Overall, the Dasharo Developers vPub is an excellent opportunity to learn more about Dasharo and connect with others. Whether you're an experienced developer -or just an open-source enthusiast, the vPub is open to everyone and provides -a valuable forum for learning and collaboration. +or just an open-source enthusiast, the vPub is open to everyone and provides a +valuable forum for learning and collaboration. ## Summary -Unlock the power of your hardware and protect your firmware with the -experts at 3mdeb. Join us at our upcoming events and share your knowledge -with like-minded individuals in the -[Dasharo space on Matrix](https://matrix.to/#/#dasharo:matrix.org). -Don't miss out on the latest developments and insights - +Unlock the power of your hardware and protect your firmware with the experts at +3mdeb. Join us at our upcoming events and share your knowledge with like-minded +individuals in the +[Dasharo space on Matrix](https://matrix.to/#/#dasharo:matrix.org). Don't miss +out on the latest developments and insights - [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) to stay informed. Ready to take your product to the next level? Let our team of experts help you unlock the full potential of your hardware and secure your firmware. [Book a consulting call](https://calendly.com/3mdeb/consulting-remote-meeting) -with us or drop us an email at `contact3mdebcom` to start unlocking -the hidden benefits of your hardware. Don't settle for just any solution, -choose 3mdeb for the best results! +with us or drop us an email at `contact3mdebcom` to start unlocking the +hidden benefits of your hardware. Don't settle for just any solution, choose +3mdeb for the best results! diff --git a/blog/content/post/2023-01-31-trenchboot-aem-for-qubesos.md b/blog/content/post/2023-01-31-trenchboot-aem-for-qubesos.md index a25c74da..319cbe69 100644 --- a/blog/content/post/2023-01-31-trenchboot-aem-for-qubesos.md +++ b/blog/content/post/2023-01-31-trenchboot-aem-for-qubesos.md @@ -32,7 +32,7 @@ categories: --- -# Introduction +## Introduction As Qubes OS users, promoters, and developers, we understand how essential it is to be aware of the latest developments in maintaining the security of your @@ -41,8 +41,8 @@ TrenchBoot Project into Qubes OS's new Anti-Evil Maid (AEM) implementation. As you may know, traditional firmware security measures like UEFI Secure Boot and measured boot, even with a Static Root of Trust (SRT), may only sometimes be enough to ensure a completely secure environment for your operating system. -Compromised firmware may allow for the injection of malicious software into -your system, making it difficult to detect. To overcome these limitations, many +Compromised firmware may allow for the injection of malicious software into your +system, making it difficult to detect. To overcome these limitations, many silicon vendors have started implementing Dynamic Root of Trust (DRT) technologies to establish a secure environment for operating system launch and integrity measurements. We're excited to take advantage of these advancements @@ -50,7 +50,8 @@ through integration with the [TrenchBoot Project](https://trenchboot.org/). The usage of DRT technologies like Intel Trusted Execution Technology (TXT) or AMD Secure Startup is becoming more and more significant; for example, Dynamic -Root of Trust for Measurement (DRTM) requirements of [Microsoft Secured Core PCs](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure#what-makes-a-secured-core-pc). +Root of Trust for Measurement (DRTM) requirements of +[Microsoft Secured Core PCs](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure#what-makes-a-secured-core-pc). DRTM has yet to find its place in open-source projects, but that gradually changes. The demand for having firmware-independent Roots of Trust is increasing, and projects that satisfy this demand are growing TrenchBoot is a @@ -73,9 +74,9 @@ implementation by default. The post will present the TrenchBoot solution for Qubes OS AEM replacing the current TPM 1.2 and Intel TXT-only implementation. The advantage of TrenchBoot -solution over existing [Trusted Boot](https://sourceforge.net/p/tboot/wiki/Home/) -is the easier future integration of AMD platform support, as well as TPM 2.0 -and UEFI mode support. +solution over existing +[Trusted Boot](https://sourceforge.net/p/tboot/wiki/Home/) is the easier future +integration of AMD platform support, as well as TPM 2.0 and UEFI mode support. Before we dive into the technical details, it is important to highlight that this achievement was made possible through the generous contributions of Qubes @@ -85,31 +86,30 @@ system. To continue supporting Qubes OS, please consider donating through [OpenCollective page](https://opencollective.com/qubes-os). Thank you for your continued support! -# Modificationts to original Qubes OS AEM +## Modificationts to original Qubes OS AEM -To replace the original implementation of Qubes OS AE -there weren't any AEM scripts modifications necessary. What actually had to -change is GRUB and Xen Hypervisor (and Trusted Boot - to be removed). Why? one -may ask... First of all, one must understand the role of a Trusted Boot -(TBOOT). +To replace the original implementation of Qubes OS AE there weren't any AEM +scripts modifications necessary. What actually had to change is GRUB and Xen +Hypervisor (and Trusted Boot - to be removed). Why? one may ask... First of all, +one must understand the role of a Trusted Boot (TBOOT). -## Trusted Boot DRTM flow +### Trusted Boot DRTM flow ![Breakout of measured launch details](/img/txt_launch2.jpg) -> Source: *[A Practical Guide to TPM 2.0](https://link.springer.com/book/10.1007/978-1-4302-6584-9)* +> Source: +> *[A Practical Guide to TPM 2.0](https://link.springer.com/book/10.1007/978-1-4302-6584-9)* The main role of Trusted Boot was to prepare a platform to be launched with Intel TXT (Intel's DRTM technology) in an operating system agnostic way. It has been achieved by loading a tboot kernel with Multiboot protocol and the other -system components as the modules. That way, TBOOT is the main kernel that -starts first and prepares the platform for TXT launch. When the platform is -ready, then tboot performs the TXT launch. The control is passed to SINIT -Authenticated Code Module (ACM), a binary signed and provided by Intel designed -for DRTM technology. SINIT ACM uses TXT to measure the operating system -components in a secure manner. Then the control is handed back to the tboot -kernel, which checks if the operation was successful and boots the target -operating system. +system components as the modules. That way, TBOOT is the main kernel that starts +first and prepares the platform for TXT launch. When the platform is ready, then +tboot performs the TXT launch. The control is passed to SINIT Authenticated Code +Module (ACM), a binary signed and provided by Intel designed for DRTM +technology. SINIT ACM uses TXT to measure the operating system components in a +secure manner. Then the control is handed back to the tboot kernel, which checks +if the operation was successful and boots the target operating system. Although the tboot tried to be as OS agnostic as possible, some tboot presence awareness from the operating system is needed because the application processor @@ -120,28 +120,29 @@ which OS must call into to start the processor cores. Only then OS may initialize the processor per its own requirements. As one can see, the process is complex in the case of Intel TXT. Migration of -all tboot responsibilities was not trivial and has been divided into the work -on both GRUB and Xen Hypervisor side of Qubes OS. +all tboot responsibilities was not trivial and has been divided into the work on +both GRUB and Xen Hypervisor side of Qubes OS. -## GRUB modifications +### GRUB modifications -![](/img/grub_logo.png) +![img](/img/grub_logo.png) -In order to fulfill the same role as tboot, GRUB had to learn how to prepare -the platform and perform the TXT launch. Most of the work for that particular -part has been done by [Oracle Team working on TrenchBoot for GRUB](https://www.mail-archive.com/grub-devel@gnu.org/msg30167.html). +In order to fulfill the same role as tboot, GRUB had to learn how to prepare the +platform and perform the TXT launch. Most of the work for that particular part +has been done by +[Oracle Team working on TrenchBoot for GRUB](https://www.mail-archive.com/grub-devel@gnu.org/msg30167.html). That work, however, covered the Linux kernel TXT launch only. What still had to be done was the Multiboot2 protocol support in GRUB to be able to TXT launch a Xen Hypervisor. The patches have been prepared for the respective Qubes GRUB [package](https://github.com/3mdeb/qubes-grub2/pull/2). -## Xen modifications +### Xen modifications -![](/img/xen_project_logo.png) +![img](/img/xen_project_logo.png) -Analogically to GRUB, Xen had to take over some responsibilities from tboot. -Due to the Intel TXT requirements for the boot process, a new entry point had -to be developed to which SINIT ACM will return control. The new entry point was +Analogically to GRUB, Xen had to take over some responsibilities from tboot. Due +to the Intel TXT requirements for the boot process, a new entry point had to be +developed to which SINIT ACM will return control. The new entry point was responsible for saving information that a TXT launch happened and cleaning up the processor state so that the booting of the Xen kernel could continue with the standard Multiboot2 path. Among others, if Xen detected TXT launch, it had @@ -150,22 +151,25 @@ from TrenchBoot Linux patches to Xen native code) and measure external components before using them (that is the Xen parameters, Dom0 Linux kernel, initrd and Dom0 parameters). Xen also had to reserve the memory regions used by Intel TXT, as when tboot was used. The relevant source code for the respective -Qubes Xen package is available [here](https://github.com/3mdeb/qubes-vmm-xen/pull/1). +Qubes Xen package is available +[here](https://github.com/3mdeb/qubes-vmm-xen/pull/1). -# Installation and verification of TrenchBoot AEM on Qubes OS +## Installation and verification of TrenchBoot AEM on Qubes OS For a seamless deployment and installation of TrenchBoot AEM, the modifications Qubes OS components compilation. Those patches have been presented earlier with have been converted to patches which are applied to projects' sources during -links to Pull Requests. It allows building ready-to-use RPM packages that can -be installed directly on an installed Qubes OS system. The pre-built packages -can be downloaded from [here](https://3mdeb.com/open-source-firmware/QubesOS/trenchboot_aem_poc/). -The packages have been covered with SHA512 sums signed with 3mdeb's -`Qubes OS TrenchBoot AEM open-source software release 0.x signing key` -available on [3mdeb-secpack repository](https://github.com/3mdeb/3mdeb-secpack/blob/master/open-source-software/qubes-os-trenchboot-aem-open-source-software-release-0.x-signing-key.asc). +links to Pull Requests. It allows building ready-to-use RPM packages that can be +installed directly on an installed Qubes OS system. The pre-built packages can +be downloaded from +[here](https://3mdeb.com/open-source-firmware/QubesOS/trenchboot_aem_poc/). The +packages have been covered with SHA512 sums signed with 3mdeb's +`Qubes OS TrenchBoot AEM open-source software release 0.x signing key` available +on +[3mdeb-secpack repository](https://github.com/3mdeb/3mdeb-secpack/blob/master/open-source-software/qubes-os-trenchboot-aem-open-source-software-release-0.x-signing-key.asc). To verify the RPM packages, fetch the key with the following command: -``` +```bash gpg --fetch https://raw.githubusercontent.com/3mdeb/3mdeb-secpack/master/open-source-software/qubes-os-trenchboot-aem-open-source-software-release-0.x-signing-key.asc ``` @@ -204,19 +208,21 @@ Note, in order to use the TrenchBoot AEM for Qubes OS, you have to own a TXT-capable platform with TXT-enabled firmware offering legacy boot. Such platform can be Dell OptiPlex 7010. You can visit [Dasharo with Intel TXT support blog post](https://blog.3mdeb.com/2022/2022-03-17-optiplex-txt/) -to learn more about such hardware and firmware. If you want to get OptiPlex -with Dasharo pre-installed, you can get one from +to learn more about such hardware and firmware. If you want to get OptiPlex with +Dasharo pre-installed, you can get one from [3mdeb shop](https://3mdeb.com/shop/open-source-hardware/dasharo-dell-optiplex-7010-sff-i3-i7-8gb-32gb-ram-copy/). -## Building Xen and GRUB packages +### Building Xen and GRUB packages -If you are not interested in compilation, skip to the [next section](#installing-xen-and-grub-packages). +If you are not interested in compilation, skip to the +[next section](#installing-xen-and-grub-packages). -To not make the post excessively long, the procedure for building packages -has been put into [TrenchBoot SDK documentation](https://github.com/TrenchBoot/trenchboot-sdk/blob/3d56ca7b27bb038629fd838819a1050006725a1e/Documentation/build_qubes_packages.md). +To not make the post excessively long, the procedure for building packages has +been put into +[TrenchBoot SDK documentation](https://github.com/TrenchBoot/trenchboot-sdk/blob/3d56ca7b27bb038629fd838819a1050006725a1e/Documentation/build_qubes_packages.md). Follow the instructions in the file to build the TrenchBoot AEM packages. -## Installing Xen and GRUB packages +### Installing Xen and GRUB packages The following process was carried out and tested on [Qubes OS 4.2](https://openqa.qubes-os.org/tests/55506#downloads). @@ -225,78 +231,89 @@ In order to install the packages one has to send the Xen and GRUB RPMs to the Dom0. Please note that moving any external files or data to Dom0 is potentially dangerous. Ensure that your environment is safe and the RPMs have the right checksums after copying them to Dom0. If you don't know how to copy files to -Dom0, refer to the [Qubes OS documentation](https://www.qubes-os.org/doc/how-to-copy-from-dom0/#copying-to-dom0). +Dom0, refer to the +[Qubes OS documentation](https://www.qubes-os.org/doc/how-to-copy-from-dom0/#copying-to-dom0). 1. Even before installing packages, it is required to enable the `current-testing` repository to avoid the need to install additional dependencies: - ```bash - sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing - ``` + ```bash + sudo qubes-dom0-update --enablerepo=qubes-dom0-current-testing + ``` -2. If the RPMs are inside Dom0, install them with the following command +1. If the RPMs are inside Dom0, install them with the following command (assuming you downloaded all of them to one directory): - ```bash - sudo dnf update \ - python3-xen-4.17.0-3.fc32.x86_64.rpm \ - xen-4.17.0-3.fc32.x86_64.rpm \ - xen-hypervisor-4.17.0-3.fc32.x86_64.rpm \ - xen-libs-4.17.0-3.fc32.x86_64.rpm \ - xen-licenses-4.17.0-3.fc32.x86_64.rpm \ - xen-runtime-4.17.0-3.fc32.x86_64.rpm \ - grub2-common-2.06-1.fc32.noarch.rpm \ - grub2-pc-modules-2.06-1.fc32.noarch.rpm \ - grub2-pc-2.06-1.fc32.x86_64.rpm \ - grub2-tools-2.06-1.fc32.x86_64.rpm \ - grub2-tools-extra-2.06-1.fc32.x86_64.rpm \ - grub2-tools-minimal-2.06-1.fc32.x86_64.rpm - ``` - -3. Invoke `sudo grub2-install /dev/sdX`, where X is the letter representing the + ```bash + sudo dnf update \ + python3-xen-4.17.0-3.fc32.x86_64.rpm \ + xen-4.17.0-3.fc32.x86_64.rpm \ + xen-hypervisor-4.17.0-3.fc32.x86_64.rpm \ + xen-libs-4.17.0-3.fc32.x86_64.rpm \ + xen-licenses-4.17.0-3.fc32.x86_64.rpm \ + xen-runtime-4.17.0-3.fc32.x86_64.rpm \ + grub2-common-2.06-1.fc32.noarch.rpm \ + grub2-pc-modules-2.06-1.fc32.noarch.rpm \ + grub2-pc-2.06-1.fc32.x86_64.rpm \ + grub2-tools-2.06-1.fc32.x86_64.rpm \ + grub2-tools-extra-2.06-1.fc32.x86_64.rpm \ + grub2-tools-minimal-2.06-1.fc32.x86_64.rpm + ``` + +1. Invoke `sudo grub2-install /dev/sdX`, where X is the letter representing the disk with `/boot` partition. -4. Additionally, you will have to download SINIT ACM and place it in `/boot` + +1. Additionally, you will have to download SINIT ACM and place it in `/boot` partition/directory so that GRUB will be able to pick it up. Note it is only - necessary if your firmware/BIOS does not include/place SINIT ACM in the - Intel TXT region. You may obtain all SINIT ACMs as described + necessary if your firmware/BIOS does not include/place SINIT ACM in the Intel + TXT region. You may obtain all SINIT ACMs as described [here](https://github.com/QubesOS/qubes-antievilmaid/blob/7561a4d724b9b0df8ba48d8f2735d3754961f87b/README#L177). Copy the SINIT ACM suitable for your platform to `/boot` directory. In the case of Dell OptiPlex it will be `SNB_IVB_SINIT_20190708_PW.bin`. -5. Install Qubes AEM packages with the following command because Qubes OS 4.2 + +1. Install Qubes AEM packages with the following command because Qubes OS 4.2 lacks AEM packages: - ```bash - qubes-dom0-update --enablerepo=qubes-dom0-current-testing anti-evil-maid - ``` - -6. Enter the SeaBIOS TPM menu (hotkey `t`) and choose the clear TPM option. - Then activate and enable the TPM by selecting the appropriate options. If in - any case you are using proprietary firmware, clear the TPM and then enable - and activate it in the firmware setup application. -7. Follow the steps in [set up TPM for AEM](https://github.com/QubesOS/qubes-antievilmaid/blob/7561a4d724b9b0df8ba48d8f2735d3754961f87b/README#L147). -8. The anti-evil-maid script may not work with LUKS2 in its current state, so - make a fix according to this [Pull Request](https://github.com/QubesOS/qubes-antievilmaid/pull/41/files) + ```bash + qubes-dom0-update --enablerepo=qubes-dom0-current-testing anti-evil-maid + ``` + +1. Enter the SeaBIOS TPM menu (hotkey `t`) and choose the clear TPM option. Then + activate and enable the TPM by selecting the appropriate options. If in any + case you are using proprietary firmware, clear the TPM and then enable and + activate it in the firmware setup application. + +1. Follow the steps in + [set up TPM for AEM](https://github.com/QubesOS/qubes-antievilmaid/blob/7561a4d724b9b0df8ba48d8f2735d3754961f87b/README#L147). + +1. The anti-evil-maid script may not work with LUKS2 in its current state, so + make a fix according to this + [Pull Request](https://github.com/QubesOS/qubes-antievilmaid/pull/41/files) if needed. -9. Now it is possible to [setup Qubes OS AEM device](https://github.com/QubesOS/qubes-antievilmaid/blob/7561a4d724b9b0df8ba48d8f2735d3754961f87b/README#L202). + +1. Now it is possible to + [setup Qubes OS AEM device](https://github.com/QubesOS/qubes-antievilmaid/blob/7561a4d724b9b0df8ba48d8f2735d3754961f87b/README#L202). This will create the AEM entry in Qubes GRUB, but this entry is using tboot. -10. You will need to edit the grub configuration file (`/boot/grub2/grub.cfg`) - by copying the standard Qubes OS entry (without AEM) and adding: - ```bash - slaunch - slaunch_module / - ``` +1. You will need to edit the grub configuration file (`/boot/grub2/grub.cfg`) by + copying the standard Qubes OS entry (without AEM) and adding: + + ```bash + slaunch + slaunch_module / + ``` - before the `multiboot2` directive, which loads Xen Hypervisor. Name the - entry differently, e.g. `Qubes OS with TrenchBoot AEM`. Also, you will need - to copy the AEM parameters for the Linux kernel: e.g.: + before the `multiboot2` directive, which loads Xen Hypervisor. Name the entry + differently, e.g. `Qubes OS with TrenchBoot AEM`. Also, you will need to copy + the AEM parameters for the Linux kernel: e.g.: - ```txt - aem.uuid=38474da6-7b2d-410d-95e6-8683005fb23f rd.luks.key=/tmp/aem-keyfile rd.luks.crypttab=no - ``` - We are still working on automating this step, so please bear with the - manual file edition for now. + ```bashtxt + aem.uuid=38474da6-7b2d-410d-95e6-8683005fb23f rd.luks.key=/tmp/aem-keyfile rd.luks.crypttab=no + ``` + + We are still working on automating this step, so please bear with the manual + file edition for now. Example GRUB entry: @@ -332,41 +349,41 @@ the TrenchBoot AEM entry in case `grub2-mkconfig` will be called to overwrite Linux, and initrd updates which may include security fixes. Making the `grub.cfg` seamless for TrenchBoot is still in progress. -## Verifying TrenchBoot AEM for Qubes OS +### Verifying TrenchBoot AEM for Qubes OS The moment of truth has come. If the installation has been performed successfully, it is time to try out the TXT launch. So reboot the platform and -choose the newly created entry with TrenchBoot. If it succeeds, you should get -a TPM SRK and LUKS password prompts. +choose the newly created entry with TrenchBoot. If it succeeds, you should get a +TPM SRK and LUKS password prompts. -After the system boots, one may check if DRTM PCRs (17 and 18, 19 is not used -by TrenchBoot for now) have been populated: +After the system boots, one may check if DRTM PCRs (17 and 18, 19 is not used by +TrenchBoot for now) have been populated: -``` -cat /sys/class/tpm/tpm0/pcrs -PCR-00: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75 -PCR-01: 4D E4 B0 42 71 50 E4 B1 DE C0 D7 F1 A0 29 A2 65 11 30 72 FD -PCR-02: CE EA EC 0A 01 D5 7B A3 55 5A 4C 02 59 4A EE A1 C9 41 78 FB -PCR-03: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75 -PCR-04: 01 7A 3D E8 2F 4A 1B 77 FC 33 A9 03 FE F6 AD 27 EE 92 BE 04 -PCR-05: BF 4E 38 B0 A7 7A 7A 4D 1A A9 B5 0F 59 D8 E5 F7 A6 46 8E 48 -PCR-06: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75 -PCR-07: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75 -PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -PCR-09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -PCR-10: 9A 51 66 4D EB 1C B9 72 91 87 59 C4 89 AC 9A FF 7F 10 BF B3 -PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -PCR-13: 10 78 D0 16 8C 85 85 3A 7E 0A A1 D7 56 02 A7 05 D4 7F 22 64 -PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -PCR-17: 2A C9 64 F2 E2 96 50 B3 1D B7 2F 77 C4 7C A6 5D AA C8 4E E7 -PCR-18: 84 4D D5 8D 95 EB 96 F6 CE 92 51 9C FD E2 33 45 71 C3 87 92 -PCR-19: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -PCR-20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -PCR-21: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -PCR-22: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +```bash +cat /sys/class/tpm/tpm0/pcrs +PCR-00: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75 +PCR-01: 4D E4 B0 42 71 50 E4 B1 DE C0 D7 F1 A0 29 A2 65 11 30 72 FD +PCR-02: CE EA EC 0A 01 D5 7B A3 55 5A 4C 02 59 4A EE A1 C9 41 78 FB +PCR-03: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75 +PCR-04: 01 7A 3D E8 2F 4A 1B 77 FC 33 A9 03 FE F6 AD 27 EE 92 BE 04 +PCR-05: BF 4E 38 B0 A7 7A 7A 4D 1A A9 B5 0F 59 D8 E5 F7 A6 46 8E 48 +PCR-06: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75 +PCR-07: 3A 3F 78 0F 11 A4 B4 99 69 FC AA 80 CD 6E 39 57 C3 3B 22 75 +PCR-08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +PCR-09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +PCR-10: 9A 51 66 4D EB 1C B9 72 91 87 59 C4 89 AC 9A FF 7F 10 BF B3 +PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +PCR-12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +PCR-13: 10 78 D0 16 8C 85 85 3A 7E 0A A1 D7 56 02 A7 05 D4 7F 22 64 +PCR-14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +PCR-15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +PCR-16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +PCR-17: 2A C9 64 F2 E2 96 50 B3 1D B7 2F 77 C4 7C A6 5D AA C8 4E E7 +PCR-18: 84 4D D5 8D 95 EB 96 F6 CE 92 51 9C FD E2 33 45 71 C3 87 92 +PCR-19: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +PCR-20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +PCR-21: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +PCR-22: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 PCR-23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ``` @@ -375,9 +392,9 @@ the secret you will have to perform the following steps after a successful boot with TrenchBoot: 1. Re-seal the secret `sudo anti-evil-maid-seal ""`. -2. Reboot the machine and notice that the anti-evil-maid service no longer - fails during boot. The secret should be displayed on the screen, indicating - the machine boots correctly and unseals the secret. +1. Reboot the machine and notice that the anti-evil-maid service no longer fails + during boot. The secret should be displayed on the screen, indicating the + machine boots correctly and unseals the secret. ## Summary @@ -389,6 +406,8 @@ to TrenchBoot (which seemed to not be possible with tboot only). If you think we can help in improving the security of your firmware or you are looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in -similar content, feel free to [sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content, feel free to +[sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2023-03-02-msi_ms7d25_v1.1.1_release.md b/blog/content/post/2023-03-02-msi_ms7d25_v1.1.1_release.md index eee6071b..5fd1eb59 100644 --- a/blog/content/post/2023-03-02-msi_ms7d25_v1.1.1_release.md +++ b/blog/content/post/2023-03-02-msi_ms7d25_v1.1.1_release.md @@ -16,10 +16,9 @@ tags: categories: - Firmware - --- -# Introduction +## Introduction Firstly, kudos to everybody who contributed to this release (in random order): [zirblazer](https://github.com/zirblazer), @@ -31,190 +30,191 @@ Dasharo Team. New year and new exciting news. Dasharo Team has just released a new version of Dasharo firmware compatible with MSI PRO Z690-A. Last v1.1.0 version was -released on 22th of November 2022, and after three months, the time has come -for v1.1.1. Let's see what's new. +released on 22th of November 2022, and after three months, the time has come for +v1.1.1. Let's see what's new. -## Why v1.1.1 and not v1.2.0? +### Why v1.1.1 and not v1.2.0? Last time we bumped the minor version from v1.0.0 to v1.1.0, it was dictated by the coreboot base revision change, which could make a significant impact on the -platform operation. Despite a huge changelog of the v1.1.0 version, the -coreboot revision change was the main reason why the minor version of the -release was updated. This time we did not change the coreboot base revision and -introduced fixes and features to the existing base. Thus only the patch version -has been updated from v1.1.0 to v1.1.1. We expect the next minor version change -to v1.2.0 when the coreboot base revision is updated to contain Raptor Lake-S -support in the near future. - -# Key changes in the new release - -The past three months were mostly spent on debugging and resolving issues reported -by the community on Matrix and +platform operation. Despite a huge changelog of the v1.1.0 version, the coreboot +revision change was the main reason why the minor version of the release was +updated. This time we did not change the coreboot base revision and introduced +fixes and features to the existing base. Thus only the patch version has been +updated from v1.1.0 to v1.1.1. We expect the next minor version change to v1.2.0 +when the coreboot base revision is updated to contain Raptor Lake-S support in +the near future. + +## Key changes in the new release + +The past three months were mostly spent on debugging and resolving issues +reported by the community on Matrix and [GitHub](https://github.com/Dasharo/dasharo-issues/issues/new/choose). By the -way, if you haven't joined our [Matrix Dasharo space](https://matrix.to/#/#dasharo:matrix.org) -yet, do it quickly! There are over 100 people in the `General` channel, and -still growing. This is where all interesting stuff happens, like various -technical discussions, hardware setups, firmware configurations, and -encountered issues. +way, if you haven't joined our +[Matrix Dasharo space](https://matrix.to/#/#dasharo:matrix.org) yet, do it +quickly! There are over 100 people in the `General` channel, and still growing. +This is where all interesting stuff happens, like various technical discussions, +hardware setups, firmware configurations, and encountered issues. Let's have a look at the changelog. -## Added +### Added -### [Early boot DMA protection menu option](https://github.com/Dasharo/dasharo-issues/issues/275) - - Many people reported various issues when DMA protection was introduced in - v1.1.0. Apparently, certain GPU cards contain broken OptionROMs which cause - DMA errors and display initialization problems. Thus the firmware setup will - now contain an option to enable/disable the DMA protection on-demand (with - the default state being disabled to avoid problems with dGPUs). Additionally, - an option to keep IOMMU enabled during OS control hand-off (actually during - the UEFI Exit Boot Services) has been added. This setting may be especially - interesting for people seeking the most secure configuration of the firmware. - But keep in mind that Windows will not boot if you enable this option! Refer - to our [firmware setup documentation](https://docs.dasharo.com/dasharo-menu-docs/dasharo-system-features/#dasharo-security-options) - for more details. - -### ACPI PCI interrupt routing for CPU PCIe Root Ports - - The CPU PCI Express root ports had no interrupt routing information reported - in ACPI. Just a small fix. - -### OC Watchdog ACPI device as in MSI firmware - - Original MSI firmware has been reporting an ACPI device describing the - overclocking watchdog. This watchdog has been used by overclocking platforms - since the 6th generation of Intel Core processors. The same ACPI device has - been added to Dasharo to keep consistency. Possibly Windows overclocking - tools may depend on it. - -## Changed - -### [Updated SMMSTORE driver to upstream version in UEFI Payload](https://github.com/Dasharo/dasharo-issues/issues/303) - - An update to the driver serving as a backend to write variables to the SPI - flash from UEFI Payload. The change was introduced due to problems with - variable updates on other Dasharo platforms. The advantage of the update is a - cleaned-up code with better quality. It also resulted in better reliability - of `efibootmgr` calls under QubesOS. - -### [Improved visual comfort in the boot manager](https://github.com/Dasharo/dasharo-issues/issues/286) - - One of the laptop users who could not distinguish the entries in the Boot - Manager boot device selection window reported a minor visual improvement - suggestion. Now the currently selected device is indicated by an arrow and - highlighted with blue color. - -## Fixed - -### [MSI PRO Z690-A WIFI DDR4 doesn't initialize IGP on certain Processors models](https://github.com/Dasharo/dasharo-issues/issues/274) - - This fix is a crucial one in this release. Many users reported non-working - on-board displays with different CPUs than those which were tested in 3mdeb - lab. All Alder Lake-S graphics devices should be initialized properly now and - give firmware output on the screen. If you are unable to boot the DTS to - provide [HCL report](https://docs.dasharo.com/dasharo-tools-suite/documentation/#hcl-report), - then try using [fwdump-docker](https://github.com/3mdeb/fwdump-docker) image - or `cbmem` from the [following guides](https://docs.dasharo.com/common-coreboot-docs/dumping_logs/). - -### [MSI PRO Z690-A WIFI DDR4 with two Video Cards (2x Radeon 5600XT) has issues related to MMIO resource allocation](https://github.com/Dasharo/dasharo-issues/issues/245) - - A quite specific issue with board configuration overloaded with GPU cards in - the community. As such configuration is uncommon, the debugging involved the - issue reporter cooperation by flashing custom binaries and providing debug - logs from Dasharo firmware. It happened that the memory requested by both of - the cards was too big to fit into the 32-bit space. The fix for this one - required reserving much more room for devices' memory in the 32-bit space by - shifting some of the usable RAM from 32-bit space to 64-bit space. Such - change let the firmware allocate all memory resources required by both GPUs. - -### [Suspend doesn't work in Qubes OS with v1.1.0](https://github.com/Dasharo/dasharo-issues/issues/271) - - Another issue discovered by the community. One of Dasharo Team members' - changes introduced a regression in the suspend/resume feature. All OSes were - affected. Fix has been applied, and the suspend/resume should now work on all - OSes. The tests have also been extended with multiple suspend/resume cycles - to avoid such problems in the future. - -### [Intel XTU on Windows reports "The platform does not support overclocking" on the MSI PRO Z690-A WIFI DDR4 with a K-series Processor](https://github.com/Dasharo/dasharo-issues/issues/159) - - The issue was reported by community in the first days after v1.0.0 release. - Surprisingly the Intel XTU utility reported that the platform does not - support overclocking, despite the fact that all components had all the - overclocking capabilities. The culprit was the OC lock bit being set by - default in FSP, which prevented Intel XTU from modifying any settings from - the Windows level, so it reported the platform as unsupported. The OC lock - changes the initialization path inside FSP, so you may encounter unexpected - CPU configuration changes compared to the previous release. Please do not - hesitate to report them using [GitHub issues system](https://github.com/Dasharo/dasharo-issues/issues/new/choose) - or providing [Dasharo HCL report via DTS](https://docs.dasharo.com/dasharo-tools-suite/documentation/#features). - One of such unexpected changes was an override of CPU turbo limits and - causing the CPU frequency to be lower than the maximum default value (and so - the performance was degraded). - -### [SATA ports malfunction or Hot-Plug function disabled](https://github.com/Dasharo/dasharo-issues/issues/315) - - A feature request from the community to enable SATA hot-plug functionality. - -### Platform sometimes automatically powers on after power off - - Noticed by one of the Dasharo Team developers when dGPUs are plugged in. It - happened that the dGPUs were sending ACPI SCI interrupts which are not - currently handled by ACPI code, and it resulted in the instant wake up of the - board when powering off. The SCI interrupts have been disabled on all PCI - Express Root Ports until proper handling of SCI is implemented to fix the - problem. - -### GPIO controller ACPI device yellow bang in Windows device manager - - Despite previous attempts to fix the yellow bang of the GPIO controller in - Windows Device Manager, the issue persisted. The ACPI GPIO controller - device had all the definitions of GPIOs for Alder Lake-S, but apparently, - Windows was unable to properly initialize the GPIO because of the silent - dependency on the ACPI path of the device in the Windows GPIO driver. While - Linux had no problems with the previous ACPI path, but Windows could not properly - load drivers in the correct sequence. Thus the ACPI path had to be changed from - `\_SB.PCI0.GPIO` to `\_SB.GPIO` so that Windows will not depend on - enumeration and initialization of `\_SB.PCI0` ACPI device. Similar issues - were observed with the TPM2 device ACPI path. If set wrong, the Windows 11 - installer would not work. Now the yellow bang in Device Manager should be - gone for good. - -### Resource conflicts with chipset internal P2SB PCI device being incorrectly defined and initialized in coreboot - - Issue observed during the 2x dGPU memory allocation problems and GPIO - allocation problems. It occurred that coreboot did not reserve proper memory - range for one of the chipset's internal PCI devices resulting in resource - conflicts and issues with the overall operation of conflicting devices. The - issue could have been detected earlier if not the FSP which hides this - internal device during the silicon initialization phase. The hidden device - could not be detected by coreboot resource allocator, and thus the reserved - memory for this device was not accounted for. - -### Reset button hanging the platform for up to 2 minutes due to watchdog bug - - Noticed by the Dasharo Team developer and also reported by the Qubes OS - community. Not exactly a regression, but a bug in the OC watchdog hardware - which did not allow setting a small timeout to expire the watchdog after an - unexpected reset (a reset button press, for example). Initially, the OC - watchdog was designed to detect unstable overclocking configurations. When - such a board unexpectedly reset, the BIOS was supposed to detect it and act - per policy to restore safe configuration. Dasharo intended to use it in the - same way, but the timeout not updating bug in the watchdog hardware caused - the firmware to wait whole 2 minutes for watchdog expiration after the reset - button press. Now Dasharo firmware does not detect unexpected resets and - simply initializes the watchdog by programming the timeout. Tge watchdog - expiration is not handled in any way. - -# Current state of Qubes OS R4.1.2 on MSI PRO Z690-A with Dasharo firmware - -Here is a short demo of Qubes OS R4.1.2-rc1 running on the newest Dasharo -v1.1.1 compatible with MSI PRO Z690-A. This Qubes OS instance has the -`kernel-latest` package installed to make suspend/resume working properly, -because the Linux kernel installed by default does not have the latest Intel -graphics driver. In the dmesg you can notice: - -```txt +#### [Early boot DMA protection menu option](https://github.com/Dasharo/dasharo-issues/issues/275) + +Many people reported various issues when DMA protection was introduced in +v1.1.0. Apparently, certain GPU cards contain broken OptionROMs which cause DMA +errors and display initialization problems. Thus the firmware setup will now +contain an option to enable/disable the DMA protection on-demand (with the +default state being disabled to avoid problems with dGPUs). Additionally, an +option to keep IOMMU enabled during OS control hand-off (actually during the +UEFI Exit Boot Services) has been added. This setting may be especially +interesting for people seeking the most secure configuration of the firmware. +But keep in mind that Windows will not boot if you enable this option! Refer to +our +[firmware setup documentation](https://docs.dasharo.com/dasharo-menu-docs/dasharo-system-features/#dasharo-security-options) +for more details. + +#### ACPI PCI interrupt routing for CPU PCIe Root Ports + +The CPU PCI Express root ports had no interrupt routing information reported in +ACPI. Just a small fix. + +#### OC Watchdog ACPI device as in MSI firmware + +Original MSI firmware has been reporting an ACPI device describing the +overclocking watchdog. This watchdog has been used by overclocking platforms +since the 6th generation of Intel Core processors. The same ACPI device has been +added to Dasharo to keep consistency. Possibly Windows overclocking tools may +depend on it. + +### Changed + +#### [Updated SMMSTORE driver to upstream version in UEFI Payload](https://github.com/Dasharo/dasharo-issues/issues/303) + +An update to the driver serving as a backend to write variables to the SPI flash +from UEFI Payload. The change was introduced due to problems with variable +updates on other Dasharo platforms. The advantage of the update is a cleaned-up +code with better quality. It also resulted in better reliability of `efibootmgr` +calls under QubesOS. + +#### [Improved visual comfort in the boot manager](https://github.com/Dasharo/dasharo-issues/issues/286) + +One of the laptop users who could not distinguish the entries in the Boot +Manager boot device selection window reported a minor visual improvement +suggestion. Now the currently selected device is indicated by an arrow and +highlighted with blue color. + +### Fixed + +#### [MSI PRO Z690-A WIFI DDR4 doesn't initialize IGP on certain Processors models](https://github.com/Dasharo/dasharo-issues/issues/274) + +This fix is a crucial one in this release. Many users reported non-working +on-board displays with different CPUs than those which were tested in 3mdeb lab. +All Alder Lake-S graphics devices should be initialized properly now and give +firmware output on the screen. If you are unable to boot the DTS to provide +[HCL report](https://docs.dasharo.com/dasharo-tools-suite/documentation/#hcl-report), +then try using [fwdump-docker](https://github.com/3mdeb/fwdump-docker) image or +`cbmem` from the +[following guides](https://docs.dasharo.com/common-coreboot-docs/dumping_logs/). + +#### [MSI PRO Z690-A WIFI DDR4 with two Video Cards (2x Radeon 5600XT) has issues related to MMIO resource allocation](https://github.com/Dasharo/dasharo-issues/issues/245) + +A quite specific issue with board configuration overloaded with GPU cards in the +community. As such configuration is uncommon, the debugging involved the issue +reporter cooperation by flashing custom binaries and providing debug logs from +Dasharo firmware. It happened that the memory requested by both of the cards was +too big to fit into the 32-bit space. The fix for this one required reserving +much more room for devices' memory in the 32-bit space by shifting some of the +usable RAM from 32-bit space to 64-bit space. Such change let the firmware +allocate all memory resources required by both GPUs. + +#### [Suspend doesn't work in Qubes OS with v1.1.0](https://github.com/Dasharo/dasharo-issues/issues/271) + +Another issue discovered by the community. One of Dasharo Team members' changes +introduced a regression in the suspend/resume feature. All OSes were affected. +Fix has been applied, and the suspend/resume should now work on all OSes. The +tests have also been extended with multiple suspend/resume cycles to avoid such +problems in the future. + +#### [Intel XTU on Windows reports "The platform does not support overclocking" on the MSI PRO Z690-A WIFI DDR4 with a K-series Processor](https://github.com/Dasharo/dasharo-issues/issues/159) + +The issue was reported by community in the first days after v1.0.0 release. +Surprisingly the Intel XTU utility reported that the platform does not support +overclocking, despite the fact that all components had all the overclocking +capabilities. The culprit was the OC lock bit being set by default in FSP, which +prevented Intel XTU from modifying any settings from the Windows level, so it +reported the platform as unsupported. The OC lock changes the initialization +path inside FSP, so you may encounter unexpected CPU configuration changes +compared to the previous release. Please do not hesitate to report them using +[GitHub issues system](https://github.com/Dasharo/dasharo-issues/issues/new/choose) +or providing +[Dasharo HCL report via DTS](https://docs.dasharo.com/dasharo-tools-suite/documentation/#features). +One of such unexpected changes was an override of CPU turbo limits and causing +the CPU frequency to be lower than the maximum default value (and so the +performance was degraded). + +#### [SATA ports malfunction or Hot-Plug function disabled](https://github.com/Dasharo/dasharo-issues/issues/315) + +A feature request from the community to enable SATA hot-plug functionality. + +#### Platform sometimes automatically powers on after power off + +Noticed by one of the Dasharo Team developers when dGPUs are plugged in. It +happened that the dGPUs were sending ACPI SCI interrupts which are not currently +handled by ACPI code, and it resulted in the instant wake up of the board when +powering off. The SCI interrupts have been disabled on all PCI Express Root +Ports until proper handling of SCI is implemented to fix the problem. + +#### GPIO controller ACPI device yellow bang in Windows device manager + +Despite previous attempts to fix the yellow bang of the GPIO controller in +Windows Device Manager, the issue persisted. The ACPI GPIO controller device had +all the definitions of GPIOs for Alder Lake-S, but apparently, Windows was +unable to properly initialize the GPIO because of the silent dependency on the +ACPI path of the device in the Windows GPIO driver. While Linux had no problems +with the previous ACPI path, but Windows could not properly load drivers in the +correct sequence. Thus the ACPI path had to be changed from `\_SB.PCI0.GPIO` to +`\_SB.GPIO` so that Windows will not depend on enumeration and initialization of +`\_SB.PCI0` ACPI device. Similar issues were observed with the TPM2 device ACPI +path. If set wrong, the Windows 11 installer would not work. Now the yellow bang +in Device Manager should be gone for good. + +#### Resource conflicts: Chipset's P2SB PCI device incorrectly defined in coreboot + +Issue observed during the 2x dGPU memory allocation problems and GPIO allocation +problems. It occurred that coreboot did not reserve proper memory range for one +of the chipset's internal PCI devices resulting in resource conflicts and issues +with the overall operation of conflicting devices. The issue could have been +detected earlier if not the FSP which hides this internal device during the +silicon initialization phase. The hidden device could not be detected by +coreboot resource allocator, and thus the reserved memory for this device was +not accounted for. + +#### Reset button hanging the platform for up to 2 minutes due to watchdog bug + +Noticed by the Dasharo Team developer and also reported by the Qubes OS +community. Not exactly a regression, but a bug in the OC watchdog hardware which +did not allow setting a small timeout to expire the watchdog after an unexpected +reset (a reset button press, for example). Initially, the OC watchdog was +designed to detect unstable overclocking configurations. When such a board +unexpectedly reset, the BIOS was supposed to detect it and act per policy to +restore safe configuration. Dasharo intended to use it in the same way, but the +timeout not updating bug in the watchdog hardware caused the firmware to wait +whole 2 minutes for watchdog expiration after the reset button press. Now +Dasharo firmware does not detect unexpected resets and simply initializes the +watchdog by programming the timeout. Tge watchdog expiration is not handled in +any way. + +## Current state of Qubes OS R4.1.2 on MSI PRO Z690-A with Dasharo firmware + +Here is a short demo of Qubes OS R4.1.2-rc1 running on the newest Dasharo v1.1.1 +compatible with MSI PRO Z690-A. This Qubes OS instance has the `kernel-latest` +package installed to make suspend/resume working properly, because the Linux +kernel installed by default does not have the latest Intel graphics driver. In +the dmesg you can notice: + +```bashtxt i915 0000:00:02.0: Your graphics device 4680 is not properly supported by the driver in this kernel version. To force driver probe anyway, use i915.force_probe=4680 ``` @@ -229,34 +229,35 @@ sudo qubes-dom0-update kernel-latest Then reboot the device and boot with the latest kernel. You should then see a kernel version of 6.x in the output of the `uname -sr` command, e.g.: -```txt +```bashtxt Linux 6.1.12-1.qubes.fc32.x86_64 ``` -{{< youtube 7iQpSpt_6xk >}} +{{\< youtube 7iQpSpt_6xk >}} -# How to get the firmware update? +## How to get the firmware update? -Please refer to the [Firmware Update documentation](https://docs.dasharo.com/variants/msi_z690/firmware-update/) +Please refer to the +[Firmware Update documentation](https://docs.dasharo.com/unified/msi/firmware-update/) and follow the instructions. Usage of automatic update via DTS is RECOMMENDED. -# GPU compatibility in open-source firmware +## GPU compatibility in open-source firmware Issues described above (and also a few issues resolved before, e.g. -[this one](https://github.com/Dasharo/dasharo-issues/issues/181)) showed us -that GPU compatibility in open-source firmware is a serious problem. +[this one](https://github.com/Dasharo/dasharo-issues/issues/181)) showed us that +GPU compatibility in open-source firmware is a serious problem. So one of the Dasharo Team members, [miczyg](https://github.com/miczyg1), -equipped himself with two additional GPUs to test more hardware and detect -other possible issues lurking out there. But these GPUs were selected with care -and balance in mind. And there is no better balance in the world and in the -universe than RGB! So the choice was: +equipped himself with two additional GPUs to test more hardware and detect other +possible issues lurking out there. But these GPUs were selected with care and +balance in mind. And there is no better balance in the world and in the universe +than RGB! So the choice was: - MSI Radeon RX 6500 XT MECH 2X OC 4GB GDDR6 - MSI GeForce RTX 3060 GAMING Z TRIO LHR 12GB GDDR6 - and the integrated Intel graphics for perfect balance :) -![](/img/rgb_perfectly_balanced.jpg) +![img](/img/rgb_perfectly_balanced.jpg) RGB as in red/green/blue, the three basic colors, ingredients that can create any other possible color; RGB as the pixel layout in graphics framebuffers; RGB @@ -265,20 +266,20 @@ altogether creates a white light, a sunlight; and sunlight means life... Ok enough poetry... To prove that these are not empty words, here's a photo of the mentioned setup: -**WARNING: LOTS OF RAINBOWZZZZZ** +### WARNING: LOTS OF RAINBOWZZZZZ -![](/img/rainbowzzz.jpg) +![img](/img/rainbowzzz.jpg) The Nvidia RTX 3060 is sooo big that it covered the AMD Radeon RX 6500 XT, which is connected underneath. Sometimes bigger means beefier: -![](/img/big_and_small_gpu.jpg) +### But size doesn't matter, right? ... Right?! :) -**But size doesn't matter, right? ... Right?! :)** +![img](/img/big_and_small_gpu.jpg) -# Summary +### Summary -### Open project tracking on GitHub +#### Open project tracking on GitHub Dasharo v1.1.1 is definitely not the last release for the MSI PRO Z690-A platform. If you would like to track what is planned for the next release, @@ -288,24 +289,24 @@ An example project in such fashion has already been prepared for Supermicro X11SSH board, which you can check out [here](https://github.com/Dasharo/dasharo-issues/projects/6). -### Dasharo User Group Community Call (DUG) & Developers vPub +#### Dasharo User Group Community Call (DUG) & Developers vPub Join us for the upcoming [Dasharo User Group Community Call (DUG) & Developers vPub](https://vpub.dasharo.com/e/1/dasharo-user-group-1) on March 16th at 5 PM UTC! During the call, you'll have the opportunity to -connect with other community members, ask questions, and provide feedback on -our current activities. You'll also be the first to hear about exciting updates -and new developments around MSI PRO Z690-A, what are the plans for next -features, etc. +connect with other community members, ask questions, and provide feedback on our +current activities. You'll also be the first to hear about exciting updates and +new developments around MSI PRO Z690-A, what are the plans for next features, +etc. -### Interested in our services? +#### Interested in our services? -Unlock the full potential of your hardware and secure your firmware with -the experts at 3mdeb! If you're looking to boost your product's performance -and protect it from potential security threats, our team is here to help. +Unlock the full potential of your hardware and secure your firmware with the +experts at 3mdeb! If you're looking to boost your product's performance and +protect it from potential security threats, our team is here to help. [Schedule a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us an email at `contact3mdebcom` to start unlocking the -hidden benefits of your hardware. And if you want to stay up-to-date on all -things firmware security and optimization, be sure to +or drop us an email at `contact3mdebcom` to start unlocking the hidden +benefits of your hardware. And if you want to stay up-to-date on all things +firmware security and optimization, be sure to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). Don't let your hardware hold you back, work with 3mdeb to achieve more! diff --git a/blog/content/post/2023-04-27-3mdeb-open-source-contribution.md b/blog/content/post/2023-04-27-3mdeb-open-source-contribution.md index 4d886947..2fe599d7 100644 --- a/blog/content/post/2023-04-27-3mdeb-open-source-contribution.md +++ b/blog/content/post/2023-04-27-3mdeb-open-source-contribution.md @@ -34,7 +34,7 @@ projects. Our primary focus revolved around [coreboot](https://blog.3mdeb.com/tags/coreboot/), a firmware framework we have worked with since 2015. We also dedicated efforts to the advancement of [fwupd](https://blog.3mdeb.com/tags/fwupd/) and -[flashrom](https://www.flashrom.org/Flashrom), contributed to overall +[flashrom](https://www.flashrom.org), contributed to overall improvements in firmware update ecosystems. Our dedication to platform security didn't stop there — we actively developed [Trenchboot](https://blog.3mdeb.com/tags/trenchboot/), enabling dynamic @@ -54,66 +54,64 @@ continuing our open-source contributions in the future. ## Our Valued Contributors -To begin with, we want to express our appreciation for the dedicated efforts -of our contributors, who persistently endeavor to improve many open-source +To begin with, we want to express our appreciation for the dedicated efforts of +our contributors, who persistently endeavor to improve many open-source projects: -* [Michał Żygowski](https://twitter.com/_miczyg_) -* [Sergii Dmytruk](https://github.com/SergiiDmytruk) -* [Karol Zmyslowski](https://www.linkedin.com/in/karolzet/) -* [Krystian Hebel](https://www.linkedin.com/in/krystian-hebel-b48424205/) -* [Yaroslav Kurlaev](https://www.linkedin.com/in/ykurlaev/) -* [Kacper Stojek](https://www.linkedin.com/in/kacper-stojek-5108a7237/) -* [Michał Kopeć](https://www.linkedin.com/in/micha%C5%82-kope%C4%87-a8b216200) -* [Norbert Kamiński](https://twitter.com/asiderr) -* [Tomasz Żyjewski](https://twitter.com/tomzy_0) -* [Cezary Sobczak](https://www.linkedin.com/in/cezary-sobczak) -* [Maciej Pijanowski](https://twitter.com/macpijan) +- [Michał Żygowski](https://twitter.com/_miczyg_) +- [Sergii Dmytruk](https://github.com/SergiiDmytruk) +- [Karol Zmyslowski](https://www.linkedin.com/in/karolzet/) +- [Krystian Hebel](https://www.linkedin.com/in/krystian-hebel-b48424205/) +- [Yaroslav Kurlaev](https://www.linkedin.com/in/ykurlaev/) +- [Kacper Stojek](https://www.linkedin.com/in/kacper-stojek-5108a7237/) +- [Michał Kopeć](https://www.linkedin.com/in/micha%C5%82-kope%C4%87-a8b216200) +- [Norbert Kamiński](https://twitter.com/asiderr) +- [Tomasz Żyjewski](https://twitter.com/tomzy_0) +- [Cezary Sobczak](https://www.linkedin.com/in/cezary-sobczak) +- [Maciej Pijanowski](https://twitter.com/macpijan) ## Significant Updates and Features ![coreboot logo](/covers/coreboot-logo.svg) -[coreboot](https://www.coreboot.org/) -is an open-source firmware that provides a lightweight, secure, -and fast boot experience for PCs, laptops, servers, and embedded devices. -In that time frame, we contributed over 150 patches adding 12k SLOC and removing -over 38k SLOC. It would be tough to mention every possible contribution or -even list those patches, so we choose to group those and highlight the most -important one: - -* **inteltool extension with modern architecture support** - we added support - for [Tiger Lake](https://review.coreboot.org/c/coreboot/+/56171), [Elkhart - Lake](https://review.coreboot.org/c/coreboot/+/68474) and [Alder Lake - P](https://review.coreboot.org/c/coreboot/+/66825) chips detection and GPIOs. - Those changes should simplify further work on porting new mainboards - supporting mentioned microarchitectures to coreboot. -* **Support for Intel Alder Lake** - we added support for Intel Alder Lake P - and S SoC, as patch series concerning [GPIO definitions for - PCH-S](https://review.coreboot.org/c/coreboot/+/63467), [ADL-S - devices](https://review.coreboot.org/c/coreboot/+/63785), [support for HSPHY - firmware loading](https://review.coreboot.org/c/coreboot/+/64074) and many - other features of this Intel microarchitecture. -* **TPM TCG log format support** - we [redesigned TPM - API](https://review.coreboot.org/c/coreboot/+/68991) and [made CRTM log - format agnostic](https://review.coreboot.org/c/coreboot/+/69445), what - required a couple of other patches - ([[1](https://review.coreboot.org/c/coreboot/+/68746)],[[2](https://review.coreboot.org/c/coreboot/+/69445)],[[3](https://review.coreboot.org/c/coreboot/+/69445)]) +[coreboot](https://www.coreboot.org/) is an open-source firmware that provides a +lightweight, secure, and fast boot experience for PCs, laptops, servers, and +embedded devices. In that time frame, we contributed over 150 patches adding 12k +SLOC and removing over 38k SLOC. It would be tough to mention every possible +contribution or even list those patches, so we choose to group those and +highlight the most important one: + +- **inteltool extension with modern architecture support** - we added support + for [Tiger Lake](https://review.coreboot.org/c/coreboot/+/56171), + [Elkhart Lake](https://review.coreboot.org/c/coreboot/+/68474) and + [Alder Lake P](https://review.coreboot.org/c/coreboot/+/66825) chips detection + and GPIOs. Those changes should simplify further work on porting new + mainboards supporting mentioned microarchitectures to coreboot. +- **Support for Intel Alder Lake** - we added support for Intel Alder Lake P and + S SoC, as patch series concerning + [GPIO definitions for PCH-S](https://review.coreboot.org/c/coreboot/+/63467), + [ADL-S devices](https://review.coreboot.org/c/coreboot/+/63785), + [support for HSPHY firmware loading](https://review.coreboot.org/c/coreboot/+/64074) + and many other features of this Intel microarchitecture. +- **TPM TCG log format support** - we + [redesigned TPM API](https://review.coreboot.org/c/coreboot/+/68991) and + [made CRTM log format agnostic](https://review.coreboot.org/c/coreboot/+/69445), + what required a couple of other patches + (\[[1](https://review.coreboot.org/c/coreboot/+/68746)\],\[[2](https://review.coreboot.org/c/coreboot/+/69445)\],\[[3](https://review.coreboot.org/c/coreboot/+/69445)\]) to clean up. -* We added support for [MSI - Z690](https://review.coreboot.org/c/coreboot/+/63463), [Dell Precision - T1650](https://review.coreboot.org/c/coreboot/+/62212) and [QEMU POWER9 - mainboard](https://review.coreboot.org/c/coreboot/+/57079). +- We added support for + [MSI Z690](https://review.coreboot.org/c/coreboot/+/63463), + [Dell Precision T1650](https://review.coreboot.org/c/coreboot/+/62212) and + [QEMU POWER9 mainboard](https://review.coreboot.org/c/coreboot/+/57079). -We described the most recent coreboot contributions in detail in the +We described the most recent coreboot contributions in detail in the [4.20 release blog post](https://blog.3mdeb.com/2023/2023-05-18-our_contribution_to_coreboot_4_20_release/). -If you want to improve your devices' security while reducing -your dependence on proprietary firmware, you could benefit from using coreboot. -We can also help you reduce time-to-market by simplifying the firmware -development process. As well, if you want user-friendly and well-documented -firmware, then coreboot-based -[Dasharo firmware](https://www.dasharo.com/pages/contact/) is a solution -for you. +If you want to improve your devices' security while reducing your dependence on +proprietary firmware, you could benefit from using coreboot. We can also help +you reduce time-to-market by simplifying the firmware development process. As +well, if you want user-friendly and well-documented firmware, then +coreboot-based [Dasharo firmware](https://www.dasharo.com/pages/contact/) is a +solution for you. --- @@ -127,98 +125,101 @@ date. Changes to fwupd can be divided into several areas: -* **Support for Qubes OS** - The biggest challange when updating firmware in - the case of Qubes OS is the hard separation of the hardware layer from the - network layer. Hence, to update the firmware, it is necessary to download the - update in a virtual machine that has access to the network and then verify - and pass the files to the virtual machine administrating the system (DOM0), - which for security reason has no network access. Initially fwupd had no - support for such update model changes we developed address that problem and - allow firmware updates from within reasonably secure operating systems. +- **Support for Qubes OS** - The biggest challenge when updating firmware in the + case of Qubes OS is the hard separation of the hardware layer from the network + layer. Hence, to update the firmware, it is necessary to download the update + in a virtual machine that has access to the network and then verify and pass + the files to the virtual machine administrating the system (DOM0), which for + security reason has no network access. Initially fwupd had no support for such + update model changes we developed address that problem and allow firmware + updates from within reasonably secure operating systems. [Norbert Kamiński](https://twitter.com/asiderr) was responsible for these changes. -* **Support for FreeBSD** - These changes made it possible to open fwupd to the + +- **Support for FreeBSD** - These changes made it possible to open fwupd to the group of BSD operating systems. BSD operating systems are often used in - networking applications (routers, firewalls etc.) These changes lay the groundwork for - supporting fwupd in networking applications. Details were described in our - earlier [blog posts](https://blog.3mdeb.com/tags/fwupd-for-bsd/). These - changes were worked on by [Michał - Kopeć](https://www.linkedin.com/in/micha%C5%82-kope%C4%87-a8b216200), [Sergii - Dmytruk](https://github.com/SergiiDmytruk), and [Norbert - Kamiński](https://twitter.com/asiderr). - -* **flashrom support for [TUXEDO laptops][tuxedo]** - These changes were tied -to firmware and EC updates. Thanks to them, owners of TUXEDO laptops may enjoy -a simple and intuitive firmware update on their hardware. - -Our team can help you seamlessly [integrate into the -fwupd](https://3mdeb.com/shop/services/basic-firmware-update-integration/) + networking applications (routers, firewalls etc.) These changes lay the + groundwork for supporting fwupd in networking applications. Details were + described in our earlier + [blog posts](https://blog.3mdeb.com/tags/fwupd-for-bsd/). These changes were + worked on by + [Michał Kopeć](https://www.linkedin.com/in/micha%C5%82-kope%C4%87-a8b216200), + [Sergii Dmytruk](https://github.com/SergiiDmytruk), and + [Norbert Kamiński](https://twitter.com/asiderr). + +- **flashrom support for [TUXEDO laptops][tuxedo]** - These changes were tied to + firmware and EC updates. Thanks to them, owners of TUXEDO laptops may enjoy a + simple and intuitive firmware update on their hardware. + +Our team can help you seamlessly +[integrate into the fwupd](https://3mdeb.com/shop/services/basic-firmware-update-integration/) ecosystem across a variety of platforms and operating systems. Say goodbye to clunky update processes and hello to a streamlined, hassle-free experience with fwupd! -### Contribution details - -* [Sergii Dmytruk](https://github.com/SergiiDmytruk) (29): - * [plugins/flashrom: manage flashrom context at plugin level](https://github.com/fwupd/fwupd/commit/e1d708a4ff21) - * [plugins/flashrom: create separate device for ME region](https://github.com/fwupd/fwupd/commit/2bac03eee1a6) - * [plugins/flashrom: enable for 2 Tuxedo laptops](https://github.com/fwupd/fwupd/commit/ddf4e10d7b14) - * [plugins/flashrom: add flashrom-specific GUIDs](https://github.com/fwupd/fwupd/commit/e65cb98cc833) - * [plugins/flashrom/fu-flashrom-device.c: create layout on open](https://github.com/fwupd/fwupd/commit/e9f765dc477c) - * [plugins/flashrom: make region we're flashing a property](https://github.com/fwupd/fwupd/commit/523ed0d7b4d6) - * [plugins/intel-spi: mark ME region device locked if it's RO](https://github.com/fwupd/fwupd/commit/b678170ee75d) - * [plugins/superio: don't leak chiplet property of device](https://github.com/fwupd/fwupd/commit/dce73cbffb0a) - * [trivial: plugins/superio: include prj_name in IT55's to_string](https://github.com/fwupd/fwupd/commit/294bd648ea1e) - * [fu-util: pull device flags after unlocking](https://github.com/fwupd/fwupd/commit/500dd2c9c475) - * [trivial: libfwupd,libfwupdplugin: fix typos in several comments](https://github.com/fwupd/fwupd/commit/4795ab3122e8) - * [trivial: plugins/superio: don't add same flag twice](https://github.com/fwupd/fwupd/commit/028740204be3) - * [Add support for SuperIO IT5570](https://github.com/fwupd/fwupd/commit/d8a5c7968d21) - * [Load hwinfo on fwupdtool firmware-dump command](https://github.com/fwupd/fwupd/commit/744e17f68fe3) - * [Switch from sysctl to ioctl for ESRT on FreeBSD](https://github.com/fwupd/fwupd/commit/c0d0ce4e1ab5) - * [Depend on libefivar in uefi-capsule](https://github.com/fwupd/fwupd/commit/9c21e4e1358d) - * [Corrections for fu-efivar-freebsd.c](https://github.com/fwupd/fwupd/commit/c16602d688c3) - * [Fix formatting in fu_common_get_block_devices ()](https://github.com/fwupd/fwupd/commit/817c3701ae02) - * [Fix two off-by-one errors in uefi-capsule plugin](https://github.com/fwupd/fwupd/commit/4f8753198e6e) - * [Correct error msg in fu_common_get_block_devices](https://github.com/fwupd/fwupd/commit/c885fb322500) - * [Handle bsdisks' UDisks2 implementation on FreeBSD](https://github.com/fwupd/fwupd/commit/080129fc43a0) - * [Fix formatting in fu_common_get_block_devices ()](https://github.com/fwupd/fwupd/commit/8d5784192f12) - * [Fix two off-by-one errors in uefi-capsule plugin](https://github.com/fwupd/fwupd/commit/4558e5f317fa) - * [Correct error msg in fu_common_get_block_devices](https://github.com/fwupd/fwupd/commit/1e5aec4eb157) - * [Improve error message in fu-uefi-backend-freebsd](https://github.com/fwupd/fwupd/commit/cac4f984205a) - * [Don't fail if memfd_create() is not available](https://github.com/fwupd/fwupd/commit/d01603c2f966) - * [Handle missing defaults in fu-uefi-devpath.c](https://github.com/fwupd/fwupd/commit/113a91985bde) - * [Branch explicitly per OS type](https://github.com/fwupd/fwupd/commit/1a328fd3ad81) - * [Include <efivar-dp.h> explicitly](https://github.com/fwupd/fwupd/commit/3d0e624ed3f2) -* [Norbert Kamiński](https://twitter.com/asiderr) (24): - * [qubes: Add qubes-fwupdmgr.py to src folder and...](https://github.com/fwupd/fwupd/commit/303b39ba9a7f) - * [trivial: contrib/qubes: Delete test for unexisting method](https://github.com/fwupd/fwupd/commit/66b592993ec2) - * [fwupd.spec.in: Drop fwupd_usbvm_validate.py from qubes-vm package](https://github.com/fwupd/fwupd/commit/70eb21f764e4) - * [trivial: contrib/qubes: Add missing import](https://github.com/fwupd/fwupd/commit/4d12239ccbee) - * [qubes/src/heads: Update Heads versioning](https://github.com/fwupd/fwupd/commit/c81094f0ba69) - * [qubes/test/fwupdmgr: Update cabinets checksums and URLs](https://github.com/fwupd/fwupd/commit/7e6b77e12c24) - * [contrib/README.md: Fix Qubes related Docker commands](https://github.com/fwupd/fwupd/commit/b39b66f1dfd4) - * [fu-uefi-common.h: Fix efivar compatibility with FreeBSD](https://github.com/fwupd/fwupd/commit/7fdf7c60ee68) - * [freebsd/Makefile: Disable gudev based plugins](https://github.com/fwupd/fwupd/commit/a580de81bad7) - * [Revert "trivial: Disable FreeBSD CI again"](https://github.com/fwupd/fwupd/commit/b6fac03b57a8) - * [main.yml: Install protobuf-c as fwupd dependency in the FreeBSD job](https://github.com/fwupd/fwupd/commit/d0af777b1455) - * [main.yml: Bump GitHub Action freebsd-vm](https://github.com/fwupd/fwupd/commit/30700d52e177) - * [Revert "trivial: Disable the FreeBSD CI action as it's been failing f…](https://github.com/fwupd/fwupd/commit/ea12ce69b1fe) - * [build_freebsd_package.sh: Build package with generated pkg-plist](https://github.com/fwupd/fwupd/commit/3fe782cdddd4) - * [freebsd-ci: Change FreeBSD artifact extension](https://github.com/fwupd/fwupd/commit/c1f06b6b82a0) - * [Add FreeBSD package to the CI matrix](https://github.com/fwupd/fwupd/commit/dbece574ee91) - * [meson.build: Change python version check order](https://github.com/fwupd/fwupd/commit/1b396215d939) - * [fu-smbios.c: Add kenv support](https://github.com/fwupd/fwupd/commit/80ba3f07f26b) - * [fu-tool.c: Use traditional UNIX record locks if OFD is not available](https://github.com/fwupd/fwupd/commit/58fbbc2939bc) - * [fu-engine.c: Fix undeclared variable for *BSDs builds](https://github.com/fwupd/fwupd/commit/a863e6a84ef9) - * [fwupd port for BSD distros](https://github.com/fwupd/fwupd/commit/76e19930a89d) - * [libxmlb.wrap: Bump revision](https://github.com/fwupd/fwupd/commit/6c8417b5af79) - * [contrib/qubes: Add Qubes wrapper source and create packages](https://github.com/fwupd/fwupd/commit/60e84c617f79) - * [contrib/README.md: Update instructions for distribution packages](https://github.com/fwupd/fwupd/commit/ea70435d7202) -* [Michał Kopeć](https://www.linkedin.com/in/micha%C5%82-kope%C4%87-a8b216200) (4): - * [plugins/flashrom/flashrom.quirk: update NovaCustom GUIDs](https://github.com/fwupd/fwupd/commit/d3ce827f967d) - * [plugins/flashrom: add quirk for NovaCustom NV4x](https://github.com/fwupd/fwupd/commit/ab06e034c35a) - * [libfwupdplugin: Implement fu-efivar-freebsd.c](https://github.com/fwupd/fwupd/commit/d678b755d03c) - * [Obtain firmware major and minor versions from SMBIOS](https://github.com/fwupd/fwupd/commit/0f75f55c72dc) +### Contribution details - fwupd + +- [Sergii Dmytruk](https://github.com/SergiiDmytruk) (29): + - [plugins/flashrom: manage flashrom context at plugin level](https://github.com/fwupd/fwupd/commit/e1d708a4ff21) + - [plugins/flashrom: create separate device for ME region](https://github.com/fwupd/fwupd/commit/2bac03eee1a6) + - [plugins/flashrom: enable for 2 Tuxedo laptops](https://github.com/fwupd/fwupd/commit/ddf4e10d7b14) + - [plugins/flashrom: add flashrom-specific GUIDs](https://github.com/fwupd/fwupd/commit/e65cb98cc833) + - [plugins/flashrom/fu-flashrom-device.c: create layout on open](https://github.com/fwupd/fwupd/commit/e9f765dc477c) + - [plugins/flashrom: make region we're flashing a property](https://github.com/fwupd/fwupd/commit/523ed0d7b4d6) + - [plugins/intel-spi: mark ME region device locked if it's RO](https://github.com/fwupd/fwupd/commit/b678170ee75d) + - [plugins/superio: don't leak chiplet property of device](https://github.com/fwupd/fwupd/commit/dce73cbffb0a) + - [trivial: plugins/superio: include prj_name in IT55's to_string](https://github.com/fwupd/fwupd/commit/294bd648ea1e) + - [fu-util: pull device flags after unlocking](https://github.com/fwupd/fwupd/commit/500dd2c9c475) + - [trivial: libfwupd,libfwupdplugin: fix typos in several comments](https://github.com/fwupd/fwupd/commit/4795ab3122e8) + - [trivial: plugins/superio: don't add same flag twice](https://github.com/fwupd/fwupd/commit/028740204be3) + - [Add support for SuperIO IT5570](https://github.com/fwupd/fwupd/commit/d8a5c7968d21) + - [Load hwinfo on fwupdtool firmware-dump command](https://github.com/fwupd/fwupd/commit/744e17f68fe3) + - [Switch from sysctl to ioctl for ESRT on FreeBSD](https://github.com/fwupd/fwupd/commit/c0d0ce4e1ab5) + - [Depend on libefivar in uefi-capsule](https://github.com/fwupd/fwupd/commit/9c21e4e1358d) + - [Corrections for fu-efivar-freebsd.c](https://github.com/fwupd/fwupd/commit/c16602d688c3) + - [Fix formatting in fu_common_get_block_devices ()](https://github.com/fwupd/fwupd/commit/817c3701ae02) + - [Fix two off-by-one errors in uefi-capsule plugin](https://github.com/fwupd/fwupd/commit/4f8753198e6e) + - [Correct error msg in fu_common_get_block_devices](https://github.com/fwupd/fwupd/commit/c885fb322500) + - [Handle bsdisks' UDisks2 implementation on FreeBSD](https://github.com/fwupd/fwupd/commit/080129fc43a0) + - [Fix formatting in fu_common_get_block_devices ()](https://github.com/fwupd/fwupd/commit/8d5784192f12) + - [Fix two off-by-one errors in uefi-capsule plugin](https://github.com/fwupd/fwupd/commit/4558e5f317fa) + - [Correct error msg in fu_common_get_block_devices](https://github.com/fwupd/fwupd/commit/1e5aec4eb157) + - [Improve error message in fu-uefi-backend-freebsd](https://github.com/fwupd/fwupd/commit/cac4f984205a) + - [Don't fail if memfd_create() is not available](https://github.com/fwupd/fwupd/commit/d01603c2f966) + - [Handle missing defaults in fu-uefi-devpath.c](https://github.com/fwupd/fwupd/commit/113a91985bde) + - [Branch explicitly per OS type](https://github.com/fwupd/fwupd/commit/1a328fd3ad81) + - [Include \ explicitly](https://github.com/fwupd/fwupd/commit/3d0e624ed3f2) +- [Norbert Kamiński](https://twitter.com/asiderr) (24): + - [qubes: Add qubes-fwupdmgr.py to src folder and...](https://github.com/fwupd/fwupd/commit/303b39ba9a7f) + - [trivial: contrib/qubes: Delete test for unexisting method](https://github.com/fwupd/fwupd/commit/66b592993ec2) + - [fwupd.spec.in: Drop fwupd_usbvm_validate.py from qubes-vm package](https://github.com/fwupd/fwupd/commit/70eb21f764e4) + - [trivial: contrib/qubes: Add missing import](https://github.com/fwupd/fwupd/commit/4d12239ccbee) + - [qubes/src/heads: Update Heads versioning](https://github.com/fwupd/fwupd/commit/c81094f0ba69) + - [qubes/test/fwupdmgr: Update cabinets checksums and URLs](https://github.com/fwupd/fwupd/commit/7e6b77e12c24) + - [contrib/README.md: Fix Qubes related Docker commands](https://github.com/fwupd/fwupd/commit/b39b66f1dfd4) + - [fu-uefi-common.h: Fix efivar compatibility with FreeBSD](https://github.com/fwupd/fwupd/commit/7fdf7c60ee68) + - [freebsd/Makefile: Disable gudev based plugins](https://github.com/fwupd/fwupd/commit/a580de81bad7) + - [Revert "trivial: Disable FreeBSD CI again"](https://github.com/fwupd/fwupd/commit/b6fac03b57a8) + - [main.yml: Install protobuf-c as fwupd dependency in the FreeBSD job](https://github.com/fwupd/fwupd/commit/d0af777b1455) + - [main.yml: Bump GitHub Action freebsd-vm](https://github.com/fwupd/fwupd/commit/30700d52e177) + - [Revert "trivial: Disable the FreeBSD CI action as it's been failing f…](https://github.com/fwupd/fwupd/commit/ea12ce69b1fe) + - [build_freebsd_package.sh: Build package with generated pkg-plist](https://github.com/fwupd/fwupd/commit/3fe782cdddd4) + - [freebsd-ci: Change FreeBSD artifact extension](https://github.com/fwupd/fwupd/commit/c1f06b6b82a0) + - [Add FreeBSD package to the CI matrix](https://github.com/fwupd/fwupd/commit/dbece574ee91) + - [meson.build: Change python version check order](https://github.com/fwupd/fwupd/commit/1b396215d939) + - [fu-smbios.c: Add kenv support](https://github.com/fwupd/fwupd/commit/80ba3f07f26b) + - [fu-tool.c: Use traditional UNIX record locks if OFD is not available](https://github.com/fwupd/fwupd/commit/58fbbc2939bc) + - [fu-engine.c: Fix undeclared variable for \*BSDs builds](https://github.com/fwupd/fwupd/commit/a863e6a84ef9) + - [fwupd port for BSD distros](https://github.com/fwupd/fwupd/commit/76e19930a89d) + - [libxmlb.wrap: Bump revision](https://github.com/fwupd/fwupd/commit/6c8417b5af79) + - [contrib/qubes: Add Qubes wrapper source and create packages](https://github.com/fwupd/fwupd/commit/60e84c617f79) + - [contrib/README.md: Update instructions for distribution packages](https://github.com/fwupd/fwupd/commit/ea70435d7202) +- [Michał Kopeć](https://www.linkedin.com/in/micha%C5%82-kope%C4%87-a8b216200) + (4): + - [plugins/flashrom/flashrom.quirk: update NovaCustom GUIDs](https://github.com/fwupd/fwupd/commit/d3ce827f967d) + - [plugins/flashrom: add quirk for NovaCustom NV4x](https://github.com/fwupd/fwupd/commit/ab06e034c35a) + - [libfwupdplugin: Implement fu-efivar-freebsd.c](https://github.com/fwupd/fwupd/commit/d678b755d03c) + - [Obtain firmware major and minor versions from SMBIOS](https://github.com/fwupd/fwupd/commit/0f75f55c72dc) --- @@ -235,118 +236,120 @@ workstation Board Management Controller software stack. Our engineers have added fixes to some of Yocto's most popular layers: -* **Support for the Dunfell version of `meta-openwrt`** - Those changes allow -building OpenWrt, a Linux-based router distribution, using Yocto. The solution -was tested and run on the [PC Engines apu2](https://www.pcengines.ch/apu2.htm). -More details description you can find in [Tomasz's -presentation](https://www.youtube.com/watch?v=2gACMkjBRyM) at Yocto Project -Summit 2021.05. Changes contributed by [Tomasz -Żyjewski](https://twitter.com/tomzy_0). - -* **Support for python3-binwalk and python3-uefi-firmware in the -`meta-openembedded` layer** - Those are the tools needed to develop and debug -firmware solutions in Python. Thanks to [Tomasz -Żyjewski](https://twitter.com/tomzy_0) for contributing those changes. - -* **Support for the Nezha Allwinner D1 in the `meta-riscv` layer** - You have -all the details about porting this platform in [Cezary's -presentation](https://www.youtube.com/watch?v=QdBG6HUeE6w) from Yocto Project -Summit 2022.05. Changes made by [Cezary -Sobczak](https://www.linkedin.com/in/cezary-sobczak). - -* **Minor fixes for the `meta-sunxi` layer** - Changes made by [Maciej -Pijanowski](https://twitter.com/macpijan). +- **Support for the Dunfell version of `meta-openwrt`** - Those changes allow + building OpenWrt, a Linux-based router distribution, using Yocto. The solution + was tested and run on the + [PC Engines apu2](https://www.pcengines.ch/apu2.htm). More details description + you can find in + [Tomasz's presentation](https://www.youtube.com/watch?v=2gACMkjBRyM) at Yocto + Project Summit 2021.05. Changes contributed by + [Tomasz Żyjewski](https://twitter.com/tomzy_0). + +- **Support for python3-binwalk and python3-uefi-firmware in the + `meta-openembedded` layer** - Those are the tools needed to develop and debug + firmware solutions in Python. Thanks to + [Tomasz Żyjewski](https://twitter.com/tomzy_0) for contributing those changes. + +- **Support for the Nezha Allwinner D1 in the `meta-riscv` layer** - You have + all the details about porting this platform in + [Cezary's presentation](https://www.youtube.com/watch?v=QdBG6HUeE6w) from + Yocto Project Summit 2022.05. Changes made by + [Cezary Sobczak](https://www.linkedin.com/in/cezary-sobczak). + +- **Minor fixes for the `meta-sunxi` layer** - Changes made by + [Maciej Pijanowski](https://twitter.com/macpijan). By partnering with our team, we can help you leverage the power of Yocto and build a custom Linux distribution that fully aligns with your vision. From -feature-rich IoT devices to mission-critical servers, we've got you covered. -Let us create a personalized solution that meets your specifications and takes -your device's capabilities to the next level. - -### Contribution details - -* [Maciej Pijanowski](https://twitter.com/macpijan) (24): - * [u-boot: rebase nanopi_neo_air emmc patch](https://github.com/linux-sunxi/meta-sunxi/commit/58d382d59892) - * [Revert "u-boot: rebase nanopi_neo_air emmc patch"](https://github.com/linux-sunxi/meta-sunxi/commit/11052ea20e35) - * [conf: sunxi.inc: add wks file for arm](https://github.com/linux-sunxi/meta-sunxi/commit/9f622c70b898) - * [machine: nanopi-m1: add config](https://github.com/linux-sunxi/meta-sunxi/commit/9773647ff4c1) - * [linux-beaglev: sync dts from u-boot](https://github.com/riscv/meta-riscv/commit/62721a1e296b) - * [beaglev: add 1st on-hardware test results](https://github.com/riscv/meta-riscv/commit/d31a8ed0aefb) - * [preliminary beaglev support](https://github.com/riscv/meta-riscv/commit/9b31efa4ab7c) - * [beaglev.md: add basic readme](https://github.com/riscv/meta-riscv/commit/51d571ef99c5) - * [opensbi-beaglev: w/a for do_deploy failure](https://github.com/riscv/meta-riscv/commit/89d3bfd5d8bf) - * [beaglev: rename BSP components from -beaglev to -stafive](https://github.com/riscv/meta-riscv/commit/9d3df1e16496) - * [linux-beaglev: explain dts sync patch](https://github.com/riscv/meta-riscv/commit/562bbf0f7420) - * [beaglev-starlight-jh7100.conf: add wic.bmap IMAGE_FSTYPE](https://github.com/riscv/meta-riscv/commit/631ea77d4ab2) - * [linux-starfive: rename LINUX_VERSION_EXTENSION to -starfive](https://github.com/riscv/meta-riscv/commit/f0225ee57ead) - * [beaglev-starlight-jh7100.conf: remove leftovers from freedom-u540.conf](https://github.com/riscv/meta-riscv/commit/4c4c29aeeb30) - * [linux-beaglev: update LIC_FILES_CHKSUM](https://github.com/riscv/meta-riscv/commit/643f03b3d08f) - * [beaglev-starlight-jh7100.conf: remove comment about SBI_PAYLOAD](https://github.com/riscv/meta-riscv/commit/0e5a6d0cc7f2) - * [hostapd: update 300-noscan.patch to 2.9 version](https://github.com/kraj/meta-openwrt/commit/5762fda5a1f2) - * [ipset: use BPN in SRC_URI](https://github.com/kraj/meta-openwrt/commit/0aecaa4c1e09) - * [procd: Inherit update-alternatives](https://github.com/kraj/meta-openwrt/commit/0d3b94439cac) - * [cdrkit: split into more packages](https://github.com/openembedded/meta-openembedded/commit/167592e6359e) - * [cdrkit: add native to BBCLASSEXTEND](https://github.com/openembedded/meta-openembedded/commit/586c62727644) -* [Tomasz Żyjewski](https://twitter.com/tomzy_0) (24): - * [python3-uefi-firmware: add recipe for version 1.9](https://github.com/openembedded/meta-openembedded/commit/3e70428db7b4) - * [python3-binwalk: add recipe for version 2.3.3](https://github.com/openembedded/meta-openembedded/commit/7ea0e04aaee1) - * [ppp: adopt to use with OpenWRT](https://github.com/kraj/meta-openwrt/commit/12f19a196d0d) - * [collectd: adopt to use with OpenWRT](https://github.com/kraj/meta-openwrt/commit/fe937f1b64f4) - * [luci: expand cmake patch to install more mods](https://github.com/kraj/meta-openwrt/commit/38abdd8157d0) - * [hostapd: apply patches from OpenWRT](https://github.com/kraj/meta-openwrt/commit/c910e4fb9fcb) - * [comgt: add recipe to control gsm interface](https://github.com/kraj/meta-openwrt/commit/91e29428c1c3) - * [dropbear: adopt to use with OpenWRT](https://github.com/kraj/meta-openwrt/commit/53885307c783) - * [coova-chilli: add recipe to provide coova-chilli package](https://github.com/kraj/meta-openwrt/commit/6951c41e1c39) - * [daemon: add recipe as rdepends of coova-chilli](https://github.com/kraj/meta-openwrt/commit/2d8073a14e33) - * [liblucihttp: add recipe](https://github.com/kraj/meta-openwrt/commit/2460c2f759b0) - * [haserl: add recipe as rdepends of coova-chilli](https://github.com/kraj/meta-openwrt/commit/0e4b6c8d282d) - * [luci: set DEPENDS and INSANE_SKIP variables](https://github.com/kraj/meta-openwrt/commit/9d8ef3240409) - * [luci: add do_configure prepend to copy plural_formula files](https://github.com/kraj/meta-openwrt/commit/f03025cd8589) - * [luci: add plural_formula files to SRC_URI](https://github.com/kraj/meta-openwrt/commit/7d14d9b08960) - * [hostapd: correctly set FILES variable](https://github.com/kraj/meta-openwrt/commit/a3f0a2547bc6) - * [hostapd: install ppp.sh script](https://github.com/kraj/meta-openwrt/commit/3b2b24fb7653) - * [luci: build from openwrt-19.07 branch](https://github.com/kraj/meta-openwrt/commit/a13ffc02cec0) - * [luci: add liblucihttp as RDEPENDS](https://github.com/kraj/meta-openwrt/commit/86993d096f32) - * [netifd: build from openwrt-19.07 branch](https://github.com/kraj/meta-openwrt/commit/fc28e89709ba) - * [hostpad: install missing mac80211.sh script](https://github.com/kraj/meta-openwrt/commit/529559dffb78) - * [hostpad: install missing hostapd.sh script](https://github.com/kraj/meta-openwrt/commit/d06611a9278f) - * [procd: disable warning as error for array-bounds and unused-results](https://github.com/kraj/meta-openwrt/commit/38aef8f68476) - * [busybox: remove merged patch](https://github.com/kraj/meta-openwrt/commit/0697f29ab2c7) -* [Cezary Sobczak](https://www.linkedin.com/in/cezary-sobczak) (15): - * [opensbi: add patches for Nezha board](https://github.com/riscv/meta-riscv/commit/03bcb870e7ec) - * [boot0: add patch for Makefile to fit it with yocto build environment](https://github.com/riscv/meta-riscv/commit/0d1c2fb125ad) - * [nezha-allwinner-d1.conf: add machine configuration for Nezha board](https://github.com/riscv/meta-riscv/commit/42a5479dbcc4) - * [u-boot-nezha: add patch which fix build with binutils 2.28](https://github.com/riscv/meta-riscv/commit/c3966f6d9c7c) - * [nezha.yml: add file used with kas-docker](https://github.com/riscv/meta-riscv/commit/da702b4533b8) - * [linux-nezha: add patch which fix build with binutils 2.28](https://github.com/riscv/meta-riscv/commit/74162186df1c) - * [boot0: add patch which fix build with binutils 2.28](https://github.com/riscv/meta-riscv/commit/94a8a881a0c7) - * [u-boot-nezha: add recipe with patches for Nezha board](https://github.com/riscv/meta-riscv/commit/42384057560d) - * [boot0: add recipe of the Nezha SPL](https://github.com/riscv/meta-riscv/commit/6192951a5022) - * [linux-nezha-dev: use custom version of kernel with paches for D1 chip](https://github.com/riscv/meta-riscv/commit/8957d43a659b) - * [u-boot-nezha: add patch which increase the CONFIF_SYS_BOOTM_LEN](https://github.com/riscv/meta-riscv/commit/3b2a050de629) - * [opensbi: update mainline with patches to fit Nezha board](https://github.com/riscv/meta-riscv/commit/ff5e85cb6f2a) - * [nezha.wks: description of SD card image for Nezha D1 dev board](https://github.com/riscv/meta-riscv/commit/812ffc4068a3) - * [toc.cfg: add configuration file of TOC1 U-Boot image](https://github.com/riscv/meta-riscv/commit/2e545ae6cc26) - * [uEnv-nezha.txt: U-Boot bootargs for Nezha board](https://github.com/riscv/meta-riscv/commit/863373eae4e7) +feature-rich IoT devices to mission-critical servers, we've got you covered. Let +us create a personalized solution that meets your specifications and takes your +device's capabilities to the next level. + +### Contribution details - Yocto + +- [Maciej Pijanowski](https://twitter.com/macpijan) (24): + - [u-boot: rebase nanopi_neo_air emmc patch](https://github.com/linux-sunxi/meta-sunxi/commit/58d382d59892) + - [Revert "u-boot: rebase nanopi_neo_air emmc patch"](https://github.com/linux-sunxi/meta-sunxi/commit/11052ea20e35) + - [conf: sunxi.inc: add wks file for arm](https://github.com/linux-sunxi/meta-sunxi/commit/9f622c70b898) + - [machine: nanopi-m1: add config](https://github.com/linux-sunxi/meta-sunxi/commit/9773647ff4c1) + - [linux-beaglev: sync dts from u-boot](https://github.com/riscv/meta-riscv/commit/62721a1e296b) + - [beaglev: add 1st on-hardware test results](https://github.com/riscv/meta-riscv/commit/d31a8ed0aefb) + - [preliminary beaglev support](https://github.com/riscv/meta-riscv/commit/9b31efa4ab7c) + - [beaglev.md: add basic readme](https://github.com/riscv/meta-riscv/commit/51d571ef99c5) + - [opensbi-beaglev: w/a for do_deploy failure](https://github.com/riscv/meta-riscv/commit/89d3bfd5d8bf) + - [beaglev: rename BSP components from -beaglev to -stafive](https://github.com/riscv/meta-riscv/commit/9d3df1e16496) + - [linux-beaglev: explain dts sync patch](https://github.com/riscv/meta-riscv/commit/562bbf0f7420) + - [beaglev-starlight-jh7100.conf: add wic.bmap IMAGE_FSTYPE](https://github.com/riscv/meta-riscv/commit/631ea77d4ab2) + - [linux-starfive: rename LINUX_VERSION_EXTENSION to -starfive](https://github.com/riscv/meta-riscv/commit/f0225ee57ead) + - [beaglev-starlight-jh7100.conf: remove leftovers from freedom-u540.conf](https://github.com/riscv/meta-riscv/commit/4c4c29aeeb30) + - [linux-beaglev: update LIC_FILES_CHKSUM](https://github.com/riscv/meta-riscv/commit/643f03b3d08f) + - [beaglev-starlight-jh7100.conf: remove comment about SBI_PAYLOAD](https://github.com/riscv/meta-riscv/commit/0e5a6d0cc7f2) + - [hostapd: update 300-noscan.patch to 2.9 version](https://github.com/kraj/meta-openwrt/commit/5762fda5a1f2) + - [ipset: use BPN in SRC_URI](https://github.com/kraj/meta-openwrt/commit/0aecaa4c1e09) + - [procd: Inherit update-alternatives](https://github.com/kraj/meta-openwrt/commit/0d3b94439cac) + - [cdrkit: split into more packages](https://github.com/openembedded/meta-openembedded/commit/167592e6359e) + - [cdrkit: add native to BBCLASSEXTEND](https://github.com/openembedded/meta-openembedded/commit/586c62727644) +- [Tomasz Żyjewski](https://twitter.com/tomzy_0) (24): + - [python3-uefi-firmware: add recipe for version 1.9](https://github.com/openembedded/meta-openembedded/commit/3e70428db7b4) + - [python3-binwalk: add recipe for version 2.3.3](https://github.com/openembedded/meta-openembedded/commit/7ea0e04aaee1) + - [ppp: adopt to use with OpenWRT](https://github.com/kraj/meta-openwrt/commit/12f19a196d0d) + - [collectd: adopt to use with OpenWRT](https://github.com/kraj/meta-openwrt/commit/fe937f1b64f4) + - [luci: expand cmake patch to install more mods](https://github.com/kraj/meta-openwrt/commit/38abdd8157d0) + - [hostapd: apply patches from OpenWRT](https://github.com/kraj/meta-openwrt/commit/c910e4fb9fcb) + - [comgt: add recipe to control gsm interface](https://github.com/kraj/meta-openwrt/commit/91e29428c1c3) + - [dropbear: adopt to use with OpenWRT](https://github.com/kraj/meta-openwrt/commit/53885307c783) + - [coova-chilli: add recipe to provide coova-chilli package](https://github.com/kraj/meta-openwrt/commit/6951c41e1c39) + - [daemon: add recipe as rdepends of coova-chilli](https://github.com/kraj/meta-openwrt/commit/2d8073a14e33) + - [liblucihttp: add recipe](https://github.com/kraj/meta-openwrt/commit/2460c2f759b0) + - [haserl: add recipe as rdepends of coova-chilli](https://github.com/kraj/meta-openwrt/commit/0e4b6c8d282d) + - [luci: set DEPENDS and INSANE_SKIP variables](https://github.com/kraj/meta-openwrt/commit/9d8ef3240409) + - [luci: add do_configure prepend to copy plural_formula files](https://github.com/kraj/meta-openwrt/commit/f03025cd8589) + - [luci: add plural_formula files to SRC_URI](https://github.com/kraj/meta-openwrt/commit/7d14d9b08960) + - [hostapd: correctly set FILES variable](https://github.com/kraj/meta-openwrt/commit/a3f0a2547bc6) + - [hostapd: install ppp.sh script](https://github.com/kraj/meta-openwrt/commit/3b2b24fb7653) + - [luci: build from openwrt-19.07 branch](https://github.com/kraj/meta-openwrt/commit/a13ffc02cec0) + - [luci: add liblucihttp as RDEPENDS](https://github.com/kraj/meta-openwrt/commit/86993d096f32) + - [netifd: build from openwrt-19.07 branch](https://github.com/kraj/meta-openwrt/commit/fc28e89709ba) + - [hostpad: install missing mac80211.sh script](https://github.com/kraj/meta-openwrt/commit/529559dffb78) + - [hostpad: install missing hostapd.sh script](https://github.com/kraj/meta-openwrt/commit/d06611a9278f) + - [procd: disable warning as error for array-bounds and unused-results](https://github.com/kraj/meta-openwrt/commit/38aef8f68476) + - [busybox: remove merged patch](https://github.com/kraj/meta-openwrt/commit/0697f29ab2c7) +- [Cezary Sobczak](https://www.linkedin.com/in/cezary-sobczak) (15): + - [opensbi: add patches for Nezha board](https://github.com/riscv/meta-riscv/commit/03bcb870e7ec) + - [boot0: add patch for Makefile to fit it with yocto build environment](https://github.com/riscv/meta-riscv/commit/0d1c2fb125ad) + - [nezha-allwinner-d1.conf: add machine configuration for Nezha board](https://github.com/riscv/meta-riscv/commit/42a5479dbcc4) + - [u-boot-nezha: add patch which fix build with binutils 2.28](https://github.com/riscv/meta-riscv/commit/c3966f6d9c7c) + - [nezha.yml: add file used with kas-docker](https://github.com/riscv/meta-riscv/commit/da702b4533b8) + - [linux-nezha: add patch which fix build with binutils 2.28](https://github.com/riscv/meta-riscv/commit/74162186df1c) + - [boot0: add patch which fix build with binutils 2.28](https://github.com/riscv/meta-riscv/commit/94a8a881a0c7) + - [u-boot-nezha: add recipe with patches for Nezha board](https://github.com/riscv/meta-riscv/commit/42384057560d) + - [boot0: add recipe of the Nezha SPL](https://github.com/riscv/meta-riscv/commit/6192951a5022) + - [linux-nezha-dev: use custom version of kernel with patches for D1 chip](https://github.com/riscv/meta-riscv/commit/8957d43a659b) + - [u-boot-nezha: add patch which increase the CONFIF_SYS_BOOTM_LEN](https://github.com/riscv/meta-riscv/commit/3b2a050de629) + - [opensbi: update mainline with patches to fit Nezha board](https://github.com/riscv/meta-riscv/commit/ff5e85cb6f2a) + - [nezha.wks: description of SD card image for Nezha D1 dev board](https://github.com/riscv/meta-riscv/commit/812ffc4068a3) + - [toc.cfg: add configuration file of TOC1 U-Boot image](https://github.com/riscv/meta-riscv/commit/2e545ae6cc26) + - [uEnv-nezha.txt: U-Boot bootargs for Nezha board](https://github.com/riscv/meta-riscv/commit/863373eae4e7) --- ![Trenchboot logo](/img/trenchboot_logo.svg) -[TrenchBoot](https://trenchboot.org/) is a framework that -allows individuals and projects to build security engines to perform launch -integrity actions for their systems. The framework builds upon Boot Integrity -Technologies (BITs) that establish one or more Roots of Trust (RoT) from which -a degree of confidence that the adversary did not subvert integrity actions is derived. +[TrenchBoot](https://trenchboot.org/) is a framework that allows individuals and +projects to build security engines to perform launch integrity actions for their +systems. The framework builds upon Boot Integrity Technologies (BITs) that +establish one or more Roots of Trust (RoT) from which a degree of confidence +that the adversary did not subvert integrity actions is derived. The most significant changes took place in the landing-zone component: -* **support for the Xen hypervisor** - This change adds support for the -[Xen](https://blog.3mdeb.com/tags/xen/) Hypervisor separates the hardware layer -from the programs running on the platform. Thanks to these changes, the landing -zone can measure all hypervisor components. -* **multiboot2 support for the GRUB2 bootloader** - Support for multiboot in -[GRUB2](https://blog.3mdeb.com/tags/grub2/) allows you to measure all the -components used during system boot when using multiboot2. + +- **support for the Xen hypervisor** - This change adds support for the + [Xen](https://blog.3mdeb.com/tags/xen/) Hypervisor separates the hardware + layer from the programs running on the platform. Thanks to these changes, the + landing zone can measure all hypervisor components. +- **multiboot2 support for the GRUB2 bootloader** - Support for multiboot in + [GRUB2](https://blog.3mdeb.com/tags/grub2/) allows you to measure all the + components used during system boot when using multiboot2. The author of these changes is [Krystian Hebel](https://www.linkedin.com/in/krystian-hebel-b48424205/). @@ -358,55 +361,55 @@ enhance your devices' boot security, Trenchboot is the solution you've been searching for. Let us help you safeguard your computing device stack with advanced hardware security technologies. - -* [Krystian Hebel](https://www.linkedin.com/in/krystian-hebel-b48424205/) (14): - * [Parse bootloader data in the form of tags](https://github.com/TrenchBoot/landing-zone/commit/a6f2f98431f6) - * [main: do not do STGI for MB2, also do not clear VM_CR_R_INIT](https://github.com/TrenchBoot/landing-zone/commit/a83df90dd736) - * [Add Multiboot2 support](https://github.com/TrenchBoot/landing-zone/commit/681b8b262087) - * [main: use one entry point for all protocols, implement stack overflow…](https://github.com/TrenchBoot/landing-zone/commit/33e9ef166713) - * [multiboot2.h: drop unused structures, add ELF headers, clean up typedefs](https://github.com/TrenchBoot/landing-zone/commit/1cbd62824343) - * [main.c: get proper MBI size, get kernel size from ELF headers](https://github.com/TrenchBoot/landing-zone/commit/dbc30868b2ee) - * [util: add script for measuring extended PCR values for Multiboot](https://github.com/TrenchBoot/landing-zone/commit/37cdc6721b7d) - * [extend_multiboot.sh: use section headers instead of program headers](https://github.com/TrenchBoot/landing-zone/commit/b1e0c8da7eef) - * [iommu.c: fix order of outb() arguments](https://github.com/TrenchBoot/landing-zone/commit/8c6d9e98c9ba) - * [event_log: add code for initializing and filling the DRTM TPM event log](https://github.com/TrenchBoot/landing-zone/commit/ca49de2d1b2b) - * [event_log.c: make the log format compatible with TXT](https://github.com/TrenchBoot/landing-zone/commit/c090a7df5fd8) - * [event_log: add fields for hash of LZ to the lz_header](https://github.com/TrenchBoot/landing-zone/commit/f9deeabb6405) - * [main: log PCR extend operations in DRTM TPM event log](https://github.com/TrenchBoot/landing-zone/commit/459b2ed40d2d) - * [iommu: Implementation of early IOMMU](https://github.com/TrenchBoot/landing-zone/commit/d8b79be69103) +- [Krystian Hebel](https://www.linkedin.com/in/krystian-hebel-b48424205/) (14): + - [Parse bootloader data in the form of tags](https://github.com/TrenchBoot/landing-zone/commit/a6f2f98431f6) + - [main: do not do STGI for MB2, also do not clear VM_CR_R_INIT](https://github.com/TrenchBoot/landing-zone/commit/a83df90dd736) + - [Add Multiboot2 support](https://github.com/TrenchBoot/landing-zone/commit/681b8b262087) + - [main: use one entry point for all protocols, implement stack overflow…](https://github.com/TrenchBoot/landing-zone/commit/33e9ef166713) + - [multiboot2.h: drop unused structures, add ELF headers, clean up typedefs](https://github.com/TrenchBoot/landing-zone/commit/1cbd62824343) + - [main.c: get proper MBI size, get kernel size from ELF headers](https://github.com/TrenchBoot/landing-zone/commit/dbc30868b2ee) + - [util: add script for measuring extended PCR values for Multiboot](https://github.com/TrenchBoot/landing-zone/commit/37cdc6721b7d) + - [extend_multiboot.sh: use section headers instead of program headers](https://github.com/TrenchBoot/landing-zone/commit/b1e0c8da7eef) + - [iommu.c: fix order of outb() arguments](https://github.com/TrenchBoot/landing-zone/commit/8c6d9e98c9ba) + - [event_log: add code for initializing and filling the DRTM TPM event log](https://github.com/TrenchBoot/landing-zone/commit/ca49de2d1b2b) + - [event_log.c: make the log format compatible with TXT](https://github.com/TrenchBoot/landing-zone/commit/c090a7df5fd8) + - [event_log: add fields for hash of LZ to the lz_header](https://github.com/TrenchBoot/landing-zone/commit/f9deeabb6405) + - [main: log PCR extend operations in DRTM TPM event log](https://github.com/TrenchBoot/landing-zone/commit/459b2ed40d2d) + - [iommu: Implementation of early IOMMU](https://github.com/TrenchBoot/landing-zone/commit/d8b79be69103) ## Upcoming events -Don't forget to mark your calendars for [Dasharo User Group #2](https://vpub.dasharo.com/e/7/dasharo-user-group-2), -which will take place on July 6th, 2023. DUG events are an excellent -opportunity to learn more about open-source projects and 3mdeb's open-source -contributions and connect with Dasharo developers. +Don't forget to mark your calendars for +[Dasharo User Group #2](https://vpub.dasharo.com/e/7/dasharo-user-group-2), +which will take place on July 6th, 2023. DUG events are an excellent opportunity +to learn more about open-source projects and 3mdeb's open-source contributions +and connect with Dasharo developers. The Dasharo User Group (DUG) is a forum for users of Dasharo to come together, share their knowledge, and stay informed about the latest developments in the Dasharo ecosystem. The DUG is a platform for users to connect and learn about -new features and updates coming to Dasharo. The first DUG event will take -place in early March and will include a variety of discussions on different -topics related to Dasharo. We will share the agenda for the event in the next -month. The event will be an excellent opportunity for Dasharo users meet other -users, learn new things, and share their knowledge and experience with others. +new features and updates coming to Dasharo. The first DUG event will take place +in early March and will include a variety of discussions on different topics +related to Dasharo. We will share the agenda for the event in the next month. +The event will be an excellent opportunity for Dasharo users meet other users, +learn new things, and share their knowledge and experience with others. Dasharo vPub 0x7 is a follow-up event to DUG#2 and will provide a space to engage in more informal conversations and discussions that we may not cover during DUG#2. The vPub is a less structured, more relaxed environment where the community can discuss topics that interest them. During the event, you can -experience discussions about open-source firmware, open-source hardware and -open instruction set architecture, technical challenges they are facing, and -ideas for new features or improvements. +experience discussions about open-source firmware, open-source hardware and open +instruction set architecture, technical challenges they are facing, and ideas +for new features or improvements. The Dasharo User Group (DUG#1) and vPub 0x6 event achieved great success, offering insightful presentations and engaging discussions on topics related to open-source firmware, hardware, and security. Key highlights encompassed Dasharo's roadmap, the groundbreaking potential of NovaCustom's hardware and -open-source firmware for enhancing the laptop experience, the Dasharo Tool -Suite roadmap, notable Dasharo Community Support ports like Supermciro X11SSH -support and RPL-S CPU, the summary of PC Engines' post-EOL firmware survey, and -much more. +open-source firmware for enhancing the laptop experience, the Dasharo Tool Suite +roadmap, notable Dasharo Community Support ports like Supermciro X11SSH support +and RPL-S CPU, the summary of PC Engines' post-EOL firmware survey, and much +more. We express our appreciation to the speakers who shared their expertise and perspectives during both DUG#1 and vPub vol.6. These remarkable individuals @@ -416,9 +419,9 @@ Marczykowski-Górecki from Invisible Things Lab/Qubes OS, and Thierry Laurion from Insurgo Technologies Libres/Heads. For those unable to attend the event or interested in revisiting the sessions, -recorded videos are available on YouTube via the [following -link](https://www.youtube.com/watch?v=fUfjWyljKNs). Furthermore, you can -access event slides at: +recorded videos are available on YouTube via the +[following link](https://www.youtube.com/watch?v=fUfjWyljKNs). Furthermore, you +can access event slides at: [vpub.dasharo.com](https://vpub.dasharo.com/e/1/dasharo-user-group-1). ## Summary @@ -427,8 +430,8 @@ These are just a selection of our contributions to open-source. Since its inception, 3mdeb has contributed changes to more than 100,000 lines of code in open-source projects. So if you're looking for expert guidance on open-source projects such as coreboot, fwupd, Yocto, and Trenchboot, our team is here to -help. [We'd love to discuss the details](https://3mdeb.com/contact/) we can -work together to bring your project to the next level. +help. [We'd love to discuss the details](https://3mdeb.com/contact/) we can work +together to bring your project to the next level. If you are passionate about these topics, we also welcome you to join our recruitment process and become a part of our team. diff --git a/blog/content/post/2023-05-18-our_contribution_to_coreboot_4_20_release.md b/blog/content/post/2023-05-18-our_contribution_to_coreboot_4_20_release.md index d420c81c..1b1cd566 100644 --- a/blog/content/post/2023-05-18-our_contribution_to_coreboot_4_20_release.md +++ b/blog/content/post/2023-05-18-our_contribution_to_coreboot_4_20_release.md @@ -32,101 +32,100 @@ need to know about the changes in this release. Firstly, we'd like to acknowledge the hard work of our contributors, who continuously strive to enhance the coreboot project: -* [Michał Żygowski](https://twitter.com/_miczyg_) -* [Sergii Dmytruk](https://github.com/SergiiDmytruk) -* [Karol Zmyslowski](https://www.linkedin.com/in/karolzet/) -* [Krystian Hebel](https://www.linkedin.com/in/krystian-hebel-b48424205/) -* [Kacper Stojek](https://www.linkedin.com/in/kacper-stojek-5108a7237/) -* [Michał Kopeć](https://www.linkedin.com/in/micha%C5%82-kope%C4%87-a8b216200) - -They've made significant contributions to various aspects of this project. -Their input ranges from fine-tuning and debugging existing features to -implementing new ones and revamping core aspects of the firmware. We express -our gratitude for their efforts. +- [Michał Żygowski](https://twitter.com/_miczyg_) +- [Sergii Dmytruk](https://github.com/SergiiDmytruk) +- [Karol Zmyslowski](https://www.linkedin.com/in/karolzet/) +- [Krystian Hebel](https://www.linkedin.com/in/krystian-hebel-b48424205/) +- [Kacper Stojek](https://www.linkedin.com/in/kacper-stojek-5108a7237/) +- [Michał Kopeć](https://www.linkedin.com/in/micha%C5%82-kope%C4%87-a8b216200) + +They've made significant contributions to various aspects of this project. Their +input ranges from fine-tuning and debugging existing features to implementing +new ones and revamping core aspects of the firmware. We express our gratitude +for their efforts. ## Significant Updates and Features While there's a myriad of changes in the coreboot 4.20 release, you can find -details in [release -notes](https://doc.coreboot.org/releases/coreboot-4.20-relnotes.html), a few -stand out due to their potential value for the community. - -3mdeb has actively contributed to this release as part of [Dasharo Support -Package](https://docs.dasharo.com/osf-trolling-list/jsm_documentation/#dasharo-support-package) -product and [Dasharo Community -Support](https://docs.dasharo.com/osf-trivia-list/dasharo/#dasharo-professional-support) -sponsored through [Dasharo newsletter -subscription](https://3mdeb.com/?s=%22year+Dasharo+Supporters+Entrance%22&post_type=product&dgwt_wcas=1) -and [merchandise](https://3mdeb.com/product-category/merchandise/), as seen in -the number of commits, mainly through our work in: - -* Mainboard and SoC Support: We added and improved support for Protectli - mainboards based on Intel Elkhart Lake, Alder Lake SoCs. Added support to - dump GPIOs on Jasper Lake SoC. -* Documentation: coreboot's documentation was updated, particularly in the +details in +[release notes](https://web.archive.org/web/20230203140857/https://doc.coreboot.org/releases/coreboot-4.20-relnotes.html), +a few stand out due to their potential value for the community. + +3mdeb has actively contributed to this release as part of +[Dasharo Support Package](https://docs.dasharo.com/osf-trolling-list/jsm_documentation/#dasharo-support-package) +product and +[Dasharo Community Support](https://docs.dasharo.com/osf-trivia-list/dasharo/#dasharo-professional-support) +sponsored through +[Dasharo newsletter subscription](https://3mdeb.com/?s=%22year+Dasharo+Supporters+Entrance%22&post_type=product&dgwt_wcas=1) +and [merchandise](https://shop.3mdeb.com/product-category/merchandise/), +as seen in the number of commits, mainly through our work in: + +- Mainboard and SoC Support: We added and improved support for Protectli + mainboards based on Intel Elkhart Lake, Alder Lake SoCs. Added support to dump + GPIOs on Jasper Lake SoC. +- Documentation: coreboot's documentation was updated, particularly in the Dasharo description and Trusted Platform Module (TPM) options. -* TPM Security: New log formats compliant with the 2.0 and 1.2 specs and +- TPM Security: New log formats compliant with the 2.0 and 1.2 specs and Kconfig-configurable PCR usage. -* VT-d: The VT-d subsystem now has a new DMA protection API, which we - integrated into Alder Lake's functionality. -* EDK2 Payload: Users can now clone the edk2-platforms repository. -* Bug Fixes: Multiple fixes in different areas, such as Intel Elkhart Lake's +- VT-d: The VT-d subsystem now has a new DMA protection API, which we integrated + into Alder Lake's functionality. +- EDK2 Payload: Users can now clone the edk2-platforms repository. +- Bug Fixes: Multiple fixes in different areas, such as Intel Elkhart Lake's GPIO and Makefiles. -* Power9: We refactored the code to enhance readability and maintainability. -* Additional features: A speaker beep function and updated USB port macros. +- Power9: We refactored the code to enhance readability and maintainability. +- Additional features: A speaker beep function and updated USB port macros. ## Contribution details -* Kacper Stojek (3) - * [mainboard/protectli/vault_ehl: Add initial structure](https://review.coreboot.org/c/coreboot/+/72407) - * [Documentation/external_docs.md: Add information about ost2](https://review.coreboot.org/c/coreboot/+/70853) - * [Documentation/distributions.md: Update Dasharo description](https://review.coreboot.org/c/coreboot/+/70852) -* Karol Zmysłowski (1) - * [util/inteltool: Add support for Jasper Lake](https://review.coreboot.org/c/coreboot/+/73934) -* Krystian Hebel (1) - * [arch/ppc64/rom_media.c: move to mainboard/emulation/qemu-power*](https://review.coreboot.org/c/coreboot/+/67061) -* Michał Kopeć (1) - * [soc/intel/elkhartlake/fsp_params.c: wire up remaining ddc params](https://review.coreboot.org/c/coreboot/+/72405) -* Michał Żygowski (19) - * [mb/protectli/vault_cml: Add Comet Lake 6 port board support](https://review.coreboot.org/c/coreboot/+/67940) - * [intelblocks/vtd: Add VT-d block with DMA protection API](https://review.coreboot.org/c/coreboot/+/68449) - * [intelblocks/cse: Add functions to check and change PTT state](https://review.coreboot.org/c/coreboot/+/68919) - * [mb/protectli/vault_cml: Disable PTT and SPI TPM](https://review.coreboot.org/c/coreboot/+/68920) - * [payloads/external/edk2: Add option to clone edk2-platforms repo](https://review.coreboot.org/c/coreboot/+/68872) - * [soc/intel/elkhartlake/romstage/fsp_params.c: separate debug params](https://review.coreboot.org/c/coreboot/+/72404) - * [soc/intel/alderlake/hsphy.c: Handle case with DMA protection](https://review.coreboot.org/c/coreboot/+/68556) - * [pc80/i8254: Add speaker beep function](https://review.coreboot.org/c/coreboot/+/68100) - * [mb/msi/ms7d25: Update USB port macros](https://review.coreboot.org/c/coreboot/+/69820) - * [Makefile.inc: fix multiple jobs build issue](https://review.coreboot.org/c/coreboot/+/69819) - * [soc/intel/alderlake: Hook up P2SB PCI ops](https://review.coreboot.org/c/coreboot/+/69949) - * [soc/intel/alderlake: Hook the VT-d DMA protection option](https://review.coreboot.org/c/coreboot/+/68450) - * [soc/intel/elkhartlake/gpio.c: Fix GPD reset map](https://review.coreboot.org/c/coreboot/+/72406) - * [soc/intel/alderlake/iomap: Fix the PCR BAR size on ADL-S](https://review.coreboot.org/c/coreboot/+/69948) - * [soc/intel/elkhartlake: Define DIMM_SPD_SIZE in SoC Kconfig](https://review.coreboot.org/c/coreboot/+/73933) - * [soc/intel/common/block/graphics: Hook up all ADL-S IGD PCI IDs](https://review.coreboot.org/c/coreboot/+/70101) - * [soc/intel/alderlake/{chipset.cb,chipset_pch_s.cb}: Set P2SB as hidden](https://review.coreboot.org/c/coreboot/+/69950) - * [Update vboot submodule to upstream main](https://review.coreboot.org/c/coreboot/+/74401) - * [soc/intel/elkhartlake: Increase BSP stack size by 1 KiB to 193 KiB](https://review.coreboot.org/c/coreboot/+/73820) - * [soc/intel/alderlake: Select SOC_INTEL_COMMON_BLOCK_VTD](https://review.coreboot.org/c/coreboot/+/72069) -* Sergii Dmytruk (5) - * [security/tpm: add TPM log format as per 2.0 spec](https://review.coreboot.org/c/coreboot/+/68748) - * [security/tpm: add TPM log format as per 1.2 spec](https://review.coreboot.org/c/coreboot/+/68747) - * [Documentation/measured_boot.md: document new TPM options](https://review.coreboot.org/c/coreboot/+/68752) - * [Documentation/measured_boot.md: fix SRTM/DRTM explanations](https://review.coreboot.org/c/coreboot/+/68751) - * [security/tpm: make usage of PCRs configurable via Kconfig](https://review.coreboot.org/c/coreboot/+/68750) - * [src/cpu/power9: move part of scom.h to scom.c](https://review.coreboot.org/c/coreboot/+/67055) +- Kacper Stojek (3) + - [mainboard/protectli/vault_ehl: Add initial structure](https://review.coreboot.org/c/coreboot/+/72407) + - [Documentation/external_docs.md: Add information about ost2](https://review.coreboot.org/c/coreboot/+/70853) + - [Documentation/distributions.md: Update Dasharo description](https://review.coreboot.org/c/coreboot/+/70852) +- Karol Zmysłowski (1) + - [util/inteltool: Add support for Jasper Lake](https://review.coreboot.org/c/coreboot/+/73934) +- Krystian Hebel (1) + - [arch/ppc64/rom_media.c: move to mainboard/emulation/qemu-power\*](https://review.coreboot.org/c/coreboot/+/67061) +- Michał Kopeć (1) + - [soc/intel/elkhartlake/fsp_params.c: wire up remaining ddc params](https://review.coreboot.org/c/coreboot/+/72405) +- Michał Żygowski (19) + - [mb/protectli/vault_cml: Add Comet Lake 6 port board support](https://review.coreboot.org/c/coreboot/+/67940) + - [intelblocks/vtd: Add VT-d block with DMA protection API](https://review.coreboot.org/c/coreboot/+/68449) + - [intelblocks/cse: Add functions to check and change PTT state](https://review.coreboot.org/c/coreboot/+/68919) + - [mb/protectli/vault_cml: Disable PTT and SPI TPM](https://review.coreboot.org/c/coreboot/+/68920) + - [payloads/external/edk2: Add option to clone edk2-platforms repo](https://review.coreboot.org/c/coreboot/+/68872) + - [soc/intel/elkhartlake/romstage/fsp_params.c: separate debug params](https://review.coreboot.org/c/coreboot/+/72404) + - [soc/intel/alderlake/hsphy.c: Handle case with DMA protection](https://review.coreboot.org/c/coreboot/+/68556) + - [pc80/i8254: Add speaker beep function](https://review.coreboot.org/c/coreboot/+/68100) + - [mb/msi/ms7d25: Update USB port macros](https://review.coreboot.org/c/coreboot/+/69820) + - [Makefile.inc: fix multiple jobs build issue](https://review.coreboot.org/c/coreboot/+/69819) + - [soc/intel/alderlake: Hook up P2SB PCI ops](https://review.coreboot.org/c/coreboot/+/69949) + - [soc/intel/alderlake: Hook the VT-d DMA protection option](https://review.coreboot.org/c/coreboot/+/68450) + - [soc/intel/elkhartlake/gpio.c: Fix GPD reset map](https://review.coreboot.org/c/coreboot/+/72406) + - [soc/intel/alderlake/iomap: Fix the PCR BAR size on ADL-S](https://review.coreboot.org/c/coreboot/+/69948) + - [soc/intel/elkhartlake: Define DIMM_SPD_SIZE in SoC Kconfig](https://review.coreboot.org/c/coreboot/+/73933) + - [soc/intel/common/block/graphics: Hook up all ADL-S IGD PCI IDs](https://review.coreboot.org/c/coreboot/+/70101) + - [soc/intel/alderlake/{chipset.cb,chipset_pch_s.cb}: Set P2SB as hidden](https://review.coreboot.org/c/coreboot/+/69950) + - [Update vboot submodule to upstream main](https://review.coreboot.org/c/coreboot/+/74401) + - [soc/intel/elkhartlake: Increase BSP stack size by 1 KiB to 193 KiB](https://review.coreboot.org/c/coreboot/+/73820) + - [soc/intel/alderlake: Select SOC_INTEL_COMMON_BLOCK_VTD](https://review.coreboot.org/c/coreboot/+/72069) +- Sergii Dmytruk (5) + - [security/tpm: add TPM log format as per 2.0 spec](https://review.coreboot.org/c/coreboot/+/68748) + - [security/tpm: add TPM log format as per 1.2 spec](https://review.coreboot.org/c/coreboot/+/68747) + - [Documentation/measured_boot.md: document new TPM options](https://review.coreboot.org/c/coreboot/+/68752) + - [Documentation/measured_boot.md: fix SRTM/DRTM explanations](https://review.coreboot.org/c/coreboot/+/68751) + - [security/tpm: make usage of PCRs configurable via Kconfig](https://review.coreboot.org/c/coreboot/+/68750) + - [src/cpu/power9: move part of scom.h to scom.c](https://review.coreboot.org/c/coreboot/+/67055) ## Summary Maximize your hardware's capabilities and secure your firmware with 3mdeb's expert services. Our team is dedicated to enhancing your product's performance and safeguarding it from security vulnerabilities. By opting for our services, -you unlock myriad benefits that your hardware holds. Whether it's about -firmware optimization or security, we've got you covered. Don't let your -hardware limit your potential; instead, let's work together to push the -boundaries of what's possible. Ready to take the leap? [Reach out to -us](https://3mdeb.com/contact/) for a consultation and stay informed by -subscribing to [our -newsletter](https://newsletter.3mdeb.com/subscription/wwL90UkXP). Let's +you unlock myriad benefits that your hardware holds. Whether it's about firmware +optimization or security, we've got you covered. Don't let your hardware limit +your potential; instead, let's work together to push the boundaries of what's +possible. Ready to take the leap? [Reach out to us](https://3mdeb.com/contact/) +for a consultation and stay informed by subscribing to +[our newsletter](https://newsletter.3mdeb.com/subscription/wwL90UkXP). Let's revolutionize your firmware security and performance together. Choose Dasharo, choose 3mdeb. Take the first step today! diff --git a/blog/content/post/2023-05-19-fobnail_application.md b/blog/content/post/2023-05-19-fobnail_application.md index d58f5dab..37da1843 100644 --- a/blog/content/post/2023-05-19-fobnail_application.md +++ b/blog/content/post/2023-05-19-fobnail_application.md @@ -20,19 +20,19 @@ categories: --- -# About the Fobnail project +## About the Fobnail project Fobnail is a project that aims to provide a reference architecture for building offline integrity measurement verifiers on the USB device (Fobnail Token) and attesters running in Dynamically Launched Measured Environments (DLME). It allows the Fobnail owner to verify the trustworthiness of the running system -before performing any sensitive operation. This project was founded by [NlNet -Foundation](https://nlnet.nl/). More information about the project can be found -in the [Fobnail documentation](https://fobnail.3mdeb.com/). Also, make sure to -read other posts related to this project by visiting +before performing any sensitive operation. This project was founded by +[NlNet Foundation](https://nlnet.nl/). More information about the project can be +found in the [Fobnail documentation](https://fobnail.3mdeb.com/). Also, make +sure to read other posts related to this project by visiting [fobnail](https://blog.3mdeb.com/tags/fobnail/) tag. -# Scope of current phase +## Scope of current phase This phase focused on using Fobnail in a real-life use case, namely using it to access LUKS2 decryption key if and only if the PCR measurements are valid. In @@ -40,12 +40,13 @@ this post only high-level usage will be described, if you want to know what happens under the hood or want to modify it to your needs see [documentation](https://fobnail.3mdeb.com/examples/disk_encryption/). -# Changes +## Changes In this phase we completely switched the architecture around. Now the CoAP -server is located on Fobnail Token, instead of each of PC applications. This -way we could implement [API endpoints](https://fobnail.3mdeb.com/fobnail-api/), -including [Fobnail Token Services (FTS)](https://fobnail.3mdeb.com/fobnail-api/#fobnail-token-services), +server is located on Fobnail Token, instead of each of PC applications. This way +we could implement [API endpoints](https://fobnail.3mdeb.com/fobnail-api/), +including +[Fobnail Token Services (FTS)](https://fobnail.3mdeb.com/fobnail-api/#fobnail-token-services), which allows for more elaborate applications without having to re-flash Token firmware each time. @@ -60,8 +61,8 @@ and one without. Former should be used just for initial provisioning, and the latter for normal use. We hope that by simplifying more frequently used form of Attester (that is, the application used just for attestation, not provisioning) we can reduce the surface of attack. It also helps with rare cases when users -inadvertently plugged in unprovisioned Token - in that case Token would also -lit _all-good_ green LED in the end, making it indistinguishable from normal +inadvertently plugged in unprovisioned Token - in that case Token would also lit +_all-good_ green LED in the end, making it indistinguishable from normal attestation. For the same reason we also gave up on the idea of unprovisioning the token by holding the button - neighboring USB device could potentially keep the button pressed @@ -73,12 +74,14 @@ for longer signals like attestation result. We took advantage of that forced change to [expand and standardize](https://fobnail.3mdeb.com/blink-codes/) blink codes produced by Fobnail Token. -## Building and running +### Building and running -Building hasn't change much since [last time](https://blog.3mdeb.com/2022/2022-05-25-fobnail_provisioning/#building-and-running). +Building hasn't change much since +[last time](https://blog.3mdeb.com/2022/2022-05-25-fobnail_provisioning/#building-and-running). There are some changes done to produce `fobnail-attester-with-provisioning` along with non-provisioning version, but instructions for building didn't -change. The process is now [part of Fobnail documentation](https://fobnail.3mdeb.com/building/). +change. The process is now +[part of Fobnail documentation](https://fobnail.3mdeb.com/building/). Ubuntu LTS 22.04 and tools from official packages included in that distribution were used for writing and testing of this blog post. This includes building, @@ -96,7 +99,7 @@ be already running when Fobnail Token is being plugged in. Attester changed a bit more, it now can take arguments which use Fobnail Token Services. Description of those can be obtained by starting Attester with `--help`: -``` +```bash Usage: fobnail-attester [CMD]... @@ -126,7 +129,7 @@ order in which they appear on the command line. Attestation is performed only once. If any of the commands fails, further commands are not executed. ``` -## Preparing encrypted disk image for use with Fobnail +### Preparing encrypted disk image for use with Fobnail Some preparations have to be done during provisioning by administrator to make user's life as easy as possible. Following steps were performed on Ubuntu 22.04 @@ -140,7 +143,7 @@ properly assigned IP address. It can be added through `*.link` file and permanent `NetworkManager` connection (see how it's done for Attester below), but since this is one-time operation it can also be assigned temporarily with: -``` +```bash sudo nmcli con add save no con-name Fobnail ifname enp0s26u1u1 type ethernet \ ip4 169.254.0.8/16 ipv6.method disabled ``` @@ -150,7 +153,7 @@ OS, its configuration, presence of other USB Ethernet adapters or even USB port to which the Token is plugged in. To obtain it, run `sudo dmesg | grep cdc_eem`. In my case this was the result: -``` +```bash [54.928687] cdc_eem 1-1.1:1.0 usb0: register 'cdc_eem' at usb-0000:00:1a.0-1.1, CDC EEM Device, f6:82:61:5e:71:2a [55.052471] cdc_eem 1-1.1:1.0 enp0s26u1u1: renamed from usb0 [55.153313] cdc_eem 1-1.1:1.0 enp0s26u1u1: unregister 'cdc_eem' usb-0000:00:1a.0-1.1, CDC EEM Device @@ -165,7 +168,8 @@ phases of Fobnail project: fobnail-platform-owner path/to/chain.pem path/to/issuer_ca_priv.key ``` -Refer to [documentation](https://fobnail.3mdeb.com/keys_and_certificates/#platform-owner-certificate-chain) +Refer to +[documentation](https://fobnail.3mdeb.com/keys_and_certificates/#platform-owner-certificate-chain) for description and example OpenSSL configuration for Platform Owner certificate chain, if you haven't prepared whole chain during the build process. @@ -174,16 +178,17 @@ further steps easier, start by making the interface name persistent and assign an IP address to it. Create file `/etc/systemd/network/10-fobnail.link` with following content: -``` +```bash [Match] -# Match against Fobnail VID and PID, this requires SystemD v243 or newer +## Match against Fobnail VID and PID, this requires SystemD v243 or newer Property=ID_MODEL_ID=4321 ID_VENDOR_ID=1234 [Link] Name=fobnail ``` -This file can also be found in [fobnail-attester repository](https://github.com/fobnail/fobnail-attester/tree/main/scripts/10-fobnail.link). +This file can also be found in +[fobnail-attester repository](https://github.com/fobnail/fobnail-attester/tree/main/scripts/10-fobnail.link). Now we can add persistent network configuration for new interface name: ```bash @@ -215,48 +220,48 @@ run with `sudo`: ```bash #!/bin/bash -# Some configuration variables common to provisioning and attestation, they must -# be the same in 'fobnail.cfg' created later +## Some configuration variables common to provisioning and attestation, they must +## be the same in 'fobnail.cfg' created later DISK_IMG="/usr/share/fobnail/disk.img" MNT_DIR="/media/fobnail" MAPPER_DEV=c1 FOBNAIL_KEY_FNAME=luks_key -# Configuration variables used only by this script. Assuming this script is -# started from fobnail-attester directory, change path if not: +## Configuration variables used only by this script. Assuming this script is +## started from fobnail-attester directory, change path if not: ATTESTER_PROV=./bin/fobnail-attester-with-provisioning DISK_SIZE_MB=128 TMP_KEY=/tmp/keyfile.bin -# Get user name, regardless of whether script is started with sudo or not +## Get user name, regardless of whether script is started with sudo or not DISK_USER=${SUDO_USER:-$USER} -# Create disk image and mount is as loop device +## Create disk image and mount is as loop device mkdir -p `dirname $DISK_IMG` dd if=/dev/zero of=$DISK_IMG bs=1M count=$DISK_SIZE_MB LOOP_DEV=`losetup -f --show $DISK_IMG` -# Create encryption key and LUKS partition +## Create encryption key and LUKS partition dd bs=512 count=2 if=/dev/urandom of=$TMP_KEY cryptsetup luksFormat --type luks2 $LOOP_DEV $TMP_KEY -# Create filesystem on the partition +## Create filesystem on the partition cryptsetup luksOpen -d $TMP_KEY $LOOP_DEV $MAPPER_DEV mke2fs -j /dev/mapper/$MAPPER_DEV -# Mount partition and change the owner of root directory +## Mount partition and change the owner of root directory mkdir -p "$MNT_DIR" mount /dev/mapper/${MAPPER_DEV} "$MNT_DIR" chown -R $DISK_USER:$DISK_USER "$MNT_DIR" -# Optionally fill the partition with secret stuff -# cp top_secret_file.odt "${MNT_DIR}" +## Optionally fill the partition with secret stuff +## cp top_secret_file.odt "${MNT_DIR}" umount "$MNT_DIR" -# Close LUKS partition and underlying loop device +## Close LUKS partition and underlying loop device cryptsetup close $MAPPER_DEV losetup -d $LOOP_DEV -# Write key to Fobnail Token and securely erase it from host +## Write key to Fobnail Token and securely erase it from host $ATTESTER_PROV --write-file $TMP_KEY:$FOBNAIL_KEY_FNAME && \ dd if=/dev/urandom of=$TMP_KEY bs=$(stat -c %s $TMP_KEY) count=1 && \ rm $TMP_KEY && echo "Platform was provisioned successfully" && exit @@ -273,28 +278,29 @@ can be found in [the documentation](https://fobnail.3mdeb.com/blink-codes/). Platform is now provisioned and encryption key can be read by calling `fobnail-attester --read-file luks_key:keyfile.bin`. For better user experience we can automate day-to-day use as well with set of relatively simple scripts and -configuration files from [fobnail-attester repository](https://github.com/fobnail/fobnail-attester/tree/main/scripts): +configuration files from +[fobnail-attester repository](https://github.com/fobnail/fobnail-attester/tree/main/scripts): - `fobnail-mount.service` is to be installed in `/lib/systemd/system` or another -directory searched by `systemd`. It contains paths to files listed below, you -can change it in the service file or use defaults. + directory searched by `systemd`. It contains paths to files listed below, you + can change it in the service file or use defaults. - `fobnail.cfg` by default is expected to be located in `/etc` directory. It -holds paths and filenames used by Attester, change those if required. Note that -it should use the same values as were used during provisioning, unless any of -files pointet to by configuration were manually moved. + holds paths and filenames used by Attester, change those if required. Note + that it should use the same values as were used during provisioning, unless + any of files pointet to by configuration were manually moved. - `mount.sh` and `umount.sh` should be installed in `/usr/share/fobnail` by -default, create this directory if it doesn't exist. + default, create this directory if it doesn't exist. - `99-fobnail.rules` is the file that instructs `udev` (which is now part of -`systemd`) to automatically start the service when Token is plugged in to the -platform. Copy this file to `/etc/udev/rules.d` directory. + `systemd`) to automatically start the service when Token is plugged in to the + platform. Copy this file to `/etc/udev/rules.d` directory. - `10-fobnail.link` was already created before platform provisioning. This file -doesn't have configurable location, it always have to live in -`/etc/systemd/network` directory. Note that key used in `[Match]` section -requires `systemd` in version 243 or newer. If you want to use it with older -`systemd` you have to use another key, otherwise this file will be matched by -_every_ link, even `loopback` interface. This would most likely break your -Internet connection. Refer to your version of `man systemd.link` for alternative -keys for `[Match]` if you want to use it with older `systemd`. + doesn't have configurable location, it always have to live in + `/etc/systemd/network` directory. Note that key used in `[Match]` section + requires `systemd` in version 243 or newer. If you want to use it with older + `systemd` you have to use another key, otherwise this file will be matched by + _every_ link, even `loopback` interface. This would most likely break your + Internet connection. Refer to your version of `man systemd.link` for + alternative keys for `[Match]` if you want to use it with older `systemd`. To install all mentioned files in their default location with proper permissions go to `fobnail-attester/scripts` directory and execute in terminal: @@ -304,7 +310,7 @@ sudo install -m 644 fobnail-mount.service -t /lib/systemd/system/ sudo install -m 644 fobnail.cfg /etc/ sudo install -D *.sh -t /usr/share/fobnail/ sudo install -m 644 99-fobnail.rules -t /etc/udev/rules.d/ -# This one should already be done, leaving it here for completeness: +## This one should already be done, leaving it here for completeness: sudo install -m 644 10-fobnail.link -t /etc/systemd/network/ sudo install -m 755 ../bin/fobnail-attester /usr/bin/ ``` @@ -317,7 +323,7 @@ with: sudo systemctl reload-or-restart systemd-udevd ``` -#### Use +##### Use Just plug in the Token, wait few seconds (up to few dozen) for green light and voila! You should now have access to all your secrets, mounted in directory @@ -330,11 +336,11 @@ will fail and access to your secrets will still be possible. Keep in mind that it also applies to terminals with `MNT_DIR` or any of its sub-directories being their current working directory. -## Demo +### Demo -{{< youtube O4A83zNtioY >}} +{{\< youtube O4A83zNtioY >}} -## Known issues +### Known issues Encryption keys bigger than 1KB are not supported. This is a side effect of making Token firmware use less RAM. We had to compromise between ability to @@ -348,10 +354,12 @@ other application can use TPM together with Attester, including another instance of Attester. `timeout` is used to work around potential issue with Attester, for example when it can't access the Token and gets stuck. -## Summary +### Summary If you think we can help in improving the security of your firmware or you are looking for someone who can boost your product by leveraging advanced features -of used hardware platform, feel free to [book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us email to `contact3mdebcom`. If you are interested in similar -content feel free to [sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) +of used hardware platform, feel free to +[book a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) or +drop us email to `contact3mdebcom`. If you are interested in similar +content feel free to +[sign up to our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6) diff --git a/blog/content/post/2023-07-28-optimizing-spi-on-stm32.md b/blog/content/post/2023-07-28-optimizing-spi-on-stm32.md index 7853464b..3f97ec48 100644 --- a/blog/content/post/2023-07-28-optimizing-spi-on-stm32.md +++ b/blog/content/post/2023-07-28-optimizing-spi-on-stm32.md @@ -34,8 +34,6 @@ categories: --- -# - STM32 MCUs come with various peripherals, one of them is SPI (Serial Peripheral Interface) which is a simple serial bus interface commonly used for short-distance communication between various devices. SPI is one of the @@ -94,39 +92,39 @@ The application just transmits a static sequence of bytes: ```c const struct device *spi_dev = NULL; struct spi_config spi_cfg = { - .frequency = 25000000, - .operation = SPI_WORD_SET(8) | SPI_TRANSFER_MSB | SPI_OP_MODE_SLAVE, + .frequency = 25000000, + .operation = SPI_WORD_SET(8) | SPI_TRANSFER_MSB | SPI_OP_MODE_SLAVE, }; const uint8_t testdata[32] = { - 0x3d, 0x7f, 0x85, 0xc3, 0x86, 0x2f, 0x14, 0x2a, 0xa2, 0x67, 0x1d, 0xd7, 0xfa, 0xa8, 0x3a, 0x42, - 0xf8, 0x12, 0xd2, 0xa1, 0x04, 0xcc, 0xe2, 0xc6, 0x78, 0x73, 0x09, 0xe6, 0xd8, 0xc5, 0x0e, 0xba, + 0x3d, 0x7f, 0x85, 0xc3, 0x86, 0x2f, 0x14, 0x2a, 0xa2, 0x67, 0x1d, 0xd7, 0xfa, 0xa8, 0x3a, 0x42, + 0xf8, 0x12, 0xd2, 0xa1, 0x04, 0xcc, 0xe2, 0xc6, 0x78, 0x73, 0x09, 0xe6, 0xd8, 0xc5, 0x0e, 0xba, }; void main(void) { - spi_dev = device_get_binding(DEVICE_DT_NAME(DT_NODELABEL(spi2))); - if (!device_is_ready(spi_dev)) { - printk("SPI controller is not ready!\n"); - return; - } - - struct spi_buf spi_tx_buf = { - .buf = (void *)testdata, - .len = sizeof testdata, - }; - - struct spi_buf_set spi_tx_buf_set = { - .buffers = &spi_tx_buf, - .count = 1, - }; - - while (true) { - int ret = spi_write(spi_dev, &spi_cfg, &spi_tx_buf_set); - if (ret < 0) - printk("spi_write failed: %d\n", ret); - else - printk("spi transfer complete\n"); - } + spi_dev = device_get_binding(DEVICE_DT_NAME(DT_NODELABEL(spi2))); + if (!device_is_ready(spi_dev)) { + printk("SPI controller is not ready!\n"); + return; + } + + struct spi_buf spi_tx_buf = { + .buf = (void *)testdata, + .len = sizeof testdata, + }; + + struct spi_buf_set spi_tx_buf_set = { + .buffers = &spi_tx_buf, + .count = 1, + }; + + while (true) { + int ret = spi_write(spi_dev, &spi_cfg, &spi_tx_buf_set); + if (ret < 0) + printk("spi_write failed: %d\n", ret); + else + printk("spi transfer complete\n"); + } } ``` @@ -143,24 +141,24 @@ And configure DMA channels: ```shell &dma1 { - status = "okay"; + status = "okay"; }; &spi1 { - status = "disabled"; + status = "disabled"; }; &spi2 { - /* - * See https://docs.zephyrproject.org/3.0.0/reference/devicetree/bindings/dma/st%2Cstm32-dma-v2.html - */ - dmas = <&dma1 5 1 0x20440>, - <&dma1 4 1 0x20480>; - dma-names = "tx", "rx"; + /* + * See https://docs.zephyrproject.org/3.0.0/reference/devicetree/bindings/dma/st%2Cstm32-dma-v2.html + */ + dmas = <&dma1 5 1 0x20440>, + <&dma1 4 1 0x20480>; + dma-names = "tx", "rx"; }; &spi3 { - status = "disabled"; + status = "disabled"; }; ``` @@ -189,14 +187,14 @@ function in `spi_ll_stm32.c`. The original function looks like this: ```c static int wait_dma_rx_tx_done(const struct device *dev) { - struct spi_stm32_data *data = dev->data; - int res = -1; - - while (1) { - res = k_sem_take(&data->status_sem, K_MSEC(1000)); - if (res != 0) { - return res; - } + struct spi_stm32_data *data = dev->data; + int res = -1; + + while (1) { + res = k_sem_take(&data->status_sem, K_MSEC(1000)); + if (res != 0) { + return res; + } ... ``` @@ -242,7 +240,7 @@ as we don't know size (and direction) of data payload. Each TPM frame starts with a 4 byte header which tells us what is the size of transfer and what is the direction (read from or write to a register): -![](/img/tpm2_spi_protocol.png) +![img](/img/tpm2_spi_protocol.png) After we read the header, we disable SPI, causing a few things: @@ -261,10 +259,9 @@ Full-Duplex Slave, configuring NSS (Chip Select) pin as input, setting 8-bit frame length (as required by TPM spec), and setting up DMA channels. All other settings are left at their defaults. +![img](/img/stm32cube_spi2_setup.png) -![](/img/stm32cube_spi2_setup.png) - -![](/img/stm32cube_spi_setup_dma.png) +![img](/img/stm32cube_spi_setup_dma.png) STM32CubeMX generates code that performs hardware initialization, and we are ready to do SPI transactions using the `HAL_SPI_TransmitReceive_DMA` function. @@ -410,7 +407,7 @@ causes other problems described in > when it is disabled. The SPI signals float if they are not supported by > external resistor and if they are not reconfigured and they are kept at > alternate function configuration. - +> > At principle, the SPI must not be disabled before the communication is fully > completed and it should be as short as possible at slave, especially between > sessions, to avoid missing any communication. @@ -439,35 +436,35 @@ static uint8_t rx_buf[4] = {0}; static void rxdma_complete(DMA_HandleTypeDef *hdma) { - SPI_HandleTypeDef *hspi = (SPI_HandleTypeDef *)(((DMA_HandleTypeDef *)hdma)->Parent); - HAL_DMA_Start_IT(hspi->hdmarx, (uint32_t)&hspi->Instance->DR, (uint32_t)rx_buf, 4); + SPI_HandleTypeDef *hspi = (SPI_HandleTypeDef *)(((DMA_HandleTypeDef *)hdma)->Parent); + HAL_DMA_Start_IT(hspi->hdmarx, (uint32_t)&hspi->Instance->DR, (uint32_t)rx_buf, 4); } static void txdma_complete(DMA_HandleTypeDef *hdma) { - SPI_HandleTypeDef *hspi = (SPI_HandleTypeDef *)(((DMA_HandleTypeDef *)hdma)->Parent); - HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)tx_buf, (uint32_t)&hspi->Instance->DR, 4); + SPI_HandleTypeDef *hspi = (SPI_HandleTypeDef *)(((DMA_HandleTypeDef *)hdma)->Parent); + HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)tx_buf, (uint32_t)&hspi->Instance->DR, 4); } void app_main() { - SPI_HandleTypeDef *hspi = &hspi2; + SPI_HandleTypeDef *hspi = &hspi2; - // Initialize callbacks - hspi->hdmatx->XferCpltCallback = txdma_complete; - hspi->hdmarx->XferCpltCallback = rxdma_complete; + // Initialize callbacks + hspi->hdmatx->XferCpltCallback = txdma_complete; + hspi->hdmarx->XferCpltCallback = rxdma_complete; - // One-time SPI configuration - // Clear SPI_RXFIFO_THRESHOLD to trigger DMA on each byte available. - CLEAR_BIT(hspi->Instance->CR2, SPI_RXFIFO_THRESHOLD); + // One-time SPI configuration + // Clear SPI_RXFIFO_THRESHOLD to trigger DMA on each byte available. + CLEAR_BIT(hspi->Instance->CR2, SPI_RXFIFO_THRESHOLD); - // Start the transfer - SET_BIT(hspi->Instance->CR2, SPI_CR2_RXDMAEN); - HAL_DMA_Start_IT(hspi->hdmarx, (uint32_t)&hspi->Instance->DR, (uint32_t)rx_buf, 4); + // Start the transfer + SET_BIT(hspi->Instance->CR2, SPI_CR2_RXDMAEN); + HAL_DMA_Start_IT(hspi->hdmarx, (uint32_t)&hspi->Instance->DR, (uint32_t)rx_buf, 4); - HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)tx_buf, (uint32_t)&hspi->Instance->DR, 4); - SET_BIT(hspi->Instance->CR2, SPI_CR2_TXDMAEN); + HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)tx_buf, (uint32_t)&hspi->Instance->DR, 4); + SET_BIT(hspi->Instance->CR2, SPI_CR2_TXDMAEN); - __HAL_SPI_ENABLE(hspi); + __HAL_SPI_ENABLE(hspi); } ``` @@ -479,7 +476,7 @@ I'm using a bit different initialization sequence than HAL: HAL enables `RXDMAEN` after programming the channel and `TXDMAEN` after enabling SPI. Our code follows the sequence described in the STM32 Programming Manual (**rm0351**). -![](/img/rm0351_spi_dma_enable_procedure.png) +![img](/img/rm0351_spi_dma_enable_procedure.png) For testing purposes, I'm using Raspberry PI 3B as SPI host. Configuration is pretty straightforward, you can enable `spidev` by uncommenting @@ -586,62 +583,62 @@ static uint32_t transfer_length = 0; static void update_state(SPI_HandleTypeDef *hspi) { - b_rxdma_complete = false; - b_txdma_complete = false; + b_rxdma_complete = false; + b_txdma_complete = false; - switch (state) { - case STATE_WAIT_HEADER: - // We don't care what host sends during wait state, but we start DMA anyway to avoid overrun errors. - HAL_DMA_Start_IT(hspi->hdmarx, (uint32_t)&hspi->Instance->DR, (uint32_t)trash, sizeof trash); - // Wait state got inserted while reading header. - HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)waitstate_cancel, (uint32_t)&hspi->Instance->DR, sizeof waitstate_cancel); + switch (state) { + case STATE_WAIT_HEADER: + // We don't care what host sends during wait state, but we start DMA anyway to avoid overrun errors. + HAL_DMA_Start_IT(hspi->hdmarx, (uint32_t)&hspi->Instance->DR, (uint32_t)trash, sizeof trash); + // Wait state got inserted while reading header. + HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)waitstate_cancel, (uint32_t)&hspi->Instance->DR, sizeof waitstate_cancel); // This follows a real TPM protocol, except we ignore addr currently. - transfer_is_read = !!(header[0] & (1 << 7)); - transfer_length = (header[0] & 0x3f) + 1; + transfer_is_read = !!(header[0] & (1 << 7)); + transfer_length = (header[0] & 0x3f) + 1; // Remaining bytes contain TPM register offset. Currently we have only one // "register" so we just ignore that. - state = STATE_WAIT_STATE_LAST; - break; + state = STATE_WAIT_STATE_LAST; + break; - case STATE_WAIT_STATE_LAST: - if (transfer_is_read) { - HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)scratch_buffer, (uint32_t)&hspi->Instance->DR, transfer_length); - HAL_DMA_Start_IT(hspi->hdmarx, (uint32_t)&hspi->Instance->DR, (uint32_t)ff_buffer, transfer_length); - } else { - HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)ff_buffer, (uint32_t)&hspi->Instance->DR, transfer_length); - HAL_DMA_Start_IT(hspi->hdmarx, (uint32_t)&hspi->Instance->DR, (uint32_t)scratch_buffer, transfer_length); - } + case STATE_WAIT_STATE_LAST: + if (transfer_is_read) { + HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)scratch_buffer, (uint32_t)&hspi->Instance->DR, transfer_length); + HAL_DMA_Start_IT(hspi->hdmarx, (uint32_t)&hspi->Instance->DR, (uint32_t)ff_buffer, transfer_length); + } else { + HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)ff_buffer, (uint32_t)&hspi->Instance->DR, transfer_length); + HAL_DMA_Start_IT(hspi->hdmarx, (uint32_t)&hspi->Instance->DR, (uint32_t)scratch_buffer, transfer_length); + } - state = STATE_PAYLOAD_TRANSFER; - break; + state = STATE_PAYLOAD_TRANSFER; + break; - case STATE_PAYLOAD_TRANSFER: - HAL_DMA_Start_IT(hspi->hdmarx, (uint32_t)&hspi->Instance->DR, (uint32_t)header, sizeof header); - HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)waitstate_insert, (uint32_t)&hspi->Instance->DR, sizeof waitstate_insert); + case STATE_PAYLOAD_TRANSFER: + HAL_DMA_Start_IT(hspi->hdmarx, (uint32_t)&hspi->Instance->DR, (uint32_t)header, sizeof header); + HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)waitstate_insert, (uint32_t)&hspi->Instance->DR, sizeof waitstate_insert); - state = STATE_WAIT_HEADER; - break; - } + state = STATE_WAIT_HEADER; + break; + } } static void rxdma_complete(DMA_HandleTypeDef *hdma) { - SPI_HandleTypeDef *hspi = (SPI_HandleTypeDef *)(((DMA_HandleTypeDef *)hdma)->Parent); - if (b_txdma_complete) - update_state(hspi); - else - b_rxdma_complete = true; + SPI_HandleTypeDef *hspi = (SPI_HandleTypeDef *)(((DMA_HandleTypeDef *)hdma)->Parent); + if (b_txdma_complete) + update_state(hspi); + else + b_rxdma_complete = true; } static void txdma_complete(DMA_HandleTypeDef *hdma) { - SPI_HandleTypeDef *hspi = (SPI_HandleTypeDef *)(((DMA_HandleTypeDef *)hdma)->Parent); - if (b_rxdma_complete) - update_state(hspi); - else - b_txdma_complete = true; + SPI_HandleTypeDef *hspi = (SPI_HandleTypeDef *)(((DMA_HandleTypeDef *)hdma)->Parent); + if (b_rxdma_complete) + update_state(hspi); + else + b_txdma_complete = true; } ``` @@ -681,7 +678,7 @@ def test_read(): After running the test code, I immediately got an error, the logic analyzer showing: -![](/img/stm32-spi-failure.png) +![img](/img/stm32-spi-failure.png) There are two problems here. The first problem is that the CS pin goes high between the header, wait states, and payload. This was my oversight, but fixing @@ -698,8 +695,8 @@ replicate the transfer sequence: ```c struct pattern { - uint8_t *data; - uint8_t len; + uint8_t *data; + uint8_t len; }; #define ARRAY_SIZE(x) (sizeof((x)) / sizeof((x)[0])) @@ -707,37 +704,37 @@ struct pattern { static uint8_t pattern_0[] = {0xff, 0xff, 0xff, 0xfe}; static uint8_t pattern_1[] = {1}; static uint8_t pattern_2[] = { - 0x3e, 0x60, 0xc3, 0x4f, 0x35, 0x2e, 0xa6, 0xaa, 0xa6, 0x61, 0x64, 0xcb, - 0x10, 0xd7, 0x45, 0x35, 0x82, 0xc9, 0x91, 0xbc, 0x35, 0x43, 0xbb, 0xe1, - 0xea, 0x08, 0xdf, 0xdd, 0x4d, 0xd8, 0xd5, 0x94, 0x71, 0x75, 0xfd, 0x23, - 0x24, 0xf8, 0x95, 0x85, 0x7b, 0x11, 0xf9, 0xdd, 0xa0, 0xaa, 0x60, 0xc5, - 0xd2, 0x07, 0x6b, 0x3a, 0xd4, 0xd2, 0xac, 0xac, 0x1b, 0x54, 0xfe, 0x2f, - 0xa2 + 0x3e, 0x60, 0xc3, 0x4f, 0x35, 0x2e, 0xa6, 0xaa, 0xa6, 0x61, 0x64, 0xcb, + 0x10, 0xd7, 0x45, 0x35, 0x82, 0xc9, 0x91, 0xbc, 0x35, 0x43, 0xbb, 0xe1, + 0xea, 0x08, 0xdf, 0xdd, 0x4d, 0xd8, 0xd5, 0x94, 0x71, 0x75, 0xfd, 0x23, + 0x24, 0xf8, 0x95, 0x85, 0x7b, 0x11, 0xf9, 0xdd, 0xa0, 0xaa, 0x60, 0xc5, + 0xd2, 0x07, 0x6b, 0x3a, 0xd4, 0xd2, 0xac, 0xac, 0x1b, 0x54, 0xfe, 0x2f, + 0xa2 }; static struct pattern patterns[] = { - { .data = pattern_0, .len = sizeof pattern_0 }, - { .data = pattern_1, .len = sizeof pattern_1 }, - { .data = pattern_2, .len = sizeof pattern_2 }, + { .data = pattern_0, .len = sizeof pattern_0 }, + { .data = pattern_1, .len = sizeof pattern_1 }, + { .data = pattern_2, .len = sizeof pattern_2 }, }; int current_pattern = 1; static void txdma_complete(DMA_HandleTypeDef *hdma) { - SPI_HandleTypeDef *hspi = (SPI_HandleTypeDef *)(((DMA_HandleTypeDef *)hdma)->Parent); - HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)patterns[current_pattern].data, (uint32_t)&hspi->Instance->DR, patterns[current_pattern].len); + SPI_HandleTypeDef *hspi = (SPI_HandleTypeDef *)(((DMA_HandleTypeDef *)hdma)->Parent); + HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)patterns[current_pattern].data, (uint32_t)&hspi->Instance->DR, patterns[current_pattern].len); - if (++current_pattern == ARRAY_SIZE(patterns)) - current_pattern = 0; + if (++current_pattern == ARRAY_SIZE(patterns)) + current_pattern = 0; } void app_main() { - hspi->hdmatx->XferCpltCallback = txdma_complete; + hspi->hdmatx->XferCpltCallback = txdma_complete; - HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)pattern_0, (uint32_t)&hspi->Instance->DR, sizeof pattern_0); - SET_BIT(hspi->Instance->CR2, SPI_CR2_TXDMAEN); + HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)pattern_0, (uint32_t)&hspi->Instance->DR, sizeof pattern_0); + SET_BIT(hspi->Instance->CR2, SPI_CR2_TXDMAEN); - __HAL_SPI_ENABLE(hspi); + __HAL_SPI_ENABLE(hspi); } ``` @@ -769,11 +766,12 @@ for i in range(100000): The code works just fine (100k iterations) -``` +```bash ... iter 99999 test [255, 255, 255, 254] == [255, 255, 255, 254] iter 99999 test [1] == [1] -iter 99999 test [62, 96, 195, 79, 53, 46, 166, 170, 166, 97, 100, 203, 16, 215, 69, 53, 130, 201, 145, 188, 53, 67, 187, 225, 234, 8, 223, 221, 77, 216, 213, 148, 113, 117, 253, 35, 36, 248, 149, 133, 123, 17, 249, 221, 160, 170, 96, 197, 210, 7, 107, 58, 212, 210, 172, 172, 27, 84, 254, 47, 162] == [62, 96, 195, 79, 53, 46, 166, 170, 166, 97, 100, 203, 16, 215, 69, 53, 130, 201, 145, 188, 53, 67, 187, 225, 234, 8, 223, 221, 77, 216, 213, 148, 113, 117, 253, 35, 36, 248, 149, 133, 123, 17, 249, 221, 160, 170, 96, 197, 210, 7, 107, 58, 212, 210, 172, 172, 27, 84, 254, 47, 162] +iter 99999 test [62, 96, 195, 79, 53, 46, 166, 170, 166, 97, 100, 203, 16, 215, 69, 53, 130, 201, 145, 188, 53, 67, 187, 225, 234, 8, 223, 221, 77, 216, 213, 148, 113, 117, 253, 35, 36, 248, 149, 133, 123, 17, 249, 221, +160, 170, 96, 197, 210, 7, 107, 58, 212, 210, 172, 172, 27, 84, 254, 47, 162] == [62, 96, 195, 79, 53, 46, 166, 170, 166, 97, 100, 203, 16, 215, 69, 53, 130, 201, 145, 188, 53, 67, 187, 225, 234, 8, 223, 221, 77, 216, 213, 148, 113, 117, 253, 35, 36, 248, 149, 133, 123, 17, 249, 221, 160, 170, 96, 197, 210, 7, 107, 58, 212, 210, 172, 172, 27, 84, 254, 47, 162] ``` The main difference is that the full code performs reading and writing, contrary @@ -786,45 +784,45 @@ TX and polling for RX (tests showed that TX DMA usually completes first). ```c static void txdma_complete(DMA_HandleTypeDef *hdma) { - SPI_HandleTypeDef *hspi = (SPI_HandleTypeDef *)(((DMA_HandleTypeDef *)hdma)->Parent); - - switch (state) { - case STATE_WAIT_HEADER: - // Wait state got inserted while reading header. - HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)waitstate_cancel, (uint32_t)&hspi->Instance->DR, sizeof waitstate_cancel); - - // We don't care what host sends during wait state, but we start DMA anyway to avoid overrun errors. - HAL_DMA_PollForTransfer(hspi->hdmarx, HAL_DMA_FULL_TRANSFER, HAL_MAX_DELAY); - HAL_DMA_Start_IT(hspi->hdmarx, (uint32_t)&hspi->Instance->DR, (uint32_t)trash, sizeof trash); - - transfer_is_read = !!(header[0] & (1 << 7)); - transfer_length = (header[0] & 0x3f) + 1; - - state = STATE_WAIT_STATE_LAST; - break; - - case STATE_WAIT_STATE_LAST: - if (transfer_is_read) { - HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)scratch_buffer, (uint32_t)&hspi->Instance->DR, transfer_length); - HAL_DMA_PollForTransfer(hspi->hdmarx, HAL_DMA_FULL_TRANSFER, HAL_MAX_DELAY); - HAL_DMA_Start_IT(hspi->hdmarx, (uint32_t)&hspi->Instance->DR, (uint32_t)ff_buffer, transfer_length); - } else { - HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)ff_buffer, (uint32_t)&hspi->Instance->DR, transfer_length); - HAL_DMA_PollForTransfer(hspi->hdmarx, HAL_DMA_FULL_TRANSFER, HAL_MAX_DELAY); - HAL_DMA_Start_IT(hspi->hdmarx, (uint32_t)&hspi->Instance->DR, (uint32_t)scratch_buffer, transfer_length); - } - - state = STATE_PAYLOAD_TRANSFER; - break; - - case STATE_PAYLOAD_TRANSFER: - HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)waitstate_insert, (uint32_t)&hspi->Instance->DR, sizeof waitstate_insert); - HAL_DMA_PollForTransfer(hspi->hdmarx, HAL_DMA_FULL_TRANSFER, HAL_MAX_DELAY); - HAL_DMA_Start_IT(hspi->hdmarx, (uint32_t)&hspi->Instance->DR, (uint32_t)header, sizeof header); - - state = STATE_WAIT_HEADER; - break; - } + SPI_HandleTypeDef *hspi = (SPI_HandleTypeDef *)(((DMA_HandleTypeDef *)hdma)->Parent); + + switch (state) { + case STATE_WAIT_HEADER: + // Wait state got inserted while reading header. + HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)waitstate_cancel, (uint32_t)&hspi->Instance->DR, sizeof waitstate_cancel); + + // We don't care what host sends during wait state, but we start DMA anyway to avoid overrun errors. + HAL_DMA_PollForTransfer(hspi->hdmarx, HAL_DMA_FULL_TRANSFER, HAL_MAX_DELAY); + HAL_DMA_Start_IT(hspi->hdmarx, (uint32_t)&hspi->Instance->DR, (uint32_t)trash, sizeof trash); + + transfer_is_read = !!(header[0] & (1 << 7)); + transfer_length = (header[0] & 0x3f) + 1; + + state = STATE_WAIT_STATE_LAST; + break; + + case STATE_WAIT_STATE_LAST: + if (transfer_is_read) { + HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)scratch_buffer, (uint32_t)&hspi->Instance->DR, transfer_length); + HAL_DMA_PollForTransfer(hspi->hdmarx, HAL_DMA_FULL_TRANSFER, HAL_MAX_DELAY); + HAL_DMA_Start_IT(hspi->hdmarx, (uint32_t)&hspi->Instance->DR, (uint32_t)ff_buffer, transfer_length); + } else { + HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)ff_buffer, (uint32_t)&hspi->Instance->DR, transfer_length); + HAL_DMA_PollForTransfer(hspi->hdmarx, HAL_DMA_FULL_TRANSFER, HAL_MAX_DELAY); + HAL_DMA_Start_IT(hspi->hdmarx, (uint32_t)&hspi->Instance->DR, (uint32_t)scratch_buffer, transfer_length); + } + + state = STATE_PAYLOAD_TRANSFER; + break; + + case STATE_PAYLOAD_TRANSFER: + HAL_DMA_Start_IT(hspi->hdmatx, (uint32_t)waitstate_insert, (uint32_t)&hspi->Instance->DR, sizeof waitstate_insert); + HAL_DMA_PollForTransfer(hspi->hdmarx, HAL_DMA_FULL_TRANSFER, HAL_MAX_DELAY); + HAL_DMA_Start_IT(hspi->hdmarx, (uint32_t)&hspi->Instance->DR, (uint32_t)header, sizeof header); + + state = STATE_WAIT_HEADER; + break; + } } ``` @@ -839,7 +837,7 @@ random data of random lengths, then read the data back and check whether it is as expected. I already got shorter cables - 10 cm instead of 20 cm, and I have stable communication at 24 MHz: -![](/img/stm32-spi-connections.jpg) +![img](/img/stm32-spi-connections.jpg) I started with something simple @@ -851,7 +849,7 @@ assert x == [1,2,3,4,5,6,7,8] and failed. The first transfer succeeded, but the second did not: -![](/img/stm32-spi-failed-second-transfer.png) +![img](/img/stm32-spi-failed-second-transfer.png) I hooked the debugger and saw that app was still polling for RX DMA completion. Looking again at the original code, I found that I incorrectly cleared @@ -872,14 +870,14 @@ SET_BIT(hspi->Instance->CR2, SPI_RXFIFO_THRESHOLD); solved the problem, however I got another one. -![](/img/stm32-spi-readback-wrong-data.png) +![img](/img/stm32-spi-readback-wrong-data.png) The wait state is properly inserted and terminated, but the payload is invalid. I split the test into two to pause the app between write and read from the register. Peeking at the `scratch_buffer` reveals that DMA went wrong, as the first three bytes were lost entirely. -![](/img/stm32-scratch-state.png) +![img](/img/stm32-scratch-state.png) Moreover, we are again stuck polling for DMA completion (DMA is still waiting for the remaining three bytes). The issue could be caused by too high delays diff --git a/blog/content/post/YYYY-MM-DD-template-post.md b/blog/content/post/YYYY-MM-DD-template-post.md index 982133ec..b81ce6aa 100644 --- a/blog/content/post/YYYY-MM-DD-template-post.md +++ b/blog/content/post/YYYY-MM-DD-template-post.md @@ -26,37 +26,32 @@ categories: Your post content -> any special characters (e.q. hashtags) in the post title and abstract should be - wrapped in the apostrophes - +> any special characters (e.q. hashtags) in the post title and abstract should +> be wrapped in the apostrophes > avoid using quotation marks in the title, because search-engine will broke - > post abstract in the header is required for the posts summary in the blog list - and must contain from 3 to 5 sentences, please note that abstract would be used - for social media and because of that should be focused on keywords/hashtags - -> post cover image should be located in `blog/static/covers/` directory or may be - linked to `blog/static/img/` if image is used in post content - +> and must contain from 3 to 5 sentences, please note that abstract would be +> used for social media and because of that should be focused on +> keywords/hashtags +> post cover image should be located in `blog/static/covers/` directory or may +> be linked to `blog/static/img/` if image is used in post content > author meta-field MUST be strictly formatted (lowercase, non-polish letters): -``` +```bash author: name.surname ``` > if post has multiple authors, author meta-field MUST be strictly formatted: -``` +```bash author: - name.surname - name.surname ``` > remove unused categories - > remember about newlines before lists, tables, quotes blocks (>) and blocks of - text (\`\`\`) - +> text (\`\`\`) > copy all post images to `blog/static/img` directory. Example usage: ![alt-text](/img/file-name.jpg) @@ -67,19 +62,19 @@ author: > embed responsive YouTube player (copy the address after `v=`): -{{< youtube UQ-6rUPhBQQ >}} +{{\< youtube UQ-6rUPhBQQ >}} > embed vimeo player (extract the `ID` from the video’s URL): -{{< vimeo 146022717 >}} +{{\< vimeo 146022717 >}} > embed Instagram post (you only need the photo’s `ID`): -{{< instagram BWNjjyYFxVx >}} +{{\< instagram BWNjjyYFxVx >}} > embed Twitter post (you need the `URL` of the tweet): -{{< tweet user="3mdeb_com" id="1247072310324080640" >}} +{{\< tweet user="3mdeb_com" id="1247072310324080640" >}} ## Summary @@ -87,12 +82,12 @@ Summary of the post. OPTIONAL ending (may be based on post content): -Unlock the full potential of your hardware and secure your firmware with -the experts at 3mdeb! If you're looking to boost your product's performance -and protect it from potential security threats, our team is here to help. +Unlock the full potential of your hardware and secure your firmware with the +experts at 3mdeb! If you're looking to boost your product's performance and +protect it from potential security threats, our team is here to help. [Schedule a call with us](https://calendly.com/3mdeb/consulting-remote-meeting) -or drop us an email at `contact3mdebcom` to start unlocking the -hidden benefits of your hardware. And if you want to stay up-to-date on all -things firmware security and optimization, be sure to +or drop us an email at `contact3mdebcom` to start unlocking the hidden +benefits of your hardware. And if you want to stay up-to-date on all things +firmware security and optimization, be sure to [sign up for our newsletter](https://newsletter.3mdeb.com/subscription/PW6XnCeK6). Don't let your hardware hold you back, work with 3mdeb to achieve more! diff --git a/blog/data/authors/artur.kowalski.json b/blog/data/authors/artur.kowalski.json index 81084f28..64833e92 100644 --- a/blog/data/authors/artur.kowalski.json +++ b/blog/data/authors/artur.kowalski.json @@ -2,4 +2,4 @@ "name": "Artur Kowalski", "bio": "Junior embedded developer at 3mdeb. Interested in low-level development ranging from microcontroller programming to hypervisor and kernel development. In free time working on various personal open-source projects.", "image": "/authors/artur.kowalski.jpg" -} \ No newline at end of file +} diff --git a/blog/data/authors/piotr.nowoslawski.json b/blog/data/authors/piotr.nowoslawski.json index e37dbdac..1b745d64 100644 --- a/blog/data/authors/piotr.nowoslawski.json +++ b/blog/data/authors/piotr.nowoslawski.json @@ -2,4 +2,4 @@ "name": "Piotr Nowosławski", "bio": "Junior Web Engineer at 3mdeb - Embedded Systems Consulting. I like JavaScript and its entire ecosystem. I am mainly interested in frontend technologies because appearance matters.", "image": "/authors/piotr.nowoslawski.png" -} \ No newline at end of file +} diff --git a/blog/static/.htaccess b/blog/static/.htaccess index ef2d4e7a..fe97274a 100644 --- a/blog/static/.htaccess +++ b/blog/static/.htaccess @@ -1,2 +1,2 @@ ErrorDocument 404 https://blog.3mdeb.com/404 -ErrorDocument 500 https://blog.3mdeb.com/404 \ No newline at end of file +ErrorDocument 500 https://blog.3mdeb.com/404 diff --git a/blog/static/covers/coreboot-logo.svg b/blog/static/covers/coreboot-logo.svg index 0cf6a174..dfc39a2a 100644 --- a/blog/static/covers/coreboot-logo.svg +++ b/blog/static/covers/coreboot-logo.svg @@ -1,3 +1,3 @@ - \ No newline at end of file + diff --git a/blog/static/covers/dasharo-sygnet.svg b/blog/static/covers/dasharo-sygnet.svg index 14e7bca4..73f29048 100644 --- a/blog/static/covers/dasharo-sygnet.svg +++ b/blog/static/covers/dasharo-sygnet.svg @@ -1 +1 @@ - \ No newline at end of file + diff --git a/blog/static/img/Armbian_load&mem_usage_chart.svg b/blog/static/img/Armbian_load&mem_usage_chart.svg index 13058705..789f020b 100644 --- a/blog/static/img/Armbian_load&mem_usage_chart.svg +++ b/blog/static/img/Armbian_load&mem_usage_chart.svg @@ -1 +1 @@ - \ No newline at end of file + diff --git a/blog/static/img/Yocto_load&mem_usage_chart.svg b/blog/static/img/Yocto_load&mem_usage_chart.svg index dc36f2aa..fc09d868 100644 --- a/blog/static/img/Yocto_load&mem_usage_chart.svg +++ b/blog/static/img/Yocto_load&mem_usage_chart.svg @@ -1 +1 @@ - \ No newline at end of file + diff --git a/blog/static/img/dasharo-sygnet.svg b/blog/static/img/dasharo-sygnet.svg index 14e7bca4..73f29048 100644 --- a/blog/static/img/dasharo-sygnet.svg +++ b/blog/static/img/dasharo-sygnet.svg @@ -1 +1 @@ - \ No newline at end of file + diff --git a/blog/static/img/rockchip-secure-boot-diagram.svg b/blog/static/img/rockchip-secure-boot-diagram.svg index 77dc398b..173c3f98 100644 --- a/blog/static/img/rockchip-secure-boot-diagram.svg +++ b/blog/static/img/rockchip-secure-boot-diagram.svg @@ -1,4 +1,4 @@ -HostHostTargetTargetGenerate RSA keypairSign RockChip loader binary with generated keySend signed binary using eFUSE ToolExtract public key, store key hash in eFUSE and enable Secure ModeSend statusPrepare firmware image with a signed TPL+SPLSend previously signed RockChip loader binary, but using rkdeveloptoolVerify binary against key stored in eFUSEExecute DDR init binary, unlock MaskROM to allow firmware flashingSend statusSend firmwareFlash received firmwareSend statusIssue reboot commandIf the key got fused properly and firmware is properly signed,device should boot flashed firmware. \ No newline at end of file + +PlantUML version 1.2018.13(Mon Nov 26 18:11:51 CET 2018) +(GPL source distribution) +Java Runtime: OpenJDK Runtime Environment +JVM: OpenJDK 64-Bit Server VM +Java Version: 11.0.11+9-Ubuntu-0ubuntu2.20.04 +Operating System: Linux +OS Version: 5.11.0-41-generic +Default Encoding: UTF-8 +Language: pl +Country: PL +--> diff --git a/blog/static/img/sam_g55_xpro.png b/blog/static/img/sam_g55_xpro.png new file mode 100644 index 00000000..0d626592 Binary files /dev/null and b/blog/static/img/sam_g55_xpro.png differ diff --git a/blog/themes/3mdeb/README.md b/blog/themes/3mdeb/README.md index b08a160d..21bc7923 100644 --- a/blog/themes/3mdeb/README.md +++ b/blog/themes/3mdeb/README.md @@ -1,20 +1,23 @@ # HUGO blog theme by @JeffProd -A free blog theme for [HUGO](https://gohugo.io/), with tags, archives, last posts... Using [Bulma CSS framework](https://bulma.io/). +A free blog theme for [HUGO](https://gohugo.io/), with tags, archives, last +posts... Using [Bulma CSS framework](https://bulma.io/). ![HUGO blog theme by JeffProd.com](images/screenshot.png) -# Install +## Install Install HUGO () then : -``` +```bash hugo new site myblog cd myblog git clone https://github.com/Tazeg/hugo-blog-jeffprod.git themes/jeffprod ``` + In the file `config.toml` add the lines : -``` + +```bashtoml theme = "jeffprod" [permalinks] @@ -25,32 +28,36 @@ theme = "jeffprod" archive = "archives" ``` -### Write blog posts +## Write blog posts -``` +```bash hugo new post/my-first-post.md ``` -And edit this new file `content/post/my-first-post.md`. You can use [HUGO shortcodes](https://gohugo.io/content-management/shortcodes/) and [Markdown](https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet). -### Render +And edit this new file `content/post/my-first-post.md`. You can use +[HUGO shortcodes](https://gohugo.io/content-management/shortcodes/) and +[Markdown](https://github.com/adam-p/markdown-here/wiki/Markdown-Cheatsheet). -``` +## Render + +```bash hugo server ``` + Then go to -### Create the web site +## Create the web site -``` +```bash hugo ``` All files to publish are in `public/` directory. -# Donate +## Donate -# Credits +## Credits -Background image by https://pixabay.com +Background image by diff --git a/blog/themes/3mdeb/content/about.md b/blog/themes/3mdeb/content/about.md index 77adcf16..9dc62de3 100644 --- a/blog/themes/3mdeb/content/about.md +++ b/blog/themes/3mdeb/content/about.md @@ -4,15 +4,15 @@ date = "2014-04-09" menu = "main" +++ -Hugo is the **world’s fastest framework for building websites**. It is written in Go. +Hugo is the **world’s fastest framework for building websites**. It is written +in Go. It makes use of a variety of open source projects including: -* https://github.com/russross/blackfriday -* https://github.com/alecthomas/chroma -* https://github.com/muesli/smartcrop -* https://github.com/spf13/cobra -* https://github.com/spf13/viper +- +- +- +- +- Learn more and contribute on [GitHub](https://github.com/gohugoio). - diff --git a/blog/themes/3mdeb/layouts/_default/baseof.html b/blog/themes/3mdeb/layouts/_default/baseof.html index bda429b4..6e0f4470 100644 --- a/blog/themes/3mdeb/layouts/_default/baseof.html +++ b/blog/themes/3mdeb/layouts/_default/baseof.html @@ -6,4 +6,4 @@ -{{ partial "footer.html" . }} \ No newline at end of file +{{ partial "footer.html" . }} diff --git a/blog/themes/3mdeb/layouts/authors/list.html b/blog/themes/3mdeb/layouts/authors/list.html index 16899159..50f67eab 100644 --- a/blog/themes/3mdeb/layouts/authors/list.html +++ b/blog/themes/3mdeb/layouts/authors/list.html @@ -130,4 +130,4 @@

    Articles ({{ $quantity }})

    -{{ end }} \ No newline at end of file +{{ end }} diff --git a/blog/themes/3mdeb/layouts/authors/terms.html b/blog/themes/3mdeb/layouts/authors/terms.html index 17a65be7..03d9e162 100644 --- a/blog/themes/3mdeb/layouts/authors/terms.html +++ b/blog/themes/3mdeb/layouts/authors/terms.html @@ -7,14 +7,14 @@
    {{ range $paginator.Pages }} - +
    - + {{ $pageAuthor := .Params.identifier}}
    - +

    {{ .Params.name }}

    {{ $quantity := 0 }} @@ -28,7 +28,7 @@

    Articles ({{ $qua {{ end }}

    - +
    {{ end }}
    @@ -59,4 +59,4 @@

    Articles ({{ $qua

    -{{ end }} \ No newline at end of file +{{ end }} diff --git a/blog/themes/3mdeb/layouts/partials/footer.html b/blog/themes/3mdeb/layouts/partials/footer.html index bdd6bbc3..1cd291f3 100644 --- a/blog/themes/3mdeb/layouts/partials/footer.html +++ b/blog/themes/3mdeb/layouts/partials/footer.html @@ -138,14 +138,14 @@

    Follow us

    }); // Vue $(function(){ // alert(12345) - + $(document).on('click','.bigmenu .mainMenuIcon',function(e){ if(screen.width <= 1100){ e.preventDefault(); $('.submenu').slideUp(); $('.svg-inline--fa').css('transform','rotate(0deg)') - + if ($(this).closest('li').find('ul').is(':visible')){ $(this).find('svg').css('transform','rotate(0deg)') $(this).closest('li').find('ul').slideUp("slow"); @@ -160,7 +160,7 @@

    Follow us

    } }); - + $(document).on('click','.bigmenu .dropdown a',function(e){ if(screen.width <= 1100){ $(this).css('color','#fff'); diff --git a/blog/themes/3mdeb/layouts/partials/header.html b/blog/themes/3mdeb/layouts/partials/header.html index 6e241108..f5089da9 100755 --- a/blog/themes/3mdeb/layouts/partials/header.html +++ b/blog/themes/3mdeb/layouts/partials/header.html @@ -6,6 +6,7 @@ {{ .Site.Title }} {{ with .Title }} | {{ . }}{{ end }} + @@ -80,12 +81,12 @@
    • Product diff --git a/blog/themes/3mdeb/layouts/partials/widget-donate.html b/blog/themes/3mdeb/layouts/partials/widget-donate.html index 2e2a0da0..1d2c4752 100755 --- a/blog/themes/3mdeb/layouts/partials/widget-donate.html +++ b/blog/themes/3mdeb/layouts/partials/widget-donate.html @@ -5,7 +5,7 @@

      Donate

      - + diff --git a/blog/themes/3mdeb/layouts/partials/widget-recent.html b/blog/themes/3mdeb/layouts/partials/widget-recent.html index 92428dd8..04c5a8d8 100644 --- a/blog/themes/3mdeb/layouts/partials/widget-recent.html +++ b/blog/themes/3mdeb/layouts/partials/widget-recent.html @@ -7,4 +7,3 @@

      {{ .Title }}

      {{ end }} - \ No newline at end of file diff --git a/blog/themes/3mdeb/layouts/partials/widget-related.html b/blog/themes/3mdeb/layouts/partials/widget-related.html index fcbf2775..9a01dad4 100644 --- a/blog/themes/3mdeb/layouts/partials/widget-related.html +++ b/blog/themes/3mdeb/layouts/partials/widget-related.html @@ -14,4 +14,3 @@

      {{ .Title }}

      {{ end }} - diff --git a/blog/themes/3mdeb/layouts/tags/list.html b/blog/themes/3mdeb/layouts/tags/list.html index 1008eb41..79879fb6 100644 --- a/blog/themes/3mdeb/layouts/tags/list.html +++ b/blog/themes/3mdeb/layouts/tags/list.html @@ -23,8 +23,8 @@

      Available tags

      {{ $currentTagCount := len $value.Pages }} {{ $currentFontSize := (add $smallestFontSize (mul (sub $currentTagCount $min) $fontStep) ) }} {{ $count := len $value.Pages }} - {{ $weigth := div (sub (math.Log $count) (math.Log $min)) (sub (math.Log $max) (math.Log $min)) }} - {{ $currentFontSize := (add $smallestFontSize (mul (sub $largestFontSize $smallestFontSize) $weigth) ) }} + {{ $weight := div (sub (math.Log $count) (math.Log $min)) (sub (math.Log $max) (math.Log $min)) }} + {{ $currentFontSize := (add $smallestFontSize (mul (sub $largestFontSize $smallestFontSize) $weight) ) }}
      {{ $key }}
      diff --git a/blog/themes/3mdeb/static/css/blog.css b/blog/themes/3mdeb/static/css/blog.css index 1ee930ec..808d0c95 100755 --- a/blog/themes/3mdeb/static/css/blog.css +++ b/blog/themes/3mdeb/static/css/blog.css @@ -340,7 +340,7 @@ body { width : 200px; margin-left: 5%; } - + .header .newBigMenu{ max-height : 600px; height: auto; @@ -383,7 +383,7 @@ body { transition: 0.5s; }*/ - + .bigmenu li a::before{ content: ''; position: absolute; @@ -507,7 +507,7 @@ body { outline: none; } - + } diff --git a/scripts/new-post.sh b/scripts/new-post.sh index 1330bc45..65ab55ae 100755 --- a/scripts/new-post.sh +++ b/scripts/new-post.sh @@ -64,4 +64,4 @@ else done fi -echo -e "\nPost template succesfully created at:\n${filepath}" \ No newline at end of file +echo -e "\nPost template successfully created at:\n${filepath}"