Messages - pietrushnic

#16
Hi all,
as I previously mentioned in other threads, we are glad to announce that 3mdeb continues its mission to promote Open Source Firmware for network appliance hardware. We partner with Protectli to enable Open Source Firmware based on coreboot. We start with FW2B and FW4B Intel Braswell platforms.

Quality of OPNsense support in that firmware is our top priority, so if anyone has the capability (skills, SPI flash programmer or RTE) to support the testing effort we would be glad to cooperate.

In the following weeks we should publish all patches, submit them to coreboot community for review and provide documentation so anyone who wants can flash his/her hardware.

If you want to get more information feel free to follow us on social media.
#17
Hi tillsense,
of course, 3mdeb will be there with exciting stuff and demos, booth 3-563:

1. New network appliance supporting Open Source Firmware - still waiting for the customer to confirm I can openly speak about that.
2. 2 demos of Open Source Firmware fast boot
3. Cool hypervisor and firmware tricks

More information will be published on our twitter so stay tuned :)
#18
Hardware and Performance / Re: PCENGINES APU[1-5] Bios
February 17, 2019, 11:43:01 PM
Hi till,
thank you. Definitely, this is a great thread with a reasonable statistic. I agree that firmware is underestimated - IMO especially in security and advanced hardware features (e.g. virtualization). My dream would be to form a movement that can convince network appliance vendors to use Open Source Firmware that is compiled in a reproducible way, has recent security patches and state of the art performance, deployed in a way convenient to users (e.g. LVFS/fwupd) as well as open for contribution.

If you see any vendor who would be a good candidate for Open Source Firmware please let us know, if there would be big enough movement we may be able to enable more hardware platforms.

Unfortunately, we face a never-ending battle with silicon vendors who just seem to care about sales figures. Good documentation and support are rather not on their agenda. We see a lot of changes in approach to the firmware (FSP license change, Project Mu, Slim Bootloader) - I can't say AMD keeps up with recent trends. We rather spent time on working around issues in vendor code than extending or improving coreboot support.
#19
Hardware and Performance / Re: PCENGINES APU[1-5] Bios
February 14, 2019, 12:28:05 PM
Hi newsense,

Quote from: newsense on February 14, 2019, 06:43:04 AM

Thank you for clarifying 3mdeb relationship with PCEngines, it was definitely a surprise to learn about it after using their hardware for a few years.

Please note that we started work on PC Engines firmware in January 2016.

Quote from: newsense on February 14, 2019, 06:43:04 AM
I would appreciate if you could let me know where can I find either a GPG signature or a SHA-256 digest for the ROMs --- if they exist. Access to the source code and reproducible builds are a great thing to have yet everyone should be able to independently validate in an easy way that the downloaded binary file is identical with the one published on the site.

I'm working on making that clear; if you can advise best practice I would appreciate that. We definitely have to improve the website to make things clear. At this point the SHA256 and the detached signature for it can be found in the newsletter or blog post - definitely we have to improve that. Please note there is an asciinema which can help in faster verification since you just copy-paste commands. All keys can be found in the 3mdeb-secpack repo inspired by the QubesOS approach. My key can also be found on keybase.io/pietrushnic. I tried to push everything to the SKS pool but I failed. Please note we are not crypto pros, so if you have seen anything problematic in the whole process just let me know and we will try to align to best practice.

Please note that there is still a problem with reproducible builds which we track here.

Quote from: newsense on February 14, 2019, 06:43:04 AM
Also, with ECC recently enabled in 4.0.23 on the Legacy branch, is there anything in the works for the Mainline one ? I'll have to upgrade the firmware on an APU4C4 in a few days and I'm still a bit puzzled in terms of which branch is more appropriate for the time being.

I'm not sure if I understand the question correctly. ECC was first enabled in mainline v4.8.0.5. It is very hard to claim one branch is better than the other. Mainline is bleeding edge, we rebase continuously on coreboot master and use the most recent code from SeaBIOS, iPXE and other payloads included - those changes can introduce bugs. Because of that, we provide regression test results here. Using the most recent version in production without a clear reason is a bad idea; if the version of firmware that you are using right now works for you and there is no bug or feature that you need from a newer version I would not go with updating that. If there is a fix that you would like to have you should probably analyze test results and make a decision. I know the expectation is to get a clear answer, but TBH there is no clear answer to the question of what is better - YMMV. The number of configurations that have to be validated is beyond our capabilities.

Quote from: newsense on February 14, 2019, 06:43:04 AM
Last but not least, linking only the pfSense installation tutorial on the of the pcengines.github.io page could very well hint that opnsense is an unsupported platform...which clearly is not the case.

Understood, I will make sure this will be addressed in the next release cycle.
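The verification order discussed in the post above (signature over the digest file first, then the ROM's SHA-256 against that file), as an added example that is not part of the original post and is not 3mdeb's published procedure. The function names and file names are hypothetical, and it assumes the signer's public key has already been imported into the local keyring and its fingerprint checked out of band.

```shell
#!/bin/sh
# Added example: function and file names are hypothetical, not 3mdeb's.

# Step 1: check the detached signature over the digest file.
# gpg exits 0 for a good signature from ANY key in the keyring, so also
# compare the fingerprint it prints with the one obtained out of band.
verify_manifest_sig() {
    # $1 = digest file (sha256sum format), $2 = detached signature
    gpg --verify "$2" "$1"
}

# Step 2: compare the ROM's SHA-256 with its entry in the digest file.
# Returns 0 on match, 1 on mismatch, 2 if the ROM is missing, not listed,
# or its entry is not 64 hex digits. File names with spaces are not handled.
verify_rom_digest() {
    manifest=$1
    rom=$2
    [ -f "$rom" ] || return 2
    name=$(basename "$rom")
    # sha256sum line: "<hex digest>  <name>"; a leading '*' marks binary mode.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f)
        if (f == n) { print tolower($1); exit } }' "$manifest")
    [ "${#expected}" -eq 64 ] || return 2
    case $expected in *[!0-9a-f]*) return 2 ;; esac
    actual=$(sha256sum "$rom" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || return 1
}

# Trust the digest only after the signature over it has verified.
# Returns 3 when the signature check fails.
verify_rom() {
    # $1 = digest file, $2 = detached signature, $3 = ROM image
    verify_manifest_sig "$1" "$2" || return 3
    verify_rom_digest "$1" "$3"
}

# Usage: sh verify_rom.sh <digest-file> <signature-file> <rom-image>
if [ "$#" -eq 3 ]; then
    verify_rom "$1" "$2" "$3"
fi
```

A digest published next to the ROM only detects corruption; it is the signature over the digest file that ties the ROM to the publisher's key.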
#20
Hardware and Performance / Re: PCENGINES APU[1-5] Bios
February 14, 2019, 01:26:46 AM
Hi all,
my name is Piotr Król and I'm the founder of 3mdeb Embedded Systems Consulting company. As stated here 3mdeb maintains PC Engines Open Source Firmware on behalf of PC Engines. Please note we are a licensed provider of coreboot consulting services. If you are doing some high-end security stuff with hardware please let us know - we are very interested in TPM, secure/verified boot, Xen, virtualization, SRTM/DRTM, and other things. We sometimes write about that on our blog.

We are working on our mission of Open Source Firmware for a network appliance. Soon you should hear about another known brand of a network appliance to switch to Open Source Firmware. Stay tuned.

I would like to thank tillsense, miroco and others for keeping this thread and exchanging valuable information related to PC Engines hardware and firmware.

Our goal is to provide open and healthy discussion about firmware quality, priorities and what can be improved. It would be great to get feedback from OPNsense community and understand your needs. We will be glad to address problems if there would be enough resources. We are committed to long term support and monthly releases.

P.S. Please note that there is some report about v4.9.0.2 instability here. This is because we enabled CPU Performance Boost, which in some workloads may give a 20% boost - the problem is that we can't validate all possible configurations so there may be some problems in the field. If some can afford to test we would appreciate your feedback.