PCENGINES APU[1-7] Coreboot SeaBIOS Open Source Firmware

Started by tillsense, January 03, 2017, 07:36:55 PM

What happens if you reload WAN interface settings if you have a DHCP enabled WAN?

I am experiencing the following issue: https://github.com/opnsense/core/issues/3200

No issues as far as I can tell

Hi all,

for those interested, 4.9.0.1 is available.

cheers
till

Hi,

first dev apu1 with OPNsense 19.1.x and Bios 4.9.0.1 has been running stable for a week now.

cheers
till

February 09, 2019, 06:39:03 PM #49 Last Edit: February 09, 2019, 07:15:09 PM by tillsense
Here's an important note for OPNsense 19.1 and apu4 Users with fix to Bios 4.0.23 (Legacy releases):
https://forum.opnsense.org/index.php?topic=11472
https://github.com/opnsense/core/issues/3180

cheers till

The most recent BIOS versions for the APU1 through APU5 platforms are out.

v4.9.0.2 - Mainline
v4.0.24 - Legacy

https://pcengines.github.io


miroco

Appears to have been pulled:

The requested URL /file/apu1_v4.9.0.2.rom.tar.gz was not found on this server.

All links give the same error message it appears.

It was perhaps a glitch or an outage of some sort. However, all five BIOS versions are/were accessible as of 13:00 CET.


miroco

Hi,

is the download (from v4.9.0.2) of a third domain (3mdeb.com) here officially approved by PCengines? I did not read anything about it from the manufacturer.

cheers
till

Hi till,

As far as I can tell, 3mdeb is a company specialized in embedded systems, particularly firmware. The likely scenario is that PCengines contracted 3mdeb for the development of firmware for their APU series products.

http://www.pcengines.info/forums/?page=post&id=4C472C95-E846-42BF-BC41-43D1C54DFBEA&fid=6D8DBBA4-9D40-4C87-B471-80CB5D9BD945&pageindex=2

https://calendly.com/3mdeb


miroco

February 14, 2019, 01:26:46 AM #55 Last Edit: February 14, 2019, 01:37:23 AM by pietrushnic
Hi all,
my name is Piotr Król and I'm the founder of 3mdeb Embedded Systems Consulting company. As stated here 3mdeb maintains PC Engines Open Source Firmware on behalf of PC Engines. Please note we are a licensed provider of coreboot consulting services. If you are doing some high-end security stuff with hardware please let us know - we are very interested in TPM, secure/verified boot, Xen, virtualization, SRTM/DRTM, and other things. We sometimes write about that on our blog .

We are working on our mission of Open Source Firmware for a network appliance. Soon you should hear about another known brand of a network appliance to switch to Open Source Firmware. Stay tuned.

I would like to thank tillsense, miroco and others for keeping this thread and exchanging valuable information related to PC Engines hardware and firmware.

Our goal is to provide open and healthy discussion about firmware quality, priorities and what can be improved. It would be great to get feedback from OPNsense community and understand your needs. We will be glad to address problems if there would be enough resources. We are committed to long term support and monthly releases.

P.S. Please note that there is some report about v4.9.0.2 instability here. This is because we enabled CPU Performance Boost, which in some workloads may give 20% boost - problem is that we can't validate all possible configuration so there may be some problems in the field. If some can afford to test we would appreciate your feedback.

Hi pietrushnic,

Thank you for clarifying 3mdeb relationship with PCEngines, it was definitely a surprise to learn about it after using their hardware for a few years.

I would appreciate if you could let me know where can I find either a GPG signature or a SHA-256 digest for the ROMs --- if they exist. Access to the source code and reproducible builds are a great thing to have yet everyone should be able to independently validate in an easy way that the downloaded binary file is identical with the one published on the site.

Also, with ECC recently enabled in 4.0.23 on the Legacy branch, is there anything in the works for the Mainline one ? I'll have to upgrade the firmware on an APU4C4 in a few days and I'm still a bit puzzled in terms of which branch is more appropriate for the time being.

Last but not least, linking only the pfSense installation tutorial on the of the pcengines.github.io page could very well hint that opnsense is an unsupported platform...which clearly is not the case.

Hi newsense,

Quote from: newsense on February 14, 2019, 06:43:04 AM

Thank you for clarifying 3mdeb relationship with PCEngines, it was definitely a surprise to learn about it after using their hardware for a few years.

Please note that we started work on PC Engines firmware in January 2016.

Quote from: newsense on February 14, 2019, 06:43:04 AM
I would appreciate if you could let me know where can I find either a GPG signature or a SHA-256 digest for the ROMs --- if they exist. Access to the source code and reproducible builds are a great thing to have yet everyone should be able to independently validate in an easy way that the downloaded binary file is identical with the one published on the site.

I'm working on making that clear; if you can advise best practice I would appreciate that. We definitely have to improve the website to make things clear. At this point the SHA256 and detached signature for it you can find in the newsletter or blog post - definitely we have to improve that. Please note there is an asciinema which can help in faster verification since you just copy-paste commands. All keys can be found in the 3mdeb-secpack repo, inspired by the QubesOS approach. My key can also be found on keybase.io/pietrushnic. I tried to push everything to the SKS pool but I failed. Please note we are not crypto pros, so if you have seen anything problematic in the whole process just let me know and we will try to align to best practice.

Please note that there is still a problem with reproducible builds which we track here.

Quote from: newsense on February 14, 2019, 06:43:04 AM
Also, with ECC recently enabled in 4.0.23 on the Legacy branch, is there anything in the works for the Mainline one ? I'll have to upgrade the firmware on an APU4C4 in a few days and I'm still a bit puzzled in terms of which branch is more appropriate for the time being.

I'm not sure if I understand the question correctly. ECC was first enabled in mainline v4.8.0.5. It is very hard to claim one branch is better than the other. Mainline is bleeding edge, we rebase continuously on coreboot master and use the most recent code from SeaBIOS, iPXE and other payloads included - those changes can introduce bugs. Because of that, we provide regression test results here. Using the most recent version in production without a clear reason is a bad idea; if the version of firmware that you are using right now works for you and there is no bug or features that you need from a newer version, I would not go with updating that. If there is a fix that you would like to have, you should probably analyze test results and make a decision. I know the expectation is to get a clear answer, but TBH there is no clear answer to the question of what is better - YMMV. The number of configurations that have to be validated is beyond our capabilities.

Quote from: newsense on February 14, 2019, 06:43:04 AM
Last but not least, linking only the pfSense installation tutorial on the of the pcengines.github.io page could very well hint that opnsense is an unsupported platform...which clearly is not the case.

Understood, I will make sure this will be addressed in the next release cycle.
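The check discussed in this exchange (a SHA-256 digest plus a detached signature over the digest file), sketched as an added example that is not part of the original posts and is not 3mdeb's published procedure. The four file arguments and the idea of a dedicated keyring file holding only the signer's exported key are assumptions.

```shell
#!/bin/sh
# Added example: verify a firmware download before flashing it.
# Argument names and the pinned-keyring layout are assumptions.

# check_digest ROM SUMS
# Returns 0 only if SUMS lists ROM's basename with a matching SHA-256.
# Returns 2 if a file is missing, 3 if ROM is not listed, 1 on mismatch.
# Expects sha256sum format ("<hex>  <name>"); names with spaces are not handled.
check_digest() {
    rom=$1; sums=$2
    [ -f "$rom" ] && [ -f "$sums" ] || return 2
    name=$(basename "$rom")
    expected=$(awk -v n="$name" \
        '{f=$2; sub(/^\*/, "", f)} f==n {print tolower($1); exit}' "$sums")
    # An unlisted file is a failure, not "nothing to check".
    [ -n "$expected" ] || return 3
    actual=$(sha256sum "$rom" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# check_signature SUMS SIG KEYRING
# Verifies the detached signature SIG over SUMS against KEYRING only, so a
# valid signature from some unrelated key in the default keyring cannot pass.
# KEYRING must be a path containing a slash, otherwise gpg looks for it in
# its home directory.
check_signature() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1"
}

# verify_rom ROM SUMS SIG KEYRING
# Signature first: an unsigned digest file fetched from the same server as
# the ROM detects corruption, but not a replaced download.
verify_rom() {
    check_signature "$2" "$3" "$4" || {
        echo "signature check failed for $2" >&2; return 1; }
    check_digest "$1" "$2" || {
        echo "digest mismatch or $1 not listed in $2" >&2; return 1; }
    echo "OK: $1"
}

# Run as a script: verify.sh ROM SUMS SIG KEYRING
if [ "$#" -eq 4 ]; then
    verify_rom "$@"
fi
```

The signer's key fingerprint still has to be confirmed through a separate channel before the key is exported into the keyring file.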

Quote from: pietrushnic on February 14, 2019, 01:26:46 AM
Hi all,
my name is Piotr Król and I'm the founder of 3mdeb Embedded Systems Consulting company. As stated here 3mdeb maintains PC Engines Open Source Firmware on behalf of PC Engines. Please note we are a licensed provider of coreboot consulting services. If you are doing some high-end security stuff with hardware please let us know - we are very interested in TPM, secure/verified boot, Xen, virtualization, SRTM/DRTM, and other things. We sometimes write about that on our blog .

We are working on our mission of Open Source Firmware for a network appliance. Soon you should hear about another known brand of a network appliance to switch to Open Source Firmware. Stay tuned.

I would like to thank tillsense, miroco and others for keeping this thread and exchanging valuable information related to PC Engines hardware and firmware.

Our goal is to provide open and healthy discussion about firmware quality, priorities and what can be improved. It would be great to get feedback from OPNsense community and understand your needs. We will be glad to address problems if there would be enough resources. We are committed to long term support and monthly releases.

P.S. Please note that there is some report about v4.9.0.2 instability here. This is because we enabled CPU Performance Boost, which in some workloads may give 20% boost - problem is that we can't validate all possible configuration so there may be some problems in the field. If some can afford to test we would appreciate your feedback.

Very rarely do I see such quality transparent collaboration and communication. I don't really have anything technical to add, but I'd like to say thank you, Piotr, for supporting PC Engines. I absolutely love these little APU devices. Firmware work tends to be underappreciated, but it's hard work and I would like to thank you for your efforts.

Putting my HardenedBSD and OPNsense hats on: if there's anything HardenedBSD and/or OPNsense can do to support PC Engines and 3mdeb, please let me know.

Hi pietrushnic,

I simply join the words of lattera here and a warm welcome Piotr. When I started this thread 2 years ago I could not imagine such an interest and its development. I used PC Engines hardware since the times of Alix with m0n0wall, t1t1 and various and also I think that the firmware topic is still completely underestimated. With OPNsense and from 19.1 HardenedBSD as base and 3mdeb as licensed coreboot provider for PC Engines hardware this seems to take on a completely new quality. I am really impressed.

cheers
till