Netgate Discussion Forum

    Coreboot Update for APU1

    • stephenw10S
      stephenw10 Netgate Administrator
      last edited by

      Right but how is, for example, Spectre/Meltdown actually impacting you?

      Do you have multiple users on your firewall?

      Are you running bhyve VMs or jails on your firewall?

      What risk are you actually trying to mitigate?

      IMO you're probably actually risking more by upgrading to a newer BIOS than by remaining on the existing BIOS. You are obviously free to do so though. And it went smoothly for me.

      Steve

      1 Reply Last reply Reply Quote 0
      • I
        interessierter
        last edited by

        I want to close this risk simply
        howto is available?

        thanks

        jahonixJ 1 Reply Last reply Reply Quote 0
        • stephenw10S
          stephenw10 Netgate Administrator
          last edited by

          Ok, to be completely clear this is unnecessary in my opinion and although it ran fine for me it may not for you.
          If this bricks your APU I assume you have something you can replace it with and a backup of your config.
          This is what I did:

          Download the bios file from here.
          Extract the .rom and .md5 files and copy them to the root directory on the APU. I used SCP to do that. You could also fetch the file and extract it directly at the command line on the firewall.
          Check the file checksum matches the MD5:

          [2.4.4-DEVELOPMENT][root@apu.stevew.lan]/root: md5 apu1_v4.8.0.1.rom
          MD5 (apu1_v4.8.0.1.rom) = dc5591bb2c9ff34608152bd4c7c806f7
          [2.4.4-DEVELOPMENT][root@apu.stevew.lan]/root: cat apu1_v4.8.0.1.rom.md5 
          dc5591bb2c9ff34608152bd4c7c806f7  apu1_v4.8.0.1.rom
          

          Backup the existing rom:

          [2.4.4-DEVELOPMENT][root@apu.stevew.lan]/root: flashrom -p internal -c MX25L1605A/MX25L1606E/MX25L1608E -r backup.rom
          flashrom v1.0 on FreeBSD 11.2-RELEASE (amd64)
          flashrom is free software, get the source code at https://flashrom.org
          
          Using clock_gettime for delay loops (clk_id: 4, resolution: 70ns).
          coreboot table found at 0xdfd79000.
          Found chipset "AMD SB7x0/SB8x0/SB9x0".
          Enabling flash write... OK.
          Found Macronix flash chip "MX25L1605A/MX25L1606E/MX25L1608E" (2048 kB, SPI) mapped at physical address 0x00000000ffe00000.
          Reading flash... done.
          

          Copy that off the firewall.

          Write the new rom to the flash:

          [2.4.4-DEVELOPMENT][root@apu.stevew.lan]/root: flashrom -p internal -c MX25L1605A/MX25L1606E/MX25L1608E -w apu1_v4.8.0.1.rom
          flashrom v1.0 on FreeBSD 11.2-RELEASE (amd64)
          flashrom is free software, get the source code at https://flashrom.org
          
          Using clock_gettime for delay loops (clk_id: 4, resolution: 70ns).
          coreboot table found at 0xdfd79000.
          Found chipset "AMD SB7x0/SB8x0/SB9x0".
          Enabling flash write... OK.
          Found Macronix flash chip "MX25L1605A/MX25L1606E/MX25L1608E" (2048 kB, SPI) mapped at physical address 0x00000000ffe00000.
          Reading old flash chip contents... done.
          Erasing and writing flash chip... Erase/write done.
          Verifying flash... VERIFIED.
          

          Reboot and hope nothing went wrong! 😉 It probably won't but subtle differences in hardware can come into play. I've done it twice now to get those console logs and had no issue.

          Steve

          1 Reply Last reply Reply Quote 1
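The checksum and backup steps from the post above, as an added example (not part of the original post or of the PC Engines tooling): it proceeds only if the image matches its `.md5` file and two separate reads of the flash are byte-identical. The function names and the `backup1.rom`/`backup2.rom` file names are assumptions; the `.md5` file only catches a corrupted download, since it is fetched from the same place as the image.

```shell
#!/bin/sh
# Added example: pre-flight checks before a flashrom write.
# Portable MD5 helper: FreeBSD/pfSense ships `md5`, Linux ships `md5sum`.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# verify_image ROM MD5FILE: succeed only if the ROM's digest equals the
# first field of the .md5 file ("<digest>  <filename>"). 2 = unreadable input.
verify_image() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    want=$(awk 'NR==1 {print tolower($1)}' "$2")
    have=$(md5_of "$1") || return 2
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# backup_is_stable A B: two independent reads of the flash must be
# non-empty and byte-identical, otherwise the backup cannot be trusted.
backup_is_stable() {
    [ -s "$1" ] && [ -s "$2" ] && cmp -s "$1" "$2"
}

# preflight ROM MD5FILE CHIP: checksum, then read the chip twice and compare.
# It only prints the write command; running it stays a manual decision.
preflight() {
    verify_image "$1" "$2" || { echo "checksum mismatch: $1" >&2; return 1; }
    flashrom -p internal -c "$3" -r backup1.rom || return 1
    flashrom -p internal -c "$3" -r backup2.rom || return 1
    backup_is_stable backup1.rom backup2.rom ||
        { echo "flash reads differ, do not write" >&2; return 1; }
    echo "ok: copy backup1.rom off the box, then: flashrom -p internal -c $3 -w $1"
}

# Usage: sh preflight.sh apu1_v4.8.0.1.rom apu1_v4.8.0.1.rom.md5 <chip string>
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```
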
          • stephenw10S
            stephenw10 Netgate Administrator @stephenw10
            last edited by

            @stephenw10 said in Coreboot Update for APU1:

            The only anomaly I see is the console output is doubled before the kernel loads. I did read something about that in notes....

            That was here: https://github.com/pcengines/apu2-documentation/blob/master/docs/pfSense-install-guide.md#pfsense-image

            1 Reply Last reply Reply Quote 0
            • jahonixJ
              jahonix @interessierter
              last edited by

              @interessierter said in Coreboot Update for APU1:

              howto is available?

              Yes, it's all on the PC Engines pages. Just read up on it there, it's not that difficult.
              (with that nick you can surely read & understand German).

              1 Reply Last reply Reply Quote 0
              • jahonixJ
                jahonix @stephenw10
                last edited by

                @stephenw10 This is all I get from within FreeBSD no matter if I put the "-c" parameter there or not

                flashrom -p internal -c MX25L1605A/MX25L1606E/MX25L1608E
                flashrom v1.0 on FreeBSD 11.1-RELEASE-p10 (amd64)
                flashrom is free software, get the source code at https://flashrom.org
                
                Using clock_gettime for delay loops (clk_id: 4, resolution: 70ns).
                coreboot table found at 0xdfd79000.
                Found chipset "AMD SB7x0/SB8x0/SB9x0".
                Enabling flash write... OK.]
                No EEPROM/flash device found.
                Note: flashrom can never write if the flash chip isn't found automatically.
                

                However, using the TinyCore installer with a dedicated USB stick worked on both these boards. But I don't recall which flash chip was actually found on my APU1s.

                1 Reply Last reply Reply Quote 0
                • stephenw10S
                  stephenw10 Netgate Administrator
                  last edited by

                  I had to pull out a torch and check manually. I could believe they used different chips during the build life.

                  I was using 2.4.4 also. I don't believe flashrom is any different there but...

                  Steve

                  1 Reply Last reply Reply Quote 0
                  • V
                    VAMike
                    last edited by

                    It's an AMD CPU, it was never affected by Meltdown and there is no firmware fix for Meltdown. The Spectre mitigations require both an updated CPU microcode as well as OS support. AFAIK this combination doesn't exist for pfSense and the T40E in the APU. (If it did, the OS is capable of loading the microcode update regardless of the firmware.)

                    Short answer: you're wasting your time.

                    jahonixJ 1 Reply Last reply Reply Quote 1
                    • I
                      interessierter
                      last edited by

                      That's a good one,
                      thank you

                      1 Reply Last reply Reply Quote 0
                      • jahonixJ
                        jahonix @VAMike
                        last edited by

                        @vamike said in Coreboot Update for APU1:

                        Short answer: you're wasting your time.

                        I did the update myself and, as noted before, there are severe benefits for doing so. Booting from previously unsupported mSATA drives for example.
                        For me it was absolutely worth it.

                        V 1 Reply Last reply Reply Quote 0
                        • V
                          VAMike @jahonix
                          last edited by

                          @jahonix said in Coreboot Update for APU1:

                          @vamike said in Coreboot Update for APU1:

                          Short answer: you're wasting your time.

                          I did the update myself and, as noted before, there are severe benefits for doing so. Booting from previously unsupported mSATA drives for example.
                          For me it was absolutely worth it.

                          Sure, if you need functionality in a newer version then go for it. If you're doing it for vague reasons of "security", no.

                          1 Reply Last reply Reply Quote 0
                          • stephenw10S
                            stephenw10 Netgate Administrator
                            last edited by

                            Just updating this, I upgraded to v4.10.0.0 on the APU1 as sold by Netgate. No problems thus far with the Coreboot code.

                            BUT! I updated using flashrom directly from pfSense 2.5 and it did not go smoothly:

                            [2.5.0-DEVELOPMENT][root@apu.stevew.lan]/root: flashrom -p internal -c MX25L1605A/MX25L1606E/MX25L1608E -w apu1_v4.10.0.0.rom 
                            flashrom v1.0 on FreeBSD 12.0-RELEASE-p8 (amd64)
                            flashrom is free software, get the source code at https://flashrom.org
                            
                            Using clock_gettime for delay loops (clk_id: 4, resolution: 70ns).
                            coreboot table found at 0xdfd79000.
                            Found chipset "AMD SB7x0/SB8x0/SB9x0".
                            Enabling flash write... OK.
                            Found Macronix flash chip "MX25L1605A/MX25L1606E/MX25L1608E" (2048 kB, SPI) mapped at physical address 0x00000000ffe00000.
                            Reading old flash chip contents... done.
                            Erasing and writing flash chip... AMD SPI FIFO pointer corruption! Pointer is 0, wanted 2
                            Something else is accessing the flash chip and causes random corruption.
                            Please stop all applications and drivers and IPMI which access the flash chip.
                            RDSR failed!
                            AMD SPI FIFO pointer corruption! Pointer is 1, wanted 0
                            Something else is accessing the flash chip and causes random corruption.
                            Please stop all applications and drivers and IPMI which access the flash chip.
                            spi_nbyte_program failed during command execution at address 0x1eb9
                            Reading current flash chip contents... AMD SPI FIFO pointer corruption! Pointer is 1, wanted 3
                            Something else is accessing the flash chip and causes random corruption.
                            Please stop all applications and drivers and IPMI which access the flash chip.
                            Can't read anymore! Aborting.
                            FAILED!
                            Uh oh. Erase/write failed. Checking if anything has changed.
                            Reading current flash chip contents... done.
                            Apparently at least some data has changed.
                            Your flash chip is in an unknown state.
                            Get help on IRC at chat.freenode.net (channel #flashrom) or
                            mail flashrom@flashrom.org with the subject "FAILED: <your board name>"!
                            -------------------------------------------------------------------------------
                            DO NOT REBOOT OR POWEROFF!
                            

                            Ultimately I was able to recover by reflashing my backup image after several attempts.

                            I did manage to update using flashrom from single user mode, that seemed to go through no problem.

                            I would not recommend updating Coreboot from a 2.5 snapshot at this time.

                            Steve

                            1 Reply Last reply Reply Quote 1
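An added example, not from the original post: a wrapper that judges a write by the flashrom messages quoted above, re-flashes the backup image when the write fails, and reports which state the chip is in before any reboot. The function names, the `FLASHROM` and `CHIP` variables and the default retry count are assumptions.

```shell
#!/bin/sh
# Added example: gate the reboot on flashrom's own verdict and fall back to
# the backup image if the write fails. FLASHROM is overridable for dry runs.
FLASHROM=${FLASHROM:-flashrom}
CHIP=${CHIP:-MX25L1605A/MX25L1606E/MX25L1608E}   # chip string from the thread

# flash_verdict LOG: 0 = verified, 1 = failed or corrupt, 2 = inconclusive.
flash_verdict() {
    if grep -Eq 'FAILED|DO NOT REBOOT|unknown state|FIFO pointer corruption' "$1"; then
        return 1
    fi
    grep -qF 'Verifying flash... VERIFIED' "$1" && return 0
    return 2
}

# write_image ROM LOG: one write attempt, judged by the log and the exit status.
write_image() {
    $FLASHROM -p internal -c "$CHIP" -w "$1" >"$2" 2>&1
    rc=$?
    flash_verdict "$2" && [ "$rc" -eq 0 ]
}

# flash_or_restore NEW BACKUP [TRIES]: write NEW; on failure re-flash BACKUP
# up to TRIES times. Prints the resulting state; never reboots by itself.
flash_or_restore() {
    log=$(mktemp) || return 3
    if write_image "$1" "$log"; then
        echo "verified-new"; rm -f "$log"; return 0
    fi
    i=0
    while [ "$i" -lt "${3:-5}" ]; do
        i=$((i + 1))
        if write_image "$2" "$log"; then
            echo "restored-backup"; rm -f "$log"; return 1
        fi
    done
    echo "unknown-state"; rm -f "$log"; return 2
}

# Usage: sh flash.sh apu1_v4.10.0.0.rom backup.rom [tries]
if [ "$#" -ge 2 ]; then flash_or_restore "$@"; fi
```

Only `verified-new` or `restored-backup` is a state to reboot from; `unknown-state` corresponds to the "DO NOT REBOOT OR POWEROFF!" output above.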