    Coreboot Update for APU1

      interessierter last edited by stephenw10

      Hello all

      After updating to the latest version of pfSense, the last step to get up to date is the firmware. I'm not really sure what firmware I have to use. I bought a mini appliance some years ago. pfSense shows me the following details:

      System Netgate APU
      Netgate Device ID:
      BIOS Vendor: coreboot
      Version: SageBios_PCEngines_APU-45
      Release Date: Sat Apr 5 2014
      Version 2.4.3-RELEASE (amd64)
      built on Mon Mar 26 18:02:04 CDT 2018
      FreeBSD 11.1-RELEASE-p7
      CPU Type AMD G-T40E Processor
      2 CPUs: 1 package(s) x 2 core(s)
      AES-NI CPU Crypto: No
      Kernel PTI Disabled

        stephenw10 Netgate Administrator last edited by

        That is already the current production version of Coreboot for the APU:
        https://www.pcengines.ch/apu1d4.htm

        There is a Beta version you can run but I'm not aware of anything it offers that you might want. You should only upgrade a BIOS when it is necessary.

        Steve

          SammyWoo @interessierter last edited by

          @interessierter ^what he says. If things are working, leave things alone.

            jahonix @stephenw10 last edited by

            @stephenw10 said in Firmware Update for coreboot BIOS:

            That is already the current production version of Coreboot for the APU:

            Well, not exactly. I think they just don't update these pages often.
            If you head to their Github repo you'll find Mainline binaries v4.8.0.1 for APU1 - APU5:
            https://pcengines.github.io/#mr-11
            which contain

            • coreboot v4.8.0.1
            • SeaBIOS rel-1.11.0.5
            • sortbootorder v4.6.9
            • ipxe
            • memtest86+ v5.0.1

            I'm usually the guy who doesn't update when not necessary. I had three APUs with really old firmware so I gave it a shot, always having one of these units as spare if things go wrong. But updates went smoothly.

              stephenw10 Netgate Administrator last edited by

              Ah, that's interesting. Had no idea those were there.

              I assume you used the apu1 binary?

              Did you use 4.8.0.1? Did you have to disable MSI? That seems unclear, since it's newer than 4.6.7....

              Steve

                jahonix @stephenw10 last edited by jahonix

                @stephenw10 Surely I used the APU1 file.
                Flashed it with the TinyCore Installer from a dedicated USB stick. I had to use the "forced board mismatch" option, though.
                Rebooted straight into my mSATA based pfSense install on both productive devices afterwards without enabling/disabling/changing anything.

                BTW: Infos (about repo etc.) taken from their site.

                  jahonix last edited by

                  I was able to install pfSense onto 2 different mSATA disks within these patched APU1s which wasn't possible previously. Both booted immediately without having to change anything. FWIW

                    interessierter last edited by

                    Hello all

                    First, thanks for the answers. I don't want to leave the BIOS alone. As we all know, there were several security problems in CPUs, and so updates to the microcode are available. So I think it's the totally wrong approach to leave the BIOS on a firewall box with potential security problems alone, but keep the pfSense software up to date.

                    Can someone guide me to the right firmware here? I'm afraid of destroying the board.

                    thanks

                      stephenw10 Netgate Administrator last edited by

                      It's good to be aware of security risk certainly. But when you find an issue you need to assess what actual risk that poses and how it impacts your particular situation.
                      What exactly do you think you will gain by updating Coreboot?

                      If you are trying to boot an undetectable device that is detected by later versions that's a good reason to update. IMO at least.

                      Also note that PCEngines suggest here:
                      For FreeBSD based OS like OPNSense and pfSense please use the legacy versions.

                      There is no legacy version listed for apu1.

                      Steve

                        stephenw10 Netgate Administrator last edited by

                        I have now tested this. I can afford to be without the APU had it failed to come back up.

                        I flashed it using flashrom from within pfSense (2.4.4a). I had to force the board override and specify the chip type.

                        It did come back up fine at 4.8.0.1.

                        The only anomaly I see is the console output is doubled before the kernel loads. I did read something about that in notes....

                        Steve

                          jahonix @stephenw10 last edited by jahonix

                          @stephenw10 How did you do that?
                          For me flashrom wasn't able to find the flashable chip and exited, no matter what I tried. But I was on the initial firmware years old when I tried.

                            stephenw10 Netgate Administrator last edited by stephenw10

                            Nothing special. I installed it and it found the chip but couldn't determine the exact type; I had to use the -c parameter to do so. It's a MX25L1606E on my board.
                            Needs to be flashrom 1.0 maybe? That's in 2.4.3 but I am running 2.4.4a.

                            [2.4.4-DEVELOPMENT][root@apu.stevew.lan]/root: flashrom -p internal -c MX25L1605A/MX25L1606E/MX25L1608E
                            flashrom v1.0 on FreeBSD 11.2-RELEASE (amd64)
                            flashrom is free software, get the source code at https://flashrom.org
                            
                            Using clock_gettime for delay loops (clk_id: 4, resolution: 70ns).
                            coreboot table found at 0xdfd79000.
                            Found chipset "AMD SB7x0/SB8x0/SB9x0".
                            Enabling flash write... OK.
                            Found Macronix flash chip "MX25L1605A/MX25L1606E/MX25L1608E" (2048 kB, SPI) mapped at physical address 0x00000000ffe00000.
                            No operations were specified.
                            

                            Steve

                              interessierter @stephenw10 last edited by

                              @stephenw10 For me it was driven by the Intel architecture security problem; however, I think I can only be safe when I use the latest and greatest bits. In a dangerous online world, "it works, so leave it alone" is the wrong way on a firewall appliance. Just my two cents on this.

                              Is there a guide available to do it?
                              thanks

                                stephenw10 Netgate Administrator last edited by

                                Right but how is, for example, Spectre/Meltdown actually impacting you?

                                Do you have multiple users on your firewall?

                                Are you running bhyve VMs or jails on your firewall?

                                What risk are you actually trying to mitigate?

                                IMO you're probably actually risking more by upgrading to a newer BIOS than by remaining on the existing BIOS. You are obviously free to do so though. And it went smoothly for me.

                                Steve

                                  interessierter last edited by

                                  I want to close this risk simply
                                  howto is available?

                                  thanks

                                    stephenw10 Netgate Administrator last edited by

                                    Ok, to be completely clear this is unnecessary in my opinion and although it ran fine for me it may not for you.
                                    If this bricks your APU I assume you have something you can replace it with and a backup of your config.
                                    This is what I did:

                                    Download the bios file from here.
                                    Extract the .rom and .md5 files and copy them to the root directory on the APU. I used SCP to do that. You could also fetch the file and extract it directly at the command line on the firewall.
                                    Check the file checksum matches the MD5:

                                    [2.4.4-DEVELOPMENT][root@apu.stevew.lan]/root: md5 apu1_v4.8.0.1.rom
                                    MD5 (apu1_v4.8.0.1.rom) = dc5591bb2c9ff34608152bd4c7c806f7
                                    [2.4.4-DEVELOPMENT][root@apu.stevew.lan]/root: cat apu1_v4.8.0.1.rom.md5 
                                    dc5591bb2c9ff34608152bd4c7c806f7  apu1_v4.8.0.1.rom
                                    

                                    Backup the existing rom:

                                    [2.4.4-DEVELOPMENT][root@apu.stevew.lan]/root: flashrom -p internal -c MX25L1605A/MX25L1606E/MX25L1608E -r backup.rom
                                    flashrom v1.0 on FreeBSD 11.2-RELEASE (amd64)
                                    flashrom is free software, get the source code at https://flashrom.org
                                    
                                    Using clock_gettime for delay loops (clk_id: 4, resolution: 70ns).
                                    coreboot table found at 0xdfd79000.
                                    Found chipset "AMD SB7x0/SB8x0/SB9x0".
                                    Enabling flash write... OK.
                                    Found Macronix flash chip "MX25L1605A/MX25L1606E/MX25L1608E" (2048 kB, SPI) mapped at physical address 0x00000000ffe00000.
                                    Reading flash... done.
                                    

                                    Copy that off the firewall.

                                    Write the new rom to the flash:

                                    [2.4.4-DEVELOPMENT][root@apu.stevew.lan]/root: flashrom -p internal -c MX25L1605A/MX25L1606E/MX25L1608E -w apu1_v4.8.0.1.rom
                                    flashrom v1.0 on FreeBSD 11.2-RELEASE (amd64)
                                    flashrom is free software, get the source code at https://flashrom.org
                                    
                                    Using clock_gettime for delay loops (clk_id: 4, resolution: 70ns).
                                    coreboot table found at 0xdfd79000.
                                    Found chipset "AMD SB7x0/SB8x0/SB9x0".
                                    Enabling flash write... OK.
                                    Found Macronix flash chip "MX25L1605A/MX25L1606E/MX25L1608E" (2048 kB, SPI) mapped at physical address 0x00000000ffe00000.
                                    Reading old flash chip contents... done.
                                    Erasing and writing flash chip... Erase/write done.
                                    Verifying flash... VERIFIED.
                                    

                                    Reboot and hope nothing went wrong! 😉 It probably won't but subtle differences in hardware can come into play. I've done it twice now to get those console logs and had no issue.

                                    Steve
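
The checks from the steps above as a script, added here as an example and not part of the original post: it confirms the image matches its .md5 file and the 2048 kB chip size, and that two reads of the current flash are identical, before anything is written. The second read (`backup2.rom`) and all function names are assumptions of this example; the script never calls flashrom.

```shell
#!/bin/sh
# Added example, not from the thread: checks to run before "flashrom -w".
# This script never calls flashrom; it only inspects files already on disk.

CHIP_BYTES=2097152   # 2048 kB, the flash size flashrom reports in the thread

# Print a file's MD5 as bare hex (md5sum on Linux, md5 -q on FreeBSD).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# Print a file's size in bytes; the arithmetic strips BSD wc padding.
file_size() {
    echo $(( $(wc -c < "$1") ))
}

# check_rom ROM MD5FILE
# 0 = ok, 1 = missing file, 2 = size differs from chip, 3 = MD5 mismatch
check_rom() {
    [ -f "$1" ] && [ -f "$2" ] || return 1
    [ "$(file_size "$1")" -eq "$CHIP_BYTES" ] || return 2
    want=$(awk 'NR==1 {print tolower($1)}' "$2")
    have=$(file_md5 "$1" | tr 'A-F' 'a-f')
    [ -n "$want" ] && [ "$want" = "$have" ] || return 3
    return 0
}

# check_backup READ1 READ2 (READ2 is a second "flashrom -r", an assumption here)
# 0 = ok, 1 = missing file, 2 = size differs from chip, 4 = reads differ
check_backup() {
    [ -f "$1" ] && [ -f "$2" ] || return 1
    [ "$(file_size "$1")" -eq "$CHIP_BYTES" ] || return 2
    [ "$(file_size "$2")" -eq "$CHIP_BYTES" ] || return 2
    cmp -s "$1" "$2" || return 4
    return 0
}

# preflight ROM MD5FILE READ1 READ2: run both checks, report the first failure.
preflight() {
    check_rom "$1" "$2" || { rc=$?; echo "ROM check failed ($rc)" >&2; return $rc; }
    check_backup "$3" "$4" || { rc=$?; echo "backup check failed ($rc)" >&2; return $rc; }
    echo "ok: image and backup look sane"
}

# Only act when called with the four file arguments.
if [ "$#" -eq 4 ]; then
    preflight "$@"
fi
```

The .md5 file comes out of the same archive as the image, so a match shows the copy is intact, not that the image is authentic. Two reads that differ point to something else touching the flash, which is the condition the later write failure in this thread reports.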

                                      stephenw10 Netgate Administrator @stephenw10 last edited by

                                      @stephenw10 said in Coreboot Update for APU1:

                                      The only anomaly I see is the console output is doubled before the kernel loads. I did read something about that in notes....

                                      That was here: https://github.com/pcengines/apu2-documentation/blob/master/docs/pfSense-install-guide.md#pfsense-image

                                        jahonix @interessierter last edited by

                                        @interessierter said in Coreboot Update for APU1:

                                        howto is available?

                                        Yes, it's all on the PCengines pages. Just read it there, it's not that difficult.
                                        (with that nick you can surely read & understand German).

                                          jahonix @stephenw10 last edited by

                                          @stephenw10 This is all I get from within FreeBSD no matter if I put the "-c" parameter there or not

                                          flashrom -p internal -c MX25L1605A/MX25L1606E/MX25L1608E
                                          flashrom v1.0 on FreeBSD 11.1-RELEASE-p10 (amd64)
                                          flashrom is free software, get the source code at https://flashrom.org
                                          
                                          Using clock_gettime for delay loops (clk_id: 4, resolution: 70ns).
                                          coreboot table found at 0xdfd79000.
                                          Found chipset "AMD SB7x0/SB8x0/SB9x0".
                                          Enabling flash write... OK.]
                                          No EEPROM/flash device found.
                                          Note: flashrom can never write if the flash chip isn't found automatically.
                                          

                                          However, using the TinyCore installer with a dedicated USB stick worked on both these boards. But I don't recall which flash chip was actually found on my APU1s.

                                            stephenw10 Netgate Administrator last edited by

                                            I had to pull out a torch and check manually. I could believe they used different chips during the build life.

                                            I was using 2.4.4 also. I don't believe flashrom is any different there but...

                                            Steve

                                              VAMike last edited by

                                              It's an AMD CPU, it was never affected by meltdown and there is no firmware fix for meltdown. The spectre mitigations require both an updated CPU microcode as well as OS support. AFAIK this combination doesn't exist for pfsense and the T40E in the APU. (If it did, the OS is capable of loading the microcode update regardless of the firmware.)

                                              Short answer: you're wasting your time.

                                                interessierter last edited by

                                                That's a good one.
                                                Thank you

                                                  jahonix @VAMike last edited by

                                                  @vamike said in Coreboot Update for APU1:

                                                  Short answer: you're wasting your time.

                                                  I did the update myself and, as noted before, there are severe benefits for doing so. Booting from previously unsupported mSATA drives for example.
                                                  For me it was absolutely worth it.

                                                    VAMike @jahonix last edited by

                                                    @jahonix said in Coreboot Update for APU1:

                                                    @vamike said in Coreboot Update for APU1:

                                                    Short answer: you're wasting your time.

                                                    I did the update myself and, as noted before, there are severe benefits for doing so. Booting from previously unsupported mSATA drives for example.
                                                    For me it was absolutely worth it.

                                                    Sure, if you need functionality in a newer version then go for it. If you're doing it for vague reasons of "security", no.

                                                      stephenw10 Netgate Administrator last edited by

                                                      Just updating this, I upgraded to v4.10.0.0 on the APU1 as sold by Netgate. No problems thus far with the Coreboot code.

                                                      BUT! I updated using flashrom directly from pfSense 2.5 and it did not go smoothly:

                                                      [2.5.0-DEVELOPMENT][root@apu.stevew.lan]/root: flashrom -p internal -c MX25L1605A/MX25L1606E/MX25L1608E -w apu1_v4.10.0.0.rom 
                                                      flashrom v1.0 on FreeBSD 12.0-RELEASE-p8 (amd64)
                                                      flashrom is free software, get the source code at https://flashrom.org
                                                      
                                                      Using clock_gettime for delay loops (clk_id: 4, resolution: 70ns).
                                                      coreboot table found at 0xdfd79000.
                                                      Found chipset "AMD SB7x0/SB8x0/SB9x0".
                                                      Enabling flash write... OK.
                                                      Found Macronix flash chip "MX25L1605A/MX25L1606E/MX25L1608E" (2048 kB, SPI) mapped at physical address 0x00000000ffe00000.
                                                      Reading old flash chip contents... done.
                                                      Erasing and writing flash chip... AMD SPI FIFO pointer corruption! Pointer is 0, wanted 2
                                                      Something else is accessing the flash chip and causes random corruption.
                                                      Please stop all applications and drivers and IPMI which access the flash chip.
                                                      RDSR failed!
                                                      AMD SPI FIFO pointer corruption! Pointer is 1, wanted 0
                                                      Something else is accessing the flash chip and causes random corruption.
                                                      Please stop all applications and drivers and IPMI which access the flash chip.
                                                      spi_nbyte_program failed during command execution at address 0x1eb9
                                                      Reading current flash chip contents... AMD SPI FIFO pointer corruption! Pointer is 1, wanted 3
                                                      Something else is accessing the flash chip and causes random corruption.
                                                      Please stop all applications and drivers and IPMI which access the flash chip.
                                                      Can't read anymore! Aborting.
                                                      FAILED!
                                                      Uh oh. Erase/write failed. Checking if anything has changed.
                                                      Reading current flash chip contents... done.
                                                      Apparently at least some data has changed.
                                                      Your flash chip is in an unknown state.
                                                      Get help on IRC at chat.freenode.net (channel #flashrom) or
                                                      mail flashrom@flashrom.org with the subject "FAILED: <your board name>"!
                                                      -------------------------------------------------------------------------------
                                                      DO NOT REBOOT OR POWEROFF!
                                                      

                                                      Ultimately I was able to recover by reflashing my backup image after several attempts.

                                                      I did manage to update using flashrom from single user mode, that seemed to go through no problem.

                                                      I would not recommend updating Coreboot from a 2.5 snapshot at this time.

                                                      Steve
