PC Engines apu2 experiences

jwt

@Veldkornet:

What does this 4K,NCQ_TRIM_BROKEN mean exactly in normal English?

4k means "TRIM only works on 4096 byte requests that are 4096 byte aligned".

NCQ_TRIM means TRIM doesn't work if you send it as a queued request.  For some drives, the SSD stops working with first trim request is issued from the filesystem (UFS or ZFS).

There is a bug that is fixed in 11.1-RELEASE.  These quirks keep your drive working.

If you're running pfSense 2.4.x you can re-enable 4K sectors and TRIM by clearing the quirks with:

kern.cam.ada.0.quirks="0x0"

in /boot/loader.conf

or, if you need 4k quirks but want to drop NCQ_TRIM one:
    kern.cam.ada.0.quirks="0x1"

4k one is bit0 (0x1), and NCQ_TRIM one is bit1 (0x2).

Or you can wait for pfSense 2.4.3, which will contain a software fix.

PiBa

@Veldkornet:

On a sidenote, does anyone else have 2x haproxy services?

I havn't seen that before..you should only have the lowercase 'haproxy' service.. Probably need to edit the config.xml to remove the wrong service tag.. (backup>edit>restore)or the more tricky:(edit /conf/config.xml,delete /tmp/config.cache) just make sure to keep the xml format valid..

pvoigt

I am using an APU2C4 with BIOS version 4.0.7.

It looks like PC Engines no longer maintains their web pages under
https://www.pcengines.ch/apu2c4.htm

I am unable to find any binaries for latest versions 4.0.x and 4.6.x and appreciate any hints on that.

All I can find are related release infos/changelogs
https://github.com/pcengines/release_manifests/blob/coreboot-4.6.x/CHANGELOG.md

and source codes of coreboot
https://github.com/pcengines/coreboot/releases

Peter

software

I see some ROMs on the github:
https://github.com/pcengines/apu2-documentation

APU2 ROM should be there in legacy and mainline mode

pvoigt

@software:

I see some ROMs on the github:
https://github.com/pcengines/apu2-documentation

APU2 ROM should be there in legacy and mainline mode

Yeah, thanks a lot. Nevertheless, these are not the latest versions. I would have never searched for binaries in the documentation folder ;-).

valnar

Wow, I'm running 4.07.  Any reason to go higher for pfSense?  What's the recommended BIOS?

kevindd992002

I thought 4.07 is the latest?

pvoigt

@kevindd992002:

I thought 4.07 is the latest?

No, development is going on. Unfortunately, version schema is confusing and PC Engines does not update their corresponding web page. Moreover, binaries are at least for me, difficult to find.

What I have understood so far: There are two actively developed branches: 4.0.x denoted as "legacy" and a "mainline" 4.5.x/4.6.x. Latest versions are 4.0.14 and 4.6.6, respectively. Latest binary downloads for APU2 are available as 4.0.11 and 4.6.1.

One thing that I have just become aware of: coreboot determines the version number of the APU2 BIOS ROM but the APU2 ROM consists of several other components with its own version numbers like e.g. seabios and ipxe.

valnar

I guess I should have read outside of the PCEngines website!  Thanks for that info.

OK, so has everyone successfully run 4.6.6 or should I just go to 4.0.11?

kevindd992002

@pvoigt:

@kevindd992002:

I thought 4.07 is the latest?

No, development is going on. Unfortunately, version schema is confusing and PC Engines does not update their corresponding web page. Moreover, binaries are at least for me, difficult to find.

What I have understood so far: There are two actively developed branches: 4.0.x denoted as "legacy" and a "mainline" 4.5.x/4.6.x. Latest versions are 4.0.14 and 4.6.6, respectively. Latest binary downloads for APU2 are available as 4.0.11 and 4.6.1.

One thing that I have just become aware of: coreboot determines the version number of the APU2 BIOS ROM but the APU2 ROM consists of several other components with its own version numbers like e.g. seabios and ipxe.

Oh I see. So everything is on github? I remember choosing between 4.0.x and 4.5.x before and many people we're having problems with 4.5.x for some reason. And this is why I chose to go with 4.0.7. Did this change now? Would it be recommended to go with the mainline this time?

@valnar:

I guess I should have read outside of the PCEngines website!  Thanks for that info.

OK, so has everyone successfully run 4.6.6 or should I just go to 4.0.11?

Me too! All along I thought their website was updated.

valnar

I just went to 4.0.11 and it's working fine.  I didn't see anything listed in the bios's after 4.0.11 that was relevant to APU2 boards.

I also noticed that PC Engines recommends the 4.0x track here:
http://pcengines.ch/howto.htm#bios

Veldkornet

FYI, anyone updating to the 4.5.x or 4.6.x mainline firmware (https://github.com/pcengines/apu2-documentation), you need to edit the /boot/loader.conf and add the following:

hint.ahci.0.msi="0"

Otherwise it reboots every 4-5 hours.

The rest of the items that they mention here were all already added on my system by default.

I'm now running 4.6.1 without any problems.

Veldkornet

@doktornotor:

@Veldkornet:

@Jailer:

Mine still says PC Engines APU2 after the update to 2.3.4.

Yeah, mine did too. I more meant after the latest firmware update.

Can you post the output of

/bin/kenv -q smbios.system.product
/bin/kenv -q smbios.system.maker

with the 4.0.7 FW.

FYI, This has changed again…. below the output from firmware 4.6.1:

/bin/kenv -q smbios.system.product -> PC Engines apu2
/bin/kenv -q smbios.system.maker -> PC Engines

Veldkornet

@PiBa:

@Veldkornet:

On a sidenote, does anyone else have 2x haproxy services?

I havn't seen that before..you should only have the lowercase 'haproxy' service.. Probably need to edit the config.xml to remove the wrong service tag.. (backup>edit>restore)or the more tricky:(edit /conf/config.xml,delete /tmp/config.cache) just make sure to keep the xml format valid..

Thanks! :)

Veldkornet

Question, should I see the serial number of my PC Engines on the pfSense dashboard?

Reason I ask is because one of the PC Engines firmwares made the serial number show random characters. However, in doing so, the serial number field all of a sudden showed up on the dashboard

However, once I got the next firmware, the field was gone again from the dashboard.

The below command gives an actual output:

/bin/kenv -q smbios.system.serial

However, it’s not shown on the dashboard.

Is this intentional? Or should it be shown?

stephenw10

It's not expected to show in 2.4.3p1.

The input validation on that field was improved since it was first introduced. It should only appear now on devices that expose a real serial number via ACPI in the correct field.

I think the new forum code may have cut-off your kenv output.

Looking on an APU here it does seem to be present so perhaps the validation there could be tweaked.

It's not an issue with your board though, that's the expected behaviour currently.

Steve

kevindd992002

I have a site-to-site VPN using an OpenVPN tunnel between two APU2C4's with pfSense on them (2.4.3-RELEASE-p1 (amd64)). I've been reading a few hours now on how to really have OpenVPN utilize hardware AES-NI as the CPU supports it. There are several threads about this but not one is clear enough to really explain how pfSense uses this.

So, if I want to use hardware AES-NI, do I need to choose AES-NI CPU-based Acceleration under System > Advanced > Miscellaneous > Cryptographic Hardware? Or should I set it to None (no module loaded) and OpenVPN will use the AES-NI natively from the hardware without any module conflicts from the pfSense BSD OS?

If I choose the former, under the OpenVPN Server/Client settings the only selection I have for Hardware Crypto is No Hardware Crypto Acceleration. The only time I have an extra option in the Client settings is when I choose BSD Crypto Device (cryptodev) under Miscellaneous. So which is which? I'm starting to have a headache because of the confusing pfSense GUI :)

Veldkornet

I'm also curious as to what the "correct" settings are... I can say that I did a couple of tests wrt speed, and I eventually settled on (apart from a bunch of other tweaks) enabling AES-NI CPU-based Acceleration under System > Advanced > Miscellaneous > Cryptographic Hardware, and then in the OpenVPN Server/Client settings the only selection I have No Hardware Crypto Acceleration.

I know a while back, in the OpenVPN settings you could choose between AES-NI and cryptodev, but after some update the cryptodev disappeard.

Additionally, I think that the best speeds were achieved when both AES-NI CPU-based Acceleration and cryptodev were enabled, which is now the default if you have AES-NI CPU-based Acceleration enabled on the system.
So, I've just assumed that it doesn't matter anymore about the setting in OpenVPN since the system is already using all it can.

kevindd992002

@veldkornet said in PC Engines apu2 experiences:
Additionally, I think that the best speeds were achieved when both AES-NI CPU-based Acceleration and cryptodev were enabled, which is now the default if you have AES-NI CPU-based Acceleration enabled on the system.
So, I've just assumed that it doesn't matter anymore about the setting in OpenVPN since the system is already using all it can.

Enabling both where? Let's call both places Miscellaneous settings and Client settings to avoid confusion. Like I said, I don't have any options for a cryptodev Client setting IF I keep the Miscellaneous settings to AES-NI. All I have is the No Hardware Crypto Acceleration option.

Veldkornet

My mistake, I actually have the Miscellaneous set to AES-NI and BSD Crypto Device (aesni, cryptodev).
This is the update that I referred to in my previous post where both are enabled.

OpenVPN Client & Server:

And these are the options available to me within OpenVPN: