PC Engines apu2 experiences

kevindd992002

@fireodo said in PC Engines apu2 experiences:

@kevindd992002 said in PC Engines apu2 experiences:

Does this mean that "AES-NI CPU-based acceleration" is better than the "AES-NI and BSD Crypto Device" option? I'm still confused what the difference between those two are.

Yes! The Apu2 does not have a dedicated Crypto-Device, the Crypto-Functions are integrated in the CPU (much faster). IMHO

I see. But won't it use AES-NI anyway if the latter option is selected?

Also, in the OpenVPN settings you should chhose None in the Hardware Acceleration field, correct?

fireodo

@kevindd992002 said in PC Engines apu2 experiences:

I see. But won't it use AES-NI anyway if the latter option is selected?

Freebsd will look for the Crypto-Device wich is not existent and will not fallback to AES-NI CPU based.

Also, in the OpenVPN settings you should chhose None in the Hardware Acceleration field, correct?

I admit I dont know. Sorry.

daemonix

@fireodo said in PC Engines apu2 experiences:

@kevindd992002 said in PC Engines apu2 experiences:

I see. But won't it use AES-NI anyway if the latter option is selected?

Freebsd will look for the Crypto-Device wich is not existent and will not fallback to AES-NI CPU based.

Also, in the OpenVPN settings you should chhose None in the Hardware Acceleration field, correct?

I admit I dont know. Sorry.

Yes this is it. I did all the possible test combinations.
Indeed ONLY AES-NI should be selected

stephenw10

Yes, the only thing to avoid here is enabling both aes-ni and bsd crypto. Doing that will cause the aes device to register for crypto acceleration via the framework which adds a load of additional steps. It's much faster to use the available CPU instructions directly. As long as it's enabled in the BIOS openssl, and hence openvpn, should use aes-ni.

Steve

Qinn

@stephenw10 said in PC Engines apu2 experiences:

Yes, the only thing to avoid here is enabling both aes-ni and bsd crypto. Doing that will cause the aes device to register for crypto acceleration via the framework which adds a load of additional steps. It's much faster to use the available CPU instructions directly. As long as it's enabled in the BIOS openssl, and hence openvpn, should use aes-ni.

Steve

So you have to select AES-NI in pfSense and not in OpenVPN, then why is this option (Hardware crypto) present in OpenVPN config within pfSense? Could you please clarify this?

Cheers Qinn

stephenw10

I have personally never used that setting. But I have also never had a device with a specifically supported hardware crypto device which is where I would expect it to apply.
In testing I did when we went to OpenVPN 2.4 it was better to leave that set to None in every case.

Steve

Qinn

@stephenw10 kudos for clearing that one up!

jahonix

@stephenw10 said in PC Engines apu2 experiences:

But I have also never had a device with a specifically supported hardware crypto device which ...

Don't want to crush this topic (and can't PM you) but lemme ask how far crypto in the SG-1100 has come? Last thing I know is that HW is present and waits for the software to follow. Anything changed in this regard?

stephenw10

That is still basically the status. I'm not sure how far along that work is, I did see some discussion of it a few days ago.

But that's a good point. On the SG-3100 where the crypto hardware is supported via the CESA driver I am currently running with BSD Crypto device set in both OpenVPN and as the system crypto device.

Steve

Qinn

Although it is not downloadable at the moment, did anyone tried the new v4.10.0.0?

https://pcengines.github.io/

fireodo

@Qinn said in PC Engines apu2 experiences:

Although it is not downloadable at the moment, did anyone tried the new v4.10.0.0?

https://pcengines.github.io/

There isnt any 4.10.0.0 version - look here:
https://3mdeb.com/open-source-firmware/pcengines/

Veldkornet

Here it is: https://pcengines.github.io/#mr-25

v4.10.0.0

Release date: '2019-08-09'

Fixed/added:
- rebased with official coreboot repository commit 2a20d13
- enable basic ACPI support for GPIOs

fireodo

@Veldkornet said in PC Engines apu2 experiences:

Here it is: https://pcengines.github.io/#mr-25

v4.10.0.0

Release date: '2019-08-09'

Fixed/added:
- rebased with official coreboot repository commit 2a20d13
- enable basic ACPI support for GPIOs

Have you download it?

kevindd992002

Do you guys have any issues with the download links for v4.10.0.0? They're all "404 page not found" for me. Or were they removed intentionally?

Qinn

@kevindd992002 Yes, I don't think it's build

https://github.com/pcengines/coreboot/compare/v4.9.0.7...v4.10.0.0

psp

Just updated. Link is properly working. No issues so far.

fireodo

@psp said in PC Engines apu2 experiences:

Just updated. Link is properly working. No issues so far.

Thanks!

Qinn

@psp said in PC Engines apu2 experiences:

Just updated. Link is properly working. No issues so far.

Yup thanks

logan5247

New APU2 user here. Recently upgraded from an EdgeRouter Lite to the APU2D4. So far, loving pfSense, it's much more flexible than the ERL.

The BIOS it shipped with was 20170228 and I was able to press F10 to access the boot menu and perform a memtest.

PCEngines apu2
coreboot build 20170228
4080 MB ECC DRAM


SeaBIOS (version rel-1.10.0.1)




Press F10 key now for boot menu




Select boot device:




1. USB MSC Drive Kingston DataTraveler 3.0 PMAP


2. ata0-0: Samsung SSD 860 EVO mSATA 250GB ATA-11 Hard-Disk (2


3. Payload [memtest]


4. Payload [setup]

I upgraded the BIOS to 20190808 (v4.10.0.0) using flashrom and now when I press F10, I get the message "Booting from Hard Disk..." and it just starts to boot via the internal SSD. How can I access memtest again?

PC Engines apu2
coreboot build 20190808
BIOS version v4.10.0.0
4080 MB ECC DRAM

SeaBIOS (version rel-1.12.1.3-0-g300e8b7)

Press F10 key now for boot menu

Booting from Hard Disk...
/boot/config: -S115200 -h
Consoles: serial port  
BIOS drive C: is disk0
BIOS 639kB/3405392kB available memory

FreeBSD/x86 bootstrap loader, Revision 1.1
(Wed Nov 21 08:03:01 EST 2018 root@buildbot2.nyi.netgate.com)
...
...
Boot continues here
...
...

EDIT: Also, how do I enter the BIOS to adjust settings? It seems that option is missing as well.

VAMike

my first guess would be that the APU doesn't like what your terminal client is sending as F10. I'd try looking for options about what escape sequences are sent for F keys, or try a different client.