Expand docs and hardware support for recent Intel NUCs #5609
Comments
Still awaiting hardware - deferring for current sprint/1.5.0, we'll see where we are mid-sprint.

Hardware obtained. For the 8/20-9/2 sprint, @zenmonkeykstop committed to step through and document the install procedure on Ubuntu 16.04, in the second half of the sprint.

Initial testing done against NUC10i5FNH, Ubuntu 16.04.6 server install:

Discussed in sprint planning today. We've got NUC8s on order and will test those in late September. The NUC7s are still available in retail (including online: Amazon, Newegg, etc.) but getting stale.

I have a NUC8 and have (briefly) gone over the initial testing with @zenmonkeykstop. I'll plan to step through and document results as well during the coming sprint.

Per above @rocodes will do some testing on the NUC8 during the sprint, but we're not aiming to QA 1.6.0 on it yet.

Partial update on NUC8 hardware testing:

Unfortunately, even after building a new 5.4.68 kernel based on a new kernel config provided by @emkll today, I'm unable to boot into it on the NUC8, though I can boot into it on a Xenial qube, same as with the kernel I built yesterday. I do notice the following console output when installing the kernel: Some quick searching tells me this is grub trying to be clever, however, a) the kernel still shows up in the grub menu and b) this message is also displayed in the Xenial qube when installing the kernel, which then goes on to boot just fine. Stay tuned folks... Sorry it's not a happier update.

@rocodes and @zenmonkeykstop will continue their work on this in the 10/1-10/15 sprint, aiming for no more than 16 person hours total time spent during this sprint. Our goal right now is to get the NUC8s running on a 4.14 series grsec kernel, so we can potentially ship support in a point release or 1.7.0. Additional 5.4 testing is out of scope for now, but we'll revisit 5.4+ kernel support as part of the Focal migration (#4768) at the latest.

At @emkll's suggestion I tried compiling a 4.14 series kernel without grsec patches to see if it would boot on the NUC8, thereby helping us determine whether the issue is with the grsec patches or not. Unfortunately, a 4.14.188 kernel without grsec patches does boot successfully on the NUC8, while the 4.14.188 kernel from the apt repo that includes grsecurity patches does not. But wait there's more! In both cases (the kernel that successfully boots and the one that does not), during installation I see the following warning:
However, installing the appropriate drivers has not enabled the grsec kernel to boot.
tested on the NUC8i5BEK as provided by @rocodes:
tried out an SD install with the dongle:
With a working USB adaptor, it looks like the NUC8s are a viable install option, though it would be worth going through a full install run as above to verify and document the process. (One thing to note, paxtest tests pass but one meltdown test (for the Foreshadow SGX vulnerability mitigation) fails.)

(Per most recent findings it sounds like only docs additions may be needed for NUC8 support, so migrated to securedrop-docs repo.)

IMO this should move back to SD core - NUC10 support will require a kernel build.

(Retitled and checklist updated for clarity.)

One observation from NUC10s is that the BIOS instructions now recommend downloading a CAP file for the F7 update method, not a BIO file as stated in our docs. I've added a checkbox to the epic to ensure that we update this as warranted.

Except for the above minor detail, no issues migrating an Ubuntu 16.04 instance on Mac Minis to Ubuntu 20.04 on NUC10s 🎉

The NUC8i5s in our hardware docs were officially discontinued in Oct 2020 (https://www.intel.ca/content/www/ca/en/support/articles/000016234/intel-nuc.html), although they'll get security updates until Oct 2023. A further round of NUC8s were discontinued Feb 2021, getting security updates until early 2024. Would be great to add NUC10s (and Librems?) to our hardware recommendations to get a bit ahead of this.
I ran the testinfra tests from Conor's #5848 branch (i.e. including Glory to testinfra
meltdown results on NUC10 looking good, detailed output below. Seeing the same test failure reported in #5040, likely for the same reason (also seeing the grsec meltdown deets):

Spectre and Meltdown mitigation detection tool v0.44+
Checking for vulnerabilities on current system
Hardware check
CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
CVE-2018-3640 aka 'Variant 3a, rogue system register read'
CVE-2018-3639 aka 'Variant 4, speculative store bypass'
CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
CVE-2019-11135 aka 'ZombieLoad V2, TSX Asynchronous Abort (TAA)'
CVE-2018-12207 aka 'No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)'
CVE-2020-0543 aka 'Special Register Buffer Data Sampling (SRBDS)'
Need more detailed information about mitigation options? Use --explain

Beyond that, I see three
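The checker output above is one way to confirm mitigation status on a new hardware platform. As an added example (not code from the SecureDrop project or from anyone in this thread), the script below reads the kernel's own per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities/, classifies each as mitigated, vulnerable or not affected, and flags entries where the status string names missing microcode. The sample statuses embedded in it are constructed for offline use and are not captured from a NUC; the file names and status prefixes ("Not affected", "Mitigation:", "Vulnerable") are the real kernel interface.

```python
"""Classify speculative-execution mitigation status from Linux sysfs.

Added example, not part of the issue thread. The kernel exposes one file per
hardware vulnerability under /sys/devices/system/cpu/vulnerabilities/; each
contains a status string beginning with "Not affected", "Mitigation:" or
"Vulnerable". When that directory is absent (non-Linux host, or run offline)
the script falls back to a constructed sample so it still runs end to end.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample in the same shape as the sysfs files (not real captured
# output). Values mimic what a host with an out-of-date microcode would show.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "tsx_async_abort": "Not affected",
    "srbds": "Vulnerable: No microcode",
}


def classify(status: str) -> str:
    """Map one sysfs status string to a coarse category."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Return {name: status} from the live sysfs directory, or {} if absent."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in sorted(directory.iterdir()) if p.is_file()}


def summarize(statuses: dict) -> dict:
    """Group vulnerability names by category, names sorted within each group."""
    report = {"mitigated": [], "vulnerable": [], "not_affected": [], "unknown": []}
    for name, status in sorted(statuses.items()):
        report[classify(status)].append(name)
    return report


def needs_attention(statuses: dict) -> list:
    """Vulnerable entries with a hint: the kernel names microcode explicitly
    when a firmware update (not a kernel/config change) is what is missing."""
    out = []
    for name, status in sorted(statuses.items()):
        if classify(status) == "vulnerable":
            hint = "microcode update" if "microcode" in status.lower() else "kernel/config"
            out.append((name, hint))
    return out


if __name__ == "__main__":
    live = read_sysfs()
    data = live if live else SAMPLE
    print("source:", "sysfs" if live else "constructed sample")
    for category, names in summarize(data).items():
        print(f"{category:>13}: {', '.join(names) or '-'}")
    for name, hint in needs_attention(data):
        print(f"ATTENTION {name}: {data[name]} (likely fix: {hint})")
```

Note that sysfs does not report the SGX variant of L1TF (CVE-2018-3615) as a separate entry; the l1tf file covers the OS and VMM variants, which is one reason a dedicated checker that also inspects microcode and CPUID flags can report a failure this script does not see.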
Description
7-series NUCs were discontinued in mid-April and are no longer officially available from Intel (though probably still sporadically available at retail for a while). The recommended hardware list should be updated to include NUC models that can be reasonably expected to be available long-term. Given that 10-series NUCs are now available, it may make sense to add both 8-series and 10-series NUCs to recommendations.
The last update had issues with Ethernet chipset support in the kernel. The 8- and 10-series NUCs use the same chipset (Intel i219-v) as the 7-series, so this will probably work, but hardware testing is still required to be safe.
Tasks
User Research Evidence
(Feedback from folks looking into setting up instances)