Re: [gentoo-user] New Intel CPU flaws discovered

2019-05-25 Thread taii...@gmx.com
On 05/15/2019 01:26 AM, Adam Carter wrote:
> Here we go again;
> https://mdsattacks.com/
>
> I notice a microcode update for skylake came through yesterday after being
> unchanged since the late June 2018, so i'm guessing this is patched for
> this issue. Just waiting for the gentoo sources ebuild to be bumped to
> 5.1.2 to try it out.
>
> Sounds like AMD not affected.

x86 isn't the only game in town.

There's also the raptorcs OpenPOWER systems which is the only new high
performance hardware that is owner controlled, has foss firmware and no
PSP/ME DRM.

The new amd x86 are just as problematic due to having the PSP (AMD's ME)
and all the problems that come with that.

I don't include RISC-V since it is just as expensive as OpenPOWER for
much less features and performance and it currently doesn't have an IOMMU.

For laptops the only decent non-intel IOMMU having option right now is
the G505S which has an IOMMU and supports coreboot with open cpu/ram
init (note many companies sell shady "open source firmware coreboot"
systems that have an entirely blobbed hw init process). Here's to hoping
for a POWER or RISC-V+IOMMU laptop!

A libre-firmware OpenPOWER Blackbird system is less expensive than a
fully pimped libre-firmware KGPE-D16 and is many times faster even with
just the base 4 core cpu (4 threads per core :D) and has the IBM version
of OpenBMC which is better than the facebook version that was ported to
the KCMA-D8/KGPE-D16's less powerful BMC.

POWER is also the only high performance general computing CPU that is
made in usa so you support jobs that pay a living wage at a fab that
isn't messed around with by the PRC.
Raptor claims their boards are us made as well although that is a lofty
claim in the technology sector as the legal standard is "all or
virtually all" components and many companies get shady like a certain
one that claims their "linux focused" system is "us made" but the only
part made here is the metal case.

I would say the best and most secure setup would be:
OpenPOWER Blackbird workstation
KCMA-D8 for VM gaming (POWER only has a few indie games right now not
anything commercial) which can max out the latest games in a VM at 1080p
with a 4386 cpu and a RX590.
G505S laptop for mobile computing running qubes

Ideally you wouldn't run any programs on bare metal and everything would
be done in a VM which is what I do even for gaming, watching movies etc.


0xDF372A17.asc
Description: application/pgp-keys


Re: [gentoo-user] SATA drive controller and Linux driver.

2018-12-12 Thread taii...@gmx.com
Ahh didn't see your reply.

Hook it up via your motherboard's SATA ports to check.

Those no name china brand controllers are almost always really shitty. If
you want a nice but affordable HBA for SAS/SATA, get one with an LSI 2008
chipset. You got ripped off paying almost $40 for that junk; I paid only
$30 for my LSI 2008 chipset HBA and it is great, it also supports SATA
expanders. Look at the servethehome LSI 2008 topic for ebay keywords.



Re: [gentoo-user] Sata hard drive speed question

2018-12-12 Thread taii...@gmx.com
Here are some theories.

* You gotta properly align the sectors for 4K advanced format
* USB doesn't have NCQ which really slows things down.
* Copying many small files is almost always slow since they are located
on various parts of the drive not in a contiguous block (again see NCQ)
* System is set to use IDE not AHCI thus no NCQ etc
* You are using a secondary SATA chip such as the terrible ones from
JMicron or what not instead of what is on your system's northbridge or a
quality PCI-e HBA.



Re: [gentoo-user] Re: CPU upgrade and LVM questions.

2018-12-10 Thread taii...@gmx.com
On 12/10/2018 05:54 PM, Dale wrote:
> Neil Bothwick wrote:
>> On Mon, 10 Dec 2018 16:33:10 -0500, taii...@gmx.com wrote:
>>
>>>> Not sure which country would be a reliable location though, I
>>>> wouldn't trust Western European countries either.  
>>> USA is currently the best option since there have never been proven
>>> backdoors in made in usa hardware but plenty in chinese made hardware
>>> such as the recent motherboard hack chip scandal.
>> So that proves that US manufacturers are better at hiding their back
>> doors?
>>
>> Or is it a numbers game, there are a hell of a lot more systems made in
>> China, so the chances of a backdoor being discovered is higher.
>>
>> Either way, lack of evidence of insecurity is not proof of security.
>>

So tell us what is your perfect country for hardware manufacturing?

Name one other country on earth besides america where you can say no to
a governmental request for a backdoor in your hardware or software
products and not end up in prison.

In the mean time will you continue to buy chinese products with proven
backdoors since getting that is somehow better than something that is
only almost perfect?

The amd bulldozer and piledriver CPU's like the FX-8350 and its opteron
counterparts are made in germany (the packaging is done in china but at
that point afaik there isn't much that can be done to fuck with it) but
that still wouldn't satisfy you since germany doesn't have anything like
the constitution - they have no freedom of speech.

The future of freedom computing is OpenPOWER and RISC-V since they are
the only owner controlled archs that have real performance and features,
in other words they have juice.



Re: [gentoo-user] Re: CPU upgrade and LVM questions.

2018-12-10 Thread taii...@gmx.com
On 12/09/2018 01:57 PM, J. Roeleveld wrote:
> On December 9, 2018 6:23:07 PM UTC, "taii...@gmx.com"  wrote:
>> On 12/07/2018 06:47 PM, Nikos Chantziaras wrote:
>>> On 07/12/2018 09:30, Dale wrote:
>>>> Nikos Chantziaras wrote:
>>>>> If you want to see all of the installed packages that are affected,
>>>>> you need to set CPU_FLAGS_X86 to an empty string:
>>>>>
>>>>>    CPU_FLAGS_X86=""
>>>>>
>>>>> and then do "emerge -puDN --with-bdeps=y @world". This is because
>>>>> CPU_FLAGS_X86 is not empty by default. It contains sse and sse2 by
>>>>> default, because these are supported by all 64-bit CPUs.
>>>>>
>>>>
>>>> What I did, I commented out the whole line and ran it that way.
>>>
>>> If you comment it out, it will have default values. If you set it to
>> an
>>> empty string, you should be able to see which packages make use of
>> the
>>> default flags (like sse and sse2.)
>>>
>>> Note it's a pretend emerge (-p). Just to check which packages you
>> have
>>> installed that make use of these flags.
>>>
>>>
>>>> One last question for anyone who has done this recently.  When
>> finished,
>>>> I'll have a FX-8350 CPU with 8 cores at 4.0/4.2GHz, 32GBs of memory
>> all
>>>> on a Gigabyte 970 series mobo.  Would there be any point in
>> upgrading to
>>>> a whole new rig or is what I have about as fast is reasonable to
>> build?
>>>> I don't do gaming or anything.  Even the GTX 650 video card is
>> likely
>>>> overkill for what I do here.  The older 200 series card is working
>> just
>>>> fine.  On one hand, my current build is several years old.  On the
>>>> other, computers seem to have reached their peak.  I'm sure there is
>>>> more powerful systems out there but would I be any better off with
>> one?
>>
>> Since the AM3+ and its C32/G34 Opteron counterparts are the last and
>> best x86 cpus without ME/PSP I would say you are better off with what
>> you have - the best piledriver cpus like the FX-8350+ are still able to
>> play the latest games and in a VM via IOMMU-GFX if you want.
>>
>> In any case I would consider a OpenPOWER (ppc64/ppc64le) arch system
>> (like the blackbird or talos 2) as an upgrade path instead of any
>> further
>> x86 stuff as there aren't any black boxes, there is
>> documentation+firmware sources and the cpus are made in usa.
> 
> Made in USA isn't necessarily a good thing when talking about not wanting any 
> hidden back doors.

Hell of a lot better than buying black box hardware from china.

x86 is definitely backdoored due to the ME/PSP and various other DRM
features that mean you no longer own your x86 computer.

In the US you aren't going to prison for telling the government you
won't put a backdoor in your hardware whereas in china and many others
you would go to jail without even a trial even in western europe people
are jailed for saying the wrong things on the internet. It is currently
the hardest place for an authority figure to lean on you.

Since the only users of POWER are fortune 500's and the government
itself it needs to be secure and not fucked around with, ironically the
chinese government is buying OpenPOWER now as they want a secure, owner
controlled, highly documented and non-x86 high performance CPU (there is
absolutely no hardware code signing not even for the cpu microcode and
no blobs are required for hardware initiation unlike with new x86 stuff)

One doesn't have to put an actual func_backdoor backdoor in a CPU since
something so complex will have exploitable bugs that even the
manufacturer doesn't know about such as the (fixed via microcode) 2014
AMD Piledriver NMI to root exploit where you could get root and SMM
access from a tiny userspace script and that was in there for years
without anyone noticing.

> Not sure which country would be a reliable location though, I wouldn't trust 
> Western European countries either.

USA is currently the best option since there have never been proven
backdoors in made in usa hardware but plenty in chinese made hardware
such as the recent motherboard hack chip scandal.



Re: [gentoo-user] Re: CPU upgrade and LVM questions.

2018-12-09 Thread taii...@gmx.com
On 12/07/2018 06:47 PM, Nikos Chantziaras wrote:
> On 07/12/2018 09:30, Dale wrote:
>> Nikos Chantziaras wrote:
>>> If you want to see all of the installed packages that are affected,
>>> you need to set CPU_FLAGS_X86 to an empty string:
>>>
>>>    CPU_FLAGS_X86=""
>>>
>>> and then do "emerge -puDN --with-bdeps=y @world". This is because
>>> CPU_FLAGS_X86 is not empty by default. It contains sse and sse2 by
>>> default, because these are supported by all 64-bit CPUs.
>>>
>>
>> What I did, I commented out the whole line and ran it that way.
> 
> If you comment it out, it will have default values. If you set it to an
> empty string, you should be able to see which packages make use of the
> default flags (like sse and sse2.)
> 
> Note it's a pretend emerge (-p). Just to check which packages you have
> installed that make use of these flags.
> 
> 
>> One last question for anyone who has done this recently.  When finished,
>> I'll have a FX-8350 CPU with 8 cores at 4.0/4.2GHz, 32GBs of memory all
>> on a Gigabyte 970 series mobo.  Would there be any point in upgrading to
>> a whole new rig or is what I have about as fast is reasonable to build?
>> I don't do gaming or anything.  Even the GTX 650 video card is likely
>> overkill for what I do here.  The older 200 series card is working just
>> fine.  On one hand, my current build is several years old.  On the
>> other, computers seem to have reached their peak.  I'm sure there is
>> more powerful systems out there but would I be any better off with one?

Since the AM3+ and its C32/G34 Opteron counterparts are the last and
best x86 cpus without ME/PSP I would say you are better off with what
you have - the best piledriver cpus like the FX-8350+ are still able to
play the latest games and in a VM via IOMMU-GFX if you want.

In any case I would consider a OpenPOWER (ppc64/ppc64le) arch system
(like the blackbird or talos 2) as an upgrade path instead of any further
x86 stuff as there aren't any black boxes, there is
documentation+firmware sources and the cpus are made in usa.



Re: [gentoo-user] I want a low-end usb laser printer with minimal config hassle

2018-12-07 Thread taii...@gmx.com
On 12/07/2018 01:46 PM, Manuel McLure wrote:

> The main thing you want to look for is PCL and/or PostScript compatibility.
> And I'd highly recommend getting a networked printer that supports Port
> 9100 instead of a USB one - this allows you to use the same printer for all
> of your systems.

Seconded!

You will get a lot more mileage out of a network pcl/ps printer than one
that isn't; for instance my printer no longer works with USB as drivers
aren't made for newer OSes but I can still use network pcl/ps to print.

My advice is to buy a used HP laserjet 4300 which is a nice usb/network
pcl/ps printer and get third party toner carts.

hp 4300 model names explained:
d = duplexer
s = stapler/stacker (2nd output tray with an automatic stapler)
t = 2nd tray
n = network
(dtns is the highest end model as it has all 4 upgrades but they can
also be bought individually)


Buying new printers especially the cheap models is a sucker's bet due to
the high consumables costs, the printers themselves being cheaply made
and sold for less than the cost of production with the money being made
back with overpriced ink and toner - newer models also frequently have a
"security" feature that prevents the use of "dangerous" third party
toner/ink.



[gentoo-user] RaptorCS Blackbird - Owner controlled, open source firmware system on the POWER ppc64/ppc64le arch - a less expensive mATX TALOS 2

2018-11-26 Thread taii...@gmx.com
This is a much less expensive mATX variant of the TALOS 2 from the same
people.

It runs both little and big endian so both ppc64 and ppc64le.

https://www.phoronix.com/scan.php?page=news_item&px=Blackbird-POWER9-Pre-Orders
https://raptorcs.com/content/BK1B01/intro.html

The only binary blob is the NIC firmware[1], otherwise it is fully open
source and has no hardware code signing enforcement so it is entirely
yours unlike modern x86 stuff which can't ever be free[2] and has the
impossible to disable ME/PSP doing god knows what.

OpenPOWER9 CPU's are Made in USA and the board is Made in the USA from
US and foreign components so it is much more trustworthy.

In terms of speed POWER9 is superior to the offerings from intel/amd or
equivalent without x86's spectre/meltdown protections enabled which
intel usually dishonestly performs in their benchmarks.

[1]It was the best alternative to using an intel nic as there is a large
amount of documentation available, people are working on freeing it and
the first one to do so gets a free TALOS 2 workstation.

[2]New x86 hardware has none of the documentation published that is
required to write firmware and it has a variety of black boxes like
ME/PSP, boot guard etc designed to prevent you from owning and
controlling your hardware.



Re: [gentoo-user] SR-IOV on a LSI Broadcom HBA/RAID SAS2008/SAS3008 card

2018-11-16 Thread taii...@gmx.com
On 10/17/2018 10:37 AM, J. Roeleveld wrote:
> The SAS2008 is quite old. Are you sure it actually supports this?

It does yes, lspci reports SR-IOV support and the marketing literature
touts it along with the SAS 2308 and 3008 etc.



[gentoo-user] SR-IOV on a LSI Broadcom HBA/RAID SAS2008/SAS3008 card

2018-10-16 Thread taii...@gmx.com
LSI/Broadcom lists it in their marketing literature, the idea that you
can assign drives to a VF and then that VF to a VM however it turns out
they do not publish the code that makes it work.

I was able to find some for MPT3 SAS3008 on an old repo but I can't find
any for MPT2 for SAS2008 and I was wondering if anyone has it or knows
more information about this very useful system.



Re: [gentoo-user] disable Intel Mgr Engine

2018-09-13 Thread taii...@gmx.com
Impossible - ME can't be disabled.

Me cleaner only nerfs it by removing various modules, either BUP (init)
still runs or the kernel still runs plus any option/mask roms.

If you want a PC without black boxes either buy a pre-PSP amd board like
KGPE-D16/KCMA-D8, g505s laptop and install coreboot/libreboot+openbmc or
get a non-x86 device like the brand new/fast OpenPOWER9 TALOS 2
(https://raptorcs.com) which is currently selling for less than
equivalent x86 hardware.

The only owner controlled CPU arch now is OpenPOWER.





[gentoo-user] Anyone using gentoo on POWER?

2018-08-30 Thread taii...@gmx.com
It is my understanding that both little and big endian work on the
regular "linux" POWER9 machines so that you can use gentoo which is
ppc64 not ppc64le for some reason - and I was wondering what people's
experiences are with this? what is package availability like? any
problems? etc etc.

Thanks!




Re: [gentoo-user] Re: Update circle

2018-08-30 Thread taii...@gmx.com
On 08/23/2018 10:27 AM, Grant Edwards wrote:
> On 2018-08-22, Zoltán Kócsi  wrote:
>> I have a Gentoo machine, which has not been updated for a while. Quite
>> a long while, actually.
> 
>> It seems that I'm kind of stuck. Wiping the disk and rebuilding the
>> system from scratch is absolutely not an option, the existing (and
>> running) system must be updated somehow.
> 
> Doing a reinstall will probably be far less work and less disruption
> for the machine's users.  You don't have to "wipe the disk" to do a
> re-install.

Yeah.

I would suggest after the back up then you simply clone the disk and
perform the re-install on another computer or in a VM so that you can
fiddle with things and then just swap out the drives vs having down-time
for your users potentially for days if something goes wrong on the
actual server.

It is what I do for situations like this and it works great.



[gentoo-user] The TALOS 2 Lite is now for sale - a very affordable OpenPOWER9 owner controlled workstation with open source firmware/hw init and documentation

2018-06-08 Thread taii...@gmx.com
In case anyone is interested I thought I would share.

https://www.phoronix.com/scan.php?page=news_item&px=Raptor-Talos-2-Lite
https://raptorcs.com/TALOSIILITE/

They're really making strides for making high performance owner
controlled, open source firmware systems very affordable - now they are
much less than a proprietary single socket x86 system of equivalent
performance.

The regular dual socket TALOS 2 is already a good price for server
hardware in its class but this is even better for those who don't need
dual socket or many PCI-e slots (although you can always use a PCI-e PLX
switch based expansion system if you later want more)

I find it simply incredible that a brand new open source firmware
OpenPOWER9 system now costs less than the last and best open source
firmware owner controlled x86 motherboards (KCMA-D8 and KGPE-D16) where
even buying used CPU's you would be spending more money than this to get
worse performance.



Re: [gentoo-user] AMD microcode problem - Fam15h ( FYI )

2018-06-05 Thread taii...@gmx.com
On 05/26/2018 07:51 AM, Corbin Bird wrote:

> On 05/25/2018 08:50 PM, Adam Carter wrote:
>> > For me dmesg says;
>> > [    1.538275] microcode: CPU0: patch_level=0x06000852
>> >
>> > but i still have lwp in /proc/cpuinfo. Are you at 0x06000852 ?
>> .
>> This is my dmesg output :
>> .
>> [    1.111448] microcode: microcode updated early to new
>> patch_level=0x06000852
>>
>>
>> Ok then it looks like the mno-lwp is responsible for lwp's absence in
>> your /proc/cpuinfo.
>>
>> FWIW, no stability problems for me so far. (FX-8350 + 4.16.11).
>>
> .
> I should have clarified ... the '-mno-lwp' was added as a result of the
> comparison of the two /proc/cpuinfo files. I was very curious about WHAT
> exactly the microcode update did.
>
> The CPU I am using is a FX-9590.
>
> Question : Is there a PSP in your CPU?

Bulldozer/piledriver CPUs like the FX series and their corresponding
G34/C32 opterons don't have PSP - they are the last and best owner
controlled x86_64 CPU's and for now can still play the latest games at
max settings (even supports playing in a VM via IOMMU :D)
The 8350 and 93xx CPU's are pretty much the same the niners are just
better binned to support the uber OC's

You can have a 100% blob free owner controlled libre firmware
workstation/server with the KGPE-D16/KCMA-D8 which is the best option
for those who need to run x86 and thus can't get a talos or some other
power workstation.




Re: [gentoo-user] Where are the AMD microcode updates for spectre?

2018-05-21 Thread taii...@gmx.com
The fam15h microcode update adds IBPB

  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES
    * CPU indicates IBPB capability:  YES  (IBPB_SUPPORT feature bit)

The question is what about the other stuff? IBRS, STIBP? This is very
confusing due to zero documentation... Why don't they have those in this
update?
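
The checks discussed in this message and in the 2018-06-05 "AMD microcode problem - Fam15h ( FYI )" message above (the dmesg patch_level lines, comparing two /proc/cpuinfo files, and whether IBPB, IBRS and STIBP are reported), as an added example that is not code from any poster in the thread. The dmesg and cpuinfo text is constructed sample input; `ibpb`, `ibrs` and `stibp` are the flag names Linux prints in /proc/cpuinfo.

```python
import re

# Constructed sample input, modelled on the dmesg lines quoted in the thread.
SAMPLE_DMESG = (
    "[    1.111448] microcode: microcode updated early to new patch_level=0x06000852\n"
    "[    1.538275] microcode: CPU0: patch_level=0x06000852\n"
    "[    1.538290] microcode: CPU1: patch_level=0x06000852\n"
)

# Constructed /proc/cpuinfo excerpts (flag lists shortened), taken before and
# after a microcode update. Which flags change here is an assumption.
CPUINFO_BEFORE = (
    "processor\t: 0\n"
    "cpu family\t: 21\n"
    "flags\t\t: fpu sse sse2 xop fma4 lwp tbm\n"
    "\n"
    "processor\t: 1\n"
    "cpu family\t: 21\n"
    "flags\t\t: fpu sse sse2 xop fma4 lwp tbm\n"
)
CPUINFO_AFTER = CPUINFO_BEFORE.replace(" lwp", "").replace("tbm", "tbm ibpb")

PATCH_RE = re.compile(r"microcode: CPU(\d+): patch_level=(0x[0-9a-fA-F]+)")
EARLY_RE = re.compile(r"microcode updated early to new patch_level=(0x[0-9a-fA-F]+)")
SPEC_FLAGS = ("ibpb", "ibrs", "stibp")


def patch_levels(dmesg_text):
    """Map CPU number -> microcode patch level reported in dmesg."""
    return {int(cpu): int(level, 16) for cpu, level in PATCH_RE.findall(dmesg_text)}


def early_update_level(dmesg_text):
    """Patch level applied by the early loader, or None if no early update ran."""
    match = EARLY_RE.search(dmesg_text)
    return int(match.group(1), 16) if match else None


def mixed_revisions(dmesg_text):
    """True when cores report different patch levels (update applied unevenly)."""
    return len(set(patch_levels(dmesg_text).values())) > 1


def cpu_flags(cpuinfo_text):
    """Map processor number -> set of feature flags from /proc/cpuinfo text."""
    flags, current = {}, None
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip()
        if key == "processor":
            current = int(value)
        elif key == "flags" and current is not None:
            flags[current] = set(value.split())
    return flags


def flag_diff(before_text, after_text):
    """Per CPU, the flags that appeared and disappeared between two snapshots."""
    before, after = cpu_flags(before_text), cpu_flags(after_text)
    result = {}
    for cpu in sorted(before.keys() & after.keys()):
        added = sorted(after[cpu] - before[cpu])
        removed = sorted(before[cpu] - after[cpu])
        if added or removed:
            result[cpu] = (added, removed)
    return result


def spec_ctrl_support(cpuinfo_text):
    """Which speculation-control flags every listed CPU reports."""
    per_cpu = cpu_flags(cpuinfo_text)
    common = set.intersection(*per_cpu.values()) if per_cpu else set()
    return {name: name in common for name in SPEC_FLAGS}


if __name__ == "__main__":
    for cpu, level in sorted(patch_levels(SAMPLE_DMESG).items()):
        print(f"CPU{cpu}: patch_level={level:#010x}")
    print("mixed revisions:", mixed_revisions(SAMPLE_DMESG))
    for cpu, (added, removed) in flag_diff(CPUINFO_BEFORE, CPUINFO_AFTER).items():
        print(f"CPU{cpu}: added={added} removed={removed}")
    print("speculation control:", spec_ctrl_support(CPUINFO_AFTER))
```

On a real system, pass the output of `dmesg` and the contents of /proc/cpuinfo saved before and after the update instead of the constructed strings.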




[gentoo-user] Where are the AMD microcode updates for spectre?

2018-05-12 Thread taii...@gmx.com
^title
AMD has released them for all of the recent CPU's and I simply must have
them.

It seems the last update to amd-ucode on linux-firmware was in 2016,
does anyone know whom I would contact about this who has the juice to do
it? I need fam15h.

AMD is being annoying and not releasing them to the plebeians only OEM
partners - I assume perhaps to encourage people to buy new hardware as
most OEM's won't release BIOS updates for older boards.

Thanks.




[gentoo-user] AMD Opteron microcode updates for spectre

2018-04-12 Thread taii...@gmx.com
When is gentoo going to receive these?





Re: [gentoo-user] Gentoo Hardened vs Kali Linux

2018-04-02 Thread taii...@gmx.com
/* loading hacking tools /*

I met someone who said he games on kali... why? all the elite hackers
use it - it is a very powerful linux that is perfect for dual-booting
with windows 10 due to its high level of security.



Re: [gentoo-user] Re: [TOT: Total offtopic]

2018-04-01 Thread taii...@gmx.com
I have one from almost 10 years ago, what's the difference :[? how can
you tell?

I still like it though >:[




Re: [gentoo-user] [TOT: Total offtopic]

2018-04-01 Thread taii...@gmx.com
If you are unable to fix it yourself (but I think you can :D) Unicomp
offers parts and repairs for Model M's (along with their kentucky usa
made Model M's - they use the original tooling)




Re: [gentoo-user] Firefox and addons no longer supported question

2018-04-01 Thread taii...@gmx.com
I am sticking with ice-cat aka firefox 52 stable long term support but I
do not know what I shall do when the long terms term is up... maybe
switch to waterfox and hope their dev team is skilled enough to make a
quality product (of course anyone with the skills should assist)

Mozilla is really bad these days they have become almost like microsoft
making changes that no one wants and stealthily forcing
advertising/tracking on people - there really needs to be a professional
fork similar to the devuan/debian split over the evil SystemD. (How come
almost every distro adapted it suddenly overnight? entirely not
suspicious at all)

Damn everything good these days is declared "legacy" and thrown away,
soon a modern laptop won't have any ports at all and will be entirely
wireless like the macbook wheel parody.




Re: [gentoo-user] How to flash an LSI SAS controller from IR to IT mode on linux with sas2flsh

2018-03-21 Thread taii...@gmx.com
On 03/21/2018 04:44 PM, Corbin Bird wrote:

> Curious ... you cannot use 'FreeDOS' even as a bootable cdrom?
> Its very easy to open the image, tuck in two files and one new
> directory, then close and burn the image.
I have not figured out where to place them on the iso so that they are
accessible nor alternatively how to load the drivers and mount a cdrom.
Do you know how?




Re: [gentoo-user] Re: A new AMD CPU weakness?

2018-03-21 Thread taii...@gmx.com
On 03/21/2018 11:55 AM, R0b0t1 wrote:

> On Sun, Mar 18, 2018 at 4:40 PM, taii...@gmx.com <taii...@gmx.com> wrote:
>> On 03/18/2018 05:33 PM, R0b0t1 wrote:
>>
>>> On Sun, Mar 18, 2018 at 4:24 PM, taii...@gmx.com <taii...@gmx.com> wrote:
>>>> Everyone please remember this is simply an exploit to obtain data off of
>>>> AMD's version of ME which is a DRM mechanism added for hollywood and it
>>>> requires physical access to reprogram the firmware thus this exploit has
>>>> zero impact on anyone who doesn't profit off of DRM.
>>>>
>>> Except if it's anything like the Intel ME exploit, physical access can
>>> be faked using a compromised USB device.
>> You mean the skylake debug port?
>>>> ME/PSP are evil - don't buy computers that have them - you have choices!
>>> No we don't.
>> Yes we do.
>> TALOS 2? g505s laptop? kgpe-d16? novena?
>>
>> I play new games at max settings on a pre-PSP AMD system KGPE-D16 where I
>> have installed a libre firmware for the board and the BMC via the recent
>> OpenBMC port (the facebook version of OpenBMC - less features than the IBM
>> version but still quite nice)
>>
>> The TALOS 2 costs less than a brand new xeon system with similar performance
>> and it has better features such as IBM's OpenBMC, PCI-e 4.0, SMT4 etc.
>> The stars have aligned and given us a libre firmware server/workstation that
>> is brand new and very very fast.
>>
> The x86 parts are slowly going out of stock to the point where they
> are expensive *when* I have found them.
There are still a few sites selling the KGPE-D16 brand new for the
original MSRP of $415, and you can obtain a used CPU from ebay for a
reasonable price that is capable of having two people maxing out the
latest games on a dual gaming VM setup.
> The TALOS 2 is the cheapest POWER system available, but is still many 
> thousands of dollars more
> than a consumer computer (though much higher performance).
Trying to sell libre computers that compete with grandmas $499 dell is
an impossible proposition - competing in the professional workstation
market is however practical and attainable.
> ARM based computers are not comparable in performance to common consumer
> systems. Self hosting on a performant ARM processor is not a
> reasonable proposition. High dollar ARM servers have closed
> motherboard firmware.
>
> Sure, if you devote all of a good salary's disposable income to a
> mostly open hardware computer you can buy one. Most people don't make
> that much.
The idea behind the TALOS 2 is that you spend $2.5K (plus case, ram,
etc) on a computer every 5-10 years rather than $500-$1K on a computer
every year or two.
High performance costs real money, otherwise you can buy one of the
older libre laptops, a kgpe-d16 with a cheap $10 CPU etc.

The Talos 2 is entirely owner controlled, it has libre firmware for the
board and BMC plus various documentation is available even if you aren't
a member of the OpenPOWER foundation.
The only firmware required is for the broadcom nic but there is a
project to remove that and it is behind the IOMMU - this was viewed as
better than supporting intel by purchasing their NIC ASICs.
https://git.raptorcs.com/git/ in case you want to examine some code
https://wiki.raptorcs.com/wiki/Category:Documentation the currently
available public documentation
> The bigger issue than that is all main manufacturers do not
> want to remove their backdoors, and so ever so slowly, there will come
> to be absolutely no choice at all, even for inordinate amounts of
> money.
Yeah, but IBM is luckily becoming more open rather than less open and
they also accept input from the smaller members of the OpenPOWER foundation.
POWER is the way forward for the high performance sector and IBM's only
real way of differentiating themselves is being owner controlled, sure
POWER is faster than x86 for the same price and it has more threads per
core and more cores per CPU but a compelling reason is needed for the
average business to take the time to port their software.



Re: [gentoo-user] How to flash an LSI SAS controller from IR to IT mode on linux with sas2flsh

2018-03-20 Thread taii...@gmx.com

On 03/19/2018 08:02 PM, mad.scientist.at.la...@tutanota.com wrote:

> A virtual machine is useful largely because it isolates the VM from the real
> hardware, therefore it's not likely you can update firmware from a VM (you
> really shouldn't be able to).

Actually you can update firmware from a VM, I have done it many times on
many different PCI-e cards and I already updated the IR mode firmware to
the latest version in a linux VM (but you need DOS to go IR>IT)

It is part of the reason as to why SR-IOV was created besides the
performance benefits you also get security benefits with restricted
registers and the inability to flash a malicious firmware from a guest
if you attach a VF to the VM instead of the PF.

I don't have any UEFI machines as I hate UEFI (all my machines run
coreboot with the grub payload)

> The reason they still want us to upgrade with dos is it's a lowest common
> denominator, i.e. every one has it or can get it (freedos).  it also helps that
> it's a minimal environment.
>
> In any case, I suggest you run a REAL freedos on a Real machine, so that you
> can update real not virtual firmware.  i.e. no Virtual Machine.

The issue is not being able to use linux as well and having a bare metal
freedos won't help my disk driver issue there still won't be a way to
load the files.
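
The PF/VF distinction made in the message above, as an added example (not code from the thread): it lists PCI functions bound to vfio-pci for passthrough and reports whether each is an SR-IOV virtual function or a whole physical function. The sysfs tree is constructed in a temporary directory, and the device addresses and the `mpt3sas` host binding in it are assumptions.

```python
import os
import tempfile


def role(dev_dir):
    """Classify one /sys/bus/pci/devices/<BDF> directory as VF, PF or plain."""
    # A virtual function carries a 'physfn' symlink back to its parent PF.
    if os.path.islink(os.path.join(dev_dir, "physfn")):
        return "VF"
    # Only an SR-IOV capable physical function exposes sriov_totalvfs.
    if os.path.exists(os.path.join(dev_dir, "sriov_totalvfs")):
        return "PF"
    return "plain"


def bound_driver(dev_dir):
    """Name of the kernel driver bound to the device, or None if unbound."""
    link = os.path.join(dev_dir, "driver")
    return os.path.basename(os.readlink(link)) if os.path.islink(link) else None


def audit(devices_dir="/sys/bus/pci/devices"):
    """Return (bdf, role, parent_pf) for every function bound to vfio-pci.

    A 'PF' entry means a guest would receive the whole SR-IOV capable device,
    including whatever firmware-update path the physical function exposes.
    """
    findings = []
    for bdf in sorted(os.listdir(devices_dir)):
        dev = os.path.join(devices_dir, bdf)
        if bound_driver(dev) != "vfio-pci":
            continue  # not prepared for passthrough, stays with the host
        kind = role(dev)
        parent = None
        if kind == "VF":
            parent = os.path.basename(os.path.realpath(os.path.join(dev, "physfn")))
        findings.append((bdf, kind, parent))
    return findings


def build_sample_tree(root):
    """Create a constructed stand-in for /sys/bus/pci/devices under root."""
    devices = os.path.join(root, "devices")
    # bdf: (bound driver, is SR-IOV PF, parent PF if this is a VF)
    layout = {
        "0000:03:00.0": ("mpt3sas", True, None),             # PF kept by host
        "0000:03:10.0": ("vfio-pci", False, "0000:03:00.0"),  # VF for a guest
        "0000:04:00.0": ("vfio-pci", True, None),            # PF handed over whole
        "0000:05:00.0": ("vfio-pci", False, None),           # device without SR-IOV
    }
    for bdf, (driver, is_pf, parent) in layout.items():
        dev = os.path.join(devices, bdf)
        os.makedirs(dev)
        os.makedirs(os.path.join(root, "drivers", driver), exist_ok=True)
        os.symlink(os.path.join("..", "..", "drivers", driver),
                   os.path.join(dev, "driver"))
        if is_pf:
            with open(os.path.join(dev, "sriov_totalvfs"), "w") as fh:
                fh.write("16\n")
        if parent:
            os.symlink(os.path.join("..", parent), os.path.join(dev, "physfn"))
    return devices


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        for bdf, kind, parent in audit(build_sample_tree(root)):
            if kind == "VF":
                print(f"{bdf}: VF of {parent}")
            elif kind == "PF":
                print(f"{bdf}: whole SR-IOV physical function bound to vfio-pci")
            else:
                print(f"{bdf}: no SR-IOV, passed through as a whole device")
```

Calling `audit()` with no argument reads the live /sys/bus/pci/devices tree on a Linux host.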


[gentoo-user] How to flash an LSI SAS controller from IR to IT mode on linux with sas2flsh

2018-03-19 Thread taii...@gmx.com
I am told to create a DOS usb flash drive with windows but I am unable
to do that.
I have tried getting the required files in to a VM FreeDOS installation 
but I haven't been able to figure out how to do that, there is no actual 
way to load the cdrom drivers.


Jesus christ it is 2018 and they still want us to use dos to flash 
hardware >:'[




Re: [gentoo-user] Re: A new AMD CPU weakness?

2018-03-18 Thread taii...@gmx.com

On 03/18/2018 05:33 PM, R0b0t1 wrote:

> On Sun, Mar 18, 2018 at 4:24 PM, taii...@gmx.com <taii...@gmx.com> wrote:
>> Everyone please remember this is simply an exploit to obtain data off of
>> AMD's version of ME which is a DRM mechanism added for hollywood and it
>> requires physical access to reprogram the firmware thus this exploit has
>> zero impact on anyone who doesn't profit off of DRM.
>
> Except if it's anything like the Intel ME exploit, physical access can
> be faked using a compromised USB device.

You mean the skylake debug port?

>> ME/PSP are evil - don't buy computers that have them - you have choices!
>
> No we don't.

Yes we do.
TALOS 2? g505s laptop? kgpe-d16? novena?

I play new games at max settings on a pre-PSP AMD system KGPE-D16 where
I have installed a libre firmware for the board and the BMC via the
recent OpenBMC port (the facebook version of OpenBMC - less features
than the IBM version but still quite nice)


The TALOS 2 costs less than a brand new xeon system with similar 
performance and it has better features such as IBM's OpenBMC, PCI-e 4.0, 
SMT4 etc.
The stars have aligned and given us a libre firmware server/workstation 
that is brand new and very very fast.




Re: [gentoo-user] Re: A new AMD CPU weakness?

2018-03-18 Thread taii...@gmx.com
Everyone please remember this is simply an exploit to obtain data off of 
AMD's version of ME which is a DRM mechanism added for hollywood and it 
requires physical access to reprogram the firmware thus this exploit has 
zero impact on anyone who doesn't profit off of DRM.


ME/PSP are evil - don't buy computers that have them - you have choices!



Re: [gentoo-user] A new AMD CPU weakness?

2018-03-13 Thread taii...@gmx.com

Here is a non-shortened link.
https://it.slashdot.org/story/18/03/13/1558221/researchers-find-critical-vulnerabilities-in-amds-ryzen-and-epyc-processors-but-they-gave-the-chipmaker-only-24-hours-before-making-the-findings-public

All the more reason to avoid the ME/PSP garbage and instead buy the 
equivalently priced, owner controlled and higher performance OpenPOWER 
arch systems such as the libre firmware TALOS 2.


Pretty much someone found a bug in AMD's version of ME which *how 
terrible* in other words you can use this to defeat hollywoods AMD PSP 
DRM which is the true reason of existence for ME/PSP, to prevent people 
from owning and controlling their devices.


I can't believe the new normal is not being able to really buy a 
mainstream computer because you don't own it and everyone in the tech 
press and so called experts says its a good thing, oh it is to "keep you 
safe from hackers" and they pretend like it has always been this way as 
if it wasn't just a recent change that for some reason all the major
OEM's did at the exact same time - I wonder why.


"The corporate sector asked for this" - MYTH - They already had it, it 
is a BMC/LOM chip and it was owner controlled. I doubt any company with 
IP worth something wants a super insecure black box supervisor processor 
that they don't control on every computer of theirs.



If you need secure remote management you can use OpenBMC which is 
present on the TALOS 2 (IBM OpenBMC) and also the KCMA-D8 and KGPE-D16 
pre-PSP x86 boards (you can replace the crappy non-free ASUS firmware on 
the ASMB module with the facebook version of OpenBMC which was recently 
ported to it via crowdfunding)




Re: [gentoo-user] A new AMD CPU weakness?

2018-03-13 Thread taii...@gmx.com

On 03/13/2018 08:54 PM, Ian Zimmerman wrote:


https://v.gd/PZkiuR

Does anyone know more details?


A shortened link? really? not clicking that.



Re: [gentoo-user] How to use SR-IOV on a LSI RAID controller

2018-03-08 Thread taii...@gmx.com

On 03/08/2018 06:55 PM, R0b0t1 wrote:


https://wiki.archlinux.org/index.php/PCI_passthrough_via_OVMF
https://wiki.installgentoo.com/index.php/PCI_passthrough
https://www.kernel.org/doc/Documentation/vfio.txt

The one sticking point is that you need to figure out the layout of
your PCIe lanes to share multiple devices without conflicts.

Cheers,
  R0b0t1

No not cheers :< that is not what I am asking for.

Again please I know how to assign devices and my board has excellent 
IOMMU groups that is not the issue - I want to know how to create the 
SR-IOV virtual functions and assign drives to them to use the same 
controller on more than one VM concurrently.




Re: [gentoo-user] How to use SR-IOV on a LSI RAID controller

2018-03-08 Thread taii...@gmx.com

On 03/07/2018 09:02 PM, R0b0t1 wrote:


On Wed, Mar 7, 2018 at 7:52 PM, taii...@gmx.com <taii...@gmx.com> wrote:

I bought a LSI-9211-8i / SAS 2008 controller which reports support for
SR-IOV in lspci and I am wondering how I can use it.

There is no info on the internet about this not even for their newer
controllers where there is a lot of advertising about SR-IOV.

The idea is that you can assign a RAID array, individual hard drive, etc to
a VF which is then assigned to a VM via IOMMU providing better almost native
performance vs emulated disks.

Thanks!

If it supports SR-IOV you can pass it to a guest with VFIO. If it did
not support SR-IOV it would not support VFIO.
I know - my question is how do I create the virtual functions and assign 
the drives to them instead of simply attaching the entire controller?


According to LSI's press release you could have for instance 5 different
RAID's assigned to 5 different VM's via virtual functions - not simply
all of them assigned to one VM via assigning the controller like a non
SR-IOV device




[gentoo-user] How to use SR-IOV on a LSI RAID controller

2018-03-07 Thread taii...@gmx.com
I bought a LSI-9211-8i / SAS 2008 controller which reports support for 
SR-IOV in lspci and I am wondering how I can use it.


There is no info on the internet about this not even for their newer 
controllers where there is a lot of advertising about SR-IOV.


The idea is that you can assign a RAID array, individual hard drive, etc 
to a VF which is then assigned to a VM via IOMMU providing better almost 
native performance vs emulated disks.


Thanks!




Re: [gentoo-user] USB ports reset/restart

2018-03-06 Thread taii...@gmx.com

On 03/05/2018 08:40 PM, the...@sys-concept.com wrote:


Is there a way to reinitialize USB ports without restarting the computer?

You can issue an FLR/function level reset if the hardware supports it.

I am not sure how to do this but I know it is done when one assigns a 
device to a VM.




Re: [gentoo-user] Re: Best *SIMPLE* firewall?

2018-02-28 Thread taii...@gmx.com
Is there a windows style application layer firewall? I get that it 
doesn't stop truly malicious programs but I am simply wanting to stop 
random programs doing connections without my consent which due to the 
lennart potterings's of the world now are not just a windows freeware 
problem.




[gentoo-user] Is anyone using a TALOS 2 or any OpenPOWER machine?

2018-02-22 Thread taii...@gmx.com
I am curious as to people's experiences with OpenPOWER machines and
gentoo - is it as simple as using the ppc64 arch iso instead of x86_64?
If anyone uses it for a workstation, what apps do you have? is there 
anything normal missing? (ie: that one would have on an x86_64 workstation)


I noticed that gentoo only has big endian isos instead of little endian 
and I am also wondering what this means for software availability as I 
have never heard of endianness before a few months ago.


Info:
https://en.wikipedia.org/wiki/POWER9 (POWER is now the only high 
performance arch that is owner controlled now that AMD has its ME analog 
PSP)
http://raptorcs.com/ (The T2 is a modified "romulus" reference board 
made available to the general public with libre firmware)




Re: [gentoo-user] Re: gcc 7.3 + kernel 4.15 = spectre_v2 fixed

2018-01-31 Thread taii...@gmx.com

On 01/31/2018 04:16 AM, Nikos Chantziaras wrote:


On 30/01/18 23:43, Rich Freeman wrote:

If you had some program that listened on a socket and accepted a
length and a string and then did a bounds check using the length, it
might be exploitable if a local process could feed it data. Even if
the process only listened for outside connections it might be
vulnerable if a local process colluded with a remote host to make that
connection.


Well, if you're running a local process that is trying to attack you, 
you've been compromised already, imo.


Local processes are always trusted. If Spectre is a vulnerability that 
can be exploited by trusted code, it's not really a vulnerability. 
Trusted code is called "trusted" for a reason.
I wouldn't classify for instance running a multiplayer game in a VM as 
"trusted" code, the whole point of hardware virtualization is that you 
don't have to trust what is being executed there.


Not to mention the issue with most websites requiring javascript for no 
reason to function properly.




Re: [gentoo-user] [off topic] Opteron CPU missing chips on the bottom

2018-01-30 Thread taii...@gmx.com

On 01/30/2018 09:43 AM, Peter Humphrey wrote:


On Tuesday, 30 January 2018 13:51:31 GMT taii...@gmx.com wrote:

I purchased a used g34 opteron off of fleabay (sold as working with no
mention of this) and I noticed that it is missing some of the bits on
the bottom

Do you mean the pins that mate with the socket?


... and that most of them are crooked,

Send it back! Don't even touch it. Any attempt to straighten a pin will snap
it off, as like as not.

Not the pins (which on socket g34 are on the motherboard)

It is the little IC components on the bottom of the CPU.



[gentoo-user] [off topic] Opteron CPU missing chips on the bottom

2018-01-30 Thread taii...@gmx.com
I purchased a used g34 opteron off of fleabay (sold as working with no 
mention of this) and I noticed that it is missing some of the bits on 
the bottom and that most of them are crooked, I haven't tried it in my
system yet and I am wondering if I should return it, or if there isn't
much risk of it damaging my (expensive kgpe-d16) motherboard and I
should see if it works?


I got it for half the usual price - guess I should have asked for photos.

I noticed many CPU's sold on ebay have this issue (in those cases they 
mentioned it) but I can't understand how it happens, for instance I 
noticed a 6386 for sale where they mentioned that it was missing a few 
and because of that it doesn't work in a dual socket configuration.




Re: [gentoo-user] Opinions on DVR/PVR backend?

2018-01-26 Thread taii...@gmx.com
So you know the RPI is not open source as the RPI foundation doesn't 
provide firmware sources.
Proprietary firmware is required to boot and fully use the device as the 
RPI foundation only cares about open source when it is convenient to them.


I would consider purchasing another device, of which legitimately open 
source low power ARM devices are a dime a dozen (vs the high performance 
realm where POWER's TALOS 2 or rare developer boards are the only choice)




Re: [gentoo-user] Microcode updates for "old" Intel CPU's

2018-01-13 Thread taii...@gmx.com

On 01/13/2018 12:50 PM, Mick wrote:


Thank you Taiidan for taking time to respond.

Always man!

On Friday, 12 January 2018 17:21:19 GMT you wrote:

AMD says they are releasing microcode updates for their previous
generation CPU's (Opteron, FX, etc) next week.
So much better than intel throwing older CPU owners to the wolves.

Indeed, this is one more reason I will not look at Intel ever again!



In terms of what CPU to get - I would get either an AMD G34/C32 Opteron
(pre-PSP) with a compatible libre firmware board (KGPE-D16 or KCMA-D8)
or if you can afford it a POWER9 system as IBM quickly released updates
for POWER to solve this issue and if they ever stopped due to
considering your system "too old" POWER9 is owner controlled and
documented so the community could theoretically patch its own microcode.

You can make a C32 libre firmware gaming system for around 500-700, so
that is quite affordable.

The problem with KGPE-D16 and KCMA-D8 is that I can't find these new in the
UK.  All I find is stripped down second hand MoBos in ebay from businesses
shuttering and repossessions.  Also, they do not appear to come with modern
niceties for a desktop like HDMI or DP ports?
You have to install a graphics card - like with any other 
server/workstation motherboard the onboard graphics are crappy.


I would order one from the US if you can't find a UK retailer, these are 
the most easily obtainable and affordable owner controlled boards.

Power9 appear to be quite new and again I can't find a place that sells them
or provides a price for them ...

https://raptorcs.com
The TALOS 2 - made by the same folks who did the coreboot ports for the 
D8 and D16 boards
It is pending RYF certification, is 100% owner controlled and it has 
libre firmware from the factory.
POWER is the only owner controlled performance CPU out there, IBM 
publishes a lot of documentation and there is absolutely no hardware 
code signing enforcement not even for the microcode.


Please note that 5K is an average price for server hardware in that 
performance class, there are a variety of lower end owner controlled 
options if that is too much/if you don't need something that fast.

We don't do any gaming with our PCs.  General office suite applications, heavy
browsing/emails and some media transcoding.

The market has been cornered by the near monopoly of Intel, especially on
laptops.  The last PC I built was a relatively cheap and cheerful AMD
A10-7850K on an ASUS MoBo, which sadly comes loaded with its own hardwired PSP
rootkit.  :-(

You can install a FM2 CPU on that, the plus has PSP the regular doesn't.

Any ideas for places I could look for a power9 workstation - assuming it is
affordable, or are there are any other CPU/MoBos I could look at?

Define affordable?
People have gotten used to intel's cheap CPU's that they don't really 
own - even just 15 years ago computers used to cost significantly more.
I remember when the P4 was just released and crappy pre-builds were 
going for 2K+.




Re: [gentoo-user] Microcode updates for "old" Intel CPU's

2018-01-12 Thread taii...@gmx.com

On 01/12/2018 02:06 PM, Rich Freeman wrote:



It shouldn't be.  I'm not sure if Ryzen has anything equivalent to the
Intel Management Engine.

It does, it is called AMD PSP.

Like ME it is closed source and it can't be disabled - no matter what 
people might claim.




Re: [gentoo-user] Microcode updates for "old" Intel CPU's

2018-01-12 Thread taii...@gmx.com
AMD says they are releasing microcode updates for their previous 
generation CPU's (Opteron, FX, etc) next week.

So much better than intel throwing older CPU owners to the wolves.

In terms of what CPU to get - I would get either an AMD G34/C32 Opteron 
(pre-PSP) with a compatible libre firmware board (KGPE-D16 or KCMA-D8) 
or if you can afford it a POWER9 system as IBM quickly released updates 
for POWER to solve this issue and if they ever stopped due to 
considering your system "too old" POWER9 is owner controlled and 
documented so the community could theoretically patch its own microcode.


You can make a C32 libre firmware gaming system for around 500-700, so 
that is quite affordable.




[gentoo-user] Microcode updates for "old" Intel CPU's

2018-01-07 Thread taii...@gmx.com
I have several sandy/ivybridge CPU's and I was wondering if anyone knows 
as to if intel is releasing microcode updates for them.


It sure would be funny if intel wanted you to buy a new CPU to fix a 
problem that was their fault to begin with.





Re: [gentoo-user] Re: [was: What can cause printer to crop top of page?] /etc/papersize is ignored

2017-12-27 Thread taii...@gmx.com
For the record I would also like to add that using the duplexer on some 
poorly designed printers cuts off the bottom or top of the page without 
any type of notification.




Re: [gentoo-user] Re: How to harden a system

2017-12-26 Thread taii...@gmx.com

On 12/25/2017 06:33 PM, Ian Zimmerman wrote:


On 2017-12-24 14:44, taii...@gmx.com wrote:


POWER 9: TALOS 2 (server/workstation, brand new and very high
performance - the only brand new hardware that is legitimately libre)

This is interesting, but can it run gentoo?  There's a handbook edition
for PPC64, but that's not quite the same, is it?

It is.
PPC64 is big endian, PPC64LE is little endian.

POWER8/9 are Bi-Endian so you can use both (most linux distros only 
support little)


PPC64 compile covers PowerPC and POWER.


TALOS 2 is an end user obtainable derivative of the Romulus POWER 9 
development board, there are a variety of modifications and it is more 
open source than Romulus - you can also pay for it with bitcoin.
It supports dual sforza CPU's which have up to 24 cores per socket with 
SMT4 (4 threads at the same time per core)




Re: [gentoo-user] How to harden a system

2017-12-24 Thread taii...@gmx.com
I would also consider purchasing a system with libre firmware and 
without ME/PSP such as:


POWER 9:
TALOS 2 (server/workstation, brand new and very high performance - the 
only brand new hardware that is legitimately libre)


x86-64:
(older, pre-PSP AMD - the best CPU's for C32/G34 are equivalent to one
FX-8310 for the 8 core or almost two FX-8310 for the 16 core)

KGPE-D16 (server)
KCMA-D8 (workstation)
Lenovo G505S (laptop)

It is truly disturbing to think that someone with an ME exploit could 
hack 80% of the computers on the planet.




Re: [gentoo-user] Re: Is gnome becoming obligatory?

2017-12-09 Thread taii...@gmx.com

On 12/09/2017 05:45 AM, Mick wrote:

On Saturday, 9 December 2017 10:34:32 GMT Nikos Chantziaras wrote:

On 09/12/17 11:51, Mick wrote:

I've seen gnome-base/gnome-common pulled in on more than one systems, all
of which have USE="-gnome" set:
   # emerge -uaNDvt world

These are the packages that would be merged, in reverse order:
[...]
Calculating dependencies... done!
[ebuild  N ]  gnome-base/gnome-common-3.18.0-r1:3::gentoo
USE="autoconf-archive" 153 KiB
[...]

All systems are on profile:  default/linux/amd64/17.0/desktop/plasma

Why is gnome-base/gnome-common needed?

It's an extremely lightweight package. There seem to be some packages
that need files from it. The package itself only installs these files:

$ qlist gnome-common
/usr/bin/gnome-autogen.sh
/usr/share/aclocal/gnome-common.m4
/usr/share/aclocal/gnome-compiler-flags.m4
/usr/share/aclocal/gnome-code-coverage.m4
/usr/share/doc/gnome-common-3.18.0-r1/ChangeLog.bz2
/usr/share/doc/gnome-common-3.18.0-r1/README.bz2

So basically it only copies some small text files to /usr. It doesn't
build anything.

Thank you all for detailed and clear replies.  You'd forgive me for being (a
little) paranoid about Poettering's fingers getting anywhere near my systems.
:-p


For now, only a few text files - tomorrow - many more.

You give poettering an inch he will take a hundred miles.



Re: [gentoo-user] is multi-core really worth it?

2017-12-04 Thread taii...@gmx.com
On my 16 core opteron I have to do -j32 or sometimes -j64 to be using 
everything all the time, is this normal? If I don't do this it won't be 
pegged at 100% all the time.


I assume using a ramdisk would help with this? I wouldn't want to do a 
SSD as I assume it would excessively wear by doing compiles.




Re: [gentoo-user] Looking for a pre-compiled Linux distribution

2017-11-23 Thread taii...@gmx.com

On 11/23/2017 12:11 PM, Helmut Jarausch wrote:


Hi,

I'd like to recommend a Linux distribution to someone who needs an as 
simple Linux distribution as possible.
Since I am going to help that person from time to time, it should be 
as similar as possible to Gentoo.


Which distribution would you recommend.

Maybe sabayon?



Re: [gentoo-user] Intel ucode updates for ME issues?

2017-11-22 Thread taii...@gmx.com

On 11/23/2017 12:47 AM, R0b0t1 wrote:


I think the information I outlined is a pretty good argument for assuming the ME
can not be disabled.

Even if true, there's not much to be done about it anyway
Yeah it certainly can't be disabled (I argue this point on a regular 
basis to no avail), as in non functional as it is involved in the 
pre-BIOS-boot process.
A certain low-morals company claims that they "disable" it with 
me_cleaner (they also infer they made it) but that is impossible.


To me disabled is no electricity flowing through it/physically 
disconnected and that couldn't be the case without enough money and 
resources to the point where one could simply make a POWER laptop with 
the current lot of POWER9 CPU's (ie: downclock and do some power saving 
engineering) - so de-facto impossible.




Re: [gentoo-user] Intel ucode updates for ME issues?

2017-11-22 Thread taii...@gmx.com

On 11/22/2017 11:16 PM, R0b0t1 wrote:


Does anyone have more information on this? Has anything been
published? I'm interested in exploiting my own computers so I can
control the ME.
It seems that it is the same people who figured out HAP mode but they 
haven't made a blog update I would ask on the coreboot mailinglist, 
there are some very smart people there.


Although I doubt you will find any real information anywhere at all due 
to the recent "white hat" tendency to restrict the real nuts and bolts 
info and utilities to wealthy corporations instead of us peons who 
*gasp* might do something "bad" with it/don't have lots of money to pay 
for a "premier" support account.


I am curious as to why you wish to do this, considering you can buy a 
libre firmware owner controlled motherboard with better functionality 
(ex: OpenBMC) than any me/psp board for only $250 and $100 for a FX-8310 
equivalent cpu.


On 11/22/2017 11:18 PM, R0b0t1 wrote:


On Wed, Nov 22, 2017 at 6:03 PM, taii...@gmx.com <taii...@gmx.com> wrote:

Using ME cleaner would also solve the issue and you wouldn't need any more
firmware updates when the next "bug" comes around.


Intel ME has been found to remain active after being disabled, and
some motherboards that do not ship as "vPro enabled" and consequently
haven't had the licensing paid for certain features have been found
with those same features enabled. I own an Asus laptop which is
affected. Some Asus forum post reported that there's a Java-based SOAP
webserver listening on the port associated with Intel ME. Intel ME is
not visible to the BIOS, and so it can't be turned any more "off."
I understand the limitations of me_cleaner, although in this case it 
would in fact solve the problems as all the currently *publicly* 
discovered "bugs" are all ME feature exploits (and the features are 
removed by me_cleaner) rather than exploits of the ME kernel although I 
am certain that one is on the way.


Believe me I know what I am talking about, I regularly provide support 
on the coreboot mailinglist and I own a variety of devices that are 
owner controlled with libre firmware (and of course no ME/PSP).




Re: [gentoo-user] Intel ucode updates for ME issues?

2017-11-22 Thread taii...@gmx.com

On 11/22/2017 12:42 AM, Adam Carter wrote:


I notice that an update for sys-firmware/intel-microcode just come through
on ~amd64, does that address the ME issues?

http://www.zdnet.com/article/intel-weve-found-severe-bugs-in-secretive-management-engine-affecting-millions/

Or will my NUC need a firmware update?

That would be "solved"[1] via a firmware update, microcode update is 
microcode - only for the cpu.
If you don't get one for your hardware due to the vendor saying it is 
"too old" (to scam you to buy a new motherboard for no reason) you can 
bisect the BIOS update and add it yourself (ask on the coreboot 
mailinglist how to do this for more info) not too difficult.


Using ME cleaner would also solve the issue and you wouldn't need any 
more firmware updates when the next "bug" comes around.



[1] Intel ME/AMD PSP will always be full of security "bugs" as they are 
designed to be an uber backdoor for god knows who - one can avoid this 
via getting either a slightly older x86-64 setup such as 
KCMA-D8/KGPE-D16 opteron motherboards (RYF libre firmware and a libre 
bmc firmware is available for them they also don't need microcode updates
for series 2 CPU's), a g505S laptop (open source init firmware 
available) or a TALOS 2 server/workstation (POWER9, very very high 
performance high end server hardware with the usual price for that level 
of performance but you get libre firmware AND libre hardware RYF 
certification pending on release)




Re: [gentoo-user] #gentoo experiences

2017-11-19 Thread taii...@gmx.com

On 11/19/2017 11:37 AM, Daniel Frey wrote:

The way it's worded makes me think feedback was requested on the irc 
channels, but maybe I am wrong?

Ha oh boy.

Most people of my generation refer to things as a hashtag on "social" 
media, such as I just purchased a #brandX computer.
I just woke up so I wasn't yet capable of nuance enough to notice that 
it was IRC instead :[ silly me.


Sorry for the misunderstanding folks!



Re: [gentoo-user] #gentoo experiences

2017-11-19 Thread taii...@gmx.com

On 11/19/2017 07:56 AM, Michael Palimaka wrote:


Hi all,

I'm collecting information about people's experiences in #gentoo.

Thanks!

I'm interested in both good and bad experiences, with users, developers,
and operators. Basically, anything that anyone would care to share would
be much appreciated.
The lack of an ncurses setup gui/an express setup option is a major PITA 
which is why I haven't yet used gentoo as dom0 in a production 
environment, If something goes wrong and I am forced to re-install it 
will take long enough for the boss to think I am bad at my job and it 
isn't the type of thing one should do late at night.


Same for home too - when I get back I want to start my movie 
watching/gaming VM and kick back.
I would really enjoy some type of basic ncurses management gui to assist 
with the configuration of the litany of options to make things go 
faster, and to help prevent 2AM mistakes.


I like using a CLI, but I also know that it is not always best.

Feel free to contact me off-list if you'd rather not reply here (if so,
please let me know if you'd like your response kept totally private -
otherwise there is a chance that I might anonymise and share it).
Like most people I hated using gentoo until I got my first 16 core CPU 
to ease the compile time suffering, compiling with an average dual or 
quad core was shockingly slow when I first started using it.


Maybe put a list of cheap but high performance CPU's somewhere with a 
warning to get folks ready for the compile times (ex: the opteron 6386SE 
$130 used for 16 cores and it doesn't have ME/PSP)




Re: [gentoo-user] Linux USB security holes.

2017-11-09 Thread taii...@gmx.com

You can forward your USB controllers to a VM
OR
Disable them in the BIOS

It is very easy to re-write a USB drive firmware via another virus on a 
poorly secured different computer so this doesn't really need physical 
access not that it would be difficult to simply have someone cause a 
scene and then have someone else walk by and insert a drive in to your 
laptop for a few seconds while you were distracted if you were a high 
profile target (politician, ceo, lawyer etc)




Re: [gentoo-user] Dual booting with Windows 10

2017-09-16 Thread taii...@gmx.com

On 09/15/2017 05:03 AM, Radoje Stojisic wrote:


Hi all,

I am interested in doing something too. Do you talk about GPU 
Pass-through? Few months ago I wanted to try it myself but I own a 
Ryzen 1800x and just one GPU. Is there a way with only one GPU?

I am always willing to assist with complex technical problems.

Or do I really need 2GPUs and 2 Keyboard/Mouse?
Yeah you do as it is very difficult to re-map the BAR's of an in-use
graphics device.
Obviously one can use a single keyboard and mouse with a KVM, but the 
multi GPU part is mandatory.


You can buy a video card that doesn't need an additional power 
connection for only $30 or so, plus if you only have one USB controller 
you would need a USB PCI-e card one for $20 - TOTAL $50 very affordable.




Re: [gentoo-user] Dual booting with Windows 10

2017-09-14 Thread taii...@gmx.com

Install it in a VM!

If your system supports IOMMU for graphics devices here is something 
special you can do:


I would instead consider purchasing an additional PCI-e graphics device 
and a PCI-e usb card then installing Windows in a VM with IOMMU-GFX, 
this way you can have your cake and eat it too.


I play my games in a windows VM on my libre coreboot workstation, it 
works great and I highly recommend it
Another reason a VM is much better is that windows doesn't get access to 
your bare metal hardware unless you forward a device so it can't send 
serial numbers back to MS for their spying/marketing database, such as 
your HDD serial number or NIC mac address, and one can avoid a bad virus 
as you can simply restore a previous VM snapshot.


[1] (for the VM's keyboard and mouse if you don't have more than one usb 
controller onboard)




Re: [gentoo-user] What do you think about Firefox 57?

2017-09-08 Thread taii...@gmx.com
To me it seems as though it is more so a political change not so much a 
change done for some technical improvement (there aren't any).


Mozilla is closer and closer with google, as evidenced by making 
telemetry opt-out rather than opt-in [1] and all the "safe" browsing and 
downloading "features" which sends a list and hashes of all the files 
you download to google for inspection.


This is going to break a variety of beloved addons as the new method 
can't support heavy modification of firefox.



[1] as if anyone WANTS to be spied on, the average user has no idea what 
telemetry is and or would believe mozillas bullshit reasoning of "we do 
this to make the browser better, trust us!" I myself have noticed it 
mysteriously turned back on a variety of times similar to windows not to 
mention the annoying practice of allowing addons to randomly open 
windows every update without permission (10 addons 10 windows to inform 
of random changes no one cares about, and now my ISP knows what addons I 
use as it loads their websites - yay)




Re: [gentoo-user] SR-IOV for RAID/HBA's? anyone tried it?

2017-07-03 Thread taii...@gmx.com

On 07/03/2017 12:24 AM, J. Roeleveld wrote:


On July 2, 2017 7:36:02 PM GMT+02:00, "taii...@gmx.com" <taii...@gmx.com> wrote:

On 07/02/2017 02:51 AM, J. Roeleveld wrote:


On July 1, 2017 11:23:06 PM GMT+02:00, "taii...@gmx.com"

<taii...@gmx.com> wrote:

I am wondering if anyone has tried this, apparently several LSI
controllers support portioning out drives to VF's so the guest sees a
controller with those drives attached to it.

What was your experience like? and what controllers did you use?


- Thanks

I am wondering when I would want this?

So you only need one HBA/RAID card per system if you want more than one
VM with quality performance.
It'll always be faster than an emulated disk.

Never noticed any performance issues. Using Xen and raw disk format to the VMs.

http://semiaccurate.com/2009/09/30/lsi-virtualizes-storage-hardware/
For me I have 3/4 the native copy speed, and the I/O for example 
extracting a zip is terrible.



Either the VM needs a fraction of a single disk. Or it needs multiple
disks.

For the latter case, I prefer to pass an entire HBA.

Which one do you have and does yours support FLR?

Using a Supermicro card based on a LSI3008 chipset and dual expander backplane.
I can always add a second HBA if I need more bandwidth.

What is FLR? Googling that gives me a lot of non IT related results.
Function level reset, it is required to be able to assign devices to 
VM's without annoyance.

The 3K series supports SR-IOV so you probably have it.

Could you run # lspci -vv?
Thank you
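
The `lspci -vv` check requested above, as an added example that is not part of the original thread: it reports, per PCI function, whether Device Capabilities advertise Function Level Reset (the FLR also mentioned in the USB reset post) and whether an SR-IOV capability with a VF count is present. The sample text, the device names and the function name `pci_caps` are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise FLR and SR-IOV support from `lspci -vv` text.
# On a live machine: lspci -vv | pci_caps
# Run lspci as root; unprivileged it cannot read the capability list.

# Constructed sample input, not captured from real hardware. Real lspci
# indents with tabs; the parser accepts tabs or spaces.
SAMPLE_LSPCI='01:00.0 Serial Attached SCSI controller: Example HBA (constructed)
    Capabilities: [68] Express (v2) Endpoint, MSI 00
        DevCap: MaxPayload 4096 bytes, PhantFunc 0, Latency L0s <64ns, L1 <1us
            ExtTag+ AttnBtn- AttnInd- PwrInd- RBE+ FLReset+ SlotPowerLimit 0.000W
        DevCtl: CorrErr- NonFatalErr- FatalErr- UnsupReq-
            RlxdOrd+ ExtTag+ PhantFunc- AuxPwr- NoSnoop+ FLReset-
    Capabilities: [138 v1] Single Root I/O Virtualization (SR-IOV)
        IOVCtl: Enable- Migration- MigrationInt- MSE- ARIHierarchy-
        Initial VFs: 16, Total VFs: 16, Number of VFs: 0, Function Dependency Link: 00
02:00.0 USB controller: Example xHCI controller (constructed)
    Capabilities: [a0] Express (v2) Endpoint, MSI 00
        DevCap: MaxPayload 128 bytes, PhantFunc 0, Latency L0s <64ns, L1 <1us
            ExtTag- AttnBtn- AttnInd- PwrInd- RBE+ FLReset- SlotPowerLimit 0.000W
03:00.0 VGA compatible controller: Example legacy GPU (constructed)
    Capabilities: [50] Power Management version 3
'

# pci_caps: read `lspci -vv` text on stdin, print one line per function:
#   <address> flr=<yes|no|n/a> sriov=<yes|no> total_vfs=<n> num_vfs=<n>
# flr=n/a means no PCIe Device Capabilities were listed for that function.
pci_caps() {
    awk '
    # Print the summary line for the function collected so far.
    function emit() {
        if (dev != "")
            printf "%s flr=%s sriov=%s total_vfs=%s num_vfs=%s\n", dev, flr, sriov, total, num
    }
    # Return the decimal number that follows "key" on the line, or "".
    function field(line, key,    i, rest) {
        i = index(line, key)
        if (i == 0) return ""
        rest = substr(line, i + length(key))
        sub(/^[ \t]*/, "", rest)
        sub(/[^0-9].*$/, "", rest)
        return rest
    }
    # An unindented line starting with a hex digit begins a new function.
    /^[0-9a-fA-F]/ {
        emit()
        dev = $1; flr = "n/a"; sriov = "no"; total = 0; num = 0; incap = 0
        next
    }
    # Any labelled line ("DevCtl:", "Capabilities:") ends the DevCap section.
    # DevCtl also carries an FLReset flag (the initiate-reset control bit),
    # which must not be mistaken for the capability bit in DevCap.
    /^[ \t]*[A-Za-z0-9]+:/ { incap = 0 }
    /DevCap:/              { incap = 1 }
    incap && /FLReset\+/   { flr = "yes" }
    incap && /FLReset-/    { flr = "no" }
    /Single Root I\/O Virtualization/ { sriov = "yes" }
    /Total VFs:/ {
        total = field($0, "Total VFs:")
        num   = field($0, "Number of VFs:")
    }
    END { emit() }
    '
}

# Demonstration on the constructed sample.
printf '%s' "$SAMPLE_LSPCI" | pci_caps
```

A function reporting `sriov=yes` with `num_vfs=0` advertises the capability but has no virtual functions instantiated; whether any can be created depends on the device's driver and firmware.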



Re: [gentoo-user] SR-IOV for RAID/HBA's? anyone tried it?

2017-07-02 Thread taii...@gmx.com

On 07/02/2017 02:51 AM, J. Roeleveld wrote:


On July 1, 2017 11:23:06 PM GMT+02:00, "taii...@gmx.com" <taii...@gmx.com> 
wrote:

I am wondering if anyone has tried this, apparently several LSI
controllers support portioning out drives to VF's so the guest sees a
controller with those drives attached to it.

What was your experience like? and what controllers did you use?


- Thanks

I am wondering when I would want this?
So you only need one HBA/RAID card per system if you want more than one 
VM with quality performance.

It'll always be faster than an emulated disk.

Either the VM needs a fraction of a single disk. Or it needs multiple disks.

For the latter case, I prefer to pass an entire HBA.

Which one do you have and does yours support FLR?



[gentoo-user] SR-IOV for RAID/HBA's? anyone tried it?

2017-07-01 Thread taii...@gmx.com
I am wondering if anyone has tried this, apparently several LSI 
controllers support portioning out drives to VF's so the guest sees a 
controller with those drives attached to it.


What was your experience like? and what controllers did you use?


- Thanks




Re: [gentoo-user] Gentoo vs Raspbian on Raspberry Pi 3?

2017-06-26 Thread taii...@gmx.com
I would advise to buy an open source device such as beaglebone not a 
closed source RPI, bb also has higher performance options and is a 
better company.


I was not at all pleased with the transfer speed of an RPI I tried out, 
the low end arm stuff is garbage (high end like appliedmicro is decent tho)


If you want a decent fileserver I would advise getting a KCMA-D8 with a 
35W opteron and installing the libre version of coreboot on it, dual 
onboard gigabit ethernet will satisfy you for sure.




Re: [gentoo-user] Re: Issues with AMD_IOMMU

2017-05-22 Thread taii...@gmx.com
Worse, ideally you wouldn't be using SWIOTLB but I don't know how to 
disable this without re-compiling the kernel.



On 05/21/2017 07:12 PM, Adam Carter wrote:




[0.991863] iommu: Adding device :06:00.0 to group 12
[0.991982] iommu: Adding device :07:04.0 to group 12
[1.063849] AMD-Vi: Found IOMMU at :00:00.2 cap 0x40
[1.063962] AMD-Vi: Interrupt remapping enabled
[1.064145] AMD-Vi: Lazy IO/TLB flushing enabled
[1.065331] perf: AMD NB counters detected

I'm similar, but have a couple of extra entries. I've read a little bit
about them, but so far am unable to determine if their existence indicates
a better or worse kernel config.

[1.036309] AMD-Vi: Lazy IO/TLB flushing enabled
[1.036419] PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
[1.036529] software IO TLB [mem 0xba61a000-0xbe61a000] (64MB) mapped at
[a3b87a61a000-a3b87e619fff]
[1.036744] perf: AMD NB counters detected

And the Linux AGP Driver ( in-kernel ) is working now.

Now this is showing properly with lspci :
00:00.2 IOMMU: Advanced Micro Devices, Inc. [AMD/ATI] RD890S/RD990 I/O
Memory Management Unit (IOMMU)


Same.






Re: [gentoo-user] Re: Issues with AMD_IOMMU

2017-05-16 Thread taii...@gmx.com

FYI:
IOMMU=pt means pass-through, as in no DMA protection.

AMD_IOMMU is for the bulldozer and piledriver based systems, v2 is for 
the newer excavator and beyond stuff that has vAPIC




On 05/16/2017 10:33 AM, Corbin Bird wrote:

On 05/15/2017 09:59 PM, taii...@gmx.com wrote:

On 05/15/2017 12:58 AM, Ian Zimmerman wrote:


The 990FX / 790FX Chipset doesn't have a GART / AGP Aperture or IOMMU
in it.  The CPU contains the original K8 IOMMU ( v1 ) engineered /
converted from a GART.


The 8 and 9 series (not 7) does have an IOMMU, AMD-Vi v1.26.

I have two 890 series (but the server flavor - SR5690 chipset) boards
with an IOMMU and it works great, I play games in a VM with an attached
graphics card on my libre firmware KGPE-D16 and devices are DMA restricted.

Most consumer boards don't properly implement this feature, in fact I
have never seen one that did which is why I bought my coreboot (libre
init variant) D16.
It wouldn't be that difficult to port coreboot to your board if you want
this to work FYI.


Thank you for that info.

Corrections based on fact are appreciated.

http://support.amd.com/TechDocs/43869.pdf
Hell yeah dude, this documentation backs up the fact that the IOMMU is 
on the northbridge - not the CPU.


---

How does one 'port' coreboot?

Last time I went to the coreboot site, I didn't see anything really
helpful to me.
The documentation really sucks, it's DIY or die - but I have never 
programmed anything before in my life and I figured out how to port boards.

Doesn't the 'CPU voltage table firmware blob' require signing NDA's?
Naah you don't need that on most *good* systems, and 
bulldozer/piledriver era AMD was cool with releasing documentation.



Corbin

https://www.coreboot.org/Developer_Manual
https://www.coreboot.org/Motherboard_Porting_Guide
You would start with the KCMA-D8, as it is the closest board - then 
change the superio, irq mappings, acpi etc. It takes some figuring out 
for yourself as there isn't really a detailed guide for it.
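
The boot-log lines quoted in this thread (AMD-Vi detection, lazy flushing, SWIOTLB, shared IOMMU groups) and the `iommu=pt` remark can be checked mechanically. The following is an added example, not part of the original posts: the function names, finding codes and the sample command line are assumptions, and the sample log is constructed from the lines quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: dmesg lines as quoted in the thread (the PCI domain is
# missing there too), merged into one log, plus a made-up kernel command line.
SAMPLE_DMESG = """\
[0.991863] iommu: Adding device :06:00.0 to group 12
[0.991982] iommu: Adding device :07:04.0 to group 12
[1.063849] AMD-Vi: Found IOMMU at :00:00.2 cap 0x40
[1.063962] AMD-Vi: Interrupt remapping enabled
[1.064145] AMD-Vi: Lazy IO/TLB flushing enabled
[1.036419] PCI-DMA: Using software bounce buffering for IO (SWIOTLB)
[1.065331] perf: AMD NB counters detected
""".splitlines()
SAMPLE_CMDLINE = "root=/dev/sda2 ro iommu=pt"

GROUP_RE = re.compile(r"iommu: Adding device (\S+) to group (\d+)")


def parse_groups(lines):
    """Map IOMMU group number -> list of PCI devices placed in it."""
    groups = defaultdict(list)
    for line in lines:
        m = GROUP_RE.search(line)
        if m:
            groups[int(m.group(2))].append(m.group(1))
    return dict(groups)


def boot_options(cmdline):
    """Return {key: [values]} for the iommu= and amd_iommu= boot parameters."""
    opts = defaultdict(list)
    for token in cmdline.split():
        key, _, value = token.partition("=")
        if key in ("iommu", "amd_iommu"):
            opts[key].extend(value.split(","))
    return dict(opts)


def assess(lines, cmdline):
    """Return a list of (code, detail) findings about DMA protection."""
    text = "\n".join(lines)
    opts = boot_options(cmdline)
    findings = []

    found = "AMD-Vi: Found IOMMU" in text
    if not found:
        findings.append(("NO_IOMMU", "kernel log reports no AMD-Vi unit"))
    if "off" in opts.get("iommu", []) or "off" in opts.get("amd_iommu", []):
        findings.append(("IOMMU_DISABLED", "IOMMU switched off on the command line"))
    if "pt" in opts.get("iommu", []):
        # As stated in the thread: pass-through, host devices are not restricted.
        findings.append(("PASSTHROUGH", "iommu=pt: host devices use identity mapping"))
    if found and "AMD-Vi: Interrupt remapping enabled" not in text:
        findings.append(("NO_INTR_REMAP", "interrupt remapping not reported"))
    if "Lazy IO/TLB flushing enabled" in text:
        findings.append(("LAZY_FLUSH",
                         "unmapped DMA addresses stay usable until the deferred flush"))
    if "(SWIOTLB)" in text:
        findings.append(("SWIOTLB", "software bounce buffering in use for DMA"))
    for group, devs in sorted(parse_groups(lines).items()):
        if len(devs) > 1:
            # Devices sharing a group cannot be isolated from one another.
            findings.append(("SHARED_GROUP", "group %d: %s" % (group, ", ".join(devs))))
    return findings


if __name__ == "__main__":
    for code, detail in assess(SAMPLE_DMESG, SAMPLE_CMDLINE):
        print("%-14s %s" % (code, detail))
```

On a live system the inputs would be the output of `dmesg` and the contents of `/proc/cmdline`.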




Re: [gentoo-user] Re: Issues with AMD_IOMMU

2017-05-15 Thread taii...@gmx.com

On 05/15/2017 10:59 PM, taii...@gmx.com wrote:


On 05/15/2017 12:58 AM, Ian Zimmerman wrote:


The 990FX / 790FX Chipset doesn't have a GART / AGP Aperture or IOMMU
in it.  The CPU contains the original K8 IOMMU ( v1 ) engineered /
converted from a GART.


The 8 and 9 series (not 7) does have an IOMMU, AMD-Vi v1.26.

I have two 890 series (but the server flavor - SR5690 chipset) boards 
with an IOMMU and it works great, I play games in a VM with an 
attached graphics card on my libre firmware KGPE-D16 and devices are 
DMA restricted.


Most consumer boards don't properly implement this feature, in fact I 
have never seen one that did which is why I bought my coreboot (libre 
init variant) D16.
It wouldn't be that difficult to port coreboot to your board if you 
want this to work FYI.



To be clear, it is present on the northbridge chipset not the CPU - AMD 
documentation backs this up.




Re: [gentoo-user] Re: Issues with AMD_IOMMU

2017-05-15 Thread taii...@gmx.com

On 05/15/2017 12:58 AM, Ian Zimmerman wrote:


The 990FX / 790FX Chipset doesn't have a GART / AGP Aperture or IOMMU
in it.  The CPU contains the original K8 IOMMU ( v1 ) engineered /
converted from a GART.


The 8 and 9 series (not 7) does have an IOMMU, AMD-Vi v1.26.

I have two 890 series (but the server flavor - SR5690 chipset) boards 
with an IOMMU and it works great, I play games in a VM with an attached 
graphics card on my libre firmware KGPE-D16 and devices are DMA restricted.


Most consumer boards don't properly implement this feature, in fact I 
have never seen one that did which is why I bought my coreboot (libre 
init variant) D16.
It wouldn't be that difficult to port coreboot to your board if you want 
this to work FYI.




Re: [gentoo-user] Issues with AMD_IOMMU

2017-05-14 Thread taii...@gmx.com

On 05/14/2017 01:31 AM, Adam Carter wrote:


Tried kernels 4.10.13 and 4.11, with
CONFIG_GART_IOMMU=y
CONFIG_IOMMU_HELPER=y
CONFIG_IOMMU_API=y
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_IOVA=y
CONFIG_AMD_IOMMU=y
CONFIG_AMD_IOMMU_V2=m
Chipset is 990FX, and AFAICT the V2 is for the APU (bdver3 and 4 vintage).

When I enable the IOMMU in the BIOS I get stack traces. Is anyone using
AMD_IOMMU successfully? If so, any tips?


Is this a gentoo kernel or one from kernel.org?

What are the exact errors you are getting? random? can you post?
On 05/14/2017 11:06 AM, Alan Grimes wrote:

Adam Carter wrote:

Tried kernels 4.10.13 and 4.11, with
CONFIG_GART_IOMMU=y
CONFIG_IOMMU_HELPER=y
CONFIG_IOMMU_API=y
CONFIG_IOMMU_SUPPORT=y
CONFIG_IOMMU_IOVA=y
CONFIG_AMD_IOMMU=y
CONFIG_AMD_IOMMU_V2=m
Chipset is 990FX, and AFAICT the V2 is for the APU (bdver3 and 4 vintage).

When I enable the IOMMU in the BIOS I get stack traces. Is anyone
using AMD_IOMMU successfully? If so, any tips?

On a Phenom II? Yeah, I just retired mine a month ago. On that
system, the IOMMU hardware was kinda a legacy orphan thingy, I had to go
through all kinds of gyrations on the kernel command line in order to
initialize it correctly. I think I had it off in the bios, then enabled
it using a bunch of kernel commands.
990FX would probably be an AMD FX CPU such as the 8350, it usually works 
fine and is enabled by default on most distros.




Re: [gentoo-user] scanning using the sheet feeder (HP 8600 + xsane)

2017-05-06 Thread taii...@gmx.com
I am curious do you have the issue where the scanner light returns back 
to the docking area after every page scanned via ADF? it takes so long 
to scan with that problem and it wears down the gears.


- Thanks



Re: [gentoo-user] switching adapter - power supply

2017-03-20 Thread taii...@gmx.com

On 03/20/2017 01:36 PM, the...@sys-concept.com wrote:


I have a small box "VIA Eden Processor 1200MHz" it runs my asterisk and
hylafax but it is powered by those external 12V adapters (12V 5A).

They don't usually last long, max 2-years or less.  I have a spare unit:
Switching Adapter Power Supply.
The box is in a remote location so if it goes down due to PS I have to
go there and restart it; it shut down twice on me this morning; I think
this adapter is going slowly.

If I find/connect a 12V adapter with higher amps, 10A or 15A, will it help
extend the life of these external power supplies?

Or take one of the old PS from an old case and solder the tip to 12V
line is better solution?

I have something like that which I purchased from mini-box, it gets 
incredibly hot but it still works after a few years - maybe you could 
get something from them?


I would buy another one with higher amps, replace the components inside 
with better ones and fabricate a metal case for it with a heat-sink so 
it lasts longer.


The lifespan you stated is expected for cheap Chinese capacitors, they 
only last 2000/hrs at 80C which is seriously pathetic. (so 6000 hours at 
the probable 20C you have) Get yourself some better long life Japanese 
made ones.




Re: [gentoo-user] ISP extorsion - how to negate / get around?

2017-03-10 Thread taii...@gmx.com

On 03/10/2017 02:50 PM, Corbin Bird wrote:


Have a serious problem, might cost me any Internet access.

My ISP ( Charter ) merged with Time-Warner. New name "Spectrum"

1 # : Now I have intermittent connectivity.

2 # : And with the death of FCC privacy rules, the new ISP is forcing me
to update their records ( for sale-of purposes ). This includes phone (
all ), SSN, bank account numbers, and credit card numbers.
Tell them you are a foreigner and thus you don't have an SSN, offer to 
provide a deposit.


3 # : the ISP attempting to force agreement to "no communications
allowed with the FCC". Also is attempting to force agreement to
"Arbitration with the ISP as the Arbiter" for all complaints.

Ask your local public utilities commission if this is allowed.


4 # : billing is only online now. Not allowed to see a Account
Statement, or receive any "receipt for payment" until I comply with ISP
demands.

5 # : external e-mail clients ( Thunderbird, Claws-Mail, etc. ) are now
starting to have problems. ISP solution -> must use their web based
e-mail app only ( only works with Windoze, surprise! ).

How can a web based email service only work with windows?

6 # : ISP is starting to filter customers web access. The ISP is
deciding what sites customers are allowed to see. ( look up the practice
called "ransom" ).

Get a vpn service?


7 # : no other broadband ISP in the regional area. No alternatives.

They are using a hijack technique that I don't know the name of,
attempting to force compliance.

NOTE : The "hijack technique" will corrupt the portage trees if you use
"emerge-webrsync".

Is there any way to ... fix? work-around? ... this idiocy?



Background info :

The old cable modem suddenly stopped working. The ISP sent out a clone
of a Cisco DPC2316 ( Technicolor ), complete with hacked / trashed /
closed firmware. So I returned the rented cable modem ( bought my own ).
The Technicolor clone was using a built-in Java based "???" to
redirect / filter at the modem.

All cable modems are closed source and controlled by the ISP AFAIK.

Switched to Google Public DNS. Doesn't affect the "hijack technique".


You want privacy but you are using google? what?

The "uMatrix/uBlock Origin" plugins ( Firefox/ Palemoon ) stop the
"hijack technique" in the web browser. Always shows up as an ipv4
address, embedded in a "frame", that resolves to "*-charter-*".


Complain to your local utilities commission.



Re: [gentoo-user] SHA-1 has just been broken

2017-03-03 Thread taii...@gmx.com

On 03/02/2017 06:26 PM, Andrew Savchenko wrote:


On Thu, 2 Mar 2017 03:42:24 -0500 taii...@gmx.com wrote:

It is possible to have a reasonably secure system where the hard drive
firmware (or any other devices) can't fuck around with the stuff on
disk, although I highly doubt that the gentoo infrastructure (and
kernel.org, and all the source repos for all the other software) does this

Hard drive's firmware is a drive's micro OS, it can manipulate data
on the disk as it pleases. The only way to protect privacy of the
data is to write it already encrypted, so it still can be mangled
and become unusable, but privacy will be kept. But see below about
DMA.

Of course, as I stated you have to bootstrap the crypto from the 
motherboard EEPROM chip.

One way is to use a blob-free coreboot IOMMU supporting board and
bootstrap the crypto/kernel off of the board firmware EEPROM chip to
load the initial kernel thus no plaintext touches the disk and thus
nothing can mess with it.

The IOMMU (theoretically) protects the CPU and memory from rogue
devices, such as the hard drive.

No. Any DMA capable device can bypass IOMMU. IOMMU was not
designed to protect OS from device.
That isn't true, it was designed for exactly that and of course for 
assigning devices to VM's.


I get an AMD-Vi IOMMU IO_PAGE_FAULT alert in dmesg whenever a device 
tries to do something it shouldn't and the remapping hardware blocks it.


In linux the kernel/drivers configure which memory locations the devices 
are allowed to access.

In terms of ethics IBM *for now* is a way better company than Intel/AMD,
their POWER servers are owner controlled as there isn't any boot
guard/secure boot/management engine/platform "security" processor (amd's
ME) to stop you from re-writing the firmware as you please. They also
have an getting-there-almost-reasonable open source effort (OpenPOWER)

Indeed they are. But that boxes are quite expensive and hard to get.

Hard to get? You can buy them from IBM's website like any other computer.
http://www-03.ibm.com/systems/power/hardware/linux-lc.html

If you call them you may get a better price, but a credit card, 5 
minutes (and $4.5K) will get you an entry level POWER8 server (although 
the almost open source firmware "Firestone" model costs around 10K) If 
you want a Palmetto you can get one for around $3K.
They are a good deal vs intel/amd when it comes to performance/price, 
and of course the security and owner control aspects are absolutely swell.


If you insert a graphics card you could use one as a workstation.
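
The IO_PAGE_FAULT alerts mentioned in this message can be collected per device to see which hardware keeps touching memory it was not mapped for. This is an added example, not part of the original post: the log lines are constructed in the format the AMD IOMMU driver uses for logged events, with made-up device IDs, domains and addresses, and the function names and the threshold of three faults are assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample: device IDs, domains, addresses and timestamps are made up.
SAMPLE = """\
[  812.101234] AMD-Vi: Event logged [IO_PAGE_FAULT device=03:00.0 domain=0x0011 address=0x00000000fdf91000 flags=0x0030]
[  812.101301] AMD-Vi: Event logged [IO_PAGE_FAULT device=03:00.0 domain=0x0011 address=0x00000000fdf91040 flags=0x0030]
[  813.000410] usb 1-2: new high-speed USB device number 4 using ehci-pci
[  814.250000] AMD-Vi: Event logged [IO_PAGE_FAULT device=00:14.0 domain=0x0003 address=0x0000000000001000 flags=0x0020]
[  815.500000] AMD-Vi: Event logged [IO_PAGE_FAULT device=03:00.0 domain=0x0011 address=0x00000000fdf92000 flags=0x0030]
""".splitlines()

EVENT_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+AMD-Vi: Event logged \[IO_PAGE_FAULT "
    r"device=(?P<dev>[0-9a-f:.]+) domain=(?P<dom>0x[0-9a-f]+) "
    r"address=(?P<addr>0x[0-9a-f]+) flags=(?P<flags>0x[0-9a-f]+)\]"
)
PAGE_MASK = ~0xFFF  # faults are grouped by 4 KiB page


def parse_faults(lines):
    """Extract every IO_PAGE_FAULT event; other log lines are skipped."""
    faults = []
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            faults.append({
                "ts": float(m.group("ts")),
                "device": m.group("dev"),
                "domain": int(m.group("dom"), 16),
                "address": int(m.group("addr"), 16),
                "flags": int(m.group("flags"), 16),
            })
    return faults


def summarize(faults):
    """Per device: fault count, distinct pages hit, first and last timestamp."""
    summary = OrderedDict()
    for f in faults:
        entry = summary.setdefault(f["device"], {
            "count": 0, "domain": f["domain"], "pages": set(),
            "first": f["ts"], "last": f["ts"],
        })
        entry["count"] += 1
        entry["pages"].add(f["address"] & PAGE_MASK)
        entry["first"] = min(entry["first"], f["ts"])
        entry["last"] = max(entry["last"], f["ts"])
    for entry in summary.values():
        entry["pages"] = sorted(entry["pages"])
    return summary


def repeat_offenders(summary, min_faults=3):
    """Devices whose blocked accesses repeat often enough to investigate."""
    return [dev for dev, e in summary.items() if e["count"] >= min_faults]


if __name__ == "__main__":
    for dev, e in summarize(parse_faults(SAMPLE)).items():
        pages = ", ".join("0x%x" % p for p in e["pages"])
        print("%s domain=0x%04x faults=%d pages=[%s]" % (dev, e["domain"], e["count"], pages))
    print("investigate:", repeat_offenders(summarize(parse_faults(SAMPLE))))
```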



Re: [gentoo-user] SHA-1 has just been broken

2017-03-02 Thread taii...@gmx.com

On 02/28/2017 12:05 PM, Miroslav Rovis wrote:


On 170227-21:59-0500, Rich Freeman wrote:

On Mon, Feb 27, 2017 at 8:10 PM, Miroslav Rovis
 wrote:

Apologies for my not being able to reply sooner!

On 170227-18:18+0300, Andrew Savchenko wrote:


And via a new private big business, the Github. Giving over all users to
big Github brother.

???
Github is entirely optional and is only for those who want to use it
(we have both users and devs willing so), but in no way anyone
demands its usage.

Yeah! Still, it would be great if git was used in distributed way, and
not from a central private business...


Git can pretty-much ONLY be used in a distributed way.

Correct, in that sense. But I didn't express clearly what I meant.

I really meant in this sense (invented quotations in this paragraph):

Git was intended for everyone to run their own little git server  and
pull from each other. Git was NOT invented for centralized  commercial
social networking clouds such as github!

That was from:
https://wiki.gentoo.org/wiki/Overlay:Youbroketheinternet


In the sync
workflow github is basically just a mirror.  A lot of our mirrors are
run by private businesses, and nobody knows what OS they're even
hosted on, let alone whether the firmware and CPU microcode are FOSS
along with their hard drive firmware.

I understand that. And I support any honest business. What I hate is
examples like Google, Oracle, Microsoft, IBM is a little more honest, I
think... The few at the control of those ruined so much in computing and
the internet.

GNU and FOSS, to lesser extent OSi, are good, even beautiful, socially
and philosophically.


As far as distribution goes I think github is the wrong thing to worry
about.  What you want is traceable signatures from dev to user.  Once
you have that you can download from an NSA mirror and there shouldn't
be any risk.  All a mirror does is replicate data, and if
modifications are detectable the worst they can do is a DoS.

I see.

Most of the concerns that people tend to have with github is that you
can become dependent on them for issue and pull request tracking and
then if they decide to pull the plug you lose all that data.  We try
to minimize the use of these features and not make it a core part of
the dev workflow.

Good practice!


But, we do use pull requests and in theory we could
lose those someday.  The actual code itself gets pushed to the Gentoo
infra Repo from a developer's box using plain old git after they've
inspected/tested/etc it.  So, there isn't really any way for Github to
go injecting commits into the repositories we actually use.  I guess
they could do it for anybody using our github mirrors on the
distribution side, but that's only because we don't have that all
locked down and the same issue applies with any other mirror (rsync,
etc).  Again, you really need end-to-end signature checking to make
any of these things truly safe.

Absolutely! I did figure that out since long!

--
Rich


And what I've spent some time doing today, is figuring out about the
info that I finally got from you people!

About time! My rattling was all about whether there was or wasn't a way
to do what is still in the title of that mail that I linked to, and gave
Message-ID of, to do this:

Is it safe to switch from webrsync to the git repo now?

And finally Andrew Savchenko pointed me to gkeys !

Here's the answer to my query (ah, just the beginning of, my
implementation of it will take time):

emerge -tuDN app-crypt/gkeys app-crypt/gkeys-gen

# equery f gkeys-gen
...
/usr/share/doc/gkeys-gen-0.2/README.md.bz2
...

(
NOTE: The:
/usr/share/doc/gkeys-0.2/README.md.bz2
of the gkeys package is identical.
)

# bzcat /usr/share/doc/gkeys-gen-0.2/README.md.bz2

Gentoo Keys
---

### About

  Gentoo Keys is a Python based project that aims to manage the GPG keys used
  for validation on users and Gentoo's infrastracutre servers. Gentoo Keys will 
be able
  to verify GPG keys used for Gentoo's release media, such as installation CD's,
  Live DVD's, packages and other GPG signed documents. It will also be used by
  Gentoo infrastructure to achieve GPG signed git commits in the forthcoming git
  migration of the main CVS tree.

### License

Gentoo Keys is under GPL-2 License
#

But do I read this correctly?:

  ...Gentoo Keys will be able
  to verify GPG keys used for Gentoo's release media, such as installation CD's,
  Live DVD's, packages and other GPG signed documents.

Again, about this (syntactical) object (in the sentence), with other
objects removed:

  ...Gentoo Keys will be able
  to verify GPG keys used for ...
  ... packages...

Does that mean what I read? That with gkeys any user will be able to get
packages via git, and somehow automatically gpg -verify the signature of
each package that (s)he got when (s)he, say:

emerge -tuDN world

?

Does that mean that?

And then, to achieve true verifiability in the open (machine connected
to online, and doing 

Re: [gentoo-user] Streaming Live TV News channels

2017-02-16 Thread taii...@gmx.com

On 02/15/2017 09:36 PM, the...@sys-concept.com wrote:


I was thinking of cutting the TV cord but I think Internet TV is not yet
ready.  Even my Shaw FreeRange TV will not play any Live TV News
Channels on my Android TV box due to some kind of licensing issues.

They will stream it to cell phone but not to a box connected to internet.
I hardly watch any TV movies (some Netflix and some TV News).

Did anybody have a good experience with internet Live TV network?


Maybe get a tv tuner and an antenna?



Re: [gentoo-user] WARNING: Crucial MX300 drives SUUUUUCK!!!!

2017-02-14 Thread taii...@gmx.com
I had a crucial SSD drive too and it failed in the warranty but as I 
didn't have the receipt they refused to honor it and said I was out of 
warranty as based on the date they sold it to the store not the day the 
store sold it to me.
Apparently failures on my model were a very common thing due to a 
manufacturing defect.


Thank god for backups.

Bunch of jerks, don't buy from them.



Re: [gentoo-user] advice on a new laptop

2017-02-04 Thread taii...@gmx.com

On 02/04/2017 06:20 AM, Stefano Crocco wrote:


On Thursday, 2 February 2017 09:28:05 CET Stefano Crocco wrote:

Hello to everyone,
I need to buy a new laptop and I'd like some advice. Currently, I'm thinking
of buying an ASUS UX310UA-GL547T. Has anyone tried running Gentoo on it? If
so, how did it go? A Google search only lead me to a page hinting it should
work with linux, but didn't give any detail.

Alternatively, which other model would you suggest with similar
specifications? The ASUS UX310UA-GL547T has the following characteristics:

Screen: 13.3" - 1920x1080 Pixel - Full HD, LED, No Glare
CPU: Intel® Core™ i3-7100U (2.4 GHZ)
RAM: 4 GB DDR4
Max RAM: 16 GB
Video Card: Intel® HD Graphics 620
Video OUT: HDMI
Hard Disk: 500 GB SATA 5400 rpm
Wireless: WiFi 802.11n (a/c)
Intel® Wireless Display (WiDi)
Bluetooth: Bluetooth 4.1
USB slots: 2x USB 2.0 - 1x USB 3.0 - 1x USB 3.1
Card Reader: SD/MMC
Size and weight: 32.3x22.3x1.84~1.90 cm / 1.45 Kg

The price should be less than 800€/$.

Thanks in advance

Stefano


Thanks to everyone who answered. I've ordered the laptop and it should arrive
next week. I'll let you know how it goes.

Stefano
I am a little bit late but for future reference there are no wireless ac 
devices that have libre firmware, they all require blobs so do the USB 3 
ports on that laptop.

The intel wi-fi chips will never be freed either.

4GB RAM and a crappy 5.4K 500gb drive was pathetic - in 2010.

The best laptop choice is the lenovo G505S, which supports (real) 
coreboot, 16gb ram and is pre-AMD PSP (amds version of ME).




Re: [gentoo-user] java replacement

2017-01-25 Thread taii...@gmx.com

On 01/25/2017 05:03 AM, Bill Kenworthy wrote:


The java 8u112 download that the latest oracle java pulls in requires an
invasive questionnaire to create an Oracle account to enable the download.

I was using iced-tea at one stage but found the android sdk didn’t work
well with it - is there a less objectionable java source than oracle
that has a compatible java?

BillK

"Why does radio-shack ask for your phone number why you buy batteries!"

Always good to not put up with this crap, I like to feed them obviously 
fake information when I need something from a place that insists on 
doing this.


I purchased some hardware (at a physical store with cash nonetheless) 
recently and the cashier asked for my information and was annoyingly 
insistent[1] so I gave them "John Smith at 123 1st Street" as she 
audibly sucked her teeth.


The more people put up with this stuff the more bad things will happen - 
two police officers recently were murdered in France because a terrorist 
got their address off the internet and paid them a visit.


[1]I presume they get a bonus for how many marketing emails/information 
they collect.




Re: [gentoo-user] The final of free software

2017-01-08 Thread taii...@gmx.com

On 01/08/2017 11:44 AM, Dominus Mundi wrote:

sume time ago i blessed sume gentooers with technological advantage to the 
future. I had good intentions but litel did i now that it would lead to the 
free software wars. Upon returning to my time I fund that free software was 
dead. Popular free sofware projects replaced by government controled forks. We 
held a comite at my time and concluded that it wus not posible to unscrew this 
mess without also hurting the porn industrie whish is unaceptable so we voted 
on just giving gentooers a heads up. We also considered killing Donald Trump 
before he passes the one kernel law but unfortunately due to the grandfather 
paradox and other freaky stuf past asesinations are forbiden by the 
intergalactic constitution so brace yourselfes because the free software wars 
are about to begin and it's gonna be bloody.

Our hope is that this message will trigger a reaction that will cause gentoo to 
be selected as the US Government approved distro for use in the US and 
conquered territories (whish in a short time will cover most of the planet). 
May the light that radiates from the primeval hole shine upon all gentooers!


--
Securely sent with Tutanota. Claim your encrypted mailbox today!
https://tutanota.com

Damn what drugs are you on man.



Re: [gentoo-user] New box

2016-12-31 Thread taii...@gmx.com

On 12/30/2016 11:43 AM, lee wrote:


"taii...@gmx.com" <taii...@gmx.com> writes:


On 12/30/2016 08:39 AM, lee wrote:


the...@sys-concept.com writes:


I'm putting a new system, it will be running mainly, VirtualBox,

[...]

If you want a rock solid machine with lots of cores and RAM and very
capable of powering VMs, the HP Z800 is worthwhile to check out.

[...]
You can build a system with a (new) KGPE-D16, two used 6276 processors
and used 64gb ecc ram for only around $500 which will net you a 32
core computer that can run blob free no microcode coreboot that
supports max 256GB RDIMM RAM.

Including an excellent 850W power supply, a good case, SAS RAID
controller and a graphics card?

The 6276 is more power hungry than a Xeon and runs at only 2.3GHz
(though I don't know how that compares to the Xeon).  Power consumption
is an issue for me because electricity is way too expensive here.

Asus doesn't seem to say anything about coreboot?


There is another coreboot compatible (theoretically, but not tested)
QP max 1TB (jesus christ) RDIMM RAM G34 motherboard, so you could have
64 cores for only $20 or so per 16 cores. (plus the $30 for a cpu
cooler)

It's good to have so many options to choose from :)  Considering all
this, is there a good reason to go for an FX-8350?

Ahh good point, I was assuming he already had a case like I did. I have 
a single 6274 plus graphics card with a *quality* 500watt PSU and it 
works fine at full load.
6 cores vs 16 cores and coreboot with zero blobs or microcode, IMO the 
power consumption is greatly worth it.


Asus didn't implement coreboot on the kgpe-d16 (asus sucks), it was done 
by the firmware heroes at raptor engineering.


6276 actually runs at 2.6ghz with turbo assuming you have proper 
cooling, and 8 cores can turbo to 3.2ghz if the other 8 are in CC6.



If you care about linux you will care about free firmware, if we do not 
care one day microsoft will simply flip a switch and shut us out for 
good ("secure" boot 2.0 spec does not mandate the option to disable it)




Re: [gentoo-user] New box

2016-12-30 Thread taii...@gmx.com

On 12/30/2016 08:39 AM, lee wrote:


the...@sys-concept.com writes:


I'm putting a new system, it will be running mainly, VirtualBox,
Asterisk, Hylafax etc. (nothing graphic intensive).

- IN WIN BL631 Low Profile Micro ATX Case w/ 300W Power Supply,
- AMD FX-8350 Processor 4.0GHz w/ 16MB Cache
- Gigabyte GA-78LMT-USB3 w/ DDR3, 7.1 Audio, Gigabit Lan
- Kingston HyperX Fury 16GB DDR3-1866MHz CL10 Dual Channel Kit
- Samsung 850 EVO Series mSATA Solid State Drive, 1TB
- Asus GeForce GT 720 Silent CSM, 2GB, PCI-E w/ D-Sub VGA, DVI, HDMI

Will I have any problems installing Gentoo on this configuration, eg.
with Video Card etc.?
Do I need more RAM?

If you want a rock solid machine with lots of cores and RAM and very
capable of powering VMs, the HP Z800 is worthwhile to check out.

You can get them for good prices here from resellers/ebay, and they are
IMO currently the best you can get for your money if you want something
like that.  Technology has moved on a bit, but you'd spend about twice
the money if you buy something new that offers comparable overall
performance.  The Z820s are still rather pricey.

"Top speed" may be higher with the AMD, but I think it will have a hard
time beating the overall performance of 2 Xeons with 6x2 cores each and
48GB RAM (or whatever configuration you get) when you load it with VMs
and start compiling stuff.

IF that's an issue for you: I've measured the power consumption of a
Z800 with two X5675, 48GB RAM and a GTX770: 130W at idle, which I think
is amazing.  It can reach about 600W when compiling, with the graphics
card working hard and 6 spinning 3.5" disks.

There are no issues with temperatures or anything, and they are pretty
quiet.

The power supplies they have are impressive.  I've seen the lights go
out for like half a second or so, and I expected the machines to go
down, but they kept running as if nothing happened.

You can run Gentoo, Debian and Fedora on them.  If you run Xen on it,
limit cstates to 1 or you may see random freezes.

I wouldn't change mine for anything less than a Z820.  I used to build
my machines from parts, and I quit doing that because it isn't
worthwhile when you can just get a Z800 which offers more for half the
money.


Other than that, as others have already said, you're probably better off
with at least 32GB and a better PSU.  I also don't store data or a
system on a single disk with no redundancy, except for backups.

(A Z800 has four 3.5" bays, and you can get adapters for 2.5" disks that
plug in.  You could use 2x72GB 2.5" 15k SAS disks which you can get very
cheaply for the system, put everything else on your SSD and use a 3.5"
SATA disk for backups.)

You can build a system with a (new) KGPE-D16, two used 6276 processors 
and used 64gb ecc ram for only around $500 which will net you a 32 core 
computer that can run blob free no microcode coreboot that supports max 
256GB RDIMM RAM.


There is another coreboot compatible (theoretically, but not tested) QP 
max 1TB (jesus christ) RDIMM RAM G34 motherboard, so you could have 64 
cores for only $20 or so per 16 cores. (plus the $30 for a cpu cooler)




Re: [gentoo-user] New box

2016-12-30 Thread taii...@gmx.com

On 12/30/2016 07:54 AM, Alan McKinnon wrote:


On 30/12/2016 14:12, Neil Bothwick wrote:

On Fri, 30 Dec 2016 00:24:36 -0600, Dale wrote:


Makes me drool a bit here.  I want a 8 core CPU.  The only downside,
gkrellm won't have enough screen to show each core separately.  That's a
problem there.  lol  It already takes up the whole right side on one
desktop.  I guess I could make the thing shorter to fit them all in.

What's the problem, now you have all the justification you need for
buying a bigger monitor ;-)



I have 8 cores with krells for each, plus for procs, 2 disks and 3
interfaces. And plenty vertical space to spare.

1920x1080 monitor of course :-)


I have 16 cores.

You can get a g34 16 core 62xx or 63xx opteron for only $10-40, buy two 
and combine that with a compatible coreboot motherboard and compile 
times will at last be bearable.
Note: the 63xx series needs microcode updates for virtualization, but 
62xx works with no microcode at all.




Re: [gentoo-user] Installing Gentoo on a VPS with little RAM

2016-12-26 Thread taii...@gmx.com

On 12/26/2016 03:45 PM, Francesco Turco wrote:


Hello.

I have a Vultr VPS instance with Arch Linux but I'd like to replace it
with Gentoo Linux. The last time I tried that I couldn't build some
packages because the kernel killed gcc after a while. Please notice this
VPS instance has only 768 MiB of RAM. What can I try besides removing
-pipe from C(XX)FLAGS and setting MAKEOPTS to -j1? Should I add a swap
partition? Currently there's only a single root btrfs filesystem with @,
@boot and @home subvolumes. Btrfs doesn't support a swap file as far as
I know.

My VPS is currently used for the following things:
- Static personal website
- Shaarli (PHP application with no database)
- Tiny Tiny RSS (PHP application with database)
- ZNC server

Thanks.


How about do a distributed compile via an SSH tunnel?



Re: [gentoo-user] from Firefox52: NO pure ALSA?, WAS: Firefox 49.0 & Youtube... Audio: No

2016-12-19 Thread taii...@gmx.com

On 12/19/2016 05:50 PM, Dale wrote:


lee wrote:

Daniel Frey  writes:


On 12/19/2016 10:15 AM, lee wrote:

"Walter Dnes"  writes:


   Similarly, the vast majority of home users have a machine with one
ethernet port, and in the past it's always been eth0.

Since 10 years or so, the default is two ports.

Not in any of the computers I've built. Generally only high end or
workstation/server boards have two ports.

i.e. not what the typical home user would buy.

It is not reasonable to assume that a "typical home user" would want a
computer with a crappy board to run Linux on it (or for anything
else). If they are that cheap, they're better off buying a used one.
When they are sufficiently clueless to want something like that, what
does it matter what the network interfaces are called.


I built my current rig just a few years ago.  It has one ethernet port
on it.  Since it didn't work right, bad drivers I guess, I added a card
to have the second port.  The rig I built before that, it also had one
ethernet port.

I might add, I didn't buy a "crappy board" either.  The first was Abit
which was the top rated brand at the time and my current board is
Gigabyte, another highly rated board at the time I bought it.  As Daniel
points out, you have to get into some pretty high end boards before you
get two ethernet ports.

Just for giggles, I went and looked at Asus boards, currently highly
rated.  I had to get up around the $400 range to find two ports.  Most
computers built for home use, and even some, maybe most, business
computers, only have one port.  It's all they need.

I might also add, I have a lot of friends that give me their old
computers.  Of all the puters I have ever seen, they had one ethernet
port.  Over the past decade or so, I've likely stripped out a few dozen
computers for parts.  Not one of them had two ethernet ports.

I'm with Daniel on this one.

Dale

:-)  :-)

I too have never seen a non server board with more than one embedded
network interface.
I have an expensive server board that features two ethernet ports but I 
really hate the removal of the ethX scheme, sometimes they get detected 
in the wrong order and ethX is way easier to type than ens1s0 or what not.


It is just another swell example of the pottering-esque corruption of
the free software movement.




Re: [gentoo-user] [OT] SCSII Adapter ?

2016-12-18 Thread taii...@gmx.com

On 12/18/2016 10:28 PM, meino.cra...@gmx.de wrote:

taii...@gmx.com <taii...@gmx.com> [16-12-19 03:57]:

On 12/17/2016 11:31 PM, meino.cra...@gmx.de wrote:


Hi,

I searched for this on the Web and the only one I found, which
is available, seems to be a Windows-only product (needs Windows
drivers).

Maybe someone on this list knows a solution:
Is there any "something"-to-SCSII-adapter, which can be used with
Linux, and which is not a "harddisk only" one?

With "something" I mean an interface, which is common on modern
PCs like USB, SATA, Firewire...

Thank you very much for any help in advance!
Cheers
Meino


PCI-e ok?

You can pick up a cheap server pull pci-e scsi HBA off of ebay, just
check the kernel compatibility lists for that chipset.

A RAID card is also an option however some do not provide pass-through
(HBA) mode.


Hi Talidan,

PCI-e unfortunately is not an option (and I didn't mention it,
sorry), because there is no space in my PC anymore.
All slots are occupied - only one is free and that one is behind
the double-width graphics card.

Am I out of luck or are there other options?

Cheers
Meino

Uhh curious is this for a tape drive? Perhaps an autoloader? Seems like
the only reason you'd be putting so much time and effort into this is
for one of those.


https://web.archive.org/web/20161109002310/http://adaptec.com/en-us/support/_eol/usb_scsi/usbxchange//
http://lkml.iu.edu/hypermail/linux/kernel/0509.1/1976.html
Boom! - adaptec usbxchange
Took me 5mins to find this...
Slow, and $150 or so on ebay so pricey too.

No idea if it works with newer kernels but this is a start.

If you want more slots you can always buy an external pci-e expansion 
system such as the ones from cyclone microsystems, expensive but if you 
need em you need em and they support PCI-e ACS.




Re: [gentoo-user] [OT] SCSII Adapter ?

2016-12-18 Thread taii...@gmx.com

On 12/17/2016 11:31 PM, meino.cra...@gmx.de wrote:


Hi,

I searched for this on the Web and the only one I found, which
is available, seems to be a Windows-only product (needs Windows
drivers).

Maybe someone on this list knows a solution:
Is there any "something"-to-SCSII-adapter, which can be used with
Linux, and which is not a "harddisk only" one?

With "something" I mean an interface, which is common on modern
PCs like USB, SATA, Firewire...

Thank you very much for any help in advance!
Cheers
Meino


PCI-e ok?

You can pick up a cheap server pull pci-e scsi HBA off of ebay, just 
check the kernel compatibility lists for that chipset.


A RAID card is also an option however some do not provide pass-through 
(HBA) mode.




Re: [gentoo-user] from Firefox52: NO pure ALSA?, WAS: Firefox 49.0 & Youtube... Audio: No

2016-12-17 Thread taii...@gmx.com

On 12/17/2016 08:56 PM, Walter Dnes wrote:


   I'm running Pale Moon.  In an xterm, I did...

export SSLKEYLOGFILE=/dev/shm/sslkeylogfile.txt

...and launched Pale Moon manually from the commandline, and visited a
couple of https sites.  I did get /dev/shm/sslkeylogfile.txt which
begins with the line...

# SSL/TLS secrets log file, generated by NSS

   Following that are a bunch of lines starting with...

CLIENT_RANDOM

...followed by a space, followed by 161 random hex-numeric characters
i.e. [0-9a-f].

   I also saw a line beginning with...

RSA

...followed by a space, followed by 113 random hex-numeric characters
i.e. [0-9a-f].

   If you plan to do this regularly, your program launcher will need to
launch bash scripts with separate filenames for each profile.  Maybe
append date-time stamp to filenames to avoid multiple sessions
overwriting each other.


   As for privacy, there are the usual features, like...

* asking sites to not track (don't trust that)
* control of which sites to accept/refuse regular cookies, and 3rd-party
   cookies, from
* whether or not to clear browsing and download history
* private browsing session

random - I have always wondered why none of the "user respecting" forks
nor mozilla have any serious efforts to thwart browser fingerprinting, 
private browsing session is simply a misnomer without it.
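
The per-session key log setup Walter Dnes describes above, as an added example that is not code from the thread: it creates an owner-only, timestamped file per profile (the file holds session secrets) and checks the two line shapes he observed. Function names, the file-name layout and the all-zero sample lines are assumptions constructed for illustration.

```shell
# Added example; function names and the file-name layout are hypothetical.
# Only the SSLKEYLOGFILE variable and the line shapes come from the post.

# Build a per-profile, per-session key log path (timestamp + PID suffix).
keylog_path() {
    dir=${2:-/dev/shm}
    # Reduce the profile name to characters that are safe in a file name.
    safe=$(printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_')
    printf '%s/sslkeylog-%s-%s-%s.txt\n' "$dir" "$safe" "$(date +%Y%m%d-%H%M%S)" "$$"
}

# Create the file owner-only before the browser writes secrets into it,
# refusing to reuse an existing file (noclobber), then print its path.
prepare_keylog() {
    path=$(keylog_path "$1" "$2") || return 1
    ( umask 077; set -C; : > "$path" ) 2>/dev/null || return 1
    printf '%s\n' "$path"
}

# Count well-formed entries of one label in a key log file.
#   CLIENT_RANDOM: 64 hex (client random) + space + 96 hex (master secret) = 161
#   RSA:           16 hex + space + 96 hex (premaster secret)              = 113
count_entries() {
    case $1 in
        CLIENT_RANDOM) re='^CLIENT_RANDOM [0-9a-f]{64} [0-9a-f]{96}$' ;;
        RSA)           re='^RSA [0-9a-f]{16} [0-9a-f]{96}$' ;;
        *) return 2 ;;
    esac
    grep -Ec "$re" "$2" || true
}

# Write a constructed sample (all-zero values, not real secrets).
write_sample() {
    {
        echo '# SSL/TLS secrets log file, generated by NSS'
        printf 'CLIENT_RANDOM %064d %096d\n' 0 0
        printf 'CLIENT_RANDOM %064d %096d\n' 0 0
        printf 'RSA %016d %096d\n' 0 0
        printf 'CLIENT_RANDOM %064d %040d\n' 0 0   # truncated, must not count
    } > "$1"
}

# Launcher usage (commented out so sourcing this file has no side effects):
#   SSLKEYLOGFILE=$(prepare_keylog "$profile") && export SSLKEYLOGFILE
#   exec "$@"    # the browser command line
```

Delete the file once the capture has been analysed, since it stays readable to its owner until then.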




Re: [gentoo-user] from Firefox52: NO pure ALSA?, WAS: Firefox 49.0 & Youtube... Audio: No

2016-12-17 Thread taii...@gmx.com

On 12/17/2016 04:57 PM, Marc Joliet wrote:


On Saturday 17 December 2016 19:20:03 Heiko Baums wrote:

On 17.12.2016 at 15:58, Rich Freeman wrote:

[...]

If you don't think the guides on how to install Gentoo on a Pi are
good enough, then play around with it until you figure it out, and
then post an article on the Wiki.

Didn't you read my e-mail? I don't want to have Gentoo on my Pi, because
this would destroy the advantage of the Pi, its low power consumption.

Well, maybe I will install Gentoo on the Pi once, just for fun, but
that's not the question here.

Looks like somebody hasn't heard of cross-compiling!  Perhaps check out
sys-devel/crossdev and/or ask on the gentoo-embedded mailing list.  In fact, in
this particular case I *will* provide you with a link:

https://wiki.gentoo.org/wiki/Raspberry_Pi_Cross_building


I didn't ask for a howto for installing Gentoo on a Pi, I asked for a
howto for getting rid of systemd on recent versions of Arch Linux,
Debian, Raspbian, Ubuntu, Fedora etc. You said it's possible and I'm not
forced to use systemd, so I guess you know how and can explain it to me.

Aha, so it's not enough that there are distros *right now* that let you avoid
systemd (e.g., Gentoo, Funtoo, Devuan, Knoppix), it has to be one of *those
particular* distros.

[...]

Best regards

Funtoo, knoppix and devuan are not serious professional grade distros,
two of those are in beta and gentoo isn't something you want on most 
production servers.


You can't be seriously suggesting that hobbyist distros with one or two
developers and bad security policies are a serious replacement for the
systemd corrupted distros, can you?



For some reason everyone in this thread also seems to be making this 
about sysvinit vs systemd rather than systemd vs sysvinit and openRC...




Re: [gentoo-user] from Firefox52: NO pure ALSA?, WAS: Firefox 49.0 & Youtube... Audio: No

2016-12-17 Thread taii...@gmx.com

What makes it better than icecat, iceweasel, foxcat, and so on?

On 12/17/2016 12:59 AM, Walter Dnes wrote:

On Fri, Dec 16, 2016 at 11:27:08PM +0100, Miroslav Rovis wrote


There, the few sentences, but the topic really is serious, will
Firefox, from Firefox52, in my machine, and in people who don't want
Pulseaudio, like I don't want it, be silent really from Firefox52,
as some Mozilla devs of a ...particular kind, promised, repeatedly
on that Mozilla bug page.

   An alternative to Firefox is Pale Moon, http://linux.palemoon.org/
Disclosure... I'm involved as a volunteer with the Pale Moon project.






[gentoo-user] Boot freeze/kthreadd stack trace - AMD_PMU_INIT

2016-11-20 Thread taii...@gmx.com

Specs:
blob free coreboot on a kgpe-d16 (amd opteron)


Happens with both the livecd/usb and a kernel I compiled on another 
machine (however with that one I simply get a black screen and a bootloop)

Other distros kernels work fine, it is just gentoo.
The livecd and compiled kernel work fine on all my other computers/VMM's.

Upon loading I get to amd performance counters, it freezes and 5-10 secs
later I receive a stack trace for kthreadd "hung" (amd_pmu_init - seems to
be the primary reason). I never get to a login prompt.


It isn't microcode related as I removed the microcode packages from the 
other distros I tried.


Any ideas? Is there any additional info that would be helpful? How can I 
dump the boot text?