Re: Intel Celeron SoC support

2018-11-20 Thread Chris Cappuccio
Andrew Lemin [andrew.le...@gmail.com] wrote:
> Hi,
> 
> I am running an ASRock J4105B-ITX board and wanting to run OpenBSD on this.
> https://www.asrock.com/MB/Intel/J4105B-ITX/index.asp#BIOS
> 
> It boots up, and at the 'boot>' prompt I can use the keyboard fine.
> 
> However after it boots up, the keyboard stops working, and no disks are
> found by the installer (used auto_install to send test commands).
> It appears that there is no chipset support, for the Intel Celeron J4105
> CPU from what I can work out.
> 
> To test that it was working fine and is just OpenBSD which is not working,
> I installed Linux and have included the dmesg below (from Linux).
> I cannot run a dmesg from the OpenBSD installer as I cannot use the
> keyboard etc.
> 

The ASRock J4205-ITX (Apollo Lake) works fine, so does the J3710-ITX (Braswell).

I use them both headless, but they work fine when I plug in a USB keyboard.

The J4105-ITX (Gemini Lake) is newer than either.

What kind of keyboard are you using? If it's not USB, plug in a USB keyboard.
Although it may not work at the boot> prompt, it will work once you are booted
up.

For fun, here are dmesg for the older versions of your board. They both work
with USB input devices. 

Braswell


OpenBSD 6.3-current (GENERIC.MP) #21: Fri Jun 29 17:32:47 PDT 2018
ch...@r8.nmedia.net:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8023584768 (7651MB)
avail mem = 7771283456 (7411MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xecec0 (18 entries)
bios0: vendor American Megatrends Inc. version "P1.30" date 03/30/2016
bios0: ASRock J3710-ITX
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT AAFT MCFG HPET SSDT SSDT SSDT UEFI LPIT 
CSRT
acpi0: wakeup devices UAR1(S4) XHC1(S4) HDEF(S4) PXSX(S4) RP01(S4) PXSX(S4) 
RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) BRCM(S0) PWRB(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Pentium(R) CPU J3710 @ 1.60GHz, 1600.37 MHz
cpu0: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT,MELTDOWN
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 8 var ranges, 88 fixed ranges
cpu0: apic clock running at 79MHz
cpu0: mwait min=64, max=64, C-substates=0.2.0.0.0.0.3.3, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Pentium(R) CPU J3710 @ 1.60GHz, 1600.00 MHz
cpu1: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT,MELTDOWN
cpu1: 1MB 64b/line 16-way L2 cache
cpu1: smt 0, core 1, package 0
cpu2 at mainbus0: apid 4 (application processor)
cpu2: Intel(R) Pentium(R) CPU J3710 @ 1.60GHz, 1600.00 MHz
cpu2: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT,MELTDOWN
cpu2: 1MB 64b/line 16-way L2 cache
cpu2: smt 0, core 2, package 0
cpu3 at mainbus0: apid 6 (application processor)
cpu3: Intel(R) Pentium(R) CPU J3710 @ 1.60GHz, 1600.00 MHz
cpu3: 
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT,MELTDOWN
cpu3: 1MB 64b/line 16-way L2 cache
cpu3: smt 0, core 3, package 0
ioapic0 at mainbus0: apid 1 pa 0xfec0, version 20, 115 pins
acpimcfg0 at acpi0 addr 0xe000, bus 0-255
acpihpet0 at acpi0: 14318179 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (RP01)
acpiprt2 at acpi0: bus 2 (RP02)
acpiprt3 at acpi0: bus 3 (RP03)
acpiprt4 at acpi0: bus 4 (RP04)
acpiec0 at acpi0: not present
acpicpu0 at acpi0: C3(10@1000 mwait.1@0x64), C2(10@500 mwait.1@0x58), C1(1000@1 
mwait.1), PSS
acpicpu1 at acpi0: C3(10@1000 mwait.1@0x64), C2(10@500 mwait.1@0x58), C1(1000@1 
mwait.1), PSS
acpicpu2 at acpi0: C3(10@1000 mwait.1@0x64), C2(10@500 mwait.1@0x58), C1(1000@1 
mwait.1), PSS
acpicpu3 at acpi0: C3(10@1000 mwait.1@0x64), C2(10@500 mwait.1@0x58), C1(1000@1 
mwait.1), PSS
acpipwrres0 at acpi0: CLK0, resource for CAMD
acpipwrres1 at acpi0: CLK0, resource for CAM1
acpipwrres2 at acpi0: CLK1, resource for CAM2, CAM3
acpipwrres3 at acpi0: USBC, resource 
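The dmesg quoted above ends each cpuN feature line with MELTDOWN, the flag the OpenBSD kernel prints when it has judged that CPU affected by Meltdown; it also lists VMX, which vmm needs. As an added example (not code from this thread or from OpenBSD), here is a small Python parser that pulls the board, BIOS and per-CPU feature flags out of dmesg text, rejoins a cpuN: line whose flag list the mailer wrapped onto the next line (as happens in the quoted dmesg), and reports which CPUs carry a given flag. The sample dmesg inside it is constructed from a few of the quoted lines; cpu1's flag list is abbreviated and made up for the example.

```python
"""Parse OpenBSD dmesg text for board identity and per-CPU feature flags.

Added example, not code from the thread or from OpenBSD. Reads dmesg
output such as the Braswell dmesg quoted above and reports which CPUs the
kernel tagged MELTDOWN and which carry VMX.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample built from a few lines of the quoted dmesg. The cpu0
# feature line is wrapped onto the following line as it appears in the
# mail; cpu1's flag list is abbreviated and made up for the example.
SAMPLE_DMESG = """\
OpenBSD 6.3-current (GENERIC.MP) #21: Fri Jun 29 17:32:47 PDT 2018
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xecec0 (18 entries)
bios0: vendor American Megatrends Inc. version "P1.30" date 03/30/2016
bios0: ASRock J3710-ITX
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Pentium(R) CPU J3710 @ 1.60GHz, 1600.37 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,AES,RDRAND,NXE,RDTSCP,LONG,LAHF,3DNOWP,PERF,ITSC,SMEP,ERMS,SENSOR,ARAT,MELTDOWN
cpu0: 1MB 64b/line 16-way L2 cache
cpu0: smt 0, core 0, package 0
cpu0: apic clock running at 79MHz
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Pentium(R) CPU J3710 @ 1.60GHz, 1600.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,VMX,NXE,MELTDOWN
cpu1: 1MB 64b/line 16-way L2 cache
"""

CPU_LINE = re.compile(r"^cpu(\d+):\s*(.*)$")
# A feature line is a comma-separated list of flag tokens with no spaces.
FLAG_LIST = re.compile(r"[A-Za-z0-9._-]+(?:,[A-Za-z0-9._-]+)+")
BIOS_VENDOR = re.compile(r'^bios0: vendor (.+?) version "([^"]*)" date (\S+)')


@dataclass
class DmesgInfo:
    kernel: Optional[str] = None
    bios_vendor: Optional[str] = None
    bios_version: Optional[str] = None
    bios_date: Optional[str] = None
    board: Optional[str] = None
    cpu_models: Dict[int, str] = field(default_factory=dict)
    cpu_flags: Dict[int, Set[str]] = field(default_factory=dict)


def _logical_lines(text: str):
    """Yield dmesg lines, rejoining a 'cpuN:' line whose flag list was
    wrapped onto the next line by the mailer."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        m = CPU_LINE.match(line)
        if (m and m.group(2) == "" and i + 1 < len(lines)
                and FLAG_LIST.fullmatch(lines[i + 1].strip())):
            line = "cpu%s: %s" % (m.group(1), lines[i + 1].strip())
            i += 1
        yield line
        i += 1


def parse_dmesg(text: str) -> DmesgInfo:
    """Extract kernel banner, BIOS/board identity and per-CPU data."""
    info = DmesgInfo()
    for line in _logical_lines(text):
        if info.kernel is None and line.startswith("OpenBSD "):
            info.kernel = line
            continue
        m = BIOS_VENDOR.match(line)
        if m:
            info.bios_vendor, info.bios_version, info.bios_date = m.groups()
            continue
        if line.startswith("bios0: ") and info.board is None:
            info.board = line[len("bios0: "):]  # board name follows the vendor line
            continue
        m = CPU_LINE.match(line)
        if not m:
            continue
        n, payload = int(m.group(1)), m.group(2)
        if FLAG_LIST.fullmatch(payload):
            info.cpu_flags[n] = set(payload.split(","))
        elif "@" in payload and payload.endswith(" MHz"):
            info.cpu_models[n] = payload  # "Intel(R) ... @ 1.60GHz, 1600.37 MHz"
    return info


def cpus_with_flag(info: DmesgInfo, flag: str) -> List[int]:
    """CPU numbers whose feature line carries the given flag."""
    return sorted(n for n, flags in info.cpu_flags.items() if flag in flags)


def report(text: str) -> Dict[str, object]:
    """Per-host summary an inventory job might collect."""
    info = parse_dmesg(text)
    return {
        "board": info.board,
        "bios": "%s %s (%s)" % (info.bios_vendor, info.bios_version, info.bios_date),
        "cpus": len(info.cpu_flags),
        "meltdown": cpus_with_flag(info, "MELTDOWN"),
        "vmx": cpus_with_flag(info, "VMX"),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_DMESG).items():
        print("%-9s %s" % (key, value))
```

Running it on a real host's dmesg (`dmesg | python3 thisfile.py` after swapping SAMPLE_DMESG for `sys.stdin.read()`) gives the same per-host summary; the wrapped-line handling matters only for dmesgs that have been through a mailer.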

Re: FreeBSD in vmm

2018-11-20 Thread Ken M
On Tue, Nov 20, 2018 at 06:40:50PM -0800, Philip Guenther wrote:
> 
> Not supported yet.  There will be some sort of announcement when it works.
> 
> 
> Philip Guenther

OK thank you. I was figuring it was me because I have gotten pretty much most of
the main Linux distros to work. In fact the only one I never sorted out before
this was Android-x86. Mostly just experimenting with just how much I can do with
vmm. No specific need I am trying to address.

Ken



Re: FreeBSD in vmm

2018-11-20 Thread Philip Guenther
On Tue, Nov 20, 2018 at 6:29 PM Ken M wrote:

> Has anyone gotten this working?
>
> Just trying it as an experiment.
>
> I installed using qemu, serial console is working but when I boot through
> vmctl
> the console shows a supervisor read error, page not found which from what
> I read
> is indicative of bad memory. In qemu it boots fine though. Not sure what I
> am
> missing.
>

Not supported yet.  There will be some sort of announcement when it works.


Philip Guenther


FreeBSD in vmm

2018-11-20 Thread Ken M
Has anyone gotten this working?

Just trying it as an experiment.

I installed using qemu, serial console is working but when I boot through vmctl
the console shows a supervisor read error, page not found which from what I read
is indicative of bad memory. In qemu it boots fine though. Not sure what I am
missing.

Ken



Re: I love your Emails. This one made my day!

2018-11-20 Thread Rudy Baker
I like turtles

On Tue, Nov 20, 2018, 5:40 PM Josh Grosse wrote:

> Thank you!
>
> On November 20, 2018 2:24:55 PM EST, Nick Holland <
> n...@holland-consulting.net> wrote:
> >On 11/20/18 11:43, Chris Bennett wrote:
> >> I am almost certainly going to be replacing with a new server for an
> >> organization I am a member of.
> >> With all of this mess with Meltdown, Spectre, insecure motherboard
> >> chips,etc.
> >> I am pretty clueless on exactly what is going to be a secure set of
> >> server hardware.
> >> Intel, well no.
> >> AMD? I have read about problems with non-CPU chips being compromised.
> >> Another architecture? I have never used anything other than
> >Intel/AMD.
> >>
> >> The server will run httpd, mailserver, PostgreSQL and somehow a good
> >way
> >> for well encrypted messaging at times.
> >
> >all on one server?
> >
> >And as someone who has run a number of mail servers for a number of
> >companies ... don't.  Just don't.  Running your own mail server is a
> >good way to accomplish nothing except wasting a lot of time and making
> >people hate you.
> >
> >> It is very likely to run out of Austin, Texas.
> >> I think that having a direct connection would be best, but would a
> >> proper setup make collocation OK?
> >
> >You are using poorly defined buzzwords.  What you mean by a "direct
> >connection", "proper setup", "collocation" and what I mean are likely
> >very different.
> >
> >> This isn't going to be my server, I will just be in charge. That's
> >> completely new for me.
> >> Any advice is really welcome, everywhere I read anything, hardware
> >seems
> >> broken and insecure.
> >
> >Pretty much all new HW is optimized in ways that we are now learning
> >(and has been known for a long time) introduce security problems.
> >However, most of the problems boil down to having malicious software
> >running in the control of someone else on the same physical machine
> >YOUR
> >code is running on.
> >
> >In short: No news.  Really.
> >
> >If someone that wanted to do you evil lived in the same house as you,
> >you would not be comfortable, right?  What if you put up walls
> >(virtualization) that have proven to be about as robust as paper?
> >That make you feel any better?  Probably not.  Virtualization has been
> >proven -- over and over -- not terribly secure.  Now we got
> >cross-virtualization platforms ways of stealing data from other
> >processes.  Important? yes.  But in the big picture, it's similar to
> >Yet
> >Another buffer overflow.
> >
> >So...split your tasks on different physical systems as much as
> >possible.
> >If your webserver is serving static pages, it's probably pretty robust.
> > If it's running Wordpress or any other "any idiot can manage the web
> >page" apps or dynamic web pages for other reasons, it should be a
> >machine of its own and have no other important data on it.
> >Your primary goal should be to keep the bad guys off your computer in
> >every sense.  And again...nothing new here.
> >
> >But if security is your concern, you want real hw you control in every
> >sense.
> >
> >Unfortunately, if you have performance requirements, your choices are
> >AMD and Intel.  Older Intel and AMD chips aren't getting any support to
> >deal with these problems, so your choices are incredibly old chips
> >which
> >are probably not in the most reliable hardware, and a whole bunch of
> >other old, unreliable, and slow hardware platforms.  But be realistic.
> >Your bosses will probably mandate a VM on someone else's hw, a
> >wordpress
> >website, one box for everything, and that you give him the root
> >password
> >which he'll e-mail to himself to keep it "secure".  Your most likely
> >breach points will be an easily guessed password (usually, a
> >manager's),
> >a bug in a web content management system, or someone believing that
> >"secure e-mail" is a thing.  In other words, Same Old Shit.  It
> >probably
> >won't be breached by a Spectre or Meltdown-like attack.  But it MIGHT
> >be.  Obsessing about them is generally missing the real day-to-day
> >risks.
> >
> >Nick.
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>


Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-20 Thread Misc User

On 11/20/2018 8:43 AM, Chris Bennett wrote:

> I am almost certainly going to be replacing with a new server for an
> organization I am a member of.
> With all of this mess with Meltdown, Spectre, insecure motherboard
> chips,etc.
> I am pretty clueless on exactly what is going to be a secure set of
> server hardware.
> Intel, well no.
> AMD? I have read about problems with non-CPU chips being compromised.
> Another architecture? I have never used anything other than Intel/AMD.
> 
> The server will run httpd, mailserver, PostgreSQL and somehow a good way
> for well encrypted messaging at times.
> It is very likely to run out of Austin, Texas.
> I think that having a direct connection would be best, but would a
> proper setup make collocation OK?
> 
> This isn't going to be my server, I will just be in charge. That's
> completely new for me.
> Any advice is really welcome, everywhere I read anything, hardware seems
> broken and insecure.
> 
> Thanks a bunch for any help,
> Chris Bennett

Personally, I'd go with a couple of Sun T-1000s, a pair of managed 
switches and some Cyclades (or similar) serial port servers and cram 
them into a half cabinet rented from a CoLo.  2 to run as firewalls, 2 
for httpd, 2 for your database, and 2 to run Dovecot for your mail 
(Assuming just IMAP is fine for your users).  You'd probably be looking 
at about $10,000 in hardware and a few hundred a month for renting the 
rack space.  Although with some frugal ebay'ing, you can probably bring 
that hardware cost down quite a bit.  But you'll get some decent 
hardware, and SSH-based remote access to the OOB ALOM ports of the systems.


I have a similar, but much larger scale, setup sitting in an Equinix 
Datacenter over in San Jose.




I love your Emails. This one made my day!

2018-11-20 Thread Josh Grosse
Thank you!

On November 20, 2018 2:24:55 PM EST, Nick Holland wrote:
>On 11/20/18 11:43, Chris Bennett wrote:
>> I am almost certainly going to be replacing with a new server for an
>> organization I am a member of.
>> With all of this mess with Meltdown, Spectre, insecure motherboard
>> chips,etc.
>> I am pretty clueless on exactly what is going to be a secure set of
>> server hardware.
>> Intel, well no.
>> AMD? I have read about problems with non-CPU chips being compromised.
>> Another architecture? I have never used anything other than
>Intel/AMD.
>> 
>> The server will run httpd, mailserver, PostgreSQL and somehow a good
>way
>> for well encrypted messaging at times.
>
>all on one server?
>
>And as someone who has run a number of mail servers for a number of
>companies ... don't.  Just don't.  Running your own mail server is a
>good way to accomplish nothing except wasting a lot of time and making
>people hate you.
>
>> It is very likely to run out of Austin, Texas.
>> I think that having a direct connection would be best, but would a
>> proper setup make collocation OK?
>
>You are using poorly defined buzzwords.  What you mean by a "direct
>connection", "proper setup", "collocation" and what I mean are likely
>very different.
>
>> This isn't going to be my server, I will just be in charge. That's
>> completely new for me.
>> Any advice is really welcome, everywhere I read anything, hardware
>seems
>> broken and insecure.
>
>Pretty much all new HW is optimized in ways that we are now learning
>(and has been known for a long time) introduce security problems.
>However, most of the problems boil down to having malicious software
>running in the control of someone else on the same physical machine
>YOUR
>code is running on.
>
>In short: No news.  Really.
>
>If someone that wanted to do you evil lived in the same house as you,
>you would not be comfortable, right?  What if you put up walls
>(virtualization) that have proven to be about as robust as paper?
>That make you feel any better?  Probably not.  Virtualization has been
>proven -- over and over -- not terribly secure.  Now we got
>cross-virtualization platforms ways of stealing data from other
>processes.  Important? yes.  But in the big picture, it's similar to
>Yet
>Another buffer overflow.
>
>So...split your tasks on different physical systems as much as
>possible.
>If your webserver is serving static pages, it's probably pretty robust.
> If it's running Wordpress or any other "any idiot can manage the web
>page" apps or dynamic web pages for other reasons, it should be a
>machine of its own and have no other important data on it.
>Your primary goal should be to keep the bad guys off your computer in
>every sense.  And again...nothing new here.
>
>But if security is your concern, you want real hw you control in every
>sense.
>
>Unfortunately, if you have performance requirements, your choices are
>AMD and Intel.  Older Intel and AMD chips aren't getting any support to
>deal with these problems, so your choices are incredibly old chips
>which
>are probably not in the most reliable hardware, and a whole bunch of
>other old, unreliable, and slow hardware platforms.  But be realistic.
>Your bosses will probably mandate a VM on someone else's hw, a
>wordpress
>website, one box for everything, and that you give him the root
>password
>which he'll e-mail to himself to keep it "secure".  Your most likely
>breach points will be an easily guessed password (usually, a
>manager's),
>a bug in a web content management system, or someone believing that
>"secure e-mail" is a thing.  In other words, Same Old Shit.  It
>probably
>won't be breached by a Spectre or Meltdown-like attack.  But it MIGHT
>be.  Obsessing about them is generally missing the real day-to-day
>risks.
>
>Nick.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-20 Thread Chris Bennett
On Tue, Nov 20, 2018 at 08:31:14PM +, Kaya Saman wrote:
> I don't think the response was assumed as such. It just is that there are so
> many issues with corporate politics and higher ups thinking they know things
> that gives OpenSource software a bad rep! Even once people didn't understand
> what OpenSource was and asked me what I did while 'working at OpenSource'
> lol
> 
> 
> As to different H/W yes there are still some different systems around...
> like IBM PowerPC P-series based systems, Oracle SPARC, I think HP's own UX
> capable machines are dead now; though my info could be several years out of
> date as I haven't dealt with this type of system in a long time.
> 
> 
> Agreed that Cloud is a lot of corporate hype in many aspects as to lower
> expenditure.
> 
> 
> Will you be building just the mail server or the whole infrastructure??
> 

As of right now, I will have to take on everything, which is an
extremely daunting task. There have been three times in the past year
that staff and volunteers either left on their own or a few were found
to be more troublesome than helpful.
Things are a real mess right now, so my first task is just to get the
website, which right now is a disaster, working good enough to keep both
members and volunteers communicating and an inflow of donations coming
in.

WordPress was an awful decision made right before I joined.
But it's hard to select the right software. Having a forum is a must,
and due to both trolls and crazy people deliberately making destructive
types of posts, the forum has now been removed to members only to allow
for reasonable and private discussions.

The website is dead slow right now and that has to be fixed quickly.
I don't have all the details of exactly what is or isn't installed yet.
A board meeting is about to happen and then I should be able to check
out the mess.

I'm planning on moving to just delivering the content and who cares if
it's pretty or not. As long as it's much faster.

I just need some guidance along the way.
RTFM these 250 manual pages is the right way, except that actions need to
happen fast. This really is a case of do things sorta the wrong way and
fix it ASAP, or don't do anything and then the SHTF.

I want everything done in the end really well and secure, but no
donations, no volunteers and no new members or no renewing members
equals no organization. That's bad.

Thanks for your suggestions. I didn't think other architectures would be
suitable, but it was worth asking.

Chris Bennett




> 
> Virtually what you want to do is a good firewall protecting everything.
> OpenBSD excels at security so definitely recommended. As to mail server, I
> really think you need to research the different components first that make
> up the system.
> 
> Firstly for power reasons what type of usage do you estimate?
> 
> Will you be needing a separate external mail gateway?
> 
> Does your ISP offer Reverse DNS?
> 
> 
> After that the best thing to do would be to setup a small lab with a test
> machine and try different setups out. Like say using Sendmail, Postfix
> etc for SMTP. Many people here have different opinions and takes on this
> but really it is up to you to decide what you like best and also what you
> need it to do - you can only find that out by testing out different things.
> 
> Then how your users will connect... IMAP, POP, HTTP?? In today's day and age
> IMAP is the preferred protocol but there of course are others - please do
> not ever mention M$ Exchange as it should be obliterated!
> 
> 
> Once you understand the core components necessary then you will start to
> formulate specific questions of how/why is (x) needed etc... then answers
> can be more specific too but for now read a lot and test out different
> things to see which one fits you best :-)
> 
> 
> Regards,
> 
> 
> Kaya
> 
> 



Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-20 Thread Kaya Saman



On 11/20/18 8:11 PM, Chris Bennett wrote:

> On Tue, Nov 20, 2018 at 02:24:55PM -0500, Nick Holland wrote:
> > On 11/20/18 11:43, Chris Bennett wrote:
> > 
> > Unfortunately, if you have performance requirements, your choices are
> > AMD and Intel.  Older Intel and AMD chips aren't getting any support to
> > deal with these problems, so your choices are incredibly old chips which
> > are probably not in the most reliable hardware, and a whole bunch of
> > other old, unreliable, and slow hardware platforms.  But be realistic.
> > Your bosses will probably mandate a VM on someone else's hw, a wordpress
> > website, one box for everything, and that you give him the root password
> > which he'll e-mail to himself to keep it "secure".  Your most likely
> > breach points will be an easily guessed password (usually, a manager's),
> > a bug in a web content management system, or someone believing that
> > "secure e-mail" is a thing.  In other words, Same Old Shit.  It probably
> > won't be breached by a Spectre or Meltdown-like attack.  But it MIGHT
> > be.  Obsessing about them is generally missing the real day-to-day risks.
> 
> Does no one at all use OpenBSD for anything but making money or looking
> cool?
> Does no one at all do any kind of work for charity?
> Is there some virus going around that makes everyone so hostile?
> 
> Why assume that I have some idiotic boss that wants to fuck things up?
> Did it ever occur to you that I might be doing this work for free?
> Did it ever occur to you that the organization might be doing major
> disaster relief from all of the recent hurricanes devastating the
> Southern US. That they might be helping to protect first responders
> doing wellness checks on homes? That they might be stopping homes and
> businesses from being looted?
> That the primary members of the organization are law enforcement,
> paramedics and veterans?
> 
> But hey, if I can't fill up my bank account, I guess the usage of
> OpenBSD is discouraged.


I don't think the response was assumed as such. It just is that there 
are so many issues with corporate politics and higher ups thinking they 
know things that gives OpenSource software a bad rep! Even once people 
didn't understand what OpenSource was and asked me what I did while 
'working at OpenSource' lol



As to different H/W yes there are still some different systems around... 
like IBM PowerPC P-series based systems, Oracle SPARC, I think HP's own 
UX capable machines are dead now; though my info could be several years 
out of date as I haven't dealt with this type of system in a long time.



Agreed that Cloud is a lot of corporate hype in many aspects as to lower 
expenditure.



Will you be building just the mail server or the whole infrastructure??


Virtually what you want to do is a good firewall protecting everything. 
OpenBSD excels at security so definitely recommended. As to mail server, 
I really think you need to research the different components first that 
make up the system.


Firstly for power reasons what type of usage do you estimate?

Will you be needing a separate external mail gateway?

Does your ISP offer Reverse DNS?


After that the best thing to do would be to setup a small lab with a 
test machine and try different setups out. Like say using Sendmail, 
Postfix etc for SMTP. Many people here have different opinions and 
takes on this but really it is up to you to decide what you like best 
and also what you need it to do - you can only find that out by testing 
out different things.


Then how your users will connect... IMAP, POP, HTTP?? In today's day and 
age IMAP is the preferred protocol but there of course are others - 
please do not ever mention M$ Exchange as it should be obliterated!



Once you understand the core components necessary then you will start to 
formulate specific questions of how/why is (x) needed etc... then 
answers can be more specific too but for now read a lot and test out 
different things to see which one fits you best :-)



Regards,


Kaya




Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-20 Thread Chris Bennett
On Tue, Nov 20, 2018 at 02:24:55PM -0500, Nick Holland wrote:
> On 11/20/18 11:43, Chris Bennett wrote:
> > I am almost certainly going to be replacing with a new server for an
> > organization I am a member of.
> > With all of this mess with Meltdown, Spectre, insecure motherboard
> > chips,etc.
> > I am pretty clueless on exactly what is going to be a secure set of
> > server hardware.
> > Intel, well no.
> > AMD? I have read about problems with non-CPU chips being compromised.
> > Another architecture? I have never used anything other than Intel/AMD.
> > 
> > The server will run httpd, mailserver, PostgreSQL and somehow a good way
> > for well encrypted messaging at times.
> 
> all on one server?
> 
> And as someone who has run a number of mail servers for a number of
> companies ... don't.  Just don't.  Running your own mail server is a
> good way to accomplish nothing except wasting a lot of time and making
> people hate you.
> 

The mail server is ONLY intended for members of the organization.
You would have me use gmail or yahoo?
The organization is suing another group for slander.

> > It is very likely to run out of Austin, Texas.
> > I think that having a direct connection would be best, but would a
> > proper setup make collocation OK?
> 
> You are using poorly defined buzzwords.  What you mean by a "direct
> connection", "proper setup", "collocation" and what I mean are likely
> very different.
> 

Well, then tell me some useful information. Correct my idiotic
buzzwords. There was carefully noted in my message that I am facing new
territory and need some advice.


> > This isn't going to be my server, I will just be in charge. That's
> > completely new for me.
> > Any advice is really welcome, everywhere I read anything, hardware seems
> > broken and insecure.
> 
> Pretty much all new HW is optimized in ways that we are now learning
> (and has been known for a long time) introduce security problems.
> However, most of the problems boil down to having malicious software
> running in the control of someone else on the same physical machine YOUR
> code is running on.
> 
> In short: No news.  Really.
> 
> If someone that wanted to do you evil lived in the same house as you,
> you would not be comfortable, right?  What if you put up walls
> (virtualization) that have proven to be about as robust as paper?
> That make you feel any better?  Probably not.  Virtualization has been
> proven -- over and over -- not terribly secure.  Now we got
> cross-virtualization platforms ways of stealing data from other
> processes.  Important? yes.  But in the big picture, it's similar to Yet
> Another buffer overflow.
> 

To be quite frank, and I don't mean anything negative to others using
virtualization, you couldn't pay me to even consider using something
that idiotic for trying to make a "secure" setup. And using the "clouds",
to me, is getting just a little bit too "high".

> So...split your tasks on different physical systems as much as possible.
>  If your webserver is serving static pages, it's probably pretty robust.
>  If it's running Wordpress or any other "any idiot can manage the web
> page" apps or dynamic web pages for other reasons, it should be a
> machine of its own and have no other important data on it.

Yes, using that idiotic Wordpress crap is exactly one of many problems I
am going to immediately fix. Whoever is in charge can't even make that
work!

> Your primary goal should be to keep the bad guys off your computer in
> every sense.  And again...nothing new here.
> 
> But if security is your concern, you want real hw you control in every
> sense.
> 

Which is exactly what my silly buzzwords were trying to get a point of
view on. I already assumed that having sole physical control was
essential. But questions not asked are never answered.

> Unfortunately, if you have performance requirements, your choices are
> AMD and Intel.  Older Intel and AMD chips aren't getting any support to
> deal with these problems, so your choices are incredibly old chips which
> are probably not in the most reliable hardware, and a whole bunch of
> other old, unreliable, and slow hardware platforms.  But be realistic.
> Your bosses will probably mandate a VM on someone else's hw, a wordpress
> website, one box for everything, and that you give him the root password
> which he'll e-mail to himself to keep it "secure".  Your most likely
> breach points will be an easily guessed password (usually, a manager's),
> a bug in a web content management system, or someone believing that
> "secure e-mail" is a thing.  In other words, Same Old Shit.  It probably
> won't be breached by a Spectre or Meltdown-like attack.  But it MIGHT
> be.  Obsessing about them is generally missing the real day-to-day risks.
> 

Does no one at all use OpenBSD for anything but making money or looking
cool?
Does no one at all do any kind of work for charity?
Is there some virus going around that makes everyone so hostile?

Why assume that 

Re: With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-20 Thread Nick Holland
On 11/20/18 11:43, Chris Bennett wrote:
> I am almost certainly going to be replacing with a new server for an
> organization I am a member of.
> With all of this mess with Meltdown, Spectre, insecure motherboard
> chips,etc.
> I am pretty clueless on exactly what is going to be a secure set of
> server hardware.
> Intel, well no.
> AMD? I have read about problems with non-CPU chips being compromised.
> Another architecture? I have never used anything other than Intel/AMD.
> 
> The server will run httpd, mailserver, PostgreSQL and somehow a good way
> for well encrypted messaging at times.

all on one server?

And as someone who has run a number of mail servers for a number of
companies ... don't.  Just don't.  Running your own mail server is a
good way to accomplish nothing except wasting a lot of time and making
people hate you.

> It is very likely to run out of Austin, Texas.
> I think that having a direct connection would be best, but would a
> proper setup make collocation OK?

You are using poorly defined buzzwords.  What you mean by a "direct
connection", "proper setup", "collocation" and what I mean are likely
very different.

> This isn't going to be my server, I will just be in charge. That's
> completely new for me.
> Any advice is really welcome, everywhere I read anything, hardware seems
> broken and insecure.

Pretty much all new HW is optimized in ways that we are now learning
(and has been known for a long time) introduce security problems.
However, most of the problems boil down to having malicious software
running in the control of someone else on the same physical machine YOUR
code is running on.

In short: No news.  Really.

If someone that wanted to do you evil lived in the same house as you,
you would not be comfortable, right?  What if you put up walls
(virtualization) that have proven to be about as robust as paper?
That make you feel any better?  Probably not.  Virtualization has been
proven -- over and over -- not terribly secure.  Now we got
cross-virtualization platforms ways of stealing data from other
processes.  Important? yes.  But in the big picture, it's similar to Yet
Another buffer overflow.

So...split your tasks on different physical systems as much as possible.
If your webserver is serving static pages, it's probably pretty robust.
If it's running Wordpress or any other "any idiot can manage the web
page" apps or dynamic web pages for other reasons, it should be a
machine of its own and have no other important data on it.
Your primary goal should be to keep the bad guys off your computer in
every sense.  And again...nothing new here.

But if security is your concern, you want real hw you control in every
sense.

Unfortunately, if you have performance requirements, your choices are
AMD and Intel.  Older Intel and AMD chips aren't getting any support to
deal with these problems, so your choices are incredibly old chips which
are probably not in the most reliable hardware, and a whole bunch of
other old, unreliable, and slow hardware platforms.  But be realistic.
Your bosses will probably mandate a VM on someone else's hw, a wordpress
website, one box for everything, and that you give him the root password
which he'll e-mail to himself to keep it "secure".  Your most likely
breach points will be an easily guessed password (usually, a manager's),
a bug in a web content management system, or someone believing that
"secure e-mail" is a thing.  In other words, Same Old Shit.  It probably
won't be breached by a Spectre or Meltdown-like attack.  But it MIGHT
be.  Obsessing about them is generally missing the real day-to-day risks.

Nick.



With all this CPU/hardware mess, any advice on what to use for an organization?

2018-11-20 Thread Chris Bennett
I am almost certainly going to be replacing with a new server for an
organization I am a member of.
With all of this mess with Meltdown, Spectre, insecure motherboard
chips, etc.
I am pretty clueless on exactly what is going to be a secure set of
server hardware.
Intel, well no.
AMD? I have read about problems with non-CPU chips being compromised.
Another architecture? I have never used anything other than Intel/AMD.

The server will run httpd, mailserver, PostgreSQL and somehow a good way
for well encrypted messaging at times.
It is very likely to run out of Austin, Texas.
I think that having a direct connection would be best, but would a
proper setup make collocation OK?

This isn't going to be my server, I will just be in charge. That's
completely new for me.
Any advice is really welcome, everywhere I read anything, hardware seems
broken and insecure.

Thanks a bunch for any help,
Chris Bennett




Re: OpenBSD with root FS mounted read only

2018-11-20 Thread Marko Cupać
Hi,

I'm a little late to the party, and missed this topic, which is very important for me.

On Thu, 15 Nov 2018 15:26:03 +0100
jean-yves boisiaud  wrote:

> Now, OpenBSD needs root FS mounted RW. And, from 6.4, even if fstab
> says root fs to be mounted RO, it stays RW and it is not possible to
> remount it RO manually. And lsof has been retired...

You can still mount rootfs RO. The trick is not to specify it as RO in
fstab, but to create a script in rc.conf.local which will periodically
check if the reorder_kernel script has finished its job, and only then
remount the partitions RO.

More details on my [WARNING!BLATANT-SELF-PROMOTION-BELOW!] blog:
[https://www.mimar.rs/blog/how-to-increase-openbsds-resilience-to-power-outages]

BUT, as I wrote there, there are problems with the above setup on 6.4. I
noticed tcpdump won't work when /etc is mounted RO. There is already a
patch available for testing, but I haven't yet found the time to get
to it:
[https://marc.info/?l=openbsd-bugs&m=154056998503006&w=2]

I have information that even if this patch is accepted, it won't be
released as a syspatch for 6.4, as it is not security-related.

I am reluctant to install RO 6.4 on my production firewalls because I
don't know if tcpdump is the only thing affected by unveil bug, or
there are also other components of the system that will behave badly
because of RO file systems.

Finally, RO rootfs is unsupported by OpenBSD, but I sincerely hope devs
will consider the fact that some users depend on it, and try not to
break it completely down the road.

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chip wood, draw water.

Marko Cupać
https://www.mimar.rs/
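A sketch of the "wait for the kernel relink, then remount RO" approach Marko describes above, as an added example that is not from the original post or his blog. The reorder_kernel path, the polling parameters and the mount invocation are assumptions to verify against your own OpenBSD 6.4 system before use.

```shell
#!/bin/sh
# Added example (not from the original post or Marko's blog).
# Assumption: /etc/rc starts /usr/libexec/reorder_kernel in the
# background at boot and it writes the relinked kernel to the rw root
# file system, so / must stay rw until it has exited. Run from a
# startup hook as: sh remount_ro.sh run

# Return 0 if a reorder_kernel process appears in the given ps(1)
# listing, 1 otherwise. The listing is passed as an argument so the
# check can be exercised offline against a constructed listing.
relink_running() {
    printf '%s\n' "$1" | grep -q reorder_kernel
}

# Poll until the relink has finished. $1 is the command (or shell
# function) that produces a process listing, $2 the sleep interval in
# seconds, $3 the maximum number of polls. Returns 0 when reorder_kernel
# is gone, 1 on timeout.
wait_for_relink() {
    lister=$1; interval=$2; tries=$3
    while [ "$tries" -gt 0 ]; do
        if ! relink_running "$($lister)"; then
            return 0
        fi
        sleep "$interval"
        tries=$((tries - 1))
    done
    return 1
}

# Remount an already mounted file system read-only (OpenBSD mount(8):
# -u updates an existing mount, -o ro switches it to read-only).
remount_ro() {
    mount -u -o ro "$1"
}

main() {
    # Poll ps every 5 seconds for at most 10 minutes (assumed values).
    if wait_for_relink "ps -ax" 5 120; then
        remount_ro /
    else
        logger -t remount_ro "reorder_kernel still running, leaving / rw"
    fi
}

case "${1:-}" in
    run) main ;;
esac
```

Marko's tcpdump observation still applies after the remount, so anything that needs a writable /etc has to be checked separately.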