I have been happy with my Lenovo x230 up until this point, but was really looking for a 1080p screen, NVMe support, and USB-C. Purism recently started supporting Coreboot and added an i7 processor to the 13″ model which helped sway my decision on purchasing a new laptop.
It certainly was not a cheap purchase, nevertheless I am glad that they are supporting Coreboot and working on reverse engineering Intel ME. Hopefully they will continue to contribute to open source and their work on freedom-respecting computers. I believe in voting with your dollars and want to see more current hardware supported by Coreboot in the future.
The i7 models are currently backordered, but it sounds like my new laptop should ship sometime in August or September. I may decide to write up a simple review or comparison to the x230 once it arrives.
I have used OpenWrt in the past and had not heard of the LEDE Project until I was researching the ability to reflash Meraki gear. I picked up a couple Meraki MR24s for cheap on eBay after finding out they were supported. The hardware is a 3×3 MIMO 802.11n access point which supports up to 900 Mbps. If you are not familiar with Meraki, it is cloud-based gear that is managed from the cloud and requires users to purchase a yearly license.
A GitHub user named riptidewave93 posted code and a flashing guide to liberate the Meraki and convert it to a standard access point. His work was merged into the LEDE Project, but has not made it into OpenWrt yet.
His flashing process is pretty straightforward, but doesn’t cover the UART pins which can be found here:
To open the case you need a T6 Torx bit and I used a knife to pry the metal case past the plastic.
On the other side I hooked up my USB to Serial adapter and booted into LEDE.
Some of the information was all over the place which is why I consolidated it here. The AP has been working great and it is worth the cost if you are looking for an enterprise level Wireless-N device.
As a system administrator I deal with a lot of different systems and accounts on a daily basis. Over the last six months I have been struggling with the idea of splitting work from my personal life. I would like to keep them separate, but the thought of carrying two laptops makes me cringe.
Qubes OS aims to solve this problem and many others by splitting these activities into different AppVMs. Qubes OS 3.2 was released recently and I thought now would be a good time to try switching.
After installing Qubes, I had it create the basic AppVMs. These included untrusted, personal, and work. I am a big fan of Debian so I switched all the default VMs to the debian-8 template. The last step was to configure my personal and work AppVMs which included a new LastPass account and adding some applications to the template.
Now I will work on getting used to the new workflow and plan on adding interesting information to the blog as I run across it.
At work we switched from using Puppet Enterprise to Ansible for a variety of reasons. After the switch I disabled the Puppet agents, but never got around to uninstalling all of them.
Recently, I ran into an issue where one server suddenly turned the Puppet agent back on and reverted changes that were made. I decided it was time to clean up the mess, but Puppet requires files from the server in order to uninstall the agent and my server was long gone.
The new version of Libreboot was just released which brings new hardware compatibility and tons of great improvements. I am excited to update my Lenovo x200s and will make sure to update this post with a quick overview of my experience.
This is one of the features that really popped out for me:
256MiB VRAM allocated on GM45 (X200, T400, T500, R400) instead of 32MiB. This is an improvement over both Lenovo BIOS and Libreboot 20150518, allowing video decoding at 1080p to be smoother. (thanks Arthur Heymans) To clarify, GM45 video performance in libreboot 20160818 is better than on the original BIOS and the previous libreboot release.
They also improved battery life across multiple models.
You can read all the changes here and download the software from their website.
I spent the last couple days pulling my hair out trying to figure out why flashrom kept failing to flash my Lenovo x220 with coreboot. I was able to get a successful backup of my firmware after shortening the cables, but for some reason writing an image kept failing. When running the command the chip would randomly not be found or sometimes acted like it disconnected during the operation. At this point my laptop was bricked and I was having trouble finding anyone else on the internet having the same problem.
I am using the BeagleBone Black as a SPI flasher and it has been successful in the past with my Lenovo x200s. The flash chip was powered with 3.3V from a cheap breadboard power supply. The Libreboot project provides a really nice guide and some troubleshooting tips.
I was suspicious that the power supply wasn’t supplying a stable 3.3V so I ordered an expensive Sparkfun model and a Teensy 3.2 as a good backup plan.
After receiving my order, the off brand and Sparkfun breadboard power supplies did not show any positive improvements to my problem. However, pulling 3.3V from the Teensy did. I was able to flash and boot my laptop. I believe my main issue was the fact that voltage was not stable or high enough to properly flash the chip. The chart below shows the measured voltage outputs using a decent multimeter:
5V – 2A
9V – 650mA
12V – 1A (Linksys)
This chart makes me think that my original method using the black breadboard power supply and the Linksys wall adapter should have worked. However, I am not sure how to measure voltage under draw and maybe it dropped too low when the write started. I also did not test all of the above options for flashing. It is important to note how much the power supplies are affected by different power adapters.
My theory is that I did not have problems flashing my x200s because the flash chip was older and smaller which required less voltage to write. Reading a chip might also require less voltage which is how I got a good backup and was able to build my coreboot image. I do not pretend to be an expert in electronics so please correct me in the comments if you have a better idea than me. I am just trying to provide my findings to hopefully help another person.
Next time my flash is failing the first thing I will do is pull out a multimeter and double check the voltage.
Edit (8-2-2017): I found out that a 5V adapter and the USB connection on the BeagleBone Black makes the built-in 3.3V pinout work just fine. I saw this in some other documentation recently and I am not sure if it is new or if I overlooked it before.
I have been trying to support the open source and free software communities more over the past couple years. Linux has become a big part of my job and I use free software every day instead of Windows. I was especially excited about Let’s Encrypt because they provide anyone a free and trusted certificate at zero cost. Since Let’s Encrypt became available to the public, it has issued more than five million certificates.
In the past Comodo has made some questionable decisions and most recently they tried to steal the Let’s Encrypt trademark. I imagine Comodo saw Let’s Encrypt as a threat and damaging to their business of selling certificates. Thankfully Let’s Encrypt reached out to the community and we spoke out. Long story short, Comodo backed off and removed their trademark requests. I assume most people may already know about it, but you can read a summary here.
After I saw the response from Comodo’s CEO, Melih, I contacted Namecheap who resells Comodo certificates. Melih is clearly confused and does not understand the difference between giving customers a 90-day free trial and giving certs away for free and forever. Amazingly, as of July 23, 2016, Comodo has not pulled down the forum post from their CEO, but I uploaded a backup screenshot here just in case. After this shady move, Namecheap said they appreciate the current partnership. So now it is time for me to personally stop supporting Comodo and switch to Let’s Encrypt.
I recently built a tower server to provide room for a nice GPU. I had most of the parts already because I was pulling them from a rack mount server chassis, but I knew that regular heat sinks would not be sufficient. I then discovered, the hard way, that the Cooler Master 212 EVO does not fit on server LGA1366. The screws were not able to thread into the Xeon backplate. The Cooler Master used to be my go-to cooler for desktop applications. After the Cooler Masters were returned, I ordered a set of Intel Server/Workstation coolers because I knew they would be compatible. They did a decent job, but had an unbearable loud whine to them. I keep my servers in the spare bedroom next to mine and you could just hear the things screaming away through the door/walls.
After a little more research I settled on spending more money and ordering two Noctua i4 CPU Coolers. Their website clearly shows they are compatible with the LGA1366 socket and Xeon backplate. There were also some good reviews from people online saying these fans were quiet and worked well. The only bad reviews were the ones where people did not realize they were shipped a server CPU cooler and had to order the motherboard backplate separately.
I have used Plex on and off for a while. After spending some time away from home I decided to get the software set up again. Plex makes it easy for less technical people, but it feels like some control is removed from advanced users. My first pet peeve was that there is not a great way to change the port or URL. You are stuck with something that looks like http://127.0.0.1:32400/web/. Second, to enable TLS they recommend you configure Remote Access. Remote Access will allow you to log into their protected website and it will direct you to the server. It is magic, but you lose the ability to use your own domain name.
I have been using Apache proxies at work for a few projects and wanted to set up the same thing for Plex. It turns out Matt Coneybeare decided to do this in 2013. Matt’s walkthrough is really good and you can find it here. I wanted to take it a step further and configure https/redirection.
We are planning an upgrade to a software package called PacketFence. PacketFence calls themselves, “a fully supported, trusted, Free and Open Source network access control (NAC) solution.” I was excited for this project because I am making a push to upgrade servers to newer versions of Red Hat. However, I was extremely disappointed after reviewing their server requirements. This is 2016 and companies are still requesting that security measures such as SELinux, and in this case, even the firewall gets disabled. I understand that it is an open source product, but we pay for the commercial support. Software providers should be vigilant while protecting their users. PacketFence is certainly not the only offender of this… they were just the ones I was looking at while having the motivation for a blog post. Cough, Cough, Ellucian. The site goes on to say:
Regarding SELinux or AppArmor, even if these features may be wanted by some organizations, PacketFence will not run properly if SELinux or AppArmor are enabled.
The focus in 2016 has been on encryption and many people are calling it the Crypto Wars 2.0, but we can’t forget about enabling and pushing other security measures as well. SELinux is commonly the first thing people disable when they have problems instead of trying to understand and incorporate it into their security plan. Some banks are still using lousy security questions, not supporting strong passwords, and have no method of enabling two-factor authentication. Anyone with a Facebook account and Google can probably figure out where you went to high school.
If people are not requesting the features then they will not be added. I reached out to PacketFence on Twitter and will hopefully hear back some good news.
By the way, Red Hat released a fun coloring book to help administrators learn SELinux!