
Posts Tagged ‘security’

Wanscam HW0026 720p IP Camera Goes for $9.99 (Promo)

September 18th, 2017

Wanscam HW0026 is a 720p IP camera with night vision, motion detection, and ONVIF 2.1 support that was launched in 2015, although they seem to have updated the model since then. GearBest now has a promotion for the US version of the camera for just $9.99 shipped. The version with the EU plug is sold for $15 shipped without any deep discount.


Wanscam HW0026 IP camera features and specifications:

  • Camera
    • 720P HD resolution, 1.0MP 1/4 inch CMOS sensor, 1 – 25fps adjustable frame rate
    • 90 degree wide angle FOV, 3.6mm lens
    • Supports 10 LEDs for night vision with infrared distance up to 10m
    • Motion detection up to 10 – 15m
    • Video – H.264 codec, AVI container, NTSC or PAL standard.
  • Storage – micro SD card up to 64 GB
  • Connectivity
    • 802.11 b/g/n WiFi
    • Protocols – DDNS, DHCP, FTP, LAN, P2P, RTSP, TCP, UPNP
  • Audio – Built-in mic and speaker, supports two-way intercom
  • Power Supply – 5V / 1A
  • Dimensions – 11.70 cm x 8 cm x 8 cm
  • Weight – 104 grams

The camera can be controlled from web browsers on desktop operating systems like Mac OS, Windows, or Linux, as well as from Android or iOS smartphones using the E-view 7 app. It ships with an English user manual, an accessories kit and a power adapter. I could not find custom open source firmware, or specific hacks for the camera, but since it’s compliant with ONVIF 2.1, it should be compatible with third party programs like Xeoma, and NAS with support for surveillance cameras. The old model was based on Hisilicon Hi3518E processor, but the new version appears to be based on Ingenic T10 MIPS processor.

Thanks to Ivo for the tip

Arm Research Summit 2017 Streamed Live on September 11-13

September 11th, 2017

The Arm Research Summit is “an academic summit to discuss future trends and disruptive technologies across all sectors of computing”, with the second edition of the event taking place now in Cambridge, UK until September 13, 2017.


The agenda includes various subjects such as architecture and memory, IoT, HPC, computer vision, machine learning, security, servers, biotechnology and others. You can find the full detailed schedule for each day on the Arm website, and the good news is that the talks are streamed live on YouTube, so you can follow the talks that interest you from the comfort of your home/office.

Note that you can switch between rooms in the stream above by clicking on <-> icon. Audio volume is a little low…

Thanks to Nobe for the tip.

MINIX NEO Z83-4 Pro Mini PC Review – Part 2: Windows 10 Pro

September 5th, 2017

MINIX launched NEO Z83-4 Cherry Trail mini PC last year, but the company has now launched NEO Z83-4 Pro, an updated version with a slightly faster Atom X5-Z8350 processor, Windows 10 Pro (instead of Home), and a VESA mount kit. I’ve already checked the hardware in the first part of the review, so today I’ll report my experience with Windows 10 Pro.

Windows 10 Home vs Windows 10 Pro

My main computer runs Ubuntu 16.04, and I’m only using Windows 10 during reviews… But so far all other mini PCs I tried came with Windows 10 Home, and NEO Z83-4 Pro is my first Windows 10 Pro computer. So I had to educate myself, and Microsoft website has a comparison between the two versions of Windows 10. Windows 10 Pro supports all features of Windows 10 Home, plus the following:

  • Security
    • Windows Information Protection – Formerly Enterprise Data Protection (EDP), requires either Mobile Device Management (MDM) or System Center Configuration Manager to manage settings. Active Directory makes management easier, but is not required.
    • Bitlocker – Full disk encryption support. Requires TPM 1.2 or greater for TPM based key protection. More details here.
  • Business – Management and deployment
    • Group Policy
    • Enterprise State Roaming with Azure Active Directory – Separate subscription for Azure Active Directory Premium required
    • Windows Store for Business – Available in select markets. Functionality and apps may vary by market and device
    • Assigned Access
    • Dynamic Provisioning
    • Windows Update for Business
    • Shared PC configuration
    • Take a Test – app in Windows 10 to create the right environment for taking a test (education)
  • Windows Fundamentals
    • Domain Join
    • Azure Active Directory Domain Join, with single sign-on to cloud-hosted apps – Separate subscription for Azure Active Directory required
    • Enterprise Mode Internet Explorer (EMIE) – For compatibility issues of web apps in Internet Explorer 11 (emulates IE 8).
    • Remote Desktop
    • Client Hyper-V

If you don’t understand some of the options, you most probably don’t need them. Bitlocker works more securely if a TPM (Trusted Platform Module) chip is present in the system, so the presence of that secure chip is something I’ll have to check out during the review. AFAIK, the original MINIX NEO Z83-4 does not include any TPM.

A few days ago, I wrote about BBen MN10 TV stick available with either Windows 10 Home or Windows 10 Pro, and the former is offered for $21.39 extra, the latter for $30.33, so the Pro version is only about $10 more expensive than the Home version on such entry level hardware. If you had to purchase Windows 10 Pro license by yourself, it would cost $199.99, or the same price as the complete MINIX NEO Z83-4 Pro mini PC including the Win10 Pro license… That sounds crazy/unbelievable, but apparently that’s just the way Microsoft handles licenses, and one of the main reasons MINIX decided to launch this new model.

MINIX NEO Z83-4 Pro Setup & System Information

I connected a USB 3.0 hard drive to the USB 3.0 port, USB mouse and keyboard, HDMI and Ethernet cables, and started up the device by pressing the power button right after connecting the 12V power adapter.


The first boot was a little different than what I’m accustomed to, as I was doing something, I started to hear a female voice… asking to select the region… So Microsoft has now enabled Cortana voice assistant by default in the setup Wizard. If you don’t like it you can turn it off by pressing the Volume icon on the bottom right corner.

NEO Z83-4 Pro does not come with a built-in microphone, but if you have one you can answer “Yes” to go to the next step while Cortana is listening. I’ve shot a short video to show what the new Windows 10 (Pro) setup wizard feels like.

The whole process is slightly different. For example, I normally do not sign-in with a Microsoft account, and used to press skip in that section, but there’s no such Skip button in the new interface, and instead you can click on Offline account button in the bottom left.

You’ll also be asked about privacy settings for location, diagnostics, speech recognition, and so on, which I cannot remember in other mini PCs I tested with Windows 10. All options are enabled by default, so if you want better privacy you should set them to off.


Once the setup is complete Windows 10 Pro looks just like Windows 10 Home, except you’ll be informed you are running the Pro version in the System window.


That window confirms the information we already knew with Z83-4 Pro model powered by Intel Atom x5-Z8350 processor @ 1.44 GHz, with 4GB RAM, and Windows is activated.
The eMMC flash has a 28.2GB Windows drive (C:) with 16.5 GB free. The system could also detect the NTFS and exFAT partitions on my USB drive, as well as some Windows network locations.


I’ve also taken a screenshot for the Device Manager to get more technical details, and we can also notice a Trusted Platform Module 2.0 is enabled, so that’s another feature in Z83-4 Pro that was absent from Z83-4 mini PC.


I also started tpm.msc to get some more details about the TPM as shown above, and by default it is not enabled, but you can follow Microsoft TPM instructions to use it properly for better – hardware based – security.


HWiNFO64 shows further details about the system and processor.

I noticed the computer would turn off (not sleep) by itself after a few minutes when I ran benchmarks. I could fix that by going to Power & sleep settings and changing the 10 minutes sleep time to Never.


MINIX NEO Z83-4 Pro Benchmarks

Z83-4 Pro was strangely slightly slower than Z83-4 mini PC in PCMark 8 Home Accelerated 3.0 with 1,445 points against 1,543 points for the latter.


If we look at the details, we can actually see Z83-4 Pro was faster in most tests, but is 50% slower in Advanced Photo Editing Accelerated, and significantly slower in Video Chat Encoding v2 Accelerated, so there might be a driver issue with OpenCL support since those accelerated tests are supposed to leverage the GPU. You’ll find the detailed results here.


I’ve also run the newer PCMARK 10 benchmark to have a reference point for Cherry Trail platform, and in this test Z83-4 Pro got 896 points, which compares to 1,334 points on a faster Celeron N3350 Apollo Lake mini PC.

Passmark 9.0 failed in the 3D graphics section, so I ran Passmark 8.0 instead, where the device got 698.8 points, against 656.30 points in the original Z83-4 mini PC, a result closer to expectations.

NEO Z83-4 Pro achieved 20,284 and 233 points respectively on 3DMark’s Ice Storm 1.2 and Fire Strike 1.1 3D benchmarks, which compares to 16,030 points and 187 points on the older version.


The extra boost is likely due to the higher GPU frequency on x5-Z8350 SoC.

CrystalDiskMark 5.2.1 shows roughly the same eMMC flash performance as on MINIX NEO Z83-4 model. That’s rather average but normal for 32GB parts mandated by Microsoft for a discounted license.


What’s not so good however is the sequential write speed on the NTFS partition of my USB hard drive, as it can normally achieve 90 to 100 MB/s on most hardware.
The read performance is normal however. So I repeated the test, but got the same poor write speed. I retried a few days later, and after a disk scan, but write speed only went up to around 45 MB/s. So something looks wrong here.


For that reason, I also ran the benchmark on the exFAT partition, and write benchmark is fairly normal at close to 80 MB/s, so it’s not a USB issue, and looks like some issues with NTFS or caching.

Sadly, WiFi AC testing with iperf yielded under average performance.

[Chart: iperf upload and download throughput in Mbps]

So overall the tests show everything is mostly working as expected, except for OpenCL acceleration in PCMark 8, NTFS sequential write speed, and 802.11ac WiFi performance, which do not look that good compared to the competition, at least with my TP-Link router.


Finally, I’ve compared MINIX NEO Z83-4 Pro benchmark results (adjusted for easier comparison) to Atom x5-Z8300 / x5-Z8500 mini PCs including NEO Z83-4, Kangaroo Desktop, and Tronsmart Ara X5, and as one should expect, there aren’t that many differences between the devices. Z83-4 Pro is slightly faster than x5-Z8300 devices, but a bit slower than an x5-Z8500 mini PC.

Chart adjustments as follows: 3DMark Ice Storm divided by 20, 3DMark Fire Strike multiplied by 4, and storage results multiplied by 5.

MINIX NEO Z83-4 Usability and Stress Testing

I repeated the test I did for Z83-4 to see how the mini PC performs in a typical desktop use case, and check out some BIOS settings.

  • Multi-tasking – Using Firefox, Thunderbird, LibreOffice, and Gimp at the same time
  • Web Browsing
    • Loading multiple tabs with CNX Software blog in Firefox
    • Playing 1080p & 4K YouTube Videos in Firefox
    • Playing Candy Crush Saga in Firefox (now smoother/faster since it’s not using Adobe Flash anymore)
  • Gaming with Asphalt 8: Airborne
  • MINIX UEFI Settings

The experience is so similar to MINIX NEO Z83-4 that I have not done another video, and if you want to get a feel for the system performance you can check out last year’s video.

One difference is that there’s a new MINIX option in the BIOS: USB charging that allows you to charge your phone or other device via the USB 3.0 ports even when the mini PC is turned off. That’s an addition to existing BIOS options to set earphone standard, (automatic) AC power on, Wake-on-LAN, and RTC wake up.

I used Aida64 Extreme’s system stability test for 2 hours to stress the computer in combination with HWiNFO64 to monitor CPU temperature and potential throttling, but the latter never happened, and temperature never exceeded 69°C, or a cool 34°C away from the junction temperature, with an ambient room temperature of around 30°C.


So I’d expect the mini PC to perform consistently even in hot climate / room with temperatures exceeding 35/40°C.

Finally some power consumption numbers with all USB devices connected:

  • Power off – 0.2 Watts
  • Sleep – 3.3 Watts
  • Idle – 4.2 Watts
  • Aida64 stress test – 9.4 Watts

Conclusion

If you’re one of the customers who purchased MINIX NEO Z83-4 mini PC and installed Windows 10 Pro, upgrading to NEO Z83-4 Pro for your next purchases is a no-brainer, since performance is similar – usually a bit better -, and you’ll save a nice amount of money on the Windows license. The device also includes enterprise features like a TPM 2.0 module, and ships with a VESA mount. So overall, I’m very pleased with the device, and the only issues I found are disappointing sequential write speed to external USB 3.0 storage with NTFS file system, OpenCL based tests in PCMark 8 are slower than usual for this type of hardware, and WiFi 802.11ac – as tested with iperf – is not quite as fast as on other 802.11ac platforms I’ve tested.

MINIX NEO Z83-4 Pro mini PC sells for $189.99 and up on various sites including Amazon, GeekBuying, GearBest, Chinavasion, and others.

Linux 4.13 Release – Main Changes, ARM & MIPS Architectures

September 4th, 2017

Linus Torvalds has just announced the release of Linux 4.13 and a kidney stone…:

So last week was actually somewhat eventful, but not enough to push me to delay 4.13.

Most of the changes since rc7 are actually networking fixes, the bulk of them to various drivers. With apologies to the authors of said patches, they don’t look all that interesting (which is definitely exactly what you want just before a release). Details in the appended shortlog.

Note that the shortlog below is obviously only since rc7 – the _full_ 4.13 log is much too big to post and nobody sane would read it. So if you’re interested in all the rest of it, get the git tree and limit the logs to the files you are interested in if you crave details.

No, the excitement was largely in the mmu notification layer, where we had a fairly last-minute regression and some discussion about the problem. Lots of kudos to Jérôme Glisse for jumping on it, and implementing the fix.

What’s nice to see is that the regression pointed out a nasty and not very well documented (or thought out) part of the mmu notifiers, and the fix not only fixed the problem, but did so by cleaning up and documenting what the right behavior should be, and furthermore did so by getting rid of the problematic notifier and actually removing almost two hundred lines in the process.

I love seeing those kinds of fixes. Better, smaller, code.

The other excitement this week was purely personal, consisting of seven hours of pure agony due to a kidney stone. I’m all good, but it sure _felt_ a lot longer than seven hours, and I don’t even want to imagine what it is for people that have had the experience drag out for longer. Ugh.

Anyway, on to actual 4.13 issues.

While we’ve had lots of changes all over (4.13 was not particularly big, but even a “solidly average” release is not exactly small), one very _small_ change merits some extra attention, because it’s one of those very rare changes where we change behavior due to security issues, and where people may need to be aware of that behavior change when upgrading.

This time it’s not really a kernel security issue, but a generic protocol security issue.

The change in question is simply changing the default cifs behavior: instead of defaulting to SMB 1.0 (which you really should not use: just google for “stop using SMB1” or similar), the default cifs mount now defaults to a rather more modern SMB 3.0.

Now, because you shouldn’t have been using SMB1 anyway, this shouldn’t affect anybody. But guess what? It almost certainly does affect some people, because they blithely continued using SMB1 without really thinking about it.

And you certainly _can_ continue to use SMB1, but due to the default change, now you need to be *aware* of it. You may need to add an explicit “vers=1.0” to your mount options in /etc/fstab or similar if you *really* want SMB1.

But if the new default of 3.0 doesn’t work (because you still use a pterodactyl as a windshield wiper), before you go all the way back to the bad old days and use that “vers=1.0”, you might want to try “vers=2.1”. Because let’s face it, SMB1 is just bad, bad, bad.

Anyway, most people won’t notice at all. And the ones that do notice can check their current situation (just look at the output of “mount” and see if you have any cifs things there), and you really should update from the default even if you are *not* upgrading kernels.

Ok, enough about that. It was literally a two-liner change to defaults – out of the million or so lines of the full 4.13 patch changing real code.

Go get the new kernel,

Linus

Two months ago, Linux 4.12 was released with initial support for AMD Radeon RX Vega GPU, BFQ (Budget Fair Queuing) and Kyber block I/O schedulers, AnalyzeBoot tool for the kernel, “hybrid consistency model” implementation for live kernel patching, but disabled the Open Sound System, and removed AVR32 support, among many other changes.

Some interesting changes in Linux 4.13 – mostly based on LWN 4.13 Merge Window part 1 & part 2 – include:

  • Support for non-blocking buffered I/O operations added at the block level, which should also improve asynchronous I/O support when used with buffered I/O.
  • AppArmor security module’s “domain labeling” code has been merged into the mainline. It was maintained by Ubuntu out of tree previously.
  • Kernel-based TLS implementation that should deliver better performance for HTTPS, and other protocols relying on TLS.
  • CIFS/SAMBA now defaults to v3.0 instead of v1.0 due to security issues
  • File System Changes – EXT-4: support for up to ~2 billion files per directory with largedir option, extended attributes up to 64KB, new deduplication feature; f2fs: supports disk quotas; overlayfs union: new “index directory” feature that makes copy-up operations work without breaking hard links.
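
An added example (not from the original post or the kernel tree): a POSIX shell check that reads fstab-format entries and reports cifs mounts that pin SMB1 with vers=1.0 or, on kernels older than 4.13, fall back to it by omitting vers=. The function names, host names and sample entries are constructed, and the version comparison assumes a mainline kernel without backported defaults.

```sh
#!/bin/sh
# Added example: audit fstab-format lines for CIFS mounts that use SMB1.
# All names and sample entries below are constructed for illustration.

# kernel_defaults_to_smb1 VERSION
# Exit status 0 if VERSION (e.g. "4.12.9") is older than 4.13, the release
# where the default cifs dialect changed from SMB 1.0 to SMB 3.0.
# Assumption: mainline versioning; a distro kernel may carry a backport.
kernel_defaults_to_smb1() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "${minor:-0}" -lt 13 ]; }
}

# audit_cifs_fstab FILE KERNEL_VERSION
# Prints one "STATUS mountpoint detail" line per cifs entry in FILE
# (use "-" for stdin). STATUS is FAIL (SMB1 in use), WARN (dialect left
# to the kernel default) or OK (dialect set explicitly, not 1.0).
audit_cifs_fstab() {
    if kernel_defaults_to_smb1 "$2"; then implicit=SMB1; else implicit=3.0; fi
    awk -v implicit="$implicit" '
        /^[ \t]*#/   { next }    # comment line
        NF < 4       { next }    # blank or incomplete entry
        $3 != "cifs" { next }    # only CIFS client mounts
        {
            vers = ""
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] ~ /^vers=/) vers = substr(opt[i], 6)

            if (vers == "1.0")
                print "FAIL", $2, "SMB1 pinned with vers=1.0"
            else if (vers == "" && implicit == "SMB1")
                print "FAIL", $2, "no vers= option, kernel default is SMB1"
            else if (vers == "")
                print "WARN", $2, "no vers= option, relies on kernel default " implicit
            else
                print "OK", $2, "vers=" vers
        }
    ' "$1"
}

# Constructed sample entries, not from a real system.
sample_fstab() {
cat <<'EOF'
# <share>              <mountpoint> <type> <options>                       <dump> <pass>
UUID=0000-0000         /            ext4   defaults                        0 1
//nas.example/media    /mnt/media   cifs   credentials=/etc/cifs.cred,vers=1.0 0 0
//nas.example/backup   /mnt/backup  cifs   credentials=/etc/cifs.cred      0 0
//nas.example/docs     /mnt/docs    cifs   credentials=/etc/cifs.cred,vers=3.0,ro 0 0
//oldnas.example/scans /mnt/scans   cifs   guest,vers=2.1                  0 0
EOF
}

# Same entries judged against a kernel before and after the default change.
echo "== kernel 4.12.9 =="
sample_fstab | audit_cifs_fstab - 4.12.9
echo "== kernel 4.13.0 =="
sample_fstab | audit_cifs_fstab - 4.13.0
```

On a real system the input would be /etc/fstab and the output of `uname -r`; the WARN status reflects the advice in the announcement to set the dialect explicitly rather than rely on the default.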

Changes specific to ARM include:

  • Rockchip:
    • Added support for RV1108 SoC for camera applications
    • Rockchip IOMMU driver is now available on ARM64
    • PCIe – configure Rockchip MPS and reorganize + use normal register bank
    • Clock driver for Rockchip RK3128 SoC
    • Rockchip pinctrl driver now supports iomux-route switching for RK3228, RK3328 and RK3399
    • Sound driver – Support for Rockchip PDM controllers
    • Device tree
      • Added RK3399-Firefly SBC
      • Added ARM Mali GPU
      • Added cru
      • Added sdmmc, sdio, emmc nodes for Rockchip RK3328
  • Amlogic
    • Updated CEC EE clock support
    • Enabled clock controller for 32-bit Meson8
    • Device tree changes
      • Meson UARTs
      • new SPI controller driver
      • HDMI & CVBS for multiple boards
      • new pinctrl pins for SPI, HDMI CEC, PWM
      • Ethernet Link and Activity LEDs pin nodes
      • SAR ADC support for Meson8 & Meson8b
    • Defconfig changes – Meson SPICC enabled as module; IR core, decoders and Meson IR device enabled;
    • New boards & devices: NanoPi K2, Libre Computer SBC, R-Box Pro
  • Samsung
    • Clock driver updated for Samsung Exynos 5420 audio clocks, and converted code to clk_hw registration APIs
    • Pinctrl drivers split per ARMv7 and ARMv8 since there’s no need to compile everything on each of them
    • ARM DT updates:
      • Add HDMI CEC to Exynos5 SoCs + needed property for CEC on Odroid U3
      • Fix reset GPIO polarity on Rinato
      • Minor cleanups and readability improvements.
    • ARM64 DT updates:
      • Remove unneeded TE interrupt gpio property
    • Defconfig changes – Some cleanups, enabled Exynos PRNG along with user-space crypto API.
  • Qualcomm
    • Clock & pinctrl drivers for Qualcomm IPQ8074
    • Add debug UART addresses for IPQ4019
    • Improve QCOM SMSM error handling
    • Defconfig
      • Enable HWSPINLOCK & RPMSG_QCOM_SMD to get some Qualcomm boards to work out of the box/again
      • Enable IPQ4019 clock and pinctrl
    • Mailbox – New controller driver for Qualcomm’s APCS IPC
    • RPMsg – Qualcomm GLINK protocol driver and DeviceTree-based modalias support, as well as a number of smaller fixes
    • Qualcomm Device Tree Changes
      • Fix IPQ4019 i2c0 node
      • Add GSBI7 on IPQ8064
      • Add misc APQ8060 devices
      • Fixup USB related devices on APQ8064 and MSM8974
    • Qualcomm ARM64 Updates for v4.12
      • Fix APQ8016 SBC WLAN LED
      • Add MSM8996 CPU node
      • Add MSM8992 SMEM and fixed regulator
      • Fixup MSM8916 USB support
  • Mediatek
    • CPU clks for Mediatek MT8173/MT2701/MT7623 SoCs
    • Pinctrl – Serious code size cut for MT7623
    • Mediatek “scpsys” system controller support for MT6797
    • Device tree
      • Added support for MT6797 (Helio X20) mobile SoC and evaluation board
      • Extended MT7623 support significantly
      • Added MT2701 i2c device & JPEG decoder nodes
  • Other new ARM hardware platforms and SoCs:
    • STM32 – stm32h743-disco, stm32f746-disco, and stm32f769-disco boards; Drivers for digital audio interfaces, S/PDIF receiver, digital camera interfaces, HDMI CEC, watchdog timer
    • NXP – Gateworks Ventana GW5600 SBC;  Technexion Pico i.MX7D board; i.MX5/6 image processing units & camera sensor interfaces
    • Realtek – Initial support for Realtek RTD1295 SoC and Zidoo X9S set-top-box
    • Actions Semi – Initial support for Actions Semi S900 / S500, and corresponding LeMaker Guitar & Bubblegum-96 SBCs
    • Renesas – Salvator-XS and H3ULCB automotive development systems; GR-Peach board, iWave G20D-Q7 System-on-Module plus
    • Socionext – Uniphier board support for LD11-global and LD20-global
    • Broadcom – Stingray communication processor and two reference boards;
    • Marvell – Linksys WRT3200ACM router
    • Texas Instruments – BeagleBone Blue
    • Microchip / Atmel – MMU-less ARM Cortex-M7 SoCs (SAME70/V71/S70/V70)

Some of the changes specific to MIPS include:

  • Boston platform support – Document DT bindings; Add CLK driver for board clocks
  • CM – Avoid per-core locking with CM3 & higher; WARN on attempt to lock invalid VP, not BUG
  • CPS – Select CONFIG_SYS_SUPPORTS_SCHED_SMT for MIPSr6; Prevent multi-core with dcache aliasing; Handle cores not powering down more gracefully; Handle spurious VP starts more gracefully
  • DSP – Add lwx & lhx misaligned access support
  • eBPF – Add MIPS support along with many supporting changes to add the required infrastructure
  • Generic arch code:
    • Misc sysmips MIPS_ATOMIC_SET fixes
    • Drop duplicate HAVE_SYSCALL_TRACEPOINTS
    • Negate error syscall return in trace
    • Correct forced syscall errors
    • Traced negative syscalls should return -ENOSYS
    • Allow samples/bpf/tracex5 to access syscall arguments for sane traces
    • Cleanup from old Kconfig options in defconfigs
    • Fix PREF instruction usage by memcpy for MIPS R6
    • Fix various special cases in the FPU emulation
    • Fix some special cases in MIPS16e2 support
    • Fix MIPS I ISA /proc/cpuinfo reporting
    • Sort MIPS Kconfig alphabetically
    • Fix minimum alignment requirement of IRQ stack as required by ABI / GCC
    • Fix special cases in the module loader
    • Perform post-DMA cache flushes on systems with MAARs
    • Probe the I6500 CPU
    • Cleanup cmpxchg and add support for 1 and 2 byte operations
    • Use queued read/write locks (qrwlock)
    • Use queued spinlocks (qspinlock)
    • Add CPU shared FTLB feature detection
    • Handle tlbex-tlbp race condition
    • Allow storing pgd in C0_CONTEXT for MIPSr6
    • Use current_cpu_type() in m4kc_tlbp_war()
    • Support Boston in the generic kernel
  • Generic platform:
    • yamon-dt: Pull YAMON DT shim code out of SEAD-3 board;  Support > 256MB of RAM;  Use serial* rather than uart* aliases
    • Abstract FDT fixup application
    • Set RTC_ALWAYS_BCD to 0
    • Add a MAINTAINERS entry
  • core kernel – qspinlock.c: include linux/prefetch.h
  • Add support for Loongson 3
  • Perf – Add I6500 support
  • SEAD-3 – Remove GIC timer from DT; set interrupt-parent per-device, not at root node; fix GIC interrupt specifiers
  • SMP – Skip IPI setup if we only have a single CPU
  • VDSO – Make comment match reality; improvements to time code in VDSO
  • Various fixes:
    • compressed boot: Ignore a generated .c file
    • VDSO: Fix a register clobber list
    • DECstation: Fix an int-handler.S CPU_DADDI_WORKAROUNDS regression
    • Octeon: Fix recent cleanups that cleaned away a bit too much thus breaking the arch side of the EDAC and USB drivers.
    • uasm: Fix duplicate const in “const struct foo const bar[]” which GCC 7.1 no longer accepts.
    • Fix race on setting and getting cpu_online_mask
    • Fix preemption issue. To do so cleanly introduce macro to get the size of L3 cache line.
    • Revert include cleanup that sometimes results in build error
    • MicroMIPS uses bit 0 of the PC to indicate microMIPS mode. Make sure this bit is set for kernel entry as well.
    • Prevent configuring the kernel for both microMIPS and MT. There are no such CPUs currently and thus the combination is unsupported and results in build errors.
    • ralink: mt7620: Add missing header

You can read the full Linux 4.13 changelog – with comments only – generated using git log v4.12..v4.13 --stat for the full details, and eventually kernelnewbies’ Linux 4.13 changelog will be updated with an extensive list of changes.

Embedded Linux Conference & Open Source Summit Europe 2017 Schedule

August 27th, 2017

The Embedded Linux Conference & IoT summit 2017 took place in the US earlier this year in February, but there will soon be a similar event with the Embedded Linux Conference & Open Source Summit Europe 2017 to take place in Europe on October 23 – 25 in Prague, Czech Republic, and the Linux Foundation has just published the schedule. It’s always useful to find out what is being discussed during such events, even if you are not going to attend, so I went through the different sessions, and composed my own virtual schedule with some of the ones I find the most interesting.

Monday, October 23

  • 11:15 – 11:55 – An Introduction to SPI-NOR Subsystem – Vignesh Raghavendra, Texas Instruments India

Modern day embedded systems have dedicated SPI controllers to support NOR flashes. They have many hardware level features to increase the ease and efficiency of accessing SPI NOR flashes and also support different SPI bus widths and speeds.

In order to support such advanced SPI NOR controllers, SPI-NOR framework was introduced under Memory Technology Devices (MTD). This presentation aims at providing an overview of SPI-NOR framework, different types of NOR flashes supported (like SPI/QSPI/OSPI) and interaction with SPI framework. It also provides an overview of how to write a new controller driver or add support for a new flash device.

The presentation then covers generic improvements done and proposed while working on improving QSPI performance on a TI SoC, challenges associated when using DMA with these controllers and other limitations of the framework.

  • 12:05 – 12:45 – Free and Open Source Software Tools for Making Open Source Hardware – Leon Anavi, Konsulko Group

The open source hardware movement is becoming more and more popular. But is it worth making open source hardware if it has been designed with expensive proprietary software? In this presentation, Leon Anavi will share his experience how to use free and open source software for making high-quality entirely open source devices: from the designing the PCB with KiCAD through making a case with OpenSCAD or FreeCAD to slicing with Cura and 3D printing. The talk will also provide information about open source hardware licenses, getting started guidelines, tips for avoiding common pitfalls and mistakes. The challenges of prototyping and low-volume manufacturing with both SMT and THT will be also discussed.

  • 14:20 – 15:00 – Introduction to SoC+FPGA – Marek Vašut, DENX Software Engineering GmbH

In this talk, Marek introduces the increasingly popular single-chip SoC+FPGA solutions. At the beginning, the diverse chip offerings from multiple vendors are introduced, ranging from the smallest IoT-grade solutions all the way to large industrial-level chips with focus on their software support. Mainline U-Boot and Linux support for such chips is quite complete, and already deployed in production. Marek demonstrates how to load and operate the FPGA part in both U-Boot and Linux, which recently gained FPGA manager support. Yet to fully leverage the potential of the FPGA manager in combination with Device Tree (DT) Overlays, patches are still needed. Marek explains how the FPGA manager and the DT Overlays work, how they fit together and how to use them to obtain a great experience on SoC+FPGA, while pointing out various pitfalls.

  • 15:10 – 15:50 – Cheap Complex Cameras – Pavel Machek, DENX Software Engineering GmbH

Cameras in phones are different from webcams: their main purpose is to take high-resolution still pictures. Running preview in high resolution is not feasible, so resolution switch is needed just before taking final picture. There are currently no applications for still photography that work with mainline kernel. (Pavel is working on… two, but both have some limitations). libv4l2 is doing internal processing in 8-bit, which is not enough for digital photography. Cell phones have 10 to 12-bit sensors, some DSLRs do 14-bit depth.

Differences do not end here. Cell phone camera can produce reasonable picture, but it needs complex software support. Auto-exposure / auto-gain is a must for producing anything but completely black or completely white frames. Users expect auto-focus, and it is necessary for reasonable pictures in macro range, requiring real-time processing.

  • 16:20 – 17:00 – Bluetooth Mesh with Zephyr OS and Linux – Johan Hedberg, Open Source Technology Center, Intel

Bluetooth Mesh is a new standard that opens a whole new wave of low-power wireless use cases. It extends the range of communication from a single peer-to-peer connection to a true mesh topology covering large areas, such as an entire building. This paves the way for both home and industrial automation applications. Typical home scenarios include things like controlling the lights in your apartment or adjusting the thermostat. Although Bluetooth 5 was released end of last year, Bluetooth Mesh can be implemented on any device supporting Bluetooth 4.0 or later. This means that we’ll likely see very rapid market adoption of the feature.

The presentation will give an introduction to Bluetooth Mesh, covering how it works and what kind of features it provides. The talk will also give an overview of Bluetooth Mesh support in Zephyr OS and Linux and how to create wireless solutions with them.

  • 17:10 – 17:50 – printk() – The Most Useful Tool is Now Showing its Age – Steven Rostedt, VMware

printk() has been the tool for debugging the Linux kernel and for being the display mechanism for Linux as long as Linux has been around. It’s the first thing one sees as the life of the kernel begins, from the kernel banner and the last message at shutdown. It’s critical as people take pictures of a kernel oops to send to the kernel developers to fix a bug, or to display on social media when that oops happens on the monitor on the back of an airplane seat in front of you.

But printk() is not a trivial utility. It serves many functionalities and some of them can be conflicting. Today with Linux running on machines with hundreds of CPUs, printk() can actually be the cause of live locks. This talk will discuss all the issues that printk() has today, and some of the possible solutions that may be discussed at Kernel Summit.

  • 18:00 – 18:45 – BoF: Embedded Linux Size – Michael Opdenacker, Free Electrons

This “Birds of a Feather” session will start by a quick update on available resources and recent efforts to reduce the size of the Linux kernel and the filesystem it uses.

An ARM based system running the mainline kernel with about 3 MB of RAM will also be demonstrated. If you are interested in the size topic, please join this BoF and share your experience, the resources you have found and your ideas for further size reduction techniques!

Tuesday, October 24

  • 10:55 – 11:35 – Introducing the “Lab in a Box” Concept – Patrick Titiano & Kevin Hilman, BayLibre

Continuous Integration (CI) has been a hot topic for a long time. With the growing number of architectures and boards, it becomes impossible for maintainers to validate a patch on all configurations, making it harder and harder to keep the same quality level without leveraging CI and test automation. Recent initiatives like LAVA, KernelCI.org, Fuego, (…) started providing a first answer, however the learning curve remains high, and the HW setup part is not covered.

BayLibre, already involved in KernelCI.org, decided, as part of the AGL project, to go one step further in CI automation and has developed a turnkey solution for developers and companies willing to instantiate a LAVA lab; called “Lab in a Box”, it aims at simplifying the configuration of a board farm (HW, SW).

Motivations, challenges, benefits and results will be discussed, with a demo of a first “Lab in a Box” instantiation.

  • 11:45 – 12:25 – Protecting Your System from the Scum of the Universe – Gilad Ben-Yossef, Arm Holdings

Linux based systems have a plethora of security related mechanisms: DM-Crypt, DM-Verity, Secure Boot, the new TEE sub-system, FScrypt and IMA are just a few examples. This talk will describe these various systems and provide a practical walk through of how to mix and match these mechanisms and design them into a Linux based embedded system in order to strengthen the system resilience to various nefarious attacks, whether the system discussed is a mobile phone, a tablet, a network attached DVR, a router, or an IOT hub, in a way that makes maximum use of the sometimes limited hardware resources of such systems.

  • 14:05 – 14:45 – Open Source Neuroimaging: Developing a State-of-the-Art Brain Scanner with Linux and FPGAs – Danny Abukalam, Codethink

Neuroimaging is an established medical field which is helping us to learn more about how the human brain works, the most complex human organ. This talk aims to cover neuroimaging systems, from hobbyist to professional, and how open source has been used to build state-of-the-art systems. We’ll have a look at the general problem area, why open source was a good fit, and some examples of solutions including a commercial effort that we have been involved in bringing to market. Typically these solutions consist of specialist hardware, a bespoke software solutions stack, and a suite to manage and process the vast amounts of data generated during the scan. Other points of interest include how we approached building a maintainable and upgradeable system from the outset. We’ll also talk about future plans for neuroimaging, future ideas for hardware & discuss areas lacking good open source solutions.

  • 14:55 – 15:35 – More Robust I2C Designs with a New Fault-Injection Driver – Wolfram Sang, Renesas

It has its challenges to write code for certain error paths for I2C bus drivers because these errors usually don’t happen on the bus. And special I2C bus testers are expensive. In this talk, a new GPIO based driver will be presented which acts on the same bus as the bus master driver under inspection. A live demonstration will be given as well as hints how to handle bugs which might have been found. The scope and limitations of this driver will be discussed. Since it will also be analyzed what actually happens on the wires, this talk also serves as a case study how to snoop busses with only Free Software and OpenHardware (i.e. sigrok).

  • 16:05 – 16:45 – GStreamer for Tiny Devices – Olivier Crête, Collabora

GStreamer is a complete Open Source multimedia framework, and it includes hundreds of plugins, including modern formats like DASH, HLS or the first ever RTSP 2.0 implementation. The whole framework is almost 150MB on my computer, but what if you only have 5 megs of flash available? Is it a viable choice? Yes it is, and I will show you how.

Starting with simple tricks like only including the necessary plugins, all the way to statically compiling only the functions that are actually used to produce the smallest possible footprint.

  • 16:55 – 17:35 – Maintaining a Linux Kernel for 13 Years? You Must be Kidding Me. We Need at Least 30? – Agustin Benito Bethencourt, Codethink Ltd

Industrial grade solutions have a life expectancy of 30+ years. Maintaining a Linux kernel for such a long time in the open has not been done. Many claim that is not sustainable, but corporations that build power plants, railway systems, etc. are willing to tackle this challenge. This talk will describe the work done so far on the kernel maintenance and testing front at the CIP initiative.

During the talk it will be explained how we decide which parts of the kernel to cover – reducing the amount of work to be done and the risk of being unable to maintain the claimed support. The process of reviewing and backporting fixes that might be needed on an older branch will be briefly described. CIP is taking a different approach from many other projects when it comes to testing the kernel. The talk will go over it as well as the coming steps.

Wednesday, October 24

  • 11:05 – 11:45 – HDMI 4k Video: Lessons Learned – Hans Verkuil, Cisco Systems Norway

So you want to support HDMI 4k (3840×2160) video output and/or video capture for your new product? Then this is the presentation for you! I will describe the challenges involved in 4k video from the hardware level, the HDMI protocol level and up to the kernel driver level. Special attention will be given to what to watch out for when buying 4k capable equipment and accessories such as cables and adapters since it is a Wild, Wild West out there.

  • 11:55 – 12:35 – Linux Powered Autonomous Arctic Buoys – Satish Chetty, Hera Systems 

In my talk/presentation, I cover the technical, and design challenges in developing an autonomous Linux powered Arctic buoy. This system is a low cost, COTS based, extreme/harsh environment, autonomous sensor data gathering platform. It measures albedo, weather, water temperature and other parameters. It runs on a custom embedded Linux and is optimized for efficient use of solar & battery power. It uses a variety of low cost, high accuracy/precision sensors and satellite/terrestrial wireless communications.

I talk about using Linux in this embedded environment, and how I address and solve various issues including building a custom kernel, Linux drivers, frame grabbing issues and results from cameras, limited power challenges, clock drifts due to low temperature, summer melt challenges, failure of sensors, intermittent communication issues and various other h/w & s/w challenges.

  • 14:15 – 14:55 – Linux Storage System Bottleneck for eMMC/UFS – Bean Huo & Zoltan Szubbocsev, Micron

The storage device is considered a bottleneck to the system I/O performance. This thinking drives the need for faster storage device interfaces. Commonly used flash based storage interfaces support high throughputs, e.g. eMMC 400MB/s, UFS 1GB/s. Traditionally, advanced embedded systems were focusing on CPU and memory speeds and these outpaced advances in storage speed improvements. In this presentation, we explore the parameters that impact I/O performance. We describe at a high level how Linux manages I/O requests coming from user space. Specifically, we look into system performance limitations in the Linux eMMC/UFS subsystem and expose bottlenecks caused by the software through Ftrace. We show existing challenges in getting maximum performance of flash-based high-speed storage devices. With this presentation, we want to motivate future optimization work on the existing storage stack.

  • 15:05 – 15:45 – New GPIO Interface for User Space – Bartosz Golaszewski

Since Linux 4.8 the GPIO sysfs interface is deprecated. Due to its many drawbacks and bad design decisions a new user space interface has been implemented in the form of the GPIO character device which is now the preferred method of interaction with GPIOs which can’t otherwise be serviced by a kernel driver. The character device brings in many new interesting features such as: polling for line events, finding GPIO chips and lines by name, changing & reading the values of multiple lines with a single ioctl (one context switch) and many more. In this presentation, Bartosz will showcase the new features of the GPIO UAPI, discuss the current state of libgpiod (user space tools for using the character device) and tell you why it’s beneficial to switch to the new interface.

  • 16:15 – 16:55 – Replace Your Exploit-Ridden Firmware with Linux – Ronald Minnich, Google

With the WikiLeaks release of the vault7 material, the security of the UEFI (Unified Extensible Firmware Interface) firmware used in most PCs and laptops is once again a concern. UEFI is a proprietary and closed-source operating system, with a codebase almost as large as the Linux kernel, that runs when the system is powered on and continues to run after it boots the OS (hence its designation as a “Ring -2 hypervisor”). It is a great place to hide exploits since it never stops running, and these exploits are undetectable by kernels and programs.

Our answer to this is NERF (Non-Extensible Reduced Firmware), an open source software system developed at Google to replace almost all of UEFI firmware with a tiny Linux kernel and initramfs. The initramfs file system contains an init and command line utilities from the u-root project, which are written in the Go language.

  • 17:05 – 17:45 – Unikernelized Real Time Linux & IoT – Tiejun Chen, VMware

Unikernel is a novel software technology that links an application with OS in the form of a library and packages them into a specialized image that facilitates direct deployment on a hypervisor. But why have these existing unikernels yet to gain broad popularity? I’ll talk about what challenges unikernels are facing, and discuss an exploration of if and how we could convert Linux into a unikernel. IoT could be one valuable use case, because the smaller size & footprint are good for resource-constrained IoT platforms. Existing unikernels are not designed to address IoT characteristics like power consumption and real time requirements, and they also don’t support versatile architectures. Most existing unikernels just focus on X86/ARM. A paravirtualized unikernelized Linux, especially Unikernelized Real Time Linux, really makes unikernels succeed.


If you’d like to attend the real thing, you’ll need to register and pay a registration fee:

  • Early Registration Fee: US$800 (through August 27, 2017)
  • Standard Registration Fee: US$950 (August 28, 2017 – September 17, 2017)
  • Late Registration Fee: US$1100 (September 18, 2017 – Event)
  • Academic Registration Fee: US$200 (Student/Faculty attendees will be required to show a valid student/faculty ID at registration.)
  • Hobbyist Registration Fee: US$200 (only if you are paying for yourself to attend this event and are currently active in the community)

There’s also another option with the Hall Pass Registration ($150) if you just want to network or visit with sponsors onsite, but do not plan to attend any sessions or keynotes.

Kingston Adds 4 GB & 8 GB Capacities to DataTraveler 2000 Encrypted USB Flash Drives with Keypad

August 23rd, 2017 10 comments

Kingston DataTraveler 2000 is a USB 3.0 flash drive that stores files with hardware based AES-256 encryption, and to make sure nobody can access those, it’s also protected with a pin code thanks to a keypad on the flash drive itself. That’s news to me, but the devices have been selling since early 2016 with 16 to 64GB capacities, and you’ll find them on Amazon for $127 and up.


However, since such high security USB flash drives are mostly used for confidential information by enterprises and governments (it’s FIPS-197 compliant), some of the company’s customers may have complained that 16 to 64GB storage is a bit too much for confidential data, with recent top secret documents leaks or IP thefts, so Kingston has just announced smaller 4GB and 8GB versions of the drives.

Those drives are OS agnostic, with encryption occurring inside the drive, and are seen by your computer or other hardware as a normal USB drive after you enter the PIN. For extra security, the company explains “its auto-lock feature is activated when the drive is removed from the host device, and the encryption key and password are deleted after 10 invalid login attempts to thwart brute force intrusions”.

I could not see the new 4GB and 8GB DataTraveler 2000 stick for sale anywhere yet. You’ll find a few more details in the product page.

Via PC Watch (Japan) & Eddy Lab


Installing Let’s Encrypt Free SSL/TLS Certificate in 2 Minutes with Certbot, Spending Hours Making it Work with Cloudflare

August 22nd, 2017 29 comments

I’ve been using an SSL certificate for the download subdomain of this blog running ownCloud for about 2 years, but recently my free StartSSL certificate expired, and I had trouble renewing it. I also received an email from Google telling me that “Starting October 2017, Chrome (version 62) will show a “NOT SECURE” warning when users enter text in a form on an HTTP page, and for all HTTP pages in Incognito mode”. So I decided to use free Let’s Encrypt SSL/TLS certificates to replace the one in the download subdomain, as well as for this main blog. Such SSL/TLS certificates are also very useful for the IoT gateways many of us have started using, and I found it’s even simpler than installing a self-signed certificate, so there’s no reason to use those anymore.

The easiest way to install a Let’s Encrypt certificate is by using Certbot, with instructions for various web servers or hosting platforms (nginx, Apache, Plesk, HAProxy…) and BSD & Linux based operating systems. I’m using Ubuntu 14.04 trusty with nginx, so the instructions below are for this combination, and it took me around 2 to 3 minutes in my VPS to have the SSL/TLS certificate installed, and up and running.

Certbot installation:

Certificate installation for nginx on download.cnx-software.com subdomain:

Done! I could now go to https://download.cnx-software.com with my freshly installed certificate. That’s it for the 2-minute installation procedure, but as with any such quick and easy procedure, you can always add “wasting countless hours” steps to it, and that’s what I did, by first checking out the Qualys SSL Report as recommended in the output of the terminal above.

Grade C, not good. The certificate is mostly there to protect my login credentials, as I don’t have any important private data in that server, but let’s still try to improve this. The most critical issue is that the server is vulnerable to the POODLE attack, but luckily Nginx guys have a fix: disable SSLv3.

I just had to change a single line in the server block of the domain configuration file in /etc/nginx/sites-enabled directory to only allow for TLS connections:

I then reload the configuration with:

Ran the SSL report again, and I improved to Grade B. That was easy.

After Disabling SSLv3

The second problem is about “weak Diffie-Hellman (DH) key exchange parameters”, but again there are solutions.

First I had to create a dhparams.pem file with the following command line:

then edit the domain configuration file in /etc/nginx/sites-enabled/ directory by adding the following in the server block:

After reloading nginx configuration, I had a grade A with no other problems to solve.
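The two fixes above map to nginx’s ssl_protocols and ssl_dhparam directives. The following shell script is an added example (not the author’s configuration or commands) that checks a server block for both findings; the sample configurations, the server name, the dhparam path and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): flag the two findings the SSL
# report raised above in an nginx server block.

# Constructed sample: a server block as it might look before the fixes.
sample_before() {
cat <<'EOF'
server {
    listen 443 ssl;
    server_name download.example.com;   # placeholder name
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

# Constructed sample: the same block after both fixes.
sample_after() {
cat <<'EOF'
server {
    listen 443 ssl;
    server_name download.example.com;   # placeholder name
    # ssl_protocols SSLv3 TLSv1;   (old line, commented out)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;   # assumed path
}
EOF
}

# audit_tls_conf FILE: print one FAIL line per finding, nothing if clean.
audit_tls_conf() {
    # Strip comments so a commented-out directive is not counted.
    body=$(sed 's/#.*//' "$1")

    protocols=$(printf '%s\n' "$body" |
        grep -E '^[[:space:]]*ssl_protocols[[:space:]]' || true)
    if printf '%s\n' "$protocols" |
        grep -qE '[[:space:]]SSLv[23]([[:space:]]|;)'; then
        echo "FAIL sslv3: ssl_protocols still offers SSLv2/SSLv3 (POODLE)"
    fi

    # Before nginx 1.11.0, a missing ssl_dhparam means built-in DH parameters
    # are used for DHE suites, which the report grades as weak.
    if ! printf '%s\n' "$body" |
        grep -qE '^[[:space:]]*ssl_dhparam[[:space:]]+[^;[:space:]]+;'; then
        echo "FAIL dhparam: no ssl_dhparam directive in this file"
    fi
}

# count_findings FILE: number of FAIL lines reported for FILE.
count_findings() {
    audit_tls_conf "$1" | grep -c '^FAIL' || true
}

# Demo on the two constructed samples.
tmp=$(mktemp -d)
sample_before > "$tmp/before.conf"
sample_after > "$tmp/after.conf"
echo "before: $(count_findings "$tmp/before.conf") finding(s)"
audit_tls_conf "$tmp/before.conf"
echo "after: $(count_findings "$tmp/after.conf") finding(s)"
rm -rf "$tmp"
```

The check only reads the file it is given, so directives inherited from the http block or from included files are not seen.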

I checked two banking websites, and they got A-, two online shops (GearBest and GeekBuying), and they achieved Grade B, so when you share your credit card info, you are at risk, albeit likely a limited risk. Considering it’s so easy to fix some of the issues, they should do it, and I informed both companies.

Let’s Encrypt certificates expire after just 90 days, so you may want to set up automatic renewal. First check that renewal works with a dry run:

If there are no errors, you can set up a cron or systemd job to run the following command regularly:

I then tried with some other domains, and I got a TLS handshake failure:

The reason was Cloudflare intercepting traffic, so I had to pause Cloudflare before running certbot. Installation then went just fine, and I could use my website without any problem, until I resumed Cloudflare support and got “too many redirects”. I started to look for solutions, and came across some fairly complicated instructions for Certbot + Apache + Cloudflare. After a few hours trying to find a solution, I discovered that my assumption, that if I enabled an SSL certificate on my side I should just disable SSL in Cloudflare, was wrong… Big mistake! After setting Cloudflare SSL to Full (Strict) it worked again, although I eventually just set it to Full because Let’s Encrypt wildcard SSL certificates are not yet supported, but will be in January 2018.

So the TLS connection was working, but I tried a dry run to renew the certificate, and every domain managed through Cloudflare would fail… That’s when the “complicated instructions” above came in handy… So I first installed the Certbot Cloudflare plugin/add-on:

Created /etc/letsencrypt/cloudflare.ini file with your email, and API key in Cloudflare (Global API Key)

and generated new certificates using that plugin:

This should overwrite the two files used for the certificates previously created with the nginx option: /etc/letsencrypt/live/www.domain.com/fullchain.pem & /etc/letsencrypt/live/www.domain.com/privkey.pem. So normally, you don’t even need to change your nginx configuration after that, but if for some reason the path has changed, you should edit your file in /etc/nginx/sites-enabled/ and update the paths.

Finally, I tried the dry run to update the certificate and it worked, so I created a cron job to renew the certificates every month:

If your website is also designed to be compatible with https, then your job is done. If not, you’ll have some work to do to remove all hardcoded http calls from your website, with the help of the developer console in web browsers such as Chrome or Firefox.
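The Cloudflare credentials file described above holds a Global API Key, so it should be readable by its owner only, and a scheduled renewal should not run if it is not. This added example (not from the original post) writes and checks such a file; the e-mail address, key value and function names are constructed, while dns_cloudflare_email, dns_cloudflare_api_key and certbot renew are the plugin’s and Certbot’s own names.

```shell
#!/bin/sh
# Added example: keep the credentials file used by Certbot's Cloudflare DNS
# plugin private, and refuse to renew from cron if it is not.

# write_cf_credentials FILE EMAIL API_KEY
write_cf_credentials() {
    # umask in a subshell so a newly created file is never group/world readable.
    ( umask 077
      printf 'dns_cloudflare_email = %s\ndns_cloudflare_api_key = %s\n' \
          "$2" "$3" > "$1" )
    chmod 600 "$1"   # also tightens a file that already existed
}

# cred_file_is_private FILE: true only if group and others have no access.
cred_file_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# cred_file_is_complete FILE: true if both keys carry a value.
cred_file_is_complete() {
    grep -qE '^dns_cloudflare_email[[:space:]]*=[[:space:]]*[^[:space:]]' "$1" &&
    grep -qE '^dns_cloudflare_api_key[[:space:]]*=[[:space:]]*[^[:space:]]' "$1"
}

# preflight FILE: print "ok" or the reason the file should not be used.
preflight() {
    if ! cred_file_is_private "$1"; then
        echo "unsafe-permissions"
    elif ! cred_file_is_complete "$1"; then
        echo "missing-key"
    else
        echo "ok"
    fi
}

# renew_with_preflight FILE: what a cron job could call instead of certbot.
renew_with_preflight() {
    status=$(preflight "$1")
    if [ "$status" != "ok" ]; then
        echo "not renewing: $status ($1)" >&2
        return 1
    fi
    certbot renew --quiet
}

# Demo on a temporary file with constructed values (no real key, no network).
demo_dir=$(mktemp -d)
write_cf_credentials "$demo_dir/cloudflare.ini" "admin@example.com" "CONSTRUCTED-KEY"
echo "fresh file: $(preflight "$demo_dir/cloudflare.ini")"
chmod 644 "$demo_dir/cloudflare.ini"
echo "after chmod 644: $(preflight "$demo_dir/cloudflare.ini")"
rm -rf "$demo_dir"
```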

Axiomtek NA362 Network Appliance Features Intel Atom C3538/C3758 Processors, Up to 10 LAN Ports

August 19th, 2017 4 comments

We reported on the GIGABYTE MA10-ST0 motherboard powered by a 16-core Intel C3958 Denverton processor earlier this week. That also coincided with the official launch of the Intel Denverton family, and many companies, including SuperMicro, Kontron, Portwell, and others, announced Denverton boards, products, or COM Express modules. One of them is the Axiomtek NA362 network appliance, powered by Atom C3538 or C3758 processors and offering up to 10 LAN ports with six GbE RJ-45 ports and up to four SFP+ cages.

Axiomtek NA362 specifications:

  • SoC (one or the other)
    • Intel Atom C3538 quad core “Denverton” processor @ 2.10 GHz with 8MB cache; 15W TDP
    • Intel Atom C3758 octa core “Denverton” processor @ 2.2 GHz with 16MB cache; 25W TDP
  • System Memory – 2x or 4 x R-DIMM/U-DIMM non-buffer DDR4, up to 64/128GB
  • Storage – 1x 2.5″ SATA3 HDD; 1x mSATA
  • Ethernet
    • 6x 10/100/1000 Mbps RJ45 ports via Intel i210
    • 4x 10 GbE SFP+ cages for C3758 model only
    • One pair LAN Bypass
  • Expansion – 1x PCI Express Mini Card for optional Wi-Fi/3G/LTE
  • USB – 2x USB 2.0 port
  • Management – 1x RS-232 (RJ45) console port
  • Misc – Power & network Status LEDs, power switch
  • Power Supply – 1x 12V/5A or 1x 12V/7A power adapter (depends on CPU SKU)
  • Temperature Range – 0°C ~ +40°C
  • Dimensions –  231 x 197 x 44 mm (1U desktop form factor)
  • Weight – Net: 1.64 kg; gross: 2.54 kg with 12V/5A adapter, 2.69 kg with 12V/7A adapter
  • Certifications – FCC class B, CE class B

The Atom C3538 SoC is equipped with two 10 GbE interfaces, but Axiomtek decided not to provide any SFP+ cages on the model based on this processor, which only has the six RJ45 ports.

The appliance supports the Intel Data Plane Development Kit (Intel DPDK), the Yocto Project, as well as Linux, Windows Server 2012 R2, and Windows Server 2016 operating systems. The server is said to be suitable for VPN, network bandwidth controller, firewall and UTM (Unified Threat Management) applications.

Axiomtek NA362 will be available in October 2017 through two SKUs: NA362-DAMI-C3758-US (C3758, 4x DIMM, 10 LAN) and NA362-D6GI-C3538-U (C3538, 2x DIMM, 6 LAN). Check out the product page for further information.