Subject: General Tech | December 4, 2017 - 07:05 PM | Tim Verry
Tagged: system76, security, linux, Intel, IME, dell
Update 12-5-2017: Dell has provided a statement in response to the IME news which is as follows:
- "Dell has offered a configuration option to disable the Intel vPro Management Engine (ME) on select commercial client platforms for a number of years (termed Intel vPro - ME inoperable, custom order on Dell.com). Some of our commercial customers have requested such an option from us, and in response, we have provided the service of disabling the Management Engine in the factory to meet their specific needs. As this SKU can also disable other system functionality it was not previously made available to the general public.
- Recently, this option was inadvertently offered online as a configuration option for a couple of systems on Dell.com. Customers interested in purchasing this SKU should contact their sales representative as it is intended to be offered as a custom option for a select number of customers who specifically require this configuration."
(End of update.)
Niche system vendors System76 and Purism are now joined by Dell in offering laptops with Intel's Intel Management Engine (IME) blackbox disabled. The company, one of the largest laptop manfacturers, currently offers three higher-end laptops with the configuration option of "Intel vPro™ - ME Inoperable, Custom Order" where for around $20 Dell will disable IME. IME has come under fire recently due to a major vulnerability that affects many of its Core series processors and has had bugs dating back years.
IME is baked into Intel processors dating back to 2008 and operates at what is known as Ring -3 meaning that it has privileges well above that of software, drivers, OS kernel, and even UEFI. IME is an autonomous subsystem with its own processor running its own software that has full control over the computer and even has its own networking stack. Intel has obfuscated that closed source code and has made it notoriously difficult to enable while also claiming it is necessarly for the processor to hit full performance. Security researchers and companies like Google have committed to disabling it (there is a way to turn it off though Intel has not documented it). IME can be used alongside Intel AMT / vPro features (Ring -2+) for remote management, and since IME runs even when the system is off it makes it easy to roll out OS upgrades and re-image machines. Home users however do not need IME, but have traditionally been stuck with it anyway along with its security holes. (Note that AMD has its own platform management subsystem with the PSP though it has not drawn nearly the high profile reputation Intel has with the latest bugs and promised patches.)
Specificlaly Dell is offering to disable IME for a small fee on the Latitude 14 Rugged laptop, Latitude 15 E5570, and Latitude 12 Rugged tablet which all run 6th Generation Core (6000 series and Core M) processors. Purism plans to sell PCs with IME disabled going forward and System76 has promised firmware updates for disabling IME on its PCs sold within the last few years. In reading about IME online, it seems that disabling IME is a tricky endevour with the potential to brick the system, but it can be done and the more documentation these vendors do the better for Linux, open source software, and security concious consumer proponents. For now you will have to pay a small fee to disable it but if you are worried about IME the peace of mind might be worth it. Also, with Dell now on board it shouldn't be long before other vendors start offering systems sans Intel Management Engine. Hopefully they are able to offer this IME disabled feature on models with the latest Intel processors as well for those that want it as the latest round of major bugs affected Skylake, Kaby Lake, and Coffee Lake CPUs.
What are your thoughts on this? Have your systems received an IME security patch? In any case, with the IME bugs, Mac OS High Sierra secuirty hole, and iOS encrypted backup loophole it has not been a good month for security!
- Intel Patches Major Flaws in the Intel Management Engine @ ExtremeTech
Subject: Graphics Cards | November 29, 2017 - 03:20 PM | Jeremy Hellstrom
Tagged: windows 10, vega 64, RX 580, microsoft, linux 4.15, linux, amd
With a new Linux kernel out, Phoronix revisited the performance of two of AMD's new cards running on that kernel as well as the current version of Windows 10. GPU testing on Linux has gotten more interesting thanks to the upsurge in compatible games, this review encompasses the recent Deus Ex, Shadow of Mordor, F1 2017 and GRID Autosport. The tests show there is still work to be done on the Mesa Radeon graphics driver stack as in all cases the performance lagged behind on Linux even though the hardware was exactly the same.
"As we end out November, here is a fresh look at the current Windows 10 Pro Fall Creator's Update versus Ubuntu 17.10 with the latest Linux 4.15 kernel and Mesa 17.4-dev Radeon graphics driver stack as we see how various games compete under Windows 10 and Linux with these latest AMD drivers on the Radeon RX 580 and RX Vega 64 graphics cards."
Here is some more Tech News from around the web:
- Civilization VI: Rise And Fall expansion out Feb 8th @ Rock, Paper, SHOTGUN
- Absolver Review @ OCC
- Black Mesa’s Xen chapters delayed again @ Rock, Paper, SHOTGUN
- Homeword: Deserts of Kharak gets its first update in over a year, adding tactical pause @ Rock, Paper, SHOTGUN
- Half-Life 2: MMod v3 Finally Has a Release Date @ [H]ard|OCP
- Humble Racing Bundle
- Deus Ex is “waiting its turn” for a new game @ Rock, Paper, SHOTGUN
- Destiny 2's Seasoning Is Off, But There's No Shortage Of Salt @ Techgage
Subject: Storage | November 24, 2017 - 04:59 PM | Jeremy Hellstrom
Tagged: Optane, Intel, linux, 900P, Ubuntu 17.10
Phoronix installed an Optane 900P SSD into their AMD EPYC system to test the performance the new drive provides running under Ubuntu. Their results were very similar to Al's, showing that this fairly expensive 280GB SSD can justify its premium price by leaving the competition in the dust. The testing suite they used is quite different from the one here at PCPer but the proof that Optane gets along well with Linux is indisputable.
"At the end of October Intel released the Optane 900P solid-state drive as their new ultra high-end performance SSD. Windows reviews have been positive, but what about using the Optane 900P on Linux? It's working well and delivers stunning NVMe SSD performance."
Here are some more Storage reviews from around the web:
Subject: Processors | September 18, 2017 - 05:13 PM | Jeremy Hellstrom
Tagged: linux, EPYC 7601, EPYC
Phoronix have been hard at work testing out AMD's new server chip, specifically the 2.2/2.7/3.2GHz EPYC 7601 with 32 physical cores. The frequency numbers now have a third member which is the top frequency all 32 cores can hit simultaneously, for this processor that would be 2.7GHz. Benchmarking server processors is somewhat different from testing consumer CPUs, gaming performance is not as important as dealing with specific productivity applications. Phoronix started their testing of EPYC, in both NUMA and non-NUMA configurations, comparing against several Xeon models and the performance delta is quite impressive, sometimes leaving even a system with dual Xeon Gold 6138's in the dust. They also followed up with a look at how EPYC compares to Opteron, AMD's last server offerings. The evolution is something to behold.
"By now you have likely seen our initial AMD EPYC 7601 Linux benchmarks. If you haven't, check them out, EPYC does really deliver on being competitive with current Intel hardware in the highly threaded space. If you have been curious to see some power numbers on EPYC, here they are from the Tyan Transport SX TN70A-B8026 2U server. Making things more interesting are some comparison benchmarks showing how the AMD EPYC performance compares to AMD Opteron processors from about ten years ago."
Here are some more Processor articles from around the web:
Subject: Systems | August 30, 2017 - 03:42 PM | Jeremy Hellstrom
Tagged: linux, xeon, Xeon Gold 6138, dual cpu, LGA-3647, Intel
The core counts and amount of RAM on enthusiast systems is growing quickly, especially with Threadripper, but we won't be seeing a system quite like this one under our desks in the near future. The server which Phoronix tested sports dual Xeon Gold 6138 for a total of 40 physical cores and 80 threads, with each CPU having 48GB of RAM for a total of 96GB of DDR4-2666. Not only did Phoronix run this system through a variety of tests, they did so on eight different Linux distros. Can any benchmark push this thing to its limits? Was there a clear winner for the OS? Find out in the full review.
"While we routinely run various Linux distribution / operating system comparisons at Phoronix, they tend to be done on desktop class hardware and the occasional servers. This is our look at the most interesting enterprise-focused Linux distribution comparison to date as we see how Intel's Xeon Scalable platform compares on different GNU/Linux distributions when using the Tyan GT24E-B7106 paired with two Dual Xeon Gold 6138 processors."
Here are some more Systems articles from around the web:
- Guru3D Rig of the Month - August 2017
- A Look At The Xeon Gold 6138 + Tyan GT24E-B7106 1U Linux Server Performance @ Phoronix
- Origin Neuron Gaming Desktop @ Techspot
Subject: General Tech | June 14, 2017 - 01:51 PM | Jeremy Hellstrom
Tagged: linux, gaming, dawn of war III
Dawn of War 3 released its Linux version earlier this year with support for both OpenGL and Vulkan. Vulkan performance is much better in CPU bound testing with resolutions under 1080p and when gaming above that resolution it utilizes far less CPU resources than OpenGL. Overall on NVIDIA performance is the same on both APIs, with the current Radeon driver you are better off on OpenGL. As is their usual style, Phoronix tested 18 GPUs, a dozen from NVIDIA and six of AMD's cards with differing resolutions and graphics quality settings, all the way up to 4k.
"Today marks the highly anticipated debut of Dawn of War III for Linux (and macOS) ported by Feral Interactive. Here are a number of OpenGL and Vulkan benchmarks of NVIDIA GeForce and AMD Radeon graphics cards running Ubuntu Linux with this game."
Here is some more Tech News from around the web:
- Every PC game announced or trailered at E3 2017 @ Rock, Paper, SHOTGUN
- Humble Bundle E3 2017 Digital Ticket
- Saved Games: Interstate ‘76 is the game worth saving from 1997 @ Rock, Paper, SHOTGUN
- Xbox One X: A High End Console With Fixable Shortcomings @ Techgage
- Bethesda jack in for Doom VFR and Fallout 4 VR this year @ Rock, Paper, SHOTGUN
- Oculus Rift VR Benching – AMD vs. NVIDIA – Part 2 @ BabelTechReviews
- XCOM 2: War Of The Chosen coming August 29th @ Rock, Paper, SHOTGUN
- Some of the best E3 2017 PC gaming videos so far @ Hexus
- WH40K: Dawn of War 3 adding Dawn of War-ier modes @ Rock, Paper, SHOTGUN
Subject: General Tech | June 7, 2017 - 04:54 PM | Scott Michaud
Tagged: pc gaming, linux, vulkan, Intel, mesa, feral interactive
According to Phoronix, Alex Smith of Feral Interactive has just published a few changes to the open source Intel graphics driver, which allows their upcoming Dawn of War III port for Linux to render correctly on Vulkan. This means that the open-source Intel driver should support the game on day one, although drawing correctly and drawing efficiently could be two very different things -- or maybe not, we’ll see.
It’s interesting seeing things go in the other direction. Normally, graphics engineers parachute in to high-end developers and help them make the most of their software for each respective, proprietary graphics driver. In this case, we’re seeing the game studios pushing fixes to the graphics vendors, because that’s how open source rolls. It will be interesting to do a pros and cons comparison of each system one day, especially if cross-pollination results from it.
Subject: Graphics Cards | June 2, 2017 - 03:02 PM | Jeremy Hellstrom
Tagged: amd, radeon, linux
When Phoronix does a performance round up they do not mess around. Their latest look at the performance of AMD cards on Linux stretches all the way back to the HD 2900XT and encompasses almost every single GPU released between that part and the RX 580, with a pair of Firepro cards and the Fury included as well. For comparative performance numbers you will see 28 NVIDIA cards on these charts, which makes the charts some of the longest you have seen. Drop by to check out the state of AMD performance on Linux in a variety of games as well as synthetic benchmarks.
"It's that time of the year where we see how the open-source AMD Linux graphics driver stack is working on past and present hardware in a large GPU comparison with various OpenGL games and workloads. This year we go from the new Radeon RX 580 all the way back to the Radeon HD 2900XT, looking at how the mature Radeon DRM kernel driver and R600 Gallium3D driver is working for aging ATI/AMD graphics hardware. In total there were 51 graphics cards tested for this comparison of Radeon cards as well as NVIDIA GeForce hardware for reference."
Here are some more Graphics Card articles from around the web:
- PowerColor Red Devl Radeon RX 580 Video Card Review @ Hardware Asylum
- 21-Way NVIDIA Fermi/Kepler/Maxwell/Pascal OpenCL GPU Comparison @ Phoronix
- 28-Way NVIDIA GeForce GPU Comparison On Ubuntu: From GeForce 8 To GeForce 1080 @ Phoronix
- ASUS GTX 1080 ROG Strix OC 11Gbps @ Kitguru
- MSI GTX 1080 Gaming X Plus 8GB @ Kitguru
Subject: General Tech | May 28, 2017 - 07:10 PM | Tim Verry
Tagged: samba, linux, ransomware, security, networking
Last week, the development team behind Samba – popular software suite used on Linux and Unix clients and servers that uses TCP/IP protocol for file and print sharing to SMB/CIFS clients (including Microsoft Windows) – released a security advisory along with patches for a remote code execution hole that has been present in Samba for seven years since the release of Samba 3.5.0 in March 2010. The vulnerability, classified under CVE-2017-7494, allows an attacker to upload malicious code to a Samba server and get the server to run the code by sending a malformed IPC request that references the local file path. The Samba server will run the code in the malicious shared library (.so) file even though it is from an untrusted remote source.
The bad news is that this is a fairly serious flaw that could lead to an attacker successfully holding a business or home user’s files (including backups!) at ransom, stealing data, or using the now owned file server to attack other network resources that trust the file server. If not securely configured (e.g. allowing anonymous writes), the attack could even be wormable which would allow it to self-replicate across the network or Internet. Further, while various security firms have slightly different numbers, they all seem to agree that around 100,000 Internet-accessible machines are running vulnerable versions of Samba.
It is not all bad news though, and in some respects this vulnerability is not as big of an issue as the WannaCry ransomware and EternalBlue SMB vulnerability because in order to successfully exploit the Samba flaw an attacker needs to obtain credentials to upload the malicious code to the file share(s) which need to be writeable in the first place and not running as noexec under a SELinux policy. Also, attackers need to know or guess the local path name of the files on the file share to send the malformed IPC request. More importantly, the Samba team released three security releases (4.6.4, 4.5.10, and 4.4.14) for the newer branches and is working with OS distributions on providing patches for older Samba versions. For systems that cannot be updated or patched, there is also a workaround that can be implemented by modifying the global Samba config file to contain the setting “nt pipe support = no”. While this will break some expected Windows functionality (mainly machines will not be able to access null shares and will need to use the specific share path rather than just the server path), it will make it so that Samba will not accept the malicious requests.
Perhaps the most worrying aspect of this vulnerability is that security researchers estimate that up to 90% of the vulnerable Internet-connected Samba endpoints do not have a direct patch or update available yet and may not ever get one. While the enterprise hardware and even bigger consumer and SMB hardware providers will provide support for this in the form of patches or firmware updates, there is a sea of home routers, NAS boxes, file and print servers, and IoT devices running on home networks that are not open to user updates and may not ever get firmware updates. The best thing to do in this scenario according to the security advisory (if you can’t just not use it or replace it with different hardware that can be patched or isn’t affected of course) is to not expose it to the Internet. There would still be a risk of it being exploited should someone get a virus on a client machine through email, malicious downloads, or social engineering though. Considering these home NAS devices are usually used as destinations for backups, the risk of ransomware not only infecting client machines but also the main file share and network backups is scary. I have always been a fan of offline and/or cloud backups and in these modern times they are more important than ever with the rise of ransomware and other profit motivated viruses.
If you are not sure if your network is affected, there are tools being made available (including a Metasploit module, nmap scripts, and Internet scans) to help you determine that and reduce your attack surface using that information by updating to the latest security release, applying patches, updating, using SELinux policies to prevent the server from executing files itself, and preventing them from communicating with the Internet in order of effectiveness.
All that is to say don’t panic, stay vigilant, and make sure your important data is properly backed up and secured as much as possible!
Subject: Graphics Cards | April 24, 2017 - 06:08 PM | Jeremy Hellstrom
Tagged: linux, RX 580, amd, overclocking, Polaris
Phoronix have had a chance to test out the refreshed Polaris RX 580 on the Linux 4.11 kernel and Mesa 17.1-devel, initially the AMDGPU-PRO 17.10 driver update was not included thanks to interesting timing. The performance deltas are as you would expect, a slight increase in performance that is relative to the increased clock speeds, just as when run on Windows. They also had a chance to try overclocking the new card, AMD added support for overclocking GCN 1.2 and newer cards on their proprietary Linux driver in 2016. They managed to increase the core by 6% without running into stability issues however when they overclocked the memory, they saw serious performance decreases. Check out the steps they tried along with the results from the overlocked GPU here.
"Yesterday I posted the initial Radeon RX 580 Linux benchmarks while now with having more time with this "Polaris Evolved" card I've been able to try out a bit more, like the AMDGPU Linux overclocking support. Here are the ups and downs of overclocking the Radeon graphics card under Linux."
Here are some more Graphics Card articles from around the web:
- Sapphire Nitro+ Radeon RX 570 4GB @ eTeknix
- PowerColor Red Devil Radeon RX 570 4GB @ eTeknix
- XFX RX 460 4GB Slim Single Review @ OCC
- Palit GeForce GTX 1080 Ti GameRock Premium 11 GB @ techPowerUp
- MSI GeForce GTX 1080 GAMING X PLUS 8G @ Guru of 3D
- MSI GTX 1080 Gaming X Plus 11 Gbps 8 GB @ techPowerUp
- Gigabyte Aorus GTX 1080 Ti Xtreme Edition 11GB @ Kitguru
- Phanteks Glacier 1080 GPU Waterblock @ techPowerUp
- PNY GTX 1070 XLR8 OC Gaming 8GB @ eTeknix
- GIGABYTE GeForce GTX 1060 Mini ITX OC 6GB @ eTeknix