NovaCustom NS5x/7x ADL (12th Gen) 07.04.2023 - Release v1.6.0 newsletter issues

Open pietrushnic opened this issue 1 year ago • 18 comments

  • [x] I would like some help understanding the need for a date in the title. What is the purpose of that redundant information? Any email client showed when the email was received, and we typically offer that information
  • [ ] The function keys responsible for entering the setup and boot menu in BIOS have been changed from ESC/F12 to F2/F7 - what is the background of this decision? IMHO, it isn't apparent. Are we planning to change this in the future?
  • [ ] We write in titles of fixed bugs Dasharo issues #... Do we plan to point to any other issues in the future? If not, we may leave #...; most users should read it similarly. If we depend on other project issues, we still should have Dasharo issue referencing, which means external project bug references will never be used, and we are just redundant here.
  • [x] #420
  • [ ] Just use buttons below to download the latest firmware and signature. We always recommend to verify signature before firmware installation. - this is the third release for that product line, and the product is sold only with Dasharo. Does it really make sense for any user to download the firmware from those links in the newsletter? We see in practice, there are couple of types of users:
    • privacy-aware security-paranoid tech-savvy - those types of users will always go through full due diligence, they want: check the source code if nothing sniffy was added, check if the stated changes match the source code, check if the source code really produces hash we published, check if the signature of our hash is genuine up to the root private key according to seckpack, then they will take binary they compiled during reproducibility checking and flash using their preferred method (e.g. operating system of their choice, they may choose DTS if it would pass the same due diligence) and tools they compile themselves. They don't trust 3mdeb or anything between them and us.
    • non-tech-savvy - those types of users are on the other side of the spectrum since they need more skill, time, or willingness, or their threat model does not require that. They don't have to go through all the complex stuff privacy-aware security-paranoid tech-savvy does, but we should give them the ability to go that path if they want. We should do even more. We should provide the ability to check things semi-automatically or automatically in between (e.g., automatically verify signatures transparently by delivering scripts and options in DTS).
    • To summarize, the newsletter's Get it while it's hot! section doesn't make sense for end users. It may make sense for NovaCustom, but many people on the list receive that newsletter, which only makes sense for some of them. The ultimate method for updating should be fwupd either with LVFS or our hosting. Meanwhile, we can think of updates provided through DTS. Anything else should be considered advanced usage and point to correct documentation.
  • [ ] Test Results link does not point to the correct table and naming consistency between Dasharo Universe (NovaCustom NS5x/NS7x ADL (12th Gen)), newsletter (NovaCustom NS5x ADL (12th Gen)) and test results spreadsheet (NS5x/7xPU?) are inconsistent.
  • [x] Why don't we link to test definitions in the test results spreadsheet?
  • [ ] #421
  • [x] hardware matrix link points to different hardware (NV4x 12th Gen)
  • [ ] hardware overview does not lead to NS5x ADL (12th Gen). It leads to a page for all models, so we slightly confuse the user
  • [ ] building manual
    • [ ] say about NS5x ADL, but release seems to apply also for NS7x and it was validated for such. Why?
    • [x] #490
    • [ ] sha256 of built binary is different (6cd4d711ac0317420f6df0989973d2584ad6c8d7ed1e2f96a492b14a2f750c0b) than what was sent in the newsletter (23069dc1f4bc0f5dff101b98b94205b82912341f0c0b130315c5595159449ab5), what should I do with that?
  • [ ] release binaries
    • [ ] both released firmware binaries are signed with expired key

I'm happy to mark the checkbox done when we address the topic in the discussion below if a separate bug report will be filed to address the issue, or if MR with a fix will be merged.

pietrushnic avatar Apr 07 '23 22:04 pietrushnic

The function keys responsible for entering the setup and boot menu in BIOS have been changed from ESC/F12 to F2/F7 - what is the background of this decision? IMHO, it isn't apparent. Are we planning to change this in the future?

The hotkeys were broken from the start. For Tiger Lake laptops we preserved Insyde F2/F7 hotkeys for setup and boot manager. For some reason the same hotkeys were not set for Alder Lake laptops, so I decided to fix them finally to the keys they always were supposed to be. We always keep the original hotkey binding from proprietary firmware. F2/F7 combination should be preserved from now on and should never change anymore.

miczyg1 avatar Apr 11 '23 08:04 miczyg1

builds end up with warnings what I should do about it?

Yeah, warning fiesta from vboot/cbfstool and friends. Not much we can do, hide this information and you will find someone flashing incomplete image for example (without IFD and ME). Flashrom has similar problems with reporting many information and warnings that may be treated as something overly wrong.

As for the hexdump into found, I have issued a patch: https://review.coreboot.org/c/coreboot/+/68133 (if code is rebased it should be gone)

miczyg1 avatar Apr 11 '23 09:04 miczyg1

The hotkeys were broken from the start. For Tiger Lake laptops we preserved Insyde F2/F7 hotkeys for setup and boot manager. For some reason the same hotkeys were not set for Alder Lake laptops, so I decided to fix them finally to the keys they always were supposed to be. We always keep the original hotkey binding from proprietary firmware. F2/F7 combination should be preserved from now on and should never change anymore.

Great, but why didn't we let the community know about that in the correct way, linked in the release notes, e.g. issue, PR description?

pietrushnic avatar Apr 11 '23 11:04 pietrushnic

Yeah, warning fiesta from vboot/cbfstool and friends. Not much we can do, hide this information and you will find someone flashing incomplete image for example (without IFD and ME). Flashrom has similar problems with reporting many information and warnings that may be treated as something overly wrong.

We don't have to hide, just let people know in the building manual what to expect. Clear definition of success is good enough.

As for the hexdump into found, I have issued a patch: https://review.coreboot.org/c/coreboot/+/68133 (if code is rebased it should be gone)

Great I'm very happy we work on that. What about other warnings?

/usr/bin/ld: /home/coreboot/coreboot/build/util/vboot_lib/libvboot_util.a(2crypto.o): warning: relocation in read-only section `.rodata.vb2_sig_names'
/usr/bin/ld: warning: creating DT_TEXTREL in a PIE

pietrushnic avatar Apr 11 '23 11:04 pietrushnic

Yeah, warning fiesta from vboot/cbfstool and friends. Not much we can do, hide this information and you will find someone flashing incomplete image for example (without IFD and ME). Flashrom has similar problems with reporting many information and warnings that may be treated as something overly wrong.

We don't have to hide, just let people know in the building manual what to expect. Clear definition of success is good enough.

Got it.

As for the hexdump into found, I have issued a patch: https://review.coreboot.org/c/coreboot/+/68133 (if code is rebased it should be gone)

Great I'm very happy we work on that. What about other warnings?

/usr/bin/ld: /home/coreboot/coreboot/build/util/vboot_lib/libvboot_util.a(2crypto.o): warning: relocation in read-only section `.rodata.vb2_sig_names'
/usr/bin/ld: warning: creating DT_TEXTREL in a PIE

Some vboot bug I think. Contribution to chromium repos probably required. Haven't analyzed it yet

miczyg1 avatar Apr 11 '23 12:04 miczyg1

@pietrushnic Where did you get commands for verification:

release binaries
both released firmware binaries are signed with [expired key](https://paste.dasharo.com/?715cad8a46298b4e#5whbWVfifL1ttnR2s8AKbL8XnJMG6kh1SByUnGcbNKss)

Link to NovaCustom key is incorrect (missing .asc in the end).

macpijan avatar Apr 19 '23 08:04 macpijan

@macpijan asciinema, but the lines are wrapped, and I probably didn't copy the required line. I would suggest creating DTS automated verification (and attestation) scripts and generic documentation for such purposes.

pietrushnic avatar Apr 19 '23 15:04 pietrushnic
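
The automated verification suggested in the comment above, as an added example (not part of the thread and not Dasharo's or DTS's own script): it reads gpg's machine-readable status lines so that an expired signing key is reported separately from a bad signature, then compares the image digest. The function names, the file layout (a detached signature over a one-line checksum file) and an already imported vendor key are assumptions.

```shell
#!/bin/sh
# Added example; function names and file layout are assumptions.

# sha256_matches FILE EXPECTED_HEX: exit 0 only when the digest matches.
sha256_matches() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# has_status KEYWORD: true if $status holds a "[GNUPG:] KEYWORD ..." line.
has_status() {
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] $1 "
}

# classify_gpg_status: reads `gpg --status-fd 1 --verify` output on stdin
# and prints one verdict. Failure states are tested before GOODSIG.
classify_gpg_status() {
    status=$(cat)
    if   has_status BADSIG;    then echo bad-signature
    elif has_status ERRSIG;    then echo cannot-check
    elif has_status REVKEYSIG; then echo revoked-key
    elif has_status EXPKEYSIG; then echo expired-key
    elif has_status EXPSIG;    then echo expired-signature
    elif has_status GOODSIG;   then echo good
    else echo cannot-check
    fi
}

# verify_release IMAGE SHA256_FILE SIG: authenticate the checksum file first,
# then compare the image against the digest on its first line.
verify_release() {
    verdict=$(gpg --status-fd 1 --verify "$3" "$2" 2>/dev/null |
        classify_gpg_status)
    if [ "$verdict" != good ]; then
        echo "signature: $verdict"
        return 1
    fi
    if ! sha256_matches "$1" "$(head -n 1 "$2" | cut -d' ' -f1)"; then
        echo "hash-mismatch"
        return 1
    fi
    echo "verified"
}
```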

Also, to be fixed:

  • [x] footer copyright year is 2022

artur-rs avatar Apr 20 '23 12:04 artur-rs

@artur-rs please convert your checkbox into the issue, it happened again with Protectli Vault VP2420 Dasharo Release v1.1.0

pietrushnic avatar Apr 23 '23 20:04 pietrushnic

Also, to be fixed: footer copyright year is 2022

changed in a template

BeataZdunczyk avatar Sep 07 '23 10:09 BeataZdunczyk

Why don't we link to test definitions in the test results spreadsheet?

fixed

BeataZdunczyk avatar Sep 07 '23 10:09 BeataZdunczyk

Test Results link does not point to the correct table and naming consistency between Dasharo Universe (NovaCustom NS5x/NS7x ADL (12th Gen)), newsletter (NovaCustom NS5x ADL (12th Gen)) and test results spreadsheet (NS5x/7xPU?) are inconsistent.

Consistency improvements for the next release:

Newsletter titles:

  • [NVC] NovaCustom NV4x 11th Gen 30.10.2023 - Release v1.5.0
  • [NVC] NovaCustom NS5x/7x 11th Gen 30.10.2023 - Release v1.5.0
  • [NVC] NovaCustom NV4x 12th Gen 30.10.2023 - Release v1.7.0
  • [NVC] NovaCustom NS5x/7x 12th Gen 30.10.2023 - Release v1.7.0

Chapter names in documentation:

  • NV4x 11th Gen
  • NS5x/7x 11th Gen
  • NV4x 12th Gen
  • NS5x/7x 12th Gen

Test results tabs:

  • NV4x 11th Gen - results
  • NS5x 11th Gen - results
  • NS7x 11th Gen - results
  • NV4x 12th Gen - results
  • NS5x 12th Gen - results
  • NS7x 12th Gen - results

Changes here: https://github.com/Dasharo/docs/pull/694/files (section names, links to spreadsheet tabs).

macpijan avatar Oct 29 '23 18:10 macpijan

We write in titles of fixed bugs Dasharo issues #... Do we plan to point to any other issues in the future? If not, we may leave #...; most users should read it similarly. If we depend on other project issues, we still should have Dasharo issue referencing, which means external project bug references will never be used, and we are just redundant here.

For the future releases, we are just dropping this reference entirely. This is duplication, as this is already covered in the URL itself.

macpijan avatar Oct 29 '23 18:10 macpijan

Just use buttons below to download the latest firmware and signature. We always recommend to verify signature before firmware installation. - this is the third release for that product line, and the product is sold only with Dasharo. Does it really make sense for any user to download the firmware from those links in the newsletter?

My proposal of changing the Get it while it's hot section (already changed in templates):

First time Dasharo user? See how you can install Dasharo for the first time in the Initial Deployment Manual. Already a Dasharo user? See how you can update your firmware in the Firmware Update Manual. If you want to download firmware binaries manually, you will find them in the Release Documentation. In such a case, you are encouraged to verify signatures using Dasharo release signature verification procedure with this key.

macpijan avatar Oct 29 '23 18:10 macpijan

hardware matrix link points to different hardware (NV4x 12th Gen)

I could not locate such an issue. The v1.6.0 NV4x HW matrix points to: https://docs.dasharo.com/variants/novacustom_nv4x_adl/hardware-matrix/

Maybe not hardware matrix, but hardware overview? It points to: https://docs.dasharo.com/unified/novacustom/overview/ which has tabs, and I am afraid we cannot open specific via link.

But that would be another issue from this ticket: hardware overview does not lead to NS5x ADL (12th Gen). It leads to a page for all models, so we slightly confuse the user

I hope this improves this confusion a bit: https://github.com/Dasharo/docs/pull/694/commits/9ddf1ea3cbb3ea8ffb3994e4cf7356b7866e6c18

macpijan avatar Oct 29 '23 19:10 macpijan

building manual say about NS5x ADL, but release seems to apply also for NS7x and it was validated for such. Why?

NS5x and NS7x are the same mainboard, just a bigger display (15 or 17 inches).

I hope this can help here to indicate that building manual applies for both: https://github.com/Dasharo/docs/pull/694/commits/9ddf1ea3cbb3ea8ffb3994e4cf7356b7866e6c18

macpijan avatar Oct 29 '23 19:10 macpijan

@macpijan

For the future releases, we are just dropping this reference entirely. This is duplication, as this is already covered in the URL itself.

I'm ok with that. Just let's make sure issues have a meaningful title.

My proposal of changing the Get it while it's hot section (already changed in templates):

First time Dasharo user? See how you can install Dasharo for the first time in the Initial Deployment Manual. Already a Dasharo user? See how you can update your firmware in the Firmware Update Manual. If you want to download firmware binaries manually, you will find them in the Release Documentation. In such a case, you are encouraged to verify signatures using Dasharo release signature verification procedure with this key.

Agree. I hope this section will evolve in the future to cover extensive integrity and authenticity checks in DTS as well as those who would like to avoid using the network or go even further and reproduce build results themselves.

I could not locate such an issue. The v1.6.0 NV4x HW matrix points to: https://docs.dasharo.com/variants/novacustom_nv4x_adl/hardware-matrix/

This is the link I copied directly from [NVC] NovaCustom NS5x/7x ADL (12th Gen) 07.04.2023 - Release v1.6.0 newsletter I received: https://newsletter.3mdeb.com/links/ma0Gcx1rs/RJrTXDhWR/w5cSapOlr/kkzTYu4FPg - as you can see it resolves to NV4x so there was an issue in the newsletter. I don't know why it happened, but we should ensure those kinds of issues are not present in our publications.

I hope this improves this confusion a bit: https://github.com/Dasharo/docs/commit/9ddf1ea3cbb3ea8ffb3994e4cf7356b7866e6c18

I love it. This improves consistency a lot.

pietrushnic avatar Oct 29 '23 20:10 pietrushnic

This is the link I copied directly from [NVC] NovaCustom NS5x/7x ADL (12th Gen) 07.04.2023 - Release v1.6.0 newsletter I received: https://newsletter.3mdeb.com/links/ma0Gcx1rs/RJrTXDhWR/w5cSapOlr/kkzTYu4FPg - as you can see it resolves to NV4x so there was an issue in the newsletter. I don't know why it happened, but we should ensure those kinds of issues are not present in our publications.

Ok then, so it was probably improved post sending already.

macpijan avatar Nov 06 '23 20:11 macpijan