systemdlete | I just don't follow this. There's a serious even deadly bug in UEFI, but when I go to the link described in hacker news, it just gives me a long list of the CVEs and their scores. But no links to actual UEFI updates. So I went to gigabyte.com but there doesn't seem to be an update for my board's UEFI. Of course, my board is about a | 06:00 |
---|---|---|
systemdlete | decade behind the rest of the world :) and so maybe this disaster doesn't impact me. But I wonder how it is that this bug could affect only newer UEFIs and not the older ones. | 06:00 |
systemdlete | They INTRODUCED a serious flaw like this in a NEWER version of UEFI... | 06:01 |
systemdlete | (or maybe I am totally lost here?) | 06:01 |
systemdlete | I went to https://www.gigabyte.com/Motherboard/GA-970A-DS3P-rev-2x#ov | 06:05 |
gnarface | systemdlete: i don't really know the specific situation but i don't see any evidence that there are any legal ramifications yet for not patching grievous hardware vulnerabilities. the likely explanation is simply that it is not a popular enough device in the wild anymore for anyone to have noticed they didn't patch it | 06:25 |
gnarface | systemdlete: (anyone other than us nerds anyway) | 06:26 |
systemdlete | I couldn't care less about legal schmegal in this case: I'm concerned about security. Have you heard what they can do with this exploit? | 06:26 |
gnarface | maybe you can boot it in legacy mode to avoid the risk? | 06:26 |
gnarface | i don't know specifically what vulnerability you're talking about; UEFI has been insecure by design from the beginning | 06:27 |
systemdlete | https://thehackernews.com/2022/02/dozens-of-security-flaws-discovered-in.html | 06:27 |
gnarface | it's really heinous and no backdoor shenanigans can compare to the hideous nature of the intended functionality | 06:28 |
gnarface | i can confirm only for you that the most recent bios update i see on this page is dated 2016/03/02 | 06:29 |
gnarface | if that's the one you see too, we're seeing the same thing | 06:29 |
systemdlete | The board is for last generation CPU | 06:30 |
systemdlete | FX8350 is about the last supported | 06:30 |
systemdlete | (I stay behind a generation for the most part.) | 06:31 |
gnarface | unless you're lucky and it's supported by libreboot i can only suggest maybe checking if it has a legacy boot mode that avoids the vulnerability | 06:31 |
systemdlete | Is there a way for it to become accessible from outside my LAN? I mean, I have no Internet-facing servers, and everything is firewalled around here. | 06:32 |
systemdlete | The problem is, I really don't have much knowledge about exploits. I just try to keep up and update my hardware and software as much as I can. | 06:34 |
systemdlete | gnarface: There's a bunch of options to disable uefi for CSM, boot mode, storage boot option control, etc. My only question is, if I disable these will my system still boot? I would think I will need to reconfigure grub, right? | 06:53 |
gnarface | systemdlete: i don't know and i don't even know if the answer would be the same for all hardware | 07:00 |
systemdlete | ok, ok. Sorry to bother you, gnarface. | 07:00 |
gnarface | systemdlete: having to reconfigure grub seems plausible so i'd keep a good live image or some sort of grub rescue disk on hand to be safe | 07:00 |
systemdlete | good idea! I just happen to have that. | 07:00 |
gnarface | systemdlete: nah, don't worry about it. i wish i could help. all i feel is rage towards UEFI | 07:00 |
systemdlete | (I got that sense, yes.) | 07:01 |
systemdlete | You know, I didn't really think about the vulnerability of a completely re-writable firmware... | 07:01 |
onefang | Install grub in MBR instead of EFI partition. Or do both. | 07:02 |
systemdlete | I've been running this for months. | 07:02 |
gnarface | systemdlete: i would strongly consider using anything else as the internet-facing firewall though, yes | 07:03 |
gnarface | systemdlete: maybe something from the era when the BIOS only had 2MB of storage in total available | 07:04 |
gnarface | (it's not just that the thing is writable from the OS, it's that it's got enough room in there for an entire other OS) | 07:04 |
systemdlete | why? 2MB is plenty enough space to do damage | 07:04 |
gnarface | trust me 125MB is a lot bigger of an attack surface | 07:05 |
gnarface | if it has the built-in networking capability (like so it can fetch its own bios updates from the net directly without an OS) disable that for sure | 07:05 |
systemdlete | gnarface: do you think that, maybe, just maybe, the designers of the original unix (including how it booted) might have been sufficient for most purposes? Istm that it worked for decades. So did sysv init. But what the f would they have known right? The kiddies who have taken over know far more than a bunch of old computer | 07:06 |
systemdlete | scientists | 07:06 |
systemdlete | OK. So I've got marching orders... | 07:26 |
systemdlete | bbl | 07:26 |
jason1234 | is there a devuan sysVinit system for ARMEL? 32bits pandora machine | 07:57 |
jason1234 | what is the current armel - if still existing. seems that armel won't be maintained too long from linux. | 07:58 |
jason1234 | btw alike 486.,... later x86 32bits. | 07:58 |
onefang | #devuan-arm might be a more useful place to ask that. | 08:06 |
gnarface | the recent arm images are on arm-files.devuan.org, but yea ask in #devuan-arm | 08:07 |
gnarface | there's no "one-size-fits-all" image for any of the ARM sub-architectures | 08:08 |
gnarface | if there's not one there for your device then you can still debootstrap yourself an armel rootfs and build the kernel and u-boot parts by hand | 08:10 |
gnarface | details on that are better discussed in #devuan-arm though | 08:11 |
Bobemoe | so, fresh install of beowulf and pm-* is working fine! | 17:34 |
ham5urg | Would Devuan consider having an XMR account to receive donations? | 17:44 |
fsmithred | ham5urg, you probably need to talk to jaromil about that. | 17:45 |
onefang | Isn't there already a donation link on the web site? | 17:49 |
onefang | https://www.devuan.org/os/donate.html Thought so. | 17:51 |
stian | I just installed a devuan server, and may have done something silly when I chose to force uefi. | 17:59 |
stian | now, none of the hds show up as bootable in the bios.. | 17:59 |
stian | can anyone tell me how to fix this? | 17:59 |
stian | they are all detected as sata units in the bios, just not available as bootable drives | 18:00 |
ham5urg | stian, this will need interaction with GRUB, if you don't know what GRUB is or never partitioned a harddisk, it is better to reinstall. | 18:00 |
fsmithred | what do you mean by 'force uefi'? | 18:00 |
stian | it doesn't get as far as grub when I try to start the computer | 18:00 |
ham5urg | I guess he installed the uefi-way onto a bios-machine | 18:01 |
stian | there was a question during install, whether I wanted to force uefi or continue in legacy | 18:01 |
ham5urg | How old is this machine, are there still bios-machines out there? | 18:02 |
stian | oh, I'm not sure, probably 10 years or so | 18:02 |
fsmithred | there's one next to my desk | 18:02 |
fsmithred | I'm not familiar with that question in the installer | 18:02 |
stian | I tried to reinstall afterwards, but then the uefi question never came up, and there was no change in the bios | 18:03 |
fsmithred | boot the installer media and go to Advanced options, Rescue, and reinstall the bootloader | 18:03 |
ham5urg | yes, that is a good hint. | 18:04 |
stian | Ah, good idea, I'll try that. | 18:04 |
fsmithred | also, when you boot the iso, get a shell and see if /sys/firmware/efi exists. | 18:04 |
fsmithred | if so, you booted in uefi mode. | 18:04 |
stian | OK, thanks! | 18:04 |
stian | btw, here's how the question looked in the installer: | 18:05 |
fsmithred | there should be an efi partition | 18:05 |
stian | https://i.stack.imgur.com/5BX5G.png | 18:05 |
fsmithred | you have other operating systems on this computer? | 18:05 |
fsmithred | I have seen that question before, and what they say is not really true | 18:06 |
fsmithred | if you boot the uefi install and then run update-grub, it will see the other installations and add them to the boot menu. | 18:06 |
stian | I don't have any other os on the computer, that's why I accepted forcing | 18:06 |
fsmithred | even if they are legacy | 18:06 |
fsmithred | so, efi partition should be vfat, probably a few hundred megabytes, and with boot and esp flags. | 18:07 |
fsmithred | or ef00 in gdisk | 18:07 |
onefang | I have two BIOS only x86 machines here. | 18:10 |
stian | reinstalling the bootloader is the same as running update-grub, right? If so I'm afraid it didn't change anything. | 18:16 |
stian | there was a /sys/firmware/efi | 18:16 |
stian | Is there anything I could do differently during partitioning? | 18:17 |
fsmithred | reinstalling bootloader includes grub-install and update-grub | 18:18 |
fsmithred | other thing to try is open a shell in the installed system and remove grub-efi-amd64-signed if it's present and if you don't use secure-boot. | 18:19 |
fsmithred | back in 5min | 18:19 |
stian | ok, thanks, I'll try that | 18:22 |
fsmithred | and maybe run grub-install and update-grub again | 18:29 |
stian | I reinstalled grub a few times from the rescue menu, also I tried an option to "force grub installation to efi removable media path", but neither worked I'm afraid. | 18:38 |
stian | grub-efi-amd64-signed was a directory in /usr/share/doc or something, though there were several similarly named files in /lib | 18:40 |
fsmithred | dpkg -l |grep grub | 18:40 |
fsmithred | apt remove grub-efi-amd64-signed | 18:41 |
fsmithred | dpkg-reconfigure grub-efi-amd64 | 18:41 |
stian | ah, I understand, I'll have a look, thanks | 18:41 |
fsmithred | :) | 18:41 |
fsmithred | debian is full of secret incantations | 18:42 |
stian | after that and rebooting, /dev/sda wasn't available to choose as root drive from rescue mode any more :/ | 18:52 |
stian | I've been at this all day, so I'll take a break now | 18:52 |
stian | but many thanks for your help so far | 18:52 |
fsmithred | you don't name the drive with uefi grub-install | 18:55 |
fsmithred | just grub-install and it knows what to do | 18:55 |
stian | oh, I did not know that. Thanks. I'll give it another try later :) | 18:59 |
golinux | I also run BIOS machines | 19:06 |
FilipZ | Hi! I was there asking for help with the malfunctioning wireless card on 2022-01-30 ( http://reisenweber.net/irclogs/libera/_devuan/_devuan.2022-01-30.log.html ). I would like to ask if there is anything new known on the issue, and if I could receive some further help with it. I am using Connman to manage my connections, and I just remembered that the total wireless card failure can be triggered manually by turning off the WIFI thr | 19:33 |
FilipZ | he Connman. (After turning it off it is not possible to turn it on without a system restart) Could this help? Also, my connection just got more unstable during the current session. Should I upload some logs that could help reveal what creates an issue? If so, then how should I do it? | 19:33 |
FilipZ | I also have a Live Chimaera version, so I could run it from a pendrive, if it would be helpful. | 19:34 |
fsmithred | FilipZ, I've turned the wifi off and on in connman without rebooting. I have connman-ui-gtk starting with the desktop, and right-click on the tray icon shows me switches for wired and wifi. | 19:41 |
fsmithred | have/had | 19:42 |
fsmithred | I got angry at connman (again) and replaced it with network-manager (again). | 19:43 |
FilipZ | NM wouldn't help me. I had similar issues on it as well, then I decided to switch to the Connman, and stayed with it for now. | 19:46 |
FilipZ | I wonder what I can do to make any progress in fixing this issue. | 19:47 |
fsmithred | FilipZ, is it a laptop that uses different networks? | 20:02 |
fsmithred | if it's a desktop, just set a static ip and get rid of any gui manager. | 20:03 |
FilipZ | I am using a laptop, and mostly 2 different wireless access points. | 20:05 |
FilipZ | And from what I remember, only the wired connection worked really stable for me. | 20:06 |
FilipZ | And this is not an option. | 20:06 |
fsmithred | I have connman, connman-ui and connman-gtk installed. There is also a Connman Settings in the menu that gives me on/off switches. | 20:14 |