Open pietrushnic opened 1 year ago
link for downloads leads to 3mdeb.com instead of dl.3mdeb.com - maybe we didn't entirely switch yet, but changing will invalidate this newsletter unless we set redirection.
Redirection is a part of the migration plan, so this point will be covered
Recovery page is under construction. Can't we reuse the recovery procedure from another platform?
This is already scheduled after initial review
Redirection is a part of the migration plan, so this point will be covered
How and where we can track it?
This is already scheduled after initial review
Can we link to PR?
@pietrushnic I pushed some improvements regarding the blobs in building manual: https://github.com/Dasharo/docs/pull/570
I expanded the recovery page: https://github.com/Dasharo/docs/pull/559
link for downloads leads to 3mdeb.com instead of dl.3mdeb.com - maybe we didn't entirely switch yet, but changing will invalidate this newsletter unless we set redirection.
We do have redirection in place. That was the prerequisite of moving the files domain in the first place.
The new release introduces new features such as ... - low quality, better would be The new release introduces features like USB stack and SMM BIOS write protection enable/disable options.
fix in review
updated checkboxes (subissues) status in the first comment
Overview page could have more information e.g., referral link to shop, picture of hardware, where to report issues.
asciinema was posted from a private account instead of using 3mdeb one - we should get rid of asciinema and replace it with a generic signature validation procedure (manual) or DTS (automatic).
For me the procedure described in asciinema generates different results in a clean VM (I can't see 3mdeb Dasharo Master Key nor Protectli signing key signatures), `--fetch-keys` has other behavior than `--import`. Please check the gpg command output difference. We should use import instead of fetch-keys. It took me quite a lot of time to figure out why my output is different - let's save users time.
@pietrushnic changed by this PR, new procedure is published here: Dasharo release signature verification.
@BeataZdunczyk `--import` was used, so it resolves the sub-issue mentioned above.
The whole procedure could be more precise. First, it says Ubuntu 22.04 would be used, then it points to DTS, then asks to compile flashrom. We should support only DTS-based deployment.
Protectli uses their own flashli for deployments. We have not supported any Protectli platform in DTS. Either we implement support for it, or simply add instructions how to flash the ROM from DTS shell...
This submenu allows configuring UEFI Secure Boot functionality. By default, Dasharo firmware released after October 2022 has Secure Boot disabled default with no keys and certificates provisioned
There is no such text in SB menu documentation anymore. Should we consider it resolved are UX improvements from Qubes OS Summit 2023?
Regarding the Protectli blobs ZIP, now we have the following description in building manual:
Obtain the Protectli blobs package (only v1.1.0 or older):
Replace `<PROTECTLI_BLOBS_REPO>` with a proper path to the repository in a form of: `git@repo-path.git`. You should checkout to the same tag as in case of the coreboot repository.

```bash
cd 3rdparty/blobs/mainboard/
git init
git remote add origin <PROTECTLI_BLOBS_REPO>
git fetch origin && git checkout protectli_vault_ehl_v1.1.0
cd -
```

@pietrushnic please take a look at above 2 comments and let me know which of them we can consider resolved.
Regarding the flashing, we need some improvements overall for Protectli, as we don't support DTS. Suggestions welcome.
low quality, better would be The new release introduces features like USB stack and SMM BIOS write protection enable/disable options.
I guess reviewers need to do a better job and overall do much more...
no social media announcement scheduled
Release process says:
[EX035] Social Media
Founder is responsible for this part of a process. <-------------------------
Clients, community and end-users deserve high-quality information about what the new release is bringing and how it will improve their experience.
This process is performed according to Social Media Campaign Tracker [documentation](URL obfuscated)
@pietrushnic you may want to change this...
I guess reviewers need to do a better job and overall do much more...
Probably. Either reviewers would improve, or the initial writer would improve. Descriptive PRs and commits are the essence of good release. I guess if we have descriptive PR or commits, then ChatGPT should do relatively well in wrapping up.
Founder is responsible for this part of a process.
This means I will publish, but adding to the schedule is PM work @BeataZdunczyk cc
Below is a similar review to #408 - I tried to avoid duplication, but duplicated problems were extracted to have a public record of issues we continuously repeat.
The new release introduces new features such as ... - low quality, better would be The new release introduces features like USB stack and SMM BIOS write protection enable/disable options.
SMM BIOS write protection enable/disable option - link leads to Dasharo Security Options, this feature is used every time we do update and improve the security posture of the device in a significant way, it deserves better write up and clean assignment of Dasharo PID including validations procedures.
`--fetch-keys` has other behavior than `--import`. Please check the gpg command output difference. We should use import instead of fetch-keys. It took me quite a lot of time to figure out why my output is different - let's save users time.
This submenu allows configuring UEFI Secure Boot functionality. By default, Dasharo firmware released after October 2022 has Secure Boot disabled default with no keys and certificates provisioned. link - as a user, I would like to know why.
`protectli_blobs.zip` - from my understanding, it comes from some private repository; some readers may have access but not all of them, which means we should inform them at the beginning, not at the end of the manual
`protectli-blobs-x.y.z.{zip,tar.gz}`
Obtain the Protectli blobs package and extract it to 3rdparty/blobs/mainboard directory (or keep it as protectli_blobs.zip file in the coreboot directory? The build script will remove it if needed in step 5). - why not provide command which will do that? It would avoid the problem of misinterpreting this description. For example, when I downloaded a zip file from the private repo and used a command from the script `build.sh`

```bash
unzip protectli_blobs.zip -d 3rdparty/blobs/mainboard
```

`s/protectli_blobs.zip/protectli-blobs-1.0.18.zip/` this of course doesn't work because `3rdparty/blobs/mainboard` will contain `protectli-blobs-1.0.18` but it should contain files from inside. So there is one step more to accomplish the correct build tree

```bash
mv 3rdparty/blobs/mainboard/protectli-blobs-1.0.18 3rdparty/blobs/mainboard/protectli
```

```
Archive: protectli_blobs.zip
End-of-central-directory signature not found. Either this file is not a zipfile, or it constitutes one disk of a multi-part archive. In the latter case the central directory and zipfile comment will be found on the last disk(s) of this archive.
unzip: cannot find zipfile directory in one of protectli_blobs.zip or protectli_blobs.zip.zip, and cannot find protectli_blobs.zip.ZIP, period.
```
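
The two extraction problems reported in the issue above (the archive unpacks into a versioned `protectli-blobs-1.0.18` directory instead of `protectli`, and a file that is not a valid archive only fails at `unzip` time) can be handled in one step. This is an added example, not part of the original issue or of Dasharo's `build.sh`; the function name `install_protectli_blobs` is hypothetical, and it assumes the archive wraps its files in a single top-level directory, as in the report.

```shell
#!/bin/sh
# Added example: unpack a Protectli blobs archive so that its files end up
# directly in <coreboot>/3rdparty/blobs/mainboard/protectli.
# install_protectli_blobs is a hypothetical helper, not part of build.sh.

install_protectli_blobs() {
    archive=$1          # e.g. protectli-blobs-1.0.18.zip or .tar.gz
    coreboot_dir=$2     # root of the coreboot checkout
    dest="$coreboot_dir/3rdparty/blobs/mainboard/protectli"

    [ -f "$archive" ] || { echo "no such file: $archive" >&2; return 1; }
    if [ -e "$dest" ]; then
        echo "refusing to overwrite $dest" >&2; return 1
    fi

    tmp=$(mktemp -d) || return 1

    # Test the archive before extracting anything, so a file that is not an
    # archive is rejected here instead of leaving a half-populated tree.
    case "$archive" in
        *.zip)
            unzip -tq "$archive" >/dev/null 2>&1 &&
                unzip -q "$archive" -d "$tmp" ;;
        *.tar.gz)
            gzip -t "$archive" 2>/dev/null &&
                tar -xzf "$archive" -C "$tmp" ;;
        *)  false ;;
    esac || { echo "not a valid archive: $archive" >&2; rm -rf "$tmp"; return 1; }

    # Assumption: the archive has one versioned top-level directory
    # (protectli-blobs-x.y.z); install its contents, not the directory itself.
    src=$tmp
    if [ "$(ls -A "$tmp" | wc -l)" -eq 1 ]; then
        only="$tmp/$(ls -A "$tmp")"
        if [ -d "$only" ]; then src=$only; fi
    fi

    mkdir -p "$(dirname "$dest")" && mv "$src" "$dest"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Called from the coreboot directory as `install_protectli_blobs protectli-blobs-1.0.18.zip .`, it leaves the blobs under `3rdparty/blobs/mainboard/protectli` regardless of the version in the archive name.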