Dasharo / vpub

Dasharo Open Source Firmware vPub (aka 3mdeb vPub) - website, presentations and notes

OptiPlex Dasharo Efforts #15

Open moriel5 opened 2 years ago

moriel5 commented 2 years ago

Are the efforts in regards to the Optiplex 7010/9010 Dasharo bringup planned to be mentioned at one point?

Since if I already had a motherboard for the SFF variant, it could have been an interesting point that ties in with @meklort's BCM5719 firmware bringup (I intend, once I have the budget, to upgrade our 790 SFF's motherboard and front I/O, and I have already put a NEC EXP182a (with the BCM5719 chipset) in it, since the plan is to have open source firmware for both (sadly there is nothing yet for my Dell Y40PH SFP+ card, with the BCM57810S chipset)).

pietrushnic commented 2 years ago

@moriel5 we can definitely discuss that. @miczyg1 and I would be at vPub, so there is nothing stopping us. I would also add your ideas to the vPub backlog to make sure we will cover that wider in the Fall edition.

I'm not sure how OptiPlex is related to BCM5719. Is this for a firewall or NAS build? It would be great to understand the value that OptiPlex brings to that market.

moriel5 commented 2 years ago

The Optiplex and the BCM5719 aren't really related, it's just a great example of several projects put together. In this case, it will be serving as a server/router (via fiber).

The value brought by the Optiplex (specifically the SFF variant, due to the motherboard's DTX dimensions) is precisely in this part of the market, having a small server, router, firewall, and/or other similar things (technically also a NAS, however there is only space for up to 1 3.5" drive or up to 3 2.5" drives, so it's not such a good idea), and the Dasharo firmware (along with the BCM5719 meklort firmware) simply allows the user to be able to trust the hardware better, especially with the ME firmware stubbed.

In any case, I'm glad to hear that. I wonder what other ideas people may have.

miczyg1 commented 2 years ago

@moriel5 as for NAS builds you may also be interested in Dell Precision T1650 which we ported to coreboot not so long ago: https://review.coreboot.org/c/coreboot/+/62212 The advantages of this variant:

I have built my own NAS on it with 32GB RAM, Xeon E3-1275 v2, 4x 2.5'' SAS drives in the drive bay enclosure. Yet I have space to attach 4x 2.5'' SATA or 2x 3.5'' SATA/SAS drives with another SAS controller. Currently, I occupy the 4x PCIe 2.0 port from PCH, but x16 dGPU slot is also usable for PCIe 3.0 connection. Still, you would be able to connect a PCIe x1 expansion card for SFP for example (although still PCIe 2.0 from PCH).

We plan to release Dasharo for this board along with OptiPlexes.

moriel5 commented 2 years ago

Hmm... I usually prefer retail boards to OEM boards (which is why my current desktop/workstation is an Asus Z97 Pro Gamer with an i5-4570), however that is certainly enticing (though I do wish I was already at the level where I could help with these kinds of ports, and also be able to port my boards, as well as any boards which potentially fulfill my needs, such as the Asus P9D WS (C226 chipset) or the AsRock C226 WS).

Funny that you mention the Xeon, my plan includes, after Xeon support stabilizes with the Optiplex 7010/9010 Dasharo port, to add an E3-1220L V2 to the aforementioned family server/router, and should ECC support materialize despite the Q77 chipset, I have 4 sticks of 4G DDR3-1600E sticks waiting (I am still trying to obtain information about the few DDR3L-1866E sticks in existence, in preparation for the E3-1285 V4 I wish to eventually add to my desktop/workstation).

Nearly all of my parts are either 2nd hand, 3rd hand or via dumpster diving, so I go down quite a few rabbit holes when finding information about the parts I have, which leads to these interesting ideas (such as deciding that the DTX standard is perfect for small home servers).

For the record, my Z97 Pro Gamer was bought 2nd hand off AliExpress, my i5-4570 was pulled from a dead Optiplex 3020 SFF that was thrown out (also my 500GB HDD is from there).

The 3020 SFF's chassis I am repurposing for another server/router build with an Acer Veriton X6620G/ECS Q77H2-AD (also bought second hand off AliExpress, for this purpose) (I still haven't decided who will receive it, perhaps my step-sister and brother-in-law, perhaps a close friend of mine) motherboard (this is a fully-standard DTX motherboard, so with an Optiplex x90-x010 SFF PSU, it can work out great with an Optiplex x020 SFF chassis).

In general, I am publishing my findings regarding the Optiplex SFF hardware of this era on Wikipedia (mainly on the Optiplex's Wikipedia talk page), and what prompted this, was finding information about an unbranded Chinese board I have (it turns out that it is a Winnfox H61, Winnfox being the ODM), which is a miniDTX board.

miczyg1 commented 2 years ago

> Funny that you mention the Xeon, my plan includes, after Xeon support stabilizes with the Optiplex 7010/9010 Dasharo port, to add a E3-1220L V2 to the aforementioned family server/router, and should ECC support materialize despite the Q77 chipset, I have 4 sticks of 4G DDR3-1600E sticks waiting (I am still trying to obtain information about the few DDR3L-1866E sticks in existence, in preparation for the E3-1285 I wish to eventually add to my desktop/workstation.

Xeon will never stabilize with the OptiPlex Dasharo port for a few major reasons:

All of the above "issues" were experimentally proved. Intel fuses off the CPU capabilities which shouldn't be supported with given chipset in the early boot phase. It is done by the leftovers of Intel ME firmware even before the CPU is out of reset. Clearing the ME doesn't help because the crucial ME firmware parts are doing this nasty stuff and we cannot work around it. So the best recommended CPU for OptiPlex 7010/9010 is i7-3770, which performance-wise is on par with top Xeon CPUs of the same family.

Of course, putting Xeon will work (if TXT is not enabled), but you are likely to lose more than gain.

moriel5 commented 2 years ago

Hmm... That is quite surprising.

I knew about the ECC limitation already, but figured that someone in the future might be able to work around that (possibly by synthesizing certain parts of the ME), however I had no idea that Xeon together with Q77 breaks the TXT.

I wonder whether a theoretically synthesized TXT would be accepted by Intel processors.

In regards to the recommendation, yeah, i7-3770 is certainly the best option regarding performance, however for certain applications, actually the Xeon E3-1220L V2 would be a better fit, due to its extremely low TDP, which is unmatched by the iX-3xxxT models.

I believe that there are a few ThinkCentres with Q-series chipsets that have official compatibility with Xeon E3s, perhaps that is an avenue to look into?

miczyg1 commented 2 years ago

> possibly by synthesizing certain parts of the ME

The parts that are left are crucial to boot the platform and are signed by Intel. Unless someone finds an exploit that could influence the execution of these crucial components, there will be no workaround.

> I wonder whether a theoretically synthesized TXT would be accepted by Intel processors.

What do you mean by synthesized TXT?

> In regards to the recommendation, yeah, i7-3770 is certainly the best option regarding performance, however for certain applications, actually the Xeon E3-1220L V2 would be a better fit, due to its extremely low TDP, which is unmatched by the iX-3xxxT models.

Xeon E3-1220L V2 of course has lower TDP because there is no iGPU on this CPU. You effectively lose 2x DP and VGA ports on the machine. If you still care about the display you are then forced to use dGPU which will probably consume more Watts than you gain from the lower CPU TDP.

> I believe that there are a few ThinkCentres with Q-series chipsets that have official compatibility with Xeon E3s, perhaps that is an avenue to look into?

Any examples? I wonder what they mean by compatibility... Dasharo is also "compatible" with Xeons on Dell OptiPlex, it's just you will not be able to leverage all Xeon features (like ECC and TXT).

moriel5 commented 2 years ago

> The parts that are left are crucial to boot the platform and are signed by Intel.

That certainly explains it. This is certainly a real dampener. Still a chance, but not something that can be relied on.

> What do you mean by synthesized TXT?

An open source replacement (although given the above, that would likely be signed by Intel as well, so probably a moot point at this time).

> Xeon E3-1220L V2 of course has lower TDP because there is no iGPU on this CPU.

Silly me. I had completely missed this since my requirements do not need a GPU at all (the idea was for the server/router to run headless, with a web GUI such as LUCI).

Yeah, for GPU usage, there is no realistic point in going Xeon specifically with this board.

> Any examples?

I forget the exact models (it is possible that it is only SkyLake+, which would be irrelevant for this), so I'll recheck and post, especially if there are any "gotchas" for that official support.

miczyg1 commented 2 years ago

> An open source replacement (although given the above, that would likely be signed by Intel as well, so probably a moot point at this time).

I am not sure I am following. TXT is a security feature of Intel processors that provides Dynamic Root of Trust for Measurement. It is not something that can be replaced by software. It is the ME's fault to begin with that it fuses off certain CPU capabilities and causes the CPU to fail with TXT initialization. The implementation in coreboot works correctly when "Intel-approved" combinations of CPUs and chipsets are used.

> I forget the exact models (it is possible that it is only SkyLake+, which would be irrelevant for this), so I'll recheck and post, especially if there are any "gotchas" for that official support.

Okay, so we are talking about at least 3 generations difference. Well, many things could change in the meantime. Comparing it to Ivy Bridge will not be an apples-to-apples comparison.

moriel5 commented 2 years ago

> It is not something that can be replaced by software.

Yeah, I confused TXT with TXE.

That said, the situation remains the same, and that is that a theoretical open-source implementation of the part of the ME that is in charge of this could solve the issue, however that is not something that can be relied upon at this point in time.

> Okay, so we are talking about at least 3 generations difference. Well, many things could change in the meantime. Comparing it to Ivy Bridge will not be an apples-to-apples comparison.

Certainly true.

pietrushnic commented 2 years ago

@moriel5 I really like this whole discussion and would be glad if you could join us on Thursday vPub. Such discussion with :beers:, or beverage of your choice, would be great. Feel free to tune in; we definitely want to know your ideas where we can drive Dasharo and of course we will explain everything we know so far about OptiPlex.

moriel5 commented 2 years ago

@pietrushnic Thanks, I have already planned on participating since I saw the announcement on Phoronix, and have already prepared in regards to the time (my time-keeping skills are extremely bad, so I had to make sure that I won't be needed for something during that timeframe).

pietrushnic commented 2 years ago

@moriel5 sure, good luck with time planning and hope to see you at vPub. Feel free to keep posting your ideas; we love to talk about those.

moriel5 commented 2 years ago

@miczyg1 By the way, I just looked a bit more into the T1650 (and subsequently the T1700).

Seeing as the T1700 has an SFF variant with the C226 chipset (and it is also a DTX motherboard, with the same PSUs as the Optiplex x020 SFF and XE2 SFF models, and is a drop-in replacement) (from searching, I believe the part number of the motherboard to be 4JGCK, though not actually having seen pictures of a confirmed T1700 SFF motherboard), it really is a shame that there isn't a T1650 SFF, that would have literally been the perfect continuation of this subject.

Regardless, if I ever do manage to get my hands on a T1650 (or alternatively, a T1650 motherboard and a slim 1U chassis), this could be great as a server (once we finally have a dedicated server room), although the PCI slot does limit me (I need PCI, but not on a server).

moriel5 commented 2 years ago

@pietrushnic Thanks, if I have any other ideas I believe are worth mentioning at this time, I'll be sure to do so (relevant, if new issues need to be created, they will be).

miczyg1 commented 2 years ago

> Regardless, if I ever do manage to get my hands on a T1650 (or alternatively, a T1650 motherboard and a slim 1U chassis), this could be great as a server (once we finally have a dedicated server room), although the PCI slot does limit me (I need PCI, but not on a server).

The non-SFF variants have the PCI slot, but unfortunately, SFF does not. That is true. However, you can transplant the mainboard from T1650 MT to e.g. OptiPlex 7010 DT. DT is also close to 1U:

moriel5 commented 2 years ago

Yep, that could be a great option, however until we have a dedicated server room, I won't be able to use anything significantly larger than the SFF variant as a server, since it will also be a wired router (I am still trying to source cables and keystones to rewire our house, which is quite old), and will be on top of one of the kitchen cupboards (the only place where we can have the routers without having to worry about heat, someone accidentally tripping over wires, and have relatively decent reception from the wireless router in most of the house (it's a big house with thick walls)).

This is a temporary server/router, until there is a dedicated server room (so as to have space for a server rack).

Once I start rewiring the walls, the location of the wireless router will have to remain as-is, however I may be able to change the location of the server, since I will be adding an unmanaged 5-port Gigabit switch (unfortunately, with a Realtek chipset, however it is temporary, and will eventually be replaced with a 1U 48-port PoE managed switch (that has 4 combo SFP ports)).

Switches: Edimax ES-5500G V1.2, Brocade FCX648S-HPOE.