> For those using it as a firewall/router, how concerned are you about the security of the BIOS since this is your gateway to the Internet?

An open source BIOS would be ideal, but I don't know how you can trust any provider over another if the BIOS is not open to review.
It is one of the reasons I'm using a HP Thin Client as my firewall.
> would i need any kind of adapter to achieve this?

That is the use case I intend to implement, without SATA, just 2 x NVMe drives. CWWK store has reported that they have trouble with testing a PCB adapter that provides 4 x NVMe slots like this.
> I have an m2 nvme and a sata ssd lying around and would like to use those for a raid1 zfs mirror, would i need any kind of adapter to achieve this?

My box has space for 2x NVMe and no SATA, but there are some boards with both.
Thanks in advance for any idea and, of course, for all the info you guys are sharing here.
> I have an m2 nvme and a sata ssd lying around and would like to use those for a raid1 zfs mirror, would i need any kind of adapter to achieve this?

As mentioned by @AnthonyUK and @lucker, the board does not have a SATA port; the m.2 is NVMe only. You can get a cheap second m.2 NVMe (I use a Kingston NV1 in my N5105), use an adapter board from CWWK (don't know if they are already available) or go for a different unit: either the N5105/N6005 or the Alder Lake U with a Pentium Gold/i3/i5.
> An open source BIOS would be ideal but I don't know how you can trust any provider over another if the BIOS is not open to review.

Could you please explain how a keylogger in a driver is a danger for any kind of BIOS, how a machine acting as a router should transfer any kind of data without knowing which of the 4 ports to use, how it should act as a router during boot time and send this data, or how the BIOS should be able to use any port during runtime, while all ports are under control of Proxmox, pfSense or OPNsense?
It was only 2-3 years ago that HP were logging every keystroke in an audio driver, so security is not always at the forefront for them.
> Did you make any changes in BIOS that I should follow along? I have confirmed virtualization is enabled ... I have also tried it with the settings replicated from Becks' wrap-up post.

Try disabling FBID, either in the BIOS or the kernel boot options. Linux and FreeBSD have both had issues with E-cores. Someone linked a bug earlier and I found an article on Phoronix about it.
> For those using it as a firewall/router, how concerned are you about the security of the BIOS since this is your gateway to the Internet?

I'm not sure how realistic a supply chain attack is for my home internet connection. If I felt it was critical, such as for a business, I'd probably use different hardware.
> And if you go the driver route - how do you plan to smuggle a keylogger within a driver of FreeBSD or Linux, without being detected?

There was a USB interface controller exploit a few years back that allowed arbitrary code execution. It didn't require any drivers, was invisible to the OS, and persisted after a reboot. The Unpatchable USB Vulnerability
> Could you please explain how a keylogger in a driver is a danger for any kind of BIOS...

I didn't say it was. It was an example to show that with major vendors, security is often not their top priority.
Supply chain attack is one thing; potential lack of BIOS updates for new vulnerabilities is another, though the latter is true for EOS name-brand products too.
Protectli supports coreboot on their systems, which is probably the best option in terms of transparency.
> For those using it as a firewall/router, how concerned are you about the security of the BIOS since this is your gateway to the Internet?

Older/unpatched enterprise gear with vPro is also a concern. Different threat vector (vulnerable to attack vs. the possibility of vendor backdoors), but these systems operate much more like a "computer within a computer" than UEFI/BIOS:
Just looking at the Hikvision cam situation currently, the Chinese govt do not need to risk installing anything and being found out if people are not going to bother patching systems anyway.
> Looks like the stock heatsink is pretty decent on my type C variant IMHO:

Yes, it is. It is pretty heavy and can buffer a lot of heat, and with the big fins it exchanges it pretty well with the surrounding air. My box doesn't go above 48°C, even during and after long data exchange sessions, and the temperature immediately drops after I stop moving data around.
I had a look at all quoted/mentioned attacks. They either require special software to be installed on the target machines (HP, Intel), which can be exploited, or rely on physical access to the hardware (key logger, USB exploits), or target the (operating) software of a machine (Hikvision camera, any kind of outdated system). None of those are relevant, as long as you keep your FW software up to date, and "supply chain attack" isn't relevant here at all, as it is based on any kind of exploit, with the goal of disrupting your supply chain.

For a remote attack on a firewall router using an exploit in a BIOS (or a back door implemented by the Chinese), the software/exploit in the BIOS would have to be able to receive data from a remote destination first, which is impossible, because the NICs are under control of the operating system (OPNsense, pfSense and also Proxmox) during runtime. And then the exploit/software would have to be able to guess the OS and running FW software and modify it during runtime in a way that it could be remotely attacked and taken over. This is a risk I am willing to take, no matter the vendor of the machine.
> Just installed Proxmox and OPNsense. With almost no load the unit was quite warm. CPU temps seem okay, but I also see a PCI temp that's way too high. Then reapplying thermal paste wouldn't make sense, right?

I would just use good thermal paste like MX-4 and replace the original stuff. This gives you the chance to check for a CPU/case gap (remove the paste, partially reassemble the box and use a bright headlamp to see if/how much light shines through at the CPU). If the gap is too big and you see no improvement after repasting, just order a bunch of those copper shims (just pick a set with the correct size and different thicknesses) and put a well-fitting one into the gap.