Some information about HP T620 Plus Flexible Thin Client machines for network appliance builds...

Discussion in 'DIY Server and Workstation Builds' started by BLinux, Jul 2, 2018.

  1. WANg

    WANg Active Member

    Joined:
    Jun 10, 2018
    Messages:
    494
    Likes Received:
    190
    Hey @BLinux, can the t620 Plus do SR-IOV? The RX427BB in the t730 can definitely do it, but I have a sneaking suspicion that the GX420CA can support it as well (and for that matter, a bunch of Broadcom NetXtreme cards). Anyone with a t620 Plus care to verify?
    Pay attention to your Linux boot-time dmesg for anything that mentions AMD-Vi, IOMMU or interrupt routing/re-directing, and post your results...
     
    #101
  2. BLinux

    BLinux cat lover server enthusiast

    Joined:
    Jul 7, 2016
    Messages:
    2,359
    Likes Received:
    823
    I would try it out, except my T620+ has a i340-T4 NIC...
     
    #102
  3. WANg

    WANg Active Member

    Oh, I thought you bought that $15 quadport Broadcom 5709 card. Anyways, you don't need the card to be SRIOV in order to see if it can do SRIOV stuff. Just boot it up to a recent Debian LiveCD (Stretch/MATE works quite well) and see what the dmesg says - I just want to see if the IOMMU and the interrupt remapping works.
     
    #103
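
The dmesg check requested in posts #101 and #103, as an added shell example that is not part of any post in this thread. The function names, the kernel message patterns (typical AMD-Vi / DMAR wording) and both sample logs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a kernel log for IOMMU presence and interrupt remapping.
# The message patterns are assumptions about common kernel wording
# (AMD-Vi on AMD, DMAR / DMAR-IR on Intel); adjust them for your kernel.

# Reads dmesg text on stdin; prints "iommu=<yes|no> intremap=<yes|no>".
iommu_report() {
    # Drop the echoed kernel command line so "amd_iommu=on" alone never counts.
    log=$(grep -v 'ommand line:' || true)
    iommu=no
    remap=no
    if printf '%s\n' "$log" | grep -Eq 'AMD-Vi: Found IOMMU|DMAR: IOMMU enabled'; then
        iommu=yes
    fi
    if printf '%s\n' "$log" | grep -Eq 'AMD-Vi: Interrupt remapping enabled|DMAR-IR: Enabled IRQ remapping'; then
        remap=yes
    fi
    printf 'iommu=%s intremap=%s\n' "$iommu" "$remap"
}

# Counts IOMMU groups the running kernel exposes; 0 means no device isolation.
# The directory argument exists only so the function can be tested.
iommu_group_count() {
    dir=${1:-/sys/kernel/iommu_groups}
    [ -d "$dir" ] || { echo 0; return 0; }
    find "$dir" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' '
}

# Constructed sample logs (not taken from any machine in this thread).
SAMPLE_WITH='[    0.000000] Command line: BOOT_IMAGE=/vmlinuz amd_iommu=on
[    0.612345] AMD-Vi: Found IOMMU at 0000:00:00.2 cap 0x40
[    0.612400] AMD-Vi: Interrupt remapping enabled'
SAMPLE_WITHOUT='[    0.000000] Command line: BOOT_IMAGE=/vmlinuz amd_iommu=on iommu=pt
[    0.598000] PCI-DMA: Using software bounce buffering for IO (SWIOTLB)'

# Usage on a live system: dmesg | iommu_report; iommu_group_count
```

A result of `iommu=yes intremap=no` is worth noting separately: without interrupt remapping, VFIO refuses device passthrough unless `allow_unsafe_interrupts` is set, which weakens isolation between guests.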
  4. tigweld0101

    tigweld0101 Active Member

    Joined:
    Apr 18, 2015
    Messages:
    105
    Likes Received:
    25
    Y'all are sandbagging. My pfsense box died so I finally had the 'opportunity' to try mine out. Turned it on with the pfsense memstick. Installed. Done. Stupid easy on the T620 Plus.
     
    #104
  5. Hefferbub

    Hefferbub New Member

    Joined:
    Aug 29, 2018
    Messages:
    1
    Likes Received:
    0
    Thanks for posting this. Can anyone clarify a few things:

    1. Is this vulnerability likely to actually affect someone running PFSense? If no keys have been created and stored in the TPM by me or PFSense itself, is there any relevant vulnerability?

    2. It seems as if the updater programs all require Windows to run. I tried creating a UEFI FreeDOS bootable disk with Rufus, but when I run the updater programs they say they won't run in "DOS Mode". Is there a way to update without installing Windows on the box?

    Thanks!
     
    #105
  6. fohdeesha

    fohdeesha Kaini Industries

    Joined:
    Nov 20, 2016
    Messages:
    1,396
    Likes Received:
    1,125
    use rufus to write this iso to a usb drive, then UEFI boot off it. post has instructions

    https://forums.servethehome.com/ind...r-network-appliance-builds.21014/#post-196215

    that will get you the latest bios, not sure if there's tpm updates
     
    #106
  7. WANg

    WANg Active Member

    ...vulnerability? Someone mentioned a vulnerability?
     
    #107
  8. arglebargle

    arglebargle H̸̖̅ȩ̸̐l̷̦͋l̴̰̈ỏ̶̱ ̸̢͋W̵͖̌ò̴͚r̴͇̀l̵̼͗d̷͕̈

    Joined:
    Jul 15, 2018
    Messages:
    634
    Likes Received:
    209
    There was an advisory about the TPM firmware not producing "as random as we said they were" random numbers. It's probably not important for our use case.
     
    #108
  9. fohdeesha

    fohdeesha Kaini Industries

    yeah, pfsense does not interface with that at all
     
    #109
  10. WANg

    WANg Active Member

    Wait. This thin client has a TPM chip embedded? Huh, I didn't know that. I must've turned it off in the BIOS or something.
    I thought the vuln was something scarier, like an IOMMU version of Foreshadow/L1TF that allows rogue VMs to guess IOMMU mappings of segregated VMs...
     
    #110
  11. KopiJahe

    KopiJahe New Member

    Joined:
    Aug 30, 2018
    Messages:
    4
    Likes Received:
    7
    Hi, I have two T620 Plus with a VGA connector configuration, I attached its photo and pinout.

    IMG_20170912_182828.jpg

    hp-t620-vga-adapter.png
     
    #111
  12. KopiJahe

    KopiJahe New Member

    I would like IOMMU support too, but it seems like this machine does not support it? ._.

    Here's one of my T620 Plus' dmesg running Debian 9.5.0 MATE Live CD with the latest BIOS/UEFI 00.02.18 Rev.A: pastebin.com
     
    #112
  13. WANg

    WANg Active Member

    Ah, poop. Virtualization is enabled on the BIOS, right?
     
    #113
  14. KopiJahe

    KopiJahe New Member

    Yup, it is enabled. I'm running several VirtualBox VMs on this one.
     
    #114
  15. arglebargle

    arglebargle H̸̖̅ȩ̸̐l̷̦͋l̴̰̈ỏ̶̱ ̸̢͋W̵͖̌ò̴͚r̴͇̀l̵̼͗d̷͕̈

    Sounds like you might have to join me in the t730 cluster club.
     
    #115
  16. WANg

    WANg Active Member

    Heh - yeah, I think you might be right, although not for the reason you might think.
     
    #116
    Last edited: Sep 4, 2018
  17. fossxplorer

    fossxplorer Active Member

    Joined:
    Mar 17, 2016
    Messages:
    408
    Likes Received:
    45
    #117
  18. WANg

    WANg Active Member

    #118
  19. SwanRonson

    SwanRonson Member

    Joined:
    Sep 27, 2018
    Messages:
    33
    Likes Received:
    3
    Strongly considering this... any major drawbacks not listed in the OP? How big a deal is lack of AES-NI?
     
    #119
  20. WANg

    WANg Active Member

    Lack of AES-NI? Both thin clients mentioned in this thread (t620 plus/t730) will support AES-NI instructions natively.
     
    #120
