Planet Debian

Planet Debian - http://planet.debian.org/

Russ Allbery: git-pbuilder 1.34

18 hours 5 min ago

Long time without a blog post. My time got eaten by work and travel and work-related travel. Hopefully more content soon.

This is just a quick note about the release of version 1.34 of the git-pbuilder script (which at some point really should just be rewritten in Python and incorporated entirely into the git-buildpackage package). Guido Günther added support for creating chroots for LTS distributions.

You can get the latest version from my scripts page.

Categories: Elsewhere

Eddy Petrișor: HOWTO: No SSH logins SFTP only chrooted server configuration with OpenSSH

Sat, 23/05/2015 - 16:44
If you are in a situation where you want to set up a SFTP server in a more secure way, don't want to expose anything from the server via SFTP and do not want to enable SSH login on the account allowed to sftp, you might find the information below useful.

What do we want to achieve:
  • SFTP server
  • only a specified account is allowed to connect to SFTP
  • nothing outside the SFTP directory is exposed
  • no SSH login is allowed
  • any extra security measures are welcome
To obtain all of the above we will create a dedicated account which will be chroot-ed, its home will be stored on a removable/not always mounted drive (accessing SFTP will not work when the drive is not mounted).

Mount the removable drive which will hold the SFTP area (you might need to add some entry in fstab). 

Create the account to be used for SFTP access (on a Debian system this will do the trick):
# adduser --system --home /media/Store/sftp --shell /usr/sbin/nologin sftp
This will create the account sftp which has login disabled, shell is /usr/sbin/nologin and create the home directory for this user.

Unfortunately the default ownership of the home directory of this user is incompatible with chroot-ing in SFTP (which prevents access to other files on the server). A message like the one below will be generated in this kind of case:
$ sftp -v sftp@localhost
[..]
sftp@localhost's password:
debug1: Authentication succeeded (password).
Authenticated to localhost ([::1]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
Write failed: Broken pipe
Couldn't read packet: Connection reset by peer
Also /var/log/auth.log will contain something like this:
fatal: bad ownership or modes for chroot directory "/media/Store/sftp"
The default permissions are visible using the 'namei -l' command on the sftp home directory:
# namei -l /media/Store/sftp
f: /media/Store/sftp
drwxr-xr-x root root    /
drwxr-xr-x root root    media
drwxr-xr-x root root    Store
drwxr-xr-x sftp nogroup sftp
We change the ownership of the sftp directory and make sure there is a place for files to be uploaded in the SFTP area:
# chown root:root /media/Store/sftp
# mkdir /media/Store/sftp/upload
# chown sftp /media/Store/sftp/upload
We isolate the sftp users from other users on the system and configure a chroot-ed environment for all users accessing the SFTP server:
# addgroup sftpusers
# adduser sftp sftpusers
Set a password for the sftp user so password authentication works:
# passwd sftp
Putting all pieces together, we restrict access only to the sftp user, allow it access via password authentication only to SFTP, but not SSH (and disallow tunneling and forwarding or empty passwords).

Here are the changes done in /etc/ssh/sshd_config:
PermitEmptyPasswords no
PasswordAuthentication yes
AllowUsers sftp
Subsystem sftp internal-sftp
Match Group sftpusers
        ChrootDirectory %h
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no
        PermitTunnel no
Reload the sshd configuration (I'm using systemd):
# systemctl reload ssh.service
Check sftp user can't login via SSH:
$ ssh sftp@localhost
sftp@localhost's password:
This service allows sftp connections only.
Connection to localhost closed.
But SFTP is working and is restricted to the SFTP area:
$ sftp sftp@localhost
sftp@localhost's password:
Connected to localhost.
sftp> ls
upload 
sftp> pwd
Remote working directory: /
sftp> put netbsd-nfs.bin
Uploading netbsd-nfs.bin to /netbsd-nfs.bin
remote open("/netbsd-nfs.bin"): Permission denied
sftp> cd upload
sftp> put netbsd-nfs.bin
Uploading netbsd-nfs.bin to /upload/netbsd-nfs.bin
netbsd-nfs.bin                                                              100% 3111KB   3.0MB/s   00:00
Now your system is ready to accept sftp connections, things can be uploaded in the upload directory and whenever the external drive is unmounted, SFTP will NOT work.

Note: Since we added 'AllowUsers sftp', you can test no local user can login via SSH. If you don't want to restrict access only to the sftp user, you can whitelist other users by adding them in the AllowUsers directive, or dropping it entirely so all local users can SSH into the system.
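
The ownership rule behind the "bad ownership or modes for chroot directory" error in the HOWTO above, as an added example that is not part of the original post: sshd requires every component of the ChrootDirectory path to be a root-owned directory that is not writable by group or others. The function names (audit_namei, audit_chroot_dir) are made up here, and the sample listings are constructed from the namei -l output shown in the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Function names and the
# sample listings are made up for illustration.
#
# sshd rule for ChrootDirectory: every component of the path must be a
# directory owned by root and not writable by group or others.

# Read `namei -l` output on stdin and print one line per offending component.
# Returns 0 when the rule holds for the whole path, 1 otherwise.
audit_namei() {
    awk '
        /^f: / { next }            # header line that repeats the path
        NF < 4 { next }            # blank or unexpected lines
        {
            mode = $1; owner = $2
            name = $4              # rebuild names that contain spaces
            for (i = 5; i <= NF; i++) name = name " " $i
            # Symlink entries are reported too: audit the resolved path.
            if (substr(mode, 1, 1) != "d") {
                printf "%s: not a directory (%s)\n", name, mode; bad = 1
            }
            # Assumes the owner name "root" is uid 0, as namei prints names.
            if (owner != "root") {
                printf "%s: owned by %s, must be root\n", name, owner; bad = 1
            }
            if (substr(mode, 6, 1) == "w") {
                printf "%s: writable by group\n", name; bad = 1
            }
            if (substr(mode, 9, 1) == "w") {
                printf "%s: writable by others\n", name; bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Audit a real path on this host (needs namei from util-linux).
audit_chroot_dir() {
    namei -l -- "$1" | audit_namei
}

# Constructed sample: the listing from the post, before the chown.
sample_before() {
    cat <<'EOF'
f: /media/Store/sftp
drwxr-xr-x root root    /
drwxr-xr-x root root    media
drwxr-xr-x root root    Store
drwxr-xr-x sftp nogroup sftp
EOF
}

# Constructed sample: the same path after `chown root:root /media/Store/sftp`.
sample_after() {
    cat <<'EOF'
f: /media/Store/sftp
drwxr-xr-x root root    /
drwxr-xr-x root root    media
drwxr-xr-x root root    Store
drwxr-xr-x root root    sftp
EOF
}

# Demo on the constructed samples.
sample_before | audit_namei || echo "before: sshd refuses this chroot"
sample_after | audit_namei && echo "after: chroot path is acceptable"
```

The upload directory can stay owned by sftp because the rule covers only the chroot directory and its parents, not entries below it.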

DebConf team: Second Call for Proposals and Approved Talks for DebConf15 (Posted by DebConf Content Team)

Sat, 23/05/2015 - 16:36

DebConf15 will be held in Heidelberg, Germany from the 15th to the 22nd of August, 2015. The clock is ticking and our annual conference is approaching. There are less than three months to go, and the Call for Proposals period closes in only a few weeks.

This year, we are encouraging people to submit “half-length” 20-minute events, to allow attendees to have a broader view of the many things that go on in the project in the limited amount of time that we have.

To make sure that your proposal is part of the official DebConf schedule you should submit it before June 15th.

If you have already sent your proposal, please log in to summit and make sure to improve your description and title. This will help us fit the talks into tracks, and devise a cohesive schedule.

For more details on how to submit a proposal see: http://debconf15.debconf.org/proposals.xhtml.

Approved Talks

We have processed the proposals submitted up to now, and we are proud to announce the first batch of approved talks. Some of them:

  • This APT has Super Cow Powers (David Kalnischkies)
  • AppStream, Limba, XdgApp: Past, present and future (Matthias Klumpp)
  • Onwards to Stretch (and other items from the Release Team) (Niels Thykier for the Release Team)
  • GnuPG in Debian report (Daniel Kahn Gillmor)
  • Stretching out for trustworthy reproducible builds - creating bit by bit identical binaries (Holger Levsen & Lunar)
  • Debian sysadmin (and infrastructure) from an outsider/newcomer perspective (Donald Norwood)
  • The Debian Long Term Support Team: Past, Present and Future (Raphaël Hertzog & Holger Levsen)

If you have already submitted your event and haven’t heard from us yet, don’t panic! We will contact you shortly.

We would really like to hear about new ideas, teams and projects related to Debian, so do not hesitate to submit yours.

See you in Heidelberg,
DebConf Team


Francois Marier: Usual Debian Server Setup

Sat, 23/05/2015 - 11:00

I manage a few servers for myself, friends and family as well as for the Libravatar project. Here is how I customize recent releases of Debian on those servers.

Hardware tests

apt-get install memtest86+ smartmontools e2fsprogs

Prior to spending any time configuring a new physical server, I like to ensure that the hardware is fine.

To check memory, I boot into memtest86+ from the grub menu and let it run overnight.

Then I check the hard drives using:

smartctl -t long /dev/sdX
badblocks -swo badblocks.out /dev/sdX

Configuration

apt-get install etckeeper git sudo vim

To keep track of the configuration changes I make in /etc/, I use etckeeper to keep that directory in a git repository and make the following changes to the default /etc/etckeeper/etckeeper.conf:

  • turn off daily auto-commits
  • turn off auto-commits before package installs

To get more control over the various packages I install, I change the default debconf level to medium:

dpkg-reconfigure debconf

Since I use vim for all of my configuration file editing, I make it the default editor:

update-alternatives --config editor

ssh

apt-get install openssh-server mosh fail2ban

Since most of my servers are set to UTC time, I like to use my local timezone when sshing into them. Looking at file timestamps is much less confusing that way.

I also ensure that the locale I use is available on the server by adding it to the list of generated locales:

dpkg-reconfigure locales

Other than that, I harden the ssh configuration and end up with the following settings in /etc/ssh/sshd_config (jessie):

HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
UsePrivilegeSeparation sandbox
AuthenticationMethods publickey
PasswordAuthentication no
PermitRootLogin no
AcceptEnv LANG LC_* TZ
LogLevel VERBOSE
AllowGroups sshuser

or the following for wheezy servers:

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512,hmac-sha2-256

On those servers where I need duplicity/paramiko to work, I also add the following:

KexAlgorithms ...,diffie-hellman-group-exchange-sha1
MACs ...,hmac-sha1

Then I remove the "Accepted" filter in /etc/logcheck/ignore.d.server/ssh (first line) to get a notification whenever anybody successfully logs into my server.

I also create a new group and add the users that need ssh access to it:

addgroup sshuser
adduser francois sshuser

and add a timeout for root sessions by putting this in /root/.bash_profile:

TMOUT=600

Security checks

apt-get install logcheck logcheck-database fcheck tiger debsums
apt-get remove john john-data rpcbind tripwire

Logcheck is the main tool I use to keep an eye on log files, which is why I add a few additional log files to the default list in /etc/logcheck/logcheck.logfiles:

/var/log/apache2/error.log
/var/log/mail.err
/var/log/mail.warn
/var/log/mail.info
/var/log/fail2ban.log

while ensuring that the apache logfiles are readable by logcheck:

chmod a+rx /var/log/apache2
chmod a+r /var/log/apache2/*

and fixing the log rotation configuration by adding the following to /etc/logrotate.d/apache2:

create 644 root adm

I also modify the main logcheck configuration file (/etc/logcheck/logcheck.conf):

INTRO=0
FQDN=0

Other than that, I enable daily checks in /etc/default/debsums and customize a few tiger settings in /etc/tiger/tigerrc:

Tiger_Check_RUNPROC=Y
Tiger_Check_DELETED=Y
Tiger_Check_APACHE=Y
Tiger_FSScan_WDIR=Y
Tiger_SSH_Protocol='2'
Tiger_Passwd_Hashes='sha512'
Tiger_Running_Procs='rsyslogd cron atd /usr/sbin/apache2 postgres'
Tiger_Listening_ValidProcs='sshd|mosh-server|ntpd'

General hardening

apt-get install harden-clients harden-environment harden-servers apparmor apparmor-profiles apparmor-profiles-extra

While the harden packages are configuration-free, AppArmor must be manually enabled:

perl -pi -e 's,GRUB_CMDLINE_LINUX="(.*)"$,GRUB_CMDLINE_LINUX="$1 apparmor=1 security=apparmor",' /etc/default/grub
update-grub

Entropy and timekeeping

apt-get install haveged rng-tools ntp

To keep the system clock accurate and increase the amount of entropy available to the server, I install the above packages and add the tpm_rng module to /etc/modules.

Preventing mistakes

apt-get install molly-guard safe-rm sl

The above packages are all about catching mistakes (such as accidental deletions). However, in order to extend the molly-guard protection to mosh sessions, one needs to manually apply a patch.

Package updates

apt-get install apticron unattended-upgrades deborphan debfoster apt-listchanges update-notifier-common aptitude popularity-contest

These tools help me keep packages up to date and remove unnecessary or obsolete packages from servers. On Rackspace servers, a small configuration change is needed to automatically update the monitoring tools.

In addition to this, I use the update-notifier-common package along with the following cronjob in /etc/cron.daily/reboot-required:

#!/bin/sh
cat /var/run/reboot-required 2> /dev/null || true

to send me a notification whenever a kernel update requires a reboot to take effect.

Handy utilities

apt-get install renameutils atool iotop sysstat lsof mtr-tiny

Most of these tools are configure-free, except for sysstat, which requires enabling data collection in /etc/default/sysstat to be useful.

Apache configuration

apt-get install apache2-mpm-event

While configuring apache is often specific to each server and the services that will be running on it, there are a few common changes I make.

I enable these in /etc/apache2/conf.d/security:

<Directory />
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>
ServerTokens Prod
ServerSignature Off

and remove cgi-bin directives from /etc/apache2/sites-enabled/000-default.

I also create a new /etc/apache2/conf.d/servername which contains:

ServerName machine_hostname

Mail

apt-get install postfix

Configuring mail properly is tricky but the following has worked for me.

In /etc/hostname, put the bare hostname (no domain), but in /etc/mailname put the fully qualified hostname.

Change the following in /etc/postfix/main.cf:

inet_interfaces = loopback-only
myhostname = (fully qualified hostname)
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3

Set the following aliases in /etc/aliases:

  • set francois as the destination of root emails
  • set an external email address for francois
  • set root as the destination for www-data emails

before running newaliases to update the aliases database.

Create a new cronjob (/etc/cron.hourly/checkmail):

#!/bin/sh
ls /var/mail

to ensure that email doesn't accumulate unmonitored on this box.

Finally, set reverse DNS for the server's IPv4 and IPv6 addresses and then test the whole setup using mail root.

Network tuning

To reduce the server's contribution to bufferbloat I change the default kernel queueing discipline by putting the following in /etc/sysctl.conf:

net.core.default_qdisc=fq_codel
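
One way to check a server against the jessie KexAlgorithms, Ciphers and MACs lists from the ssh section of this post, as an added example that is not part of the original post (the function and variable names are made up here). It reads sshd_config text and reports every algorithm outside those lists, which also shows which servers carry the duplicity/paramiko additions; the sample configs are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Names are made up here.
# Baseline = the jessie KexAlgorithms/Ciphers/MACs lists quoted in the post.
ALLOW_KEX='curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256'
ALLOW_CIPHERS='chacha20-poly1305@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
ALLOW_MACS='hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'

# Read sshd_config text on stdin and report every algorithm outside the
# baseline. Returns 0 when all three keywords are set and stay within it.
# Assumes "Keyword value" lines separated by whitespace (no "=" form).
# Real use: audit_sshd_algos < /etc/ssh/sshd_config
audit_sshd_algos() {
    awk -v kex="$ALLOW_KEX" -v ciphers="$ALLOW_CIPHERS" -v macs="$ALLOW_MACS" '
        function add_list(list, key,    n, i, a) {
            n = split(list, a, ",")
            for (i = 1; i <= n; i++) ok[key, a[i]] = 1
            want[key] = 1
        }
        BEGIN {
            add_list(kex, "kexalgorithms")
            add_list(ciphers, "ciphers")
            add_list(macs, "macs")
        }
        /^[ \t]*#/ { next }                  # comment lines
        {
            key = tolower($1)                # keywords are case-insensitive
            # sshd uses the first value it obtains for a keyword.
            if (!(key in want) || (key in seen)) next
            seen[key] = 1
            n = split($2, algo, ",")
            for (i = 1; i <= n; i++)
                if (!((key, algo[i]) in ok)) {
                    printf "%s: %s is outside the baseline\n", key, algo[i]
                    bad = 1
                }
        }
        END {
            # A missing keyword means the sshd built-in default list applies.
            for (k in want)
                if (!(k in seen)) {
                    printf "%s: not set, sshd defaults apply\n", k
                    bad = 1
                }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: a config fragment using exactly the jessie lists.
sample_baseline() {
    cat <<EOF
# constructed sshd_config fragment
KexAlgorithms $ALLOW_KEX
Ciphers $ALLOW_CIPHERS
MACs $ALLOW_MACS
PasswordAuthentication no
EOF
}

# Constructed sample: baseline plus the duplicity/paramiko compatibility
# algorithms that the post appends on some servers.
sample_compat() {
    cat <<EOF
KexAlgorithms $ALLOW_KEX,diffie-hellman-group-exchange-sha1
Ciphers $ALLOW_CIPHERS
MACs $ALLOW_MACS,hmac-sha1
EOF
}

# Demo on the constructed samples.
sample_baseline | audit_sshd_algos && echo "baseline config: OK"
sample_compat | audit_sshd_algos || echo "compat config deviates from the baseline"
```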

Michal Čihař: Weblate 2.3

Fri, 22/05/2015 - 10:00

Weblate 2.3 has been released today. It comes with better features for project owners, better file formats support and more configuration options for users.

Full list of changes for 2.3:

  • Dropped support for Django 1.6 and South migrations.
  • Support for adding new translations when using Java Property files
  • Allow to accept suggestion without editing.
  • Improved support for Google OAuth2.
  • Added support for Microsoft .resx files.
  • Tuned default robots.txt to disallow big crawling of translations.
  • Simplified workflow for accepting suggestions.
  • Added project owners who always receive important notifications.
  • Allow to disable editing of monolingual template.
  • More detailed repository status view.
  • Direct link for editing template when changing translation.
  • Allow to add more permissions to project owners.
  • Allow to show secondary language in zen mode.
  • Support for hiding source string in favor of secondary language.

You can find more information about Weblate on http://weblate.org, the code is hosted on Github. If you are curious how it looks, you can try it out on demo server. You can login there with demo account using demo password or register your own user.

Weblate is also being used https://hosted.weblate.org/ as official translating service for phpMyAdmin, Gammu, Weblate itself and other projects.

If you are free software project which would like to use Weblate, I'm happy to help you with set up or even host Weblate for you.

Further development of Weblate would not be possible without people providing donations, thanks to everybody who have helped so far!

PS: The roadmap for next release is just being prepared, you can influence this by expressing support for individual issues either by comments or by providing bounty for them.


Dirk Eddelbuettel: BH release 1.58.0-1

Fri, 22/05/2015 - 00:50

A new release of BH is now on CRAN. BH provides a large part of the Boost C++ libraries as a set of template headers for use by R and Rcpp.

This release both upgrades the version of Boost to the current release, and adds a new library: Boost MultiPrecision.

A brief summary of changes from the NEWS file is below.

Changes in version 1.58.0-1 (2015-05-21)
  • Upgraded to Boost 1.58 installed directly from upstream source

  • Added Boost MultiPrecision as requested in GH ticket #12 based on rcpp-devel request by Jordi Molins Coronado

Courtesy of CRANberries, there is also a diffstat report for the most recent release.

Comments and suggestions are welcome via the mailing list or the issue tracker at the GitHub repo.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.


Yves-Alexis Perez: Followup on Debian grsec kernels for Jessie

Thu, 21/05/2015 - 22:36

So, following the previous post, I've indeed updated the way I'm making my grsec kernels.

I wanted to upgrade my server to Jessie, and didn't want to keep the 3.2 kernel indefinitely, so I had to update to at least 3.14, and find something to make my life (and maybe some others) easier.

In the end, like planned, I've switched to the make deb-pkg way, using some scripts here and there to simplify stuff.

The scripts and configs can be found in my debian-grsec-config repository. The repository layout is pretty much self-explaining:

The bin/ folder contains two scripts:

  • get-grsec.sh, which will pick the latest grsec patch (for each branch) and apply it to the correct Linux branch. This script should be run from a git clone of the linux-stable git repository;
  • kconfig.py is taken from the src:linux Debian package, and can be used to merge multiple KConfig files

The configs/ folder contains the various configuration bits:

  • config-* files are the Debian configuration files, taken from the linux-image binary packages (for amd64 and i386);
  • grsec* are the grsecurity-specific bits (obviously);
  • hardening* contain non-grsec stuff still useful for hardened kernels, for example KASLR (cargo-culting notwithstanding) or strong SSP (available since I'm building the kernels on a sid box, YMMV).

I'm currently building amd64 kernels for Jessie and i386 kernels will follow soon, using config-3.14 + hardening + grsec. I'm hosting them on my apt repository. You're obviously free to use them, but considering how easy it is to rebuild a kernel, you might want to use a personal configuration (instead of mine) and rebuild the kernel yourself, so you don't have to trust my binary packages.

Here's a very quick howto (adapt it to your needs):

mkdir linux-grsec && cd linux-grsec
git clone git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
git clone git://anonscm.debian.org/users/corsac/grsec/debian-grsec-config.git
mkdir build
cd linux-stable
../debian-grsec-config/bin/get-grsec.sh stable2 # for 3.14 branch
../debian-grsec-config/bin/kconfig.py ../build/.config ../debian-grsec-config/configs/config-3.14-2-amd64 ../debian-grsec-config/configs/hardening ../debian-grsec-config/configs/grsec
make KBUILD_OUTPUT=../build -j4 oldconfig
make KBUILD_OUTPUT=../build -j4 deb-pkg

Then you can use the generated Debian binary packages. If you use the Debian config, it'll need a lot of disk space for compilation and generate a huge linux-image debug package, so you might want to unset CONFIG_DEBUG_INFO locally if you're not interested. Right now only the deb files are generated but I've submitted a patch to have a .changes file which can then be used to manipulate them more easily (for example for uploading them to a local Debian repository).

Note that, obviously, this is not targeted for inclusion to the official Debian archive. This is still not possible for various reasons explained here and there, and I still don't have a solution for that.

I hope this (either the scripts and config or the generated binary packages) can be useful. Don't hesitate to drop me a mail if needed.


Jonathan McDowell: I should really learn systemd

Thu, 21/05/2015 - 19:20

As I slowly upgrade all my machines to Debian 8.0 (jessie) they’re all ending up with systemd. That’s fine; my laptop has been running it since it went into testing whenever it was. Mostly I haven’t had to care, but I’m dimly aware that it has a lot of bits I should learn about to make best use of it.

Today I discovered systemctl is-system-running. Which I’m not sure why I’d use it, but when I ran it it responded with degraded. That’s not right, thought I. How do I figure out what’s wrong? systemctl --state=failed turned out to be the answer.

# systemctl --state=failed
  UNIT                         LOAD   ACTIVE SUB    DESCRIPTION
● systemd-modules-load.service loaded failed failed Load Kernel Modules

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

1 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.

Ok, so it’s failed to load some kernel modules. What’s it trying to load? systemctl status -l systemd-modules-load.service led me to /lib/systemd/systemd-modules-load which complained about various printer modules not being able to be loaded. Turned out this was because CUPS had dropped them into /etc/modules-load.d/cups-filters.conf on upgrade, and as I don’t have a parallel printer I hadn’t compiled up those modules. One of my other machines had also had an issue with starting up filesystem quotas (I think because there’d been some filesystems that hadn’t mounted properly on boot - my fault rather than systemd). Fixed that up and then systemctl is-system-running started returning a nice clean running.

Now this is probably something that was silently failing back under sysvinit, but of course nothing was tracking that other than some output on boot up. So I feel that I’ve learnt something minor about systemd that actually helped me cleanup my system, and sets me in better stead for when something important fails.


Michal Čihař: Translating Sphinx documentation

Thu, 21/05/2015 - 18:00

Few days ago, I've started writing Odorik module to manipulate with API of one Czech mobile network operator. As usual, the code comes with documentation written in English. Given that vast majority of users are Czech, it sounds useful to have in Czech language as well.

The documentation itself is written in Sphinx and built using Read the Docs. Using those to translate the documentation is quite easy.

First step is to add necessary configuration to the Sphinx project as described in their Internationalization Quick Guide. It's matter of few configuration directives and invoking of sphinx-intl and the result can be like this commit.

Once the code in the repository is ready, you can start building translated documentation on Read the Docs. There is a nice guide for that as well. All you need to do is to create another project, set its language and link it from the master project as a translation.

The last step is to find some translators to actually translate the document. For me the obvious choice was using Weblate, so the translation is now on Hosted Weblate. The mass import of several po files can be done by import_project management command.

And thanks to all these you can now read Czech documentation for python Odorik module.


Dirk Eddelbuettel: RInside 0.2.13

Thu, 21/05/2015 - 03:41

A new release 0.2.13 of RInside is now on CRAN. RInside provides a set of convenience classes which facilitate embedding of R inside of C++ applications and programs, using the classes and functions provided by Rcpp.

This release works around a bug in R 3.2.0, and addressed in R 3.2.0-patched. The NEWS extract below has more details.

Changes in RInside version 0.2.13 (2015-05-20)
  • Added workaround for a bug in R 3.2.0: by including the file RInterface.h only once we do not get linker errors due to multiple definitions of R_running_as_main_program (which is now addressed in R-patched as well).

  • Small improvements to the Travis CI script.

CRANberries also provides a short report with changes from the previous release. More information is on the RInside page. Questions, comments etc should go to the rcpp-devel mailing list off the Rcpp R-Forge page.

This post by Dirk Eddelbuettel originated on his Thinking inside the box blog. Please report excessive re-aggregation in third-party for-profit settings.


Hideki Yamane: What is the most valuable challenge for Debian in this Stretch cycle?

Wed, 20/05/2015 - 16:48


  • restructuring website as 21st century style and drop deprecated info
  • automate test integration to infrastructure: piuparts & ci
  • more test for packages: adopt autopkgtest
  • "go/no-go vote" for migration to next release candidate (e.g. bohdi in Fedora)
  • more comfortable collab-development (see GitHub's pull request style, not mail-centric)
  • other
Your opinion?

Martin-Éric Racine: xf86-video-geode 2.11.17

Wed, 20/05/2015 - 11:46

This morning, I pushed out version 2.11.17 of the Geode X.Org driver. This is the driver used by the OLPC XO-1 and by a plethora of low-power desktops, micro notebooks and thin clients. This is a minor release. It merges conditional support for the OpenBSD MSR device (Marc Ballmer, Matthieu Herrb), fixes a condition that prevents compiling on some embedded platforms (Brian A. Lloyd) and upgrades the code for X server 1.17 compatibility (Maarten Lankhorst).


Pending issues:

  • toggle COM2 into DDC probing mode during driver initialization
  • reset the DAC chip when exiting X and returning to vcons
  • fix a rendering corner case with Libre Office

Enrico Zini: love-thy-neighbor

Wed, 20/05/2015 - 11:35
Love thy neighbor as thyself

‘Love thy neighbor as thyself’, words which astoundingly occur already in the Old Testament.

One can love one’s neighbor less than one loves oneself; one is then the egoist, the racketeer, the capitalist, the bourgeois. and although one may accumulate money and power one does not of necessity have a joyful heart, and the best and most attractive pleasures of the soul are blocked.

Or one can love one’s neighbor more than oneself—then one is a poor devil, full of inferiority complexes, with a longing to love everything and still full of hate and torment towards oneself, living in a hell of which one lays the fire every day anew.

But the equilibrium of love, the capacity to love without being indebted to anyone, is the love of oneself which is not taken away from any other, this love of one’s neighbor which does no harm to the self.

(From Herman Hesse, "My Belief")

I always have a hard time finding this quote on the Internet. Let's fix that.


Rhonda D'Vine: Berge

Wed, 20/05/2015 - 11:21

I wrote well over one year ago about Earthlings. It really did have some impact on my life. Nowadays I try to avoid animal products where possible, especially for my food. And in the context of vegan information that I tracked I stumbled upon a great band from Germany: Berge. They recently started a deal with their record label which says that if they receive one million clicks within the next two weeks on their song 10.000 Tränen their record label is going to donate 10.000,- euros to a German animal rights organization. Reason enough for me to share this band with you! :)

  • 10.000 Tränen: This is the song that needs the views. It's a nice tune and great lyrics to think about. Even though it's in German it got English subtitles. :)
  • Schauen was passiert: In the light of 10.000 Tränen it was hard for me to select other songs, but this one sounds nice. "Let's see what happens". :)
  • Meer aus Farben: I love colors. And I hate the fact that most conference shirts are black only. Or that it seems to be impossible to find colorful clothes and shoes for tall women.

Like always, enjoy!


Eddy Petrișor: Linksys NSLU2 adventures into the NetBSD land passed through JTAG highlands - part 2 - RedBoot reverse engineering and APEX hacking

Wed, 20/05/2015 - 03:12
(continuation of Linksys NSLU2 adventures into the NetBSD land passed through JTAG highlands - part 1; meanwhile, my article was mentioned briefly in BSDNow Episode 89 - Exclusive Disjunction around minute 36:25)

Choosing to call RedBoot from a hacked Apex
As I was saying in my previous post, in order to be able to automate the booting of the NetBSD image via TFTP I opted for using a 2nd stage bootloader (planning to flash it in the NSLU2 instead of a Linux kernel), and since Debian was already using Apex, I chose Apex, too.

The first problem I found was that the networking support in Apex was relying on an old version of the Intel NPE library which I couldn't find on Intel's site, the new version was incompatible/not building with the old build wrapper in Apex, so I was faced with 3 options:
  1. Fight with the available Intel code and try to force it to compile in Apex
  2. Incorporate the NPE driver from NetBSD into a rump kernel to be included in Apex instead of the original Intel code, since the NetBSD driver only needed an easily compilable binary blob
  3. Hack together an Apex version that simulates typing the necessary RedBoot commands to load via TFTP the netbsd image and execute it.
After taking a look at the NPE driver buildsystem, I concluded there were very few options less attractive than option 1, among which was hammering nails through my forehead as an improvement measure against the severe brain damage which I would probably be likely to be inflicted with after dealing with the NPE "build system".

Option 2 looked like the best option I could have, given the situation, but my NetBSD foo was too close to 0 to even dream to endeavor on such a task. In my evaluation, this still remains the technically superior solution to the problem since it is a very portable and flexible way to ensure networking works in spite of the proprietary NPE code.

But, in practice, the best option I could implement at the time was option 3. I initially planned to pre-fill from Apex the RedBoot buffer that stored the keyboard strokes with my desired commands:

load -r -b 0x200000 -h 192.168.0.2 netbsd-nfs.bin
g
Since this was the first time ever for me I was going to do less than trivial reverse engineering in order to find the addresses and signatures of interesting functions in the RedBoot code, it wasn't bad at all that I had a version of the RedBoot source code.

When stuck with reverse engineering, apply JTAG
The bad thing was that the code Linksys published as the source of the RedBoot running inside the NSLU2 was, in fact, a different code which had some significant changes around the code pieces I was mostly interested in. That in spite of the GPL terms.

But I thought that I could manage in spite of that. After all, how hard could it be to identify the 2-3 functions I was interested in and 1 buffer? Even if I only had the disassembled code from the slug, it shouldn't be that hard.

I struggled with this for about 2-3 weeks on the few occasions I had during that time, but the excitement of learning something new kept me going. Until I got stuck somewhere between the misalignment between the published RedBoot code and the disassembled code, the state of the system at the time of dumping the contents from RAM (for purposes of disassembly), the assembly code generated by GCC for some specific C code I didn't have at all, and the particularities of ARM assembly.

What was most likely to unblock me was to actually see the code in action, so I decided that attaching a JTAG dongle to the slug and doing a session of in-circuit debugging was in order.

Luckily, the pinout of the JTAG interface was already identified in the NSLU2 Linux project, so I only had to solder some wires to the specified places and a 2x20 header to be able to connect through JTAG to the board.


JTAG connections on Kinder (the NSLU2 targeting NetBSD)
After this was done I tried immediately to see if when using a JTAG debugger I could break the execution of the code on the system. The answer was sadly, no.

The chip was identified, but breaking the execution was not happening. I tried this in OpenOCD and in another proprietary debugger application I had access to, and the result was the same, breaking was not happening.
$ openocd -f interface/ftdi/olimex-arm-usb-ocd.cfg -f board/linksys_nslu2.cfg
Open On-Chip Debugger 0.8.0 (2015-04-14-09:12)
Licensed under GNU GPL v2
For bug reports, read
    http://openocd.sourceforge.net/doc/doxygen/bugs.html
Info : only one transport option; autoselect 'jtag'
adapter speed: 300 kHz
Info : ixp42x.cpu: hardware has 2 breakpoints and 2 watchpoints
0
Info : clock speed 300 kHz
Info : JTAG tap: ixp42x.cpu tap/device found: 0x29277013 (mfg: 0x009,part: 0x9277, ver: 0x2)
[..]
$ telnet localhost 4444
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Open On-Chip Debugger
> halt
target was in unknown state when halt was requested
in procedure 'halt'
> poll
background polling: on
TAP: ixp42x.cpu (enabled)
target state: unknown

Looking into the documentation I found a bit of information on the XScale processors[X] which suggested that XScale processors might necessarily need the (otherwise optional) SRST signal on the JTAG interface to be able to single step the chip.

This confused me a lot since I was sure other people had already used JTAG on the NSLU2.

The options I saw at the time were:
  1. my NSLU2 did have a fully working JTAG interface (either due to the missing SRST signal on the interface or maybe due to a JTAG lock on later generation NSLU-s, as was my second slug)
  2. nobody ever single stepped the slug using OpenOCD or other JTAG debugger, they only reflashed, and I was on totally new ground
I even contacted Rod Whitby, the project leader of the NSLU2 project to try to confirm single stepping was done before. Rod told me he never did that and he only reflashed the device.

This confused me even further because, from what I encountered on other platforms, in order to flash some device, the code responsible for programming the flash is loaded in the RAM of the target microcontroller and that code is executed on the target after a RAM buffer with the to be flashed data is preloaded via JTAG, then the operation is repeated for all flash blocks to be reprogrammed.

I was aware it was possible to program a flash chip situated on the board, outside the chip, by only playing with the chip's pads, strictly via JTAG, but I was still hoping single stepping the execution of the code in RedBoot was possible.

Guided by that hope and the possibility that the newer versions of the device were locked, I decided to add a JTAG interface to my older NSLU2, too. But this time I decided I would also add the TRST and SRST signals to the JTAG interface, just in case single stepping would work.

This mod involved even more extensive changes than the ones done on the other NSLU, but I was so frustrated by the fact I was stuck that I didn't mind poking a few holes through the case and the prospect of a connector always sticking out from the other NSLU2 which was doing some small, yet useful work in my home LAN.

It turns out NOBODY single stepped the NSLU2
After biting the bullet and soldering a JTAG interface with the TRST and SRST signals also connected, as the pinout page from the NSLU2 Linux wiki suggested, I was disappointed to observe that I was not able to single step the older one either, in spite of the presence of the extra signals.

I even tinkered with the reset configurations of OpenOCD, but had no success. After obtaining the same result on the proprietary debugger and digging through a presentation made by Rod back in the heyday of the project and the conversations on the NSLU2 Linux Yahoo mailing list I finally concluded:
Actually nobody single stepped the NSLU2, no matter the version of the NSLU2 or connections available on the JTAG interface!

So I was back to square 1, I had to either struggle with disassembly, reevaluate my initial options, find another option or even drop entirely the idea. Since I was already committed to the project dropping entirely the idea didn't seem like the reasonable thing to do.

Since I was feeling I was really close to finishing on the route I chose a while ago, was not any significantly more knowledgeable in the NetBSD code and looking at the NPE code made me feel like washing my hands, the only option I saw was to go on.

Digging a lot more through the internet, I was finally able to find another version of the RedBoot source which was modified for Intel ixp42x systems. A few checks here and there revealed this newly found code was actually almost identical to the code I had disassembled from the slug I was aiming to run NetBSD on.

Long story short, a couple of days later I had a hacked Apex that could go through the RedBoot data structures, search for available commands in RedBoot and successfully call any of the built-in RedBoot commands!

Testing with loading this modified Apex by hand in RAM via TFTP then jumping into it to see if things worked as expected revealed a few small issues which I corrected right away.

Flashing a modified RedBoot?! But why? Wasn't Apex supposed to avoid exactly that risky operation?
Since the tests when executing from RAM were successful, my custom second stage Apex bootloader for NetBSD net booting was ready to be flashed into the NSLU2.

I added two more targets in the Makefile in the code on the dedicated netbsd branch of my Apex repository to generate the images ready for flashing into the NSLU2 flash (RedBoot needs to find a Sercomm header in flash, otherwise it will crash) and the exact commands to be executed in RedBoot are also printed out after generation. This way, if the command is copy-pasted, there is no risk the NSLU2 is bricked by mistake.

After some flashing and reflashing of the apex_nslu2.flash image into the NSLU2 flash, some manual testing, tweaking and modifying the default built in APEX commands, checking that the sequence of commands 'move', 'go 0x01d00000' would jump into Apex, which, in turn, would call RedBoot to transfer the netbsd-nfs.bin image from a TFTP to RAM and then execute it successfully, it was high time to check NetBSD would boot automatically after the NSLU is powered on.

It didn't. Contrary to my previous tests, no call made from Apex to the RedBoot code would return back to Apex, not even a basic execution of the 'version' command.

It turns out the default commands hardcoded into RedBoot were 'boot; exec 0x01d00000', but I had tested 'boot; go 0x01d0000', which is not the same thing.

While 'go' does a plain jump at the specified address, the 'exec' command also does some preparations so it allows a jump into the Linux kernel and those preparations break some environment the RedBoot commands expect.

So the easiest solution was to change the RedBoot's built-in command and turn that 'exec' into a 'go'. But that meant this time I was actually risking to brick the NSLU, unless I was able to reflash via JTAG the NSLU2.


(to be continued - next, changing RedBoot and bisecting through the NetBSD history)

[X] Linksys NSLU2 has an XScale IXP420 processor which is compatible at ASM level with the ARMv5TEJ instruction set

Gunnar Wolf: Feeling somewhat special

Wed, 20/05/2015 - 01:36

Today I feel more special than I have ever felt.

Or... Well, or something like that.

Thing is, there is no clear adjective for this — But I successfully finished my Specialization degree! Yes, believe it or not, today I can formally say I am a Specialist in Informatic Security and Information Technologies (Especialista en Seguridad Informática y Tecnologías de la Información), as awarded by the Higher School of Electric and Mechanic Engineering (Escuela Superior de Ingeniería Mecánica y Eléctrica) of the National Polytechnical Institute (Instituto Politécnico Nacional).

In Mexico and most Latin American countries, degrees are usually incorporated to your name as if they were a nobiliary title. Thus, when graduating from Engineering studies (pre-graduate university level), I became "Ingeniero Gunnar Wolf". People graduating from further postgraduate programs get to introduce themselves as "Maestro Foobar Baz" or "Doctor Quux Noox". And yes, a Specialization is a small postgraduate program (I often say, the smallest possible postgraduate). And as a Specialist... What can I brag about? Can I say I am Specially Gunnar Wolf? Or Special Gunnar Wolf? Nope. The honorific title for a Specialization is a pointer to null, and when cast into a char* it might corrupt your honor-recognizing function. So I'm still Ingeniero Gunnar Wolf, for information security reasons.

So that's the reason I am now enrolled in the Masters program. I hope to write an addendum to this message soonish (where soonish ≥ 18 months) saying I'm finally a Maestro.

As a sidenote, many people asked me: Why did I take on the specialization, which is a degree too small for most kinds of real work recognition? Because it's been around twenty years since I last attended a long-term scholar program as a student. And my dish is quite full with activities and responsibilities. I decided to take a short program, designed for 12 months (I graduated in 16, minus two months that the university was on strike... Quite good, I'd say ;-) ) to see how I fared on it, and only later jumping on the full version.

Because, yes, to advance my career at the university, I finally recognized and understood that I do need postgraduate studies.

Oh, and what kind of work did I do for this? Besides the classes I took, I wrote a thesis on a model for evaluating covert channels for establishing secure communications.


Lars Wirzenius: Software development estimation

Tue, 19/05/2015 - 21:50

Acceptable estimations for software development:

  • Almost certainly doable in less than a day.
  • Probably doable in less than a day, almost certainly not going to take more than three days.
  • Probably doable in less than a week, but who knows?
  • Certainly going to take longer than a week, and nobody can say how long, but if you press me, the estimate is between two weeks and four months.

Reality prevents better accuracy.


Thorsten Alteholz: alpine and UTF-8 and Debian lists

Tue, 19/05/2015 - 17:47

This is a note for my future self: When writing an email with only “charset=US-ASCII”, alpine creates an email with:

Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII

and everything is fine.

In case of UTF-8 characters inside the text, alpine creates something like:

Content-Type: MULTIPART/MIXED; BOUNDARY="705298698-1667814148-1432049085=:28313"

and the only available part contains:

Content-Type: TEXT/PLAIN; format=flowed; charset=UTF-8
Content-Transfer-Encoding: 8BIT

Google tells me that the reason for this is:

Alpine uses a single part MULTIPART/MIXED to apply a protection wrapper around QUOTED-PRINTABLE and BASE64 content to prevent it from being corrupted by various mail delivery systems that append little (typically advertising) things at the end of the message.

Ok, this behavior might come from bad experiences and it seems to work most of the time. Unfortunately if one sends a signed email to a Debian list that checks whether the signature is valid (like for example debian-lts-announce), such an email will be rejected with:

Failed to understand the email or find a signature: UDFormatError:
Cannot handle multipart messages not of type multipart/signed

*sigh*
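A pre-send check for the situation in the note above, as an added example that is not part of the original post. It models only the rule quoted in the rejection message (a multipart message must be multipart/signed), which is an assumption about the list's checker; the three sample messages are constructed.

```python
from email import message_from_bytes, policy


def classify(raw):
    """Return (verdict, detail) for the top-level MIME structure of a message.

    "ok":       not multipart (room for an inline signature) or multipart/signed
    "wrapper":  single-part multipart/mixed, the shape alpine produces for UTF-8 text
    "rejected": any other multipart type
    """
    msg = message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()          # always lower-cased by the parser
    if not msg.is_multipart() or ctype == "multipart/signed":
        return ("ok", ctype)
    parts = list(msg.iter_parts())
    if ctype == "multipart/mixed" and len(parts) == 1:
        inner = parts[0]
        detail = f"{inner.get_content_type()}; charset={inner.get_content_charset()}"
        return ("wrapper", detail)
    return ("rejected", ctype)


# Constructed sample: what alpine writes for pure US-ASCII text.
ALPINE_ASCII = (
    b"From: sender@example.org\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII\r\n"
    b"\r\n"
    b"plain text\r\n"
)

# Constructed sample: the single-part MULTIPART/MIXED wrapper around UTF-8 text.
ALPINE_UTF8 = (
    b"From: sender@example.org\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: MULTIPART/MIXED; BOUNDARY="constructed-boundary-1"\r\n'
    b"\r\n"
    b"--constructed-boundary-1\r\n"
    b"Content-Type: TEXT/PLAIN; format=flowed; charset=UTF-8\r\n"
    b"Content-Transfer-Encoding: 8BIT\r\n"
    b"\r\n"
    + "Gr\u00fc\u00dfe\r\n".encode("utf-8")
    + b"--constructed-boundary-1--\r\n"
)

# Constructed sample: a PGP/MIME message (signature body is a placeholder).
PGP_MIME = (
    b"From: sender@example.org\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/signed; micalg=pgp-sha256;\r\n'
    b' protocol="application/pgp-signature"; boundary="constructed-boundary-2"\r\n'
    b"\r\n"
    b"--constructed-boundary-2\r\n"
    b"Content-Type: text/plain; charset=UTF-8\r\n"
    b"\r\n"
    b"signed text\r\n"
    b"--constructed-boundary-2\r\n"
    b"Content-Type: application/pgp-signature\r\n"
    b"\r\n"
    b"PLACEHOLDER-SIGNATURE\r\n"
    b"--constructed-boundary-2--\r\n"
)

if __name__ == "__main__":
    for name, raw in (("ascii", ALPINE_ASCII), ("utf8", ALPINE_UTF8), ("pgp-mime", PGP_MIME)):
        print(name, classify(raw))
```
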


Simon Josefsson: Scrypt in IETF

Tue, 19/05/2015 - 14:55

Colin Percival and I have worked on an internet-draft on scrypt for some time. I realize now that the -00 draft was published over two years ago, turning this effort today somewhat into archeology rather than rocket science. Still, having a published RFC that is easy to refer to from other Internet protocols will hopefully help to establish the point that PBKDF2 alone no longer provides state-of-the-art protection for password hashing.

I have written about password hashing before where I give a quick introduction to the basic concepts in the context of the well-known PBKDF2 algorithm. The novelty in scrypt is that it is designed to combat brute force and hardware accelerated attacks on hashed password databases. Briefly, scrypt expands the password and salt (using PBKDF2 as a component) and then uses that to create a large array (typically tens or hundreds of megabytes) using the Salsa20 core hash function and then de-references that large array in a random and sequential pattern. There are three parameters to the scrypt function: a CPU/Memory cost parameter N (varies, typical values are 16384 or 1048576), a blocksize parameter r (typically 8), and a parallelization parameter p (typically a low number like 1 or 16). The process is described in the draft, and there are further discussions in Colin’s original scrypt paper.

The document has been stable for some time, and we are now asking for it to be published. Thus now is a good time to provide us with feedback on the document. The live document on gitlab is available if you want to send us a patch.
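The structure sketched in the post, as an added example that is not code from the draft or its authors: a compact pure-Python scrypt showing the PBKDF2 expansion, the sequential fill of the large array and the data-dependent reads from it. Function names are this example's own, and it is meant for study at small parameters; real password hashing should call `hashlib.scrypt` or another vetted implementation.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF
# Word-index quadruples for the Salsa20 column round, then the row round.
QUARTERS = (
    (0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
    (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14),
)


def rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def salsa20_8(block):
    """Salsa20/8 core: 64 bytes in, 64 bytes out (not a full cipher)."""
    start = struct.unpack("<16I", block)
    x = list(start)
    for _ in range(4):                      # 4 double rounds = 8 rounds
        for a, b, c, d in QUARTERS:
            x[b] ^= rotl32((x[a] + x[d]) & MASK32, 7)
            x[c] ^= rotl32((x[b] + x[a]) & MASK32, 9)
            x[d] ^= rotl32((x[c] + x[b]) & MASK32, 13)
            x[a] ^= rotl32((x[d] + x[c]) & MASK32, 18)
    return struct.pack("<16I", *((s + v) & MASK32 for s, v in zip(start, x)))


def xor_bytes(a, b):
    n = int.from_bytes(a, "big") ^ int.from_bytes(b, "big")
    return n.to_bytes(len(a), "big")


def block_mix(block, r):
    """Chain Salsa20/8 over the 2r 64-byte sub-blocks, then emit the
    even-numbered results followed by the odd-numbered ones."""
    x = block[-64:]
    out = []
    for i in range(2 * r):
        x = salsa20_8(xor_bytes(x, block[64 * i:64 * (i + 1)]))
        out.append(x)
    return b"".join(out[0::2] + out[1::2])


def ro_mix(block, n, r):
    """Memory-hard step. Returns (mixed block, indices read in pass 2)."""
    v = []
    x = block
    for _ in range(n):                      # pass 1: fill the array in order
        v.append(x)
        x = block_mix(x, r)
    reads = []
    for _ in range(n):                      # pass 2: index depends on the data
        j = int.from_bytes(x[-64:-56], "little") % n
        reads.append(j)
        x = block_mix(xor_bytes(x, v[j]), r)
    return x, reads


def scrypt(password, salt, n, r, p, dklen=64):
    if n < 2 or n & (n - 1):
        raise ValueError("N must be a power of two greater than 1")
    blen = 128 * r
    # Expand password and salt into p independent blocks with PBKDF2.
    b = hashlib.pbkdf2_hmac("sha256", password, salt, 1, p * blen)
    mixed = b"".join(ro_mix(b[i * blen:(i + 1) * blen], n, r)[0] for i in range(p))
    # Compress the mixed blocks back into the derived key, again with PBKDF2.
    return hashlib.pbkdf2_hmac("sha256", password, mixed, 1, dklen)


def array_bytes(n, r):
    """Size of the array one ro_mix call keeps in memory: N blocks of 128*r bytes."""
    return 128 * r * n


if __name__ == "__main__":
    for n, r in ((16384, 8), (1048576, 8)):
        print(f"N={n:>7} r={r}: {array_bytes(n, r) // 2**20} MiB per array")
    demo_block = hashlib.sha512(b"constructed demo input").digest() * 2
    print("pass 2 read order:", ro_mix(demo_block, 16, 1)[1])
    print(scrypt(b"password", b"NaCl", 16, 1, 1).hex())
```
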


Ritesh Raj Sarraf: Lenovo Yoga 2 13 with Debian

Tue, 19/05/2015 - 13:55

I recently acquired a Lenovo Yoga 2 13. While, at the time, the Yoga 3 was available, I decided to go for Yoga 2 13. The Yoga 3 comes with the newer Core M Broadwell family, which, in my opinion, doesn't really bring any astounding benefits.

The Yoga 2 13 comes in multiple variants worldwide. In fact these hardware variations have different effects when run under Linux.

My variant of Yoga 2 13 is:

CPU: Intel(R) Core(TM) i7-4510U CPU @ 2.00GHz
RAM: 8 GiB - Occupying 2 slots

Memory Controller Information
    Supported Interleave: One-way Interleave
    Current Interleave: One-way Interleave
    Maximum Memory Module Size: 8192 MB
    Maximum Total Memory Size: 16384 MB
Handle 0x0006, DMI type 6, 12 bytes
Handle 0x0007, DMI type 6, 12 bytes

The usual PCI devices:

rrs@learner:~$ lspci
00:00.0 Host bridge: Intel Corporation Haswell-ULT DRAM Controller (rev 0b)
00:02.0 VGA compatible controller: Intel Corporation Haswell-ULT Integrated Graphics Controller (rev 0b)
00:03.0 Audio device: Intel Corporation Haswell-ULT HD Audio Controller (rev 0b)
00:14.0 USB controller: Intel Corporation 8 Series USB xHCI HC (rev 04)
00:16.0 Communication controller: Intel Corporation 8 Series HECI #0 (rev 04)
00:1b.0 Audio device: Intel Corporation 8 Series HD Audio Controller (rev 04)
00:1c.0 PCI bridge: Intel Corporation 8 Series PCI Express Root Port 4 (rev e4)
00:1d.0 USB controller: Intel Corporation 8 Series USB EHCI #1 (rev 04)
00:1f.0 ISA bridge: Intel Corporation 8 Series LPC Controller (rev 04)
00:1f.2 SATA controller: Intel Corporation 8 Series SATA Controller 1 [AHCI mode] (rev 04)
00:1f.3 SMBus: Intel Corporation 8 Series SMBus Controller (rev 04)
01:00.0 Network controller: Realtek Semiconductor Co., Ltd. RTL8723BE PCIe Wireless Network Adapter
17:37 ♒♒♒ ☺

And the storage devices

Device Model: WDC WD5000M22K-24Z1LT0-SSHD-16GB
Device Model: KINGSTON SM2280S3120G

 

Storage

The drive runs into serious performance problems when its SSHD's NCQ (mis)feature is under use in Linux <= 4.0.

[28974.232550] ata2.00: configured for UDMA/133
[28974.232565] ahci 0000:00:1f.2: port does not support device sleep
[28983.680955] ata1.00: exception Emask 0x10 SAct 0x7fffffff SErr 0x400100 action 0x6 frozen
[28983.681000] ata1.00: irq_stat 0x08000000, interface fatal error
[28983.681027] ata1: SError: { UnrecovData Handshk }
[28983.681052] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.681082] ata1.00: cmd 61/40:00:b8:84:88/05:00:0a:00:00/40 tag 0 ncq 688128 out res 40/00:3c:78:a9:88/00:00:0a:00:00/40 Emask 0x10 (ATA bus error)
[28983.681152] ata1.00: status: { DRDY }
[28983.681171] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.681202] ata1.00: cmd 61/40:08:f8:89:88/05:00:0a:00:00/40 tag 1 ncq 688128 out res 40/00:3c:78:a9:88/00:00:0a:00:00/40 Emask 0x10 (ATA bus error)
[28983.681271] ata1.00: status: { DRDY }
[28983.681289] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.681316] ata1.00: cmd 61/40:10:38:8f:88/05:00:0a:00:00/40 tag 2 ncq 688128 out res 40/00:3c:78:a9:88/00:00:0a:00:00/40 Emask 0x10 (ATA bus error)
[28983.681387] ata1.00: status: { DRDY }
[28983.681407] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.681435] ata1.00: cmd 61/40:18:78:94:88/05:00:0a:00:00/40 tag 3 ncq 688128 out res 40/00:3c:78:a9:88/00:00:0a:00:00/40 Emask 0x10 (ATA bus error)
[28983.697642] ata1.00: status: { DRDY }
[28983.697643] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.697646] ata1.00: cmd 61/40:c8:38:65:88/05:00:0a:00:00/40 tag 25 ncq 688128 out res 40/00:3c:78:a9:88/00:00:0a:00:00/40 Emask 0x10 (ATA bus error)
[28983.697647] ata1.00: status: { DRDY }
[28983.697648] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.697651] ata1.00: cmd 61/40:d0:78:6a:88/05:00:0a:00:00/40 tag 26 ncq 688128 out res 40/00:3c:78:a9:88/00:00:0a:00:00/40 Emask 0x10 (ATA bus error)
[28983.697651] ata1.00: status: { DRDY }
[28983.697652] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.697656] ata1.00: cmd 61/40:d8:b8:6f:88/05:00:0a:00:00/40 tag 27 ncq 688128 out res 40/00:3c:78:a9:88/00:00:0a:00:00/40 Emask 0x10 (ATA bus error)
[28983.697657] ata1.00: status: { DRDY }
[28983.697658] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.697661] ata1.00: cmd 61/40:e0:f8:74:88/05:00:0a:00:00/40 tag 28 ncq 688128 out res 40/00:3c:78:a9:88/00:00:0a:00:00/40 Emask 0x10 (ATA bus error)
[28983.697662] ata1.00: status: { DRDY }
[28983.697663] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.697666] ata1.00: cmd 61/40:e8:38:7a:88/05:00:0a:00:00/40 tag 29 ncq 688128 out res 40/00:3c:78:a9:88/00:00:0a:00:00/40 Emask 0x10 (ATA bus error)
[28983.697667] ata1.00: status: { DRDY }
[28983.697668] ata1.00: failed command: WRITE FPDMA QUEUED
[28983.697672] ata1.00: cmd 61/40:f0:78:7f:88/05:00:0a:00:00/40 tag 30 ncq 688128 out res 40/00:3c:78:a9:88/00:00:0a:00:00/40 Emask 0x10 (ATA bus error)
[28983.697672] ata1.00: status: { DRDY }
[28983.697676] ata1: hard resetting link
[28984.017356] ata1: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
[28984.022612] ata1.00: configured for UDMA/133
[28984.022740] ata1: EH complete
[28991.611732] Suspending console(s) (use no_console_suspend to debug)
[28992.183822] sd 1:0:0:0: [sdb] Synchronizing SCSI cache
[28992.186569] sd 1:0:0:0: [sdb] Stopping disk
[28992.186604] sd 0:0:0:0: [sda] Synchronizing SCSI cache
[28992.189594] sd 0:0:0:0: [sda] Stopping disk
[28992.967426] PM: suspend of devices complete after 1351.349 msecs
[28992.999461] PM: late suspend of devices complete after 31.990 msecs
[28993.000058] ehci-pci 0000:00:1d.0: System wakeup enabled by ACPI
[28993.000306] xhci_hcd 0000:00:14.0: System wakeup enabled by ACPI
[28993.016463] PM: noirq suspend of devices complete after 16.978 msecs
[28993.017024] ACPI: Preparing to enter system sleep state S3
[28993.017349] PM: Saving platform NVS memory
[28993.017357] Disabling non-boot CPUs ...
[28993.017389] intel_pstate CPU 1 exiting
[28993.018727] kvm: disabling virtualization on CPU1
[28993.019320] smpboot: CPU 1 is now offline
[28993.019646] intel_pstate CPU 2 exiting

In the interim, to overcome this problem, we can force the device to run in degraded mode. I'm not sure if it is really the degraded mode, or the device was falsely advertised as a 6 GiB capable device. Time will tell, but for now, force it to run in 3 GiB mode, and so far, I haven't run into the above mentioned problems. To force 3 GiB speed, apply the following.

rrs@learner:~$ cat /proc/cmdline
BOOT_IMAGE=/vmlinuz-4.0.4+ root=/dev/mapper/sdb_crypt ro cgroup_enable=memory swapaccount=1 rootflags=data=writeback libata.force=1:3 quiet
16:42 ♒♒♒ ☺

And then verify it... As you can see below, I've forced it for ata1 because I want my SSD drive to run at full-speed. I've done enough I/O, which earlier resulted in the kernel spitting the SATA errors. With this workaround, the kernel does not spit any error messages.

[ 1.273365] libata version 3.00 loaded.
[ 1.287290] ahci 0000:00:1f.2: AHCI 0001.0300 32 slots 4 ports 6 Gbps 0x3 impl SATA mode
[ 1.288238] ata1: FORCE: PHY spd limit set to 3.0Gbps
[ 1.288240] ata1: SATA max UDMA/133 abar m2048@0xb051b000 port 0xb051b100 irq 41
[ 1.288242] ata2: SATA max UDMA/133 abar m2048@0xb051b000 port 0xb051b180 irq 41
[ 1.288244] ata3: DUMMY
[ 1.288245] ata4: DUMMY
[ 1.606971] ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 320)
[ 1.607906] ata1.00: ATA-9: WDC WD5000M22K-24Z1LT0-SSHD-16GB, 02.01A03, max UDMA/133
[ 1.607910] ata1.00: 976773168 sectors, multi 0: LBA48 NCQ (depth 31/32), AA
[ 1.608856] ata1.00: configured for UDMA/133
[ 1.609106] scsi 0:0:0:0: Direct-Access ATA WDC WD5000M22K-2 1A03 PQ: 0 ANSI: 5
[ 1.927167] ata2: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
[ 1.928980] ata2.00: ATA-8: KINGSTON SM2280S3120G, S8FM06.A, max UDMA/133
[ 1.928983] ata2.00: 234441648 sectors, multi 16: LBA48 NCQ (depth 31/32), AA
[ 1.929616] ata2.00: configured for UDMA/133

And the throughput you get out of your WD SATA SSHD drive, with capability set to 3.0 GiB is:

rrs@learner:/media/SSHD/tmp$ while true; do dd if=/dev/zero of=foo.img bs=1M count=20000; sync; rm -rf foo.img; sync; done
20000+0 records in
20000+0 records out
20971520000 bytes (21 GB) copied, 202.014 s, 104 MB/s
20000+0 records in
20000+0 records out
20971520000 bytes (21 GB) copied, 206.111 s, 102 MB/s

Hannes Reinecke has submitted patches for NCQ enhancements, for Linux 4.1, which I hope will resolve these problems. Another option is to disable NCQ for the drive, or else blacklist the make/model in driver/ata/libata-core.c

By the time I finished this blog entry draft, I had tests to conclude that this did not look like an NCQ problem. Because in degraded mode too, it runs with NCQ enabled (check above).

rrs@learner:~$ sudo fstrim -vv /media/SSHD
/media/SSHD: 268.2 GiB (287930949632 bytes) trimmed
16:58 ♒♒♒ ☺
rrs@learner:~$ sudo fstrim -vv /
[sudo] password for rrs:
/: 64 GiB (68650749952 bytes) trimmed
16:56 ♒♒♒ ☺

Another interesting feature of this drive is support for TRIM / DISCARD. This drive's FTL accepts the TRIM command. Of course, you need to ensure that you have discard enabled in all the layers. In my case, SATA + Device Mapper (Crypt and LVM) + File System (ext4)

Display

The overall display of this device is amazing. It is large enough to give you a vibrant look. At 1920x1080 resolution, things look good. The display support was available out-of-the-box.

There were some suspend / resume hangs that occurred with kernels < 4.x. The issue was root caused and fixed for Linux 4.0.

You may still notice the following kernel messages, though not problematic to me so far.

[28977.518114] PM: thaw of devices complete after 3607.979 msecs
[28977.590389] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[28977.590582] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[28977.591095] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[28977.591185] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[28977.591368] acpi device:30: Cannot transition to power state D3cold for parent in (unknown)
[28977.591911] pci_bus 0000:01: Allocating resources
[28977.591933] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[28977.592093] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[28977.592401] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment

You may need to disable the Intel Management Engine Interface (mei.ko), in case you run into suspend/resume problems.

rrs@learner:/media/SSHD/tmp$ cat /etc/modprobe.d/intel-mei-blacklist.conf
blacklist mei
blacklist mei-me
17:01 ♒♒♒ ☺

You may also run into the following Kernel Oops during suspend/resume. Below, you see 2 iterations of sleep because it first hibernates and then sleeps (s2both).

[ 180.470206] Syncing filesystems ... done.
[ 180.473337] Freezing user space processes ... (elapsed 0.001 seconds) done.
[ 180.475210] PM: Marking nosave pages: [mem 0x00000000-0x00000fff]
[ 180.475213] PM: Marking nosave pages: [mem 0x0006f000-0x0006ffff]
[ 180.475215] PM: Marking nosave pages: [mem 0x00088000-0x000fffff]
[ 180.475220] PM: Marking nosave pages: [mem 0x97360000-0x97b5ffff]
[ 180.475274] PM: Marking nosave pages: [mem 0x9c36f000-0x9cffefff]
[ 180.475356] PM: Marking nosave pages: [mem 0x9d000000-0xffffffff]
[ 180.476877] PM: Basic memory bitmaps created
[ 180.477003] PM: Preallocating image memory... done (allocated 380227 pages)
[ 180.851800] PM: Allocated 1520908 kbytes in 0.37 seconds (4110.56 MB/s)
[ 180.851802] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done.
[ 180.853355] Suspending console(s) (use no_console_suspend to debug)
[ 180.853520] wlan0: deauthenticating from c4:6e:1f:d0:67:26 by local choice (Reason: 3=DEAUTH_LEAVING)
[ 180.864159] cfg80211: Calling CRDA to update world regulatory domain
[ 181.172222] PM: freeze of devices complete after 319.294 msecs
[ 181.196080] ------------[ cut here ]------------
[ 181.196124] WARNING: CPU: 3 PID: 3707 at drivers/gpu/drm/i915/intel_display.c:7904 hsw_enable_pc8+0x659/0x7c0 [i915]()
[ 181.196125] SPLL enabled
[ 181.196159] Modules linked in: rfcomm ctr ccm bnep pci_stub vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) bridge stp llc xt_conntrack iptable_filter ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_CHECKSUM xt_tcpudp iptable_mangle ip_tables x_tables nls_utf8 nls_cp437 vfat fat rtsx_usb_ms memstick snd_hda_codec_hdmi joydev mousedev hid_sensor_rotation hid_sensor_incl_3d hid_sensor_als hid_sensor_accel_3d hid_sensor_magn_3d hid_sensor_gyro_3d hid_sensor_trigger industrialio_triggered_buffer kfifo_buf industrialio hid_sensor_iio_common iTCO_wdt iTCO_vendor_support hid_multitouch x86_pkg_temp_thermal intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm btusb hid_sensor_hub bluetooth uvcvideo videobuf2_vmalloc videobuf2_memops
[ 181.196203] videobuf2_core v4l2_common videodev media pcspkr evdev mac_hid arc4 psmouse serio_raw efivars i2c_i801 rtl8723be btcoexist rtl8723_common rtl_pci rtlwifi mac80211 snd_soc_rt5640 cfg80211 snd_soc_rl6231 snd_hda_codec_realtek i915 snd_soc_core snd_hda_codec_generic ideapad_laptop ac snd_compress dw_dmac sparse_keymap drm_kms_helper rfkill battery dw_dmac_core snd_hda_intel snd_pcm_dmaengine snd_soc_sst_acpi snd_hda_controller video 8250_dw regmap_i2c snd_hda_codec drm snd_hwdep snd_pcm spi_pxa2xx_platform i2c_designware_platform soc_button_array snd_timer i2c_designware_core snd i2c_algo_bit soundcore shpchp lpc_ich button processor fuse ipv6 autofs4 ext4 crc16 jbd2 mbcache btrfs xor raid6_pq algif_skcipher af_alg dm_crypt dm_mod sg usbhid sd_mod rtsx_usb_sdmmc rtsx_usb crct10dif_pclmul
[ 181.196220] crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd ahci libahci libata xhci_pci ehci_pci xhci_hcd ehci_hcd scsi_mod usbcore usb_common thermal fan thermal_sys hwmon i2c_hid hid i2c_core sdhci_acpi sdhci mmc_core gpio_lynxpoint
[ 181.196224] CPU: 3 PID: 3707 Comm: kworker/u16:7 Tainted: G O 4.0.4+ #14
[ 181.196225] Hardware name: LENOVO 20344/INVALID, BIOS 96CN29WW(V1.15) 10/16/2014
[ 181.196230] Workqueue: events_unbound async_run_entry_fn
[ 181.196233] 0000000000000000 ffffffffa0706f68 ffffffff81522198 ffff880064debc88
[ 181.196235] ffffffff8106c5b1 ffff880251460000 ffff880250f83b68 ffff880250f83b78
[ 181.196237] ffff880250f83800 0000000000000001 ffffffff8106c62a ffffffffa071407c
[ 181.196238] Call Trace:
[ 181.196248] [<ffffffff81522198>] ? dump_stack+0x40/0x50
[ 181.196251] [<ffffffff8106c5b1>] ? warn_slowpath_common+0x81/0xb0
[ 181.196254] [<ffffffff8106c62a>] ? warn_slowpath_fmt+0x4a/0x50
[ 181.196278] [<ffffffffa06ae349>] ? hsw_enable_pc8+0x659/0x7c0 [i915]
[ 181.196289] [<ffffffffa0643ee0>] ? intel_suspend_complete+0xe0/0x6e0 [i915]
[ 181.196300] [<ffffffffa0644501>] ? i915_drm_suspend_late+0x21/0x90 [i915]
[ 181.196311] [<ffffffffa0644690>] ? i915_pm_poweroff_late+0x40/0x40 [i915]
[ 181.196318] [<ffffffff813fa7ba>] ? dpm_run_callback+0x4a/0x100
[ 181.196321] [<ffffffff813fb010>] ? __device_suspend_late+0xa0/0x180
[ 181.196324] [<ffffffff813fb10e>] ? async_suspend_late+0x1e/0xa0
[ 181.196326] [<ffffffff8108b973>] ? async_run_entry_fn+0x43/0x160
[ 181.196330] [<ffffffff81083a5d>] ? process_one_work+0x14d/0x3f0
[ 181.196332] [<ffffffff81084463>] ? worker_thread+0x53/0x480
[ 181.196334] [<ffffffff81084410>] ? rescuer_thread+0x300/0x300
[ 181.196338] [<ffffffff81089191>] ? kthread+0xc1/0xe0
[ 181.196341] [<ffffffff810890d0>] ? kthread_create_on_node+0x180/0x180
[ 181.196346] [<ffffffff81527898>] ? ret_from_fork+0x58/0x90
[ 181.196349] [<ffffffff810890d0>] ? kthread_create_on_node+0x180/0x180
[ 181.196350] ---[ end trace 8e339004db298838 ]---
[ 181.220094] PM: late freeze of devices complete after 47.936 msecs
[ 181.220972] PM: noirq freeze of devices complete after 0.875 msecs
[ 181.221577] ACPI: Preparing to enter system sleep state S4
[ 181.221886] PM: Saving platform NVS memory
[ 181.222702] Disabling non-boot CPUs ...
[ 181.222731] intel_pstate CPU 1 exiting
[ 181.224041] kvm: disabling virtualization on CPU1
[ 181.224680] smpboot: CPU 1 is now offline
[ 181.225121] intel_pstate CPU 2 exiting
[ 181.226407] kvm: disabling virtualization on CPU2
[ 181.227025] smpboot: CPU 2 is now offline
[ 181.227441] intel_pstate CPU 3 exiting
[ 181.227728] Broke affinity for irq 19
[ 181.227747] Broke affinity for irq 41
[ 181.228771] kvm: disabling virtualization on CPU3
[ 181.228793] smpboot: CPU 3 is now offline
[ 181.229624] PM: Creating hibernation image:
[ 181.563651] PM: Need to copy 379053 pages
[ 181.563655] PM: Normal pages needed: 379053 + 1024, available pages: 1697704
[ 182.472910] PM: Hibernation image created (379053 pages copied)
[ 181.232347] PM: Restoring platform NVS memory
[ 181.233171] Enabling non-boot CPUs ...
[ 181.233246] x86: Booting SMP configuration:
[ 181.233248] smpboot: Booting Node 0 Processor 1 APIC 0x1
[ 181.246771] kvm: enabling virtualization on CPU1
[ 181.249339] CPU1 is up
[ 181.249389] smpboot: Booting Node 0 Processor 2 APIC 0x2
[ 181.262313] kvm: enabling virtualization on CPU2
[ 181.264853] CPU2 is up
[ 181.264903] smpboot: Booting Node 0 Processor 3 APIC 0x3
[ 181.277831] kvm: enabling virtualization on CPU3
[ 181.280317] CPU3 is up
[ 181.288471] ACPI: Waking up from system sleep state S4
[ 182.340655] PM: noirq thaw of devices complete after 0.637 msecs
[ 182.378087] PM: early thaw of devices complete after 37.428 msecs
[ 182.378436] rtlwifi: rtlwifi: wireless switch is on
[ 182.451021] rtc_cmos 00:01: System wakeup disabled by ACPI
[ 182.697575] ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 320)
[ 182.697617] ata2: SATA link up 6.0 Gbps (SStatus 133 SControl 300)
[ 182.699248] ata1.00: configured for UDMA/133
[ 182.699911] ata2.00: configured for UDMA/133
[ 182.699917] ahci 0000:00:1f.2: port does not support device sleep
[ 186.059539] PM: thaw of devices complete after 3685.338 msecs
[ 186.134292] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[ 186.134479] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[ 186.134992] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[ 186.135080] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[ 186.135266] acpi device:30: Cannot transition to power state D3cold for parent in (unknown)
[ 186.135950] pci_bus 0000:01: Allocating resources
[ 186.135974] pcieport 0000:00:1c.0: bridge window [mem 0x00100000-0x000fffff 64bit pref] to [bus 01] add_size 200000
[ 186.135980] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[ 186.136049] pcieport 0000:00:1c.0: res[15]=[mem 0x00100000-0x000fffff 64bit pref] get_res_add_size add_size 200000
[ 186.136072] pcieport 0000:00:1c.0: BAR 15: assigned [mem 0x9fb00000-0x9fcfffff 64bit pref]
[ 186.136174] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[ 186.136490] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment
[ 199.454497] Suspending console(s) (use no_console_suspend to debug)
[ 200.024190] sd 1:0:0:0: [sdb] Synchronizing SCSI cache
[ 200.024356] sd 0:0:0:0: [sda] Synchronizing SCSI cache
[ 200.025359] sd 1:0:0:0: [sdb] Stopping disk
[ 200.028701] sd 0:0:0:0: [sda] Stopping disk
[ 201.106085] PM: suspend of devices complete after 1651.336 msecs
[ 201.106591] ------------[ cut here ]------------
[ 201.106628] WARNING: CPU: 0 PID: 3725 at drivers/gpu/drm/i915/intel_display.c:7904 hsw_enable_pc8+0x659/0x7c0 [i915]()
[ 201.106628] SPLL enabled
[ 201.106656] Modules linked in: rfcomm ctr ccm bnep pci_stub vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) bridge stp llc xt_conntrack iptable_filter ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_CHECKSUM xt_tcpudp iptable_mangle ip_tables x_tables nls_utf8 nls_cp437 vfat fat rtsx_usb_ms memstick snd_hda_codec_hdmi joydev mousedev hid_sensor_rotation hid_sensor_incl_3d hid_sensor_als hid_sensor_accel_3d hid_sensor_magn_3d hid_sensor_gyro_3d hid_sensor_trigger industrialio_triggered_buffer kfifo_buf industrialio hid_sensor_iio_common iTCO_wdt iTCO_vendor_support hid_multitouch x86_pkg_temp_thermal intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm btusb hid_sensor_hub bluetooth uvcvideo videobuf2_vmalloc videobuf2_memops
[ 201.106694] videobuf2_core v4l2_common videodev media pcspkr evdev mac_hid arc4 psmouse serio_raw efivars i2c_i801 rtl8723be btcoexist rtl8723_common rtl_pci rtlwifi mac80211 snd_soc_rt5640 cfg80211 snd_soc_rl6231 snd_hda_codec_realtek i915 snd_soc_core snd_hda_codec_generic ideapad_laptop ac snd_compress dw_dmac sparse_keymap drm_kms_helper rfkill battery dw_dmac_core snd_hda_intel snd_pcm_dmaengine snd_soc_sst_acpi snd_hda_controller video 8250_dw regmap_i2c snd_hda_codec drm snd_hwdep snd_pcm spi_pxa2xx_platform i2c_designware_platform soc_button_array snd_timer i2c_designware_core snd i2c_algo_bit soundcore shpchp lpc_ich button processor fuse ipv6 autofs4 ext4 crc16 jbd2 mbcache btrfs xor raid6_pq algif_skcipher af_alg dm_crypt dm_mod sg usbhid sd_mod rtsx_usb_sdmmc rtsx_usb crct10dif_pclmul
[ 201.106711] crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd ahci libahci libata xhci_pci ehci_pci xhci_hcd ehci_hcd scsi_mod usbcore usb_common thermal fan thermal_sys hwmon i2c_hid hid i2c_core sdhci_acpi sdhci mmc_core gpio_lynxpoint
[ 201.106714] CPU: 0 PID: 3725 Comm: kworker/u16:25 Tainted: G W O 4.0.4+ #14
[ 201.106715] Hardware name: LENOVO 20344/INVALID, BIOS 96CN29WW(V1.15) 10/16/2014
[ 201.106720] Workqueue: events_unbound async_run_entry_fn
[ 201.106723] 0000000000000000 ffffffffa0706f68 ffffffff81522198 ffff880064dd7c88
[ 201.106725] ffffffff8106c5b1 ffff880251460000 ffff880250f83b68 ffff880250f83b78
[ 201.106727] ffff880250f83800 0000000000000002 ffffffff8106c62a ffffffffa071407c
[ 201.106728]
Call Trace: [ 201.106737] [<ffffffff81522198>] ? dump_stack+0x40/0x50 [ 201.106740] [<ffffffff8106c5b1>] ? warn_slowpath_common+0x81/0xb0 [ 201.106742] [<ffffffff8106c62a>] ? warn_slowpath_fmt+0x4a/0x50 [ 201.106765] [<ffffffffa06ae349>] ? hsw_enable_pc8+0x659/0x7c0 [i915] [ 201.106776] [<ffffffffa0643ee0>] ? intel_suspend_complete+0xe0/0x6e0 [i915] [ 201.106786] [<ffffffffa0644501>] ? i915_drm_suspend_late+0x21/0x90 [i915] [ 201.106797] [<ffffffffa0644690>] ? i915_pm_poweroff_late+0x40/0x40 [i915] [ 201.106802] [<ffffffff813fa7ba>] ? dpm_run_callback+0x4a/0x100 [ 201.106805] [<ffffffff813fb010>] ? __device_suspend_late+0xa0/0x180 [ 201.106809] [<ffffffff813fb10e>] ? async_suspend_late+0x1e/0xa0 [ 201.106811] [<ffffffff8108b973>] ? async_run_entry_fn+0x43/0x160 [ 201.106813] [<ffffffff81083a5d>] ? process_one_work+0x14d/0x3f0 [ 201.106815] [<ffffffff81084463>] ? worker_thread+0x53/0x480 [ 201.106818] [<ffffffff81084410>] ? rescuer_thread+0x300/0x300 [ 201.106821] [<ffffffff81089191>] ? kthread+0xc1/0xe0 [ 201.106824] [<ffffffff810890d0>] ? kthread_create_on_node+0x180/0x180 [ 201.106827] [<ffffffff81527898>] ? ret_from_fork+0x58/0x90 [ 201.106830] [<ffffffff810890d0>] ? kthread_create_on_node+0x180/0x180 [ 201.106832] ---[ end trace 8e339004db298839 ]--- [ 201.130052] PM: late suspend of devices complete after 23.960 msecs [ 201.130725] ehci-pci 0000:00:1d.0: System wakeup enabled by ACPI [ 201.130885] xhci_hcd 0000:00:14.0: System wakeup enabled by ACPI [ 201.146986] PM: noirq suspend of devices complete after 16.930 msecs [ 201.147591] ACPI: Preparing to enter system sleep state S3 [ 201.147942] PM: Saving platform NVS memory [ 201.147948] Disabling non-boot CPUs ... 
[ 201.147999] intel_pstate CPU 1 exiting [ 201.149324] kvm: disabling virtualization on CPU1 [ 201.149337] smpboot: CPU 1 is now offline [ 201.149640] intel_pstate CPU 2 exiting [ 201.151096] kvm: disabling virtualization on CPU2 [ 201.151108] smpboot: CPU 2 is now offline [ 201.152017] intel_pstate CPU 3 exiting [ 201.153250] kvm: disabling virtualization on CPU3 [ 201.153256] smpboot: CPU 3 is now offline [ 201.156229] ACPI: Low-level resume complete [ 201.156307] PM: Restoring platform NVS memory [ 201.160033] CPU0 microcode updated early to revision 0x1c, date = 2014-07-03 [ 201.160190] Enabling non-boot CPUs ... [ 201.160241] x86: Booting SMP configuration: [ 201.160243] smpboot: Booting Node 0 Processor 1 APIC 0x1 [ 201.172665] kvm: enabling virtualization on CPU1 [ 201.174982] CPU1 is up [ 201.175013] smpboot: Booting Node 0 Processor 2 APIC 0x2 [ 201.187569] CPU2 microcode updated early to revision 0x1c, date = 2014-07-03 [ 201.188796] kvm: enabling virtualization on CPU2 [ 201.191130] CPU2 is up [ 201.191158] smpboot: Booting Node 0 Processor 3 APIC 0x3 [ 201.203297] kvm: enabling virtualization on CPU3 [ 201.205679] CPU3 is up [ 201.210414] ACPI: Waking up from system sleep state S3 [ 201.224617] ehci-pci 0000:00:1d.0: System wakeup disabled by ACPI [ 201.332523] xhci_hcd 0000:00:14.0: System wakeup disabled by ACPI [ 201.332634] PM: noirq resume of devices complete after 121.623 msecs [ 201.372718] PM: early resume of devices complete after 40.058 msecs [ 201.372892] rtlwifi: rtlwifi: wireless switch is on [ 201.373270] sd 0:0:0:0: [sda] Starting disk [ 201.373271] sd 1:0:0:0: [sdb] Starting disk [ 201.445954] rtc_cmos 00:01: System wakeup disabled by ACPI [ 201.692510] ata2: SATA link up 6.0 Gbps (SStatus 133 SControl 300) [ 201.694719] ata2.00: configured for UDMA/133 [ 201.694724] ahci 0000:00:1f.2: port does not support device sleep [ 201.836724] usb 2-4: reset high-speed USB device number 2 using xhci_hcd [ 201.890158] psmouse serio1: synaptics: 
queried max coordinates: x [..5702], y [..4730] [ 201.930768] psmouse serio1: synaptics: queried min coordinates: x [1242..], y [1124..] [ 202.076784] usb 2-5: reset full-speed USB device number 3 using xhci_hcd [ 202.205100] usb 2-5: ep 0x2 - rounding interval to 64 microframes, ep desc says 80 microframes [ 202.316799] usb 2-7: reset full-speed USB device number 5 using xhci_hcd [ 202.444945] usb 2-7: No LPM exit latency info found, disabling LPM. [ 202.556817] usb 2-8: reset full-speed USB device number 6 using xhci_hcd [ 202.908691] usb 2-6: reset high-speed USB device number 4 using xhci_hcd [ 203.932602] ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 320) [ 204.044890] ata1.00: configured for UDMA/133 [ 206.228698] PM: resume of devices complete after 4855.892 msecs [ 206.380738] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment [ 206.383152] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment [ 206.385775] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment [ 206.388066] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment [ 206.390415] acpi device:30: Cannot transition to power state D3cold for parent in (unknown) [ 206.393078] pci_bus 0000:01: Allocating resources [ 206.393098] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment [ 206.395470] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment [ 206.397927] i915 0000:00:02.0: BAR 6: [??? 0x00000000 flags 0x2] has bogus alignment [ 206.518516] Restarting kernel threads ... done. [ 206.518812] PM: Basic memory bitmaps freed [ 206.518816] Restarting tasks ... done.

There is one more occasional Kernel Oops (below), which I believe again has to do with Intel.

[ 8770.745396] ------------[ cut here ]------------
[ 8770.745441] WARNING: CPU: 0 PID: 7206 at drivers/gpu/drm/i915/intel_display.c:9756 intel_check_page_flip+0xd2/0xe0 [i915]()
[ 8770.745444] Kicking stuck page flip: queued at 466186, now 466191
[ 8770.745445] Modules linked in: cpuid rfcomm ctr ccm bnep pci_stub vboxpci(O) vboxnetadp(O) vboxnetflt(O) vboxdrv(O) bridge stp llc xt_conntrack iptable_filter ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_CHECKSUM xt_tcpudp iptable_mangle ip_tables x_tables nls_utf8 nls_cp437 vfat fat rtsx_usb_ms memstick snd_hda_codec_hdmi joydev mousedev hid_sensor_rotation hid_sensor_incl_3d hid_sensor_als hid_sensor_accel_3d hid_sensor_magn_3d hid_sensor_gyro_3d hid_sensor_trigger industrialio_triggered_buffer kfifo_buf industrialio hid_sensor_iio_common iTCO_wdt iTCO_vendor_support hid_multitouch x86_pkg_temp_thermal intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm btusb hid_sensor_hub bluetooth uvcvideo videobuf2_vmalloc videobuf2_memops
[ 8770.745484] videobuf2_core v4l2_common videodev media pcspkr evdev mac_hid arc4 psmouse serio_raw efivars i2c_i801 rtl8723be btcoexist rtl8723_common rtl_pci rtlwifi mac80211 snd_soc_rt5640 cfg80211 snd_soc_rl6231 snd_hda_codec_realtek i915 snd_soc_core snd_hda_codec_generic ideapad_laptop ac snd_compress dw_dmac sparse_keymap drm_kms_helper rfkill battery dw_dmac_core snd_hda_intel snd_pcm_dmaengine snd_soc_sst_acpi snd_hda_controller video 8250_dw regmap_i2c snd_hda_codec drm snd_hwdep snd_pcm spi_pxa2xx_platform i2c_designware_platform soc_button_array snd_timer i2c_designware_core snd i2c_algo_bit soundcore shpchp lpc_ich button processor fuse ipv6 autofs4 ext4 crc16 jbd2 mbcache btrfs xor raid6_pq algif_skcipher af_alg dm_crypt dm_mod sg usbhid sd_mod rtsx_usb_sdmmc rtsx_usb crct10dif_pclmul
[ 8770.745536] crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd ahci libahci libata xhci_pci ehci_pci xhci_hcd ehci_hcd scsi_mod usbcore usb_common thermal fan thermal_sys hwmon i2c_hid hid i2c_core sdhci_acpi sdhci mmc_core gpio_lynxpoint
[ 8770.745561] CPU: 0 PID: 7206 Comm: icedove Tainted: G W O 4.0.4+ #14
[ 8770.745563] Hardware name: LENOVO 20344/INVALID, BIOS 96CN29WW(V1.15) 10/16/2014
[ 8770.745565] 0000000000000000 ffffffffa0706f68 ffffffff81522198 ffff88025f203dc8
[ 8770.745569] ffffffff8106c5b1 ffff880250f83800 ffff880254dcc000 0000000000000000
[ 8770.745572] 0000000000000000 0000000000000000 ffffffff8106c62a ffffffffa0709d50
[ 8770.745575] Call Trace:
[ 8770.745577] <IRQ> [<ffffffff81522198>] ? dump_stack+0x40/0x50
[ 8770.745592] [<ffffffff8106c5b1>] ? warn_slowpath_common+0x81/0xb0
[ 8770.745595] [<ffffffff8106c62a>] ? warn_slowpath_fmt+0x4a/0x50
[ 8770.745616] [<ffffffffa06a0bb3>] ? __intel_pageflip_stall_check+0x113/0x120 [i915]
[ 8770.745634] [<ffffffffa06af042>] ? intel_check_page_flip+0xd2/0xe0 [i915]
[ 8770.745652] [<ffffffffa067cde1>] ? ironlake_irq_handler+0x2e1/0x1010 [i915]
[ 8770.745657] [<ffffffff81092d1a>] ? check_preempt_curr+0x5a/0xa0
[ 8770.745663] [<ffffffff812d66c2>] ? timerqueue_del+0x22/0x70
[ 8770.745668] [<ffffffff810bb7d5>] ? handle_irq_event_percpu+0x75/0x190
[ 8770.745672] [<ffffffff8101b945>] ? read_tsc+0x5/0x10
[ 8770.745676] [<ffffffff810bb928>] ? handle_irq_event+0x38/0x50
[ 8770.745680] [<ffffffff810be841>] ? handle_edge_irq+0x71/0x120
[ 8770.745685] [<ffffffff810153bd>] ? handle_irq+0x1d/0x30
[ 8770.745689] [<ffffffff8152a866>] ? do_IRQ+0x46/0xe0
[ 8770.745694] [<ffffffff8152866d>] ? common_interrupt+0x6d/0x6d
[ 8770.745695] <EOI> [<ffffffff8152794d>] ? system_call_fastpath+0x16/0x1b
[ 8770.745701] ---[ end trace 8e339004db29883a ]---

Network

In my case, the laptop came with the Realtek Wireless device (details above in lspci output). Note: The machine has no wired interface.

While the Intel Wifi devices shipped with this laptop have their own share of problems, this device (rtl8723be) works out of the box. But only for a while. There is no certain pattern on what triggers the bug, but once triggered, the network just freezes. Nothing is logged.

If your Yoga 2 13 came with the RTL chip, the following workaround may help avoid the network issues.

rrs@learner:/media/SSHD/tmp$ cat /etc/modprobe.d/rtl8723be.conf
options rtl8723be fwlps=0

MCE

Almost every boot, eventually, the kernel reports MCE errors. Not something I understand well, but so far, it hasn't caused any visible issues. And from what I have googled so far, nobody seems to have fixed it anywhere.

So, with fingers crossed, let's just hope this never translates into a real problem.

What the kernel reports of the CPU's capabilities.

[ 0.041496] mce: CPU supports 7 MCE banks
[  299.540930] mce: [Hardware Error]: Machine check events logged

The MCE logs extracted from the buffer.

mcelog: failed to prefill DIMM database from DMI data
Hardware event. This is not a software error.
MCE 0
CPU 0 BANK 5
MISC 38a0000086 ADDR fef81880
TIME 1432455005 Sun May 24 13:40:05 2015
MCG status:
MCi status:
Error overflow
Uncorrected error
MCi_MISC register valid
MCi_ADDR register valid
Processor context corrupt
MCA: corrected filtering (some unreported errors in same region)
Generic CACHE Level-2 Generic Error
STATUS ee0000000040110a MCGSTATUS 0
MCGCAP c07 APICID 0 SOCKETID 0
CPUID Vendor Intel Family 6 Model 69
Hardware event. This is not a software error.
MCE 1
CPU 0 BANK 6
MISC 78a0000086 ADDR fef81780
TIME 1432455005 Sun May 24 13:40:05 2015
MCG status:
MCi status:
Uncorrected error
MCi_MISC register valid
MCi_ADDR register valid
Processor context corrupt
MCA: corrected filtering (some unreported errors in same region)
Generic CACHE Level-2 Generic Error
STATUS ae0000000040110a MCGSTATUS 0
MCGCAP c07 APICID 0 SOCKETID 0
CPUID Vendor Intel Family 6 Model 69
Hardware event. This is not a software error.
MCE 2
CPU 0 BANK 5
MISC 38a0000086 ADDR fef81880
TIME 1432455114 Sun May 24 13:41:54 2015
MCG status:
MCi status:
Error overflow
Uncorrected error
MCi_MISC register valid
MCi_ADDR register valid
Processor context corrupt
MCA: corrected filtering (some unreported errors in same region)
Generic CACHE Level-2 Generic Error
STATUS ee0000000040110a MCGSTATUS 0
MCGCAP c07 APICID 0 SOCKETID 0
CPUID Vendor Intel Family 6 Model 69
Hardware event. This is not a software error.
MCE 3
CPU 0 BANK 6
MISC 78a0000086 ADDR fef81780
TIME 1432455114 Sun May 24 13:41:54 2015
MCG status:
MCi status:
Uncorrected error
MCi_MISC register valid
MCi_ADDR register valid
Processor context corrupt
MCA: corrected filtering (some unreported errors in same region)
Generic CACHE Level-2 Generic Error
STATUS ae0000000040110a MCGSTATUS 0
MCGCAP c07 APICID 0 SOCKETID 0
CPUID Vendor Intel Family 6 Model 69
Categories: Elsewhere
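
The STATUS values in the mcelog output of the post above can be decoded by hand. The following is an added example, not part of the original post; it assumes the architectural IA32_MCi_STATUS layout described in the Intel SDM and decodes only the cache-hierarchy error code that appears in these logs. The function and table names are chosen for this example.

```python
# Added example: decode IA32_MCi_STATUS values such as those in the mcelog output.
# Bit layout assumed from the architectural machine-check format (Intel SDM, Vol. 3B).

FLAGS = [(63, "VAL"), (62, "OVER"), (61, "UC"), (60, "EN"),
         (59, "MISCV"), (58, "ADDRV"), (57, "PCC")]
REQUEST = {0: "ERR", 1: "RD", 2: "WR", 3: "DRD", 4: "DWR",
           5: "IRD", 6: "PREFETCH", 7: "EVICT", 8: "SNOOP"}
TRANSACTION = {0: "instruction", 1: "data", 2: "generic"}
LEVEL = {0: "L0", 1: "L1", 2: "L2", 3: "generic"}


def decode_cache_code(code):
    """Decode a cache-hierarchy compound error code: 000F 0001 RRRR TTLL."""
    if code & 0xEF00 != 0x0100:          # some other error class; not handled here
        return None
    return {
        "filtered": bool(code & 0x1000),  # F bit: correction report filtering
        "request": REQUEST.get((code >> 4) & 0xF, "reserved"),
        "transaction": TRANSACTION.get((code >> 2) & 0x3, "reserved"),
        "level": LEVEL[code & 0x3],
    }


def decode_status(hex_status):
    """Split a STATUS value (hex string as printed by mcelog) into its fields."""
    status = int(hex_status, 16)
    mca_code = status & 0xFFFF
    return {
        "flags": [name for bit, name in FLAGS if (status >> bit) & 1],
        "mca_code": mca_code,
        "model_specific_code": (status >> 16) & 0xFFFF,
        "cache": decode_cache_code(mca_code),
    }


# STATUS values copied from the two banks reported in the post.
SAMPLES = {"BANK 5": "ee0000000040110a", "BANK 6": "ae0000000040110a"}

if __name__ == "__main__":
    for bank, value in SAMPLES.items():
        d = decode_status(value)
        print(bank, value, " ".join(d["flags"]), hex(d["mca_code"]), d["cache"])
```

The decoded flags line up with the text mcelog printed: both banks carry UC, MISCV, ADDRV and PCC, and only bank 5 has OVER set ("Error overflow").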
