Wednesday, 22 September 2021

New release of 'isorespin.sh'

Following news of the GRUB2 Secure Boot Bypass 2021 and as a result of Google's security changes on Google Drive together with the first daily build's from Canonical of Ubuntu 21.10 (impish) and point releases for 20.04.3 and 18.04.6 I've updated my ‘isorespin.sh‘ script and respun some ISOs suitable for Intel Atom and Intel Apollo Lake devices.


Note that support for 21.10 (impish) is not finalized as the release is still under development so respinning will be experimental at this stage. However due to a new compression tool being used an additional package 'zstd' will need to be installed prior to attempting any respinning.


Unfortunately interest seems to have declined judging by the lack of donations so please remember to donate if you find this work useful.


Canonical announces new point releases - Ubuntu 20.04.3 and 18.04.6


Canonical have released both the third point release of Ubuntu 20.04 Long-Term Support (LTS) as Ubuntu 20.04.3 and an unexpected six point release of Ubuntu 18.04 Long-Term Support (LTS) as Ubuntu 18.04.6 as a result of GRUB2 Secure Boot Bypass 2021.

I’ve respun the desktop ISOs using my ‘isorespin.sh‘ script and created ISOs suitable for Intel Atom and Intel Apollo Lake devices:

Atom (-i ubuntu-20.04.3-desktop-amd64.iso --atom)
Apollo (-i ubuntu-20.04.3-desktop-amd64.iso --apollo)
Atom (-i ubuntu-18.04.6-desktop-amd64.iso --atom)
Apollo (-i ubuntu-18.04.6-desktop-amd64.iso --apollo)

I've also respun the 'Focal Fossa' desktop ISO with the '--server' option to create a pseudo server ISO suitable for Intel devices with a 32-bit bootloader:

Server (-i ubuntu-20.04.3-desktop-amd64.iso --server)

Also announced are the official 20.04.3 flavours of Ubuntu including Lubuntu which I've also respun to created an ISO suitable for Intel Atom devices:

Atom (-i lubuntu-20.04.3-desktop-amd64.iso --atom)


Downloading Note

After downloading an ISO file it is recommended to test that the file is correct and safe to use by verifying the integrity of the downloaded file. An error during the download could result in a corrupted file and trigger random issues during the usage of the ISO.

The program 'md5sum' is designed to verify data integrity using the MD5 (Message-Digest algorithm 5) 128-bit cryptographic hash. The MD5 calculation gives a checksum (called a hash value), which must equal the MD5 value of a correct ISO.

First open a terminal and go to the correct directory to check a downloaded ISO. Then run the command 'md5sum <ISO>' for example:

md5sum linuxium-atom-ubuntu-20.04.3-desktop-amd64.iso

'md5sum' should then print out a single line after calculating the hash:

166bef608b7cb64dd92ba804c490fa9e linuxium-atom-ubuntu-20.04.3-desktop-amd64.iso

Compare the hash (the alphanumeric string on left) from your output with the corresponding hash below. If both hashes match exactly then the downloaded file is almost certainly intact. However if the hashes do not match then there was a problem with the download and you should download the file again.


ISO 'md5sum' hashes

e2ec97be8ed27967335174e5551f29ce linuxium-atom-ubuntu-18.04.6-desktop-amd64.iso
ca7634b2e5c7d7ac8885b13a491242f9 linuxium-apollo-ubuntu-18.04.6-desktop-amd64.iso
166bef608b7cb64dd92ba804c490fa9e linuxium-atom-ubuntu-20.04.3-desktop-amd64.iso
1c0a56d3a7806c92f9c3ba0104ed4a1d linuxium-apollo-ubuntu-20.04.3-desktop-amd64.iso
91a6ac93e8f5976b73ee6c90ea4aacc9 linuxium-ubuntu-20.04.3-server-amd64.iso
052e5d0ab5e1b997b4df76d64c3db5a6 linuxium-atom-lubuntu-20.04.3-desktop-amd64.iso


Please donate if you find these ISOs useful.

Friday, 23 April 2021

Canonical have announced the release of Ubuntu 21.04 (Hirsute Hippo)

 


Canonical have announced the latest release of Ubuntu 21.04 (Hirsute Hippo).

I’ve respun the desktop ISO using my ‘isorespin.sh‘ script and created ISOs suitable for Intel Atom and Intel Apollo Lake devices:

Atom (-i ubuntu-21.04-desktop-amd64.iso --atom)
Apollo (-i ubuntu-21.04-desktop-amd64.iso --apollo)



Also announced are the official 21.04 flavours of Ubuntu including Lubuntu which I've also respun to created an ISO suitable for Intel Atom devices:

Atom (-i lubuntu-21.04-desktop-amd64.iso --atom)


Downloading Note

After downloading an ISO file it is recommended to test that the file is correct and safe to use by verifying the integrity of the downloaded file. An error during the download could result in a corrupted file and trigger random issues during the usage of the ISO.

The program 'md5sum' is designed to verify data integrity using the MD5 (Message-Digest algorithm 5) 128-bit cryptographic hash. The MD5 calculation gives a checksum (called a hash value), which must equal the MD5 value of a correct ISO.

First open a terminal and go to the correct directory to check a downloaded ISO. Then run the command 'md5sum <ISO>' for example:

md5sum linuxium-atom-ubuntu-21.04-desktop-amd64.iso

'md5sum' should then print out a single line after calculating the hash:

2b128897a29f7afda3651b7e89c70970 linuxium-atom-ubuntu-21.04-desktop-amd64.iso

Compare the hash (the alphanumeric string on left) from your output with the corresponding hash below. If both hashes match exactly then the downloaded file is almost certainly intact. However if the hashes do not match then there was a problem with the download and you should download the file again.


ISO 'md5sum' hashes

2b128897a29f7afda3651b7e89c70970 linuxium-atom-ubuntu-21.04-desktop-amd64.iso
7fdda3001f15fd1c630c35e7ee00be0b linuxium-apollo-ubuntu-21.04-desktop-amd64.iso
2cb56280548c243ba4c158d3540c5aa7 linuxium-atom-lubuntu-21.04-desktop-amd64.iso


Please donate if you find these ISOs useful.

Saturday, 10 April 2021

Virtualization Performance on an Intel NUC 11 Enthusiast Phantom Canyon NUC11PHKi7C


I've previously looked at Windows and Linux performance on the NUC11PHKi7C Enthusiast Phantom Canyon which is Intel’s latest NUC 11 flagship product specifically targeting gamers as it includes an NVIDIA RTX 2060 GPU.

One usage aspect I didn't test was virtualization and this brief article looks at the performance running VirtualBox and WSL2 on the NUC11PHKi7C and comparing it to Intel’s previous NUC with a discrete GPU: the NUC 9 Extreme Ghost Canyon.


Hardware Overview

For the NUC 9 Extreme I’ve using a NUC9i7QNX model and I purchased both the NUC11PHKi7C and NUC9i7QNX as barebone devices.

The NUC11PHKi7C has an Intel Core i7-1165G7 Tiger Lake processor which is a quad-core 8-thread 2.80 GHz processor boosting to 4.70 GHz and also includes an NVIDIA N18E-G1-B notebook graphics card which is a GeForce RTX 2060 mobile GPU. I’ve installed a 2TB M.2 2280 NVMe drive from addlink (S70) and 64GB (2 x 32GB) DDR4 3200MHz memory from G.SKILL.

The NUC9i7QNX has an Intel Core i7-9750H Coffee Lake processor which is a hex-core 12-thread 2.60 GHz processor boosting to 4.50 GHz. I've installed a 2TB M.2 2280 NVMe drive from ADATA (XPG 8200 Pro), 64GB (2 x 32GB) of Team Group’s Team Elite DDR4 3200MHz memory and an EVGA GeForce RTX 2060 KO ULTRA GAMING GPU.


Software Overview

On each device I've installed Windows 10 Pro and Ubuntu 20.04 LTS as dual boot. On Windows I've enabled Windows Subsystem for Linux (WSL) version 2 and then installed Ubuntu 20.04 LTS Linux distribution for WSL. Then for each OS I've installed Oracle VM VirtualBox and created VMs of either Windows 10 Enterprise or Ubuntu 20.04 LTS as antithesis to the host OS. 


Installation Issues

Whilst there were no instalation problems with the NUC9i7QNX, the NUC11PHKi7C encountered a major issue. Initially for Ubuntu I was using the latest kernel (5.8.0-48-generic). Once Windows 10 Enterprise was installed in VirtualBox I noticed the VM occationally crashing for no apparent reason. However after downloading Passmark Performance Test version 10.1 the installation file refused to run:

I then had slightly more success in downloading and installing Passmark Performance Test version 9.0 however the application then refused to run:

but I did get Passmark Performance Test version 8.0 to both install and run:

however it subsequently crashed the VM.

After many reinstalls and web searching I discoverd that a bug for the crashing issue has already been raised: https://www.virtualbox.org/ticket/20180 and that 'using a Linux kernel 5.4 does not exhibit the problem'. Switching to the 5.4.0-70-generic kernel did indeed solve all the problems including no more crashes and allowed the successful installation and execution of Passmark Performance Test version 10.1.


Virtualization on Windows

For a Windows baseline I ran the CPU tests from Passmark Performance Test natively in Windows:

NUC9i7QNX

NUC11PHKi7C

and interestingly despite having fewer cores the NUC11PHKi7C's Windows performance was 3% better than on the NUC9i7QNX.

The first virtualization comparison is against running Windows in VirtualBox on Ubuntu where I ran the same CPU tests using the Linux version of Passmark Performance Test:

NUC9i7QNX

NUC11PHKi7C

and this shows that hardware-wise the NUC11PHKi7C performance was 18% worse than the NUC9i7QNX. Software-wise virtualization on the NUC9i7QNX performed similarly to its native performance at only 1% lower however for the NUC11PHKi7C it was 19% worse.

For an Ubuntu baseline I ran the CPU tests from Passmark Performance Test Linux natively in Ubuntu:

NUC9i7QNX

NUC11PHKi7C

and this time the NUC9i7QNX Ubuntu performance was 1% better than on the NUC11PHKi7C.

The second virtualization comparison is against running Ubuntu in VirtualBox on Windows:

NUC9i7QNX

NUC11PHKi7C

which again hardware-wise shows the NUC11PHKi7C performing worse than the NUC9i7QNX but this time by only 12%. Virtualization however is markedly different with the NUC11PHKi7C being 47% worse than running Ubuntu natively and 42% worse for the NUC9i7QNX.

The final virtualization comparison is against WSL2:

NUC9i7QNX

NUC11PHKi7C

where the NUC11PHKi7C performed 4% better than the NUC9i7QNX hardware-wise. It was also the best for Ubuntu virtualisation with only a loss of 1% for the NUC11PHKi7C and a 6% loss for the NUC9i7QNX. It should also be pointed out that all of the results can be affected by test run margin of error.

The full results are summarised below:



Conclusion

Although this is very limited testing it suggests that from a hardware perspective VirtualBox on the 6-core 12-thread NUC9i7QNX performs better than on the 4-core 8-thread NUC11PHKi7C even though the native performance is similar. Virtualbox on Windows is much worse than on Ubuntu however the real winner is the performance of running Ubuntu under WSL2 as it is comparable to the native performance. Also of note is that Ubuntu performance is slightly better than Windows performance.


Donate

Please donate if you find these types of comparisons useful using the following link http://goo.gl/nXWSGf as everything helps with hardware costs.

Wednesday, 18 November 2020

Respun ISOs Questionnaire


I've just released a new version of 'isorespin.sh' that supports the respinning of the latest Ubuntu and Ubuntu flavoured 20.10 (Groovy Gorilla) ISOs.

However I don't have sufficient space available at the moment to post an example ISO similar to those posted here.

So I've created a questionnaire to ask which ISOs are required both now and in the future.

There are only three sections:

Types of ISOs
Distro releases
Future ISOs

containing a total of 10 questions requiring a simple 'yes' or 'no' answer and a final open-ended question.

Please complete the questionnaire to ensure your opinion and needs are heard.

Also if you find the script or ISOs useful please donate using the following link http://goo.gl/nXWSGf as everything helps with development costs.

Tuesday, 29 September 2020

Canonical have announced a new point release for Ubuntu 16.04 LTS - 16.04.7 (Xenial Xerus)

Update: This work is superseded ... see 'ISOs' under 'Useful posts'.

Canonical have released the seventh point release of Ubuntu 16.04 Long-Term Support (LTS) as Ubuntu 16.04.7.

I’ve respun the desktop ISO using my ‘isorespin.sh‘ script and created ISOs suitable for Intel Atom and Intel Apollo Lake devices:

Atom (-i ubuntu-16.04.7-desktop-amd64.iso --atom)
Apollo (-i ubuntu-16.04.7-desktop-amd64.iso --apollo)


Downloading Note

After downloading an ISO file it is recommended to test that the file is correct and safe to use by verifying the integrity of the downloaded file. An error during the download could result in a corrupted file and trigger random issues during the usage of the ISO.

The program 'md5sum' is designed to verify data integrity using the MD5 (Message-Digest algorithm 5) 128-bit cryptographic hash. The MD5 calculation gives a checksum (called a hash value), which must equal the MD5 value of a correct ISO.

First open a terminal and go to the correct directory to check a downloaded ISO. Then run the command 'md5sum <ISO>' for example:
md5sum linuxium-atom-ubuntu-16.04.7-desktop-amd64.iso
'md5sum' should then print out a single line after calculating the hash:

e1c5c463c3d2078f7a26d65472b59973  linuxium-atom-ubuntu-16.04.7-desktop-amd64.iso

Compare the hash (the alphanumeric string on left) from your output with the corresponding hash below. If both hashes match exactly then the downloaded file is almost certainly intact. However if the hashes do not match then there was a problem with the download and you should download the file again.


ISO 'md5sum' hashes

e1c5c463c3d2078f7a26d65472b59973  linuxium-atom-ubuntu-16.04.7-desktop-amd64.iso
ee3367e767d2c0938cc12776d5cf288d  linuxium-apollo-ubuntu-16.04.7-desktop-amd64.iso


Please donate if you find these ISOs useful.

Saturday, 26 September 2020

'BootHole' implications for 'isorespin.sh'

 

(Credit: https://eclypsium.com/2020/07/29/theres-a-hole-in-the-boot)

When it was discovered that GRUB2 contained various vulnerabilities that would allow UEFI Secure Boot to be bypassed and which became known as the “BootHole” vulnerability (CVE-2020-10713), the recommendation was that all operating systems using GRUB2 with Secure Boot must release new installers and bootloaders. 

I reviewed 'isorespin.sh' at that time as one of it's key features is the option to add a GRUB2 bootloader to allow ISOs to boot on the many Intel devices limited by their BIOS requiring a 32-bit bootloader to boot a 64-bit OS.

My initial 'fix' was based around Ubuntu's response by recompiling and adding the latest fixed GRUB2 bootloader from 'groovy' (Ubuntu 20.10) and let the Ubuntu package manager 'apt' install the appropriate GRUB2 binaries to the ISO whilst being respun.

This initially worked, however after receiving what can only be described as some abusive 'hate' email from a user complaining that 'isorespin.sh' fails when installing the 32-bit binaries, I investigated and found that Canonical had effectively removed the earlier 32-bit GRUB2 packages with vulnerabilities.

The original 'isorespin.sh' process was to download the 32-bit GRUB2 packages whose version matched the 64-bit GRUB2 packages in the ISO and update the relevant package file with the details of these packages. However in Canonical's process when a package is replaced by a newer version at some point older versions get archived so the 'isorespin.sh' download process needs to perform the download from the archive location. At this point the package information is still typically available in the package manager's cache so it is still possible to update the relevant package file.

But in order to add the other functionality in 'isorespin.sh' such as updating the kernel or installing a package as part of respinning an ISO it is also necessary to update the package manager's cache. The issue that "BootHole" subsequently created for 'isorespin.sh' was that because the cache was now updated, the earlier versions of the GRUB2 packages with the vulnerabilities were (obviously) no longer included to prevent them from being selected and installed. The consequence was that because the downloaded earlier versioned 32-bit GRUB2 packages were no longer supported, when they were further processed either by 'isorespin.sh' or as part of ISO installation, errors occurred.

Part of the problem in fixing these errors was wanting to mimic the original ISO's ability to be installed either with or without a network connection and also address the "BootHole" vulnerability as part of respinning the ISO. A new issue was encountered because by simply downloading the latest and therefore fixed 32-bit GRUB2 packages left their package dependencies untouched. This leads to package incompatibility when trying to install these later versioned packages.  

To address this I've made the decision to continue to download the 32-bit GRUB2 packages whose version matches that of the ISO thereby keeping the integrity of the ISO. However in recognising that any package in the ISO's pool structure could be superseded by security updates I also then ensure that all of the pool packages are updated to their respective current version at time of respinning the ISO. This also means that their versions are reflected in the ISO's package manager's cache. Finally to correct the GRUB2 package dependencies I also update any GRUB2 packages currently installed in the ISO's filesystem.

Whilst this addresses the vulnerabilities caused by "BootHole" it does mean that if the Ubiquity installer installs other packages from the pool structure it may still result in package dependency issues. The workaround if this occurs is to either individually update the affected packages when respinning the ISO or use the '--dist-upgrade' option to upgrade all installed packages.

This newest version (8.6.4) is now available from 'isorespin.sh'. 

Please donate if you find the script useful using the following link http://goo.gl/nXWSGf as everything helps with development costs.