
Best SoC desktop computer replacement FOR productive use AND Youtube Playback, Prime Video??


Vaseline


I wonder what the best desktop replacement might be. I'm in need of a stable and secure desktop replacement that is energy saving and capable of doing office work, browsing the web and even playing back videos from YouTube and Prime Video. 4K isn't necessary but I want at least 720p or 1080 fullscreen.

 

If possible:

No internal SPI / EEPROM / flash memory. I want the firmware to be loaded from a USB storage device / SD card that gets hardware write protected after the first setup. Like a live distro from DVD, so that there is no risk of getting infected by rootkit / bad firmware ever. Most current gen SoCs offer built in flash memory. Older ones like Rock64, Pi3 and even the newer Odroid C4 don't seem to have built in flash memory, which might suit my needs.

 

The Odroid C4 has been my favorite choice but a lot of people complained about several bugs and poor OS support in general - David L wrote: "It's now Jan 2021 and it's a shame that with this excellent hardware the OS situation is still very poor with many issues such as freezing regularly, black/frozen screens if the monitor goes into standby mode while you are away, and many more. There are manual fixes for some of them, but the level of OS support shouldn't still be this poor and left to users to identify fixes. It was the same with the U3 and (less so with the) C2, and unless HK provide more OS support, they will find people moving to other platforms (no matter how good their h/w is!)."

 

  • Amazon Prime playback compatibility isn't necessary
  • Fullscreen YouTube 720p playback capability is mandatory
  • Being able to use a live distro is mandatory

 

 

I'm really looking forward to your suggestions.

 

Best regards

Link to comment
Share on other sites

I would check out some of NicoD's videos on YouTube, as he is a desktop Armbian user and has made several videos from that perspective.  I am sure there must be some other forum threads around here about it as well.

 

20 hours ago, Vaseline said:

Being able to use a live distro is mandatory

 

If you meant swapping SD cards, then OK.  But if you mean a true live distro, like on a USB thumb drive (as on x86), then probably not (in most cases) as arm/SBC world is very different from x86, especially around booting.

 

20 hours ago, Vaseline said:

Fullscreen YouTube 720p playback capability is mandatory

 

If you can't get that to work in a (bloated) browser, a workaround I often use is to open the video in mpv.  In fact you can do something like 'mpv youtubelink' and mpv has youtube-dl (or equivalent) installed as a dependency and can usually download and display the video all in one go.  Saved me more than once on several low-spec or older devices.

 

20 hours ago, Vaseline said:

I want the firmware to be loaded from a USB Storage / SD Card that gets hardware write protected after the first setup. Like a live distro from dvd so that there is no risk of getting infected by rootkit / bad firmware ever.

 

I somehow missed this on first read.  But I guess it is one of your main requirements.  I don't think you will find that.  Because Linux kernel, and drivers, etc. (what you might call firmware) are being developed all the time.  And so they will be moving forward, and released with new versions of Armbian.

 

Having said that, at least with Armbian (and Free Software in general) you can see what the sources are, where they come from, when they get upgraded, build your own if you like, etc.  There are also some options to freeze kernels, etc. which would get you pretty close to what you are looking for I think.  As close as I think you will be able to get, anyway.

 

20 hours ago, Vaseline said:

a lot of people complained about several bugs and poor os support in general

 

Very few of these vendors provide any real long term (mainline) software support.  Such is life in SBC world.  These devices are fascinating, but it is up to us to keep them working (N.B. some of links/statements in my forum signature).

 

 

Link to comment
Share on other sites

Thank you very much for your precious time!

 

You are right, the live distro and missing eeprom/flash memory is mandatory because I have to handle a lot of passwords on my business machine that I type in by hand. Any keylogger or rootkit would result in having to change about a thousand passwords (which is a pain in the *** - I had to do this once)

 

So I was thinking of a device that loads the firmware and OS from a storage medium (SD card or USB stick / USB SSD). After installing firmware, setting up hardware and a live distro, I want to make the storage write protected by using an adapter with h/w write-protect (as described here sdlocker or hardware write-protection sum up)

 

When certain updates are needed I have to create a new live distro, copy it to the storage medium and h/w write protect it afterwards.

 

Just like a dvd live linux works. However... I would need to be able to boot from USB this way.

 

 

  1. Any idea on how to achieve a real hw write-protect when using eMMC as storage medium?
  2. Isn't there any SoC device that might suit my needs? No internal flash memory and USB boot capability? @NicoD
  3. Or does anyone know of a method to make an sd card write protected by hardware without rerouting through usb?

 

Imho the Odroid C4 could suit my needs well but it doesn't boot from USB. As far as I know it doesn't have EEPROM/flash memory and loads everything from attached storage media. And it should be powerful enough for 720p playback within the browser - am I right? But how could I achieve real hardware write protection on this one?
 

PS. I'm not tied to armbian. I might as well use another Linux distro if necessary and I will have a look at the recommended videos from NicoD now.

 

 

Edited by Vaseline
Link to comment
Share on other sites

What about setting the PERM_WRITE_PROTECT flag on the SD card after firmware, config files and the Linux live distribution are stored on the card's memory? - This could do the trick.

https://forums.raspberrypi.com/viewtopic.php?p=1447783

 

  • a) Will a SoC like the Odroid C4 be able to load the firmware from a read only / write protected sd card?
  • b) Will the device be able to boot a linux live distro afterwards?
Link to comment
Share on other sites

Would a regular encrypted drive/volume solve your problem?  I guess you could also keep the OS on an SD card, and remove it when not using it?  Possibly and/or using some hardware encryption key as well?

 

Most security really boils down to defining your threat surface (what you are trying to protect from).  I am kind of tired, but I am having a hard time framing things from this perspective in my mind right now for your situation.  Probably just me.  And a lot of that is not really Armbian specific, anyway.

 

On 8/15/2022 at 11:30 AM, Vaseline said:

PS. I'm not tied to armbian. I might as well use another Linux distro if necessary and I will have a look at the recommended videos from NicoD now.

 

You can use what you like, but you may find that Armbian is far ahead of a lot of other distros, at least on SBCs (and obviously/especially where you prefer Debian based distro).  A lot of NicoD's videos are about Armbian desktop, not other distros.

Link to comment
Share on other sites

I would love to use Armbian. I just mentioned that another OS would be okay as well if Armbian has any limitations regarding my goal of a write protected setup.

A regular encrypted volume doesn't solve my problem. I'm looking for a write protected setup like a live distro - no write access to the Linux partition and no internal flash memory within the SBC

Does the Odroid C4 need any write access to the SD card after initial setup?

 

If not I might just install a live distro on the sd card and set the PERM_WRITE_PROTECT flag

Edited by Vaseline
Link to comment
Share on other sites
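A read-only check for the PERM_WRITE_PROTECT idea raised in the two posts above, as an added example that is not from any poster in this thread: it decodes the protection bits of the card's CSD register as Linux exposes it in sysfs. The sample CSD strings are constructed, and the device name `mmcblk0` and all function names are assumptions.

```python
"""Decode the write-protect bits of an SD card's CSD register (added example)."""
from pathlib import Path

# Bit positions inside the 128-bit CSD (SD Physical Layer specification).
COPY_BIT, PERM_WRITE_PROTECT_BIT, TMP_WRITE_PROTECT_BIT = 14, 13, 12

# Constructed sample dumps (32 hex digits each); only bits 13/12 differ.
SAMPLE_WRITABLE = "400e00325b5900003b377f800a404000"
SAMPLE_PERM = "400e00325b5900003b377f800a406000"
SAMPLE_TMP = "400e00325b5900003b377f800a405000"


def decode_csd(csd_hex: str) -> dict:
    """Return the protection-related fields of a CSD given as hex text."""
    csd_hex = csd_hex.strip()
    if len(csd_hex) != 32:
        raise ValueError("expected a 128-bit CSD as 32 hex digits")
    csd = int(csd_hex, 16)  # ValueError on non-hex input
    return {
        "csd_structure": (csd >> 126) & 0x3,  # 0 = CSD v1, 1 = CSD v2
        "copy": bool((csd >> COPY_BIT) & 1),
        "perm_write_protect": bool((csd >> PERM_WRITE_PROTECT_BIT) & 1),
        "tmp_write_protect": bool((csd >> TMP_WRITE_PROTECT_BIT) & 1),
    }


def verdict(state: dict) -> str:
    """Summarise what the card itself reports about write protection."""
    if state["perm_write_protect"]:
        return "permanent"
    if state["tmp_write_protect"]:
        return "temporary"  # can be cleared again by the host
    return "writable"


def card_state(dev: str = "mmcblk0", sysfs: str = "/sys/block") -> dict:
    """Read the CSD and the kernel's read-only flag for one block device."""
    base = Path(sysfs) / dev
    state = decode_csd((base / "device" / "csd").read_text())
    # The kernel's own view; reported separately from the card's CSD bits.
    state["kernel_read_only"] = (base / "ro").read_text().strip() == "1"
    return state


if __name__ == "__main__":
    for name, csd in [("writable", SAMPLE_WRITABLE), ("perm", SAMPLE_PERM)]:
        print(name, verdict(decode_csd(csd)))
    if (Path("/sys/block/mmcblk0/device/csd")).exists():
        print("mmcblk0", card_state())
```

Running it before and after setting the flag shows whether the card actually accepted the change; the `ro` value is printed alongside because the kernel's read-only state and the card's CSD bits are separate pieces of information.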

My favorite desktop SoC is by far the RK3399. It can do all you want. Good youtube playback at 1080p. (even 1440p when overclocked to 1.5Ghz/2Ghz)
Good for browsing and rock stable.
I've been using it for a few years now and never had much trouble.
Now I still use the PineBook Pro as desktop laptop for on the road to watch movies, do some video editing and browsing.

If you need something faster the Odroid N2+ can do it too. But it's not as stable and has problems with its USB3 ports. But it's the fastest well supported board.
My favorite makers are FriendlyElec(nanopi M4), Hardkernel (Odroid N2+), Radxa (Rock4B).
Others I would avoid. Maybe the OPi4LTS is ok. But I've got no experience with it. I'm not buying OPi boards anymore. They don't care about software for their boards, they only want to sell boards.

I've never tried write protected Armbian. So that you'll have to test yourself. Let us know how it goes.
No idea why you would want a board without SPI. Doesn't make it more unsafe. And wouldn't stop you to use write protected OS to my (limited) knowledge.
I've never used S905X3 for desktop. I do have 2 Odroid HC4's. They are amazing for NAS. Great for gaming with emuElec. For desktop itself it's a bit underpowered for me.

Now more powerful SoCs are released. I've got the Khadas VIM4 with 8-cores. Great board, but lacking in software. Also the RK3588 is being released now, but that'll take a while before it's as good as the RK3399 in software.
Good luck.

Link to comment
Share on other sites

1 hour ago, NicoD said:

Also the RK3588 is being released now, but that'll take a while before it's as good as the RK3399 in software.

Indeed. Especially thinking about both are high-end SoCs and some features of the RK3399 are still WIP years after its release. So expect that RK3588 will also take probably five years at least to bring almost everything in good shape.

Link to comment
Share on other sites

Quote

No idea why you would want a board without SPI. Doesn't make it more unsafe. And wouldn't stop you to use write protected OS to my (limited) knowledge.

 

As long as any kind of flash memory is involved in the booting process and the flash memory is writable without an external programmer - I consider this setup unsafe. If any software can be loaded in front of the OS without my knowledge... (Thought process transferred to desktop computers: Who is checking his UEFI on a regular basis? All kind of malicious software might get loaded - see
https://security.stackexchange.com/questions/196746/how-can-you-reset-a-uefi-completely-in-case-of-a-firmware-infection

https://www.bleepingcomputer.com/news/security/hp-patches-16-uefi-firmware-bugs-allowing-stealthy-malware-infections/
https://cooltechzone.com/news/windows-uefi-bootkit-might-be-infected-by-finspy-malware).

 

It's only a matter of time before criminals catch up with real good hackers or state authorities and abuse hardware security flaws on a large scale imho.

 

So while the chance of getting exploited on a SBC might be even smaller nowadays - I still want to keep my working environment as safe as possible. In fact I really wonder why only a few people around the world seem to care about their online safety - computers have become part of our lives and most of the hardware and software isn't safe by design.

 

A serial programmable interface itself is fine. I just want a SoC/SBC that has no additional flash memory installed.

 

Regarding the Pinebook Pro:

 

Quote

Even if you need to recover from a defective bootloader written to the SPI flash, you can simply short pin 6 of the SPI flash to GND and boot. This will render the SoC bootrom unable to read from the SPI flash and have it fall back to reading the bootloader from other boot media like the eMMC or Micro SD card. (from https://wiki.pine64.org/wiki/Pinebook_Pro#Using_the_SPI_flash_device)

 

This might be an option for me "to overlook" the insecurity introduced by the built in SPI flash memory. But there is other firmware that can be altered through software level access (which to my humble knowledge is a security risk)

 

Quote

Firmware: The touchpad controller is connected to the keyboard controller. All touchpad events go through the keyboard controller and its software, then to the keyboard controller's USB port. Note that the touchpad does have separate firmware (which has to be written through the keyboard controller). The touchpad vendor’s firmware binary can be flashed from userspace using the following open source command-line utility: Kamil Trzciński’s pinebook-pro-keyboard-updater.

 

Isn't there any system that really is safe by design?

 

I'm not talking about total safety. If you are a high value target, drug kingpin and law enforcement agencies or state authorities are after you, they might just break into your flat or house silently and tamper with your hardware / bug your place whatsoever.

 

I just want to be safe from even the most experienced online crooks that might use any remote code execution exploit, privilege escalation, flash firmware / memory from the OS level and install their rootkit.

 

Why is this attack vector open and why does nobody seem to care?

Edited by Vaseline
Link to comment
Share on other sites

On 8/23/2022 at 7:07 PM, NicoD said:

I do have 2 Odroid HC4's. They are amazing for NAS. Great for gaming with emuElec. For desktop itself it's a bit underpowered for me.

 

Can you explain the limitations of the HC4's when using as a desktop replacement?

I mostly just work/edit on wordpress and other cms based websites, watch youtube videos / amazon prime and from time to time do basic image editing like changing image dimensions / file format or adding some text.

 

Might the HC4 suit my needs?

Link to comment
Share on other sites

2 hours ago, Vaseline said:

Can you explain the limitations of the HC4's when using as a desktop replacement?

No USB3. Only 1 USB2 port.
Good enough for TV box tasks and gaming. I wouldn't use it for desktop, but it can do it.
Only RK3399 is near perfect for desktop.

Link to comment
Share on other sites

55 minutes ago, NicoD said:

Only RK3399 is near perfect for desktop

Your information is already outdated :) .

Now there is a fully finished device that can be used as a full-fledged replacement for PC. Firefly Station M3 (rk3588s). This is a fully finished and ready-to-use device, you do not need to assemble anything manually, as from a designer. Today I tested it with Armbian to play fullscreen video. In 1080p mode - everything works without problems, including youtube. Details are in the topic about Station M3 on the forum.

 

DE works even in 4K mode quickly (especially if used as NVMe or SATA media, which are supported in M3)

 

 

ps I would not advise contacting any AML-based models.

 

 

Link to comment
Share on other sites

 

There is also a cheaper alternative - Station M2 and P2. To work as a desktop in 1080P mode, they fully cope with the work and also have Libreelec for use as a powerful and unique media center up to 4k. By the way, P2 has a unique possibility of direct and very easy connection of a standard SATA SSD, and it is easy to install Armbian on it.

Link to comment
Share on other sites

Some more information. I have just tested the latest version with kernel 6.0-rc3 on Station P1 (rk3399) - the result is very good. The initial state is Jammy XFCE with a desktop resolution of 1080p (1920 x1080), full-screen video via MPV\Celluloid works without problems and the temperature is no higher than 55 degrees, the processor frequency on the monitor is at 600\600 most of the time, i.e. the entire decoding process is performed on HW. Youtube playback to full screen (720p or 1080p is specified in the settings) without brakes, temperature within 55-68 degrees, frequency 1800 \1400, i.e. this is SW decoding, but the processor's capabilities are enough to work.  :)

 

 

Station P2 - The Debian test system is SID-XFCE. Full-screen video in MPV at 1080p - shows only 35-45 degrees. YouTube+Firefox full screen - 1080p and 720p does not exceed 50-60 degrees.

Link to comment
Share on other sites
