Please avoid 32 bit

Hi,

yesterday, Tom’s Hardware published an article named How to Build a Hardware Firewall with IPFire, in which they are effectively advising people to run a 32 bit installation in a virtual environment:

If you want to use a VM for IPFire, you can use the 32-bit ISO from the IPFire […]

I take this as an opportunity to stress the facts mentioned in 32 bit is dead - Long live 32 bit. The brutal truth here is: 32 bit installations are effectively in extended support. Yes, they will continue to work. They will probably continue to work until the next major kernel update, but we are not making any guarantees on that front.

Supporting 32 bit installations is causing more and more pain as application support is diminishing. The Linux Kernel’s security hardening against the all-new-and-improved CPU security vulnerabilities (thanks, Intel) on 32 bit is poor, and I have no reason to be optimistic on its future. Please do not get me wrong: Kernel developers do great work indeed, and the whole CPU security vulnerability topic is a time-consuming Sisyphus task, with no end in sight and no user ever saying ‘Thank you’. If people ever looked for a reason to be depressed, this is one.

At IPFire, unfortunately, we do not have the resources to significantly improve this situation. 32 bit installations are insecure, and if your hardware supports 64 bit, you are strongly encouraged to reinstall. At the hardware vulnerability page, you will probably see the difference.

While I appreciate the article at Tom’s Hardware, they could have done a better job by not bringing us a bunch of new 32 bit installations on virtualised systems. You do not want a firewall at that hardware security level.

Thanks, and best regards,
Peter Müller

5 Likes
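To check an existing installation against the advice in the post above, the following added example (not part of the original post and not IPFire's own code) classifies the kernel's per-vulnerability status files and tells a 32-bit install on a 64-bit capable CPU apart from a 32-bit only CPU. It assumes a Linux system that exposes /sys/devices/system/cpu/vulnerabilities and /proc/cpuinfo; the function names and advice labels are hypothetical.

```shell
#!/bin/sh
# Added example, not IPFire code. Function names and labels are hypothetical.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map one sysfs status string to a class; prefixes follow the kernel's
# documented "Not affected" / "Vulnerable" / "Mitigation: ..." values.
classify_status() {
    case "$1" in
        "Not affected"*)                    echo not_affected ;;
        "Mitigation:"*|"KVM: Mitigation:"*) echo mitigated ;;
        "Vulnerable"*|"KVM: Vulnerable"*)   echo vulnerable ;;
        *)                                  echo unknown ;;
    esac
}

# True if the x86 CPU described by cpuinfo file $1 has the "lm" (long mode) flag.
cpu_supports_64bit() {
    grep '^flags' "$1" | head -n 1 | grep -qw lm
}

# Print "name<TAB>class<TAB>raw status" for every entry in directory $1.
vuln_report() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        s=$(cat "$f")
        printf '%s\t%s\t%s\n' "$(basename "$f")" "$(classify_status "$s")" "$s"
    done
}

# Number of entries in directory $1 that are neither mitigated nor unaffected.
count_unmitigated() {
    vuln_report "$1" | awk -F'\t' '$2 == "vulnerable" || $2 == "unknown"' | wc -l | tr -d ' '
}

# Advice for machine type $1 (as printed by `uname -m`) and cpuinfo file $2.
arch_advice() {
    case "$1" in
        i?86) if cpu_supports_64bit "$2"; then echo "reinstall-64bit"
              else echo "32bit-only-cpu"; fi ;;
        x86_64|aarch64) echo "64bit-ok" ;;
        *) echo "other-arch" ;;
    esac
}

# Live run; skipped quietly where /proc or sysfs is unavailable.
if [ -r /proc/cpuinfo ] && [ -d "$VULN_DIR" ]; then
    echo "arch: $(uname -m) -> $(arch_advice "$(uname -m)" /proc/cpuinfo)"
    vuln_report "$VULN_DIR"
    echo "unmitigated entries: $(count_unmitigated "$VULN_DIR")"
fi
```

Running it before and after a move from 32 bit to 64 bit on the same hardware shows which entries change from vulnerable to mitigated.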

I have virtualized IPFire 64 bit for a long time without problems. I think the same: don’t use 32 bit. Maybe someone who has an account could write this to TH.

Please read Peter’s post again. His point is not that this won’t work. It is really really really NOT recommended and very dangerous.

2 Likes

Where does this leave 32 bit ARM installations? Mine are all Allwinner CPU and spectre-meltdown-checker reports “CPU manufacturer reports unaffected” against all vulnerabilities.

For many home users, on poor telecom infrastructure, ARM can handle the traffic, is low wattage and unobtrusive. I’m not suggesting it for new purchases, because economy amd64 devices are much better value.

Should wiki.ipfire.org - ARM start with “Deprecated - use only pre-existing hardware”?

Hi,

good question.

ARM seems to have fewer CPU vulnerability problems in general. However, according to Fireinfo,
only 1.85 % of the installations reporting back to us are running on ARM. Due to very interesting
Perl behaviour, we were recently forced to drop support for ARMv5.

> For many home users, on poor telecom infrastructure, ARM can handle the traffic, is low wattage and unobtrusive.

Basically, yes. Unfortunately, there are only a few good ARM boards out there, and sometimes they
seem to disappear sooner than folks can start to support it. Indeed, ARM64 is better for new
purchases - please let us know if you came across a suitable board, we will be most interested in
it. :slight_smile:

From the security perspective, I’d treat ARM32 differently than i586 and similar - at some point,
it probably will not matter, as the number of ARM32 installations is diminishing as well and there
is no good (and affordable) ARM64 hardware on the market.

Thanks, and best regards,
Peter Müller

If I can sum up Peter’s post in my words:

It is absolutely not worth it for us to maintain ARM 32 bit. It never was. It is a nice toy project. But we will support it…

Thanks Peter & Michael,

I’ll continue deploying my ARM32, as long as those are supported, but will not point beginners to them because they are too fiddly to set up & maintain, as well as having an uncertain future.

I’m not interested in ARM64 unless it has UEFI and that seems to make it unaffordable.

Refer to 32bit => 64bit - this is what the result looks like for an example of what CPU security vulnerability mitigations look like before and after migrating to 64 bit.

Is the 64bit version now running on Hyper-V? I remember having problems some releases ago…

Cheers
Uwe

Hi,

> Is the 64bit version now running on Hyper-V? I remember having problems some releases ago…

to my knowledge, there were no changes regarding Hyper-V within the last few Core Updates,
but your mileage may vary.

Could you please be more specific on “remember having problems some releases ago”? Which
release was that? What problems did you experience exactly?

Further, please consider running your firewall on dedicated hardware. Virtualisation is mainly
intended for development purposes and should be avoided in productive environments due to security
reasons.

Thanks, and best regards,
Peter Müller

I think it failed during installation…

Let me test it again. I’ll keep you posted.

As far as I know we have no bug tickets open regarding this.

I had it running on Azure once - assuming they are using Hyper-V underneath.

I think it was around core seventy-something… since then I used the 32 bit iso for VMs. Someone in the forum told me so. But yes, years ago.

…can I migrate to x64 easily? Export/import–>done?

> I think it was around core seventy-something… since then I used the 32 bit iso for VMs. Someone in the forum told me so. But yes, years ago.

Okay, that’s quite a while ago. :slight_smile:

> …can I migrate to x64 easily? Export/import–>done?

Yes, this is documented at wiki.ipfire.org - arch-change .

@power-valve:

Hi,

using real hardware only, I can’t say much about VMs. I didn’t migrate the rrds, too.

What I did: installed a new Core 144, restored my 32bit Core 144 backup and it worked “out of the box”.

Yes, I had a few minor problems since my system is somewhat “tuned” ( :roll_eyes: ), but it was a lot easier than I suspected.

HTH,
Matthias

Hi all,

just to have it mentioned, we discussed discontinuing support for 32-bit Intel (i[5-6]86, it is not clear what we will do with 32-bit ARM, yet) yesterday:

Agreed on discontinuing 32-bit support, scheduled EOL 31st December 2021

Broad announcements will follow in early January. Just to give everybody a chance to mentally prepare his-/herself for it. :wink:

Thanks, and best regards,
Peter Müller

1 Like

I was hoping for 2020.

Hi,

well, 2020 is almost over.

We thought it would be fair to give users enough time to upgrade their hardware, especially those who need to buy a new one and cannot just re-install the 64-bit version of IPFire. (Besides, not everybody has enough money right there, and some people might have to schedule such changes for maintenance windows.)

Until then, we will have to continue to endure the additional workload… :slight_smile:

Thanks, and best regards,
Peter Müller

1 Like