What are best settings for Intel CPU in UEFI Bios?

Hello,
my board is an ASRock H370M-ITX/ac.
Since my last problems I’m wondering how IPFire can best cope with the hardware, and I wanted to ask what is recommended regarding the CPU settings in the BIOS. I list here the options given in the BIOS; what should be activated/deactivated or set to automatic?

  • Intel Hyper Threading Technology
  • Active Processor Cores
  • CPU C States Support
  • Enhanced Halt State (C1E)
  • CPU C6 State Support
  • CPU C7 State Support
  • Package C State Support
  • CFG Lock
  • CPU Thermal Throttling
  • Intel Virtualization Technology
  • Hardware Prefetcher
  • Adjacent Cache Line Prefetch
  • Software Guard Extensions (SGX)

The question is based on the background that the addon cpufrequtils loads AMD options for my Intel CPU and gives kernel errors.

I suspect that the problem is that cpufrequtils was last updated in 2015 by the kernel devs.

The kernel devs have stopped working on cpufrequtils as the capability has been built-in into the kernel.

I suspect that the amd_pstates driver has changed over the last 9 years enough for cpufrequtils to no longer work correctly with it.

ASRock provide good guidance, in their manual, for most of these settings.

As a starting point:

  • disable Hyper Threading - because IPFire won’t use it
  • disable Virtualization - potential for attack
  • disable SGX - my older ASRock mainboard does not have this feature and worked fine with IPF. The feature might interfere with some low-level activities in IPF
  • leave other settings at defaults
1 Like

But also my WiFi card is not fully supported by IPFire and I did not find a reason why; in the doc of the loaded module nothing says that only 12 devices and only 802.11gn are supported instead of 802.11ac.
As an example… I disabled BT in Bios, perhaps that is a wrong setting?

The settings of the chipset, are they all supported? Some of them also affect the CPU configuration, like ASPM.

Is there a guide on how to set up the mainboard so that ipfire can work best with it?

Yes, but the manual says nothing about whether these settings are good in combination with IPFire; are they all supported?

But thx for this overview what I can try.

IPFire is using a recent, long-term-supported kernel that should support most of the mainboard options. The “C” states could certainly be enabled. Although IPFire will have constant Internet traffic, mine often operates at lower speeds. This will depend on what addons you are operating.

I am a bit puzzled. Actually rather bewildered.

If there are recommended CPU BIOS settings for IPFire, why are those not in the installation manual? ( www.ipfire.org - System Requirements ) And considering the amount of CPU / BIOS combinations how do you make an attempt to document them all?

Like, well a common example for Windows; since a few years back Windows inherently supports running virtual machines, assuming the CPU supports virtualization. That setting in BIOS is pretty much self-explanatory for many, if not most, Intel platforms, but not so much for AMD, where you have to find the Intel (VMX) setting in some sub menu. (My desktop runs AMD).

Considering I run IPFire on an Atom C2758 what are the recommended CPU BIOS settings for IPFire, if any? For all intents and purposes I always run BIOS on default settings unless something is specified, like the above virtualization example.

If you have configured a 2.4 GHz channel you have forced the card down to 802.11gn.

802.11ac is only available for 5Ghz Channels.

1 Like

Wrong. IPFire uses Hyperthreading if the CPU has no vulnerability that forces us to switch it off.

Depends on usage. If you want to use libvirt it must be enabled.

1 Like

Enable or is auto the better option? Very often you can set to auto and the OS decides if used or not…

Normally it is a Dual Wlan 2,4 Ghz and 5Ghz chip

I think it is not a question of combination but rather what is supported by ipfire, or rather by the kernel and what is needed.

So it doesn’t matter if I enable it, if the CPU is affected, will ipfire disable it?

Indeed
https://www.ipfire.org/blog/security-announcement-disabling-smt-by-default-on-affected-intel-processors

Usually such modules cannot use 2,4 Ghz and 5 Ghz at the same time.

Many modules are dual 2.4 GHz and 5 GHz.

Only a few are simultaneous operation on both the 2.4 GHz and 5 GHz

And for me they are hard to find!

1 Like

So even my cheap socket AP from TP-Link can use both frequencies at the same time.
Why shouldn’t that work at the same time for all Dual modules?

It is a good question. I wonder the same thing.

To do simultaneous, I know two radios are needed (2 transmitters and 2 receivers) and two antennas are needed. With only one antenna they would need a band-pass band-reject type filter and I am guessing that might be expensive. Lots of guessing on my part!

The vendors of those devices should be able to answer better than me…

the mainboard already has two antennas :smiley:

I think the main problem is that ASRock uses Intel WiFi cards. As I know from a H270M-ITX/ac, and the H370 user manual states the same. Only: Intel may do good WiFi client cards, but they are not engaged in doing good access points (APs) at all. Just because you and me are not a market for people watching millions of customers. They do not even implement AP usage for regions other than “00”.

Take a look at the ipfire hardware compatibility list and see, that at the moment only the Atheros driver ath10k is able to manage ac-APs fully. This is because of the policy of chip manufacturers, how to support open source projects like Linux with official low level drivers or at least low level info.

Btw1: When your cheap TP-Link AP does better ac, why not use it?

Btw2: Why do you use a full featured intel 8th or 9th generation hardware to run ipfire?

And btw3: ac actually defines action on the 5GHz band only. If a client or AP still uses 2,45GHz, too, then additionally and by n standard in best case. Before ax (WiFi6) there is no must for an AP to use 5 and 2,45GHz bands in parallel.

1 Like

I didn’t want to “complain” about the hardware support by Linux drivers, it was just another example why I wanted to inform myself about recommended bios settings.
I had scary experiences in another thread and because of sudden and spontaneous kernel errors I was also worried about faulty hardware, I installed mcelog for example. But it turned out that an older addon which should regulate the CPU caused the problems with the new kernel. So we come to the Bios, where I looked at the settings to see if I can or should change something in here? This closed the circle/context of my question, I thought.

I do, I use two different APs, one with 5GHz only and the cheap TP-Link plug AP with 2,4GHz and 5GHz, and both APs are on the green network. The TP-Link is my guest 5GHz network and the 2.4GHz band I use for my DreameBot lol at the moment. My older tablet also uses 2,4GHz only.
The WLAN card on board of IPFire I use as blue network for IoT devices, they also use 2,4GHz only.

9th Coffee Lake bought end of 2019, why is that a question? Is it too old? Or why a desktop CPU and H370 ITX board? I wanted a little 19" self-made firewall for my new home, so I bought all components (1,5HU 19" case/120GB SSD/ITX board/CPU/Noctua cooler/16GB RAM/350Watt PSU) for 569,47€.

Before that, at the beginning of 2014 when I also used ipfire for the first time, I bought a big loud monster for the basement, the first start was like an airplane take-off :D, a used HP ProLiant DL360 G6 with 2x Xeon L5520 Quad Core 2.26 GHz, 16 GB RAM, 292GB SAS and 4 NICs. (599,99€)
I didn’t have any good space left for and it was just completely over the top, but it was fun to deal with professional hardware.

I’ll do two or three replies. Just because there are at least two things worth discussing a bit more deeply.

Start with

No, a 9th Coffee Lake hardware is not too old at all. I’m just wondering, why you use such a powerful hardware for your ipfire. Do you have fibre multi gigabit or satellite DSL at your home and want/need to run self-controlled VPN with more than 1 Gbps?

For comparison: At my home I have a 50Mbit DSL served by an N3160 NUC-style hardware, whose throughput drops only a few percent if I switch to my external VPN. And recently I tried out an ARM-based appliance (Nanopi R4S) with nearly the same throughput, but still saving half of the DC power of the N3160. As line power got valuable for me these days, saving it is something I learned to take into account. At least for devices that run 24/7/365. You seem to be one of those lucky ones who do not need to.

From my experience, no BIOS lets you fine-tune any attached WiFi hardware, except with a global turn on or off, if at all. Because you are always free to plug in another WiFi card, even if it may be a bit more work on newer ASRock motherboards, as the WiFi card has got a housing there, which makes it not as easy to plug in another card as formerly. But basically you still can.
To come to BIOS: I never installed IPFire on my ASRock H270, but I think you should set your H370 BIOS to defaults before trying anything else. Then try (again) if you can turn on cpufreq by IPFire via SSH. It should at least offer “performance” or “powersave” governors. As it did on my N100, which is still newer than your Coffee Lake. So your hardware should be able to accept the Intel CPU ACPI kernel driver.

If you’d like to handle the blue-over-green nets more securely, maybe look here: how-to-setup-blue-for-mesh-access-points
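
The checks discussed in this thread (whether the kernel has SMT switched on, which CPU vulnerabilities it reports as exposed through SMT, and which cpufreq driver and governors it offers) can be read from the standard Linux sysfs files. This is an added example, not part of any post and not IPFire code; the function names are hypothetical and the sample tree with its values is constructed.

```shell
# Added example, not IPFire code. Reads the kernel's sysfs CPU files under a
# root directory (default /sys), so it also runs against a constructed copy.

cpu_dir() { printf '%s/devices/system/cpu' "${1:-/sys}"; }

# SMT control state as the kernel reports it (on, off, forceoff, notsupported).
smt_control() { cat "$(cpu_dir "$1")/smt/control" 2>/dev/null || echo unknown; }

# Names of vulnerability entries the kernel marks "SMT vulnerable", one per line.
smt_vulnerable() {
    for f in "$(cpu_dir "$1")"/vulnerabilities/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in *"SMT vulnerable"*) basename "$f" ;; esac
    done
}

# Active cpufreq driver of cpu0 (e.g. intel_pstate, acpi-cpufreq), or "none".
cpufreq_driver() { cat "$(cpu_dir "$1")/cpu0/cpufreq/scaling_driver" 2>/dev/null || echo none; }

# Succeeds if governor $2 is offered for cpu0.
has_governor() {
    grep -qw -- "$2" "$(cpu_dir "$1")/cpu0/cpufreq/scaling_available_governors" 2>/dev/null
}

# Constructed sample tree (values made up for the demo, not from a real board).
make_sample_tree() {
    d=$(mktemp -d) && c="$d/devices/system/cpu"
    mkdir -p "$c/smt" "$c/vulnerabilities" "$c/cpu0/cpufreq"
    echo on > "$c/smt/control"
    echo 'Mitigation: Clear CPU buffers; SMT vulnerable' > "$c/vulnerabilities/mds"
    echo 'Not affected' > "$c/vulnerabilities/meltdown"
    echo intel_pstate > "$c/cpu0/cpufreq/scaling_driver"
    echo 'performance powersave' > "$c/cpu0/cpufreq/scaling_available_governors"
    echo "$d"
}

report() {
    echo "SMT control:    $(smt_control "$1")"
    echo "SMT vulnerable: $(smt_vulnerable "$1" | tr '\n' ' ')"
    echo "cpufreq driver: $(cpufreq_driver "$1")"
    for g in performance powersave; do
        has_governor "$1" "$g" && echo "governor available: $g"
    done
    return 0
}

report "${1:-/sys}"
```

Run without arguments it reports on the live system; an empty "SMT vulnerable" line together with `on` means the kernel sees no reason to turn Hyper-Threading off.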