Friday, August 24, 2018

Windows 10 IoT Core - Initiating Recovery Via Recovery Partition

Windows 10 IoT Core images can be built to include a recovery partition.  This can be useful for restoring the device to a working state without having the user reimage the device (which can be especially difficult with a Dragonboard 410c or similar Qualcomm Snapdragon 410 based device).

Our clue for initiating it yourself is buried in the iot-adk-addonkit (or bcdedit if you are really bored):

bcdedit /set {bootmgr} bootsequence {a5935ff2-32ba-4617-bf36-5ac314b3f9bf}
shutdown /r /t 0
You can initiate this by using the Windows.System.ProcessLauncher API.

I've also initiated the process by interrupting power to the device three times in a row during startup.  In a perfect world, you would use a companion app or hardware button to initiate a restore as well.

Thursday, August 23, 2018

Windows Storage Spaces - Setting Up a Mirrored SSD Tier with RAID5 HDD Tier

Storage Spaces is a great improvement over the baseline software RAID functionality built into Windows.  The ability to have a SSD cache tier as well as full management via PowerShell only sweeten the deal.

I use it on my lab VM host which mostly does compiling of OS images and shuttling files back and forth to work.  My existing setup was a mirrored 1TB SSD cache tier with 6 x 3TB HDD tier.  I wanted to try keeping the SSD tier mirrored, but move the HDD tier to RAID5.

Long story short, the performance is pretty terrible for what I do, but I wanted to write a blog post for anyone looking to do this for their own purposes.  I suspect a larger SSD cache might make a difference, but I'm also certain the performance characteristics are good enough for a fancy Plex server or other less write intensive application.

Here's the PowerShell to set it up (change the size values for your array.  You might have to guess a bit):

Get-StorageTier | Remove-StorageTier #Delete existing tiers if you have tried this 23939 times.
New-StorageTier -StoragePoolFriendlyName StoragePool -FriendlyName SSD_Tier -MediaType SSD -ResiliencySettingName Mirror
New-StorageTier -StoragePoolFriendlyName StoragePool -FriendlyName HDD_Tier -MediaType HDD -ResiliencySettingName Parity
$ssd_tier = Get-StorageTier -FriendlyName SSD_Tier
$hdd_tier = Get-StorageTier -FriendlyName HDD_Tier
New-VirtualDisk -StoragePoolFriendlyName StoragePool -FriendlyName "VirtualDisk" -StorageTiers @($ssd_tier,$hdd_tier) -StorageTierSizes 400GB, 13000GB -WriteCacheSize 50GB

Monday, August 20, 2018

Tuesday, June 12, 2018

Diving In - Windows 10 IoT Core for Digital Signage - Part 2, Do


Diving In - Windows 10 IoT Core for Digital Signage - Part 2, Do


In Part 1, we looked at why you might use Windows 10 IoT Core and started exploring the platform.

There are plenty of awesome things you could build with an Windows 10 IoT Core device.  If this is a hobby, a solution to to internal/personal problem or a point solution at work, you probably don't need to create a commercial device.



However, if you want to bring your solution to market-

  1. Publish your app on the Windows Store. Export a package
  2. Find a device.  Commercial devices tend to be more expensive than a Raspberry Pi, but there are some advantages
    1. Warehousing, logistics, assembly and imaging
    2. Warranty and support
    3. Certifications and other material required for some environments/countries
    4. Roadmaps and supply chain predictability
    5. Some OEMs will even build images as part of a hardware partnership
  3. Build an image.  Ask yourself some questions:
    1. What's your risk appetite for updates?
    2. What does the out of box experience look like?
    3. Do you need remote management?
    4. Will the user be able to reimage or recover the OS on the device?
    5. How will settings management be performed?
  4. Making products is hard. There's always a million little details, so don't forget to draw the rest of the owl
Even if I didn't work for an OEM, I would recommend finding an OEM partner that could help shepherd this process and provide pre-existing pieces for as much as possible.  The overall point is for you to work on all the pieces that make your solution a unique entry into the market without the hardware/OS/configuration/logistics/cat herding getting in the way.





Diving In - Windows 10 IoT Core for Digital Signage - Part 1, Explore


Diving In - Windows 10 IoT Core for Digital Signage - Part 1, Explore


Exploring a new technology stack can be really hard when you are just getting started.  However, it isn't unusual to just need a push in the right direction to start.  Based on customer questions and some common themes I see in the community, I thought I'd write up a short guide for exploring Windows 10 IoT Core, a lightweight purpose built OS for applications that blend the line between traditional embedded and general purpose computing systems.



Why Windows 10 IoT Core?

I've written a lot about Windows 10 IoT Core, Now Micro IoT Player and even made a few videos if you want to get the 30 min version.

  • A streamlined, purpose built version of Windows for running UWP apps and easy to cloud enable
  • Secure by default and regularly patched
  • Available on supportable, commercial grade hardware

Prerequisites:

  1. A UWP app you want to run.  Start with a sample if you don't have a universal app.  Or Now Micro Player if you just want to run some HTML5 content.
  2. A device-  The Raspberry Pi doesn't have hardware accelerated video, but is a great exploratory device.  If you are building a commercial product, be sure to understand your case, certification, display resolution and cost requirements.
  3. Windows 10 IoT Core Dashboard - This makes finding your device's IP and some other tasks easier. The Windows 10 IoT Core Dashboard also will download and image SD cards for your Raspberry Pi.

Things to Explore

  1. Remote PowerShell - PowerShell is my favorite way to automate a job away and there are a ton of commands you can run on the system.
  2. Windows Device Portal - In place of a local GUI, use Windows Device Portal to manage the device.  The CPU and GPU performance graphs are the best way to figure out if you have enough hardware for the job.
  3. Windows 10 IoT Dashboard - If you have a bunch of devices, this is the easiest way to discover them.
  4. Azure IoT Central - A SaaS management solution for IoT that is a quick setup.





Thursday, May 31, 2018

Capturing a FFU from a Windows 10 IoT Core Device

I would not actually recommend configuring a Windows 10 IoT Core system and then capturing it (you should use the provided build system), but if you were trying to capture a demo or replicate a problem, there is a way to capture to a FFU as of Windows 10 1709 or later.

The basic version is to boot to WinPE and use DISM to capture to an attached USB stick or mapped network drive.

The addition of the "capture-ffu" switch is where the magic happens:

DISM.exe /capture-ffu /imagefile=R:\MyDemoImage.ffu /capturedrive=\\.\PhysicalDrive0

Thursday, May 17, 2018

HTTP 502.5 When Deploying ASP.NET Core Site to AWS EBS

I recently had a fun time diagnosing a weird deployment error in the following environment:

  • ASP.NET Core 2.0 site hosted on AWS EBS
  • VS 2017
  • IIS 10.0 running on 64-bit Windows Server 2016/1.2.0
After deployment, the site fails to load with a "HTTP Error 502.5 - Process Failure.  When retrieving logs from EBS, we see an error when starting the site:



Error 0:(0) IIS AspNetCore Module - Application 'MACHINE/WEBROOT/APPHOST/DEFAULT WEB SITE' with physical root 'C:\inetpub\AspNetCoreWebApps\app\' failed to start process with commandline 'dotnet .\MYAPP.dll', ErrorCode = '0x80004005 : 8000808c.


In the end, the fix was simple:  Downgrade the "Microsoft.AspNetCore.All" nuget package to the last version.

I believe what is happening here is AWS doesn't have the newest version of the .NET Core runtime and is failing because of it.  I believe you could also fix this by installing the correct version of the runtime on the EBS instance or specifying a runtime in the csproj.

In the past, a new deployment into a fresh EBS application has also fixed the issue, but did not in this instance.

Addendum: If you are having this issue on your local box, install the version of the SDK that the project requires.  You may need to install the 1.0 or 1.1 SDK for example.

Tuesday, May 15, 2018

Reflections on Microsoft BUILD 2018


I had the pleasure to attend Microsoft BUILD this year.  There's so much to see and do, it really is an assault on the senses.  Despite so much going on and all the huge announcements, I never feel like was missing anything because the sessions are recorded and freely available on the web.  The greater value is the ability to share videos of sessions I found particularly interesting with those that didn't have the opportunity or time to attend the conference.

There was a lot of AI/ML on display, from Azure hosted, to things you could host on-box with Azure IoT Edge.  It will take a while to digest it all, but I overall love the idea that you can find a way to work with these new technologies on the platform, device and security/risk posture of your choosing.

Some things I ran across:




Friday, May 11, 2018

Adding drivers to Windows 10 IoT Core at Runtime Using Windows Device Portal



While I was compiling some Windows 10 IoT Core 1709 images, I made a small typo in an input file that resulted in one of the BSP drivers not being included in the image.  Instead of compiling the whole thing immediately, I stumbled upon an easy way to add a driver to a compiled image and make sure I had the correct one.

  1. Use inf2cab from the iot-adk-addonkit to create a CAB file: inf2cab c:\temp\driver\driver.inf Driver.MyDevice
  2. Navigate to Windows Device Portal | Windows Update
  3. Select "Choose Files", navigate to the CAB and click Install
  4. Reboot


Using this method, it was easy for me to see that I had messed up the input file versus having the incorrect device driver and incorporate a fix into my next set of builds.

Friday, January 5, 2018

Meltdown and Spectre - Considerations for Digital Signage/IoT/Embedded Devices

I've been following the Meltdown and Spectre news since last week since it was just vague mentions on lkml and speculation on twitter.  After receiving some questions, I thought I would provide my take on the impact and practical things to mitigate the issues and plan for the future.

Some information/background on the vulnerabilities:

Basically, these attacks allow someone running code on a system to access protected memory contents by using timing differences and speculative execution features in a lot of modern processors.


Digital Signage/IoT/Embedded solutions are somewhat unique in that the application set on on the system is usually well-known and strategically static.  These vulnerabilities require the attacker to be able to run code on your system.  This means the actual risk is low for systems running the majority of content.  The things that change on a solution are typically:

  • Frequent content changes
  • Monthly operating system patches
  • Rare player/CMS updates


Concrete Things To Do

  1. Turn on automatic patches.  The risk of not being patched is far more than the risk of a patch breaking a system.  Chaining remote execution vulnerabilities with local privilege escalation vulnerabilities is a lot harder if you actually patch things.  Do this first.
  2. Examine your systems for things that run untrusted code.  Thankfully most solutions don't let the user navigate to arbitrary web pages or install applications
  3. Look into Application Binary Whitelisting and Write Filters.  These technologies can prevent untrusted code from being run on the system and allow you to revert back to a known good configuration with a reboot.
  4. Have a response plan.  Do you know who does what and how if you need to mitigate a piece of malware on one or more systems?
Some ruckus has been made about performance impacts recently released patches.  Although some workloads can be impacted it is mostly I/O intensive workloads not typically seen in Digital Signage.  It is also very important to not rely on synthetic benchmarks but your actual workload when judging the performance impact- synthetic benchmarks are going to give you an unrealistic picture.

Overall, the best thing to do right now is to communicate a plan to stakeholders and patch.  Ensuring systems are patching automatically now is the best protection against a "weaponized" version of any malware later.