PC Engines APU2

The APU2 is a small x86_64 single board computer. It will easily route/packet filter a one Gigabit WAN. IPsec/VPN may drop that number a wee bit, the CPU has AES-NI acceleration, use AES-GCM for performance. Tested wifi options include the PC Engines supplied WLE900VX, WLE600VX (both ath10k, 802.11ac/a/b/g/n) and full feature support via WLE200NX (ath9k, 802.11a/b/g/n) miniPCI express radio cards. There are also board versions optimized for the usage of two 3G / LTE modems, see PC Engines APU 3.

APU system boards are designed and manufactured by PC Engines in Taiwan. Boards are based on AMD Embedded G series GX-412TC low (6 to 12W) power consumption CPUs. APU boards and associated accessories are readily available from resellers across Europe and North America.

  • CPU: AMD Embedded G series GX-412TC, 1 GHz (1.4 GHz boost AMD) quad Jaguar core with 64 bit and AES-NI support, 32K data + 32K instruction cache per core, shared 2MB L2 cache
  • Currently (2018) one of the fastest performing SoCs running OpenWrt
  • AMD-V (AMD hardware virtualization technology)
  • DRAM: 2 or 4 GB DDR3-1333 DRAM
  • mSATA (SSD) mini-PCIe and SD card slot
  • Storage: Boot from m-SATA SSD, SD card (internal sdhci controller), or external USB. 1 SATA + power connector
  • Power: 12V DC, about 6 to 12 W depending on CPU load. Jack = 2.5 mm, center positive
  • I/O: DB9 serial port, 2 USB 3.0 external + 2 USB 2.0 (internal header), three front panel LEDs, pushbutton
  • 2-3 1GigE Intel Ethernet and mini-PCIe slots
  • A phone SIM slot and mini-PCIe 3G/LTE modem support
  • Expansion: 2 miniPCI express (one with SIM socket), LPC bus, 17 GPIO headers (3.3v), I2C bus
  • UART config: COM2 (3.3V RXD / TXD / RTS / DTR), COM3 and COM4 (3.3V DCD / DSR / RXD / RTS / TXD / CTS / DTR / GND) enabled via BIOS on the GPIO pins
  • Board size: 6 x 6“ (152.4 x 152.4 mm) - same as apu1d, alix2d13 and wrap1e
  • Firmware: Coreboot - source code, releases.
  • Cooling: An included 3 mm Aluminum heat spreader creates conductive cooling from the CPU to the enclosure and works quite well (50° C to 60° C). PC Engines tested the black enclosure to be a few degrees cooler

Since the board can be put in the same box as the PCEngines Alix 2d13-Board it might be useful to know that the ethernet device order has changed. The interfaces are now ordered as shown in the following image:

(Note: this is exactly the same order as in the APU1 boards)

eth0 is labelled LAN1 on the PCB silk screen, (eth1 is LAN2 and so on).

The x86_64 images contain everything for basic operation and work out of the box on APU2 since release 17.01.2. Some modules for specific APU2 features are not included by default and can be installed using opkg, or by including them in a custom build.

Module(s) feature(s) menuconfig location
kmod-leds-gpio APU2 front LED control Kernel modules/LED modules
kmod-crypto-hw-ccp AMD Cryptographic Coprocessor Kernel modules/Cryptographic API modules
kmod-gpio-nct5104d, kmod-gpio-button-hotplug GPIO pins or COM2/3/4 Kernel modules/Other modules
kmod-sp5100-tco Hardware watchdog Kernel modules/Other modules
kmod-usb-core, kmod-usb-ohci, kmod-usb2, kmod-usb3 USB v2 and v3.0 support Kernel modules/USB Support
kmod-sound-core, kmod-pcspkr Onboard PC speaker Kernel modules/Sound support

Other software packages may also be added to use certain APU2 featues:

Package(s) feature(s) menuconfig location
amd64-microcode AMD CPU microcode Firmware
flashrom Tool to update APU BIOS Utilities
irqbalance IRQ usage balancing for multi-core systems Utilities
fstrim discard unused blocks on SSDs Utilities/Filesystem

See https://github.com/pcengines/apu2-documentation/blob/master/docs/microcode_patching.md

The AMD GX-412TC supports the AES-NI instruction set, which works without any kernel module or specific configuration.

The SoC also contains a cryptographic co-processor (AMD CCP), which requires kmod-crypto-hw-ccp to be installed. The CCP can be utilized to speed up various cryptographic algorithms in kernel space, like IPSec hashing for example. See Cryptographic Hardware Accelerators on how to enable /dev/crypto and configure userspace libraries like OpenSSL to take advantage of it. AES-GCM is currently the best security vs performance trade off.

IMPORTANT: The BIOS must be updated to v4.16.0.1 or later as the AMD PSP CCP as an entropy source only functions from that version onwards.

Refer to apu-bios-update for update instructions.

After ensuring that a suitable BIOS version is being used, refer to rng for instructions on how to use the hardware RNG present at /dev/hwrng

v4.15.0.3 and prior incorrectly returns non-randomly with all bits set high and is not a source of entropy

root@openwrt:~# hexdump -n 128 -C /dev/hwrng
00000000  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000010  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000020  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000030  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000040  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000050  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000060  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
00000070  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|

v4.16.0.1 and later correctly returns as a cryptographically random source of entropy

root@openwrt:~# hexdump -n 128 -C /dev/hwrng
00000000  c3 0d 64 61 bf c0 03 10  e6 c7 a3 94 eb 20 ad d4  |..da......... ..|
00000010  eb 90 d3 90 7f 73 0b a0  fd 67 10 d6 f8 11 b5 3e  |.....s...g.....>|
00000020  e7 f2 c7 46 3d b8 01 1e  52 09 68 3e 07 3c da 21  |...F=...R.h>.<.!|
00000030  89 5f ea 73 49 9a 7a 07  5b 65 bd db 86 59 00 ff  |._.sI.z.[e...Y..|
00000040  e5 5d 82 27 5e 5c 3b bd  8c 16 0d 6e 76 5a 60 80  |.].'^\;....nvZ`.|
00000050  e1 7a 61 64 a8 6d e3 78  a5 e3 de 7f f4 a7 fc 5f  |.zad.m.x......._|
00000060  aa 4a fc 5e e2 7a fe 6d  ff 6a 26 84 4f ba 8b 57  |.J.^.z.m.j&.O..W|
00000070  08 5a 21 83 3a 6d d5 7a  fa 12 96 c9 63 03 44 ad  |.Z!.:m.z....c.D.|
root@openwrt:~# dmesg | grep -i ccp
[    8.937992] ccp 0000:00:08.0: 3 command queues available
[    8.944572] ccp 0000:00:08.0: ccp enabled
root@openwrt:~# dmesg | grep -i crng
[    8.971219] random: crng init done
root@openwrt:~# cat /sys/devices/virtual/misc/hw_random/rng_available
root@openwrt:~# cat /sys/class/misc/hw_random/rng_current

The AMD GX-412TC SoC is vulnerable to Meltdown and Spectre. For a detailed analysis and possible mitigations on the APU2, see 3mdeb blog post

The onboard BIOS can be upgraded to a more recent version, see the generic article for PC Engines APUs here

Images for x86 are provided with ext4 or squashfs. It's recommended to use squashfs. For more details read this mailinglist thread and Filesystems.

If you wish to write data to the same disk as OpenWrt is installed on, an ext4 filesystem with write persistence is useful. If using an SD card (as opposed to using an mSATA SSD or USB-attached SSD), the writable JFFS2 filesystem has journaling and wear leveling may prolong SD card life. However, it will have to be built as OpenWrt does not auto-generate JFFS2 images. See https://downloads.openwrt.org/releases/17.01.4/targets/x86/64/

To install OpenWrt, download a *combined-squashfs.img[.gz] and write it to a SD-card or USB-stick. Run lsblk to choose the correct device to write to.

sudo dd status=progress bs=8M if=lede-17.01.4-x86-64-combined-squashfs.img of=/dev/sdX


gzip -dc openwrt-x86-64-combined-squashfs.img.gz | sudo dd status=progress bs=8M of=/dev/sdX

Boot the APU from the written stick/card.

When building a custom image, choose target system x86, subtarget x86_64 and include desired APU-specific kernel modules. It's possible to further optimize the produced binaries by generating instructions for AMD family 16h cores (march=btver2). Set CONFIG_TARGET_OPTIMIZATION=”-Os -pipe -march=btver2“

In menuconfig this option can be found at: Advanced configuration options (for developers) → Target Options → Target Optimizations

If you don't want to build from source, you can use the image builder

With the generic image, the port closest to Serial port is WAN and the other two on the right are LAN

sysupgrade on x86 works with the same images as used for installation. Upload a *combined-squashfs.img.gz via LUCI or run

sysupgrade openwrt-x86-64-combined-squashfs.img.gz

Teklager.se did a Benchmark of two Compex wireless cards on pfSense and OpenWrt on an APU2C4. Quote from the article: OpenWRT is just much better at wireless. It outperforms pfSense by almost 2x.

See the PCEngines BIOS release page for known issues in different BIOS versions.

The SMBIOS board name entries differed in some releases of the coreboot 4.6.x cycle, the releases since v4.6.7 changed back to the old naming scheme. Since commit 7e42cba both naming schemes are supported. If LEDs aren't working, upgrade coreboot to at least v4.6.7 and/or install a current version of leds-apu2 which includes the mentioned commit.

Update BIOS to a recent version and test with a new (>32GB) SD card.

According to PCEngines coreboot maintainers, sdhci-pci is needed, but not included in default x86 kernel builds. See their instructions in the APU2 documentation repository.

APU2 has problems booting from USB3 flash devices. Try using a USB2 flash stick.

see OS status on this page: https://pcengines.github.io/

When using ext4 image, online resizing of filesystem seems to fail. Replace the device name below as appropriate, depending on the type of storage device you have. (ie. sdX2 for m2.ssd or mmcblkXp2 for sd-card)

M2.SSD example:

opkg update
opkg install resize2fs tune2fs
mount -o remount,ro / #Remount root as ReadOnly
tune2fs -O^resize_inode /dev/sda2 #Remove reserved GDT blocks
fsck.ext4 /dev/sda2 #Fix part, answer yes to remove GDT blocks remnants
resize2fs /dev/sda2

Bug report thread 2951

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2024/02/12 08:58
  • by