HCL - Dell Latitude E7440

[Bjarne Thomsen]

Both VT-x and VT-d are active.
There is only this problem:
TPM can only be enabled, if legacy BIOS is disabled and secure booting
is enabled.
How can I boot qubes with secure boot in UEFI?

Bjarne

[Marek Marczykowski-Górecki]

Currently you can't:
https://wiki.qubes-os.org/ticket/794

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

[cprise]

You should return the computer with a complaint; Restricting the TPM
like this is not normal.

Apparently, Dell thinks the only use for a TPM is the one Microsoft has
assigned to it.

[cprise]

Just remembered you had the Thinkpad-sans-VT-d earlier.... sorry to see
you are having such trouble getting a good Qubes laptop.

My approach would be to call Dell to see if there is a way around the
TPM restriction; Otherwise return the E7440 and get another T440p (or
T440, T440s or T540), making sure it has a fingerprint reader (easiest
way to tell it has a TPM) and choose a CPU for it that supports VT-d
(which you can check by looking up the CPU on the Intel ARK site).

[bjarne....@gmail.com]

I do not think that UEFI is a bad idea. Adam Williamson has given a good
introduction to UEFI:
https://www.happyassassin.net/2014/01/25/uefi-boot-how-does-that-actually-work-then/
The problem is that the UEFI specifications do not give any guidelines on
how the firmware engineers should present the configuration to the user.

The goal for Qubes must be to be able to use a UEFI native boot.
The Dell E7440 came wit Windows 7 installed in BIOS compatibility mode, and
with a Windows 8 rescue CD. The only problem with ThinkPad T440p an Qubes R2 is that the mounted processor does not have VT-d. The TPM can be activated in legacy BIOS mode. I am going to buy a new processor with VT-d when the
prices have come down. But maybe Qubes R3 will be released before that happens?

[bjarne....@gmail.com]

I have installed a Fedora20-Live (x86_64) DVD on the E7440 in UEFI mode.
It turned out that the TPM can be activated without the secure boot turned on.
I went through the installation description of the "Anti Evil Maid"
(without installing the qubes specific anti-evil-maid) by starting TrouSerS:
# systemctl start tcsd.service
followed by c) :
# find /sys/devices -name pcrs
# cat <path_to_pcrs>
PCR-00: xx xx xx etc.
so TPM is supported by the kernel.
Dell Latitude E7440 should be ready for qubes R3 (with UEFI support).

[bjarne....@gmail.com]

I went a step further. I have managed to install Fedora-x86_64-21 beta in EFI
mode, so my Dell Latitude E7440 can now boot from disk with
UEFI boot enabled
TPM active
Secure Boot enabled
Trusted Execution enabled
BUT the 3.17.2 kernel does not detect TPM according to dmesg.
Does the kernel tpm module not work with UEFI firmware?

Bjarne