best and less expensive Lenovo think pad

[27casa...@gmail.com]

What is the best and less expensive Lenovo think pad for new Qube?

[awokd]

27casa...@gmail.com:

> What is the best and less expensive Lenovo think pad for new Qube?
>

G505s if you're prepared to Coreboot it yourself. PrivacyBeast if not.

[799]

Hello,

<27casa...@gmail.com> schrieb am Mo., 12. Aug. 2019, 09:26:

What is the best and less expensive Lenovo think pad for new Qube?

As always ... It depends. The G505s is not a bad choice but it is not from the Thinkpad line but a consumer laptop.

I would say the Lenovo X230 or T430 as you can install Coreboot on them, you get USB3 and LTE. And you can add some cool things like illuminates keyboards, an additional battery pack (Slice battery) which gives you lots of battery runtime.

Additionally you can get a docking station (not sure if this is available for a G505s) which gives you additional Display options.

I would go with the x230, 16GB RAM and a new SSD, then add Coreboot (I have a specific howto covering this).

But as they are all so cheap: buy them all and test them, then sell the ones you don't like to keep ;-)

799

[27casa...@gmail.com]

Thats prity good advice :). Turns out thers a X240 modell (8GB) avalibel. will that one work as well?

Altough its most likly not an option will all X1 Carbon work?

And this is the latest recomended vertion of qubes? Seams as if many models are out dated now.

[27casa...@gmail.com]

[799]

The X240 will NOT work with Coreboot.

If you need more performance you can look at a Lenovo W530 but those are much bulkier devices and have a reduced battery runtime.

I also own a W540 (not Coreboot'able) and it has Qubes installed, but I am not using it, just because the x230 feels much more portable and has twice the battery runtime.

799

[27casa...@gmail.com]

I geting the X230. Thanks for the advice (a time saver). And the info on core boot as well!

A advantage with this modele aside from being portable. Is that a regular big SSD drive fits ib there.

[27casa...@gmail.com]

799 text on core boot

https://github.com/one7two99/my-qubes/blob/master/docs/coreboot/howto-coreboot_copy.md

[27casa...@gmail.com]

Im paranoid. And dont like to cut corners on this :)

[799]

Hello

<27casa...@gmail.com> schrieb am Di., 13. Aug. 2019, 10:53:

https://github.com/one7two99/my-qubes/blob/master/docs/coreboot/howto-coreboot_copy.md

Wrong link, I cleaned up the docs a few days ago, the correct link is now:

https://github.com/one7two99/my-qubes/blob/master/docs/coreboot/README.md

Let me know if you need any help.

799

[Steve Coleman]

On 8/13/19 6:28 AM, 799 wrote:
> Hello
>
> <27casa...@gmail.com <mailto:27casa...@gmail.com>> schrieb am Di.,

> https://github.com/one7two99/my-qubes/blob/master/docs/coreboot/README.md
>
> Let me know if you need any help.

I do have a few questions for anyone experienced with the x230

Q1: Does the ThinkPad x230 have a separate USB controller available for
use as a sys-usb?

Q2: Also, how would a docking station work with this setup, given that
the keyboard would likely be connected via some internal docking station
USB interface?

The PrivacyBeast info claims there is both USB3 and USB2 connector but
it does not specifically mention any sys-usb capability, nor does the
Qubes certified hardware announcement. The Lenovo documentation does not
give any level of detail with respect to Qubes, obviously. When pricing
out a new x230 with the needed memory/SSD upgrades, it isn't too much
cheaper that PB, but rolling my own I would at least get more room for
hosting VM's. But then I would still be stuck with the Intel ME problem.
I would think that moving the pre-installed PB OS configuration to a new
SSD could be problematic, given its claimed bios/heads and
per-partitioned disk configuration, and so I might as well just start
with a clean slate and roll my own with coreboot, if I were to proceed
down this path.

Having a laptop at home with Qubes would certainly be nice, but if so, I
hope to be able to run some third party software that requires direct
control of some CNC/gcode hardware via a USB serial interface, plus a
USB camera for layout and coordinate registration. I'm not sure if this
is possible, but I am thinking it might be if the USB controller can be
assigned to that particular VM. Right now I am stuck with Windows, which
I would be happy to trade in for Qubes if it can work. Either way just
having a mobile machine as a backup in case my home office machine goes
down would be great.

thanks,

Steve.

[799]

Hello Steve,

Steve Coleman <Steve....@jhuapl.edu> schrieb am Di., 13. Aug. 2019, 20:07:

I do have a few questions for anyone experienced with the x230

Q1: Does the ThinkPad x230 have a separate USB controller available for
use as a sys-usb?

I have documented the Layout of the USB controllers here:

https://github.com/one7two99/my-qubes/blob/master/docs/qubes-x230.md

It shows which USB Controllers connects to which external USB Port and which internal USB Devices like Camera / Bluetooth / LTE-Card belongs to which USB Controller.

Depending on which USB Controller you attach to a VM, you pass along all attached internal USB Devices.

Therefore I am a using a sys-usb Qube ;-)

Regarding the other questions, I'll try to answer this later.

799

[brenda...@gmail.com]

On Tuesday, August 13, 2019 at 3:54:58 PM UTC-4, 799 wrote:

I have documented the Layout of the USB controllers here:

https://github.com/one7two99/my-qubes/blob/master/docs/qubes-x230.md

It shows which USB Controllers connects to which external USB Port and which internal USB Devices like Camera / Bluetooth / LTE-Card belongs to which USB Controller.

Depending on which USB Controller you attach to a VM, you pass along all attached internal USB Devices.

Therefore I am a using a sys-usb Qube ;-)

Regarding the other questions, I'll try to answer this later.

 

799,

1. That first USB device, which does not state where it can be used is either:

a) The USB 2.0 interface "available" via the expresscard interface (some "expresscard" devices are really just USB 2.0 devices).

b) The USB 2.0 interface available via the docking connector.

...some experimentation should lead to clarification.

2. On my W520, I typically only attach the USB 2.0 controller to sys-usb (via PCI). That way, if I have to directly attach a storage device to a VM for IO-intensive uses, I can utilize a disposable HVM and attach the USB 3.0 controller directly to it.

3. Lastly, for those worried about having a flexible USB controller PCI layout (the ability to assign different controllers to different HVMs), there's a secret I'll share: the expresscard port on both the X230 and the W520 is a PCI port! And there are expresscards that provide USB 3.0 ports! Granted expresscard's maximum signaling rate of 2500Mbps is not quite 6000Mbps maximum of USB 3.0...but definitely faster than 480Mbps! The W520 puts PCI devices mounted via the expresscard slot in their own grouping (e.g. a USB 3.0 expresscard)...again, experimentation will show whether the X230 does as well.

B

Brendan

[799]

Hello Brendan,

<brenda...@gmail.com> schrieb am Do., 15. Aug. 2019, 01:26:

(...)

1. That first USB device, which does not state where it can be used is either:

a) The USB 2.0 interface "available" via the expresscard interface (some "expresscard" devices are really just USB 2.0 devices).

b) The USB 2.0 interface available via the docking connector.

...some experimentation should lead to clarification.

You are very likely right, I have always asked myself why there is an USB Controller which has no internal devices attached and doesn't connect to any of the external USB slots.

I have a docking station, so I will test this.

2. On my W520, I typically only attach the USB 2.0 controller to sys-usb (via PCI). That way, if I have to directly attach a storage device to a VM for IO-intensive uses, I can utilize a disposable HVM and attach the USB 3.0 controller directly to it.

The problem is, that the USB 3 Controller on the X230 has also the internal WWAN Card connected, so of I attach it to an AppVM and not the sys-usb Qube I am not able to pass the WWAN Card to my sys-net VM and use LTE, which I need to rely on.

USB 3.0 Controller - Extended Host Controller Interface (xHCI)

00:14.0 USB controller: Intel Corporation 7 Series/C210 Series Chipset Family USB xHCI Host Controller (rev 04)

Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

Bus 002 Device 002: ID 0bdb:1926 Ericsson Business Mobile Networks BV 1 = LTE/WAN-Card

connects to: Left USB-Port (next to VGA-Display-Out)

connects to: Left USB-Port (next Mini-DisplayPort-Out)

3. Lastly, for those worried about having a flexible USB controller PCI layout (the ability to assign different controllers to different HVMs), there's a secret I'll share: the expresscard port on both the X230 and the W520 is a PCI port! And there are expresscards that provide USB 3.0 ports! Granted expresscard's maximum signaling rate of 2500Mbps is not quite 6000Mbps maximum of USB 3.0...but definitely faster than 480Mbps! The W520 puts PCI devices mounted via the expresscard slot in their own grouping (e.g. a USB 3.0 expresscard)...again, experimentation will show whether the X230 does as well.

Ok, I'll give the Expresscard Slot a try, need to buy an adapter first...

Any idea how I can test the speed of the interfaces afterwards?

I would get a Expresscard-to-USB3-Adapter.

[799]

[brenda...@gmail.com]

On Wednesday, August 14, 2019 at 7:53:38 PM UTC-4, 799 wrote:

Hello Brendan,

<brend...@gmail.com> schrieb am Do., 15. Aug. 2019, 01:26:

(...)

1. That first USB device, which does not state where it can be used is either:

a) The USB 2.0 interface "available" via the expresscard interface (some "expresscard" devices are really just USB 2.0 devices).

b) The USB 2.0 interface available via the docking connector.

...some experimentation should lead to clarification.

You are very likely right, I have always asked myself why there is an USB Controller which has no internal devices attached and doesn't connect to any of the external USB slots. I have a docking station, so I will test this.

Cool, let us know.

 

2. On my W520, I typically only attach the USB 2.0 controller to sys-usb (via PCI). That way, if I have to directly attach a storage device to a VM for IO-intensive uses, I can utilize a disposable HVM and attach the USB 3.0 controller directly to it.

The problem is, that the USB 3 Controller on the X230 has also the internal WWAN Card connected, so of I attach it to an AppVM and not the sys-usb Qube I am not able to pass the WWAN Card to my sys-net VM and use LTE, which I need to rely on.

Ok, that's unfortunate. I keep an mSATA drive in that slot in my X230 units (and in the equivalent slot in the W520 units).

In any case, with the W520, I don't think the built-in USB 3.0 controller is connected to anything except for the two left-side ports, but I could be wrong. The docking connector on the W520 only supports up to USB 2.0, while USB 3.0 via docks is supported in the X230/Tx30/W530 models. All my docks have the eSATA port in the spot the later revisions placed the USB 3.0 port. [Dock storage support may also explain a phantom /dev/sd? device you see from time to time in Thinkpads.]

3. Lastly, for those worried about having a flexible USB controller PCI layout (the ability to assign different controllers to different HVMs), there's a secret I'll share: the expresscard port on both the X230 and the W520 is a PCI port! And there are expresscards that provide USB 3.0 ports! Granted expresscard's maximum signaling rate of 2500Mbps is not quite 6000Mbps maximum of USB 3.0...but definitely faster than 480Mbps! The W520 puts PCI devices mounted via the expresscard slot in their own grouping (e.g. a USB 3.0 expresscard)...again, experimentation will show whether the X230 does as well.

Ok, I'll give the Expresscard Slot a try, need to buy an adapter first...

Any idea how I can test the speed of the interfaces afterwards?

I would get a Expresscard-to-USB3-Adapter.

I would use the poor(-ish) man's throughput tester: 'time dd if=/dev/..." reads of a contemporary fast SSD connected via a USB 3->SATA III bridge that supports UAS.  Time trial A with the cable connected to the built-in USB 3.0 controller attached to an HVM, then trial B with the cable connected to the expresscard-USB3 "controller" attached to an HVM. Trial C with one of the USB 2.0 ports if you want.

Based on the advertised rates, I'd expect IO up to about 550MBps on the internal USB 3.0 ports,  220MBps on the express card USB 3.0 ports (due to intervening 1 x lane pcie 1.0) and 40MBps on the internal USB 2.0 ports.

I bought the cheapest expresscard adapter I could find on amazon, now currently listed as unavailable: https://www.amazon.com/gp/product/B07Q819QTF

It is recognized by dom0 (see below) but I haven't hooked it up yet.. I will note that I'll probably need to file down some of the plastic, it seems slightly too big for the slot when inserting it (again, it was cheap):

[admin@dom0 ~]$ lspci|grep USB
00:1a.0 USB controller: Intel Corporation 6 Series/C200 Series Chipset Family USB Enhanced Host Controller #2 (rev 04)
00:1d.0 USB controller: Intel Corporation 6 Series/C200 Series Chipset Family USB Enhanced Host Controller #1 (rev 04)
05:00.0 USB controller: Renesas Technology Corp. uPD720202 USB 3.0 Host Controller (rev 02)
*** 0e:00.0 USB controller: NEC Corporation uPD720200 USB 3.0 Host Controller (rev 04) ***

Lastly a minor warning: it's really easy to pull out the expresscard when removing a USB cable, just FYI.

B

[unman]

On Wed, Aug 14, 2019 at 04:26:18PM -0700, brenda...@gmail.com wrote:
> 1. That first USB device, which does not state where it can be used is
> either:
> a) The USB 2.0 interface "available" via the expresscard interface (some
> "expresscard" devices are really just USB 2.0 devices).
> b) The USB 2.0 interface available via the docking connector.
>
> ...some experimentation should lead to clarification.
>

It's the dock.
I use 3 disposable USBVMs, each allocated 1 controller.

unman

[brenda...@gmail.com]

On Thursday, August 15, 2019 at 8:24:58 AM UTC-4, unman wrote:

On Wed, Aug 14, 2019 at 04:26:18PM -0700, brend...@gmail.com wrote:
> 1. That first USB device, which does not state where it can be used is
> either:
> a) The USB 2.0 interface "available" via the expresscard interface (some
> "expresscard" devices are really just USB 2.0 devices).
> b) The USB 2.0 interface available via the docking connector.

It's the dock.
I use 3 disposable USBVMs, each allocated 1 controller.

Thanks unman. Thinking about it...that does make the most sense as some of the compatible docks can have quite a few USB 2.0 ports (presumably implemented as a hub) on them, so it make the most sense to have that controller separate.

I won't guarantee this, but I suspect that the "alternate" interface (USB 2.0) in the expresscard slot is probably attached to the *primary* USB 2.0 controller on the Thinkpads then.

Therefore the best approach in *most* cases where the user wants either best combined throughput or USB controller assignment flexibility is to utilize a 1-lane PCIe 1.0-based expresscard (e.g. with a one-or-two port USB 3.0 controller) instead of a USB 2.0-based expresscard.

Brendan

PS - The one caveat I will note with the expresscard interface is that it is an external PCIe interface, and may provide direct DMA into memory, similar to Firewire. You can see there are commercial products that utilize the expresscard interface here for memory forensics on running but locked machines:

  https://www.forensicswiki.org/wiki/Tools:Memory_Imaging

I would be curious to see recent experiments showing how well Xen HVM IOMMU enforcement works to limit the scope of attacks using Expresscard, which Qubes + IOMMU *should* protect against. I just don't have the skills to create one or the $7800 it costs to purchase one of these devices (nor really the time) to do some testing...

For those overly concerned, they may want to investigate other preventative methods (e.g. Does BIOS disabling of the expresscard interface have a security impact? Are there physical modifications that would prevent usage of acquisition devices? Are there other software mitigation (power-off on attach, etc.))

[27casa...@gmail.com]

Hi 799, when I tride to instal I run in to mesage saying that Qubes wouldent funktion becous hardware whas mising.

The I proceeded withe installation. And later during setup I got this message:

sys firewall failed....

And then:

Start faild... Could not find capabilites for arch=x86_64

The later is refering to missing hardware i gues.

[unman]

That means you havent got VT-x enabled.
Check in your BIOS that you have enabled VT-x and VT-D, virtulization,
some entry like that.

[thecris...@gmail.com]

Can coreboot be installed on T580, have you ever heard of such?

[27casa...@gmail.com]

It workt! Again thanks for sharing.

[799]

On Fri, 16 Aug 2019 at 15:42, <thecris...@gmail.com> wrote:

Can coreboot be installed on T580, have you ever heard of such?

The following coreboot page will answer your question:

https://coreboot.org/status/board-status.html

additionally you might want to look into the FAQ:

https://www.coreboot.org/FAQ#Will_coreboot_work_on_my_machine.3F

[799]

[American Qubist 001]

Is it really so bad just to use the standard EFI with fastboot and secure boot disabled? I use that with a password but maybe coreboot is important too. No one has physical access afaik unless the landlord is letting Russian spies into my apartment. 

[American Qubist 001]

I lose track of the difference between Ideapads and Thinkpads but I have installed Qubes successfully on 4GB RAM Lenovos that cost less than $300 new, without issue. Nice to upgrade memory to 8 GB though. 

[27casa...@gmail.com]

Hi again.
I tried to install Qubes 4 on a HP Elitbook 2170 some time ago. And got this message:

HVM/VT-x/AMD-V...... Interupt Remapping

Do you know what it referes to? Perhaps it can fixt in Bios?

The 2170 is even smaler than the X230.It might lack other fetures tough. If it even works.

By the way I just got some first hand experience concerning why its a good idee to instal coreboot: When trying to enter Bios on the 2170 a pasword verification showsup! I dont think this is there by defult. So I guse some one at some point alterd bios.

After considering it I think every one sould get corboot. Its not that unlickly that some one at some point could have put some kind of program in there. After all its an old computer with many users and also a prime computer for both people that know how to infect bios and peple consernd about there privacy. So watch out!

but then again I gues you would have to trust the people behind corboot. catch 22. Or is it?

[rat rat]

x220 better than x230.

1. x220 most easiest laptop for flashing coreboot and  disassemble. x230 has two spi chips, only what you need is ch341a and clip toolchain.

5-7 minutes and job is done.

2. nude old x220 price on ebay ~ 100 dollars.

3. you can upgrade your x220 laptop to 2k display, i7hq,  16gb ram, 2TB ssd, atheros wwan 3g card, 9 cell battery 44+, 7-row ibm classical keyboard and external gpu AMD or NVIDIA Titan +, usb External WIFI antenna (kali-linux template). ~ + 1000 dollars

4. platinum status to all linux distros hardware compatibility

 

[27casa...@gmail.com]

Theres some guy on youtube "wolfgangs Chanel". Claming that the X230 is better then the X220 when it comes to instaling corboot for the vey reason that it comes with two chips. I dont know any way.

Any way its cool how easy an inexpensive it is to get up to 16 Ram on both models! cost close to nothing. my old setup hade 8 ram and couldent handel more than 4 VM or something like that.

[FenderBender]

Anything with an i-series chip should work.  G50. <$299. Pay $35 for a crucial mem card, pop out, drop it in the slot. If you can run off an internal/external SSD so much the better works either way.

[awokd]

American Qubist 001:

> Is it really so bad just to use the standard EFI with fastboot and secure
> boot disabled? I use that with a password but maybe coreboot is important
> too. No one has physical access afaik unless the landlord is letting
> Russian spies into my apartment.
>
> On Monday, August 12, 2019 at 3:51:35 AM UTC-7, awokd wrote:
>>

>> 27casa...@gmail.com <javascript:>:

>>> What is the best and less expensive Lenovo think pad for new Qube?
>>>
>> G505s if you're prepared to Coreboot it yourself. PrivacyBeast if not.
>>
>

https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
https://www.kb.cert.org/vuls/id/758382/
https://www.securityweek.com/researchers-find-several-uefi-vulnerabilities