[HCL] Qubes OS R3.2 on a ThinkPad P51 (model 20HJS0BX00)

Sven Semmler

Dec 18, 2017, 5:55:15 PM
to qubes-users, Andrew David Wong (Qubes)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

With significant help from members of this mailing list, I was able to
install R3.2 on my new ThinkPad P51 (model 20HJS0BX00). The starting
point was the HCL linking to swami's post <http://bit.ly/2CCtOdB>,
which describes or links all the steps below except for the use of the
USB-to-Ethernet adapter to run the initial update.

A little twist that distinguishes my ThinkPad from his is that my
networking hardware requires kernel version 4.9 to run, while after the
install Qubes OS runs version 4.4. Therefore some extra steps and
hardware are required to run the initial update to kernel 4.9 to make
everything work:

* another computer running Fedora or Qubes OS with a Fedora qube
(to create the USB sticks)
* Qubes installer USB stick prepared using Fedora's livecd-tools
* rEFInd live USB stick
* Linux-friendly Ethernet-to-USB adapter (e.g. the one from Apple)

Create Qubes installer USB stick
- --------------------------------

This step was described by Dave C.'s post <http://bit.ly/2keRZs7>
with additional important input from Stephan Marwedel.

1. Get the ISO, signature and PGP key from the Qubes OS Download page.
2. Follow the instructions on digital signatures and key verification.
3. Install the 'livecd-tools' package.
4. Run 'sudo livecd-iso-to-disk --efi --format Qubes-R3.2-x86_64.iso
/dev/sda' (assuming /dev/sda is the USB stick).
5. Mount the newly created USB stick and edit /EFI/BOOT/xen.cfg. In this
file, replace every occurrence of 'LABEL=Qubes-R3.2-x86_64' with
'LABEL=BOOT'.
6. Unmount and run 'sudo dosfslabel /dev/sda BOOT' (assuming /dev/sda is
the USB stick).

Create rEFInd live USB stick
- ----------------------------

1. Download the USB flash drive image from Roderick W. Smith's rEFInd
Boot Manager page.
2. Run 'sudo dd if=refind-flashdrive-0.11.2.img of=/dev/sda bs=1M'
(assuming /dev/sda is the USB stick).

BIOS settings
- -------------

* boot in UEFI mode (not legacy)
* disable secure boot
* set graphics to discrete
* enable all virtualization features including VT-d

Install Qubes
- -------------

1. Boot the ThinkPad with the Qubes installer USB stick and run through
the normal setup routine.
2. When it is time to reboot, remove the Qubes installer USB stick and
insert the rEFInd live USB instead.
3. Once in the rEFInd boot manager, select the /EFI/BOOT/xen.cfg entry
to boot.
4. On the Qubes OS configuration screen, do not create the sys-usb qube
yet!
5. Finish configuration and log into Qubes OS.

Using USB-to-Ethernet adapter to run initial update
- ---------------------------------------------------

Both Taiidan and an earlier comment from Yethal helped me figure out
this sequence:

1. connect the USB-to-Ethernet adapter and shut down all qubes
2. in dom0 run 'qvm-prefs -s sys-net pci_strictreset false'
3. add your USB controller to sys-net using the qubes manager
4. start sys-net and sys-firewall - you should now be online!
5. update the fedora-23 template
6. update dom0
7. reboot with rEFInd USB stick
8. use 'uname -r' to make sure you are running kernel 4.9 in both
dom0 and sys-net. In my case sys-net was now running kernel 4.9 but
dom0 was still on 4.4. It took the extra step of running 'sudo
qubes-dom0-update --enablerepo=qubes-dom0-unstable kernel
kernel-qubes-vm --best --allowerasing' to upgrade dom0 to 4.9.
9. shut down all qubes and remove the USB controller from sys-net
10. run 'qvm-prefs -s sys-net pci_strictreset true'
11. reboot with rEFInd USB stick

Fix EFI boot configuration
- --------------------------

For some reason the EFI entry generated by the Qubes installer doesn't
work, which is why we had to use the rEFInd live USB stick until now to
boot the machine. This can be fixed by downloading the following
packages via rpmfind.net:

* efibootmgr-15-1.fc26.x86_64.rpm
* efivar-31-1.fc26.x86_64.rpm
* efivar-libs-31-1.fc26.x86_64.rpm

Obviously those packages are not signed by the Qubes OS team and
represent a security risk. Unfortunately the version of efibootmgr
delivered with Qubes OS doesn't fix the issue (it might actually be the
cause of it). So you have to decide whether you want to keep booting
with the rEFInd live USB stick or if you take the risk of installing
those packages in dom0.

1. copy the files to dom0 and install them via 'sudo dnf install
efibootmgr-15-1.fc26.x86_64.rpm efivar-31-1.fc26.x86_64.rpm
efivar-libs-31-1.fc26.x86_64.rpm'.
2. delete the old entry via 'sudo efibootmgr -b 0000 -B'
3. create a new entry via 'sudo efibootmgr -v -c -u -L Qubes -l
/EFI/qubes/xen.efi -d /dev/nvme0n1 -p 1'
4. reboot without the rEFInd live USB stick

Done!
- -----

Now the ThinkPad boots straight into Qubes OS R3.2 and all the hardware
should work. During the installation we skipped creating sys-usb, which
one might want to enable now that everything works. Finally I'd like to
thank Unman and Rory for their help with approaches that ultimately
didn't work out but were definitely worth pursuing.

This post is also published (with additional links) at
http://svensemmler.org/blog/2017/12/17/qubes-on-thinkpad-p51.html

/Sven
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----
Qubes-HCL-LENOVO-20HJS0BX00-20171215-110620.yml
Qubes-HCL-LENOVO-20HJS0BX00-20171215-110620.yml.sig
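
The label edit from step 5 of "Create Qubes installer USB stick", as an added example that is not part of the original post: it rewrites xen.cfg, keeps a backup, and fails if any LABEL= reference still names something other than BOOT. The function names and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: apply the xen.cfg label edit from step 5 and verify it.
OLD_LABEL='Qubes-R3.2-x86_64'   # label the post says to replace
NEW_LABEL='BOOT'                # label the post sets with dosfslabel in step 6

# stale_labels FILE: report LABEL= references that do not name NEW_LABEL.
# Returns 1 if any are found, 0 if the file is consistent.
stale_labels() {
    bad=$(grep -o 'LABEL=[^ ]*' "$1" | grep -v -x "LABEL=$NEW_LABEL" || true)
    [ -z "$bad" ] && return 0
    printf 'stale reference: %s\n' $bad >&2
    return 1
}

# relabel_xen_cfg FILE: edit FILE in place, keeping FILE.orig as a backup.
# Returns 0 only if every LABEL= reference names NEW_LABEL afterwards.
relabel_xen_cfg() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 2; }
    # FAT volume labels hold at most 11 characters.
    [ "${#NEW_LABEL}" -le 11 ] || { echo "label too long for FAT" >&2; return 2; }
    cp "$cfg" "$cfg.orig" || return 2
    # Escape regex metacharacters so the dot in OLD_LABEL matches literally.
    old_re=$(printf '%s' "$OLD_LABEL" | sed 's/[][\\.*^$/]/\\&/g')
    sed "s/LABEL=$old_re/LABEL=$NEW_LABEL/g" "$cfg.orig" > "$cfg" || return 2
    stale_labels "$cfg"
}

# write_sample_cfg FILE: constructed sample input, not copied from a real stick.
write_sample_cfg() {
    cat > "$1" <<'EOF'
[global]
default=qubes-verbose

[qubes-verbose]
kernel=vmlinuz inst.stage2=hd:LABEL=Qubes-R3.2-x86_64
ramdisk=initrd.img

[qubes-rescue]
kernel=vmlinuz inst.stage2=hd:LABEL=Qubes-R3.2-x86_64 rescue
ramdisk=initrd.img
EOF
}

# Usage on the mounted stick (mount point is a placeholder):
#   relabel_xen_cfg /path/to/mountpoint/EFI/BOOT/xen.cfg
```
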