New HCL Entry: Lenovo ThinkPad T470 (20HDCTO1WW)


Joe Hemmerlein

Nov 30, 2017, 5:07:59 AM
to qubes...@googlegroups.com
Hi,

so far it was easy to install and run Qubes OS 4.0 RC3 (and RC2) on this hardware - as long as I keep boot mode on "Legacy Only".

However, the TPM chip on this hardware works in UEFI boot mode only; and even with secureboot disabled and CSM support enabled, I can't get Qubes OS to boot in UEFI mode:
- The installer doesn't run in UEFI mode (I get text mode grub, but whatever I select simply does nothing and returns to grub)
- If I turn UEFI mode on after installing Qubes OS, I don't even get grub.
- I tried the UEFI troubleshooting guide to no avail, although I was unable to run efibootmgr directly while in legacy boot mode ("EFI variables are not supported on this system") so in order to run efibootmgr, I booted a separate Fedora 26 Live image which does boot in UEFI mode. However, even with updated records, the result is the same: selecting those options from the UEFI boot menu simply makes the screen flicker once and then I'm back in the UEFI boot menu.
- I tried copying the EFI and CFG file to /EFI/BOOT and renaming them to BOOTX64.EFI and .CFG, and also created new entries with efibootmgr for this, again without success.


I also tried installing Qubes OS 3.2 on this system which didn't work and initial troubleshooting failed; but I'd like to concentrate my efforts on making this work for Qubes 4.0 so I didn't spend too much time on getting Qubes OS 3.2 on the T470.

Any hints about troubleshooting the UEFI boot option are appreciated; I can also provide more exact details about what I already tried. Given the specs of this machine, I'm really determined to not give up easily.

For now, I'll test other functionality in legacy mode only.

Cheers,
-joe
Qubes-HCL-LENOVO-20HDCTO1WW-20171129-163138.yml
Qubes-HCL-LENOVO-20HDCTO1WW-20171129-163138.cpio.gz

Joe Hemmerlein

Nov 30, 2017, 1:25:18 PM
to qubes-users
On Thursday, November 30, 2017 at 2:07:59 AM UTC-8, Joe Hemmerlein wrote:
> Any hints about troubleshooting the UEFI boot option are appreciated; I can also provide more exact details about what I already tried. Given the specs of this machine, I'm really determined to not give up easily.
>

Here is a detailed log of what I tried.

ThinkPad T470 (20HD-CT01WW)
UEFI/BIOS configuration
=======================
Setup – Main
- UEFI BIOS Version: N1QET68W (1.43)
- UEFI BIOS Date: 2017-11-10
- Installed Memory: 32768 MB
- UEFI Secure Boot: Off

Setup – Config – USB
- USB UEFI BIOS Support: Enabled

Setup – Security – Security Chip
- Security Chip Type: TPM 2.0
- Security Chip: Enabled
- Intel TXT Feature: Enabled

Setup – Security – Memory Protection
- Execution Prevention: Enabled

Setup – Security – Virtualization
- Intel Virtualization Technology: Enabled
- Intel VT-d Feature: Enabled

Setup – Security – Secure Boot
- Secure Boot: Disabled

Setup – Security – Intel SGX
- Intel SGX Control: Software
- Current State: Enabled

Setup – Security – Device Guard
- Device Guard: Disabled

Setup – Startup
- Boot (Priority Order) includes "USB HDD" and "NVMe0 Intel SSDPEKKF256G7L"
- UEFI/Legacy Boot: UEFI Only
- CSM Support: Yes


Initial Setup Experience
========================
- Created USB stick using Rufus with dd method from 4.0R3 ISO image
- Able to boot USB stick by invoking UEFI Boot Menu with F12, then selecting USB HDD
- This results in a text mode grub menu with the four options
- Option 1 (Test media and install Qubes R4.0-rc3) is default and will start automatically
- Option 1 then fails: "XEN 4.8.2 (c/s ) EFI loader // Failed to boot both default and fallback entries"

Only way I found to install Qubes OS:
- Change BIOS/UEFI setup configuration item "UEFI/Legacy Boot" to "Legacy Only"
- Boot from USB and install. GUI install works fine with default options (all I change is my keyboard layout to Dvorak)
- Reboot, and configure Qubes OS with default options
- Qubes OS starts and is usable as long as BIOS/UEFI setup configuration is using "Legacy Only", but...
--- Problem: no TPM available. According to Lenovo, the TPM2.0 will not be exposed in legacy boot scenario; in order for TPM to be exposed, it seems like we need UEFI boot.

Trying to switch to UEFI

- As described at https://www.qubes-os.org/doc/uefi-troubleshooting/#installation-finished-but-qubes-boot-option-is-missing-and-xencfg-is-empty, we have an empty (0 bytes) xen.efi file in /boot/efi/EFI/qubes. Followed steps in guide, essentially:
- Booted into Qubes with legacy boot
- Renamed xen-4.8.2.efi to xen.efi
- Copied contents from xen.cfg in the troubleshooting guide to xen.cfg in dom0
- Edited xen.cfg to adjust for current kernel number in four places
- Rebooted
- Booted with legacy boot from USB install stick
- Selected Advanced – Rescue a Qubes installation
- Selected option 1 to continue
- Found installation on device nvme0n1p2 and entered LUKS passphrase
- Got Shell
- Changes made to files still visible in /mnt/sysimage/boot/efi/EFI/qubes
- Ran the efibootmgr command as shown in the guide, but adjusted devicename. I didn’t know whether I should add nvme0n1 or nvme0, or maybe even nvme0n1p1 – so I ran the command three times with different labels.
--- Problem: Can't run efibootmgr. Error: "EFI variables are not supported on this system"
- Rebooted, but also changing BIOS/UEFI setup boot options again
--- Boot option "Both" with "UEFI First" failed to boot from USB (went back to UEFI boot menu)
--- Boot option "Both" with "Legacy First" allowed me to boot from USB to rescue a Qubes installation.
--- Problem: efibootmgr command still fails with "EFI variables are not supported on this system".
- It looks like I may need to somehow boot with UEFI enabled in order to run efibootmgr.
- Trying a Fedora Live CD (Fedora-Workstation-Live-x86_64-26-1.5.iso)
- Created USB stick with Rufus dd method
- Booted USB stick with boot option set to "UEFI Only" and "CSM Support" enabled.
- Fedora stick boots successfully into Fedora 26 Live
- efibootmgr command generally works
- Tried it:
--- efibootmgr -v -c -u -L Qubes431 -l /EFI/qubes/xen.efi -d /dev/nvme0n1 -p 1 "placeholder /mapbs /noexitboot"
--- efibootmgr -v -c -u -L Qubes431 -l /EFI/qubes/xen.efi -d /dev/nvme0n1p1 -p 1 "placeholder /mapbs /noexitboot"
--- efibootmgr -v -c -u -L Qubes433 -l /EFI/qubes/xen.efi -d /dev/nvme0n1p1 "placeholder /mapbs /noexitboot"

- Rebooted (still with "UEFI Only" and "CSM" boot options enabled)
- Selected F12 again for UEFI boot menu, and I could see both new added entries. I tried both of them, but...
--- Problem: selecting any of those entries just gets us back to the UEFI boot menu. They’re failing visually the same way as the standard "Qubes" entry fails.
- Rebooted back into the Live image
- I noticed that on nvme0n1p1, the .efi file is actually in /efi/EFI/qubes/xen.efi, and not in /EFI/qubes/xen.efi. Not sure if that matters, but let’s try it:
--- efibootmgr -v -c -u -L Qubes434 -l /efi/EFI/qubes/xen.efi -d /dev/nvme0n1 -p 1 "placeholder /mapbs /noexitboot"
--- efibootmgr -v -c -u -L Qubes435 -l /efi/EFI/qubes/xen.efi -d /dev/nvme0n1p1 -p 1 "placeholder /mapbs /noexitboot"
--- efibootmgr -v -c -u -L Qubes436 -l /efi/EFI/qubes/xen.efi -d /dev/nvme0n1p1 "placeholder /mapbs /noexitboot"
--- sadly, same problem – none of them boot, goes back to UEFI boot menu.

- Trying to change where my files are from /boot/efi/EFI/qubes to /boot/efi/EFI/BOOT, and renaming them from xen.* to BOOTX64.* as suggested at https://www.qubes-os.org/doc/uefi-troubleshooting/#boot-device-not-recognized-after-installing
- Booted with "Legacy Only" into Qubes, and copied files around as suggested
- Rebooted with "UEFI Only" into Fedora Live Image
- Tried efibootmgr again with the new file names:
--- efibootmgr -v -c -u -L Qubes437 -l /EFI/BOOT/BOOTX64.efi -d /dev/nvme0n1 -p 1 "placeholder /mapbs /noexitboot"
--- efibootmgr -v -c -u -L Qubes438 -l /EFI/BOOT/BOOTX64.efi -d /dev/nvme0n1p1 -p 1 "placeholder /mapbs /noexitboot"
--- efibootmgr -v -c -u -L Qubes439 -l /EFI/BOOT/BOOTX64.efi -d /dev/nvme0n1p1 "placeholder /mapbs /noexitboot"
--- still no success.

Tom Zander

Nov 30, 2017, 2:12:34 PM
to qubes...@googlegroups.com, Joe Hemmerlein
On Thursday, 30 November 2017 11:07:56 CET Joe Hemmerlein wrote:
> However, the TPM chip on this hardware works in UEFI boot mode only

I think it's a known issue that Qubes doesn't support EFI.
It ironically creates an efi partition, but the installer doesn't create the
right stuff to actually boot from it.
And I can confirm that the installer doesn't boot without legacy boot
systems either.

If your hardware is really incompatible with legacy boots, you are out of
luck.

--
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel

Rashiq

Nov 30, 2017, 2:20:21 PM
to qubes...@googlegroups.com
Hey,

On Thursday, November 30, 2017 2:07:56 AM CET Joe Hemmerlein wrote:
> I also tried installing Qubes OS 3.2 on this system which didn't work and
> initial troubleshooting failed; but I'd like to concentrate my efforts on
> making this work for Qubes 4.0 so i didn't spend too much time on getting
> Qubes OS 3.2 on the T470.

also running Qubes R4.0 on a T470.

R3.2 won't run due to drivers for the graphics chip not present in the kernel
(as far as I remember from my troubleshooting of this some half a year ago).

--
Regards,
rashiq

Mike Keehan

Nov 30, 2017, 4:37:59 PM
to qubes...@googlegroups.com
Hi Joe,

This is the content of my EFI/qubes directory after installing
Qubes 4.0-rc3 in EFI mode :-

-rwxr-xr-x 1 root root 22231327 Nov 28 17:29 initramfs-4.9.56-21.pvops.qubes.x86_64.img
-rwxr-xr-x 1 root root 5316864 Nov 28 17:29 vmlinuz-4.9.56-21.pvops.qubes.x86_64
-rwxr-xr-x 1 root root 902 Nov 28 17:36 xen.cfg
-rwxr-xr-x 1 root root 2056349 Nov 28 17:29 xen.efi

I then selected which EFI directory to boot from using the bios.

I think the EFI/Boot directory is just a default.

Mike.

Joe Hemmerlein

Nov 30, 2017, 4:40:17 PM
to qubes-users
On Thursday, November 30, 2017 at 11:12:34 AM UTC-8, Tom Zander wrote:
> I think it's a known issue that Qubes doesn't support EFI.

Do you have a reference for that? I don't think that's true.

I can run Qubes OS without problems with UEFI on other hardware, and there is even UEFI troubleshooting guidance at https://www.qubes-os.org/doc/uefi-troubleshooting/ - which doesn't mention lack of support for EFI...

-joe

Joe Hemmerlein

Nov 30, 2017, 8:10:46 PM
to qubes-users
On Thursday, November 30, 2017 at 1:37:59 PM UTC-8, Mike Keehan wrote:
> Hi Joe,
>
> This is the content of my EFI/qubes directory after installing
> Qubes 4.0-rc3 in EFI mode :-
>
> -rwxr-xr-x 1 root root 22231327 Nov 28 17:29 initramfs-4.9.56-21.pvops.qubes.x86_64.img
> -rwxr-xr-x 1 root root 5316864 Nov 28 17:29 vmlinuz-4.9.56-21.pvops.qubes.x86_64
> -rwxr-xr-x 1 root root 902 Nov 28 17:36 xen.cfg
> -rwxr-xr-x 1 root root 2056349 Nov 28 17:29 xen.efi
>
> I then selected which EFI directory to boot from using the bios.
>
> I think the EFI/Boot directory is just a default.
>
> Mike.

Thanks, Mike. In my case I can't even install Qubes in EFI mode because the installer won't run; and installing Qubes in Legacy mode will lead to an empty .cfg file. I'll take another stab at it tonight.
-joe

Mike Keehan

Dec 1, 2017, 4:22:44 AM
to qubes...@googlegroups.com
Hi Joe,

I had trouble installing due to video driver confusion. As the Qubes
installer is based on Fedora, I tried installing that first to see what
happens. Same problem. It turned out that I needed to add the
option "modprobe.blacklist=nouveau" to the kernel boot line in the
installer to allow Fedora to install OK.

The problem then was how to add that option to the Qubes installer.
Managed in the end by binary editing the iso.

Best of luck with your attempts.

Mike.

Stephan Marwedel

Dec 1, 2017, 5:01:47 PM
to qubes...@googlegroups.com

I have installed Qubes 3.2 successfully on my Thinkpad T470p (20J6CTO1WW). This machine is pretty similar to the T470, except that it has a quad-core i7 CPU. It runs perfectly and all Qubes functionality is available on that machine. The installation, however, was not an easy task.

1. Booting: UEFI is not a problem for the Qubes installer, but you must pay attention to how you created the bootable install media. Just using dd is not sufficient. I had to use the livecd-tools from Fedora to create the install media. After creating the media I had to manually set the partition label to BOOT using the dosfslabel utility. Otherwise, I was unable to boot from the media. It was not necessary to fall back to legacy boot or to mess around with the Grub configuration.

2. Networking: The onboard ethernet hardware is only supported by a 4.9 kernel or later, but the installer contains a 4.4 kernel. So you have no network in the sys-net vm. You have to manually download the source of the Intel network driver, compile it and install it using a USB media in the template vm. As soon as you have network access, upgrade dom0 to using the testing or unstable repository.

3. Graphics: The Kaby Lake Intel graphics works well with a newer kernel.

Summary: Prepare the boot media with more care than for older machines. Compile the ethernet network driver manually to enable network access after the install. Upgrade to kernel 4.9 in dom0 as soon as possible to enable graphics and networking support of your Thinkpad.
--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users...@googlegroups.com.
To post to this group, send email to qubes...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAJmbC%3DEVMcAMKEXLGPooXa-kQt7_vuUDigozex%2Bq4iUSARykoQ%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Joe Hemmerlein

Dec 2, 2017, 4:02:52 AM
to qubes-users
Danke, Stephan, your pointers were very valuable!

At first, I decided to just borrow an external DVD drive and boot off a DVD burned from the ISO, in UEFI mode. The result however was the same as when booting from my previously-created USB stick: grub boots, but no matter what I select, the screen briefly flashes and takes me back to grub. So.. yeah, the ISO image does not appear to be usable out of the box on some UEFI devices, even when burning it to a DVD.

Your description of the livecd-tools helped make good progress, but still without ability to boot the installer completely, but they sent me in the right direction. I then found https://groups.google.com/forum/#!topic/qubes-users/4VsKdxnKHBk, which described a process very similar to yours (it omits the part about using dosfslabel, but has a part about also updating the xen.cfg file).

Altogether, this did the trick!

In condensed form, this is what I did to create a USB install stick that works with UEFI on the T470:
1. Use the "livecd-iso-to-disk" utility from fedora livecd-tools to put the ISO image onto a USB stick
2. rename the USB stick's partition label to BOOT
3. edit the /BOOT/EFI/xen.cfg file on the USB stick's partition to make sure all LABEL=<something> instances are replaced with LABEL=BOOT

In a bit more detail:
- booted Fedora 26 live USB stick in UEFI mode
- installed livecd-tools: sudo dnf install livecd-tools
- attached a USB stick that contains the Qubes 4 RC3 x86-64 ISO image file
- verified digests and signatures for ISO image
- attached another USB stick to the fedora live instance to put the Qubes installer on (/dev/sdd)
- repartitioned /dev/sdd USB stick with a single (8GB) FAT32 partition and MBR, and marked bootable
- started imaging: sudo livecd-iso-to-disk /run/media/liveuser/qsrc/Qubes-R4.0-rc3-x86_64.iso /dev/sdd1
- waited for everything to complete (took quite a while)
- used dosfslabel to rename the qubes installer USB stick: sudo dosfslabel /dev/sdd1 BOOT
- manually edited the xen.cfg file on the install stick (located at <mountpoint>/BOOT/EFI): replaced all instances of "LABEL=Qubes-R4.0-rc3-x86_64" with "LABEL=BOOT"

Success!

Now one thing that is different is that after installation, the correct/selected keyboard layout (in my case English-Dvorak) isn't active when prompted for the LUKS passphrase; but after entering it in QWERTY, Qubes OS boots and completes configuration.

But the primary issue, not being able to boot in UEFI mode, is solved.

Thanks everyone for your input!

Cheers,
-joe

Stephan Marwedel

Dec 2, 2017, 6:41:26 AM
to Joe Hemmerlein, qubes-users
Hi Joe,

thanks for the concise summary :-)

I actually forgot to mention the necessary changes to the xen.cfg that
you correctly described.

Now we have a nice recipe to install Qubes on modern Thinkpads. This
should become part of the official documentation.

Using this recipe I will try to install Qubes on my recently acquired
Anniversary Thinkpad 25 which is essentially a T470 with a different
keyboard and a dedicated GPU.

Cheers,
Stephan

Joe Hemmerlein

Dec 2, 2017, 2:09:03 PM
to qubes-users
On Saturday, December 2, 2017 at 3:41:26 AM UTC-8, Stephan Marwedel wrote:
> Now we have a nice recipe to install Qubes on modern Thinkpads. This
> should become part of the official documentation.

Pull request: https://github.com/QubesOS/qubes-doc/pull/490

Marek Marczykowski-Górecki

Dec 2, 2017, 9:04:08 PM
to Joe Hemmerlein, qubes-users
On Sat, Dec 02, 2017 at 01:02:52AM -0800, Joe Hemmerlein wrote:
> Danke, Stephan, your pointers were very valuable!
>
> At first, I decided to just borrow an external DVD drive and boot off a DVD burned from the ISO, in UEFI mode. The result however was the same as when booting from my previously-created USB stick: grub boots, but no matter what I select, the screen briefly flashes and takes me back to grub. So.. yeah, the ISO image does not appear to be usable out of the box on some UEFI devices, even when burning it to a DVD.
>
> Your description of the livecd-tools helped make good progress, but still without ability to boot the installer completely, but they sent me in the right direction. I then found https://groups.google.com/forum/#!topic/qubes-users/4VsKdxnKHBk, which described a process very similar to yours (it omits the part about using dosfslabel, but has a part about also updating the xen.cfg file).
>
> Altogether, this did the trick!

Thanks for posting detailed instruction. And for the pull request for
qubes-doc!

> In condensed form, this is what I did to create a USB install stick that works with UEFI on the T470:
> 1. Use the "livecd-iso-to-disk" utility from fedora livecd-tools to put the ISO image onto a USB stick
> 2. rename the USB stick's partition label to BOOT
> 3. edit the /BOOT/EFI/xen.cfg file on the USB stick's partition to make sure all LABEL=<something> instances are replaced with LABEL=BOOT

Does anyone have an idea what difference livecd-iso-to-disk makes,
compared to isohybrid? If possible, we'd like to make the installation iso
work out of the box on UEFI systems, including new ones...

I wonder if Fedora netinst iso (_not_ Live iso) boots on such new
hardware, after directly dd-ing it to USB stick. Can you check that?
Just see if installer starts. It's here:

https://alt.fedoraproject.org/

If that would work, I can try to find what is different about those
images and fix Qubes iso.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Joe Hemmerlein

Dec 3, 2017, 4:24:16 AM
to qubes-users
On Saturday, December 2, 2017 at 6:04:08 PM UTC-8, Marek Marczykowski-Górecki wrote:
> Does anyone have an idea what difference livecd-iso-to-disk makes,
> compared to isohybrid? If possible, we'd like to make the installation iso
> work out of the box on UEFI systems, including new ones...
>
> I wonder if Fedora netinst iso (_not_ Live iso) boots on such new
> hardware, after directly dd-ing it to USB stick. Can you check that?
> Just see if installer starts. It's here:
>
> https://alt.fedoraproject.org/
>
> If that would work, I can try to find what is different about those
> images and fix Qubes iso.

Hi Marek,

I just tried the Fedora netinst image, dd'd it onto a USB stick, and it successfully booted.

One minor observation I made in the process: the Qubes ISO9660 volume label includes a dot/period; the netinst image doesn't.

This triggered a deja-vu from understanding why we need to update the volume label and edit xen.cfg after using livecd-iso-to-disk: this approach creates a FAT32 to hold everything, but the xen.cfg file uses the Qubes volume label "Qubes-R4.0-rc3-x86_64" to identify where to load inst.stage2 from, and FAT32 volumes can't have labels that are this long and they also have trouble with periods in the label. Sure, FAT32 isn't ISO9660, but ISO9660 is also a bit troubled with a few different interpretations of the standard and restrictions.

Also, a Qubes dd'd USB stick contains an ISO9660 partition and a FAT16 partition with a stub; I could validate that my T470 boots directly from ISO9660, ignoring the FAT16 partition.

Speaking of which... I found a way to make a USB install stick, much easier than using livecd-iso-to-disk tools:
- create a FAT32 partition (not too big) on the USB stick
- mark the partition as active (if MBR; not needed if GPT)
- mount the ISO image
- mirror the file system structure from the mounted ISO image to the FAT32 volume
- give the FAT32 volume a meaningful label (not to exceed 11 chars)
- update EFI/BOOT/xen.cfg on the FAT32 volume to match that label

You can even do that on Windows without needing Rufus :) I'll update the doc one more time to include instructions for Windows users. Maybe even remove the livecd-iso-to-disk instructions again, I'm not sure.
-joe
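
The label constraint and the xen.cfg edit shared by the two recipes in this thread (the livecd-iso-to-disk one and the FAT32 mirror one above), as an added shell example that is not part of the original posts. The function names and the sample xen.cfg are constructed for illustration, and restricting the label to A-Z, 0-9, "_" and "-" is a conservative assumption of this example; the path to xen.cfg is passed in because the thread gives it differently for each recipe.

```shell
#!/bin/sh
# Added example, not from the thread: validate a FAT volume label and point
# every LABEL= reference in the installer's xen.cfg at it.
LC_ALL=C; export LC_ALL   # make the A-Z range below byte-exact

# valid_fat_label LABEL
# Returns 0 if LABEL fits a FAT volume label as described in the thread:
# at most 11 characters and no period. Limiting it to A-Z, 0-9, "_" and "-"
# is a conservative assumption of this example, not a rule from the thread.
valid_fat_label() {
    label=$1
    [ -n "$label" ] || return 1
    [ "${#label}" -le 11 ] || return 1
    case $label in
        *[!A-Z0-9_-]*) return 1 ;;
    esac
    return 0
}

# list_labels CFG
# Prints each distinct LABEL= value referenced in CFG, one per line.
list_labels() {
    tr -s '[:space:]' '\n' < "$1" |
        sed -n 's/.*LABEL=\([^:]*\).*/\1/p' | sort -u
}

# relabel_xen_cfg CFG NEWLABEL
# Rewrites every LABEL=<something> in CFG to LABEL=NEWLABEL, keeping the
# original as CFG.orig. Fails if the label is unusable or if, afterwards,
# the file does not reference exactly the new label (e.g. no LABEL= at all).
relabel_xen_cfg() {
    cfg=$1
    new=$2
    valid_fat_label "$new" || { echo "unusable FAT label: $new" >&2; return 1; }
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    cp -p "$cfg" "$cfg.orig" || return 1
    # A label ends at whitespace or at ':' (as in hd:LABEL=X:/path).
    sed "s/LABEL=[^[:space:]:]*/LABEL=$new/g" "$cfg.orig" > "$cfg" || return 1
    [ "$(list_labels "$cfg")" = "$new" ]
}

# make_sample_cfg PATH
# Writes a constructed xen.cfg (sample data for this example only).
make_sample_cfg() {
    cat > "$1" <<'EOF'
[global]
default=qubes-verbose

[qubes-check]
options=console=none
kernel=vmlinuz inst.stage2=hd:LABEL=Qubes-R4.0-rc3-x86_64 rd.live.check quiet
ramdisk=initrd.img

[qubes-verbose]
options=console=vga
kernel=vmlinuz inst.stage2=hd:LABEL=Qubes-R4.0-rc3-x86_64
ramdisk=initrd.img
EOF
}

# Demo on the constructed sample. On a real stick, pass the path of xen.cfg
# on the mounted FAT32 volume and the label that was given to that volume.
demo_dir=$(mktemp -d)
make_sample_cfg "$demo_dir/xen.cfg"
echo "before: $(list_labels "$demo_dir/xen.cfg")"
relabel_xen_cfg "$demo_dir/xen.cfg" BOOT &&
    echo "after:  $(list_labels "$demo_dir/xen.cfg")"
rm -rf "$demo_dir"
```

The original ISO label fails the check on both counts the post names (length and the period), which is why the stick only boots once the volume label and xen.cfg agree on a short one.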

Mike Keehan

Dec 3, 2017, 6:16:01 AM
to qubes...@googlegroups.com
Hi Marek,

Even using that network iso to boot my Dell XPS 15 (2017), I still need
to add the option "modprobe.blacklist=nouveau" to the boot command line
to allow the installer to work. Without that option, the installer
gets a 'stuck cpu' error, with the stack trace showing the nouveau
driver as the culprit.

I could not figure out how to edit the xen.cfg file to add the option
there - others seem to have managed to do that though.

Best wishes,

Mike.

Andrew Sorensen

Dec 5, 2017, 2:06:16 AM
to qubes-users
Thanks for the detailed write-up. Based on the steps you've provided, it appears that the TPM is present in /sys/class/devices/tpm, but no PCRs are present and it's not possible to take ownership of the TPM with tpm_takeownership. Did you get further on this, e.g. to set up anti-evil-maid?

jos...@gmail.com

Dec 6, 2017, 5:05:06 AM
to qubes-users
On Thursday, 30 November 2017 11:07:59 UTC+1, Joe Hemmerlein wrote:
> Hi,
>
> so far it was easy to install and run Qubes OS 4.0 RC3 (and RC2) on this hardware - as long as I keep boot mode on "Legacy Only".
>
> However, the TPM chip on this hardware works in UEFI boot mode only; and even with secureboot disabled and CSM support enabled, I can't get Qubes OS to boot in UEFI mode:
> - The installer doesn't run in UEFI mode (I get text mode grub, but whatever I select simply does nothing and returns to grub)
> - If I turn UEFI mode on after installing Qubes OS, I don't even get grub.
> - I tried the UEFI troubleshooting guide to no avail, although I was unable to run efibootmgr directly while in legacy boot mode ("EFI variables are not supported on this system") so in order to run efibootmgr, I booted a separate Fedora 26 Live image which does boot in UEFI mode. However, even with updated records, the result is the same: selecting those options from the UEFI boot menu simply makes the screen flicker once and then I'm back in the UEFI boot menu.
> - I tried copying the EFI and CFG file to /EFI/BOOT and renaming them to BOOTX64.EFI and .CFG, and also created new entries with efibootmgr for this, again without success.
>
> I also tried installing Qubes OS 3.2 on this system which didn't work and initial troubleshooting failed; but I'd like to concentrate my efforts on making this work for Qubes 4.0 so I didn't spend too much time on getting Qubes OS 3.2 on the T470.
>
> Any hints about troubleshooting the UEFI boot option are appreciated; I can also provide more exact details about what I already tried. Given the specs of this machine, I'm really determined to not give up easily.
>
>
> For now, I'll test other functionality in legacy mode only.
>
> Cheers,
> -joe

Hi,

I have managed to keep everything pretty standard in my installation on my T470p.

* Turn off SecureBoot
* dd iso (qubes 4.0) to USB-stick
* add rEFInd to another USB-stick
* boot on the rEFInd USB-stick and start the installer.

I struggle with TPM, but I figure that I should go through the guide over here: https://github.com/tklengyel/xen-uefi to sign the xen-efi and get TPM.

Regards
Josef

pub0...@gmail.com

Dec 14, 2017, 10:04:24 PM
to qubes-users
> Does anyone have an idea what difference livecd-iso-to-disk makes,
> compared to isohybrid? If possible, we'd like to make the installation iso
> work out of the box on UEFI systems, including new ones...

No, but I have what seems like another data point. On my Lenovo
T520 under UEFI, trying to boot the 4.0rc3 installer produces
similar symptoms: whichever option I choose from the grub menu,
the screen goes blank briefly (I didn't measure, but probably
<2sec), then comes back to the grub menu. Repeat ad nauseam.

But if I try the same thing from EFI Shell (version 1, because my
UEFI firmware's too old to support version 2), I get this:
Read failed for initrd.img: Device error
fs1:\EFI\BOOT> # i.e. it comes right back to the shell prompt

And sure enough, when I try again from grub, I can *sometimes*
see a very brief flash of purple before the grub menu returns. I
suspect that Qubes/Xen is displaying the same message, but then
grub is clearing the screen too quickly for me to read it.

Details:
- Hardware: Lenovo T520, model 4239-CTO (this laptop was bought
in 2012, and has been happily running Ubuntu in UEFI mode
ever since)

- BIOS: 8AET56WW (1.36 ) 12/06/2011
- I think the UEFI version is 2.0, but not totally sure

- TPM *disabled* (one thing at a time, y'know?)

- I'm not using USB, but rather a real DVD+R, burned directly
from the (signature-verified) .iso

- I've verified the DVD media against the original .iso image
*after* seeing these symptoms, which suggests it isn't an
actual media error

So, two things:
- If this is helpful (and it's a solvable problem), awesome!

- I'd suggest adding a "Hit <ENTER> to continue" (perhaps with
timeout) after a failed boot attempt, to keep any error
message on screen for a while

> I wonder if Fedora netinst iso (_not_ Live iso) boots on such new
> hardware, after directly dd-ing it to USB stick. Can you check that?

I already have :-) Fedora 27 netinst (again, signature-verified
and burned to optical media) boots successfully. I aborted the
installer at its first (language) prompt. I wasn't sure which
Fedora version 4.0rc3 contains, so picked the newest; if you'd
like me to test an older one, please let me know -- or if you
need more information (including a reboot to verify the UEFI
version).

- Eric

Eric Siegerman

Dec 14, 2017, 10:23:52 PM
to qubes-users
Here's a screenshot of the above-described boot error:
https://photos.google.com/photo/AF1QipMO-vL-kcyiORVEZ5P4ydjpdBJwwzzTZ00JuNm1



pub0...@gmail.com

Dec 14, 2017, 11:00:42 PM
to qubes-users
OK, here is (I hope) a *public* version of said screen shot:
https://photos.google.com/share/AF1QipMRlHUC5EOV-PQD5kfWWfCp9BDroAHDXGAFdWcq_SrmJhfhnHHOF6ZvYU7-JenLOA?key=MlJxWFRyZm1OTHBnWXpHd1pfUXNVYzJjMmJsTlRR

(Just learning Google Photo, Google+, gmail, etc., for purposes of this post. Until now I've been able to avoid them :-/ )

- Eric

koto...@gmail.com

Dec 15, 2017, 4:20:27 AM
to qubes-users
Hello everyone,

I tried to install Qubes 3.2 on a T470s without success. I have the version with the Intel graphics. I did everything in Legacy Mode (no EFI). It does boot but the X server cannot start. Text installation did not work.

Stephan Marwedel says in this thread he managed to install 3.2. How?

I cannot wait for version 4 to come in January or later and installing RC version is risky since I need the laptop for work and no migration path from RC to candidate is guaranteed by the Qubes OS team.

Any help will be highly appreciated!

Josef Johansson

Dec 15, 2017, 10:12:49 AM
to pub0...@gmail.com, qubes-users

Hi,

I would try my path, download rEFInd to another usb-stick and boot the installer from there.

The only file you need is the EFI-file: https://sourceforge.net/projects/refind/

Also, that is an interesting data point as well, the bootx64.efi loader on the usb install works if it is started through rEFInd.

Cheers
Josef



koto...@gmail.com

Dec 15, 2017, 10:20:47 AM
to qubes-users
Thank you for your reply.

Could you explain to me why using EFI would solve the problem of the X server not starting?

Josef Johansson

Dec 15, 2017, 2:23:47 PM
to koto...@gmail.com, qubes-users

Sorry, I missed that part of your reply. I was answering both of you :)

I'll see if I can get Qubes 3.2 running on my T470p in the weekend if there's time. My colleague ended up with 4.0 with legacy boot to get everything working, so I just started from there. Using it for critical work and so far it's quite stable.

Regards
Josef


On Fri, 15 Dec 2017, 16:20, <koto...@gmail.com> wrote:
> Thank you for your reply.
>
> Could you explain to me why using EFI would solve the problem of the X server not starting?


Sven Semmler

Jan 6, 2018, 10:32:35 PM
to qubes...@googlegroups.com
On 12/15/2017 03:20 AM, koto...@gmail.com wrote:
> It does boot but the X server cannot start. Text installation did
> not work.

Based on swami's post from 9/15/17 I suspect you need kernel 4.9 in
dom0 ...

https://groups.google.com/d/msg/qubes-users/ZFZT7mQNeWY/xZ1AiCYOAwAJ

> In BIOS setup, disable Secure Boot and set graphics mode to
> DISCRETE, otherwise the graphical installer won't start - You can
> set graphics mode back to Hybrid once Qubes is installed and kernel
> is upgraded to 4.9.45-21.pvops.qubes.x86_64

He is talking about a ThinkPad P51 which has both DISCRETE (NVidia only)
and HYBRID (Intel with option to switch to NVidia) graphics. I just
recently installed Qubes 3.2 on ThinkPad P51 and posted my experience to
qubes-users and my website:

http://svensemmler.org/blog/2017/12/17/qubes-on-thinkpad-p51.html

There I also describe an alternative to Stephan Marwedel's approach to
the network drivers. I used an Ethernet-to-USB adapter to run the
initial dom0 update.

Anyway, all that doesn't help you.

1. Text install is not working for you
2. X server with Intel graphics needs dom0 on 4.9
3. Install media of Qubes 3.2 is kernel 4.4

So you either get R4 to work (my last attempt with RC3 was rough - but
your mileage may differ) OR you give Frédéric Pierret's _unofficial_
R3.3 a try ...

https://groups.google.com/d/msg/qubes-users/4le5YK2V9Qg/HrdmUi6dBAAJ

/Sven


Josef Johansson

Jan 7, 2018, 2:19:36 AM
to koto...@gmail.com, qubes-users
Just to note this here, we tried to install Qubes 3.2 on a T470p with Intel and Nvidia graphics, with secureboot off and starting the installer through refind. It all went fine, except that neither ethernet nor wifi was detected (solvable through fw updates I assume). X started ok though.

/Josef

koto...@gmail.com

Jan 7, 2018, 2:47:51 PM
to qubes-users
Thanks everyone for the replies. I finally opted for RC3 and after fixing the iso with a live fedora and livecd-tools it went almost without problems. The only problem was that the keyboard layout chosen during the installation was not taken into account for prompting the encryption password when booting.

I hope I will not encounter too many bugs with it and be able to work. It seems okay for the few hours I had to use it and even more resistant to usb devices being physically disconnected without detaching them than 3.2.

leonardo.p...@gmail.com

Jan 8, 2018, 1:52:31 AM
to qubes-users
Sorry man,
My question might be a duplicate, but I'm not really good at IT. Would you be so nice as to tell me which of these components that laptop is compatible with: HVM, IOMMU, SLAT, TPM, Xen, Kernel?
Let me know.
Thanks very much 👍
Leonardo

rysiek

Jan 8, 2018, 6:22:07 AM
to qubes...@googlegroups.com
On Saturday, January 6, 2018 9:32:20 PM CET Sven Semmler wrote:
> On 12/15/2017 03:20 AM, koto...@gmail.com wrote:
> > It does boot but the X server cannot start. Text installation did
> > not work.
>
> Based on swami's post from 9/15/17 I suspect you need kernel 4.9 in
> dom0 ...
>
> https://groups.google.com/d/msg/qubes-users/ZFZT7mQNeWY/xZ1AiCYOAwAJ

I can confirm that T470 won't work with stock R3.2 kernel. Just go for R4.0,
works pretty well.

--
Regards,
Michał "rysiek" Woźniak

Changing my GPG key :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

cooloutac

Jan 9, 2018, 7:48:21 PM
to qubes-users
On Thursday, November 30, 2017 at 5:07:59 AM UTC-5, Joe Hemmerlein wrote:
> Hi,
>
> so far it was easy to install and run Qubes OS 4.0 RC3 (and RC2) on this hardware - as long as I keep boot mode on "Legacy Only".
>
> However, the TPM chip on this hardware works in UEFI boot mode only; and even with secureboot disabled and CSM support enabled, I can't get Qubes OS to boot in UEFI mode:
> - The installer doesn't run in UEFI mode (I get text mode grub, but whatever i select simply does nothing and returns to grub)
> - If I turn UEFI mode on after installing Qubes OS, I don't even get grub.
> - I tried the UEFI troubleshooting guide to no avail, although I was unable to run efibootmgr directly while in legacy boot mode ("EFI variables are not supported on this system") so in order to run efibootmgr, i booted a separate Fedora 26 Live image which does boot in UEFI mode. However, even with updated records, the result is the same: selecting those options from the UEFI boot menu simply makes the screen flicker once and then i'm back in the UEFI boot menu.
> - I tried copying the EFI and CFG file to /EFU/BOOT and renaming them to BOOTX64.EFI and .CFG, and also created new entries with efibootmgr for this, again without success.
>
>
> I also tried installing Qubes OS 3.2 on this system which didn't work and initial troubleshooting failed; but I'd like to concentrate my efforts on making this work for Qubes 4.0 so i didn't spend too much time on getting Qubes OS 3.2 on the T470.
>
>
>
> Any hints about troubleshooting the UEFI boot option are appreciated; i can also provide more exact details about what i already tried. Given the specs of this machine, I'm really determined to not give up easily.
>
>
> For now, I'll test other functionality in legacy mode only.
>
> Cheers,
> -joe

What if CSM enabled and legacy bios mode if you have it?


cooloutac

Jan 9, 2018, 7:49:53 PM
to qubes-users
Apologies, just read that you say it leads to an empty .cfg file. What do you mean? Grub file? That's weird. Curious, are you multi-booting?

leonardo.p...@gmail.com

Jan 23, 2018, 8:08:23 AM
to qubes-users
I have got problems installing Qubes R4.0 on the Lenovo PC. I get a kernel panic. Where can I publish the photo of the screen? Please help me :)

jos...@gmail.com

Jul 23, 2018, 5:36:36 PM
to qubes-users
On Tuesday, 23 January 2018 14:08:23 UTC+1, leonardo.p...@gmail.com wrote:
> I have got problems installing Qubes R4.0 on the Lenovo PC. I get a kernel panic. Where can I publish the photo of the screen? Please help me :)

Did you solve this?
I would open a new thread, but you got the correct mailing list.
