My employer recently issued me a Dell Precision 7550, which came with an
Ubuntu installation with some OEM customizations. I hoped to use Qubes
OS to protect my employee records and communications from all the
software I'll be running as part of my development work.
Unfortunately, my assessment is that under even a pessimistic estimate
of this risk, given the many problems and my limited hardware
troubleshooting skills, I don't want to do any more work to try to get
Qubes OS to work adequately on this laptop at this time.

I used the Qubes R4.0.3 installer and the Fedora 32 XFCE template.
After installation, I ran updates in both dom0 and the template to see
if that would help with anything, but it didn't. (Given that the
network didn't work under Qubes OS, I ran updates using a nasty,
insecure hack that I deemed adequate for testing, with plans to
reinstall with a better approach if I thought there was hope of
success.)

- To get the installer to start at all, I had to remove noexitboot and
mapbs as described at
https://www.qubes-os.org/doc/uefi-troubleshooting/#removing-noexitboot-and-mapbs
and turn off "Enable switchable graphics" in the BIOS.
- Display redrawing was very slow in both the installer and dom0 after
installation: when I advanced to the next screen of the installer or
started an application in dom0 such as Qube Manager, it could take up
to a second or so for the screen to redraw from top to bottom.
Disabling compositing in the XFCE Window Manager Tweaks in dom0 made
the problem less bad, but it was still unacceptable to me.
- After installation, the screen brightness keys on the keyboard had no
effect on the screen brightness, and when I tried to drag the screen
brightness slider in the XFCE Power Manager applet, the applet
segfaulted.
- When my NetVM used the dom0-provided kernel, neither the wired nor
the Wi-Fi network device worked. When it used the kernel in the VM,
the boot process got stuck for a reason not evident from the log in
Qube Manager, whether or not the network PCI devices were assigned to
the VM. When the devices were assigned, the log did show that the VM
tried to initialize at least the wired network using the "e1000e"
driver.

I'm going to use the OEM procedure to wipe the laptop and reinstall the
OS now because I need to reinstall the OS anyway for another reason.
I'm open to parallel installing Qubes OS again in the future if
someone wants me to perform specific tests, though it will be a low
priority for me.

This was a humbling reminder that I can't assume Qubes OS will work on
arbitrary hardware. I was very fortunate that when I first tried it in
October 2014, it worked on the personal Lenovo ThinkPad L430 that I had
bought in November 2012 without anticipating I'd use Qubes OS. For my
next personal laptop, I'll definitely shop for Qubes OS compatibility,
but my employer is only half-serious about information security and I
don't think I have any leverage to ask them to consider Qubes OS
compatibility in purchasing company laptops.

Matt