Hi all

Adding to the reports about the Thinkpad X1 Carbon 4th gen (20FB), here are my
experiences with the ThinkPad X1 Yoga 20FQ005UGE:

## TL;DR

Qubes OS R3.1 works in CSM mode but the graphics becomes unusable after
suspending, switching to another vty or changing any graphics option. Some
workarounds were required for Grub and the NVMe SSD.
Qubes OS R3.2 cannot be installed directly (neither in native UEFI nor CSM).
When doing an in-place upgrade from R3.1 to R3.2, only the 4.1 kernel boots
and can be used to upgrade to 4.8, which fixes the graphics issues.

I have been testing with Qubes OS R3.2 for one month and am really happy with
it. Works for me :) Awesome work!

## Long version

The graphics problems I experienced were already described here:
https://groups.google.com/forum/#!msg/qubes-users/QOINoTl1aXc/2dXut2SrBAAJ

### Qubes OS R3.1 installation

Installer finished but after the reboot Grub is not able to find its /boot.
Same as the initial post here:
https://www.reddit.com/r/Qubes/comments/4vqb3y/grub_fails_to_boot

`ls` only shows: (hd0)
So, no partitions.

Possible fix: Boot into rescue mode of the installer and install /boot and
Grub onto a USB thumb drive. I used the handy anti-evil-maid-install script
for this task which only needed to be slightly modified (attached).
Not needed when using Grub from R3.2.

### Qubes OS R3.2 installation

The platform resets when booting Linux 4.4.31 from R3.2 with CSM, as described
in https://www.reddit.com/r/Qubes/comments/4vqb3y/grub_fails_to_boot/ and
https://groups.google.com/forum/#!topic/qubes-users/mOlHA2KhzLE
When debugging is enabled, you can see that Xen boots just fine and one of the
last entries is that Xen starts dom0.

* i915.enable_rc6=0 did not help (suggested here:
https://www.qubes-os.org/doc/thinkpad-troubleshooting/#thinkpads-with-intel-hd-3000-graphics)
* intel_pstate=disable did not help (suggested here:
http://www.thinkwiki.org/wiki/Installing_Fedora_24_on_a_ThinkPad_X1_Yoga#Success_Chart_-_Out_of_the_box_experience)

### UEFI boot

UEFI mode is not usable as Grub refuses to boot any menu option for some
reason for every version of Qubes OS I have tested. I disabled secure boot.

The following error message is shown:

/EndEntire
file path: /<device_path>/File/(\EFI\BOOT)/File(xen.efi)/EndEntire
Xen 4.6.1 (c/s) EFI loader

  Failed to boot both default and fallback entries.

I already tried the things mentioned here:
https://www.qubes-os.org/doc/uefi-troubleshooting/
as suggested in
https://groups.google.com/d/msg/qubes-users/vPDD4rgNXx4/5faeFS-RBgAJ
This does not help.

### Kernel update

* 4.1.24 works, with graphics problems.
* 4.4.31 does not boot (platform resets when the kernel is loaded, no kernel
messages), following
https://groups.google.com/forum/#!msg/qubes-users/m8sWoyV58_E/HYdReRIYBAAJ
* 4.8.11-100.vanilla.knurd.fc23 boots but hangs after the root filesystem has
been mounted (FDE password entered). A `_` keeps appearing for about 0.5
seconds every 4 seconds.
* 4.8.12-12 works without issues.

`qubes-dom0-update --enablerepo=qubes-dom0-unstable kernel` and `dnf upgrade
kernel` worked!

### Screen brightness

By default the screen brightness cannot be controlled by xfce and is at
maximum. There is a workaround for this:

dom0# qubes-dom0-update bc inotify-tools

And then run
https://github.com/rickybrent/x1yoga-scripts/blob/master/x1yoga-backlight-mon.sh
in dom0.
To start the script automatically at boot you can use "Sessions and Startup"
from xfce or other means.

### Touch screen

Works without issues in the default configuration. See sys-usb for more details.

### AEM

I only got AEM working with neither owner nor SRK password set. As soon as I
set any one of the passwords (even after a full TPM clear), the password is
asked for at boot, but the password is not accepted (error: "Key not found in
persistent storage"). When setting both passwords to well known, it works,
with the exception that the secret message is not shown in plymouth but only
on the text console (switched to with ESC).
I removed the plymouth packages from dracut again with `dnf remove
'*plymouth*' && dracut -f` which solved it.
I expect that this problem was caused by the in place upgrade from R3.1 to
R3.2 or the fact that I removed the plymouth packages previously for debugging
and later reinstalled them on R3.2.

TXT seems to not work. If enabled in the UEFI setup, the platform resets after
grub. The last message shown is that 6th_gen_i5_i7_SINIT_71.BIN has been
loaded. I updated the AEM config in /etc to use SRTM for now.

I will retry with a clean install when possible but for now it works with the
mentioned limitations.

### Grub

Grub is horribly slow in default config on this machine. You can read the few
text lines as they start appearing on the screen and are only able to make
selections when it is done.

Set `GRUB_TERMINAL=console` in `/etc/default/grub` and regenerate grub.cfg to
work around this.

### sys-usb

Required the `qvm-prefs sys-usb -s pci_strictreset false` workaround [1]
unfortunately. I was not able to fix this by any UEFI setting.

[1]:
https://www.qubes-os.org/doc/user-faq/#i-created-a-usbvm-and-assigned-usb-controllers-to-it-now-the-usbvm-wont-boot

I tried USB mouse usage, which works, but this does not make the touch screen
work again. I did not yet check touch screen + sys-usb in more detail, maybe
later.

### Network

Ethernet works out of the box with Fedora 23 and Debian 8 and 9. Had no issue
after resuming from S3.

WLAN works after installing firmware-iwlwifi in Debian 9. The only problem is
that almost every time after resuming from S3, the net VM needs to be restarted
to get wlan working again. The following is logged in sys-net:

[14543.999216] e1000e: eth0 NIC Link is Down
[14548.117695] e1000e: eth0 NIC Link is Down
[14548.314301] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[23785.273315] e1000e: eth0 NIC Link is Down
[23785.307940] wlan0: deauthenticating from xx:xx:xx:xx:xx:xx by local choice (Reason: 3=DEAUTH_LEAVING)
[23786.152843] Freezing user space processes ... (elapsed 0.001 seconds) done.
[23786.154342] Freezing remaining freezable tasks ... (elapsed 0.000 seconds) done.
[23786.155692] PM: freeze of devices complete after 0.347 msecs
[23786.155697] suspending xenstore...
[23786.155764] PM: late freeze of devices complete after 0.065 msecs
[23786.171420] PM: noirq freeze of devices complete after 15.649 msecs
[23786.172443] xen:grant_table: Grant tables using version 1 layout
[23786.172443] PM: noirq thaw of devices complete after 0.708 msecs
[23786.172443] PM: early thaw of devices complete after 0.086 msecs
[23786.172846] PM: thaw of devices complete after 0.407 msecs
[23786.172846] Restarting tasks ... done.
[23809.722077] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[23810.002035] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
[23810.006535] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
[23810.008657] iwlwifi 0000:00:01.0: L1 Enabled - LTR Enabled
[23810.010616] iwlwifi 0000:00:01.0: L1 Enabled - LTR Enabled
[23815.012114] iwlwifi 0000:00:01.0: Failed to load firmware chunk!
[23815.012150] iwlwifi 0000:00:01.0: Could not load the [0] uCode section
[23815.012182] iwlwifi 0000:00:01.0: Failed to start INIT ucode: -110
[23815.012208] iwlwifi 0000:00:01.0: Failed to run INIT ucode: -110
[23815.042145] iwlwifi 0000:00:01.0: L1 Enabled - LTR Enabled
[23815.044004] iwlwifi 0000:00:01.0: L1 Enabled - LTR Enabled
[23820.043139] iwlwifi 0000:00:01.0: Failed to load firmware chunk!
[23820.043194] iwlwifi 0000:00:01.0: Could not load the [0] uCode section
[23820.043230] iwlwifi 0000:00:01.0: Failed to start INIT ucode: -110
[23820.043249] iwlwifi 0000:00:01.0: Failed to run INIT ucode: -110
[23820.049489] iwlwifi 0000:00:01.0: L1 Enabled - LTR Enabled
[23820.051445] iwlwifi 0000:00:01.0: L1 Enabled - LTR Enabled
[23825.054064] iwlwifi 0000:00:01.0: Failed to load firmware chunk!
[23825.054078] iwlwifi 0000:00:01.0: Could not load the [0] uCode section
[23825.054088] iwlwifi 0000:00:01.0: Failed to start INIT ucode: -110
[23825.054093] iwlwifi 0000:00:01.0: Failed to run INIT ucode: -110
[23835.017335] iwlwifi 0000:00:01.0: L1 Enabled - LTR Enabled
[23835.019072] iwlwifi 0000:00:01.0: L1 Enabled - LTR Enabled

### UEFI Firmware versions

Most of the testing was done using the N1FET44W (1.18) version which the laptop
shipped with. I am now using the latest N1FET47W (N1FUR14W, 1.21) version
without issues. SHA512 sums:

66482797a45526a3b3e44ea67731d586b505933413dd884fc42df4825890f29cf228aa0f18a0d28c490de1854937a3ed6cb5a2a53929f7cb4245002ea8ba5e8c  n1fur14w.img
06bc63be4a846e9336281877300c2e4d75c8a8bd7bb9487cff8bc7c7d2f08fb0559558cc29a660c2e3c580da3e5844d1e2382cd39936448d0da81246f7ded9b8  n1fur14w.iso

### Other issues

* At least in CSM, the machine seems to be unable to boot from microSD.
* Powering up after suspend/S3 does/did not always work. The problem is
sometimes that pressing the power button when the system is in suspend does
not have any effect. The system has to be turned off by long-pressing the power
button and then booted normally. Not yet sure what causes it. Might be related
to AC power being connected.
* Hibernate S4 does not work: hibernate.target: Job hibernate.target/start
failed with result 'dependency'.
* TrackPoint scrolling: the usual X11 workaround works just fine.

### Works out of the box

* Webcam after attaching it via qvm-usb to a VM
* Speakers, headset jack

### HCL

Pull request already opened: https://github.com/QubesOS/qubes-hcl/pull/4
I will update it with a link to this post on the ML.

-- 
Live long and prosper
Robin `ypid` Schneider -- https://me.ypid.de/

Attachment: anti-evil-maid-install (modified)

#!/bin/sh -e

LABEL_PREFIX=aem
AEM_DIR=/var/lib/anti-evil-maid
TPM_DIR=/var/lib/tpm
TPMS_DIR=${TPM_DIR}s
CACHE_DIR=/run/anti-evil-maid
SRK_PASSWORD_CACHE=$CACHE_DIR/srk-password
SUFFIX_CACHE=$CACHE_DIR/suffix


# work with or without plymouth

if command plymouth --ping 2>/dev/null; then
    alias plymouth_active=true
    alias message=plymouth_message
else
    alias plymouth=:
    alias plymouth_active=false
    alias message=log
fi


getluksuuids() {
    _CMDLINE=${_CMDLINE-$(cat /proc/cmdline)}

    for _param in $_CMDLINE; do
       case "$_param" in rd.luks.uuid=*|rd_LUKS_UUID=*)
           _param=${_param#*=}
           echo  "${_param#luks-}"
       esac
    done
}

log() {
    echo "${0##*/}: $1" >&2
}

waitfor() {
    case $# in
        2) _file=$2; _what=connected ;;
        3) _file=$3; _what=removed ;;
        *) return 1 ;;
    esac

    if [ "$@" ]; then
        return
    fi

    message "Waiting for $_file to be $_what..."
    plymouth pause-progress
    until [ "$@" ]; do
        sleep 0.1
    done
    plymouth unpause-progress
    message "$_file $_what"
}

synctpms() {
    _label=${1:?}
    _mnt=${2:?}

    message "Syncing to $_mnt"

    _mnt_tpms_dir=$_mnt/aem/${TPMS_DIR##*/}
    rm -rf "$_mnt_tpms_dir"

    _ids=$(ls "$TPMS_DIR")
    for _id in $_ids; do
        mkdir -p "$_mnt_tpms_dir/$_id"
        cp "$TPMS_DIR/$_id/system.data" "$_mnt_tpms_dir/$_id"

        if [ -d "$TPMS_DIR/$_id/$_label" ]; then
            cp -r  "$TPMS_DIR/$_id/$_label" "$_mnt_tpms_dir/$_id"
        fi
    done
}

devtomnt() {
    lsblk -dnr -o MOUNTPOINT "$1" 2>/dev/null |
    sed 's/%/\\x25/g' |
    xargs -0 printf
}

topdev() {
    lsblk -snrp -o KNAME "$1" | tail -n 1
}

external() {
    _aem_whole=$(topdev "$1")
    for _luks_uuid in $(getluksuuids); do
        _luks_whole=$(topdev "/dev/disk/by-uuid/$_luks_uuid")
        if [ "$_aem_whole" = "$_luks_whole" ]; then
            return 1
        fi
    done
    return 0
}

removable() {
    _rm=$(lsblk -dnr -o RM,LABEL "$1")
    case "$_rm" in
        *.rm=[01]) _rm=${_rm##*=} ;;
                *) _rm=${_rm%% *} ;;
    esac

    [ "$_rm" = 1 ]
}
LABEL_SUFFIX_CHARS=0-9a-zA-Z=.-
BOOT_DIR=/boot
GRUB_DIR=$BOOT_DIR/grub2
GRUB_CFG=$GRUB_DIR/grub.cfg


usage() {
    cat <<END

Usage:
  anti-evil-maid-install [-s <suffix>] [-F] <device>

  Installs Anti Evil Maid to your system's boot partition, or to a different
  storage device (e.g. an SD card or a USB stick).


Arguments:
  -s: <device> gets labeled "$LABEL_PREFIX<suffix>"

      <suffix> can be composed of 0-13 characters from the alphabet $LABEL_SUFFIX_CHARS
      It defaults to <device>'s current suffix, if any, or the empty string
      otherwise. Each of your AEM installations must have a unique suffix.

      This suffix has no particular meaning, except that you can let it end in
      .rm=1 or .rm=0 to hint that <device> is removable or fixed, respectively,
      no matter what the Linux kernel detects.

  -F: passed on to mkfs.ext4 (don't ask for confirmation, etc.)


Examples:
  Install on the system's boot partition (assuming that it is /dev/sda1), and
  label its current filesystem "$LABEL_PREFIX":

    anti-evil-maid-install /dev/sda1

  Install on an SD card's first partition, replacing its data with a new ext4
  filesystem labeled "$LABEL_PREFIX.sd", and make it bootable:

    anti-evil-maid-install -s .sd /dev/mmcblk0p1

END

    exit 1
}


# check invocation

unset LABEL_SUFFIX F
while getopts s:Fh opt; do
    case "$opt" in
        s) LABEL_SUFFIX=$OPTARG ;;
        F) F=-F ;;
        *) usage ;;
    esac
done

case "$LABEL_SUFFIX" in *[!$LABEL_SUFFIX_CHARS]*|??????????????*) usage; esac
LABEL=$LABEL_PREFIX$LABEL_SUFFIX

shift $(($OPTIND - 1))
case $# in
    1) PART_DEV=$1 ;;
    *) usage ;;
esac

if [ "$(id -ur)" != 0 ]; then
    log "This command must be run as root!"
    exit 1
fi

# examine device

BOOT_MAJMIN=$(mountpoint -d "$BOOT_DIR") || BOOT_MAJMIN=
PART_DEV_MAJMIN=$(lsblk -dnr -o MAJ:MIN "$PART_DEV")

if external "$PART_DEV" && [ "$BOOT_MAJMIN" != "$PART_DEV_MAJMIN" ]; then
    alias replace=true
else
    alias replace=false
fi

WHOLE_DEV=$(lsblk -dnp -o PKNAME "$PART_DEV")
if ! [ -b "$WHOLE_DEV" -a "$WHOLE_DEV" != "$PART_DEV" ]; then
    log "Couldn't find parent device: $WHOLE_DEV"
    exit 1
fi

PART_DEV_REAL=$(readlink -f "$PART_DEV")
PART_NUM=${PART_DEV_REAL##*[!0-9]}
if ! [ "$PART_NUM" -gt 0 ]; then
    log "Couldn't extract partition number: $PART_NUM"
    exit 1
fi


# This check (instead of a more obvious 'mountpoint $BOOT_DIR') should work
# even in unusual setups without any internal boot partition at all:

if [ ! -e "$GRUB_CFG" ]; then
    log "Couldn't find boot files at $BOOT_DIR"
    exit 1
fi


# keep old label unless overridden explicitly

OLD_LABEL=$(lsblk -dnr -o LABEL "$PART_DEV") ||
OLD_LABEL=

case "$OLD_LABEL" in "$LABEL_PREFIX"*)
    if [ -z "${LABEL_SUFFIX+set}" ]; then
        LABEL=$OLD_LABEL
    fi
esac


# create and/or label fs

if replace; then
    log "Creating new ext4 filesystem labeled $LABEL"
    mkfs.ext4 $F -L "$LABEL" "$PART_DEV"
else
    log "Labeling filesystem $LABEL"
    e2label "$PART_DEV" "$LABEL"
fi


# move secrets if label changed

if [   -n "$OLD_LABEL" -a \
       -e "$AEM_DIR/$OLD_LABEL" -a \
     ! -e "$AEM_DIR/$LABEL" ]; then
    mv -v "$AEM_DIR/$OLD_LABEL" "$AEM_DIR/$LABEL"
fi


# mount

if CUR_MNT=$(devtomnt "$PART_DEV") && [ -n "$CUR_MNT" ]; then
    PART_MNT=$CUR_MNT
else
    CUR_MNT=
    PART_MNT=/mnt/anti-evil-maid/$LABEL

    log "Mounting at $PART_MNT"
    mkdir -p "$PART_MNT"
    mount "$PART_DEV" "$PART_MNT"
fi


# sync

mkdir -p "$PART_MNT/aem"
mkdir -p "$AEM_DIR/$LABEL"


# make device bootable

if replace; then
    log "Setting bootable flag"
    parted -s "$WHOLE_DEV" set "$PART_NUM" boot on

    log "Copying boot files"
    find "$BOOT_DIR" -maxdepth 1 -type f ! -name 'initramfs-*.img' \
         -exec cp {} "$PART_MNT" \;

    # TODO: If dracut is configured for no-hostonly mode (so we don't have to
    # worry about picking up loaded kernel modules), just copy each initramfs
    # instead of regenerating it
    for img in "$BOOT_DIR"/initramfs-*.img; do
        ver=${img%.img}
        ver=${ver##*initramfs-}
        log "Generating initramfs for kernel $ver"
        dracut --force "$PART_MNT/${img##*/}" "$ver"
    done

    log "Copying GRUB themes"
    dst=$PART_MNT/${GRUB_DIR#$BOOT_DIR/}
    mkdir "$dst"
    cp -r "$GRUB_DIR/themes" "$dst"

    log "Installing GRUB"
    grub2-install --boot-directory="$PART_MNT" "$WHOLE_DEV"

    log "Bind mounting $PART_MNT at $BOOT_DIR"
    mount --bind "$PART_MNT" "$BOOT_DIR"

    log "Generating GRUB configuration"
    grub2-mkconfig -o "$GRUB_CFG"

    log "Unmounting bind mounted $BOOT_DIR"
    umount "$BOOT_DIR"
fi


if [ -z "$CUR_MNT" ]; then
    log "Unmounting $PART_MNT"
    umount "$PART_MNT"
fi
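The post-resume wlan symptom described in the Network section above (repeated `Failed to run INIT ucode: -110` from iwlwifi right after `Restarting tasks ... done.`) can be told apart from an ordinary link flap by a small log check. This is an added example, not part of the original post or the script above; the function names and the sample log lines are constructed for illustration (timestamps and the PCI address are made up).

```shell
#!/bin/sh
# Added example: detect the iwlwifi firmware-reload failure that follows an S3
# resume in a sys-net kernel log. Reads dmesg-style lines on stdin and returns
# 0 (true) only when at least two INIT ucode failures occur AFTER the most
# recent resume, 1 otherwise. Failures logged before the resume are ignored.
wlan_fw_failed_after_resume() {
    awk '
        # A completed resume resets the counter: only failures that follow
        # the latest "Restarting tasks" line count towards the verdict.
        /Restarting tasks \.\.\. done\./ { resumed = 1; failures = 0; next }
        resumed && /iwlwifi .*Failed to run INIT ucode: -110/ { failures++ }
        END { exit (resumed && failures >= 2) ? 0 : 1 }
    '
}

# Constructed sample logs modelled on the lines quoted in the post.
SAMPLE_LOG_BAD='[100.000001] e1000e: eth0 NIC Link is Down
[100.100001] Freezing user space processes ... (elapsed 0.001 seconds) done.
[100.200001] Restarting tasks ... done.
[101.000001] iwlwifi 0000:00:01.0: Failed to load firmware chunk!
[101.000002] iwlwifi 0000:00:01.0: Failed to run INIT ucode: -110
[106.000001] iwlwifi 0000:00:01.0: Failed to load firmware chunk!
[106.000002] iwlwifi 0000:00:01.0: Failed to run INIT ucode: -110'

SAMPLE_LOG_OK='[100.200001] Restarting tasks ... done.
[101.000001] iwlwifi 0000:00:01.0: L1 Enabled - LTR Enabled
[110.000001] wlan0: associated'

# Failures that happened before the resume must not trigger the check.
SAMPLE_LOG_STALE='[90.000001] iwlwifi 0000:00:01.0: Failed to run INIT ucode: -110
[90.000002] iwlwifi 0000:00:01.0: Failed to run INIT ucode: -110
[100.200001] Restarting tasks ... done.
[101.000001] iwlwifi 0000:00:01.0: L1 Enabled - LTR Enabled'

# check_log "<log text>": prints a verdict and returns the check status, so a
# watcher in sys-net can decide whether the NetVM needs the restart workaround.
check_log() {
    if printf '%s\n' "$1" | wlan_fw_failed_after_resume; then
        echo "wlan firmware failed to reload after resume: restart the NetVM"
        return 0
    fi
    echo "no post-resume wlan firmware failure"
    return 1
}

check_log "$SAMPLE_LOG_BAD"
check_log "$SAMPLE_LOG_OK"
check_log "$SAMPLE_LOG_STALE"
```

On a real system the input would be `dmesg` from sys-net (or `journalctl -k`) piped into `wlan_fw_failed_after_resume`.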

Attachment: Qubes-HCL-LENOVO-20FQ005UGE-20161129-172726.yml
Description: application/yaml

Attachment: Qubes-HCL-LENOVO-20FQ005UGE-20170115-213858.yml
Description: application/yaml

Attachment: anti-evil-maid-install.sig
Description: PGP signature

Attachment: Qubes-HCL-LENOVO-20FQ005UGE-20161129-172726.yml.sig
Description: PGP signature

Attachment: Qubes-HCL-LENOVO-20FQ005UGE-20170115-213858.yml.sig
Description: PGP signature
