On Saturday, December 2, 2017 at 1:02:52 AM UTC-8, Joe Hemmerlein wrote: > On Friday, December 1, 2017 at 2:01:47 PM UTC-8, Stephan Marwedel wrote: > > I have installed Qubes 3.2 successfully on my Thinkpad T470p > > (20J6CTO1WW). This machine is pretty similar to the T470, except > > that is has a quad-core i7 CPU. It runs perfectly and all Qubes > > functionality is available on that machine. The installation, > > however, was not an easy task. > > > > > > > > 1. Booting: UEFI is not a problem for the Qubes installer, but > > you must pay attention on how you created the bootable install > > media. Just using dd is not sufficient. I had to use the > > livecd-tools from Fedora to create the install media. After > > creating the media I had to manually set the partition label to > > BOOT using the dosfslabel utility. Otherwise, I was unable to boot > > from the media. It was not necessary to fall back to legacy boot > > or to mess around with the Grub configuration. > > > > > > 2. Networking: The onboard ethernet hardware is only supported by a > > 4.9 kernel or later, but the installer containts a 4.4 kernel. So > > you have no network in teh sys-net vm. You have to manually download > > the source of the Intel network driver, compile it and install it > > using a USB media in the template vm. As soon as you have network > > access, upgrade dom0 to using the testing or unstable repository. > > > > > > > > 3. Graphics: The Kaby Lake Intel graphics works well with a newer > > kernel. > > > > > > > > Summary: Prepare the boot media with more care than for older > > machines. Compile the ethernet network driver manually to enable > > network access after the install. Upgrade to kernel 4.9 in dom0 as > > soon as possible to enable graphics and networking support of your > > Thinkpad. > > Danke, Stephan, your pointers were very valuable! > > At first, I decided to just borrow an external DVD drive and boot off a DVD > burned from the ISO, in UEFI mode. The result however was the same as when > booting from my previously-created USB stick: grub boots, but no matter what > i select, the screen briefly flashes and takes me back to grub. So.. yeah, > the ISO image does not appear to be usable out of the box on some UEFI > devices, even when burning it to a DVD. > > Your description of the livecd-tools helped make good progress, but still > without ability to boot the installer completely, but they sent me in the > right direction. I then found > https://groups.google.com/forum/#!topic/qubes-users/4VsKdxnKHBk, which > described a process very similar to yours (it omits the part about using > dosfslabel, but has a part about also updating the xen.cfg file). > > Altogether, this did the trick! > > In condensed form, this is what i did to create a USB install stick that > works with UEFI on the T470: > 1. Use the "livecd-iso-to-disk" utility from fedora livecd-tools to put the > ISO image onto an USB stick > 2. rename the USB stick's partition label to BOOT > 3. edit the /BOOT/EFI/xen.cfg file on the USB stick's partition to make sure > all LABEL=<something> instances are replaced with LABEL=BOOT > > In a bit more detail: > - booted Fedora 26 live USB stick in UEFI mode > - installed livecd-tools: sudo dnf install livecd-tools > - attached a USB stick that contains the Qubes 4 RC3 x86-64 ISO image file > - verified digests and signatures for ISO image > - attached another USB stick to the fedora live instance to put the Qubes > installer on (/dev/sdd) > - repartitioned /dev/sdd USB stick with a single (8GB) FAT32 partition and > MBR, and marked bootable > - started imaging: sudo livecd-iso-to-disk > /run/media/liveuser/qsrc/Qubes-R4.0-rc3-x86_64.iso /dev/sdd1 > - waited for everything to complete (took quite a while) > - used dosfslabel to rename the qubes installer USB stick: sudo dosfslabel > /dev/sdd1 BOOT > - manually edited the xen.cfg file on the install stick (located at > <moutpoint>/BOOT/EFI): replaced all instances of > "LABEL=Qubes-R4.0-rc3-x86_64" with "LABEL=BOOT" > > Success! > > Now one thing that is different is that after installation, the > correct/selected keyboard layout (in my case English-Dvorak) isn't active > when prompted for the LUKS passphrase; but after entering it in QWERTY, Qubes > OS boots and completes configuration. > > But the primary issue, not being able to boot in UEFI mode, is solved. > > Thanks everyone for your input! > > Cheers, > -joe
Thanks for the detailed write-up. Based on the steps you've provided, it appears that the TPM is present in /sys/class/devices/tpm, but no PCRs are present and it's not possible to take ownership of the TPM with tpm_takeownership. Did you get further on this, e.g. to setup anti-evil-maid? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e748ab52-1659-42a1-b53e-8c18d3ef881b%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.