Framework Laptop 16 (AMD Ryzen 7040 Series)

HCL Report

---
layout:
  'hcl'
type:
  'Notebook'
hvm:
  'yes'
iommu:
  'yes'
slat:
  'yes'
tpm:
  '2.0'
remap:
  'yes'
brand: |
  Framework
model: |
  Laptop 16 (AMD Ryzen 7040 Series)
bios: |
  03.02
cpu: |
  AMD Ryzen 9 7940HS w/ Radeon 780M Graphics
cpu-short: |
  FIXME
chipset: |
  Advanced Micro Devices, Inc. [AMD] Device [1022:14e8]
chipset-short: |
  FIXME
gpu: |
  Advanced Micro Devices, Inc. [AMD/ATI] Phoenix1 [1002:15bf] (rev c1) (prog-if 00 [VGA controller])
gpu-short: |
  FIXME
network: |
  MEDIATEK Corp. MT7922 802.11ax PCI Express Wireless Network Adapter [14c3:0616]
memory: |
  31940
scsi: |

usb: |
  8
certified:
  'no'
versions:
  - works:
      'partial'
    qubes: |
      R4.2.0
    xen: |
      4.17.2
    kernel: |
      6.6.2-1
    remark: |
      FIXME
    credit: |
      tayari
    link: |
      https://forum.qubes-os.org/t/framework-laptop-16-amd-ryzen-7040-series/24985

Software Versions

  • Qubes OS: R4.2.0
  • Kernel: 6.6.2-1
  • Xen: 4.17.2

Remarks

Installation

  • Disable secure boot
  • Trackpad does not work (see fix below)

Outstanding Issues

  • Keyboard not working when waking up from suspend (both shallow and deep sleep)
    • This results in suspend being unusable since you can’t log in when waking up from suspend

Necessary Fixes

  • Touchpad: Add ioapic_ack=new to the Xen command line of the Grub config.

Improvements

  • Suspend: Add mem_sleep_default=deep to the Linux command line of the Grub config.
  • Battery Life: Add nvme.noacpi=1 to the Linux command line of the Grub config.

(Make sure to run sudo grub2-mkconfig -o /boot/efi/EFI/qubes/grub.cfg followed by sudo dracut -f after modifying your Grub config.)

Verified Working Functionalities

  • WiFi
  • Keyboard
  • Function keys (both top row including volume and brightness, and arrows)
  • Numpad including num lock and numpad arrow keys
  • Speaker output
  • Audio output over audio jack
    • Add the USB device of the audio jack expansion card to the respective qube and then in that qube, select it as the audio output
  • Display output
    • No screen tearing or any other kind of display issues
  • External display output via both DisplayPort and HDMI (including switching the DP expansion card out for an HDMI without rebooting)
  • Audio output over HDMI
  • Ethernet via the ethernet expansion card
    • Detected as a USB device, need to add it to your sys-net qube, restart not needed!
  • Storage expansion card works and gets detected as a block device
  • Fingerprint reader
    • Detected as a USB device, enrolling and verifying fingerprints in a qube successfully work
  • Bluetooth
    • Connecting to, receiving and accepting connection requests, and sending files over bluetooth all work without issue
    • Add the MediaTek wireless device listed as a USB device to your desired qube to interact with bluetooth
  • Webcam
  • Built-in microphone

Battery

Ran a battery performance test in which a high resolution dynamic video was playing in the following conditions:

  • Video was playing in fullscreen at 1080p and was a nature scene video which entirely consisted of dynamic shots
  • Max brightness (5500 nits) and presentation mode enabled
  • Display set to 2560x1600 at 165Hz (max resolution and refresh rate)
  • Only qube running other than sys-usb, sys-net, and sys-firewall
  • All CPU cores allocated to the test VM and running between 30%-50%
  • 12GB of RAM allocated to the test VM

Total battery lifespan: 2h8m

Personally, I would judge that to be good for Qubes and even more so for a workstation.
From anecdotal experience, I spent around 2-3 hours just in terminal sessions configuring stuff while not plugged in and battery was around 55%.

Miscellaneous

  • Keyboard backlight controls are not exposed directly to the system, you cycle through the backlight levels by clicking Fn+Space (and Enter with numlock off on the numpad)
    • There appear to be community kernel modules which expose the keyboard backlight controls directly to the system but use at your own risk (personally hotkeys on the keyboard are sufficient and minimal greater control over it isn’t worth the risk)
    • A consequence of this is that keyboard backlight isn’t turned off on suspend
  • Keyboard and numpad are detected as USB devices
  • I have yet to audibly hear the fans, let alone have them spin up!
  • RAM and storage were bought separately but have not had any issues
    • Kingston Fury KF556S40IB-32 DDR5 5600 (1x32GB)
    • Samsung SSD 990 Pro MZ-V9P1T0B/AM
  • Adding and removing expansion cards work absolutely flawlessly, truly plug and play and you don’t need to reboot or do anything!

Attachments

The HCL report Qubes-HCL-Framework-Laptop_16__AMD_Ryzen_7040_Series_-20240309-181958.yml is pasted above.

GitHub pull request: "Added Framework Laptop 16 HCL" by daylamtayari, Pull Request #114, QubesOS/qubes-hcl


High quality HCL, thank you!
Please add a conclusion: in your opinion, should this laptop be recommended for Qubes OS or not?

Thank you and I definitely will add a conclusion after having used it for a couple.

So far though, I would absolutely recommend it for Qubes as you are able to enjoy all of the benefits of the Framework with its modularity and expansion cards systems just like you would using any other distro, without any down sides whatsoever.
Only downside is the lack of keyboard on suspend but I’m trying to find a fix.

With my previous laptop, I would need to reboot any time I plugged something as simple as a usb to ethernet adapter to get the adapter recognised by Qubes. I was fully expecting with the Framework to have to reboot every time I switched input modules, but no not at all. Any new ones get detected automatically and I can start using them straightaway, even for things like the display output where I removed the DP expansion card and then plugged the HDMI one in and it detected it and extended the display to the output I connected, didn’t need to reboot or anything.

Also it is incredibly quiet, coming from a laptop which would spin up and sound like a jet engine on boot or under heavy load, at their peak so far the fans are barely discernible when there are no background sounds (FYI I do not have the dGPU module).

Additionally, I am running a test of the battery and it is over 2h and still going. For Qubes and given that this test is having the laptop at full brightness and running at around 30-50% CPU, I think that is quite good.
EDIT: Battery test is finished and added to the main post


This is great news to hear.
Interested to see how the keyboard issue is fixed.

I’m only aware that Evil-Maid exists. How concerned should I be about that and how will that affect the Framework laptop (with its USB modules)?

I’ll update as soon as I find a fix for the keyboard working on suspend wake.

Regarding the handling of the USB modules, all of the expansion cards are treated as USB devices and are handled by sys-usb. This is evident during use as for example wanting to use the ethernet expansion card, requires adding it to sys-net (i.e. your desired network vm).
Running lsusb in dom0 will return nothing.

The one exception to this is the expansion cards for the display ports (HDMI and DisplayPort): when one is plugged in, I get a notification from sys-usb that says the HDMI card is active; however, the display output is automatically handled by dom0 without needing to add the device or anything. Even then, running lsusb or even lspci in dom0 yields no different results than when the display output is not connected.
The expansion cards are certainly an added attack surface in my opinion and could be an added way to attempt to gain compromise to the device.

Regarding AEM specifically, the Framework 16 comes with AMD Ryzen CPUs which aren’t supported by Qubes AEM implementation as it requires Intel TXT.
I am aware of @miczyg’s talk on implementing AEM for AMD platforms with UEFI and TPM 2.0 but his fork of Qubes AEM has not been updated in 4 years and I’m unsure if it still works. GitHub - 3mdeb/qubes-antievilmaid-amd at aem_amd
https://shop.3mdeb.com/wp-content/uploads/2021/06/Anti-Evil-Maid-for-modern-AMD-UEFI-based-platform.pdf

Within the BIOS, you can disable USB boot and password lock it which will prevent any low effort AEM attacks using a USB stick but will not protect against more sophisticated attacks.

Where exactly on the line did you insert this?
Also did you get a blackscreen after reaching the encrypted login screen?

I just got a framework 13 amd and am really trying to get this working

I added it to the very end of the GRUB_CMDLINE_XEN_DEFAULT line of my /etc/default/grub file.
Make sure you then run sudo grub2-mkconfig -o /boot/efi/EFI/qubes/grub.cfg followed by sudo dracut -f to ensure your grub actually gets updated.

I usually get a black screen on boot until reaching the disk encryption prompt but not afterwards.

Do keep in mind I have a Framework 16, if you have a Framework 13 there are multiple forum threads here for each of the Framework 13 versions and chipsets which may be of additional help.
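
The Grub edit described in the report and in the reply above, as an added example that is not part of the original thread: it appends each parameter only if it is missing and keeps a backup of the file. The helper names and the sample file are constructed, and using `GRUB_CMDLINE_LINUX` for the Linux parameters is an assumption, since the thread names only `GRUB_CMDLINE_XEN_DEFAULT`.

```shell
#!/bin/sh
# Added example (not from the thread). Needs GNU sed and grep, as in dom0.

# add_param FILE VAR PARAM
# Append PARAM to the first VAR="..." assignment in FILE unless that
# assignment already contains it. The untouched file is kept as FILE.bak.
add_param() {
    file=$1; var=$2; param=$3
    line=$(grep -m1 -E "^${var}=\"" "$file") || {
        echo "error: no ${var}=\"...\" line in $file" >&2
        return 1
    }
    value=${line#*\"}    # drop everything up to the opening quote
    value=${value%\"*}   # drop the closing quote
    case " $value " in
        *" $param "*) return 0 ;;   # already present: leave the file alone
    esac
    [ -e "$file.bak" ] || cp -p "$file" "$file.bak"
    # 0,/re/ limits the substitution to the first matching assignment.
    sed -E -i "0,/^${var}=\"/ s|^(${var}=\".*)\"[[:space:]]*\$|\1 ${param}\"|" "$file"
}

# apply_report_fixes FILE: the three parameters listed in the report.
# GRUB_CMDLINE_LINUX is an assumption; the thread names only the Xen variable.
apply_report_fixes() {
    add_param "$1" GRUB_CMDLINE_XEN_DEFAULT ioapic_ack=new &&
    add_param "$1" GRUB_CMDLINE_LINUX mem_sleep_default=deep &&
    add_param "$1" GRUB_CMDLINE_LINUX nvme.noacpi=1
}

# Constructed sample standing in for /etc/default/grub; values are made up.
demo=$(mktemp)
cat > "$demo" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-CONSTRUCTED rhgb quiet"
GRUB_CMDLINE_XEN_DEFAULT="console=none dom0_mem=min:1024M"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX usbcore.authorized_default=0"
EOF
apply_report_fixes "$demo"
apply_report_fixes "$demo"    # second run is a no-op
grep CMDLINE "$demo"
rm -f "$demo" "$demo.bak"
# On the real file, follow with the grub2-mkconfig and dracut commands above.
```

Diffing `/etc/default/grub.bak` against the edited file before regenerating `grub.cfg` shows exactly which parameters were added.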

Okay, I’m not making it that far because the Xen command line keeps saying “USB in dom0 is not restricted consider rd.qubes.hide_all_usb or usbcore.authorized_default-6.” But I’m not sure where to put it in the Xen command line. I’ll keep looking around. Thanks. I also have a Ryzen 7040U.

Can you not even get into Qubes and dom0?
Please reply in either one of these threads, whichever one is for your laptop. This thread is for the Framework 16 and I would like to not have this thread get too off topic.

Regarding the keyboard issue, is an external keyboard not working as well? Would be nice to know if such workaround is possible.

So far I’ve been able to pin the keyboard not working on suspend wake issue to be due to sys-usb not being restarted/unpaused on suspend wake and since the keyboard is registered as a USB device, you can’t use it to unlock the laptop.
I’ve been trying to play around with the Qubes suspend hooks but so far haven’t gotten anywhere.

Due to it being a sys-usb issue though, even using an external keyboard would not work (I also tried before identifying the root cause and to no avail).

A temporary but very insecure workaround would be to disable lock on suspend so when waking up, you aren’t locked out and you can then proceed to manually restart sys-usb.

As for the workaround, do you use the touchpad to manually restart sys-usb? If so, would it be possible to use the virtual keyboard to enter the password and avoid disabling lock?

Yep exactly, I use the touchpad since as it is connected over i2c and not usb, it still works, and yes that would absolutely work! Good idea, hadn’t thought of that

Another idea is to re-create the sys-usb qube, but leave the USB controller responsible for the internal keyboard in dom0. The process is described in this section of the docs.

Unfortunately, the USB controller that is responsible for the keyboard also handles anything connected via the expansion cards so that would significantly compromise the security and isolation of the laptop. This is because any USB device connected would be exposed directly to dom0.

The actual issue at play is sys-usb not getting restarted on suspend wake and that’s what needs to be resolved.
Haven’t had the chance to do more debugging and try and fix it since my prior comment, I’ve been quite busy and haven’t had the time to.

Does that mean there is only 1 usb controller for the whole device? Like in the Qube Manager for sys-usb it only shows one device selected? That would be a huge dealbreaker for me

No there are 6 USB controllers.
There are 6 devices passed on to sys-usb and you can also see that when running lsusb in sys-usb with no external devices connected:

[user@sys-usb ~]$ lsusb 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd QEMU Tablet
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 002: ID 05e3:0610 Genesys Logic, Inc. Hub
Bus 002 Device 003: ID 05e3:0610 Genesys Logic, Inc. Hub
Bus 002 Device 004: ID 05e3:0610 Genesys Logic, Inc. Hub
Bus 002 Device 005: ID 0e8d:e616 MediaTek Inc. Wireless_Device
Bus 002 Device 006: ID 27c6:609c Shenzhen Goodix Technology Co.,Ltd. Goodix USB2.0 MISC
Bus 002 Device 007: ID 32ac:0012 Framework Laptop 16 Keyboard Module - ANSI
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 002: ID 05e3:0625 Genesys Logic, Inc. USB3.2 Hub
Bus 004 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 005 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 006 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 006 Device 002: ID 32ac:0002 Framework HDMI Expansion Card
Bus 007 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 008 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 009 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub

So is it possible to create up to 6 sys-usbs and attach each controller to a different one? And if so, can the keyboard be isolated this way?
