HCL - Apple MacBook Pro (11,1)

User Support HCL Reports
1

Short Remarks (for HCL table)

Not the best laptop for Qubes OS, only 1 USB controller, WiFi and Bluetooth do not work out of the box, but it’s possible to make almost everything work. Suspend works, but resume breaks WiFi. Details here:

Detailed Remarks (for users)

The laptop has only one USB Controller, so to make WiFi and Bluetooth visible - creation of sys-usb is required. Because dom0 does not provides USB devices in current Qubes OS R4.1. After creation of sys-usb using command: sudo qubesctl state.sls qvm.usb-keyboard these devices are visible.

Keyboard, touch-pad and external USB-dongle Logitech mouse work flawlessly with and without sys-usb.

Resolution is very high (Retina display), but everything works OK if you tune dpi settings of dom0 and all qubes. If you do want such high density and do not want to be configuring high-dpi settings (Qubes OS is not great with it) then you can lower the resolution of Display, cut it double (making 2x2 pixels) and it still will look great, like current Thinkpads and usual displays, but everything will be not tiny and CPU load should be lower. Resolution will be saved and kept properly even after reboots.

GNU/Linux like Kubuntu supports this laptop almost perfectly. After installation of proprietary WiFi drivers only a couple of issues persist. One of them - SD card reader disappears after resume from suspend mode (issue is not solved upstream). Surprisingly enough in Qubes OS I had no such issue and card reader is available after resume from suspend. Another problem I had on GNU/Linux - the WiFi connection was not reliable after resume from suspend, but in Qubes OS case it can be different story the same way as for reader (was not checked properly).

Additional information:

What works (at least after additional configuration):

  • Keyboard, touch-pad and external mouse work properly (with and without sys-net),
  • Touch-pad supports “tap as click” and scrolling with 2 fingers works flawlessly,
  • 3-displays configuration works (one display via Thunderbolt/DP cable, another via HDMI),
  • WiFi works after a lot of work (see details bellow),
  • Bluetooth works (connection process was not tested, but it shows devices at least),
  • Speakers (sound playback) works properly,
  • Head-phones via 3.5" jack work (if I’m not mistaken),
  • Display brightness shortcuts works,
  • Keyboard led and keyboard brightness shortcuts work,
  • Sound volume shortcuts works,
  • Suspend works out of the box but resume breaks WiFi (it can be recovered by restart of usb/wifi qube or with an additional automated script like for other laptops),
  • Windows 10 HVM qube was imported and boots fine,
  • CPU boost seems to be working properly, fans are working fine - silent most of the time.

What does not work:

  • Sound output via HDMI cable is not working. Almost certainly it can be solved, because pulseaudio in dom0 sees the HDMI sound output, had no motivation to find out the reason.
  • CPU is definitely slow for 1080p@60fps@2xSpeed as I would want (see details bellow).

What was not tested:

  • Audio-optical (S/PDIF) output was not tested.
  • The reliability of WiFi in Qubes OS was not checked.

To make WiFi work:

Right after installation laptop has no internet to install anything. I had USB-Ethernet for this case but it was not working out of the box too.

The way to get out of this situation:

  • Create sys-usb (sudo qubesctl state.sls qvm.usb-keyboard, but check Qubes OS docs first), After reboot you will have visible USB devices, not only keyboard/mouse/touch-pad as before.
  • Here I connected to the internet with generic USB-Ethernet dongle that is shown in sys-usb devices after connection. I had to attach this device to sys-net of course. Now I had some internet.
  • Create a standalone qube based on latest fedora template, disable memory balancing, set memory amount to something not more than 1GB, set it’s kernel to empty value (use own kernel), check Provide network pref, add service network-manager in its settings.
  • Enable rpmfusion repos in this qube and install broadcom-wl package (from rpmfusion-nonfree)
sudo dnf config-manager --set-enabled rpmfusion-free
sudo dnf config-manager --set-enabled rpmfusion-free-updates
sudo dnf config-manager --set-enabled rpmfusion-nonfree
sudo dnf config-manager --set-enabled rpmfusion-nonfree-updates
sudo dnf upgrade --refresh
sudo dnf install broadcom-wl
  • Blacklist bcma and b43 drivers (without this step - WiFi won’t work!) in “/etc/modprobe.d/blacklist.conf”:
blacklist bcma
blacklist b43
  • Reboot all involved qubes and connect your WiFi to this standalone qube. Now network-manager will show networks and will be able to connect to them and provide internet access. For some reason I failed to connect to hidden networks, but it was working in Kubuntu.

Notes:

  • Maybe you can use usual kernel (based on dom0) for this qube and still make broadcom-wl (also called “wl”) kernel module work.
  • You can use sys-usb as sys-net (combine these qubes) to avoid attaching devices. There is information about it in Qubes OS docs. But it has some security drawbacks - your keyboard activity and other USB activities will be processed by the online qube that can be targeted and hacked via WiFi card.

Video playback performance:

  • SMPlayer/mpv/mplayer plays x264 videos with 1080p and high bitrate flawlessly (e.g. 20GiB per movie). They can be installed from rpmfusion-free repos.
  • Fedora’s default video player (Videos or something) struggles with the same videos, unwatchable and high bitrate, so this player is garbage, try to replace it with smplayer or something.
  • Youtube in Firefox plays videos without drops up to 720p. Higher quality leads to frame drops or freezes.
  • Youtube played via “smtube” player works better that javascript player in Firefox, but still 1080p@60fps will be dropping frames. The heavy codec VP9 of youtube videos is a reason of this limitation.
  • If you download Youtube video at 1080p@30fps there is a change it will be playable in SMPlayer without issues at 1x speed. But the performance should be similar to using the smtube directly.

NOTE: Give 2-4 CPUs (my version only has 2) to the qube that plays video to provide more CPU power.

Conclusion

I do not recommend this laptop for running Qubes OS. Right after installation you will have no internet to install anything. Even if you are advanced enough to make everything mentioned above work - you still have CPU that is not able to stream youtube at 1080p and only one USB controller that limits usage of USB devices scenarios.

The laptop is good for GNU/Linux though, works very well, even thunderbolt to USB and to Ethernet devices work out of box supporting hot-plug. The only downfall is the proprietary WiFi that can have reliability issues especially after suspend-resume.

Attachments

Qubes-HCL-Apple_Inc_-MacBookPro11_1-20230106-000000.yml (825 Bytes)

lspci.txt.log (15.5 KB)

7 Likes
2

Wow, what a detailed report. Thank you @balko!

It’s now online.

1 Like
3

And thank you for keeping track of HCL reports.

Can you please update the links in the HCL template on forum? I think those are not working now that can frustrate users trying to make a HCL report.

1 Like
4

3 posts were merged into an existing topic: HCL Report Topic Template Text is Outdated

5

I have followed this description and installed broadcom-wl without errors.
However, when I run lsmod | grep wl, I get no output at all.
The command modprobe wl gives me this error message:
modprobe: FATAL: Module wl not found in directory /lib/modules/5.15.81-1.fc32.qubes.x86_64
What am I doing wrong?
Any suggestions?

6

Maybe you are using template-based qube, aren’t you? After reboot anything on system device was reseted to the templates state. Not sure if additional kernel modules will work under this setup.

7

Hi, thanks for respondig!
Yes, I have created a template-based qube as indicated above in the instructions.

  • Create a standalone qube based on latest fedora template

So, I don´t know what would be wrong.

Any other suggestion how to create the qube?

8

And what kernel do you use for this qube for wifi?
I do not remember, what I used, maybe set it to empty string in qubes-vm-settings.

9

I use the option selected by default: Kernel: default (5.15.81-1.fc32)(current)
There is no option for “empty kernel”.
The options in the list are:

  • 5.15.52-1.fc32
  • 5.15.81-1.fc32
  • (provided by qube)

The definitions of the qube in total are:
Basic
Name and Label: fedora-36-broadcom-bcm4360
Type: StandaloneVM (fully persistent)
Template: fedora-36 (default)
Networking: default (sys-firewall)

Advanced
Provides network access to other qubes (disabled)
Storage pool: default (vm-pool)
Initial RAM (also available from settings): 512 MB

Settings
Basic
(defaults)

Advanced
Include in memory balancing (disabled)
Provides network (enabled)
Kernel: default (5.15.81-1.fc32)(current)
Mode: default (PVH)(current)

Firewall rules
(defaults)

Devices
(defaults)

Applications
(defaults)

Services
Network-manager (enabled)

10

One more information which might be useful:
To sys-net are following devices automatically assigned:
02:00.0 Network controller Broadcom Inc. and subsidiaries BCM4360 802.11ac Wireless Network Adapter
0a:00.0 Ethernet controller Broadcom Inc. and subsidiaries BCM57762 Gigabit Ethernet PCIe

I.e. that the devices have been correctly identified.

Ans the wired interface (usb to ethernet) works perfectly.

11

That one I called empty (because in qvm-prefs it means empty or something like that).
P.S. You have probably some different issue, but do not forget to blacklist other wifi drivers as I wrote in the first post.

12

Yes, they are blacklisted!

13

OK, I checked. I use for a qube that has wifi:

  1. Standalone HVM Fedora-based-qube
  2. kernel of this qube is set to empty string (see in qvm-prefs)
  3. it has pci device connected: “03:00.0 Network controller Broadcom Inc. and subsidiaries BCM4360 802.11ac Wireless Network Adapter”.
  4. lsmod | grep wl shows wl module line.
  5. lspci -vv shows for pci device: Kernel driver in use: wl, Kernel modules: bcma, wl.
  6. I installed wl module from rpmfusion, package broadcom-wl
  7. I have blacklisted bcma and b43 using /etc/modprobe.d/blacklist.conf.

That’s probably all that I find useful.

14

Based on fedora-36:
I have installed broadcom-wl from rpmfusion (and blacklisted bcma and b43).
The installation was successfull but on modprobe wl I got following error message, so I gave it up.

[user@fedora-36 ~]$ sudo modprobe wl
modprobe: FATAL: Module wl not found in directory /lib/modules/5.15.81-1.fc32.qubes.x86_64
[user@fedora-36 ~]$

Based on debian-11:
I have installed broadcom-sta-dkms*

lsmod | grep wl shows the module:
wl 6471680 0
cfg80211 1069056 1 wl

lspci -vv shows:
00:07.0 Network controller: Broadcom Inc. and subsidiaries BCM4360 802.11ac Wireless Network Adapter (rev 03)
Subsystem: Apple Inc. BCM4360 802.11ac Wireless Network Adapter
Physical Slot: 7
Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort+ <TAbort- SERR- <PERR- INTx-
Latency: 0
Interrupt: pin A routed to IRQ 44
Region 0: Memory at f2210000 (64-bit, non-prefetchable) [size=32K]
Region 2: Memory at f2000000 (64-bit, non-prefetchable) [size=2M]
Capabilities: [48] Power Management version 3
Flags: PMEClk- DSI- D1+ D2+ AuxCurrent=0mA PME(D0-,D1-,D2-,D3hot-,D3cold-)
Status: D0 NoSoftRst+ PME-Enable- DSel=0 DScale=2 PME-
Capabilities: [58] MSI: Enable- Count=1/1 Maskable- 64bit+
Address: 0000000000000000 Data: 0000
Capabilities: [68] Vendor Specific Information: Len=44 <?>
Capabilities: [ac] Express (v2) Endpoint, MSI 00
DevCap: MaxPayload 256 bytes, PhantFunc 0, Latency L0s <4us, L1 unlimited
ExtTag- AttnBtn- AttnInd- PwrInd- RBE+ FLReset- SlotPowerLimit 10.000W
DevCtl: CorrErr- NonFatalErr- FatalErr- UnsupReq-
RlxdOrd+ ExtTag- PhantFunc- AuxPwr- NoSnoop+
MaxPayload 128 bytes, MaxReadReq 512 bytes
DevSta: CorrErr+ NonFatalErr- FatalErr- UnsupReq- AuxPwr+ TransPend-
LnkCap: Port #0, Speed 2.5GT/s, Width x1, ASPM L0s L1, Exit Latency L0s <2us, L1 <32us
ClockPM+ Surprise- LLActRep- BwNot- ASPMOptComp+
LnkCtl: ASPM Disabled; RCB 64 bytes, Disabled- CommClk-
ExtSynch- ClockPM- AutWidDis- BWInt- AutBWInt-
LnkSta: Speed 2.5GT/s (ok), Width x1 (ok)
TrErr- Train- SlotClk+ DLActive- BWMgmt- ABWMgmt-
DevCap2: Completion Timeout: Range ABCD, TimeoutDis+ NROPrPrP- LTR+
10BitTagComp- 10BitTagReq- OBFF Via WAKE#, ExtFmt- EETLPPrefix-
EmergencyPowerReduction Not Supported, EmergencyPowerReductionInit-
FRS- TPHComp- ExtTPHComp-
AtomicOpsCap: 32bit- 64bit- 128bitCAS-
DevCtl2: Completion Timeout: 50us to 50ms, TimeoutDis- LTR- OBFF Disabled,
AtomicOpsCtl: ReqEn-
LnkSta2: Current De-emphasis Level: -3.5dB, EqualizationComplete- EqualizationPhase1-
EqualizationPhase2- EqualizationPhase3- LinkEqualizationRequest-
Retimer- 2Retimers- CrosslinkRes: unsupported
Kernel modules: bcma, wl

BUT:
dmesg|grep wl shows folowing:
[ 2.695520] wl: loading out-of-tree module taints kernel.
[ 2.695548] wl: module license ‘MIXED/Proprietary’ taints kernel.
[ 2.697612] wl: module verification failed: signature and/or required key missing - tainting kernel
[ 2.718771] wl driver 6.30.223.271 (r587334) failed with code 1
[ 2.718797] ERROR @wl_cfg80211_detach :
[ 2.718798] NULL ndev->ieee80211ptr, unable to deref wl

That means that the module for “who-knows” could not be activated in the kernel.

If you have any other ideas I would appreciate it.

Thank you!

15

I finally ended up with this solution:

System information:
xen_version: 4.14.5
Linux 5.15.81-1.fc32.qubes.x86_64
Qubes release 4.1.1 (R4.1)
Installed on a MacbookPro along to other operating systems in separate partition(s).

Assumption:
Some internet connection, either wired or wireless using a dongle (sys-usb)

Steps:

  1. Create a new qube based on the fedora-36 template

  • Open Qube ManagerNew qube
    [Basic] Name and label: sys-wl
    [Basic] Type: StandaloneVM (fully persistent)
    [Basic] Template: fedora-36 (default)
    [Basic] Networking: sys-net (you need somebody to connect you)
    [Basic] EnableLaunch settings after creation
    [Advanced] Enable "Provides network access to other qubes"
    [Advanced] Leave everything else as it is preconfigured

  • After Creation the [Dom0] Settings window for sys-wl pops up
    [Basic] Leave everything else as it is preconfigured
    [Advanced] DisableInclude in memory balancing
    [Advanced] Kernel->Kernel: (provided by qube) → alternatively: (dom0): qvm-prefs sys-wl kernel ‘’
    [Advanced] Virtualization->Mode: HVM

  1. Install broadcom-wl
    Open a terminal
    sys-wl: Terminal
    Based on the information by balko here
    [user@sys-wl ~]$ sudo dnf config-manager --set-enabled rpmfusion-free
    [user@sys-wl ~]$ sudo dnf config-manager --set-enabled rpmfusion-free-updates
    [user@sys-wl ~]$ sudo dnf config-manager --set-enabled rpmfusion-nonfree
    [user@sys-wl ~]$ sudo dnf config-manager --set-enabled rpmfusion-nonfree-updates
    [user@sys-wl ~]$ sudo dnf upgrade --refresh
    [user@sys-wl ~]$ sudo dnf install broadcom-wl

  2. Blacklist unwanted modules
    [user@sys-wl ~]$ sudo vi /etc/modprobe.d/blacklist.conf
    blacklist b43
    blacklist bcma

  3. Prepare settings for sys-wl prior to restart
    Open Qube Manager
    sys-wl->Settings
    [Basic] Net qube: (none)(current)
    [Basic] Leave everything else as it is already configured

  4. Detach BCM4350 in case that it is attached to any VM (in my case it was attached per default to sys-net)
    a) Shutdown the VM (my case: sys-net) to which the bcm4360 card has been assigned.
    b) Open Qube Managersys-netSettingsDevicesclick in the right window frame onBroadcom Inc. and subsidiaries BCM4360 802.11ac Wireless Network Adapter”, and move ( < ) it to the left oneOK

  5. Attach BCM4360 to the newly created sys-wl with the “magic” options

  • Shutdown the newly created sys-wl

  • Find out the BDF of your device
    (dom0) qvm-pci
    BACKEND:DEVID DESCRIPTION USED BY

    dom0:02_00.0 Network controller: Broadcom Inc. and subsidiaries BCM4360 802.11ac Wireless Network Adapter

  • Now: The magic one step
    BEING WELL AWARE OF side channel attacks based on this description (How to use PCI devices | Qubes OS) attach the device to sys-wl:
    (dom0) sudo qvm-pci a sys-bcm4360 dom0:02_00.0 --persistent -o no-strict-reset=true -o permissive=true

  • Show the changes:
    (dom0) qvm-pci
    BACKEND:DEVID DESCRIPTION USED BY

    dom0:02_00.0 Network controller: Broadcom Inc. and subsidiaries BCM4360 802.11ac Wireless Network Adapter sys-bcm4360 (no-strict-reset=true, permissive=true)

  1. Reboot the whole system
    After you got your system up and running again, the Network Manager icon will be shown on the right part of the taskbar, and available networks will be shown, and you will be able to establish a wireless connection.
1 Like