NOTE: All of this has been tested on a Vanilla QubesOS 4.2.3 (XFCE + latest updates) install with LibreBoot 20241209 being the firmware.
I tested most of this functionality on another distro before to rule out hardware damage or QubesOS-specific stuff. So when I’m saying “XYZ is not working” I do not mean “it’s not working on qubes/dom0/xen/…” but “It’s not working on ‘regular’ GNU/Linux, but it’s ALSO not working on QubesOS 4.2.3”.
When I say that “libreboot is claiming this and that”, I’m referring to this.
Remarks:
Working:
closing the lid is detected
suspend seems to be working
Function keys (to my surprise, as they shouldn’t according to libreboot)
Wifi
internal keyboard + trackpad + trackpoint
USB-Ports
Ethernet
External speakers
Integrated webcam
Not working / unknown:
headphone jack – expected as stated in the patch notes.
xen-acpi-processor – the problem mentioned in this thread.
If there’s anything amiss, you’ve encountered mistakes I’ve made or you have some other improvements/suggestions, PLS! let me know!
Should there be stuff that’s easy for me but vital for you to test (like the HDMI port), also let me know, I’ll try to make it possible if it’s elementary to you.
PS
I’m only a libreboot user by coincidence / lack of skill, as I tried Máté Kukri’s exploit by hand for some time and didn’t get it to boot, so as a last resort I took the libreboot path.
I’ll stay on that firmware for a week or so but if there’s not much resonance I’ll be off building, flashing and running his patches from gerrit and do the coreboot thing myself.
I just wondered about this one, bc before the libreboot-thingy/ w/ stock I once had a live distro running and it showed me 8 cores if I’m not utterly mistaken.
Since I tried another distro before, I thought this would be a libreboot problem/feature not a QubesOS specific sec thing.
But might be the other distro implementing things in the same way as QubesOS does.
It just struck me as odd as usually on Lenovo XX30 T440p W54X it never happened to me before.
Qubes disables SMT (hyperthreading) in kernel by default but Libreboot also does this (as far as the 8th revision is concerned). It can be changed when building the libreboot rom from source by modifying the config for the motherboard.
Lenovo ThinkPad T480 + Libreboot
Tested on 8th revision (latest as of writing this post). Installed without problems but I didn’t hear the FAN throughout the entire installation (CPU sensors are not detected).
Remarks:
Working:
suspend/resume works
closing lid is detected
trackpoint, trackpad, keyboard works
Wifi
Ethernet
USB ports
microSD port
internal speakers, microphone
function keys (keyboard backlight, setting brightness) work. They didn’t work in the first release but it was fixed before the 8th revision
Screen
FAN
Not tested
Headphone jack
HDMI
Bluetooth
Fingerprint reader
Smart card reader
external display
external speakers/microphone
TPM - it’s disabled by default due to some bugged SeaBIOS drivers AFAIK
Thunderbolt
dGPU
Not working
xen-acpi-processor is not being loaded automatically and I didn’t figure out how to do it manually
CPU sensors are not detected so I can’t base some FAN speeds on that. (but they are detected on Debian)
Checking CPU frequency by xenpm doesn’t work and xenpm performance settings do nothing too, so I can’t manage some performance settings like modifying energy-perf setting to save some battery. So AFAIK, you can’t increase CPU performance in xen easily for now.
Working but a bit broken
trackpoint is a bit decalibrated (?) compared to the Qubes install without libreboot (I needed to use 4.0 sensitivity as I previously used 5.0 to match speed)
trackpad seems to have a bit less accurate movement detection (like it doesn’t always follow my finger correctly compared to using it on this machine before librebooting)
CPU performance is a bit worse than before librebooting but still fast enough for me not to worry about it too much
I noticed some screen tearing when moving windows with high CPU usage in dom0, independent of which display driver I currently use. I didn’t notice it before librebooting.
As said above, the FAN is working but it seems to rely on some temperature sensor on the motherboard rather than on the CPU sensors, which are not detected. I’m not sure this is correct, but I can guess that in some cases the CPU might run at higher temperatures without the FAN turning on (like while installing Qubes), so take it into consideration.
Performance is smooth on Qubes, thermal control works well, and the board is quiet. I love it! Fn brightness keys work.
Here are the advantages:
In good condition, you can buy one for $200–$300, with refurbished options available on popular selling platforms. In many European countries, these come with a one-year warranty and a 14-day return policy, making it a low-risk investment.
Supports up to 64GB of DDR4 RAM, which is beneficial for Qubes users. Upgrading to 2×32GB SODIMM DDR4 costs around $100.
Low power consumption—draws only 15W and features both an internal and an external battery; the latter can be swapped while powered on.
Decent IPS display with 1920x1080 resolution, significant improvement over older models.
Accessing and flashing the BIOS chip on a T-series machine has never been easier—only six screws need to be removed (see Lenovo T480 Maximized | Heads - Wiki).
Known issues:
The headphone jack needs tweaking as it does not automatically recognize the plugged-in headphones. One needs to go to the audio-mixer > output devices > select Headphones unplugged > configuration Pro Audio.
No Fan RPM Displayed: The fan speed is not shown. I haven’t troubleshot ACPI, since the system maintains stable operating temperatures of around 45–50°C under normal usage, as long as you’re not compiling anything heavy. The fan is barely noticeable.
dGPU is problematic and disabled in Heads on most platforms anyway
Disclaimer:
EOL in terms of microcode updates.
This board is vulnerable to a TPM reset attack, i.e. the PCRs are reset while the system is running. It possibly affects many Kaby Lake boards and newer platforms as well. The related coreboot issue contains more information (Bug #576: GPIO locking is broken on Kaby Lake and possibly other platforms - coreboot - Issue Tracker) and hopefully will be fixed soon. Make sure you understand the implications of the attack for your threat model before using this board.
Acknowledgments:
coreboot port - Mate Kukri
Heads port was a community effort led by @tlaurion and @gaspar-ilom. Almost 200 commits and 400 messages. As you can imagine it was a lot of fun and learning. Huge thanks to everybody who participated on github: @akunterkontrolle, @notgivenby, @MattClifton76, @doritos4mlady, @mblanqui, @rafaelsgirao, @JonathonHall-Purism
Heads is free as free beer.
In the spirit of open-source software, free knowledge, and communal goodwill, support the Heads and the open source development Insurgo Initiative - Open Collective and of course Qubes.
The supply of free beer cannot be infinite. If everyone takes without giving back, at some point, the keg runs dry, and so does the goodwill.
If you enjoy free beer, contribute in some form—whether by bringing code, docs, or financial support. The cycle must be maintained to keep the ecosystem alive. No one wants to be the last guest realizing the fridge is empty and no one restocked it. Together, it is possible to keep the free beer spirit alive—open, shared, and always refreshing. Cheers!