This thread is a feedback for everyone with a thinkpad T480s with QubesOS 4.0 that want to try QubesOS 4.1 alpha
What is better in 4.1 than in 4.0 :
QubesOS is overall more reactive, more fast You can now disable and enable the mic from the FN keys from the keyboard, wich was not possible before You can disable and enable the sound from the FN keys from the keyboard, wich was not possible before
At the time that I installed QubesOS 4.1 alpha several weeks ago, the problem for the T480s i encountered and the solution :
Don't use debian 10 template for sys-net and sys-firewall because the wifi and ethernet interface are not working, use fedora instead
At the time that I installed QubesOS alpha several weeks ago, the problem which are not specific to T480s I encountered and the solution :
For the sys-usb with debian 10 template, the yubikey is not recognised and so you also need to switch to the fedora template default-mngt-dvm will not work with debian-10 [because of this issue](https://forum.qubes-os.org/t/qubes-updater-jinja-py-no-such-file-or-directory/4311/3), change the template to fedora 33.
Conclusion : Everything in QubesOS 4.1 is working perfectly fine to use it as a daily driver on a thinkpad T480s and is working better than on Qubesos 4.0, enjoy ! Just use fedora 33 as default template instead of debian 10.
I will update my post about T480s when more update for QubesOS will come
Encountered the same things with debian-10 template, on rather pretty new hardware desktop pc.
Haven’t yet tested yubikey but probably better to stay with fedora-33 for now.
Could you do me a favor and press Escape when you shutdown and check if you also see one red error message that just flies quickly through about failed unmounting xenstore filesystem?
Not exactly sure how severe this error is but would also like to know which kernel you are using and if you also see it.
the problems reported about debian-10 templates are probably firmware related. Debian does not include proprietary firmware, you must install yourself. Fedora includes, at least intel drivers.
The HCL report for QubesOS 4.1 alpha on Thinkpad T480s
Qubes release 4.1 (R4.1)
BIOS: N22ET65W (1.42 )
RAM: 40618 Mb
Intel(R) Core™ i7-8550U CPU @ 1.80GHz
Intel Corporation Xeon E3-1200 v6/7th Gen Core Processor Host Bridge/DRAM Registers [8086:5914] (rev 08)
Intel Corporation UHD Graphics 620 [8086:5917] (rev 07) (prog-if 00 [VGA controller])
Intel Corporation Ethernet Connection (4) I219-V (rev 21)
Intel Corporation Wireless 8265 / 8275 (rev 78)
I/O MMU: Active
TPM: Device not found
Yes I have 40GB on the T480s even so it’s limited in theory to 24 GB
If you want your HCL to be added to the official HCL list, please submit the .YML file as generated by the tool either here in the forum or on qubes-users. Please also put [HCL] in the subject line. Thank you!
I have a T490 with 24 GB RAM. This was the maximum available when I bought the machine. Are you saying there is a chance I may be able to put more memory in it?
Looks like you can add up to 48GO of ram to a T490
The situation is a little bit better when it comes to the Lenovo ThinkPad T490. The thicker and heavier model still has a RAM slot, allowing for memory upgrades with up to 40 / 48 GB.
In review: Lenovo ThinkPad T490 is difficult to upgrade - NotebookCheck.net News
Thanks. I did not know you could do that. I buy some more memory for the machine as soon as possible.
I replaced the SSD in it before, and the article is absolutely right in that it’s a hassle to open and close. I can’t say I’m really looking forward to that again.
Here is the HCL
Qubes-HCL-LENOVO-20L7001PFR-20210611-213452.yml (858 Bytes)
Moved this to the HCL reports category.
I find this topic overlooked given that Qubes relies on hardware isolation, but please update your BIOS if your manufacturer provides updates.
If your BIOS is version 1.42, you’re affected by:
The HCL doesn’t show your ME version, but if it matches the date of your BIOS (July 2020), you might be 5 versions vulnerable, and every single ME update is a security update.
If backdoors are included, use the version of backdoors with known vulnerabilities fixed!
[and yes, updating BIOS if you don’t have Windows is a pain]
Holy molly, thank for the info, will try to update it ASAP
no. it is not a pain. you can download the .iso file, burn to a cd and run it from a cd drive. or follow instructions scattered all over the internet, (using geteltorito, and then flash the resulting file to a USB thumb drive)
so weird I cant use the .ISO directly to an USB drive ?
I will try with geteltorito, I never use it before
don’t ask me why!
Later, remember you must boot in UEFI mode (sometimes qubes is installed in BIOS mode).
Thank you for the tips
Sure, “pain” was the wrong word; “more effort” is what I should have stated. I’m the last to dissuade someone from attempting a BIOS Upgrade or hacking on their own devices.
Assuming the vendor does provide an ISO, I presume the first thing people try is to
dd the ISO to a USB drive and find out it doesn’t work. So the additional effort is figuring out why, looking into El Torito, etc. A quick hack is to look for the MBR on the ISO and
dd to the USB starting there. So while it’s not an absolute “pain” it can take more effort if this is the first time or depending on user experience.
A good thing is that Lenovo is ahead of the curve for “non-Windows” support in BIOS updates. A T460s was upgraded effortlessly by live-booting Fedora 33 and using
I’ve run into a “Operating System not found” after a BIOS update so take backups. Most of the time it’s harmless as the NVRAM lost the EFI boot entry and live booting Fedora and an
efibootmgr command resolves it. Just be patient, read all directions, etc.
One additional note - sometimes you may not want to upgrade the BIOS. If a BIOS exploit is found that allows flashing something like Heads without disassembly, it might require an older BIOS. It’s up to you to weigh the risk. My opinion is to upgrade to the latest vulnerabilities available so that only advanced adversaries can use them!
hahah it what happen when I tried a long time ago, I though i was doing something wrong and was stupid to not be able to just boot one little .ISO hahah and I just gave up