[qubes-users] Re: X1 Carbon Gen 8

Update: Things are working better now. Here are self-contained
instructions for setting up a Lenovo X1 Carbon Gen8 as a new Qubes
machine, wiping out everything previously installed on the machine.

Hardware compatibility notes after brief tests:

    * Touchpad works _after_ the fix below (switching to kernel-latest).
      During installation, before the fix, touchpad does not work; use
      the trackpoint (red button in the middle of the keyboard) instead.
      Trackpoint works in any case.

    * Graphics work, and are accelerated _after_ the fix below
      (switching to kernel-latest). During installation, the screen will
      respond and redraw very slowly, and the pointer on the screen will
      not move smoothly. To move the pointer, push the trackpoint for a
      fraction of a second and then let it go; the pointer will jump a
      moment later.

    * The built-in wireless card works _after_ the fix below (switching
      sys-net to kernel-latest-qubes-vm and setting kernelopts as per
      https://github.com/QubesOS/qubes-issues/issues/5615). During
      installation, you'll use a separate USB wireless card for the
      first update shown below.

    * Built-in speakers, external headphones, and microphone in external
      headset work _after_ the fix below (installing SOF drivers for
      this hardware). Mute is displayed correctly on the F1 LED.

    * Built-in microphone does _not_ work. Bringing pulseaudio and/or
      ALSA up to date should fix this: https://github.com/thesofproject/sof/issues/2275
      https://blog.fts.scot/2020/07/04/dell-xps-2020-how-to-get-audio-working-on-linux/
      https://www.reddit.com/r/Dell/comments/husu3r/how_to_get_fully_working_audio_in_ubuntu_2004_on/

    * Camera works (totem v4l2:///dev/video0 after attaching camera to
      VM). The built-in camera cover convincingly blacks out the video.

    * Suspend works (close lid, see ThinkPad dot blink within a few
      seconds; then open lid, machine is back to normal with screen
      locked) if the BIOS options are changed to support S3 ("Linux"
      suspend). I didn't test S0i3 ("Windows" suspend). All available
      information says that S3 uses less power, and I really don't care
      about S0i3 supposedly waking up a bit faster.

    * Network works after suspend _after_ the fix below (adjusting
      /rw/config/suspend-module-blacklist in sys-net).

    * F1, F2, F3 adjust audio volume as expected, and F5, F6 adjust
      screen brightness as expected. Maybe the other function keys do
      something too.

0. Resources

New machine. This will be wiped by these instructions.

USB stick. This will be wiped by these instructions.

USB wireless card.

A previous machine to copy the Qubes ISO onto the USB stick.

1. Copying the Qubes ISO onto the USB stick

These instructions assume that the previous machine is also running
Qubes, and has a VM named qubesusb, with Qubes-R4.0.3-x86_64.iso
downloaded from https://qubes-os.org, having SHA-256 hash
8ccf0d6ebdf9a201d2501a25e8657c17a8e4386c44b1527fa2348f3861a610eb.

Plug USB stick into the previous machine.

In a dom0@previousmachine terminal:

    qvm-block a qubesusb sys-usb:sda

In a qubesusb@previousmachine terminal:

    time sudo dd if=Qubes-R4.0.3-x86_64.iso of=/dev/xvdi bs=16777216

This copies 4830789632 bytes. Speed depends on speed of
previousmachine's disk and speed of USB stick.

In a dom0@previousmachine terminal:

    qvm-block d qubesusb sys-usb:sda

Unplug USB stick from the previous machine. Everything else will use the
new machine.

2. Initial installation from the USB stick

Plug USB stick into the new machine. Press power button for 1 second.
Press F12 once per second until you hear a beep. (Or F1 if you want to
configure the BIOS, for example to select S3 suspend.)

Boot Menu will appear within a few seconds, showing a choice between
NVMe0 (the Lenovo's built-in disk) and USB HDD (the USB stick). Select
USB HDD and press Enter.

Miscellaneous text will appear on the screen over the next minute,
ending with a Qubes screen: large Q in the upper left corner, "WELCOME
TO QUBES R4.0.3", "What language would you like to use during the
installation process?", etc.

Select a language and click Continue. Screen will (eventually) show
"INSTALLATION SUMMARY" at the top.

Click on "INSTALLATION DESTINATION". Screen will (eventually) show
"INSTALLATION DESTINATION" at the top.

Click on "nvme0n1". That box on the screen should light up in blue, with
a check mark on top of the disk. If there is no check mark or if this
removed the check mark, click again. (This seems necessary for setting
the encryption passphrase.)

Click on "Done". A pop-up will say "DISK ENCRYPTION PASSPHRASE".

Type your passphrase in both boxes and press return. The pop-up will
change to "INSTALLATION OPTIONS".

Click "Reclaim space". The pop-up will change to "RECLAIM DISK SPACE".

Click on nvme0n1p2 (the first partition after the EFI System Partition)
and click on Delete. Repeat for each subsequent partition. "Action"
should now show "Preserve" for nvme0n1 (the disk) and nvme0n1p1 (EFI
System Partition) and "Delete" for everything after that.

Click on "Reclaim space". Screen will (eventually) show "INSTALLATION
SUMMARY".

Click on "Begin Installation". Screen will (eventually) show
"CONFIGURATION". Bottom of screen will show various installation actions
happening; don't wait for those to finish.

Click on "USER CREATION". Screen will (eventually) show "CREATE USER".

Enter something in "User name", "Password", and "Confirm Password".
Click on "Done". Screen will (eventually) show "CONFIGURATION", again
with the bottom of the screen showing various installation actions
happening.

Wait for the installation to finish ("Complete!").

Click on Reboot. When the screen goes completely black, remove the USB
stick.

3. Initial boot without the USB stick

In under a minute the screen will show "Please enter passphrase for
disk". Type your disk passphrase and press Enter. Soon the screen will
show "INITIAL SETUP".

Click on "QUBES OS". The screen will show various options such as
"Create default system qubes".

Click on "DONE". Screen will show "INITIAL SETUP".

Click on "FINISH CONFIGURATION". A popup will show "[Dom0] Qubes OS
Setup" and will show activity for several minutes. Screen will then
change to a Qubes login screen: big white Q on the left, username in the
middle, white password bar below the username.

Enter your password and press Enter. Screen will change to a Qubes user
session: again big white Q on the left, but more items on the top, with
your username on the top right.

Plug in the USB wireless card. Screen will show "Device available" on a
black background for several seconds.

Click on the yellow icon in the top bar ("Qubes Devices"). Menu will
appear showing "dom0:mic - Microphone", "sys-usb:2-3" and an identifier
of the USB wireless card (assuming it is recognized by the kernel),
"sys-usb:2-8 - Bison_Integrated_Camera". The exact numbers don't matter:
what matters is finding the wireless card.

Mouse down to the wireless card. Screen will pop up a sub-menu showing
"sys-firewall" and "sys-net".

Click on "sys-net". Screen will show "Attaching device" on a black
background for several seconds.

Click on the red icon in the top bar. This is a normal NetworkManager
(nm-applet) menu, which you're assumed to know how to use. Configure the
laptop to talk to your access point.

Click on the small white-on-blue Q in the top left. Menu will appear
with "Run Program..." and "Terminal Emulator" and so on.

Click on "Terminal Emulator". A dom0@newmachine window will appear
(labeled with yourusername@dom0).

In the dom0@newmachine terminal:

    time sudo qubes-dom0-update -y

    time sudo qubes-dom0-update kernel-latest kernel-latest-qubes-vm -y

    sudo mkdir -p /lib/firmware/intel/sof
    sudo mkdir -p /lib/firmware/intel/sof-tplg
    qvm-run -a -p untrusted "wget http://archive.ubuntu.com/ubuntu/pool/main/l/linux-firmware/linux-firmware_1.187.tar.gz"
    qvm-run -a -p untrusted "openssl sha256 linux-firmware_1.187.tar.gz"
    # ddfc9be87f725ab679ded9b76f8f62bd7560412a560b30cbbf4705c076f88213

    qvm-run -a -p untrusted "tar -xf linux-firmware_1.187.tar.gz linux-firmware/intel/sof"
    qvm-run -a -p untrusted "tar -xf linux-firmware_1.187.tar.gz linux-firmware/intel/sof-tplg"
    qvm-run -a -p untrusted "cat linux-firmware/intel/sof/sof-cml.ri" > sof-cml.ri
    qvm-run -a -p untrusted "cat linux-firmware/intel/sof-tplg/sof-hda-generic-4ch.tplg" > sof-hda-generic-4ch.tplg
    openssl sha256 sof-cml.ri
    # 1a45db1b8c432593e80af31c967a4353b591a76bb0bf340a5cdaf5ff40a9af0b
    openssl sha256 sof-hda-generic-4ch.tplg
    # 33f2023c3e9d6e30d96349e09197f3af5429f62f64a3421c311c4bc0acec308f

    sudo cp sof-cml.ri /lib/firmware/intel/sof/
    sudo cp sof-hda-generic-4ch.tplg /lib/firmware/intel/sof-tplg/

Start a sys-net terminal (Q menu, sys-net, terminal). In the
sys-net@newmachine terminal:

    echo iwlmvm >> /rw/config/suspend-module-blacklist
    echo iwlwifi >> /rw/config/suspend-module-blacklist

In the dom0@newmachine terminal:

    qvm-shutdown --all
    # wait for all VMs to stop; check that "xl list" shows only Domain-0

    opt=$(qvm-prefs sys-net kernelopts)
    qvm-prefs sys-net kernelopts "$opt iwlwifi.disable_rxq=1"
    qvm-prefs sys-net kernelopts
    # should show: nopat iommu=soft swiotlb=8192 iwlwifi.disable_rxq=1

    dnf list | grep latest
    # check kernel version; currently 5.8.16-1

    qvm-prefs sys-net kernel 5.8.16-1

    sudo reboot

When the screen goes black, remove the USB wireless card.

4. Normal boot

In under a minute, there will be a "Disk password" screen (with a
graphics Q, whereas before the passphrase request was from a text
screen). Type your passphrase and press Enter. Soon the screen will show
the Qubes login screen.

Check that the touchpad is working at this point. Check that accelerated
graphics are also working: the pointer is moving smoothly.

Type your password and press Enter. Screen will change to a Qubes user
session. Check that the built-in wireless card is working: the network
connects automatically to whatever access point you configured before.

Suspend and resume the laptop (close the lid, wait for the blinking dot,
reopen the lid, type your password), and check that the network
reconnects.

Check that audio (except the built-in microphone) is working.

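
Added example (not part of the original post): step 3 fetches the firmware tarball over plain HTTP in an untrusted VM and compares the dom0 hashes by eye, so this sketch makes that comparison fail closed before anything is copied into /lib/firmware. The function names, the `INSTALL_CMD` override and the `--install` switch are assumptions made for illustration; the digests and paths are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post: fail-closed SHA-256 checks in dom0.

# Expected digests exactly as quoted in the post.
SOF_RI_SHA256=1a45db1b8c432593e80af31c967a4353b591a76bb0bf340a5cdaf5ff40a9af0b
SOF_TPLG_SHA256=33f2023c3e9d6e30d96349e09197f3af5429f62f64a3421c311c4bc0acec308f

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only on an exact digest match, 1 on mismatch, 2 if FILE is missing.
verify_sha256() {
    vs_file=$1
    vs_want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$vs_file" ] || { echo "missing: $vs_file" >&2; return 2; }
    # Hash via stdin so an odd file name cannot alter sha256sum's output format.
    vs_got=$(sha256sum < "$vs_file" | cut -d' ' -f1)
    [ "$vs_got" = "$vs_want" ] && return 0
    echo "SHA-256 mismatch for $vs_file: got $vs_got" >&2
    return 1
}

# install_verified FILE EXPECTED_HEX DESTDIR
# Copies FILE into DESTDIR only after the digest check passes.
# INSTALL_CMD is a hypothetical override (default: sudo cp) for dry runs.
install_verified() {
    verify_sha256 "$1" "$2" || return 1
    ${INSTALL_CMD:-sudo cp} -- "$1" "$3/"
}

# Run with --install from the directory holding the two extracted files.
# Both files are checked before either one is copied.
if [ "${1:-}" = "--install" ]; then
    verify_sha256 sof-cml.ri "$SOF_RI_SHA256" &&
    verify_sha256 sof-hda-generic-4ch.tplg "$SOF_TPLG_SHA256" &&
    install_verified sof-cml.ri "$SOF_RI_SHA256" /lib/firmware/intel/sof &&
    install_verified sof-hda-generic-4ch.tplg "$SOF_TPLG_SHA256" \
        /lib/firmware/intel/sof-tplg
fi
```

The same `verify_sha256` call can gate the `dd` in step 1 by passing the ISO file name and the SHA-256 value quoted there.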