Update: Things are working better now. Here are self-contained
instructions for setting up a Lenovo X1 Carbon Gen8 as a new Qubes
machine, wiping out everything previously installed on the machine.
Hardware compatibility notes after brief tests:
* Touchpad works _after_ the fix below (switching to kernel-latest).
During installation, before the fix, touchpad does not work; use
the trackpoint (red button in the middle of the keyboard) instead.
Trackpoint works in any case.
* Graphics work, and are accelerated _after_ the fix below
(switching to kernel-latest). During installation, the screen will
respond and redraw very slowly, and the pointer on the screen will
not move smoothly. To move the pointer, push the trackpoint for a
fraction of a second and then let it go; the pointer will jump a
* The built-in wireless card works _after_ the fix below (switching
sys-net to kernel-latest-qubes-vm and setting kernelopts as per
installation, you'll use a separate USB wireless card for the
first update shown below.
* Built-in speakers, external headphones, and microphone in external
headset work _after_ the fix below (installing SOF drivers for
this hardware). Mute is displayed correctly on the F1 LED.
* Built-in microphone does _not_ work. Bringing pulseaudio and/or
ALSA up to date should fix this: https://github.com/thesofproject/sof/issues/2275
* Camera works (totem v4l2:///dev/video0 after attaching camera to
VM). The built-in camera cover convincingly blacks out the video.
* Suspend works (close lid, see ThinkPad dot blink within a few
seconds; then open lid, machine is back to normal with screen
locked) if the BIOS options are changed to support S3 ("Linux"
suspend). I didn't test S0i3 ("Windows" suspend). All available
information says that S3 uses less power, and I really don't care
about S0i3 supposedly waking up a bit faster.
* Network works after suspend _after_ the fix below (adjusting
/rw/config/suspend-module-blacklist in sys-net).
* F1, F2, F3 adjust audio volume as expected, and F5, F6 adjust
screen brightness as expected. Maybe the other function keys do
New machine. This will be wiped by these instructions.
USB stick. This will be wiped by these instructions.
USB wireless card.
A previous machine to copy the Qubes ISO onto the USB stick.
1. Copying the Qubes ISO onto the USB stick
These instructions assume that the previous machine is also running
Qubes, and has a VM named qubesusb, with Qubes-R4.0.3-x86_64.iso
downloaded from https://qubes-os.org, having SHA-256 hash
Plug USB stick into the previous machine.
In a dom0@previousmachine terminal:
qvm-block a qubesusb sys-usb:sda
In a qubesusb@previousmachine terminal:
time sudo dd if=Qubes-R4.0.3-x86_64.iso of=/dev/xvdi bs=16777216
This copies 4830789632 bytes. Speed depends on speed of
previousmachine's disk and speed of USB stick.
In a dom0@previousmachine terminal:
qvm-block d qubesusb sys-usb:sda
Unplug USB stick from the previous machine. Everything else will use the
2. Initial installation from the USB stick
Plug USB stick into the new machine. Press power button for 1 second.
Press F12 once per second until you hear a beep. (Or F1 if you want to
configure the BIOS, for example to select S3 suspend.)
Boot Menu will appear within a few seconds, showing a choice between
NVMe0 (the Lenovo's built-in disk) and USB HDD (the USB stick). Select
USB HDD and press Enter.
Miscellaneous text will appear on the screen over the next minute,
ending with a Qubes screen: large Q in the upper left corner, "WELCOME
TO QUBES R4.0.3", "What language would you like to use during the
installation process?", etc.
Select a language and click Continue. Screen will (eventually) show
"INSTALLATION SUMMARY" at the top.
Click on "INSTALLATION DESTINATION". Screen will (eventually) show
"INSTALLATION DESTINATION" at the top.
Click on "nvme0n1". That box on the screen should light up in blue, with
a check mark on top of the disk. If there is no check mark or if this
removed the check mark, click again. (This seems necessary for setting
the encryption passphrase.)
Click on "Done". A pop-up will say "DISK ENCRYPTION PASSPHRASE".
Type your passphrase in both boxes and press return. The pop-up will
change to "INSTALLATION OPTIONS".
Click "Reclaim space". The pop-up will change to "RECLAIM DISK SPACE".
Click on nvme0n1p2 (the first partition after the EFI System Partition)
and click on Delete. Repeat for each subsequent partition. "Action"
should now show "Preserve" for nvme0n1 (the disk) and nvme0n1p1 (EFI
System Partition) and "Delete" for everything after that.
Click on "Reclaim space". Screen will (eventually) show "INSTALLATION
Click on "Begin Installation". Screen will (eventually) show
"CONFIGURATION". Bottom of screen will show various installation actions
happening; don't wait for those to finish.
Click on "USER CREATION". Screen will (eventually) show "CREATE USER".
Enter something in "User name", "Password", and "Confirm Password".
Click on "Done". Screen will (eventually) show "CONFIGURATION", again
with the bottom of the screen showing various installation actions
Wait for the installation to finish ("Complete!").
Click on Reboot. When the screen goes completely black, remove the USB
3. Initial boot without the USB stick
In under a minute the screen will show "Please enter passphrase for
disk". Type your disk passphrase and press Enter. Soon the screen will
show "INITIAL SETUP".
Click on "QUBES OS". The screen will show various options such as
"Create default system qubes".
Click on "DONE". Screen will show "INITIAL SETUP".
Click on "FINISH CONFIGURATION". A popup will show "[Dom0] Qubes OS
Setup" and will show activity for several minutes. Screen will then
change to a Qubes login screen: big white Q on the left, username in the
middle, white password bar below the username.
Enter your password and press Enter. Screen will change to a Qubes user
session: again big white Q on the left, but more items on the top, with
your username on the top right.
Plug in the USB wireless card. Screen will show "Device available" on a
black background for several seconds.
Click on the yellow icon in the top bar ("Qubes Devices"). Menu will
appear showing "dom0:mic - Microphone", "sys-usb:2-3" and an identifier
of the USB wireless card (assuming it is recognized by the kernel),
"sys-usb:2-8 - Bison_Integrated_Camera". The exact numbers don't matter:
what matters is finding the wireless card.
Mouse down to the wireless card. Screen will pop up a sub-menu showing
"sys-firewall" and "sys-net".
Click on "sys-net". Screen will show "Attaching device" on a black
background for several seconds.
Click on the red icon in the top bar. This is a normal NetworkManager
(nm-applet) menu, which you're assumed to know how to use. Configure the
laptop to talk to your access point.
Click on the small white-on-blue Q in the top left. Menu will appear
with "Run Program..." and "Terminal Emulator" and so on.
Click on "Terminal Emulator". A dom0@newmachine window will appear
(labeled with yourusername@dom0).
In the dom0@newmachine terminal:
time sudo qubes-dom0-update -y
time sudo qubes-dom0-update kernel-latest kernel-latest-qubes-vm -y
sudo mkdir -p /lib/firmware/intel/sof
sudo mkdir -p /lib/firmware/intel/sof-tplg
qvm-run -a -p untrusted "wget http://archive.ubuntu.com/ubuntu/pool/main/l/linux-firmware/linux-firmware_1.187.tar.gz"
qvm-run -a -p untrusted "openssl sha256 linux-firmware_1.187.tar.gz"
qvm-run -a -p untrusted "tar -xf linux-firmware_1.187.tar.gz linux-firmware/intel/sof"
qvm-run -a -p untrusted "tar -xf linux-firmware_1.187.tar.gz linux-firmware/intel/sof-tplg"
qvm-run -a -p untrusted "cat linux-firmware/intel/sof/sof-cml.ri" > sof-cml.ri
qvm-run -a -p untrusted "cat linux-firmware/intel/sof-tplg/sof-hda-generic-4ch.tplg" > sof-hda-generic-4ch.tplg
openssl sha256 sof-cml.ri
openssl sha256 sof-hda-generic-4ch.tplg
sudo cp sof-cml.ri /lib/firmware/intel/sof/
sudo cp sof-hda-generic-4ch.tplg /lib/firmware/intel/sof-tplg/
Start a sys-net terminal (Q menu, sys-net, terminal). In the
echo iwlmvm >> /rw/config/suspend-module-blacklist
echo iwlwifi >> /rw/config/suspend-module-blacklist
In the dom0@newmachine terminal:
# wait for all VMs to stop; check that "xl list" shows only Domain-0
opt=$(qvm-prefs sys-net kernelopts)
qvm-prefs sys-net kernelopts "$opt iwlwifi.disable_rxq=1"
qvm-prefs sys-net kernelopts
# should show: nopat iommu=soft swiotlb=8192 iwlwifi.disable_rxq=1
dnf list | grep latest
# check kernel version; currently 5.8.16-1
qvm-prefs sys-net kernel 5.8.16-1
When the screen goes black, remove the USB wireless card.
4. Normal boot
In under a minute, there will be a "Disk password" screen (with a
graphics Q, whereas before the passphrase request was from a text
screen). Type your passphrase and press Enter. Soon the screen will show
the Qubes login screen.
Check that the touchpad is working at this point. Check that accelerated
graphics are also working: the pointer is moving smoothly.
Type your password and press Enter. Screen will change to a Qubes user
session. Check that the built-in wireless card is working: the network
connects automatically to whatever access point you configured before.
Suspend and resume the laptop (close the lid, wait for the blinking dot,
reopen the lid, type your password), and check that the network
Check that audio (except the built-in microphone) is working.