ThinkPad T480 Qubes OS pre-install steps (BIOS decisions)

Hello,

I’m new to Qubes OS and not exactly an advanced user. However I am keen to get Qubes installed on a ThinkPad T480 that I just bought second hand. I’ve been doing a fair bit of reading on the forums, Hardware compatibility list (HCL) & elsewhere and trying to plan pre-install work.

I’ve sourced x2 32GB sticks of RAM which I will install along with a 1TB SSD.

Before I get into that I need some advice on the BIOS if possible please…

From what I can see the laptop has the latest UEFI BIOS (v1.56 N24ET81W) and ECP / Embedded Controller Program (ID 1.22 N24HT37W) installed.

Two questions:

  1. I read on the System requirements page that Open-source boot firmware (e.g. coreboot) is “recommended for non-certified hardware”. Would this be a good opportunity to replace the existing UEFI BIOS with another option? (Coreboot, Heads, Skulls or Libreboot). Not 100% sure if all of these are compatible with my machine and interested to hear any pros and cons of doing this.

  2. If I did decide to stick with UEFI BIOS, would it be a good idea to download a fresh copy from the Lenovo site and reinstall in case the version I have was somehow compromised by a previous owner? I guess it would be wise to at least have a fresh copy in case this was needed in the future.

https://support.lenovo.com/us/en/downloads/ds502355-bios-update-utility-bootable-cd-for-windows-10-64-bit-linux-thinkpad-t480

Also, I understand that this laptop may have had its last processor microcode update but unsure whether there is any advantage in installing Open-source boot firmware in relation to this shortcoming.

Any thoughts or advice would be much appreciated.

Can provide more info if required.

Thanks

Hi, I’d recommend using Heads, with a caveat. After waking up from suspension, I experience heavily reduced performance on T480 with Qubes and Heads. I haven’t tested a lot of stuff on T480 with Heads, like whether camera and microphone work or not. I also need to work around audio issues, like manually changing output between built-in speakers and jack headphones, as well as replacing dom0’s pipewire with pulseaudio.
From my experience, Libreboot on this machine always has severely degraded performance, at least on Qubes.

As for the other question, I don’t really know, perhaps trying to update the BIOS won’t hurt.

The CPU probably won’t receive any more microcode updates, unfortunately.

2 Likes

  1. I wouldn’t coreboot if you aren’t advanced. As fyn mentioned, it can add issues and complexity. Also, the conversion to coreboot is not easy for your level.

  2. Sure, you can do that. Download the last two versions of the BIOS from Lenovo. Downgrade and then upgrade to the current version. If you have a Windows install, it is easy (exe file). If not, you’ll need El Torito to convert the CD file to a USB bootable one that you run at startup.

Whatever the Intel microcode situation, Qubes will handle updating it through Qubes Update.

T480 is a good laptop, reliably runs Qubes with few issues

3 Likes
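The El Torito step mentioned in the reply above, as an added Python example that is not part of the original thread: a bootable-CD BIOS update ISO carries its boot disk image behind an El Torito boot catalog, and this code locates and extracts that image so it can be written to a USB stick. `extract_boot_image` and `build_sample_iso` are hypothetical names, the sample ISO is constructed for the demonstration, and the hard-disk size rule (end of the first MBR partition) is the convention the `geteltorito` script uses.

```python
import struct

SECTOR, VSECTOR = 2048, 512                   # ISO 9660 sector, El Torito virtual sector
FLOPPY_SECTORS = {1: 2400, 2: 2880, 3: 5760}  # 1.2 MB, 1.44 MB, 2.88 MB emulation

def extract_boot_image(iso: bytes) -> bytes:
    """Return the default El Torito boot image embedded in an ISO 9660 image."""
    brvd = iso[17 * SECTOR:18 * SECTOR]       # Boot Record Volume Descriptor: sector 17
    if brvd[:7] != b"\x00CD001\x01" or brvd[7:30] != b"EL TORITO SPECIFICATION":
        raise ValueError("no El Torito boot record in sector 17")
    (catalog_lba,) = struct.unpack_from("<I", brvd, 0x47)
    catalog = iso[catalog_lba * SECTOR:catalog_lba * SECTOR + 64]
    if len(catalog) < 64:
        raise ValueError("boot catalog lies outside the image")
    validation, entry = catalog[:32], catalog[32:]
    # Validation entry: header ID 1, key bytes 55 AA, all 16-bit words sum to zero.
    if (validation[0] != 1 or validation[30:] != b"\x55\xaa"
            or sum(struct.unpack("<16H", validation)) & 0xFFFF):
        raise ValueError("boot catalog validation entry is corrupt")
    boot, media, _seg, _sys, _pad, count, lba = struct.unpack_from("<BBHBBHI", entry)
    if boot != 0x88:
        raise ValueError("default entry is not marked bootable")
    start, media = lba * SECTOR, media & 0x0F
    if media in FLOPPY_SECTORS:
        count = FLOPPY_SECTORS[media]
    elif media == 4:
        # Hard-disk emulation: the image ends where its first MBR partition ends.
        first, size = struct.unpack_from("<II", iso, start + 446 + 8)
        count = first + size
    elif media != 0:                          # 0 = no emulation: use the catalog count
        raise ValueError(f"unknown boot media type {media}")
    image = iso[start:start + count * VSECTOR]
    if len(image) != count * VSECTOR:
        raise ValueError("boot image is truncated")
    return image

def build_sample_iso() -> bytes:
    """Constructed input: a 24-sector ISO skeleton with a hard-disk boot image."""
    iso = bytearray(24 * SECTOR)
    iso[17 * SECTOR:17 * SECTOR + 30] = b"\x00CD001\x01EL TORITO SPECIFICATION"
    struct.pack_into("<I", iso, 17 * SECTOR + 0x47, 20)         # catalog in sector 20
    val = bytearray(32)
    val[0], val[30:] = 1, b"\x55\xaa"
    struct.pack_into("<H", val, 28, -sum(struct.unpack("<16H", val)) & 0xFFFF)
    iso[20 * SECTOR:20 * SECTOR + 32] = val
    struct.pack_into("<BBHBBHI", iso, 20 * SECTOR + 32, 0x88, 4, 0, 6, 0, 1, 21)
    struct.pack_into("<II", iso, 21 * SECTOR + 454, 1, 7)       # partition 1: LBA 1, 7 sectors
    iso[21 * SECTOR + 510:21 * SECTOR + 512] = b"\x55\xaa"      # MBR signature
    return bytes(iso)
```

For a real update, pass the bytes of the downloaded ISO to `extract_boot_image` and write the result to the USB device; the validation-entry check rejects a damaged catalog but says nothing about where the ISO came from, so obtain it directly from the vendor page.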

Hey thanks for the response. Will have a closer look at Heads when I get a chance and weigh it up considering your experience with it. Sounds like Libreboot is best avoided then. Also looks like there is no Skulls support for the T480 as it stands: T480-T480s Support · Issue #313 · merge/skulls · GitHub

Yeah, I’m always hesitant to say I’m advanced. The knowledge/skills/experience that some people have never ceases to amaze me. On the other hand I’m not completely green. I started getting into Linux about 20 years ago when Ubuntu first came out but have bounced between that, Mac OS & Windows over the years since. Back to Linux now for good I reckon.

I recently converted a decent Acer Chromebook into a Linux machine removing ChromeOS and installing Linux Mint then Pop_OS! and I have Coreboot installed on that. Nice little project but the hardware has its limitations.

Thanks for the tip regarding downgrade/upgrade of the Lenovo BIOS. My T480 came with Windows 11 installed so perhaps I can perform this process with the .exe files before I wipe Windows off the disk.

So am I understanding you correctly here that once installed, Qubes will be able to update any potential security vulnerabilities related to the lack of Intel microcode updates then?

Also, are there any major drawbacks of sticking with the UEFI BIOS as opposed to installing an alternative? And I assume that I could always change the BIOS at a later stage after installing Qubes if I want to right?

Thanks for your response by the way

1 Like

Correct. But the T480 CPU won’t have updates from Intel going forward (it’s past 6 years)

Yes, but it’ll likely require some troubleshooting to get it running again. Whenever I change the specs of my machine, I usually just do a fresh install. Qubes is finicky, it’s not like Fedora/Debian where you can just move the SSD into a new computer and things will mostly work. For example if you switch from an Nvidia to AMD graphics card, you will likely need to tweak things. Or if you change the wifi card you’ll need to go into the service qube and mess with the interface and drivers.

That’s good you have Linux experience, Qubes really requires it. When you have issues, you’ll be able to diagnose and fix (or at least work around). Fedora is the main/default distro on Qubes so familiarize yourself with it.

I’ve had two failed attempts at running coreboot on a t530 and a t580 (related to getting a good connection to the BIOS chip). Given up at this point. I’m more focused on microcode and BIOS updates than coreboot (most coreboot friendly computers have very old CPUs at this point unless you want to spend $2000 on a new computer).

1 Like

Thanks @corny I’ll go over this again after some sleep

1 Like

Did you actually want answers like:
Make sure Virtualization options Enabled.
Secure Boot Off.
CSM on.
Diagnostics mode on. (to stop the fast boot which enables Windows to start so fast)
I did not see it phrased that way, boot set in Legacy mode.
Mine is set to TPM 2

From what I read:
There is a thing called AMT, which I think one should not permanently disable, as that area in the firmware can be used for Anti-Evil Maid, which I thought was a software install, hardware Flashing not needed. If it is permanently disabled, it is nearly impossible to re-enable the feature to be useful again. ???

Someone please correct me. I am kinda winging this reply before coffee.

1 Like

Hi, I suppose I was trying to decide whether to stick with the BIOS the laptop already has or whether it was worth switching to another alternative and if now would be a good time to do that before installing Qubes. Based on the responses I’ve had so far I’m leaning more towards keeping what I have (probably downgrade and flash again with the upgrade to the most recent for paranoia’s sake).

However I appreciate the input you’ve given, some of these things I’ve already noted from reading the Qubes docs but will have a closer look into your other points.

Cheers

Edit: sorry that was supposed to be a reply to @catacombs - must have hit the wrong reply button

Which CPU do you use?
For me 8560 works so great! After suspension it is much more quiet without any performance degradation. Audio, camera work just fine.
The headphone jack issue was not due to Heads but due to coreboot issues which are fixed now.
I would recommend removing the proprietary BIOS and replacing it with coreboot or its payloads like Heads.
Even thunderbolt should work now…

1 Like

I would definitely recommend Heads but you would need a hardware key for the full functionality 🙂

1 Like

I’ve got the i5-8350U

Good to know that you’ve had good experience with coreboot / Heads. I can see a report from you on the HCL that you’ve got Heads running on your T480.

Although I was leaning towards staying with the stock BIOS as the path of least resistance, I’m now swinging back towards an alternative open source BIOS (Heads) which is what I was originally hoping for. From what I’ve read Qubes is not without its own complexities so perhaps I should start as I mean to go on.

It would be good to have the most secure and flexible setup possible from the outset.

In terms of the hardware key you mentioned I assume that would either be a Nitrokey or the Purism Librem Key right? Is it a choice between the two or would one be more appropriate for my use case than the other?

Also, only just started skim-reading the Heads wiki (Prerequisites for Heads | Heads - Wiki) and so far I’m unsure whether my device requires external flashing? If so I presume I would also need an SPI programmer for this?