Hi, I’m intending to try out Qubes with the most compatible hardware I can think of, which is x230 (unsurprising right?). This is supposed to be my training wheels before I decide what hardware and software combination will be my end goal. I want to make it as easy as possible for me to dip my toes in security-oriented OS and community.
At the moment I’m owning G505s which suppose to be one of the fastest Coreboot laptops available. I’m currently stuck attempting to “liberate” its bios. Everything was going fine until I started having issues compiling image on Raspberry Pi. Apparently at that time (about 2 years ago) ARM architecture had compatibility issues with the whole process and I didn’t want to use my desktop with Management Engine for it.
So now I’m trying to decide whether to buy x230 with Coreboot preinstalled or not. If I understand correctly the benefit is that taking the laptop apart is only needed if there were issues with the bios update process. I have all the tools needed for that eventuality but would rather skip it and spend my time testing the OS instead.
Now here are my questions. With Coreboot already installed will I be able to adapt the BIOS situation without taking the laptop apart to test any version of Qubes that is not too outdated? I don’t fully grasp the correlation between all the BIOSes (Coreboot, SeaBIOS, Heads, etc.) and what versions of Qubes are installable on the system. Also which BIOS do I need a hardware flashing method for and which I can do using software only? The latest Qubes require Heads that can only be flashed using the hardware method if I’m reading things right.
Are all the models of x230 compatible? If not, can I freely replace the components that are giving me trouble (for example WIFI card)? I don’t really know how modular this ThinkPad is.
I hope the technical level of these questions is not below the minimum acceptable here. I do realize using this kind of operating system requires above-average skills.
It’s quite straightforward to flash coreboot on to an x230 - the chips
are easily accessible and require minimal strip down (removal of the
palm rest).
I’m not sure what you mean by “adapt the BIOS situation”. If you have
flashed coreboot you will be able to reflash with an updated version
without removing the palm rest. I boot from a Live USB with the necessary
tools and flash internally.
The latest Qubes does not require heads; it does not require coreboot.
You can run Qubes using the stock BIOS.
I’ve run Qubes on a variety of x230 down to i3, using stock components.
If you want to replace the WiFi card, (you do not need to do this),
you will have to replace the stock BIOS: Lenovo BIOS restricts what
components you can use.
To clarify - Heads is a payload for coreboot; SeaBIOS is a payload for
coreboot. Coreboot is a firmware platform that initialises the hardware
and then passes control to the payload.
SeaBIOS is a version of the classic legacy BIOS.
I hope that has answered your questions.
If you have any problems in flashing coreboot, or with Qubes, just ask.
I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
I’m basically trying to strike a balance between how much I pay for the laptop and how much of my own effort is required to not have any potential spyware on the machine before I install the OS.
I’m proficient enough to run Linux and troubleshoot whatever is needed. The thing is last time I attempted flushing Coreboot I ended up troubleshooting a large portion of the step-by-step guide itself. So I’m considering buying a computer with Coreboot preinstalled which is not too overpriced.
I will eventually flush both of the PCs myself, I just don’t want this to be step one. Last time it took me way more time than anticipated and resulted in a failure anyway…
some observations from my current very first steps in Qubes:
On an X230 with 16GB (the maximum RAM that the X230 can accept) and with an i7 processor (which is about 20% faster than the more common i5); with Intel ME disabled and an advanced BIOS flashed using first IVprep and then 1vyrain, a solution that allows you to do this without opening the laptop or using a hardware flasher:
I would recommend considering a different Lenovo model - one that can accept 32 GB, and that also is well proven to be suitable for Coreboot. I think there is at least one, don’t remember which one right now.
Reason:
On my above setup, just Qubes + Whonix-Qubes running is already eating up well over 12 GB on my X230 right now. There isn’t much RAM left to actually run apps on.
Also so far I have not managed to get video above 480p running smoothly without lots of dropped frames. This is not really that important to me, but it may be to you. I don’t know if other older hardware would have less issues with video, best ask around.
Caveat: I am still hoping that with some more help here in this forum (without which I wouldn’t even have got this far, I’m just a low level nerd…) there might be ways to tweak and to improve things with my setup, and also I might be doing very basic things wrong potentially.
Just sharing what I have observed so far, maybe some of this helps.
One thing I can already say with certainty is that Qubes is absolutely awesome, totally worth the learning curve. Go for it, I doubt you’ll look back.
I want to add: I also think that making sure that you buy the absolute fastest RAM and the absolute fastest SSD that you can get your hands on will be something you will benefit from a whole lot when using Qubes.
Hi cristiioan, true that removing ME alone is not enough, of course.
In addition it also depends heavily on what kind of hardware you are using.
But one could argue that leaving ME operational also doesn’t make sense when setting things up with a focus on security in general. Why would I leave such a back door open if there are ways to close it?
In addition, to me this is a principle matter as well. It is my hardware, so I should be the only one who can control it. At least that’s what I want to strive for as an ideal goal.
Intel ME can be disabled, so of course I want to do that. And at least on the models / machines where this is now possible with IVprep + 1vyrain, that’s not as hard to do anymore as it used to be either.
Of course it won’t be the ultimate security solution to disable IME, but it is a meaningful piece of the security puzzle, and I simply don’t see a reason not to do it.
Hi renehoj, thank you, I will give that a go! Although right now my bigger focus is to get Freeplane to run well on my machine, which is a deal breaker necessity for me. But if that can be achieved, I will look at video again next, because it would be nice to be able to improve that, of course. So thank you for the pointer, noted
Hello Jack.
I’m afraid that you havent understood the way in which Qubes handles
memory.
Each qube can be allocated max Memory in Settings window, (maxmem in qvm-prefs) , as well as Initial Memory.
By default up to 4GB is allocated to dom0, and 4GB is set as maxmem for
each qube.
Qubes runs a memory balancer.
When you have a few Qubes running, they will share out the available
memory - this is why you think that just a few qubes are “eating up”
over 12GB.
As you start new qubes, the memory is balanced between them, and
allocated as necessary - so a memory intensive qube will take up to the
maximum set, while others will have a reduced allocation.
I’m currently running around 12 qubes on an x220 i5.
There were issues reported by some users on 4.1 - I encountered them
myself. But it seems that these may have been settled, and with some
tuning,(you can find details in the Forum), of memory allocation you
can comfortably use an x230 for most purposes.
The x230 is, of course, well proven suitable for coreboot.
This doesn’t mean that the x230 is suitable for every use. It may not be
good for your use of freeplane. It wont be suitable for heavy video
editing, or intensive 3D modelling. But for many uses it is fine.
I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
Hi @unman I stand corrected. You are right, I had not understood that correctly until now. sm95 has explained this to me just today as well. It is useful to know how that actually works, thank you both.
I didn’t mean whether the X230 is proven for Coreboot, I just wanted to get an idea what other people find the X230 to be capable of with Qubes.
Thank you for sharing what your own experience on the X230 is, you are giving me some hope.
I don’t expect 3D modeling from this machine of course, and I can even give up on quality Video for this machine.
But unfortunately I can’t do without a well working Freeplane. I’m still hoping that there might be a solution for that.
Seeing that Freeplane works flawlessly on an X200 with 8 GB of RAM, my assumption was that it should work well enough on an X230 with 16 GB, if the only other Qube that I am running is one with a browser with a few tabs in it. But maybe that assumption was too optimistic, not sure.
I will read up in the forums on how to tune memory allocation better.
But I am wondering if this actually is about memory.
Freeplane has never taken much more than 600 MB at any point, even while freezing, despite its maximum being set much higher than that.
But that’s more a matter for the other thread, where I have just posted about that, I don’t want to dilute that into here.
i think its all about customize your using, you know that even with i5 x230 and 8gb ram, im happy run qubes in it. its just its really enough for my use case.
Quick update so as to not lead anyone who might find this thread later to believe that Freeplane doesn’t work on an X230 with Qubes:
I found the error that I made, and it works fine now.
If you are planning to use Freeplane on Qubes, whether on an X230 or newer hardware, it should run fine. To see some of the mistakes that I made at first regarding this, as well as very helpful instructions that I have received from others about this, you can have a look at this thread:
But this is probably only relevant for you if you are planning to use Freeplane on Qubes, and / or if you have any difficulties with doing that.
