-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 With significant help from members of this mailing list, I was able to install R3.2 on my new ThinkPad P51 (model 20HJS0BX00). The starting point was the HCL linking to swami's post <http://bit.ly/2CCtOdB>, which describes or links all the steps below except for the use of the USB-to-Ethernet adapter to run the initial update.
A little twist that distinguishes my ThinkPad from his is that my networking hardware requires kernel version 4.9 to run, while after the install Qubes OS runs version 4.4. Therefore some extra steps and hardware are required to run the initial update to kernel 4.9 to make everything work: * another computer running Fedora or Qubes OS with a Fedora qube (to create the USB sticks) * Qubes installer USB stick prepared using Fedora's livecd-tools * rEFInd live USB stick * Linux-friendly Ethernet-to-USB adapter (e.g. the one from Apple) Create Qubes installer USB stick - -------------------------------- This step was described by Dave C.'s post <http://bit.ly/2keRZs7> with additional important input from Stephan Marwedel. 1. Get the ISO, signature and pgp key from the Qubes OS Download page. 2. Follow the instructions on digital signatures and key verification. 3. Install the 'livecd-tools' package. 4. Run 'sudo livecd-iso-to-disk --efi --format Qubes-R3.2-x86_64.iso /dev/sda' (assuming /dev/sda is the USB stick). 5. Mount the newly created USB stick and edit /EFI/BOOT/xen.cfg. In this file, replace every occurrence of 'LABEL=Qubes-R3.2-x86_64' with 'LABEL=BOOT'. 6. Unmount and run 'sudo dosfslabel /dev/sda BOOT' (assuming /dev/sda is the USB stick). Create rEFInd live USB stick - ---------------------------- 1. Download the USB flash drive image from Roderick W. Smith's rEFInd Boot Manager page. 2. Run 'sudo dd if=refind-flashdrive-0.11.2.img of=/dev/sda bs=1M' (assuming /dev/sda is the USB stick). BIOS settings - ------------- * boot in UEFI mode (not legacy) * disable secure boot * set graphics to discrete * enable all virtualization features including VT-d Install Qubes - ------------- 1. Boot the ThinkPad with the Qubes installer USB stick and run through the normal setup routine. 2. When it is time to reboot, remove the Qubes installer USB stick and insert the rEFInd live USB instead. 3. Once in the rEFInd boot manager, select the /EFI/BOOT/xen.cfg entry to boot. 4. On the Qubes OS configuration screen, do not create the sys-usb qube yet! 5. Finish configuration and log into Qubes OS. Using USB-to-Ethernet adapter to run initial update - --------------------------------------------------- Both Taiidan and and earlier comment from Yethal helped me figure out this sequence: 1. connect the USB-to-Ethernet adapter and shutdown all qubes 2. in dom0 run 'qvm-prefs -s sys-net pci_strictreset false' 3. add your USB controller to sys-net using the qubes manager 4. start sys-net and sys-firewall - you should now be online! 5. update the fedora-23 template 6. update dom0 7. reboot with rEFInd USB stick 8. use 'uname -r' to make sure you are running kernel 4.9 in both dom0 and sys-net. In my case sys-net was now running kernel 4.9 but dom0 was still on 4.4. It took the extra step of running 'sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable kernel kernel-qubes-vm --best --allowerasing' to upgrade dom0 to 4.9. 9. shutdown all qubes and remove the USB controller from sys-net 10. run 'qvm-prefs -s sys-net pci_strictreset true' 11. reboot with rEFInd USB stick Fix EFI boot configuration - -------------------------- For some reason the EFI entry generated by the Qubes installer doesn't work, which is why we had to use the rEFInd live USB stick until now to boot the machine. This can be fixed, by downloading the following packets via rpmfind.net: * efibootmgr-15-1.fc26.x86_64.rpm * efivar-31-1.fc26.x86_64.rpm * efivar-libs-31-1.fc26.x86_64.rpm Obviously those packets are not signed by the Qubes OS team and represent a security risk. Unfortunately the version of efibootmgr delivered with Qubes OS doesn't fix the issue (it might actually be the cause of it). So you have to decide whether you want to keep booting with the rEFInd live USB stick or if you take the risk of installing those packets in dom0. 1. copy the files to dom0 and install them via 'sudo dnf install efibootmgr-15-1.fc26.x86_64.rpm efivar-31-1.fc26.x86_64.rpm efivar-libs-31-1.fc26.x86_64.rpm'. 2. delete the old entry via 'sudo efibootmgr -b 0000 -B' 3. create a new entry via 'sudo efibootmgr -v -c -u -L Qubes -l /EFI/qubes/xen.efi -d /dev/nvme0n1 -p 1' 4. reboot without the rEFInd live USB stick Done! - ----- Now the ThinkPad boots straight into Qubes OS R3.2 and all the hardware should work. During the installation we skipped creating sys-usb, which one might want to enable now that everything works. Finally I'd like to thank Unman and Rory for their help with approaches that ultimately didn't work out but were definitely worth pursuing. This post is also published (with additional links) at http://svensemmler.org/blog/2017/12/17/qubes-on-thinkpad-p51.html /Sven -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJaOEdJAAoJENpuFnuPVB+2YkQP/jGgaBOXnXk3ulAMipFYrkdc wxuInuel95iipxpUnyWZjweFP2J1wWPC2LRJUZE27rNbeJND9PfzoJ1InpA59t4m USnGnbbQStIOWrJWIJTZCTHrXVZ2QiPqMQ2SmLwR1FQ3ctjkfqzs+VcmWoZI+oGX GhH5CdrcG7mOXzaPsYHQIu5gHuv7YGFhYXcZOSqIYZpKChza8kbvujFToFhSsMQd N4JRPbqiqhoLu6kTXtyYT5TE/pvoZd5JpuHFR0G27Z+q14GqcpzGpwRRmkegq0LZ 6iBf/MqYeLKcduR/d8H5FI4rnsmQvBfn0Dxu2DZ3FQ75mY/KU0as9LKzIadMJsbB jIXOsBAFkgfxOWxJkqY1SyWS6Bzm/XHMuVdPYDia+zzgrS22WefgvtOCpF972FFL adQMY1QLjUFOPF0P8shrr0HieteEbWhJKwxe5GUkbDHr4s0rNn36HMV1e9bkUI3q glmUa6/0B862LuCr6RfT2SnzDdi5mhGzLks0TVl9Hye8Tu+YNdmG7zpWIWgPpaxM m3Hrr/RCEJTggOxCCGe+F8VmQfH/td8dUUJ/nyCBSomB0EQUWrvCouRFwuH02uIX IurHLGs/J3dMJ0GM6Hkjus6re0gbRYgvuOFakqyowpp8nDZoPOTBKn7rB0Xw9bmt rKu6Nc738gnLWwlNr1jU =8urF -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/639b0d8b-a7b1-52be-10e8-5692a58c0018%40SvenSemmler.org. For more options, visit https://groups.google.com/d/optout.
Qubes-HCL-LENOVO-20HJS0BX00-20171215-110620.yml
Description: application/yaml
Qubes-HCL-LENOVO-20HJS0BX00-20171215-110620.yml.sig
Description: PGP signature