With significant help from members of the qubes-users mailing list, I was able to install Qubes OS R3.2 on my new ThinkPad P51 (model 20HJS0BX00). The starting point was the Qubes OS Hardware Compatibility List linking to swami’s post on qubes-users, which describes or links all the steps below except for the use of the USB-to-Ethernet adapter to run the initial update.
A little twist that distinguishes my ThinkPad from his is that my networking hardware requires kernel version 4.9 to run, while after the install Qubes OS runs version 4.4. Therefore some extra steps and hardware are required to run the initial update to kernel 4.9 to make everything work:
- another computer running Fedora or Qubes OS with a Fedora qube (to create the USB sticks)
- Qubes installer USB stick prepared using Fedora’s livecd-tools
- rEFInd live USB stick
- Linux-friendly Ethernet-to-USB adapter (e.g. the one from Apple)
Create Qubes installer USB stick
- Get the ISO, signature and PGP key from the Qubes OS Download page.
- Follow the instructions on digital signatures and key verification.
- Install the ‘livecd-tools’ package.
- Run sudo livecd-iso-to-disk --efi --format Qubes-R3.2-x86_64.iso /dev/sda (assuming /dev/sda is the USB stick).
- Mount the newly created USB stick and edit /EFI/BOOT/xen.cfg. In this file, replace every occurrence of ‘LABEL=Qubes-R3.2-x86_64’ with ‘LABEL=BOOT’.
- Unmount and run sudo dosfslabel /dev/sda BOOT (assuming /dev/sda is the USB stick).
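The label written into xen.cfg and the one set with dosfslabel are the same string, BOOT, so the edit is worth checking rather than eyeballing. The sketch below is an added example, not part of the original post: relabel_xen_cfg and write_sample_cfg are hypothetical helper names, and the sample config (including its inst.stage2 lines and the decoy entry) is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. relabel_xen_cfg and
# write_sample_cfg are hypothetical helpers; the sample config is constructed.

# Count fixed-string occurrences of LABEL=<label> in <file>.
count() { grep -oF "LABEL=$2" "$1" | wc -l | tr -d ' '; }

# Rewrite every LABEL=<old> in <cfg> to LABEL=<new>, keep <cfg>.orig as a
# backup, verify the result, and print the number of replacements.
relabel_xen_cfg() {
    cfg=$1 old=$2 new=$3
    # Restrict both labels so they are safe inside the sed expression.
    case $old in ''|*[!A-Za-z0-9._-]*) echo "bad old label" >&2; return 2 ;; esac
    case $new in ''|*[!A-Z0-9_-]*) echo "bad new label" >&2; return 2 ;; esac
    # A FAT volume label (what dosfslabel sets) holds at most 11 characters.
    [ "${#new}" -le 11 ] || { echo "label longer than 11 chars" >&2; return 2; }

    hits=$(count "$cfg" "$old")
    [ "$hits" -gt 0 ] || { echo "LABEL=$old not in $cfg" >&2; return 1; }
    already=$(count "$cfg" "$new")

    # Escape "." so that "R3.2" matches a literal dot, not any character.
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')
    cp -p "$cfg" "$cfg.orig"
    sed "s/LABEL=$old_re/LABEL=$new/g" "$cfg.orig" > "$cfg"

    # Every old occurrence must now be the new label, with none left over.
    [ "$(count "$cfg" "$old")" -eq 0 ] || return 1
    [ "$(count "$cfg" "$new")" -eq $((hits + already)) ] || return 1
    echo "$hits"
}

# Constructed sample; the [decoy] entry differs from the real label by one character.
write_sample_cfg() {
    cat > "$1" <<'EOF'
[qubes-check]
kernel=vmlinuz inst.stage2=hd:LABEL=Qubes-R3.2-x86_64 rd.live.check quiet
[qubes]
kernel=vmlinuz inst.stage2=hd:LABEL=Qubes-R3.2-x86_64 quiet
[decoy]
kernel=vmlinuz inst.stage2=hd:LABEL=Qubes-R3x2-x86_64 quiet
EOF
}

# Demo on a temporary file; on the real stick, pass the mounted /EFI/BOOT/xen.cfg.
tmp=$(mktemp -d)
write_sample_cfg "$tmp/xen.cfg"
echo "replaced: $(relabel_xen_cfg "$tmp/xen.cfg" Qubes-R3.2-x86_64 BOOT)"
```

The third argument is the same label that is then passed to dosfslabel after unmounting.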
Create rEFInd live USB stick
- Download the USB flash drive image from Roderick W. Smith’s rEFInd Boot Manager page.
- Run sudo dd if=refind-flashdrive-0.11.2.img of=/dev/sda bs=1M (assuming /dev/sda is the USB stick).
BIOS settings
- boot in UEFI mode (not legacy)
- disable secure boot
- set graphics to discrete
- enable all virtualization features including VT-d
Install Qubes OS
- Boot the ThinkPad with the Qubes installer USB stick and run through the normal setup routine.
- When it is time to reboot, remove the Qubes installer USB stick and insert the rEFInd live USB instead.
- Once in the rEFInd boot manager, select the /EFI/BOOT/xen.cfg entry to boot.
- On the Qubes OS configuration screen, do not create the sys-usb qube yet!
- Finish configuration and log into Qubes OS.
Using USB-to-Ethernet adapter to run initial update
- connect the USB-to-Ethernet adapter and shut down all qubes
- in dom0 run
qvm-prefs -s sys-net pci_strictreset false
- add your USB controller to sys-net using the qubes manager
- start sys-net and sys-firewall - you should now be online!
- update the fedora-23 template
- update dom0
- reboot with rEFInd USB stick
- Run uname -r to make sure you are running kernel 4.9 in both dom0 and sys-net. In my case sys-net was now running kernel 4.9 but dom0 was still on 4.4. It took the extra step of running
sudo qubes-dom0-update --enablerepo=qubes-dom0-unstable kernel kernel-qubes-vm --best --allowerasing
to upgrade dom0 to kernel 4.9.
- shut down all qubes and remove the USB controller from sys-net
- in dom0 run
qvm-prefs -s sys-net pci_strictreset true
- reboot with rEFInd USB stick
Fix EFI boot configuration
For some reason the EFI entry generated by the Qubes installer doesn’t work, which is why we had to use the rEFInd live USB stick until now to boot the machine. This can be fixed by downloading the efibootmgr, efivar and efivar-libs packages via rpmfind.net (the exact files are named in the install command below).
Obviously those packages are not signed by the Qubes OS team and represent a security risk. Unfortunately the version of efibootmgr delivered with Qubes OS doesn’t fix the issue (it might actually be the cause of it). So you have to decide whether you want to keep booting with the rEFInd live USB stick or take the risk of installing those packages in dom0.
- copy the files to dom0 and install them via
sudo dnf install efibootmgr-15-1.fc26.x86_64.rpm efivar-31-1.fc26.x86_64.rpm efivar-libs-31-1.fc26.x86_64.rpm
- delete the old entry via
sudo efibootmgr -b 0000 -B
- create a new entry via
sudo efibootmgr -v -c -u -L Qubes -l /EFI/qubes/xen.efi -d /dev/nvme0n1 -p 1
- reboot without the rEFInd live USB stick
Now the ThinkPad boots straight into Qubes OS R3.2 and all the hardware should work. During the installation we skipped creating sys-usb, which one might want to enable now that everything works. After successfully upgrading to kernel 4.9 one may switch the graphics BIOS setting back to hybrid. Finally I’d like to thank Unman and Rory for their help with approaches that ultimately didn’t work out but were definitely worth pursuing.