With about three weeks until Hacker Summer Camp, I'm starting to tie up the last loose ends - specifically my DEF CON badge (I'm going to email my connect) and my laptop. Normally I don't give too much thought into my tech setup - I throw a fresh copy of Kali on my travel laptop and call it good - but this year I got the bug to try something different. I'd heard of Qubes for a long time but never had a reason to actually use it - to be honest I still don't, but "I'm going to a couple hacker cons and it makes me feel cooler" is the best reason I'm gonna get anytime soon, so I decided to pull the trigger.
The only problem with my plan was that my travel laptop is old - it has a first-gen Core i5 processor, before Intel prefixed the model number with the generation. Checking the Qubes hardware compatibility list showed the OS could run on my hardware - or at least version 2.0 RC1 could.
But if I can run an ancient version of the OS, that means there's at least a chance I can run the most recent version, right? The short answer is yes, and there's no point in dragging this prelude out any longer so I'm going to show how.
First things first, Intel VT-d must be disabled during the install phase - failing to perform this step results in a reboot loop or the screen will be too trashed to complete the install.
After booting from the Qubes 4.1.0 ISO select the option to install in basic graphics mode from the troubleshooting menu, but edit the boot settings to remove the nomodeset parameter and change the xdriver to intel, meaning this:
mboot.c32 xen.gz --- vmlinuz inst.stage2=hd:LABEL=QUBES-R4-1-0-X86-64 xdriver=vesa nomodeset quiet --- initrd.img
should change to this:
mboot.c32 xen.gz --- vmlinuz inst.stage2=hd:LABEL=QUBES-R4-1-0-X86-64 xdriver=intel quiet --- initrd.img
Additionally, To run a pre-install check that the ISO was written correctly, add the rd.live.check parameter so the boot settings look like this:
mboot.c32 xen.gz --- vmlinuz inst.stage2=hd:LABEL=QUBES-R4-1-0-X86-64 xdriver=intel quiet rd.live.check --- initrd.img
After the ISO validation completes the OS installation begins, but the installer will yell because VT-d was disabled - click through it and click through the installer until it's over.
From here the system will boot, but Xserver will fail to load correctly. To begin fixing this, use Ctrl-Alt-F2 to drop into a TTY and log in with the credentials provided during installation.
One problem is the Xen Intel graphics drivers don't work well with this old chipset, fixed by creating a new Xorg conf (I created mine at /etc/X11/xorg.conf.d/20-intel.conf) with the following config:
Section "Device"
Identifier "Intel Graphics"
Driver "intel"
Option "AccelMethod" "sna"
Option "TripleBuffer" "true"
Option "TearFree" "true"
EndSection
Another problem is something I don't 100% understand but when I refuse to include my computer donesn't run right so it's pretty necessary, edit /etc/default/grub and add the iommu=no-igfx setting to the end of the GRUB_CMDLINE_XEN_DEFAULT line, changing this:
GRUB_CMDLINE_XEN_DEFAULT="console=none dom0_mem=min:1024M dom0_mem=max:4096M ucode=scan smt=off gnttab_max_frames=2048 gnttab_max_maptrack_frames=4096"
to this:
GRUB_CMDLINE_XEN_DEFAULT="console=none dom0_mem=min:1024M dom0_mem=max:4096M ucode=scan smt=off gnttab_max_frames=2048 gnttab_max_maptrack_frames=4096 iommu=no-igfx"
Finally, apply the GRUB changes with sudo grub2-mkconfig --output /boot/grub2/grub.cfg. After that, reboot, reenable VT-d and boot as normal.
Power users may be fine at this point, but Qubes noobs like me will most likely want to rerun the initial setup wizard that initially didn't work using /usr/libexec/initial-setup/initial-setup-graphical.
Et voila! A Lenovo X201 running Qubes 4.1.0. Was it worth spending half a day to figure this out instead of throwing a fresh copy of Kali on it and calling it good? Probably not, but trying something new is its own reward - plus it got me something to write for my blog.